Raise alerts when enforcing IKE_SA unique policy
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "ike_auth.h"
19
20 #include <string.h>
21
22 #include <daemon.h>
23 #include <encoding/payloads/id_payload.h>
24 #include <encoding/payloads/auth_payload.h>
25 #include <encoding/payloads/eap_payload.h>
26 #include <encoding/payloads/nonce_payload.h>
27 #include <sa/ikev2/authenticators/eap_authenticator.h>
28
29 typedef struct private_ike_auth_t private_ike_auth_t;
30
31 /**
32 * Private members of a ike_auth_t task.
33 */
34 struct private_ike_auth_t {
35
36 /**
37 * Public methods and task_t interface.
38 */
39 ike_auth_t public;
40
41 /**
42 * Assigned IKE_SA.
43 */
44 ike_sa_t *ike_sa;
45
46 /**
47 * Are we the initiator?
48 */
49 bool initiator;
50
51 /**
52 * Nonce chosen by us in ike_init
53 */
54 chunk_t my_nonce;
55
56 /**
57 * Nonce chosen by peer in ike_init
58 */
59 chunk_t other_nonce;
60
61 /**
62 * IKE_SA_INIT message sent by us
63 */
64 packet_t *my_packet;
65
66 /**
67 * IKE_SA_INIT message sent by peer
68 */
69 packet_t *other_packet;
70
71 /**
72 * Reserved bytes of ID payload
73 */
74 char reserved[3];
75
76 /**
77 * currently active authenticator, to authenticate us
78 */
79 authenticator_t *my_auth;
80
81 /**
82 * currently active authenticator, to authenticate peer
83 */
84 authenticator_t *other_auth;
85
86 /**
87 * peer_cfg candidates, ordered by priority
88 */
89 linked_list_t *candidates;
90
91 /**
92 * selected peer config (might change when using multiple authentications)
93 */
94 peer_cfg_t *peer_cfg;
95
96 /**
97 * have we planned an(other) authentication exchange?
98 */
99 bool do_another_auth;
100
101 /**
102 * has the peer announced another authentication exchange?
103 */
104 bool expect_another_auth;
105
106 /**
107 * should we send a AUTHENTICATION_FAILED notify?
108 */
109 bool authentication_failed;
110
111 /**
112 * received an INITIAL_CONTACT?
113 */
114 bool initial_contact;
115 };
116
117 /**
118 * check if multiple authentication extension is enabled, configuration-wise
119 */
120 static bool multiple_auth_enabled()
121 {
122 return lib->settings->get_bool(lib->settings,
123 "%s.multiple_authentication", TRUE, charon->name);
124 }
125
126 /**
127 * collect the needed information in the IKE_SA_INIT exchange from our message
128 */
129 static status_t collect_my_init_data(private_ike_auth_t *this,
130 message_t *message)
131 {
132 nonce_payload_t *nonce;
133
134 /* get the nonce that was generated in ike_init */
135 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
136 if (nonce == NULL)
137 {
138 return FAILED;
139 }
140 this->my_nonce = nonce->get_nonce(nonce);
141
142 /* pre-generate the message, keep a copy */
143 if (this->ike_sa->generate_message(this->ike_sa, message,
144 &this->my_packet) != SUCCESS)
145 {
146 return FAILED;
147 }
148 return NEED_MORE;
149 }
150
151 /**
152 * collect the needed information in the IKE_SA_INIT exchange from others message
153 */
154 static status_t collect_other_init_data(private_ike_auth_t *this,
155 message_t *message)
156 {
157 /* we collect the needed information in the IKE_SA_INIT exchange */
158 nonce_payload_t *nonce;
159
160 /* get the nonce that was generated in ike_init */
161 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
162 if (nonce == NULL)
163 {
164 return FAILED;
165 }
166 this->other_nonce = nonce->get_nonce(nonce);
167
168 /* keep a copy of the received packet */
169 this->other_packet = message->get_packet(message);
170 return NEED_MORE;
171 }
172
173 /**
174 * Get and store reserved bytes of id_payload, required for AUTH payload
175 */
176 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
177 {
178 u_int8_t *byte;
179 int i;
180
181 for (i = 0; i < countof(this->reserved); i++)
182 {
183 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
184 if (byte)
185 {
186 this->reserved[i] = *byte;
187 }
188 }
189 }
190
191 /**
192 * Get the next authentication configuration
193 */
194 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
195 {
196 enumerator_t *e1, *e2;
197 auth_cfg_t *c1, *c2, *next = NULL;
198
199 /* find an available config not already done */
200 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
201 while (e1->enumerate(e1, &c1))
202 {
203 bool found = FALSE;
204
205 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
206 while (e2->enumerate(e2, &c2))
207 {
208 if (c2->complies(c2, c1, FALSE))
209 {
210 found = TRUE;
211 break;
212 }
213 }
214 e2->destroy(e2);
215 if (!found)
216 {
217 next = c1;
218 break;
219 }
220 }
221 e1->destroy(e1);
222 return next;
223 }
224
225 /**
226 * Check if we have should initiate another authentication round
227 */
228 static bool do_another_auth(private_ike_auth_t *this)
229 {
230 bool do_another = FALSE;
231 enumerator_t *done, *todo;
232 auth_cfg_t *done_cfg, *todo_cfg;
233
234 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
235 {
236 return FALSE;
237 }
238
239 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
240 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
241 while (todo->enumerate(todo, &todo_cfg))
242 {
243 if (!done->enumerate(done, &done_cfg))
244 {
245 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
246 }
247 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
248 {
249 do_another = TRUE;
250 break;
251 }
252 }
253 done->destroy(done);
254 todo->destroy(todo);
255 return do_another;
256 }
257
258 /**
259 * Get peer configuration candidates from backends
260 */
261 static bool load_cfg_candidates(private_ike_auth_t *this)
262 {
263 enumerator_t *enumerator;
264 peer_cfg_t *peer_cfg;
265 host_t *me, *other;
266 identification_t *my_id, *other_id;
267
268 me = this->ike_sa->get_my_host(this->ike_sa);
269 other = this->ike_sa->get_other_host(this->ike_sa);
270 my_id = this->ike_sa->get_my_id(this->ike_sa);
271 other_id = this->ike_sa->get_other_id(this->ike_sa);
272
273 DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
274 me, my_id, other, other_id);
275 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
276 me, other, my_id, other_id, IKEV2);
277 while (enumerator->enumerate(enumerator, &peer_cfg))
278 {
279 peer_cfg->get_ref(peer_cfg);
280 if (this->peer_cfg == NULL)
281 { /* best match */
282 this->peer_cfg = peer_cfg;
283 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
284 }
285 else
286 {
287 this->candidates->insert_last(this->candidates, peer_cfg);
288 }
289 }
290 enumerator->destroy(enumerator);
291 if (this->peer_cfg)
292 {
293 DBG1(DBG_CFG, "selected peer config '%s'",
294 this->peer_cfg->get_name(this->peer_cfg));
295 return TRUE;
296 }
297 DBG1(DBG_CFG, "no matching peer config found");
298 return FALSE;
299 }
300
301 /**
302 * update the current peer candidate if necessary, using candidates
303 */
304 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
305 {
306 do
307 {
308 if (this->peer_cfg)
309 {
310 bool complies = TRUE;
311 enumerator_t *e1, *e2, *tmp;
312 auth_cfg_t *c1, *c2;
313
314 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
315 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
316
317 if (strict)
318 { /* swap lists in strict mode: all configured rounds must be
319 * fulfilled. If !strict, we check only the rounds done so far. */
320 tmp = e1;
321 e1 = e2;
322 e2 = tmp;
323 }
324 while (e1->enumerate(e1, &c1))
325 {
326 /* check if done authentications comply to configured ones */
327 if ((!e2->enumerate(e2, &c2)) ||
328 (!strict && !c1->complies(c1, c2, TRUE)) ||
329 (strict && !c2->complies(c2, c1, TRUE)))
330 {
331 complies = FALSE;
332 break;
333 }
334 }
335 e1->destroy(e1);
336 e2->destroy(e2);
337 if (complies)
338 {
339 break;
340 }
341 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
342 this->peer_cfg->get_name(this->peer_cfg));
343 this->peer_cfg->destroy(this->peer_cfg);
344 }
345 if (this->candidates->remove_first(this->candidates,
346 (void**)&this->peer_cfg) != SUCCESS)
347 {
348 DBG1(DBG_CFG, "no alternative config found");
349 this->peer_cfg = NULL;
350 }
351 else
352 {
353 DBG1(DBG_CFG, "switching to peer config '%s'",
354 this->peer_cfg->get_name(this->peer_cfg));
355 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
356 }
357 }
358 while (this->peer_cfg);
359
360 return this->peer_cfg != NULL;
361 }
362
363 METHOD(task_t, build_i, status_t,
364 private_ike_auth_t *this, message_t *message)
365 {
366 auth_cfg_t *cfg;
367
368 if (message->get_exchange_type(message) == IKE_SA_INIT)
369 {
370 return collect_my_init_data(this, message);
371 }
372
373 if (this->peer_cfg == NULL)
374 {
375 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
376 this->peer_cfg->get_ref(this->peer_cfg);
377 }
378
379 if (message->get_message_id(message) == 1)
380 { /* in the first IKE_AUTH ... */
381 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
382 { /* indicate support for multiple authentication */
383 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
384 chunk_empty);
385 }
386 /* indicate support for EAP-only authentication */
387 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
388 chunk_empty);
389 }
390
391 if (!this->do_another_auth && !this->my_auth)
392 { /* we have done our rounds */
393 return NEED_MORE;
394 }
395
396 /* check if an authenticator is in progress */
397 if (this->my_auth == NULL)
398 {
399 identification_t *idi, *idr = NULL;
400 id_payload_t *id_payload;
401
402 /* clean up authentication config from a previous round */
403 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
404 cfg->purge(cfg, TRUE);
405
406 /* add (optional) IDr */
407 cfg = get_auth_cfg(this, FALSE);
408 if (cfg)
409 {
410 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
411 if (!cfg->get(cfg, AUTH_RULE_IDENTITY_LOOSE) && idr &&
412 !idr->contains_wildcards(idr))
413 {
414 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
415 id_payload = id_payload_create_from_identification(
416 ID_RESPONDER, idr);
417 message->add_payload(message, (payload_t*)id_payload);
418 }
419 }
420 /* add IDi */
421 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
422 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
423 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
424 if (!idi || idi->get_type(idi) == ID_ANY)
425 { /* ID_ANY is invalid as IDi, use local IP address instead */
426 host_t *me;
427
428 DBG1(DBG_CFG, "no IDi configured, fall back on IP address");
429 me = this->ike_sa->get_my_host(this->ike_sa);
430 idi = identification_create_from_sockaddr(me->get_sockaddr(me));
431 cfg->add(cfg, AUTH_RULE_IDENTITY, idi);
432 }
433 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
434 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
435 get_reserved_id_bytes(this, id_payload);
436 message->add_payload(message, (payload_t*)id_payload);
437
438 if (idr && message->get_message_id(message) == 1 &&
439 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
440 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
441 {
442 host_t *host;
443
444 host = this->ike_sa->get_other_host(this->ike_sa);
445 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
446 idi, idr, host->get_family(host)))
447 {
448 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
449 }
450 }
451
452 /* build authentication data */
453 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
454 this->other_nonce, this->my_nonce,
455 this->other_packet->get_data(this->other_packet),
456 this->my_packet->get_data(this->my_packet),
457 this->reserved);
458 if (!this->my_auth)
459 {
460 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
461 return FAILED;
462 }
463 }
464 switch (this->my_auth->build(this->my_auth, message))
465 {
466 case SUCCESS:
467 /* authentication step complete, reset authenticator */
468 cfg = auth_cfg_create();
469 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
470 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
471 this->my_auth->destroy(this->my_auth);
472 this->my_auth = NULL;
473 break;
474 case NEED_MORE:
475 break;
476 default:
477 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
478 return FAILED;
479 }
480
481 /* check for additional authentication rounds */
482 if (do_another_auth(this))
483 {
484 if (message->get_payload(message, AUTHENTICATION))
485 {
486 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
487 }
488 }
489 else
490 {
491 this->do_another_auth = FALSE;
492 }
493 return NEED_MORE;
494 }
495
496 METHOD(task_t, process_r, status_t,
497 private_ike_auth_t *this, message_t *message)
498 {
499 auth_cfg_t *cfg, *cand;
500 id_payload_t *id_payload;
501 identification_t *id;
502
503 if (message->get_exchange_type(message) == IKE_SA_INIT)
504 {
505 return collect_other_init_data(this, message);
506 }
507
508 if (this->my_auth == NULL && this->do_another_auth)
509 {
510 /* handle (optional) IDr payload, apply proposed identity */
511 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
512 if (id_payload)
513 {
514 id = id_payload->get_identification(id_payload);
515 }
516 else
517 {
518 id = identification_create_from_encoding(ID_ANY, chunk_empty);
519 }
520 this->ike_sa->set_my_id(this->ike_sa, id);
521 }
522
523 if (!this->expect_another_auth)
524 {
525 return NEED_MORE;
526 }
527
528 if (message->get_message_id(message) == 1)
529 { /* check for extensions in the first IKE_AUTH */
530 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
531 {
532 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
533 }
534 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
535 {
536 this->ike_sa->enable_extension(this->ike_sa,
537 EXT_EAP_ONLY_AUTHENTICATION);
538 }
539 }
540
541 if (this->other_auth == NULL)
542 {
543 /* handle IDi payload */
544 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
545 if (!id_payload)
546 {
547 DBG1(DBG_IKE, "IDi payload missing");
548 return FAILED;
549 }
550 id = id_payload->get_identification(id_payload);
551 get_reserved_id_bytes(this, id_payload);
552 this->ike_sa->set_other_id(this->ike_sa, id);
553 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
554 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
555
556 if (this->peer_cfg == NULL)
557 {
558 if (!load_cfg_candidates(this))
559 {
560 this->authentication_failed = TRUE;
561 return NEED_MORE;
562 }
563 }
564 if (message->get_payload(message, AUTHENTICATION) == NULL)
565 { /* before authenticating with EAP, we need a EAP config */
566 cand = get_auth_cfg(this, FALSE);
567 while (!cand || (
568 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
569 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
570 { /* peer requested EAP, but current config does not match */
571 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
572 this->peer_cfg->destroy(this->peer_cfg);
573 this->peer_cfg = NULL;
574 if (!update_cfg_candidates(this, FALSE))
575 {
576 this->authentication_failed = TRUE;
577 return NEED_MORE;
578 }
579 cand = get_auth_cfg(this, FALSE);
580 }
581 /* copy over the EAP specific rules for authentication */
582 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
583 cand->get(cand, AUTH_RULE_EAP_TYPE));
584 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
585 cand->get(cand, AUTH_RULE_EAP_VENDOR));
586 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
587 if (id)
588 {
589 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
590 }
591 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
592 if (id)
593 {
594 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
595 }
596 }
597
598 /* verify authentication data */
599 this->other_auth = authenticator_create_verifier(this->ike_sa,
600 message, this->other_nonce, this->my_nonce,
601 this->other_packet->get_data(this->other_packet),
602 this->my_packet->get_data(this->my_packet),
603 this->reserved);
604 if (!this->other_auth)
605 {
606 this->authentication_failed = TRUE;
607 return NEED_MORE;
608 }
609 }
610 switch (this->other_auth->process(this->other_auth, message))
611 {
612 case SUCCESS:
613 this->other_auth->destroy(this->other_auth);
614 this->other_auth = NULL;
615 break;
616 case NEED_MORE:
617 if (message->get_payload(message, AUTHENTICATION))
618 { /* AUTH verification successful, but another build() needed */
619 break;
620 }
621 return NEED_MORE;
622 default:
623 this->authentication_failed = TRUE;
624 return NEED_MORE;
625 }
626
627 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
628 * delete any existing IKE_SAs with that peer. */
629 if (message->get_message_id(message) == 1 &&
630 message->get_notify(message, INITIAL_CONTACT))
631 {
632 this->initial_contact = TRUE;
633 }
634
635 /* another auth round done, invoke authorize hook */
636 if (!charon->bus->authorize(charon->bus, FALSE))
637 {
638 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
639 this->authentication_failed = TRUE;
640 return NEED_MORE;
641 }
642
643 /* store authentication information */
644 cfg = auth_cfg_create();
645 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
646 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
647
648 if (!update_cfg_candidates(this, FALSE))
649 {
650 this->authentication_failed = TRUE;
651 return NEED_MORE;
652 }
653
654 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
655 {
656 this->expect_another_auth = FALSE;
657 if (!update_cfg_candidates(this, TRUE))
658 {
659 this->authentication_failed = TRUE;
660 return NEED_MORE;
661 }
662 }
663 return NEED_MORE;
664 }
665
666 METHOD(task_t, build_r, status_t,
667 private_ike_auth_t *this, message_t *message)
668 {
669 auth_cfg_t *cfg;
670
671 if (message->get_exchange_type(message) == IKE_SA_INIT)
672 {
673 if (multiple_auth_enabled())
674 {
675 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
676 chunk_empty);
677 }
678 return collect_my_init_data(this, message);
679 }
680
681 if (this->authentication_failed || this->peer_cfg == NULL)
682 {
683 goto peer_auth_failed;
684 }
685
686 if (this->my_auth == NULL && this->do_another_auth)
687 {
688 identification_t *id, *id_cfg;
689 id_payload_t *id_payload;
690
691 /* add IDr */
692 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
693 cfg->purge(cfg, TRUE);
694 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
695
696 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
697 id = this->ike_sa->get_my_id(this->ike_sa);
698 if (id->get_type(id) == ID_ANY)
699 { /* no IDr received, apply configured ID */
700 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
701 { /* no ID configured, use local IP address */
702 host_t *me;
703
704 DBG1(DBG_CFG, "no IDr configured, fall back on IP address");
705 me = this->ike_sa->get_my_host(this->ike_sa);
706 id_cfg = identification_create_from_sockaddr(
707 me->get_sockaddr(me));
708 cfg->add(cfg, AUTH_RULE_IDENTITY, id_cfg);
709 }
710 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
711 id = id_cfg;
712 }
713 else
714 { /* IDr received, check if it matches configuration */
715 if (id_cfg && !id->matches(id, id_cfg))
716 {
717 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
718 goto peer_auth_failed;
719 }
720 }
721
722 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
723 get_reserved_id_bytes(this, id_payload);
724 message->add_payload(message, (payload_t*)id_payload);
725
726 if (this->initial_contact)
727 {
728 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
729 this->ike_sa, TRUE);
730 this->initial_contact = FALSE;
731 }
732
733 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
734 { /* EAP-only authentication */
735 if (!this->ike_sa->supports_extension(this->ike_sa,
736 EXT_EAP_ONLY_AUTHENTICATION))
737 {
738 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
739 "does not support it");
740 goto peer_auth_failed;
741 }
742 }
743 else
744 {
745 /* build authentication data */
746 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
747 this->other_nonce, this->my_nonce,
748 this->other_packet->get_data(this->other_packet),
749 this->my_packet->get_data(this->my_packet),
750 this->reserved);
751 if (!this->my_auth)
752 {
753 goto local_auth_failed;
754 }
755 }
756 }
757
758 if (this->other_auth)
759 {
760 switch (this->other_auth->build(this->other_auth, message))
761 {
762 case SUCCESS:
763 this->other_auth->destroy(this->other_auth);
764 this->other_auth = NULL;
765 break;
766 case NEED_MORE:
767 break;
768 default:
769 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
770 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
771 goto peer_auth_failed_no_notify;
772 }
773 goto peer_auth_failed;
774 }
775 }
776 if (this->my_auth)
777 {
778 switch (this->my_auth->build(this->my_auth, message))
779 {
780 case SUCCESS:
781 cfg = auth_cfg_create();
782 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
783 TRUE);
784 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
785 this->my_auth->destroy(this->my_auth);
786 this->my_auth = NULL;
787 break;
788 case NEED_MORE:
789 break;
790 default:
791 goto local_auth_failed;
792 }
793 }
794
795 /* check for additional authentication rounds */
796 if (do_another_auth(this))
797 {
798 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
799 }
800 else
801 {
802 this->do_another_auth = FALSE;
803 }
804 if (!this->do_another_auth && !this->expect_another_auth)
805 {
806 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
807 this->ike_sa, FALSE))
808 {
809 DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
810 charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
811 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
812 chunk_empty);
813 return FAILED;
814 }
815 if (!charon->bus->authorize(charon->bus, TRUE))
816 {
817 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
818 goto peer_auth_failed;
819 }
820 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
821 this->ike_sa->get_name(this->ike_sa),
822 this->ike_sa->get_unique_id(this->ike_sa),
823 this->ike_sa->get_my_host(this->ike_sa),
824 this->ike_sa->get_my_id(this->ike_sa),
825 this->ike_sa->get_other_host(this->ike_sa),
826 this->ike_sa->get_other_id(this->ike_sa));
827 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
828 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
829 return SUCCESS;
830 }
831 return NEED_MORE;
832
833 peer_auth_failed:
834 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
835 peer_auth_failed_no_notify:
836 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
837 return FAILED;
838 local_auth_failed:
839 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
840 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
841 return FAILED;
842 }
843
844 METHOD(task_t, process_i, status_t,
845 private_ike_auth_t *this, message_t *message)
846 {
847 enumerator_t *enumerator;
848 payload_t *payload;
849 auth_cfg_t *cfg;
850 bool mutual_eap = FALSE;
851
852 if (message->get_exchange_type(message) == IKE_SA_INIT)
853 {
854 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
855 multiple_auth_enabled())
856 {
857 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
858 }
859 return collect_other_init_data(this, message);
860 }
861
862 enumerator = message->create_payload_enumerator(message);
863 while (enumerator->enumerate(enumerator, &payload))
864 {
865 if (payload->get_type(payload) == NOTIFY)
866 {
867 notify_payload_t *notify = (notify_payload_t*)payload;
868 notify_type_t type = notify->get_notify_type(notify);
869
870 switch (type)
871 {
872 case NO_PROPOSAL_CHOSEN:
873 case SINGLE_PAIR_REQUIRED:
874 case NO_ADDITIONAL_SAS:
875 case INTERNAL_ADDRESS_FAILURE:
876 case FAILED_CP_REQUIRED:
877 case TS_UNACCEPTABLE:
878 case INVALID_SELECTORS:
879 /* these are errors, but are not critical as only the
880 * CHILD_SA won't get build, but IKE_SA establishes anyway */
881 break;
882 case MOBIKE_SUPPORTED:
883 case ADDITIONAL_IP4_ADDRESS:
884 case ADDITIONAL_IP6_ADDRESS:
885 /* handled in ike_mobike task */
886 break;
887 case AUTH_LIFETIME:
888 /* handled in ike_auth_lifetime task */
889 break;
890 case ME_ENDPOINT:
891 /* handled in ike_me task */
892 break;
893 default:
894 {
895 if (type <= 16383)
896 {
897 DBG1(DBG_IKE, "received %N notify error",
898 notify_type_names, type);
899 enumerator->destroy(enumerator);
900 return FAILED;
901 }
902 DBG2(DBG_IKE, "received %N notify",
903 notify_type_names, type);
904 break;
905 }
906 }
907 }
908 }
909 enumerator->destroy(enumerator);
910
911 if (this->expect_another_auth)
912 {
913 if (this->other_auth == NULL)
914 {
915 id_payload_t *id_payload;
916 identification_t *id;
917
918 /* handle IDr payload */
919 id_payload = (id_payload_t*)message->get_payload(message,
920 ID_RESPONDER);
921 if (!id_payload)
922 {
923 DBG1(DBG_IKE, "IDr payload missing");
924 goto peer_auth_failed;
925 }
926 id = id_payload->get_identification(id_payload);
927 get_reserved_id_bytes(this, id_payload);
928 this->ike_sa->set_other_id(this->ike_sa, id);
929 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
930 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
931
932 if (message->get_payload(message, AUTHENTICATION))
933 {
934 /* verify authentication data */
935 this->other_auth = authenticator_create_verifier(this->ike_sa,
936 message, this->other_nonce, this->my_nonce,
937 this->other_packet->get_data(this->other_packet),
938 this->my_packet->get_data(this->my_packet),
939 this->reserved);
940 if (!this->other_auth)
941 {
942 goto peer_auth_failed;
943 }
944 }
945 else
946 {
947 /* responder omitted AUTH payload, indicating EAP-only */
948 mutual_eap = TRUE;
949 }
950 }
951 if (this->other_auth)
952 {
953 switch (this->other_auth->process(this->other_auth, message))
954 {
955 case SUCCESS:
956 break;
957 case NEED_MORE:
958 return NEED_MORE;
959 default:
960 goto peer_auth_failed;
961 }
962 this->other_auth->destroy(this->other_auth);
963 this->other_auth = NULL;
964 }
965 /* another auth round done, invoke authorize hook */
966 if (!charon->bus->authorize(charon->bus, FALSE))
967 {
968 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
969 goto peer_auth_failed;
970 }
971
972 /* store authentication information, reset authenticator */
973 cfg = auth_cfg_create();
974 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
975 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
976 }
977
978 if (this->my_auth)
979 {
980 switch (this->my_auth->process(this->my_auth, message))
981 {
982 case SUCCESS:
983 cfg = auth_cfg_create();
984 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
985 TRUE);
986 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
987 this->my_auth->destroy(this->my_auth);
988 this->my_auth = NULL;
989 this->do_another_auth = do_another_auth(this);
990 break;
991 case NEED_MORE:
992 break;
993 default:
994 charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
995 return FAILED;
996 }
997 }
998 if (mutual_eap)
999 {
1000 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
1001 {
1002 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
1003 goto peer_auth_failed;
1004 }
1005 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
1006 }
1007
1008 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
1009 {
1010 this->expect_another_auth = FALSE;
1011 }
1012 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
1013 {
1014 if (!update_cfg_candidates(this, TRUE))
1015 {
1016 goto peer_auth_failed;
1017 }
1018 if (!charon->bus->authorize(charon->bus, TRUE))
1019 {
1020 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
1021 "cancelling");
1022 goto peer_auth_failed;
1023 }
1024 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1025 this->ike_sa->get_name(this->ike_sa),
1026 this->ike_sa->get_unique_id(this->ike_sa),
1027 this->ike_sa->get_my_host(this->ike_sa),
1028 this->ike_sa->get_my_id(this->ike_sa),
1029 this->ike_sa->get_other_host(this->ike_sa),
1030 this->ike_sa->get_other_id(this->ike_sa));
1031 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1032 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1033 return SUCCESS;
1034 }
1035 return NEED_MORE;
1036
1037 peer_auth_failed:
1038 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
1039 return FAILED;
1040 }
1041
1042 METHOD(task_t, get_type, task_type_t,
1043 private_ike_auth_t *this)
1044 {
1045 return TASK_IKE_AUTH;
1046 }
1047
1048 METHOD(task_t, migrate, void,
1049 private_ike_auth_t *this, ike_sa_t *ike_sa)
1050 {
1051 chunk_free(&this->my_nonce);
1052 chunk_free(&this->other_nonce);
1053 DESTROY_IF(this->my_packet);
1054 DESTROY_IF(this->other_packet);
1055 DESTROY_IF(this->peer_cfg);
1056 DESTROY_IF(this->my_auth);
1057 DESTROY_IF(this->other_auth);
1058 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1059
1060 this->my_packet = NULL;
1061 this->other_packet = NULL;
1062 this->ike_sa = ike_sa;
1063 this->peer_cfg = NULL;
1064 this->my_auth = NULL;
1065 this->other_auth = NULL;
1066 this->do_another_auth = TRUE;
1067 this->expect_another_auth = TRUE;
1068 this->authentication_failed = FALSE;
1069 this->candidates = linked_list_create();
1070 }
1071
1072 METHOD(task_t, destroy, void,
1073 private_ike_auth_t *this)
1074 {
1075 chunk_free(&this->my_nonce);
1076 chunk_free(&this->other_nonce);
1077 DESTROY_IF(this->my_packet);
1078 DESTROY_IF(this->other_packet);
1079 DESTROY_IF(this->my_auth);
1080 DESTROY_IF(this->other_auth);
1081 DESTROY_IF(this->peer_cfg);
1082 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1083 free(this);
1084 }
1085
1086 /*
1087 * Described in header.
1088 */
1089 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1090 {
1091 private_ike_auth_t *this;
1092
1093 INIT(this,
1094 .public = {
1095 .task = {
1096 .get_type = _get_type,
1097 .migrate = _migrate,
1098 .build = _build_r,
1099 .process = _process_r,
1100 .destroy = _destroy,
1101 },
1102 },
1103 .ike_sa = ike_sa,
1104 .initiator = initiator,
1105 .candidates = linked_list_create(),
1106 .do_another_auth = TRUE,
1107 .expect_another_auth = TRUE,
1108 );
1109 if (initiator)
1110 {
1111 this->public.task.build = _build_i;
1112 this->public.task.process = _process_i;
1113 }
1114 return &this->public;
1115 }