projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
handle certificate parsing error more generous
[strongswan.git] / src / charon / sa / transactions / ike_auth.c
1 /**
2 * @file ike_auth.c
3 *
4 * @brief Implementation of ike_auth_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include "ike_auth.h"
26
27 #include <string.h>
28
29 #include <daemon.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
38
39
40 typedef struct private_ike_auth_t private_ike_auth_t;
41
42 /**
43 * Private members of a ike_auth_t object..
44 */
45 struct private_ike_auth_t {
46
47 /**
48 * Public methods and transaction_t interface.
49 */
50 ike_auth_t public;
51
52 /**
53 * Assigned IKE_SA.
54 */
55 ike_sa_t *ike_sa;
56
57 /**
58 * Message sent by our peer, if already generated
59 */
60 message_t *message;
61
62 /**
63 * Message ID this transaction uses
64 */
65 u_int32_t message_id;
66
67 /**
68 * Times we did send the request
69 */
70 u_int32_t requested;
71
72 /**
73 * initiator chosen nonce
74 */
75 chunk_t nonce_i;
76
77 /**
78 * responder chosen nonce
79 */
80 chunk_t nonce_r;
81
82 /**
83 * encoded request message of ike_sa_init transaction
84 */
85 chunk_t init_request;
86
87 /**
88 * encoded response message of ike_sa_init transaction
89 */
90 chunk_t init_response;
91
92 /**
93 * connection definition used for IKE_SA setup
94 */
95 connection_t *connection;
96
97 /**
98 * policy definition used CHILD_SA creation
99 */
100 policy_t *policy;
101
102 /**
103 * Negotiated proposal used for CHILD_SA
104 */
105 proposal_t *proposal;
106
107 /**
108 * Negotiated traffic selectors for initiator
109 */
110 linked_list_t *tsi;
111
112 /**
113 * Negotiated traffic selectors for responder
114 */
115 linked_list_t *tsr;
116
117 /**
118 * CHILD_SA created along with IKE_AUTH
119 */
120 child_sa_t *child_sa;
121
122 /**
123 * did other peer create a CHILD_SA?
124 */
125 bool build_child;
126
127 /**
128 * reqid to use for CHILD_SA setup
129 */
130 u_int32_t reqid;
131
132 /**
133 * Assigned logger.
134 */
135 logger_t *logger;
136 };
137
138 /**
139 * Implementation of transaction_t.get_message_id.
140 */
141 static u_int32_t get_message_id(private_ike_auth_t *this)
142 {
143 return this->message_id;
144 }
145
146 /**
147 * Implementation of transaction_t.requested.
148 */
149 static u_int32_t requested(private_ike_auth_t *this)
150 {
151 return this->requested++;
152 }
153
154 /**
155 * Implementation of transaction_t.set_config.
156 */
157 static void set_config(private_ike_auth_t *this,
158 connection_t *connection, policy_t *policy)
159 {
160 this->connection = connection;
161 this->policy = policy;
162 }
163
164 /**
165 * Implementation of transaction_t.set_reqid.
166 */
167 static void set_reqid(private_ike_auth_t *this, u_int32_t reqid)
168 {
169 this->reqid = reqid;
170 }
171
172 /**
173 * Implementation of transaction_t.set_nonces.
174 */
175 static void set_nonces(private_ike_auth_t *this, chunk_t nonce_i, chunk_t nonce_r)
176 {
177 this->nonce_i = nonce_i;
178 this->nonce_r = nonce_r;
179 }
180
181 /**
182 * Implementation of transaction_t.set_init_messages.
183 */
184 static void set_init_messages(private_ike_auth_t *this, chunk_t init_request, chunk_t init_response)
185 {
186 this->init_request = init_request;
187 this->init_response = init_response;
188 }
189
190 /**
191 * destroy a list of traffic selectors
192 */
193 static void destroy_ts_list(linked_list_t *list)
194 {
195 if (list)
196 {
197 traffic_selector_t *ts;
198
199 while (list->remove_last(list, (void**)&ts) == SUCCESS)
200 {
201 ts->destroy(ts);
202 }
203 list->destroy(list);
204 }
205 }
206
207 /**
208 * destroy a list of proposals
209 */
210 static void destroy_proposal_list(linked_list_t *list)
211 {
212 proposal_t *proposal;
213
214 while (list->remove_last(list, (void**)&proposal) == SUCCESS)
215 {
216 proposal->destroy(proposal);
217 }
218 list->destroy(list);
219 }
220
221 /**
222 * Implementation of transaction_t.get_request.
223 */
224 static status_t get_request(private_ike_auth_t *this, message_t **result)
225 {
226 message_t *request;
227 host_t *me, *other;
228 identification_t *my_id, *other_id;
229 id_payload_t *my_id_payload;
230
231 /* check if we already have built a message (retransmission) */
232 if (this->message)
233 {
234 *result = this->message;
235 return SUCCESS;
236 }
237
238 me = this->ike_sa->get_my_host(this->ike_sa);
239 other = this->ike_sa->get_other_host(this->ike_sa);
240 my_id = this->policy->get_my_id(this->policy);
241 other_id = this->policy->get_other_id(this->policy);
242
243 /* build the request */
244 request = message_create();
245 request->set_source(request, me->clone(me));
246 request->set_destination(request, other->clone(other));
247 request->set_exchange_type(request, IKE_AUTH);
248 request->set_request(request, TRUE);
249 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
250 /* apply for caller */
251 *result = request;
252 /* store for retransmission */
253 this->message = request;
254
255 { /* build ID payload */
256 my_id_payload = id_payload_create_from_identification(TRUE, my_id);
257 request->add_payload(request, (payload_t*)my_id_payload);
258 }
259
260 { /* TODO: build certreq payload */
261
262 }
263
264 if (this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
265 { /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
266 x509_t *cert;
267 cert_payload_t *cert_payload;
268
269 cert = charon->credentials->get_certificate(charon->credentials, my_id);
270 if (cert)
271 {
272 cert_payload = cert_payload_create_from_x509(cert);
273 request->add_payload(request, (payload_t*)cert_payload);
274 }
275 else
276 {
277 this->logger->log(this->logger, ERROR,
278 "could not find my certificate, certificate payload omitted");
279 }
280 }
281
282 { /* build IDr payload, if other_id defined */
283 id_payload_t *id_payload;
284 if (!other_id->contains_wildcards(other_id))
285 {
286 id_payload = id_payload_create_from_identification(FALSE, other_id);
287 request->add_payload(request, (payload_t*)id_payload);
288 }
289 }
290
291 { /* build auth payload */
292 authenticator_t *authenticator;
293 auth_payload_t *auth_payload;
294 auth_method_t auth_method;
295 status_t status;
296
297 auth_method = this->connection->get_auth_method(this->connection);
298 authenticator = authenticator_create(this->ike_sa, auth_method);
299 status = authenticator->compute_auth_data(authenticator, &auth_payload,
300 this->init_request, this->nonce_r, my_id_payload, TRUE);
301 authenticator->destroy(authenticator);
302 if (status != SUCCESS)
303 {
304 this->logger->log(this->logger, AUDIT,
305 "could not generate AUTH data, deleting IKE_SA");
306 return DESTROY_ME;
307 }
308 request->add_payload(request, (payload_t*)auth_payload);
309 }
310
311 { /* build SA payload for CHILD_SA */
312 linked_list_t *proposal_list;
313 sa_payload_t *sa_payload;
314 u_int32_t soft_lifetime, hard_lifetime;
315 bool enable_natt;
316
317 proposal_list = this->policy->get_proposals(this->policy);
318 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
319 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
320 enable_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
321 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
322 soft_lifetime, hard_lifetime,
323 this->policy->get_updown(this->policy),
324 enable_natt);
325 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
326 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
327 {
328 this->logger->log(this->logger, ERROR,
329 "could not install CHILD_SA, deleting IKE_SA");
330 return DESTROY_ME;
331 }
332 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
333 destroy_proposal_list(proposal_list);
334 request->add_payload(request, (payload_t*)sa_payload);
335 }
336
337 { /* build TSi payload */
338 linked_list_t *ts_list;
339 ts_payload_t *ts_payload;
340
341 ts_list = this->policy->get_my_traffic_selectors(this->policy, me);
342 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
343 destroy_ts_list(ts_list);
344
345 request->add_payload(request, (payload_t*)ts_payload);
346 }
347
348 { /* build TSr payload */
349 linked_list_t *ts_list;
350 ts_payload_t *ts_payload;
351
352 ts_list = this->policy->get_other_traffic_selectors(this->policy, other);
353 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
354 destroy_ts_list(ts_list);
355
356 request->add_payload(request, (payload_t*)ts_payload);
357 }
358
359 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
360 request->set_message_id(request, this->message_id);
361 return SUCCESS;
362 }
363
364 /**
365 * Handle all kind of notifies
366 */
367 static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
368 {
369 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
370
371 this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
372 mapping_find(notify_type_m, notify_type));
373
374 switch (notify_type)
375 {
376 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
377 case SINGLE_PAIR_REQUIRED:
378 {
379 this->logger->log(this->logger, AUDIT,
380 "received a SINGLE_PAIR_REQUIRED notify");
381 this->build_child = FALSE;
382 return SUCCESS;
383 }
384 case TS_UNACCEPTABLE:
385 {
386 this->logger->log(this->logger, CONTROL,
387 "received TS_UNACCEPTABLE notify");
388 this->build_child = FALSE;
389 return SUCCESS;
390 }
391 case NO_PROPOSAL_CHOSEN:
392 {
393 this->logger->log(this->logger, CONTROL,
394 "received NO_PROPOSAL_CHOSEN notify");
395 this->build_child = FALSE;
396 return SUCCESS;
397 }
398 default:
399 {
400 if (notify_type < 16383)
401 {
402 this->logger->log(this->logger, AUDIT,
403 "received %s notify error (%d), deleting IKE_SA",
404 mapping_find(notify_type_m, notify_type),
405 notify_type);
406 return DESTROY_ME;
407 }
408 else
409 {
410 this->logger->log(this->logger, CONTROL,
411 "received %s notify (%d), ignored",
412 mapping_find(notify_type_m, notify_type),
413 notify_type);
414 return SUCCESS;
415 }
416 }
417 }
418 }
419
420 /**
421 * Build a notify message.
422 */
423 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
424 {
425 notify_payload_t *notify;
426
427 if (flush_message)
428 {
429 payload_t *payload;
430 iterator_t *iterator = message->get_payload_iterator(message);
431 while (iterator->iterate(iterator, (void**)&payload))
432 {
433 payload->destroy(payload);
434 iterator->remove(iterator);
435 }
436 iterator->destroy(iterator);
437 }
438
439 notify = notify_payload_create();
440 notify->set_notify_type(notify, type);
441 message->add_payload(message, (payload_t*)notify);
442 }
443
444 /**
445 * Import a certificate from a cert payload
446 */
447 static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_payload)
448 {
449 bool found;
450 x509_t *cert;
451 cert_encoding_t encoding;
452
453 encoding = cert_payload->get_cert_encoding(cert_payload);
454 if (encoding != CERT_X509_SIGNATURE)
455 {
456 this->logger->log(this->logger, ERROR,
457 "certificate payload %s not supported, ignored",
458 enum_name(&cert_encoding_names, encoding));
459 return;
460 }
461 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
462 if (cert)
463 {
464 if (charon->credentials->verify(charon->credentials, cert, &found))
465 {
466 this->logger->log(this->logger, CONTROL|LEVEL1,
467 "received end entity certificate is trusted, added to store");
468 if (!found)
469 {
470 charon->credentials->add_end_certificate(charon->credentials, cert);
471 }
472 else
473 {
474 cert->destroy(cert);
475 }
476 }
477 else
478 {
479 this->logger->log(this->logger, CONTROL,
480 "received end entity certificate is not trusted, discarded");
481 cert->destroy(cert);
482 }
483 }
484 else
485 {
486 this->logger->log(this->logger, CONTROL,
487 "parsing of received certificate failed, discarded");
488 }
489 }
490
491 /**
492 * Install a CHILD_SA for usage
493 */
494 static status_t install_child_sa(private_ike_auth_t *this, bool initiator)
495 {
496 prf_plus_t *prf_plus;
497 chunk_t seed;
498 status_t status;
499
500 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
501 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
502 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
503 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
504 chunk_free(&seed);
505
506 if (initiator)
507 {
508 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
509 }
510 else
511 {
512 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
513 }
514 prf_plus->destroy(prf_plus);
515 if (status != SUCCESS)
516 {
517 return DESTROY_ME;
518 }
519 if (initiator)
520 {
521 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
522 }
523 else
524 {
525 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
526 }
527 if (status != SUCCESS)
528 {
529 return DESTROY_ME;
530 }
531
532 /* add to IKE_SA, and remove from transaction */
533 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
534 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
535 this->child_sa = NULL;
536 return SUCCESS;
537 }
538
539 /**
540 * Implementation of transaction_t.get_response.
541 */
542 static status_t get_response(private_ike_auth_t *this, message_t *request,
543 message_t **result, transaction_t **next)
544 {
545 host_t *me, *other;
546 identification_t *my_id, *other_id;
547 message_t *response;
548 status_t status;
549 iterator_t *payloads;
550 id_payload_t *idi_request = NULL;
551 id_payload_t *idr_request = NULL;
552 auth_payload_t *auth_request = NULL;
553 cert_payload_t *cert_request = NULL;
554 sa_payload_t *sa_request = NULL;
555 ts_payload_t *tsi_request = NULL;
556 ts_payload_t *tsr_request = NULL;
557 id_payload_t *idr_response;
558
559 /* check if we already have built a response (retransmission) */
560 if (this->message)
561 {
562 *result = this->message;
563 return SUCCESS;
564 }
565
566 me = this->ike_sa->get_my_host(this->ike_sa);
567 other = this->ike_sa->get_other_host(this->ike_sa);
568 this->message_id = request->get_message_id(request);
569
570 /* set up response */
571 response = message_create();
572 response->set_source(response, me->clone(me));
573 response->set_destination(response, other->clone(other));
574 response->set_exchange_type(response, IKE_AUTH);
575 response->set_request(response, FALSE);
576 response->set_message_id(response, this->message_id);
577 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
578 this->message = response;
579 *result = response;
580
581 /* check message type */
582 if (request->get_exchange_type(request) != IKE_AUTH)
583 {
584 this->logger->log(this->logger, ERROR,
585 "IKE_AUTH response of invalid type, deleting IKE_SA");
586 return DESTROY_ME;
587 }
588
589 /* Iterate over all payloads. */
590 payloads = request->get_payload_iterator(request);
591 while (payloads->has_next(payloads))
592 {
593 payload_t *payload;
594 payloads->current(payloads, (void**)&payload);
595 switch (payload->get_type(payload))
596 {
597 case ID_INITIATOR:
598 idi_request = (id_payload_t*)payload;
599 break;
600 case ID_RESPONDER:
601 idr_request = (id_payload_t*)payload;
602 break;
603 case AUTHENTICATION:
604 auth_request = (auth_payload_t*)payload;
605 break;
606 case CERTIFICATE:
607 cert_request = (cert_payload_t*)payload;
608 break;
609 case SECURITY_ASSOCIATION:
610 sa_request = (sa_payload_t*)payload;
611 break;
612 case TRAFFIC_SELECTOR_INITIATOR:
613 tsi_request = (ts_payload_t*)payload;
614 break;
615 case TRAFFIC_SELECTOR_RESPONDER:
616 tsr_request = (ts_payload_t*)payload;
617 break;
618 case NOTIFY:
619 {
620 status = process_notifies(this, (notify_payload_t*)payload);
621 if (status == FAILED)
622 {
623 payloads->destroy(payloads);
624 /* we return SUCCESS, returned FAILED means do next transaction */
625 return SUCCESS;
626 }
627 if (status == DESTROY_ME)
628 {
629 payloads->destroy(payloads);
630 return DESTROY_ME;
631 }
632 break;
633 }
634 default:
635 {
636 this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
637 mapping_find(payload_type_m, payload->get_type(payload)),
638 payload->get_type(payload));
639 break;
640 }
641 }
642 }
643 payloads->destroy(payloads);
644
645 /* check if we have all payloads */
646 if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
647 {
648 build_notify(INVALID_SYNTAX, response, TRUE);
649 this->logger->log(this->logger, AUDIT,
650 "request message incomplete, deleting IKE_SA");
651 return DESTROY_ME;
652 }
653
654 { /* process ID payload */
655 other_id = idi_request->get_identification(idi_request);
656 if (idr_request)
657 {
658 my_id = idr_request->get_identification(idr_request);
659 }
660 else
661 {
662 my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
663 }
664 }
665
666 { /* get a policy and process traffic selectors */
667 linked_list_t *my_ts, *other_ts;
668
669 my_ts = tsr_request->get_traffic_selectors(tsr_request);
670 other_ts = tsi_request->get_traffic_selectors(tsi_request);
671
672 this->policy = charon->policies->get_policy(charon->policies,
673 my_id, other_id,
674 my_ts, other_ts,
675 me, other);
676 if (this->policy)
677 {
678 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
679 this->tsi = this->policy->select_other_traffic_selectors(this->policy, other_ts, other);
680 }
681 destroy_ts_list(my_ts);
682 destroy_ts_list(other_ts);
683
684 /* TODO: We should check somehow if we have a policy, but with other
685 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
686 if (this->policy == NULL)
687 {
688 this->logger->log(this->logger, AUDIT,
689 "no acceptable policy for IDs %s - %s found, deleting IKE_SA",
690 my_id->get_string(my_id), other_id->get_string(other_id));
691 my_id->destroy(my_id);
692 other_id->destroy(other_id);
693 build_notify(AUTHENTICATION_FAILED, response, TRUE);
694 return DESTROY_ME;
695 }
696 my_id->destroy(my_id);
697
698 /* get my id from policy, which must contain a fully qualified valid id */
699 my_id = this->policy->get_my_id(this->policy);
700 this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
701 this->ike_sa->set_other_id(this->ike_sa, other_id);
702
703 idr_response = id_payload_create_from_identification(FALSE, my_id);
704 response->add_payload(response, (payload_t*)idr_response);
705 }
706
707 if (this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
708 { /* build certificate payload */
709 x509_t *cert;
710 cert_payload_t *cert_payload;
711
712 cert = charon->credentials->get_certificate(charon->credentials, my_id);
713 if (cert == NULL)
714 {
715 this->logger->log(this->logger, ERROR,
716 "could not find my certificate, cert payload omitted");
717 }
718 cert_payload = cert_payload_create_from_x509(cert);
719 response->add_payload(response, (payload_t *)cert_payload);
720 }
721
722 if (cert_request)
723 { /* process certificate payload */
724 import_certificate(this, cert_request);
725 }
726
727 { /* process auth payload */
728 authenticator_t *authenticator;
729 auth_payload_t *auth_response;
730 auth_method_t auth_method;
731 status_t status;
732
733 auth_method = this->connection->get_auth_method(this->connection);
734 authenticator = authenticator_create(this->ike_sa, auth_method);
735 status = authenticator->verify_auth_data(authenticator, auth_request,
736 this->init_request,
737 this->nonce_r, idi_request,
738 TRUE);
739 if (status != SUCCESS)
740 {
741 this->logger->log(this->logger, AUDIT,
742 "authentication failed, deleting IKE_SA");
743 build_notify(AUTHENTICATION_FAILED, response, TRUE);
744 authenticator->destroy(authenticator);
745 return DESTROY_ME;
746 }
747 status = authenticator->compute_auth_data(authenticator, &auth_response,
748 this->init_response,
749 this->nonce_i, idr_response,
750 FALSE);
751 authenticator->destroy(authenticator);
752 if (status != SUCCESS)
753 {
754 this->logger->log(this->logger, AUDIT,
755 "authentication data generation failed, deleting IKE_SA");
756 build_notify(AUTHENTICATION_FAILED, response, TRUE);
757 return DESTROY_ME;
758 }
759 response->add_payload(response, (payload_t*)auth_response);
760 }
761
762 { /* process SA payload */
763 linked_list_t *proposal_list;
764 sa_payload_t *sa_response;
765 ts_payload_t *ts_response;
766 bool use_natt;
767 u_int32_t soft_lifetime, hard_lifetime;
768
769 /* prepare reply */
770 sa_response = sa_payload_create();
771
772 /* get proposals from request, and select one with ours */
773 proposal_list = sa_request->get_proposals(sa_request);
774 this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
775 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
776 destroy_proposal_list(proposal_list);
777
778 /* do we have a proposal? */
779 if (this->proposal == NULL)
780 {
781 this->logger->log(this->logger, AUDIT,
782 "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
783 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
784 }
785 /* do we have traffic selectors? */
786 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
787 {
788 this->logger->log(this->logger, AUDIT,
789 "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
790 build_notify(TS_UNACCEPTABLE, response, FALSE);
791 }
792 else
793 {
794 /* create child sa */
795 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
796 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
797 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
798 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
799 soft_lifetime, hard_lifetime,
800 this->policy->get_updown(this->policy),
801 use_natt);
802 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
803 if (install_child_sa(this, FALSE) != SUCCESS)
804 {
805 this->logger->log(this->logger, ERROR,
806 "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
807 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
808 }
809 /* add proposal to sa payload */
810 sa_response->add_proposal(sa_response, this->proposal);
811 }
812 response->add_payload(response, (payload_t*)sa_response);
813
814 /* add ts payload after sa payload */
815 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
816 response->add_payload(response, (payload_t*)ts_response);
817 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
818 response->add_payload(response, (payload_t*)ts_response);
819 }
820 /* set established state */
821 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
822 return SUCCESS;
823 }
824
825
826 /**
827 * Implementation of transaction_t.conclude
828 */
829 static status_t conclude(private_ike_auth_t *this, message_t *response,
830 transaction_t **transaction)
831 {
832 iterator_t *payloads;
833 host_t *me, *other;
834 identification_t *other_id;
835 ts_payload_t *tsi_payload = NULL;
836 ts_payload_t *tsr_payload = NULL;
837 id_payload_t *idr_payload = NULL;
838 cert_payload_t *cert_payload = NULL;
839 auth_payload_t *auth_payload = NULL;
840 sa_payload_t *sa_payload = NULL;
841 status_t status;
842
843 /* check message type */
844 if (response->get_exchange_type(response) != IKE_AUTH)
845 {
846 this->logger->log(this->logger, ERROR,
847 "IKE_AUTH response of invalid type, deleting IKE_SA");
848 return DESTROY_ME;
849 }
850
851 me = this->ike_sa->get_my_host(this->ike_sa);
852 other = this->ike_sa->get_other_host(this->ike_sa);
853
854 /* Iterate over all payloads to collect them */
855 payloads = response->get_payload_iterator(response);
856 while (payloads->has_next(payloads))
857 {
858 payload_t *payload;
859 payloads->current(payloads, (void**)&payload);
860
861 switch (payload->get_type(payload))
862 {
863 case ID_RESPONDER:
864 idr_payload = (id_payload_t*)payload;
865 break;
866 case AUTHENTICATION:
867 auth_payload = (auth_payload_t*)payload;
868 break;
869 case CERTIFICATE:
870 cert_payload = (cert_payload_t*)payload;
871 break;
872 case SECURITY_ASSOCIATION:
873 sa_payload = (sa_payload_t*)payload;
874 break;
875 case TRAFFIC_SELECTOR_INITIATOR:
876 tsi_payload = (ts_payload_t*)payload;
877 break;
878 case TRAFFIC_SELECTOR_RESPONDER:
879 tsr_payload = (ts_payload_t*)payload;
880 break;
881 case NOTIFY:
882 {
883 status = process_notifies(this, (notify_payload_t*)payload);
884 if (status == FAILED)
885 {
886 payloads->destroy(payloads);
887 /* we return SUCCESS, returned FAILED means do next transaction */
888 return SUCCESS;
889 }
890 if (status == DESTROY_ME)
891 {
892 payloads->destroy(payloads);
893 return status;
894 }
895 break;
896 }
897 default:
898 {
899 this->logger->log(this->logger, CONTROL, "ignoring payload %s (%d)",
900 mapping_find(payload_type_m, payload->get_type(payload)),
901 payload->get_type(payload));
902 break;
903 }
904 }
905 }
906 payloads->destroy(payloads);
907
908 if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
909 {
910 this->logger->log(this->logger, AUDIT, "response message incomplete, deleting IKE_SA");
911 return DESTROY_ME;
912 }
913
914 { /* process idr payload */
915 identification_t *configured_other_id;
916 int wildcards;
917
918 other_id = idr_payload->get_identification(idr_payload);
919 configured_other_id = this->policy->get_other_id(this->policy);
920
921 if (!other_id->matches(other_id, configured_other_id, &wildcards))
922 {
923 other_id->destroy(other_id);
924 this->logger->log(this->logger, AUDIT,
925 "other peer uses unacceptable ID (%s, excepted %s), deleting IKE_SA",
926 other_id->get_string(other_id),
927 configured_other_id->get_string(configured_other_id));
928 return DESTROY_ME;
929 }
930 /* update other ID. It was already set, but may contain wildcards */
931 this->ike_sa->set_other_id(this->ike_sa, other_id);
932 }
933
934 if (cert_payload)
935 { /* process cert payload */
936 import_certificate(this, cert_payload);
937 }
938
939 { /* authenticate peer */
940 authenticator_t *authenticator;
941 auth_method_t auth_method;
942 status_t status;
943
944 auth_method = this->connection->get_auth_method(this->connection);
945 authenticator = authenticator_create(this->ike_sa, auth_method);
946 status = authenticator->verify_auth_data(authenticator, auth_payload,
947 this->init_response,
948 this->nonce_i, idr_payload,
949 FALSE);
950 authenticator->destroy(authenticator);
951 if (status != SUCCESS)
952 {
953 this->logger->log(this->logger, AUDIT, "authentication failed, deleting IKE_SA");
954 return DESTROY_ME;
955 }
956 }
957
958 { /* process traffic selectors for us */
959 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
960 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
961 destroy_ts_list(ts_received);
962 }
963
964 { /* process traffic selectors for other */
965 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
966 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received, other);
967 destroy_ts_list(ts_received);
968 }
969
970 { /* process sa payload */
971 linked_list_t *proposal_list;
972
973 proposal_list = sa_payload->get_proposals(sa_payload);
974 /* we have to re-check here if other's selection is valid */
975 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
976 destroy_proposal_list(proposal_list);
977
978 /* everything fine to create CHILD? */
979 if (this->proposal == NULL ||
980 this->tsi->get_count(this->tsi) == 0 ||
981 this->tsr->get_count(this->tsr) == 0 ||
982 !this->build_child)
983 {
984 this->logger->log(this->logger, AUDIT,
985 "CHILD_SA creation failed");
986 }
987 else
988 {
989 if (install_child_sa(this, TRUE) != SUCCESS)
990 {
991 this->logger->log(this->logger, ERROR,
992 "installing CHILD_SA failed, no CHILD_SA built");
993 }
994 }
995 }
996 /* set new state */
997 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
998 return SUCCESS;
999 }
1000
1001 /**
1002 * implements transaction_t.destroy
1003 */
1004 static void destroy(private_ike_auth_t *this)
1005 {
1006 DESTROY_IF(this->message);
1007 DESTROY_IF(this->proposal);
1008 DESTROY_IF(this->child_sa);
1009 DESTROY_IF(this->policy);
1010 DESTROY_IF(this->connection);
1011 destroy_ts_list(this->tsi);
1012 destroy_ts_list(this->tsr);
1013 chunk_free(&this->nonce_i);
1014 chunk_free(&this->nonce_r);
1015 chunk_free(&this->init_request);
1016 chunk_free(&this->init_response);
1017 free(this);
1018 }
1019
1020 /*
1021 * Described in header.
1022 */
1023 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
1024 {
1025 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1026
1027 /* transaction interface functions */
1028 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
1029 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
1030 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
1031 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
1032 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
1033 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
1034
1035 /* public functions */
1036 this->public.set_config = (void(*)(ike_auth_t*,connection_t*,policy_t*))set_config;
1037 this->public.set_reqid = (void(*)(ike_auth_t*,u_int32_t))set_reqid;
1038 this->public.set_nonces = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_nonces;
1039 this->public.set_init_messages = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_init_messages;
1040
1041 /* private data */
1042 this->ike_sa = ike_sa;
1043 this->message_id = 0;
1044 this->message = NULL;
1045 this->requested = 0;
1046 this->nonce_i = CHUNK_INITIALIZER;
1047 this->nonce_r = CHUNK_INITIALIZER;
1048 this->init_request = CHUNK_INITIALIZER;
1049 this->init_response = CHUNK_INITIALIZER;
1050 this->child_sa = NULL;
1051 this->proposal = NULL;
1052 this->tsi = NULL;
1053 this->tsr = NULL;
1054 this->build_child = TRUE;
1055 this->reqid = 0;
1056 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
1057
1058 return &this->public;
1059 }
strongSwan - IPsec VPN