Implemented migration of certificate handling tasks
[strongswan.git] / src / libcharon / sa / ikev1 / tasks / isakmp_cert_post.c
1 /*
2 * Copyright (C) 2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "isakmp_cert_post.h"
17
18 #include <daemon.h>
19 #include <sa/ike_sa.h>
20 #include <encoding/payloads/cert_payload.h>
21 #include <encoding/payloads/certreq_payload.h>
22 #include <encoding/payloads/auth_payload.h>
23 #include <encoding/payloads/sa_payload.h>
24 #include <credentials/certificates/x509.h>
25
26
27 typedef struct private_isakmp_cert_post_t private_isakmp_cert_post_t;
28
29 /**
30 * Private members of a isakmp_cert_post_t task.
31 */
32 struct private_isakmp_cert_post_t {
33
34 /**
35 * Public methods and task_t interface.
36 */
37 isakmp_cert_post_t public;
38
39 /**
40 * Assigned IKE_SA.
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * Are we the initiator?
46 */
47 bool initiator;
48
49 /**
50 * States of ike cert pre
51 */
52 enum {
53 CR_SA,
54 CR_KE,
55 CR_AUTH,
56 } state;
57 };
58
59 /**
60 * Check if we actually use certificates for authentication
61 */
62 static bool use_certs(private_isakmp_cert_post_t *this, message_t *message)
63 {
64 enumerator_t *enumerator;
65 payload_t *payload;
66 bool use = FALSE;
67
68 enumerator = message->create_payload_enumerator(message);
69 while (enumerator->enumerate(enumerator, &payload))
70 {
71 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
72 {
73 sa_payload_t *sa_payload = (sa_payload_t*)payload;
74
75 switch (sa_payload->get_auth_method(sa_payload))
76 {
77 case AUTH_RSA:
78 case AUTH_XAUTH_INIT_RSA:
79 case AUTH_XAUTH_RESP_RSA:
80 case AUTH_HYBRID_INIT_RSA:
81 case AUTH_HYBRID_RESP_RSA:
82 use = TRUE;
83 break;
84 default:
85 break;
86 }
87 break;
88 }
89 }
90 enumerator->destroy(enumerator);
91
92 return use;
93 }
94
95 /**
96 * Add certificates to message
97 */
98 static void build_certs(private_isakmp_cert_post_t *this, message_t *message)
99 {
100 peer_cfg_t *peer_cfg;
101
102 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
103 if (!peer_cfg)
104 {
105 return;
106 }
107
108 switch (peer_cfg->get_cert_policy(peer_cfg))
109 {
110 case CERT_NEVER_SEND:
111 break;
112 case CERT_SEND_IF_ASKED:
113 if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
114 {
115 break;
116 }
117 /* FALL */
118 case CERT_ALWAYS_SEND:
119 {
120 cert_payload_t *payload;
121 enumerator_t *enumerator;
122 certificate_t *cert;
123 auth_rule_t type;
124 auth_cfg_t *auth;
125
126 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
127 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
128 if (!cert)
129 {
130 break;
131 }
132 payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert);
133 if (!payload)
134 {
135 break;
136 }
137 DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
138 cert->get_subject(cert));
139 message->add_payload(message, (payload_t*)payload);
140
141 enumerator = auth->create_enumerator(auth);
142 while (enumerator->enumerate(enumerator, &type, &cert))
143 {
144 if (type == AUTH_RULE_IM_CERT)
145 {
146 payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert);
147 if (payload)
148 {
149 DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
150 cert->get_subject(cert));
151 message->add_payload(message, (payload_t*)payload);
152 }
153 }
154 }
155 enumerator->destroy(enumerator);
156 }
157 }
158 }
159
160 METHOD(task_t, build_i, status_t,
161 private_isakmp_cert_post_t *this, message_t *message)
162 {
163 switch (message->get_exchange_type(message))
164 {
165 case ID_PROT:
166 if (this->state == CR_AUTH)
167 {
168 build_certs(this, message);
169 return SUCCESS;
170 }
171 return NEED_MORE;
172 case AGGRESSIVE:
173 if (this->state == CR_AUTH)
174 {
175 build_certs(this, message);
176 return SUCCESS;
177 }
178 return NEED_MORE;
179 default:
180 return FAILED;
181 }
182 }
183
184 METHOD(task_t, process_r, status_t,
185 private_isakmp_cert_post_t *this, message_t *message)
186 {
187 switch (message->get_exchange_type(message))
188 {
189 case ID_PROT:
190 {
191 switch (this->state)
192 {
193 case CR_SA:
194 if (!use_certs(this, message))
195 {
196 return SUCCESS;
197 }
198 return NEED_MORE;
199 case CR_KE:
200 return NEED_MORE;
201 case CR_AUTH:
202 return NEED_MORE;
203 }
204 }
205 case AGGRESSIVE:
206 {
207 switch (this->state)
208 {
209 case CR_SA:
210 if (!use_certs(this, message))
211 {
212 return SUCCESS;
213 }
214 return NEED_MORE;
215 case CR_AUTH:
216 return SUCCESS;
217 default:
218 return FAILED;
219 }
220 }
221 default:
222 return FAILED;
223 }
224 }
225
226 METHOD(task_t, build_r, status_t,
227 private_isakmp_cert_post_t *this, message_t *message)
228 {
229 switch (message->get_exchange_type(message))
230 {
231 case ID_PROT:
232 switch (this->state)
233 {
234 case CR_SA:
235 this->state = CR_KE;
236 return NEED_MORE;
237 case CR_KE:
238 this->state = CR_AUTH;
239 return NEED_MORE;
240 case CR_AUTH:
241 build_certs(this, message);
242 return SUCCESS;
243 }
244 case AGGRESSIVE:
245 switch (this->state)
246 {
247 case CR_SA:
248 build_certs(this, message);
249 this->state = CR_AUTH;
250 return NEED_MORE;
251 case CR_AUTH:
252 return SUCCESS;
253 default:
254 return FAILED;
255 }
256 default:
257 return FAILED;
258 }
259 }
260
261 METHOD(task_t, process_i, status_t,
262 private_isakmp_cert_post_t *this, message_t *message)
263 {
264 switch (message->get_exchange_type(message))
265 {
266 case ID_PROT:
267 {
268 switch (this->state)
269 {
270 case CR_SA:
271 if (!use_certs(this, message))
272 {
273 return SUCCESS;
274 }
275 this->state = CR_KE;
276 return NEED_MORE;
277 case CR_KE:
278 this->state = CR_AUTH;
279 return NEED_MORE;
280 case CR_AUTH:
281 return SUCCESS;
282 default:
283 return FAILED;
284 }
285 break;
286 }
287 case AGGRESSIVE:
288 {
289 if (!use_certs(this, message))
290 {
291 return SUCCESS;
292 }
293 return SUCCESS;
294 }
295 default:
296 return FAILED;
297 }
298 }
299
300 METHOD(task_t, get_type, task_type_t,
301 private_isakmp_cert_post_t *this)
302 {
303 return TASK_ISAKMP_CERT_POST;
304 }
305
306 METHOD(task_t, migrate, void,
307 private_isakmp_cert_post_t *this, ike_sa_t *ike_sa)
308 {
309 this->ike_sa = ike_sa;
310 this->state = CR_SA;
311 }
312
313 METHOD(task_t, destroy, void,
314 private_isakmp_cert_post_t *this)
315 {
316 free(this);
317 }
318
319 /*
320 * Described in header.
321 */
322 isakmp_cert_post_t *isakmp_cert_post_create(ike_sa_t *ike_sa, bool initiator)
323 {
324 private_isakmp_cert_post_t *this;
325
326 INIT(this,
327 .public = {
328 .task = {
329 .get_type = _get_type,
330 .migrate = _migrate,
331 .destroy = _destroy,
332 },
333 },
334 .ike_sa = ike_sa,
335 .initiator = initiator,
336 .state = CR_SA,
337 );
338 if (initiator)
339 {
340 this->public.task.process = _process_i;
341 this->public.task.build = _build_i;
342 }
343 else
344 {
345 this->public.task.process = _process_r;
346 this->public.task.build = _build_r;
347 }
348 return &this->public;
349 }