/*
- * Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
#include <string.h>
#include <daemon.h>
-#include <sa/ikev1/keymat_v1.h>
-#include <crypto/diffie_hellman.h>
+#include <sa/ikev1/phase1.h>
#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/hash_payload.h>
#include <sa/ikev1/tasks/xauth.h>
#include <sa/ikev1/tasks/informational.h>
#include <sa/ikev1/tasks/isakmp_delete.h>
#include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
typedef struct private_main_mode_t private_main_mode_t;
*/
bool initiator;
+ /**
+ * Common phase 1 helper class
+ */
+ phase1_t *ph1;
+
/**
* IKE config to establish
*/
*/
peer_cfg_t *peer_cfg;
- /**
- * Local authentication configuration
- */
- auth_cfg_t *my_auth;
-
- /**
- * Remote authentication configuration
- */
- auth_cfg_t *other_auth;
-
/**
* selected IKE proposal
*/
proposal_t *proposal;
- /**
- * DH exchange
- */
- diffie_hellman_t *dh;
-
- /**
- * Keymat derivation (from SA)
- */
- keymat_v1_t *keymat;
-
- /**
- * Received public DH value from peer
- */
- chunk_t dh_value;
-
- /**
- * Initiators nonce
- */
- chunk_t nonce_i;
-
- /**
- * Responder nonce
- */
- chunk_t nonce_r;
-
- /**
- * Encoded SA initiator payload used for authentication
- */
- chunk_t sa_payload;
-
/**
* Negotiated SA lifetime
*/
- u_int32_t lifetime;
+ uint32_t lifetime;
/**
* Negotiated authentication method
*/
- auth_method_t auth_method;
+ auth_method_t method;
/** states of main mode */
enum {
};
/**
- * Get the first authentcation config from peer config
- */
-static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
-{
- enumerator_t *enumerator;
- auth_cfg_t *cfg = NULL;
-
- enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
- enumerator->enumerate(enumerator, &cfg);
- enumerator->destroy(enumerator);
- return cfg;
-}
-
-/**
- * Create an authenticator, if supported
- */
-static authenticator_t *create_authenticator(private_main_mode_t *this,
- id_payload_t *id)
-{
- authenticator_t *authenticator;
- authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
- this->auth_method, this->dh,
- this->dh_value, this->sa_payload,
- id->get_encoded(id));
- if (!authenticator)
- {
- DBG1(DBG_IKE, "negotiated authentication method %N not supported",
- auth_method_names, this->auth_method);
- }
- return authenticator;
-}
-
-/**
- * Save the encoded SA payload of a message
+ * Set IKE_SA to established state
*/
-static bool save_sa_payload(private_main_mode_t *this, message_t *message)
+static bool establish(private_main_mode_t *this)
{
- enumerator_t *enumerator;
- payload_t *payload, *sa = NULL;
- chunk_t data;
- size_t offset = IKE_HEADER_LENGTH;
-
- enumerator = message->create_payload_enumerator(message);
- while (enumerator->enumerate(enumerator, &payload))
+ if (!charon->bus->authorize(charon->bus, TRUE))
{
- if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
- {
- sa = payload;
- break;
- }
- else
- {
- offset += payload->get_length(payload);
- }
- }
- enumerator->destroy(enumerator);
-
- data = message->get_packet_data(message);
- if (sa && data.len >= offset + sa->get_length(sa))
- {
- /* Get SA payload without 4 byte fixed header */
- data = chunk_skip(data, offset);
- data.len = sa->get_length(sa);
- data = chunk_skip(data, 4);
- this->sa_payload = chunk_clone(data);
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Generate and add NONCE, KE payload
- */
-static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
- message_t *message)
-{
- nonce_payload_t *nonce_payload;
- ke_payload_t *ke_payload;
- rng_t *rng;
-
- ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
- this->dh);
- message->add_payload(message, &ke_payload->payload_interface);
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng)
- {
- DBG1(DBG_IKE, "no RNG found to create nonce");
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
return FALSE;
}
- rng->allocate_bytes(rng, NONCE_SIZE, nonce);
- rng->destroy(rng);
-
- nonce_payload = nonce_payload_create(NONCE_V1);
- nonce_payload->set_nonce(nonce_payload, *nonce);
- message->add_payload(message, &nonce_payload->payload_interface);
-
- return TRUE;
-}
-/**
- * Extract nonce from NONCE payload, process KE payload
- */
-static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
- message_t *message)
-{
- nonce_payload_t *nonce_payload;
- ke_payload_t *ke_payload;
-
- ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
- if (!ke_payload)
- {
- DBG1(DBG_IKE, "KE payload missing in message");
- return FALSE;
- }
- this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
- this->dh->set_other_public_value(this->dh, this->dh_value);
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
- nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
- if (!nonce_payload)
- {
- DBG1(DBG_IKE, "NONCE payload missing in message");
- return FALSE;
- }
- *nonce = nonce_payload->get_nonce(nonce_payload);
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
return TRUE;
}
-/**
- * Get the two auth classes from local or remote config
- */
-static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
- auth_class_t *c1, auth_class_t *c2)
-{
- enumerator_t *enumerator;
- auth_cfg_t *auth;
-
- *c1 = *c2 = AUTH_CLASS_ANY;
-
- enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
- while (enumerator->enumerate(enumerator, &auth))
- {
- if (*c1 == AUTH_CLASS_ANY)
- {
- *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
- }
- else
- {
- *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
- break;
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Get auth method to use from a peer config
- */
-static auth_method_t get_auth_method(private_main_mode_t *this,
- peer_cfg_t *peer_cfg)
-{
- auth_class_t i1, i2, r1, r2;
-
- get_auth_class(peer_cfg, this->initiator, &i1, &i2);
- get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
-
- if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
- {
- if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
- {
- /* TODO-IKEv1: ECDSA? */
- return AUTH_RSA;
- }
- if (i2 == AUTH_CLASS_XAUTH)
- {
- return AUTH_XAUTH_INIT_RSA;
- }
- if (r2 == AUTH_CLASS_XAUTH)
- {
- return AUTH_XAUTH_RESP_RSA;
- }
- }
- if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK)
- {
- if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
- {
- return AUTH_PSK;
- }
- if (i2 == AUTH_CLASS_XAUTH)
- {
- return AUTH_XAUTH_INIT_PSK;
- }
- if (r2 == AUTH_CLASS_XAUTH)
- {
- return AUTH_XAUTH_RESP_PSK;
- }
- }
- if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY &&
- i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
- {
- return AUTH_HYBRID_INIT_RSA;
- }
- return AUTH_NONE;
-}
-
-/**
- * Check if a peer skipped authentication by using Hybrid authentication
- */
-static bool skipped_auth(private_main_mode_t *this, bool local)
-{
- bool initiator;
-
- initiator = local == this->initiator;
- if (initiator && this->auth_method == AUTH_HYBRID_INIT_RSA)
- {
- return TRUE;
- }
- if (!initiator && this->auth_method == AUTH_HYBRID_RESP_RSA)
- {
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Check if remote authentication constraints fulfilled
- */
-static bool check_constraints(private_main_mode_t *this)
-{
- identification_t *id;
- auth_cfg_t *auth;
-
- auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
- /* auth identity to comply */
- id = this->ike_sa->get_other_id(this->ike_sa);
- auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
- if (skipped_auth(this, FALSE))
- {
- return TRUE;
- }
- return auth->complies(auth, this->other_auth, TRUE);
-}
-
-/**
- * Save authentication information after authentication succeeded
- */
-static void save_auth_cfg(private_main_mode_t *this, bool local)
-{
- auth_cfg_t *auth;
-
- if (skipped_auth(this, local))
- {
- return;
- }
- auth = auth_cfg_create();
- /* for local config, we _copy_ entires from the config, as it contains
- * certificates we must send later. */
- auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
- this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
-}
-
-/**
- * Select the best configuration as responder
- */
-static peer_cfg_t *select_config(private_main_mode_t *this, identification_t *id)
-{
- enumerator_t *enumerator;
- peer_cfg_t *current, *found = NULL;
- host_t *me, *other;
-
- me = this->ike_sa->get_my_host(this->ike_sa);
- other = this->ike_sa->get_other_host(this->ike_sa);
- DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]",
- auth_method_names, this->auth_method, me, other, id);
- enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
- me, other, NULL, id, IKEV1);
- while (enumerator->enumerate(enumerator, ¤t))
- {
- if (get_auth_method(this, current) == this->auth_method)
- {
- found = current->get_ref(current);
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- if (found)
- {
- DBG2(DBG_CFG, "selected peer config \"%s\"", found->get_name(found));
- }
- return found;
-}
-
/**
* Check for notify errors, return TRUE if error found
*/
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
- if (payload->get_type(payload) == NOTIFY_V1)
+ if (payload->get_type(payload) == PLV1_NOTIFY)
{
notify_payload_t *notify;
notify_type_t type;
{
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- u_int64_t spi_i, spi_r;
+ uint64_t spi_i, spi_r;
chunk_t spi;
- notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+ notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
PROTO_IKE, type);
ike_sa_id = this->ike_sa->get_id(this->ike_sa);
spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
this->ike_sa->queue_task(this->ike_sa,
(task_t*)informational_create(this->ike_sa, notify));
/* cancel all active/passive tasks in favour of informational */
+ this->ike_sa->flush_queue(this->ike_sa,
+ this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
return ALREADY_DONE;
}
this->ike_sa->queue_task(this->ike_sa,
(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
/* cancel all active tasks in favour of informational */
+ this->ike_sa->flush_queue(this->ike_sa,
+ this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
return ALREADY_DONE;
}
+/**
+ * Add an INITIAL_CONTACT notify if first contact with peer
+ */
+static void add_initial_contact(private_main_mode_t *this, message_t *message,
+ identification_t *idi)
+{
+ identification_t *idr;
+ host_t *host;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+ uint64_t spi_i, spi_r;
+ chunk_t spi;
+
+ idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+ if (idr && !idr->contains_wildcards(idr))
+ {
+ if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+ {
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+ idi, idr, host->get_family(host)))
+ {
+ notify = notify_payload_create_from_protocol_and_type(
+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+ spi = chunk_cata("cc", chunk_from_thing(spi_i),
+ chunk_from_thing(spi_r));
+ notify->set_spi_data(notify, spi);
+ message->add_payload(message, (payload_t*)notify);
+ }
+ }
+ }
+}
+
METHOD(task_t, build_i, status_t,
private_main_mode_t *this, message_t *message)
{
linked_list_t *proposals;
packet_t *packet;
- this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
- DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
+ DBG0(DBG_IKE, "initiating Main Mode IKE_SA %s[%d] to %H",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+ this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
this->peer_cfg->get_ref(this->peer_cfg);
- this->my_auth = get_auth_cfg(this->peer_cfg, TRUE);
- this->other_auth = get_auth_cfg(this->peer_cfg, FALSE);
- if (!this->my_auth || !this->other_auth)
- {
- DBG1(DBG_CFG, "no auth config found");
- return FAILED;
- }
- this->auth_method = get_auth_method(this, this->peer_cfg);
- if (this->auth_method == AUTH_NONE)
+ this->method = this->ph1->get_auth_method(this->ph1, this->peer_cfg);
+ if (this->method == AUTH_NONE)
{
DBG1(DBG_CFG, "configuration uses unsupported authentication");
return FAILED;
}
this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
- FALSE);
+ FALSE);
if (!this->lifetime)
{ /* fall back to rekey time of no rekey time configured */
this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
proposals = this->ike_cfg->get_proposals(this->ike_cfg);
sa_payload = sa_payload_create_from_proposals_v1(proposals,
- this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
return FAILED;
}
packet->destroy(packet);
- if (!save_sa_payload(this, message))
+ if (!this->ph1->save_sa_payload(this->ph1, message))
{
- DBG1(DBG_IKE, "SA payload invalid");
return FAILED;
}
}
case MM_SA:
{
- u_int16_t group;
+ uint16_t group;
- if (!this->keymat->create_hasher(this->keymat, this->proposal))
+ if (!this->ph1->create_hasher(this->ph1))
{
return send_notify(this, NO_PROPOSAL_CHOSEN);
}
DBG1(DBG_IKE, "DH group selection failed");
return send_notify(this, NO_PROPOSAL_CHOSEN);
}
- this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
- group);
- if (!this->dh)
+ if (!this->ph1->create_dh(this->ph1, group))
{
DBG1(DBG_IKE, "negotiated DH group not supported");
return send_notify(this, INVALID_KEY_INFORMATION);
}
- if (!add_nonce_ke(this, &this->nonce_i, message))
+ if (!this->ph1->add_nonce_ke(this->ph1, message))
{
return send_notify(this, INVALID_KEY_INFORMATION);
}
}
case MM_KE:
{
- authenticator_t *authenticator;
id_payload_t *id_payload;
identification_t *id;
- id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return send_notify(this, INVALID_ID_INFORMATION);
- }
-
+ id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
-
- id_payload = id_payload_create_from_identification(ID_V1, id);
+ id_payload = id_payload_create_from_identification(PLV1_ID, id);
message->add_payload(message, &id_payload->payload_interface);
- authenticator = create_authenticator(this, id_payload);
- if (!authenticator || authenticator->build(authenticator,
- message) != SUCCESS)
+ if (!this->ph1->build_auth(this->ph1, this->method, message,
+ id_payload->get_encoded(id_payload)))
{
- DESTROY_IF(authenticator);
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
- authenticator->destroy(authenticator);
- save_auth_cfg(this, TRUE);
+
+ add_initial_contact(this, message, id);
this->state = MM_AUTH;
return NEED_MORE;
{
linked_list_t *list;
sa_payload_t *sa_payload;
+ proposal_selection_flag_t flags = 0;
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
- DBG0(DBG_IKE, "%H is initiating a Main Mode",
+ DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
message->get_source(message));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
message->get_source(message), TRUE);
sa_payload = (sa_payload_t*)message->get_payload(message,
- SECURITY_ASSOCIATION_V1);
- if (!sa_payload || !save_sa_payload(this, message))
+ PLV1_SECURITY_ASSOCIATION);
+ if (!sa_payload)
+ {
+ DBG1(DBG_IKE, "SA payload missing");
+ return send_notify(this, INVALID_PAYLOAD_TYPE);
+ }
+ if (!this->ph1->save_sa_payload(this->ph1, message))
{
- DBG1(DBG_IKE, "SA payload missing or invalid");
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_SKIP_PRIVATE;
+ }
+ if (!lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns))
+ {
+ flags |= PROPOSAL_PREFER_SUPPLIED;
+ }
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE);
+ list, flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
DBG1(DBG_IKE, "no proposal found");
return send_notify(this, NO_PROPOSAL_CHOSEN);
}
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
- this->auth_method = sa_payload->get_auth_method(sa_payload);
- this->lifetime = sa_payload->get_lifetime(sa_payload);
+ this->method = sa_payload->get_auth_method(sa_payload);
+ this->lifetime = sa_payload->get_lifetime(sa_payload,
+ this->proposal);
this->state = MM_SA;
return NEED_MORE;
}
case MM_SA:
{
- u_int16_t group;
+ uint16_t group;
- if (!this->keymat->create_hasher(this->keymat, this->proposal))
+ if (!this->ph1->create_hasher(this->ph1))
{
return send_notify(this, INVALID_KEY_INFORMATION);
}
DBG1(DBG_IKE, "DH group selection failed");
return send_notify(this, INVALID_KEY_INFORMATION);
}
- this->dh = lib->crypto->create_dh(lib->crypto, group);
- if (!this->dh)
+ if (!this->ph1->create_dh(this->ph1, group))
{
DBG1(DBG_IKE, "negotiated DH group not supported");
return send_notify(this, INVALID_KEY_INFORMATION);
}
- if (!get_nonce_ke(this, &this->nonce_i, message))
+ if (!this->ph1->get_nonce_ke(this->ph1, message))
{
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
}
case MM_KE:
{
- authenticator_t *authenticator;
id_payload_t *id_payload;
identification_t *id;
- id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID);
if (!id_payload)
{
DBG1(DBG_IKE, "IDii payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
-
id = id_payload->get_identification(id_payload);
this->ike_sa->set_other_id(this->ike_sa, id);
- this->peer_cfg = select_config(this, id);
- if (!this->peer_cfg)
- {
- DBG1(DBG_IKE, "no peer config found");
- return send_notify(this, AUTHENTICATION_FAILED);
- }
- this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
- this->my_auth = get_auth_cfg(this->peer_cfg, TRUE);
- this->other_auth = get_auth_cfg(this->peer_cfg, FALSE);
- if (!this->my_auth || !this->other_auth)
+ while (TRUE)
{
- DBG1(DBG_IKE, "auth config missing");
- return send_notify(this, AUTHENTICATION_FAILED);
- }
+ DESTROY_IF(this->peer_cfg);
+ this->peer_cfg = this->ph1->select_config(this->ph1,
+ this->method, FALSE, id);
+ if (!this->peer_cfg)
+ {
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+ this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
- authenticator = create_authenticator(this, id_payload);
- if (!authenticator || authenticator->process(authenticator,
- message) != SUCCESS)
- {
- DESTROY_IF(authenticator);
- return send_notify(this, AUTHENTICATION_FAILED);
+ if (this->ph1->verify_auth(this->ph1, this->method, message,
+ id_payload->get_encoded(id_payload)))
+ {
+ break;
+ }
}
- authenticator->destroy(authenticator);
- if (!check_constraints(this))
+
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
- save_auth_cfg(this, FALSE);
this->state = MM_AUTH;
if (has_notify_errors(this, message))
}
}
-/**
- * Lookup a shared secret for this IKE_SA
- */
-static shared_key_t *lookup_shared_key(private_main_mode_t *this)
-{
- host_t *me, *other;
- identification_t *my_id, *other_id;
- shared_key_t *shared_key = NULL;
-
- /* try to get a PSK for IP addresses */
- me = this->ike_sa->get_my_host(this->ike_sa);
- other = this->ike_sa->get_other_host(this->ike_sa);
- my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
- other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
- if (my_id && other_id)
- {
- shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
- my_id, other_id);
- }
- DESTROY_IF(my_id);
- DESTROY_IF(other_id);
- if (shared_key)
- {
- return shared_key;
- }
-
- if (this->my_auth && this->other_auth)
- { /* as initiator, use identities from configuraiton */
- my_id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
- other_id = this->other_auth->get(this->other_auth, AUTH_RULE_IDENTITY);
- if (my_id && other_id)
- {
- shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
- my_id, other_id);
- }
- else
- {
- DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
- my_id, me, other_id, other);
- }
- }
- else
- { /* as responder, we try to find a config by IP */
- enumerator_t *enumerator;
- auth_cfg_t *my_auth, *other_auth;
- peer_cfg_t *peer_cfg = NULL;
-
- enumerator = charon->backends->create_peer_cfg_enumerator(
- charon->backends, me, other, NULL, NULL, IKEV1);
- while (enumerator->enumerate(enumerator, &peer_cfg))
- {
- my_auth = get_auth_cfg(peer_cfg, TRUE);
- other_auth = get_auth_cfg(peer_cfg, FALSE);
- if (my_auth && other_auth)
- {
- my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
- other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
- if (my_id && other_id)
- {
- shared_key = lib->credmgr->get_shared(lib->credmgr,
- SHARED_IKE, my_id, other_id);
- if (shared_key)
- {
- break;
- }
- else
- {
- DBG1(DBG_IKE, "no shared key found for "
- "'%Y'[%H] - '%Y'[%H]", my_id, me, other_id, other);
- }
- }
- }
- }
- enumerator->destroy(enumerator);
- if (!peer_cfg)
- {
- DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
- }
- }
- return shared_key;
-}
-
-/**
- * Derive key material for this IKE_SA
- */
-static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
- chunk_t nonce_r)
-{
- ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
- shared_key_t *shared_key = NULL;
-
- switch (this->auth_method)
- {
- case AUTH_PSK:
- case AUTH_XAUTH_INIT_PSK:
- case AUTH_XAUTH_RESP_PSK:
- shared_key = lookup_shared_key(this);
- break;
- default:
- break;
- }
- if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
- this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
- {
- DESTROY_IF(shared_key);
- DBG1(DBG_IKE, "key derivation for %N failed",
- auth_method_names, this->auth_method);
- return FALSE;
- }
- DESTROY_IF(shared_key);
- charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
- NULL);
-
- return TRUE;
-}
-
-/**
- * Set IKE_SA to established state
- */
-static void establish(private_main_mode_t *this)
-{
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
- this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_unique_id(this->ike_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
-
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-}
-
METHOD(task_t, build_r, status_t,
private_main_mode_t *this, message_t *message)
{
sa_payload_t *sa_payload;
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
- this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
+ this->lifetime, 0, this->method, MODE_NONE,
+ ENCAP_NONE, 0);
message->add_payload(message, &sa_payload->payload_interface);
return NEED_MORE;
}
case MM_KE:
{
- if (!add_nonce_ke(this, &this->nonce_r, message))
+ if (!this->ph1->add_nonce_ke(this->ph1, message))
{
return send_notify(this, INVALID_KEY_INFORMATION);
}
- if (!derive_keys(this, this->nonce_i, this->nonce_r))
+ if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
{
return send_notify(this, INVALID_KEY_INFORMATION);
}
}
case MM_AUTH:
{
- authenticator_t *authenticator;
id_payload_t *id_payload;
identification_t *id;
+ adopt_children_job_t *job = NULL;
+ xauth_t *xauth = NULL;
- id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return send_notify(this, INVALID_ID_INFORMATION);
- }
+ id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
- id_payload = id_payload_create_from_identification(ID_V1, id);
+ id_payload = id_payload_create_from_identification(PLV1_ID, id);
message->add_payload(message, &id_payload->payload_interface);
- authenticator = create_authenticator(this, id_payload);
- if (!authenticator || authenticator->build(authenticator,
- message) != SUCCESS)
+ if (!this->ph1->build_auth(this->ph1, this->method, message,
+ id_payload->get_encoded(id_payload)))
{
- DESTROY_IF(authenticator);
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
- authenticator->destroy(authenticator);
- save_auth_cfg(this, TRUE);
- switch (this->auth_method)
+ switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)xauth_create(this->ike_sa, TRUE));
- return SUCCESS;
+ xauth = xauth_create(this->ike_sa, TRUE);
+ this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
- /* TODO-IKEv1: not yet supported */
- return FAILED;
+ /* wait for XAUTH request */
+ break;
default:
- establish(this);
- lib->processor->queue_job(lib->processor, (job_t*)
- adopt_children_job_create(
- this->ike_sa->get_id(this->ike_sa)));
- return SUCCESS;
+ if (charon->ike_sa_manager->check_uniqueness(
+ charon->ike_sa_manager, this->ike_sa, FALSE))
+ {
+ DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+ "policy");
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+ if (!establish(this))
+ {
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+ job = adopt_children_job_create(
+ this->ike_sa->get_id(this->ike_sa));
+ break;
+ }
+ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
}
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
+ {
+ if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ if (job)
+ {
+ job->queue_task(job, (task_t*)
+ mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
+ else if (xauth)
+ {
+ xauth->queue_mode_config_push(xauth);
+ }
+ else
+ {
+ this->ike_sa->queue_task(this->ike_sa, (task_t*)
+ mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
+ }
+ }
+ if (job)
+ {
+ lib->processor->queue_job(lib->processor, (job_t*)job);
+ }
+ return SUCCESS;
}
default:
return FAILED;
}
}
+/**
+ * Schedule a timeout for the IKE_SA should it not establish
+ */
+static void schedule_timeout(ike_sa_t *ike_sa)
+{
+ job_t *job;
+
+ job = (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE);
+ lib->scheduler->schedule_job(lib->scheduler, job, HALF_OPEN_IKE_SA_TIMEOUT);
+}
+
METHOD(task_t, process_i, status_t,
private_main_mode_t *this, message_t *message)
{
{
linked_list_t *list;
sa_payload_t *sa_payload;
- auth_method_t auth_method;
- u_int32_t lifetime;
+ auth_method_t method;
+ proposal_selection_flag_t flags = 0;
+ uint32_t lifetime;
sa_payload = (sa_payload_t*)message->get_payload(message,
- SECURITY_ASSOCIATION_V1);
+ PLV1_SECURITY_ASSOCIATION);
if (!sa_payload)
{
DBG1(DBG_IKE, "SA payload missing");
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
list = sa_payload->get_proposals(sa_payload);
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ {
+ flags |= PROPOSAL_SKIP_PRIVATE;
+ }
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE);
+ list, flags);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
DBG1(DBG_IKE, "no proposal found");
return send_notify(this, NO_PROPOSAL_CHOSEN);
}
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
- lifetime = sa_payload->get_lifetime(sa_payload);
+ lifetime = sa_payload->get_lifetime(sa_payload, this->proposal);
if (lifetime != this->lifetime)
{
DBG1(DBG_IKE, "received lifetime %us does not match configured "
"lifetime %us", lifetime, this->lifetime);
}
this->lifetime = lifetime;
- auth_method = sa_payload->get_auth_method(sa_payload);
- if (auth_method != this->auth_method)
+ method = sa_payload->get_auth_method(sa_payload);
+ if (method != this->method)
{
DBG1(DBG_IKE, "received %N authentication, but configured %N, "
- "continue with configured", auth_method_names, auth_method,
- auth_method_names, this->auth_method);
+ "continue with configured", auth_method_names, method,
+ auth_method_names, this->method);
}
return NEED_MORE;
}
case MM_KE:
{
- if (!get_nonce_ke(this, &this->nonce_r, message))
+ if (!this->ph1->get_nonce_ke(this->ph1, message))
{
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
- if (!derive_keys(this, this->nonce_i, this->nonce_r))
+ if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
{
return send_notify(this, INVALID_KEY_INFORMATION);
}
}
case MM_AUTH:
{
- authenticator_t *authenticator;
id_payload_t *id_payload;
- identification_t *id;
+ identification_t *id, *cid;
- id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID);
if (!id_payload)
{
DBG1(DBG_IKE, "IDir payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
id = id_payload->get_identification(id_payload);
- if (!id->matches(id, this->other_auth->get(this->other_auth,
- AUTH_RULE_IDENTITY)))
+ cid = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+ if (cid && !id->matches(id, cid))
{
- DBG1(DBG_IKE, "IDir does not match");
+ DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
id->destroy(id);
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
this->ike_sa->set_other_id(this->ike_sa, id);
- authenticator = create_authenticator(this, id_payload);
- if (!authenticator || authenticator->process(authenticator,
- message) != SUCCESS)
+ if (!this->ph1->verify_auth(this->ph1, this->method, message,
+ id_payload->get_encoded(id_payload)))
{
- DESTROY_IF(authenticator);
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
- authenticator->destroy(authenticator);
- if (!check_constraints(this))
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
- save_auth_cfg(this, FALSE);
-
- if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
- {
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
- }
- switch (this->auth_method)
+ switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
/* wait for XAUTH request */
- return SUCCESS;
+ schedule_timeout(this->ike_sa);
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
- /* TODO-IKEv1: not yet */
- return FAILED;
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)xauth_create(this->ike_sa, TRUE));
+ break;
default:
- establish(this);
- return SUCCESS;
+ if (charon->ike_sa_manager->check_uniqueness(
+ charon->ike_sa_manager, this->ike_sa, FALSE))
+ {
+ DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+ "policy");
+ return send_delete(this);
+ }
+ if (!establish(this))
+ {
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+ return send_delete(this);
+ }
+ break;
+ }
+ /* check for and prepare mode config push/pull */
+ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
+ else
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ }
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ else
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
}
+ return SUCCESS;
}
default:
return FAILED;
{
DESTROY_IF(this->peer_cfg);
DESTROY_IF(this->proposal);
- DESTROY_IF(this->dh);
- chunk_free(&this->dh_value);
- chunk_free(&this->nonce_i);
- chunk_free(&this->nonce_r);
- chunk_free(&this->sa_payload);
+ this->ph1->destroy(this->ph1);
this->ike_sa = ike_sa;
- this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
this->state = MM_INIT;
this->peer_cfg = NULL;
this->proposal = NULL;
- this->dh = NULL;
+ this->ph1 = phase1_create(ike_sa, this->initiator);
}
METHOD(task_t, destroy, void,
{
DESTROY_IF(this->peer_cfg);
DESTROY_IF(this->proposal);
- DESTROY_IF(this->dh);
- free(this->dh_value.ptr);
- free(this->nonce_i.ptr);
- free(this->nonce_r.ptr);
- free(this->sa_payload.ptr);
+ this->ph1->destroy(this->ph1);
free(this);
}
},
},
.ike_sa = ike_sa,
- .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
+ .ph1 = phase1_create(ike_sa, initiator),
.initiator = initiator,
.state = MM_INIT,
);