Add basic support for XAuth responder authentication
[strongswan.git] / src / libcharon / sa / ikev1 / tasks / aggressive_mode.c
index e1c51a8..d6ed9aa 100644 (file)
@@ -235,7 +235,7 @@ METHOD(task_t, build_i, status_t,
                        this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
                        proposals = this->ike_cfg->get_proposals(this->ike_cfg);
                        sa_payload = sa_payload_create_from_proposals_v1(proposals,
-                                               this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                        proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
                        message->add_payload(message, &sa_payload->payload_interface);
@@ -303,9 +303,17 @@ METHOD(task_t, build_i, status_t,
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet */
-                                       return FAILED;
+                                       this->ike_sa->queue_task(this->ike_sa,
+                                                                       (task_t*)xauth_create(this->ike_sa, TRUE));
+                                       return SUCCESS;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_notify(this, AUTHENTICATION_FAILED);
@@ -372,6 +380,23 @@ METHOD(task_t, process_r, status_t,
                        this->method = sa_payload->get_auth_method(sa_payload);
                        this->lifetime = sa_payload->get_lifetime(sa_payload);
 
+                       switch (this->method)
+                       {
+                               case AUTH_XAUTH_INIT_PSK:
+                               case AUTH_XAUTH_RESP_PSK:
+                               case AUTH_PSK:
+                                       if (!lib->settings->get_bool(lib->settings, "charon.i_dont_"
+                                               "care_about_security_and_use_aggressive_mode_psk", FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+                                                        "security reasons");
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
+                               default:
+                                       break;
+                       }
+
                        if (!this->proposal->get_algorithm(this->proposal,
                                                                                DIFFIE_HELLMAN_GROUP, &group, NULL))
                        {
@@ -452,9 +477,16 @@ METHOD(task_t, process_r, status_t,
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
-                                       /* TODO-IKEv1: not yet supported */
-                                       return FAILED;
+                                       /* wait for XAUTH request */
+                                       return SUCCESS;
                                default:
+                                       if (charon->ike_sa_manager->check_uniqueness(
+                                                               charon->ike_sa_manager, this->ike_sa, FALSE))
+                                       {
+                                               DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+                                                        "uniqueness policy");
+                                               return send_delete(this);
+                                       }
                                        if (!establish(this))
                                        {
                                                return send_delete(this);
@@ -480,7 +512,7 @@ METHOD(task_t, build_r, status_t,
                identification_t *id;
 
                sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
-                                                       this->lifetime, 0, this->method, MODE_NONE, FALSE);
+                                               this->lifetime, 0, this->method, MODE_NONE, FALSE, 0);
                message->add_payload(message, &sa_payload->payload_interface);
 
                if (!this->ph1->add_nonce_ke(this->ph1, message))
@@ -569,10 +601,6 @@ METHOD(task_t, process_i, status_t,
                {
                        return send_notify(this, NO_PROPOSAL_CHOSEN);
                }
-               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
-               {
-                       return send_notify(this, INVALID_KEY_INFORMATION);
-               }
 
                id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
                if (!id_payload)
@@ -590,6 +618,10 @@ METHOD(task_t, process_i, status_t,
                }
                this->ike_sa->set_other_id(this->ike_sa, id);
 
+               if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+               {
+                       return send_notify(this, INVALID_KEY_INFORMATION);
+               }
                if (!this->ph1->verify_auth(this->ph1, this->method, message,
                                                                        id_payload->get_encoded(id_payload)))
                {