projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
preparations to include certreqs in policy decisions
[strongswan.git] / src / charon / sa / transactions / ike_auth.c
1 /**
2 * @file ike_auth.c
3 *
4 * @brief Implementation of ike_auth_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include "ike_auth.h"
26
27 #include <string.h>
28
29 #include <daemon.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticators/authenticator.h>
37 #include <sa/child_sa.h>
38
39
40 typedef struct private_ike_auth_t private_ike_auth_t;
41
42 /**
43 * Private members of a ike_auth_t object..
44 */
45 struct private_ike_auth_t {
46
47 /**
48 * Public methods and transaction_t interface.
49 */
50 ike_auth_t public;
51
52 /**
53 * Assigned IKE_SA.
54 */
55 ike_sa_t *ike_sa;
56
57 /**
58 * Message sent by our peer, if already generated
59 */
60 message_t *message;
61
62 /**
63 * Message ID this transaction uses
64 */
65 u_int32_t message_id;
66
67 /**
68 * Times we did send the request
69 */
70 u_int32_t requested;
71
72 /**
73 * initiator chosen nonce
74 */
75 chunk_t nonce_i;
76
77 /**
78 * responder chosen nonce
79 */
80 chunk_t nonce_r;
81
82 /**
83 * encoded request message of ike_sa_init transaction
84 */
85 chunk_t init_request;
86
87 /**
88 * encoded response message of ike_sa_init transaction
89 */
90 chunk_t init_response;
91
92 /**
93 * connection definition used for IKE_SA setup
94 */
95 connection_t *connection;
96
97 /**
98 * policy definition used CHILD_SA creation
99 */
100 policy_t *policy;
101
102 /**
103 * Negotiated proposal used for CHILD_SA
104 */
105 proposal_t *proposal;
106
107 /**
108 * Negotiated traffic selectors for initiator
109 */
110 linked_list_t *tsi;
111
112 /**
113 * Negotiated traffic selectors for responder
114 */
115 linked_list_t *tsr;
116
117 /**
118 * CHILD_SA created along with IKE_AUTH
119 */
120 child_sa_t *child_sa;
121
122 /**
123 * did other peer create a CHILD_SA?
124 */
125 bool build_child;
126
127 /**
128 * reqid to use for CHILD_SA setup
129 */
130 u_int32_t reqid;
131 };
132
133 /**
134 * Implementation of transaction_t.get_message_id.
135 */
136 static u_int32_t get_message_id(private_ike_auth_t *this)
137 {
138 return this->message_id;
139 }
140
141 /**
142 * Implementation of transaction_t.requested.
143 */
144 static u_int32_t requested(private_ike_auth_t *this)
145 {
146 return this->requested++;
147 }
148
149 /**
150 * Implementation of transaction_t.set_config.
151 */
152 static void set_config(private_ike_auth_t *this,
153 connection_t *connection, policy_t *policy)
154 {
155 this->connection = connection;
156 this->policy = policy;
157 }
158
159 /**
160 * Implementation of transaction_t.set_reqid.
161 */
162 static void set_reqid(private_ike_auth_t *this, u_int32_t reqid)
163 {
164 this->reqid = reqid;
165 }
166
167 /**
168 * Implementation of transaction_t.set_nonces.
169 */
170 static void set_nonces(private_ike_auth_t *this, chunk_t nonce_i, chunk_t nonce_r)
171 {
172 this->nonce_i = nonce_i;
173 this->nonce_r = nonce_r;
174 }
175
176 /**
177 * Implementation of transaction_t.set_init_messages.
178 */
179 static void set_init_messages(private_ike_auth_t *this, chunk_t init_request, chunk_t init_response)
180 {
181 this->init_request = init_request;
182 this->init_response = init_response;
183 }
184
185 /**
186 * Implementation of transaction_t.get_request.
187 */
188 static status_t get_request(private_ike_auth_t *this, message_t **result)
189 {
190 message_t *request;
191 host_t *me, *other;
192 identification_t *my_id, *other_id;
193 id_payload_t *my_id_payload;
194
195 /* check if we already have built a message (retransmission) */
196 if (this->message)
197 {
198 *result = this->message;
199 return SUCCESS;
200 }
201
202 me = this->ike_sa->get_my_host(this->ike_sa);
203 other = this->ike_sa->get_other_host(this->ike_sa);
204 my_id = this->policy->get_my_id(this->policy);
205 other_id = this->policy->get_other_id(this->policy);
206
207 /* build the request */
208 request = message_create();
209 request->set_source(request, me->clone(me));
210 request->set_destination(request, other->clone(other));
211 request->set_exchange_type(request, IKE_AUTH);
212 request->set_request(request, TRUE);
213 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
214 /* apply for caller */
215 *result = request;
216 /* store for retransmission */
217 this->message = request;
218
219 { /* build ID payload */
220 my_id_payload = id_payload_create_from_identification(TRUE, my_id);
221 request->add_payload(request, (payload_t*)my_id_payload);
222 }
223
224 /* build certificate request payload */
225 if (this->connection->get_certreq_policy(this->connection) != CERT_NEVER_SEND)
226 {
227 certreq_payload_t *certreq_payload;
228 identification_t *other_ca = this->policy->get_other_ca(this->policy);
229
230 certreq_payload = (other_ca->get_type(other_ca) == ID_ANY)
231 ? certreq_payload_create_from_cacerts()
232 : certreq_payload_create_from_cacert(other_ca);
233
234 if (certreq_payload != NULL)
235 {
236 request->add_payload(request, (payload_t*)certreq_payload);
237 }
238 }
239
240 /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
241 if (this->policy->get_auth_method(this->policy) == AUTH_RSA
242 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
243 {
244 cert_payload_t *cert_payload;
245
246 x509_t *cert = charon->credentials->get_certificate(charon->credentials, my_id);
247
248 if (cert)
249 {
250 cert_payload = cert_payload_create_from_x509(cert);
251 request->add_payload(request, (payload_t*)cert_payload);
252 }
253 else
254 {
255 DBG1(DBG_IKE, "could not find my certificate, certificate payload omitted");
256 }
257 }
258
259 { /* build IDr payload, if other_id defined */
260 id_payload_t *id_payload;
261 if (!other_id->contains_wildcards(other_id))
262 {
263 id_payload = id_payload_create_from_identification(FALSE, other_id);
264 request->add_payload(request, (payload_t*)id_payload);
265 }
266 }
267
268 { /* build auth payload */
269 authenticator_t *authenticator;
270 auth_payload_t *auth_payload;
271 auth_method_t auth_method;
272 status_t status;
273
274 auth_method = this->policy->get_auth_method(this->policy);
275 authenticator = authenticator_create(this->ike_sa, auth_method);
276 if (authenticator == NULL)
277 {
278 SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
279 auth_method_names, auth_method);
280 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
281 return DESTROY_ME;
282 }
283 status = authenticator->build(authenticator, this->init_request,
284 this->nonce_r, &auth_payload);
285 authenticator->destroy(authenticator);
286 if (status != SUCCESS)
287 {
288 SIG(IKE_UP_FAILED, "could not generate AUTH data, deleting IKE_SA");
289 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
290 return DESTROY_ME;
291 }
292 request->add_payload(request, (payload_t*)auth_payload);
293 }
294
295 { /* build SA payload for CHILD_SA */
296 linked_list_t *proposal_list;
297 sa_payload_t *sa_payload;
298 u_int32_t soft_lifetime, hard_lifetime;
299 bool enable_natt;
300
301 proposal_list = this->policy->get_proposals(this->policy);
302 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
303 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
304 enable_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
305 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
306 soft_lifetime, hard_lifetime,
307 this->policy->get_updown(this->policy),
308 this->policy->get_hostaccess(this->policy),
309 enable_natt);
310 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
311 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
312 {
313 SIG(IKE_UP_FAILED, "could not install CHILD_SA, deleting IKE_SA");
314 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
315 return DESTROY_ME;
316 }
317 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
318 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
319 request->add_payload(request, (payload_t*)sa_payload);
320 }
321
322 { /* build TSi payload */
323 linked_list_t *ts_list;
324 ts_payload_t *ts_payload;
325
326 ts_list = this->policy->get_my_traffic_selectors(this->policy, me);
327 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
328 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
329
330 request->add_payload(request, (payload_t*)ts_payload);
331 }
332
333 { /* build TSr payload */
334 linked_list_t *ts_list;
335 ts_payload_t *ts_payload;
336
337 ts_list = this->policy->get_other_traffic_selectors(this->policy, other);
338 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
339 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
340
341 request->add_payload(request, (payload_t*)ts_payload);
342 }
343
344 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
345 request->set_message_id(request, this->message_id);
346 return SUCCESS;
347 }
348
349 /**
350 * Handle all kind of notifies
351 */
352 static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
353 {
354 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
355
356 DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
357
358 switch (notify_type)
359 {
360 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
361 case SINGLE_PAIR_REQUIRED:
362 {
363 SIG(CHILD_UP_FAILED, "received a SINGLE_PAIR_REQUIRED notify");
364 this->build_child = FALSE;
365 return SUCCESS;
366 }
367 case TS_UNACCEPTABLE:
368 {
369 SIG(CHILD_UP_FAILED, "received TS_UNACCEPTABLE notify");
370 this->build_child = FALSE;
371 return SUCCESS;
372 }
373 case NO_PROPOSAL_CHOSEN:
374 {
375 SIG(CHILD_UP_FAILED, "received NO_PROPOSAL_CHOSEN notify");
376 this->build_child = FALSE;
377 return SUCCESS;
378 }
379 default:
380 {
381 if (notify_type < 16383)
382 {
383 SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA",
384 notify_type_names, notify_type);
385 return DESTROY_ME;
386 }
387 else
388 {
389 DBG1(DBG_IKE, "received %N notify, ignored",
390 notify_type_names, notify_type);
391 return SUCCESS;
392 }
393 }
394 }
395 }
396
397 /**
398 * Build a notify message.
399 */
400 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
401 {
402 notify_payload_t *notify;
403
404 if (flush_message)
405 {
406 payload_t *payload;
407 iterator_t *iterator = message->get_payload_iterator(message);
408 while (iterator->iterate(iterator, (void**)&payload))
409 {
410 payload->destroy(payload);
411 iterator->remove(iterator);
412 }
413 iterator->destroy(iterator);
414 }
415
416 notify = notify_payload_create();
417 notify->set_notify_type(notify, type);
418 message->add_payload(message, (payload_t*)notify);
419 }
420
421 /**
422 * Import certificate requests from a certreq payload
423 */
424 static void add_certificate_request(certreq_payload_t *certreq_payload,
425 linked_list_t *requested_ca_keyids)
426 {
427 chunk_t keyids;
428
429 cert_encoding_t encoding = certreq_payload->get_cert_encoding(certreq_payload);
430
431 if (encoding != CERT_X509_SIGNATURE)
432 {
433 DBG1(DBG_IKE, "certreq payload %N not supported, ignored",
434 cert_encoding_names, encoding);
435 return;
436 }
437
438 keyids = certreq_payload->get_data(certreq_payload);
439
440 while (keyids.len >= HASH_SIZE_SHA1)
441 {
442 chunk_t keyid = { keyids.ptr, HASH_SIZE_SHA1};
443 x509_t *cacert = charon->credentials->get_ca_certificate_by_keyid(charon->credentials, keyid);
444
445 if (cacert)
446 {
447 DBG2(DBG_IKE, "request for certificate issued by ca '%D'", cacert->get_subject(cacert));
448 requested_ca_keyids->insert_last(requested_ca_keyids, (void *)&keyid);
449 }
450 else
451 {
452 DBG2(DBG_IKE, "request for certificate issued by unknown ca");
453 }
454 DBG2(DBG_IKE, " with keyid %#B", &keyid);
455
456 keyids.ptr += HASH_SIZE_SHA1;
457 keyids.len -= HASH_SIZE_SHA1;
458 }
459 }
460
461 /**
462 * Import a certificate from a cert payload
463 */
464 static void import_certificate(cert_payload_t *cert_payload)
465 {
466 bool found;
467 x509_t *cert;
468 cert_encoding_t encoding;
469
470 encoding = cert_payload->get_cert_encoding(cert_payload);
471 if (encoding != CERT_X509_SIGNATURE)
472 {
473 DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
474 cert_encoding_names, encoding);
475 return;
476 }
477 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
478 if (cert)
479 {
480 if (charon->credentials->verify(charon->credentials, cert, &found))
481 {
482 DBG2(DBG_IKE, "received end entity certificate is trusted, added to store");
483 if (!found)
484 {
485 charon->credentials->add_end_certificate(charon->credentials, cert);
486 }
487 else
488 {
489 cert->destroy(cert);
490 }
491 }
492 else
493 {
494 DBG1(DBG_IKE, "received end entity certificate is not trusted, discarded");
495 cert->destroy(cert);
496 }
497 }
498 else
499 {
500 DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
501 }
502 }
503
504 /**
505 * Install a CHILD_SA for usage
506 */
507 static status_t install_child_sa(private_ike_auth_t *this, bool initiator)
508 {
509 prf_plus_t *prf_plus;
510 chunk_t seed;
511 status_t status;
512
513 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
514 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
515 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
516 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
517 chunk_free(&seed);
518
519 if (initiator)
520 {
521 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
522 }
523 else
524 {
525 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
526 }
527 prf_plus->destroy(prf_plus);
528 if (status != SUCCESS)
529 {
530 return DESTROY_ME;
531 }
532 if (initiator)
533 {
534 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
535 }
536 else
537 {
538 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
539 }
540 if (status != SUCCESS)
541 {
542 return DESTROY_ME;
543 }
544
545 /* add to IKE_SA, and remove from transaction */
546 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
547 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
548 this->child_sa = NULL;
549 return SUCCESS;
550 }
551
552 /**
553 * Implementation of transaction_t.get_response.
554 */
555 static status_t get_response(private_ike_auth_t *this, message_t *request,
556 message_t **result, transaction_t **next)
557 {
558 host_t *me, *other;
559 identification_t *my_id, *other_id;
560 linked_list_t *requested_ca_keyids;
561 message_t *response;
562 status_t status;
563 iterator_t *payloads;
564 payload_t *payload;
565 id_payload_t *idi_request = NULL;
566 id_payload_t *idr_request = NULL;
567 auth_payload_t *auth_request = NULL;
568 certreq_payload_t *certreq_request = NULL;
569 cert_payload_t *cert_request = NULL;
570 sa_payload_t *sa_request = NULL;
571 ts_payload_t *tsi_request = NULL;
572 ts_payload_t *tsr_request = NULL;
573 id_payload_t *idr_response;
574
575 /* check if we already have built a response (retransmission) */
576 if (this->message)
577 {
578 *result = this->message;
579 return SUCCESS;
580 }
581
582 SIG(CHILD_UP_START, "setting up CHILD_SA along with IKE_AUTH");
583
584 me = this->ike_sa->get_my_host(this->ike_sa);
585 other = this->ike_sa->get_other_host(this->ike_sa);
586 this->message_id = request->get_message_id(request);
587
588 /* set up response */
589 response = message_create();
590 response->set_source(response, me->clone(me));
591 response->set_destination(response, other->clone(other));
592 response->set_exchange_type(response, IKE_AUTH);
593 response->set_request(response, FALSE);
594 response->set_message_id(response, this->message_id);
595 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
596 this->message = response;
597 *result = response;
598
599 /* check message type */
600 if (request->get_exchange_type(request) != IKE_AUTH)
601 {
602 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
603 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
604 return DESTROY_ME;
605 }
606
607 /* initialize list of requested ca keyids */
608 requested_ca_keyids = linked_list_create();
609
610 /* Iterate over all payloads. */
611 payloads = request->get_payload_iterator(request);
612 while (payloads->iterate(payloads, (void**)&payload))
613 {
614 switch (payload->get_type(payload))
615 {
616 case ID_INITIATOR:
617 idi_request = (id_payload_t*)payload;
618 break;
619 case ID_RESPONDER:
620 idr_request = (id_payload_t*)payload;
621 break;
622 case AUTHENTICATION:
623 auth_request = (auth_payload_t*)payload;
624 break;
625 case CERTIFICATE_REQUEST:
626 certreq_request = (certreq_payload_t*)payload;
627 add_certificate_request(certreq_request, requested_ca_keyids);
628 break;
629 case CERTIFICATE:
630 cert_request = (cert_payload_t*)payload;
631 break;
632 case SECURITY_ASSOCIATION:
633 sa_request = (sa_payload_t*)payload;
634 break;
635 case TRAFFIC_SELECTOR_INITIATOR:
636 tsi_request = (ts_payload_t*)payload;
637 break;
638 case TRAFFIC_SELECTOR_RESPONDER:
639 tsr_request = (ts_payload_t*)payload;
640 break;
641 case NOTIFY:
642 {
643 status = process_notifies(this, (notify_payload_t*)payload);
644 if (status == FAILED)
645 {
646 payloads->destroy(payloads);
647 requested_ca_keyids->destroy(requested_ca_keyids);
648 /* we return SUCCESS, returned FAILED means do next transaction */
649 return SUCCESS;
650 }
651 if (status == DESTROY_ME)
652 {
653 payloads->destroy(payloads);
654 requested_ca_keyids->destroy(requested_ca_keyids);
655 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
656 return DESTROY_ME;
657 }
658 break;
659 }
660 default:
661 {
662 DBG1(DBG_IKE, "ignoring %N payload",
663 payload_type_names, payload->get_type(payload));
664 break;
665 }
666 }
667 }
668 payloads->destroy(payloads);
669
670 /* check if we have all payloads */
671 if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
672 {
673 build_notify(INVALID_SYNTAX, response, TRUE);
674 SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
675 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
676 requested_ca_keyids->destroy(requested_ca_keyids);
677 return DESTROY_ME;
678 }
679
680 { /* process ID payload */
681 other_id = idi_request->get_identification(idi_request);
682 if (idr_request)
683 {
684 my_id = idr_request->get_identification(idr_request);
685 }
686 else
687 {
688 my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
689 }
690 }
691
692
693 { /* get a policy and process traffic selectors */
694 linked_list_t *my_ts, *other_ts;
695
696 my_ts = tsr_request->get_traffic_selectors(tsr_request);
697 other_ts = tsi_request->get_traffic_selectors(tsi_request);
698
699 this->policy = charon->policies->get_policy(charon->policies,
700 my_id, other_id,
701 my_ts, other_ts,
702 me, other,
703 requested_ca_keyids);
704 requested_ca_keyids->destroy(requested_ca_keyids);
705
706 if (this->policy)
707 {
708 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
709 this->tsi = this->policy->select_other_traffic_selectors(this->policy, other_ts, other);
710 }
711 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
712 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
713
714 /* TODO: We should check somehow if we have a policy, but with other
715 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
716 if (this->policy == NULL)
717 {
718 SIG(IKE_UP_FAILED, "no acceptable policy for IDs %D - %D found, "
719 "deleting IKE_SA", my_id, other_id);
720 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
721 my_id->destroy(my_id);
722 other_id->destroy(other_id);
723 build_notify(AUTHENTICATION_FAILED, response, TRUE);
724 return DESTROY_ME;
725 }
726 my_id->destroy(my_id);
727
728 /* get my id from policy, which must contain a fully qualified valid id */
729 my_id = this->policy->get_my_id(this->policy);
730 this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
731 this->ike_sa->set_other_id(this->ike_sa, other_id);
732
733 idr_response = id_payload_create_from_identification(FALSE, my_id);
734 response->add_payload(response, (payload_t*)idr_response);
735 }
736
737 if (this->policy->get_auth_method(this->policy) == AUTH_RSA
738 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
739 { /* build certificate payload */
740 x509_t *cert;
741 cert_payload_t *cert_payload;
742
743 cert = charon->credentials->get_certificate(charon->credentials, my_id);
744 if (cert)
745 {
746 cert_payload = cert_payload_create_from_x509(cert);
747 response->add_payload(response, (payload_t *)cert_payload);
748 }
749 else
750 {
751 DBG1(DBG_IKE, "could not find my certificate, cert payload omitted");
752 }
753 }
754
755 if (cert_request)
756 { /* process certificate payload */
757 import_certificate(cert_request);
758 }
759
760 { /* process auth payload */
761 authenticator_t *authenticator;
762 auth_payload_t *auth_response;
763 auth_method_t auth_method;
764 status_t status;
765
766 auth_method = auth_request->get_auth_method(auth_request);
767 authenticator = authenticator_create(this->ike_sa, auth_method);
768 if (authenticator == NULL)
769 {
770 SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
771 auth_method_names, auth_method);
772 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
773 return DESTROY_ME;
774 }
775 status = authenticator->verify(authenticator, this->init_request,
776 this->nonce_r, auth_request);
777 authenticator->destroy(authenticator);
778 if (status != SUCCESS)
779 {
780 SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA");
781 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
782 build_notify(AUTHENTICATION_FAILED, response, TRUE);
783 return DESTROY_ME;
784 }
785
786 auth_method = this->policy->get_auth_method(this->policy);
787 authenticator = authenticator_create(this->ike_sa, auth_method);
788 if (authenticator == NULL)
789 {
790 SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
791 auth_method_names, auth_method);
792 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
793 return DESTROY_ME;
794 }
795 status = authenticator->build(authenticator, this->init_response,
796 this->nonce_i, &auth_response);
797 authenticator->destroy(authenticator);
798 if (status != SUCCESS)
799 {
800 SIG(IKE_UP_FAILED, "authentication data generation failed, deleting IKE_SA");
801 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
802 build_notify(AUTHENTICATION_FAILED, response, TRUE);
803 return DESTROY_ME;
804 }
805 response->add_payload(response, (payload_t*)auth_response);
806 }
807
808 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
809 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
810
811 { /* process SA payload */
812 linked_list_t *proposal_list;
813 sa_payload_t *sa_response;
814 ts_payload_t *ts_response;
815 bool use_natt;
816 u_int32_t soft_lifetime, hard_lifetime;
817
818 /* prepare reply */
819 sa_response = sa_payload_create();
820
821 /* get proposals from request, and select one with ours */
822 proposal_list = sa_request->get_proposals(sa_request);
823 DBG2(DBG_IKE, "selecting proposals:");
824 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
825 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
826
827 /* do we have a proposal? */
828 if (this->proposal == NULL)
829 {
830 SIG(CHILD_UP_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created");
831 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
832 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
833 }
834 /* do we have traffic selectors? */
835 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
836 {
837 SIG(CHILD_UP_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
838 DBG1(DBG_IKE, "adding TS_UNACCEPTABLE notify to response");
839 build_notify(TS_UNACCEPTABLE, response, FALSE);
840 }
841 else
842 {
843 /* create child sa */
844 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
845 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
846 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
847 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
848 soft_lifetime, hard_lifetime,
849 this->policy->get_updown(this->policy),
850 this->policy->get_hostaccess(this->policy),
851 use_natt);
852 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
853 if (install_child_sa(this, FALSE) != SUCCESS)
854 {
855 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA created");
856 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
857 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
858 }
859 else
860 {
861 /* add proposal to sa payload */
862 sa_response->add_proposal(sa_response, this->proposal);
863 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
864 }
865 }
866 response->add_payload(response, (payload_t*)sa_response);
867
868 /* add ts payload after sa payload */
869 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
870 response->add_payload(response, (payload_t*)ts_response);
871 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
872 response->add_payload(response, (payload_t*)ts_response);
873 }
874 /* set established state */
875 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
876 return SUCCESS;
877 }
878
879
880 /**
881 * Implementation of transaction_t.conclude
882 */
883 static status_t conclude(private_ike_auth_t *this, message_t *response,
884 transaction_t **transaction)
885 {
886 iterator_t *payloads;
887 payload_t *payload;
888 host_t *me, *other;
889 identification_t *other_id, *my_id;
890 ts_payload_t *tsi_payload = NULL;
891 ts_payload_t *tsr_payload = NULL;
892 id_payload_t *idr_payload = NULL;
893 cert_payload_t *cert_payload = NULL;
894 auth_payload_t *auth_payload = NULL;
895 sa_payload_t *sa_payload = NULL;
896 status_t status;
897
898 /* check message type */
899 if (response->get_exchange_type(response) != IKE_AUTH)
900 {
901 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
902 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
903 return DESTROY_ME;
904 }
905
906 me = this->ike_sa->get_my_host(this->ike_sa);
907 other = this->ike_sa->get_other_host(this->ike_sa);
908
909 /* Iterate over all payloads to collect them */
910 payloads = response->get_payload_iterator(response);
911 while (payloads->iterate(payloads, (void**)&payload))
912 {
913 switch (payload->get_type(payload))
914 {
915 case ID_RESPONDER:
916 idr_payload = (id_payload_t*)payload;
917 break;
918 case AUTHENTICATION:
919 auth_payload = (auth_payload_t*)payload;
920 break;
921 case CERTIFICATE:
922 cert_payload = (cert_payload_t*)payload;
923 break;
924 case SECURITY_ASSOCIATION:
925 sa_payload = (sa_payload_t*)payload;
926 break;
927 case TRAFFIC_SELECTOR_INITIATOR:
928 tsi_payload = (ts_payload_t*)payload;
929 break;
930 case TRAFFIC_SELECTOR_RESPONDER:
931 tsr_payload = (ts_payload_t*)payload;
932 break;
933 case NOTIFY:
934 {
935 status = process_notifies(this, (notify_payload_t*)payload);
936 if (status == FAILED)
937 {
938 payloads->destroy(payloads);
939 /* we return SUCCESS, as transaction completet */
940 return SUCCESS;
941 }
942 if (status == DESTROY_ME)
943 {
944 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
945 payloads->destroy(payloads);
946 return status;
947 }
948 break;
949 }
950 default:
951 {
952 DBG1(DBG_IKE, "ignoring payload %N",
953 payload_type_names, payload->get_type(payload));
954 break;
955 }
956 }
957 }
958 payloads->destroy(payloads);
959
960 if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
961 {
962 SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA");
963 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
964 return DESTROY_ME;
965 }
966
967 { /* process idr payload */
968 identification_t *configured_other_id;
969 int wildcards;
970
971 other_id = idr_payload->get_identification(idr_payload);
972 configured_other_id = this->policy->get_other_id(this->policy);
973
974 if (!other_id->matches(other_id, configured_other_id, &wildcards))
975 {
976 other_id->destroy(other_id);
977 SIG(IKE_UP_FAILED, "other peer uses unacceptable ID (%D, excepted "
978 "%D), deleting IKE_SA", other_id, configured_other_id);
979 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
980 return DESTROY_ME;
981 }
982 /* update other ID. It was already set, but may contain wildcards */
983 this->ike_sa->set_other_id(this->ike_sa, other_id);
984 }
985
986 if (cert_payload)
987 { /* process cert payload */
988 import_certificate(cert_payload);
989 }
990
991 { /* authenticate peer */
992 authenticator_t *authenticator;
993 auth_method_t auth_method;
994 status_t status;
995
996 my_id = this->policy->get_my_id(this->policy);
997 auth_method = auth_payload->get_auth_method(auth_payload);
998 authenticator = authenticator_create(this->ike_sa, auth_method);
999 if (authenticator == NULL)
1000 {
1001 SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
1002 auth_method_names, auth_method);
1003 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
1004 return DESTROY_ME;
1005 }
1006 status = authenticator->verify(authenticator, this->init_response,
1007 this->nonce_i, auth_payload);
1008 authenticator->destroy(authenticator);
1009 if (status != SUCCESS)
1010 {
1011 SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed, "
1012 "deleting IKE_SA", other_id, auth_method_names, auth_method);
1013 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
1014 return DESTROY_ME;
1015 }
1016 }
1017
1018 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
1019 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
1020
1021 { /* process traffic selectors for us */
1022 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
1023 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
1024 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
1025 }
1026
1027 { /* process traffic selectors for other */
1028 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
1029 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received, other);
1030 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
1031 }
1032
1033 { /* process sa payload */
1034 linked_list_t *proposal_list;
1035
1036 proposal_list = sa_payload->get_proposals(sa_payload);
1037 /* we have to re-check here if other's selection is valid */
1038 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
1039 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
1040
1041 /* everything fine to create CHILD? */
1042 if (this->proposal == NULL ||
1043 this->tsi->get_count(this->tsi) == 0 ||
1044 this->tsr->get_count(this->tsr) == 0 ||
1045 !this->build_child)
1046 {
1047 SIG(CHILD_UP_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
1048 }
1049 else
1050 {
1051 if (install_child_sa(this, TRUE) != SUCCESS)
1052 {
1053 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
1054 /* TODO: we should send a DELETE for that CHILD to stay
1055 * synchronous with the peer */
1056 }
1057 else
1058 {
1059 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
1060 }
1061 }
1062 }
1063 /* set new state */
1064 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1065 return SUCCESS;
1066 }
1067
1068 /**
1069 * implements transaction_t.destroy
1070 */
1071 static void destroy(private_ike_auth_t *this)
1072 {
1073 DESTROY_IF(this->message);
1074 DESTROY_IF(this->proposal);
1075 DESTROY_IF(this->child_sa);
1076 DESTROY_IF(this->policy);
1077 DESTROY_IF(this->connection);
1078 if (this->tsi)
1079 {
1080 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1081 }
1082 if (this->tsr)
1083 {
1084 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1085 }
1086 chunk_free(&this->nonce_i);
1087 chunk_free(&this->nonce_r);
1088 chunk_free(&this->init_request);
1089 chunk_free(&this->init_response);
1090 free(this);
1091 }
1092
1093 /*
1094 * Described in header.
1095 */
1096 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
1097 {
1098 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1099
1100 /* transaction interface functions */
1101 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
1102 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
1103 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
1104 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
1105 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
1106 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
1107
1108 /* public functions */
1109 this->public.set_config = (void(*)(ike_auth_t*,connection_t*,policy_t*))set_config;
1110 this->public.set_reqid = (void(*)(ike_auth_t*,u_int32_t))set_reqid;
1111 this->public.set_nonces = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_nonces;
1112 this->public.set_init_messages = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_init_messages;
1113
1114 /* private data */
1115 this->ike_sa = ike_sa;
1116 this->message_id = 0;
1117 this->message = NULL;
1118 this->requested = 0;
1119 this->nonce_i = CHUNK_INITIALIZER;
1120 this->nonce_r = CHUNK_INITIALIZER;
1121 this->init_request = CHUNK_INITIALIZER;
1122 this->init_response = CHUNK_INITIALIZER;
1123 this->child_sa = NULL;
1124 this->proposal = NULL;
1125 this->tsi = NULL;
1126 this->tsr = NULL;
1127 this->build_child = TRUE;
1128 this->reqid = 0;
1129
1130 return &this->public;
1131 }
strongSwan - IPsec VPN