Handling of initial contact
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2011 Martin Willi
6 * Copyright (C) 2011 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "main_mode.h"
20
21 #include <string.h>
22
23 #include <daemon.h>
24 #include <sa/keymat_v1.h>
25 #include <crypto/diffie_hellman.h>
26 #include <encoding/payloads/sa_payload.h>
27 #include <encoding/payloads/ke_payload.h>
28 #include <encoding/payloads/nonce_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/hash_payload.h>
31 #include <processing/jobs/initiate_xauth_job.h>
32
33 typedef struct private_main_mode_t private_main_mode_t;
34
35 /**
36 * Private members of a main_mode_t task.
37 */
38 struct private_main_mode_t {
39
40 /**
41 * Public methods and task_t interface.
42 */
43 main_mode_t public;
44
45 /**
46 * Assigned IKE_SA.
47 */
48 ike_sa_t *ike_sa;
49
50 /**
51 * Are we the initiator?
52 */
53 bool initiator;
54
55 /**
56 * IKE config to establish
57 */
58 ike_cfg_t *ike_cfg;
59
60 /**
61 * Peer config to use
62 */
63 peer_cfg_t *peer_cfg;
64
65 /**
66 * Local authentication configuration
67 */
68 auth_cfg_t *my_auth;
69
70 /**
71 * Remote authentication configuration
72 */
73 auth_cfg_t *other_auth;
74
75 /**
76 * selected IKE proposal
77 */
78 proposal_t *proposal;
79
80 /**
81 * DH exchange
82 */
83 diffie_hellman_t *dh;
84
85 /**
86 * Keymat derivation (from SA)
87 */
88 keymat_v1_t *keymat;
89
90 /**
91 * Received public DH value from peer
92 */
93 chunk_t dh_value;
94
95 /**
96 * Initiators nonce
97 */
98 chunk_t nonce_i;
99
100 /**
101 * Responder nonce
102 */
103 chunk_t nonce_r;
104
105 /**
106 * Encoded SA initiator payload used for authentication
107 */
108 chunk_t sa_payload;
109
110 /**
111 * Negotiated SA lifetime
112 */
113 u_int32_t lifetime;
114
115 /**
116 * Negotiated authentication method
117 */
118 auth_method_t auth_method;
119
120 /**
121 * Authenticator to use
122 */
123 authenticator_t *authenticator;
124
125 /** states of main mode */
126 enum {
127 MM_INIT,
128 MM_SA,
129 MM_KE,
130 MM_AUTH,
131 } state;
132 };
133
134 /**
135 * Get the first authentcation config from peer config
136 */
137 static auth_cfg_t *get_auth_cfg(private_main_mode_t *this, bool local)
138 {
139 enumerator_t *enumerator;
140 auth_cfg_t *cfg = NULL;
141
142 enumerator = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg,
143 local);
144 enumerator->enumerate(enumerator, &cfg);
145 enumerator->destroy(enumerator);
146 return cfg;
147 }
148
149 /**
150 * Save the encoded SA payload of a message
151 */
152 static bool save_sa_payload(private_main_mode_t *this, message_t *message)
153 {
154 enumerator_t *enumerator;
155 payload_t *payload, *sa = NULL;
156 chunk_t data;
157 size_t offset = IKE_HEADER_LENGTH;
158
159 enumerator = message->create_payload_enumerator(message);
160 while (enumerator->enumerate(enumerator, &payload))
161 {
162 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
163 {
164 sa = payload;
165 break;
166 }
167 else
168 {
169 offset += payload->get_length(payload);
170 }
171 }
172 enumerator->destroy(enumerator);
173
174 data = message->get_packet_data(message);
175 if (sa && data.len >= offset + sa->get_length(sa))
176 {
177 /* Get SA payload without 4 byte fixed header */
178 data = chunk_skip(data, offset);
179 data.len = sa->get_length(sa);
180 data = chunk_skip(data, 4);
181 this->sa_payload = chunk_clone(data);
182 return TRUE;
183 }
184 return FALSE;
185 }
186
187 /**
188 * Generate and add NONCE, KE payload
189 */
190 static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
191 message_t *message)
192 {
193 nonce_payload_t *nonce_payload;
194 ke_payload_t *ke_payload;
195 rng_t *rng;
196
197 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
198 this->dh);
199 message->add_payload(message, &ke_payload->payload_interface);
200
201 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
202 if (!rng)
203 {
204 DBG1(DBG_IKE, "no RNG found to create nonce");
205 return FALSE;
206 }
207 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
208 rng->destroy(rng);
209
210 nonce_payload = nonce_payload_create(NONCE_V1);
211 nonce_payload->set_nonce(nonce_payload, *nonce);
212 message->add_payload(message, &nonce_payload->payload_interface);
213
214 return TRUE;
215 }
216
217 /**
218 * Extract nonce from NONCE payload, process KE payload
219 */
220 static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
221 message_t *message)
222 {
223 nonce_payload_t *nonce_payload;
224 ke_payload_t *ke_payload;
225
226 ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
227 if (!ke_payload)
228 {
229 DBG1(DBG_IKE, "KE payload missing in message");
230 return FALSE;
231 }
232 this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
233 this->dh->set_other_public_value(this->dh, this->dh_value);
234
235 nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
236 if (!nonce_payload)
237 {
238 DBG1(DBG_IKE, "NONCE payload missing in message");
239 return FALSE;
240 }
241 *nonce = nonce_payload->get_nonce(nonce_payload);
242
243 return TRUE;
244 }
245
246 /**
247 * Get auth method to use
248 */
249 static auth_method_t get_auth_method(private_main_mode_t *this)
250 {
251 switch ((uintptr_t)this->my_auth->get(this->my_auth, AUTH_RULE_AUTH_CLASS))
252 {
253 case AUTH_CLASS_PSK:
254 return AUTH_PSK;
255 case AUTH_CLASS_XAUTH_PSK:
256 return AUTH_XAUTH_INIT_PSK;
257 case AUTH_CLASS_XAUTH_PUBKEY:
258 return AUTH_XAUTH_INIT_RSA;
259 case AUTH_CLASS_PUBKEY:
260 /* TODO-IKEv1: look for a key, return RSA or ECDSA */
261 default:
262 /* TODO-IKEv1: XAUTH methods */
263 return AUTH_RSA;
264 }
265 }
266 /**
267 * Check for notify errors, return TRUE if error found
268 */
269 static bool has_notify_errors(private_main_mode_t *this, message_t *message)
270 {
271 enumerator_t *enumerator;
272 payload_t *payload;
273 bool err = FALSE;
274
275 enumerator = message->create_payload_enumerator(message);
276 while (enumerator->enumerate(enumerator, &payload))
277 {
278 if (payload->get_type(payload) == NOTIFY_V1)
279 {
280 notify_payload_t *notify;
281 notify_type_t type;
282
283 notify = (notify_payload_t*)payload;
284 type = notify->get_notify_type(notify);
285 if (type < 16384)
286 {
287 DBG1(DBG_IKE, "received %N error notify",
288 notify_type_names, type);
289 err = TRUE;
290 }
291 else if (type == INITIAL_CONTACT_IKEV1)
292 {
293 if (!this->initiator && this->state == MM_AUTH)
294 {
295 /* If authenticated and received INITIAL_CONTACT,
296 * delete any existing IKE_SAs with that peer.
297 * The delete takes place when the SA is checked in due
298 * to other id not known until the 3rd message.*/
299 this->ike_sa->set_condition(this->ike_sa, COND_INIT_CONTACT_SEEN, TRUE);
300 }
301 }
302 else
303 {
304 DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
305 }
306 }
307 }
308 enumerator->destroy(enumerator);
309
310 return err;
311 }
312
313 METHOD(task_t, build_i, status_t,
314 private_main_mode_t *this, message_t *message)
315 {
316 switch (this->state)
317 {
318 case MM_INIT:
319 {
320 sa_payload_t *sa_payload;
321 linked_list_t *proposals;
322 packet_t *packet;
323
324 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
325 DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
326 this->ike_sa->get_name(this->ike_sa),
327 this->ike_sa->get_unique_id(this->ike_sa),
328 this->ike_sa->get_other_host(this->ike_sa));
329 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
330
331 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
332 this->peer_cfg->get_ref(this->peer_cfg);
333
334 this->my_auth = get_auth_cfg(this, TRUE);
335 this->other_auth = get_auth_cfg(this, FALSE);
336 if (!this->my_auth || !this->other_auth)
337 {
338 DBG1(DBG_CFG, "no auth config found");
339 return FAILED;
340 }
341
342 proposals = this->ike_cfg->get_proposals(this->ike_cfg);
343 this->auth_method = get_auth_method(this);
344 this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
345 FALSE);
346 if (!this->lifetime)
347 { /* fall back to rekey time of no rekey time configured */
348 this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
349 FALSE);
350 }
351 sa_payload = sa_payload_create_from_proposals_v1(proposals,
352 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
353 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
354
355 message->add_payload(message, &sa_payload->payload_interface);
356
357 /* pregenerate message to store SA payload */
358 if (this->ike_sa->generate_message(this->ike_sa, message,
359 &packet) != SUCCESS)
360 {
361 DBG1(DBG_IKE, "pregenerating SA payload failed");
362 return FAILED;
363 }
364 packet->destroy(packet);
365 if (!save_sa_payload(this, message))
366 {
367 DBG1(DBG_IKE, "SA payload invalid");
368 return FAILED;
369 }
370
371 this->state = MM_SA;
372 return NEED_MORE;
373 }
374 case MM_SA:
375 {
376 u_int16_t group;
377
378 if (!this->keymat->create_hasher(this->keymat, this->proposal))
379 {
380 return FAILED;
381 }
382 if (!this->proposal->get_algorithm(this->proposal,
383 DIFFIE_HELLMAN_GROUP, &group, NULL))
384 {
385 DBG1(DBG_IKE, "DH group selection failed");
386 return FAILED;
387 }
388 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
389 group);
390 if (!this->dh)
391 {
392 DBG1(DBG_IKE, "negotiated DH group not supported");
393 return FAILED;
394 }
395 if (!add_nonce_ke(this, &this->nonce_i, message))
396 {
397 return FAILED;
398 }
399 this->state = MM_KE;
400 return NEED_MORE;
401 }
402 case MM_KE:
403 {
404 id_payload_t *id_payload;
405 identification_t *id;
406
407 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
408 if (!id)
409 {
410 DBG1(DBG_CFG, "own identity not known");
411 return FAILED;
412 }
413
414 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
415
416 id_payload = id_payload_create_from_identification(ID_V1, id);
417 message->add_payload(message, &id_payload->payload_interface);
418
419 if (this->authenticator->build(this->authenticator,
420 message) != SUCCESS)
421 {
422 return FAILED;
423 }
424 this->state = MM_AUTH;
425 return NEED_MORE;
426 }
427 default:
428 return FAILED;
429 }
430 }
431
432 METHOD(task_t, process_r, status_t,
433 private_main_mode_t *this, message_t *message)
434 {
435 switch (this->state)
436 {
437 case MM_INIT:
438 {
439 linked_list_t *list;
440 sa_payload_t *sa_payload;
441
442 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
443 DBG0(DBG_IKE, "%H is initiating a Main Mode",
444 message->get_source(message));
445 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
446
447 this->ike_sa->update_hosts(this->ike_sa,
448 message->get_destination(message),
449 message->get_source(message), TRUE);
450
451 sa_payload = (sa_payload_t*)message->get_payload(message,
452 SECURITY_ASSOCIATION_V1);
453 if (!sa_payload || !save_sa_payload(this, message))
454 {
455 DBG1(DBG_IKE, "SA payload missing or invalid");
456 return FAILED;
457 }
458
459 list = sa_payload->get_proposals(sa_payload);
460 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
461 list, FALSE);
462 list->destroy_offset(list, offsetof(proposal_t, destroy));
463 if (!this->proposal)
464 {
465 DBG1(DBG_IKE, "no proposal found");
466 return FAILED;
467 }
468
469 this->auth_method = sa_payload->get_auth_method(sa_payload);
470 this->lifetime = sa_payload->get_lifetime(sa_payload);
471
472 this->state = MM_SA;
473 return NEED_MORE;
474 }
475 case MM_SA:
476 {
477 u_int16_t group;
478
479 if (!this->keymat->create_hasher(this->keymat, this->proposal))
480 {
481 return FAILED;
482 }
483 if (!this->proposal->get_algorithm(this->proposal,
484 DIFFIE_HELLMAN_GROUP, &group, NULL))
485 {
486 DBG1(DBG_IKE, "DH group selection failed");
487 return FAILED;
488 }
489 this->dh = lib->crypto->create_dh(lib->crypto, group);
490 if (!this->dh)
491 {
492 DBG1(DBG_IKE, "negotiated DH group not supported");
493 return FAILED;
494 }
495 if (!get_nonce_ke(this, &this->nonce_i, message))
496 {
497 return FAILED;
498 }
499 this->state = MM_KE;
500 return NEED_MORE;
501 }
502 case MM_KE:
503 {
504 enumerator_t *enumerator;
505 id_payload_t *id_payload;
506 identification_t *id, *any;
507
508 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
509 if (!id_payload)
510 {
511 DBG1(DBG_IKE, "IDii payload missing");
512 return FAILED;
513 }
514
515 id = id_payload->get_identification(id_payload);
516 any = identification_create_from_encoding(ID_ANY, chunk_empty);
517 enumerator = charon->backends->create_peer_cfg_enumerator(
518 charon->backends,
519 this->ike_sa->get_my_host(this->ike_sa),
520 this->ike_sa->get_other_host(this->ike_sa),
521 any, id);
522 if (!enumerator->enumerate(enumerator, &this->peer_cfg))
523 {
524 DBG1(DBG_IKE, "no peer config found");
525 id->destroy(id);
526 any->destroy(any);
527 enumerator->destroy(enumerator);
528 return FAILED;
529 }
530 this->peer_cfg->get_ref(this->peer_cfg);
531 enumerator->destroy(enumerator);
532 any->destroy(any);
533
534 this->ike_sa->set_other_id(this->ike_sa, id);
535
536 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
537
538 this->my_auth = get_auth_cfg(this, TRUE);
539 this->other_auth = get_auth_cfg(this, FALSE);
540 if (!this->my_auth || !this->other_auth)
541 {
542 DBG1(DBG_IKE, "auth config missing");
543 return FAILED;
544 }
545
546 if (this->authenticator->process(this->authenticator,
547 message) != SUCCESS)
548 {
549 return FAILED;
550 }
551 this->state = MM_AUTH;
552
553 if (has_notify_errors(this, message))
554 {
555 return FAILED;
556 }
557 return NEED_MORE;
558 }
559 default:
560 return FAILED;
561 }
562 }
563
564 /**
565 * Lookup a shared secret for this IKE_SA
566 */
567 static shared_key_t *lookup_shared_key(private_main_mode_t *this)
568 {
569 host_t *me, *other;
570 identification_t *my_id, *other_id;
571 shared_key_t *shared_key;
572
573 me = this->ike_sa->get_my_host(this->ike_sa);
574 other = this->ike_sa->get_other_host(this->ike_sa);
575 my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
576 other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
577 if (!my_id || !other_id)
578 {
579 DESTROY_IF(my_id);
580 DESTROY_IF(other_id);
581 return NULL;
582 }
583 shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id,
584 other_id);
585 if (!shared_key)
586 {
587 DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
588 }
589 my_id->destroy(my_id);
590 other_id->destroy(other_id);
591 return shared_key;
592 }
593
594 /**
595 * Derive key material for this IKE_SA
596 */
597 static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
598 chunk_t nonce_r)
599 {
600 ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
601 shared_key_t *shared_key = NULL;
602
603 switch (this->auth_method)
604 {
605 case AUTH_PSK:
606 case AUTH_XAUTH_INIT_PSK:
607 case AUTH_XAUTH_RESP_PSK:
608 shared_key = lookup_shared_key(this);
609 break;
610 default:
611 break;
612 }
613 if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
614 this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
615 {
616 DESTROY_IF(shared_key);
617 DBG1(DBG_IKE, "key derivation for %N failed",
618 auth_method_names, this->auth_method);
619 return FALSE;
620 }
621 DESTROY_IF(shared_key);
622 charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
623 NULL);
624
625 this->authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
626 this->auth_method, this->dh,
627 this->dh_value, this->sa_payload);
628 if (!this->authenticator)
629 {
630 DBG1(DBG_IKE, "negotiated authentication method %N not supported",
631 auth_method_names, this->auth_method);
632 return FALSE;
633 }
634 return TRUE;
635 }
636
637 METHOD(task_t, build_r, status_t,
638 private_main_mode_t *this, message_t *message)
639 {
640 switch (this->state)
641 {
642 case MM_SA:
643 {
644 sa_payload_t *sa_payload;
645
646 sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
647 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
648 message->add_payload(message, &sa_payload->payload_interface);
649
650 return NEED_MORE;
651 }
652 case MM_KE:
653 {
654 if (!add_nonce_ke(this, &this->nonce_r, message))
655 {
656 return FAILED;
657 }
658 if (!derive_keys(this, this->nonce_i, this->nonce_r))
659 {
660 return FAILED;
661 }
662 return NEED_MORE;
663 }
664 case MM_AUTH:
665 {
666 id_payload_t *id_payload;
667 identification_t *id;
668
669 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
670 if (!id)
671 {
672 DBG1(DBG_CFG, "own identity not known");
673 return FAILED;
674 }
675
676 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
677
678 id_payload = id_payload_create_from_identification(ID_V1, id);
679 message->add_payload(message, &id_payload->payload_interface);
680
681 if (this->authenticator->build(this->authenticator,
682 message) != SUCCESS)
683 {
684 return FAILED;
685 }
686
687 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
688 this->ike_sa->get_name(this->ike_sa),
689 this->ike_sa->get_unique_id(this->ike_sa),
690 this->ike_sa->get_my_host(this->ike_sa),
691 this->ike_sa->get_my_id(this->ike_sa),
692 this->ike_sa->get_other_host(this->ike_sa),
693 this->ike_sa->get_other_id(this->ike_sa));
694
695 switch (this->auth_method)
696 {
697 case AUTH_XAUTH_INIT_PSK:
698 case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
699 {
700 job_t *job = (job_t *) initiate_xauth_job_create(this->ike_sa->get_id(this->ike_sa));
701 lib->processor->queue_job(lib->processor, job);
702 break;
703 }
704 case AUTH_XAUTH_RESP_PSK:
705 case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
706 {
707 break;
708 }
709 default:
710 {
711 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
712 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
713 break;
714 }
715 }
716 return SUCCESS;
717 }
718 default:
719 return FAILED;
720 }
721 }
722
723 METHOD(task_t, process_i, status_t,
724 private_main_mode_t *this, message_t *message)
725 {
726 switch (this->state)
727 {
728 case MM_SA:
729 {
730 linked_list_t *list;
731 sa_payload_t *sa_payload;
732 auth_method_t auth_method;
733 u_int32_t lifetime;
734
735 sa_payload = (sa_payload_t*)message->get_payload(message,
736 SECURITY_ASSOCIATION_V1);
737 if (!sa_payload)
738 {
739 DBG1(DBG_IKE, "SA payload missing");
740 return FAILED;
741 }
742 list = sa_payload->get_proposals(sa_payload);
743 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
744 list, FALSE);
745 list->destroy_offset(list, offsetof(proposal_t, destroy));
746 if (!this->proposal)
747 {
748 DBG1(DBG_IKE, "no proposal found");
749 return FAILED;
750 }
751
752 lifetime = sa_payload->get_lifetime(sa_payload);
753 if (lifetime != this->lifetime)
754 {
755 DBG1(DBG_IKE, "received lifetime %us does not match configured "
756 "%us, using lower value", lifetime, this->lifetime);
757 }
758 this->lifetime = min(this->lifetime, lifetime);
759 auth_method = sa_payload->get_auth_method(sa_payload);
760 if (auth_method != this->auth_method)
761 {
762 DBG1(DBG_IKE, "received %N authentication, but configured %N, "
763 "continue with configured", auth_method_names, auth_method,
764 auth_method_names, this->auth_method);
765 }
766 return NEED_MORE;
767 }
768 case MM_KE:
769 {
770 if (!get_nonce_ke(this, &this->nonce_r, message))
771 {
772 return FAILED;
773 }
774 if (!derive_keys(this, this->nonce_i, this->nonce_r))
775 {
776 return FAILED;
777 }
778 return NEED_MORE;
779 }
780 case MM_AUTH:
781 {
782 id_payload_t *id_payload;
783 identification_t *id;
784
785 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
786 if (!id_payload)
787 {
788 DBG1(DBG_IKE, "IDir payload missing");
789 return FAILED;
790 }
791 id = id_payload->get_identification(id_payload);
792 if (!id->matches(id, this->other_auth->get(this->other_auth,
793 AUTH_RULE_IDENTITY)))
794 {
795 DBG1(DBG_IKE, "IDir does not match");
796 id->destroy(id);
797 return FAILED;
798 }
799 this->ike_sa->set_other_id(this->ike_sa, id);
800
801 if (this->authenticator->process(this->authenticator,
802 message) != SUCCESS)
803 {
804 return FAILED;
805 }
806
807 /* TODO-IKEv1: check for XAUTH rounds, queue them */
808 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
809 this->ike_sa->get_name(this->ike_sa),
810 this->ike_sa->get_unique_id(this->ike_sa),
811 this->ike_sa->get_my_host(this->ike_sa),
812 this->ike_sa->get_my_id(this->ike_sa),
813 this->ike_sa->get_other_host(this->ike_sa),
814 this->ike_sa->get_other_id(this->ike_sa));
815
816 switch (this->auth_method)
817 {
818 case AUTH_XAUTH_RESP_PSK:
819 case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
820 {
821 this->ike_sa->initiate_xauth(this->ike_sa, FALSE);
822 break;
823 }
824 case AUTH_XAUTH_INIT_PSK:
825 case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
826 {
827 break;
828 }
829 default:
830 {
831 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
832 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
833 break;
834 }
835 }
836
837 return SUCCESS;
838 }
839 default:
840 return FAILED;
841 }
842 }
843
844 METHOD(task_t, get_type, task_type_t,
845 private_main_mode_t *this)
846 {
847 return TASK_MAIN_MODE;
848 }
849
850 METHOD(task_t, migrate, void,
851 private_main_mode_t *this, ike_sa_t *ike_sa)
852 {
853 this->ike_sa = ike_sa;
854 }
855
856 METHOD(task_t, destroy, void,
857 private_main_mode_t *this)
858 {
859 DESTROY_IF(this->peer_cfg);
860 DESTROY_IF(this->proposal);
861 DESTROY_IF(this->dh);
862 DESTROY_IF(this->authenticator);
863 free(this->dh_value.ptr);
864 free(this->nonce_i.ptr);
865 free(this->nonce_r.ptr);
866 free(this->sa_payload.ptr);
867 free(this);
868 }
869
870 /*
871 * Described in header.
872 */
873 main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
874 {
875 private_main_mode_t *this;
876
877 INIT(this,
878 .public = {
879 .task = {
880 .get_type = _get_type,
881 .migrate = _migrate,
882 .destroy = _destroy,
883 },
884 },
885 .ike_sa = ike_sa,
886 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
887 .initiator = initiator,
888 .state = MM_INIT,
889 );
890
891 if (initiator)
892 {
893 this->public.task.build = _build_i;
894 this->public.task.process = _process_i;
895 }
896 else
897 {
898 this->public.task.build = _build_r;
899 this->public.task.process = _process_r;
900 }
901
902 return &this->public;
903 }