03394dd5c88e3bdb21f05a973feda0e2f30dc528
[strongswan.git] / src / libcharon / sa / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details
15 */
16
17 #include "ike_auth.h"
18
19 #include <string.h>
20
21 #include <daemon.h>
22 #include <encoding/payloads/id_payload.h>
23 #include <encoding/payloads/auth_payload.h>
24 #include <encoding/payloads/eap_payload.h>
25 #include <encoding/payloads/nonce_payload.h>
26 #include <sa/authenticators/eap_authenticator.h>
27
28 typedef struct private_ike_auth_t private_ike_auth_t;
29
30 /**
31 * Private members of a ike_auth_t task.
32 */
33 struct private_ike_auth_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 ike_auth_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Nonce chosen by us in ike_init
52 */
53 chunk_t my_nonce;
54
55 /**
56 * Nonce chosen by peer in ike_init
57 */
58 chunk_t other_nonce;
59
60 /**
61 * IKE_SA_INIT message sent by us
62 */
63 packet_t *my_packet;
64
65 /**
66 * IKE_SA_INIT message sent by peer
67 */
68 packet_t *other_packet;
69
70 /**
71 * Reserved bytes of ID payload
72 */
73 char reserved[3];
74
75 /**
76 * currently active authenticator, to authenticate us
77 */
78 authenticator_t *my_auth;
79
80 /**
81 * currently active authenticator, to authenticate peer
82 */
83 authenticator_t *other_auth;
84
85 /**
86 * peer_cfg candidates, ordered by priority
87 */
88 linked_list_t *candidates;
89
90 /**
91 * selected peer config (might change when using multiple authentications)
92 */
93 peer_cfg_t *peer_cfg;
94
95 /**
96 * have we planned an(other) authentication exchange?
97 */
98 bool do_another_auth;
99
100 /**
101 * has the peer announced another authentication exchange?
102 */
103 bool expect_another_auth;
104
105 /**
106 * should we send a AUTHENTICATION_FAILED notify?
107 */
108 bool authentication_failed;
109
110 /**
111 * received an INITIAL_CONTACT?
112 */
113 bool initial_contact;
114 };
115
116 /**
117 * check if multiple authentication extension is enabled, configuration-wise
118 */
119 static bool multiple_auth_enabled()
120 {
121 return lib->settings->get_bool(lib->settings,
122 "charon.multiple_authentication", TRUE);
123 }
124
125 /**
126 * collect the needed information in the IKE_SA_INIT exchange from our message
127 */
128 static status_t collect_my_init_data(private_ike_auth_t *this,
129 message_t *message)
130 {
131 nonce_payload_t *nonce;
132
133 /* get the nonce that was generated in ike_init */
134 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
135 if (nonce == NULL)
136 {
137 return FAILED;
138 }
139 this->my_nonce = nonce->get_nonce(nonce);
140
141 /* pre-generate the message, keep a copy */
142 if (this->ike_sa->generate_message(this->ike_sa, message,
143 &this->my_packet) != SUCCESS)
144 {
145 return FAILED;
146 }
147 return NEED_MORE;
148 }
149
150 /**
151 * collect the needed information in the IKE_SA_INIT exchange from others message
152 */
153 static status_t collect_other_init_data(private_ike_auth_t *this,
154 message_t *message)
155 {
156 /* we collect the needed information in the IKE_SA_INIT exchange */
157 nonce_payload_t *nonce;
158
159 /* get the nonce that was generated in ike_init */
160 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
161 if (nonce == NULL)
162 {
163 return FAILED;
164 }
165 this->other_nonce = nonce->get_nonce(nonce);
166
167 /* keep a copy of the received packet */
168 this->other_packet = message->get_packet(message);
169 return NEED_MORE;
170 }
171
172 /**
173 * Get and store reserved bytes of id_payload, required for AUTH payload
174 */
175 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
176 {
177 u_int8_t *byte;
178 int i;
179
180 for (i = 0; i < countof(this->reserved); i++)
181 {
182 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
183 if (byte)
184 {
185 this->reserved[i] = *byte;
186 }
187 }
188 }
189
190 /**
191 * Get the next authentication configuration
192 */
193 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
194 {
195 enumerator_t *e1, *e2;
196 auth_cfg_t *c1, *c2, *next = NULL;
197
198 /* find an available config not already done */
199 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
200 while (e1->enumerate(e1, &c1))
201 {
202 bool found = FALSE;
203
204 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
205 while (e2->enumerate(e2, &c2))
206 {
207 if (c2->complies(c2, c1, FALSE))
208 {
209 found = TRUE;
210 break;
211 }
212 }
213 e2->destroy(e2);
214 if (!found)
215 {
216 next = c1;
217 break;
218 }
219 }
220 e1->destroy(e1);
221 return next;
222 }
223
224 /**
225 * Check if we have should initiate another authentication round
226 */
227 static bool do_another_auth(private_ike_auth_t *this)
228 {
229 bool do_another = FALSE;
230 enumerator_t *done, *todo;
231 auth_cfg_t *done_cfg, *todo_cfg;
232
233 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
234 {
235 return FALSE;
236 }
237
238 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
239 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
240 while (todo->enumerate(todo, &todo_cfg))
241 {
242 if (!done->enumerate(done, &done_cfg))
243 {
244 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
245 }
246 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
247 {
248 do_another = TRUE;
249 break;
250 }
251 }
252 done->destroy(done);
253 todo->destroy(todo);
254 return do_another;
255 }
256
257 /**
258 * Get peer configuration candidates from backends
259 */
260 static bool load_cfg_candidates(private_ike_auth_t *this)
261 {
262 enumerator_t *enumerator;
263 peer_cfg_t *peer_cfg;
264 host_t *me, *other;
265 identification_t *my_id, *other_id;
266
267 me = this->ike_sa->get_my_host(this->ike_sa);
268 other = this->ike_sa->get_other_host(this->ike_sa);
269 my_id = this->ike_sa->get_my_id(this->ike_sa);
270 other_id = this->ike_sa->get_other_id(this->ike_sa);
271
272 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
273 me, other, my_id, other_id);
274 while (enumerator->enumerate(enumerator, &peer_cfg))
275 {
276 peer_cfg->get_ref(peer_cfg);
277 if (this->peer_cfg == NULL)
278 { /* best match */
279 this->peer_cfg = peer_cfg;
280 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
281 }
282 else
283 {
284 this->candidates->insert_last(this->candidates, peer_cfg);
285 }
286 }
287 enumerator->destroy(enumerator);
288 if (this->peer_cfg)
289 {
290 DBG1(DBG_CFG, "selected peer config '%s'",
291 this->peer_cfg->get_name(this->peer_cfg));
292 return TRUE;
293 }
294 DBG1(DBG_CFG, "no matching peer config found");
295 return FALSE;
296 }
297
298 /**
299 * update the current peer candidate if necessary, using candidates
300 */
301 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
302 {
303 do
304 {
305 if (this->peer_cfg)
306 {
307 bool complies = TRUE;
308 enumerator_t *e1, *e2, *tmp;
309 auth_cfg_t *c1, *c2;
310
311 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
312 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
313
314 if (strict)
315 { /* swap lists in strict mode: all configured rounds must be
316 * fulfilled. If !strict, we check only the rounds done so far. */
317 tmp = e1;
318 e1 = e2;
319 e2 = tmp;
320 }
321 while (e1->enumerate(e1, &c1))
322 {
323 /* check if done authentications comply to configured ones */
324 if ((!e2->enumerate(e2, &c2)) ||
325 (!strict && !c1->complies(c1, c2, TRUE)) ||
326 (strict && !c2->complies(c2, c1, TRUE)))
327 {
328 complies = FALSE;
329 break;
330 }
331 }
332 e1->destroy(e1);
333 e2->destroy(e2);
334 if (complies)
335 {
336 break;
337 }
338 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
339 this->peer_cfg->get_name(this->peer_cfg));
340 this->peer_cfg->destroy(this->peer_cfg);
341 }
342 if (this->candidates->remove_first(this->candidates,
343 (void**)&this->peer_cfg) != SUCCESS)
344 {
345 DBG1(DBG_CFG, "no alternative config found");
346 this->peer_cfg = NULL;
347 }
348 else
349 {
350 DBG1(DBG_CFG, "switching to peer config '%s'",
351 this->peer_cfg->get_name(this->peer_cfg));
352 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
353 }
354 }
355 while (this->peer_cfg);
356
357 return this->peer_cfg != NULL;
358 }
359
360 METHOD(task_t, build_i, status_t,
361 private_ike_auth_t *this, message_t *message)
362 {
363 auth_cfg_t *cfg;
364
365 if (message->get_exchange_type(message) == IKE_SA_INIT)
366 {
367 return collect_my_init_data(this, message);
368 }
369
370 if (this->peer_cfg == NULL)
371 {
372 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
373 this->peer_cfg->get_ref(this->peer_cfg);
374 }
375
376 if (message->get_message_id(message) == 1)
377 { /* in the first IKE_AUTH ... */
378 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
379 { /* indicate support for multiple authentication */
380 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
381 chunk_empty);
382 }
383 /* indicate support for EAP-only authentication */
384 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
385 chunk_empty);
386 }
387
388 if (!this->do_another_auth && !this->my_auth)
389 { /* we have done our rounds */
390 return NEED_MORE;
391 }
392
393 /* check if an authenticator is in progress */
394 if (this->my_auth == NULL)
395 {
396 identification_t *idi, *idr = NULL;
397 id_payload_t *id_payload;
398
399 /* clean up authentication config from a previous round */
400 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
401 cfg->purge(cfg, TRUE);
402
403 /* add (optional) IDr */
404 cfg = get_auth_cfg(this, FALSE);
405 if (cfg)
406 {
407 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
408 if (idr && !idr->contains_wildcards(idr))
409 {
410 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
411 id_payload = id_payload_create_from_identification(
412 ID_RESPONDER, idr);
413 message->add_payload(message, (payload_t*)id_payload);
414 }
415 }
416 /* add IDi */
417 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
418 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
419 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
420 if (!idi)
421 {
422 DBG1(DBG_CFG, "configuration misses IDi");
423 return FAILED;
424 }
425 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
426 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
427 get_reserved_id_bytes(this, id_payload);
428 message->add_payload(message, (payload_t*)id_payload);
429
430 if (idr && message->get_message_id(message) == 1 &&
431 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
432 {
433 host_t *host;
434
435 host = this->ike_sa->get_other_host(this->ike_sa);
436 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
437 idi, idr, host->get_family(host)))
438 {
439 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
440 }
441 }
442
443 /* build authentication data */
444 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
445 this->other_nonce, this->my_nonce,
446 this->other_packet->get_data(this->other_packet),
447 this->my_packet->get_data(this->my_packet),
448 this->reserved);
449 if (!this->my_auth)
450 {
451 return FAILED;
452 }
453 }
454 switch (this->my_auth->build(this->my_auth, message))
455 {
456 case SUCCESS:
457 /* authentication step complete, reset authenticator */
458 cfg = auth_cfg_create();
459 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
460 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
461 this->my_auth->destroy(this->my_auth);
462 this->my_auth = NULL;
463 break;
464 case NEED_MORE:
465 break;
466 default:
467 return FAILED;
468 }
469
470 /* check for additional authentication rounds */
471 if (do_another_auth(this))
472 {
473 if (message->get_payload(message, AUTHENTICATION))
474 {
475 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
476 }
477 }
478 else
479 {
480 this->do_another_auth = FALSE;
481 }
482 return NEED_MORE;
483 }
484
485 METHOD(task_t, process_r, status_t,
486 private_ike_auth_t *this, message_t *message)
487 {
488 auth_cfg_t *cfg, *cand;
489 id_payload_t *id_payload;
490 identification_t *id;
491
492 if (message->get_exchange_type(message) == IKE_SA_INIT)
493 {
494 return collect_other_init_data(this, message);
495 }
496
497 if (this->my_auth == NULL && this->do_another_auth)
498 {
499 /* handle (optional) IDr payload, apply proposed identity */
500 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
501 if (id_payload)
502 {
503 id = id_payload->get_identification(id_payload);
504 }
505 else
506 {
507 id = identification_create_from_encoding(ID_ANY, chunk_empty);
508 }
509 this->ike_sa->set_my_id(this->ike_sa, id);
510 }
511
512 if (!this->expect_another_auth)
513 {
514 return NEED_MORE;
515 }
516
517 if (message->get_message_id(message) == 1)
518 { /* check for extensions in the first IKE_AUTH */
519 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
520 {
521 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
522 }
523 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
524 {
525 this->ike_sa->enable_extension(this->ike_sa,
526 EXT_EAP_ONLY_AUTHENTICATION);
527 }
528 }
529
530 if (this->other_auth == NULL)
531 {
532 /* handle IDi payload */
533 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
534 if (!id_payload)
535 {
536 DBG1(DBG_IKE, "IDi payload missing");
537 return FAILED;
538 }
539 id = id_payload->get_identification(id_payload);
540 get_reserved_id_bytes(this, id_payload);
541 this->ike_sa->set_other_id(this->ike_sa, id);
542 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
543 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
544
545 if (this->peer_cfg == NULL)
546 {
547 if (!load_cfg_candidates(this))
548 {
549 this->authentication_failed = TRUE;
550 return NEED_MORE;
551 }
552 }
553 if (message->get_payload(message, AUTHENTICATION) == NULL)
554 { /* before authenticating with EAP, we need a EAP config */
555 cand = get_auth_cfg(this, FALSE);
556 while (!cand || (
557 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
558 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
559 { /* peer requested EAP, but current config does not match */
560 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
561 this->peer_cfg->destroy(this->peer_cfg);
562 this->peer_cfg = NULL;
563 if (!update_cfg_candidates(this, FALSE))
564 {
565 this->authentication_failed = TRUE;
566 return NEED_MORE;
567 }
568 cand = get_auth_cfg(this, FALSE);
569 }
570 /* copy over the EAP specific rules for authentication */
571 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
572 cand->get(cand, AUTH_RULE_EAP_TYPE));
573 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
574 cand->get(cand, AUTH_RULE_EAP_VENDOR));
575 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
576 if (id)
577 {
578 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
579 }
580 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
581 if (id)
582 {
583 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
584 }
585 }
586
587 /* verify authentication data */
588 this->other_auth = authenticator_create_verifier(this->ike_sa,
589 message, this->other_nonce, this->my_nonce,
590 this->other_packet->get_data(this->other_packet),
591 this->my_packet->get_data(this->my_packet),
592 this->reserved);
593 if (!this->other_auth)
594 {
595 this->authentication_failed = TRUE;
596 return NEED_MORE;
597 }
598 }
599 switch (this->other_auth->process(this->other_auth, message))
600 {
601 case SUCCESS:
602 this->other_auth->destroy(this->other_auth);
603 this->other_auth = NULL;
604 break;
605 case NEED_MORE:
606 if (message->get_payload(message, AUTHENTICATION))
607 { /* AUTH verification successful, but another build() needed */
608 break;
609 }
610 return NEED_MORE;
611 default:
612 this->authentication_failed = TRUE;
613 return NEED_MORE;
614 }
615
616 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
617 * delete any existing IKE_SAs with that peer. */
618 if (message->get_message_id(message) == 1 &&
619 message->get_notify(message, INITIAL_CONTACT))
620 {
621 this->initial_contact = TRUE;
622 }
623
624 /* store authentication information */
625 cfg = auth_cfg_create();
626 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
627 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
628
629 /* another auth round done, invoke authorize hook */
630 if (!charon->bus->authorize(charon->bus, FALSE))
631 {
632 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
633 this->authentication_failed = TRUE;
634 return NEED_MORE;
635 }
636
637 if (!update_cfg_candidates(this, FALSE))
638 {
639 this->authentication_failed = TRUE;
640 return NEED_MORE;
641 }
642
643 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
644 {
645 this->expect_another_auth = FALSE;
646 if (!update_cfg_candidates(this, TRUE))
647 {
648 this->authentication_failed = TRUE;
649 return NEED_MORE;
650 }
651 }
652 return NEED_MORE;
653 }
654
655 METHOD(task_t, build_r, status_t,
656 private_ike_auth_t *this, message_t *message)
657 {
658 auth_cfg_t *cfg;
659
660 if (message->get_exchange_type(message) == IKE_SA_INIT)
661 {
662 if (multiple_auth_enabled())
663 {
664 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
665 chunk_empty);
666 }
667 return collect_my_init_data(this, message);
668 }
669
670 if (this->authentication_failed || this->peer_cfg == NULL)
671 {
672 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
673 return FAILED;
674 }
675
676 if (this->my_auth == NULL && this->do_another_auth)
677 {
678 identification_t *id, *id_cfg;
679 id_payload_t *id_payload;
680
681 /* add IDr */
682 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
683 cfg->purge(cfg, TRUE);
684 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
685
686 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
687 id = this->ike_sa->get_my_id(this->ike_sa);
688 if (id->get_type(id) == ID_ANY)
689 { /* no IDr received, apply configured ID */
690 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
691 {
692 DBG1(DBG_CFG, "IDr not configured and negotiation failed");
693 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
694 chunk_empty);
695 return FAILED;
696 }
697 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
698 id = id_cfg;
699 }
700 else
701 { /* IDr received, check if it matches configuration */
702 if (id_cfg && !id->matches(id, id_cfg))
703 {
704 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
705 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
706 chunk_empty);
707 return FAILED;
708 }
709 }
710
711 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
712 get_reserved_id_bytes(this, id_payload);
713 message->add_payload(message, (payload_t*)id_payload);
714
715 if (this->initial_contact)
716 {
717 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
718 this->ike_sa, TRUE);
719 this->initial_contact = FALSE;
720 }
721
722 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
723 { /* EAP-only authentication */
724 if (!this->ike_sa->supports_extension(this->ike_sa,
725 EXT_EAP_ONLY_AUTHENTICATION))
726 {
727 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
728 "does not support it");
729 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
730 chunk_empty);
731 return FAILED;
732 }
733 }
734 else
735 {
736 /* build authentication data */
737 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
738 this->other_nonce, this->my_nonce,
739 this->other_packet->get_data(this->other_packet),
740 this->my_packet->get_data(this->my_packet),
741 this->reserved);
742 if (!this->my_auth)
743 {
744 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
745 chunk_empty);
746 return FAILED;
747 }
748 }
749 }
750
751 if (this->other_auth)
752 {
753 switch (this->other_auth->build(this->other_auth, message))
754 {
755 case SUCCESS:
756 this->other_auth->destroy(this->other_auth);
757 this->other_auth = NULL;
758 break;
759 case NEED_MORE:
760 break;
761 default:
762 if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
763 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
764 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
765 chunk_empty);
766 }
767 return FAILED;
768 }
769 }
770 if (this->my_auth)
771 {
772 switch (this->my_auth->build(this->my_auth, message))
773 {
774 case SUCCESS:
775 cfg = auth_cfg_create();
776 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
777 TRUE);
778 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
779 this->my_auth->destroy(this->my_auth);
780 this->my_auth = NULL;
781 break;
782 case NEED_MORE:
783 break;
784 default:
785 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
786 chunk_empty);
787 return FAILED;
788 }
789 }
790
791 /* check for additional authentication rounds */
792 if (do_another_auth(this))
793 {
794 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
795 }
796 else
797 {
798 this->do_another_auth = FALSE;
799 }
800 if (!this->do_another_auth && !this->expect_another_auth)
801 {
802 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
803 this->ike_sa, FALSE))
804 {
805 DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
806 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
807 chunk_empty);
808 return FAILED;
809 }
810 if (!charon->bus->authorize(charon->bus, TRUE))
811 {
812 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
813 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
814 chunk_empty);
815 return FAILED;
816 }
817 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
818 this->ike_sa->get_name(this->ike_sa),
819 this->ike_sa->get_unique_id(this->ike_sa),
820 this->ike_sa->get_my_host(this->ike_sa),
821 this->ike_sa->get_my_id(this->ike_sa),
822 this->ike_sa->get_other_host(this->ike_sa),
823 this->ike_sa->get_other_id(this->ike_sa));
824 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
825 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
826 return SUCCESS;
827 }
828 return NEED_MORE;
829 }
830
831 METHOD(task_t, process_i, status_t,
832 private_ike_auth_t *this, message_t *message)
833 {
834 enumerator_t *enumerator;
835 payload_t *payload;
836 auth_cfg_t *cfg;
837 bool mutual_eap = FALSE;
838
839 if (message->get_exchange_type(message) == IKE_SA_INIT)
840 {
841 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
842 multiple_auth_enabled())
843 {
844 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
845 }
846 return collect_other_init_data(this, message);
847 }
848
849 enumerator = message->create_payload_enumerator(message);
850 while (enumerator->enumerate(enumerator, &payload))
851 {
852 if (payload->get_type(payload) == NOTIFY)
853 {
854 notify_payload_t *notify = (notify_payload_t*)payload;
855 notify_type_t type = notify->get_notify_type(notify);
856
857 switch (type)
858 {
859 case NO_PROPOSAL_CHOSEN:
860 case SINGLE_PAIR_REQUIRED:
861 case NO_ADDITIONAL_SAS:
862 case INTERNAL_ADDRESS_FAILURE:
863 case FAILED_CP_REQUIRED:
864 case TS_UNACCEPTABLE:
865 case INVALID_SELECTORS:
866 /* these are errors, but are not critical as only the
867 * CHILD_SA won't get build, but IKE_SA establishes anyway */
868 break;
869 case MOBIKE_SUPPORTED:
870 case ADDITIONAL_IP4_ADDRESS:
871 case ADDITIONAL_IP6_ADDRESS:
872 /* handled in ike_mobike task */
873 break;
874 case AUTH_LIFETIME:
875 /* handled in ike_auth_lifetime task */
876 break;
877 case ME_ENDPOINT:
878 /* handled in ike_me task */
879 break;
880 default:
881 {
882 if (type <= 16383)
883 {
884 DBG1(DBG_IKE, "received %N notify error",
885 notify_type_names, type);
886 enumerator->destroy(enumerator);
887 return FAILED;
888 }
889 DBG2(DBG_IKE, "received %N notify",
890 notify_type_names, type);
891 break;
892 }
893 }
894 }
895 }
896 enumerator->destroy(enumerator);
897
898 if (this->expect_another_auth)
899 {
900 if (this->other_auth == NULL)
901 {
902 id_payload_t *id_payload;
903 identification_t *id;
904
905 /* handle IDr payload */
906 id_payload = (id_payload_t*)message->get_payload(message,
907 ID_RESPONDER);
908 if (!id_payload)
909 {
910 DBG1(DBG_IKE, "IDr payload missing");
911 return FAILED;
912 }
913 id = id_payload->get_identification(id_payload);
914 get_reserved_id_bytes(this, id_payload);
915 this->ike_sa->set_other_id(this->ike_sa, id);
916 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
917 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
918
919 if (message->get_payload(message, AUTHENTICATION))
920 {
921 /* verify authentication data */
922 this->other_auth = authenticator_create_verifier(this->ike_sa,
923 message, this->other_nonce, this->my_nonce,
924 this->other_packet->get_data(this->other_packet),
925 this->my_packet->get_data(this->my_packet),
926 this->reserved);
927 if (!this->other_auth)
928 {
929 return FAILED;
930 }
931 }
932 else
933 {
934 /* responder omitted AUTH payload, indicating EAP-only */
935 mutual_eap = TRUE;
936 }
937 }
938 if (this->other_auth)
939 {
940 switch (this->other_auth->process(this->other_auth, message))
941 {
942 case SUCCESS:
943 break;
944 case NEED_MORE:
945 return NEED_MORE;
946 default:
947 return FAILED;
948 }
949 this->other_auth->destroy(this->other_auth);
950 this->other_auth = NULL;
951 }
952 /* store authentication information, reset authenticator */
953 cfg = auth_cfg_create();
954 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
955 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
956
957 /* another auth round done, invoke authorize hook */
958 if (!charon->bus->authorize(charon->bus, FALSE))
959 {
960 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
961 return FAILED;
962 }
963 }
964
965 if (this->my_auth)
966 {
967 switch (this->my_auth->process(this->my_auth, message))
968 {
969 case SUCCESS:
970 cfg = auth_cfg_create();
971 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
972 TRUE);
973 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
974 this->my_auth->destroy(this->my_auth);
975 this->my_auth = NULL;
976 this->do_another_auth = do_another_auth(this);
977 break;
978 case NEED_MORE:
979 break;
980 default:
981 return FAILED;
982 }
983 }
984 if (mutual_eap)
985 {
986 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
987 {
988 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
989 return FAILED;
990 }
991 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
992 }
993
994 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
995 {
996 this->expect_another_auth = FALSE;
997 }
998 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
999 {
1000 if (!update_cfg_candidates(this, TRUE))
1001 {
1002 return FAILED;
1003 }
1004 if (!charon->bus->authorize(charon->bus, TRUE))
1005 {
1006 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
1007 return FAILED;
1008 }
1009 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1010 this->ike_sa->get_name(this->ike_sa),
1011 this->ike_sa->get_unique_id(this->ike_sa),
1012 this->ike_sa->get_my_host(this->ike_sa),
1013 this->ike_sa->get_my_id(this->ike_sa),
1014 this->ike_sa->get_other_host(this->ike_sa),
1015 this->ike_sa->get_other_id(this->ike_sa));
1016 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1017 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1018 return SUCCESS;
1019 }
1020 return NEED_MORE;
1021 }
1022
1023 METHOD(task_t, get_type, task_type_t,
1024 private_ike_auth_t *this)
1025 {
1026 return IKE_AUTHENTICATE;
1027 }
1028
1029 METHOD(task_t, migrate, void,
1030 private_ike_auth_t *this, ike_sa_t *ike_sa)
1031 {
1032 chunk_free(&this->my_nonce);
1033 chunk_free(&this->other_nonce);
1034 DESTROY_IF(this->my_packet);
1035 DESTROY_IF(this->other_packet);
1036 DESTROY_IF(this->peer_cfg);
1037 DESTROY_IF(this->my_auth);
1038 DESTROY_IF(this->other_auth);
1039 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1040
1041 this->my_packet = NULL;
1042 this->other_packet = NULL;
1043 this->ike_sa = ike_sa;
1044 this->peer_cfg = NULL;
1045 this->my_auth = NULL;
1046 this->other_auth = NULL;
1047 this->do_another_auth = TRUE;
1048 this->expect_another_auth = TRUE;
1049 this->authentication_failed = FALSE;
1050 this->candidates = linked_list_create();
1051 }
1052
1053 METHOD(task_t, destroy, void,
1054 private_ike_auth_t *this)
1055 {
1056 chunk_free(&this->my_nonce);
1057 chunk_free(&this->other_nonce);
1058 DESTROY_IF(this->my_packet);
1059 DESTROY_IF(this->other_packet);
1060 DESTROY_IF(this->my_auth);
1061 DESTROY_IF(this->other_auth);
1062 DESTROY_IF(this->peer_cfg);
1063 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1064 free(this);
1065 }
1066
1067 /*
1068 * Described in header.
1069 */
1070 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1071 {
1072 private_ike_auth_t *this;
1073
1074 INIT(this,
1075 .public = {
1076 .task = {
1077 .get_type = _get_type,
1078 .migrate = _migrate,
1079 .build = _build_r,
1080 .process = _process_r,
1081 .destroy = _destroy,
1082 },
1083 },
1084 .ike_sa = ike_sa,
1085 .initiator = initiator,
1086 .candidates = linked_list_create(),
1087 .do_another_auth = TRUE,
1088 .expect_another_auth = TRUE,
1089 );
1090 if (initiator)
1091 {
1092 this->public.task.build = _build_i;
1093 this->public.task.process = _process_i;
1094 }
1095 return &this->public;
1096 }
1097