send a certreq as initiator if other_ca is set
[strongswan.git] / src / charon / sa / transactions / ike_auth.c
1 /**
2 * @file ike_auth.c
3 *
4 * @brief Implementation of ike_auth_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include "ike_auth.h"
26
27 #include <string.h>
28
29 #include <daemon.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
38
39
40 typedef struct private_ike_auth_t private_ike_auth_t;
41
42 /**
43 * Private members of a ike_auth_t object..
44 */
45 struct private_ike_auth_t {
46
47 /**
48 * Public methods and transaction_t interface.
49 */
50 ike_auth_t public;
51
52 /**
53 * Assigned IKE_SA.
54 */
55 ike_sa_t *ike_sa;
56
57 /**
58 * Message sent by our peer, if already generated
59 */
60 message_t *message;
61
62 /**
63 * Message ID this transaction uses
64 */
65 u_int32_t message_id;
66
67 /**
68 * Times we did send the request
69 */
70 u_int32_t requested;
71
72 /**
73 * initiator chosen nonce
74 */
75 chunk_t nonce_i;
76
77 /**
78 * responder chosen nonce
79 */
80 chunk_t nonce_r;
81
82 /**
83 * encoded request message of ike_sa_init transaction
84 */
85 chunk_t init_request;
86
87 /**
88 * encoded response message of ike_sa_init transaction
89 */
90 chunk_t init_response;
91
92 /**
93 * connection definition used for IKE_SA setup
94 */
95 connection_t *connection;
96
97 /**
98 * policy definition used CHILD_SA creation
99 */
100 policy_t *policy;
101
102 /**
103 * Negotiated proposal used for CHILD_SA
104 */
105 proposal_t *proposal;
106
107 /**
108 * Negotiated traffic selectors for initiator
109 */
110 linked_list_t *tsi;
111
112 /**
113 * Negotiated traffic selectors for responder
114 */
115 linked_list_t *tsr;
116
117 /**
118 * CHILD_SA created along with IKE_AUTH
119 */
120 child_sa_t *child_sa;
121
122 /**
123 * did other peer create a CHILD_SA?
124 */
125 bool build_child;
126
127 /**
128 * reqid to use for CHILD_SA setup
129 */
130 u_int32_t reqid;
131 };
132
133 /**
134 * Implementation of transaction_t.get_message_id.
135 */
136 static u_int32_t get_message_id(private_ike_auth_t *this)
137 {
138 return this->message_id;
139 }
140
141 /**
142 * Implementation of transaction_t.requested.
143 */
144 static u_int32_t requested(private_ike_auth_t *this)
145 {
146 return this->requested++;
147 }
148
149 /**
150 * Implementation of transaction_t.set_config.
151 */
152 static void set_config(private_ike_auth_t *this,
153 connection_t *connection, policy_t *policy)
154 {
155 this->connection = connection;
156 this->policy = policy;
157 }
158
159 /**
160 * Implementation of transaction_t.set_reqid.
161 */
162 static void set_reqid(private_ike_auth_t *this, u_int32_t reqid)
163 {
164 this->reqid = reqid;
165 }
166
167 /**
168 * Implementation of transaction_t.set_nonces.
169 */
170 static void set_nonces(private_ike_auth_t *this, chunk_t nonce_i, chunk_t nonce_r)
171 {
172 this->nonce_i = nonce_i;
173 this->nonce_r = nonce_r;
174 }
175
176 /**
177 * Implementation of transaction_t.set_init_messages.
178 */
179 static void set_init_messages(private_ike_auth_t *this, chunk_t init_request, chunk_t init_response)
180 {
181 this->init_request = init_request;
182 this->init_response = init_response;
183 }
184
185 /**
186 * Implementation of transaction_t.get_request.
187 */
188 static status_t get_request(private_ike_auth_t *this, message_t **result)
189 {
190 message_t *request;
191 host_t *me, *other;
192 identification_t *my_id, *other_id;
193 id_payload_t *my_id_payload;
194
195 /* check if we already have built a message (retransmission) */
196 if (this->message)
197 {
198 *result = this->message;
199 return SUCCESS;
200 }
201
202 me = this->ike_sa->get_my_host(this->ike_sa);
203 other = this->ike_sa->get_other_host(this->ike_sa);
204 my_id = this->policy->get_my_id(this->policy);
205 other_id = this->policy->get_other_id(this->policy);
206
207 /* build the request */
208 request = message_create();
209 request->set_source(request, me->clone(me));
210 request->set_destination(request, other->clone(other));
211 request->set_exchange_type(request, IKE_AUTH);
212 request->set_request(request, TRUE);
213 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
214 /* apply for caller */
215 *result = request;
216 /* store for retransmission */
217 this->message = request;
218
219 { /* build ID payload */
220 my_id_payload = id_payload_create_from_identification(TRUE, my_id);
221 request->add_payload(request, (payload_t*)my_id_payload);
222 }
223
224 /* build certificate request payload */
225 if (this->connection->get_certreq_policy(this->connection) != CERT_NEVER_SEND)
226 {
227 certreq_payload_t *certreq_payload;
228
229 identification_t *other_ca = this->policy->get_other_ca(this->policy);
230
231 if (other_ca->get_type(other_ca) == ID_ANY)
232 {
233
234 }
235 else
236 {
237 x509_t *cacert = charon->credentials->get_ca_certificate(charon->credentials, other_ca);
238
239 DBG2(DBG_IKE, "certreq with ca: '%D'", other_ca);
240 certreq_payload = certreq_payload_create_from_x509(cacert);
241 request->add_payload(request, (payload_t*)certreq_payload);
242 }
243 }
244
245 /* build certificate payload. TODO: Handle certreq from init_ike_sa. */
246 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
247 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
248 {
249 cert_payload_t *cert_payload;
250
251 x509_t *cert = charon->credentials->get_certificate(charon->credentials, my_id);
252
253 if (cert)
254 {
255 cert_payload = cert_payload_create_from_x509(cert);
256 request->add_payload(request, (payload_t*)cert_payload);
257 }
258 else
259 {
260 DBG1(DBG_IKE, "could not find my certificate, certificate payload omitted");
261 }
262 }
263
264 { /* build IDr payload, if other_id defined */
265 id_payload_t *id_payload;
266 if (!other_id->contains_wildcards(other_id))
267 {
268 id_payload = id_payload_create_from_identification(FALSE, other_id);
269 request->add_payload(request, (payload_t*)id_payload);
270 }
271 }
272
273 { /* build auth payload */
274 authenticator_t *authenticator;
275 auth_payload_t *auth_payload;
276 auth_method_t auth_method;
277 status_t status;
278
279 auth_method = this->policy->get_auth_method(this->policy);
280 authenticator = authenticator_create(this->ike_sa, auth_method);
281 status = authenticator->compute_auth_data(authenticator,
282 &auth_payload,
283 this->init_request,
284 this->nonce_r,
285 my_id,
286 other_id,
287 TRUE);
288 authenticator->destroy(authenticator);
289 if (status != SUCCESS)
290 {
291 SIG(IKE_UP_FAILED, "could not generate AUTH data, deleting IKE_SA");
292 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
293 return DESTROY_ME;
294 }
295 request->add_payload(request, (payload_t*)auth_payload);
296 }
297
298 { /* build SA payload for CHILD_SA */
299 linked_list_t *proposal_list;
300 sa_payload_t *sa_payload;
301 u_int32_t soft_lifetime, hard_lifetime;
302 bool enable_natt;
303
304 proposal_list = this->policy->get_proposals(this->policy);
305 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
306 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
307 enable_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
308 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
309 soft_lifetime, hard_lifetime,
310 this->policy->get_updown(this->policy),
311 this->policy->get_hostaccess(this->policy),
312 enable_natt);
313 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
314 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
315 {
316 SIG(IKE_UP_FAILED, "could not install CHILD_SA, deleting IKE_SA");
317 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
318 return DESTROY_ME;
319 }
320 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
321 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
322 request->add_payload(request, (payload_t*)sa_payload);
323 }
324
325 { /* build TSi payload */
326 linked_list_t *ts_list;
327 ts_payload_t *ts_payload;
328
329 ts_list = this->policy->get_my_traffic_selectors(this->policy, me);
330 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
331 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
332
333 request->add_payload(request, (payload_t*)ts_payload);
334 }
335
336 { /* build TSr payload */
337 linked_list_t *ts_list;
338 ts_payload_t *ts_payload;
339
340 ts_list = this->policy->get_other_traffic_selectors(this->policy, other);
341 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
342 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
343
344 request->add_payload(request, (payload_t*)ts_payload);
345 }
346
347 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
348 request->set_message_id(request, this->message_id);
349 return SUCCESS;
350 }
351
352 /**
353 * Handle all kind of notifies
354 */
355 static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *notify_payload)
356 {
357 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
358
359 DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
360
361 switch (notify_type)
362 {
363 /* these notifies are not critical. no child_sa is built, but IKE stays alive */
364 case SINGLE_PAIR_REQUIRED:
365 {
366 SIG(CHILD_UP_FAILED, "received a SINGLE_PAIR_REQUIRED notify");
367 this->build_child = FALSE;
368 return SUCCESS;
369 }
370 case TS_UNACCEPTABLE:
371 {
372 SIG(CHILD_UP_FAILED, "received TS_UNACCEPTABLE notify");
373 this->build_child = FALSE;
374 return SUCCESS;
375 }
376 case NO_PROPOSAL_CHOSEN:
377 {
378 SIG(CHILD_UP_FAILED, "received NO_PROPOSAL_CHOSEN notify");
379 this->build_child = FALSE;
380 return SUCCESS;
381 }
382 default:
383 {
384 if (notify_type < 16383)
385 {
386 SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA",
387 notify_type_names, notify_type);
388 return DESTROY_ME;
389 }
390 else
391 {
392 DBG1(DBG_IKE, "received %N notify, ignored",
393 notify_type_names, notify_type);
394 return SUCCESS;
395 }
396 }
397 }
398 }
399
400 /**
401 * Build a notify message.
402 */
403 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
404 {
405 notify_payload_t *notify;
406
407 if (flush_message)
408 {
409 payload_t *payload;
410 iterator_t *iterator = message->get_payload_iterator(message);
411 while (iterator->iterate(iterator, (void**)&payload))
412 {
413 payload->destroy(payload);
414 iterator->remove(iterator);
415 }
416 iterator->destroy(iterator);
417 }
418
419 notify = notify_payload_create();
420 notify->set_notify_type(notify, type);
421 message->add_payload(message, (payload_t*)notify);
422 }
423
424 /**
425 * Import a certificate from a cert payload
426 */
427 static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_payload)
428 {
429 bool found;
430 x509_t *cert;
431 cert_encoding_t encoding;
432
433 encoding = cert_payload->get_cert_encoding(cert_payload);
434 if (encoding != CERT_X509_SIGNATURE)
435 {
436 DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
437 cert_encoding_names, encoding);
438 return;
439 }
440 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
441 if (cert)
442 {
443 if (charon->credentials->verify(charon->credentials, cert, &found))
444 {
445 DBG2(DBG_IKE, "received end entity certificate is trusted, added to store");
446 if (!found)
447 {
448 charon->credentials->add_end_certificate(charon->credentials, cert);
449 }
450 else
451 {
452 cert->destroy(cert);
453 }
454 }
455 else
456 {
457 DBG1(DBG_IKE, "received end entity certificate is not trusted, discarded");
458 cert->destroy(cert);
459 }
460 }
461 else
462 {
463 DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
464 }
465 }
466
467 /**
468 * Install a CHILD_SA for usage
469 */
470 static status_t install_child_sa(private_ike_auth_t *this, bool initiator)
471 {
472 prf_plus_t *prf_plus;
473 chunk_t seed;
474 status_t status;
475
476 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
477 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
478 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
479 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
480 chunk_free(&seed);
481
482 if (initiator)
483 {
484 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
485 }
486 else
487 {
488 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
489 }
490 prf_plus->destroy(prf_plus);
491 if (status != SUCCESS)
492 {
493 return DESTROY_ME;
494 }
495 if (initiator)
496 {
497 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
498 }
499 else
500 {
501 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
502 }
503 if (status != SUCCESS)
504 {
505 return DESTROY_ME;
506 }
507
508 /* add to IKE_SA, and remove from transaction */
509 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
510 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
511 this->child_sa = NULL;
512 return SUCCESS;
513 }
514
515 /**
516 * Implementation of transaction_t.get_response.
517 */
518 static status_t get_response(private_ike_auth_t *this, message_t *request,
519 message_t **result, transaction_t **next)
520 {
521 host_t *me, *other;
522 identification_t *my_id, *other_id;
523 message_t *response;
524 status_t status;
525 iterator_t *payloads;
526 payload_t *payload;
527 id_payload_t *idi_request = NULL;
528 id_payload_t *idr_request = NULL;
529 auth_payload_t *auth_request = NULL;
530 cert_payload_t *cert_request = NULL;
531 sa_payload_t *sa_request = NULL;
532 ts_payload_t *tsi_request = NULL;
533 ts_payload_t *tsr_request = NULL;
534 id_payload_t *idr_response;
535
536 /* check if we already have built a response (retransmission) */
537 if (this->message)
538 {
539 *result = this->message;
540 return SUCCESS;
541 }
542
543 SIG(CHILD_UP_START, "setting up CHILD_SA along with IKE_AUTH");
544
545 me = this->ike_sa->get_my_host(this->ike_sa);
546 other = this->ike_sa->get_other_host(this->ike_sa);
547 this->message_id = request->get_message_id(request);
548
549 /* set up response */
550 response = message_create();
551 response->set_source(response, me->clone(me));
552 response->set_destination(response, other->clone(other));
553 response->set_exchange_type(response, IKE_AUTH);
554 response->set_request(response, FALSE);
555 response->set_message_id(response, this->message_id);
556 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
557 this->message = response;
558 *result = response;
559
560 /* check message type */
561 if (request->get_exchange_type(request) != IKE_AUTH)
562 {
563 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
564 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
565 return DESTROY_ME;
566 }
567
568 /* Iterate over all payloads. */
569 payloads = request->get_payload_iterator(request);
570 while (payloads->iterate(payloads, (void**)&payload))
571 {
572 switch (payload->get_type(payload))
573 {
574 case ID_INITIATOR:
575 idi_request = (id_payload_t*)payload;
576 break;
577 case ID_RESPONDER:
578 idr_request = (id_payload_t*)payload;
579 break;
580 case AUTHENTICATION:
581 auth_request = (auth_payload_t*)payload;
582 break;
583 case CERTIFICATE:
584 cert_request = (cert_payload_t*)payload;
585 break;
586 case SECURITY_ASSOCIATION:
587 sa_request = (sa_payload_t*)payload;
588 break;
589 case TRAFFIC_SELECTOR_INITIATOR:
590 tsi_request = (ts_payload_t*)payload;
591 break;
592 case TRAFFIC_SELECTOR_RESPONDER:
593 tsr_request = (ts_payload_t*)payload;
594 break;
595 case NOTIFY:
596 {
597 status = process_notifies(this, (notify_payload_t*)payload);
598 if (status == FAILED)
599 {
600 payloads->destroy(payloads);
601 /* we return SUCCESS, returned FAILED means do next transaction */
602 return SUCCESS;
603 }
604 if (status == DESTROY_ME)
605 {
606 payloads->destroy(payloads);
607 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
608 return DESTROY_ME;
609 }
610 break;
611 }
612 default:
613 {
614 DBG1(DBG_IKE, "ignoring %N payload",
615 payload_type_names, payload->get_type(payload));
616 break;
617 }
618 }
619 }
620 payloads->destroy(payloads);
621
622 /* check if we have all payloads */
623 if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
624 {
625 build_notify(INVALID_SYNTAX, response, TRUE);
626 SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
627 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
628 return DESTROY_ME;
629 }
630
631 { /* process ID payload */
632 other_id = idi_request->get_identification(idi_request);
633 if (idr_request)
634 {
635 my_id = idr_request->get_identification(idr_request);
636 }
637 else
638 {
639 my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
640 }
641 }
642
643 { /* get a policy and process traffic selectors */
644 linked_list_t *my_ts, *other_ts;
645
646 my_ts = tsr_request->get_traffic_selectors(tsr_request);
647 other_ts = tsi_request->get_traffic_selectors(tsi_request);
648
649 this->policy = charon->policies->get_policy(charon->policies,
650 my_id, other_id,
651 my_ts, other_ts,
652 me, other);
653 if (this->policy)
654 {
655 this->tsr = this->policy->select_my_traffic_selectors(this->policy, my_ts, me);
656 this->tsi = this->policy->select_other_traffic_selectors(this->policy, other_ts, other);
657 }
658 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
659 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
660
661 /* TODO: We should check somehow if we have a policy, but with other
662 * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
663 if (this->policy == NULL)
664 {
665 SIG(IKE_UP_FAILED, "no acceptable policy for IDs %D - %D found, "
666 "deleting IKE_SA", my_id, other_id);
667 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
668 my_id->destroy(my_id);
669 other_id->destroy(other_id);
670 build_notify(AUTHENTICATION_FAILED, response, TRUE);
671 return DESTROY_ME;
672 }
673 my_id->destroy(my_id);
674
675 /* get my id from policy, which must contain a fully qualified valid id */
676 my_id = this->policy->get_my_id(this->policy);
677 this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
678 this->ike_sa->set_other_id(this->ike_sa, other_id);
679
680 idr_response = id_payload_create_from_identification(FALSE, my_id);
681 response->add_payload(response, (payload_t*)idr_response);
682 }
683
684 if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
685 && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
686 { /* build certificate payload */
687 x509_t *cert;
688 cert_payload_t *cert_payload;
689
690 cert = charon->credentials->get_certificate(charon->credentials, my_id);
691 if (cert)
692 {
693 cert_payload = cert_payload_create_from_x509(cert);
694 response->add_payload(response, (payload_t *)cert_payload);
695 }
696 else
697 {
698 DBG1(DBG_IKE, "could not find my certificate, cert payload omitted");
699 }
700 }
701
702 if (cert_request)
703 { /* process certificate payload */
704 import_certificate(this, cert_request);
705 }
706
707 { /* process auth payload */
708 authenticator_t *authenticator;
709 auth_payload_t *auth_response;
710 auth_method_t auth_method;
711 status_t status;
712
713 auth_method = this->policy->get_auth_method(this->policy);
714 authenticator = authenticator_create(this->ike_sa, auth_method);
715 status = authenticator->verify_auth_data(authenticator, auth_request,
716 this->init_request,
717 this->nonce_r,
718 my_id,
719 other_id,
720 TRUE);
721 if (status != SUCCESS)
722 {
723 SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA");
724 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
725 build_notify(AUTHENTICATION_FAILED, response, TRUE);
726 authenticator->destroy(authenticator);
727 return DESTROY_ME;
728 }
729 status = authenticator->compute_auth_data(authenticator, &auth_response,
730 this->init_response,
731 this->nonce_i,
732 my_id,
733 other_id,
734 FALSE);
735 authenticator->destroy(authenticator);
736 if (status != SUCCESS)
737 {
738 SIG(IKE_UP_FAILED, "authentication data generation failed, deleting IKE_SA");
739 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
740 build_notify(AUTHENTICATION_FAILED, response, TRUE);
741 return DESTROY_ME;
742 }
743 response->add_payload(response, (payload_t*)auth_response);
744 }
745
746 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
747 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
748
749 { /* process SA payload */
750 linked_list_t *proposal_list;
751 sa_payload_t *sa_response;
752 ts_payload_t *ts_response;
753 bool use_natt;
754 u_int32_t soft_lifetime, hard_lifetime;
755
756 /* prepare reply */
757 sa_response = sa_payload_create();
758
759 /* get proposals from request, and select one with ours */
760 proposal_list = sa_request->get_proposals(sa_request);
761 DBG2(DBG_IKE, "selecting proposals:");
762 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
763 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
764
765 /* do we have a proposal? */
766 if (this->proposal == NULL)
767 {
768 SIG(CHILD_UP_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created");
769 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
770 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
771 }
772 /* do we have traffic selectors? */
773 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
774 {
775 SIG(CHILD_UP_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
776 DBG1(DBG_IKE, "adding TS_UNACCEPTABLE notify to response");
777 build_notify(TS_UNACCEPTABLE, response, FALSE);
778 }
779 else
780 {
781 /* create child sa */
782 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
783 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
784 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
785 this->child_sa = child_sa_create(this->reqid, me, other, my_id, other_id,
786 soft_lifetime, hard_lifetime,
787 this->policy->get_updown(this->policy),
788 this->policy->get_hostaccess(this->policy),
789 use_natt);
790 this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
791 if (install_child_sa(this, FALSE) != SUCCESS)
792 {
793 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA created");
794 DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
795 build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
796 }
797 else
798 {
799 /* add proposal to sa payload */
800 sa_response->add_proposal(sa_response, this->proposal);
801 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
802 }
803 }
804 response->add_payload(response, (payload_t*)sa_response);
805
806 /* add ts payload after sa payload */
807 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
808 response->add_payload(response, (payload_t*)ts_response);
809 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
810 response->add_payload(response, (payload_t*)ts_response);
811 }
812 /* set established state */
813 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
814 return SUCCESS;
815 }
816
817
818 /**
819 * Implementation of transaction_t.conclude
820 */
821 static status_t conclude(private_ike_auth_t *this, message_t *response,
822 transaction_t **transaction)
823 {
824 iterator_t *payloads;
825 payload_t *payload;
826 host_t *me, *other;
827 identification_t *other_id, *my_id;
828 ts_payload_t *tsi_payload = NULL;
829 ts_payload_t *tsr_payload = NULL;
830 id_payload_t *idr_payload = NULL;
831 cert_payload_t *cert_payload = NULL;
832 auth_payload_t *auth_payload = NULL;
833 sa_payload_t *sa_payload = NULL;
834 status_t status;
835
836 /* check message type */
837 if (response->get_exchange_type(response) != IKE_AUTH)
838 {
839 SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
840 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
841 return DESTROY_ME;
842 }
843
844 me = this->ike_sa->get_my_host(this->ike_sa);
845 other = this->ike_sa->get_other_host(this->ike_sa);
846
847 /* Iterate over all payloads to collect them */
848 payloads = response->get_payload_iterator(response);
849 while (payloads->iterate(payloads, (void**)&payload))
850 {
851 switch (payload->get_type(payload))
852 {
853 case ID_RESPONDER:
854 idr_payload = (id_payload_t*)payload;
855 break;
856 case AUTHENTICATION:
857 auth_payload = (auth_payload_t*)payload;
858 break;
859 case CERTIFICATE:
860 cert_payload = (cert_payload_t*)payload;
861 break;
862 case SECURITY_ASSOCIATION:
863 sa_payload = (sa_payload_t*)payload;
864 break;
865 case TRAFFIC_SELECTOR_INITIATOR:
866 tsi_payload = (ts_payload_t*)payload;
867 break;
868 case TRAFFIC_SELECTOR_RESPONDER:
869 tsr_payload = (ts_payload_t*)payload;
870 break;
871 case NOTIFY:
872 {
873 status = process_notifies(this, (notify_payload_t*)payload);
874 if (status == FAILED)
875 {
876 payloads->destroy(payloads);
877 /* we return SUCCESS, as transaction completet */
878 return SUCCESS;
879 }
880 if (status == DESTROY_ME)
881 {
882 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
883 payloads->destroy(payloads);
884 return status;
885 }
886 break;
887 }
888 default:
889 {
890 DBG1(DBG_IKE, "ignoring payload %N",
891 payload_type_names, payload->get_type(payload));
892 break;
893 }
894 }
895 }
896 payloads->destroy(payloads);
897
898 if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
899 {
900 SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA");
901 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
902 return DESTROY_ME;
903 }
904
905 { /* process idr payload */
906 identification_t *configured_other_id;
907 int wildcards;
908
909 other_id = idr_payload->get_identification(idr_payload);
910 configured_other_id = this->policy->get_other_id(this->policy);
911
912 if (!other_id->matches(other_id, configured_other_id, &wildcards))
913 {
914 other_id->destroy(other_id);
915 SIG(IKE_UP_FAILED, "other peer uses unacceptable ID (%D, excepted "
916 "%D), deleting IKE_SA", other_id, configured_other_id);
917 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
918 return DESTROY_ME;
919 }
920 /* update other ID. It was already set, but may contain wildcards */
921 this->ike_sa->set_other_id(this->ike_sa, other_id);
922 }
923
924 if (cert_payload)
925 { /* process cert payload */
926 import_certificate(this, cert_payload);
927 }
928
929 { /* authenticate peer */
930 authenticator_t *authenticator;
931 auth_method_t auth_method;
932 status_t status;
933
934 auth_method = this->policy->get_auth_method(this->policy);
935 authenticator = authenticator_create(this->ike_sa, auth_method);
936 my_id = this->policy->get_my_id(this->policy);
937
938 status = authenticator->verify_auth_data(authenticator,
939 auth_payload,
940 this->init_response,
941 this->nonce_i,
942 my_id,
943 other_id,
944 FALSE);
945 authenticator->destroy(authenticator);
946 if (status != SUCCESS)
947 {
948 SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed, "
949 "deleting IKE_SA", other_id, auth_method_names, auth_method);
950 SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
951 return DESTROY_ME;
952 }
953 }
954
955 SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
956 this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
957
958 { /* process traffic selectors for us */
959 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
960 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
961 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
962 }
963
964 { /* process traffic selectors for other */
965 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
966 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received, other);
967 ts_received->destroy_offset(ts_received, offsetof(traffic_selector_t, destroy));
968 }
969
970 { /* process sa payload */
971 linked_list_t *proposal_list;
972
973 proposal_list = sa_payload->get_proposals(sa_payload);
974 /* we have to re-check here if other's selection is valid */
975 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
976 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
977
978 /* everything fine to create CHILD? */
979 if (this->proposal == NULL ||
980 this->tsi->get_count(this->tsi) == 0 ||
981 this->tsr->get_count(this->tsr) == 0 ||
982 !this->build_child)
983 {
984 SIG(CHILD_UP_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
985 }
986 else
987 {
988 if (install_child_sa(this, TRUE) != SUCCESS)
989 {
990 SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
991 /* TODO: we should send a DELETE for that CHILD to stay
992 * synchronous with the peer */
993 }
994 else
995 {
996 SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
997 }
998 }
999 }
1000 /* set new state */
1001 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1002 return SUCCESS;
1003 }
1004
1005 /**
1006 * implements transaction_t.destroy
1007 */
1008 static void destroy(private_ike_auth_t *this)
1009 {
1010 DESTROY_IF(this->message);
1011 DESTROY_IF(this->proposal);
1012 DESTROY_IF(this->child_sa);
1013 DESTROY_IF(this->policy);
1014 DESTROY_IF(this->connection);
1015 if (this->tsi)
1016 {
1017 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1018 }
1019 if (this->tsr)
1020 {
1021 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1022 }
1023 chunk_free(&this->nonce_i);
1024 chunk_free(&this->nonce_r);
1025 chunk_free(&this->init_request);
1026 chunk_free(&this->init_response);
1027 free(this);
1028 }
1029
1030 /*
1031 * Described in header.
1032 */
1033 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
1034 {
1035 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1036
1037 /* transaction interface functions */
1038 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
1039 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
1040 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
1041 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
1042 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
1043 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
1044
1045 /* public functions */
1046 this->public.set_config = (void(*)(ike_auth_t*,connection_t*,policy_t*))set_config;
1047 this->public.set_reqid = (void(*)(ike_auth_t*,u_int32_t))set_reqid;
1048 this->public.set_nonces = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_nonces;
1049 this->public.set_init_messages = (void(*)(ike_auth_t*,chunk_t,chunk_t))set_init_messages;
1050
1051 /* private data */
1052 this->ike_sa = ike_sa;
1053 this->message_id = 0;
1054 this->message = NULL;
1055 this->requested = 0;
1056 this->nonce_i = CHUNK_INITIALIZER;
1057 this->nonce_r = CHUNK_INITIALIZER;
1058 this->init_request = CHUNK_INITIALIZER;
1059 this->init_response = CHUNK_INITIALIZER;
1060 this->child_sa = NULL;
1061 this->proposal = NULL;
1062 this->tsi = NULL;
1063 this->tsr = NULL;
1064 this->build_child = TRUE;
1065 this->reqid = 0;
1066
1067 return &this->public;
1068 }