fc0cb2368af11b853e6c7e6e625b545cab7f483c
[strongswan.git] / src / charon / sa / tasks / ike_cert_post.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2006-2009 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ike_cert_post.h"
18
19 #include <daemon.h>
20 #include <sa/ike_sa.h>
21 #include <encoding/payloads/cert_payload.h>
22 #include <encoding/payloads/certreq_payload.h>
23 #include <credentials/certificates/x509.h>
24
25
26 typedef struct private_ike_cert_post_t private_ike_cert_post_t;
27
28 /**
29 * Private members of a ike_cert_post_t task.
30 */
31 struct private_ike_cert_post_t {
32
33 /**
34 * Public methods and task_t interface.
35 */
36 ike_cert_post_t public;
37
38 /**
39 * Assigned IKE_SA.
40 */
41 ike_sa_t *ike_sa;
42
43 /**
44 * Are we the initiator?
45 */
46 bool initiator;
47 };
48
49 /**
50 * Generates the cert payload, if possible with "Hash and URL"
51 */
52 static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certificate_t *cert)
53 {
54 cert_payload_t *payload = NULL;
55
56 if (this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
57 {
58 /* ok, our peer sent us a HTTP_CERT_LOOKUP_SUPPORTED Notify */
59 hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
60 if (hasher != NULL)
61 {
62 chunk_t hash, encoded = cert->get_encoding(cert);
63 enumerator_t *enumerator;
64 char *url;
65
66 hasher->allocate_hash(hasher, encoded, &hash);
67 identification_t *id = identification_create_from_encoding(ID_CERT_DER_SHA1, hash);
68
69 enumerator = charon->credentials->create_cdp_enumerator(charon->credentials, CERT_X509, id);
70 if (enumerator->enumerate(enumerator, &url))
71 {
72 /* if we have an URL available we send that to our peer */
73 payload = cert_payload_create_from_hash_and_url(hash, url);
74 }
75 enumerator->destroy(enumerator);
76
77 id->destroy(id);
78 chunk_free(&hash);
79 chunk_free(&encoded);
80 hasher->destroy(hasher);
81 }
82 else
83 {
84 DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
85 }
86 }
87
88 if (!payload)
89 {
90 /* our peer does not support "Hash and URL" or we do not have an URL
91 * to send to our peer, just create a normal cert payload */
92 payload = cert_payload_create_from_cert(cert);
93 }
94
95 return payload;
96 }
97
98 /**
99 * add certificates to message
100 */
101 static void build_certs(private_ike_cert_post_t *this, message_t *message)
102 {
103 peer_cfg_t *peer_cfg;
104 auth_cfg_t *auth;
105
106 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
107 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
108 if (!peer_cfg ||
109 (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
110 {
111 return;
112 }
113 switch (peer_cfg->get_cert_policy(peer_cfg))
114 {
115 case CERT_NEVER_SEND:
116 break;
117 case CERT_SEND_IF_ASKED:
118 if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
119 {
120 break;
121 }
122 /* FALL */
123 case CERT_ALWAYS_SEND:
124 {
125 cert_payload_t *payload;
126 enumerator_t *enumerator;
127 certificate_t *cert;
128 auth_rule_t type;
129
130 /* get subject cert first, then issuing certificates */
131 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
132 if (!cert)
133 {
134 break;
135 }
136 payload = build_cert_payload(this, cert);
137 if (!payload)
138 {
139 break;
140 }
141 DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
142 cert->get_subject(cert));
143 message->add_payload(message, (payload_t*)payload);
144
145 enumerator = auth->create_enumerator(auth);
146 while (enumerator->enumerate(enumerator, &type, &cert))
147 {
148 if (type == AUTH_RULE_IM_CERT)
149 {
150 payload = cert_payload_create_from_cert(cert);
151 if (payload)
152 {
153 DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
154 cert->get_subject(cert));
155 message->add_payload(message, (payload_t*)payload);
156 }
157 }
158 }
159 enumerator->destroy(enumerator);
160 }
161 }
162 }
163
164 /**
165 * Implementation of task_t.process for initiator
166 */
167 static status_t build_i(private_ike_cert_post_t *this, message_t *message)
168 {
169 if (message->get_payload(message, AUTHENTICATION))
170 { /* CERT payloads are sended along AUTH payloads */
171 build_certs(this, message);
172 }
173 return NEED_MORE;
174 }
175
176 /**
177 * Implementation of task_t.process for responder
178 */
179 static status_t process_r(private_ike_cert_post_t *this, message_t *message)
180 {
181 return NEED_MORE;
182 }
183
184 /**
185 * Implementation of task_t.build for responder
186 */
187 static status_t build_r(private_ike_cert_post_t *this, message_t *message)
188 {
189 if (message->get_payload(message, AUTHENTICATION))
190 { /* CERT payloads are sended along AUTH payloads */
191 build_certs(this, message);
192 }
193 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
194 { /* stay alive, we might have additional rounds with certs */
195 return NEED_MORE;
196 }
197 return SUCCESS;
198 }
199
200 /**
201 * Implementation of task_t.process for initiator
202 */
203 static status_t process_i(private_ike_cert_post_t *this, message_t *message)
204 {
205 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
206 { /* stay alive, we might have additional rounds with CERTS */
207 return NEED_MORE;
208 }
209 return SUCCESS;
210 }
211
212 /**
213 * Implementation of task_t.get_type
214 */
215 static task_type_t get_type(private_ike_cert_post_t *this)
216 {
217 return IKE_CERT_POST;
218 }
219
220 /**
221 * Implementation of task_t.migrate
222 */
223 static void migrate(private_ike_cert_post_t *this, ike_sa_t *ike_sa)
224 {
225 this->ike_sa = ike_sa;
226 }
227
228 /**
229 * Implementation of task_t.destroy
230 */
231 static void destroy(private_ike_cert_post_t *this)
232 {
233 free(this);
234 }
235
236 /*
237 * Described in header.
238 */
239 ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
240 {
241 private_ike_cert_post_t *this = malloc_thing(private_ike_cert_post_t);
242
243 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
244 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
245 this->public.task.destroy = (void(*)(task_t*))destroy;
246
247 if (initiator)
248 {
249 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
250 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
251 }
252 else
253 {
254 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
255 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
256 }
257
258 this->ike_sa = ike_sa;
259 this->initiator = initiator;
260
261 return &this->public;
262 }
263