Refactor auth_cfg applying to a common function
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "ike_auth.h"
19
20 #include <string.h>
21
22 #include <daemon.h>
23 #include <encoding/payloads/id_payload.h>
24 #include <encoding/payloads/auth_payload.h>
25 #include <encoding/payloads/eap_payload.h>
26 #include <encoding/payloads/nonce_payload.h>
27 #include <sa/ikev2/authenticators/eap_authenticator.h>
28
29 typedef struct private_ike_auth_t private_ike_auth_t;
30
31 /**
32 * Private members of a ike_auth_t task.
33 */
34 struct private_ike_auth_t {
35
36 /**
37 * Public methods and task_t interface.
38 */
39 ike_auth_t public;
40
41 /**
42 * Assigned IKE_SA.
43 */
44 ike_sa_t *ike_sa;
45
46 /**
47 * Are we the initiator?
48 */
49 bool initiator;
50
51 /**
52 * Nonce chosen by us in ike_init
53 */
54 chunk_t my_nonce;
55
56 /**
57 * Nonce chosen by peer in ike_init
58 */
59 chunk_t other_nonce;
60
61 /**
62 * IKE_SA_INIT message sent by us
63 */
64 packet_t *my_packet;
65
66 /**
67 * IKE_SA_INIT message sent by peer
68 */
69 packet_t *other_packet;
70
71 /**
72 * Reserved bytes of ID payload
73 */
74 char reserved[3];
75
76 /**
77 * currently active authenticator, to authenticate us
78 */
79 authenticator_t *my_auth;
80
81 /**
82 * currently active authenticator, to authenticate peer
83 */
84 authenticator_t *other_auth;
85
86 /**
87 * peer_cfg candidates, ordered by priority
88 */
89 linked_list_t *candidates;
90
91 /**
92 * selected peer config (might change when using multiple authentications)
93 */
94 peer_cfg_t *peer_cfg;
95
96 /**
97 * have we planned an(other) authentication exchange?
98 */
99 bool do_another_auth;
100
101 /**
102 * has the peer announced another authentication exchange?
103 */
104 bool expect_another_auth;
105
106 /**
107 * should we send a AUTHENTICATION_FAILED notify?
108 */
109 bool authentication_failed;
110
111 /**
112 * received an INITIAL_CONTACT?
113 */
114 bool initial_contact;
115 };
116
117 /**
118 * check if multiple authentication extension is enabled, configuration-wise
119 */
120 static bool multiple_auth_enabled()
121 {
122 return lib->settings->get_bool(lib->settings,
123 "%s.multiple_authentication", TRUE, charon->name);
124 }
125
126 /**
127 * collect the needed information in the IKE_SA_INIT exchange from our message
128 */
129 static status_t collect_my_init_data(private_ike_auth_t *this,
130 message_t *message)
131 {
132 nonce_payload_t *nonce;
133
134 /* get the nonce that was generated in ike_init */
135 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
136 if (nonce == NULL)
137 {
138 return FAILED;
139 }
140 this->my_nonce = nonce->get_nonce(nonce);
141
142 /* pre-generate the message, keep a copy */
143 if (this->ike_sa->generate_message(this->ike_sa, message,
144 &this->my_packet) != SUCCESS)
145 {
146 return FAILED;
147 }
148 return NEED_MORE;
149 }
150
151 /**
152 * collect the needed information in the IKE_SA_INIT exchange from others message
153 */
154 static status_t collect_other_init_data(private_ike_auth_t *this,
155 message_t *message)
156 {
157 /* we collect the needed information in the IKE_SA_INIT exchange */
158 nonce_payload_t *nonce;
159
160 /* get the nonce that was generated in ike_init */
161 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
162 if (nonce == NULL)
163 {
164 return FAILED;
165 }
166 this->other_nonce = nonce->get_nonce(nonce);
167
168 /* keep a copy of the received packet */
169 this->other_packet = message->get_packet(message);
170 return NEED_MORE;
171 }
172
173 /**
174 * Get and store reserved bytes of id_payload, required for AUTH payload
175 */
176 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
177 {
178 u_int8_t *byte;
179 int i;
180
181 for (i = 0; i < countof(this->reserved); i++)
182 {
183 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
184 if (byte)
185 {
186 this->reserved[i] = *byte;
187 }
188 }
189 }
190
191 /**
192 * Get the next authentication configuration
193 */
194 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
195 {
196 enumerator_t *e1, *e2;
197 auth_cfg_t *c1, *c2, *next = NULL;
198
199 /* find an available config not already done */
200 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
201 while (e1->enumerate(e1, &c1))
202 {
203 bool found = FALSE;
204
205 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
206 while (e2->enumerate(e2, &c2))
207 {
208 if (c2->complies(c2, c1, FALSE))
209 {
210 found = TRUE;
211 break;
212 }
213 }
214 e2->destroy(e2);
215 if (!found)
216 {
217 next = c1;
218 break;
219 }
220 }
221 e1->destroy(e1);
222 return next;
223 }
224
225 /**
226 * Move the currently active auth config to the auth configs completed
227 */
228 static void apply_auth_cfg(private_ike_auth_t *this, bool local)
229 {
230 auth_cfg_t *cfg;
231
232 cfg = auth_cfg_create();
233 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
234 this->ike_sa->add_auth_cfg(this->ike_sa, local, cfg);
235 }
236
237 /**
238 * Check if we have should initiate another authentication round
239 */
240 static bool do_another_auth(private_ike_auth_t *this)
241 {
242 bool do_another = FALSE;
243 enumerator_t *done, *todo;
244 auth_cfg_t *done_cfg, *todo_cfg;
245
246 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
247 {
248 return FALSE;
249 }
250
251 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
252 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
253 while (todo->enumerate(todo, &todo_cfg))
254 {
255 if (!done->enumerate(done, &done_cfg))
256 {
257 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
258 }
259 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
260 {
261 do_another = TRUE;
262 break;
263 }
264 }
265 done->destroy(done);
266 todo->destroy(todo);
267 return do_another;
268 }
269
270 /**
271 * Get peer configuration candidates from backends
272 */
273 static bool load_cfg_candidates(private_ike_auth_t *this)
274 {
275 enumerator_t *enumerator;
276 peer_cfg_t *peer_cfg;
277 host_t *me, *other;
278 identification_t *my_id, *other_id;
279
280 me = this->ike_sa->get_my_host(this->ike_sa);
281 other = this->ike_sa->get_other_host(this->ike_sa);
282 my_id = this->ike_sa->get_my_id(this->ike_sa);
283 other_id = this->ike_sa->get_other_id(this->ike_sa);
284
285 DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
286 me, my_id, other, other_id);
287 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
288 me, other, my_id, other_id, IKEV2);
289 while (enumerator->enumerate(enumerator, &peer_cfg))
290 {
291 peer_cfg->get_ref(peer_cfg);
292 if (this->peer_cfg == NULL)
293 { /* best match */
294 this->peer_cfg = peer_cfg;
295 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
296 }
297 else
298 {
299 this->candidates->insert_last(this->candidates, peer_cfg);
300 }
301 }
302 enumerator->destroy(enumerator);
303 if (this->peer_cfg)
304 {
305 DBG1(DBG_CFG, "selected peer config '%s'",
306 this->peer_cfg->get_name(this->peer_cfg));
307 return TRUE;
308 }
309 DBG1(DBG_CFG, "no matching peer config found");
310 return FALSE;
311 }
312
313 /**
314 * update the current peer candidate if necessary, using candidates
315 */
316 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
317 {
318 do
319 {
320 if (this->peer_cfg)
321 {
322 bool complies = TRUE;
323 enumerator_t *e1, *e2, *tmp;
324 auth_cfg_t *c1, *c2;
325
326 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
327 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
328
329 if (strict)
330 { /* swap lists in strict mode: all configured rounds must be
331 * fulfilled. If !strict, we check only the rounds done so far. */
332 tmp = e1;
333 e1 = e2;
334 e2 = tmp;
335 }
336 while (e1->enumerate(e1, &c1))
337 {
338 /* check if done authentications comply to configured ones */
339 if ((!e2->enumerate(e2, &c2)) ||
340 (!strict && !c1->complies(c1, c2, TRUE)) ||
341 (strict && !c2->complies(c2, c1, TRUE)))
342 {
343 complies = FALSE;
344 break;
345 }
346 }
347 e1->destroy(e1);
348 e2->destroy(e2);
349 if (complies)
350 {
351 break;
352 }
353 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
354 this->peer_cfg->get_name(this->peer_cfg));
355 this->peer_cfg->destroy(this->peer_cfg);
356 }
357 if (this->candidates->remove_first(this->candidates,
358 (void**)&this->peer_cfg) != SUCCESS)
359 {
360 DBG1(DBG_CFG, "no alternative config found");
361 this->peer_cfg = NULL;
362 }
363 else
364 {
365 DBG1(DBG_CFG, "switching to peer config '%s'",
366 this->peer_cfg->get_name(this->peer_cfg));
367 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
368 }
369 }
370 while (this->peer_cfg);
371
372 return this->peer_cfg != NULL;
373 }
374
375 METHOD(task_t, build_i, status_t,
376 private_ike_auth_t *this, message_t *message)
377 {
378 auth_cfg_t *cfg;
379
380 if (message->get_exchange_type(message) == IKE_SA_INIT)
381 {
382 return collect_my_init_data(this, message);
383 }
384
385 if (this->peer_cfg == NULL)
386 {
387 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
388 this->peer_cfg->get_ref(this->peer_cfg);
389 }
390
391 if (message->get_message_id(message) == 1)
392 { /* in the first IKE_AUTH ... */
393 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
394 { /* indicate support for multiple authentication */
395 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
396 chunk_empty);
397 }
398 /* indicate support for EAP-only authentication */
399 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
400 chunk_empty);
401 }
402
403 if (!this->do_another_auth && !this->my_auth)
404 { /* we have done our rounds */
405 return NEED_MORE;
406 }
407
408 /* check if an authenticator is in progress */
409 if (this->my_auth == NULL)
410 {
411 identification_t *idi, *idr = NULL;
412 id_payload_t *id_payload;
413
414 /* clean up authentication config from a previous round */
415 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
416 cfg->purge(cfg, TRUE);
417
418 /* add (optional) IDr */
419 cfg = get_auth_cfg(this, FALSE);
420 if (cfg)
421 {
422 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
423 if (!cfg->get(cfg, AUTH_RULE_IDENTITY_LOOSE) && idr &&
424 !idr->contains_wildcards(idr))
425 {
426 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
427 id_payload = id_payload_create_from_identification(
428 ID_RESPONDER, idr);
429 message->add_payload(message, (payload_t*)id_payload);
430 }
431 }
432 /* add IDi */
433 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
434 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
435 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
436 if (!idi || idi->get_type(idi) == ID_ANY)
437 { /* ID_ANY is invalid as IDi, use local IP address instead */
438 host_t *me;
439
440 DBG1(DBG_CFG, "no IDi configured, fall back on IP address");
441 me = this->ike_sa->get_my_host(this->ike_sa);
442 idi = identification_create_from_sockaddr(me->get_sockaddr(me));
443 cfg->add(cfg, AUTH_RULE_IDENTITY, idi);
444 }
445 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
446 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
447 get_reserved_id_bytes(this, id_payload);
448 message->add_payload(message, (payload_t*)id_payload);
449
450 if (idr && message->get_message_id(message) == 1 &&
451 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
452 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
453 {
454 host_t *host;
455
456 host = this->ike_sa->get_other_host(this->ike_sa);
457 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
458 idi, idr, host->get_family(host)))
459 {
460 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
461 }
462 }
463
464 /* build authentication data */
465 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
466 this->other_nonce, this->my_nonce,
467 this->other_packet->get_data(this->other_packet),
468 this->my_packet->get_data(this->my_packet),
469 this->reserved);
470 if (!this->my_auth)
471 {
472 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
473 return FAILED;
474 }
475 }
476 switch (this->my_auth->build(this->my_auth, message))
477 {
478 case SUCCESS:
479 apply_auth_cfg(this, TRUE);
480 this->my_auth->destroy(this->my_auth);
481 this->my_auth = NULL;
482 break;
483 case NEED_MORE:
484 break;
485 default:
486 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
487 return FAILED;
488 }
489
490 /* check for additional authentication rounds */
491 if (do_another_auth(this))
492 {
493 if (message->get_payload(message, AUTHENTICATION))
494 {
495 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
496 }
497 }
498 else
499 {
500 this->do_another_auth = FALSE;
501 }
502 return NEED_MORE;
503 }
504
505 METHOD(task_t, process_r, status_t,
506 private_ike_auth_t *this, message_t *message)
507 {
508 auth_cfg_t *cfg, *cand;
509 id_payload_t *id_payload;
510 identification_t *id;
511
512 if (message->get_exchange_type(message) == IKE_SA_INIT)
513 {
514 return collect_other_init_data(this, message);
515 }
516
517 if (this->my_auth == NULL && this->do_another_auth)
518 {
519 /* handle (optional) IDr payload, apply proposed identity */
520 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
521 if (id_payload)
522 {
523 id = id_payload->get_identification(id_payload);
524 }
525 else
526 {
527 id = identification_create_from_encoding(ID_ANY, chunk_empty);
528 }
529 this->ike_sa->set_my_id(this->ike_sa, id);
530 }
531
532 if (!this->expect_another_auth)
533 {
534 return NEED_MORE;
535 }
536
537 if (message->get_message_id(message) == 1)
538 { /* check for extensions in the first IKE_AUTH */
539 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
540 {
541 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
542 }
543 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
544 {
545 this->ike_sa->enable_extension(this->ike_sa,
546 EXT_EAP_ONLY_AUTHENTICATION);
547 }
548 }
549
550 if (this->other_auth == NULL)
551 {
552 /* handle IDi payload */
553 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
554 if (!id_payload)
555 {
556 DBG1(DBG_IKE, "IDi payload missing");
557 return FAILED;
558 }
559 id = id_payload->get_identification(id_payload);
560 get_reserved_id_bytes(this, id_payload);
561 this->ike_sa->set_other_id(this->ike_sa, id);
562 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
563 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
564
565 if (this->peer_cfg == NULL)
566 {
567 if (!load_cfg_candidates(this))
568 {
569 this->authentication_failed = TRUE;
570 return NEED_MORE;
571 }
572 }
573 if (message->get_payload(message, AUTHENTICATION) == NULL)
574 { /* before authenticating with EAP, we need a EAP config */
575 cand = get_auth_cfg(this, FALSE);
576 while (!cand || (
577 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
578 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
579 { /* peer requested EAP, but current config does not match */
580 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
581 this->peer_cfg->destroy(this->peer_cfg);
582 this->peer_cfg = NULL;
583 if (!update_cfg_candidates(this, FALSE))
584 {
585 this->authentication_failed = TRUE;
586 return NEED_MORE;
587 }
588 cand = get_auth_cfg(this, FALSE);
589 }
590 /* copy over the EAP specific rules for authentication */
591 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
592 cand->get(cand, AUTH_RULE_EAP_TYPE));
593 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
594 cand->get(cand, AUTH_RULE_EAP_VENDOR));
595 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
596 if (id)
597 {
598 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
599 }
600 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
601 if (id)
602 {
603 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
604 }
605 }
606
607 /* verify authentication data */
608 this->other_auth = authenticator_create_verifier(this->ike_sa,
609 message, this->other_nonce, this->my_nonce,
610 this->other_packet->get_data(this->other_packet),
611 this->my_packet->get_data(this->my_packet),
612 this->reserved);
613 if (!this->other_auth)
614 {
615 this->authentication_failed = TRUE;
616 return NEED_MORE;
617 }
618 }
619 switch (this->other_auth->process(this->other_auth, message))
620 {
621 case SUCCESS:
622 this->other_auth->destroy(this->other_auth);
623 this->other_auth = NULL;
624 break;
625 case NEED_MORE:
626 if (message->get_payload(message, AUTHENTICATION))
627 { /* AUTH verification successful, but another build() needed */
628 break;
629 }
630 return NEED_MORE;
631 default:
632 this->authentication_failed = TRUE;
633 return NEED_MORE;
634 }
635
636 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
637 * delete any existing IKE_SAs with that peer. */
638 if (message->get_message_id(message) == 1 &&
639 message->get_notify(message, INITIAL_CONTACT))
640 {
641 this->initial_contact = TRUE;
642 }
643
644 /* another auth round done, invoke authorize hook */
645 if (!charon->bus->authorize(charon->bus, FALSE))
646 {
647 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
648 this->authentication_failed = TRUE;
649 return NEED_MORE;
650 }
651
652 apply_auth_cfg(this, FALSE);
653
654 if (!update_cfg_candidates(this, FALSE))
655 {
656 this->authentication_failed = TRUE;
657 return NEED_MORE;
658 }
659
660 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
661 {
662 this->expect_another_auth = FALSE;
663 if (!update_cfg_candidates(this, TRUE))
664 {
665 this->authentication_failed = TRUE;
666 return NEED_MORE;
667 }
668 }
669 return NEED_MORE;
670 }
671
672 METHOD(task_t, build_r, status_t,
673 private_ike_auth_t *this, message_t *message)
674 {
675 auth_cfg_t *cfg;
676
677 if (message->get_exchange_type(message) == IKE_SA_INIT)
678 {
679 if (multiple_auth_enabled())
680 {
681 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
682 chunk_empty);
683 }
684 return collect_my_init_data(this, message);
685 }
686
687 if (this->authentication_failed || this->peer_cfg == NULL)
688 {
689 goto peer_auth_failed;
690 }
691
692 if (this->my_auth == NULL && this->do_another_auth)
693 {
694 identification_t *id, *id_cfg;
695 id_payload_t *id_payload;
696
697 /* add IDr */
698 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
699 cfg->purge(cfg, TRUE);
700 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
701
702 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
703 id = this->ike_sa->get_my_id(this->ike_sa);
704 if (id->get_type(id) == ID_ANY)
705 { /* no IDr received, apply configured ID */
706 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
707 { /* no ID configured, use local IP address */
708 host_t *me;
709
710 DBG1(DBG_CFG, "no IDr configured, fall back on IP address");
711 me = this->ike_sa->get_my_host(this->ike_sa);
712 id_cfg = identification_create_from_sockaddr(
713 me->get_sockaddr(me));
714 cfg->add(cfg, AUTH_RULE_IDENTITY, id_cfg);
715 }
716 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
717 id = id_cfg;
718 }
719 else
720 { /* IDr received, check if it matches configuration */
721 if (id_cfg && !id->matches(id, id_cfg))
722 {
723 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
724 goto peer_auth_failed;
725 }
726 }
727
728 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
729 get_reserved_id_bytes(this, id_payload);
730 message->add_payload(message, (payload_t*)id_payload);
731
732 if (this->initial_contact)
733 {
734 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
735 this->ike_sa, TRUE);
736 this->initial_contact = FALSE;
737 }
738
739 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
740 { /* EAP-only authentication */
741 if (!this->ike_sa->supports_extension(this->ike_sa,
742 EXT_EAP_ONLY_AUTHENTICATION))
743 {
744 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
745 "does not support it");
746 goto peer_auth_failed;
747 }
748 }
749 else
750 {
751 /* build authentication data */
752 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
753 this->other_nonce, this->my_nonce,
754 this->other_packet->get_data(this->other_packet),
755 this->my_packet->get_data(this->my_packet),
756 this->reserved);
757 if (!this->my_auth)
758 {
759 goto local_auth_failed;
760 }
761 }
762 }
763
764 if (this->other_auth)
765 {
766 switch (this->other_auth->build(this->other_auth, message))
767 {
768 case SUCCESS:
769 this->other_auth->destroy(this->other_auth);
770 this->other_auth = NULL;
771 break;
772 case NEED_MORE:
773 break;
774 default:
775 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
776 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
777 goto peer_auth_failed_no_notify;
778 }
779 goto peer_auth_failed;
780 }
781 }
782 if (this->my_auth)
783 {
784 switch (this->my_auth->build(this->my_auth, message))
785 {
786 case SUCCESS:
787 apply_auth_cfg(this, TRUE);
788 this->my_auth->destroy(this->my_auth);
789 this->my_auth = NULL;
790 break;
791 case NEED_MORE:
792 break;
793 default:
794 goto local_auth_failed;
795 }
796 }
797
798 /* check for additional authentication rounds */
799 if (do_another_auth(this))
800 {
801 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
802 }
803 else
804 {
805 this->do_another_auth = FALSE;
806 }
807 if (!this->do_another_auth && !this->expect_another_auth)
808 {
809 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
810 this->ike_sa, FALSE))
811 {
812 DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
813 charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
814 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
815 chunk_empty);
816 return FAILED;
817 }
818 if (!charon->bus->authorize(charon->bus, TRUE))
819 {
820 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
821 goto peer_auth_failed;
822 }
823 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
824 this->ike_sa->get_name(this->ike_sa),
825 this->ike_sa->get_unique_id(this->ike_sa),
826 this->ike_sa->get_my_host(this->ike_sa),
827 this->ike_sa->get_my_id(this->ike_sa),
828 this->ike_sa->get_other_host(this->ike_sa),
829 this->ike_sa->get_other_id(this->ike_sa));
830 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
831 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
832 return SUCCESS;
833 }
834 return NEED_MORE;
835
836 peer_auth_failed:
837 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
838 peer_auth_failed_no_notify:
839 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
840 return FAILED;
841 local_auth_failed:
842 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
843 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
844 return FAILED;
845 }
846
847 METHOD(task_t, process_i, status_t,
848 private_ike_auth_t *this, message_t *message)
849 {
850 enumerator_t *enumerator;
851 payload_t *payload;
852 auth_cfg_t *cfg;
853 bool mutual_eap = FALSE;
854
855 if (message->get_exchange_type(message) == IKE_SA_INIT)
856 {
857 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
858 multiple_auth_enabled())
859 {
860 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
861 }
862 return collect_other_init_data(this, message);
863 }
864
865 enumerator = message->create_payload_enumerator(message);
866 while (enumerator->enumerate(enumerator, &payload))
867 {
868 if (payload->get_type(payload) == NOTIFY)
869 {
870 notify_payload_t *notify = (notify_payload_t*)payload;
871 notify_type_t type = notify->get_notify_type(notify);
872
873 switch (type)
874 {
875 case NO_PROPOSAL_CHOSEN:
876 case SINGLE_PAIR_REQUIRED:
877 case NO_ADDITIONAL_SAS:
878 case INTERNAL_ADDRESS_FAILURE:
879 case FAILED_CP_REQUIRED:
880 case TS_UNACCEPTABLE:
881 case INVALID_SELECTORS:
882 /* these are errors, but are not critical as only the
883 * CHILD_SA won't get build, but IKE_SA establishes anyway */
884 break;
885 case MOBIKE_SUPPORTED:
886 case ADDITIONAL_IP4_ADDRESS:
887 case ADDITIONAL_IP6_ADDRESS:
888 /* handled in ike_mobike task */
889 break;
890 case AUTH_LIFETIME:
891 /* handled in ike_auth_lifetime task */
892 break;
893 case ME_ENDPOINT:
894 /* handled in ike_me task */
895 break;
896 default:
897 {
898 if (type <= 16383)
899 {
900 DBG1(DBG_IKE, "received %N notify error",
901 notify_type_names, type);
902 enumerator->destroy(enumerator);
903 return FAILED;
904 }
905 DBG2(DBG_IKE, "received %N notify",
906 notify_type_names, type);
907 break;
908 }
909 }
910 }
911 }
912 enumerator->destroy(enumerator);
913
914 if (this->expect_another_auth)
915 {
916 if (this->other_auth == NULL)
917 {
918 id_payload_t *id_payload;
919 identification_t *id;
920
921 /* handle IDr payload */
922 id_payload = (id_payload_t*)message->get_payload(message,
923 ID_RESPONDER);
924 if (!id_payload)
925 {
926 DBG1(DBG_IKE, "IDr payload missing");
927 goto peer_auth_failed;
928 }
929 id = id_payload->get_identification(id_payload);
930 get_reserved_id_bytes(this, id_payload);
931 this->ike_sa->set_other_id(this->ike_sa, id);
932 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
933 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
934
935 if (message->get_payload(message, AUTHENTICATION))
936 {
937 /* verify authentication data */
938 this->other_auth = authenticator_create_verifier(this->ike_sa,
939 message, this->other_nonce, this->my_nonce,
940 this->other_packet->get_data(this->other_packet),
941 this->my_packet->get_data(this->my_packet),
942 this->reserved);
943 if (!this->other_auth)
944 {
945 goto peer_auth_failed;
946 }
947 }
948 else
949 {
950 /* responder omitted AUTH payload, indicating EAP-only */
951 mutual_eap = TRUE;
952 }
953 }
954 if (this->other_auth)
955 {
956 switch (this->other_auth->process(this->other_auth, message))
957 {
958 case SUCCESS:
959 break;
960 case NEED_MORE:
961 return NEED_MORE;
962 default:
963 goto peer_auth_failed;
964 }
965 this->other_auth->destroy(this->other_auth);
966 this->other_auth = NULL;
967 }
968 /* another auth round done, invoke authorize hook */
969 if (!charon->bus->authorize(charon->bus, FALSE))
970 {
971 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
972 goto peer_auth_failed;
973 }
974
975 apply_auth_cfg(this, FALSE);
976 }
977
978 if (this->my_auth)
979 {
980 switch (this->my_auth->process(this->my_auth, message))
981 {
982 case SUCCESS:
983 apply_auth_cfg(this, TRUE);
984 this->my_auth->destroy(this->my_auth);
985 this->my_auth = NULL;
986 this->do_another_auth = do_another_auth(this);
987 break;
988 case NEED_MORE:
989 break;
990 default:
991 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
992 return FAILED;
993 }
994 }
995 if (mutual_eap)
996 {
997 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
998 {
999 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
1000 goto peer_auth_failed;
1001 }
1002 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
1003 }
1004
1005 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
1006 {
1007 this->expect_another_auth = FALSE;
1008 }
1009 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
1010 {
1011 if (!update_cfg_candidates(this, TRUE))
1012 {
1013 goto peer_auth_failed;
1014 }
1015 if (!charon->bus->authorize(charon->bus, TRUE))
1016 {
1017 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
1018 "cancelling");
1019 goto peer_auth_failed;
1020 }
1021 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1022 this->ike_sa->get_name(this->ike_sa),
1023 this->ike_sa->get_unique_id(this->ike_sa),
1024 this->ike_sa->get_my_host(this->ike_sa),
1025 this->ike_sa->get_my_id(this->ike_sa),
1026 this->ike_sa->get_other_host(this->ike_sa),
1027 this->ike_sa->get_other_id(this->ike_sa));
1028 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1029 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1030 return SUCCESS;
1031 }
1032 return NEED_MORE;
1033
1034 peer_auth_failed:
1035 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
1036 return FAILED;
1037 }
1038
1039 METHOD(task_t, get_type, task_type_t,
1040 private_ike_auth_t *this)
1041 {
1042 return TASK_IKE_AUTH;
1043 }
1044
1045 METHOD(task_t, migrate, void,
1046 private_ike_auth_t *this, ike_sa_t *ike_sa)
1047 {
1048 chunk_free(&this->my_nonce);
1049 chunk_free(&this->other_nonce);
1050 DESTROY_IF(this->my_packet);
1051 DESTROY_IF(this->other_packet);
1052 DESTROY_IF(this->peer_cfg);
1053 DESTROY_IF(this->my_auth);
1054 DESTROY_IF(this->other_auth);
1055 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1056
1057 this->my_packet = NULL;
1058 this->other_packet = NULL;
1059 this->ike_sa = ike_sa;
1060 this->peer_cfg = NULL;
1061 this->my_auth = NULL;
1062 this->other_auth = NULL;
1063 this->do_another_auth = TRUE;
1064 this->expect_another_auth = TRUE;
1065 this->authentication_failed = FALSE;
1066 this->candidates = linked_list_create();
1067 }
1068
1069 METHOD(task_t, destroy, void,
1070 private_ike_auth_t *this)
1071 {
1072 chunk_free(&this->my_nonce);
1073 chunk_free(&this->other_nonce);
1074 DESTROY_IF(this->my_packet);
1075 DESTROY_IF(this->other_packet);
1076 DESTROY_IF(this->my_auth);
1077 DESTROY_IF(this->other_auth);
1078 DESTROY_IF(this->peer_cfg);
1079 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1080 free(this);
1081 }
1082
1083 /*
1084 * Described in header.
1085 */
1086 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1087 {
1088 private_ike_auth_t *this;
1089
1090 INIT(this,
1091 .public = {
1092 .task = {
1093 .get_type = _get_type,
1094 .migrate = _migrate,
1095 .build = _build_r,
1096 .process = _process_r,
1097 .destroy = _destroy,
1098 },
1099 },
1100 .ike_sa = ike_sa,
1101 .initiator = initiator,
1102 .candidates = linked_list_create(),
1103 .do_another_auth = TRUE,
1104 .expect_another_auth = TRUE,
1105 );
1106 if (initiator)
1107 {
1108 this->public.task.build = _build_i;
1109 this->public.task.process = _process_i;
1110 }
1111 return &this->public;
1112 }