Add basic support for XAuth responder authentication
[strongswan.git] / src / libcharon / sa / ikev1 / tasks / aggressive_mode.c
index 483351d..d6ed9aa 100644 (file)
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -95,8 +98,14 @@ struct private_aggressive_mode_t {
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_aggressive_mode_t *this)
+static bool establish(private_aggressive_mode_t *this)
 {
+       if (!charon->bus->authorize(charon->bus, TRUE))
+       {
+               DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+               return FALSE;
+       }
+
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +116,8 @@ static void establish(private_aggressive_mode_t *this)
 
        this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
        charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+       return TRUE;
 }
 
 /**
@@ -166,6 +177,8 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)informational_create(this->ike_sa, notify));
        /* cancel all active/passive tasks in favour of informational */
+       this->ike_sa->flush_queue(this->ike_sa,
+                                       this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
        return ALREADY_DONE;
 }
 
@@ -177,6 +190,8 @@ static status_t send_delete(private_aggressive_mode_t *this)
        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
        /* cancel all active tasks in favour of informational */
+       this->ike_sa->flush_queue(this->ike_sa,
+                                       this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
        return ALREADY_DONE;
 }
 
@@ -194,7 +209,7 @@ METHOD(task_t, build_i, status_t,
                        packet_t *packet;
                        u_int16_t group;
 
-                       DBG0(DBG_IKE, "initiating aggressive mode IKE_SA %s[%d] to %H",
+                       DBG0(DBG_IKE, "initiating Aggressive Mode IKE_SA %s[%d] to %H",
                                 this->ike_sa->get_name(this->ike_sa),
                                 this->ike_sa->get_unique_id(this->ike_sa),
                                 this->ike_sa->get_other_host(this->ike_sa));
@@ -220,7 +235,7 @@ METHOD(task_t, build_i, status_t,
                        this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
                        proposals = this->ike_cfg->get_proposals(this->ike_cfg);
                        sa_payload = sa_payload_create_from_proposals_v1(proposals,
-                                               this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                        proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
                        message->add_payload(message, &sa_payload->payload_interface);
@@ -278,28 +293,39 @@ METHOD(task_t, build_i, status_t,
                        }
                        this->id_data = chunk_empty;
 
-                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
-                       {
-                               this->ike_sa->queue_task(this->ike_sa,
-                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
-                       }
-
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
                                case AUTH_XAUTH_INIT_RSA:
                                case AUTH_HYBRID_INIT_RSA:
                                        /* wait for XAUTH request */
-                                       return SUCCESS;
+                                       break;
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet */
-                                       return FAILED;
-                               default:
-                                       establish(this);
+                                       this->ike_sa->queue_task(this->ike_sa,
+                                                                       (task_t*)xauth_create(this->ike_sa, TRUE));
                                        return SUCCESS;
+                               default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       if (!establish(this))
+                                       {
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
                        }
+                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+                       {
+                               this->ike_sa->queue_task(this->ike_sa,
+                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
+                       }
+                       return SUCCESS;
                }
                default:
                        return FAILED;
@@ -349,10 +375,28 @@ METHOD(task_t, process_r, status_t,
                                DBG1(DBG_IKE, "no proposal found");
                                return send_notify(this, NO_PROPOSAL_CHOSEN);
                        }
+                       this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
                        this->method = sa_payload->get_auth_method(sa_payload);
                        this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+                       switch (this->method)
+                       {
+                               case AUTH_XAUTH_INIT_PSK:
+                               case AUTH_XAUTH_RESP_PSK:
+                               case AUTH_PSK:
+                                       if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+                                               "care_about_security_and_use_aggressive_mode_psk", FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+                                                        "security reasons");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
+                               default:
+                                       break;
+                       }
+
                        if (!this->proposal->get_algorithm(this->proposal,
                                                                                DIFFIE_HELLMAN_GROUP, &group, NULL))
                        {
@@ -383,7 +427,6 @@ METHOD(task_t, process_r, status_t,
                                                                                                          this->method, TRUE, id);
                        if (!this->peer_cfg)
                        {
-                               DBG1(DBG_IKE, "no peer config found");
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
                        this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
@@ -397,14 +440,32 @@ METHOD(task_t, process_r, status_t,
                }
                case AM_AUTH:
                {
-                       if (!this->ph1->verify_auth(this->ph1, this->method, message,
-                                                                               this->id_data))
+                       while (TRUE)
                        {
-                               this->id_data = chunk_empty;
-                               return send_delete(this);
+                               if (this->ph1->verify_auth(this->ph1, this->method, message,
+                                                                                  this->id_data))
+                               {
+                                       break;
+                               }
+                               this->peer_cfg->destroy(this->peer_cfg);
+                               this->peer_cfg = this->ph1->select_config(this->ph1,
+                                                                                                       this->method, TRUE, NULL);
+                               if (!this->peer_cfg)
+                               {
+                                       this->id_data = chunk_empty;
+                                       return send_delete(this);
+                               }
+                               this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
                        }
                        this->id_data = chunk_empty;
 
+                       if (!charon->bus->authorize(charon->bus, FALSE))
+                       {
+                               DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+                                        "IKE_SA, cancelling");
+                               return send_delete(this);
+                       }
+
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
@@ -416,10 +477,20 @@ METHOD(task_t, process_r, status_t,
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet supported */
-                                       return FAILED;
+                                       /* wait for XAUTH request */
+                                       return SUCCESS;
                                default:
-                                       establish(this);
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_delete(this);
+                                       }
+                                       if (!establish(this))
+                                       {
+                                               return send_delete(this);
+                                       }
                                        lib->processor->queue_job(lib->processor, (job_t*)
                                                                        adopt_children_job_create(
                                                                                this->ike_sa->get_id(this->ike_sa)));
@@ -441,19 +512,18 @@ METHOD(task_t, build_r, status_t,
                identification_t *id;
 
                sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
-                                                       this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                message->add_payload(message, &sa_payload->payload_interface);
 
                if (!this->ph1->add_nonce_ke(this->ph1, message))
                {
                        return send_notify(this, INVALID_KEY_INFORMATION);
                }
-               if (!this->ph1->create_hasher(this->ph1, this->proposal))
+               if (!this->ph1->create_hasher(this->ph1))
                {
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
-               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method,
-                                                                       this->proposal))
+               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
                {
                        return send_notify(this, INVALID_KEY_INFORMATION);
                }
@@ -507,6 +577,7 @@ METHOD(task_t, process_i, status_t,
                        DBG1(DBG_IKE, "no proposal found");
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
+               this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
                lifetime = sa_payload->get_lifetime(sa_payload);
                if (lifetime != this->lifetime)
@@ -526,15 +597,10 @@ METHOD(task_t, process_i, status_t,
                {
                        return send_notify(this, INVALID_PAYLOAD_TYPE);
                }
-               if (!this->ph1->create_hasher(this->ph1, this->proposal))
+               if (!this->ph1->create_hasher(this->ph1))
                {
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
-               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method,
-                                                                       this->proposal))
-               {
-                       return send_notify(this, INVALID_KEY_INFORMATION);
-               }
 
                id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
                if (!id_payload)
@@ -552,11 +618,22 @@ METHOD(task_t, process_i, status_t,
                }
                this->ike_sa->set_other_id(this->ike_sa, id);
 
+               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+               {
+                       return send_notify(this, INVALID_KEY_INFORMATION);
+               }
                if (!this->ph1->verify_auth(this->ph1, this->method, message,
                                                                        id_payload->get_encoded(id_payload)))
                {
                        return send_notify(this, AUTHENTICATION_FAILED);
                }
+               if (!charon->bus->authorize(charon->bus, FALSE))
+               {
+                       DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+                                "cancelling");
+                       return send_notify(this, AUTHENTICATION_FAILED);
+               }
+
                return NEED_MORE;
        }
        return FAILED;