44cd8079d71998d3a78a33a9cd239a4e7c286dd5
[strongswan.git] / src / charon / sa / transactions / ike_auth.c
1 /**
2 * @file ike_auth.c
3 *
4 * @brief Implementation of ike_auth_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include "ike_auth.h"
26
27 #include <string.h>
28
29 #include <daemon.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
38
39
40 typedef struct private_ike_auth_t private_ike_auth_t;
41
42 /**
43 * Private members of a ike_auth_t object..
44 */
45 struct private_ike_auth_t {
46
47 /**
48 * Public methods and transaction_t interface.
49 */
50 ike_auth_t public;
51
52 /**
53 * Assigned IKE_SA.
54 */
55 ike_sa_t *ike_sa;
56
57 /**
58 * Message sent by our peer, if already generated
59 */
60 message_t *message;
61
62 /**
63 * Message ID this transaction uses
64 */
65 u_int32_t message_id;
66
67 /**
68 * Times we did send the request
69 */
70 u_int32_t requested;
71
72 /**
73 * initiator chosen nonce
74 */
75 chunk_t nonce_i;
76
77 /**
78 * responder chosen nonce
79 */
80 chunk_t nonce_r;
81
82 /**
83 * encoded request message of ike_sa_init transaction
84 */
85 chunk_t init_request;
86
87 /**
88 * encoded response message of ike_sa_init transaction
89 */
90 chunk_t init_response;
91
92 /**
93 * connection definition used for IKE_SA setup
94 */
95 connection_t *connection;
96
97 /**
98 * policy definition used CHILD_SA creation
99 */
100 policy_t *policy;
101
102 /**
103 * Negotiated proposal used for CHILD_SA
104 */
105 proposal_t *proposal;
106
107 /**
108 * Negotiated traffic selectors for initiator
109 */
110 linked_list_t *tsi;
111
112 /**
113 * Negotiated traffic selectors for responder
114 */
115 linked_list_t *tsr;
116
117 /**
118 * CHILD_SA created along with IKE_AUTH
119 */
120 child_sa_t *child_sa;
121
122 /**
123 * did other peer create a CHILD_SA?
124 */
125 bool build_child;
126
127 /**
128 * reqid to use for CHILD_SA setup
129 */
130 u_int32_t reqid;
131 };
132
133 /**
134 * Implementation of transaction_t.get_message_id.
135 */
136 static u_int32_t get_message_id(private_ike_auth_t *this)
137 {
138 return this->message_id;
139 }
140
141 /**
142 * Implementation of transaction_t.requested.
143 */
144 static u_int32_t requested(private_ike_auth_t *this)
145 {
146 return this->requested++;
147 }
148
149 /**
150 * Implementation of transaction_t.set_config.
151 */
152 static void set_config(private_ike_auth_t *this,
153 connection_t *connection, policy_t *policy)
154 {
155 this->connection = connection;
156 this->policy = policy;
157 }
158
159 /**
160 * Implementation of transaction_t.set_reqid.
161 */
162 static void set_reqid(private_ike_auth_t *this, u_int32_t reqid)
163 {
164 this->reqid = reqid;
165 }
166
167 /**
168 * Implementation of transaction_t.set_nonces.
169 */
170 static void set_nonces(private_ike_auth_t *this, chunk_t nonce_i, chunk_t nonce_r)
171 {
172 this->nonce_i = nonce_i;
173 this->nonce_r = nonce_r;
174 }
175
176 /**
177 * Implementation of transaction_t.set_init_messages.
178 */
179 static void set_init_messages(private_ike_auth_t *this, chunk_t init_request, chunk_t init_response)
180 {
181 this->init_request = init_request;
182 this->init_response = init_response;
183 }
184
185 /**
186 * Implementation of transaction_t.get_request.
187 */
188 static status_t get_request(private_ike_auth_t *this, message_t **result)
189 {
190 message_t *request;
191 host_t *me, *other;
192 identification_t *my_id, *other_id;
193 id_payload_t *my_id_payload;
194
195 /* check if we already have built a message (retransmission) */
196 if (this->message)
197 {
198 *result = this->message;
199 return SUCCESS;
200 }
201
202 me = this->ike_sa->get_my_host(this->ike_sa);
203 other = this->ike_sa->get_other_host(this->ike_sa);
204 my_id = this->policy->get_my_id(this->policy);
205 other_id = this->policy->get_other_id(this->policy);
206
207 /* build the request */
208 request = message_create();
209 request->set_source(request, me->clone(me));
210 request->set_destination(request, other->clone(other));
211 request->set_exchange_type(request, IKE_AUTH);
212 request->set_request(request, TRUE);
213 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
214 /* apply for caller */
215 *result = request;
216 /* store for retransmission */
217 this->message = request;
218
219 { /* build ID payload */
220 my_id_payload = id_payload_create_from_identification(TRUE, my_id);
221 request->add_payload(request, (payload_t*)my_id_payload);
222 }
223
224 { /* TODO: build certreq payload */
225
226 }
227
228 /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
229 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
230 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
231 {
232 cert_payload_t *cert_payload;
233
234 x509_t *cert = charon->credentials->get_certificate(charon->credentials, my_id);
235
236 if (cert)
237 {
238 cert_payload = cert_payload_create_from_x509(cert);
239 request->add_payload(request, (payload_t*)cert_payload);
240 }
241 else
242 {
243 DBG1(SIG_DBG_IKE, "could not find my certificate, certificate payload omitted");
244 }
245 }
246
247 { /* build IDr payload, if other_id defined */
248 id_payload_t *id_payload;
249 if (!other_id->contains_wildcards(other_id))
250 {
251 id_payload = id_payload_create_from_identification(FALSE, other_id);
252 request->add_payload(request, (payload_t*)id_payload);
253 }
254 }
255
256 { /* build auth payload */
257 authenticator_t *authenticator;
258 auth_payload_t *auth_payload;
259 auth_method_t auth_method;
260 status_t status;
261
262 auth_method = this->policy->get_auth_method(this->policy);
263 authenticator = authenticator_create(this->ike_sa, auth_method);
264 status = authenticator->compute_auth_data(authenticator,
265 &auth_payload,
266 this->init_request,
267 this->nonce_r,
268 my_id,
269 other_id,
270 TRUE);
271 authenticator->destroy(authenticator);
272 if (status != SUCCESS)
273 {
274 DBG1(SIG_DBG_IKE, "could not generate AUTH data, deleting IKE_SA");
275 return DESTROY_ME;
276 }
277 request->add_payload(request, (payload_t*)auth_payload);
278 }
279
280 { /* build SA payload for CHILD_SA */
281 linked_list_t *proposal_list;
282 sa_payload_t *sa_payload;
283 u_int32_t soft_lifetime, hard_lifetime;
284 bool enable_natt;
285
286 proposal_list = this->policy->get_proposals(this->policy);
287 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
288 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
289 enable_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
290 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
291 soft_lifetime, hard_lifetime,
292 this->policy->get_updown(this->policy),
293 this->policy->get_hostaccess(this->policy),
294 enable_natt);
295 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
296 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
297 {
298 DBG1(SIG_DBG_IKE, "could not install CHILD_SA, deleting IKE_SA");
299 return DESTROY_ME;
300 }
301 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
302 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
303 request->add_payload(request, (payload_t*)sa_payload);
304 }
305
306 { /* build TSi payload */
307 linked_list_t *ts_list;
308 ts_payload_t *ts_payload;
309
310 ts_list = this->policy->get_my_traffic_selectors(this->policy, me);
311 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
312 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
313
314 request->add_payload(request, (payload_t*)ts_payload);
315 }
316
317 { /* build TSr payload */
318 linked_list_t *ts_list;
319 ts_payload_t *ts_payload;
320
321 ts_list = this->policy->get_other_traffic_selectors(this->policy, other);
322 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
323 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
324
325 request->add_payload(request, (payload_t*)ts_payload);
326 }
327
328 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
329 request->set_message_id(request, this->message_id);
330 return SUCCESS;
331 }
332
333 /**
334 * Handle all kind of notifies
335 */
336 static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
337 {
338 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
339
340 DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
341
342 switch (notify_type)
343 {
344 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
345 case SINGLE_PAIR_REQUIRED:
346 {
347 DBG1(SIG_DBG_IKE, "received a SINGLE_PAIR_REQUIRED notify");
348 this->build_child = FALSE;
349 return SUCCESS;
350 }
351 case TS_UNACCEPTABLE:
352 {
353 DBG1(SIG_DBG_IKE, "received TS_UNACCEPTABLE notify");
354 this->build_child = FALSE;
355 return SUCCESS;
356 }
357 case NO_PROPOSAL_CHOSEN:
358 {
359 DBG1(SIG_DBG_IKE, "received NO_PROPOSAL_CHOSEN notify");
360 this->build_child = FALSE;
361 return SUCCESS;
362 }
363 default:
364 {
365 if (notify_type < 16383)
366 {
367 DBG1(SIG_DBG_IKE, "received %N notify error, deleting IKE_SA",
368 notify_type_names, notify_type);
369 return DESTROY_ME;
370 }
371 else
372 {
373 DBG1(SIG_DBG_IKE, "received %N notify, ignored",
374 notify_type_names, notify_type);
375 return SUCCESS;
376 }
377 }
378 }
379 }
380
381 /**
382 * Build a notify message.
383 */
384 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
385 {
386 notify_payload_t *notify;
387
388 if (flush_message)
389 {
390 payload_t *payload;
391 iterator_t *iterator = message->get_payload_iterator(message);
392 while (iterator->iterate(iterator, (void**)&payload))
393 {
394 payload->destroy(payload);
395 iterator->remove(iterator);
396 }
397 iterator->destroy(iterator);
398 }
399
400 notify = notify_payload_create();
401 notify->set_notify_type(notify, type);
402 message->add_payload(message, (payload_t*)notify);
403 }
404
405 /**
406 * Import a certificate from a cert payload
407 */
408 static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_payload)
409 {
410 bool found;
411 x509_t *cert;
412 cert_encoding_t encoding;
413
414 encoding = cert_payload->get_cert_encoding(cert_payload);
415 if (encoding != CERT_X509_SIGNATURE)
416 {
417 DBG1(SIG_DBG_IKE, "certificate payload %N not supported, ignored",
418 cert_encoding_names, encoding);
419 return;
420 }
421 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
422 if (cert)
423 {
424 if (charon->credentials->verify(charon->credentials, cert, &found))
425 {
426 DBG2(SIG_DBG_IKE, "received end entity certificate is trusted, added to store");
427 if (!found)
428 {
429 charon->credentials->add_end_certificate(charon->credentials, cert);
430 }
431 else
432 {
433 cert->destroy(cert);
434 }
435 }
436 else
437 {
438 DBG1(SIG_DBG_IKE, "received end entity certificate is not trusted, discarded");
439 cert->destroy(cert);
440 }
441 }
442 else
443 {
444 DBG1(SIG_DBG_IKE, "parsing of received certificate failed, discarded");
445 }
446 }
447
448 /**
449 * Install a CHILD_SA for usage
450 */
451 static status_t install_child_sa(private_ike_auth_t *this, bool initiator)
452 {
453 prf_plus_t *prf_plus;
454 chunk_t seed;
455 status_t status;
456
457 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
458 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
459 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
460 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
461 chunk_free(&seed);
462
463 if (initiator)
464 {
465 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
466 }
467 else
468 {
469 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
470 }
471 prf_plus->destroy(prf_plus);
472 if (status != SUCCESS)
473 {
474 return DESTROY_ME;
475 }
476 if (initiator)
477 {
478 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
479 }
480 else
481 {
482 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
483 }
484 if (status != SUCCESS)
485 {
486 return DESTROY_ME;
487 }
488
489 /* add to IKE_SA, and remove from transaction */
490 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
491 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
492 this->child_sa = NULL;
493 return SUCCESS;
494 }
495
496 /**
497 * Implementation of transaction_t.get_response.
498 */
499 static status_t get_response(private_ike_auth_t *this, message_t *request,
500 message_t **result, transaction_t **next)
501 {
502 host_t *me, *other;
503 identification_t *my_id, *other_id;
504 message_t *response;
505 status_t status;
506 iterator_t *payloads;
507 id_payload_t *idi_request = NULL;
508 id_payload_t *idr_request = NULL;
509 auth_payload_t *auth_request = NULL;
510 cert_payload_t *cert_request = NULL;
511 sa_payload_t *sa_request = NULL;
512 ts_payload_t *tsi_request = NULL;
513 ts_payload_t *tsr_request = NULL;
514 id_payload_t *idr_response;
515
516 /* check if we already have built a response (retransmission) */
517 if (this->message)
518 {
519 *result = this->message;
520 return SUCCESS;
521 }
522
523 me = this->ike_sa->get_my_host(this->ike_sa);
524 other = this->ike_sa->get_other_host(this->ike_sa);
525 this->message_id = request->get_message_id(request);
526
527 /* set up response */
528 response = message_create();
529 response->set_source(response, me->clone(me));
530 response->set_destination(response, other->clone(other));
531 response->set_exchange_type(response, IKE_AUTH);
532 response->set_request(response, FALSE);
533 response->set_message_id(response, this->message_id);
534 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
535 this->message = response;
536 *result = response;
537
538 /* check message type */
539 if (request->get_exchange_type(request) != IKE_AUTH)
540 {
541 DBG1(SIG_DBG_IKE, "IKE_AUTH response of invalid type, deleting IKE_SA");
542 return DESTROY_ME;
543 }
544
545 /* Iterate over all payloads. */
546 payloads = request->get_payload_iterator(request);
547 while (payloads->has_next(payloads))
548 {
549 payload_t *payload;
550 payloads->current(payloads, (void**)&payload);
551 switch (payload->get_type(payload))
552 {
553 case ID_INITIATOR:
554 idi_request = (id_payload_t*)payload;
555 break;
556 case ID_RESPONDER:
557 idr_request = (id_payload_t*)payload;
558 break;
559 case AUTHENTICATION:
560 auth_request = (auth_payload_t*)payload;
561 break;
562 case CERTIFICATE:
563 cert_request = (cert_payload_t*)payload;
564 break;
565 case SECURITY_ASSOCIATION:
566 sa_request = (sa_payload_t*)payload;
567 break;
568 case TRAFFIC_SELECTOR_INITIATOR:
569 tsi_request = (ts_payload_t*)payload;
570 break;
571 case TRAFFIC_SELECTOR_RESPONDER:
572 tsr_request = (ts_payload_t*)payload;
573 break;
574 case NOTIFY:
575 {
576 status = process_notifies(this, (notify_payload_t*)payload);
577 if (status == FAILED)
578 {
579 payloads->destroy(payloads);
580 /* we return SUCCESS, returned FAILED means do next transaction */
581 return SUCCESS;
582 }
583 if (status == DESTROY_ME)
584 {
585 payloads->destroy(payloads);
586 return DESTROY_ME;
587 }
588 break;
589 }
590 default:
591 {
592 DBG1(SIG_DBG_IKE, "ignoring %N payload",
593 payload_type_names, payload->get_type(payload));
594 break;
595 }
596 }
597 }
598 payloads->destroy(payloads);
599
600 /* check if we have all payloads */
601 if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
602 {
603 build_notify(INVALID_SYNTAX, response, TRUE);
604 DBG1(SIG_DBG_IKE, "request message incomplete, deleting IKE_SA");
605 return DESTROY_ME;
606 }
607
608 { /* process ID payload */
609 other_id = idi_request->get_identification(idi_request);
610 if (idr_request)
611 {
612 my_id = idr_request->get_identification(idr_request);
613 }
614 else
615 {
616 my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
617 }
618 }
619
620 { /* get a policy and process traffic selectors */
621 linked_list_t *my_ts, *other_ts;
622
623 my_ts = tsr_request->get_traffic_selectors(tsr_request);
624 other_ts = tsi_request->get_traffic_selectors(tsi_request);
625
626 this->policy = charon->policies->get_policy(charon->policies,
627 my_id, other_id,
628 my_ts, other_ts,
629 me, other);
630 if (this->policy)
631 {
632 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
633 this->tsi = this->policy->select_other_traffic_selectors(this->policy, other_ts, other);
634 }
635 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
636 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
637
638 /* TODO: We should check somehow if we have a policy, but with other
639 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
640 if (this->policy == NULL)
641 {
642 DBG1(SIG_DBG_IKE, "no acceptable policy for IDs %D - %D found, deleting IKE_SA",
643 my_id, other_id);
644 my_id->destroy(my_id);
645 other_id->destroy(other_id);
646 build_notify(AUTHENTICATION_FAILED, response, TRUE);
647 return DESTROY_ME;
648 }
649 my_id->destroy(my_id);
650
651 /* get my id from policy, which must contain a fully qualified valid id */
652 my_id = this->policy->get_my_id(this->policy);
653 this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
654 this->ike_sa->set_other_id(this->ike_sa, other_id);
655
656 idr_response = id_payload_create_from_identification(FALSE, my_id);
657 response->add_payload(response, (payload_t*)idr_response);
658 }
659
660 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
661 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
662 { /* build certificate payload */
663 x509_t *cert;
664 cert_payload_t *cert_payload;
665
666 cert = charon->credentials->get_certificate(charon->credentials, my_id);
667 if (cert)
668 {
669 cert_payload = cert_payload_create_from_x509(cert);
670 response->add_payload(response, (payload_t *)cert_payload);
671 }
672 else
673 {
674 DBG1(SIG_DBG_IKE, "could not find my certificate, cert payload omitted");
675 }
676 }
677
678 if (cert_request)
679 { /* process certificate payload */
680 import_certificate(this, cert_request);
681 }
682
683 { /* process auth payload */
684 authenticator_t *authenticator;
685 auth_payload_t *auth_response;
686 auth_method_t auth_method;
687 status_t status;
688
689 auth_method = this->policy->get_auth_method(this->policy);
690 authenticator = authenticator_create(this->ike_sa, auth_method);
691 status = authenticator->verify_auth_data(authenticator, auth_request,
692 this->init_request,
693 this->nonce_r,
694 my_id,
695 other_id,
696 TRUE);
697 if (status != SUCCESS)
698 {
699 DBG1(SIG_DBG_IKE, "authentication failed, deleting IKE_SA");
700 build_notify(AUTHENTICATION_FAILED, response, TRUE);
701 authenticator->destroy(authenticator);
702 return DESTROY_ME;
703 }
704 status = authenticator->compute_auth_data(authenticator, &auth_response,
705 this->init_response,
706 this->nonce_i,
707 my_id,
708 other_id,
709 FALSE);
710 authenticator->destroy(authenticator);
711 if (status != SUCCESS)
712 {
713 DBG1(SIG_DBG_IKE, "authentication data generation failed, deleting IKE_SA");
714 build_notify(AUTHENTICATION_FAILED, response, TRUE);
715 return DESTROY_ME;
716 }
717 response->add_payload(response, (payload_t*)auth_response);
718 }
719
720 { /* process SA payload */
721 linked_list_t *proposal_list;
722 sa_payload_t *sa_response;
723 ts_payload_t *ts_response;
724 bool use_natt;
725 u_int32_t soft_lifetime, hard_lifetime;
726
727 /* prepare reply */
728 sa_response = sa_payload_create();
729
730 /* get proposals from request, and select one with ours */
731 proposal_list = sa_request->get_proposals(sa_request);
732 DBG2(SIG_DBG_IKE, "selecting proposals:");
733 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
734 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
735
736 /* do we have a proposal? */
737 if (this->proposal == NULL)
738 {
739 DBG1(SIG_DBG_IKE, "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
740 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
741 }
742 /* do we have traffic selectors? */
743 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
744 {
745 DBG1(SIG_DBG_IKE, "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
746 build_notify(TS_UNACCEPTABLE, response, FALSE);
747 }
748 else
749 {
750 /* create child sa */
751 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
752 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
753 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
754 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
755 soft_lifetime, hard_lifetime,
756 this->policy->get_updown(this->policy),
757 this->policy->get_hostaccess(this->policy),
758 use_natt);
759 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
760 if (install_child_sa(this, FALSE) != SUCCESS)
761 {
762 DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
763 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
764 }
765 /* add proposal to sa payload */
766 sa_response->add_proposal(sa_response, this->proposal);
767 }
768 response->add_payload(response, (payload_t*)sa_response);
769
770 /* add ts payload after sa payload */
771 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
772 response->add_payload(response, (payload_t*)ts_response);
773 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
774 response->add_payload(response, (payload_t*)ts_response);
775 }
776 /* set established state */
777 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
778 return SUCCESS;
779 }
780
781
782 /**
783 * Implementation of transaction_t.conclude
784 */
785 static status_t conclude(private_ike_auth_t *this, message_t *response,
786 transaction_t **transaction)
787 {
788 iterator_t *payloads;
789 host_t *me, *other;
790 identification_t *other_id;
791 ts_payload_t *tsi_payload = NULL;
792 ts_payload_t *tsr_payload = NULL;
793 id_payload_t *idr_payload = NULL;
794 cert_payload_t *cert_payload = NULL;
795 auth_payload_t *auth_payload = NULL;
796 sa_payload_t *sa_payload = NULL;
797 status_t status;
798
799 /* check message type */
800 if (response->get_exchange_type(response) != IKE_AUTH)
801 {
802 DBG1(SIG_DBG_IKE, "IKE_AUTH response of invalid type, deleting IKE_SA");
803 return DESTROY_ME;
804 }
805
806 me = this->ike_sa->get_my_host(this->ike_sa);
807 other = this->ike_sa->get_other_host(this->ike_sa);
808
809 /* Iterate over all payloads to collect them */
810 payloads = response->get_payload_iterator(response);
811 while (payloads->has_next(payloads))
812 {
813 payload_t *payload;
814 payloads->current(payloads, (void**)&payload);
815
816 switch (payload->get_type(payload))
817 {
818 case ID_RESPONDER:
819 idr_payload = (id_payload_t*)payload;
820 break;
821 case AUTHENTICATION:
822 auth_payload = (auth_payload_t*)payload;
823 break;
824 case CERTIFICATE:
825 cert_payload = (cert_payload_t*)payload;
826 break;
827 case SECURITY_ASSOCIATION:
828 sa_payload = (sa_payload_t*)payload;
829 break;
830 case TRAFFIC_SELECTOR_INITIATOR:
831 tsi_payload = (ts_payload_t*)payload;
832 break;
833 case TRAFFIC_SELECTOR_RESPONDER:
834 tsr_payload = (ts_payload_t*)payload;
835 break;
836 case NOTIFY:
837 {
838 status = process_notifies(this, (notify_payload_t*)payload);
839 if (status == FAILED)
840 {
841 payloads->destroy(payloads);
842 /* we return SUCCESS, returned FAILED means do next transaction */
843 return SUCCESS;
844 }
845 if (status == DESTROY_ME)
846 {
847 payloads->destroy(payloads);
848 return status;
849 }
850 break;
851 }
852 default:
853 {
854 DBG1(SIG_DBG_IKE, "ignoring payload %N",
855 payload_type_names, payload->get_type(payload));
856 break;
857 }
858 }
859 }
860 payloads->destroy(payloads);
861
862 if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
863 {
864 DBG1(SIG_DBG_IKE, "response message incomplete, deleting IKE_SA");
865 return DESTROY_ME;
866 }
867
868 { /* process idr payload */
869 identification_t *configured_other_id;
870 int wildcards;
871
872 other_id = idr_payload->get_identification(idr_payload);
873 configured_other_id = this->policy->get_other_id(this->policy);
874
875 if (!other_id->matches(other_id, configured_other_id, &wildcards))
876 {
877 other_id->destroy(other_id);
878 DBG1(SIG_DBG_IKE, "other peer uses unacceptable ID (%D, excepted %D), deleting IKE_SA",
879 other_id, configured_other_id);
880 return DESTROY_ME;
881 }
882 /* update other ID. It was already set, but may contain wildcards */
883 this->ike_sa->set_other_id(this->ike_sa, other_id);
884 }
885
886 if (cert_payload)
887 { /* process cert payload */
888 import_certificate(this, cert_payload);
889 }
890
891 { /* authenticate peer */
892 authenticator_t *authenticator;
893 auth_method_t auth_method;
894 identification_t *my_id;
895 status_t status;
896
897 auth_method = this->policy->get_auth_method(this->policy);
898 authenticator = authenticator_create(this->ike_sa, auth_method);
899 my_id = this->policy->get_my_id(this->policy);
900
901 status = authenticator->verify_auth_data(authenticator,
902 auth_payload,
903 this->init_response,
904 this->nonce_i,
905 my_id,
906 other_id,
907 FALSE);
908 authenticator->destroy(authenticator);
909 if (status != SUCCESS)
910 {
911 DBG1(SIG_DBG_IKE, "authentication failed, deleting IKE_SA");
912 return DESTROY_ME;
913 }
914 }
915
916 { /* process traffic selectors for us */
917 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
918 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
919 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
920 }
921
922 { /* process traffic selectors for other */
923 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
924 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received, other);
925 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
926 }
927
928 { /* process sa payload */
929 linked_list_t *proposal_list;
930
931 proposal_list = sa_payload->get_proposals(sa_payload);
932 /* we have to re-check here if other's selection is valid */
933 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
934 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
935
936 /* everything fine to create CHILD? */
937 if (this->proposal == NULL ||
938 this->tsi->get_count(this->tsi) == 0 ||
939 this->tsr->get_count(this->tsr) == 0 ||
940 !this->build_child)
941 {
942 DBG1(SIG_DBG_IKE, "CHILD_SA creation failed");
943 }
944 else
945 {
946 if (install_child_sa(this, TRUE) != SUCCESS)
947 {
948 DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, no CHILD_SA built");
949 }
950 }
951 }
952 /* set new state */
953 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
954 return SUCCESS;
955 }
956
957 /**
958 * implements transaction_t.destroy
959 */
960 static void destroy(private_ike_auth_t *this)
961 {
962 DESTROY_IF(this->message);
963 DESTROY_IF(this->proposal);
964 DESTROY_IF(this->child_sa);
965 DESTROY_IF(this->policy);
966 DESTROY_IF(this->connection);
967 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
968 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
969 chunk_free(&this->nonce_i);
970 chunk_free(&this->nonce_r);
971 chunk_free(&this->init_request);
972 chunk_free(&this->init_response);
973 free(this);
974 }
975
976 /*
977 * Described in header.
978 */
979 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
980 {
981 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
982
983 /* transaction interface functions */
984 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
985 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
986 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
987 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
988 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
989 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
990
991 /* public functions */
992 this->public.set_config = (void(*)(ike_auth_t*,connection_t*,policy_t*))set_config;
993 this->public.set_reqid = (void(*)(ike_auth_t*,u_int32_t))set_reqid;
994 this->public.set_nonces = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_nonces;
995 this->public.set_init_messages = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_init_messages;
996
997 /* private data */
998 this->ike_sa = ike_sa;
999 this->message_id = 0;
1000 this->message = NULL;
1001 this->requested = 0;
1002 this->nonce_i = CHUNK_INITIALIZER;
1003 this->nonce_r = CHUNK_INITIALIZER;
1004 this->init_request = CHUNK_INITIALIZER;
1005 this->init_response = CHUNK_INITIALIZER;
1006 this->child_sa = NULL;
1007 this->proposal = NULL;
1008 this->tsi = NULL;
1009 this->tsr = NULL;
1010 this->build_child = TRUE;
1011 this->reqid = 0;
1012
1013 return &this->public;
1014 }