Annotation of embedaddon/strongswan/src/conftest/hooks/rebuild_auth.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2010 Martin Willi
! 3: * Copyright (C) 2010 revosec AG
! 4: *
! 5: * This program is free software; you can redistribute it and/or modify it
! 6: * under the terms of the GNU General Public License as published by the
! 7: * Free Software Foundation; either version 2 of the License, or (at your
! 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 9: *
! 10: * This program is distributed in the hope that it will be useful, but
! 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 13: * for more details.
! 14: */
! 15:
! 16: #include "hook.h"
! 17:
! 18: #include <sa/ikev2/keymat_v2.h>
! 19: #include <encoding/generator.h>
! 20: #include <encoding/payloads/nonce_payload.h>
! 21: #include <encoding/payloads/auth_payload.h>
! 22: #include <encoding/payloads/id_payload.h>
! 23:
! 24: typedef struct private_rebuild_auth_t private_rebuild_auth_t;
! 25:
! 26: /**
! 27: * Private data of an rebuild_auth_t object.
! 28: */
! 29: struct private_rebuild_auth_t {
! 30:
! 31: /**
! 32: * Implements the hook_t interface.
! 33: */
! 34: hook_t hook;
! 35:
! 36: /**
! 37: * Our IKE_SA_INIT data, required to rebuild AUTH
! 38: */
! 39: chunk_t ike_init;
! 40:
! 41: /**
! 42: * Received NONCE, required to rebuild AUTH
! 43: */
! 44: chunk_t nonce;
! 45:
! 46: /**
! 47: * ID to use for key lookup, if not from IDi
! 48: */
! 49: identification_t *id;
! 50: };
! 51:
! 52: /**
! 53: * Rebuild our AUTH data
! 54: */
! 55: static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
! 56: message_t *message)
! 57: {
! 58: enumerator_t *enumerator;
! 59: chunk_t octets, auth_data;
! 60: private_key_t *private;
! 61: payload_t *payload;
! 62: auth_payload_t *auth_payload;
! 63: auth_method_t auth_method;
! 64: signature_scheme_t scheme;
! 65: keymat_v2_t *keymat;
! 66: identification_t *id;
! 67: char reserved[3];
! 68: generator_t *generator;
! 69: chunk_t data;
! 70: uint32_t *lenpos;
! 71:
! 72: payload = message->get_payload(message,
! 73: message->get_request(message) ? PLV2_ID_INITIATOR : PLV2_ID_RESPONDER);
! 74: if (!payload)
! 75: {
! 76: DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
! 77: return FALSE;
! 78: }
! 79:
! 80: generator = generator_create();
! 81: generator->generate_payload(generator, payload);
! 82: data = generator->get_chunk(generator, &lenpos);
! 83: if (data.len < 8)
! 84: {
! 85: DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH");
! 86: generator->destroy(generator);
! 87: return FALSE;
! 88: }
! 89: memcpy(reserved, data.ptr + 5, 3);
! 90: id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
! 91: generator->destroy(generator);
! 92:
! 93: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
! 94: this->id ?: id, NULL);
! 95: if (private == NULL)
! 96: {
! 97: DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
! 98: this->id ?: id);
! 99: id->destroy(id);
! 100: return FALSE;
! 101: }
! 102:
! 103: switch (private->get_type(private))
! 104: {
! 105: case KEY_RSA:
! 106: scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
! 107: auth_method = AUTH_RSA;
! 108: break;
! 109: case KEY_ECDSA:
! 110: /* we try to deduct the signature scheme from the keysize */
! 111: switch (private->get_keysize(private))
! 112: {
! 113: case 256:
! 114: scheme = SIGN_ECDSA_256;
! 115: auth_method = AUTH_ECDSA_256;
! 116: break;
! 117: case 384:
! 118: scheme = SIGN_ECDSA_384;
! 119: auth_method = AUTH_ECDSA_384;
! 120: break;
! 121: case 521:
! 122: scheme = SIGN_ECDSA_521;
! 123: auth_method = AUTH_ECDSA_521;
! 124: break;
! 125: default:
! 126: DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
! 127: private->get_keysize(private));
! 128: id->destroy(id);
! 129: return FALSE;
! 130: }
! 131: break;
! 132: default:
! 133: DBG1(DBG_CFG, "private key of type %N not supported",
! 134: key_type_names, private->get_type(private));
! 135: id->destroy(id);
! 136: return FALSE;
! 137: }
! 138: keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
! 139: if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init, this->nonce,
! 140: chunk_empty, id, reserved, &octets, NULL))
! 141: {
! 142: private->destroy(private);
! 143: id->destroy(id);
! 144: return FALSE;
! 145: }
! 146: if (!private->sign(private, scheme, NULL, octets, &auth_data))
! 147: {
! 148: chunk_free(&octets);
! 149: private->destroy(private);
! 150: id->destroy(id);
! 151: return FALSE;
! 152: }
! 153: auth_payload = auth_payload_create();
! 154: auth_payload->set_auth_method(auth_payload, auth_method);
! 155: auth_payload->set_data(auth_payload, auth_data);
! 156: chunk_free(&auth_data);
! 157: chunk_free(&octets);
! 158: private->destroy(private);
! 159:
! 160: enumerator = message->create_payload_enumerator(message);
! 161: while (enumerator->enumerate(enumerator, &payload))
! 162: {
! 163: if (payload->get_type(payload) == PLV2_AUTH)
! 164: {
! 165: message->remove_payload_at(message, enumerator);
! 166: payload->destroy(payload);
! 167: }
! 168: }
! 169: enumerator->destroy(enumerator);
! 170:
! 171: message->add_payload(message, (payload_t*)auth_payload);
! 172: DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N",
! 173: id, auth_method_names, auth_method);
! 174: id->destroy(id);
! 175: return TRUE;
! 176: }
! 177:
! 178: METHOD(listener_t, message, bool,
! 179: private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
! 180: bool incoming, bool plain)
! 181: {
! 182: if (plain)
! 183: {
! 184: if (!incoming && message->get_message_id(message) == 1)
! 185: {
! 186: rebuild_auth(this, ike_sa, message);
! 187: }
! 188: if (message->get_exchange_type(message) == IKE_SA_INIT)
! 189: {
! 190: if (incoming)
! 191: {
! 192: nonce_payload_t *nonce;
! 193:
! 194: nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
! 195: if (nonce)
! 196: {
! 197: free(this->nonce.ptr);
! 198: this->nonce = nonce->get_nonce(nonce);
! 199: }
! 200: }
! 201: else
! 202: {
! 203: packet_t *packet;
! 204:
! 205: if (message->generate(message, NULL, &packet) == SUCCESS)
! 206: {
! 207: free(this->ike_init.ptr);
! 208: this->ike_init = chunk_clone(packet->get_data(packet));
! 209: packet->destroy(packet);
! 210: }
! 211: }
! 212: }
! 213: }
! 214: return TRUE;
! 215: }
! 216:
! 217: METHOD(hook_t, destroy, void,
! 218: private_rebuild_auth_t *this)
! 219: {
! 220: free(this->ike_init.ptr);
! 221: free(this->nonce.ptr);
! 222: DESTROY_IF(this->id);
! 223: free(this);
! 224: }
! 225:
! 226: /**
! 227: * Create the IKE_AUTH fill hook
! 228: */
! 229: hook_t *rebuild_auth_hook_create(char *name)
! 230: {
! 231: private_rebuild_auth_t *this;
! 232: char *id;
! 233:
! 234: INIT(this,
! 235: .hook = {
! 236: .listener = {
! 237: .message = _message,
! 238: },
! 239: .destroy = _destroy,
! 240: },
! 241: );
! 242: id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name);
! 243: if (id)
! 244: {
! 245: this->id = identification_create_from_string(id);
! 246: }
! 247:
! 248: return &this->hook;
! 249: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to rebuild_auth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / conftest / hooks