4 * @brief Implementation of ike_auth_t transaction.
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
40 typedef struct private_ike_auth_t private_ike_auth_t
;
43 * Private members of a ike_auth_t object..
45 struct private_ike_auth_t
{
48 * Public methods and transaction_t interface.
58 * Message sent by our peer, if already generated
63 * Message ID this transaction uses
68 * Times we did send the request
73 * initiator chosen nonce
78 * responder chosen nonce
83 * encoded request message of ike_sa_init transaction
88 * encoded response message of ike_sa_init transaction
90 chunk_t init_response
;
93 * connection definition used for IKE_SA setup
95 connection_t
*connection
;
98 * policy definition used CHILD_SA creation
103 * Negotiated proposal used for CHILD_SA
105 proposal_t
*proposal
;
108 * Negotiated traffic selectors for initiator
113 * Negotiated traffic selectors for responder
118 * CHILD_SA created along with IKE_AUTH
120 child_sa_t
*child_sa
;
123 * did other peer create a CHILD_SA?
128 * reqid to use for CHILD_SA setup
134 * Implementation of transaction_t.get_message_id.
136 static u_int32_t
get_message_id(private_ike_auth_t
*this)
138 return this->message_id
;
142 * Implementation of transaction_t.requested.
144 static u_int32_t
requested(private_ike_auth_t
*this)
146 return this->requested
++;
150 * Implementation of transaction_t.set_config.
152 static void set_config(private_ike_auth_t
*this,
153 connection_t
*connection
, policy_t
*policy
)
155 this->connection
= connection
;
156 this->policy
= policy
;
160 * Implementation of transaction_t.set_reqid.
162 static void set_reqid(private_ike_auth_t
*this, u_int32_t reqid
)
168 * Implementation of transaction_t.set_nonces.
170 static void set_nonces(private_ike_auth_t
*this, chunk_t nonce_i
, chunk_t nonce_r
)
172 this->nonce_i
= nonce_i
;
173 this->nonce_r
= nonce_r
;
177 * Implementation of transaction_t.set_init_messages.
179 static void set_init_messages(private_ike_auth_t
*this, chunk_t init_request
, chunk_t init_response
)
181 this->init_request
= init_request
;
182 this->init_response
= init_response
;
186 * Implementation of transaction_t.get_request.
188 static status_t
get_request(private_ike_auth_t
*this, message_t
**result
)
192 identification_t
*my_id
, *other_id
;
193 id_payload_t
*my_id_payload
;
195 /* check if we already have built a message (retransmission) */
198 *result
= this->message
;
202 me
= this->ike_sa
->get_my_host(this->ike_sa
);
203 other
= this->ike_sa
->get_other_host(this->ike_sa
);
204 my_id
= this->policy
->get_my_id(this->policy
);
205 other_id
= this->policy
->get_other_id(this->policy
);
207 /* build the request */
208 request
= message_create();
209 request
->set_source(request
, me
->clone(me
));
210 request
->set_destination(request
, other
->clone(other
));
211 request
->set_exchange_type(request
, IKE_AUTH
);
212 request
->set_request(request
, TRUE
);
213 request
->set_ike_sa_id(request
, this->ike_sa
->get_id(this->ike_sa
));
214 /* apply for caller */
216 /* store for retransmission */
217 this->message
= request
;
219 { /* build ID payload */
220 my_id_payload
= id_payload_create_from_identification(TRUE
, my_id
);
221 request
->add_payload(request
, (payload_t
*)my_id_payload
);
224 { /* TODO: build certreq payload */
228 /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
229 if (this->policy
->get_auth_method(this->policy
) == RSA_DIGITAL_SIGNATURE
230 && this->connection
->get_cert_policy(this->connection
) != CERT_NEVER_SEND
)
232 cert_payload_t
*cert_payload
;
234 x509_t
*cert
= charon
->credentials
->get_certificate(charon
->credentials
, my_id
);
238 cert_payload
= cert_payload_create_from_x509(cert
);
239 request
->add_payload(request
, (payload_t
*)cert_payload
);
243 DBG1(DBG_IKE
, "could not find my certificate, certificate payload omitted");
247 { /* build IDr payload, if other_id defined */
248 id_payload_t
*id_payload
;
249 if (!other_id
->contains_wildcards(other_id
))
251 id_payload
= id_payload_create_from_identification(FALSE
, other_id
);
252 request
->add_payload(request
, (payload_t
*)id_payload
);
256 { /* build auth payload */
257 authenticator_t
*authenticator
;
258 auth_payload_t
*auth_payload
;
259 auth_method_t auth_method
;
262 auth_method
= this->policy
->get_auth_method(this->policy
);
263 authenticator
= authenticator_create(this->ike_sa
, auth_method
);
264 status
= authenticator
->compute_auth_data(authenticator
,
271 authenticator
->destroy(authenticator
);
272 if (status
!= SUCCESS
)
274 SIG(IKE_UP_FAILED
, "could not generate AUTH data, deleting IKE_SA");
275 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
278 request
->add_payload(request
, (payload_t
*)auth_payload
);
281 { /* build SA payload for CHILD_SA */
282 linked_list_t
*proposal_list
;
283 sa_payload_t
*sa_payload
;
284 u_int32_t soft_lifetime
, hard_lifetime
;
287 proposal_list
= this->policy
->get_proposals(this->policy
);
288 soft_lifetime
= this->policy
->get_soft_lifetime(this->policy
);
289 hard_lifetime
= this->policy
->get_hard_lifetime(this->policy
);
290 enable_natt
= this->ike_sa
->is_natt_enabled(this->ike_sa
);
291 this->child_sa
= child_sa_create(this->reqid
, me
, other
, my_id
, other_id
,
292 soft_lifetime
, hard_lifetime
,
293 this->policy
->get_updown(this->policy
),
294 this->policy
->get_hostaccess(this->policy
),
296 this->child_sa
->set_name(this->child_sa
, this->policy
->get_name(this->policy
));
297 if (this->child_sa
->alloc(this->child_sa
, proposal_list
) != SUCCESS
)
299 SIG(IKE_UP_FAILED
, "could not install CHILD_SA, deleting IKE_SA");
300 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
303 sa_payload
= sa_payload_create_from_proposal_list(proposal_list
);
304 proposal_list
->destroy_offset(proposal_list
, offsetof(proposal_t
, destroy
));
305 request
->add_payload(request
, (payload_t
*)sa_payload
);
308 { /* build TSi payload */
309 linked_list_t
*ts_list
;
310 ts_payload_t
*ts_payload
;
312 ts_list
= this->policy
->get_my_traffic_selectors(this->policy
, me
);
313 ts_payload
= ts_payload_create_from_traffic_selectors(TRUE
, ts_list
);
314 ts_list
->destroy_offset(ts_list
, offsetof(traffic_selector_t
, destroy
));
316 request
->add_payload(request
, (payload_t
*)ts_payload
);
319 { /* build TSr payload */
320 linked_list_t
*ts_list
;
321 ts_payload_t
*ts_payload
;
323 ts_list
= this->policy
->get_other_traffic_selectors(this->policy
, other
);
324 ts_payload
= ts_payload_create_from_traffic_selectors(FALSE
, ts_list
);
325 ts_list
->destroy_offset(ts_list
, offsetof(traffic_selector_t
, destroy
));
327 request
->add_payload(request
, (payload_t
*)ts_payload
);
330 this->message_id
= this->ike_sa
->get_next_message_id(this->ike_sa
);
331 request
->set_message_id(request
, this->message_id
);
336 * Handle all kind of notifies
338 static status_t
process_notifies(private_ike_auth_t
*this, notify_payload_t
*notify_payload
)
340 notify_type_t notify_type
= notify_payload
->get_notify_type(notify_payload
);
342 DBG2(DBG_IKE
, "process notify type %N", notify_type_names
, notify_type
);
346 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
347 case SINGLE_PAIR_REQUIRED
:
349 SIG(CHILD_UP_FAILED
, "received a SINGLE_PAIR_REQUIRED notify");
350 this->build_child
= FALSE
;
353 case TS_UNACCEPTABLE
:
355 SIG(CHILD_UP_FAILED
, "received TS_UNACCEPTABLE notify");
356 this->build_child
= FALSE
;
359 case NO_PROPOSAL_CHOSEN
:
361 SIG(CHILD_UP_FAILED
, "received NO_PROPOSAL_CHOSEN notify");
362 this->build_child
= FALSE
;
367 if (notify_type
< 16383)
369 SIG(IKE_UP_FAILED
, "received %N notify error, deleting IKE_SA",
370 notify_type_names
, notify_type
);
375 DBG1(DBG_IKE
, "received %N notify, ignored",
376 notify_type_names
, notify_type
);
384 * Build a notify message.
386 static void build_notify(notify_type_t type
, message_t
*message
, bool flush_message
)
388 notify_payload_t
*notify
;
393 iterator_t
*iterator
= message
->get_payload_iterator(message
);
394 while (iterator
->iterate(iterator
, (void**)&payload
))
396 payload
->destroy(payload
);
397 iterator
->remove(iterator
);
399 iterator
->destroy(iterator
);
402 notify
= notify_payload_create();
403 notify
->set_notify_type(notify
, type
);
404 message
->add_payload(message
, (payload_t
*)notify
);
408 * Import a certificate from a cert payload
410 static void import_certificate(private_ike_auth_t
*this, cert_payload_t
*cert_payload
)
414 cert_encoding_t encoding
;
416 encoding
= cert_payload
->get_cert_encoding(cert_payload
);
417 if (encoding
!= CERT_X509_SIGNATURE
)
419 DBG1(DBG_IKE
, "certificate payload %N not supported, ignored",
420 cert_encoding_names
, encoding
);
423 cert
= x509_create_from_chunk(cert_payload
->get_data_clone(cert_payload
));
426 if (charon
->credentials
->verify(charon
->credentials
, cert
, &found
))
428 DBG2(DBG_IKE
, "received end entity certificate is trusted, added to store");
431 charon
->credentials
->add_end_certificate(charon
->credentials
, cert
);
440 DBG1(DBG_IKE
, "received end entity certificate is not trusted, discarded");
446 DBG1(DBG_IKE
, "parsing of received certificate failed, discarded");
451 * Install a CHILD_SA for usage
453 static status_t
install_child_sa(private_ike_auth_t
*this, bool initiator
)
455 prf_plus_t
*prf_plus
;
459 seed
= chunk_alloc(this->nonce_i
.len
+ this->nonce_r
.len
);
460 memcpy(seed
.ptr
, this->nonce_i
.ptr
, this->nonce_i
.len
);
461 memcpy(seed
.ptr
+ this->nonce_i
.len
, this->nonce_r
.ptr
, this->nonce_r
.len
);
462 prf_plus
= prf_plus_create(this->ike_sa
->get_child_prf(this->ike_sa
), seed
);
467 status
= this->child_sa
->update(this->child_sa
, this->proposal
, prf_plus
);
471 status
= this->child_sa
->add(this->child_sa
, this->proposal
, prf_plus
);
473 prf_plus
->destroy(prf_plus
);
474 if (status
!= SUCCESS
)
480 status
= this->child_sa
->add_policies(this->child_sa
, this->tsi
, this->tsr
);
484 status
= this->child_sa
->add_policies(this->child_sa
, this->tsr
, this->tsi
);
486 if (status
!= SUCCESS
)
491 /* add to IKE_SA, and remove from transaction */
492 this->child_sa
->set_state(this->child_sa
, CHILD_INSTALLED
);
493 this->ike_sa
->add_child_sa(this->ike_sa
, this->child_sa
);
494 this->child_sa
= NULL
;
499 * Implementation of transaction_t.get_response.
501 static status_t
get_response(private_ike_auth_t
*this, message_t
*request
,
502 message_t
**result
, transaction_t
**next
)
505 identification_t
*my_id
, *other_id
;
508 iterator_t
*payloads
;
510 id_payload_t
*idi_request
= NULL
;
511 id_payload_t
*idr_request
= NULL
;
512 auth_payload_t
*auth_request
= NULL
;
513 cert_payload_t
*cert_request
= NULL
;
514 sa_payload_t
*sa_request
= NULL
;
515 ts_payload_t
*tsi_request
= NULL
;
516 ts_payload_t
*tsr_request
= NULL
;
517 id_payload_t
*idr_response
;
519 /* check if we already have built a response (retransmission) */
522 *result
= this->message
;
526 SIG(CHILD_UP_START
, "setting up CHILD_SA along with IKE_AUTH");
528 me
= this->ike_sa
->get_my_host(this->ike_sa
);
529 other
= this->ike_sa
->get_other_host(this->ike_sa
);
530 this->message_id
= request
->get_message_id(request
);
532 /* set up response */
533 response
= message_create();
534 response
->set_source(response
, me
->clone(me
));
535 response
->set_destination(response
, other
->clone(other
));
536 response
->set_exchange_type(response
, IKE_AUTH
);
537 response
->set_request(response
, FALSE
);
538 response
->set_message_id(response
, this->message_id
);
539 response
->set_ike_sa_id(response
, this->ike_sa
->get_id(this->ike_sa
));
540 this->message
= response
;
543 /* check message type */
544 if (request
->get_exchange_type(request
) != IKE_AUTH
)
546 SIG(IKE_UP_FAILED
, "IKE_AUTH response of invalid type, deleting IKE_SA");
547 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
551 /* Iterate over all payloads. */
552 payloads
= request
->get_payload_iterator(request
);
553 while (payloads
->iterate(payloads
, (void**)&payload
))
555 switch (payload
->get_type(payload
))
558 idi_request
= (id_payload_t
*)payload
;
561 idr_request
= (id_payload_t
*)payload
;
564 auth_request
= (auth_payload_t
*)payload
;
567 cert_request
= (cert_payload_t
*)payload
;
569 case SECURITY_ASSOCIATION
:
570 sa_request
= (sa_payload_t
*)payload
;
572 case TRAFFIC_SELECTOR_INITIATOR
:
573 tsi_request
= (ts_payload_t
*)payload
;
575 case TRAFFIC_SELECTOR_RESPONDER
:
576 tsr_request
= (ts_payload_t
*)payload
;
580 status
= process_notifies(this, (notify_payload_t
*)payload
);
581 if (status
== FAILED
)
583 payloads
->destroy(payloads
);
584 /* we return SUCCESS, returned FAILED means do next transaction */
587 if (status
== DESTROY_ME
)
589 payloads
->destroy(payloads
);
590 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
597 DBG1(DBG_IKE
, "ignoring %N payload",
598 payload_type_names
, payload
->get_type(payload
));
603 payloads
->destroy(payloads
);
605 /* check if we have all payloads */
606 if (!(idi_request
&& auth_request
&& sa_request
&& tsi_request
&& tsr_request
))
608 build_notify(INVALID_SYNTAX
, response
, TRUE
);
609 SIG(IKE_UP_FAILED
, "request message incomplete, deleting IKE_SA");
610 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
614 { /* process ID payload */
615 other_id
= idi_request
->get_identification(idi_request
);
618 my_id
= idr_request
->get_identification(idr_request
);
622 my_id
= identification_create_from_encoding(ID_ANY
, CHUNK_INITIALIZER
);
626 { /* get a policy and process traffic selectors */
627 linked_list_t
*my_ts
, *other_ts
;
629 my_ts
= tsr_request
->get_traffic_selectors(tsr_request
);
630 other_ts
= tsi_request
->get_traffic_selectors(tsi_request
);
632 this->policy
= charon
->policies
->get_policy(charon
->policies
,
638 this->tsr
= this->policy
->select_my_traffic_selectors(this->policy
, my_ts
, me
);
639 this->tsi
= this->policy
->select_other_traffic_selectors(this->policy
, other_ts
, other
);
641 my_ts
->destroy_offset(my_ts
, offsetof(traffic_selector_t
, destroy
));
642 other_ts
->destroy_offset(other_ts
, offsetof(traffic_selector_t
, destroy
));
644 /* TODO: We should check somehow if we have a policy, but with other
645 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
646 if (this->policy
== NULL
)
648 SIG(IKE_UP_FAILED
, "no acceptable policy for IDs %D - %D found, "
649 "deleting IKE_SA", my_id
, other_id
);
650 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
651 my_id
->destroy(my_id
);
652 other_id
->destroy(other_id
);
653 build_notify(AUTHENTICATION_FAILED
, response
, TRUE
);
656 my_id
->destroy(my_id
);
658 /* get my id from policy, which must contain a fully qualified valid id */
659 my_id
= this->policy
->get_my_id(this->policy
);
660 this->ike_sa
->set_my_id(this->ike_sa
, my_id
->clone(my_id
));
661 this->ike_sa
->set_other_id(this->ike_sa
, other_id
);
663 idr_response
= id_payload_create_from_identification(FALSE
, my_id
);
664 response
->add_payload(response
, (payload_t
*)idr_response
);
667 if (this->policy
->get_auth_method(this->policy
) == RSA_DIGITAL_SIGNATURE
668 && this->connection
->get_cert_policy(this->connection
) != CERT_NEVER_SEND
)
669 { /* build certificate payload */
671 cert_payload_t
*cert_payload
;
673 cert
= charon
->credentials
->get_certificate(charon
->credentials
, my_id
);
676 cert_payload
= cert_payload_create_from_x509(cert
);
677 response
->add_payload(response
, (payload_t
*)cert_payload
);
681 DBG1(DBG_IKE
, "could not find my certificate, cert payload omitted");
686 { /* process certificate payload */
687 import_certificate(this, cert_request
);
690 { /* process auth payload */
691 authenticator_t
*authenticator
;
692 auth_payload_t
*auth_response
;
693 auth_method_t auth_method
;
696 auth_method
= this->policy
->get_auth_method(this->policy
);
697 authenticator
= authenticator_create(this->ike_sa
, auth_method
);
698 status
= authenticator
->verify_auth_data(authenticator
, auth_request
,
704 if (status
!= SUCCESS
)
706 SIG(IKE_UP_FAILED
, "authentication failed, deleting IKE_SA");
707 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
708 build_notify(AUTHENTICATION_FAILED
, response
, TRUE
);
709 authenticator
->destroy(authenticator
);
712 status
= authenticator
->compute_auth_data(authenticator
, &auth_response
,
718 authenticator
->destroy(authenticator
);
719 if (status
!= SUCCESS
)
721 SIG(IKE_UP_FAILED
, "authentication data generation failed, deleting IKE_SA");
722 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
723 build_notify(AUTHENTICATION_FAILED
, response
, TRUE
);
726 response
->add_payload(response
, (payload_t
*)auth_response
);
729 SIG(IKE_UP_SUCCESS
, "IKE_SA '%s' established between %H[%D]...%H[%D]",
730 this->ike_sa
->get_name(this->ike_sa
), me
, my_id
, other
, other_id
);
732 { /* process SA payload */
733 linked_list_t
*proposal_list
;
734 sa_payload_t
*sa_response
;
735 ts_payload_t
*ts_response
;
737 u_int32_t soft_lifetime
, hard_lifetime
;
740 sa_response
= sa_payload_create();
742 /* get proposals from request, and select one with ours */
743 proposal_list
= sa_request
->get_proposals(sa_request
);
744 DBG2(DBG_IKE
, "selecting proposals:");
745 this->proposal
= this->policy
->select_proposal(this->policy
, proposal_list
);
746 proposal_list
->destroy_offset(proposal_list
, offsetof(proposal_t
, destroy
));
748 /* do we have a proposal? */
749 if (this->proposal
== NULL
)
751 SIG(CHILD_UP_FAILED
, "CHILD_SA proposals unacceptable, no CHILD_SA created");
752 DBG1(DBG_IKE
, "adding NO_PROPOSAL_CHOSEN notify to response");
753 build_notify(NO_PROPOSAL_CHOSEN
, response
, FALSE
);
755 /* do we have traffic selectors? */
756 else if (this->tsi
->get_count(this->tsi
) == 0 || this->tsr
->get_count(this->tsr
) == 0)
758 SIG(CHILD_UP_FAILED
, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
759 DBG1(DBG_IKE
, "adding TS_UNACCEPTABLE notify to response");
760 build_notify(TS_UNACCEPTABLE
, response
, FALSE
);
764 /* create child sa */
765 soft_lifetime
= this->policy
->get_soft_lifetime(this->policy
);
766 hard_lifetime
= this->policy
->get_hard_lifetime(this->policy
);
767 use_natt
= this->ike_sa
->is_natt_enabled(this->ike_sa
);
768 this->child_sa
= child_sa_create(this->reqid
, me
, other
, my_id
, other_id
,
769 soft_lifetime
, hard_lifetime
,
770 this->policy
->get_updown(this->policy
),
771 this->policy
->get_hostaccess(this->policy
),
773 this->child_sa
->set_name(this->child_sa
, this->policy
->get_name(this->policy
));
774 if (install_child_sa(this, FALSE
) != SUCCESS
)
776 SIG(CHILD_UP_FAILED
, "installing CHILD_SA failed, no CHILD_SA created");
777 DBG1(DBG_IKE
, "adding NO_PROPOSAL_CHOSEN notify to response");
778 build_notify(NO_PROPOSAL_CHOSEN
, response
, FALSE
);
782 /* add proposal to sa payload */
783 sa_response
->add_proposal(sa_response
, this->proposal
);
784 SIG(CHILD_UP_SUCCESS
, "CHILD_SA created");
787 response
->add_payload(response
, (payload_t
*)sa_response
);
789 /* add ts payload after sa payload */
790 ts_response
= ts_payload_create_from_traffic_selectors(TRUE
, this->tsi
);
791 response
->add_payload(response
, (payload_t
*)ts_response
);
792 ts_response
= ts_payload_create_from_traffic_selectors(FALSE
, this->tsr
);
793 response
->add_payload(response
, (payload_t
*)ts_response
);
795 /* set established state */
796 this->ike_sa
->set_state(this->ike_sa
, IKE_ESTABLISHED
);
802 * Implementation of transaction_t.conclude
804 static status_t
conclude(private_ike_auth_t
*this, message_t
*response
,
805 transaction_t
**transaction
)
807 iterator_t
*payloads
;
810 identification_t
*other_id
, *my_id
;
811 ts_payload_t
*tsi_payload
= NULL
;
812 ts_payload_t
*tsr_payload
= NULL
;
813 id_payload_t
*idr_payload
= NULL
;
814 cert_payload_t
*cert_payload
= NULL
;
815 auth_payload_t
*auth_payload
= NULL
;
816 sa_payload_t
*sa_payload
= NULL
;
819 /* check message type */
820 if (response
->get_exchange_type(response
) != IKE_AUTH
)
822 SIG(IKE_UP_FAILED
, "IKE_AUTH response of invalid type, deleting IKE_SA");
823 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
827 me
= this->ike_sa
->get_my_host(this->ike_sa
);
828 other
= this->ike_sa
->get_other_host(this->ike_sa
);
830 /* Iterate over all payloads to collect them */
831 payloads
= response
->get_payload_iterator(response
);
832 while (payloads
->iterate(payloads
, (void**)&payload
))
834 switch (payload
->get_type(payload
))
837 idr_payload
= (id_payload_t
*)payload
;
840 auth_payload
= (auth_payload_t
*)payload
;
843 cert_payload
= (cert_payload_t
*)payload
;
845 case SECURITY_ASSOCIATION
:
846 sa_payload
= (sa_payload_t
*)payload
;
848 case TRAFFIC_SELECTOR_INITIATOR
:
849 tsi_payload
= (ts_payload_t
*)payload
;
851 case TRAFFIC_SELECTOR_RESPONDER
:
852 tsr_payload
= (ts_payload_t
*)payload
;
856 status
= process_notifies(this, (notify_payload_t
*)payload
);
857 if (status
== FAILED
)
859 payloads
->destroy(payloads
);
860 /* we return SUCCESS, as transaction completet */
863 if (status
== DESTROY_ME
)
865 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
866 payloads
->destroy(payloads
);
873 DBG1(DBG_IKE
, "ignoring payload %N",
874 payload_type_names
, payload
->get_type(payload
));
879 payloads
->destroy(payloads
);
881 if (!(idr_payload
&& auth_payload
&& sa_payload
&& tsi_payload
&& tsr_payload
))
883 SIG(IKE_UP_FAILED
, "response message incomplete, deleting IKE_SA");
884 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
888 { /* process idr payload */
889 identification_t
*configured_other_id
;
892 other_id
= idr_payload
->get_identification(idr_payload
);
893 configured_other_id
= this->policy
->get_other_id(this->policy
);
895 if (!other_id
->matches(other_id
, configured_other_id
, &wildcards
))
897 other_id
->destroy(other_id
);
898 SIG(IKE_UP_FAILED
, "other peer uses unacceptable ID (%D, excepted "
899 "%D), deleting IKE_SA", other_id
, configured_other_id
);
900 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
903 /* update other ID. It was already set, but may contain wildcards */
904 this->ike_sa
->set_other_id(this->ike_sa
, other_id
);
908 { /* process cert payload */
909 import_certificate(this, cert_payload
);
912 { /* authenticate peer */
913 authenticator_t
*authenticator
;
914 auth_method_t auth_method
;
917 auth_method
= this->policy
->get_auth_method(this->policy
);
918 authenticator
= authenticator_create(this->ike_sa
, auth_method
);
919 my_id
= this->policy
->get_my_id(this->policy
);
921 status
= authenticator
->verify_auth_data(authenticator
,
928 authenticator
->destroy(authenticator
);
929 if (status
!= SUCCESS
)
931 SIG(IKE_UP_FAILED
, "authentication of '%D' with %N failed, "
932 "deleting IKE_SA", other_id
, auth_method_names
, auth_method
);
933 SIG(CHILD_UP_FAILED
, "initiating CHILD_SA failed, unable to create IKE_SA");
938 SIG(IKE_UP_SUCCESS
, "IKE_SA '%s' established between %H[%D]...%H[%D]",
939 this->ike_sa
->get_name(this->ike_sa
), me
, my_id
, other
, other_id
);
941 { /* process traffic selectors for us */
942 linked_list_t
*ts_received
= tsi_payload
->get_traffic_selectors(tsi_payload
);
943 this->tsi
= this->policy
->select_my_traffic_selectors(this->policy
, ts_received
, me
);
944 ts_received
->destroy_offset(ts_received
, offsetof(traffic_selector_t
, destroy
));
947 { /* process traffic selectors for other */
948 linked_list_t
*ts_received
= tsr_payload
->get_traffic_selectors(tsr_payload
);
949 this->tsr
= this->policy
->select_other_traffic_selectors(this->policy
, ts_received
, other
);
950 ts_received
->destroy_offset(ts_received
, offsetof(traffic_selector_t
, destroy
));
953 { /* process sa payload */
954 linked_list_t
*proposal_list
;
956 proposal_list
= sa_payload
->get_proposals(sa_payload
);
957 /* we have to re-check here if other's selection is valid */
958 this->proposal
= this->policy
->select_proposal(this->policy
, proposal_list
);
959 proposal_list
->destroy_offset(proposal_list
, offsetof(proposal_t
, destroy
));
961 /* everything fine to create CHILD? */
962 if (this->proposal
== NULL
||
963 this->tsi
->get_count(this->tsi
) == 0 ||
964 this->tsr
->get_count(this->tsr
) == 0 ||
967 SIG(CHILD_UP_FAILED
, "CHILD_SA negotiation failed, no CHILD_SA built");
971 if (install_child_sa(this, TRUE
) != SUCCESS
)
973 SIG(CHILD_UP_FAILED
, "installing CHILD_SA failed, no CHILD_SA built");
974 /* TODO: we should send a DELETE for that CHILD to stay
975 * synchronous with the peer */
979 SIG(CHILD_UP_SUCCESS
, "CHILD_SA created");
984 this->ike_sa
->set_state(this->ike_sa
, IKE_ESTABLISHED
);
989 * implements transaction_t.destroy
991 static void destroy(private_ike_auth_t
*this)
993 DESTROY_IF(this->message
);
994 DESTROY_IF(this->proposal
);
995 DESTROY_IF(this->child_sa
);
996 DESTROY_IF(this->policy
);
997 DESTROY_IF(this->connection
);
1000 this->tsi
->destroy_offset(this->tsi
, offsetof(traffic_selector_t
, destroy
));
1004 this->tsr
->destroy_offset(this->tsr
, offsetof(traffic_selector_t
, destroy
));
1006 chunk_free(&this->nonce_i
);
1007 chunk_free(&this->nonce_r
);
1008 chunk_free(&this->init_request
);
1009 chunk_free(&this->init_response
);
1014 * Described in header.
1016 ike_auth_t
*ike_auth_create(ike_sa_t
*ike_sa
)
1018 private_ike_auth_t
*this = malloc_thing(private_ike_auth_t
);
1020 /* transaction interface functions */
1021 this->public.transaction
.get_request
= (status_t(*)(transaction_t
*,message_t
**))get_request
;
1022 this->public.transaction
.get_response
= (status_t(*)(transaction_t
*,message_t
*,message_t
**,transaction_t
**))get_response
;
1023 this->public.transaction
.conclude
= (status_t(*)(transaction_t
*,message_t
*,transaction_t
**))conclude
;
1024 this->public.transaction
.get_message_id
= (u_int32_t(*)(transaction_t
*))get_message_id
;
1025 this->public.transaction
.requested
= (u_int32_t(*)(transaction_t
*))requested
;
1026 this->public.transaction
.destroy
= (void(*)(transaction_t
*))destroy
;
1028 /* public functions */
1029 this->public.set_config
= (void(*)(ike_auth_t
*,connection_t
*,policy_t
*))set_config
;
1030 this->public.set_reqid
= (void(*)(ike_auth_t
*,u_int32_t
))set_reqid
;
1031 this->public.set_nonces
= (void(*)(ike_auth_t
*,chunk_t
,chunk_t
))set_nonces
;
1032 this->public.set_init_messages
= (void(*)(ike_auth_t
*,chunk_t
,chunk_t
))set_init_messages
;
1035 this->ike_sa
= ike_sa
;
1036 this->message_id
= 0;
1037 this->message
= NULL
;
1038 this->requested
= 0;
1039 this->nonce_i
= CHUNK_INITIALIZER
;
1040 this->nonce_r
= CHUNK_INITIALIZER
;
1041 this->init_request
= CHUNK_INITIALIZER
;
1042 this->init_response
= CHUNK_INITIALIZER
;
1043 this->child_sa
= NULL
;
1044 this->proposal
= NULL
;
1047 this->build_child
= TRUE
;
1050 return &this->public;