Use the AAA Identity for EAP authentication, if given
[strongswan.git] / src / libcharon / sa / tasks / ike_auth.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details
15 */
16
17 #include "ike_auth.h"
18
19 #include <string.h>
20
21 #include <daemon.h>
22 #include <encoding/payloads/id_payload.h>
23 #include <encoding/payloads/auth_payload.h>
24 #include <encoding/payloads/eap_payload.h>
25 #include <encoding/payloads/nonce_payload.h>
26 #include <sa/authenticators/eap_authenticator.h>
27
28 typedef struct private_ike_auth_t private_ike_auth_t;
29
30 /**
31 * Private members of a ike_auth_t task.
32 */
33 struct private_ike_auth_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 ike_auth_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Nonce chosen by us in ike_init
52 */
53 chunk_t my_nonce;
54
55 /**
56 * Nonce chosen by peer in ike_init
57 */
58 chunk_t other_nonce;
59
60 /**
61 * IKE_SA_INIT message sent by us
62 */
63 packet_t *my_packet;
64
65 /**
66 * IKE_SA_INIT message sent by peer
67 */
68 packet_t *other_packet;
69
70 /**
71 * currently active authenticator, to authenticate us
72 */
73 authenticator_t *my_auth;
74
75 /**
76 * currently active authenticator, to authenticate peer
77 */
78 authenticator_t *other_auth;
79
80 /**
81 * peer_cfg candidates, ordered by priority
82 */
83 linked_list_t *candidates;
84
85 /**
86 * selected peer config (might change when using multiple authentications)
87 */
88 peer_cfg_t *peer_cfg;
89
90 /**
91 * have we planned an(other) authentication exchange?
92 */
93 bool do_another_auth;
94
95 /**
96 * has the peer announced another authentication exchange?
97 */
98 bool expect_another_auth;
99
100 /**
101 * should we send a AUTHENTICATION_FAILED notify?
102 */
103 bool authentication_failed;
104 };
105
106 /**
107 * check if multiple authentication extension is enabled, configuration-wise
108 */
109 static bool multiple_auth_enabled()
110 {
111 return lib->settings->get_bool(lib->settings,
112 "charon.multiple_authentication", TRUE);
113 }
114
115 /**
116 * collect the needed information in the IKE_SA_INIT exchange from our message
117 */
118 static status_t collect_my_init_data(private_ike_auth_t *this,
119 message_t *message)
120 {
121 nonce_payload_t *nonce;
122
123 /* get the nonce that was generated in ike_init */
124 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
125 if (nonce == NULL)
126 {
127 return FAILED;
128 }
129 this->my_nonce = nonce->get_nonce(nonce);
130
131 /* pre-generate the message, keep a copy */
132 if (this->ike_sa->generate_message(this->ike_sa, message,
133 &this->my_packet) != SUCCESS)
134 {
135 return FAILED;
136 }
137 return NEED_MORE;
138 }
139
140 /**
141 * collect the needed information in the IKE_SA_INIT exchange from others message
142 */
143 static status_t collect_other_init_data(private_ike_auth_t *this,
144 message_t *message)
145 {
146 /* we collect the needed information in the IKE_SA_INIT exchange */
147 nonce_payload_t *nonce;
148
149 /* get the nonce that was generated in ike_init */
150 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
151 if (nonce == NULL)
152 {
153 return FAILED;
154 }
155 this->other_nonce = nonce->get_nonce(nonce);
156
157 /* keep a copy of the received packet */
158 this->other_packet = message->get_packet(message);
159 return NEED_MORE;
160 }
161
162 /**
163 * Get the next authentication configuration
164 */
165 static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
166 {
167 enumerator_t *e1, *e2;
168 auth_cfg_t *c1, *c2, *next = NULL;
169
170 /* find an available config not already done */
171 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
172 while (e1->enumerate(e1, &c1))
173 {
174 bool found = FALSE;
175
176 e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
177 while (e2->enumerate(e2, &c2))
178 {
179 if (c2->complies(c2, c1, FALSE))
180 {
181 found = TRUE;
182 break;
183 }
184 }
185 e2->destroy(e2);
186 if (!found)
187 {
188 next = c1;
189 break;
190 }
191 }
192 e1->destroy(e1);
193 return next;
194 }
195
196 /**
197 * Check if we have should initiate another authentication round
198 */
199 static bool do_another_auth(private_ike_auth_t *this)
200 {
201 bool do_another = FALSE;
202 enumerator_t *done, *todo;
203 auth_cfg_t *done_cfg, *todo_cfg;
204
205 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
206 {
207 return FALSE;
208 }
209
210 done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
211 todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
212 while (todo->enumerate(todo, &todo_cfg))
213 {
214 if (!done->enumerate(done, &done_cfg))
215 {
216 done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
217 }
218 if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
219 {
220 do_another = TRUE;
221 break;
222 }
223 }
224 done->destroy(done);
225 todo->destroy(todo);
226 return do_another;
227 }
228
229 /**
230 * Get peer configuration candidates from backends
231 */
232 static bool load_cfg_candidates(private_ike_auth_t *this)
233 {
234 enumerator_t *enumerator;
235 peer_cfg_t *peer_cfg;
236 host_t *me, *other;
237 identification_t *my_id, *other_id;
238
239 me = this->ike_sa->get_my_host(this->ike_sa);
240 other = this->ike_sa->get_other_host(this->ike_sa);
241 my_id = this->ike_sa->get_my_id(this->ike_sa);
242 other_id = this->ike_sa->get_other_id(this->ike_sa);
243
244 enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
245 me, other, my_id, other_id);
246 while (enumerator->enumerate(enumerator, &peer_cfg))
247 {
248 peer_cfg->get_ref(peer_cfg);
249 if (this->peer_cfg == NULL)
250 { /* best match */
251 this->peer_cfg = peer_cfg;
252 this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
253 }
254 else
255 {
256 this->candidates->insert_last(this->candidates, peer_cfg);
257 }
258 }
259 enumerator->destroy(enumerator);
260 if (this->peer_cfg)
261 {
262 DBG1(DBG_CFG, "selected peer config '%s'",
263 this->peer_cfg->get_name(this->peer_cfg));
264 return TRUE;
265 }
266 DBG1(DBG_CFG, "no matching peer config found");
267 return FALSE;
268 }
269
270 /**
271 * update the current peer candidate if necessary, using candidates
272 */
273 static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
274 {
275 do
276 {
277 if (this->peer_cfg)
278 {
279 bool complies = TRUE;
280 enumerator_t *e1, *e2, *tmp;
281 auth_cfg_t *c1, *c2;
282
283 e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
284 e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
285
286 if (strict)
287 { /* swap lists in strict mode: all configured rounds must be
288 * fulfilled. If !strict, we check only the rounds done so far. */
289 tmp = e1;
290 e1 = e2;
291 e2 = tmp;
292 }
293 while (e1->enumerate(e1, &c1))
294 {
295 /* check if done authentications comply to configured ones */
296 if ((!e2->enumerate(e2, &c2)) ||
297 (!strict && !c1->complies(c1, c2, TRUE)) ||
298 (strict && !c2->complies(c2, c1, TRUE)))
299 {
300 complies = FALSE;
301 break;
302 }
303 }
304 e1->destroy(e1);
305 e2->destroy(e2);
306 if (complies)
307 {
308 break;
309 }
310 DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
311 this->peer_cfg->get_name(this->peer_cfg));
312 this->peer_cfg->destroy(this->peer_cfg);
313 }
314 if (this->candidates->remove_first(this->candidates,
315 (void**)&this->peer_cfg) != SUCCESS)
316 {
317 DBG1(DBG_CFG, "no alternative config found");
318 this->peer_cfg = NULL;
319 }
320 else
321 {
322 DBG1(DBG_CFG, "switching to peer config '%s'",
323 this->peer_cfg->get_name(this->peer_cfg));
324 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
325 }
326 }
327 while (this->peer_cfg);
328
329 return this->peer_cfg != NULL;
330 }
331
332 /**
333 * Implementation of task_t.build for initiator
334 */
335 static status_t build_i(private_ike_auth_t *this, message_t *message)
336 {
337 auth_cfg_t *cfg;
338
339 if (message->get_exchange_type(message) == IKE_SA_INIT)
340 {
341 return collect_my_init_data(this, message);
342 }
343
344 if (this->peer_cfg == NULL)
345 {
346 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
347 this->peer_cfg->get_ref(this->peer_cfg);
348 }
349
350 if (message->get_message_id(message) == 1)
351 { /* in the first IKE_AUTH ... */
352 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
353 { /* indicate support for multiple authentication */
354 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
355 chunk_empty);
356 }
357 /* indicate support for EAP-only authentication */
358 message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
359 chunk_empty);
360 }
361
362 if (!this->do_another_auth && !this->my_auth)
363 { /* we have done our rounds */
364 return NEED_MORE;
365 }
366
367 /* check if an authenticator is in progress */
368 if (this->my_auth == NULL)
369 {
370 identification_t *id;
371 id_payload_t *id_payload;
372
373 /* clean up authentication config from a previous round */
374 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
375 cfg->purge(cfg, TRUE);
376
377 /* add (optional) IDr */
378 cfg = get_auth_cfg(this, FALSE);
379 if (cfg)
380 {
381 id = cfg->get(cfg, AUTH_RULE_IDENTITY);
382 if (id && !id->contains_wildcards(id))
383 {
384 this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
385 id_payload = id_payload_create_from_identification(
386 ID_RESPONDER, id);
387 message->add_payload(message, (payload_t*)id_payload);
388 }
389 }
390 /* add IDi */
391 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
392 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
393 id = cfg->get(cfg, AUTH_RULE_IDENTITY);
394 if (!id)
395 {
396 DBG1(DBG_CFG, "configuration misses IDi");
397 return FAILED;
398 }
399 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
400 id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
401 message->add_payload(message, (payload_t*)id_payload);
402
403 /* build authentication data */
404 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
405 this->other_nonce, this->my_nonce,
406 this->other_packet->get_data(this->other_packet),
407 this->my_packet->get_data(this->my_packet));
408 if (!this->my_auth)
409 {
410 return FAILED;
411 }
412 }
413 switch (this->my_auth->build(this->my_auth, message))
414 {
415 case SUCCESS:
416 /* authentication step complete, reset authenticator */
417 cfg = auth_cfg_create();
418 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
419 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
420 this->my_auth->destroy(this->my_auth);
421 this->my_auth = NULL;
422 break;
423 case NEED_MORE:
424 break;
425 default:
426 return FAILED;
427 }
428
429 /* check for additional authentication rounds */
430 if (do_another_auth(this))
431 {
432 if (message->get_payload(message, AUTHENTICATION))
433 {
434 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
435 }
436 }
437 else
438 {
439 this->do_another_auth = FALSE;
440 }
441 return NEED_MORE;
442 }
443
444 /**
445 * Implementation of task_t.process for responder
446 */
447 static status_t process_r(private_ike_auth_t *this, message_t *message)
448 {
449 auth_cfg_t *cfg, *cand;
450 id_payload_t *id_payload;
451 identification_t *id;
452
453 if (message->get_exchange_type(message) == IKE_SA_INIT)
454 {
455 return collect_other_init_data(this, message);
456 }
457
458 if (this->my_auth == NULL && this->do_another_auth)
459 {
460 /* handle (optional) IDr payload, apply proposed identity */
461 id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
462 if (id_payload)
463 {
464 id = id_payload->get_identification(id_payload);
465 }
466 else
467 {
468 id = identification_create_from_encoding(ID_ANY, chunk_empty);
469 }
470 this->ike_sa->set_my_id(this->ike_sa, id);
471 }
472
473 if (!this->expect_another_auth)
474 {
475 return NEED_MORE;
476 }
477
478 if (message->get_message_id(message) == 1)
479 { /* check for extensions in the first IKE_AUTH */
480 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
481 {
482 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
483 }
484 if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
485 {
486 this->ike_sa->enable_extension(this->ike_sa,
487 EXT_EAP_ONLY_AUTHENTICATION);
488 }
489 }
490
491 if (this->other_auth == NULL)
492 {
493 /* handle IDi payload */
494 id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
495 if (!id_payload)
496 {
497 DBG1(DBG_IKE, "IDi payload missing");
498 return FAILED;
499 }
500 id = id_payload->get_identification(id_payload);
501 this->ike_sa->set_other_id(this->ike_sa, id);
502 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
503 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
504
505 if (this->peer_cfg == NULL)
506 {
507 if (!load_cfg_candidates(this))
508 {
509 this->authentication_failed = TRUE;
510 return NEED_MORE;
511 }
512 }
513 if (message->get_payload(message, AUTHENTICATION) == NULL)
514 { /* before authenticating with EAP, we need a EAP config */
515 cand = get_auth_cfg(this, FALSE);
516 while (!cand || (
517 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
518 (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
519 { /* peer requested EAP, but current config does not match */
520 DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
521 this->peer_cfg->destroy(this->peer_cfg);
522 this->peer_cfg = NULL;
523 if (!update_cfg_candidates(this, FALSE))
524 {
525 this->authentication_failed = TRUE;
526 return NEED_MORE;
527 }
528 cand = get_auth_cfg(this, FALSE);
529 }
530 /* copy over the EAP specific rules for authentication */
531 cfg->add(cfg, AUTH_RULE_EAP_TYPE,
532 cand->get(cand, AUTH_RULE_EAP_TYPE));
533 cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
534 cand->get(cand, AUTH_RULE_EAP_VENDOR));
535 id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
536 if (id)
537 {
538 cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
539 }
540 id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
541 if (id)
542 {
543 cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
544 }
545 }
546
547 /* verify authentication data */
548 this->other_auth = authenticator_create_verifier(this->ike_sa,
549 message, this->other_nonce, this->my_nonce,
550 this->other_packet->get_data(this->other_packet),
551 this->my_packet->get_data(this->my_packet));
552 if (!this->other_auth)
553 {
554 this->authentication_failed = TRUE;
555 return NEED_MORE;
556 }
557 }
558 switch (this->other_auth->process(this->other_auth, message))
559 {
560 case SUCCESS:
561 this->other_auth->destroy(this->other_auth);
562 this->other_auth = NULL;
563 break;
564 case NEED_MORE:
565 if (message->get_payload(message, AUTHENTICATION))
566 { /* AUTH verification successful, but another build() needed */
567 break;
568 }
569 return NEED_MORE;
570 default:
571 this->authentication_failed = TRUE;
572 return NEED_MORE;
573 }
574
575 /* store authentication information */
576 cfg = auth_cfg_create();
577 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
578 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
579
580 /* another auth round done, invoke authorize hook */
581 if (!charon->bus->authorize(charon->bus, FALSE))
582 {
583 DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
584 this->authentication_failed = TRUE;
585 return NEED_MORE;
586 }
587
588 if (!update_cfg_candidates(this, FALSE))
589 {
590 this->authentication_failed = TRUE;
591 return NEED_MORE;
592 }
593
594 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
595 {
596 this->expect_another_auth = FALSE;
597 if (!update_cfg_candidates(this, TRUE))
598 {
599 this->authentication_failed = TRUE;
600 return NEED_MORE;
601 }
602 }
603 return NEED_MORE;
604 }
605
606 /**
607 * Implementation of task_t.build for responder
608 */
609 static status_t build_r(private_ike_auth_t *this, message_t *message)
610 {
611 auth_cfg_t *cfg;
612
613 if (message->get_exchange_type(message) == IKE_SA_INIT)
614 {
615 if (multiple_auth_enabled())
616 {
617 message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
618 chunk_empty);
619 }
620 return collect_my_init_data(this, message);
621 }
622
623 if (this->authentication_failed || this->peer_cfg == NULL)
624 {
625 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
626 return FAILED;
627 }
628
629 if (this->my_auth == NULL && this->do_another_auth)
630 {
631 identification_t *id, *id_cfg;
632 id_payload_t *id_payload;
633
634 /* add IDr */
635 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
636 cfg->purge(cfg, TRUE);
637 cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
638
639 id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
640 id = this->ike_sa->get_my_id(this->ike_sa);
641 if (id->get_type(id) == ID_ANY)
642 { /* no IDr received, apply configured ID */
643 if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
644 {
645 DBG1(DBG_CFG, "IDr not configured and negotiation failed");
646 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
647 chunk_empty);
648 return FAILED;
649 }
650 this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
651 id = id_cfg;
652 }
653 else
654 { /* IDr received, check if it matches configuration */
655 if (id_cfg && !id->matches(id, id_cfg))
656 {
657 DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
658 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
659 chunk_empty);
660 return FAILED;
661 }
662 }
663
664 id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
665 message->add_payload(message, (payload_t*)id_payload);
666
667 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
668 { /* EAP-only authentication */
669 if (!this->ike_sa->supports_extension(this->ike_sa,
670 EXT_EAP_ONLY_AUTHENTICATION))
671 {
672 DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
673 "does not support it");
674 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
675 chunk_empty);
676 return FAILED;
677 }
678 }
679 else
680 {
681 /* build authentication data */
682 this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
683 this->other_nonce, this->my_nonce,
684 this->other_packet->get_data(this->other_packet),
685 this->my_packet->get_data(this->my_packet));
686 if (!this->my_auth)
687 {
688 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
689 chunk_empty);
690 return FAILED;
691 }
692 }
693 }
694
695 if (this->other_auth)
696 {
697 switch (this->other_auth->build(this->other_auth, message))
698 {
699 case SUCCESS:
700 this->other_auth->destroy(this->other_auth);
701 this->other_auth = NULL;
702 break;
703 case NEED_MORE:
704 break;
705 default:
706 if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
707 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
708 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
709 chunk_empty);
710 }
711 return FAILED;
712 }
713 }
714 if (this->my_auth)
715 {
716 switch (this->my_auth->build(this->my_auth, message))
717 {
718 case SUCCESS:
719 cfg = auth_cfg_create();
720 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
721 TRUE);
722 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
723 this->my_auth->destroy(this->my_auth);
724 this->my_auth = NULL;
725 break;
726 case NEED_MORE:
727 break;
728 default:
729 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
730 chunk_empty);
731 return FAILED;
732 }
733 }
734
735 /* check for additional authentication rounds */
736 if (do_another_auth(this))
737 {
738 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
739 }
740 else
741 {
742 this->do_another_auth = FALSE;
743 }
744 if (!this->do_another_auth && !this->expect_another_auth)
745 {
746 if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
747 this->ike_sa))
748 {
749 DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
750 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
751 chunk_empty);
752 return FAILED;
753 }
754 if (!charon->bus->authorize(charon->bus, TRUE))
755 {
756 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
757 message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
758 chunk_empty);
759 return FAILED;
760 }
761 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
762 this->ike_sa->get_name(this->ike_sa),
763 this->ike_sa->get_unique_id(this->ike_sa),
764 this->ike_sa->get_my_host(this->ike_sa),
765 this->ike_sa->get_my_id(this->ike_sa),
766 this->ike_sa->get_other_host(this->ike_sa),
767 this->ike_sa->get_other_id(this->ike_sa));
768 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
769 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
770 return SUCCESS;
771 }
772 return NEED_MORE;
773 }
774
775 /**
776 * Implementation of task_t.process for initiator
777 */
778 static status_t process_i(private_ike_auth_t *this, message_t *message)
779 {
780 enumerator_t *enumerator;
781 payload_t *payload;
782 auth_cfg_t *cfg;
783 bool mutual_eap = FALSE;
784
785 if (message->get_exchange_type(message) == IKE_SA_INIT)
786 {
787 if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
788 multiple_auth_enabled())
789 {
790 this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
791 }
792 return collect_other_init_data(this, message);
793 }
794
795 enumerator = message->create_payload_enumerator(message);
796 while (enumerator->enumerate(enumerator, &payload))
797 {
798 if (payload->get_type(payload) == NOTIFY)
799 {
800 notify_payload_t *notify = (notify_payload_t*)payload;
801 notify_type_t type = notify->get_notify_type(notify);
802
803 switch (type)
804 {
805 case NO_PROPOSAL_CHOSEN:
806 case SINGLE_PAIR_REQUIRED:
807 case NO_ADDITIONAL_SAS:
808 case INTERNAL_ADDRESS_FAILURE:
809 case FAILED_CP_REQUIRED:
810 case TS_UNACCEPTABLE:
811 case INVALID_SELECTORS:
812 /* these are errors, but are not critical as only the
813 * CHILD_SA won't get build, but IKE_SA establishes anyway */
814 break;
815 case MOBIKE_SUPPORTED:
816 case ADDITIONAL_IP4_ADDRESS:
817 case ADDITIONAL_IP6_ADDRESS:
818 /* handled in ike_mobike task */
819 break;
820 case AUTH_LIFETIME:
821 /* handled in ike_auth_lifetime task */
822 break;
823 case ME_ENDPOINT:
824 /* handled in ike_me task */
825 break;
826 default:
827 {
828 if (type < 16383)
829 {
830 DBG1(DBG_IKE, "received %N notify error",
831 notify_type_names, type);
832 enumerator->destroy(enumerator);
833 return FAILED;
834 }
835 DBG2(DBG_IKE, "received %N notify",
836 notify_type_names, type);
837 break;
838 }
839 }
840 }
841 }
842 enumerator->destroy(enumerator);
843
844 if (this->expect_another_auth)
845 {
846 if (this->other_auth == NULL)
847 {
848 id_payload_t *id_payload;
849 identification_t *id;
850
851 /* handle IDr payload */
852 id_payload = (id_payload_t*)message->get_payload(message,
853 ID_RESPONDER);
854 if (!id_payload)
855 {
856 DBG1(DBG_IKE, "IDr payload missing");
857 return FAILED;
858 }
859 id = id_payload->get_identification(id_payload);
860 this->ike_sa->set_other_id(this->ike_sa, id);
861 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
862 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
863
864 if (message->get_payload(message, AUTHENTICATION))
865 {
866 /* verify authentication data */
867 this->other_auth = authenticator_create_verifier(this->ike_sa,
868 message, this->other_nonce, this->my_nonce,
869 this->other_packet->get_data(this->other_packet),
870 this->my_packet->get_data(this->my_packet));
871 if (!this->other_auth)
872 {
873 return FAILED;
874 }
875 }
876 else
877 {
878 /* responder omitted AUTH payload, indicating EAP-only */
879 mutual_eap = TRUE;
880 }
881 }
882 if (this->other_auth)
883 {
884 switch (this->other_auth->process(this->other_auth, message))
885 {
886 case SUCCESS:
887 break;
888 case NEED_MORE:
889 return NEED_MORE;
890 default:
891 return FAILED;
892 }
893 this->other_auth->destroy(this->other_auth);
894 this->other_auth = NULL;
895 }
896 /* store authentication information, reset authenticator */
897 cfg = auth_cfg_create();
898 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
899 this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
900
901 /* another auth round done, invoke authorize hook */
902 if (!charon->bus->authorize(charon->bus, FALSE))
903 {
904 DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
905 return FAILED;
906 }
907 }
908
909 if (this->my_auth)
910 {
911 switch (this->my_auth->process(this->my_auth, message))
912 {
913 case SUCCESS:
914 cfg = auth_cfg_create();
915 cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
916 TRUE);
917 this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
918 this->my_auth->destroy(this->my_auth);
919 this->my_auth = NULL;
920 this->do_another_auth = do_another_auth(this);
921 break;
922 case NEED_MORE:
923 break;
924 default:
925 return FAILED;
926 }
927 }
928 if (mutual_eap)
929 {
930 if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
931 {
932 DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
933 return FAILED;
934 }
935 DBG1(DBG_IKE, "allow mutual EAP-only authentication");
936 }
937
938 if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
939 {
940 this->expect_another_auth = FALSE;
941 }
942 if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
943 {
944 if (!update_cfg_candidates(this, TRUE))
945 {
946 return FAILED;
947 }
948 if (!charon->bus->authorize(charon->bus, TRUE))
949 {
950 DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
951 return FAILED;
952 }
953 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
954 this->ike_sa->get_name(this->ike_sa),
955 this->ike_sa->get_unique_id(this->ike_sa),
956 this->ike_sa->get_my_host(this->ike_sa),
957 this->ike_sa->get_my_id(this->ike_sa),
958 this->ike_sa->get_other_host(this->ike_sa),
959 this->ike_sa->get_other_id(this->ike_sa));
960 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
961 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
962 return SUCCESS;
963 }
964 return NEED_MORE;
965 }
966
967 /**
968 * Implementation of task_t.get_type
969 */
970 static task_type_t get_type(private_ike_auth_t *this)
971 {
972 return IKE_AUTHENTICATE;
973 }
974
975 /**
976 * Implementation of task_t.migrate
977 */
978 static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
979 {
980 chunk_free(&this->my_nonce);
981 chunk_free(&this->other_nonce);
982 DESTROY_IF(this->my_packet);
983 DESTROY_IF(this->other_packet);
984 DESTROY_IF(this->peer_cfg);
985 DESTROY_IF(this->my_auth);
986 DESTROY_IF(this->other_auth);
987 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
988
989 this->my_packet = NULL;
990 this->other_packet = NULL;
991 this->ike_sa = ike_sa;
992 this->peer_cfg = NULL;
993 this->my_auth = NULL;
994 this->other_auth = NULL;
995 this->do_another_auth = TRUE;
996 this->expect_another_auth = TRUE;
997 this->authentication_failed = FALSE;
998 this->candidates = linked_list_create();
999 }
1000
1001 /**
1002 * Implementation of task_t.destroy
1003 */
1004 static void destroy(private_ike_auth_t *this)
1005 {
1006 chunk_free(&this->my_nonce);
1007 chunk_free(&this->other_nonce);
1008 DESTROY_IF(this->my_packet);
1009 DESTROY_IF(this->other_packet);
1010 DESTROY_IF(this->my_auth);
1011 DESTROY_IF(this->other_auth);
1012 DESTROY_IF(this->peer_cfg);
1013 this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
1014 free(this);
1015 }
1016
1017 /*
1018 * Described in header.
1019 */
1020 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
1021 {
1022 private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
1023
1024 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
1025 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
1026 this->public.task.destroy = (void(*)(task_t*))destroy;
1027
1028 if (initiator)
1029 {
1030 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
1031 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
1032 }
1033 else
1034 {
1035 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
1036 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
1037 }
1038
1039 this->ike_sa = ike_sa;
1040 this->initiator = initiator;
1041 this->my_nonce = chunk_empty;
1042 this->other_nonce = chunk_empty;
1043 this->my_packet = NULL;
1044 this->other_packet = NULL;
1045 this->peer_cfg = NULL;
1046 this->candidates = linked_list_create();
1047 this->my_auth = NULL;
1048 this->other_auth = NULL;
1049 this->do_another_auth = TRUE;
1050 this->expect_another_auth = TRUE;
1051 this->authentication_failed = FALSE;
1052
1053 return &this->public;
1054 }
1055