]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright headers after acquisition by secunet
[thirdparty/strongswan.git] / src / libcharon / sa / ikev1 / tasks / isakmp_cert_post.c
1 /*
2 * Copyright (C) 2011 Martin Willi
3 *
4 * Copyright (C) secunet Security Networks AG
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "isakmp_cert_post.h"
18
19 #include <daemon.h>
20 #include <sa/ike_sa.h>
21 #include <encoding/payloads/cert_payload.h>
22 #include <encoding/payloads/certreq_payload.h>
23 #include <encoding/payloads/auth_payload.h>
24 #include <encoding/payloads/sa_payload.h>
25 #include <credentials/certificates/x509.h>
26
27
28 typedef struct private_isakmp_cert_post_t private_isakmp_cert_post_t;
29
30 /**
31 * Private members of a isakmp_cert_post_t task.
32 */
33 struct private_isakmp_cert_post_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 isakmp_cert_post_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * States of ike cert pre
52 */
53 enum {
54 CR_SA,
55 CR_KE,
56 CR_AUTH,
57 } state;
58 };
59
60 /**
61 * Check if we actually use certificates for authentication
62 */
63 static bool use_certs(private_isakmp_cert_post_t *this, message_t *message)
64 {
65 enumerator_t *enumerator;
66 payload_t *payload;
67 bool use = FALSE;
68
69 enumerator = message->create_payload_enumerator(message);
70 while (enumerator->enumerate(enumerator, &payload))
71 {
72 if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION)
73 {
74 sa_payload_t *sa_payload = (sa_payload_t*)payload;
75
76 switch (sa_payload->get_auth_method(sa_payload))
77 {
78 case AUTH_RSA:
79 case AUTH_ECDSA_256:
80 case AUTH_ECDSA_384:
81 case AUTH_ECDSA_521:
82 case AUTH_XAUTH_INIT_RSA:
83 case AUTH_XAUTH_RESP_RSA:
84 case AUTH_HYBRID_INIT_RSA:
85 case AUTH_HYBRID_RESP_RSA:
86 use = TRUE;
87 break;
88 default:
89 break;
90 }
91 break;
92 }
93 }
94 enumerator->destroy(enumerator);
95
96 return use;
97 }
98
99 /**
100 * Add certificates to message
101 */
102 static void build_certs(private_isakmp_cert_post_t *this, message_t *message)
103 {
104 peer_cfg_t *peer_cfg;
105
106 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
107 if (!peer_cfg)
108 {
109 return;
110 }
111
112 switch (peer_cfg->get_cert_policy(peer_cfg))
113 {
114 case CERT_NEVER_SEND:
115 break;
116 case CERT_SEND_IF_ASKED:
117 if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
118 {
119 break;
120 }
121 /* FALL */
122 case CERT_ALWAYS_SEND:
123 {
124 cert_payload_t *payload;
125 enumerator_t *enumerator;
126 certificate_t *cert;
127 auth_rule_t type;
128 auth_cfg_t *auth;
129
130 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
131 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
132 if (!cert)
133 {
134 break;
135 }
136 payload = cert_payload_create_from_cert(PLV1_CERTIFICATE, cert);
137 if (!payload)
138 {
139 break;
140 }
141 DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
142 cert->get_subject(cert));
143 message->add_payload(message, (payload_t*)payload);
144
145 enumerator = auth->create_enumerator(auth);
146 while (enumerator->enumerate(enumerator, &type, &cert))
147 {
148 if (type == AUTH_RULE_IM_CERT)
149 {
150 payload = cert_payload_create_from_cert(PLV1_CERTIFICATE, cert);
151 if (payload)
152 {
153 DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
154 cert->get_subject(cert));
155 message->add_payload(message, (payload_t*)payload);
156 }
157 }
158 }
159 enumerator->destroy(enumerator);
160 }
161 }
162 }
163
164 METHOD(task_t, build_i, status_t,
165 private_isakmp_cert_post_t *this, message_t *message)
166 {
167 switch (message->get_exchange_type(message))
168 {
169 case ID_PROT:
170 if (this->state == CR_AUTH)
171 {
172 build_certs(this, message);
173 return SUCCESS;
174 }
175 return NEED_MORE;
176 case AGGRESSIVE:
177 if (this->state == CR_AUTH)
178 {
179 build_certs(this, message);
180 return SUCCESS;
181 }
182 return NEED_MORE;
183 default:
184 return FAILED;
185 }
186 }
187
188 METHOD(task_t, process_r, status_t,
189 private_isakmp_cert_post_t *this, message_t *message)
190 {
191 switch (message->get_exchange_type(message))
192 {
193 case ID_PROT:
194 {
195 switch (this->state)
196 {
197 case CR_SA:
198 if (!use_certs(this, message))
199 {
200 return SUCCESS;
201 }
202 return NEED_MORE;
203 case CR_KE:
204 return NEED_MORE;
205 case CR_AUTH:
206 return NEED_MORE;
207 default:
208 return FAILED;
209 }
210 }
211 case AGGRESSIVE:
212 {
213 switch (this->state)
214 {
215 case CR_SA:
216 if (!use_certs(this, message))
217 {
218 return SUCCESS;
219 }
220 return NEED_MORE;
221 case CR_AUTH:
222 return SUCCESS;
223 default:
224 return FAILED;
225 }
226 }
227 default:
228 return FAILED;
229 }
230 }
231
232 METHOD(task_t, build_r, status_t,
233 private_isakmp_cert_post_t *this, message_t *message)
234 {
235 switch (message->get_exchange_type(message))
236 {
237 case ID_PROT:
238 switch (this->state)
239 {
240 case CR_SA:
241 this->state = CR_KE;
242 return NEED_MORE;
243 case CR_KE:
244 this->state = CR_AUTH;
245 return NEED_MORE;
246 case CR_AUTH:
247 build_certs(this, message);
248 return SUCCESS;
249 }
250 case AGGRESSIVE:
251 switch (this->state)
252 {
253 case CR_SA:
254 build_certs(this, message);
255 this->state = CR_AUTH;
256 return NEED_MORE;
257 case CR_AUTH:
258 return SUCCESS;
259 default:
260 return FAILED;
261 }
262 default:
263 return FAILED;
264 }
265 }
266
267 METHOD(task_t, process_i, status_t,
268 private_isakmp_cert_post_t *this, message_t *message)
269 {
270 switch (message->get_exchange_type(message))
271 {
272 case ID_PROT:
273 {
274 switch (this->state)
275 {
276 case CR_SA:
277 if (!use_certs(this, message))
278 {
279 return SUCCESS;
280 }
281 this->state = CR_KE;
282 return NEED_MORE;
283 case CR_KE:
284 this->state = CR_AUTH;
285 return NEED_MORE;
286 case CR_AUTH:
287 return SUCCESS;
288 default:
289 return FAILED;
290 }
291 }
292 case AGGRESSIVE:
293 {
294 if (this->state == CR_SA)
295 {
296 if (!use_certs(this, message))
297 {
298 return SUCCESS;
299 }
300 this->state = CR_AUTH;
301 return NEED_MORE;
302 }
303 return SUCCESS;
304 }
305 default:
306 return FAILED;
307 }
308 }
309
310 METHOD(task_t, get_type, task_type_t,
311 private_isakmp_cert_post_t *this)
312 {
313 return TASK_ISAKMP_CERT_POST;
314 }
315
316 METHOD(task_t, migrate, void,
317 private_isakmp_cert_post_t *this, ike_sa_t *ike_sa)
318 {
319 this->ike_sa = ike_sa;
320 this->state = CR_SA;
321 }
322
323 METHOD(task_t, destroy, void,
324 private_isakmp_cert_post_t *this)
325 {
326 free(this);
327 }
328
329 /*
330 * Described in header.
331 */
332 isakmp_cert_post_t *isakmp_cert_post_create(ike_sa_t *ike_sa, bool initiator)
333 {
334 private_isakmp_cert_post_t *this;
335
336 INIT(this,
337 .public = {
338 .task = {
339 .get_type = _get_type,
340 .migrate = _migrate,
341 .destroy = _destroy,
342 },
343 },
344 .ike_sa = ike_sa,
345 .initiator = initiator,
346 .state = CR_SA,
347 );
348 if (initiator)
349 {
350 this->public.task.process = _process_i;
351 this->public.task.build = _build_i;
352 }
353 else
354 {
355 this->public.task.process = _process_r;
356 this->public.task.build = _build_r;
357 }
358 return &this->public;
359 }
Unnamed repository; edit this file 'description' to name the repository.