summaryrefslogtreecommitdiff
path: root/src/charon/sa/authenticators
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 11:35:38 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 11:35:38 +0000
commit7c52c3f35cdbdff58443b994f2f33d13b4d81f57 (patch)
treee54a27979ea72ec41702bec2984c2eadac3b8862 /src/charon/sa/authenticators
parent4ef45ba0404dac3773e83af995a5ec584b23d633 (diff)
downloadvyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.tar.gz
vyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.zip
Updated to new upstream version.
Diffstat (limited to 'src/charon/sa/authenticators')
-rw-r--r--src/charon/sa/authenticators/authenticator.c49
-rw-r--r--src/charon/sa/authenticators/authenticator.h89
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.c22
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.h2
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.c35
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.h11
-rw-r--r--src/charon/sa/authenticators/eap/sim_manager.c2
-rw-r--r--src/charon/sa/authenticators/eap/sim_manager.h4
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.c786
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.h113
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.c147
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.h30
-rw-r--r--src/charon/sa/authenticators/pubkey_authenticator.c229
-rw-r--r--src/charon/sa/authenticators/pubkey_authenticator.h30
14 files changed, 882 insertions, 667 deletions
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index 827c7a69a..ea8a16279 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2006-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: authenticator.c 4276 2008-08-22 10:44:51Z martin $
*/
#include <string.h>
@@ -23,6 +21,7 @@
#include <sa/authenticators/pubkey_authenticator.h>
#include <sa/authenticators/psk_authenticator.h>
#include <sa/authenticators/eap_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
@@ -35,7 +34,8 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
"ECDSA-521 signature");
ENUM_END(auth_method_names, AUTH_ECDSA_521);
-ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+ "any",
"public key",
"pre-shared key",
"EAP",
@@ -44,17 +44,23 @@ ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
/**
* Described in header.
*/
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
- auth_class_t class)
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- switch (class)
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
{
+ case AUTH_CLASS_ANY:
+ /* defaults to PUBKEY */
case AUTH_CLASS_PUBKEY:
- return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+ return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+ received_nonce, sent_init);
case AUTH_CLASS_PSK:
- return (authenticator_t*)psk_authenticator_create(ike_sa);
+ return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+ received_nonce, sent_init);
case AUTH_CLASS_EAP:
- return (authenticator_t*)eap_authenticator_create(ike_sa);
+ return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+ received_nonce, sent_nonce, received_init, sent_init);
default:
return NULL;
}
@@ -63,19 +69,32 @@ authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
/**
* Described in header.
*/
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
- auth_method_t method)
+authenticator_t *authenticator_create_verifier(
+ ike_sa_t *ike_sa, message_t *message,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- switch (method)
+ auth_payload_t *auth_payload;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (auth_payload == NULL)
+ {
+ return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+ received_nonce, sent_nonce, received_init, sent_init);
+ }
+ switch (auth_payload->get_auth_method(auth_payload))
{
case AUTH_RSA:
case AUTH_ECDSA_256:
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
- return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+ return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+ sent_nonce, received_init);
case AUTH_PSK:
- return (authenticator_t*)psk_authenticator_create(ike_sa);
+ return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+ sent_nonce, received_init);
default:
return NULL;
}
}
+
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 345cc7deb..c60881629 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -30,9 +28,8 @@ typedef enum auth_class_t auth_class_t;
typedef struct authenticator_t authenticator_t;
#include <library.h>
+#include <config/auth_cfg.h>
#include <sa/ike_sa.h>
-#include <config/peer_cfg.h>
-#include <encoding/payloads/auth_payload.h>
/**
* Method to use for authentication, as defined in IKEv2.
@@ -84,6 +81,8 @@ extern enum_name_t *auth_method_names;
* certificate finally dictates wich method is used.
*/
enum auth_class_t {
+ /** any class acceptable */
+ AUTH_CLASS_ANY = 0,
/** authentication using public keys (RSA, ECDSA) */
AUTH_CLASS_PUBKEY = 1,
/** authentication using a pre-shared secrets */
@@ -100,66 +99,70 @@ extern enum_name_t *auth_class_names;
/**
* Authenticator interface implemented by the various authenticators.
*
- * Currently the following two AUTH methods are supported:
- * - shared key message integrity code
- * - RSA digital signature
- * - EAP using the EAP framework and one of the EAP plugins
- * - ECDSA is supported using OpenSSL
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
*/
struct authenticator_t {
/**
- * Verify a received authentication payload.
+ * Process an incoming message using the authenticator.
*
- * @param ike_sa_init binary representation of received ike_sa_init
- * @param my_nonce the sent nonce
- * @param auth_payload authentication payload to verify
+ * @param message message containing authentication payloads
* @return
- * - SUCCESS,
- * - FAILED if verification failed
- * - INVALID_ARG if auth_method does not match
- * - NOT_FOUND if credentials not found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
*/
- status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload);
-
+ status_t (*process)(authenticator_t *this, message_t *message);
+
/**
- * Build an authentication payload to send to the other peer.
+ * Attach authentication data to an outgoing message.
*
- * @param ike_sa_init binary representation of sent ike_sa_init
- * @param other_nonce the received nonce
- * @param auth_payload the resulting authentication payload
+ * @param message message to add authentication data to
* @return
- * - SUCCESS,
- * - NOT_FOUND if credentials not found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
*/
- status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload);
-
+ status_t (*build)(authenticator_t *this, message_t *message);
+
/**
- * Destroys a authenticator_t object.
+ * Destroy authenticator instance.
*/
void (*destroy) (authenticator_t *this);
};
/**
- * Creates an authenticator for the specified auth class (as configured).
+ * Create an authenticator to build signatures.
*
- * @param ike_sa associated ike_sa
- * @param class class of authentication to use
- * @return authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param cfg authentication configuration
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
*/
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
- auth_class_t class);
+authenticator_t *authenticator_create_builder(
+ ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
/**
- * Creates an authenticator for method (as received in payload).
+ * Create an authenticator to verify signatures.
*
- * @param ike_sa associated ike_sa
- * @param method method as found in payload
- * @return authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param message message containing authentication data
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
*/
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
- auth_method_t method);
+authenticator_t *authenticator_create_verifier(
+ ike_sa_t *ike_sa, message_t *message,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index c1c2d6fce..b8316036e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "eap_manager.h"
@@ -65,9 +63,9 @@ struct private_eap_manager_t {
linked_list_t *methods;
/**
- * mutex to lock methods
+ * rwlock to lock methods
*/
- mutex_t *mutex;
+ rwlock_t *lock;
};
/**
@@ -84,9 +82,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
entry->role = role;
entry->constructor = constructor;
- this->mutex->lock(this->mutex);
+ this->lock->write_lock(this->lock);
this->methods->insert_last(this->methods, entry);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
}
/**
@@ -97,7 +95,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
enumerator_t *enumerator;
eap_entry_t *entry;
- this->mutex->lock(this->mutex);
+ this->lock->write_lock(this->lock);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -108,7 +106,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
}
/**
@@ -123,7 +121,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
eap_entry_t *entry;
eap_method_t *method = NULL;
- this->mutex->lock(this->mutex);
+ this->lock->read_lock(this->lock);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -138,7 +136,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
return method;
}
@@ -148,7 +146,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
static void destroy(private_eap_manager_t *this)
{
this->methods->destroy_function(this->methods, free);
- this->mutex->destroy(this->mutex);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -165,7 +163,7 @@ eap_manager_t *eap_manager_create()
this->public.destroy = (void(*)(eap_manager_t*))destroy;
this->methods = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
return &this->public;
}
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
index db5535a81..667c54a8e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ b/src/charon/sa/authenticators/eap/eap_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 2e4307eb4..1d1900301 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_method.c 4997 2009-03-24 10:24:58Z martin $
*/
#include "eap_method.h"
@@ -36,6 +34,36 @@ ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
"EAP_EXPERIMENTAL");
ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+ int i;
+ static struct {
+ char *name;
+ eap_type_t type;
+ } types[] = {
+ {"identity", EAP_IDENTITY},
+ {"md5", EAP_MD5},
+ {"otp", EAP_OTP},
+ {"gtc", EAP_GTC},
+ {"sim", EAP_SIM},
+ {"aka", EAP_AKA},
+ {"mschapv2", EAP_MSCHAPV2},
+ {"radius", EAP_RADIUS},
+ };
+
+ for (i = 0; i < countof(types); i++)
+ {
+ if (strcaseeq(name, types[i].name))
+ {
+ return types[i].type;
+ }
+ }
+ return 0;
+}
+
ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
"EAP_REQUEST",
"EAP_RESPONSE",
@@ -48,3 +76,6 @@ ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
"EAP_PEER",
);
+
+
+
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 6f3da1ba7..578b89e96 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_method.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -69,6 +67,14 @@ enum eap_type_t {
extern enum_name_t *eap_type_names;
/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name EAP method name (such as "md5", "aka")
+ * @return method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
+/**
* EAP code, type of an EAP message
*/
enum eap_code_t {
@@ -83,7 +89,6 @@ enum eap_code_t {
*/
extern enum_name_t *eap_code_names;
-
/**
* Interface of an EAP method for server and client side.
*
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
index e6817ca20..51cd4fb3f 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.c
+++ b/src/charon/sa/authenticators/eap/sim_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "sim_manager.h"
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
index 69a2e4df9..3c6d66dfe 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -39,7 +39,7 @@ struct sim_card_t {
* The returned identity owned by the sim_card and not destroyed outside.
* The SIM card may return ID_ANY if it does not support/use an IMSI.
*
- * @return identity of type ID_EAP/ID_ANY
+ * @return identity
*/
identification_t* (*get_imsi)(sim_card_t *this);
@@ -63,7 +63,7 @@ struct sim_provider_t {
/**
* Get a single triplet to authenticate a EAP client.
*
- * @param imsi client identity of type ID_EAP
+ * @param imsi client identity
* @param rand RAND output buffer, fixed size 16 bytes
* @param sres SRES output buffer, fixed size 4 byte
* @param kc KC output buffer, fixed size 8 bytes
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 7b97fe56c..2abdf7a02 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,17 +11,14 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_authenticator.c 5037 2009-03-26 13:58:17Z andreas $
*/
-#include <string.h>
-
#include "eap_authenticator.h"
#include <daemon.h>
-#include <config/peer_cfg.h>
#include <sa/authenticators/eap/eap_method.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
typedef struct private_eap_authenticator_t private_eap_authenticator_t;
@@ -41,9 +38,24 @@ struct private_eap_authenticator_t {
ike_sa_t *ike_sa;
/**
- * Role of this authenticator, PEER or SERVER
+ * others nonce to include in AUTH calculation
+ */
+ chunk_t received_nonce;
+
+ /**
+ * our nonce to include in AUTH calculation
+ */
+ chunk_t sent_nonce;
+
+ /**
+ * others IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t received_init;
+
+ /**
+ * our IKE_SA_INIT message data to include in AUTH calculation
*/
- eap_role_t role;
+ chunk_t sent_init;
/**
* Current EAP method processing
@@ -56,442 +68,514 @@ struct private_eap_authenticator_t {
chunk_t msk;
/**
- * should we do a EAP-Identity exchange as server?
+ * EAP authentication method completed successfully
*/
- bool do_eap_identity;
+ bool eap_complete;
/**
- * saved EAP type if we do eap_identity
+ * authentication payload verified successfully
*/
- eap_type_t type;
+ bool auth_complete;
/**
- * saved vendor id if we do eap_identity
+ * generated EAP payload
*/
- u_int32_t vendor;
+ eap_payload_t *eap_payload;
+
+ /**
+ * EAP identity of peer
+ */
+ identification_t *eap_identity;
};
+
/**
- * Implementation of authenticator_t.verify.
+ * load an EAP method
*/
-static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
+static eap_method_t *load_method(private_eap_authenticator_t *this,
+ eap_type_t type, u_int32_t vendor, eap_role_t role)
{
- chunk_t auth_data, recv_auth_data;
- identification_t *other_id;
- keymat_t *keymat;
-
- other_id = this->ike_sa->get_other_id(this->ike_sa);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
-
- auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
- this->msk, other_id);
+ identification_t *server, *peer;
- recv_auth_data = auth_payload->get_data(auth_payload);
- if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+ if (role == EAP_SERVER)
{
- DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
- chunk_free(&auth_data);
- return FAILED;
+ server = this->ike_sa->get_my_id(this->ike_sa);
+ peer = this->ike_sa->get_other_id(this->ike_sa);
}
- chunk_free(&auth_data);
-
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- other_id, auth_class_names, AUTH_CLASS_EAP);
- return SUCCESS;
-}
-
-/**
- * Implementation of authenticator_t.build.
- */
-static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
-{
- identification_t *my_id;
- chunk_t auth_data;
- keymat_t *keymat;
-
- my_id = this->ike_sa->get_my_id(this->ike_sa);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
-
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
- my_id, auth_class_names, AUTH_CLASS_EAP);
-
- auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
- this->msk, my_id);
-
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
- (*auth_payload)->set_data(*auth_payload, auth_data);
- chunk_free(&auth_data);
-
- return SUCCESS;
+ else
+ {
+ server = this->ike_sa->get_other_id(this->ike_sa);
+ peer = this->ike_sa->get_my_id(this->ike_sa);
+ }
+ if (this->eap_identity)
+ {
+ peer = this->eap_identity;
+ }
+ return charon->eap->create_instance(charon->eap, type, vendor,
+ role, server, peer);
}
/**
- * get the peers identity to use in the EAP method
+ * Initiate EAP conversation as server
*/
-static identification_t *get_peer_id(private_eap_authenticator_t *this)
+static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
+ bool do_identity)
{
+ auth_cfg_t *auth;
+ eap_type_t type;
identification_t *id;
- peer_cfg_t *config;
- auth_info_t *auth;
+ u_int32_t vendor;
+ eap_payload_t *out;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
- id = this->ike_sa->get_eap_identity(this->ike_sa);
- if (!id)
+ /* initiate EAP-Identity exchange if required */
+ if (!this->eap_identity && do_identity)
{
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- auth = config->get_auth(config);
- if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) ||
- id->get_type(id) == ID_ANY)
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (id)
{
- if (this->role == EAP_PEER)
+ this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+ if (this->method)
{
- id = this->ike_sa->get_my_id(this->ike_sa);
- }
- else
- {
- id = this->ike_sa->get_other_id(this->ike_sa);
+ if (this->method->initiate(this->method, &out) == NEED_MORE)
+ {
+ DBG1(DBG_IKE, "initiating EAP-Identity request");
+ return out;
+ }
+ this->method->destroy(this->method);
}
+ DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
}
}
- if (id->get_type(id) == ID_EAP)
+ /* invoke real EAP method */
+ type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+ vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+ this->method = load_method(this, type, vendor, EAP_SERVER);
+ if (this->method &&
+ this->method->initiate(this->method, &out) == NEED_MORE)
{
- return id->clone(id);
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor);
+
+ }
+ else
+ {
+ DBG1(DBG_IKE, "initiating %N", eap_type_names, type);
+ }
+ return out;
}
- return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * get the servers identity to use in the EAP method
- */
-static identification_t *get_server_id(private_eap_authenticator_t *this)
-{
- identification_t *id;
-
- if (this->role == EAP_SERVER)
+ if (vendor)
{
- id = this->ike_sa->get_my_id(this->ike_sa);
+ DBG1(DBG_IKE, "initiating EAP vendor type %d-%d failed", type, vendor);
}
else
{
- id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "initiating %N failed", eap_type_names, type);
}
- if (id->get_type(id) == ID_EAP)
- {
- return id->clone(id);
- }
- return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * load an EAP method using the correct identities
- */
-static eap_method_t *load_method(private_eap_authenticator_t *this,
- eap_type_t type, u_int32_t vendor, eap_role_t role)
-{
- identification_t *server, *peer;
- eap_method_t *method;
-
- server = get_server_id(this);
- peer = get_peer_id(this);
- method = charon->eap->create_instance(charon->eap, type, vendor, role,
- server, peer);
- server->destroy(server);
- peer->destroy(peer);
- return method;
+ return eap_payload_create_code(EAP_FAILURE, 0);
}
/**
- * Implementation of eap_authenticator_t.initiate
+ * Handle EAP exchange as server
*/
-static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
- u_int32_t vendor, eap_payload_t **out)
+static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ eap_payload_t *in)
{
- /* if initiate() is called, role is always server */
- this->role = EAP_SERVER;
-
- if (this->do_eap_identity)
- { /* do an EAP-Identity request first */
- this->type = type;
- this->vendor = vendor;
- vendor = 0;
- type = EAP_IDENTITY;
- }
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
+ eap_payload_t *out;
+ auth_cfg_t *cfg;
- if (type == 0)
+ if (in->get_code(in) != EAP_RESPONSE)
{
- DBG1(DBG_IKE,
- "client requested EAP authentication, but configuration forbids it");
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ DBG1(DBG_IKE, "received %N, sending %N",
+ eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- if (vendor)
- {
- DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
- }
- this->method = load_method(this, type, vendor, this->role);
- if (this->method == NULL)
+ type = this->method->get_type(this->method, &vendor);
+ received_type = in->get_type(in, &received_vendor);
+ if (type != received_type || vendor != received_vendor)
{
- if (vendor == 0 && type == EAP_IDENTITY)
+ if (received_vendor == 0 && received_type == EAP_NAK)
{
- DBG1(DBG_IKE, "skipping %N, no implementation found",
- eap_type_names, type);
- this->do_eap_identity = FALSE;
- return initiate(this, this->type, this->vendor, out);
+ DBG1(DBG_IKE, "received %N, sending %N",
+ eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received invalid EAP response, sending %N",
+ eap_code_names, EAP_FAILURE);
}
- DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
- eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- if (this->method->initiate(this->method, out) != NEED_MORE)
+
+ switch (this->method->process(this->method, in, &out))
{
- DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
- eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ case NEED_MORE:
+ return out;
+ case SUCCESS:
+ if (type == EAP_IDENTITY)
+ {
+ chunk_t data;
+ char buf[256];
+
+ if (this->method->get_msk(this->method, &data) == SUCCESS)
+ {
+ snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
+ this->eap_identity = identification_create_from_string(buf);
+ DBG1(DBG_IKE, "received EAP identity '%Y'",
+ this->eap_identity);
+ }
+ /* restart EAP exchange, but with real method */
+ this->method->destroy(this->method);
+ return server_initiate_eap(this, FALSE);
+ }
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ {
+ this->msk = chunk_clone(this->msk);
+ }
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+ "%sMSK established", type, vendor,
+ this->msk.ptr ? "" : "no ");
+ }
+ else
+ {
+ DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+ eap_type_names, type, this->msk.ptr ? "" : "no ");
+ }
+ this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
+ TRUE);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+ if (vendor)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+ }
+ this->eap_complete = TRUE;
+ return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
+ "peer %Y", type, vendor,
+ this->ike_sa->get_other_id(this->ike_sa));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
+ eap_type_names, type,
+ this->ike_sa->get_other_id(this->ike_sa));
+ }
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- return NEED_MORE;
}
/**
* Processing method for a peer
*/
-static status_t process_peer(private_eap_authenticator_t *this,
- eap_payload_t *in, eap_payload_t **out)
+static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
+ eap_payload_t *in)
{
eap_type_t type;
u_int32_t vendor;
+ auth_cfg_t *auth;
+ eap_payload_t *out;
+ identification_t *id;
type = in->get_type(in, &vendor);
if (!vendor && type == EAP_IDENTITY)
{
- eap_method_t *method;
+ DESTROY_IF(this->eap_identity);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (!id || id->get_type(id) == ID_ANY)
+ {
+ id = this->ike_sa->get_my_id(this->ike_sa);
+ }
+ DBG1(DBG_IKE, "server requested %N, sending '%Y'",
+ eap_type_names, type, id);
+ this->eap_identity = id->clone(id);
- method = load_method(this, type, 0, EAP_PEER);
- if (method == NULL || method->process(method, in, out) != SUCCESS)
+ this->method = load_method(this, type, vendor, EAP_PEER);
+ if (this->method)
{
- DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
- eap_type_names, type);
- DESTROY_IF(method);
- return FAILED;
+ if (this->method->process(this->method, in, &out) == SUCCESS)
+ {
+ this->method->destroy(this->method);
+ this->method = NULL;
+ return out;
+ }
+ this->method->destroy(this->method);
+ this->method = NULL;
}
- DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);
- method->destroy(method);
- return NEED_MORE;
+ DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
+ eap_type_names, type);
+ return eap_payload_create_nak(in->get_identifier(in));
}
-
- /* create an eap_method for the first call */
if (this->method == NULL)
{
if (vendor)
{
- DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
type, vendor);
}
else
{
- DBG1(DBG_IKE, "EAP server requested %N authentication",
+ DBG1(DBG_IKE, "server requested %N authentication",
eap_type_names, type);
}
this->method = load_method(this, type, vendor, EAP_PEER);
- if (this->method == NULL)
+ if (!this->method)
{
- DBG1(DBG_IKE, "EAP server requested unsupported "
- "EAP method, sending EAP_NAK");
- *out = eap_payload_create_nak(in->get_identifier(in));
- return NEED_MORE;
+ DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
+ return eap_payload_create_nak(in->get_identifier(in));
}
}
type = this->method->get_type(this->method, &vendor);
- switch (this->method->process(this->method, in, out))
+ if (this->method->process(this->method, in, &out) == NEED_MORE)
+ { /* client methods should never return SUCCESS */
+ return out;
+ }
+
+ if (vendor)
{
- case NEED_MORE:
- return NEED_MORE;
- case SUCCESS:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
- }
- return SUCCESS;
- case FAILED:
- default:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N failed",
- eap_type_names, type);
- }
- return FAILED;
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
}
+ return NULL;
}
/**
- * handle an EAP-Identity response on the server
+ * Verify AUTH payload
*/
-static status_t process_eap_identity(private_eap_authenticator_t *this,
- eap_payload_t **out)
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
{
- chunk_t data;
- identification_t *id;
-
- if (this->method->get_msk(this->method, &data) == SUCCESS)
+ auth_payload_t *auth_payload;
+ chunk_t auth_data, recv_auth_data;
+ identification_t *other_id;
+ auth_cfg_t *auth;
+ keymat_t *keymat;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message,
+ AUTHENTICATION);
+ if (!auth_payload)
{
- id = identification_create_from_encoding(ID_EAP, data);
- DBG1(DBG_IKE, "using EAP identity '%D'", id);
- this->ike_sa->set_eap_identity(this->ike_sa, id);
+ DBG1(DBG_IKE, "AUTH payload missing");
+ return FALSE;
}
- /* restart EAP exchange, but with real method */
- this->method->destroy(this->method);
- this->method = NULL;
- this->do_eap_identity = FALSE;
- return initiate(this, this->type, this->vendor, out);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+ this->msk, other_id);
+ recv_auth_data = auth_payload->get_data(auth_payload);
+ if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+ {
+ DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
+ this->msk.ptr ? "" : "out");
+ chunk_free(&auth_data);
+ return FALSE;
+ }
+ chunk_free(&auth_data);
+
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+ other_id, auth_class_names, AUTH_CLASS_EAP);
+ this->auth_complete = TRUE;
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ return TRUE;
+}
+
+/**
+ * Build AUTH payload
+ */
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
+{
+ auth_payload_t *auth_payload;
+ identification_t *my_id;
+ chunk_t auth_data;
+ keymat_t *keymat;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+ my_id, auth_class_names, AUTH_CLASS_EAP);
+
+ auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+ auth_payload->set_data(auth_payload, auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
+ chunk_free(&auth_data);
}
/**
- * Processing method for a server
+ * Implementation of authenticator_t.process for a server
*/
static status_t process_server(private_eap_authenticator_t *this,
- eap_payload_t *in, eap_payload_t **out)
+ message_t *message)
{
- eap_type_t type;
- u_int32_t vendor;
+ eap_payload_t *eap_payload;
- type = this->method->get_type(this->method, &vendor);
+ if (this->eap_complete)
+ {
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+ }
- switch (this->method->process(this->method, in, out))
+ if (!this->method)
{
- case NEED_MORE:
- return NEED_MORE;
- case SUCCESS:
- if (this->do_eap_identity)
- {
- return process_eap_identity(this, out);
- }
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
- {
- this->msk = chunk_clone(this->msk);
- }
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
- "%sMSK established", type, vendor,
- this->msk.ptr ? "" : "no ");
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
- eap_type_names, type, this->msk.ptr ? "" : "no ");
- }
- *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
- return SUCCESS;
- case FAILED:
- default:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
- "peer %D", type, vendor,
- this->ike_sa->get_other_id(this->ike_sa));
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N failed for peer '%D'",
- eap_type_names, type,
- this->ike_sa->get_other_id(this->ike_sa));
- }
- *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+ this->eap_payload = server_initiate_eap(this, TRUE);
+ }
+ else
+ {
+ eap_payload = (eap_payload_t*)message->get_payload(message,
+ EXTENSIBLE_AUTHENTICATION);
+ if (!eap_payload)
+ {
return FAILED;
+ }
+ this->eap_payload = server_process_eap(this, eap_payload);
}
+ return NEED_MORE;
}
/**
- * Implementation of eap_authenticator_t.process
+ * Implementation of authenticator_t.build for a server
*/
-static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
- eap_payload_t **out)
+static status_t build_server(private_eap_authenticator_t *this,
+ message_t *message)
{
- eap_code_t code = in->get_code(in);
+ if (this->eap_payload)
+ {
+ eap_code_t code;
+
+ code = this->eap_payload->get_code(this->eap_payload);
+ message->add_payload(message, (payload_t*)this->eap_payload);
+ this->eap_payload = NULL;
+ if (code == EAP_FAILURE)
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+ }
+ if (this->eap_complete && this->auth_complete)
+ {
+ build_auth(this, message, this->received_nonce, this->sent_init);
+ return SUCCESS;
+ }
+ return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.process for a client
+ */
+static status_t process_client(private_eap_authenticator_t *this,
+ message_t *message)
+{
+ eap_payload_t *eap_payload;
- switch (this->role)
+ if (this->eap_complete)
{
- case EAP_SERVER:
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
{
- switch (code)
+ return FAILED;
+ }
+ return SUCCESS;
+ }
+
+ eap_payload = (eap_payload_t*)message->get_payload(message,
+ EXTENSIBLE_AUTHENTICATION);
+ if (eap_payload)
+ {
+ switch (eap_payload->get_code(eap_payload))
+ {
+ case EAP_REQUEST:
{
- case EAP_RESPONSE:
+ this->eap_payload = client_process_eap(this, eap_payload);
+ if (this->eap_payload)
{
- return process_server(this, in, out);
- }
- default:
- {
- DBG1(DBG_IKE, "received %N, sending %N",
- eap_code_names, code, eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE,
- in->get_identifier(in));
- return FAILED;
+ return NEED_MORE;
}
+ return FAILED;
}
- }
- case EAP_PEER:
- {
- switch (code)
+ case EAP_SUCCESS:
{
- case EAP_REQUEST:
+ eap_type_t type;
+ u_int32_t vendor;
+ auth_cfg_t *cfg;
+
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
{
- return process_peer(this, in, out);
+ this->msk = chunk_clone(this->msk);
}
- case EAP_SUCCESS:
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
{
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
- {
- this->msk = chunk_clone(this->msk);
- }
- return SUCCESS;
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+ "%sMSK established", type, vendor,
+ this->msk.ptr ? "" : "no ");
}
- case EAP_FAILURE:
- default:
+ else
{
- DBG1(DBG_IKE, "received %N, EAP authentication failed",
- eap_code_names, code);
- return FAILED;
+ DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+ eap_type_names, type, this->msk.ptr ? "" : "no ");
}
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+ if (vendor)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+ }
+ this->eap_complete = TRUE;
+ return NEED_MORE;
+ }
+ case EAP_FAILURE:
+ default:
+ {
+ DBG1(DBG_IKE, "received %N, EAP authentication failed",
+ eap_code_names, eap_payload->get_code(eap_payload));
+ return FAILED;
}
- }
- default:
- {
- return FAILED;
}
}
+ return FAILED;
}
/**
- * Implementation of authenticator_t.is_mutual.
+ * Implementation of authenticator_t.build for a client
*/
-static bool is_mutual(private_eap_authenticator_t *this)
+static status_t build_client(private_eap_authenticator_t *this,
+ message_t *message)
{
- if (this->method)
+ if (this->eap_payload)
{
- return this->method->is_mutual(this->method);
+ message->add_payload(message, (payload_t*)this->eap_payload);
+ this->eap_payload = NULL;
+ return NEED_MORE;
}
- return FALSE;
+ if (this->eap_complete)
+ {
+ build_auth(this, message, this->received_nonce, this->sent_init);
+ return NEED_MORE;
+ }
+ return NEED_MORE;
}
/**
@@ -500,6 +584,8 @@ static bool is_mutual(private_eap_authenticator_t *this)
static void destroy(private_eap_authenticator_t *this)
{
DESTROY_IF(this->method);
+ DESTROY_IF(this->eap_payload);
+ DESTROY_IF(this->eap_identity);
chunk_free(&this->msk);
free(this);
}
@@ -507,46 +593,56 @@ static void destroy(private_eap_authenticator_t *this)
/*
* Described in header.
*/
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- peer_cfg_t *config;
- auth_info_t *auth;
- identification_t *id;
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
-
- this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
- this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
- this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
- this->role = EAP_PEER;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
+ this->msk = chunk_empty;
this->method = NULL;
+ this->eap_payload = NULL;
+ this->eap_complete = FALSE;
+ this->auth_complete = FALSE;
+ this->eap_identity = NULL;
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
+{
+ private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
this->msk = chunk_empty;
- this->do_eap_identity = FALSE;
- this->type = 0;
- this->vendor = 0;
+ this->method = NULL;
+ this->eap_payload = NULL;
+ this->eap_complete = FALSE;
+ this->auth_complete = FALSE;
+ this->eap_identity = NULL;
- config = ike_sa->get_peer_cfg(ike_sa);
- if (config)
- {
- auth = config->get_auth(config);
- if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
- {
- if (id->get_type(id) == ID_ANY)
- { /* %any as configured EAP identity runs EAP-Identity first */
- this->do_eap_identity = TRUE;
- }
- else
- {
- ike_sa->set_eap_identity(ike_sa, id->clone(id));
- }
- }
- }
return &this->public;
}
+
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index 3ee6839fa..b90a6f4df 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -26,21 +24,13 @@
typedef struct eap_authenticator_t eap_authenticator_t;
#include <sa/authenticators/authenticator.h>
-#include <encoding/payloads/eap_payload.h>
/**
- * Implementation of the authenticator_t interface using AUTH_CLASS_EAP.
+ * Implementation of authenticator_t using EAP authentication.
*
* Authentication using EAP involves the most complex authenticator. It stays
* alive over multiple ike_auth transactions and handles multiple EAP
* messages.
- * EAP authentication must be clearly distinguished between using
- * mutual EAP methods and using methods not providing server authentication.
- * If no mutual authentication is used, the server must prove it's identity
- * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual,
- * the client should accept an EAP-only authentication.
- * RFC4306 does always use traditional authentiction, EAP only authentication
- * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
*
* @verbatim
ike_sa_init
@@ -49,12 +39,12 @@ typedef struct eap_authenticator_t eap_authenticator_t;
followed by multiple ike_auth:
+--------+ +--------+
- | EAP | ID, SA, TS, N(EAP_ONLY) | EAP |
+ | EAP | IDi, [IDr,] SA, TS | EAP |
| client | ---------------------------> | server |
- | | ID, [AUTH,] EAP | | AUTH payload is
- | | <--------------------------- | | only included if
- | | EAP | | authentication
- | | ---------------------------> | | is not mutual.
+ | | ID, AUTH, EAP | |
+ | | <--------------------------- | |
+ | | EAP | |
+ | | ---------------------------> | |
| | EAP | |
| | <--------------------------- | |
| | EAP | |
@@ -74,74 +64,35 @@ struct eap_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
-
- /**
- * Check if the EAP method was/is mutual and secure.
- *
- * RFC4306 proposes to authenticate the EAP responder (server) by standard
- * IKEv2 methods (RSA, psk). Not all, but some EAP methods
- * provide mutual authentication, which would result in a redundant
- * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
- * the the server provides mutual authentication, authentication using
- * RSA/PSK may be omitted. If the server did not include a traditional
- * AUTH payload, the client must verify that the server initiated mutual
- * EAP authentication before it can trust the server.
- *
- * @return TRUE, if no AUTH payload required, FALSE otherwise
- */
- bool (*is_mutual) (eap_authenticator_t* this);
-
- /**
- * Initiate the EAP exchange.
- *
- * The server initiates EAP exchanges, so the client never calls
- * this method. If initiate() returns NEED_MORE, the EAP authentication
- * process started. In any case, a payload is created in "out".
- *
- * @param type EAP method to use to authenticate client
- * @param vendor EAP vendor identifier, if type is vendor specific, or 0
- * @param out created initiaal EAP message to send
- * @return
- * - FAILED, if initiation failed
- * - NEED_MORE, if more EAP exchanges reqired
- */
- status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
- u_int32_t vendor, eap_payload_t **out);
-
- /**
- * Process an EAP message.
- *
- * After receiving an EAP message "in", the peer/server processes
- * the payload and creates a reply/subsequent request.
- * The server side always returns NEED_MORE if another EAP message
- * is expected from the client, SUCCESS if EAP exchange completed and
- * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with
- * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
- * created.
- * The peer (client) side only creates a "out" payload if result is
- * NEED_MORE, a SUCCESS/FAILED is returned whenever a
- * EAP_SUCCESS/EAP_FAILURE message is received in "in".
- * If a SUCCESS is returned (on any side), the EAP authentication was
- * successful and the AUTH payload can be exchanged.
- *
- * @param in received EAP message
- * @param out created EAP message to send
- * @return
- * - FAILED, if authentication/EAP exchange failed
- * - SUCCESS, if authentication completed
- * - NEED_MORE, if more EAP exchanges reqired
- */
- status_t (*process) (eap_authenticator_t* this,
- eap_payload_t *in, eap_payload_t **out);
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_CLASS_EAP.
+ * Create an authenticator to authenticate against an EAP server.
*
- * @param ike_sa associated ike_sa
- * @return eap_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return EAP authenticator
+ */
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to authenticate EAP clients.
+ *
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return EAP authenticator
*/
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index ae5a66479..742b67789 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,17 +12,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
-#include <string.h>
-
#include "psk_authenticator.h"
#include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
typedef struct private_psk_authenticator_t private_psk_authenticator_t;
@@ -40,22 +35,74 @@ struct private_psk_authenticator_t {
* Assigned IKE_SA
*/
ike_sa_t *ike_sa;
+
+ /**
+ * nonce to include in AUTH calculation
+ */
+ chunk_t nonce;
+
+ /**
+ * IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t ike_sa_init;
};
+/*
+ * Implementation of authenticator_t.build for builder
+ */
+static status_t build(private_psk_authenticator_t *this, message_t *message)
+{
+ identification_t *my_id, *other_id;
+ auth_payload_t *auth_payload;
+ shared_key_t *key;
+ chunk_t auth_data;
+ keymat_t *keymat;
+
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+ my_id, auth_method_names, AUTH_PSK);
+ key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+ my_id, other_id);
+ if (key == NULL)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
+ return NOT_FOUND;
+ }
+ auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
+ this->nonce, key->get_key(key), my_id);
+ key->destroy(key);
+ DBG2(DBG_IKE, "successfully created shared key MAC");
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+ auth_payload->set_data(auth_payload, auth_data);
+ chunk_free(&auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
+
+ return SUCCESS;
+}
+
/**
- * Implementation of authenticator_t.verify.
+ * Implementation of authenticator_t.process for verifier
*/
-static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
+static status_t process(private_psk_authenticator_t *this, message_t *message)
{
chunk_t auth_data, recv_auth_data;
identification_t *my_id, *other_id;
+ auth_payload_t *auth_payload;
+ auth_cfg_t *auth;
shared_key_t *key;
enumerator_t *enumerator;
bool authenticated = FALSE;
int keys_found = 0;
keymat_t *keymat;
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (!auth_payload)
+ {
+ return FAILED;
+ }
keymat = this->ike_sa->get_keymat(this->ike_sa);
recv_auth_data = auth_payload->get_data(auth_payload);
my_id = this->ike_sa->get_my_id(this->ike_sa);
@@ -66,11 +113,11 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
{
keys_found++;
- auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
- key->get_key(key), other_id);
+ auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
+ this->nonce, key->get_key(key), other_id);
if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
{
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
other_id, auth_method_names, AUTH_PSK);
authenticated = TRUE;
}
@@ -82,49 +129,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
{
if (keys_found == 0)
{
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
return NOT_FOUND;
}
- DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+ DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
return FAILED;
}
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
return SUCCESS;
}
/**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
*/
-static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t return_failed()
{
- identification_t *my_id, *other_id;
- shared_key_t *key;
- chunk_t auth_data;
- keymat_t *keymat;
-
- keymat = this->ike_sa->get_keymat(this->ike_sa);
- my_id = this->ike_sa->get_my_id(this->ike_sa);
- other_id = this->ike_sa->get_other_id(this->ike_sa);
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
- my_id, auth_method_names, AUTH_PSK);
- key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
- my_id, other_id);
- if (key == NULL)
- {
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
- return NOT_FOUND;
- }
- auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
- key->get_key(key), my_id);
- key->destroy(key);
- DBG2(DBG_IKE, "successfully created shared key MAC");
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
- (*auth_payload)->set_data(*auth_payload, auth_data);
-
- chunk_free(&auth_data);
- return SUCCESS;
+ return FAILED;
}
/**
@@ -138,17 +162,38 @@ static void destroy(private_psk_authenticator_t *this)
/*
* Described in header.
*/
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa)
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init)
{
private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
+ this->ike_sa_init = sent_init;
+ this->nonce = received_nonce;
return &this->public;
}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init)
+{
+ private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->ike_sa_init = received_init;
+ this->nonce = sent_nonce;
+
+ return &this->public;
+}
+
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
index df65076a4..5bb743d93 100644
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: psk_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -28,22 +26,36 @@ typedef struct psk_authenticator_t psk_authenticator_t;
#include <sa/authenticators/authenticator.h>
/**
- * Implementation of the authenticator_t interface using AUTH_PSK.
+ * Implementation of authenticator_t using pre-shared keys.
*/
struct psk_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_PSK.
+ * Create an authenticator to build PSK signatures.
*
- * @param ike_sa associated ike_sa
- * @return psk_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return PSK authenticator
+ */
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify PSK signatures.
+ *
+ * @param ike_sa associated ike_sa
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @return PSK authenticator
*/
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init);
#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index c16f3b888..44cabfb94 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,17 +13,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
-#include <string.h>
-
#include "pubkey_authenticator.h"
#include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
@@ -41,95 +36,40 @@ struct private_pubkey_authenticator_t {
* Assigned IKE_SA
*/
ike_sa_t *ike_sa;
-};
-
-/**
- * Implementation of authenticator_t.verify.
- */
-static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
-{
- public_key_t *public;
- auth_method_t auth_method;
- chunk_t auth_data, octets;
- identification_t *id;
- auth_info_t *auth, *current_auth;
- enumerator_t *enumerator;
- key_type_t key_type = KEY_ECDSA;
- signature_scheme_t scheme;
- status_t status = FAILED;
- keymat_t *keymat;
- id = this->ike_sa->get_other_id(this->ike_sa);
- auth_method = auth_payload->get_auth_method(auth_payload);
- switch (auth_method)
- {
- case AUTH_RSA:
- /* We are currently fixed to SHA1 hashes.
- * TODO: allow other hash algorithms and note it in "auth" */
- key_type = KEY_RSA;
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case AUTH_ECDSA_256:
- scheme = SIGN_ECDSA_256;
- break;
- case AUTH_ECDSA_384:
- scheme = SIGN_ECDSA_384;
- break;
- case AUTH_ECDSA_521:
- scheme = SIGN_ECDSA_521;
- break;
- default:
- return INVALID_ARG;
- }
- auth_data = auth_payload->get_data(auth_payload);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id);
- auth = this->ike_sa->get_other_auth(this->ike_sa);
- enumerator = charon->credentials->create_public_enumerator(
- charon->credentials, key_type, id, auth);
- while (enumerator->enumerate(enumerator, &public, &current_auth))
- {
- if (public->verify(public, scheme, octets, auth_data))
- {
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- id, auth_method_names, auth_method);
- status = SUCCESS;
- auth->merge(auth, current_auth);
- break;
- }
- else
- {
- DBG1(DBG_IKE, "signature validation failed, looking for another key");
- }
- }
- enumerator->destroy(enumerator);
- chunk_free(&octets);
- return status;
-}
+ /**
+ * nonce to include in AUTH calculation
+ */
+ chunk_t nonce;
+
+ /**
+ * IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t ike_sa_init;
+};
/**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.build for builder
*/
-static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t build(private_pubkey_authenticator_t *this, message_t *message)
{
chunk_t octets, auth_data;
status_t status = FAILED;
private_key_t *private;
identification_t *id;
- auth_info_t *auth;
+ auth_cfg_t *auth;
+ auth_payload_t *auth_payload;
auth_method_t auth_method;
signature_scheme_t scheme;
keymat_t *keymat;
id = this->ike_sa->get_my_id(this->ike_sa);
- auth = this->ike_sa->get_my_auth(this->ike_sa);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
private = charon->credentials->get_private(charon->credentials, KEY_ANY,
id, auth);
if (private == NULL)
{
- DBG1(DBG_IKE, "no private key found for '%D'", id);
+ DBG1(DBG_IKE, "no private key found for '%Y'", id);
return NOT_FOUND;
}
@@ -169,18 +109,18 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
return status;
}
keymat = this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id);
-
+ octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+ this->nonce, id);
if (private->sign(private, scheme, octets, &auth_data))
{
- auth_payload_t *payload = auth_payload_create();
- payload->set_auth_method(payload, auth_method);
- payload->set_data(payload, auth_data);
- *auth_payload = payload;
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, auth_method);
+ auth_payload->set_data(auth_payload, auth_data);
chunk_free(&auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
status = SUCCESS;
}
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
auth_method_names, auth_method,
(status == SUCCESS)? "successful":"failed");
chunk_free(&octets);
@@ -190,6 +130,93 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
}
/**
+ * Implementation of authenticator_t.process for verifier
+ */
+static status_t process(private_pubkey_authenticator_t *this, message_t *message)
+{
+ public_key_t *public;
+ auth_method_t auth_method;
+ auth_payload_t *auth_payload;
+ chunk_t auth_data, octets;
+ identification_t *id;
+ auth_cfg_t *auth, *current_auth;
+ enumerator_t *enumerator;
+ key_type_t key_type = KEY_ECDSA;
+ signature_scheme_t scheme;
+ status_t status = NOT_FOUND;
+ keymat_t *keymat;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (!auth_payload)
+ {
+ return FAILED;
+ }
+ auth_method = auth_payload->get_auth_method(auth_payload);
+ switch (auth_method)
+ {
+ case AUTH_RSA:
+ /* We currently accept SHA1 signatures only
+ * TODO: allow other hash algorithms and note it in "auth" */
+ key_type = KEY_RSA;
+ scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ break;
+ case AUTH_ECDSA_256:
+ scheme = SIGN_ECDSA_256;
+ break;
+ case AUTH_ECDSA_384:
+ scheme = SIGN_ECDSA_384;
+ break;
+ case AUTH_ECDSA_521:
+ scheme = SIGN_ECDSA_521;
+ break;
+ default:
+ return INVALID_ARG;
+ }
+ auth_data = auth_payload->get_data(auth_payload);
+ id = this->ike_sa->get_other_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+ this->nonce, id);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ enumerator = charon->credentials->create_public_enumerator(
+ charon->credentials, key_type, id, auth);
+ while (enumerator->enumerate(enumerator, &public, &current_auth))
+ {
+ if (public->verify(public, scheme, octets, auth_data))
+ {
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+ id, auth_method_names, auth_method);
+ status = SUCCESS;
+ auth->merge(auth, current_auth, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ break;
+ }
+ else
+ {
+ status = FAILED;
+ DBG1(DBG_IKE, "signature validation failed, looking for another key");
+ }
+ }
+ enumerator->destroy(enumerator);
+ chunk_free(&octets);
+ if (status == NOT_FOUND)
+ {
+ DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+ key_type_names, key_type, id);
+ }
+ return status;
+}
+
+/**
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
+ */
+static status_t return_failed()
+{
+ return FAILED;
+}
+
+/**
* Implementation of authenticator_t.destroy.
*/
static void destroy(private_pubkey_authenticator_t *this)
@@ -200,17 +227,37 @@ static void destroy(private_pubkey_authenticator_t *this)
/*
* Described in header.
*/
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa)
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init)
+{
+ private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->ike_sa_init = sent_init;
+ this->nonce = received_nonce;
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init)
{
private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
+ this->ike_sa_init = received_init;
+ this->nonce = sent_nonce;
return &this->public;
}
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
index d2189fa97..e67f020ff 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ b/src/charon/sa/authenticators/pubkey_authenticator.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: pubkey_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -29,22 +27,36 @@ typedef struct pubkey_authenticator_t pubkey_authenticator_t;
#include <sa/authenticators/authenticator.h>
/**
- * Implementation of the authenticator_t interface using AUTH_PUBKEY.
+ * Implementation of authenticator_t using public key authenitcation.
*/
struct pubkey_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_PUBKEY.
+ * Create an authenticator to build public key signatures.
*
- * @param ike_sa associated ike_sa
- * @return pubkey_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return public key authenticator
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify public key signatures.
+ *
+ * @param ike_sa associated ike_sa
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @return public key authenticator
*/
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa);
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init);
#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/