Add basic support for XAuth responder authentication
[strongswan.git] / src / libcharon / sa / ikev1 / tasks / aggressive_mode.c
old mode 100755 (executable)
new mode 100644 (file)
index b89b71b..d6ed9aa
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
@@ -174,6 +177,8 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)informational_create(this->ike_sa, notify));
        /* cancel all active/passive tasks in favour of informational */
+       this->ike_sa->flush_queue(this->ike_sa,
+                                       this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
        return ALREADY_DONE;
 }
 
@@ -185,6 +190,8 @@ static status_t send_delete(private_aggressive_mode_t *this)
        this->ike_sa->queue_task(this->ike_sa,
                                                (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
        /* cancel all active tasks in favour of informational */
+       this->ike_sa->flush_queue(this->ike_sa,
+                                       this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
        return ALREADY_DONE;
 }
 
@@ -228,7 +235,7 @@ METHOD(task_t, build_i, status_t,
                        this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
                        proposals = this->ike_cfg->get_proposals(this->ike_cfg);
                        sa_payload = sa_payload_create_from_proposals_v1(proposals,
-                                               this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                        proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
                        message->add_payload(message, &sa_payload->payload_interface);
@@ -296,9 +303,17 @@ METHOD(task_t, build_i, status_t,
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet */
-                                       return FAILED;
+                                       this->ike_sa->queue_task(this->ike_sa,
+                                                                       (task_t*)xauth_create(this->ike_sa, TRUE));
+                                       return SUCCESS;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_notify(this, AUTHENTICATION_FAILED);
@@ -360,10 +375,28 @@ METHOD(task_t, process_r, status_t,
                                DBG1(DBG_IKE, "no proposal found");
                                return send_notify(this, NO_PROPOSAL_CHOSEN);
                        }
+                       this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
                        this->method = sa_payload->get_auth_method(sa_payload);
                        this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+                       switch (this->method)
+                       {
+                               case AUTH_XAUTH_INIT_PSK:
+                               case AUTH_XAUTH_RESP_PSK:
+                               case AUTH_PSK:
+                                       if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+                                               "care_about_security_and_use_aggressive_mode_psk", FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+                                                        "security reasons");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
+                               default:
+                                       break;
+                       }
+
                        if (!this->proposal->get_algorithm(this->proposal,
                                                                                DIFFIE_HELLMAN_GROUP, &group, NULL))
                        {
@@ -394,7 +427,6 @@ METHOD(task_t, process_r, status_t,
                                                                                                          this->method, TRUE, id);
                        if (!this->peer_cfg)
                        {
-                               DBG1(DBG_IKE, "no peer config found");
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
                        this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
@@ -408,11 +440,22 @@ METHOD(task_t, process_r, status_t,
                }
                case AM_AUTH:
                {
-                       if (!this->ph1->verify_auth(this->ph1, this->method, message,
-                                                                               this->id_data))
+                       while (TRUE)
                        {
-                               this->id_data = chunk_empty;
-                               return send_delete(this);
+                               if (this->ph1->verify_auth(this->ph1, this->method, message,
+                                                                                  this->id_data))
+                               {
+                                       break;
+                               }
+                               this->peer_cfg->destroy(this->peer_cfg);
+                               this->peer_cfg = this->ph1->select_config(this->ph1,
+                                                                                                       this->method, TRUE, NULL);
+                               if (!this->peer_cfg)
+                               {
+                                       this->id_data = chunk_empty;
+                                       return send_delete(this);
+                               }
+                               this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
                        }
                        this->id_data = chunk_empty;
 
@@ -434,9 +477,16 @@ METHOD(task_t, process_r, status_t,
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet supported */
-                                       return FAILED;
+                                       /* wait for XAUTH request */
+                                       return SUCCESS;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_delete(this);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_delete(this);
@@ -462,19 +512,18 @@ METHOD(task_t, build_r, status_t,
                identification_t *id;
 
                sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
-                                                       this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                message->add_payload(message, &sa_payload->payload_interface);
 
                if (!this->ph1->add_nonce_ke(this->ph1, message))
                {
                        return send_notify(this, INVALID_KEY_INFORMATION);
                }
-               if (!this->ph1->create_hasher(this->ph1, this->proposal))
+               if (!this->ph1->create_hasher(this->ph1))
                {
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
-               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method,
-                                                                       this->proposal))
+               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
                {
                        return send_notify(this, INVALID_KEY_INFORMATION);
                }
@@ -528,6 +577,7 @@ METHOD(task_t, process_i, status_t,
                        DBG1(DBG_IKE, "no proposal found");
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
+               this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
                lifetime = sa_payload->get_lifetime(sa_payload);
                if (lifetime != this->lifetime)
@@ -547,15 +597,10 @@ METHOD(task_t, process_i, status_t,
                {
                        return send_notify(this, INVALID_PAYLOAD_TYPE);
                }
-               if (!this->ph1->create_hasher(this->ph1, this->proposal))
+               if (!this->ph1->create_hasher(this->ph1))
                {
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
-               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method,
-                                                                       this->proposal))
-               {
-                       return send_notify(this, INVALID_KEY_INFORMATION);
-               }
 
                id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
                if (!id_payload)
@@ -573,6 +618,10 @@ METHOD(task_t, process_i, status_t,
                }
                this->ike_sa->set_other_id(this->ike_sa, id);
 
+               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+               {
+                       return send_notify(this, INVALID_KEY_INFORMATION);
+               }
                if (!this->ph1->verify_auth(this->ph1, this->method, message,
                                                                        id_payload->get_encoded(id_payload)))
                {