2007-02-28 14:04:36 +00:00
|
|
|
/*
|
2009-04-14 10:34:24 +00:00
|
|
|
* Copyright (C) 2005-2009 Martin Willi
|
2007-02-28 14:04:36 +00:00
|
|
|
* Copyright (C) 2005 Jan Hutter
|
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
2008-03-13 14:14:44 +00:00
|
|
|
* for more details
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "ike_auth.h"
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include <daemon.h>
|
|
|
|
|
#include <encoding/payloads/id_payload.h>
|
|
|
|
|
#include <encoding/payloads/auth_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <encoding/payloads/eap_payload.h>
|
2007-02-28 14:04:36 +00:00
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
2007-03-08 00:27:43 +00:00
|
|
|
#include <sa/authenticators/eap_authenticator.h>
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
typedef struct private_ike_auth_t private_ike_auth_t;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private members of a ike_auth_t task.
|
|
|
|
|
*/
|
|
|
|
|
struct private_ike_auth_t {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public methods and task_t interface.
|
|
|
|
|
*/
|
|
|
|
|
ike_auth_t public;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Assigned IKE_SA.
|
|
|
|
|
*/
|
|
|
|
|
ike_sa_t *ike_sa;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Are we the initiator?
|
|
|
|
|
*/
|
|
|
|
|
bool initiator;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce chosen by us in ike_init
|
|
|
|
|
*/
|
|
|
|
|
chunk_t my_nonce;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Nonce chosen by peer in ike_init
|
|
|
|
|
*/
|
|
|
|
|
chunk_t other_nonce;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* IKE_SA_INIT message sent by us
|
|
|
|
|
*/
|
|
|
|
|
packet_t *my_packet;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* IKE_SA_INIT message sent by peer
|
|
|
|
|
*/
|
|
|
|
|
packet_t *other_packet;
|
|
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* completed authentication configs initiated by us (auth_cfg_t)
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
linked_list_t *my_cfgs;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* completed authentication configs initiated by other (auth_cfg_t)
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
linked_list_t *other_cfgs;;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* currently active authenticator, to authenticate us
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
authenticator_t *my_auth;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* currently active authenticator, to authenticate peer
|
|
|
|
|
*/
|
|
|
|
|
authenticator_t *other_auth;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* peer_cfg candidates, ordered by priority
|
|
|
|
|
*/
|
|
|
|
|
linked_list_t *candidates;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* selected peer config (might change when using multiple authentications)
|
|
|
|
|
*/
|
|
|
|
|
peer_cfg_t *peer_cfg;
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* have we planned an(other) authentication exchange?
|
|
|
|
|
*/
|
|
|
|
|
bool do_another_auth;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* has the peer announced another authentication exchange?
|
|
|
|
|
*/
|
|
|
|
|
bool expect_another_auth;
|
2008-06-10 09:08:27 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/**
|
|
|
|
|
* should we send a AUTHENTICATION_FAILED notify?
|
|
|
|
|
*/
|
|
|
|
|
bool authentication_failed;
|
|
|
|
|
};
|
2007-03-08 00:27:43 +00:00
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* check if multiple authentication extension is enabled, configuration-wise
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool multiple_auth_enabled()
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
return lib->settings->get_bool(lib->settings,
|
|
|
|
|
"charon.multiple_authentication", TRUE);
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from our message
|
|
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static status_t collect_my_init_data(private_ike_auth_t *this,
|
|
|
|
|
message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
|
nonce_payload_t *nonce;
|
|
|
|
|
|
|
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
|
if (nonce == NULL)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->my_nonce = nonce->get_nonce(nonce);
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* pre-generate the message, keep a copy */
|
2007-02-28 14:04:36 +00:00
|
|
|
if (this->ike_sa->generate_message(this->ike_sa, message,
|
|
|
|
|
&this->my_packet) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* collect the needed information in the IKE_SA_INIT exchange from others message
|
|
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static status_t collect_other_init_data(private_ike_auth_t *this,
|
|
|
|
|
message_t *message)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
|
/* we collect the needed information in the IKE_SA_INIT exchange */
|
|
|
|
|
nonce_payload_t *nonce;
|
|
|
|
|
|
|
|
|
|
/* get the nonce that was generated in ike_init */
|
|
|
|
|
nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
|
|
|
|
|
if (nonce == NULL)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->other_nonce = nonce->get_nonce(nonce);
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* keep a copy of the received packet */
|
2007-02-28 14:04:36 +00:00
|
|
|
this->other_packet = message->get_packet(message);
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-08 00:27:43 +00:00
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Get the next authentication configuration
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *e1, *e2;
|
|
|
|
|
auth_cfg_t *c1, *c2, *next = NULL;
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* find an available config not already done */
|
|
|
|
|
e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
|
|
|
|
|
while (e1->enumerate(e1, &c1))
|
2009-02-10 17:21:44 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
bool found = FALSE;
|
|
|
|
|
|
|
|
|
|
if (local)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
|
|
|
|
|
}
|
|
|
|
|
while (e2->enumerate(e2, &c2))
|
|
|
|
|
{
|
|
|
|
|
if (c2->complies(c2, c1, FALSE))
|
|
|
|
|
{
|
|
|
|
|
found = TRUE;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
e2->destroy(e2);
|
|
|
|
|
if (!found)
|
|
|
|
|
{
|
|
|
|
|
next = c1;
|
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
e1->destroy(e1);
|
|
|
|
|
return next;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Check if we have should initiate another authentication round
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool do_another_auth(private_ike_auth_t *this)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
bool do_another = FALSE;
|
|
|
|
|
enumerator_t *done, *todo;
|
|
|
|
|
auth_cfg_t *done_cfg, *todo_cfg;
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
return FALSE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
|
|
|
|
done = this->my_cfgs->create_enumerator(this->my_cfgs);
|
|
|
|
|
todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
|
|
|
|
|
while (todo->enumerate(todo, &todo_cfg))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!done->enumerate(done, &done_cfg))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
|
}
|
|
|
|
|
if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
|
|
|
|
|
{
|
|
|
|
|
do_another = TRUE;
|
|
|
|
|
break;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
done->destroy(done);
|
|
|
|
|
todo->destroy(todo);
|
|
|
|
|
return do_another;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* Get peer configuration candidates from backends
|
2007-03-08 00:27:43 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool load_cfg_candidates(private_ike_auth_t *this)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
peer_cfg_t *peer_cfg;
|
|
|
|
|
host_t *me, *other;
|
|
|
|
|
identification_t *my_id, *other_id;
|
|
|
|
|
|
|
|
|
|
me = this->ike_sa->get_my_host(this->ike_sa);
|
|
|
|
|
other = this->ike_sa->get_other_host(this->ike_sa);
|
|
|
|
|
my_id = this->ike_sa->get_my_id(this->ike_sa);
|
|
|
|
|
other_id = this->ike_sa->get_other_id(this->ike_sa);
|
|
|
|
|
|
|
|
|
|
enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
|
|
|
|
|
me, other, my_id, other_id);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &peer_cfg))
|
|
|
|
|
{
|
|
|
|
|
peer_cfg->get_ref(peer_cfg);
|
|
|
|
|
if (this->peer_cfg == NULL)
|
|
|
|
|
{ /* best match */
|
|
|
|
|
this->peer_cfg = peer_cfg;
|
|
|
|
|
this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->candidates->insert_last(this->candidates, peer_cfg);
|
|
|
|
|
}
|
2007-03-08 22:56:14 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
if (this->peer_cfg)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
DBG1(DBG_CFG, "selected peer config '%s'",
|
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
|
return TRUE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
DBG1(DBG_CFG, "no matching peer config found");
|
|
|
|
|
return FALSE;
|
2007-03-08 22:56:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2009-04-14 10:34:24 +00:00
|
|
|
* update the current peer candidate if necessary, using candidates
|
2007-03-08 22:56:14 +00:00
|
|
|
*/
|
2009-04-14 10:34:24 +00:00
|
|
|
static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
|
2007-03-08 22:56:14 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
do
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->peer_cfg)
|
|
|
|
|
{
|
|
|
|
|
bool complies = TRUE;
|
|
|
|
|
enumerator_t *e1, *e2, *tmp;
|
|
|
|
|
auth_cfg_t *c1, *c2;
|
2007-03-08 22:56:14 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
|
|
|
|
|
e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
|
|
|
|
|
|
|
|
|
|
if (strict)
|
|
|
|
|
{ /* swap lists in strict mode: all configured rounds must be
|
|
|
|
|
* fulfilled. If !strict, we check only the rounds done so far. */
|
|
|
|
|
tmp = e1;
|
|
|
|
|
e1 = e2;
|
|
|
|
|
e2 = tmp;
|
|
|
|
|
}
|
|
|
|
|
while (e1->enumerate(e1, &c1))
|
|
|
|
|
{
|
|
|
|
|
/* check if done authentications comply to configured ones */
|
|
|
|
|
if ((!e2->enumerate(e2, &c2)) ||
|
|
|
|
|
(!strict && !c1->complies(c1, c2, TRUE)) ||
|
|
|
|
|
(strict && !c2->complies(c2, c1, TRUE)))
|
|
|
|
|
{
|
|
|
|
|
complies = FALSE;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
e1->destroy(e1);
|
|
|
|
|
e2->destroy(e2);
|
|
|
|
|
if (complies)
|
|
|
|
|
{
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
|
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
|
this->peer_cfg->destroy(this->peer_cfg);
|
|
|
|
|
}
|
|
|
|
|
if (this->candidates->remove_first(this->candidates,
|
|
|
|
|
(void**)&this->peer_cfg) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "no alternative config found");
|
|
|
|
|
this->peer_cfg = NULL;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "switching to peer config '%s'",
|
|
|
|
|
this->peer_cfg->get_name(this->peer_cfg));
|
|
|
|
|
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
while (this->peer_cfg);
|
|
|
|
|
|
|
|
|
|
return this->peer_cfg != NULL;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for initiator
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_i(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
|
|
|
|
if (this->peer_cfg == NULL)
|
2007-03-08 16:58:59 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
|
|
|
|
this->peer_cfg->get_ref(this->peer_cfg);
|
2007-03-08 16:58:59 +00:00
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_message_id(message) == 1 &&
|
|
|
|
|
this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
|
|
|
|
|
{ /* in the first IKE_AUTH, indicate support for multiple authentication */
|
|
|
|
|
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
|
|
|
|
if (!this->do_another_auth && !this->my_auth)
|
|
|
|
|
{ /* we have done our rounds */
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* check if an authenticator is in progress */
|
|
|
|
|
if (this->my_auth == NULL)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
identification_t *id;
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
|
|
|
|
|
/* clean up authentication config from a previous round */
|
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
|
cfg->purge(cfg, TRUE);
|
|
|
|
|
|
|
|
|
|
/* add (optional) IDr */
|
|
|
|
|
cfg = get_auth_cfg(this, FALSE);
|
|
|
|
|
if (cfg)
|
|
|
|
|
{
|
|
|
|
|
id = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
|
if (id && !id->contains_wildcards(id))
|
|
|
|
|
{
|
|
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
|
|
|
|
|
id_payload = id_payload_create_from_identification(
|
|
|
|
|
ID_RESPONDER, id);
|
|
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* add IDi */
|
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
|
cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
|
|
|
|
|
id = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
|
if (!id)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "configuration misses IDi");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
|
|
|
|
|
id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
|
|
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
|
|
|
|
|
|
|
|
|
/* build authentication data */
|
|
|
|
|
this->my_auth = authenticator_create_builder(
|
|
|
|
|
this->ike_sa, cfg, this->other_nonce,
|
|
|
|
|
this->my_packet->get_data(this->my_packet));
|
|
|
|
|
if (!this->my_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->my_auth->build(this->my_auth, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
/* authentication step complete, reset authenticator */
|
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
|
|
|
|
|
this->my_cfgs->insert_last(this->my_cfgs, cfg);
|
|
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
|
this->my_auth = NULL;
|
|
|
|
|
break;
|
|
|
|
|
case NEED_MORE:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* check for additional authentication rounds */
|
|
|
|
|
if (do_another_auth(this))
|
|
|
|
|
{
|
|
|
|
|
if (message->get_payload(message, AUTHENTICATION))
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->do_another_auth = FALSE;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2007-04-10 22:38:06 +00:00
|
|
|
* Implementation of task_t.process for responder
|
2007-02-28 14:04:36 +00:00
|
|
|
*/
|
|
|
|
|
static status_t process_r(private_ike_auth_t *this, message_t *message)
|
2007-04-10 06:01:03 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg, *cand;
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
identification_t *id;
|
2007-04-10 06:01:03 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
|
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth == NULL && this->do_another_auth)
|
|
|
|
|
{
|
|
|
|
|
/* handle (optional) IDr payload, apply proposed identity */
|
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
|
|
|
|
|
if (id_payload)
|
|
|
|
|
{
|
|
|
|
|
id = id_payload->get_identification(id_payload);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
id = identification_create_from_encoding(ID_ANY, chunk_empty);
|
|
|
|
|
}
|
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!this->expect_another_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
|
|
|
|
|
{
|
|
|
|
|
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth == NULL)
|
|
|
|
|
{
|
|
|
|
|
/* handle IDi payload */
|
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
|
|
|
|
|
if (!id_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "IDi payload missing");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
id = id_payload->get_identification(id_payload);
|
|
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
|
|
|
|
|
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
|
|
|
|
|
|
|
|
|
|
if (this->peer_cfg == NULL)
|
|
|
|
|
{
|
|
|
|
|
if (!load_cfg_candidates(this))
|
|
|
|
|
{
|
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (message->get_payload(message, AUTHENTICATION) == NULL)
|
|
|
|
|
{ /* before authenticating with EAP, we need a EAP config */
|
|
|
|
|
cand = get_auth_cfg(this, FALSE);
|
|
|
|
|
while (!cand || (
|
|
|
|
|
(uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
|
|
|
|
|
(uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
|
|
|
|
|
{ /* peer requested EAP, but current config does not match */
|
|
|
|
|
this->peer_cfg->destroy(this->peer_cfg);
|
|
|
|
|
this->peer_cfg = NULL;
|
|
|
|
|
if (!update_cfg_candidates(this, FALSE))
|
|
|
|
|
{
|
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
cand = get_auth_cfg(this, FALSE);
|
|
|
|
|
}
|
|
|
|
|
cfg->merge(cfg, cand, TRUE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* verify authentication data */
|
|
|
|
|
this->other_auth = authenticator_create_verifier(
|
|
|
|
|
this->ike_sa, message, this->my_nonce,
|
|
|
|
|
this->other_packet->get_data(this->other_packet));
|
|
|
|
|
if (!this->other_auth)
|
|
|
|
|
{
|
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
switch (this->other_auth->process(this->other_auth, message))
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
2009-04-14 10:34:24 +00:00
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
|
this->other_auth = NULL;
|
2007-03-08 00:27:43 +00:00
|
|
|
break;
|
2009-04-14 10:34:24 +00:00
|
|
|
case NEED_MORE:
|
|
|
|
|
if (message->get_payload(message, AUTHENTICATION))
|
|
|
|
|
{ /* AUTH verification successful, but another build() needed */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
default:
|
2009-04-14 10:34:24 +00:00
|
|
|
this->authentication_failed = TRUE;
|
2008-03-13 14:14:44 +00:00
|
|
|
return NEED_MORE;
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
|
|
|
|
/* store authentication information */
|
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
|
|
|
|
|
this->other_cfgs->insert_last(this->other_cfgs, cfg);
|
|
|
|
|
|
|
|
|
|
/* another auth round done, invoke authorize hook */
|
|
|
|
|
if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
|
|
|
|
|
this->other_cfgs->get_count(this->other_cfgs));
|
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!update_cfg_candidates(this, FALSE))
|
2007-05-18 12:25:37 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
2007-05-18 12:25:37 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
|
|
|
|
if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
|
|
|
|
|
{
|
|
|
|
|
this->expect_another_auth = FALSE;
|
|
|
|
|
if (!update_cfg_candidates(this, TRUE))
|
|
|
|
|
{
|
|
|
|
|
this->authentication_failed = TRUE;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
2008-08-22 10:44:51 +00:00
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.build for responder
|
|
|
|
|
*/
|
|
|
|
|
static status_t build_r(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
|
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (multiple_auth_enabled())
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return collect_my_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->authentication_failed || this->peer_cfg == NULL)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth == NULL && this->do_another_auth)
|
2007-03-08 14:41:30 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
identification_t *id, *id_cfg;
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
|
|
|
|
|
/* add IDr */
|
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
|
|
|
cfg->purge(cfg, TRUE);
|
|
|
|
|
cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
|
|
|
|
|
|
|
|
|
|
id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
|
|
|
|
|
id = this->ike_sa->get_my_id(this->ike_sa);
|
|
|
|
|
if (id->get_type(id) == ID_ANY)
|
|
|
|
|
{ /* no IDr received, apply configured ID */
|
|
|
|
|
if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_CFG, "IDr not configured and negotiation failed");
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
|
|
|
|
|
id = id_cfg;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{ /* IDr received, check if it matches configuration */
|
|
|
|
|
if (id_cfg && !id->matches(id, id_cfg))
|
|
|
|
|
{
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
|
2009-04-14 10:34:24 +00:00
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
|
|
|
|
|
message->add_payload(message, (payload_t*)id_payload);
|
|
|
|
|
|
|
|
|
|
/* build authentication data */
|
|
|
|
|
this->my_auth = authenticator_create_builder(
|
|
|
|
|
this->ike_sa, cfg, this->other_nonce,
|
|
|
|
|
this->my_packet->get_data(this->my_packet));
|
|
|
|
|
if (!this->my_auth)
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-03-08 14:41:30 +00:00
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->other_auth->build(this->other_auth, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
|
this->other_auth = NULL;
|
|
|
|
|
break;
|
|
|
|
|
case NEED_MORE:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
|
|
|
|
|
{ /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
}
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth)
|
2008-04-14 13:23:24 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->my_auth->build(this->my_auth, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
|
|
|
|
|
TRUE);
|
|
|
|
|
this->my_cfgs->insert_last(this->my_cfgs, cfg);
|
|
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
|
this->my_auth = NULL;
|
|
|
|
|
break;
|
|
|
|
|
case NEED_MORE:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2008-04-14 13:23:24 +00:00
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
/* check for additional authentication rounds */
|
|
|
|
|
if (do_another_auth(this))
|
|
|
|
|
{
|
|
|
|
|
message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->do_another_auth = FALSE;
|
|
|
|
|
}
|
|
|
|
|
if (!this->do_another_auth && !this->expect_another_auth)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
|
|
|
|
|
this->ike_sa))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
|
|
|
|
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
|
|
|
|
chunk_empty);
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
2008-10-14 08:52:13 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
2007-02-28 14:04:36 +00:00
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.process for initiator
|
|
|
|
|
*/
|
|
|
|
|
static status_t process_i(private_ike_auth_t *this, message_t *message)
|
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator_t *enumerator;
|
2007-02-28 14:04:36 +00:00
|
|
|
payload_t *payload;
|
2009-04-14 10:34:24 +00:00
|
|
|
auth_cfg_t *cfg;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
if (message->get_exchange_type(message) == IKE_SA_INIT)
|
|
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
|
|
|
|
|
multiple_auth_enabled())
|
|
|
|
|
{
|
|
|
|
|
this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
return collect_other_init_data(this, message);
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator = message->create_payload_enumerator(message);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &payload))
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
|
|
|
|
if (payload->get_type(payload) == NOTIFY)
|
|
|
|
|
{
|
|
|
|
|
notify_payload_t *notify = (notify_payload_t*)payload;
|
|
|
|
|
notify_type_t type = notify->get_notify_type(notify);
|
|
|
|
|
|
|
|
|
|
switch (type)
|
|
|
|
|
{
|
|
|
|
|
case NO_PROPOSAL_CHOSEN:
|
|
|
|
|
case SINGLE_PAIR_REQUIRED:
|
|
|
|
|
case NO_ADDITIONAL_SAS:
|
|
|
|
|
case INTERNAL_ADDRESS_FAILURE:
|
|
|
|
|
case FAILED_CP_REQUIRED:
|
|
|
|
|
case TS_UNACCEPTABLE:
|
|
|
|
|
case INVALID_SELECTORS:
|
|
|
|
|
/* these are errors, but are not critical as only the
|
|
|
|
|
* CHILD_SA won't get build, but IKE_SA establishes anyway */
|
2007-06-21 15:25:28 +00:00
|
|
|
break;
|
|
|
|
|
case MOBIKE_SUPPORTED:
|
|
|
|
|
case ADDITIONAL_IP4_ADDRESS:
|
|
|
|
|
case ADDITIONAL_IP6_ADDRESS:
|
|
|
|
|
/* handled in ike_mobike task */
|
|
|
|
|
break;
|
2007-11-20 12:06:40 +00:00
|
|
|
case AUTH_LIFETIME:
|
2007-12-03 10:52:18 +00:00
|
|
|
/* handled in ike_auth_lifetime task */
|
2007-11-20 12:06:40 +00:00
|
|
|
break;
|
2008-03-26 18:40:19 +00:00
|
|
|
case ME_ENDPOINT:
|
|
|
|
|
/* handled in ike_me task */
|
2007-12-03 23:06:17 +00:00
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
default:
|
|
|
|
|
{
|
|
|
|
|
if (type < 16383)
|
|
|
|
|
{
|
2008-10-14 08:52:13 +00:00
|
|
|
DBG1(DBG_IKE, "received %N notify error",
|
2007-02-28 14:04:36 +00:00
|
|
|
notify_type_names, type);
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
2007-02-28 14:04:36 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
2008-04-02 19:15:05 +00:00
|
|
|
DBG2(DBG_IKE, "received %N notify",
|
2007-03-08 20:18:39 +00:00
|
|
|
notify_type_names, type);
|
|
|
|
|
break;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
enumerator->destroy(enumerator);
|
2007-02-28 14:04:36 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->my_auth)
|
2007-02-28 14:04:36 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
switch (this->my_auth->process(this->my_auth, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
|
|
|
|
|
TRUE);
|
|
|
|
|
this->my_cfgs->insert_last(this->my_cfgs, cfg);
|
|
|
|
|
this->my_auth->destroy(this->my_auth);
|
|
|
|
|
this->my_auth = NULL;
|
|
|
|
|
this->do_another_auth = do_another_auth(this);
|
|
|
|
|
break;
|
|
|
|
|
case NEED_MORE:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->expect_another_auth)
|
2007-03-08 00:27:43 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
if (this->other_auth == NULL)
|
|
|
|
|
{
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
identification_t *id;
|
|
|
|
|
|
|
|
|
|
/* responder is not allowed to do EAP */
|
|
|
|
|
if (!message->get_payload(message, AUTHENTICATION))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "AUTH payload missing");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handle IDr payload */
|
|
|
|
|
id_payload = (id_payload_t*)message->get_payload(message,
|
|
|
|
|
ID_RESPONDER);
|
|
|
|
|
if (!id_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "IDr payload missing");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
id = id_payload->get_identification(id_payload);
|
|
|
|
|
this->ike_sa->set_other_id(this->ike_sa, id);
|
|
|
|
|
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
|
|
|
|
|
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
|
|
|
|
|
|
|
|
|
|
/* verify authentication data */
|
|
|
|
|
this->other_auth = authenticator_create_verifier(
|
|
|
|
|
this->ike_sa, message, this->my_nonce,
|
|
|
|
|
this->other_packet->get_data(this->other_packet));
|
|
|
|
|
if (!this->other_auth)
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
switch (this->other_auth->process(this->other_auth, message))
|
|
|
|
|
{
|
|
|
|
|
case SUCCESS:
|
|
|
|
|
break;
|
|
|
|
|
case NEED_MORE:
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
/* store authentication information, reset authenticator */
|
|
|
|
|
cfg = auth_cfg_create();
|
|
|
|
|
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
|
|
|
|
|
this->other_cfgs->insert_last(this->other_cfgs, cfg);
|
|
|
|
|
this->other_auth->destroy(this->other_auth);
|
|
|
|
|
this->other_auth = NULL;
|
|
|
|
|
|
|
|
|
|
/* another auth round done, invoke authorize hook */
|
|
|
|
|
if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
|
|
|
|
|
this->other_cfgs->get_count(this->other_cfgs));
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2007-03-08 00:27:43 +00:00
|
|
|
}
|
|
|
|
|
|
2009-04-14 10:34:24 +00:00
|
|
|
if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
|
2008-03-13 14:14:44 +00:00
|
|
|
{
|
2009-04-14 10:34:24 +00:00
|
|
|
this->expect_another_auth = FALSE;
|
2008-03-13 14:14:44 +00:00
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
|
|
|
|
|
{
|
|
|
|
|
if (!update_cfg_candidates(this, TRUE))
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
2009-04-14 10:34:24 +00:00
|
|
|
this->ike_sa->get_name(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_unique_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_my_id(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_id(this->ike_sa));
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
return NEED_MORE;
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.get_type
|
|
|
|
|
*/
|
|
|
|
|
static task_type_t get_type(private_ike_auth_t *this)
|
|
|
|
|
{
|
|
|
|
|
return IKE_AUTHENTICATE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.migrate
|
|
|
|
|
*/
|
|
|
|
|
static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
|
|
|
|
|
{
|
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
|
DESTROY_IF(this->other_packet);
|
2009-04-14 10:34:24 +00:00
|
|
|
DESTROY_IF(this->peer_cfg);
|
|
|
|
|
DESTROY_IF(this->my_auth);
|
|
|
|
|
DESTROY_IF(this->other_auth);
|
|
|
|
|
this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
|
|
|
|
|
this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
|
|
|
|
|
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
|
2007-03-08 00:27:43 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
this->my_packet = NULL;
|
|
|
|
|
this->other_packet = NULL;
|
|
|
|
|
this->ike_sa = ike_sa;
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg = NULL;
|
|
|
|
|
this->my_auth = NULL;
|
|
|
|
|
this->other_auth = NULL;
|
|
|
|
|
this->do_another_auth = TRUE;
|
|
|
|
|
this->expect_another_auth = TRUE;
|
|
|
|
|
this->authentication_failed = FALSE;
|
|
|
|
|
this->my_cfgs = linked_list_create();
|
|
|
|
|
this->other_cfgs = linked_list_create();
|
|
|
|
|
this->candidates = linked_list_create();
|
2007-02-28 14:04:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of task_t.destroy
|
|
|
|
|
*/
|
|
|
|
|
static void destroy(private_ike_auth_t *this)
|
|
|
|
|
{
|
|
|
|
|
chunk_free(&this->my_nonce);
|
|
|
|
|
chunk_free(&this->other_nonce);
|
|
|
|
|
DESTROY_IF(this->my_packet);
|
|
|
|
|
DESTROY_IF(this->other_packet);
|
2009-04-14 10:34:24 +00:00
|
|
|
DESTROY_IF(this->my_auth);
|
|
|
|
|
DESTROY_IF(this->other_auth);
|
|
|
|
|
DESTROY_IF(this->peer_cfg);
|
|
|
|
|
this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
|
|
|
|
|
this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
|
|
|
|
|
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
|
2007-02-28 14:04:36 +00:00
|
|
|
free(this);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Described in header.
|
|
|
|
|
*/
|
|
|
|
|
ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
|
|
|
|
|
{
|
|
|
|
|
private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
|
2009-04-14 10:34:24 +00:00
|
|
|
|
2007-02-28 14:04:36 +00:00
|
|
|
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
|
|
|
|
|
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
|
|
|
|
|
this->public.task.destroy = (void(*)(task_t*))destroy;
|
|
|
|
|
|
|
|
|
|
if (initiator)
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
|
|
|
|
|
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
this->ike_sa = ike_sa;
|
|
|
|
|
this->initiator = initiator;
|
|
|
|
|
this->my_nonce = chunk_empty;
|
|
|
|
|
this->other_nonce = chunk_empty;
|
|
|
|
|
this->my_packet = NULL;
|
|
|
|
|
this->other_packet = NULL;
|
2009-04-14 10:34:24 +00:00
|
|
|
this->peer_cfg = NULL;
|
|
|
|
|
this->my_cfgs = linked_list_create();
|
|
|
|
|
this->other_cfgs = linked_list_create();
|
|
|
|
|
this->candidates = linked_list_create();
|
|
|
|
|
this->my_auth = NULL;
|
|
|
|
|
this->other_auth = NULL;
|
|
|
|
|
this->do_another_auth = TRUE;
|
|
|
|
|
this->expect_another_auth = TRUE;
|
|
|
|
|
this->authentication_failed = FALSE;
|
2007-02-28 14:04:36 +00:00
|
|
|
|
|
|
|
|
return &this->public;
|
|
|
|
|
}
|
2009-04-14 10:34:24 +00:00
|
|
|
|
