Fall back on IP address as IDi if none is configured at all.
[strongswan.git] / src / libcharon / sa / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details
16 */
17
18 #include "ike_auth.h"
19
20 #include <string.h>
21
22 #include <daemon.h>
23 #include <encoding/payloads/id_payload.h>
24 #include <encoding/payloads/auth_payload.h>
25 #include <encoding/payloads/eap_payload.h>
26 #include <encoding/payloads/nonce_payload.h>
27 #include <sa/authenticators/eap_authenticator.h>
28
29 typedef struct private_ike_auth_t private_ike_auth_t;
30
31 /**
32 * Private members of a ike_auth_t task.
33 */
34 struct private_ike_auth_t {
35
36 /**
37 * Public methods and task_t interface.
38 */
39 ike_auth_t public;
40
41 /**
42 * Assigned IKE_SA.
43 */
44 ike_sa_t *ike_sa;
45
46 /**
47 * Are we the initiator?
48 */
49 bool initiator;
50
51 /**
52 * Nonce chosen by us in ike_init
53 */
54 chunk_t my_nonce;
55
56 /**
57 * Nonce chosen by peer in ike_init
58 */
59 chunk_t other_nonce;
60
61 /**
62 * IKE_SA_INIT message sent by us
63 */
64 packet_t *my_packet;
65
66 /**
67 * IKE_SA_INIT message sent by peer
68 */
69 packet_t *other_packet;
70
71 /**
72 * Reserved bytes of ID payload
73 */
74 char reserved[3];
75
76 /**
77 * currently active authenticator, to authenticate us
78 */
79 authenticator_t *my_auth;
80
81 /**
82 * currently active authenticator, to authenticate peer
83 */
84 authenticator_t *other_auth;
85
86 /**
87 * peer_cfg candidates, ordered by priority
88 */
89 linked_list_t *candidates;
90
91 /**
92 * selected peer config (might change when using multiple authentications)
93 */
94 peer_cfg_t *peer_cfg;
95
96 /**
97 * have we planned an(other) authentication exchange?
98 */
99 bool do_another_auth;
100
101 /**
102 * has the peer announced another authentication exchange?
103 */
104 bool expect_another_auth;
105
106 /**
107 * should we send a AUTHENTICATION_FAILED notify?
108 */
109 bool authentication_failed;
110
111 /**
112 * received an INITIAL_CONTACT?
113 */
114 bool initial_contact;
115 };
116
117 /**
118 * check if multiple authentication extension is enabled, configuration-wise
119 */
120 static bool multiple_auth_enabled()
121 {
122 return lib->settings->get_bool(lib->settings,
123 "charon.multiple_authentication", TRUE);
124 }
125
126 /**
127 * collect the needed information in the IKE_SA_INIT exchange from our message
128 */
129 static status_t collect_my_init_data(private_ike_auth_t *this,
130 message_t *message)
131 {
132 nonce_payload_t *nonce;
133
134 /* get the nonce that was generated in ike_init */
135 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
136 if (nonce == NULL)
137 {
138 return FAILED;
139 }
140 this->my_nonce = nonce->get_nonce(nonce);
141
142 /* pre-generate the message, keep a copy */
143 if (this->ike_sa->generate_message(this->ike_sa, message,
144 &this->my_packet) != SUCCESS)
145 {
146 return FAILED;
147 }
148 return NEED_MORE;
149 }
150
151 /**
152 * collect the needed information in the IKE_SA_INIT exchange from others message
153 */
154 static status_t collect_other_init_data(private_ike_auth_t *this,
155 message_t *message)
156 {
157 /* we collect the needed information in the IKE_SA_INIT exchange */
158 nonce_payload_t *nonce;
159
160 /* get the nonce that was generated in ike_init */
161 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
162 if (nonce == NULL)
163 {
164 return FAILED;
165 }
166 this->other_nonce = nonce->get_nonce(nonce);
167
168 /* keep a copy of the received packet */
169 this->other_packet = message->get_packet(message);
170 return NEED_MORE;
171 }
172
173 /**
174 * Get and store reserved bytes of id_payload, required for AUTH payload
175 */
176 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
177 {
178 u_int8_t *byte;
179 int i;
180
181 for (i = 0; i < countof(this->reserved); i++)
182 {
183 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
184 if (byte)
185 {
186 this->reserved[i] = *byte;
187 }
188 }
189 }
190
191 /**
192 * Get the next authentication configuration
193 */
194 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
195 {
196 enumerator_t *e1, *e2;
197 auth_cfg_t *c1, *c2, *next = NULL;
198
199 /* find an available config not already done */
200 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
201 while (e1->enumerate(e1, &c1))
202 {
203 bool found = FALSE;
204
205 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
206 while (e2->enumerate(e2, &c2))
207 {
208 if (c2->complies(c2, c1, FALSE))
209 {
210 found = TRUE;
211 break;
212 }
213 }
214 e2->destroy(e2);
215 if (!found)
216 {
217 next = c1;
218 break;
219 }
220 }
221 e1->destroy(e1);
222 return next;
223 }
224
225 /**
226 * Check if we have should initiate another authentication round
227 */
228 static bool do_another_auth(private_ike_auth_t *this)
229 {
230 bool do_another = FALSE;
231 enumerator_t *done, *todo;
232 auth_cfg_t *done_cfg, *todo_cfg;
233
234 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
235 {
236 return FALSE;
237 }
238
239 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
240 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
241 while (todo->enumerate(todo, &todo_cfg))
242 {
243 if (!done->enumerate(done, &done_cfg))
244 {
245 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
246 }
247 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
248 {
249 do_another = TRUE;
250 break;
251 }
252 }
253 done->destroy(done);
254 todo->destroy(todo);
255 return do_another;
256 }
257
258 /**
259 * Get peer configuration candidates from backends
260 */
261 static bool load_cfg_candidates(private_ike_auth_t *this)
262 {
263 enumerator_t *enumerator;
264 peer_cfg_t *peer_cfg;
265 host_t *me, *other;
266 identification_t *my_id, *other_id;
267
268 me = this->ike_sa->get_my_host(this->ike_sa);
269 other = this->ike_sa->get_other_host(this->ike_sa);
270 my_id = this->ike_sa->get_my_id(this->ike_sa);
271 other_id = this->ike_sa->get_other_id(this->ike_sa);
272
273 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
274 me, other, my_id, other_id);
275 while (enumerator->enumerate(enumerator, &peer_cfg))
276 {
277 peer_cfg->get_ref(peer_cfg);
278 if (this->peer_cfg == NULL)
279 { /* best match */
280 this->peer_cfg = peer_cfg;
281 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
282 }
283 else
284 {
285 this->candidates->insert_last(this->candidates, peer_cfg);
286 }
287 }
288 enumerator->destroy(enumerator);
289 if (this->peer_cfg)
290 {
291 DBG1(DBG_CFG, "selected peer config '%s'",
292 this->peer_cfg->get_name(this->peer_cfg));
293 return TRUE;
294 }
295 DBG1(DBG_CFG, "no matching peer config found");
296 return FALSE;
297 }
298
299 /**
300 * update the current peer candidate if necessary, using candidates
301 */
302 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
303 {
304 do
305 {
306 if (this->peer_cfg)
307 {
308 bool complies = TRUE;
309 enumerator_t *e1, *e2, *tmp;
310 auth_cfg_t *c1, *c2;
311
312 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
313 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
314
315 if (strict)
316 { /* swap lists in strict mode: all configured rounds must be
317 * fulfilled. If !strict, we check only the rounds done so far. */
318 tmp = e1;
319 e1 = e2;
320 e2 = tmp;
321 }
322 while (e1->enumerate(e1, &c1))
323 {
324 /* check if done authentications comply to configured ones */
325 if ((!e2->enumerate(e2, &c2)) ||
326 (!strict && !c1->complies(c1, c2, TRUE)) ||
327 (strict && !c2->complies(c2, c1, TRUE)))
328 {
329 complies = FALSE;
330 break;
331 }
332 }
333 e1->destroy(e1);
334 e2->destroy(e2);
335 if (complies)
336 {
337 break;
338 }
339 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
340 this->peer_cfg->get_name(this->peer_cfg));
341 this->peer_cfg->destroy(this->peer_cfg);
342 }
343 if (this->candidates->remove_first(this->candidates,
344 (void**)&this->peer_cfg) != SUCCESS)
345 {
346 DBG1(DBG_CFG, "no alternative config found");
347 this->peer_cfg = NULL;
348 }
349 else
350 {
351 DBG1(DBG_CFG, "switching to peer config '%s'",
352 this->peer_cfg->get_name(this->peer_cfg));
353 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
354 }
355 }
356 while (this->peer_cfg);
357
358 return this->peer_cfg != NULL;
359 }
360
361 METHOD(task_t, build_i, status_t,
362 private_ike_auth_t *this, message_t *message)
363 {
364 auth_cfg_t *cfg;
365
366 if (message->get_exchange_type(message) == IKE_SA_INIT)
367 {
368 return collect_my_init_data(this, message);
369 }
370
371 if (this->peer_cfg == NULL)
372 {
373 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
374 this->peer_cfg->get_ref(this->peer_cfg);
375 }
376
377 if (message->get_message_id(message) == 1)
378 { /* in the first IKE_AUTH ... */
379 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
380 { /* indicate support for multiple authentication */
381 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
382 chunk_empty);
383 }
384 /* indicate support for EAP-only authentication */
385 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
386 chunk_empty);
387 }
388
389 if (!this->do_another_auth && !this->my_auth)
390 { /* we have done our rounds */
391 return NEED_MORE;
392 }
393
394 /* check if an authenticator is in progress */
395 if (this->my_auth == NULL)
396 {
397 identification_t *idi, *idr = NULL;
398 id_payload_t *id_payload;
399
400 /* clean up authentication config from a previous round */
401 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
402 cfg->purge(cfg, TRUE);
403
404 /* add (optional) IDr */
405 cfg = get_auth_cfg(this, FALSE);
406 if (cfg)
407 {
408 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
409 if (idr && !idr->contains_wildcards(idr))
410 {
411 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
412 id_payload = id_payload_create_from_identification(
413 ID_RESPONDER, idr);
414 message->add_payload(message, (payload_t*)id_payload);
415 }
416 }
417 /* add IDi */
418 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
419 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
420 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
421 if (!idi || idi->get_type(idi) == ID_ANY)
422 { /* ID_ANY is invalid as IDi, use local IP address instead */
423 host_t *me;
424
425 DBG1(DBG_CFG, "no IDi configured, fall back on IP address");
426 me = this->ike_sa->get_my_host(this->ike_sa);
427 idi = identification_create_from_sockaddr(me->get_sockaddr(me));
428 if (!cfg->replace_value(cfg, AUTH_RULE_IDENTITY, idi))
429 {
430 cfg->add(cfg, AUTH_RULE_IDENTITY, idi);
431 }
432 }
433 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
434 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
435 get_reserved_id_bytes(this, id_payload);
436 message->add_payload(message, (payload_t*)id_payload);
437
438 if (idr && message->get_message_id(message) == 1 &&
439 this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
440 {
441 host_t *host;
442
443 host = this->ike_sa->get_other_host(this->ike_sa);
444 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
445 idi, idr, host->get_family(host)))
446 {
447 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
448 }
449 }
450
451 /* build authentication data */
452 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
453 this->other_nonce, this->my_nonce,
454 this->other_packet->get_data(this->other_packet),
455 this->my_packet->get_data(this->my_packet),
456 this->reserved);
457 if (!this->my_auth)
458 {
459 return FAILED;
460 }
461 }
462 switch (this->my_auth->build(this->my_auth, message))
463 {
464 case SUCCESS:
465 /* authentication step complete, reset authenticator */
466 cfg = auth_cfg_create();
467 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
468 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
469 this->my_auth->destroy(this->my_auth);
470 this->my_auth = NULL;
471 break;
472 case NEED_MORE:
473 break;
474 default:
475 return FAILED;
476 }
477
478 /* check for additional authentication rounds */
479 if (do_another_auth(this))
480 {
481 if (message->get_payload(message, AUTHENTICATION))
482 {
483 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
484 }
485 }
486 else
487 {
488 this->do_another_auth = FALSE;
489 }
490 return NEED_MORE;
491 }
492
493 METHOD(task_t, process_r, status_t,
494 private_ike_auth_t *this, message_t *message)
495 {
496 auth_cfg_t *cfg, *cand;
497 id_payload_t *id_payload;
498 identification_t *id;
499
500 if (message->get_exchange_type(message) == IKE_SA_INIT)
501 {
502 return collect_other_init_data(this, message);
503 }
504
505 if (this->my_auth == NULL && this->do_another_auth)
506 {
507 /* handle (optional) IDr payload, apply proposed identity */
508 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
509 if (id_payload)
510 {
511 id = id_payload->get_identification(id_payload);
512 }
513 else
514 {
515 id = identification_create_from_encoding(ID_ANY, chunk_empty);
516 }
517 this->ike_sa->set_my_id(this->ike_sa, id);
518 }
519
520 if (!this->expect_another_auth)
521 {
522 return NEED_MORE;
523 }
524
525 if (message->get_message_id(message) == 1)
526 { /* check for extensions in the first IKE_AUTH */
527 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
528 {
529 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
530 }
531 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
532 {
533 this->ike_sa->enable_extension(this->ike_sa,
534 EXT_EAP_ONLY_AUTHENTICATION);
535 }
536 }
537
538 if (this->other_auth == NULL)
539 {
540 /* handle IDi payload */
541 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
542 if (!id_payload)
543 {
544 DBG1(DBG_IKE, "IDi payload missing");
545 return FAILED;
546 }
547 id = id_payload->get_identification(id_payload);
548 get_reserved_id_bytes(this, id_payload);
549 this->ike_sa->set_other_id(this->ike_sa, id);
550 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
551 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
552
553 if (this->peer_cfg == NULL)
554 {
555 if (!load_cfg_candidates(this))
556 {
557 this->authentication_failed = TRUE;
558 return NEED_MORE;
559 }
560 }
561 if (message->get_payload(message, AUTHENTICATION) == NULL)
562 { /* before authenticating with EAP, we need a EAP config */
563 cand = get_auth_cfg(this, FALSE);
564 while (!cand || (
565 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
566 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
567 { /* peer requested EAP, but current config does not match */
568 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
569 this->peer_cfg->destroy(this->peer_cfg);
570 this->peer_cfg = NULL;
571 if (!update_cfg_candidates(this, FALSE))
572 {
573 this->authentication_failed = TRUE;
574 return NEED_MORE;
575 }
576 cand = get_auth_cfg(this, FALSE);
577 }
578 /* copy over the EAP specific rules for authentication */
579 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
580 cand->get(cand, AUTH_RULE_EAP_TYPE));
581 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
582 cand->get(cand, AUTH_RULE_EAP_VENDOR));
583 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
584 if (id)
585 {
586 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
587 }
588 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
589 if (id)
590 {
591 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
592 }
593 }
594
595 /* verify authentication data */
596 this->other_auth = authenticator_create_verifier(this->ike_sa,
597 message, this->other_nonce, this->my_nonce,
598 this->other_packet->get_data(this->other_packet),
599 this->my_packet->get_data(this->my_packet),
600 this->reserved);
601 if (!this->other_auth)
602 {
603 this->authentication_failed = TRUE;
604 return NEED_MORE;
605 }
606 }
607 switch (this->other_auth->process(this->other_auth, message))
608 {
609 case SUCCESS:
610 this->other_auth->destroy(this->other_auth);
611 this->other_auth = NULL;
612 break;
613 case NEED_MORE:
614 if (message->get_payload(message, AUTHENTICATION))
615 { /* AUTH verification successful, but another build() needed */
616 break;
617 }
618 return NEED_MORE;
619 default:
620 this->authentication_failed = TRUE;
621 return NEED_MORE;
622 }
623
624 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
625 * delete any existing IKE_SAs with that peer. */
626 if (message->get_message_id(message) == 1 &&
627 message->get_notify(message, INITIAL_CONTACT))
628 {
629 this->initial_contact = TRUE;
630 }
631
632 /* another auth round done, invoke authorize hook */
633 if (!charon->bus->authorize(charon->bus, FALSE))
634 {
635 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
636 this->authentication_failed = TRUE;
637 return NEED_MORE;
638 }
639
640 /* store authentication information */
641 cfg = auth_cfg_create();
642 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
643 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
644
645 if (!update_cfg_candidates(this, FALSE))
646 {
647 this->authentication_failed = TRUE;
648 return NEED_MORE;
649 }
650
651 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
652 {
653 this->expect_another_auth = FALSE;
654 if (!update_cfg_candidates(this, TRUE))
655 {
656 this->authentication_failed = TRUE;
657 return NEED_MORE;
658 }
659 }
660 return NEED_MORE;
661 }
662
663 METHOD(task_t, build_r, status_t,
664 private_ike_auth_t *this, message_t *message)
665 {
666 auth_cfg_t *cfg;
667
668 if (message->get_exchange_type(message) == IKE_SA_INIT)
669 {
670 if (multiple_auth_enabled())
671 {
672 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
673 chunk_empty);
674 }
675 return collect_my_init_data(this, message);
676 }
677
678 if (this->authentication_failed || this->peer_cfg == NULL)
679 {
680 goto peer_auth_failed;
681 }
682
683 if (this->my_auth == NULL && this->do_another_auth)
684 {
685 identification_t *id, *id_cfg;
686 id_payload_t *id_payload;
687
688 /* add IDr */
689 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
690 cfg->purge(cfg, TRUE);
691 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
692
693 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
694 id = this->ike_sa->get_my_id(this->ike_sa);
695 if (id->get_type(id) == ID_ANY)
696 { /* no IDr received, apply configured ID */
697 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
698 {
699 DBG1(DBG_CFG, "IDr not configured and negotiation failed");
700 goto peer_auth_failed;
701 }
702 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
703 id = id_cfg;
704 }
705 else
706 { /* IDr received, check if it matches configuration */
707 if (id_cfg && !id->matches(id, id_cfg))
708 {
709 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
710 goto peer_auth_failed;
711 }
712 }
713
714 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
715 get_reserved_id_bytes(this, id_payload);
716 message->add_payload(message, (payload_t*)id_payload);
717
718 if (this->initial_contact)
719 {
720 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
721 this->ike_sa, TRUE);
722 this->initial_contact = FALSE;
723 }
724
725 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
726 { /* EAP-only authentication */
727 if (!this->ike_sa->supports_extension(this->ike_sa,
728 EXT_EAP_ONLY_AUTHENTICATION))
729 {
730 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
731 "does not support it");
732 goto peer_auth_failed;
733 }
734 }
735 else
736 {
737 /* build authentication data */
738 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
739 this->other_nonce, this->my_nonce,
740 this->other_packet->get_data(this->other_packet),
741 this->my_packet->get_data(this->my_packet),
742 this->reserved);
743 if (!this->my_auth)
744 {
745 goto peer_auth_failed;
746 }
747 }
748 }
749
750 if (this->other_auth)
751 {
752 switch (this->other_auth->build(this->other_auth, message))
753 {
754 case SUCCESS:
755 this->other_auth->destroy(this->other_auth);
756 this->other_auth = NULL;
757 break;
758 case NEED_MORE:
759 break;
760 default:
761 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
762 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
763 goto peer_auth_failed_no_notify;
764 }
765 goto peer_auth_failed;
766 }
767 }
768 if (this->my_auth)
769 {
770 switch (this->my_auth->build(this->my_auth, message))
771 {
772 case SUCCESS:
773 cfg = auth_cfg_create();
774 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
775 TRUE);
776 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
777 this->my_auth->destroy(this->my_auth);
778 this->my_auth = NULL;
779 break;
780 case NEED_MORE:
781 break;
782 default:
783 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
784 chunk_empty);
785 return FAILED;
786 }
787 }
788
789 /* check for additional authentication rounds */
790 if (do_another_auth(this))
791 {
792 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
793 }
794 else
795 {
796 this->do_another_auth = FALSE;
797 }
798 if (!this->do_another_auth && !this->expect_another_auth)
799 {
800 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
801 this->ike_sa, FALSE))
802 {
803 DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
804 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
805 chunk_empty);
806 return FAILED;
807 }
808 if (!charon->bus->authorize(charon->bus, TRUE))
809 {
810 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
811 goto peer_auth_failed;
812 }
813 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
814 this->ike_sa->get_name(this->ike_sa),
815 this->ike_sa->get_unique_id(this->ike_sa),
816 this->ike_sa->get_my_host(this->ike_sa),
817 this->ike_sa->get_my_id(this->ike_sa),
818 this->ike_sa->get_other_host(this->ike_sa),
819 this->ike_sa->get_other_id(this->ike_sa));
820 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
821 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
822 return SUCCESS;
823 }
824 return NEED_MORE;
825
826 peer_auth_failed:
827 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
828 chunk_empty);
829 peer_auth_failed_no_notify:
830 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
831 return FAILED;
832 }
833
834 METHOD(task_t, process_i, status_t,
835 private_ike_auth_t *this, message_t *message)
836 {
837 enumerator_t *enumerator;
838 payload_t *payload;
839 auth_cfg_t *cfg;
840 bool mutual_eap = FALSE;
841
842 if (message->get_exchange_type(message) == IKE_SA_INIT)
843 {
844 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
845 multiple_auth_enabled())
846 {
847 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
848 }
849 return collect_other_init_data(this, message);
850 }
851
852 enumerator = message->create_payload_enumerator(message);
853 while (enumerator->enumerate(enumerator, &payload))
854 {
855 if (payload->get_type(payload) == NOTIFY)
856 {
857 notify_payload_t *notify = (notify_payload_t*)payload;
858 notify_type_t type = notify->get_notify_type(notify);
859
860 switch (type)
861 {
862 case NO_PROPOSAL_CHOSEN:
863 case SINGLE_PAIR_REQUIRED:
864 case NO_ADDITIONAL_SAS:
865 case INTERNAL_ADDRESS_FAILURE:
866 case FAILED_CP_REQUIRED:
867 case TS_UNACCEPTABLE:
868 case INVALID_SELECTORS:
869 /* these are errors, but are not critical as only the
870 * CHILD_SA won't get build, but IKE_SA establishes anyway */
871 break;
872 case MOBIKE_SUPPORTED:
873 case ADDITIONAL_IP4_ADDRESS:
874 case ADDITIONAL_IP6_ADDRESS:
875 /* handled in ike_mobike task */
876 break;
877 case AUTH_LIFETIME:
878 /* handled in ike_auth_lifetime task */
879 break;
880 case ME_ENDPOINT:
881 /* handled in ike_me task */
882 break;
883 default:
884 {
885 if (type <= 16383)
886 {
887 DBG1(DBG_IKE, "received %N notify error",
888 notify_type_names, type);
889 enumerator->destroy(enumerator);
890 return FAILED;
891 }
892 DBG2(DBG_IKE, "received %N notify",
893 notify_type_names, type);
894 break;
895 }
896 }
897 }
898 }
899 enumerator->destroy(enumerator);
900
901 if (this->expect_another_auth)
902 {
903 if (this->other_auth == NULL)
904 {
905 id_payload_t *id_payload;
906 identification_t *id;
907
908 /* handle IDr payload */
909 id_payload = (id_payload_t*)message->get_payload(message,
910 ID_RESPONDER);
911 if (!id_payload)
912 {
913 DBG1(DBG_IKE, "IDr payload missing");
914 goto peer_auth_failed;
915 }
916 id = id_payload->get_identification(id_payload);
917 get_reserved_id_bytes(this, id_payload);
918 this->ike_sa->set_other_id(this->ike_sa, id);
919 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
920 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
921
922 if (message->get_payload(message, AUTHENTICATION))
923 {
924 /* verify authentication data */
925 this->other_auth = authenticator_create_verifier(this->ike_sa,
926 message, this->other_nonce, this->my_nonce,
927 this->other_packet->get_data(this->other_packet),
928 this->my_packet->get_data(this->my_packet),
929 this->reserved);
930 if (!this->other_auth)
931 {
932 goto peer_auth_failed;
933 }
934 }
935 else
936 {
937 /* responder omitted AUTH payload, indicating EAP-only */
938 mutual_eap = TRUE;
939 }
940 }
941 if (this->other_auth)
942 {
943 switch (this->other_auth->process(this->other_auth, message))
944 {
945 case SUCCESS:
946 break;
947 case NEED_MORE:
948 return NEED_MORE;
949 default:
950 goto peer_auth_failed;
951 }
952 this->other_auth->destroy(this->other_auth);
953 this->other_auth = NULL;
954 }
955 /* another auth round done, invoke authorize hook */
956 if (!charon->bus->authorize(charon->bus, FALSE))
957 {
958 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
959 goto peer_auth_failed;
960 }
961
962 /* store authentication information, reset authenticator */
963 cfg = auth_cfg_create();
964 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
965 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
966 }
967
968 if (this->my_auth)
969 {
970 switch (this->my_auth->process(this->my_auth, message))
971 {
972 case SUCCESS:
973 cfg = auth_cfg_create();
974 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
975 TRUE);
976 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
977 this->my_auth->destroy(this->my_auth);
978 this->my_auth = NULL;
979 this->do_another_auth = do_another_auth(this);
980 break;
981 case NEED_MORE:
982 break;
983 default:
984 return FAILED;
985 }
986 }
987 if (mutual_eap)
988 {
989 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
990 {
991 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
992 goto peer_auth_failed;
993 }
994 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
995 }
996
997 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
998 {
999 this->expect_another_auth = FALSE;
1000 }
1001 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
1002 {
1003 if (!update_cfg_candidates(this, TRUE))
1004 {
1005 goto peer_auth_failed;
1006 }
1007 if (!charon->bus->authorize(charon->bus, TRUE))
1008 {
1009 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
1010 "cancelling");
1011 goto peer_auth_failed;
1012 }
1013 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1014 this->ike_sa->get_name(this->ike_sa),
1015 this->ike_sa->get_unique_id(this->ike_sa),
1016 this->ike_sa->get_my_host(this->ike_sa),
1017 this->ike_sa->get_my_id(this->ike_sa),
1018 this->ike_sa->get_other_host(this->ike_sa),
1019 this->ike_sa->get_other_id(this->ike_sa));
1020 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1021 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1022 return SUCCESS;
1023 }
1024 return NEED_MORE;
1025
1026 peer_auth_failed:
1027 charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
1028 return FAILED;
1029 }
1030
1031 METHOD(task_t, get_type, task_type_t,
1032 private_ike_auth_t *this)
1033 {
1034 return IKE_AUTHENTICATE;
1035 }
1036
1037 METHOD(task_t, migrate, void,
1038 private_ike_auth_t *this, ike_sa_t *ike_sa)
1039 {
1040 chunk_free(&this->my_nonce);
1041 chunk_free(&this->other_nonce);
1042 DESTROY_IF(this->my_packet);
1043 DESTROY_IF(this->other_packet);
1044 DESTROY_IF(this->peer_cfg);
1045 DESTROY_IF(this->my_auth);
1046 DESTROY_IF(this->other_auth);
1047 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1048
1049 this->my_packet = NULL;
1050 this->other_packet = NULL;
1051 this->ike_sa = ike_sa;
1052 this->peer_cfg = NULL;
1053 this->my_auth = NULL;
1054 this->other_auth = NULL;
1055 this->do_another_auth = TRUE;
1056 this->expect_another_auth = TRUE;
1057 this->authentication_failed = FALSE;
1058 this->candidates = linked_list_create();
1059 }
1060
1061 METHOD(task_t, destroy, void,
1062 private_ike_auth_t *this)
1063 {
1064 chunk_free(&this->my_nonce);
1065 chunk_free(&this->other_nonce);
1066 DESTROY_IF(this->my_packet);
1067 DESTROY_IF(this->other_packet);
1068 DESTROY_IF(this->my_auth);
1069 DESTROY_IF(this->other_auth);
1070 DESTROY_IF(this->peer_cfg);
1071 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1072 free(this);
1073 }
1074
1075 /*
1076 * Described in header.
1077 */
1078 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1079 {
1080 private_ike_auth_t *this;
1081
1082 INIT(this,
1083 .public = {
1084 .task = {
1085 .get_type = _get_type,
1086 .migrate = _migrate,
1087 .build = _build_r,
1088 .process = _process_r,
1089 .destroy = _destroy,
1090 },
1091 },
1092 .ike_sa = ike_sa,
1093 .initiator = initiator,
1094 .candidates = linked_list_create(),
1095 .do_another_auth = TRUE,
1096 .expect_another_auth = TRUE,
1097 );
1098 if (initiator)
1099 {
1100 this->public.task.build = _build_i;
1101 this->public.task.process = _process_i;
1102 }
1103 return &this->public;
1104 }
1105