Make use of the new Phase 1 helper class in main mode
This commit is contained in:
parent
c29a89b80d
commit
b4bd875612
|
@ -21,11 +21,8 @@
|
|||
#include <string.h>
|
||||
|
||||
#include <daemon.h>
|
||||
#include <sa/ikev1/keymat_v1.h>
|
||||
#include <crypto/diffie_hellman.h>
|
||||
#include <sa/ikev1/phase1.h>
|
||||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/ke_payload.h>
|
||||
#include <encoding/payloads/nonce_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
#include <encoding/payloads/hash_payload.h>
|
||||
#include <sa/ikev1/tasks/xauth.h>
|
||||
|
@ -56,6 +53,11 @@ struct private_main_mode_t {
|
|||
*/
|
||||
bool initiator;
|
||||
|
||||
/**
|
||||
* Common phase 1 helper class
|
||||
*/
|
||||
phase1_t *ph1;
|
||||
|
||||
/**
|
||||
* IKE config to establish
|
||||
*/
|
||||
|
@ -66,51 +68,11 @@ struct private_main_mode_t {
|
|||
*/
|
||||
peer_cfg_t *peer_cfg;
|
||||
|
||||
/**
|
||||
* Local authentication configuration
|
||||
*/
|
||||
auth_cfg_t *my_auth;
|
||||
|
||||
/**
|
||||
* Remote authentication configuration
|
||||
*/
|
||||
auth_cfg_t *other_auth;
|
||||
|
||||
/**
|
||||
* selected IKE proposal
|
||||
*/
|
||||
proposal_t *proposal;
|
||||
|
||||
/**
|
||||
* DH exchange
|
||||
*/
|
||||
diffie_hellman_t *dh;
|
||||
|
||||
/**
|
||||
* Keymat derivation (from SA)
|
||||
*/
|
||||
keymat_v1_t *keymat;
|
||||
|
||||
/**
|
||||
* Received public DH value from peer
|
||||
*/
|
||||
chunk_t dh_value;
|
||||
|
||||
/**
|
||||
* Initiators nonce
|
||||
*/
|
||||
chunk_t nonce_i;
|
||||
|
||||
/**
|
||||
* Responder nonce
|
||||
*/
|
||||
chunk_t nonce_r;
|
||||
|
||||
/**
|
||||
* Encoded SA initiator payload used for authentication
|
||||
*/
|
||||
chunk_t sa_payload;
|
||||
|
||||
/**
|
||||
* Negotiated SA lifetime
|
||||
*/
|
||||
|
@ -119,7 +81,7 @@ struct private_main_mode_t {
|
|||
/**
|
||||
* Negotiated authentication method
|
||||
*/
|
||||
auth_method_t auth_method;
|
||||
auth_method_t method;
|
||||
|
||||
/** states of main mode */
|
||||
enum {
|
||||
|
@ -131,298 +93,20 @@ struct private_main_mode_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* Get the first authentcation config from peer config
|
||||
* Set IKE_SA to established state
|
||||
*/
|
||||
static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
|
||||
static void establish(private_main_mode_t *this)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *cfg = NULL;
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
this->ike_sa->get_my_host(this->ike_sa),
|
||||
this->ike_sa->get_my_id(this->ike_sa),
|
||||
this->ike_sa->get_other_host(this->ike_sa),
|
||||
this->ike_sa->get_other_id(this->ike_sa));
|
||||
|
||||
enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
|
||||
enumerator->enumerate(enumerator, &cfg);
|
||||
enumerator->destroy(enumerator);
|
||||
return cfg;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an authenticator, if supported
|
||||
*/
|
||||
static authenticator_t *create_authenticator(private_main_mode_t *this,
|
||||
id_payload_t *id)
|
||||
{
|
||||
authenticator_t *authenticator;
|
||||
authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
|
||||
this->auth_method, this->dh,
|
||||
this->dh_value, this->sa_payload,
|
||||
id->get_encoded(id));
|
||||
if (!authenticator)
|
||||
{
|
||||
DBG1(DBG_IKE, "negotiated authentication method %N not supported",
|
||||
auth_method_names, this->auth_method);
|
||||
}
|
||||
return authenticator;
|
||||
}
|
||||
|
||||
/**
|
||||
* Save the encoded SA payload of a message
|
||||
*/
|
||||
static bool save_sa_payload(private_main_mode_t *this, message_t *message)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
payload_t *payload, *sa = NULL;
|
||||
chunk_t data;
|
||||
size_t offset = IKE_HEADER_LENGTH;
|
||||
|
||||
enumerator = message->create_payload_enumerator(message);
|
||||
while (enumerator->enumerate(enumerator, &payload))
|
||||
{
|
||||
if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
|
||||
{
|
||||
sa = payload;
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
offset += payload->get_length(payload);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
data = message->get_packet_data(message);
|
||||
if (sa && data.len >= offset + sa->get_length(sa))
|
||||
{
|
||||
/* Get SA payload without 4 byte fixed header */
|
||||
data = chunk_skip(data, offset);
|
||||
data.len = sa->get_length(sa);
|
||||
data = chunk_skip(data, 4);
|
||||
this->sa_payload = chunk_clone(data);
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate and add NONCE, KE payload
|
||||
*/
|
||||
static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
|
||||
message_t *message)
|
||||
{
|
||||
nonce_payload_t *nonce_payload;
|
||||
ke_payload_t *ke_payload;
|
||||
rng_t *rng;
|
||||
|
||||
ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
|
||||
this->dh);
|
||||
message->add_payload(message, &ke_payload->payload_interface);
|
||||
|
||||
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
|
||||
if (!rng)
|
||||
{
|
||||
DBG1(DBG_IKE, "no RNG found to create nonce");
|
||||
return FALSE;
|
||||
}
|
||||
rng->allocate_bytes(rng, NONCE_SIZE, nonce);
|
||||
rng->destroy(rng);
|
||||
|
||||
nonce_payload = nonce_payload_create(NONCE_V1);
|
||||
nonce_payload->set_nonce(nonce_payload, *nonce);
|
||||
message->add_payload(message, &nonce_payload->payload_interface);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract nonce from NONCE payload, process KE payload
|
||||
*/
|
||||
static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
|
||||
message_t *message)
|
||||
{
|
||||
nonce_payload_t *nonce_payload;
|
||||
ke_payload_t *ke_payload;
|
||||
|
||||
ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
|
||||
if (!ke_payload)
|
||||
{
|
||||
DBG1(DBG_IKE, "KE payload missing in message");
|
||||
return FALSE;
|
||||
}
|
||||
this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
|
||||
this->dh->set_other_public_value(this->dh, this->dh_value);
|
||||
|
||||
nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
|
||||
if (!nonce_payload)
|
||||
{
|
||||
DBG1(DBG_IKE, "NONCE payload missing in message");
|
||||
return FALSE;
|
||||
}
|
||||
*nonce = nonce_payload->get_nonce(nonce_payload);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the two auth classes from local or remote config
|
||||
*/
|
||||
static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
|
||||
auth_class_t *c1, auth_class_t *c2)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *auth;
|
||||
|
||||
*c1 = *c2 = AUTH_CLASS_ANY;
|
||||
|
||||
enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
|
||||
while (enumerator->enumerate(enumerator, &auth))
|
||||
{
|
||||
if (*c1 == AUTH_CLASS_ANY)
|
||||
{
|
||||
*c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
|
||||
}
|
||||
else
|
||||
{
|
||||
*c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get auth method to use from a peer config
|
||||
*/
|
||||
static auth_method_t get_auth_method(private_main_mode_t *this,
|
||||
peer_cfg_t *peer_cfg)
|
||||
{
|
||||
auth_class_t i1, i2, r1, r2;
|
||||
|
||||
get_auth_class(peer_cfg, this->initiator, &i1, &i2);
|
||||
get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
|
||||
|
||||
if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
|
||||
{
|
||||
if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
|
||||
{
|
||||
/* TODO-IKEv1: ECDSA? */
|
||||
return AUTH_RSA;
|
||||
}
|
||||
if (i2 == AUTH_CLASS_XAUTH)
|
||||
{
|
||||
return AUTH_XAUTH_INIT_RSA;
|
||||
}
|
||||
if (r2 == AUTH_CLASS_XAUTH)
|
||||
{
|
||||
return AUTH_XAUTH_RESP_RSA;
|
||||
}
|
||||
}
|
||||
if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK)
|
||||
{
|
||||
if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
|
||||
{
|
||||
return AUTH_PSK;
|
||||
}
|
||||
if (i2 == AUTH_CLASS_XAUTH)
|
||||
{
|
||||
return AUTH_XAUTH_INIT_PSK;
|
||||
}
|
||||
if (r2 == AUTH_CLASS_XAUTH)
|
||||
{
|
||||
return AUTH_XAUTH_RESP_PSK;
|
||||
}
|
||||
}
|
||||
if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY &&
|
||||
i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
|
||||
{
|
||||
return AUTH_HYBRID_INIT_RSA;
|
||||
}
|
||||
return AUTH_NONE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if a peer skipped authentication by using Hybrid authentication
|
||||
*/
|
||||
static bool skipped_auth(private_main_mode_t *this, bool local)
|
||||
{
|
||||
bool initiator;
|
||||
|
||||
initiator = local == this->initiator;
|
||||
if (initiator && this->auth_method == AUTH_HYBRID_INIT_RSA)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
if (!initiator && this->auth_method == AUTH_HYBRID_RESP_RSA)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if remote authentication constraints fulfilled
|
||||
*/
|
||||
static bool check_constraints(private_main_mode_t *this)
|
||||
{
|
||||
identification_t *id;
|
||||
auth_cfg_t *auth;
|
||||
|
||||
auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
|
||||
/* auth identity to comply */
|
||||
id = this->ike_sa->get_other_id(this->ike_sa);
|
||||
auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
|
||||
if (skipped_auth(this, FALSE))
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
return auth->complies(auth, this->other_auth, TRUE);
|
||||
}
|
||||
|
||||
/**
|
||||
* Save authentication information after authentication succeeded
|
||||
*/
|
||||
static void save_auth_cfg(private_main_mode_t *this, bool local)
|
||||
{
|
||||
auth_cfg_t *auth;
|
||||
|
||||
if (skipped_auth(this, local))
|
||||
{
|
||||
return;
|
||||
}
|
||||
auth = auth_cfg_create();
|
||||
/* for local config, we _copy_ entires from the config, as it contains
|
||||
* certificates we must send later. */
|
||||
auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
|
||||
this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
|
||||
}
|
||||
|
||||
/**
|
||||
* Select the best configuration as responder
|
||||
*/
|
||||
static peer_cfg_t *select_config(private_main_mode_t *this, identification_t *id)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
peer_cfg_t *current, *found = NULL;
|
||||
host_t *me, *other;
|
||||
|
||||
me = this->ike_sa->get_my_host(this->ike_sa);
|
||||
other = this->ike_sa->get_other_host(this->ike_sa);
|
||||
DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]",
|
||||
auth_method_names, this->auth_method, me, other, id);
|
||||
enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
|
||||
me, other, NULL, id, IKEV1);
|
||||
while (enumerator->enumerate(enumerator, ¤t))
|
||||
{
|
||||
if (get_auth_method(this, current) == this->auth_method)
|
||||
{
|
||||
found = current->get_ref(current);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (found)
|
||||
{
|
||||
DBG2(DBG_CFG, "selected peer config \"%s\"", found->get_name(found));
|
||||
}
|
||||
return found;
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -519,31 +203,24 @@ METHOD(task_t, build_i, status_t,
|
|||
linked_list_t *proposals;
|
||||
packet_t *packet;
|
||||
|
||||
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
|
||||
DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
|
||||
DBG0(DBG_IKE, "initiating main mode IKE_SA %s[%d] to %H",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
this->ike_sa->get_other_host(this->ike_sa));
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
|
||||
|
||||
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
|
||||
this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
||||
this->peer_cfg->get_ref(this->peer_cfg);
|
||||
|
||||
this->my_auth = get_auth_cfg(this->peer_cfg, TRUE);
|
||||
this->other_auth = get_auth_cfg(this->peer_cfg, FALSE);
|
||||
if (!this->my_auth || !this->other_auth)
|
||||
{
|
||||
DBG1(DBG_CFG, "no auth config found");
|
||||
return FAILED;
|
||||
}
|
||||
this->auth_method = get_auth_method(this, this->peer_cfg);
|
||||
if (this->auth_method == AUTH_NONE)
|
||||
this->method = this->ph1->get_auth_method(this->ph1, this->peer_cfg);
|
||||
if (this->method == AUTH_NONE)
|
||||
{
|
||||
DBG1(DBG_CFG, "configuration uses unsupported authentication");
|
||||
return FAILED;
|
||||
}
|
||||
this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
|
||||
FALSE);
|
||||
FALSE);
|
||||
if (!this->lifetime)
|
||||
{ /* fall back to rekey time of no rekey time configured */
|
||||
this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
|
||||
|
@ -552,7 +229,7 @@ METHOD(task_t, build_i, status_t,
|
|||
this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
|
||||
proposals = this->ike_cfg->get_proposals(this->ike_cfg);
|
||||
sa_payload = sa_payload_create_from_proposals_v1(proposals,
|
||||
this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
|
||||
this->lifetime, 0, this->method, MODE_NONE, FALSE);
|
||||
proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
|
||||
|
||||
message->add_payload(message, &sa_payload->payload_interface);
|
||||
|
@ -565,9 +242,8 @@ METHOD(task_t, build_i, status_t,
|
|||
return FAILED;
|
||||
}
|
||||
packet->destroy(packet);
|
||||
if (!save_sa_payload(this, message))
|
||||
if (!this->ph1->save_sa_payload(this->ph1, message))
|
||||
{
|
||||
DBG1(DBG_IKE, "SA payload invalid");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
@ -578,7 +254,7 @@ METHOD(task_t, build_i, status_t,
|
|||
{
|
||||
u_int16_t group;
|
||||
|
||||
if (!this->keymat->create_hasher(this->keymat, this->proposal))
|
||||
if (!this->ph1->create_hasher(this->ph1, this->proposal))
|
||||
{
|
||||
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
||||
}
|
||||
|
@ -588,14 +264,12 @@ METHOD(task_t, build_i, status_t,
|
|||
DBG1(DBG_IKE, "DH group selection failed");
|
||||
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
||||
}
|
||||
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
|
||||
group);
|
||||
if (!this->dh)
|
||||
if (!this->ph1->create_dh(this->ph1, group))
|
||||
{
|
||||
DBG1(DBG_IKE, "negotiated DH group not supported");
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
if (!add_nonce_ke(this, &this->nonce_i, message))
|
||||
if (!this->ph1->add_nonce_ke(this->ph1, message))
|
||||
{
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
|
@ -604,31 +278,24 @@ METHOD(task_t, build_i, status_t,
|
|||
}
|
||||
case MM_KE:
|
||||
{
|
||||
authenticator_t *authenticator;
|
||||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
|
||||
id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
|
||||
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
|
||||
if (!id)
|
||||
{
|
||||
DBG1(DBG_CFG, "own identity not known");
|
||||
return send_notify(this, INVALID_ID_INFORMATION);
|
||||
}
|
||||
|
||||
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
|
||||
|
||||
id_payload = id_payload_create_from_identification(ID_V1, id);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
|
||||
authenticator = create_authenticator(this, id_payload);
|
||||
if (!authenticator || authenticator->build(authenticator,
|
||||
message) != SUCCESS)
|
||||
if (!this->ph1->build_auth(this->ph1, this->method, message,
|
||||
id_payload->get_encoded(id_payload)))
|
||||
{
|
||||
DESTROY_IF(authenticator);
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
authenticator->destroy(authenticator);
|
||||
save_auth_cfg(this, TRUE);
|
||||
|
||||
this->state = MM_AUTH;
|
||||
return NEED_MORE;
|
||||
|
@ -649,7 +316,7 @@ METHOD(task_t, process_r, status_t,
|
|||
sa_payload_t *sa_payload;
|
||||
|
||||
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
|
||||
DBG0(DBG_IKE, "%H is initiating a Main Mode",
|
||||
DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
|
||||
message->get_source(message));
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
|
||||
|
||||
|
@ -659,9 +326,13 @@ METHOD(task_t, process_r, status_t,
|
|||
|
||||
sa_payload = (sa_payload_t*)message->get_payload(message,
|
||||
SECURITY_ASSOCIATION_V1);
|
||||
if (!sa_payload || !save_sa_payload(this, message))
|
||||
if (!sa_payload)
|
||||
{
|
||||
DBG1(DBG_IKE, "SA payload missing");
|
||||
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
||||
}
|
||||
if (!this->ph1->save_sa_payload(this->ph1, message))
|
||||
{
|
||||
DBG1(DBG_IKE, "SA payload missing or invalid");
|
||||
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
||||
}
|
||||
|
||||
|
@ -675,7 +346,7 @@ METHOD(task_t, process_r, status_t,
|
|||
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
||||
}
|
||||
|
||||
this->auth_method = sa_payload->get_auth_method(sa_payload);
|
||||
this->method = sa_payload->get_auth_method(sa_payload);
|
||||
this->lifetime = sa_payload->get_lifetime(sa_payload);
|
||||
|
||||
this->state = MM_SA;
|
||||
|
@ -685,7 +356,7 @@ METHOD(task_t, process_r, status_t,
|
|||
{
|
||||
u_int16_t group;
|
||||
|
||||
if (!this->keymat->create_hasher(this->keymat, this->proposal))
|
||||
if (!this->ph1->create_hasher(this->ph1, this->proposal))
|
||||
{
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
|
@ -695,13 +366,12 @@ METHOD(task_t, process_r, status_t,
|
|||
DBG1(DBG_IKE, "DH group selection failed");
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
this->dh = lib->crypto->create_dh(lib->crypto, group);
|
||||
if (!this->dh)
|
||||
if (!this->ph1->create_dh(this->ph1, group))
|
||||
{
|
||||
DBG1(DBG_IKE, "negotiated DH group not supported");
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
if (!get_nonce_ke(this, &this->nonce_i, message))
|
||||
if (!this->ph1->get_nonce_ke(this->ph1, message))
|
||||
{
|
||||
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
||||
}
|
||||
|
@ -710,7 +380,6 @@ METHOD(task_t, process_r, status_t,
|
|||
}
|
||||
case MM_KE:
|
||||
{
|
||||
authenticator_t *authenticator;
|
||||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
|
||||
|
@ -723,7 +392,8 @@ METHOD(task_t, process_r, status_t,
|
|||
|
||||
id = id_payload->get_identification(id_payload);
|
||||
this->ike_sa->set_other_id(this->ike_sa, id);
|
||||
this->peer_cfg = select_config(this, id);
|
||||
this->peer_cfg = this->ph1->select_config(this->ph1,
|
||||
this->method, id);
|
||||
if (!this->peer_cfg)
|
||||
{
|
||||
DBG1(DBG_IKE, "no peer config found");
|
||||
|
@ -731,28 +401,11 @@ METHOD(task_t, process_r, status_t,
|
|||
}
|
||||
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
|
||||
|
||||
this->my_auth = get_auth_cfg(this->peer_cfg, TRUE);
|
||||
this->other_auth = get_auth_cfg(this->peer_cfg, FALSE);
|
||||
if (!this->my_auth || !this->other_auth)
|
||||
{
|
||||
DBG1(DBG_IKE, "auth config missing");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
authenticator = create_authenticator(this, id_payload);
|
||||
if (!authenticator || authenticator->process(authenticator,
|
||||
message) != SUCCESS)
|
||||
{
|
||||
DESTROY_IF(authenticator);
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
authenticator->destroy(authenticator);
|
||||
if (!check_constraints(this))
|
||||
if (!this->ph1->verify_auth(this->ph1, this->method, message,
|
||||
id_payload->get_encoded(id_payload)))
|
||||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
save_auth_cfg(this, FALSE);
|
||||
|
||||
this->state = MM_AUTH;
|
||||
if (has_notify_errors(this, message))
|
||||
{
|
||||
|
@ -765,143 +418,6 @@ METHOD(task_t, process_r, status_t,
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Lookup a shared secret for this IKE_SA
|
||||
*/
|
||||
static shared_key_t *lookup_shared_key(private_main_mode_t *this)
|
||||
{
|
||||
host_t *me, *other;
|
||||
identification_t *my_id, *other_id;
|
||||
shared_key_t *shared_key = NULL;
|
||||
|
||||
/* try to get a PSK for IP addresses */
|
||||
me = this->ike_sa->get_my_host(this->ike_sa);
|
||||
other = this->ike_sa->get_other_host(this->ike_sa);
|
||||
my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
|
||||
other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
|
||||
if (my_id && other_id)
|
||||
{
|
||||
shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
|
||||
my_id, other_id);
|
||||
}
|
||||
DESTROY_IF(my_id);
|
||||
DESTROY_IF(other_id);
|
||||
if (shared_key)
|
||||
{
|
||||
return shared_key;
|
||||
}
|
||||
|
||||
if (this->my_auth && this->other_auth)
|
||||
{ /* as initiator, use identities from configuraiton */
|
||||
my_id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
|
||||
other_id = this->other_auth->get(this->other_auth, AUTH_RULE_IDENTITY);
|
||||
if (my_id && other_id)
|
||||
{
|
||||
shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
|
||||
my_id, other_id);
|
||||
if (!shared_key)
|
||||
{
|
||||
DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
|
||||
my_id, me, other_id, other);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{ /* as responder, we try to find a config by IP */
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *my_auth, *other_auth;
|
||||
peer_cfg_t *peer_cfg = NULL;
|
||||
|
||||
enumerator = charon->backends->create_peer_cfg_enumerator(
|
||||
charon->backends, me, other, NULL, NULL, IKEV1);
|
||||
while (enumerator->enumerate(enumerator, &peer_cfg))
|
||||
{
|
||||
my_auth = get_auth_cfg(peer_cfg, TRUE);
|
||||
other_auth = get_auth_cfg(peer_cfg, FALSE);
|
||||
if (my_auth && other_auth)
|
||||
{
|
||||
my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
|
||||
other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
|
||||
if (my_id && other_id)
|
||||
{
|
||||
shared_key = lib->credmgr->get_shared(lib->credmgr,
|
||||
SHARED_IKE, my_id, other_id);
|
||||
if (shared_key)
|
||||
{
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_IKE, "no shared key found for "
|
||||
"'%Y'[%H] - '%Y'[%H]", my_id, me, other_id, other);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
if (!peer_cfg)
|
||||
{
|
||||
DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
|
||||
}
|
||||
}
|
||||
return shared_key;
|
||||
}
|
||||
|
||||
/**
|
||||
* Derive key material for this IKE_SA
|
||||
*/
|
||||
static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
|
||||
chunk_t nonce_r)
|
||||
{
|
||||
ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
|
||||
shared_key_t *shared_key = NULL;
|
||||
|
||||
switch (this->auth_method)
|
||||
{
|
||||
case AUTH_PSK:
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
shared_key = lookup_shared_key(this);
|
||||
if (!shared_key)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
|
||||
this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
|
||||
{
|
||||
DESTROY_IF(shared_key);
|
||||
DBG1(DBG_IKE, "key derivation for %N failed",
|
||||
auth_method_names, this->auth_method);
|
||||
return FALSE;
|
||||
}
|
||||
DESTROY_IF(shared_key);
|
||||
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
|
||||
NULL);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set IKE_SA to established state
|
||||
*/
|
||||
static void establish(private_main_mode_t *this)
|
||||
{
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
this->ike_sa->get_my_host(this->ike_sa),
|
||||
this->ike_sa->get_my_id(this->ike_sa),
|
||||
this->ike_sa->get_other_host(this->ike_sa),
|
||||
this->ike_sa->get_other_id(this->ike_sa));
|
||||
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
||||
}
|
||||
|
||||
METHOD(task_t, build_r, status_t,
|
||||
private_main_mode_t *this, message_t *message)
|
||||
{
|
||||
|
@ -912,18 +428,19 @@ METHOD(task_t, build_r, status_t,
|
|||
sa_payload_t *sa_payload;
|
||||
|
||||
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
|
||||
this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
|
||||
this->lifetime, 0, this->method, MODE_NONE, FALSE);
|
||||
message->add_payload(message, &sa_payload->payload_interface);
|
||||
|
||||
return NEED_MORE;
|
||||
}
|
||||
case MM_KE:
|
||||
{
|
||||
if (!add_nonce_ke(this, &this->nonce_r, message))
|
||||
if (!this->ph1->add_nonce_ke(this->ph1, message))
|
||||
{
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
if (!derive_keys(this, this->nonce_i, this->nonce_r))
|
||||
if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method,
|
||||
this->proposal))
|
||||
{
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
|
@ -931,11 +448,10 @@ METHOD(task_t, build_r, status_t,
|
|||
}
|
||||
case MM_AUTH:
|
||||
{
|
||||
authenticator_t *authenticator;
|
||||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
|
||||
id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
|
||||
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
|
||||
if (!id)
|
||||
{
|
||||
DBG1(DBG_CFG, "own identity not known");
|
||||
|
@ -946,17 +462,12 @@ METHOD(task_t, build_r, status_t,
|
|||
id_payload = id_payload_create_from_identification(ID_V1, id);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
|
||||
authenticator = create_authenticator(this, id_payload);
|
||||
if (!authenticator || authenticator->build(authenticator,
|
||||
message) != SUCCESS)
|
||||
if (!this->ph1->build_auth(this->ph1, this->method, message,
|
||||
id_payload->get_encoded(id_payload)))
|
||||
{
|
||||
DESTROY_IF(authenticator);
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
authenticator->destroy(authenticator);
|
||||
save_auth_cfg(this, TRUE);
|
||||
|
||||
switch (this->auth_method)
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
|
@ -991,7 +502,7 @@ METHOD(task_t, process_i, status_t,
|
|||
{
|
||||
linked_list_t *list;
|
||||
sa_payload_t *sa_payload;
|
||||
auth_method_t auth_method;
|
||||
auth_method_t method;
|
||||
u_int32_t lifetime;
|
||||
|
||||
sa_payload = (sa_payload_t*)message->get_payload(message,
|
||||
|
@ -1018,22 +529,23 @@ METHOD(task_t, process_i, status_t,
|
|||
"lifetime %us", lifetime, this->lifetime);
|
||||
}
|
||||
this->lifetime = lifetime;
|
||||
auth_method = sa_payload->get_auth_method(sa_payload);
|
||||
if (auth_method != this->auth_method)
|
||||
method = sa_payload->get_auth_method(sa_payload);
|
||||
if (method != this->method)
|
||||
{
|
||||
DBG1(DBG_IKE, "received %N authentication, but configured %N, "
|
||||
"continue with configured", auth_method_names, auth_method,
|
||||
auth_method_names, this->auth_method);
|
||||
"continue with configured", auth_method_names, method,
|
||||
auth_method_names, this->method);
|
||||
}
|
||||
return NEED_MORE;
|
||||
}
|
||||
case MM_KE:
|
||||
{
|
||||
if (!get_nonce_ke(this, &this->nonce_r, message))
|
||||
if (!this->ph1->get_nonce_ke(this->ph1, message))
|
||||
{
|
||||
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
||||
}
|
||||
if (!derive_keys(this, this->nonce_i, this->nonce_r))
|
||||
if (!this->ph1->derive_keys(this->ph1, this->peer_cfg,
|
||||
this->method, this->proposal))
|
||||
{
|
||||
return send_notify(this, INVALID_KEY_INFORMATION);
|
||||
}
|
||||
|
@ -1041,9 +553,8 @@ METHOD(task_t, process_i, status_t,
|
|||
}
|
||||
case MM_AUTH:
|
||||
{
|
||||
authenticator_t *authenticator;
|
||||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
identification_t *id, *cid;
|
||||
|
||||
id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
|
||||
if (!id_payload)
|
||||
|
@ -1052,28 +563,20 @@ METHOD(task_t, process_i, status_t,
|
|||
return send_delete(this);
|
||||
}
|
||||
id = id_payload->get_identification(id_payload);
|
||||
if (!id->matches(id, this->other_auth->get(this->other_auth,
|
||||
AUTH_RULE_IDENTITY)))
|
||||
cid = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
|
||||
if (cid && !id->matches(id, cid))
|
||||
{
|
||||
DBG1(DBG_IKE, "IDir does not match");
|
||||
DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
|
||||
id->destroy(id);
|
||||
return send_delete(this);
|
||||
}
|
||||
this->ike_sa->set_other_id(this->ike_sa, id);
|
||||
|
||||
authenticator = create_authenticator(this, id_payload);
|
||||
if (!authenticator || authenticator->process(authenticator,
|
||||
message) != SUCCESS)
|
||||
{
|
||||
DESTROY_IF(authenticator);
|
||||
return send_delete(this);
|
||||
}
|
||||
authenticator->destroy(authenticator);
|
||||
if (!check_constraints(this))
|
||||
if (!this->ph1->verify_auth(this->ph1, this->method, message,
|
||||
id_payload->get_encoded(id_payload)))
|
||||
{
|
||||
return send_delete(this);
|
||||
}
|
||||
save_auth_cfg(this, FALSE);
|
||||
|
||||
if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
|
||||
{
|
||||
|
@ -1081,7 +584,7 @@ METHOD(task_t, process_i, status_t,
|
|||
(task_t*)mode_config_create(this->ike_sa, TRUE));
|
||||
}
|
||||
|
||||
switch (this->auth_method)
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
|
@ -1114,18 +617,13 @@ METHOD(task_t, migrate, void,
|
|||
{
|
||||
DESTROY_IF(this->peer_cfg);
|
||||
DESTROY_IF(this->proposal);
|
||||
DESTROY_IF(this->dh);
|
||||
chunk_free(&this->dh_value);
|
||||
chunk_free(&this->nonce_i);
|
||||
chunk_free(&this->nonce_r);
|
||||
chunk_free(&this->sa_payload);
|
||||
this->ph1->destroy(this->ph1);
|
||||
|
||||
this->ike_sa = ike_sa;
|
||||
this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
|
||||
this->state = MM_INIT;
|
||||
this->peer_cfg = NULL;
|
||||
this->proposal = NULL;
|
||||
this->dh = NULL;
|
||||
this->ph1 = phase1_create(ike_sa, this->initiator);
|
||||
}
|
||||
|
||||
METHOD(task_t, destroy, void,
|
||||
|
@ -1133,11 +631,7 @@ METHOD(task_t, destroy, void,
|
|||
{
|
||||
DESTROY_IF(this->peer_cfg);
|
||||
DESTROY_IF(this->proposal);
|
||||
DESTROY_IF(this->dh);
|
||||
free(this->dh_value.ptr);
|
||||
free(this->nonce_i.ptr);
|
||||
free(this->nonce_r.ptr);
|
||||
free(this->sa_payload.ptr);
|
||||
this->ph1->destroy(this->ph1);
|
||||
free(this);
|
||||
}
|
||||
|
||||
|
@ -1157,7 +651,7 @@ main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
|
|||
},
|
||||
},
|
||||
.ike_sa = ike_sa,
|
||||
.keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
|
||||
.ph1 = phase1_create(ike_sa, initiator),
|
||||
.initiator = initiator,
|
||||
.state = MM_INIT,
|
||||
);
|
||||
|
|
Loading…
Reference in New Issue