Create negotiated hasher earlier during Main Mode so it is available for building...
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2011 Martin Willi
6 * Copyright (C) 2011 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "main_mode.h"
20
21 #include <string.h>
22
23 #include <daemon.h>
24 #include <sa/keymat_v1.h>
25 #include <crypto/diffie_hellman.h>
26 #include <encoding/payloads/sa_payload.h>
27 #include <encoding/payloads/ke_payload.h>
28 #include <encoding/payloads/nonce_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/hash_payload.h>
31 #include <processing/jobs/initiate_xauth_job.h>
32
33 typedef struct private_main_mode_t private_main_mode_t;
34
35 /**
36 * Private members of a main_mode_t task.
37 */
38 struct private_main_mode_t {
39
40 /**
41 * Public methods and task_t interface.
42 */
43 main_mode_t public;
44
45 /**
46 * Assigned IKE_SA.
47 */
48 ike_sa_t *ike_sa;
49
50 /**
51 * Are we the initiator?
52 */
53 bool initiator;
54
55 /**
56 * IKE config to establish
57 */
58 ike_cfg_t *ike_cfg;
59
60 /**
61 * Peer config to use
62 */
63 peer_cfg_t *peer_cfg;
64
65 /**
66 * Local authentication configuration
67 */
68 auth_cfg_t *my_auth;
69
70 /**
71 * Remote authentication configuration
72 */
73 auth_cfg_t *other_auth;
74
75 /**
76 * selected IKE proposal
77 */
78 proposal_t *proposal;
79
80 /**
81 * DH exchange
82 */
83 diffie_hellman_t *dh;
84
85 /**
86 * Keymat derivation (from SA)
87 */
88 keymat_v1_t *keymat;
89
90 /**
91 * Received public DH value from peer
92 */
93 chunk_t dh_value;
94
95 /**
96 * Initiators nonce
97 */
98 chunk_t nonce_i;
99
100 /**
101 * Responder nonce
102 */
103 chunk_t nonce_r;
104
105 /**
106 * Encoded SA initiator payload used for authentication
107 */
108 chunk_t sa_payload;
109
110 /**
111 * Negotiated SA lifetime
112 */
113 u_int32_t lifetime;
114
115 /**
116 * Negotiated authentication method
117 */
118 auth_method_t auth_method;
119
120 /** states of main mode */
121 enum {
122 MM_INIT,
123 MM_SA,
124 MM_KE,
125 MM_AUTH,
126 } state;
127 };
128
129 /**
130 * Get the first authentcation config from peer config
131 */
132 static auth_cfg_t *get_auth_cfg(private_main_mode_t *this, bool local)
133 {
134 enumerator_t *enumerator;
135 auth_cfg_t *cfg = NULL;
136
137 enumerator = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg,
138 local);
139 enumerator->enumerate(enumerator, &cfg);
140 enumerator->destroy(enumerator);
141 return cfg;
142 }
143
144 /**
145 * Save the encoded SA payload of a message
146 */
147 static bool save_sa_payload(private_main_mode_t *this, message_t *message)
148 {
149 enumerator_t *enumerator;
150 payload_t *payload, *sa = NULL;
151 chunk_t data;
152 size_t offset = IKE_HEADER_LENGTH;
153
154 enumerator = message->create_payload_enumerator(message);
155 while (enumerator->enumerate(enumerator, &payload))
156 {
157 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
158 {
159 sa = payload;
160 break;
161 }
162 else
163 {
164 offset += payload->get_length(payload);
165 }
166 }
167 enumerator->destroy(enumerator);
168
169 data = message->get_packet_data(message);
170 if (sa && data.len >= offset + sa->get_length(sa))
171 {
172 /* Get SA payload without 4 byte fixed header */
173 data = chunk_skip(data, offset);
174 data.len = sa->get_length(sa);
175 data = chunk_skip(data, 4);
176 this->sa_payload = chunk_clone(data);
177 return TRUE;
178 }
179 return FALSE;
180 }
181
182 /**
183 * Build main mode hash payloads
184 */
185 static void build_hash(private_main_mode_t *this, bool initiator,
186 message_t *message, identification_t *id)
187 {
188 hash_payload_t *hash_payload;
189 chunk_t hash, dh;
190
191 this->dh->get_my_public_value(this->dh, &dh);
192 hash = this->keymat->get_hash(this->keymat, initiator, dh, this->dh_value,
193 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
194 free(dh.ptr);
195
196 hash_payload = hash_payload_create(HASH_V1);
197 hash_payload->set_hash(hash_payload, hash);
198 free(hash.ptr);
199
200 message->add_payload(message, &hash_payload->payload_interface);
201 }
202
203 /**
204 * Verify main mode hash payload
205 */
206 static bool verify_hash(private_main_mode_t *this, bool initiator,
207 message_t *message, identification_t *id)
208 {
209 hash_payload_t *hash_payload;
210 chunk_t hash, dh;
211 bool equal;
212
213 hash_payload = (hash_payload_t*)message->get_payload(message,
214 HASH_V1);
215 if (!hash_payload)
216 {
217 DBG1(DBG_IKE, "HASH payload missing in message");
218 return FALSE;
219 }
220 hash = hash_payload->get_hash(hash_payload);
221 this->dh->get_my_public_value(this->dh, &dh);
222 hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
223 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
224 free(dh.ptr);
225 equal = chunk_equals(hash, hash_payload->get_hash(hash_payload));
226 free(hash.ptr);
227 if (!equal)
228 {
229 DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
230 }
231 return equal;
232 }
233
234 /**
235 * Generate and add NONCE, KE payload
236 */
237 static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
238 message_t *message)
239 {
240 nonce_payload_t *nonce_payload;
241 ke_payload_t *ke_payload;
242 rng_t *rng;
243
244 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
245 this->dh);
246 message->add_payload(message, &ke_payload->payload_interface);
247
248 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
249 if (!rng)
250 {
251 DBG1(DBG_IKE, "no RNG found to create nonce");
252 return FALSE;
253 }
254 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
255 rng->destroy(rng);
256
257 nonce_payload = nonce_payload_create(NONCE_V1);
258 nonce_payload->set_nonce(nonce_payload, *nonce);
259 message->add_payload(message, &nonce_payload->payload_interface);
260
261 return TRUE;
262 }
263
264 /**
265 * Extract nonce from NONCE payload, process KE payload
266 */
267 static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
268 message_t *message)
269 {
270 nonce_payload_t *nonce_payload;
271 ke_payload_t *ke_payload;
272
273 ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
274 if (!ke_payload)
275 {
276 DBG1(DBG_IKE, "KE payload missing in message");
277 return FALSE;
278 }
279 this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
280 this->dh->set_other_public_value(this->dh, this->dh_value);
281
282 nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
283 if (!nonce_payload)
284 {
285 DBG1(DBG_IKE, "NONCE payload missing in message");
286 return FALSE;
287 }
288 *nonce = nonce_payload->get_nonce(nonce_payload);
289
290 return TRUE;
291 }
292
293 /**
294 * Get auth method to use
295 */
296 static auth_method_t get_auth_method(private_main_mode_t *this)
297 {
298 switch ((uintptr_t)this->my_auth->get(this->my_auth, AUTH_RULE_AUTH_CLASS))
299 {
300 case AUTH_CLASS_PSK:
301 return AUTH_PSK;
302 case AUTH_CLASS_XAUTH_PSK:
303 return AUTH_XAUTH_INIT_PSK;
304 case AUTH_CLASS_XAUTH_PUBKEY:
305 return AUTH_XAUTH_INIT_RSA;
306 case AUTH_CLASS_PUBKEY:
307 /* TODO-IKEv1: look for a key, return RSA or ECDSA */
308 default:
309 /* TODO-IKEv1: XAUTH methods */
310 return AUTH_RSA;
311 }
312 }
313
314 METHOD(task_t, build_i, status_t,
315 private_main_mode_t *this, message_t *message)
316 {
317 switch (this->state)
318 {
319 case MM_INIT:
320 {
321 sa_payload_t *sa_payload;
322 linked_list_t *proposals;
323 packet_t *packet;
324
325 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
326 DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
327 this->ike_sa->get_name(this->ike_sa),
328 this->ike_sa->get_unique_id(this->ike_sa),
329 this->ike_sa->get_other_host(this->ike_sa));
330 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
331
332 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
333 this->peer_cfg->get_ref(this->peer_cfg);
334
335 this->my_auth = get_auth_cfg(this, TRUE);
336 this->other_auth = get_auth_cfg(this, FALSE);
337 if (!this->my_auth || !this->other_auth)
338 {
339 DBG1(DBG_CFG, "no auth config found");
340 return FAILED;
341 }
342
343 proposals = this->ike_cfg->get_proposals(this->ike_cfg);
344 this->auth_method = get_auth_method(this);
345 this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
346 FALSE);
347 if (!this->lifetime)
348 { /* fall back to rekey time of no rekey time configured */
349 this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
350 FALSE);
351 }
352 sa_payload = sa_payload_create_from_proposals_v1(proposals,
353 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
354 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
355
356 message->add_payload(message, &sa_payload->payload_interface);
357
358 /* pregenerate message to store SA payload */
359 if (this->ike_sa->generate_message(this->ike_sa, message,
360 &packet) != SUCCESS)
361 {
362 DBG1(DBG_IKE, "pregenerating SA payload failed");
363 return FAILED;
364 }
365 packet->destroy(packet);
366 if (!save_sa_payload(this, message))
367 {
368 DBG1(DBG_IKE, "SA payload invalid");
369 return FAILED;
370 }
371
372 this->state = MM_SA;
373 return NEED_MORE;
374 }
375 case MM_SA:
376 {
377 u_int16_t group;
378
379 if (!this->keymat->create_hasher(this->keymat, this->proposal))
380 {
381 return FAILED;
382 }
383 if (!this->proposal->get_algorithm(this->proposal,
384 DIFFIE_HELLMAN_GROUP, &group, NULL))
385 {
386 DBG1(DBG_IKE, "DH group selection failed");
387 return FAILED;
388 }
389 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
390 group);
391 if (!this->dh)
392 {
393 DBG1(DBG_IKE, "negotiated DH group not supported");
394 return FAILED;
395 }
396 if (!add_nonce_ke(this, &this->nonce_i, message))
397 {
398 return FAILED;
399 }
400 this->state = MM_KE;
401 return NEED_MORE;
402 }
403 case MM_KE:
404 {
405 id_payload_t *id_payload;
406 identification_t *id;
407
408 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
409 if (!id)
410 {
411 DBG1(DBG_CFG, "own identity not known");
412 return FAILED;
413 }
414
415 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
416
417 id_payload = id_payload_create_from_identification(ID_V1, id);
418 message->add_payload(message, &id_payload->payload_interface);
419
420 build_hash(this, TRUE, message, id);
421
422 this->state = MM_AUTH;
423 return NEED_MORE;
424 }
425 default:
426 return FAILED;
427 }
428 }
429
430 METHOD(task_t, process_r, status_t,
431 private_main_mode_t *this, message_t *message)
432 {
433 switch (this->state)
434 {
435 case MM_INIT:
436 {
437 linked_list_t *list;
438 sa_payload_t *sa_payload;
439
440 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
441 DBG0(DBG_IKE, "%H is initiating a Main Mode",
442 message->get_source(message));
443 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
444
445 this->ike_sa->update_hosts(this->ike_sa,
446 message->get_destination(message),
447 message->get_source(message), TRUE);
448
449 sa_payload = (sa_payload_t*)message->get_payload(message,
450 SECURITY_ASSOCIATION_V1);
451 if (!sa_payload || !save_sa_payload(this, message))
452 {
453 DBG1(DBG_IKE, "SA payload missing or invalid");
454 return FAILED;
455 }
456
457 list = sa_payload->get_proposals(sa_payload);
458 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
459 list, FALSE);
460 list->destroy_offset(list, offsetof(proposal_t, destroy));
461 if (!this->proposal)
462 {
463 DBG1(DBG_IKE, "no proposal found");
464 return FAILED;
465 }
466
467 this->auth_method = sa_payload->get_auth_method(sa_payload);
468 this->lifetime = sa_payload->get_lifetime(sa_payload);
469
470 this->state = MM_SA;
471 return NEED_MORE;
472 }
473 case MM_SA:
474 {
475 u_int16_t group;
476
477 if (!this->keymat->create_hasher(this->keymat, this->proposal))
478 {
479 return FAILED;
480 }
481 if (!this->proposal->get_algorithm(this->proposal,
482 DIFFIE_HELLMAN_GROUP, &group, NULL))
483 {
484 DBG1(DBG_IKE, "DH group selection failed");
485 return FAILED;
486 }
487 this->dh = lib->crypto->create_dh(lib->crypto, group);
488 if (!this->dh)
489 {
490 DBG1(DBG_IKE, "negotiated DH group not supported");
491 return FAILED;
492 }
493 if (!get_nonce_ke(this, &this->nonce_i, message))
494 {
495 return FAILED;
496 }
497 this->state = MM_KE;
498 return NEED_MORE;
499 }
500 case MM_KE:
501 {
502 enumerator_t *enumerator;
503 id_payload_t *id_payload;
504 identification_t *id, *any;
505
506 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
507 if (!id_payload)
508 {
509 DBG1(DBG_IKE, "IDii payload missing");
510 return FAILED;
511 }
512
513 id = id_payload->get_identification(id_payload);
514 any = identification_create_from_encoding(ID_ANY, chunk_empty);
515 enumerator = charon->backends->create_peer_cfg_enumerator(
516 charon->backends,
517 this->ike_sa->get_my_host(this->ike_sa),
518 this->ike_sa->get_other_host(this->ike_sa),
519 any, id);
520 if (!enumerator->enumerate(enumerator, &this->peer_cfg))
521 {
522 DBG1(DBG_IKE, "no peer config found");
523 id->destroy(id);
524 any->destroy(any);
525 enumerator->destroy(enumerator);
526 return FAILED;
527 }
528 this->peer_cfg->get_ref(this->peer_cfg);
529 enumerator->destroy(enumerator);
530 any->destroy(any);
531
532 this->ike_sa->set_other_id(this->ike_sa, id);
533
534 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
535
536 this->my_auth = get_auth_cfg(this, TRUE);
537 this->other_auth = get_auth_cfg(this, FALSE);
538 if (!this->my_auth || !this->other_auth)
539 {
540 DBG1(DBG_IKE, "auth config missing");
541 return FAILED;
542 }
543
544 if (!verify_hash(this, TRUE, message, id))
545 {
546 return FAILED;
547 }
548
549 this->state = MM_AUTH;
550 return NEED_MORE;
551 }
552 default:
553 return FAILED;
554 }
555 }
556
557 /**
558 * Lookup a shared secret for this IKE_SA
559 */
560 static shared_key_t *lookup_shared_key(private_main_mode_t *this)
561 {
562 host_t *me, *other;
563 identification_t *my_id, *other_id;
564 shared_key_t *shared_key;
565
566 me = this->ike_sa->get_my_host(this->ike_sa);
567 other = this->ike_sa->get_other_host(this->ike_sa);
568 my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
569 other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
570 if (!my_id || !other_id)
571 {
572 DESTROY_IF(my_id);
573 DESTROY_IF(other_id);
574 return NULL;
575 }
576 shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id,
577 other_id);
578 if (!shared_key)
579 {
580 DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
581 }
582 my_id->destroy(my_id);
583 other_id->destroy(other_id);
584 return shared_key;
585 }
586
587 /**
588 * Derive key material for this IKE_SA
589 */
590 static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
591 chunk_t nonce_r)
592 {
593 ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
594 shared_key_t *shared_key = NULL;
595
596 switch (this->auth_method)
597 {
598 case AUTH_PSK:
599 case AUTH_XAUTH_INIT_PSK:
600 shared_key = lookup_shared_key(this);
601 break;
602 default:
603 break;
604 }
605 if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
606 this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
607 {
608 DESTROY_IF(shared_key);
609 return FALSE;
610 }
611 DESTROY_IF(shared_key);
612 charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
613 NULL);
614 return TRUE;
615 }
616
617 METHOD(task_t, build_r, status_t,
618 private_main_mode_t *this, message_t *message)
619 {
620 switch (this->state)
621 {
622 case MM_SA:
623 {
624 sa_payload_t *sa_payload;
625
626 sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
627 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
628 message->add_payload(message, &sa_payload->payload_interface);
629
630 return NEED_MORE;
631 }
632 case MM_KE:
633 {
634 if (!add_nonce_ke(this, &this->nonce_r, message))
635 {
636 return FAILED;
637 }
638 if (!derive_keys(this, this->nonce_i, this->nonce_r))
639 {
640 DBG1(DBG_IKE, "key derivation failed");
641 return FAILED;
642 }
643 return NEED_MORE;
644 }
645 case MM_AUTH:
646 {
647 id_payload_t *id_payload;
648 identification_t *id;
649
650 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
651 if (!id)
652 {
653 DBG1(DBG_CFG, "own identity not known");
654 return FAILED;
655 }
656
657 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
658
659 id_payload = id_payload_create_from_identification(ID_V1, id);
660 message->add_payload(message, &id_payload->payload_interface);
661
662 build_hash(this, FALSE, message, id);
663
664 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
665 this->ike_sa->get_name(this->ike_sa),
666 this->ike_sa->get_unique_id(this->ike_sa),
667 this->ike_sa->get_my_host(this->ike_sa),
668 this->ike_sa->get_my_id(this->ike_sa),
669 this->ike_sa->get_other_host(this->ike_sa),
670 this->ike_sa->get_other_id(this->ike_sa));
671
672 switch (this->auth_method)
673 {
674 case AUTH_XAUTH_INIT_PSK:
675 case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
676 {
677 job_t *job = (job_t *) initiate_xauth_job_create(this->ike_sa->get_id(this->ike_sa));
678 lib->processor->queue_job(lib->processor, job);
679 break;
680 }
681 case AUTH_XAUTH_RESP_PSK:
682 case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
683 {
684 break;
685 }
686 default:
687 {
688 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
689 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
690 break;
691 }
692 }
693 return SUCCESS;
694 }
695 default:
696 return FAILED;
697 }
698 }
699
700 METHOD(task_t, process_i, status_t,
701 private_main_mode_t *this, message_t *message)
702 {
703 switch (this->state)
704 {
705 case MM_SA:
706 {
707 linked_list_t *list;
708 sa_payload_t *sa_payload;
709 auth_method_t auth_method;
710 u_int32_t lifetime;
711
712 sa_payload = (sa_payload_t*)message->get_payload(message,
713 SECURITY_ASSOCIATION_V1);
714 if (!sa_payload)
715 {
716 DBG1(DBG_IKE, "SA payload missing");
717 return FAILED;
718 }
719 list = sa_payload->get_proposals(sa_payload);
720 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
721 list, FALSE);
722 list->destroy_offset(list, offsetof(proposal_t, destroy));
723 if (!this->proposal)
724 {
725 DBG1(DBG_IKE, "no proposal found");
726 return FAILED;
727 }
728
729 lifetime = sa_payload->get_lifetime(sa_payload);
730 if (lifetime != this->lifetime)
731 {
732 DBG1(DBG_IKE, "received lifetime %us does not match configured "
733 "%us, using lower value", lifetime, this->lifetime);
734 }
735 this->lifetime = min(this->lifetime, lifetime);
736 auth_method = sa_payload->get_auth_method(sa_payload);
737 if (auth_method != this->auth_method)
738 {
739 DBG1(DBG_IKE, "received %N authentication, but configured %N, "
740 "continue with configured", auth_method_names, auth_method,
741 auth_method_names, this->auth_method);
742 }
743 return NEED_MORE;
744 }
745 case MM_KE:
746 {
747 if (!get_nonce_ke(this, &this->nonce_r, message))
748 {
749 return FAILED;
750 }
751 if (!derive_keys(this, this->nonce_i, this->nonce_r))
752 {
753 DBG1(DBG_IKE, "key derivation failed");
754 return FAILED;
755 }
756 return NEED_MORE;
757 }
758 case MM_AUTH:
759 {
760 id_payload_t *id_payload;
761 identification_t *id;
762
763 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
764 if (!id_payload)
765 {
766 DBG1(DBG_IKE, "IDir payload missing");
767 return FAILED;
768 }
769 id = id_payload->get_identification(id_payload);
770 if (!id->matches(id, this->other_auth->get(this->other_auth,
771 AUTH_RULE_IDENTITY)))
772 {
773 DBG1(DBG_IKE, "IDir does not match");
774 id->destroy(id);
775 return FAILED;
776 }
777 this->ike_sa->set_other_id(this->ike_sa, id);
778
779 if (!verify_hash(this, FALSE, message, id))
780 {
781 return FAILED;
782 }
783
784 /* TODO-IKEv1: check for XAUTH rounds, queue them */
785 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
786 this->ike_sa->get_name(this->ike_sa),
787 this->ike_sa->get_unique_id(this->ike_sa),
788 this->ike_sa->get_my_host(this->ike_sa),
789 this->ike_sa->get_my_id(this->ike_sa),
790 this->ike_sa->get_other_host(this->ike_sa),
791 this->ike_sa->get_other_id(this->ike_sa));
792
793 switch (this->auth_method)
794 {
795 case AUTH_XAUTH_RESP_PSK:
796 case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
797 {
798 this->ike_sa->initiate_xauth(this->ike_sa, FALSE);
799 break;
800 }
801 case AUTH_XAUTH_INIT_PSK:
802 case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
803 {
804 break;
805 }
806 default:
807 {
808 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
809 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
810 break;
811 }
812 }
813
814 return SUCCESS;
815 }
816 default:
817 return FAILED;
818 }
819 }
820
821 METHOD(task_t, get_type, task_type_t,
822 private_main_mode_t *this)
823 {
824 return TASK_MAIN_MODE;
825 }
826
827 METHOD(task_t, migrate, void,
828 private_main_mode_t *this, ike_sa_t *ike_sa)
829 {
830 this->ike_sa = ike_sa;
831 }
832
833 METHOD(task_t, destroy, void,
834 private_main_mode_t *this)
835 {
836 DESTROY_IF(this->peer_cfg);
837 DESTROY_IF(this->proposal);
838 DESTROY_IF(this->dh);
839 free(this->dh_value.ptr);
840 free(this->nonce_i.ptr);
841 free(this->nonce_r.ptr);
842 free(this->sa_payload.ptr);
843 free(this);
844 }
845
846 /*
847 * Described in header.
848 */
849 main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
850 {
851 private_main_mode_t *this;
852
853 INIT(this,
854 .public = {
855 .task = {
856 .get_type = _get_type,
857 .migrate = _migrate,
858 .destroy = _destroy,
859 },
860 },
861 .ike_sa = ike_sa,
862 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
863 .initiator = initiator,
864 .state = MM_INIT,
865 );
866
867 if (initiator)
868 {
869 this->public.task.build = _build_i;
870 this->public.task.process = _process_i;
871 }
872 else
873 {
874 this->public.task.build = _build_r;
875 this->public.task.process = _process_r;
876 }
877
878 return &this->public;
879 }