2007-02-28 14:04:36 +00:00
|
|
|
/*
|
2009-04-14 10:34:24 +00:00
|
|
|
* Copyright (C) 2005-2009 Martin Willi
|
2007-02-28 14:04:36 +00:00
|
|
|
* Copyright (C) 2005 Jan Hutter
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
2008-03-13 14:14:44 +00:00
|
|
|
* for more details
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "ike_auth.h"
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include <daemon.h>
|
|
|
|
#include <encoding/payloads/id_payload.h>
|
|
|
|
#include <encoding/payloads/auth_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <encoding/payloads/eap_payload.h>
|
2007-02-28 14:04:36 +00:00
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <sa/authenticators/eap_authenticator.h>
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
typedef struct private_ike_auth_t private_ike_auth_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Private members of a ike_auth_t task.
|
|
|
|
*/
|
|
|
|
struct private_ike_auth_t {
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* Public methods and task_t interface.
|
|
|
|
*/
|
|
|
|
ike_auth_t public;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* Assigned IKE_SA.
|
|
|
|
*/
|
|
|
|
ike_sa_t *ike_sa;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* Are we the initiator?
|
|
|
|
*/
|
|
|
|
bool initiator;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* Nonce chosen by us in ike_init
|
|
|
|
*/
|
|
|
|
chunk_t my_nonce;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* Nonce chosen by peer in ike_init
|
|
|
|
*/
|
|
|
|
chunk_t other_nonce;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* IKE_SA_INIT message sent by us
|
|
|
|
*/
|
|
|
|
packet_t *my_packet;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
* IKE_SA_INIT message sent by peer
|
|
|
|
*/
|
|
|
|
packet_t *other_packet;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2010-11-25 10:35:43 +00:00
|
|
|
/**
|
|
|
|
* Reserved bytes of ID payload
|
|
|
|
*/
|
|
|
|
char reserved[3];
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* currently active authenticator, to authenticate us
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
authenticator_t *my_auth;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* currently active authenticator, to authenticate peer
|
|
|
|
*/
|
|
|
|
authenticator_t *other_auth;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* peer_cfg candidates, ordered by priority
|
|
|
|
*/
|
|
|
|
linked_list_t *candidates;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* selected peer config (might change when using multiple authentications)
|
|
|
|
*/
|
|
|
|
peer_cfg_t *peer_cfg;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* have we planned an(other) authentication exchange?
|
|
|
|
*/
|
|
|
|
bool do_another_auth;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* has the peer announced another authentication exchange?
|
|
|
|
*/
|
|
|
|
bool expect_another_auth;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
* should we send a AUTHENTICATION_FAILED notify?
|
|
|
|
*/
|
|
|
|
bool authentication_failed;
|
2011-01-05 15:44:01 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* received an INITIAL_CONTACT?
|
|
|
|
*/
|
|
|
|
bool initial_contact;
|
2009-04-14 10:34:24 +00:00
|
|
|
};
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* check if multiple authentication extension is enabled, configuration-wise
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool multiple_auth_enabled()
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
return lib->settings->get_bool(lib->settings,
|
|
|
|
"charon.multiple_authentication", TRUE);
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from our message
|
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static status_t collect_my_init_data(private_ike_auth_t *this,
|
|
|
|
message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
nonce_payload_t *nonce;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
if (nonce == NULL)
|
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
this->my_nonce = nonce->get_nonce(nonce);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* pre-generate the message, keep a copy */
|
2007-02-28 14:04:36 +00:00
|
|
|
if (this->ike_sa->generate_message(this->ike_sa, message,
|
|
|
|
&this->my_packet) != SUCCESS)
|
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from others message
|
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static status_t collect_other_init_data(private_ike_auth_t *this,
|
|
|
|
message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
/* we collect the needed information in the IKE_SA_INIT exchange */
|
|
|
|
nonce_payload_t *nonce;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
if (nonce == NULL)
|
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
this->other_nonce = nonce->get_nonce(nonce);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* keep a copy of the received packet */
|
2007-02-28 14:04:36 +00:00
|
|
|
this->other_packet = message->get_packet(message);
|
2009-09-04 11:46:09 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
2010-11-25 10:35:43 +00:00
|
|
|
/**
|
|
|
|
* Get and store reserved bytes of id_payload, required for AUTH payload
|
|
|
|
*/
|
|
|
|
static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
|
|
|
|
{
|
|
|
|
u_int8_t *byte;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < countof(this->reserved); i++)
|
|
|
|
{
|
|
|
|
byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
|
|
|
|
if (byte)
|
|
|
|
{
|
|
|
|
this->reserved[i] = *byte;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Get the next authentication configuration
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *e1, *e2;
|
|
|
|
auth_cfg_t *c1, *c2, *next = NULL;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* find an available config not already done */
|
|
|
|
e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
|
|
|
|
while (e1->enumerate(e1, &c1))
|
2009-02-10 17:21:44 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
bool found = FALSE;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-12-01 10:35:30 +00:00
|
|
|
e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
|
2009-04-14 10:34:24 +00:00
|
|
|
while (e2->enumerate(e2, &c2))
|
|
|
|
{
|
|
|
|
if (c2->complies(c2, c1, FALSE))
|
|
|
|
{
|
|
|
|
found = TRUE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e2->destroy(e2);
|
|
|
|
if (!found)
|
|
|
|
{
|
|
|
|
next = c1;
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
e1->destroy(e1);
|
|
|
|
return next;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Check if we have should initiate another authentication round
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool do_another_auth(private_ike_auth_t *this)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
bool do_another = FALSE;
|
|
|
|
enumerator_t *done, *todo;
|
|
|
|
auth_cfg_t *done_cfg, *todo_cfg;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
return FALSE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-12-01 10:35:30 +00:00
|
|
|
done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
|
2009-04-14 10:34:24 +00:00
|
|
|
todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
|
|
|
|
while (todo->enumerate(todo, &todo_cfg))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!done->enumerate(done, &done_cfg))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
}
|
|
|
|
if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
|
|
|
|
{
|
|
|
|
do_another = TRUE;
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
done->destroy(done);
|
|
|
|
todo->destroy(todo);
|
|
|
|
return do_another;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Get peer configuration candidates from backends
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool load_cfg_candidates(private_ike_auth_t *this)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *enumerator;
|
|
|
|
peer_cfg_t *peer_cfg;
|
|
|
|
host_t *me, *other;
|
|
|
|
identification_t *my_id, *other_id;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
me = this->ike_sa->get_my_host(this->ike_sa);
|
|
|
|
other = this->ike_sa->get_other_host(this->ike_sa);
|
|
|
|
my_id = this->ike_sa->get_my_id(this->ike_sa);
|
|
|
|
other_id = this->ike_sa->get_other_id(this->ike_sa);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
|
|
|
|
me, other, my_id, other_id);
|
|
|
|
while (enumerator->enumerate(enumerator, &peer_cfg))
|
|
|
|
{
|
|
|
|
peer_cfg->get_ref(peer_cfg);
|
|
|
|
if (this->peer_cfg == NULL)
|
|
|
|
{ /* best match */
|
|
|
|
this->peer_cfg = peer_cfg;
|
|
|
|
this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->candidates->insert_last(this->candidates, peer_cfg);
|
|
|
|
}
|
2007-03-08 22:56:14 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
if (this->peer_cfg)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
DBG1(DBG_CFG, "selected peer config '%s'",
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
return TRUE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
DBG1(DBG_CFG, "no matching peer config found");
|
|
|
|
return FALSE;
|
2007-03-08 22:56:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* update the current peer candidate if necessary, using candidates
|
2007-03-08 22:56:14 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
|
2007-03-08 22:56:14 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
do
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->peer_cfg)
|
|
|
|
{
|
|
|
|
bool complies = TRUE;
|
|
|
|
enumerator_t *e1, *e2, *tmp;
|
|
|
|
auth_cfg_t *c1, *c2;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-12-01 10:35:30 +00:00
|
|
|
e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
|
2009-04-14 10:34:24 +00:00
|
|
|
e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (strict)
|
|
|
|
{ /* swap lists in strict mode: all configured rounds must be
|
|
|
|
* fulfilled. If !strict, we check only the rounds done so far. */
|
|
|
|
tmp = e1;
|
|
|
|
e1 = e2;
|
|
|
|
e2 = tmp;
|
|
|
|
}
|
|
|
|
while (e1->enumerate(e1, &c1))
|
|
|
|
{
|
|
|
|
/* check if done authentications comply to configured ones */
|
|
|
|
if ((!e2->enumerate(e2, &c2)) ||
|
|
|
|
(!strict && !c1->complies(c1, c2, TRUE)) ||
|
|
|
|
(strict && !c2->complies(c2, c1, TRUE)))
|
|
|
|
{
|
|
|
|
complies = FALSE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e1->destroy(e1);
|
|
|
|
e2->destroy(e2);
|
|
|
|
if (complies)
|
|
|
|
{
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
this->peer_cfg->destroy(this->peer_cfg);
|
|
|
|
}
|
|
|
|
if (this->candidates->remove_first(this->candidates,
|
|
|
|
(void**)&this->peer_cfg) != SUCCESS)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "no alternative config found");
|
|
|
|
this->peer_cfg = NULL;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "switching to peer config '%s'",
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
while (this->peer_cfg);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
return this->peer_cfg != NULL;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, build_i, status_t,
|
|
|
|
private_ike_auth_t *this, message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
{
|
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->peer_cfg == NULL)
|
2007-03-08 16:58:59 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
this->peer_cfg->get_ref(this->peer_cfg);
|
2007-03-08 16:58:59 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2010-01-07 13:30:28 +00:00
|
|
|
if (message->get_message_id(message) == 1)
|
|
|
|
{ /* in the first IKE_AUTH ... */
|
|
|
|
if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
|
|
|
|
{ /* indicate support for multiple authentication */
|
|
|
|
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
|
|
|
|
chunk_empty);
|
|
|
|
}
|
|
|
|
/* indicate support for EAP-only authentication */
|
|
|
|
message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
|
|
|
|
chunk_empty);
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->do_another_auth && !this->my_auth)
|
|
|
|
{ /* we have done our rounds */
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* check if an authenticator is in progress */
|
|
|
|
if (this->my_auth == NULL)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2011-01-05 14:58:38 +00:00
|
|
|
identification_t *idi, *idr = NULL;
|
2009-04-14 10:34:24 +00:00
|
|
|
id_payload_t *id_payload;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* clean up authentication config from a previous round */
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
cfg->purge(cfg, TRUE);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* add (optional) IDr */
|
|
|
|
cfg = get_auth_cfg(this, FALSE);
|
|
|
|
if (cfg)
|
|
|
|
{
|
2011-01-05 14:58:38 +00:00
|
|
|
idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
if (idr && !idr->contains_wildcards(idr))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2011-01-05 14:58:38 +00:00
|
|
|
this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
|
2009-04-14 10:34:24 +00:00
|
|
|
id_payload = id_payload_create_from_identification(
|
2011-01-05 14:58:38 +00:00
|
|
|
ID_RESPONDER, idr);
|
2009-04-14 10:34:24 +00:00
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* add IDi */
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
|
2011-01-05 14:58:38 +00:00
|
|
|
idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
if (!idi)
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "configuration misses IDi");
|
|
|
|
return FAILED;
|
|
|
|
}
|
2011-01-05 14:58:38 +00:00
|
|
|
this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
|
|
|
|
id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
|
2010-11-25 10:35:43 +00:00
|
|
|
get_reserved_id_bytes(this, id_payload);
|
2009-04-14 10:34:24 +00:00
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-01-13 09:50:46 +00:00
|
|
|
if (idr && message->get_message_id(message) == 1 &&
|
|
|
|
this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
|
2011-01-05 14:58:38 +00:00
|
|
|
{
|
|
|
|
host_t *host;
|
|
|
|
|
|
|
|
host = this->ike_sa->get_other_host(this->ike_sa);
|
|
|
|
if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
|
|
|
|
idi, idr, host->get_family(host)))
|
|
|
|
{
|
|
|
|
message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* build authentication data */
|
2009-05-11 08:35:44 +00:00
|
|
|
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
|
|
|
|
this->other_nonce, this->my_nonce,
|
|
|
|
this->other_packet->get_data(this->other_packet),
|
2010-11-25 10:35:43 +00:00
|
|
|
this->my_packet->get_data(this->my_packet),
|
|
|
|
this->reserved);
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->my_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->my_auth->build(this->my_auth, message))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
/* authentication step complete, reset authenticator */
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
|
2009-12-01 10:35:30 +00:00
|
|
|
this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
|
2009-04-14 10:34:24 +00:00
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
this->my_auth = NULL;
|
|
|
|
break;
|
|
|
|
case NEED_MORE:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* check for additional authentication rounds */
|
|
|
|
if (do_another_auth(this))
|
|
|
|
{
|
|
|
|
if (message->get_payload(message, AUTHENTICATION))
|
|
|
|
{
|
|
|
|
message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->do_another_auth = FALSE;
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, process_r, status_t,
|
|
|
|
private_ike_auth_t *this, message_t *message)
|
2007-04-10 06:01:03 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg, *cand;
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
identification_t *id;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
{
|
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth == NULL && this->do_another_auth)
|
|
|
|
{
|
|
|
|
/* handle (optional) IDr payload, apply proposed identity */
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
|
|
|
|
if (id_payload)
|
|
|
|
{
|
|
|
|
id = id_payload->get_identification(id_payload);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
id = identification_create_from_encoding(ID_ANY, chunk_empty);
|
|
|
|
}
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id);
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->expect_another_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
2010-01-07 13:30:28 +00:00
|
|
|
|
|
|
|
if (message->get_message_id(message) == 1)
|
|
|
|
{ /* check for extensions in the first IKE_AUTH */
|
|
|
|
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
|
|
|
|
{
|
|
|
|
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
|
|
|
}
|
2010-08-04 10:55:09 +00:00
|
|
|
if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
|
|
|
|
{
|
2010-01-07 13:30:28 +00:00
|
|
|
this->ike_sa->enable_extension(this->ike_sa,
|
|
|
|
EXT_EAP_ONLY_AUTHENTICATION);
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth == NULL)
|
|
|
|
{
|
|
|
|
/* handle IDi payload */
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
|
|
|
|
if (!id_payload)
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "IDi payload missing");
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
id = id_payload->get_identification(id_payload);
|
2010-11-25 10:35:43 +00:00
|
|
|
get_reserved_id_bytes(this, id_payload);
|
2009-04-14 10:34:24 +00:00
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
|
|
|
|
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->peer_cfg == NULL)
|
|
|
|
{
|
|
|
|
if (!load_cfg_candidates(this))
|
|
|
|
{
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (message->get_payload(message, AUTHENTICATION) == NULL)
|
|
|
|
{ /* before authenticating with EAP, we need a EAP config */
|
|
|
|
cand = get_auth_cfg(this, FALSE);
|
|
|
|
while (!cand || (
|
|
|
|
(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
|
|
|
|
(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
|
|
|
|
{ /* peer requested EAP, but current config does not match */
|
2010-07-21 12:55:51 +00:00
|
|
|
DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg->destroy(this->peer_cfg);
|
|
|
|
this->peer_cfg = NULL;
|
|
|
|
if (!update_cfg_candidates(this, FALSE))
|
|
|
|
{
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
cand = get_auth_cfg(this, FALSE);
|
|
|
|
}
|
2010-06-28 13:41:48 +00:00
|
|
|
/* copy over the EAP specific rules for authentication */
|
|
|
|
cfg->add(cfg, AUTH_RULE_EAP_TYPE,
|
|
|
|
cand->get(cand, AUTH_RULE_EAP_TYPE));
|
|
|
|
cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
|
|
|
|
cand->get(cand, AUTH_RULE_EAP_VENDOR));
|
|
|
|
id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
|
|
|
|
if (id)
|
|
|
|
{
|
|
|
|
cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
|
|
|
|
}
|
2010-08-31 16:06:02 +00:00
|
|
|
id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
|
|
|
|
if (id)
|
|
|
|
{
|
|
|
|
cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* verify authentication data */
|
2009-05-11 08:35:44 +00:00
|
|
|
this->other_auth = authenticator_create_verifier(this->ike_sa,
|
|
|
|
message, this->other_nonce, this->my_nonce,
|
|
|
|
this->other_packet->get_data(this->other_packet),
|
2010-11-25 10:35:43 +00:00
|
|
|
this->my_packet->get_data(this->my_packet),
|
|
|
|
this->reserved);
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->other_auth)
|
|
|
|
{
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
switch (this->other_auth->process(this->other_auth, message))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
case SUCCESS:
|
2009-04-14 10:34:24 +00:00
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
this->other_auth = NULL;
|
2007-03-08 00:27:43 +00:00
|
|
|
break;
|
2009-04-14 10:34:24 +00:00
|
|
|
case NEED_MORE:
|
|
|
|
if (message->get_payload(message, AUTHENTICATION))
|
|
|
|
{ /* AUTH verification successful, but another build() needed */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
default:
|
2009-04-14 10:34:24 +00:00
|
|
|
this->authentication_failed = TRUE;
|
2008-03-13 14:14:44 +00:00
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-01-05 15:44:01 +00:00
|
|
|
/* If authenticated (with non-EAP) and received INITIAL_CONTACT,
|
|
|
|
* delete any existing IKE_SAs with that peer. */
|
|
|
|
if (message->get_message_id(message) == 1 &&
|
|
|
|
message->get_notify(message, INITIAL_CONTACT))
|
|
|
|
{
|
|
|
|
this->initial_contact = TRUE;
|
|
|
|
}
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* another auth round done, invoke authorize hook */
|
2009-12-01 10:35:30 +00:00
|
|
|
if (!charon->bus->authorize(charon->bus, FALSE))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2009-12-01 10:35:30 +00:00
|
|
|
DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
|
2009-04-14 10:34:24 +00:00
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-02-03 12:31:11 +00:00
|
|
|
/* store authentication information */
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
|
|
|
|
this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!update_cfg_candidates(this, FALSE))
|
2007-05-18 12:25:37 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
2007-05-18 12:25:37 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
|
|
|
|
{
|
|
|
|
this->expect_another_auth = FALSE;
|
|
|
|
if (!update_cfg_candidates(this, TRUE))
|
|
|
|
{
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
2008-08-22 10:44:51 +00:00
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, build_r, status_t,
|
|
|
|
private_ike_auth_t *this, message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (multiple_auth_enabled())
|
|
|
|
{
|
|
|
|
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
|
|
|
|
chunk_empty);
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->authentication_failed || this->peer_cfg == NULL)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth == NULL && this->do_another_auth)
|
2007-03-08 14:41:30 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
identification_t *id, *id_cfg;
|
|
|
|
id_payload_t *id_payload;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* add IDr */
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
cfg->purge(cfg, TRUE);
|
|
|
|
cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
id = this->ike_sa->get_my_id(this->ike_sa);
|
|
|
|
if (id->get_type(id) == ID_ANY)
|
|
|
|
{ /* no IDr received, apply configured ID */
|
|
|
|
if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "IDr not configured and negotiation failed");
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
|
|
|
|
id = id_cfg;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{ /* IDr received, check if it matches configuration */
|
|
|
|
if (id_cfg && !id->matches(id, id_cfg))
|
|
|
|
{
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
|
2009-04-14 10:34:24 +00:00
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
|
2010-11-25 10:35:43 +00:00
|
|
|
get_reserved_id_bytes(this, id_payload);
|
2009-04-14 10:34:24 +00:00
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-01-05 15:44:01 +00:00
|
|
|
if (this->initial_contact)
|
|
|
|
{
|
|
|
|
charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
|
|
|
|
this->ike_sa, TRUE);
|
|
|
|
this->initial_contact = FALSE;
|
|
|
|
}
|
|
|
|
|
2010-01-07 14:51:30 +00:00
|
|
|
if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
|
|
|
|
{ /* EAP-only authentication */
|
|
|
|
if (!this->ike_sa->supports_extension(this->ike_sa,
|
|
|
|
EXT_EAP_ONLY_AUTHENTICATION))
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
|
|
|
|
"does not support it");
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2010-01-07 14:51:30 +00:00
|
|
|
/* build authentication data */
|
|
|
|
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
|
|
|
|
this->other_nonce, this->my_nonce,
|
|
|
|
this->other_packet->get_data(this->other_packet),
|
2010-11-25 10:35:43 +00:00
|
|
|
this->my_packet->get_data(this->my_packet),
|
|
|
|
this->reserved);
|
2010-01-07 14:51:30 +00:00
|
|
|
if (!this->my_auth)
|
|
|
|
{
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2007-03-08 14:41:30 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->other_auth->build(this->other_auth, message))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
this->other_auth = NULL;
|
|
|
|
break;
|
|
|
|
case NEED_MORE:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
|
|
|
|
{ /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
}
|
|
|
|
return FAILED;
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth)
|
2008-04-14 13:23:24 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->my_auth->build(this->my_auth, message))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
|
|
|
|
TRUE);
|
2009-12-01 10:35:30 +00:00
|
|
|
this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
|
2009-04-14 10:34:24 +00:00
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
this->my_auth = NULL;
|
|
|
|
break;
|
|
|
|
case NEED_MORE:
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
2008-04-14 13:23:24 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* check for additional authentication rounds */
|
|
|
|
if (do_another_auth(this))
|
|
|
|
{
|
|
|
|
message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->do_another_auth = FALSE;
|
|
|
|
}
|
|
|
|
if (!this->do_another_auth && !this->expect_another_auth)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
|
2011-01-05 15:44:01 +00:00
|
|
|
this->ike_sa, FALSE))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-12-01 10:35:30 +00:00
|
|
|
if (!charon->bus->authorize(charon->bus, TRUE))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
chunk_empty);
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
2008-10-14 08:52:13 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2009-09-04 11:46:09 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2008-10-14 08:52:13 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2009-09-04 09:10:52 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2009-07-09 11:44:06 +00:00
|
|
|
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
2007-02-28 14:04:36 +00:00
|
|
|
return SUCCESS;
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, process_i, status_t,
|
|
|
|
private_ike_auth_t *this, message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *enumerator;
|
2007-02-28 14:04:36 +00:00
|
|
|
payload_t *payload;
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
2010-02-09 15:11:07 +00:00
|
|
|
bool mutual_eap = FALSE;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
|
|
|
|
multiple_auth_enabled())
|
|
|
|
{
|
|
|
|
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator = message->create_payload_enumerator(message);
|
|
|
|
while (enumerator->enumerate(enumerator, &payload))
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
if (payload->get_type(payload) == NOTIFY)
|
|
|
|
{
|
|
|
|
notify_payload_t *notify = (notify_payload_t*)payload;
|
|
|
|
notify_type_t type = notify->get_notify_type(notify);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
switch (type)
|
|
|
|
{
|
|
|
|
case NO_PROPOSAL_CHOSEN:
|
|
|
|
case SINGLE_PAIR_REQUIRED:
|
|
|
|
case NO_ADDITIONAL_SAS:
|
|
|
|
case INTERNAL_ADDRESS_FAILURE:
|
|
|
|
case FAILED_CP_REQUIRED:
|
|
|
|
case TS_UNACCEPTABLE:
|
|
|
|
case INVALID_SELECTORS:
|
|
|
|
/* these are errors, but are not critical as only the
|
|
|
|
* CHILD_SA won't get build, but IKE_SA establishes anyway */
|
2007-06-21 15:25:28 +00:00
|
|
|
break;
|
|
|
|
case MOBIKE_SUPPORTED:
|
|
|
|
case ADDITIONAL_IP4_ADDRESS:
|
|
|
|
case ADDITIONAL_IP6_ADDRESS:
|
|
|
|
/* handled in ike_mobike task */
|
|
|
|
break;
|
2007-11-20 12:06:40 +00:00
|
|
|
case AUTH_LIFETIME:
|
2007-12-03 10:52:18 +00:00
|
|
|
/* handled in ike_auth_lifetime task */
|
2007-11-20 12:06:40 +00:00
|
|
|
break;
|
2008-03-26 18:40:19 +00:00
|
|
|
case ME_ENDPOINT:
|
|
|
|
/* handled in ike_me task */
|
2007-12-03 23:06:17 +00:00
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
default:
|
|
|
|
{
|
2010-09-29 17:01:36 +00:00
|
|
|
if (type <= 16383)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2008-10-14 08:52:13 +00:00
|
|
|
DBG1(DBG_IKE, "received %N notify error",
|
2007-02-28 14:04:36 +00:00
|
|
|
notify_type_names, type);
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
2009-09-04 11:46:09 +00:00
|
|
|
return FAILED;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2008-04-02 19:15:05 +00:00
|
|
|
DBG2(DBG_IKE, "received %N notify",
|
2007-03-08 20:18:39 +00:00
|
|
|
notify_type_names, type);
|
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->expect_another_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth == NULL)
|
|
|
|
{
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
identification_t *id;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* handle IDr payload */
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message,
|
|
|
|
ID_RESPONDER);
|
|
|
|
if (!id_payload)
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "IDr payload missing");
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
|
|
|
id = id_payload->get_identification(id_payload);
|
2010-11-25 10:35:43 +00:00
|
|
|
get_reserved_id_bytes(this, id_payload);
|
2009-04-14 10:34:24 +00:00
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
|
|
|
|
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2010-01-07 14:51:30 +00:00
|
|
|
if (message->get_payload(message, AUTHENTICATION))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2010-01-07 14:51:30 +00:00
|
|
|
/* verify authentication data */
|
|
|
|
this->other_auth = authenticator_create_verifier(this->ike_sa,
|
|
|
|
message, this->other_nonce, this->my_nonce,
|
|
|
|
this->other_packet->get_data(this->other_packet),
|
2010-11-25 10:35:43 +00:00
|
|
|
this->my_packet->get_data(this->my_packet),
|
|
|
|
this->reserved);
|
2010-01-07 14:51:30 +00:00
|
|
|
if (!this->other_auth)
|
|
|
|
{
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2010-01-07 14:51:30 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
2010-02-09 15:11:07 +00:00
|
|
|
{
|
|
|
|
/* responder omitted AUTH payload, indicating EAP-only */
|
|
|
|
mutual_eap = TRUE;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
|
|
|
}
|
2010-01-07 14:51:30 +00:00
|
|
|
if (this->other_auth)
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2010-01-07 14:51:30 +00:00
|
|
|
switch (this->other_auth->process(this->other_auth, message))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
break;
|
|
|
|
case NEED_MORE:
|
|
|
|
return NEED_MORE;
|
|
|
|
default:
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2010-01-07 14:51:30 +00:00
|
|
|
}
|
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
this->other_auth = NULL;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
|
|
|
/* another auth round done, invoke authorize hook */
|
2009-12-01 10:35:30 +00:00
|
|
|
if (!charon->bus->authorize(charon->bus, FALSE))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2009-12-01 10:35:30 +00:00
|
|
|
DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2011-02-03 12:31:11 +00:00
|
|
|
|
|
|
|
/* store authentication information, reset authenticator */
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
|
|
|
|
this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2010-02-09 15:11:07 +00:00
|
|
|
if (this->my_auth)
|
|
|
|
{
|
|
|
|
switch (this->my_auth->process(this->my_auth, message))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
|
|
|
|
TRUE);
|
|
|
|
this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
|
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
this->my_auth = NULL;
|
|
|
|
this->do_another_auth = do_another_auth(this);
|
|
|
|
break;
|
|
|
|
case NEED_MORE:
|
|
|
|
break;
|
|
|
|
default:
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2010-02-09 15:11:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (mutual_eap)
|
|
|
|
{
|
|
|
|
if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2010-02-09 15:11:07 +00:00
|
|
|
}
|
|
|
|
DBG1(DBG_IKE, "allow mutual EAP-only authentication");
|
|
|
|
}
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->expect_another_auth = FALSE;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
|
|
|
|
{
|
|
|
|
if (!update_cfg_candidates(this, TRUE))
|
|
|
|
{
|
2011-08-10 13:17:40 +00:00
|
|
|
goto remote_auth_failed;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2009-12-01 10:35:30 +00:00
|
|
|
if (!charon->bus->authorize(charon->bus, TRUE))
|
2009-04-14 10:34:24 +00:00
|
|
|
{
|
2011-08-10 13:17:40 +00:00
|
|
|
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
|
|
|
|
"cancelling");
|
|
|
|
goto remote_auth_failed;
|
2009-04-14 10:34:24 +00:00
|
|
|
}
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
2009-04-14 10:34:24 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2009-09-04 11:46:09 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2009-04-14 10:34:24 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2009-09-04 09:10:52 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2009-07-09 11:44:06 +00:00
|
|
|
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
2009-04-14 10:34:24 +00:00
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
return NEED_MORE;
|
2011-08-10 13:17:40 +00:00
|
|
|
|
|
|
|
remote_auth_failed:
|
|
|
|
charon->bus->alert(charon->bus, ALERT_RESPONDER_AUTH_FAILED);
|
|
|
|
return FAILED;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, get_type, task_type_t,
|
|
|
|
private_ike_auth_t *this)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
return IKE_AUTHENTICATE;
|
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, migrate, void,
|
|
|
|
private_ike_auth_t *this, ike_sa_t *ike_sa)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
DESTROY_IF(this->other_packet);
|
2009-04-14 10:34:24 +00:00
|
|
|
DESTROY_IF(this->peer_cfg);
|
|
|
|
DESTROY_IF(this->my_auth);
|
|
|
|
DESTROY_IF(this->other_auth);
|
|
|
|
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
this->my_packet = NULL;
|
|
|
|
this->other_packet = NULL;
|
|
|
|
this->ike_sa = ike_sa;
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg = NULL;
|
|
|
|
this->my_auth = NULL;
|
|
|
|
this->other_auth = NULL;
|
|
|
|
this->do_another_auth = TRUE;
|
|
|
|
this->expect_another_auth = TRUE;
|
|
|
|
this->authentication_failed = FALSE;
|
|
|
|
this->candidates = linked_list_create();
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-02 14:13:39 +00:00
|
|
|
METHOD(task_t, destroy, void,
|
|
|
|
private_ike_auth_t *this)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
DESTROY_IF(this->other_packet);
|
2009-04-14 10:34:24 +00:00
|
|
|
DESTROY_IF(this->my_auth);
|
|
|
|
DESTROY_IF(this->other_auth);
|
|
|
|
DESTROY_IF(this->peer_cfg);
|
|
|
|
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
|
2007-02-28 14:04:36 +00:00
|
|
|
free(this);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Described in header.
|
|
|
|
*/
|
|
|
|
ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
|
|
|
|
{
|
2011-02-02 14:13:39 +00:00
|
|
|
private_ike_auth_t *this;
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
.public = {
|
|
|
|
.task = {
|
|
|
|
.get_type = _get_type,
|
|
|
|
.migrate = _migrate,
|
|
|
|
.build = _build_r,
|
|
|
|
.process = _process_r,
|
|
|
|
.destroy = _destroy,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
.ike_sa = ike_sa,
|
|
|
|
.initiator = initiator,
|
|
|
|
.candidates = linked_list_create(),
|
|
|
|
.do_another_auth = TRUE,
|
|
|
|
.expect_another_auth = TRUE,
|
|
|
|
);
|
2007-02-28 14:04:36 +00:00
|
|
|
if (initiator)
|
|
|
|
{
|
2011-02-02 14:13:39 +00:00
|
|
|
this->public.task.build = _build_i;
|
|
|
|
this->public.task.process = _process_i;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
return &this->public;
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|