Send INITIAL_CONTACT even if we have a unique policy
[strongswan.git] / src / libcharon / sa / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details
15 */
16
17 #include "ike_auth.h"
18
19 #include <string.h>
20
21 #include <daemon.h>
22 #include <encoding/payloads/id_payload.h>
23 #include <encoding/payloads/auth_payload.h>
24 #include <encoding/payloads/eap_payload.h>
25 #include <encoding/payloads/nonce_payload.h>
26 #include <sa/authenticators/eap_authenticator.h>
27
28 typedef struct private_ike_auth_t private_ike_auth_t;
29
30 /**
31 * Private members of a ike_auth_t task.
32 */
33 struct private_ike_auth_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 ike_auth_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Nonce chosen by us in ike_init
52 */
53 chunk_t my_nonce;
54
55 /**
56 * Nonce chosen by peer in ike_init
57 */
58 chunk_t other_nonce;
59
60 /**
61 * IKE_SA_INIT message sent by us
62 */
63 packet_t *my_packet;
64
65 /**
66 * IKE_SA_INIT message sent by peer
67 */
68 packet_t *other_packet;
69
70 /**
71 * Reserved bytes of ID payload
72 */
73 char reserved[3];
74
75 /**
76 * currently active authenticator, to authenticate us
77 */
78 authenticator_t *my_auth;
79
80 /**
81 * currently active authenticator, to authenticate peer
82 */
83 authenticator_t *other_auth;
84
85 /**
86 * peer_cfg candidates, ordered by priority
87 */
88 linked_list_t *candidates;
89
90 /**
91 * selected peer config (might change when using multiple authentications)
92 */
93 peer_cfg_t *peer_cfg;
94
95 /**
96 * have we planned an(other) authentication exchange?
97 */
98 bool do_another_auth;
99
100 /**
101 * has the peer announced another authentication exchange?
102 */
103 bool expect_another_auth;
104
105 /**
106 * should we send a AUTHENTICATION_FAILED notify?
107 */
108 bool authentication_failed;
109
110 /**
111 * received an INITIAL_CONTACT?
112 */
113 bool initial_contact;
114 };
115
116 /**
117 * check if multiple authentication extension is enabled, configuration-wise
118 */
119 static bool multiple_auth_enabled()
120 {
121 return lib->settings->get_bool(lib->settings,
122 "charon.multiple_authentication", TRUE);
123 }
124
125 /**
126 * collect the needed information in the IKE_SA_INIT exchange from our message
127 */
128 static status_t collect_my_init_data(private_ike_auth_t *this,
129 message_t *message)
130 {
131 nonce_payload_t *nonce;
132
133 /* get the nonce that was generated in ike_init */
134 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
135 if (nonce == NULL)
136 {
137 return FAILED;
138 }
139 this->my_nonce = nonce->get_nonce(nonce);
140
141 /* pre-generate the message, keep a copy */
142 if (this->ike_sa->generate_message(this->ike_sa, message,
143 &this->my_packet) != SUCCESS)
144 {
145 return FAILED;
146 }
147 return NEED_MORE;
148 }
149
150 /**
151 * collect the needed information in the IKE_SA_INIT exchange from others message
152 */
153 static status_t collect_other_init_data(private_ike_auth_t *this,
154 message_t *message)
155 {
156 /* we collect the needed information in the IKE_SA_INIT exchange */
157 nonce_payload_t *nonce;
158
159 /* get the nonce that was generated in ike_init */
160 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
161 if (nonce == NULL)
162 {
163 return FAILED;
164 }
165 this->other_nonce = nonce->get_nonce(nonce);
166
167 /* keep a copy of the received packet */
168 this->other_packet = message->get_packet(message);
169 return NEED_MORE;
170 }
171
172 /**
173 * Get and store reserved bytes of id_payload, required for AUTH payload
174 */
175 static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
176 {
177 u_int8_t *byte;
178 int i;
179
180 for (i = 0; i < countof(this->reserved); i++)
181 {
182 byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
183 if (byte)
184 {
185 this->reserved[i] = *byte;
186 }
187 }
188 }
189
190 /**
191 * Get the next authentication configuration
192 */
193 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
194 {
195 enumerator_t *e1, *e2;
196 auth_cfg_t *c1, *c2, *next = NULL;
197
198 /* find an available config not already done */
199 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
200 while (e1->enumerate(e1, &c1))
201 {
202 bool found = FALSE;
203
204 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
205 while (e2->enumerate(e2, &c2))
206 {
207 if (c2->complies(c2, c1, FALSE))
208 {
209 found = TRUE;
210 break;
211 }
212 }
213 e2->destroy(e2);
214 if (!found)
215 {
216 next = c1;
217 break;
218 }
219 }
220 e1->destroy(e1);
221 return next;
222 }
223
224 /**
225 * Check if we have should initiate another authentication round
226 */
227 static bool do_another_auth(private_ike_auth_t *this)
228 {
229 bool do_another = FALSE;
230 enumerator_t *done, *todo;
231 auth_cfg_t *done_cfg, *todo_cfg;
232
233 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
234 {
235 return FALSE;
236 }
237
238 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
239 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
240 while (todo->enumerate(todo, &todo_cfg))
241 {
242 if (!done->enumerate(done, &done_cfg))
243 {
244 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
245 }
246 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
247 {
248 do_another = TRUE;
249 break;
250 }
251 }
252 done->destroy(done);
253 todo->destroy(todo);
254 return do_another;
255 }
256
257 /**
258 * Get peer configuration candidates from backends
259 */
260 static bool load_cfg_candidates(private_ike_auth_t *this)
261 {
262 enumerator_t *enumerator;
263 peer_cfg_t *peer_cfg;
264 host_t *me, *other;
265 identification_t *my_id, *other_id;
266
267 me = this->ike_sa->get_my_host(this->ike_sa);
268 other = this->ike_sa->get_other_host(this->ike_sa);
269 my_id = this->ike_sa->get_my_id(this->ike_sa);
270 other_id = this->ike_sa->get_other_id(this->ike_sa);
271
272 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
273 me, other, my_id, other_id);
274 while (enumerator->enumerate(enumerator, &peer_cfg))
275 {
276 peer_cfg->get_ref(peer_cfg);
277 if (this->peer_cfg == NULL)
278 { /* best match */
279 this->peer_cfg = peer_cfg;
280 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
281 }
282 else
283 {
284 this->candidates->insert_last(this->candidates, peer_cfg);
285 }
286 }
287 enumerator->destroy(enumerator);
288 if (this->peer_cfg)
289 {
290 DBG1(DBG_CFG, "selected peer config '%s'",
291 this->peer_cfg->get_name(this->peer_cfg));
292 return TRUE;
293 }
294 DBG1(DBG_CFG, "no matching peer config found");
295 return FALSE;
296 }
297
298 /**
299 * update the current peer candidate if necessary, using candidates
300 */
301 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
302 {
303 do
304 {
305 if (this->peer_cfg)
306 {
307 bool complies = TRUE;
308 enumerator_t *e1, *e2, *tmp;
309 auth_cfg_t *c1, *c2;
310
311 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
312 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
313
314 if (strict)
315 { /* swap lists in strict mode: all configured rounds must be
316 * fulfilled. If !strict, we check only the rounds done so far. */
317 tmp = e1;
318 e1 = e2;
319 e2 = tmp;
320 }
321 while (e1->enumerate(e1, &c1))
322 {
323 /* check if done authentications comply to configured ones */
324 if ((!e2->enumerate(e2, &c2)) ||
325 (!strict && !c1->complies(c1, c2, TRUE)) ||
326 (strict && !c2->complies(c2, c1, TRUE)))
327 {
328 complies = FALSE;
329 break;
330 }
331 }
332 e1->destroy(e1);
333 e2->destroy(e2);
334 if (complies)
335 {
336 break;
337 }
338 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
339 this->peer_cfg->get_name(this->peer_cfg));
340 this->peer_cfg->destroy(this->peer_cfg);
341 }
342 if (this->candidates->remove_first(this->candidates,
343 (void**)&this->peer_cfg) != SUCCESS)
344 {
345 DBG1(DBG_CFG, "no alternative config found");
346 this->peer_cfg = NULL;
347 }
348 else
349 {
350 DBG1(DBG_CFG, "switching to peer config '%s'",
351 this->peer_cfg->get_name(this->peer_cfg));
352 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
353 }
354 }
355 while (this->peer_cfg);
356
357 return this->peer_cfg != NULL;
358 }
359
360 /**
361 * Implementation of task_t.build for initiator
362 */
363 static status_t build_i(private_ike_auth_t *this, message_t *message)
364 {
365 auth_cfg_t *cfg;
366
367 if (message->get_exchange_type(message) == IKE_SA_INIT)
368 {
369 return collect_my_init_data(this, message);
370 }
371
372 if (this->peer_cfg == NULL)
373 {
374 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
375 this->peer_cfg->get_ref(this->peer_cfg);
376 }
377
378 if (message->get_message_id(message) == 1)
379 { /* in the first IKE_AUTH ... */
380 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
381 { /* indicate support for multiple authentication */
382 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
383 chunk_empty);
384 }
385 /* indicate support for EAP-only authentication */
386 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
387 chunk_empty);
388 }
389
390 if (!this->do_another_auth && !this->my_auth)
391 { /* we have done our rounds */
392 return NEED_MORE;
393 }
394
395 /* check if an authenticator is in progress */
396 if (this->my_auth == NULL)
397 {
398 identification_t *idi, *idr = NULL;
399 id_payload_t *id_payload;
400
401 /* clean up authentication config from a previous round */
402 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
403 cfg->purge(cfg, TRUE);
404
405 /* add (optional) IDr */
406 cfg = get_auth_cfg(this, FALSE);
407 if (cfg)
408 {
409 idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
410 if (idr && !idr->contains_wildcards(idr))
411 {
412 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
413 id_payload = id_payload_create_from_identification(
414 ID_RESPONDER, idr);
415 message->add_payload(message, (payload_t*)id_payload);
416 }
417 }
418 /* add IDi */
419 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
420 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
421 idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
422 if (!idi)
423 {
424 DBG1(DBG_CFG, "configuration misses IDi");
425 return FAILED;
426 }
427 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
428 id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
429 get_reserved_id_bytes(this, id_payload);
430 message->add_payload(message, (payload_t*)id_payload);
431
432 if (idr && message->get_message_id(message))
433 {
434 host_t *host;
435
436 host = this->ike_sa->get_other_host(this->ike_sa);
437 if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
438 idi, idr, host->get_family(host)))
439 {
440 message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
441 }
442 }
443
444 /* build authentication data */
445 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
446 this->other_nonce, this->my_nonce,
447 this->other_packet->get_data(this->other_packet),
448 this->my_packet->get_data(this->my_packet),
449 this->reserved);
450 if (!this->my_auth)
451 {
452 return FAILED;
453 }
454 }
455 switch (this->my_auth->build(this->my_auth, message))
456 {
457 case SUCCESS:
458 /* authentication step complete, reset authenticator */
459 cfg = auth_cfg_create();
460 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
461 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
462 this->my_auth->destroy(this->my_auth);
463 this->my_auth = NULL;
464 break;
465 case NEED_MORE:
466 break;
467 default:
468 return FAILED;
469 }
470
471 /* check for additional authentication rounds */
472 if (do_another_auth(this))
473 {
474 if (message->get_payload(message, AUTHENTICATION))
475 {
476 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
477 }
478 }
479 else
480 {
481 this->do_another_auth = FALSE;
482 }
483 return NEED_MORE;
484 }
485
486 /**
487 * Implementation of task_t.process for responder
488 */
489 static status_t process_r(private_ike_auth_t *this, message_t *message)
490 {
491 auth_cfg_t *cfg, *cand;
492 id_payload_t *id_payload;
493 identification_t *id;
494
495 if (message->get_exchange_type(message) == IKE_SA_INIT)
496 {
497 return collect_other_init_data(this, message);
498 }
499
500 if (this->my_auth == NULL && this->do_another_auth)
501 {
502 /* handle (optional) IDr payload, apply proposed identity */
503 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
504 if (id_payload)
505 {
506 id = id_payload->get_identification(id_payload);
507 }
508 else
509 {
510 id = identification_create_from_encoding(ID_ANY, chunk_empty);
511 }
512 this->ike_sa->set_my_id(this->ike_sa, id);
513 }
514
515 if (!this->expect_another_auth)
516 {
517 return NEED_MORE;
518 }
519
520 if (message->get_message_id(message) == 1)
521 { /* check for extensions in the first IKE_AUTH */
522 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
523 {
524 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
525 }
526 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
527 {
528 this->ike_sa->enable_extension(this->ike_sa,
529 EXT_EAP_ONLY_AUTHENTICATION);
530 }
531 }
532
533 if (this->other_auth == NULL)
534 {
535 /* handle IDi payload */
536 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
537 if (!id_payload)
538 {
539 DBG1(DBG_IKE, "IDi payload missing");
540 return FAILED;
541 }
542 id = id_payload->get_identification(id_payload);
543 get_reserved_id_bytes(this, id_payload);
544 this->ike_sa->set_other_id(this->ike_sa, id);
545 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
546 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
547
548 if (this->peer_cfg == NULL)
549 {
550 if (!load_cfg_candidates(this))
551 {
552 this->authentication_failed = TRUE;
553 return NEED_MORE;
554 }
555 }
556 if (message->get_payload(message, AUTHENTICATION) == NULL)
557 { /* before authenticating with EAP, we need a EAP config */
558 cand = get_auth_cfg(this, FALSE);
559 while (!cand || (
560 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
561 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
562 { /* peer requested EAP, but current config does not match */
563 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
564 this->peer_cfg->destroy(this->peer_cfg);
565 this->peer_cfg = NULL;
566 if (!update_cfg_candidates(this, FALSE))
567 {
568 this->authentication_failed = TRUE;
569 return NEED_MORE;
570 }
571 cand = get_auth_cfg(this, FALSE);
572 }
573 /* copy over the EAP specific rules for authentication */
574 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
575 cand->get(cand, AUTH_RULE_EAP_TYPE));
576 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
577 cand->get(cand, AUTH_RULE_EAP_VENDOR));
578 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
579 if (id)
580 {
581 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
582 }
583 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
584 if (id)
585 {
586 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
587 }
588 }
589
590 /* verify authentication data */
591 this->other_auth = authenticator_create_verifier(this->ike_sa,
592 message, this->other_nonce, this->my_nonce,
593 this->other_packet->get_data(this->other_packet),
594 this->my_packet->get_data(this->my_packet),
595 this->reserved);
596 if (!this->other_auth)
597 {
598 this->authentication_failed = TRUE;
599 return NEED_MORE;
600 }
601 }
602 switch (this->other_auth->process(this->other_auth, message))
603 {
604 case SUCCESS:
605 this->other_auth->destroy(this->other_auth);
606 this->other_auth = NULL;
607 break;
608 case NEED_MORE:
609 if (message->get_payload(message, AUTHENTICATION))
610 { /* AUTH verification successful, but another build() needed */
611 break;
612 }
613 return NEED_MORE;
614 default:
615 this->authentication_failed = TRUE;
616 return NEED_MORE;
617 }
618
619 /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
620 * delete any existing IKE_SAs with that peer. */
621 if (message->get_message_id(message) == 1 &&
622 message->get_notify(message, INITIAL_CONTACT))
623 {
624 this->initial_contact = TRUE;
625 }
626
627 /* store authentication information */
628 cfg = auth_cfg_create();
629 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
630 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
631
632 /* another auth round done, invoke authorize hook */
633 if (!charon->bus->authorize(charon->bus, FALSE))
634 {
635 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
636 this->authentication_failed = TRUE;
637 return NEED_MORE;
638 }
639
640 if (!update_cfg_candidates(this, FALSE))
641 {
642 this->authentication_failed = TRUE;
643 return NEED_MORE;
644 }
645
646 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
647 {
648 this->expect_another_auth = FALSE;
649 if (!update_cfg_candidates(this, TRUE))
650 {
651 this->authentication_failed = TRUE;
652 return NEED_MORE;
653 }
654 }
655 return NEED_MORE;
656 }
657
658 /**
659 * Implementation of task_t.build for responder
660 */
661 static status_t build_r(private_ike_auth_t *this, message_t *message)
662 {
663 auth_cfg_t *cfg;
664
665 if (message->get_exchange_type(message) == IKE_SA_INIT)
666 {
667 if (multiple_auth_enabled())
668 {
669 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
670 chunk_empty);
671 }
672 return collect_my_init_data(this, message);
673 }
674
675 if (this->authentication_failed || this->peer_cfg == NULL)
676 {
677 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
678 return FAILED;
679 }
680
681 if (this->my_auth == NULL && this->do_another_auth)
682 {
683 identification_t *id, *id_cfg;
684 id_payload_t *id_payload;
685
686 /* add IDr */
687 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
688 cfg->purge(cfg, TRUE);
689 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
690
691 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
692 id = this->ike_sa->get_my_id(this->ike_sa);
693 if (id->get_type(id) == ID_ANY)
694 { /* no IDr received, apply configured ID */
695 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
696 {
697 DBG1(DBG_CFG, "IDr not configured and negotiation failed");
698 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
699 chunk_empty);
700 return FAILED;
701 }
702 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
703 id = id_cfg;
704 }
705 else
706 { /* IDr received, check if it matches configuration */
707 if (id_cfg && !id->matches(id, id_cfg))
708 {
709 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
710 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
711 chunk_empty);
712 return FAILED;
713 }
714 }
715
716 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
717 get_reserved_id_bytes(this, id_payload);
718 message->add_payload(message, (payload_t*)id_payload);
719
720 if (this->initial_contact)
721 {
722 charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
723 this->ike_sa, TRUE);
724 this->initial_contact = FALSE;
725 }
726
727 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
728 { /* EAP-only authentication */
729 if (!this->ike_sa->supports_extension(this->ike_sa,
730 EXT_EAP_ONLY_AUTHENTICATION))
731 {
732 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
733 "does not support it");
734 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
735 chunk_empty);
736 return FAILED;
737 }
738 }
739 else
740 {
741 /* build authentication data */
742 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
743 this->other_nonce, this->my_nonce,
744 this->other_packet->get_data(this->other_packet),
745 this->my_packet->get_data(this->my_packet),
746 this->reserved);
747 if (!this->my_auth)
748 {
749 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
750 chunk_empty);
751 return FAILED;
752 }
753 }
754 }
755
756 if (this->other_auth)
757 {
758 switch (this->other_auth->build(this->other_auth, message))
759 {
760 case SUCCESS:
761 this->other_auth->destroy(this->other_auth);
762 this->other_auth = NULL;
763 break;
764 case NEED_MORE:
765 break;
766 default:
767 if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
768 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
769 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
770 chunk_empty);
771 }
772 return FAILED;
773 }
774 }
775 if (this->my_auth)
776 {
777 switch (this->my_auth->build(this->my_auth, message))
778 {
779 case SUCCESS:
780 cfg = auth_cfg_create();
781 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
782 TRUE);
783 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
784 this->my_auth->destroy(this->my_auth);
785 this->my_auth = NULL;
786 break;
787 case NEED_MORE:
788 break;
789 default:
790 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
791 chunk_empty);
792 return FAILED;
793 }
794 }
795
796 /* check for additional authentication rounds */
797 if (do_another_auth(this))
798 {
799 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
800 }
801 else
802 {
803 this->do_another_auth = FALSE;
804 }
805 if (!this->do_another_auth && !this->expect_another_auth)
806 {
807 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
808 this->ike_sa, FALSE))
809 {
810 DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
811 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
812 chunk_empty);
813 return FAILED;
814 }
815 if (!charon->bus->authorize(charon->bus, TRUE))
816 {
817 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
818 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
819 chunk_empty);
820 return FAILED;
821 }
822 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
823 this->ike_sa->get_name(this->ike_sa),
824 this->ike_sa->get_unique_id(this->ike_sa),
825 this->ike_sa->get_my_host(this->ike_sa),
826 this->ike_sa->get_my_id(this->ike_sa),
827 this->ike_sa->get_other_host(this->ike_sa),
828 this->ike_sa->get_other_id(this->ike_sa));
829 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
830 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
831 return SUCCESS;
832 }
833 return NEED_MORE;
834 }
835
836 /**
837 * Implementation of task_t.process for initiator
838 */
839 static status_t process_i(private_ike_auth_t *this, message_t *message)
840 {
841 enumerator_t *enumerator;
842 payload_t *payload;
843 auth_cfg_t *cfg;
844 bool mutual_eap = FALSE;
845
846 if (message->get_exchange_type(message) == IKE_SA_INIT)
847 {
848 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
849 multiple_auth_enabled())
850 {
851 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
852 }
853 return collect_other_init_data(this, message);
854 }
855
856 enumerator = message->create_payload_enumerator(message);
857 while (enumerator->enumerate(enumerator, &payload))
858 {
859 if (payload->get_type(payload) == NOTIFY)
860 {
861 notify_payload_t *notify = (notify_payload_t*)payload;
862 notify_type_t type = notify->get_notify_type(notify);
863
864 switch (type)
865 {
866 case NO_PROPOSAL_CHOSEN:
867 case SINGLE_PAIR_REQUIRED:
868 case NO_ADDITIONAL_SAS:
869 case INTERNAL_ADDRESS_FAILURE:
870 case FAILED_CP_REQUIRED:
871 case TS_UNACCEPTABLE:
872 case INVALID_SELECTORS:
873 /* these are errors, but are not critical as only the
874 * CHILD_SA won't get build, but IKE_SA establishes anyway */
875 break;
876 case MOBIKE_SUPPORTED:
877 case ADDITIONAL_IP4_ADDRESS:
878 case ADDITIONAL_IP6_ADDRESS:
879 /* handled in ike_mobike task */
880 break;
881 case AUTH_LIFETIME:
882 /* handled in ike_auth_lifetime task */
883 break;
884 case ME_ENDPOINT:
885 /* handled in ike_me task */
886 break;
887 default:
888 {
889 if (type <= 16383)
890 {
891 DBG1(DBG_IKE, "received %N notify error",
892 notify_type_names, type);
893 enumerator->destroy(enumerator);
894 return FAILED;
895 }
896 DBG2(DBG_IKE, "received %N notify",
897 notify_type_names, type);
898 break;
899 }
900 }
901 }
902 }
903 enumerator->destroy(enumerator);
904
905 if (this->expect_another_auth)
906 {
907 if (this->other_auth == NULL)
908 {
909 id_payload_t *id_payload;
910 identification_t *id;
911
912 /* handle IDr payload */
913 id_payload = (id_payload_t*)message->get_payload(message,
914 ID_RESPONDER);
915 if (!id_payload)
916 {
917 DBG1(DBG_IKE, "IDr payload missing");
918 return FAILED;
919 }
920 id = id_payload->get_identification(id_payload);
921 get_reserved_id_bytes(this, id_payload);
922 this->ike_sa->set_other_id(this->ike_sa, id);
923 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
924 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
925
926 if (message->get_payload(message, AUTHENTICATION))
927 {
928 /* verify authentication data */
929 this->other_auth = authenticator_create_verifier(this->ike_sa,
930 message, this->other_nonce, this->my_nonce,
931 this->other_packet->get_data(this->other_packet),
932 this->my_packet->get_data(this->my_packet),
933 this->reserved);
934 if (!this->other_auth)
935 {
936 return FAILED;
937 }
938 }
939 else
940 {
941 /* responder omitted AUTH payload, indicating EAP-only */
942 mutual_eap = TRUE;
943 }
944 }
945 if (this->other_auth)
946 {
947 switch (this->other_auth->process(this->other_auth, message))
948 {
949 case SUCCESS:
950 break;
951 case NEED_MORE:
952 return NEED_MORE;
953 default:
954 return FAILED;
955 }
956 this->other_auth->destroy(this->other_auth);
957 this->other_auth = NULL;
958 }
959 /* store authentication information, reset authenticator */
960 cfg = auth_cfg_create();
961 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
962 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
963
964 /* another auth round done, invoke authorize hook */
965 if (!charon->bus->authorize(charon->bus, FALSE))
966 {
967 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
968 return FAILED;
969 }
970 }
971
972 if (this->my_auth)
973 {
974 switch (this->my_auth->process(this->my_auth, message))
975 {
976 case SUCCESS:
977 cfg = auth_cfg_create();
978 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
979 TRUE);
980 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
981 this->my_auth->destroy(this->my_auth);
982 this->my_auth = NULL;
983 this->do_another_auth = do_another_auth(this);
984 break;
985 case NEED_MORE:
986 break;
987 default:
988 return FAILED;
989 }
990 }
991 if (mutual_eap)
992 {
993 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
994 {
995 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
996 return FAILED;
997 }
998 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
999 }
1000
1001 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
1002 {
1003 this->expect_another_auth = FALSE;
1004 }
1005 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
1006 {
1007 if (!update_cfg_candidates(this, TRUE))
1008 {
1009 return FAILED;
1010 }
1011 if (!charon->bus->authorize(charon->bus, TRUE))
1012 {
1013 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
1014 return FAILED;
1015 }
1016 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
1017 this->ike_sa->get_name(this->ike_sa),
1018 this->ike_sa->get_unique_id(this->ike_sa),
1019 this->ike_sa->get_my_host(this->ike_sa),
1020 this->ike_sa->get_my_id(this->ike_sa),
1021 this->ike_sa->get_other_host(this->ike_sa),
1022 this->ike_sa->get_other_id(this->ike_sa));
1023 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
1024 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
1025 return SUCCESS;
1026 }
1027 return NEED_MORE;
1028 }
1029
1030 /**
1031 * Implementation of task_t.get_type
1032 */
1033 static task_type_t get_type(private_ike_auth_t *this)
1034 {
1035 return IKE_AUTHENTICATE;
1036 }
1037
1038 /**
1039 * Implementation of task_t.migrate
1040 */
1041 static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
1042 {
1043 chunk_free(&this->my_nonce);
1044 chunk_free(&this->other_nonce);
1045 DESTROY_IF(this->my_packet);
1046 DESTROY_IF(this->other_packet);
1047 DESTROY_IF(this->peer_cfg);
1048 DESTROY_IF(this->my_auth);
1049 DESTROY_IF(this->other_auth);
1050 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1051
1052 this->my_packet = NULL;
1053 this->other_packet = NULL;
1054 this->ike_sa = ike_sa;
1055 this->peer_cfg = NULL;
1056 this->my_auth = NULL;
1057 this->other_auth = NULL;
1058 this->do_another_auth = TRUE;
1059 this->expect_another_auth = TRUE;
1060 this->authentication_failed = FALSE;
1061 this->candidates = linked_list_create();
1062 }
1063
1064 /**
1065 * Implementation of task_t.destroy
1066 */
1067 static void destroy(private_ike_auth_t *this)
1068 {
1069 chunk_free(&this->my_nonce);
1070 chunk_free(&this->other_nonce);
1071 DESTROY_IF(this->my_packet);
1072 DESTROY_IF(this->other_packet);
1073 DESTROY_IF(this->my_auth);
1074 DESTROY_IF(this->other_auth);
1075 DESTROY_IF(this->peer_cfg);
1076 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1077 free(this);
1078 }
1079
1080 /*
1081 * Described in header.
1082 */
1083 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1084 {
1085 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1086
1087 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
1088 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
1089 this->public.task.destroy = (void(*)(task_t*))destroy;
1090
1091 if (initiator)
1092 {
1093 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
1094 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
1095 }
1096 else
1097 {
1098 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
1099 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
1100 }
1101
1102 this->ike_sa = ike_sa;
1103 this->initiator = initiator;
1104 this->my_nonce = chunk_empty;
1105 this->other_nonce = chunk_empty;
1106 this->my_packet = NULL;
1107 this->other_packet = NULL;
1108 this->peer_cfg = NULL;
1109 this->candidates = linked_list_create();
1110 this->my_auth = NULL;
1111 this->other_auth = NULL;
1112 this->do_another_auth = TRUE;
1113 this->expect_another_auth = TRUE;
1114 this->authentication_failed = FALSE;
1115
1116 return &this->public;
1117 }
1118