From 15a682f4c23d0b8340b31077698e6f6d924c2861 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 19 Dec 2011 13:10:29 +0100 Subject: Separated libcharon/sa directory with ikev1 and ikev2 subfolders --- src/libcharon/sa/ikev1/tasks/main_mode.c | 1155 ++++++++++++++++++++++++++++++ 1 file changed, 1155 insertions(+) create mode 100644 src/libcharon/sa/ikev1/tasks/main_mode.c (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c new file mode 100644 index 000000000..7f263260c --- /dev/null +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -0,0 +1,1155 @@ +/* + * Copyright (C) 2011 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2011 Martin Willi + * Copyright (C) 2011 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "main_mode.h" + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct private_main_mode_t private_main_mode_t; + +/** + * Private members of a main_mode_t task. + */ +struct private_main_mode_t { + + /** + * Public methods and task_t interface. + */ + main_mode_t public; + + /** + * Assigned IKE_SA. + */ + ike_sa_t *ike_sa; + + /** + * Are we the initiator? + */ + bool initiator; + + /** + * IKE config to establish + */ + ike_cfg_t *ike_cfg; + + /** + * Peer config to use + */ + peer_cfg_t *peer_cfg; + + /** + * Local authentication configuration + */ + auth_cfg_t *my_auth; + + /** + * Remote authentication configuration + */ + auth_cfg_t *other_auth; + + /** + * selected IKE proposal + */ + proposal_t *proposal; + + /** + * DH exchange + */ + diffie_hellman_t *dh; + + /** + * Keymat derivation (from SA) + */ + keymat_v1_t *keymat; + + /** + * Received public DH value from peer + */ + chunk_t dh_value; + + /** + * Initiators nonce + */ + chunk_t nonce_i; + + /** + * Responder nonce + */ + chunk_t nonce_r; + + /** + * Encoded SA initiator payload used for authentication + */ + chunk_t sa_payload; + + /** + * Negotiated SA lifetime + */ + u_int32_t lifetime; + + /** + * Negotiated authentication method + */ + auth_method_t auth_method; + + /** states of main mode */ + enum { + MM_INIT, + MM_SA, + MM_KE, + MM_AUTH, + } state; +}; + +/** + * Get the first authentcation config from peer config + */ +static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local) +{ + enumerator_t *enumerator; + auth_cfg_t *cfg = NULL; + + enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); + enumerator->enumerate(enumerator, &cfg); + enumerator->destroy(enumerator); + return cfg; +} + +/** + * Create an authenticator, if supported + */ +static authenticator_t *create_authenticator(private_main_mode_t *this, + id_payload_t *id) +{ + authenticator_t *authenticator; + authenticator = authenticator_create_v1(this->ike_sa, this->initiator, + this->auth_method, this->dh, + this->dh_value, this->sa_payload, + id->get_encoded(id)); + if (!authenticator) + { + DBG1(DBG_IKE, "negotiated authentication method %N not supported", + auth_method_names, this->auth_method); + } + return authenticator; +} + +/** + * Save the encoded SA payload of a message + */ +static bool save_sa_payload(private_main_mode_t *this, message_t *message) +{ + enumerator_t *enumerator; + payload_t *payload, *sa = NULL; + chunk_t data; + size_t offset = IKE_HEADER_LENGTH; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1) + { + sa = payload; + break; + } + else + { + offset += payload->get_length(payload); + } + } + enumerator->destroy(enumerator); + + data = message->get_packet_data(message); + if (sa && data.len >= offset + sa->get_length(sa)) + { + /* Get SA payload without 4 byte fixed header */ + data = chunk_skip(data, offset); + data.len = sa->get_length(sa); + data = chunk_skip(data, 4); + this->sa_payload = chunk_clone(data); + return TRUE; + } + return FALSE; +} + +/** + * Generate and add NONCE, KE payload + */ +static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce, + message_t *message) +{ + nonce_payload_t *nonce_payload; + ke_payload_t *ke_payload; + rng_t *rng; + + ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, + this->dh); + message->add_payload(message, &ke_payload->payload_interface); + + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + DBG1(DBG_IKE, "no RNG found to create nonce"); + return FALSE; + } + rng->allocate_bytes(rng, NONCE_SIZE, nonce); + rng->destroy(rng); + + nonce_payload = nonce_payload_create(NONCE_V1); + nonce_payload->set_nonce(nonce_payload, *nonce); + message->add_payload(message, &nonce_payload->payload_interface); + + return TRUE; +} + +/** + * Extract nonce from NONCE payload, process KE payload + */ +static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce, + message_t *message) +{ + nonce_payload_t *nonce_payload; + ke_payload_t *ke_payload; + + ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1); + if (!ke_payload) + { + DBG1(DBG_IKE, "KE payload missing in message"); + return FALSE; + } + this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload)); + this->dh->set_other_public_value(this->dh, this->dh_value); + + nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1); + if (!nonce_payload) + { + DBG1(DBG_IKE, "NONCE payload missing in message"); + return FALSE; + } + *nonce = nonce_payload->get_nonce(nonce_payload); + + return TRUE; +} + +/** + * Get the two auth classes from local or remote config + */ +static void get_auth_class(peer_cfg_t *peer_cfg, bool local, + auth_class_t *c1, auth_class_t *c2) +{ + enumerator_t *enumerator; + auth_cfg_t *auth; + + *c1 = *c2 = AUTH_CLASS_ANY; + + enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); + while (enumerator->enumerate(enumerator, &auth)) + { + if (*c1 == AUTH_CLASS_ANY) + { + *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); + } + else + { + *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); + break; + } + } + enumerator->destroy(enumerator); +} + +/** + * Get auth method to use from a peer config + */ +static auth_method_t get_auth_method(private_main_mode_t *this, + peer_cfg_t *peer_cfg) +{ + auth_class_t i1, i2, r1, r2; + + get_auth_class(peer_cfg, this->initiator, &i1, &i2); + get_auth_class(peer_cfg, !this->initiator, &r1, &r2); + + if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY) + { + if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) + { + /* TODO-IKEv1: ECDSA? */ + return AUTH_RSA; + } + if (i2 == AUTH_CLASS_XAUTH) + { + return AUTH_XAUTH_INIT_RSA; + } + if (r2 == AUTH_CLASS_XAUTH) + { + return AUTH_XAUTH_RESP_RSA; + } + } + if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK) + { + if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) + { + return AUTH_PSK; + } + if (i2 == AUTH_CLASS_XAUTH) + { + return AUTH_XAUTH_INIT_PSK; + } + if (r2 == AUTH_CLASS_XAUTH) + { + return AUTH_XAUTH_RESP_PSK; + } + } + if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY && + i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) + { + return AUTH_HYBRID_INIT_RSA; + } + return AUTH_NONE; +} + +/** + * Check if a peer skipped authentication by using Hybrid authentication + */ +static bool skipped_auth(private_main_mode_t *this, bool local) +{ + bool initiator; + + initiator = local == this->initiator; + if (initiator && this->auth_method == AUTH_HYBRID_INIT_RSA) + { + return TRUE; + } + if (!initiator && this->auth_method == AUTH_HYBRID_RESP_RSA) + { + return TRUE; + } + return FALSE; +} + +/** + * Check if remote authentication constraints fulfilled + */ +static bool check_constraints(private_main_mode_t *this) +{ + identification_t *id; + auth_cfg_t *auth; + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + /* auth identity to comply */ + id = this->ike_sa->get_other_id(this->ike_sa); + auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id)); + if (skipped_auth(this, FALSE)) + { + return TRUE; + } + return auth->complies(auth, this->other_auth, TRUE); +} + +/** + * Save authentication information after authentication succeeded + */ +static void save_auth_cfg(private_main_mode_t *this, bool local) +{ + auth_cfg_t *auth; + + if (skipped_auth(this, local)) + { + return; + } + auth = auth_cfg_create(); + /* for local config, we _copy_ entires from the config, as it contains + * certificates we must send later. */ + auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); + this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); +} + +/** + * Select the best configuration as responder + */ +static peer_cfg_t *select_config(private_main_mode_t *this, identification_t *id) +{ + enumerator_t *enumerator; + peer_cfg_t *current, *found = NULL; + host_t *me, *other; + + me = this->ike_sa->get_my_host(this->ike_sa); + other = this->ike_sa->get_other_host(this->ike_sa); + DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]", + auth_method_names, this->auth_method, me, other, id); + enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, + me, other, NULL, id, IKEV1); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (get_auth_method(this, current) == this->auth_method) + { + found = current->get_ref(current); + break; + } + } + enumerator->destroy(enumerator); + + if (found) + { + DBG2(DBG_CFG, "selected peer config \"%s\"", found->get_name(found)); + } + return found; +} + +/** + * Check for notify errors, return TRUE if error found + */ +static bool has_notify_errors(private_main_mode_t *this, message_t *message) +{ + enumerator_t *enumerator; + payload_t *payload; + bool err = FALSE; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == NOTIFY_V1) + { + notify_payload_t *notify; + notify_type_t type; + + notify = (notify_payload_t*)payload; + type = notify->get_notify_type(notify); + if (type < 16384) + { + DBG1(DBG_IKE, "received %N error notify", + notify_type_names, type); + err = TRUE; + } + else if (type == INITIAL_CONTACT_IKEV1) + { + if (!this->initiator && this->state == MM_AUTH) + { + /* If authenticated and received INITIAL_CONTACT, + * delete any existing IKE_SAs with that peer. + * The delete takes place when the SA is checked in due + * to other id not known until the 3rd message.*/ + this->ike_sa->set_condition(this->ike_sa, + COND_INIT_CONTACT_SEEN, TRUE); + } + } + else + { + DBG1(DBG_IKE, "received %N notify", notify_type_names, type); + } + } + } + enumerator->destroy(enumerator); + + return err; +} + +/** + * Queue a task sending a notify in an INFORMATIONAL exchange + */ +static status_t send_notify(private_main_mode_t *this, notify_type_t type) +{ + notify_payload_t *notify; + ike_sa_id_t *ike_sa_id; + u_int64_t spi_i, spi_r; + chunk_t spi; + + notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1, + PROTO_IKE, type); + ike_sa_id = this->ike_sa->get_id(this->ike_sa); + spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); + spi_r = ike_sa_id->get_responder_spi(ike_sa_id); + spi = chunk_cata("cc", chunk_from_thing(spi_i), chunk_from_thing(spi_r)); + notify->set_spi_data(notify, spi); + + this->ike_sa->queue_task(this->ike_sa, + (task_t*)informational_create(this->ike_sa, notify)); + /* cancel all active/passive tasks in favour of informational */ + return ALREADY_DONE; +} + +/** + * Queue a delete task if authentication failed as initiator + */ +static status_t send_delete(private_main_mode_t *this) +{ + this->ike_sa->queue_task(this->ike_sa, + (task_t*)isakmp_delete_create(this->ike_sa, TRUE)); + /* cancel all active tasks in favour of informational */ + return ALREADY_DONE; +} + +METHOD(task_t, build_i, status_t, + private_main_mode_t *this, message_t *message) +{ + switch (this->state) + { + case MM_INIT: + { + sa_payload_t *sa_payload; + linked_list_t *proposals; + packet_t *packet; + + this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); + + this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + this->peer_cfg->get_ref(this->peer_cfg); + + this->my_auth = get_auth_cfg(this->peer_cfg, TRUE); + this->other_auth = get_auth_cfg(this->peer_cfg, FALSE); + if (!this->my_auth || !this->other_auth) + { + DBG1(DBG_CFG, "no auth config found"); + return FAILED; + } + this->auth_method = get_auth_method(this, this->peer_cfg); + if (this->auth_method == AUTH_NONE) + { + DBG1(DBG_CFG, "configuration uses unsupported authentication"); + return FAILED; + } + this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg, + FALSE); + if (!this->lifetime) + { /* fall back to rekey time of no rekey time configured */ + this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg, + FALSE); + } + proposals = this->ike_cfg->get_proposals(this->ike_cfg); + sa_payload = sa_payload_create_from_proposals_v1(proposals, + this->lifetime, 0, this->auth_method, MODE_NONE, FALSE); + proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); + + message->add_payload(message, &sa_payload->payload_interface); + + /* pregenerate message to store SA payload */ + if (this->ike_sa->generate_message(this->ike_sa, message, + &packet) != SUCCESS) + { + DBG1(DBG_IKE, "pregenerating SA payload failed"); + return FAILED; + } + packet->destroy(packet); + if (!save_sa_payload(this, message)) + { + DBG1(DBG_IKE, "SA payload invalid"); + return FAILED; + } + + this->state = MM_SA; + return NEED_MORE; + } + case MM_SA: + { + u_int16_t group; + + if (!this->keymat->create_hasher(this->keymat, this->proposal)) + { + return send_notify(this, NO_PROPOSAL_CHOSEN); + } + if (!this->proposal->get_algorithm(this->proposal, + DIFFIE_HELLMAN_GROUP, &group, NULL)) + { + DBG1(DBG_IKE, "DH group selection failed"); + return send_notify(this, NO_PROPOSAL_CHOSEN); + } + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + group); + if (!this->dh) + { + DBG1(DBG_IKE, "negotiated DH group not supported"); + return send_notify(this, INVALID_KEY_INFORMATION); + } + if (!add_nonce_ke(this, &this->nonce_i, message)) + { + return send_notify(this, INVALID_KEY_INFORMATION); + } + this->state = MM_KE; + return NEED_MORE; + } + case MM_KE: + { + authenticator_t *authenticator; + id_payload_t *id_payload; + identification_t *id; + + id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); + if (!id) + { + DBG1(DBG_CFG, "own identity not known"); + return send_notify(this, INVALID_ID_INFORMATION); + } + + this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); + + id_payload = id_payload_create_from_identification(ID_V1, id); + message->add_payload(message, &id_payload->payload_interface); + + authenticator = create_authenticator(this, id_payload); + if (!authenticator || authenticator->build(authenticator, + message) != SUCCESS) + { + DESTROY_IF(authenticator); + return send_notify(this, AUTHENTICATION_FAILED); + } + authenticator->destroy(authenticator); + save_auth_cfg(this, TRUE); + + this->state = MM_AUTH; + return NEED_MORE; + } + default: + return FAILED; + } +} + +METHOD(task_t, process_r, status_t, + private_main_mode_t *this, message_t *message) +{ + switch (this->state) + { + case MM_INIT: + { + linked_list_t *list; + sa_payload_t *sa_payload; + + this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + DBG0(DBG_IKE, "%H is initiating a Main Mode", + message->get_source(message)); + this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); + + this->ike_sa->update_hosts(this->ike_sa, + message->get_destination(message), + message->get_source(message), TRUE); + + sa_payload = (sa_payload_t*)message->get_payload(message, + SECURITY_ASSOCIATION_V1); + if (!sa_payload || !save_sa_payload(this, message)) + { + DBG1(DBG_IKE, "SA payload missing or invalid"); + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + + list = sa_payload->get_proposals(sa_payload); + this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, + list, FALSE); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + if (!this->proposal) + { + DBG1(DBG_IKE, "no proposal found"); + return send_notify(this, NO_PROPOSAL_CHOSEN); + } + + this->auth_method = sa_payload->get_auth_method(sa_payload); + this->lifetime = sa_payload->get_lifetime(sa_payload); + + this->state = MM_SA; + return NEED_MORE; + } + case MM_SA: + { + u_int16_t group; + + if (!this->keymat->create_hasher(this->keymat, this->proposal)) + { + return send_notify(this, INVALID_KEY_INFORMATION); + } + if (!this->proposal->get_algorithm(this->proposal, + DIFFIE_HELLMAN_GROUP, &group, NULL)) + { + DBG1(DBG_IKE, "DH group selection failed"); + return send_notify(this, INVALID_KEY_INFORMATION); + } + this->dh = lib->crypto->create_dh(lib->crypto, group); + if (!this->dh) + { + DBG1(DBG_IKE, "negotiated DH group not supported"); + return send_notify(this, INVALID_KEY_INFORMATION); + } + if (!get_nonce_ke(this, &this->nonce_i, message)) + { + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + this->state = MM_KE; + return NEED_MORE; + } + case MM_KE: + { + authenticator_t *authenticator; + id_payload_t *id_payload; + identification_t *id; + + id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + if (!id_payload) + { + DBG1(DBG_IKE, "IDii payload missing"); + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + + id = id_payload->get_identification(id_payload); + this->ike_sa->set_other_id(this->ike_sa, id); + this->peer_cfg = select_config(this, id); + if (!this->peer_cfg) + { + DBG1(DBG_IKE, "no peer config found"); + return send_notify(this, AUTHENTICATION_FAILED); + } + this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); + + this->my_auth = get_auth_cfg(this->peer_cfg, TRUE); + this->other_auth = get_auth_cfg(this->peer_cfg, FALSE); + if (!this->my_auth || !this->other_auth) + { + DBG1(DBG_IKE, "auth config missing"); + return send_notify(this, AUTHENTICATION_FAILED); + } + + authenticator = create_authenticator(this, id_payload); + if (!authenticator || authenticator->process(authenticator, + message) != SUCCESS) + { + DESTROY_IF(authenticator); + return send_notify(this, AUTHENTICATION_FAILED); + } + authenticator->destroy(authenticator); + if (!check_constraints(this)) + { + return send_notify(this, AUTHENTICATION_FAILED); + } + save_auth_cfg(this, FALSE); + + this->state = MM_AUTH; + if (has_notify_errors(this, message)) + { + return FAILED; + } + return NEED_MORE; + } + default: + return FAILED; + } +} + +/** + * Lookup a shared secret for this IKE_SA + */ +static shared_key_t *lookup_shared_key(private_main_mode_t *this) +{ + host_t *me, *other; + identification_t *my_id, *other_id; + shared_key_t *shared_key = NULL; + + /* try to get a PSK for IP addresses */ + me = this->ike_sa->get_my_host(this->ike_sa); + other = this->ike_sa->get_other_host(this->ike_sa); + my_id = identification_create_from_sockaddr(me->get_sockaddr(me)); + other_id = identification_create_from_sockaddr(other->get_sockaddr(other)); + if (my_id && other_id) + { + shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, + my_id, other_id); + } + DESTROY_IF(my_id); + DESTROY_IF(other_id); + if (shared_key) + { + return shared_key; + } + + if (this->my_auth && this->other_auth) + { /* as initiator, use identities from configuraiton */ + my_id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); + other_id = this->other_auth->get(this->other_auth, AUTH_RULE_IDENTITY); + if (my_id && other_id) + { + shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, + my_id, other_id); + } + else + { + DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", + my_id, me, other_id, other); + } + } + else + { /* as responder, we try to find a config by IP */ + enumerator_t *enumerator; + auth_cfg_t *my_auth, *other_auth; + peer_cfg_t *peer_cfg = NULL; + + enumerator = charon->backends->create_peer_cfg_enumerator( + charon->backends, me, other, NULL, NULL, IKEV1); + while (enumerator->enumerate(enumerator, &peer_cfg)) + { + my_auth = get_auth_cfg(peer_cfg, TRUE); + other_auth = get_auth_cfg(peer_cfg, FALSE); + if (my_auth && other_auth) + { + my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY); + other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); + if (my_id && other_id) + { + shared_key = lib->credmgr->get_shared(lib->credmgr, + SHARED_IKE, my_id, other_id); + if (shared_key) + { + break; + } + else + { + DBG1(DBG_IKE, "no shared key found for " + "'%Y'[%H] - '%Y'[%H]", my_id, me, other_id, other); + } + } + } + } + enumerator->destroy(enumerator); + if (!peer_cfg) + { + DBG1(DBG_IKE, "no shared key found for %H - %H", me, other); + } + } + return shared_key; +} + +/** + * Derive key material for this IKE_SA + */ +static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i, + chunk_t nonce_r) +{ + ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa); + shared_key_t *shared_key = NULL; + + switch (this->auth_method) + { + case AUTH_PSK: + case AUTH_XAUTH_INIT_PSK: + case AUTH_XAUTH_RESP_PSK: + shared_key = lookup_shared_key(this); + break; + default: + break; + } + if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh, + this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key)) + { + DESTROY_IF(shared_key); + DBG1(DBG_IKE, "key derivation for %N failed", + auth_method_names, this->auth_method); + return FALSE; + } + DESTROY_IF(shared_key); + charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r, + NULL); + + return TRUE; +} + +/** + * Set IKE_SA to established state + */ +static void establish(private_main_mode_t *this) +{ + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); + + this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); +} + +METHOD(task_t, build_r, status_t, + private_main_mode_t *this, message_t *message) +{ + switch (this->state) + { + case MM_SA: + { + sa_payload_t *sa_payload; + + sa_payload = sa_payload_create_from_proposal_v1(this->proposal, + this->lifetime, 0, this->auth_method, MODE_NONE, FALSE); + message->add_payload(message, &sa_payload->payload_interface); + + return NEED_MORE; + } + case MM_KE: + { + if (!add_nonce_ke(this, &this->nonce_r, message)) + { + return send_notify(this, INVALID_KEY_INFORMATION); + } + if (!derive_keys(this, this->nonce_i, this->nonce_r)) + { + return send_notify(this, INVALID_KEY_INFORMATION); + } + return NEED_MORE; + } + case MM_AUTH: + { + authenticator_t *authenticator; + id_payload_t *id_payload; + identification_t *id; + + id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); + if (!id) + { + DBG1(DBG_CFG, "own identity not known"); + return send_notify(this, INVALID_ID_INFORMATION); + } + this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); + + id_payload = id_payload_create_from_identification(ID_V1, id); + message->add_payload(message, &id_payload->payload_interface); + + authenticator = create_authenticator(this, id_payload); + if (!authenticator || authenticator->build(authenticator, + message) != SUCCESS) + { + DESTROY_IF(authenticator); + return send_notify(this, AUTHENTICATION_FAILED); + } + authenticator->destroy(authenticator); + save_auth_cfg(this, TRUE); + + if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) + { + this->ike_sa->queue_task(this->ike_sa, + (task_t*)mode_config_create(this->ike_sa, TRUE)); + } + + switch (this->auth_method) + { + case AUTH_XAUTH_INIT_PSK: + case AUTH_XAUTH_INIT_RSA: + case AUTH_HYBRID_INIT_RSA: + this->ike_sa->queue_task(this->ike_sa, + (task_t*)xauth_create(this->ike_sa, TRUE)); + return SUCCESS; + case AUTH_XAUTH_RESP_PSK: + case AUTH_XAUTH_RESP_RSA: + case AUTH_HYBRID_RESP_RSA: + /* TODO-IKEv1: not yet supported */ + return FAILED; + default: + establish(this); + return SUCCESS; + } + } + default: + return FAILED; + } +} + +METHOD(task_t, process_i, status_t, + private_main_mode_t *this, message_t *message) +{ + switch (this->state) + { + case MM_SA: + { + linked_list_t *list; + sa_payload_t *sa_payload; + auth_method_t auth_method; + u_int32_t lifetime; + + sa_payload = (sa_payload_t*)message->get_payload(message, + SECURITY_ASSOCIATION_V1); + if (!sa_payload) + { + DBG1(DBG_IKE, "SA payload missing"); + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + list = sa_payload->get_proposals(sa_payload); + this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, + list, FALSE); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + if (!this->proposal) + { + DBG1(DBG_IKE, "no proposal found"); + return send_notify(this, NO_PROPOSAL_CHOSEN); + } + + lifetime = sa_payload->get_lifetime(sa_payload); + if (lifetime != this->lifetime) + { + DBG1(DBG_IKE, "received lifetime %us does not match configured " + "%us, using lower value", lifetime, this->lifetime); + } + this->lifetime = min(this->lifetime, lifetime); + auth_method = sa_payload->get_auth_method(sa_payload); + if (auth_method != this->auth_method) + { + DBG1(DBG_IKE, "received %N authentication, but configured %N, " + "continue with configured", auth_method_names, auth_method, + auth_method_names, this->auth_method); + } + return NEED_MORE; + } + case MM_KE: + { + if (!get_nonce_ke(this, &this->nonce_r, message)) + { + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + if (!derive_keys(this, this->nonce_i, this->nonce_r)) + { + return send_notify(this, INVALID_KEY_INFORMATION); + } + return NEED_MORE; + } + case MM_AUTH: + { + authenticator_t *authenticator; + id_payload_t *id_payload; + identification_t *id; + + id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + if (!id_payload) + { + DBG1(DBG_IKE, "IDir payload missing"); + return send_delete(this); + } + id = id_payload->get_identification(id_payload); + if (!id->matches(id, this->other_auth->get(this->other_auth, + AUTH_RULE_IDENTITY))) + { + DBG1(DBG_IKE, "IDir does not match"); + id->destroy(id); + return send_delete(this); + } + this->ike_sa->set_other_id(this->ike_sa, id); + + authenticator = create_authenticator(this, id_payload); + if (!authenticator || authenticator->process(authenticator, + message) != SUCCESS) + { + DESTROY_IF(authenticator); + return send_delete(this); + } + authenticator->destroy(authenticator); + if (!check_constraints(this)) + { + return send_delete(this); + } + save_auth_cfg(this, FALSE); + + switch (this->auth_method) + { + case AUTH_XAUTH_INIT_PSK: + case AUTH_XAUTH_INIT_RSA: + case AUTH_HYBRID_INIT_RSA: + /* wait for XAUTH request */ + return SUCCESS; + case AUTH_XAUTH_RESP_PSK: + case AUTH_XAUTH_RESP_RSA: + case AUTH_HYBRID_RESP_RSA: + /* TODO-IKEv1: not yet */ + return FAILED; + default: + establish(this); + return SUCCESS; + } + } + default: + return FAILED; + } +} + +METHOD(task_t, get_type, task_type_t, + private_main_mode_t *this) +{ + return TASK_MAIN_MODE; +} + +METHOD(task_t, migrate, void, + private_main_mode_t *this, ike_sa_t *ike_sa) +{ + this->ike_sa = ike_sa; +} + +METHOD(task_t, destroy, void, + private_main_mode_t *this) +{ + DESTROY_IF(this->peer_cfg); + DESTROY_IF(this->proposal); + DESTROY_IF(this->dh); + free(this->dh_value.ptr); + free(this->nonce_i.ptr); + free(this->nonce_r.ptr); + free(this->sa_payload.ptr); + free(this); +} + +/* + * Described in header. + */ +main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator) +{ + private_main_mode_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa), + .initiator = initiator, + .state = MM_INIT, + ); + + if (initiator) + { + this->public.task.build = _build_i; + this->public.task.process = _process_i; + } + else + { + this->public.task.build = _build_r; + this->public.task.process = _process_r; + } + + return &this->public; +} -- cgit v1.2.3 From 451ebecc85382bebc1acff9ad664d21573ba4894 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 20 Dec 2011 17:59:45 +0100 Subject: Implemented migration of Main Mode task --- src/libcharon/sa/ikev1/tasks/main_mode.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 7f263260c..cd790787f 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -1103,7 +1103,20 @@ METHOD(task_t, get_type, task_type_t, METHOD(task_t, migrate, void, private_main_mode_t *this, ike_sa_t *ike_sa) { + DESTROY_IF(this->peer_cfg); + DESTROY_IF(this->proposal); + DESTROY_IF(this->dh); + chunk_free(&this->dh_value); + chunk_free(&this->nonce_i); + chunk_free(&this->nonce_r); + chunk_free(&this->sa_payload); + this->ike_sa = ike_sa; + this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa); + this->state = MM_INIT; + this->peer_cfg = NULL; + this->proposal = NULL; + this->dh = NULL; } METHOD(task_t, destroy, void, -- cgit v1.2.3 From 54773729a88196dfa394fa8ca4639318f99c43eb Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 3 Jan 2012 11:57:35 +0100 Subject: Queue Mode Config tasks after main mode as initiator, not as responder --- src/libcharon/sa/ikev1/tasks/main_mode.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index cd790787f..a9486e839 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -950,12 +950,6 @@ METHOD(task_t, build_r, status_t, authenticator->destroy(authenticator); save_auth_cfg(this, TRUE); - if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) - { - this->ike_sa->queue_task(this->ike_sa, - (task_t*)mode_config_create(this->ike_sa, TRUE)); - } - switch (this->auth_method) { case AUTH_XAUTH_INIT_PSK: @@ -1072,6 +1066,12 @@ METHOD(task_t, process_i, status_t, } save_auth_cfg(this, FALSE); + if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) + { + this->ike_sa->queue_task(this->ike_sa, + (task_t*)mode_config_create(this->ike_sa, TRUE)); + } + switch (this->auth_method) { case AUTH_XAUTH_INIT_PSK: -- cgit v1.2.3 From c9d68d17f0a004e36b57fcf46f87d8254263deb5 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 3 Jan 2012 13:33:18 +0100 Subject: Include peer config overtime in negotiated ISAKMP SA lifetime --- src/libcharon/sa/ikev1/tasks/main_mode.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index a9486e839..75f167b1d 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -548,6 +548,7 @@ METHOD(task_t, build_i, status_t, this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg, FALSE); } + this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg); proposals = this->ike_cfg->get_proposals(this->ike_cfg); sa_payload = sa_payload_create_from_proposals_v1(proposals, this->lifetime, 0, this->auth_method, MODE_NONE, FALSE); @@ -1006,9 +1007,9 @@ METHOD(task_t, process_i, status_t, if (lifetime != this->lifetime) { DBG1(DBG_IKE, "received lifetime %us does not match configured " - "%us, using lower value", lifetime, this->lifetime); + "lifetime %us", lifetime, this->lifetime); } - this->lifetime = min(this->lifetime, lifetime); + this->lifetime = lifetime; auth_method = sa_payload->get_auth_method(sa_payload); if (auth_method != this->auth_method) { -- cgit v1.2.3 From b147679a2c1b3c232a13f8f58418b4976571b8da Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 4 Jan 2012 17:51:22 +0100 Subject: Try to detect reauthentication as responder and adopt children to new SA --- src/libcharon/sa/ikev1/tasks/main_mode.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 75f167b1d..3c0a2520e 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -32,6 +32,7 @@ #include #include #include +#include typedef struct private_main_mode_t private_main_mode_t; @@ -966,6 +967,9 @@ METHOD(task_t, build_r, status_t, return FAILED; default: establish(this); + lib->processor->queue_job(lib->processor, (job_t*) + adopt_children_job_create( + this->ike_sa->get_id(this->ike_sa))); return SUCCESS; } } -- cgit v1.2.3 From 44dcd5944ab878cb5bbbec6aa79d5d99b109d33f Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 9 Jan 2012 13:41:35 +0100 Subject: Fix error handling if no PSK found for main mode --- src/libcharon/sa/ikev1/tasks/main_mode.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 3c0a2520e..2fc06ca1a 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -799,11 +799,11 @@ static shared_key_t *lookup_shared_key(private_main_mode_t *this) { shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id); - } - else - { - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); + if (!shared_key) + { + DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", + my_id, me, other_id, other); + } } } else @@ -862,6 +862,10 @@ static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i, case AUTH_XAUTH_INIT_PSK: case AUTH_XAUTH_RESP_PSK: shared_key = lookup_shared_key(this); + if (!shared_key) + { + return FALSE; + } break; default: break; -- cgit v1.2.3 From b4bd8756127b55fb4631f4ec5f6db8779af0ce29 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 9 Jan 2012 17:05:16 +0100 Subject: Make use of the new Phase 1 helper class in main mode --- src/libcharon/sa/ikev1/tasks/main_mode.c | 652 ++++--------------------------- 1 file changed, 73 insertions(+), 579 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 2fc06ca1a..a3b567870 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -21,11 +21,8 @@ #include #include -#include -#include +#include #include -#include -#include #include #include #include @@ -56,6 +53,11 @@ struct private_main_mode_t { */ bool initiator; + /** + * Common phase 1 helper class + */ + phase1_t *ph1; + /** * IKE config to establish */ @@ -66,51 +68,11 @@ struct private_main_mode_t { */ peer_cfg_t *peer_cfg; - /** - * Local authentication configuration - */ - auth_cfg_t *my_auth; - - /** - * Remote authentication configuration - */ - auth_cfg_t *other_auth; - /** * selected IKE proposal */ proposal_t *proposal; - /** - * DH exchange - */ - diffie_hellman_t *dh; - - /** - * Keymat derivation (from SA) - */ - keymat_v1_t *keymat; - - /** - * Received public DH value from peer - */ - chunk_t dh_value; - - /** - * Initiators nonce - */ - chunk_t nonce_i; - - /** - * Responder nonce - */ - chunk_t nonce_r; - - /** - * Encoded SA initiator payload used for authentication - */ - chunk_t sa_payload; - /** * Negotiated SA lifetime */ @@ -119,7 +81,7 @@ struct private_main_mode_t { /** * Negotiated authentication method */ - auth_method_t auth_method; + auth_method_t method; /** states of main mode */ enum { @@ -131,298 +93,20 @@ struct private_main_mode_t { }; /** - * Get the first authentcation config from peer config - */ -static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local) -{ - enumerator_t *enumerator; - auth_cfg_t *cfg = NULL; - - enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); - enumerator->enumerate(enumerator, &cfg); - enumerator->destroy(enumerator); - return cfg; -} - -/** - * Create an authenticator, if supported - */ -static authenticator_t *create_authenticator(private_main_mode_t *this, - id_payload_t *id) -{ - authenticator_t *authenticator; - authenticator = authenticator_create_v1(this->ike_sa, this->initiator, - this->auth_method, this->dh, - this->dh_value, this->sa_payload, - id->get_encoded(id)); - if (!authenticator) - { - DBG1(DBG_IKE, "negotiated authentication method %N not supported", - auth_method_names, this->auth_method); - } - return authenticator; -} - -/** - * Save the encoded SA payload of a message - */ -static bool save_sa_payload(private_main_mode_t *this, message_t *message) -{ - enumerator_t *enumerator; - payload_t *payload, *sa = NULL; - chunk_t data; - size_t offset = IKE_HEADER_LENGTH; - - enumerator = message->create_payload_enumerator(message); - while (enumerator->enumerate(enumerator, &payload)) - { - if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1) - { - sa = payload; - break; - } - else - { - offset += payload->get_length(payload); - } - } - enumerator->destroy(enumerator); - - data = message->get_packet_data(message); - if (sa && data.len >= offset + sa->get_length(sa)) - { - /* Get SA payload without 4 byte fixed header */ - data = chunk_skip(data, offset); - data.len = sa->get_length(sa); - data = chunk_skip(data, 4); - this->sa_payload = chunk_clone(data); - return TRUE; - } - return FALSE; -} - -/** - * Generate and add NONCE, KE payload - */ -static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce, - message_t *message) -{ - nonce_payload_t *nonce_payload; - ke_payload_t *ke_payload; - rng_t *rng; - - ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, - this->dh); - message->add_payload(message, &ke_payload->payload_interface); - - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng) - { - DBG1(DBG_IKE, "no RNG found to create nonce"); - return FALSE; - } - rng->allocate_bytes(rng, NONCE_SIZE, nonce); - rng->destroy(rng); - - nonce_payload = nonce_payload_create(NONCE_V1); - nonce_payload->set_nonce(nonce_payload, *nonce); - message->add_payload(message, &nonce_payload->payload_interface); - - return TRUE; -} - -/** - * Extract nonce from NONCE payload, process KE payload - */ -static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce, - message_t *message) -{ - nonce_payload_t *nonce_payload; - ke_payload_t *ke_payload; - - ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1); - if (!ke_payload) - { - DBG1(DBG_IKE, "KE payload missing in message"); - return FALSE; - } - this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload)); - this->dh->set_other_public_value(this->dh, this->dh_value); - - nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1); - if (!nonce_payload) - { - DBG1(DBG_IKE, "NONCE payload missing in message"); - return FALSE; - } - *nonce = nonce_payload->get_nonce(nonce_payload); - - return TRUE; -} - -/** - * Get the two auth classes from local or remote config - */ -static void get_auth_class(peer_cfg_t *peer_cfg, bool local, - auth_class_t *c1, auth_class_t *c2) -{ - enumerator_t *enumerator; - auth_cfg_t *auth; - - *c1 = *c2 = AUTH_CLASS_ANY; - - enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); - while (enumerator->enumerate(enumerator, &auth)) - { - if (*c1 == AUTH_CLASS_ANY) - { - *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); - } - else - { - *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); - break; - } - } - enumerator->destroy(enumerator); -} - -/** - * Get auth method to use from a peer config - */ -static auth_method_t get_auth_method(private_main_mode_t *this, - peer_cfg_t *peer_cfg) -{ - auth_class_t i1, i2, r1, r2; - - get_auth_class(peer_cfg, this->initiator, &i1, &i2); - get_auth_class(peer_cfg, !this->initiator, &r1, &r2); - - if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY) - { - if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) - { - /* TODO-IKEv1: ECDSA? */ - return AUTH_RSA; - } - if (i2 == AUTH_CLASS_XAUTH) - { - return AUTH_XAUTH_INIT_RSA; - } - if (r2 == AUTH_CLASS_XAUTH) - { - return AUTH_XAUTH_RESP_RSA; - } - } - if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK) - { - if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) - { - return AUTH_PSK; - } - if (i2 == AUTH_CLASS_XAUTH) - { - return AUTH_XAUTH_INIT_PSK; - } - if (r2 == AUTH_CLASS_XAUTH) - { - return AUTH_XAUTH_RESP_PSK; - } - } - if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY && - i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) - { - return AUTH_HYBRID_INIT_RSA; - } - return AUTH_NONE; -} - -/** - * Check if a peer skipped authentication by using Hybrid authentication - */ -static bool skipped_auth(private_main_mode_t *this, bool local) -{ - bool initiator; - - initiator = local == this->initiator; - if (initiator && this->auth_method == AUTH_HYBRID_INIT_RSA) - { - return TRUE; - } - if (!initiator && this->auth_method == AUTH_HYBRID_RESP_RSA) - { - return TRUE; - } - return FALSE; -} - -/** - * Check if remote authentication constraints fulfilled - */ -static bool check_constraints(private_main_mode_t *this) -{ - identification_t *id; - auth_cfg_t *auth; - - auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - /* auth identity to comply */ - id = this->ike_sa->get_other_id(this->ike_sa); - auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id)); - if (skipped_auth(this, FALSE)) - { - return TRUE; - } - return auth->complies(auth, this->other_auth, TRUE); -} - -/** - * Save authentication information after authentication succeeded - */ -static void save_auth_cfg(private_main_mode_t *this, bool local) -{ - auth_cfg_t *auth; - - if (skipped_auth(this, local)) - { - return; - } - auth = auth_cfg_create(); - /* for local config, we _copy_ entires from the config, as it contains - * certificates we must send later. */ - auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); - this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); -} - -/** - * Select the best configuration as responder + * Set IKE_SA to established state */ -static peer_cfg_t *select_config(private_main_mode_t *this, identification_t *id) +static void establish(private_main_mode_t *this) { - enumerator_t *enumerator; - peer_cfg_t *current, *found = NULL; - host_t *me, *other; - - me = this->ike_sa->get_my_host(this->ike_sa); - other = this->ike_sa->get_other_host(this->ike_sa); - DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]", - auth_method_names, this->auth_method, me, other, id); - enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, - me, other, NULL, id, IKEV1); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (get_auth_method(this, current) == this->auth_method) - { - found = current->get_ref(current); - break; - } - } - enumerator->destroy(enumerator); + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); - if (found) - { - DBG2(DBG_CFG, "selected peer config \"%s\"", found->get_name(found)); - } - return found; + this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); } /** @@ -519,31 +203,24 @@ METHOD(task_t, build_i, status_t, linked_list_t *proposals; packet_t *packet; - this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); - DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H", + DBG0(DBG_IKE, "initiating main mode IKE_SA %s[%d] to %H", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); + this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); this->peer_cfg->get_ref(this->peer_cfg); - this->my_auth = get_auth_cfg(this->peer_cfg, TRUE); - this->other_auth = get_auth_cfg(this->peer_cfg, FALSE); - if (!this->my_auth || !this->other_auth) - { - DBG1(DBG_CFG, "no auth config found"); - return FAILED; - } - this->auth_method = get_auth_method(this, this->peer_cfg); - if (this->auth_method == AUTH_NONE) + this->method = this->ph1->get_auth_method(this->ph1, this->peer_cfg); + if (this->method == AUTH_NONE) { DBG1(DBG_CFG, "configuration uses unsupported authentication"); return FAILED; } this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg, - FALSE); + FALSE); if (!this->lifetime) { /* fall back to rekey time of no rekey time configured */ this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg, @@ -552,7 +229,7 @@ METHOD(task_t, build_i, status_t, this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg); proposals = this->ike_cfg->get_proposals(this->ike_cfg); sa_payload = sa_payload_create_from_proposals_v1(proposals, - this->lifetime, 0, this->auth_method, MODE_NONE, FALSE); + this->lifetime, 0, this->method, MODE_NONE, FALSE); proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -565,9 +242,8 @@ METHOD(task_t, build_i, status_t, return FAILED; } packet->destroy(packet); - if (!save_sa_payload(this, message)) + if (!this->ph1->save_sa_payload(this->ph1, message)) { - DBG1(DBG_IKE, "SA payload invalid"); return FAILED; } @@ -578,7 +254,7 @@ METHOD(task_t, build_i, status_t, { u_int16_t group; - if (!this->keymat->create_hasher(this->keymat, this->proposal)) + if (!this->ph1->create_hasher(this->ph1, this->proposal)) { return send_notify(this, NO_PROPOSAL_CHOSEN); } @@ -588,14 +264,12 @@ METHOD(task_t, build_i, status_t, DBG1(DBG_IKE, "DH group selection failed"); return send_notify(this, NO_PROPOSAL_CHOSEN); } - this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, - group); - if (!this->dh) + if (!this->ph1->create_dh(this->ph1, group)) { DBG1(DBG_IKE, "negotiated DH group not supported"); return send_notify(this, INVALID_KEY_INFORMATION); } - if (!add_nonce_ke(this, &this->nonce_i, message)) + if (!this->ph1->add_nonce_ke(this->ph1, message)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -604,31 +278,24 @@ METHOD(task_t, build_i, status_t, } case MM_KE: { - authenticator_t *authenticator; id_payload_t *id_payload; identification_t *id; - id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); + id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); if (!id) { DBG1(DBG_CFG, "own identity not known"); return send_notify(this, INVALID_ID_INFORMATION); } - this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_V1, id); message->add_payload(message, &id_payload->payload_interface); - authenticator = create_authenticator(this, id_payload); - if (!authenticator || authenticator->build(authenticator, - message) != SUCCESS) + if (!this->ph1->build_auth(this->ph1, this->method, message, + id_payload->get_encoded(id_payload))) { - DESTROY_IF(authenticator); return send_notify(this, AUTHENTICATION_FAILED); } - authenticator->destroy(authenticator); - save_auth_cfg(this, TRUE); this->state = MM_AUTH; return NEED_MORE; @@ -649,7 +316,7 @@ METHOD(task_t, process_r, status_t, sa_payload_t *sa_payload; this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); - DBG0(DBG_IKE, "%H is initiating a Main Mode", + DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); @@ -659,9 +326,13 @@ METHOD(task_t, process_r, status_t, sa_payload = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION_V1); - if (!sa_payload || !save_sa_payload(this, message)) + if (!sa_payload) + { + DBG1(DBG_IKE, "SA payload missing"); + return send_notify(this, INVALID_PAYLOAD_TYPE); + } + if (!this->ph1->save_sa_payload(this->ph1, message)) { - DBG1(DBG_IKE, "SA payload missing or invalid"); return send_notify(this, INVALID_PAYLOAD_TYPE); } @@ -675,7 +346,7 @@ METHOD(task_t, process_r, status_t, return send_notify(this, NO_PROPOSAL_CHOSEN); } - this->auth_method = sa_payload->get_auth_method(sa_payload); + this->method = sa_payload->get_auth_method(sa_payload); this->lifetime = sa_payload->get_lifetime(sa_payload); this->state = MM_SA; @@ -685,7 +356,7 @@ METHOD(task_t, process_r, status_t, { u_int16_t group; - if (!this->keymat->create_hasher(this->keymat, this->proposal)) + if (!this->ph1->create_hasher(this->ph1, this->proposal)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -695,13 +366,12 @@ METHOD(task_t, process_r, status_t, DBG1(DBG_IKE, "DH group selection failed"); return send_notify(this, INVALID_KEY_INFORMATION); } - this->dh = lib->crypto->create_dh(lib->crypto, group); - if (!this->dh) + if (!this->ph1->create_dh(this->ph1, group)) { DBG1(DBG_IKE, "negotiated DH group not supported"); return send_notify(this, INVALID_KEY_INFORMATION); } - if (!get_nonce_ke(this, &this->nonce_i, message)) + if (!this->ph1->get_nonce_ke(this->ph1, message)) { return send_notify(this, INVALID_PAYLOAD_TYPE); } @@ -710,7 +380,6 @@ METHOD(task_t, process_r, status_t, } case MM_KE: { - authenticator_t *authenticator; id_payload_t *id_payload; identification_t *id; @@ -723,7 +392,8 @@ METHOD(task_t, process_r, status_t, id = id_payload->get_identification(id_payload); this->ike_sa->set_other_id(this->ike_sa, id); - this->peer_cfg = select_config(this, id); + this->peer_cfg = this->ph1->select_config(this->ph1, + this->method, id); if (!this->peer_cfg) { DBG1(DBG_IKE, "no peer config found"); @@ -731,28 +401,11 @@ METHOD(task_t, process_r, status_t, } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); - this->my_auth = get_auth_cfg(this->peer_cfg, TRUE); - this->other_auth = get_auth_cfg(this->peer_cfg, FALSE); - if (!this->my_auth || !this->other_auth) - { - DBG1(DBG_IKE, "auth config missing"); - return send_notify(this, AUTHENTICATION_FAILED); - } - - authenticator = create_authenticator(this, id_payload); - if (!authenticator || authenticator->process(authenticator, - message) != SUCCESS) - { - DESTROY_IF(authenticator); - return send_notify(this, AUTHENTICATION_FAILED); - } - authenticator->destroy(authenticator); - if (!check_constraints(this)) + if (!this->ph1->verify_auth(this->ph1, this->method, message, + id_payload->get_encoded(id_payload))) { return send_notify(this, AUTHENTICATION_FAILED); } - save_auth_cfg(this, FALSE); - this->state = MM_AUTH; if (has_notify_errors(this, message)) { @@ -765,143 +418,6 @@ METHOD(task_t, process_r, status_t, } } -/** - * Lookup a shared secret for this IKE_SA - */ -static shared_key_t *lookup_shared_key(private_main_mode_t *this) -{ - host_t *me, *other; - identification_t *my_id, *other_id; - shared_key_t *shared_key = NULL; - - /* try to get a PSK for IP addresses */ - me = this->ike_sa->get_my_host(this->ike_sa); - other = this->ike_sa->get_other_host(this->ike_sa); - my_id = identification_create_from_sockaddr(me->get_sockaddr(me)); - other_id = identification_create_from_sockaddr(other->get_sockaddr(other)); - if (my_id && other_id) - { - shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); - } - DESTROY_IF(my_id); - DESTROY_IF(other_id); - if (shared_key) - { - return shared_key; - } - - if (this->my_auth && this->other_auth) - { /* as initiator, use identities from configuraiton */ - my_id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); - other_id = this->other_auth->get(this->other_auth, AUTH_RULE_IDENTITY); - if (my_id && other_id) - { - shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); - if (!shared_key) - { - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); - } - } - } - else - { /* as responder, we try to find a config by IP */ - enumerator_t *enumerator; - auth_cfg_t *my_auth, *other_auth; - peer_cfg_t *peer_cfg = NULL; - - enumerator = charon->backends->create_peer_cfg_enumerator( - charon->backends, me, other, NULL, NULL, IKEV1); - while (enumerator->enumerate(enumerator, &peer_cfg)) - { - my_auth = get_auth_cfg(peer_cfg, TRUE); - other_auth = get_auth_cfg(peer_cfg, FALSE); - if (my_auth && other_auth) - { - my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY); - other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); - if (my_id && other_id) - { - shared_key = lib->credmgr->get_shared(lib->credmgr, - SHARED_IKE, my_id, other_id); - if (shared_key) - { - break; - } - else - { - DBG1(DBG_IKE, "no shared key found for " - "'%Y'[%H] - '%Y'[%H]", my_id, me, other_id, other); - } - } - } - } - enumerator->destroy(enumerator); - if (!peer_cfg) - { - DBG1(DBG_IKE, "no shared key found for %H - %H", me, other); - } - } - return shared_key; -} - -/** - * Derive key material for this IKE_SA - */ -static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i, - chunk_t nonce_r) -{ - ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa); - shared_key_t *shared_key = NULL; - - switch (this->auth_method) - { - case AUTH_PSK: - case AUTH_XAUTH_INIT_PSK: - case AUTH_XAUTH_RESP_PSK: - shared_key = lookup_shared_key(this); - if (!shared_key) - { - return FALSE; - } - break; - default: - break; - } - if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh, - this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key)) - { - DESTROY_IF(shared_key); - DBG1(DBG_IKE, "key derivation for %N failed", - auth_method_names, this->auth_method); - return FALSE; - } - DESTROY_IF(shared_key); - charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r, - NULL); - - return TRUE; -} - -/** - * Set IKE_SA to established state - */ -static void establish(private_main_mode_t *this) -{ - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", - this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_unique_id(this->ike_sa), - this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa)); - - this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); -} - METHOD(task_t, build_r, status_t, private_main_mode_t *this, message_t *message) { @@ -912,18 +428,19 @@ METHOD(task_t, build_r, status_t, sa_payload_t *sa_payload; sa_payload = sa_payload_create_from_proposal_v1(this->proposal, - this->lifetime, 0, this->auth_method, MODE_NONE, FALSE); + this->lifetime, 0, this->method, MODE_NONE, FALSE); message->add_payload(message, &sa_payload->payload_interface); return NEED_MORE; } case MM_KE: { - if (!add_nonce_ke(this, &this->nonce_r, message)) + if (!this->ph1->add_nonce_ke(this->ph1, message)) { return send_notify(this, INVALID_KEY_INFORMATION); } - if (!derive_keys(this, this->nonce_i, this->nonce_r)) + if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method, + this->proposal)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -931,11 +448,10 @@ METHOD(task_t, build_r, status_t, } case MM_AUTH: { - authenticator_t *authenticator; id_payload_t *id_payload; identification_t *id; - id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY); + id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); if (!id) { DBG1(DBG_CFG, "own identity not known"); @@ -946,17 +462,12 @@ METHOD(task_t, build_r, status_t, id_payload = id_payload_create_from_identification(ID_V1, id); message->add_payload(message, &id_payload->payload_interface); - authenticator = create_authenticator(this, id_payload); - if (!authenticator || authenticator->build(authenticator, - message) != SUCCESS) + if (!this->ph1->build_auth(this->ph1, this->method, message, + id_payload->get_encoded(id_payload))) { - DESTROY_IF(authenticator); return send_notify(this, AUTHENTICATION_FAILED); } - authenticator->destroy(authenticator); - save_auth_cfg(this, TRUE); - - switch (this->auth_method) + switch (this->method) { case AUTH_XAUTH_INIT_PSK: case AUTH_XAUTH_INIT_RSA: @@ -991,7 +502,7 @@ METHOD(task_t, process_i, status_t, { linked_list_t *list; sa_payload_t *sa_payload; - auth_method_t auth_method; + auth_method_t method; u_int32_t lifetime; sa_payload = (sa_payload_t*)message->get_payload(message, @@ -1018,22 +529,23 @@ METHOD(task_t, process_i, status_t, "lifetime %us", lifetime, this->lifetime); } this->lifetime = lifetime; - auth_method = sa_payload->get_auth_method(sa_payload); - if (auth_method != this->auth_method) + method = sa_payload->get_auth_method(sa_payload); + if (method != this->method) { DBG1(DBG_IKE, "received %N authentication, but configured %N, " - "continue with configured", auth_method_names, auth_method, - auth_method_names, this->auth_method); + "continue with configured", auth_method_names, method, + auth_method_names, this->method); } return NEED_MORE; } case MM_KE: { - if (!get_nonce_ke(this, &this->nonce_r, message)) + if (!this->ph1->get_nonce_ke(this->ph1, message)) { return send_notify(this, INVALID_PAYLOAD_TYPE); } - if (!derive_keys(this, this->nonce_i, this->nonce_r)) + if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, + this->method, this->proposal)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -1041,9 +553,8 @@ METHOD(task_t, process_i, status_t, } case MM_AUTH: { - authenticator_t *authenticator; id_payload_t *id_payload; - identification_t *id; + identification_t *id, *cid; id_payload = (id_payload_t*)message->get_payload(message, ID_V1); if (!id_payload) @@ -1052,28 +563,20 @@ METHOD(task_t, process_i, status_t, return send_delete(this); } id = id_payload->get_identification(id_payload); - if (!id->matches(id, this->other_auth->get(this->other_auth, - AUTH_RULE_IDENTITY))) + cid = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); + if (cid && !id->matches(id, cid)) { - DBG1(DBG_IKE, "IDir does not match"); + DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid); id->destroy(id); return send_delete(this); } this->ike_sa->set_other_id(this->ike_sa, id); - authenticator = create_authenticator(this, id_payload); - if (!authenticator || authenticator->process(authenticator, - message) != SUCCESS) - { - DESTROY_IF(authenticator); - return send_delete(this); - } - authenticator->destroy(authenticator); - if (!check_constraints(this)) + if (!this->ph1->verify_auth(this->ph1, this->method, message, + id_payload->get_encoded(id_payload))) { return send_delete(this); } - save_auth_cfg(this, FALSE); if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) { @@ -1081,7 +584,7 @@ METHOD(task_t, process_i, status_t, (task_t*)mode_config_create(this->ike_sa, TRUE)); } - switch (this->auth_method) + switch (this->method) { case AUTH_XAUTH_INIT_PSK: case AUTH_XAUTH_INIT_RSA: @@ -1114,18 +617,13 @@ METHOD(task_t, migrate, void, { DESTROY_IF(this->peer_cfg); DESTROY_IF(this->proposal); - DESTROY_IF(this->dh); - chunk_free(&this->dh_value); - chunk_free(&this->nonce_i); - chunk_free(&this->nonce_r); - chunk_free(&this->sa_payload); + this->ph1->destroy(this->ph1); this->ike_sa = ike_sa; - this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa); this->state = MM_INIT; this->peer_cfg = NULL; this->proposal = NULL; - this->dh = NULL; + this->ph1 = phase1_create(ike_sa, this->initiator); } METHOD(task_t, destroy, void, @@ -1133,11 +631,7 @@ METHOD(task_t, destroy, void, { DESTROY_IF(this->peer_cfg); DESTROY_IF(this->proposal); - DESTROY_IF(this->dh); - free(this->dh_value.ptr); - free(this->nonce_i.ptr); - free(this->nonce_r.ptr); - free(this->sa_payload.ptr); + this->ph1->destroy(this->ph1); free(this); } @@ -1157,7 +651,7 @@ main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator) }, }, .ike_sa = ike_sa, - .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa), + .ph1 = phase1_create(ike_sa, initiator), .initiator = initiator, .state = MM_INIT, ); -- cgit v1.2.3 From 91c212fd6a69b3ecc721b091880b7c01ba9779b7 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 9 Jan 2012 16:33:15 +0000 Subject: Select IKEv1 configurations by main/aggressive mode option --- src/libcharon/sa/ikev1/tasks/main_mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index a3b567870..52c2258e5 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -393,7 +393,7 @@ METHOD(task_t, process_r, status_t, id = id_payload->get_identification(id_payload); this->ike_sa->set_other_id(this->ike_sa, id); this->peer_cfg = this->ph1->select_config(this->ph1, - this->method, id); + this->method, FALSE, id); if (!this->peer_cfg) { DBG1(DBG_IKE, "no peer config found"); -- cgit v1.2.3 From 37c12bd31e1429105ba592593cc9410ffd7f6d57 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 10 Jan 2012 11:23:04 +0100 Subject: Streamlined debug output when initiating IKEv1 IKE_SAs --- src/libcharon/sa/ikev1/tasks/main_mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 52c2258e5..ba1a9ad1d 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -203,7 +203,7 @@ METHOD(task_t, build_i, status_t, linked_list_t *proposals; packet_t *packet; - DBG0(DBG_IKE, "initiating main mode IKE_SA %s[%d] to %H", + DBG0(DBG_IKE, "initiating Main Mode IKE_SA %s[%d] to %H", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa)); -- cgit v1.2.3 From 3e6b740336e8df61b1a94a1b21f142731f0fd912 Mon Sep 17 00:00:00 2001 From: Clavister OpenSource Date: Tue, 10 Jan 2012 14:37:39 +0100 Subject: Isakmp_dpd task added. --- src/libcharon/sa/ikev1/tasks/main_mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 src/libcharon/sa/ikev1/tasks/main_mode.c (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c old mode 100644 new mode 100755 index ba1a9ad1d..f1e3290a7 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -176,7 +176,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type) notify->set_spi_data(notify, spi); this->ike_sa->queue_task(this->ike_sa, - (task_t*)informational_create(this->ike_sa, notify)); + (task_t*)informational_create(this->ike_sa, notify, 0)); /* cancel all active/passive tasks in favour of informational */ return ALREADY_DONE; } -- cgit v1.2.3 From 2ddd45c9a76a77d673cca5ce0bd2ea0bb7ee859a Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 10 Jan 2012 17:21:52 +0100 Subject: Simplified DPD handling by using a task for a single message only --- src/libcharon/sa/ikev1/tasks/main_mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index f1e3290a7..ba1a9ad1d 100755 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -176,7 +176,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type) notify->set_spi_data(notify, spi); this->ike_sa->queue_task(this->ike_sa, - (task_t*)informational_create(this->ike_sa, notify, 0)); + (task_t*)informational_create(this->ike_sa, notify)); /* cancel all active/passive tasks in favour of informational */ return ALREADY_DONE; } -- cgit v1.2.3 From f420f51f55f3641553411b74f4925bd9f64116b5 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 18 Jan 2012 13:12:07 +0100 Subject: Invoke authorization hooks for IKEv1 connections --- src/libcharon/sa/ikev1/tasks/main_mode.c | 47 +++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 10 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index ba1a9ad1d..c1a61cede 100755 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -95,8 +95,14 @@ struct private_main_mode_t { /** * Set IKE_SA to established state */ -static void establish(private_main_mode_t *this) +static bool establish(private_main_mode_t *this) { + if (!charon->bus->authorize(charon->bus, TRUE)) + { + DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling"); + return FALSE; + } + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), @@ -107,6 +113,8 @@ static void establish(private_main_mode_t *this) this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); + + return TRUE; } /** @@ -406,6 +414,13 @@ METHOD(task_t, process_r, status_t, { return send_notify(this, AUTHENTICATION_FAILED); } + if (!charon->bus->authorize(charon->bus, FALSE)) + { + DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " + "cancelling"); + return send_notify(this, AUTHENTICATION_FAILED); + } + this->state = MM_AUTH; if (has_notify_errors(this, message)) { @@ -467,6 +482,7 @@ METHOD(task_t, build_r, status_t, { return send_notify(this, AUTHENTICATION_FAILED); } + switch (this->method) { case AUTH_XAUTH_INIT_PSK: @@ -481,7 +497,10 @@ METHOD(task_t, build_r, status_t, /* TODO-IKEv1: not yet supported */ return FAILED; default: - establish(this); + if (!establish(this)) + { + return send_notify(this, AUTHENTICATION_FAILED); + } lib->processor->queue_job(lib->processor, (job_t*) adopt_children_job_create( this->ike_sa->get_id(this->ike_sa))); @@ -577,29 +596,37 @@ METHOD(task_t, process_i, status_t, { return send_delete(this); } - - if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) + if (!charon->bus->authorize(charon->bus, FALSE)) { - this->ike_sa->queue_task(this->ike_sa, - (task_t*)mode_config_create(this->ike_sa, TRUE)); + DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " + "cancelling"); + return send_delete(this); } - switch (this->method) { case AUTH_XAUTH_INIT_PSK: case AUTH_XAUTH_INIT_RSA: case AUTH_HYBRID_INIT_RSA: /* wait for XAUTH request */ - return SUCCESS; + break; case AUTH_XAUTH_RESP_PSK: case AUTH_XAUTH_RESP_RSA: case AUTH_HYBRID_RESP_RSA: /* TODO-IKEv1: not yet */ return FAILED; default: - establish(this); - return SUCCESS; + if (!establish(this)) + { + return send_delete(this); + } + break; + } + if (this->peer_cfg->get_virtual_ip(this->peer_cfg)) + { + this->ike_sa->queue_task(this->ike_sa, + (task_t*)mode_config_create(this->ike_sa, TRUE)); } + return SUCCESS; } default: return FAILED; -- cgit v1.2.3 From 3624b09e21b0deab788db0dfea63e2c324d5284c Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 18 Jan 2012 17:42:06 +0100 Subject: Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper --- src/libcharon/sa/ikev1/tasks/main_mode.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/libcharon/sa/ikev1/tasks/main_mode.c') diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index c1a61cede..a7be22916 100755 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -262,7 +262,7 @@ METHOD(task_t, build_i, status_t, { u_int16_t group; - if (!this->ph1->create_hasher(this->ph1, this->proposal)) + if (!this->ph1->create_hasher(this->ph1)) { return send_notify(this, NO_PROPOSAL_CHOSEN); } @@ -353,6 +353,7 @@ METHOD(task_t, process_r, status_t, DBG1(DBG_IKE, "no proposal found"); return send_notify(this, NO_PROPOSAL_CHOSEN); } + this->ike_sa->set_proposal(this->ike_sa, this->proposal); this->method = sa_payload->get_auth_method(sa_payload); this->lifetime = sa_payload->get_lifetime(sa_payload); @@ -364,7 +365,7 @@ METHOD(task_t, process_r, status_t, { u_int16_t group; - if (!this->ph1->create_hasher(this->ph1, this->proposal)) + if (!this->ph1->create_hasher(this->ph1)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -454,8 +455,7 @@ METHOD(task_t, build_r, status_t, { return send_notify(this, INVALID_KEY_INFORMATION); } - if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method, - this->proposal)) + if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method)) { return send_notify(this, INVALID_KEY_INFORMATION); } @@ -540,6 +540,7 @@ METHOD(task_t, process_i, status_t, DBG1(DBG_IKE, "no proposal found"); return send_notify(this, NO_PROPOSAL_CHOSEN); } + this->ike_sa->set_proposal(this->ike_sa, this->proposal); lifetime = sa_payload->get_lifetime(sa_payload); if (lifetime != this->lifetime) @@ -563,8 +564,7 @@ METHOD(task_t, process_i, status_t, { return send_notify(this, INVALID_PAYLOAD_TYPE); } - if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, - this->method, this->proposal)) + if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method)) { return send_notify(this, INVALID_KEY_INFORMATION); } -- cgit v1.2.3