some improvements in signaling code
[strongswan.git] / src / charon / sa / transactions / ike_auth.c
1 /**
2 * @file ike_auth.c
3 *
4 * @brief Implementation of ike_auth_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include "ike_auth.h"
26
27 #include <string.h>
28
29 #include <daemon.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
38
39
40 typedef struct private_ike_auth_t private_ike_auth_t;
41
42 /**
43 * Private members of a ike_auth_t object..
44 */
45 struct private_ike_auth_t {
46
47 /**
48 * Public methods and transaction_t interface.
49 */
50 ike_auth_t public;
51
52 /**
53 * Assigned IKE_SA.
54 */
55 ike_sa_t *ike_sa;
56
57 /**
58 * Message sent by our peer, if already generated
59 */
60 message_t *message;
61
62 /**
63 * Message ID this transaction uses
64 */
65 u_int32_t message_id;
66
67 /**
68 * Times we did send the request
69 */
70 u_int32_t requested;
71
72 /**
73 * initiator chosen nonce
74 */
75 chunk_t nonce_i;
76
77 /**
78 * responder chosen nonce
79 */
80 chunk_t nonce_r;
81
82 /**
83 * encoded request message of ike_sa_init transaction
84 */
85 chunk_t init_request;
86
87 /**
88 * encoded response message of ike_sa_init transaction
89 */
90 chunk_t init_response;
91
92 /**
93 * connection definition used for IKE_SA setup
94 */
95 connection_t *connection;
96
97 /**
98 * policy definition used CHILD_SA creation
99 */
100 policy_t *policy;
101
102 /**
103 * Negotiated proposal used for CHILD_SA
104 */
105 proposal_t *proposal;
106
107 /**
108 * Negotiated traffic selectors for initiator
109 */
110 linked_list_t *tsi;
111
112 /**
113 * Negotiated traffic selectors for responder
114 */
115 linked_list_t *tsr;
116
117 /**
118 * CHILD_SA created along with IKE_AUTH
119 */
120 child_sa_t *child_sa;
121
122 /**
123 * did other peer create a CHILD_SA?
124 */
125 bool build_child;
126
127 /**
128 * reqid to use for CHILD_SA setup
129 */
130 u_int32_t reqid;
131 };
132
133 /**
134 * Implementation of transaction_t.get_message_id.
135 */
136 static u_int32_t get_message_id(private_ike_auth_t *this)
137 {
138 return this->message_id;
139 }
140
141 /**
142 * Implementation of transaction_t.requested.
143 */
144 static u_int32_t requested(private_ike_auth_t *this)
145 {
146 return this->requested++;
147 }
148
149 /**
150 * Implementation of transaction_t.set_config.
151 */
152 static void set_config(private_ike_auth_t *this,
153 connection_t *connection, policy_t *policy)
154 {
155 this->connection = connection;
156 this->policy = policy;
157 }
158
159 /**
160 * Implementation of transaction_t.set_reqid.
161 */
162 static void set_reqid(private_ike_auth_t *this, u_int32_t reqid)
163 {
164 this->reqid = reqid;
165 }
166
167 /**
168 * Implementation of transaction_t.set_nonces.
169 */
170 static void set_nonces(private_ike_auth_t *this, chunk_t nonce_i, chunk_t nonce_r)
171 {
172 this->nonce_i = nonce_i;
173 this->nonce_r = nonce_r;
174 }
175
176 /**
177 * Implementation of transaction_t.set_init_messages.
178 */
179 static void set_init_messages(private_ike_auth_t *this, chunk_t init_request, chunk_t init_response)
180 {
181 this->init_request = init_request;
182 this->init_response = init_response;
183 }
184
185 /**
186 * Implementation of transaction_t.get_request.
187 */
188 static status_t get_request(private_ike_auth_t *this, message_t **result)
189 {
190 message_t *request;
191 host_t *me, *other;
192 identification_t *my_id, *other_id;
193 id_payload_t *my_id_payload;
194
195 /* check if we already have built a message (retransmission) */
196 if (this->message)
197 {
198 *result = this->message;
199 return SUCCESS;
200 }
201
202 me = this->ike_sa->get_my_host(this->ike_sa);
203 other = this->ike_sa->get_other_host(this->ike_sa);
204 my_id = this->policy->get_my_id(this->policy);
205 other_id = this->policy->get_other_id(this->policy);
206
207 /* build the request */
208 request = message_create();
209 request->set_source(request, me->clone(me));
210 request->set_destination(request, other->clone(other));
211 request->set_exchange_type(request, IKE_AUTH);
212 request->set_request(request, TRUE);
213 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
214 /* apply for caller */
215 *result = request;
216 /* store for retransmission */
217 this->message = request;
218
219 { /* build ID payload */
220 my_id_payload = id_payload_create_from_identification(TRUE, my_id);
221 request->add_payload(request, (payload_t*)my_id_payload);
222 }
223
224 { /* TODO: build certreq payload */
225
226 }
227
228 /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
229 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
230 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
231 {
232 cert_payload_t *cert_payload;
233
234 x509_t *cert = charon->credentials->get_certificate(charon->credentials, my_id);
235
236 if (cert)
237 {
238 cert_payload = cert_payload_create_from_x509(cert);
239 request->add_payload(request, (payload_t*)cert_payload);
240 }
241 else
242 {
243 DBG1(DBG_IKE, "could not find my certificate, certificate payload omitted");
244 }
245 }
246
247 { /* build IDr payload, if other_id defined */
248 id_payload_t *id_payload;
249 if (!other_id->contains_wildcards(other_id))
250 {
251 id_payload = id_payload_create_from_identification(FALSE, other_id);
252 request->add_payload(request, (payload_t*)id_payload);
253 }
254 }
255
256 { /* build auth payload */
257 authenticator_t *authenticator;
258 auth_payload_t *auth_payload;
259 auth_method_t auth_method;
260 status_t status;
261
262 auth_method = this->policy->get_auth_method(this->policy);
263 authenticator = authenticator_create(this->ike_sa, auth_method);
264 status = authenticator->compute_auth_data(authenticator,
265 &auth_payload,
266 this->init_request,
267 this->nonce_r,
268 my_id,
269 other_id,
270 TRUE);
271 authenticator->destroy(authenticator);
272 if (status != SUCCESS)
273 {
274 SIG(IKE_UP_FAILED, "could not generate AUTH data, deleting IKE_SA");
275 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
276 return DESTROY_ME;
277 }
278 request->add_payload(request, (payload_t*)auth_payload);
279 }
280
281 { /* build SA payload for CHILD_SA */
282 linked_list_t *proposal_list;
283 sa_payload_t *sa_payload;
284 u_int32_t soft_lifetime, hard_lifetime;
285 bool enable_natt;
286
287 proposal_list = this->policy->get_proposals(this->policy);
288 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
289 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
290 enable_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
291 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
292 soft_lifetime, hard_lifetime,
293 this->policy->get_updown(this->policy),
294 this->policy->get_hostaccess(this->policy),
295 enable_natt);
296 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
297 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
298 {
299 SIG(IKE_UP_FAILED, "could not install CHILD_SA, deleting IKE_SA");
300 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
301 return DESTROY_ME;
302 }
303 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
304 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
305 request->add_payload(request, (payload_t*)sa_payload);
306 }
307
308 { /* build TSi payload */
309 linked_list_t *ts_list;
310 ts_payload_t *ts_payload;
311
312 ts_list = this->policy->get_my_traffic_selectors(this->policy, me);
313 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
314 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
315
316 request->add_payload(request, (payload_t*)ts_payload);
317 }
318
319 { /* build TSr payload */
320 linked_list_t *ts_list;
321 ts_payload_t *ts_payload;
322
323 ts_list = this->policy->get_other_traffic_selectors(this->policy, other);
324 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
325 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
326
327 request->add_payload(request, (payload_t*)ts_payload);
328 }
329
330 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
331 request->set_message_id(request, this->message_id);
332 return SUCCESS;
333 }
334
335 /**
336 * Handle all kind of notifies
337 */
338 static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
339 {
340 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
341
342 DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
343
344 switch (notify_type)
345 {
346 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
347 case SINGLE_PAIR_REQUIRED:
348 {
349 SIG(CHILD_UP_FAILED, "received a SINGLE_PAIR_REQUIRED notify");
350 this->build_child = FALSE;
351 return SUCCESS;
352 }
353 case TS_UNACCEPTABLE:
354 {
355 SIG(CHILD_UP_FAILED, "received TS_UNACCEPTABLE notify");
356 this->build_child = FALSE;
357 return SUCCESS;
358 }
359 case NO_PROPOSAL_CHOSEN:
360 {
361 SIG(CHILD_UP_FAILED, "received NO_PROPOSAL_CHOSEN notify");
362 this->build_child = FALSE;
363 return SUCCESS;
364 }
365 default:
366 {
367 if (notify_type < 16383)
368 {
369 SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA",
370 notify_type_names, notify_type);
371 return DESTROY_ME;
372 }
373 else
374 {
375 DBG1(DBG_IKE, "received %N notify, ignored",
376 notify_type_names, notify_type);
377 return SUCCESS;
378 }
379 }
380 }
381 }
382
383 /**
384 * Build a notify message.
385 */
386 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
387 {
388 notify_payload_t *notify;
389
390 if (flush_message)
391 {
392 payload_t *payload;
393 iterator_t *iterator = message->get_payload_iterator(message);
394 while (iterator->iterate(iterator, (void**)&payload))
395 {
396 payload->destroy(payload);
397 iterator->remove(iterator);
398 }
399 iterator->destroy(iterator);
400 }
401
402 notify = notify_payload_create();
403 notify->set_notify_type(notify, type);
404 message->add_payload(message, (payload_t*)notify);
405 }
406
407 /**
408 * Import a certificate from a cert payload
409 */
410 static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_payload)
411 {
412 bool found;
413 x509_t *cert;
414 cert_encoding_t encoding;
415
416 encoding = cert_payload->get_cert_encoding(cert_payload);
417 if (encoding != CERT_X509_SIGNATURE)
418 {
419 DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
420 cert_encoding_names, encoding);
421 return;
422 }
423 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
424 if (cert)
425 {
426 if (charon->credentials->verify(charon->credentials, cert, &found))
427 {
428 DBG2(DBG_IKE, "received end entity certificate is trusted, added to store");
429 if (!found)
430 {
431 charon->credentials->add_end_certificate(charon->credentials, cert);
432 }
433 else
434 {
435 cert->destroy(cert);
436 }
437 }
438 else
439 {
440 DBG1(DBG_IKE, "received end entity certificate is not trusted, discarded");
441 cert->destroy(cert);
442 }
443 }
444 else
445 {
446 DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
447 }
448 }
449
450 /**
451 * Install a CHILD_SA for usage
452 */
453 static status_t install_child_sa(private_ike_auth_t *this, bool initiator)
454 {
455 prf_plus_t *prf_plus;
456 chunk_t seed;
457 status_t status;
458
459 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
460 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
461 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
462 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
463 chunk_free(&seed);
464
465 if (initiator)
466 {
467 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
468 }
469 else
470 {
471 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
472 }
473 prf_plus->destroy(prf_plus);
474 if (status != SUCCESS)
475 {
476 return DESTROY_ME;
477 }
478 if (initiator)
479 {
480 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
481 }
482 else
483 {
484 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
485 }
486 if (status != SUCCESS)
487 {
488 return DESTROY_ME;
489 }
490
491 /* add to IKE_SA, and remove from transaction */
492 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
493 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
494 this->child_sa = NULL;
495 return SUCCESS;
496 }
497
498 /**
499 * Implementation of transaction_t.get_response.
500 */
501 static status_t get_response(private_ike_auth_t *this, message_t *request,
502 message_t **result, transaction_t **next)
503 {
504 host_t *me, *other;
505 identification_t *my_id, *other_id;
506 message_t *response;
507 status_t status;
508 iterator_t *payloads;
509 payload_t *payload;
510 id_payload_t *idi_request = NULL;
511 id_payload_t *idr_request = NULL;
512 auth_payload_t *auth_request = NULL;
513 cert_payload_t *cert_request = NULL;
514 sa_payload_t *sa_request = NULL;
515 ts_payload_t *tsi_request = NULL;
516 ts_payload_t *tsr_request = NULL;
517 id_payload_t *idr_response;
518
519 /* check if we already have built a response (retransmission) */
520 if (this->message)
521 {
522 *result = this->message;
523 return SUCCESS;
524 }
525
526 SIG(CHILD_UP_START, "setting up CHILD_SA along with IKE_AUTH");
527
528 me = this->ike_sa->get_my_host(this->ike_sa);
529 other = this->ike_sa->get_other_host(this->ike_sa);
530 this->message_id = request->get_message_id(request);
531
532 /* set up response */
533 response = message_create();
534 response->set_source(response, me->clone(me));
535 response->set_destination(response, other->clone(other));
536 response->set_exchange_type(response, IKE_AUTH);
537 response->set_request(response, FALSE);
538 response->set_message_id(response, this->message_id);
539 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
540 this->message = response;
541 *result = response;
542
543 /* check message type */
544 if (request->get_exchange_type(request) != IKE_AUTH)
545 {
546 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
547 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
548 return DESTROY_ME;
549 }
550
551 /* Iterate over all payloads. */
552 payloads = request->get_payload_iterator(request);
553 while (payloads->iterate(payloads, (void**)&payload))
554 {
555 switch (payload->get_type(payload))
556 {
557 case ID_INITIATOR:
558 idi_request = (id_payload_t*)payload;
559 break;
560 case ID_RESPONDER:
561 idr_request = (id_payload_t*)payload;
562 break;
563 case AUTHENTICATION:
564 auth_request = (auth_payload_t*)payload;
565 break;
566 case CERTIFICATE:
567 cert_request = (cert_payload_t*)payload;
568 break;
569 case SECURITY_ASSOCIATION:
570 sa_request = (sa_payload_t*)payload;
571 break;
572 case TRAFFIC_SELECTOR_INITIATOR:
573 tsi_request = (ts_payload_t*)payload;
574 break;
575 case TRAFFIC_SELECTOR_RESPONDER:
576 tsr_request = (ts_payload_t*)payload;
577 break;
578 case NOTIFY:
579 {
580 status = process_notifies(this, (notify_payload_t*)payload);
581 if (status == FAILED)
582 {
583 payloads->destroy(payloads);
584 /* we return SUCCESS, returned FAILED means do next transaction */
585 return SUCCESS;
586 }
587 if (status == DESTROY_ME)
588 {
589 payloads->destroy(payloads);
590 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
591 return DESTROY_ME;
592 }
593 break;
594 }
595 default:
596 {
597 DBG1(DBG_IKE, "ignoring %N payload",
598 payload_type_names, payload->get_type(payload));
599 break;
600 }
601 }
602 }
603 payloads->destroy(payloads);
604
605 /* check if we have all payloads */
606 if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
607 {
608 build_notify(INVALID_SYNTAX, response, TRUE);
609 SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
610 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
611 return DESTROY_ME;
612 }
613
614 { /* process ID payload */
615 other_id = idi_request->get_identification(idi_request);
616 if (idr_request)
617 {
618 my_id = idr_request->get_identification(idr_request);
619 }
620 else
621 {
622 my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
623 }
624 }
625
626 { /* get a policy and process traffic selectors */
627 linked_list_t *my_ts, *other_ts;
628
629 my_ts = tsr_request->get_traffic_selectors(tsr_request);
630 other_ts = tsi_request->get_traffic_selectors(tsi_request);
631
632 this->policy = charon->policies->get_policy(charon->policies,
633 my_id, other_id,
634 my_ts, other_ts,
635 me, other);
636 if (this->policy)
637 {
638 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
639 this->tsi = this->policy->select_other_traffic_selectors(this->policy, other_ts, other);
640 }
641 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
642 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
643
644 /* TODO: We should check somehow if we have a policy, but with other
645 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
646 if (this->policy == NULL)
647 {
648 SIG(IKE_UP_FAILED, "no acceptable policy for IDs %D - %D found, "
649 "deleting IKE_SA", my_id, other_id);
650 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
651 my_id->destroy(my_id);
652 other_id->destroy(other_id);
653 build_notify(AUTHENTICATION_FAILED, response, TRUE);
654 return DESTROY_ME;
655 }
656 my_id->destroy(my_id);
657
658 /* get my id from policy, which must contain a fully qualified valid id */
659 my_id = this->policy->get_my_id(this->policy);
660 this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
661 this->ike_sa->set_other_id(this->ike_sa, other_id);
662
663 idr_response = id_payload_create_from_identification(FALSE, my_id);
664 response->add_payload(response, (payload_t*)idr_response);
665 }
666
667 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
668 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
669 { /* build certificate payload */
670 x509_t *cert;
671 cert_payload_t *cert_payload;
672
673 cert = charon->credentials->get_certificate(charon->credentials, my_id);
674 if (cert)
675 {
676 cert_payload = cert_payload_create_from_x509(cert);
677 response->add_payload(response, (payload_t *)cert_payload);
678 }
679 else
680 {
681 DBG1(DBG_IKE, "could not find my certificate, cert payload omitted");
682 }
683 }
684
685 if (cert_request)
686 { /* process certificate payload */
687 import_certificate(this, cert_request);
688 }
689
690 { /* process auth payload */
691 authenticator_t *authenticator;
692 auth_payload_t *auth_response;
693 auth_method_t auth_method;
694 status_t status;
695
696 auth_method = this->policy->get_auth_method(this->policy);
697 authenticator = authenticator_create(this->ike_sa, auth_method);
698 status = authenticator->verify_auth_data(authenticator, auth_request,
699 this->init_request,
700 this->nonce_r,
701 my_id,
702 other_id,
703 TRUE);
704 if (status != SUCCESS)
705 {
706 SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA");
707 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
708 build_notify(AUTHENTICATION_FAILED, response, TRUE);
709 authenticator->destroy(authenticator);
710 return DESTROY_ME;
711 }
712 status = authenticator->compute_auth_data(authenticator, &auth_response,
713 this->init_response,
714 this->nonce_i,
715 my_id,
716 other_id,
717 FALSE);
718 authenticator->destroy(authenticator);
719 if (status != SUCCESS)
720 {
721 SIG(IKE_UP_FAILED, "authentication data generation failed, deleting IKE_SA");
722 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
723 build_notify(AUTHENTICATION_FAILED, response, TRUE);
724 return DESTROY_ME;
725 }
726 response->add_payload(response, (payload_t*)auth_response);
727 }
728
729 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
730 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
731
732 { /* process SA payload */
733 linked_list_t *proposal_list;
734 sa_payload_t *sa_response;
735 ts_payload_t *ts_response;
736 bool use_natt;
737 u_int32_t soft_lifetime, hard_lifetime;
738
739 /* prepare reply */
740 sa_response = sa_payload_create();
741
742 /* get proposals from request, and select one with ours */
743 proposal_list = sa_request->get_proposals(sa_request);
744 DBG2(DBG_IKE, "selecting proposals:");
745 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
746 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
747
748 /* do we have a proposal? */
749 if (this->proposal == NULL)
750 {
751 SIG(CHILD_UP_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created");
752 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
753 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
754 }
755 /* do we have traffic selectors? */
756 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
757 {
758 SIG(CHILD_UP_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
759 DBG1(DBG_IKE, "adding TS_UNACCEPTABLE notify to response");
760 build_notify(TS_UNACCEPTABLE, response, FALSE);
761 }
762 else
763 {
764 /* create child sa */
765 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
766 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
767 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
768 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
769 soft_lifetime, hard_lifetime,
770 this->policy->get_updown(this->policy),
771 this->policy->get_hostaccess(this->policy),
772 use_natt);
773 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
774 if (install_child_sa(this, FALSE) != SUCCESS)
775 {
776 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA created");
777 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
778 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
779 }
780 else
781 {
782 /* add proposal to sa payload */
783 sa_response->add_proposal(sa_response, this->proposal);
784 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
785 }
786 }
787 response->add_payload(response, (payload_t*)sa_response);
788
789 /* add ts payload after sa payload */
790 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
791 response->add_payload(response, (payload_t*)ts_response);
792 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
793 response->add_payload(response, (payload_t*)ts_response);
794 }
795 /* set established state */
796 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
797 return SUCCESS;
798 }
799
800
801 /**
802 * Implementation of transaction_t.conclude
803 */
804 static status_t conclude(private_ike_auth_t *this, message_t *response,
805 transaction_t **transaction)
806 {
807 iterator_t *payloads;
808 payload_t *payload;
809 host_t *me, *other;
810 identification_t *other_id, *my_id;
811 ts_payload_t *tsi_payload = NULL;
812 ts_payload_t *tsr_payload = NULL;
813 id_payload_t *idr_payload = NULL;
814 cert_payload_t *cert_payload = NULL;
815 auth_payload_t *auth_payload = NULL;
816 sa_payload_t *sa_payload = NULL;
817 status_t status;
818
819 /* check message type */
820 if (response->get_exchange_type(response) != IKE_AUTH)
821 {
822 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
823 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
824 return DESTROY_ME;
825 }
826
827 me = this->ike_sa->get_my_host(this->ike_sa);
828 other = this->ike_sa->get_other_host(this->ike_sa);
829
830 /* Iterate over all payloads to collect them */
831 payloads = response->get_payload_iterator(response);
832 while (payloads->iterate(payloads, (void**)&payload))
833 {
834 switch (payload->get_type(payload))
835 {
836 case ID_RESPONDER:
837 idr_payload = (id_payload_t*)payload;
838 break;
839 case AUTHENTICATION:
840 auth_payload = (auth_payload_t*)payload;
841 break;
842 case CERTIFICATE:
843 cert_payload = (cert_payload_t*)payload;
844 break;
845 case SECURITY_ASSOCIATION:
846 sa_payload = (sa_payload_t*)payload;
847 break;
848 case TRAFFIC_SELECTOR_INITIATOR:
849 tsi_payload = (ts_payload_t*)payload;
850 break;
851 case TRAFFIC_SELECTOR_RESPONDER:
852 tsr_payload = (ts_payload_t*)payload;
853 break;
854 case NOTIFY:
855 {
856 status = process_notifies(this, (notify_payload_t*)payload);
857 if (status == FAILED)
858 {
859 payloads->destroy(payloads);
860 /* we return SUCCESS, as transaction completet */
861 return SUCCESS;
862 }
863 if (status == DESTROY_ME)
864 {
865 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
866 payloads->destroy(payloads);
867 return status;
868 }
869 break;
870 }
871 default:
872 {
873 DBG1(DBG_IKE, "ignoring payload %N",
874 payload_type_names, payload->get_type(payload));
875 break;
876 }
877 }
878 }
879 payloads->destroy(payloads);
880
881 if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
882 {
883 SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA");
884 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
885 return DESTROY_ME;
886 }
887
888 { /* process idr payload */
889 identification_t *configured_other_id;
890 int wildcards;
891
892 other_id = idr_payload->get_identification(idr_payload);
893 configured_other_id = this->policy->get_other_id(this->policy);
894
895 if (!other_id->matches(other_id, configured_other_id, &wildcards))
896 {
897 other_id->destroy(other_id);
898 SIG(IKE_UP_FAILED, "other peer uses unacceptable ID (%D, excepted "
899 "%D), deleting IKE_SA", other_id, configured_other_id);
900 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
901 return DESTROY_ME;
902 }
903 /* update other ID. It was already set, but may contain wildcards */
904 this->ike_sa->set_other_id(this->ike_sa, other_id);
905 }
906
907 if (cert_payload)
908 { /* process cert payload */
909 import_certificate(this, cert_payload);
910 }
911
912 { /* authenticate peer */
913 authenticator_t *authenticator;
914 auth_method_t auth_method;
915 status_t status;
916
917 auth_method = this->policy->get_auth_method(this->policy);
918 authenticator = authenticator_create(this->ike_sa, auth_method);
919 my_id = this->policy->get_my_id(this->policy);
920
921 status = authenticator->verify_auth_data(authenticator,
922 auth_payload,
923 this->init_response,
924 this->nonce_i,
925 my_id,
926 other_id,
927 FALSE);
928 authenticator->destroy(authenticator);
929 if (status != SUCCESS)
930 {
931 SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed, "
932 "deleting IKE_SA", other_id, auth_method_names, auth_method);
933 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
934 return DESTROY_ME;
935 }
936 }
937
938 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
939 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
940
941 { /* process traffic selectors for us */
942 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
943 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
944 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
945 }
946
947 { /* process traffic selectors for other */
948 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
949 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received, other);
950 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
951 }
952
953 { /* process sa payload */
954 linked_list_t *proposal_list;
955
956 proposal_list = sa_payload->get_proposals(sa_payload);
957 /* we have to re-check here if other's selection is valid */
958 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
959 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
960
961 /* everything fine to create CHILD? */
962 if (this->proposal == NULL ||
963 this->tsi->get_count(this->tsi) == 0 ||
964 this->tsr->get_count(this->tsr) == 0 ||
965 !this->build_child)
966 {
967 SIG(CHILD_UP_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
968 }
969 else
970 {
971 if (install_child_sa(this, TRUE) != SUCCESS)
972 {
973 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
974 /* TODO: we should send a DELETE for that CHILD to stay
975 * synchronous with the peer */
976 }
977 else
978 {
979 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
980 }
981 }
982 }
983 /* set new state */
984 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
985 return SUCCESS;
986 }
987
988 /**
989 * implements transaction_t.destroy
990 */
991 static void destroy(private_ike_auth_t *this)
992 {
993 DESTROY_IF(this->message);
994 DESTROY_IF(this->proposal);
995 DESTROY_IF(this->child_sa);
996 DESTROY_IF(this->policy);
997 DESTROY_IF(this->connection);
998 if (this->tsi)
999 {
1000 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1001 }
1002 if (this->tsr)
1003 {
1004 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1005 }
1006 chunk_free(&this->nonce_i);
1007 chunk_free(&this->nonce_r);
1008 chunk_free(&this->init_request);
1009 chunk_free(&this->init_response);
1010 free(this);
1011 }
1012
1013 /*
1014 * Described in header.
1015 */
1016 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
1017 {
1018 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1019
1020 /* transaction interface functions */
1021 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
1022 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
1023 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
1024 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
1025 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
1026 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
1027
1028 /* public functions */
1029 this->public.set_config = (void(*)(ike_auth_t*,connection_t*,policy_t*))set_config;
1030 this->public.set_reqid = (void(*)(ike_auth_t*,u_int32_t))set_reqid;
1031 this->public.set_nonces = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_nonces;
1032 this->public.set_init_messages = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_init_messages;
1033
1034 /* private data */
1035 this->ike_sa = ike_sa;
1036 this->message_id = 0;
1037 this->message = NULL;
1038 this->requested = 0;
1039 this->nonce_i = CHUNK_INITIALIZER;
1040 this->nonce_r = CHUNK_INITIALIZER;
1041 this->init_request = CHUNK_INITIALIZER;
1042 this->init_response = CHUNK_INITIALIZER;
1043 this->child_sa = NULL;
1044 this->proposal = NULL;
1045 this->tsi = NULL;
1046 this->tsr = NULL;
1047 this->build_child = TRUE;
1048 this->reqid = 0;
1049
1050 return &this->public;
1051 }