183ca34404bc5eb74300ea773736cb78f04fe737
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details
15 */
16
17 #include "ike_auth.h"
18
19 #include <string.h>
20
21 #include <daemon.h>
22 #include <encoding/payloads/id_payload.h>
23 #include <encoding/payloads/auth_payload.h>
24 #include <encoding/payloads/eap_payload.h>
25 #include <encoding/payloads/nonce_payload.h>
26 #include <sa/ikev2/authenticators/eap_authenticator.h>
27
28 typedef struct private_ike_auth_t private_ike_auth_t;
29
30 /**
31 * Private members of a ike_auth_t task.
32 */
33 struct private_ike_auth_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 ike_auth_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Nonce chosen by us in ike_init
52 */
53 chunk_t my_nonce;
54
55 /**
56 * Nonce chosen by peer in ike_init
57 */
58 chunk_t other_nonce;
59
60 /**
61 * IKE_SA_INIT message sent by us
62 */
63 packet_t *my_packet;
64
65 /**
66 * IKE_SA_INIT message sent by peer
67 */
68 packet_t *other_packet;
69
70 /**
71 * Reserved bytes of ID payload
72 */
73 char reserved[3];
74
75 /**
76 * currently active authenticator, to authenticate us
77 */
78 authenticator_t *my_auth;
79
80 /**
81 * currently active authenticator, to authenticate peer
82 */
83 authenticator_t *other_auth;
84
85 /**
86 * peer_cfg candidates, ordered by priority
87 */
88 linked_list_t *candidates;
89
90 /**
91 * selected peer config (might change when using multiple authentications)
92 */
93 peer_cfg_t *peer_cfg;
94
95 /**
96 * have we planned an(other) authentication exchange?
97 */
98 bool do_another_auth;
99
100 /**
101 * has the peer announced another authentication exchange?
102 */
103 bool expect_another_auth;
104
105 /**
106 * should we send a AUTHENTICATION_FAILED notify?
107 */
108 bool authentication_failed;
109
110 /**
111 * received an INITIAL_CONTACT?
112 */
113 bool initial_contact;
114 };
115
116 /**
117 * check if multiple authentication extension is enabled, configuration-wise
118 */
119 static bool multiple_auth_enabled()
120 {
121 return lib->settings->get_bool(lib->settings,
122 "charon.multiple_authentication", TRUE);
123 }
124
125 /**
126 * collect the needed information in the IKE_SA_INIT exchange from our message
127 */
128 static status_t collect_my_init_data(private_ike_auth_t *this,
129 message_t *message)
130 {
131 nonce_payload_t *nonce;
132
133 /* get the nonce that was generated in ike_init */
134 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
135 if (nonce == NULL)
136 {
137 return FAILED;
138 }
139 this->my_nonce = nonce->get_nonce(nonce);
140
141 /* pre-generate the message, keep a copy */
142 if (this->ike_sa->generate_message(this->ike_sa, message,
143 &this->my_packet) != SUCCESS)
144 {
145 return FAILED;
146 }
147 return NEED_MORE;
148 }
149
150 /**
151 * collect the needed information in the IKE_SA_INIT exchange from others message
152 */
153 static status_t collect_other_init_data(private_ike_auth_t *this,
154 message_t *message)
155 {
156 /* we collect the needed information in the IKE_SA_INIT exchange */
157 nonce_payload_t *nonce;
158
159 /* get the nonce that was generated in ike_init */
160 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
161 if (nonce == NULL)
162 {
163 return FAILED;
164 }
165 this->other_nonce = nonce->get_nonce(nonce);
166
167 /* keep a copy of the received packet */
168 this->other_packet = message->get_packet(message);
169 return NEED_MORE;
170 }
171
172 /**
173 * Get and store reserved bytes of id_payload, required for AUTH payload
174 */
175 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
176 {
177 u_int8_t *byte;
178 int i;
179
180 for (i = 0; i < countof(this->reserved); i++)
181 {
182 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
183 if (byte)
184 {
185 this->reserved[i] = *byte;
186 }
187 }
188 }
189
190 /**
191 * Get the next authentication configuration
192 */
193 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
194 {
195 enumerator_t *e1, *e2;
196 auth_cfg_t *c1, *c2, *next = NULL;
197
198 /* find an available config not already done */
199 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
200 while (e1->enumerate(e1, &c1))
201 {
202 bool found = FALSE;
203
204 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
205 while (e2->enumerate(e2, &c2))
206 {
207 if (c2->complies(c2, c1, FALSE))
208 {
209 found = TRUE;
210 break;
211 }
212 }
213 e2->destroy(e2);
214 if (!found)
215 {
216 next = c1;
217 break;
218 }
219 }
220 e1->destroy(e1);
221 return next;
222 }
223
224 /**
225 * Check if we have should initiate another authentication round
226 */
227 static bool do_another_auth(private_ike_auth_t *this)
228 {
229 bool do_another = FALSE;
230 enumerator_t *done, *todo;
231 auth_cfg_t *done_cfg, *todo_cfg;
232
233 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
234 {
235 return FALSE;
236 }
237
238 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
239 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
240 while (todo->enumerate(todo, &todo_cfg))
241 {
242 if (!done->enumerate(done, &done_cfg))
243 {
244 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
245 }
246 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
247 {
248 do_another = TRUE;
249 break;
250 }
251 }
252 done->destroy(done);
253 todo->destroy(todo);
254 return do_another;
255 }
256
257 /**
258 * Get peer configuration candidates from backends
259 */
260 static bool load_cfg_candidates(private_ike_auth_t *this)
261 {
262 enumerator_t *enumerator;
263 peer_cfg_t *peer_cfg;
264 host_t *me, *other;
265 identification_t *my_id, *other_id;
266
267 me = this->ike_sa->get_my_host(this->ike_sa);
268 other = this->ike_sa->get_other_host(this->ike_sa);
269 my_id = this->ike_sa->get_my_id(this->ike_sa);
270 other_id = this->ike_sa->get_other_id(this->ike_sa);
271
272 DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
273 me, my_id, other, other_id);
274 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
275 me, other, my_id, other_id, IKEV2);
276 while (enumerator->enumerate(enumerator, &peer_cfg))
277 {
278 peer_cfg->get_ref(peer_cfg);
279 if (this->peer_cfg == NULL)
280 { /* best match */
281 this->peer_cfg = peer_cfg;
282 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
283 }
284 else
285 {
286 this->candidates->insert_last(this->candidates, peer_cfg);
287 }
288 }
289 enumerator->destroy(enumerator);
290 if (this->peer_cfg)
291 {
292 DBG1(DBG_CFG, "selected peer config '%s'",
293 this->peer_cfg->get_name(this->peer_cfg));
294 return TRUE;
295 }
296 DBG1(DBG_CFG, "no matching peer config found");
297 return FALSE;
298 }
299
300 /**
301 * update the current peer candidate if necessary, using candidates
302 */
303 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
304 {
305 do
306 {
307 if (this->peer_cfg)
308 {
309 bool complies = TRUE;
310 enumerator_t *e1, *e2, *tmp;
311 auth_cfg_t *c1, *c2;
312
313 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
314 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
315
316 if (strict)
317 { /* swap lists in strict mode: all configured rounds must be
318 * fulfilled. If !strict, we check only the rounds done so far. */
319 tmp = e1;
320 e1 = e2;
321 e2 = tmp;
322 }
323 while (e1->enumerate(e1, &c1))
324 {
325 /* check if done authentications comply to configured ones */
326 if ((!e2->enumerate(e2, &c2)) ||
327 (!strict && !c1->complies(c1, c2, TRUE)) ||
328 (strict && !c2->complies(c2, c1, TRUE)))
329 {
330 complies = FALSE;
331 break;
332 }
333 }
334 e1->destroy(e1);
335 e2->destroy(e2);
336 if (complies)
337 {
338 break;
339 }
340 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
341 this->peer_cfg->get_name(this->peer_cfg));
342 this->peer_cfg->destroy(this->peer_cfg);
343 }
344 if (this->candidates->remove_first(this->candidates,
345 (void**)&this->peer_cfg) != SUCCESS)
346 {
347 DBG1(DBG_CFG, "no alternative config found");
348 this->peer_cfg = NULL;
349 }
350 else
351 {
352 DBG1(DBG_CFG, "switching to peer config '%s'",
353 this->peer_cfg->get_name(this->peer_cfg));
354 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
355 }
356 }
357 while (this->peer_cfg);
358
359 return this->peer_cfg != NULL;
360 }
361
362 METHOD(task_t, build_i, status_t,
363 private_ike_auth_t *this, message_t *message)
364 {
365 auth_cfg_t *cfg;
366
367 if (message->get_exchange_type(message) == IKE_SA_INIT)
368 {
369 return collect_my_init_data(this, message);
370 }
371
372 if (this->peer_cfg == NULL)
373 {
374 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
375 this->peer_cfg->get_ref(this->peer_cfg);
376 }
377
378 if (message->get_message_id(message) == 1)
379 { /* in the first IKE_AUTH ... */
380 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
381 { /* indicate support for multiple authentication */
382 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
383 chunk_empty);
384 }
385 /* indicate support for EAP-only authentication */
386 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
387 chunk_empty);
388 }
389
390 if (!this->do_another_auth && !this->my_auth)
391 { /* we have done our rounds */
392 return NEED_MORE;
393 }
394
395 /* check if an authenticator is in progress */
396 if (this->my_auth == NULL)
397 {
398 identification_t *idi, *idr = NULL;
399 id_payload_t *id_payload;
400
401 /* clean up authentication config from a previous round */
402 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
403 cfg->purge(cfg, TRUE);
404
405 /* add (optional) IDr */
406 cfg = get_auth_cfg(this, FALSE);
407 if (cfg)
408 {
409 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
410 if (idr && !idr->contains_wildcards(idr))
411 {
412 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
413 id_payload = id_payload_create_from_identification(
414 ID_RESPONDER, idr);
415 message->add_payload(message, (payload_t*)id_payload);
416 }
417 }
418 /* add IDi */
419 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
420 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
421 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
422 if (!idi)
423 {
424 DBG1(DBG_CFG, "configuration misses IDi");
425 return FAILED;
426 }
427 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
428 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
429 get_reserved_id_bytes(this, id_payload);
430 message->add_payload(message, (payload_t*)id_payload);
431
432 if (idr && message->get_message_id(message) == 1 &&
433 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
434 {
435 host_t *host;
436
437 host = this->ike_sa->get_other_host(this->ike_sa);
438 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
439 idi, idr, host->get_family(host)))
440 {
441 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
442 }
443 }
444
445 /* build authentication data */
446 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
447 this->other_nonce, this->my_nonce,
448 this->other_packet->get_data(this->other_packet),
449 this->my_packet->get_data(this->my_packet),
450 this->reserved);
451 if (!this->my_auth)
452 {
453 return FAILED;
454 }
455 }
456 switch (this->my_auth->build(this->my_auth, message))
457 {
458 case SUCCESS:
459 /* authentication step complete, reset authenticator */
460 cfg = auth_cfg_create();
461 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
462 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
463 this->my_auth->destroy(this->my_auth);
464 this->my_auth = NULL;
465 break;
466 case NEED_MORE:
467 break;
468 default:
469 return FAILED;
470 }
471
472 /* check for additional authentication rounds */
473 if (do_another_auth(this))
474 {
475 if (message->get_payload(message, AUTHENTICATION))
476 {
477 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
478 }
479 }
480 else
481 {
482 this->do_another_auth = FALSE;
483 }
484 return NEED_MORE;
485 }
486
487 METHOD(task_t, process_r, status_t,
488 private_ike_auth_t *this, message_t *message)
489 {
490 auth_cfg_t *cfg, *cand;
491 id_payload_t *id_payload;
492 identification_t *id;
493
494 if (message->get_exchange_type(message) == IKE_SA_INIT)
495 {
496 return collect_other_init_data(this, message);
497 }
498
499 if (this->my_auth == NULL && this->do_another_auth)
500 {
501 /* handle (optional) IDr payload, apply proposed identity */
502 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
503 if (id_payload)
504 {
505 id = id_payload->get_identification(id_payload);
506 }
507 else
508 {
509 id = identification_create_from_encoding(ID_ANY, chunk_empty);
510 }
511 this->ike_sa->set_my_id(this->ike_sa, id);
512 }
513
514 if (!this->expect_another_auth)
515 {
516 return NEED_MORE;
517 }
518
519 if (message->get_message_id(message) == 1)
520 { /* check for extensions in the first IKE_AUTH */
521 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
522 {
523 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
524 }
525 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
526 {
527 this->ike_sa->enable_extension(this->ike_sa,
528 EXT_EAP_ONLY_AUTHENTICATION);
529 }
530 }
531
532 if (this->other_auth == NULL)
533 {
534 /* handle IDi payload */
535 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
536 if (!id_payload)
537 {
538 DBG1(DBG_IKE, "IDi payload missing");
539 return FAILED;
540 }
541 id = id_payload->get_identification(id_payload);
542 get_reserved_id_bytes(this, id_payload);
543 this->ike_sa->set_other_id(this->ike_sa, id);
544 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
545 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
546
547 if (this->peer_cfg == NULL)
548 {
549 if (!load_cfg_candidates(this))
550 {
551 this->authentication_failed = TRUE;
552 return NEED_MORE;
553 }
554 }
555 if (message->get_payload(message, AUTHENTICATION) == NULL)
556 { /* before authenticating with EAP, we need a EAP config */
557 cand = get_auth_cfg(this, FALSE);
558 while (!cand || (
559 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
560 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
561 { /* peer requested EAP, but current config does not match */
562 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
563 this->peer_cfg->destroy(this->peer_cfg);
564 this->peer_cfg = NULL;
565 if (!update_cfg_candidates(this, FALSE))
566 {
567 this->authentication_failed = TRUE;
568 return NEED_MORE;
569 }
570 cand = get_auth_cfg(this, FALSE);
571 }
572 /* copy over the EAP specific rules for authentication */
573 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
574 cand->get(cand, AUTH_RULE_EAP_TYPE));
575 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
576 cand->get(cand, AUTH_RULE_EAP_VENDOR));
577 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
578 if (id)
579 {
580 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
581 }
582 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
583 if (id)
584 {
585 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
586 }
587 }
588
589 /* verify authentication data */
590 this->other_auth = authenticator_create_verifier(this->ike_sa,
591 message, this->other_nonce, this->my_nonce,
592 this->other_packet->get_data(this->other_packet),
593 this->my_packet->get_data(this->my_packet),
594 this->reserved);
595 if (!this->other_auth)
596 {
597 this->authentication_failed = TRUE;
598 return NEED_MORE;
599 }
600 }
601 switch (this->other_auth->process(this->other_auth, message))
602 {
603 case SUCCESS:
604 this->other_auth->destroy(this->other_auth);
605 this->other_auth = NULL;
606 break;
607 case NEED_MORE:
608 if (message->get_payload(message, AUTHENTICATION))
609 { /* AUTH verification successful, but another build() needed */
610 break;
611 }
612 return NEED_MORE;
613 default:
614 this->authentication_failed = TRUE;
615 return NEED_MORE;
616 }
617
618 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
619 * delete any existing IKE_SAs with that peer. */
620 if (message->get_message_id(message) == 1 &&
621 message->get_notify(message, INITIAL_CONTACT))
622 {
623 this->initial_contact = TRUE;
624 }
625
626 /* another auth round done, invoke authorize hook */
627 if (!charon->bus->authorize(charon->bus, FALSE))
628 {
629 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
630 this->authentication_failed = TRUE;
631 return NEED_MORE;
632 }
633
634 /* store authentication information */
635 cfg = auth_cfg_create();
636 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
637 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
638
639 if (!update_cfg_candidates(this, FALSE))
640 {
641 this->authentication_failed = TRUE;
642 return NEED_MORE;
643 }
644
645 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
646 {
647 this->expect_another_auth = FALSE;
648 if (!update_cfg_candidates(this, TRUE))
649 {
650 this->authentication_failed = TRUE;
651 return NEED_MORE;
652 }
653 }
654 return NEED_MORE;
655 }
656
657 METHOD(task_t, build_r, status_t,
658 private_ike_auth_t *this, message_t *message)
659 {
660 auth_cfg_t *cfg;
661
662 if (message->get_exchange_type(message) == IKE_SA_INIT)
663 {
664 if (multiple_auth_enabled())
665 {
666 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
667 chunk_empty);
668 }
669 return collect_my_init_data(this, message);
670 }
671
672 if (this->authentication_failed || this->peer_cfg == NULL)
673 {
674 goto peer_auth_failed;
675 }
676
677 if (this->my_auth == NULL && this->do_another_auth)
678 {
679 identification_t *id, *id_cfg;
680 id_payload_t *id_payload;
681
682 /* add IDr */
683 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
684 cfg->purge(cfg, TRUE);
685 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
686
687 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
688 id = this->ike_sa->get_my_id(this->ike_sa);
689 if (id->get_type(id) == ID_ANY)
690 { /* no IDr received, apply configured ID */
691 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
692 {
693 DBG1(DBG_CFG, "IDr not configured and negotiation failed");
694 goto peer_auth_failed;
695 }
696 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
697 id = id_cfg;
698 }
699 else
700 { /* IDr received, check if it matches configuration */
701 if (id_cfg && !id->matches(id, id_cfg))
702 {
703 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
704 goto peer_auth_failed;
705 }
706 }
707
708 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
709 get_reserved_id_bytes(this, id_payload);
710 message->add_payload(message, (payload_t*)id_payload);
711
712 if (this->initial_contact)
713 {
714 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
715 this->ike_sa, TRUE);
716 this->initial_contact = FALSE;
717 }
718
719 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
720 { /* EAP-only authentication */
721 if (!this->ike_sa->supports_extension(this->ike_sa,
722 EXT_EAP_ONLY_AUTHENTICATION))
723 {
724 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
725 "does not support it");
726 goto peer_auth_failed;
727 }
728 }
729 else
730 {
731 /* build authentication data */
732 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
733 this->other_nonce, this->my_nonce,
734 this->other_packet->get_data(this->other_packet),
735 this->my_packet->get_data(this->my_packet),
736 this->reserved);
737 if (!this->my_auth)
738 {
739 goto peer_auth_failed;
740 }
741 }
742 }
743
744 if (this->other_auth)
745 {
746 switch (this->other_auth->build(this->other_auth, message))
747 {
748 case SUCCESS:
749 this->other_auth->destroy(this->other_auth);
750 this->other_auth = NULL;
751 break;
752 case NEED_MORE:
753 break;
754 default:
755 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
756 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
757 goto peer_auth_failed_no_notify;
758 }
759 goto peer_auth_failed;
760 }
761 }
762 if (this->my_auth)
763 {
764 switch (this->my_auth->build(this->my_auth, message))
765 {
766 case SUCCESS:
767 cfg = auth_cfg_create();
768 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
769 TRUE);
770 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
771 this->my_auth->destroy(this->my_auth);
772 this->my_auth = NULL;
773 break;
774 case NEED_MORE:
775 break;
776 default:
777 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
778 chunk_empty);
779 return FAILED;
780 }
781 }
782
783 /* check for additional authentication rounds */
784 if (do_another_auth(this))
785 {
786 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
787 }
788 else
789 {
790 this->do_another_auth = FALSE;
791 }
792 if (!this->do_another_auth && !this->expect_another_auth)
793 {
794 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
795 this->ike_sa, FALSE))
796 {
797 DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
798 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
799 chunk_empty);
800 return FAILED;
801 }
802 if (!charon->bus->authorize(charon->bus, TRUE))
803 {
804 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
805 goto peer_auth_failed;
806 }
807 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
808 this->ike_sa->get_name(this->ike_sa),
809 this->ike_sa->get_unique_id(this->ike_sa),
810 this->ike_sa->get_my_host(this->ike_sa),
811 this->ike_sa->get_my_id(this->ike_sa),
812 this->ike_sa->get_other_host(this->ike_sa),
813 this->ike_sa->get_other_id(this->ike_sa));
814 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
815 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
816 return SUCCESS;
817 }
818 return NEED_MORE;
819
820 peer_auth_failed:
821 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
822 chunk_empty);
823 peer_auth_failed_no_notify:
824 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
825 return FAILED;
826 }
827
828 METHOD(task_t, process_i, status_t,
829 private_ike_auth_t *this, message_t *message)
830 {
831 enumerator_t *enumerator;
832 payload_t *payload;
833 auth_cfg_t *cfg;
834 bool mutual_eap = FALSE;
835
836 if (message->get_exchange_type(message) == IKE_SA_INIT)
837 {
838 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
839 multiple_auth_enabled())
840 {
841 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
842 }
843 return collect_other_init_data(this, message);
844 }
845
846 enumerator = message->create_payload_enumerator(message);
847 while (enumerator->enumerate(enumerator, &payload))
848 {
849 if (payload->get_type(payload) == NOTIFY)
850 {
851 notify_payload_t *notify = (notify_payload_t*)payload;
852 notify_type_t type = notify->get_notify_type(notify);
853
854 switch (type)
855 {
856 case NO_PROPOSAL_CHOSEN:
857 case SINGLE_PAIR_REQUIRED:
858 case NO_ADDITIONAL_SAS:
859 case INTERNAL_ADDRESS_FAILURE:
860 case FAILED_CP_REQUIRED:
861 case TS_UNACCEPTABLE:
862 case INVALID_SELECTORS:
863 /* these are errors, but are not critical as only the
864 * CHILD_SA won't get build, but IKE_SA establishes anyway */
865 break;
866 case MOBIKE_SUPPORTED:
867 case ADDITIONAL_IP4_ADDRESS:
868 case ADDITIONAL_IP6_ADDRESS:
869 /* handled in ike_mobike task */
870 break;
871 case AUTH_LIFETIME:
872 /* handled in ike_auth_lifetime task */
873 break;
874 case ME_ENDPOINT:
875 /* handled in ike_me task */
876 break;
877 default:
878 {
879 if (type <= 16383)
880 {
881 DBG1(DBG_IKE, "received %N notify error",
882 notify_type_names, type);
883 enumerator->destroy(enumerator);
884 return FAILED;
885 }
886 DBG2(DBG_IKE, "received %N notify",
887 notify_type_names, type);
888 break;
889 }
890 }
891 }
892 }
893 enumerator->destroy(enumerator);
894
895 if (this->expect_another_auth)
896 {
897 if (this->other_auth == NULL)
898 {
899 id_payload_t *id_payload;
900 identification_t *id;
901
902 /* handle IDr payload */
903 id_payload = (id_payload_t*)message->get_payload(message,
904 ID_RESPONDER);
905 if (!id_payload)
906 {
907 DBG1(DBG_IKE, "IDr payload missing");
908 goto peer_auth_failed;
909 }
910 id = id_payload->get_identification(id_payload);
911 get_reserved_id_bytes(this, id_payload);
912 this->ike_sa->set_other_id(this->ike_sa, id);
913 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
914 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
915
916 if (message->get_payload(message, AUTHENTICATION))
917 {
918 /* verify authentication data */
919 this->other_auth = authenticator_create_verifier(this->ike_sa,
920 message, this->other_nonce, this->my_nonce,
921 this->other_packet->get_data(this->other_packet),
922 this->my_packet->get_data(this->my_packet),
923 this->reserved);
924 if (!this->other_auth)
925 {
926 goto peer_auth_failed;
927 }
928 }
929 else
930 {
931 /* responder omitted AUTH payload, indicating EAP-only */
932 mutual_eap = TRUE;
933 }
934 }
935 if (this->other_auth)
936 {
937 switch (this->other_auth->process(this->other_auth, message))
938 {
939 case SUCCESS:
940 break;
941 case NEED_MORE:
942 return NEED_MORE;
943 default:
944 goto peer_auth_failed;
945 }
946 this->other_auth->destroy(this->other_auth);
947 this->other_auth = NULL;
948 }
949 /* another auth round done, invoke authorize hook */
950 if (!charon->bus->authorize(charon->bus, FALSE))
951 {
952 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
953 goto peer_auth_failed;
954 }
955
956 /* store authentication information, reset authenticator */
957 cfg = auth_cfg_create();
958 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
959 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
960 }
961
962 if (this->my_auth)
963 {
964 switch (this->my_auth->process(this->my_auth, message))
965 {
966 case SUCCESS:
967 cfg = auth_cfg_create();
968 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
969 TRUE);
970 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
971 this->my_auth->destroy(this->my_auth);
972 this->my_auth = NULL;
973 this->do_another_auth = do_another_auth(this);
974 break;
975 case NEED_MORE:
976 break;
977 default:
978 return FAILED;
979 }
980 }
981 if (mutual_eap)
982 {
983 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
984 {
985 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
986 goto peer_auth_failed;
987 }
988 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
989 }
990
991 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
992 {
993 this->expect_another_auth = FALSE;
994 }
995 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
996 {
997 if (!update_cfg_candidates(this, TRUE))
998 {
999 goto peer_auth_failed;
1000 }
1001 if (!charon->bus->authorize(charon->bus, TRUE))
1002 {
1003 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
1004 "cancelling");
1005 goto peer_auth_failed;
1006 }
1007 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1008 this->ike_sa->get_name(this->ike_sa),
1009 this->ike_sa->get_unique_id(this->ike_sa),
1010 this->ike_sa->get_my_host(this->ike_sa),
1011 this->ike_sa->get_my_id(this->ike_sa),
1012 this->ike_sa->get_other_host(this->ike_sa),
1013 this->ike_sa->get_other_id(this->ike_sa));
1014 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1015 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1016 return SUCCESS;
1017 }
1018 return NEED_MORE;
1019
1020 peer_auth_failed:
1021 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
1022 return FAILED;
1023 }
1024
1025 METHOD(task_t, get_type, task_type_t,
1026 private_ike_auth_t *this)
1027 {
1028 return TASK_IKE_AUTH;
1029 }
1030
1031 METHOD(task_t, migrate, void,
1032 private_ike_auth_t *this, ike_sa_t *ike_sa)
1033 {
1034 chunk_free(&this->my_nonce);
1035 chunk_free(&this->other_nonce);
1036 DESTROY_IF(this->my_packet);
1037 DESTROY_IF(this->other_packet);
1038 DESTROY_IF(this->peer_cfg);
1039 DESTROY_IF(this->my_auth);
1040 DESTROY_IF(this->other_auth);
1041 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1042
1043 this->my_packet = NULL;
1044 this->other_packet = NULL;
1045 this->ike_sa = ike_sa;
1046 this->peer_cfg = NULL;
1047 this->my_auth = NULL;
1048 this->other_auth = NULL;
1049 this->do_another_auth = TRUE;
1050 this->expect_another_auth = TRUE;
1051 this->authentication_failed = FALSE;
1052 this->candidates = linked_list_create();
1053 }
1054
1055 METHOD(task_t, destroy, void,
1056 private_ike_auth_t *this)
1057 {
1058 chunk_free(&this->my_nonce);
1059 chunk_free(&this->other_nonce);
1060 DESTROY_IF(this->my_packet);
1061 DESTROY_IF(this->other_packet);
1062 DESTROY_IF(this->my_auth);
1063 DESTROY_IF(this->other_auth);
1064 DESTROY_IF(this->peer_cfg);
1065 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1066 free(this);
1067 }
1068
1069 /*
1070 * Described in header.
1071 */
1072 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1073 {
1074 private_ike_auth_t *this;
1075
1076 INIT(this,
1077 .public = {
1078 .task = {
1079 .get_type = _get_type,
1080 .migrate = _migrate,
1081 .build = _build_r,
1082 .process = _process_r,
1083 .destroy = _destroy,
1084 },
1085 },
1086 .ike_sa = ike_sa,
1087 .initiator = initiator,
1088 .candidates = linked_list_create(),
1089 .do_another_auth = TRUE,
1090 .expect_another_auth = TRUE,
1091 );
1092 if (initiator)
1093 {
1094 this->public.task.build = _build_i;
1095 this->public.task.process = _process_i;
1096 }
1097 return &this->public;
1098 }