2007-02-28 14:04:36 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2005-2007 Martin Willi
|
|
|
|
|
* Copyright (C) 2005 Jan Hutter
|
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
2008-03-13 14:14:44 +00:00
|
|
|
* for more details
|
|
|
|
|
*
|
|
|
|
|
* $Id$
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "ike_auth.h"
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include <daemon.h>
|
|
|
|
|
#include <crypto/diffie_hellman.h>
|
|
|
|
|
#include <encoding/payloads/id_payload.h>
|
|
|
|
|
#include <encoding/payloads/auth_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <encoding/payloads/eap_payload.h>
|
2007-02-28 14:04:36 +00:00
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <sa/authenticators/eap_authenticator.h>
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
typedef struct private_ike_auth_t private_ike_auth_t;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private members of a ike_auth_t task.
|
|
|
|
|
*/
|
|
|
|
|
struct private_ike_auth_t {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public methods and task_t interface.
|
|
|
|
|
*/
|
|
|
|
|
ike_auth_t public;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Assigned IKE_SA.
|
|
|
|
|
*/
|
|
|
|
|
ike_sa_t *ike_sa;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Are we the initiator?
|
|
|
|
|
*/
|
|
|
|
|
bool initiator;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce chosen by us in ike_init
|
|
|
|
|
*/
|
|
|
|
|
chunk_t my_nonce;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce chosen by peer in ike_init
|
|
|
|
|
*/
|
|
|
|
|
chunk_t other_nonce;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* IKE_SA_INIT message sent by us
|
|
|
|
|
*/
|
|
|
|
|
packet_t *my_packet;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* IKE_SA_INIT message sent by peer
|
|
|
|
|
*/
|
|
|
|
|
packet_t *other_packet;
|
|
|
|
|
|
|
|
|
|
/**
|
2007-03-08 00:27:43 +00:00
|
|
|
* EAP authenticator when using EAP
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2007-03-08 00:27:43 +00:00
|
|
|
eap_authenticator_t *eap_auth;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
/**
|
2007-03-08 00:27:43 +00:00
|
|
|
* EAP payload received and ready to process
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2007-03-08 00:27:43 +00:00
|
|
|
eap_payload_t *eap_payload;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* has the peer been authenticated successfully?
|
|
|
|
|
*/
|
|
|
|
|
bool peer_authenticated;
|
|
|
|
|
};
|
|
|
|
|
|
2008-04-14 13:23:24 +00:00
|
|
|
/**
|
|
|
|
|
* check uniqueness and delete duplicates
|
|
|
|
|
*/
|
|
|
|
|
static bool check_uniqueness(private_ike_auth_t *this)
|
|
|
|
|
{
|
|
|
|
|
ike_sa_t *duplicate;
|
|
|
|
|
unique_policy_t policy;
|
|
|
|
|
status_t status = SUCCESS;
|
|
|
|
|
peer_cfg_t *peer_cfg;
|
|
|
|
|
bool cancel = FALSE;
|
|
|
|
|
|
|
|
|
|
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
|
policy = peer_cfg->get_unique_policy(peer_cfg);
|
|
|
|
|
if (policy == UNIQUE_NO)
|
|
|
|
|
{
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
duplicate = charon->ike_sa_manager->checkout_duplicate(
|
|
|
|
|
charon->ike_sa_manager, this->ike_sa);
|
|
|
|
|
if (duplicate)
|
|
|
|
|
{
|
|
|
|
|
peer_cfg = duplicate->get_peer_cfg(duplicate);
|
|
|
|
|
if (peer_cfg &&
|
|
|
|
|
peer_cfg->equals(peer_cfg, this->ike_sa->get_peer_cfg(this->ike_sa)))
|
|
|
|
|
{
|
|
|
|
|
switch (duplicate->get_state(duplicate))
|
|
|
|
|
{
|
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
|
case IKE_REKEYING:
|
|
|
|
|
switch (policy)
|
|
|
|
|
{
|
|
|
|
|
case UNIQUE_REPLACE:
|
|
|
|
|
DBG1(DBG_IKE, "deleting duplicate IKE_SA due "
|
|
|
|
|
"uniqueness policy");
|
|
|
|
|
status = duplicate->delete(duplicate);
|
|
|
|
|
break;
|
|
|
|
|
case UNIQUE_KEEP:
|
|
|
|
|
DBG1(DBG_IKE, "cancelling IKE_SA setup due "
|
|
|
|
|
"uniqueness policy");
|
|
|
|
|
cancel = TRUE;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (status == DESTROY_ME)
|
|
|
|
|
{
|
|
|
|
|
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
|
|
|
|
|
duplicate);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
charon->ike_sa_manager->checkin(charon->ike_sa_manager, duplicate);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return cancel;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
2007-03-08 00:27:43 +00:00
|
|
|
* build the AUTH payload
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2007-03-08 00:27:43 +00:00
|
|
|
static status_t build_auth(private_ike_auth_t *this, message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
|
authenticator_t *auth;
|
|
|
|
|
auth_payload_t *auth_payload;
|
2007-04-10 06:01:03 +00:00
|
|
|
peer_cfg_t *config;
|
2008-06-10 09:08:27 +00:00
|
|
|
config_auth_method_t method;
|
2007-02-28 14:04:36 +00:00
|
|
|
status_t status;
|
|
|
|
|
|
2007-03-05 15:22:50 +00:00
|
|
|
/* create own authenticator and add auth payload */
|
2007-04-10 06:01:03 +00:00
|
|
|
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
|
if (!config)
|
2007-03-05 15:22:50 +00:00
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found");
|
2007-03-05 15:22:50 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-04-10 06:01:03 +00:00
|
|
|
method = config->get_auth_method(config);
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
auth = authenticator_create(this->ike_sa, method);
|
|
|
|
|
if (auth == NULL)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "configured authentication method %N not supported",
|
2008-06-10 09:08:27 +00:00
|
|
|
config_auth_method_names, method);
|
2007-02-28 14:04:36 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
status = auth->build(auth, this->my_packet->get_data(this->my_packet),
|
|
|
|
|
this->other_nonce, &auth_payload);
|
2007-02-28 14:04:36 +00:00
|
|
|
auth->destroy(auth);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "generating authentication data failed");
|
2007-02-28 14:04:36 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
message->add_payload(message, (payload_t*)auth_payload);
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2007-03-08 14:41:30 +00:00
|
|
|
* build ID payload(s)
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2007-03-08 00:27:43 +00:00
|
|
|
static status_t build_id(private_ike_auth_t *this, message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2007-03-08 00:27:43 +00:00
|
|
|
identification_t *me, *other;
|
|
|
|
|
id_payload_t *id;
|
2007-04-10 06:01:03 +00:00
|
|
|
peer_cfg_t *config;
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
|
me = this->ike_sa->get_my_id(this->ike_sa);
|
|
|
|
|
other = this->ike_sa->get_other_id(this->ike_sa);
|
2007-04-10 06:01:03 +00:00
|
|
|
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
|
if (me->contains_wildcards(me))
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2007-04-10 06:01:03 +00:00
|
|
|
me = config->get_my_id(config);
|
2007-03-08 00:27:43 +00:00
|
|
|
if (me->contains_wildcards(me))
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "negotiation of own ID failed");
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
2007-10-02 11:55:10 +00:00
|
|
|
id = id_payload_create_from_identification(this->initiator ? ID_INITIATOR : ID_RESPONDER, me);
|
2007-03-08 00:27:43 +00:00
|
|
|
message->add_payload(message, (payload_t*)id);
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
/* as initiator, include other ID if it does not contain wildcards */
|
|
|
|
|
if (this->initiator && !other->contains_wildcards(other))
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2007-10-02 11:55:10 +00:00
|
|
|
id = id_payload_create_from_identification(ID_RESPONDER, other);
|
2007-03-08 00:27:43 +00:00
|
|
|
message->add_payload(message, (payload_t*)id);
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* process AUTH payload
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_auth(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
auth_payload_t *auth_payload;
|
|
|
|
|
authenticator_t *auth;
|
|
|
|
|
auth_method_t auth_method;
|
|
|
|
|
status_t status;
|
|
|
|
|
|
|
|
|
|
auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
if (auth_payload == NULL)
|
|
|
|
|
{
|
2007-03-08 00:27:43 +00:00
|
|
|
/* AUTH payload is missing, client wants to use EAP authentication */
|
|
|
|
|
return NOT_FOUND;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2008-06-10 09:08:27 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
auth_method = auth_payload->get_auth_method(auth_payload);
|
2008-06-10 09:08:27 +00:00
|
|
|
auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload);
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (auth == NULL)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not "
|
2007-02-28 14:04:36 +00:00
|
|
|
"supported", auth_method_names, auth_method,
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-03-08 00:27:43 +00:00
|
|
|
return NOT_SUPPORTED;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
status = auth->verify(auth, this->other_packet->get_data(this->other_packet),
|
|
|
|
|
this->my_nonce, auth_payload);
|
|
|
|
|
auth->destroy(auth);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
|
2007-02-28 14:04:36 +00:00
|
|
|
this->ike_sa->get_other_id(this->ike_sa),
|
|
|
|
|
auth_method_names, auth_method);
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* process ID payload(s)
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_id(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2007-04-25 06:06:13 +00:00
|
|
|
identification_t *id, *req;
|
2007-03-08 00:27:43 +00:00
|
|
|
id_payload_t *idr, *idi;
|
|
|
|
|
|
|
|
|
|
idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
|
|
|
|
|
idr = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
|
|
|
|
|
|
|
|
|
|
if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "ID payload missing in message");
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
id = idr->get_identification(idr);
|
2007-04-25 06:06:13 +00:00
|
|
|
req = this->ike_sa->get_other_id(this->ike_sa);
|
2008-03-13 14:14:44 +00:00
|
|
|
if (!id->matches(id, req))
|
2007-04-25 06:06:13 +00:00
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
|
2007-04-25 06:06:13 +00:00
|
|
|
id->destroy(id);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
id = idi->get_identification(idi);
|
|
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
|
if (idr)
|
|
|
|
|
{
|
|
|
|
|
id = idr->get_identification(idr);
|
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id);
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return SUCCESS;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from our message
|
|
|
|
|
*/
|
|
|
|
|
static status_t collect_my_init_data(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
nonce_payload_t *nonce;
|
|
|
|
|
|
|
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
|
if (nonce == NULL)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->my_nonce = nonce->get_nonce(nonce);
|
|
|
|
|
|
|
|
|
|
/* pre-generate the message, so we can store it for us */
|
|
|
|
|
if (this->ike_sa->generate_message(this->ike_sa, message,
|
|
|
|
|
&this->my_packet) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from others message
|
|
|
|
|
*/
|
|
|
|
|
static status_t collect_other_init_data(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
/* we collect the needed information in the IKE_SA_INIT exchange */
|
|
|
|
|
nonce_payload_t *nonce;
|
|
|
|
|
|
|
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
|
if (nonce == NULL)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->other_nonce = nonce->get_nonce(nonce);
|
|
|
|
|
|
|
|
|
|
/* pre-generate the message, so we can store it for us */
|
|
|
|
|
this->other_packet = message->get_packet(message);
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-20 12:06:40 +00:00
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build to create AUTH payload from EAP data
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
authenticator_t *auth;
|
|
|
|
|
auth_payload_t *auth_payload;
|
|
|
|
|
|
|
|
|
|
auth = (authenticator_t*)this->eap_auth;
|
|
|
|
|
if (auth->build(auth, this->my_packet->get_data(this->my_packet),
|
|
|
|
|
this->other_nonce, &auth_payload) != SUCCESS)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "generating authentication data failed");
|
2007-03-08 00:27:43 +00:00
|
|
|
if (!this->initiator)
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
}
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
message->add_payload(message, (payload_t*)auth_payload);
|
2007-03-27 16:11:29 +00:00
|
|
|
if (!this->initiator)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2007-03-27 16:11:29 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2008-07-22 17:10:10 +00:00
|
|
|
SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
|
2007-09-15 15:54:30 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
2007-03-27 16:11:29 +00:00
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2008-03-19 12:06:38 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-03-27 16:11:29 +00:00
|
|
|
return SUCCESS;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2007-03-27 16:11:29 +00:00
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.process to verify AUTH payload after EAP
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
auth_payload_t *auth_payload;
|
|
|
|
|
authenticator_t *auth;
|
|
|
|
|
|
|
|
|
|
auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
|
|
|
|
|
this->peer_authenticated = FALSE;
|
|
|
|
|
|
|
|
|
|
if (auth_payload)
|
|
|
|
|
{
|
|
|
|
|
auth = (authenticator_t*)this->eap_auth;
|
|
|
|
|
if (auth->verify(auth, this->other_packet->get_data(this->other_packet),
|
|
|
|
|
this->my_nonce, auth_payload) == SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->peer_authenticated = TRUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!this->peer_authenticated)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->get_other_id(this->ike_sa),
|
|
|
|
|
auth_method_names, AUTH_EAP);
|
|
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
2007-03-27 16:11:29 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2008-07-22 17:10:10 +00:00
|
|
|
SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
|
2007-09-15 15:54:30 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
2007-03-27 16:11:29 +00:00
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2008-03-19 12:06:38 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-03-08 00:27:43 +00:00
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.process for EAP exchanges
|
|
|
|
|
*/
|
2007-03-08 22:56:14 +00:00
|
|
|
static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
|
eap_payload_t *eap;
|
|
|
|
|
|
|
|
|
|
eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
|
2007-03-08 22:56:14 +00:00
|
|
|
if (eap == NULL)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "EAP payload missing");
|
2007-03-08 22:56:14 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
switch (this->eap_auth->process(this->eap_auth, eap, &eap))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2007-03-08 22:56:14 +00:00
|
|
|
case NEED_MORE:
|
|
|
|
|
this->eap_payload = eap;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
/* EAP exchange completed, now create and process AUTH */
|
|
|
|
|
this->eap_payload = NULL;
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
default:
|
|
|
|
|
this->eap_payload = NULL;
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP",
|
2007-03-08 22:56:14 +00:00
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
|
|
|
|
return FAILED;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2007-03-08 22:56:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.process for EAP exchanges
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_eap_r(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
this->eap_payload = (eap_payload_t*)message->get_payload(message,
|
|
|
|
|
EXTENSIBLE_AUTHENTICATION);
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for EAP exchanges
|
|
|
|
|
*/
|
2007-03-08 22:56:14 +00:00
|
|
|
static status_t build_eap_i(private_ike_auth_t *this, message_t *message)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2007-03-08 22:56:14 +00:00
|
|
|
message->add_payload(message, (payload_t*)this->eap_payload);
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for EAP exchanges
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
status_t status = NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
eap_payload_t *eap;
|
2007-03-08 22:56:14 +00:00
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
if (this->eap_payload == NULL)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "EAP payload missing");
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 22:56:14 +00:00
|
|
|
switch (this->eap_auth->process(this->eap_auth, this->eap_payload, &eap))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
|
case NEED_MORE:
|
2007-03-08 22:56:14 +00:00
|
|
|
|
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
case SUCCESS:
|
|
|
|
|
/* EAP exchange completed, now create and process AUTH */
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
|
2007-03-08 22:56:14 +00:00
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
default:
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->get_other_id(this->ike_sa),
|
|
|
|
|
auth_method_names, AUTH_EAP);
|
2007-03-08 22:56:14 +00:00
|
|
|
status = FAILED;
|
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2007-03-08 22:56:14 +00:00
|
|
|
message->add_payload(message, (payload_t*)eap);
|
|
|
|
|
return status;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for initiator
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_i(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2007-04-10 06:01:03 +00:00
|
|
|
peer_cfg_t *config;
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
|
}
|
2007-03-08 16:58:59 +00:00
|
|
|
|
|
|
|
|
if (build_id(this, message) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2007-04-10 06:01:03 +00:00
|
|
|
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
2008-06-10 09:08:27 +00:00
|
|
|
if (config->get_auth_method(config) == CONF_AUTH_EAP)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2007-03-08 00:27:43 +00:00
|
|
|
this->eap_auth = eap_authenticator_create(this->ike_sa);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (build_auth(this, message) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
2007-03-08 16:58:59 +00:00
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2007-04-10 22:38:06 +00:00
|
|
|
* Implementation of task_t.process for responder
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
|
|
|
|
static status_t process_r(private_ike_auth_t *this, message_t *message)
|
2007-04-10 06:01:03 +00:00
|
|
|
{
|
|
|
|
|
peer_cfg_t *config;
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
if (process_id(this, message) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
switch (process_auth(this, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
this->peer_authenticated = TRUE;
|
|
|
|
|
break;
|
|
|
|
|
case NOT_FOUND:
|
|
|
|
|
/* use EAP if no AUTH payload found */
|
2007-11-20 12:06:40 +00:00
|
|
|
this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
|
2007-03-08 00:27:43 +00:00
|
|
|
this->eap_auth = eap_authenticator_create(this->ike_sa);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2008-03-13 14:14:44 +00:00
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2007-05-18 12:25:37 +00:00
|
|
|
|
|
|
|
|
config = charon->backends->get_peer_cfg(charon->backends,
|
2008-07-01 09:05:20 +00:00
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
2007-05-18 12:25:37 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa),
|
2008-03-13 14:14:44 +00:00
|
|
|
this->ike_sa->get_other_auth(this->ike_sa));
|
2007-05-18 12:25:37 +00:00
|
|
|
if (config)
|
|
|
|
|
{
|
|
|
|
|
this->ike_sa->set_peer_cfg(this->ike_sa, config);
|
|
|
|
|
config->destroy(config);
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for responder
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_r(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2007-04-10 06:01:03 +00:00
|
|
|
peer_cfg_t *config;
|
2007-03-08 00:27:43 +00:00
|
|
|
eap_type_t eap_type;
|
2007-12-13 17:31:21 +00:00
|
|
|
u_int32_t eap_vendor;
|
2007-03-08 00:27:43 +00:00
|
|
|
eap_payload_t *eap_payload;
|
|
|
|
|
status_t status;
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
if (!this->peer_authenticated && this->eap_auth == NULL)
|
|
|
|
|
{
|
|
|
|
|
/* peer not authenticated, nor does it want to use EAP */
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2007-04-10 06:01:03 +00:00
|
|
|
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
|
if (config == NULL)
|
2007-03-08 14:41:30 +00:00
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'",
|
2007-04-10 06:01:03 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-03-08 14:41:30 +00:00
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
if (build_id(this, message) != SUCCESS ||
|
|
|
|
|
build_auth(this, message) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-14 13:23:24 +00:00
|
|
|
if (check_uniqueness(this))
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
/* use "traditional" authentication if we could authenticate peer */
|
|
|
|
|
if (this->peer_authenticated)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2008-07-22 17:10:10 +00:00
|
|
|
SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
|
2007-09-15 15:54:30 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
2007-02-28 14:04:36 +00:00
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2008-03-19 12:06:38 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-02-28 14:04:36 +00:00
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
|
/* initiate EAP authenitcation */
|
2007-12-13 17:31:21 +00:00
|
|
|
eap_type = config->get_eap_type(config, &eap_vendor);
|
|
|
|
|
status = this->eap_auth->initiate(this->eap_auth, eap_type,
|
|
|
|
|
eap_vendor, &eap_payload);
|
2007-03-08 00:27:43 +00:00
|
|
|
message->add_payload(message, (payload_t*)eap_payload);
|
|
|
|
|
if (status != NEED_MORE)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "unable to initiate EAP authentication");
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* switch to EAP methods */
|
2007-03-08 22:56:14 +00:00
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_r;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_r;
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.process for initiator
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_i(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
payload_t *payload;
|
2008-03-13 14:14:44 +00:00
|
|
|
peer_cfg_t *config;
|
|
|
|
|
auth_info_t *auth;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
iterator = message->get_payload_iterator(message);
|
|
|
|
|
while (iterator->iterate(iterator, (void**)&payload))
|
|
|
|
|
{
|
|
|
|
|
if (payload->get_type(payload) == NOTIFY)
|
|
|
|
|
{
|
|
|
|
|
notify_payload_t *notify = (notify_payload_t*)payload;
|
|
|
|
|
notify_type_t type = notify->get_notify_type(notify);
|
|
|
|
|
|
|
|
|
|
switch (type)
|
|
|
|
|
{
|
|
|
|
|
case NO_PROPOSAL_CHOSEN:
|
|
|
|
|
case SINGLE_PAIR_REQUIRED:
|
|
|
|
|
case NO_ADDITIONAL_SAS:
|
|
|
|
|
case INTERNAL_ADDRESS_FAILURE:
|
|
|
|
|
case FAILED_CP_REQUIRED:
|
|
|
|
|
case TS_UNACCEPTABLE:
|
|
|
|
|
case INVALID_SELECTORS:
|
|
|
|
|
/* these are errors, but are not critical as only the
|
|
|
|
|
* CHILD_SA won't get build, but IKE_SA establishes anyway */
|
2007-06-21 15:25:28 +00:00
|
|
|
break;
|
|
|
|
|
case MOBIKE_SUPPORTED:
|
|
|
|
|
case ADDITIONAL_IP4_ADDRESS:
|
|
|
|
|
case ADDITIONAL_IP6_ADDRESS:
|
|
|
|
|
/* handled in ike_mobike task */
|
|
|
|
|
break;
|
2007-11-20 12:06:40 +00:00
|
|
|
case AUTH_LIFETIME:
|
2007-12-03 10:52:18 +00:00
|
|
|
/* handled in ike_auth_lifetime task */
|
2007-11-20 12:06:40 +00:00
|
|
|
break;
|
2008-03-26 18:40:19 +00:00
|
|
|
case ME_ENDPOINT:
|
|
|
|
|
/* handled in ike_me task */
|
2007-12-03 23:06:17 +00:00
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
default:
|
|
|
|
|
{
|
|
|
|
|
if (type < 16383)
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "received %N notify error",
|
2007-02-28 14:04:36 +00:00
|
|
|
notify_type_names, type);
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2008-04-02 19:15:05 +00:00
|
|
|
DBG2(DBG_IKE, "received %N notify",
|
2007-03-08 20:18:39 +00:00
|
|
|
notify_type_names, type);
|
|
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
if (process_id(this, message) != SUCCESS ||
|
|
|
|
|
process_auth(this, message) != SUCCESS)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2007-03-08 00:27:43 +00:00
|
|
|
return FAILED;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
|
if (this->eap_auth)
|
|
|
|
|
{
|
|
|
|
|
/* switch to EAP authentication methods */
|
2007-03-08 22:56:14 +00:00
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_i;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_i;
|
|
|
|
|
return process_eap_i(this, message);
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
2008-03-13 14:14:44 +00:00
|
|
|
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
|
auth = this->ike_sa->get_other_auth(this->ike_sa);
|
|
|
|
|
if (!auth->complies(auth, config->get_auth(config)))
|
|
|
|
|
{
|
2008-07-18 15:51:40 +00:00
|
|
|
SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed",
|
2008-03-13 14:14:44 +00:00
|
|
|
this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2008-07-22 17:10:10 +00:00
|
|
|
SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
|
2007-09-15 15:54:30 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
2007-03-08 00:27:43 +00:00
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
2008-03-19 12:06:38 +00:00
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
2008-07-21 12:47:59 +00:00
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-03-08 00:27:43 +00:00
|
|
|
return SUCCESS;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.get_type
|
|
|
|
|
*/
|
|
|
|
|
static task_type_t get_type(private_ike_auth_t *this)
|
|
|
|
|
{
|
|
|
|
|
return IKE_AUTHENTICATE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.migrate
|
|
|
|
|
*/
|
|
|
|
|
static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
|
|
|
|
|
{
|
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
|
DESTROY_IF(this->other_packet);
|
2007-03-08 00:27:43 +00:00
|
|
|
if (this->eap_auth)
|
|
|
|
|
{
|
|
|
|
|
this->eap_auth->authenticator_interface.destroy(
|
|
|
|
|
&this->eap_auth->authenticator_interface);
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
this->my_packet = NULL;
|
|
|
|
|
this->other_packet = NULL;
|
|
|
|
|
this->peer_authenticated = FALSE;
|
2007-03-08 00:27:43 +00:00
|
|
|
this->eap_auth = NULL;
|
|
|
|
|
this->eap_payload = NULL;
|
2007-02-28 14:04:36 +00:00
|
|
|
this->ike_sa = ike_sa;
|
2007-03-08 00:27:43 +00:00
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.destroy
|
|
|
|
|
*/
|
|
|
|
|
static void destroy(private_ike_auth_t *this)
|
|
|
|
|
{
|
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
|
DESTROY_IF(this->other_packet);
|
2007-03-08 00:27:43 +00:00
|
|
|
if (this->eap_auth)
|
|
|
|
|
{
|
|
|
|
|
this->eap_auth->authenticator_interface.destroy(
|
|
|
|
|
&this->eap_auth->authenticator_interface);
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
free(this);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Described in header.
|
|
|
|
|
*/
|
|
|
|
|
ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
|
|
|
|
|
{
|
|
|
|
|
private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
|
|
|
|
|
|
|
|
|
|
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
|
|
|
|
|
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
|
|
|
|
|
this->public.task.destroy = (void(*)(task_t*))destroy;
|
|
|
|
|
|
|
|
|
|
if (initiator)
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
this->ike_sa = ike_sa;
|
|
|
|
|
this->initiator = initiator;
|
|
|
|
|
this->my_nonce = chunk_empty;
|
|
|
|
|
this->other_nonce = chunk_empty;
|
|
|
|
|
this->my_packet = NULL;
|
|
|
|
|
this->other_packet = NULL;
|
|
|
|
|
this->peer_authenticated = FALSE;
|
2007-03-08 00:27:43 +00:00
|
|
|
this->eap_auth = NULL;
|
|
|
|
|
this->eap_payload = NULL;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
return &this->public;
|
|
|
|
|
}
|
