Queue Mode Config tasks when required
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
index f895117..cea0631 100755 (executable)
@@ -28,7 +28,8 @@
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/hash_payload.h>
-#include <processing/jobs/initiate_xauth_job.h>
+#include <sa/tasks/xauth.h>
+#include <sa/tasks/mode_config.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -117,6 +118,21 @@ struct private_main_mode_t {
         */
        auth_method_t auth_method;
 
+       /**
+        * Authenticator to use
+        */
+       authenticator_t *authenticator;
+
+       /**
+        * Notify type in case of error
+        */
+       notify_type_t notify_type;
+
+       /**
+        * Notify data in case of error
+        */
+       chunk_t notify_data;
+
        /** states of main mode */
        enum {
                MM_INIT,
@@ -180,283 +196,252 @@ static bool save_sa_payload(private_main_mode_t *this, message_t *message)
 }
 
 /**
- * Add signature payload to message
+ * Generate and add NONCE, KE payload
  */
-static bool add_signature(private_main_mode_t *this,
-                                          message_t *message, chunk_t hash)
+static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
+                                                message_t *message)
 {
-       chunk_t auth_data;
-       bool status = FALSE;
-       private_key_t *private;
-       identification_t *id;
-       auth_cfg_t *auth;
-       hash_payload_t *signature_payload;
-       signature_scheme_t scheme;
+       nonce_payload_t *nonce_payload;
+       ke_payload_t *ke_payload;
+       rng_t *rng;
 
-       id = this->ike_sa->get_my_id(this->ike_sa);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
-       if (private == NULL)
+       ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
+                                                                                                          this->dh);
+       message->add_payload(message, &ke_payload->payload_interface);
+
+       rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+       if (!rng)
        {
-               DBG1(DBG_IKE, "no private key found for '%Y' type %d", id, id->get_type(id));
-               free(hash.ptr);
+               DBG1(DBG_IKE, "no RNG found to create nonce");
                return FALSE;
        }
+       rng->allocate_bytes(rng, NONCE_SIZE, nonce);
+       rng->destroy(rng);
 
-       switch (private->get_type(private))
-       {
-               case KEY_RSA:
-                       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
-                       break;
+       nonce_payload = nonce_payload_create(NONCE_V1);
+       nonce_payload->set_nonce(nonce_payload, *nonce);
+       message->add_payload(message, &nonce_payload->payload_interface);
 
-               default:
-                       DBG1(DBG_IKE, "private key of type %N not supported",
-                                       key_type_names, private->get_type(private));
-                       private->destroy(private);
-                       free(hash.ptr);
-                       return FALSE;
-       }
+       return TRUE;
+}
 
-       if (private->sign(private, scheme, hash, &auth_data))
+/**
+ * Extract nonce from NONCE payload, process KE payload
+ */
+static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
+                                                message_t *message)
+{
+       nonce_payload_t *nonce_payload;
+       ke_payload_t *ke_payload;
+
+       ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
+       if (!ke_payload)
        {
-               signature_payload = hash_payload_create(SIGNATURE_V1);
-               signature_payload->set_hash(signature_payload, auth_data);
-               chunk_free(&auth_data);
-               message->add_payload(message, (payload_t*)signature_payload);
-               status = TRUE;
+               DBG1(DBG_IKE, "KE payload missing in message");
+               return FALSE;
        }
+       this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
+       this->dh->set_other_public_value(this->dh, this->dh_value);
 
-       DBG1(DBG_IKE, "authentication of '%Y' (myself) %s", id,
-                (status == TRUE)? "successful":"failed");
+       nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+       if (!nonce_payload)
+       {
+               DBG1(DBG_IKE, "NONCE payload missing in message");
+               return FALSE;
+       }
+       *nonce = nonce_payload->get_nonce(nonce_payload);
 
-       free(hash.ptr);
-       private->destroy(private);
-       return status;
+       return TRUE;
 }
 
-
 /**
- * Build main mode hash or signature payloads
+ * Get the two auth classes from local or remote config
  */
-static bool build_hash(private_main_mode_t *this, bool initiator,
-                                          message_t *message, identification_t *id)
+static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
+                                                  auth_class_t *c1, auth_class_t *c2)
 {
-       hash_payload_t *hash_payload;
-       chunk_t hash, dh;
+       enumerator_t *enumerator;
+       auth_cfg_t *auth;
 
-       this->dh->get_my_public_value(this->dh, &dh);
-       hash = this->keymat->get_hash(this->keymat, initiator, dh, this->dh_value,
-                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
-       free(dh.ptr);
+       *c1 = *c2 = AUTH_CLASS_ANY;
 
-       switch (this->auth_method)
+       enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+       while (enumerator->enumerate(enumerator, &auth))
        {
-               case AUTH_RSA:
-               case AUTH_XAUTH_INIT_RSA:
-               case AUTH_XAUTH_RESP_RSA:
+               if (*c1 == AUTH_CLASS_ANY)
                {
-                       return add_signature(this, message, hash);
+                       *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
                }
-               default:
+               else
                {
-                       hash_payload = hash_payload_create(HASH_V1);
-                       hash_payload->set_hash(hash_payload, hash);
-                       message->add_payload(message, &hash_payload->payload_interface);
-                       free(hash.ptr);
+                       *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
                        break;
                }
        }
-
-       return TRUE;
+       enumerator->destroy(enumerator);
 }
 
 /**
- * Verify main mode hash payload
+ * Get auth method to use from a peer config
  */
-static bool verify_hash(private_main_mode_t *this, bool initiator,
-                                          message_t *message, identification_t *id)
+static auth_method_t get_auth_method(private_main_mode_t *this,
+                                                                        peer_cfg_t *peer_cfg)
 {
-       hash_payload_t *hash_payload;
-       chunk_t hash, dh;
-       bool equal;
+       auth_class_t i1, i2, r1, r2;
+
+       get_auth_class(peer_cfg, this->initiator, &i1, &i2);
+       get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
 
-       hash_payload = (hash_payload_t*)message->get_payload(message,
-                                                                                                                HASH_V1);
-       if (!hash_payload)
+       if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
        {
-               DBG1(DBG_IKE, "HASH payload missing in message");
-               return FALSE;
+               if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
+               {
+                       /* TODO-IKEv1: ECDSA? */
+                       return AUTH_RSA;
+               }
+               if (i2 == AUTH_CLASS_XAUTH)
+               {
+                       return AUTH_XAUTH_INIT_RSA;
+               }
+               if (r2 == AUTH_CLASS_XAUTH)
+               {
+                       return AUTH_XAUTH_RESP_RSA;
+               }
        }
-       hash = hash_payload->get_hash(hash_payload);
-       this->dh->get_my_public_value(this->dh, &dh);
-       hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
-                               this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
-       free(dh.ptr);
-       equal = chunk_equals(hash, hash_payload->get_hash(hash_payload));
-       free(hash.ptr);
-       if (!equal)
+       if (i1 == AUTH_CLASS_PSK && r2 == AUTH_CLASS_PSK)
        {
-               DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
+               if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
+               {
+                       return AUTH_PSK;
+               }
+               if (i2 == AUTH_CLASS_XAUTH)
+               {
+                       return AUTH_XAUTH_INIT_PSK;
+               }
+               if (r2 == AUTH_CLASS_XAUTH)
+               {
+                       return AUTH_XAUTH_RESP_PSK;
+               }
        }
-       return equal;
+       /* TODO-IKEv1: Hybrid methods? */
+       return AUTH_NONE;;
 }
 
 /**
- * Verify main mode signature payload
+ * Select the best configuration as responder
  */
-static bool verify_signature(private_main_mode_t *this, bool initiator,
-                                          message_t *message, identification_t *id)
+static peer_cfg_t *select_config(private_main_mode_t *this, identification_t *id)
 {
-       chunk_t hash, dh;
-       public_key_t *public;
-       hash_payload_t *signature_payload;
-       auth_method_t auth_method;
-       chunk_t auth_data;
-       auth_cfg_t *auth, *current_auth;
        enumerator_t *enumerator;
-       key_type_t key_type = KEY_ECDSA;
-       signature_scheme_t scheme;
-       status_t status = NOT_FOUND;
-
-       signature_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
-       if (!signature_payload)
-       {
-               DBG1(DBG_IKE, "no signature_payload found");
-               return FALSE;
-       }
-
-       auth_method = this->auth_method;
-
-       switch (auth_method)
+       identification_t *any;
+       peer_cfg_t *current, *found = NULL;
+
+       any = identification_create_from_encoding(ID_ANY, chunk_empty);
+       enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+                                               this->ike_sa->get_my_host(this->ike_sa),
+                                               this->ike_sa->get_other_host(this->ike_sa), any, id);
+       while (enumerator->enumerate(enumerator, &current))
        {
-               case AUTH_XAUTH_INIT_RSA:
-               case AUTH_XAUTH_RESP_RSA:
-                       key_type = KEY_RSA;
-                       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
-                       break;
-
-               default:
-                       DBG1(DBG_IKE, "unsupported auth_method (%d)",auth_method);
-                       return FALSE;
-       }
-
-       this->dh->get_my_public_value(this->dh, &dh);
-       hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
-                                                                                                                               this->ike_sa->get_id(this->ike_sa),
-                                                                                                                               this->sa_payload, id);
-       free(dh.ptr);
-
-       auth_data = signature_payload->get_hash(signature_payload);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                               key_type, id, auth);
-       while (enumerator->enumerate(enumerator, &public, &current_auth))
-       {
-               if (public->verify(public, scheme, hash, auth_data))
+               if (get_auth_method(this, current) == this->auth_method)
                {
-                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                                                  id, auth_method_names, auth_method);
-                       status = SUCCESS;
-                       auth->merge(auth, current_auth, FALSE);
-                       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+                       found = current->get_ref(current);
                        break;
                }
-               else
-               {
-                       status = NOT_FOUND;
-                       DBG1(DBG_IKE, "signature validation failed, looking for another key");
-               }
        }
        enumerator->destroy(enumerator);
-       if (status == NOT_FOUND)
-       {
-               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
-                        key_type_names, key_type, id);
-       }
+       any->destroy(any);
 
-       free(hash.ptr);
-       return status == SUCCESS;
+       return found;
 }
 
-
 /**
- * Generate and add NONCE, KE payload
+ * Check for notify errors, return TRUE if error found
  */
-static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
-                                                message_t *message)
+static bool has_notify_errors(private_main_mode_t *this, message_t *message)
 {
-       nonce_payload_t *nonce_payload;
-       ke_payload_t *ke_payload;
-       rng_t *rng;
-
-       ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
-                                                                                                          this->dh);
-       message->add_payload(message, &ke_payload->payload_interface);
+       enumerator_t *enumerator;
+       payload_t *payload;
+       bool err = FALSE;
 
-       rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-       if (!rng)
+       enumerator = message->create_payload_enumerator(message);
+       while (enumerator->enumerate(enumerator, &payload))
        {
-               DBG1(DBG_IKE, "no RNG found to create nonce");
-               return FALSE;
-       }
-       rng->allocate_bytes(rng, NONCE_SIZE, nonce);
-       rng->destroy(rng);
+               if (payload->get_type(payload) == NOTIFY_V1)
+               {
+                       notify_payload_t *notify;
+                       notify_type_t type;
 
-       nonce_payload = nonce_payload_create(NONCE_V1);
-       nonce_payload->set_nonce(nonce_payload, *nonce);
-       message->add_payload(message, &nonce_payload->payload_interface);
+                       notify = (notify_payload_t*)payload;
+                       type = notify->get_notify_type(notify);
+                       if (type < 16384)
+                       {
+                               DBG1(DBG_IKE, "received %N error notify",
+                                        notify_type_names, type);
+                               err = TRUE;
+                       }
+                       else if (type == INITIAL_CONTACT_IKEV1)
+                       {
+                               if (!this->initiator && this->state == MM_AUTH)
+                               {
+                                       /* If authenticated and received INITIAL_CONTACT,
+                                        * delete any existing IKE_SAs with that peer.
+                                        * The delete takes place when the SA is checked in due
+                                        * to other id not known until the 3rd message.*/
+                                       this->ike_sa->set_condition(this->ike_sa, COND_INIT_CONTACT_SEEN, TRUE);
+                               }
+                       }
+                       else
+                       {
+                               DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
+                       }
+               }
+       }
+       enumerator->destroy(enumerator);
 
-       return TRUE;
+       return err;
 }
 
-/**
- * Extract nonce from NONCE payload, process KE payload
- */
-static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
-                                                message_t *message)
+METHOD(task_t, build_notify_error, status_t,
+       private_main_mode_t *this, message_t *message)
 {
-       nonce_payload_t *nonce_payload;
-       ke_payload_t *ke_payload;
+       notify_payload_t *notify;
+       ike_sa_id_t *ike_sa_id;
+       chunk_t spi;
+       u_int64_t spi_i, spi_r;
 
-       ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
-       if (!ke_payload)
-       {
-               DBG1(DBG_IKE, "KE payload missing in message");
-               return FALSE;
-       }
-       this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
-       this->dh->set_other_public_value(this->dh, this->dh_value);
+       notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+                                               PROTO_IKE, this->notify_type);
 
-       nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
-       if (!nonce_payload)
+       if (this->notify_data.ptr)
        {
-               DBG1(DBG_IKE, "NONCE payload missing in message");
-               return FALSE;
+               notify->set_notification_data(notify, this->notify_data);
        }
-       *nonce = nonce_payload->get_nonce(nonce_payload);
 
-       return TRUE;
+       ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+
+       spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+       spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+
+       spi = chunk_cata("cc", chunk_from_thing(spi_i), chunk_from_thing(spi_r));
+
+       notify->set_spi_data(notify, spi);
+
+       message->add_payload(message, (payload_t*)notify);
+
+       return SUCCESS;
 }
 
 /**
- * Get auth method to use
+ * Set the task ready to build notify error message
  */
-static auth_method_t get_auth_method(private_main_mode_t *this)
+static status_t set_notify_error(private_main_mode_t *this,
+                                                                                                                                notify_type_t type, chunk_t data)
 {
-       switch ((uintptr_t)this->my_auth->get(this->my_auth, AUTH_RULE_AUTH_CLASS))
-       {
-               case AUTH_CLASS_PSK:
-                       return AUTH_PSK;
-               case AUTH_CLASS_XAUTH_PSK:
-                       return AUTH_XAUTH_INIT_PSK;
-               case AUTH_CLASS_XAUTH_PUBKEY:
-                       return AUTH_XAUTH_INIT_RSA;
-               case AUTH_CLASS_PUBKEY:
-                       /* TODO-IKEv1: look for a key, return RSA or ECDSA */
-               default:
-                       /* TODO-IKEv1: XAUTH methods */
-                       return AUTH_RSA;
-       }
+       this->notify_type = type;
+       this->notify_data = data;
+       /* The task will be destroyed after build */
+       this->public.task.build = _build_notify_error;
+       return FAILED_SEND_ERROR;
 }
 
 METHOD(task_t, build_i, status_t,
@@ -487,9 +472,12 @@ METHOD(task_t, build_i, status_t,
                                DBG1(DBG_CFG, "no auth config found");
                                return FAILED;
                        }
-
-                       proposals = this->ike_cfg->get_proposals(this->ike_cfg);
-                       this->auth_method = get_auth_method(this);
+                       this->auth_method = get_auth_method(this, this->peer_cfg);
+                       if (this->auth_method == AUTH_NONE)
+                       {
+                               DBG1(DBG_CFG, "configuration uses unsupported authentication");
+                               return FAILED;
+                       }
                        this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
                                                                                                                        FALSE);
                        if (!this->lifetime)
@@ -497,6 +485,7 @@ METHOD(task_t, build_i, status_t,
                                this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
                                                                                                                                 FALSE);
                        }
+                       proposals = this->ike_cfg->get_proposals(this->ike_cfg);
                        sa_payload = sa_payload_create_from_proposals_v1(proposals,
                                                this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
                        proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
@@ -565,12 +554,11 @@ METHOD(task_t, build_i, status_t,
                        id_payload = id_payload_create_from_identification(ID_V1, id);
                        message->add_payload(message, &id_payload->payload_interface);
 
-                       if (!build_hash(this, TRUE, message, id))
+                       if (this->authenticator->build(this->authenticator,
+                                                                                  message) != SUCCESS)
                        {
-                               DBG1(DBG_CFG, "failed to build hash");
                                return FAILED;
                        }
-
                        this->state = MM_AUTH;
                        return NEED_MORE;
                }
@@ -613,7 +601,7 @@ METHOD(task_t, process_r, status_t,
                        if (!this->proposal)
                        {
                                DBG1(DBG_IKE, "no proposal found");
-                               return FAILED;
+                               return set_notify_error(this, NO_PROPOSAL_CHOSEN, chunk_empty);
                        }
 
                        this->auth_method = sa_payload->get_auth_method(sa_payload);
@@ -651,9 +639,8 @@ METHOD(task_t, process_r, status_t,
                }
                case MM_KE:
                {
-                       enumerator_t *enumerator;
                        id_payload_t *id_payload;
-                       identification_t *id, *any;
+                       identification_t *id;
 
                        id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
                        if (!id_payload)
@@ -663,26 +650,13 @@ METHOD(task_t, process_r, status_t,
                        }
 
                        id = id_payload->get_identification(id_payload);
-                       any = identification_create_from_encoding(ID_ANY, chunk_empty);
-                       enumerator = charon->backends->create_peer_cfg_enumerator(
-                                                                       charon->backends,
-                                                                       this->ike_sa->get_my_host(this->ike_sa),
-                                                                       this->ike_sa->get_other_host(this->ike_sa),
-                                                                       any, id);
-                       if (!enumerator->enumerate(enumerator, &this->peer_cfg))
+                       this->ike_sa->set_other_id(this->ike_sa, id);
+                       this->peer_cfg = select_config(this, id);
+                       if (!this->peer_cfg)
                        {
                                DBG1(DBG_IKE, "no peer config found");
-                               id->destroy(id);
-                               any->destroy(any);
-                               enumerator->destroy(enumerator);
-                               return FAILED;
+                               return set_notify_error(this, AUTHENTICATION_FAILED, chunk_empty);
                        }
-                       this->peer_cfg->get_ref(this->peer_cfg);
-                       enumerator->destroy(enumerator);
-                       any->destroy(any);
-
-                       this->ike_sa->set_other_id(this->ike_sa, id);
-
                        this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
 
                        this->my_auth = get_auth_cfg(this, TRUE);
@@ -690,37 +664,20 @@ METHOD(task_t, process_r, status_t,
                        if (!this->my_auth || !this->other_auth)
                        {
                                DBG1(DBG_IKE, "auth config missing");
-                               return FAILED;
+                               return set_notify_error(this, AUTHENTICATION_FAILED, chunk_empty);
                        }
 
-                       switch (this->auth_method)
+                       if (this->authenticator->process(this->authenticator,
+                                                                                        message) != SUCCESS)
                        {
-                               case AUTH_PSK:
-                               case AUTH_XAUTH_INIT_PSK:
-                                       if (!verify_hash(this, TRUE, message, id))
-                                       {
-                                               return FAILED;
-                                       }
-                                       break;
-
-                               case AUTH_XAUTH_RESP_RSA:
-                               case AUTH_XAUTH_INIT_RSA:
-                               case AUTH_RSA:
-                               {
-                                       if (!verify_signature(this, TRUE, message, id))
-                                       {
-                                               return FAILED;
-                                       }
-                                       break;
-                               }
-
-                               default:
-                                       DBG1(DBG_IKE, "unknown auth_method:%d",get_auth_method(this));
-                                       return FAILED;
-                                       break;
+                               return set_notify_error(this, AUTHENTICATION_FAILED, chunk_empty);
                        }
-
                        this->state = MM_AUTH;
+
+                       if (has_notify_errors(this, message))
+                       {
+                               return FAILED;
+                       }
                        return NEED_MORE;
                }
                default:
@@ -771,6 +728,7 @@ static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
        {
                case AUTH_PSK:
                case AUTH_XAUTH_INIT_PSK:
+               case AUTH_XAUTH_RESP_PSK:
                        shared_key = lookup_shared_key(this);
                        break;
                default:
@@ -780,14 +738,43 @@ static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
                        this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
        {
                DESTROY_IF(shared_key);
+               DBG1(DBG_IKE, "key derivation for %N failed",
+                        auth_method_names, this->auth_method);
                return FALSE;
        }
        DESTROY_IF(shared_key);
        charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
                                                  NULL);
+
+       this->authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
+                                                                                       this->auth_method, this->dh,
+                                                                                       this->dh_value, this->sa_payload);
+       if (!this->authenticator)
+       {
+               DBG1(DBG_IKE, "negotiated authentication method %N not supported",
+                        auth_method_names, this->auth_method);
+               return FALSE;
+       }
        return TRUE;
 }
 
+/**
+ * Set IKE_SA to established state
+ */
+static void establish(private_main_mode_t *this)
+{
+       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+                this->ike_sa->get_name(this->ike_sa),
+                this->ike_sa->get_unique_id(this->ike_sa),
+                this->ike_sa->get_my_host(this->ike_sa),
+                this->ike_sa->get_my_id(this->ike_sa),
+                this->ike_sa->get_other_host(this->ike_sa),
+                this->ike_sa->get_other_id(this->ike_sa));
+
+       this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+       charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+}
+
 METHOD(task_t, build_r, status_t,
        private_main_mode_t *this, message_t *message)
 {
@@ -811,7 +798,6 @@ METHOD(task_t, build_r, status_t,
                        }
                        if (!derive_keys(this, this->nonce_i, this->nonce_r))
                        {
-                               DBG1(DBG_IKE, "key derivation failed");
                                return FAILED;
                        }
                        return NEED_MORE;
@@ -833,42 +819,33 @@ METHOD(task_t, build_r, status_t,
                        id_payload = id_payload_create_from_identification(ID_V1, id);
                        message->add_payload(message, &id_payload->payload_interface);
 
-                       if (!build_hash(this, FALSE, message, id))
+                       if (this->authenticator->build(this->authenticator,
+                                                                                  message) != SUCCESS)
                        {
-                               DBG1(DBG_CFG, "failed to build hash");
                                return FAILED;
                        }
 
-                       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-                                this->ike_sa->get_name(this->ike_sa),
-                                this->ike_sa->get_unique_id(this->ike_sa),
-                                this->ike_sa->get_my_host(this->ike_sa),
-                                this->ike_sa->get_my_id(this->ike_sa),
-                                this->ike_sa->get_other_host(this->ike_sa),
-                                this->ike_sa->get_other_id(this->ike_sa));
+                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+                       {
+                               this->ike_sa->queue_task(this->ike_sa,
+                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
+                       }
 
                        switch (this->auth_method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
-                               case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
-                               {
-                                       job_t *job = (job_t *) initiate_xauth_job_create(this->ike_sa->get_id(this->ike_sa));
-                                       lib->processor->queue_job(lib->processor, job);
-                                       break;
-                               }
+                               case AUTH_XAUTH_INIT_RSA:
+                                       this->ike_sa->queue_task(this->ike_sa,
+                                                                       (task_t*)xauth_create(this->ike_sa, TRUE));
+                                       return SUCCESS;
                                case AUTH_XAUTH_RESP_PSK:
-                               case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
-                               {
-                                       break;
-                               }
+                               case AUTH_XAUTH_RESP_RSA:
+                                       /* TODO-IKEv1: not yet supported */
+                                       return FAILED;
                                default:
-                               {
-                                       this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-                                       charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-                                       break;
-                               }
+                                       establish(this);
+                                       return SUCCESS;
                        }
-                       return SUCCESS;
                }
                default:
                        return FAILED;
@@ -928,7 +905,6 @@ METHOD(task_t, process_i, status_t,
                        }
                        if (!derive_keys(this, this->nonce_i, this->nonce_r))
                        {
-                               DBG1(DBG_IKE, "key derivation failed");
                                return FAILED;
                        }
                        return NEED_MORE;
@@ -954,42 +930,26 @@ METHOD(task_t, process_i, status_t,
                        }
                        this->ike_sa->set_other_id(this->ike_sa, id);
 
-                       if (!verify_hash(this, FALSE, message, id))
+                       if (this->authenticator->process(this->authenticator,
+                                                                                        message) != SUCCESS)
                        {
                                return FAILED;
                        }
 
-                       /* TODO-IKEv1: check for XAUTH rounds, queue them */
-                       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-                                this->ike_sa->get_name(this->ike_sa),
-                                this->ike_sa->get_unique_id(this->ike_sa),
-                                this->ike_sa->get_my_host(this->ike_sa),
-                                this->ike_sa->get_my_id(this->ike_sa),
-                                this->ike_sa->get_other_host(this->ike_sa),
-                                this->ike_sa->get_other_id(this->ike_sa));
-
                        switch (this->auth_method)
                        {
-                               case AUTH_XAUTH_RESP_PSK:
-                               case AUTH_XAUTH_RESP_RSA: /* There should be more RESP cases here once added */
-                               {
-                                       this->ike_sa->initiate_xauth(this->ike_sa, FALSE);
-                                       break;
-                               }
                                case AUTH_XAUTH_INIT_PSK:
-                               case AUTH_XAUTH_INIT_RSA: /* There should be more INIT cases here once added */
-                               {
-                                       break;
-                               }
+                               case AUTH_XAUTH_INIT_RSA:
+                                       /* wait for XAUTH request */
+                                       return SUCCESS;
+                               case AUTH_XAUTH_RESP_PSK:
+                               case AUTH_XAUTH_RESP_RSA:
+                                       /* TODO-IKEv1: not yet */
+                                       return FAILED;
                                default:
-                               {
-                                       this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-                                       charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-                                       break;
-                               }
+                                       establish(this);
+                                       return SUCCESS;
                        }
-
-                       return SUCCESS;
                }
                default:
                        return FAILED;
@@ -1014,6 +974,7 @@ METHOD(task_t, destroy, void,
        DESTROY_IF(this->peer_cfg);
        DESTROY_IF(this->proposal);
        DESTROY_IF(this->dh);
+       DESTROY_IF(this->authenticator);
        free(this->dh_value.ptr);
        free(this->nonce_i.ptr);
        free(this->nonce_r.ptr);