![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to rebuild_auth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / conftest / hooks|
Return to rebuild_auth.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / conftest / hooks |
1.1 misho 1: /*
2: * Copyright (C) 2010 Martin Willi
3: * Copyright (C) 2010 revosec AG
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: #include "hook.h"
17:
18: #include <sa/ikev2/keymat_v2.h>
19: #include <encoding/generator.h>
20: #include <encoding/payloads/nonce_payload.h>
21: #include <encoding/payloads/auth_payload.h>
22: #include <encoding/payloads/id_payload.h>
23:
24: typedef struct private_rebuild_auth_t private_rebuild_auth_t;
25:
26: /**
27: * Private data of an rebuild_auth_t object.
28: */
29: struct private_rebuild_auth_t {
30:
31: /**
32: * Implements the hook_t interface.
33: */
34: hook_t hook;
35:
36: /**
37: * Our IKE_SA_INIT data, required to rebuild AUTH
38: */
39: chunk_t ike_init;
40:
41: /**
42: * Received NONCE, required to rebuild AUTH
43: */
44: chunk_t nonce;
45:
46: /**
47: * ID to use for key lookup, if not from IDi
48: */
49: identification_t *id;
50: };
51:
52: /**
53: * Rebuild our AUTH data
54: */
55: static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
56: message_t *message)
57: {
58: enumerator_t *enumerator;
59: chunk_t octets, auth_data;
60: private_key_t *private;
61: payload_t *payload;
62: auth_payload_t *auth_payload;
63: auth_method_t auth_method;
64: signature_scheme_t scheme;
65: keymat_v2_t *keymat;
66: identification_t *id;
67: char reserved[3];
68: generator_t *generator;
69: chunk_t data;
70: uint32_t *lenpos;
71:
72: payload = message->get_payload(message,
73: message->get_request(message) ? PLV2_ID_INITIATOR : PLV2_ID_RESPONDER);
74: if (!payload)
75: {
76: DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
77: return FALSE;
78: }
79:
80: generator = generator_create();
81: generator->generate_payload(generator, payload);
82: data = generator->get_chunk(generator, &lenpos);
83: if (data.len < 8)
84: {
85: DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH");
86: generator->destroy(generator);
87: return FALSE;
88: }
89: memcpy(reserved, data.ptr + 5, 3);
90: id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
91: generator->destroy(generator);
92:
93: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
94: this->id ?: id, NULL);
95: if (private == NULL)
96: {
97: DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
98: this->id ?: id);
99: id->destroy(id);
100: return FALSE;
101: }
102:
103: switch (private->get_type(private))
104: {
105: case KEY_RSA:
106: scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
107: auth_method = AUTH_RSA;
108: break;
109: case KEY_ECDSA:
110: /* we try to deduct the signature scheme from the keysize */
111: switch (private->get_keysize(private))
112: {
113: case 256:
114: scheme = SIGN_ECDSA_256;
115: auth_method = AUTH_ECDSA_256;
116: break;
117: case 384:
118: scheme = SIGN_ECDSA_384;
119: auth_method = AUTH_ECDSA_384;
120: break;
121: case 521:
122: scheme = SIGN_ECDSA_521;
123: auth_method = AUTH_ECDSA_521;
124: break;
125: default:
126: DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
127: private->get_keysize(private));
128: id->destroy(id);
129: return FALSE;
130: }
131: break;
132: default:
133: DBG1(DBG_CFG, "private key of type %N not supported",
134: key_type_names, private->get_type(private));
135: id->destroy(id);
136: return FALSE;
137: }
138: keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
139: if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init, this->nonce,
140: chunk_empty, id, reserved, &octets, NULL))
141: {
142: private->destroy(private);
143: id->destroy(id);
144: return FALSE;
145: }
146: if (!private->sign(private, scheme, NULL, octets, &auth_data))
147: {
148: chunk_free(&octets);
149: private->destroy(private);
150: id->destroy(id);
151: return FALSE;
152: }
153: auth_payload = auth_payload_create();
154: auth_payload->set_auth_method(auth_payload, auth_method);
155: auth_payload->set_data(auth_payload, auth_data);
156: chunk_free(&auth_data);
157: chunk_free(&octets);
158: private->destroy(private);
159:
160: enumerator = message->create_payload_enumerator(message);
161: while (enumerator->enumerate(enumerator, &payload))
162: {
163: if (payload->get_type(payload) == PLV2_AUTH)
164: {
165: message->remove_payload_at(message, enumerator);
166: payload->destroy(payload);
167: }
168: }
169: enumerator->destroy(enumerator);
170:
171: message->add_payload(message, (payload_t*)auth_payload);
172: DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N",
173: id, auth_method_names, auth_method);
174: id->destroy(id);
175: return TRUE;
176: }
177:
178: METHOD(listener_t, message, bool,
179: private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
180: bool incoming, bool plain)
181: {
182: if (plain)
183: {
184: if (!incoming && message->get_message_id(message) == 1)
185: {
186: rebuild_auth(this, ike_sa, message);
187: }
188: if (message->get_exchange_type(message) == IKE_SA_INIT)
189: {
190: if (incoming)
191: {
192: nonce_payload_t *nonce;
193:
194: nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
195: if (nonce)
196: {
197: free(this->nonce.ptr);
198: this->nonce = nonce->get_nonce(nonce);
199: }
200: }
201: else
202: {
203: packet_t *packet;
204:
205: if (message->generate(message, NULL, &packet) == SUCCESS)
206: {
207: free(this->ike_init.ptr);
208: this->ike_init = chunk_clone(packet->get_data(packet));
209: packet->destroy(packet);
210: }
211: }
212: }
213: }
214: return TRUE;
215: }
216:
217: METHOD(hook_t, destroy, void,
218: private_rebuild_auth_t *this)
219: {
220: free(this->ike_init.ptr);
221: free(this->nonce.ptr);
222: DESTROY_IF(this->id);
223: free(this);
224: }
225:
226: /**
227: * Create the IKE_AUTH fill hook
228: */
229: hook_t *rebuild_auth_hook_create(char *name)
230: {
231: private_rebuild_auth_t *this;
232: char *id;
233:
234: INIT(this,
235: .hook = {
236: .listener = {
237: .message = _message,
238: },
239: .destroy = _destroy,
240: },
241: );
242: id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name);
243: if (id)
244: {
245: this->id = identification_create_from_string(id);
246: }
247:
248: return &this->hook;
249: }