diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:35:38 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:35:38 +0000 |
commit | 7c52c3f35cdbdff58443b994f2f33d13b4d81f57 (patch) | |
tree | e54a27979ea72ec41702bec2984c2eadac3b8862 /src/charon/sa/authenticators | |
parent | 4ef45ba0404dac3773e83af995a5ec584b23d633 (diff) | |
download | vyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.tar.gz vyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.zip |
Updated to new upstream version.
Diffstat (limited to 'src/charon/sa/authenticators')
-rw-r--r-- | src/charon/sa/authenticators/authenticator.c | 49 | ||||
-rw-r--r-- | src/charon/sa/authenticators/authenticator.h | 89 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/eap_manager.c | 22 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/eap_manager.h | 2 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/eap_method.c | 35 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/eap_method.h | 11 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/sim_manager.c | 2 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap/sim_manager.h | 4 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap_authenticator.c | 786 | ||||
-rw-r--r-- | src/charon/sa/authenticators/eap_authenticator.h | 113 | ||||
-rw-r--r-- | src/charon/sa/authenticators/psk_authenticator.c | 147 | ||||
-rw-r--r-- | src/charon/sa/authenticators/psk_authenticator.h | 30 | ||||
-rw-r--r-- | src/charon/sa/authenticators/pubkey_authenticator.c | 229 | ||||
-rw-r--r-- | src/charon/sa/authenticators/pubkey_authenticator.h | 30 |
14 files changed, 882 insertions, 667 deletions
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c index 827c7a69a..ea8a16279 100644 --- a/src/charon/sa/authenticators/authenticator.c +++ b/src/charon/sa/authenticators/authenticator.c @@ -1,6 +1,6 @@ /* + * Copyright (C) 2006-2009 Martin Willi * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2006-2008 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: authenticator.c 4276 2008-08-22 10:44:51Z martin $ */ #include <string.h> @@ -23,6 +21,7 @@ #include <sa/authenticators/pubkey_authenticator.h> #include <sa/authenticators/psk_authenticator.h> #include <sa/authenticators/eap_authenticator.h> +#include <encoding/payloads/auth_payload.h> ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS, @@ -35,7 +34,8 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS, "ECDSA-521 signature"); ENUM_END(auth_method_names, AUTH_ECDSA_521); -ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP, +ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, + "any", "public key", "pre-shared key", "EAP", @@ -44,17 +44,23 @@ ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP, /** * Described in header. */ -authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa, - auth_class_t class) +authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init) { - switch (class) + switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) { + case AUTH_CLASS_ANY: + /* defaults to PUBKEY */ case AUTH_CLASS_PUBKEY: - return (authenticator_t*)pubkey_authenticator_create(ike_sa); + return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa, + received_nonce, sent_init); case AUTH_CLASS_PSK: - return (authenticator_t*)psk_authenticator_create(ike_sa); + return (authenticator_t*)psk_authenticator_create_builder(ike_sa, + received_nonce, sent_init); case AUTH_CLASS_EAP: - return (authenticator_t*)eap_authenticator_create(ike_sa); + return (authenticator_t*)eap_authenticator_create_builder(ike_sa, + received_nonce, sent_nonce, received_init, sent_init); default: return NULL; } @@ -63,19 +69,32 @@ authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa, /** * Described in header. */ -authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa, - auth_method_t method) +authenticator_t *authenticator_create_verifier( + ike_sa_t *ike_sa, message_t *message, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init) { - switch (method) + auth_payload_t *auth_payload; + + auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); + if (auth_payload == NULL) + { + return (authenticator_t*)eap_authenticator_create_verifier(ike_sa, + received_nonce, sent_nonce, received_init, sent_init); + } + switch (auth_payload->get_auth_method(auth_payload)) { case AUTH_RSA: case AUTH_ECDSA_256: case AUTH_ECDSA_384: case AUTH_ECDSA_521: - return (authenticator_t*)pubkey_authenticator_create(ike_sa); + return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa, + sent_nonce, received_init); case AUTH_PSK: - return (authenticator_t*)psk_authenticator_create(ike_sa); + return (authenticator_t*)psk_authenticator_create_verifier(ike_sa, + sent_nonce, received_init); default: return NULL; } } + diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h index 345cc7deb..c60881629 100644 --- a/src/charon/sa/authenticators/authenticator.h +++ b/src/charon/sa/authenticators/authenticator.h @@ -1,6 +1,6 @@ /* + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: authenticator.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -30,9 +28,8 @@ typedef enum auth_class_t auth_class_t; typedef struct authenticator_t authenticator_t; #include <library.h> +#include <config/auth_cfg.h> #include <sa/ike_sa.h> -#include <config/peer_cfg.h> -#include <encoding/payloads/auth_payload.h> /** * Method to use for authentication, as defined in IKEv2. @@ -84,6 +81,8 @@ extern enum_name_t *auth_method_names; * certificate finally dictates wich method is used. */ enum auth_class_t { + /** any class acceptable */ + AUTH_CLASS_ANY = 0, /** authentication using public keys (RSA, ECDSA) */ AUTH_CLASS_PUBKEY = 1, /** authentication using a pre-shared secrets */ @@ -100,66 +99,70 @@ extern enum_name_t *auth_class_names; /** * Authenticator interface implemented by the various authenticators. * - * Currently the following two AUTH methods are supported: - * - shared key message integrity code - * - RSA digital signature - * - EAP using the EAP framework and one of the EAP plugins - * - ECDSA is supported using OpenSSL + * An authenticator implementation handles AUTH and EAP payloads. Received + * messages are passed to the process() method, to send authentication data + * the message is passed to the build() method. */ struct authenticator_t { /** - * Verify a received authentication payload. + * Process an incoming message using the authenticator. * - * @param ike_sa_init binary representation of received ike_sa_init - * @param my_nonce the sent nonce - * @param auth_payload authentication payload to verify + * @param message message containing authentication payloads * @return - * - SUCCESS, - * - FAILED if verification failed - * - INVALID_ARG if auth_method does not match - * - NOT_FOUND if credentials not found + * - SUCCESS if authentication successful + * - FAILED if authentication failed + * - NEED_MORE if another exchange required */ - status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init, - chunk_t my_nonce, auth_payload_t *auth_payload); - + status_t (*process)(authenticator_t *this, message_t *message); + /** - * Build an authentication payload to send to the other peer. + * Attach authentication data to an outgoing message. * - * @param ike_sa_init binary representation of sent ike_sa_init - * @param other_nonce the received nonce - * @param auth_payload the resulting authentication payload + * @param message message to add authentication data to * @return - * - SUCCESS, - * - NOT_FOUND if credentials not found + * - SUCCESS if authentication successful + * - FAILED if authentication failed + * - NEED_MORE if another exchange required */ - status_t (*build) (authenticator_t *this, chunk_t ike_sa_init, - chunk_t other_nonce, auth_payload_t **auth_payload); - + status_t (*build)(authenticator_t *this, message_t *message); + /** - * Destroys a authenticator_t object. + * Destroy authenticator instance. */ void (*destroy) (authenticator_t *this); }; /** - * Creates an authenticator for the specified auth class (as configured). + * Create an authenticator to build signatures. * - * @param ike_sa associated ike_sa - * @param class class of authentication to use - * @return authenticator_t object + * @param ike_sa associated ike_sa + * @param cfg authentication configuration + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @param sent_init sent IKE_SA_INIT message data + * @return authenticator, NULL if not supported */ -authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa, - auth_class_t class); +authenticator_t *authenticator_create_builder( + ike_sa_t *ike_sa, auth_cfg_t *cfg, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init); /** - * Creates an authenticator for method (as received in payload). + * Create an authenticator to verify signatures. * - * @param ike_sa associated ike_sa - * @param method method as found in payload - * @return authenticator_t object + * @param ike_sa associated ike_sa + * @param message message containing authentication data + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @param sent_init sent IKE_SA_INIT message data + * @return authenticator, NULL if not supported */ -authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa, - auth_method_t method); +authenticator_t *authenticator_create_verifier( + ike_sa_t *ike_sa, message_t *message, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init); #endif /** AUTHENTICATOR_H_ @}*/ diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c index c1c2d6fce..b8316036e 100644 --- a/src/charon/sa/authenticators/eap/eap_manager.c +++ b/src/charon/sa/authenticators/eap/eap_manager.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $ */ #include "eap_manager.h" @@ -65,9 +63,9 @@ struct private_eap_manager_t { linked_list_t *methods; /** - * mutex to lock methods + * rwlock to lock methods */ - mutex_t *mutex; + rwlock_t *lock; }; /** @@ -84,9 +82,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type, entry->role = role; entry->constructor = constructor; - this->mutex->lock(this->mutex); + this->lock->write_lock(this->lock); this->methods->insert_last(this->methods, entry); - this->mutex->unlock(this->mutex); + this->lock->unlock(this->lock); } /** @@ -97,7 +95,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru enumerator_t *enumerator; eap_entry_t *entry; - this->mutex->lock(this->mutex); + this->lock->write_lock(this->lock); enumerator = this->methods->create_enumerator(this->methods); while (enumerator->enumerate(enumerator, &entry)) { @@ -108,7 +106,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru } } enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); + this->lock->unlock(this->lock); } /** @@ -123,7 +121,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this, eap_entry_t *entry; eap_method_t *method = NULL; - this->mutex->lock(this->mutex); + this->lock->read_lock(this->lock); enumerator = this->methods->create_enumerator(this->methods); while (enumerator->enumerate(enumerator, &entry)) { @@ -138,7 +136,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this, } } enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); + this->lock->unlock(this->lock); return method; } @@ -148,7 +146,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this, static void destroy(private_eap_manager_t *this) { this->methods->destroy_function(this->methods, free); - this->mutex->destroy(this->mutex); + this->lock->destroy(this->lock); free(this); } @@ -165,7 +163,7 @@ eap_manager_t *eap_manager_create() this->public.destroy = (void(*)(eap_manager_t*))destroy; this->methods = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->lock = rwlock_create(RWLOCK_DEFAULT); return &this->public; } diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h index db5535a81..667c54a8e 100644 --- a/src/charon/sa/authenticators/eap/eap_manager.h +++ b/src/charon/sa/authenticators/eap/eap_manager.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_manager.h 5003 2009-03-24 17:43:01Z martin $ */ /** diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c index 2e4307eb4..1d1900301 100644 --- a/src/charon/sa/authenticators/eap/eap_method.c +++ b/src/charon/sa/authenticators/eap/eap_method.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_method.c 4997 2009-03-24 10:24:58Z martin $ */ #include "eap_method.h" @@ -36,6 +34,36 @@ ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, "EAP_EXPERIMENTAL"); ENUM_END(eap_type_names, EAP_EXPERIMENTAL); +/* + * See header + */ +eap_type_t eap_type_from_string(char *name) +{ + int i; + static struct { + char *name; + eap_type_t type; + } types[] = { + {"identity", EAP_IDENTITY}, + {"md5", EAP_MD5}, + {"otp", EAP_OTP}, + {"gtc", EAP_GTC}, + {"sim", EAP_SIM}, + {"aka", EAP_AKA}, + {"mschapv2", EAP_MSCHAPV2}, + {"radius", EAP_RADIUS}, + }; + + for (i = 0; i < countof(types); i++) + { + if (strcaseeq(name, types[i].name)) + { + return types[i].type; + } + } + return 0; +} + ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE, "EAP_REQUEST", "EAP_RESPONSE", @@ -48,3 +76,6 @@ ENUM(eap_role_names, EAP_SERVER, EAP_PEER, "EAP_PEER", ); + + + diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h index 6f3da1ba7..578b89e96 100644 --- a/src/charon/sa/authenticators/eap/eap_method.h +++ b/src/charon/sa/authenticators/eap/eap_method.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_method.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -69,6 +67,14 @@ enum eap_type_t { extern enum_name_t *eap_type_names; /** + * Lookup the EAP method type from a string. + * + * @param name EAP method name (such as "md5", "aka") + * @return method type, 0 if unkown + */ +eap_type_t eap_type_from_string(char *name); + +/** * EAP code, type of an EAP message */ enum eap_code_t { @@ -83,7 +89,6 @@ enum eap_code_t { */ extern enum_name_t *eap_code_names; - /** * Interface of an EAP method for server and client side. * diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c index e6817ca20..51cd4fb3f 100644 --- a/src/charon/sa/authenticators/eap/sim_manager.c +++ b/src/charon/sa/authenticators/eap/sim_manager.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id$ */ #include "sim_manager.h" diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h index 69a2e4df9..3c6d66dfe 100644 --- a/src/charon/sa/authenticators/eap/sim_manager.h +++ b/src/charon/sa/authenticators/eap/sim_manager.h @@ -39,7 +39,7 @@ struct sim_card_t { * The returned identity owned by the sim_card and not destroyed outside. * The SIM card may return ID_ANY if it does not support/use an IMSI. * - * @return identity of type ID_EAP/ID_ANY + * @return identity */ identification_t* (*get_imsi)(sim_card_t *this); @@ -63,7 +63,7 @@ struct sim_provider_t { /** * Get a single triplet to authenticate a EAP client. * - * @param imsi client identity of type ID_EAP + * @param imsi client identity * @param rand RAND output buffer, fixed size 16 bytes * @param sres SRES output buffer, fixed size 4 byte * @param kc KC output buffer, fixed size 8 bytes diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c index 7b97fe56c..2abdf7a02 100644 --- a/src/charon/sa/authenticators/eap_authenticator.c +++ b/src/charon/sa/authenticators/eap_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -11,17 +11,14 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_authenticator.c 5037 2009-03-26 13:58:17Z andreas $ */ -#include <string.h> - #include "eap_authenticator.h" #include <daemon.h> -#include <config/peer_cfg.h> #include <sa/authenticators/eap/eap_method.h> +#include <encoding/payloads/auth_payload.h> +#include <encoding/payloads/eap_payload.h> typedef struct private_eap_authenticator_t private_eap_authenticator_t; @@ -41,9 +38,24 @@ struct private_eap_authenticator_t { ike_sa_t *ike_sa; /** - * Role of this authenticator, PEER or SERVER + * others nonce to include in AUTH calculation + */ + chunk_t received_nonce; + + /** + * our nonce to include in AUTH calculation + */ + chunk_t sent_nonce; + + /** + * others IKE_SA_INIT message data to include in AUTH calculation + */ + chunk_t received_init; + + /** + * our IKE_SA_INIT message data to include in AUTH calculation */ - eap_role_t role; + chunk_t sent_init; /** * Current EAP method processing @@ -56,442 +68,514 @@ struct private_eap_authenticator_t { chunk_t msk; /** - * should we do a EAP-Identity exchange as server? + * EAP authentication method completed successfully */ - bool do_eap_identity; + bool eap_complete; /** - * saved EAP type if we do eap_identity + * authentication payload verified successfully */ - eap_type_t type; + bool auth_complete; /** - * saved vendor id if we do eap_identity + * generated EAP payload */ - u_int32_t vendor; + eap_payload_t *eap_payload; + + /** + * EAP identity of peer + */ + identification_t *eap_identity; }; + /** - * Implementation of authenticator_t.verify. + * load an EAP method */ -static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init, - chunk_t my_nonce, auth_payload_t *auth_payload) +static eap_method_t *load_method(private_eap_authenticator_t *this, + eap_type_t type, u_int32_t vendor, eap_role_t role) { - chunk_t auth_data, recv_auth_data; - identification_t *other_id; - keymat_t *keymat; - - other_id = this->ike_sa->get_other_id(this->ike_sa); - keymat = this->ike_sa->get_keymat(this->ike_sa); - - auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce, - this->msk, other_id); + identification_t *server, *peer; - recv_auth_data = auth_payload->get_data(auth_payload); - if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) + if (role == EAP_SERVER) { - DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed"); - chunk_free(&auth_data); - return FAILED; + server = this->ike_sa->get_my_id(this->ike_sa); + peer = this->ike_sa->get_other_id(this->ike_sa); } - chunk_free(&auth_data); - - DBG1(DBG_IKE, "authentication of '%D' with %N successful", - other_id, auth_class_names, AUTH_CLASS_EAP); - return SUCCESS; -} - -/** - * Implementation of authenticator_t.build. - */ -static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init, - chunk_t other_nonce, auth_payload_t **auth_payload) -{ - identification_t *my_id; - chunk_t auth_data; - keymat_t *keymat; - - my_id = this->ike_sa->get_my_id(this->ike_sa); - keymat = this->ike_sa->get_keymat(this->ike_sa); - - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", - my_id, auth_class_names, AUTH_CLASS_EAP); - - auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce, - this->msk, my_id); - - *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK); - (*auth_payload)->set_data(*auth_payload, auth_data); - chunk_free(&auth_data); - - return SUCCESS; + else + { + server = this->ike_sa->get_other_id(this->ike_sa); + peer = this->ike_sa->get_my_id(this->ike_sa); + } + if (this->eap_identity) + { + peer = this->eap_identity; + } + return charon->eap->create_instance(charon->eap, type, vendor, + role, server, peer); } /** - * get the peers identity to use in the EAP method + * Initiate EAP conversation as server */ -static identification_t *get_peer_id(private_eap_authenticator_t *this) +static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, + bool do_identity) { + auth_cfg_t *auth; + eap_type_t type; identification_t *id; - peer_cfg_t *config; - auth_info_t *auth; + u_int32_t vendor; + eap_payload_t *out; + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - id = this->ike_sa->get_eap_identity(this->ike_sa); - if (!id) + /* initiate EAP-Identity exchange if required */ + if (!this->eap_identity && do_identity) { - config = this->ike_sa->get_peer_cfg(this->ike_sa); - auth = config->get_auth(config); - if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) || - id->get_type(id) == ID_ANY) + id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); + if (id) { - if (this->role == EAP_PEER) + this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER); + if (this->method) { - id = this->ike_sa->get_my_id(this->ike_sa); - } - else - { - id = this->ike_sa->get_other_id(this->ike_sa); + if (this->method->initiate(this->method, &out) == NEED_MORE) + { + DBG1(DBG_IKE, "initiating EAP-Identity request"); + return out; + } + this->method->destroy(this->method); } + DBG1(DBG_IKE, "EAP-Identity request configured, but not supported"); } } - if (id->get_type(id) == ID_EAP) + /* invoke real EAP method */ + type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE); + vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR); + this->method = load_method(this, type, vendor, EAP_SERVER); + if (this->method && + this->method->initiate(this->method, &out) == NEED_MORE) { - return id->clone(id); + if (vendor) + { + DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor); + + } + else + { + DBG1(DBG_IKE, "initiating %N", eap_type_names, type); + } + return out; } - return identification_create_from_encoding(ID_EAP, id->get_encoding(id)); -} - -/** - * get the servers identity to use in the EAP method - */ -static identification_t *get_server_id(private_eap_authenticator_t *this) -{ - identification_t *id; - - if (this->role == EAP_SERVER) + if (vendor) { - id = this->ike_sa->get_my_id(this->ike_sa); + DBG1(DBG_IKE, "initiating EAP vendor type %d-%d failed", type, vendor); } else { - id = this->ike_sa->get_other_id(this->ike_sa); + DBG1(DBG_IKE, "initiating %N failed", eap_type_names, type); } - if (id->get_type(id) == ID_EAP) - { - return id->clone(id); - } - return identification_create_from_encoding(ID_EAP, id->get_encoding(id)); -} - -/** - * load an EAP method using the correct identities - */ -static eap_method_t *load_method(private_eap_authenticator_t *this, - eap_type_t type, u_int32_t vendor, eap_role_t role) -{ - identification_t *server, *peer; - eap_method_t *method; - - server = get_server_id(this); - peer = get_peer_id(this); - method = charon->eap->create_instance(charon->eap, type, vendor, role, - server, peer); - server->destroy(server); - peer->destroy(peer); - return method; + return eap_payload_create_code(EAP_FAILURE, 0); } /** - * Implementation of eap_authenticator_t.initiate + * Handle EAP exchange as server */ -static status_t initiate(private_eap_authenticator_t *this, eap_type_t type, - u_int32_t vendor, eap_payload_t **out) +static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + eap_payload_t *in) { - /* if initiate() is called, role is always server */ - this->role = EAP_SERVER; - - if (this->do_eap_identity) - { /* do an EAP-Identity request first */ - this->type = type; - this->vendor = vendor; - vendor = 0; - type = EAP_IDENTITY; - } + eap_type_t type, received_type; + u_int32_t vendor, received_vendor; + eap_payload_t *out; + auth_cfg_t *cfg; - if (type == 0) + if (in->get_code(in) != EAP_RESPONSE) { - DBG1(DBG_IKE, - "client requested EAP authentication, but configuration forbids it"); - *out = eap_payload_create_code(EAP_FAILURE, 0); - return FAILED; + DBG1(DBG_IKE, "received %N, sending %N", + eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE); + return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); } - if (vendor) - { - DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d", - type, vendor); - } - else - { - DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type); - } - this->method = load_method(this, type, vendor, this->role); - if (this->method == NULL) + type = this->method->get_type(this->method, &vendor); + received_type = in->get_type(in, &received_vendor); + if (type != received_type || vendor != received_vendor) { - if (vendor == 0 && type == EAP_IDENTITY) + if (received_vendor == 0 && received_type == EAP_NAK) { - DBG1(DBG_IKE, "skipping %N, no implementation found", - eap_type_names, type); - this->do_eap_identity = FALSE; - return initiate(this, this->type, this->vendor, out); + DBG1(DBG_IKE, "received %N, sending %N", + eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE); + } + else + { + DBG1(DBG_IKE, "received invalid EAP response, sending %N", + eap_code_names, EAP_FAILURE); } - DBG1(DBG_IKE, "configured EAP server method not supported, sending %N", - eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE, 0); - return FAILED; + return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); } - if (this->method->initiate(this->method, out) != NEED_MORE) + + switch (this->method->process(this->method, in, &out)) { - DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N", - eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE, 0); - return FAILED; + case NEED_MORE: + return out; + case SUCCESS: + if (type == EAP_IDENTITY) + { + chunk_t data; + char buf[256]; + + if (this->method->get_msk(this->method, &data) == SUCCESS) + { + snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr); + this->eap_identity = identification_create_from_string(buf); + DBG1(DBG_IKE, "received EAP identity '%Y'", + this->eap_identity); + } + /* restart EAP exchange, but with real method */ + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } + if (this->method->get_msk(this->method, &this->msk) == SUCCESS) + { + this->msk = chunk_clone(this->msk); + } + if (vendor) + { + DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, " + "%sMSK established", type, vendor, + this->msk.ptr ? "" : "no "); + } + else + { + DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established", + eap_type_names, type, this->msk.ptr ? "" : "no "); + } + this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, + TRUE); + cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); + if (vendor) + { + cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); + } + this->eap_complete = TRUE; + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: + if (vendor) + { + DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for " + "peer %Y", type, vendor, + this->ike_sa->get_other_id(this->ike_sa)); + } + else + { + DBG1(DBG_IKE, "EAP method %N failed for peer %Y", + eap_type_names, type, + this->ike_sa->get_other_id(this->ike_sa)); + } + return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); } - return NEED_MORE; } /** * Processing method for a peer */ -static status_t process_peer(private_eap_authenticator_t *this, - eap_payload_t *in, eap_payload_t **out) +static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, + eap_payload_t *in) { eap_type_t type; u_int32_t vendor; + auth_cfg_t *auth; + eap_payload_t *out; + identification_t *id; type = in->get_type(in, &vendor); if (!vendor && type == EAP_IDENTITY) { - eap_method_t *method; + DESTROY_IF(this->eap_identity); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); + if (!id || id->get_type(id) == ID_ANY) + { + id = this->ike_sa->get_my_id(this->ike_sa); + } + DBG1(DBG_IKE, "server requested %N, sending '%Y'", + eap_type_names, type, id); + this->eap_identity = id->clone(id); - method = load_method(this, type, 0, EAP_PEER); - if (method == NULL || method->process(method, in, out) != SUCCESS) + this->method = load_method(this, type, vendor, EAP_PEER); + if (this->method) { - DBG1(DBG_IKE, "EAP server requested %N, but unable to process", - eap_type_names, type); - DESTROY_IF(method); - return FAILED; + if (this->method->process(this->method, in, &out) == SUCCESS) + { + this->method->destroy(this->method); + this->method = NULL; + return out; + } + this->method->destroy(this->method); + this->method = NULL; } - DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type); - method->destroy(method); - return NEED_MORE; + DBG1(DBG_IKE, "%N not supported, sending EAP_NAK", + eap_type_names, type); + return eap_payload_create_nak(in->get_identifier(in)); } - - /* create an eap_method for the first call */ if (this->method == NULL) { if (vendor) { - DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d", + DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d", type, vendor); } else { - DBG1(DBG_IKE, "EAP server requested %N authentication", + DBG1(DBG_IKE, "server requested %N authentication", eap_type_names, type); } this->method = load_method(this, type, vendor, EAP_PEER); - if (this->method == NULL) + if (!this->method) { - DBG1(DBG_IKE, "EAP server requested unsupported " - "EAP method, sending EAP_NAK"); - *out = eap_payload_create_nak(in->get_identifier(in)); - return NEED_MORE; + DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK"); + return eap_payload_create_nak(in->get_identifier(in)); } } type = this->method->get_type(this->method, &vendor); - switch (this->method->process(this->method, in, out)) + if (this->method->process(this->method, in, &out) == NEED_MORE) + { /* client methods should never return SUCCESS */ + return out; + } + + if (vendor) { - case NEED_MORE: - return NEED_MORE; - case SUCCESS: - if (vendor) - { - DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded", - type, vendor); - } - else - { - DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type); - } - return SUCCESS; - case FAILED: - default: - if (vendor) - { - DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed", - type, vendor); - } - else - { - DBG1(DBG_IKE, "EAP method %N failed", - eap_type_names, type); - } - return FAILED; + DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor); + } + else + { + DBG1(DBG_IKE, "%N method failed", eap_type_names, type); } + return NULL; } /** - * handle an EAP-Identity response on the server + * Verify AUTH payload */ -static status_t process_eap_identity(private_eap_authenticator_t *this, - eap_payload_t **out) +static bool verify_auth(private_eap_authenticator_t *this, message_t *message, + chunk_t nonce, chunk_t init) { - chunk_t data; - identification_t *id; - - if (this->method->get_msk(this->method, &data) == SUCCESS) + auth_payload_t *auth_payload; + chunk_t auth_data, recv_auth_data; + identification_t *other_id; + auth_cfg_t *auth; + keymat_t *keymat; + + auth_payload = (auth_payload_t*)message->get_payload(message, + AUTHENTICATION); + if (!auth_payload) { - id = identification_create_from_encoding(ID_EAP, data); - DBG1(DBG_IKE, "using EAP identity '%D'", id); - this->ike_sa->set_eap_identity(this->ike_sa, id); + DBG1(DBG_IKE, "AUTH payload missing"); + return FALSE; } - /* restart EAP exchange, but with real method */ - this->method->destroy(this->method); - this->method = NULL; - this->do_eap_identity = FALSE; - return initiate(this, this->type, this->vendor, out); + other_id = this->ike_sa->get_other_id(this->ike_sa); + keymat = this->ike_sa->get_keymat(this->ike_sa); + auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, + this->msk, other_id); + recv_auth_data = auth_payload->get_data(auth_payload); + if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) + { + DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed", + this->msk.ptr ? "" : "out"); + chunk_free(&auth_data); + return FALSE; + } + chunk_free(&auth_data); + + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", + other_id, auth_class_names, AUTH_CLASS_EAP); + this->auth_complete = TRUE; + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + return TRUE; +} + +/** + * Build AUTH payload + */ +static void build_auth(private_eap_authenticator_t *this, message_t *message, + chunk_t nonce, chunk_t init) +{ + auth_payload_t *auth_payload; + identification_t *my_id; + chunk_t auth_data; + keymat_t *keymat; + + my_id = this->ike_sa->get_my_id(this->ike_sa); + keymat = this->ike_sa->get_keymat(this->ike_sa); + + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", + my_id, auth_class_names, AUTH_CLASS_EAP); + + auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id); + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, AUTH_PSK); + auth_payload->set_data(auth_payload, auth_data); + message->add_payload(message, (payload_t*)auth_payload); + chunk_free(&auth_data); } /** - * Processing method for a server + * Implementation of authenticator_t.process for a server */ static status_t process_server(private_eap_authenticator_t *this, - eap_payload_t *in, eap_payload_t **out) + message_t *message) { - eap_type_t type; - u_int32_t vendor; + eap_payload_t *eap_payload; - type = this->method->get_type(this->method, &vendor); + if (this->eap_complete) + { + if (!verify_auth(this, message, this->sent_nonce, this->received_init)) + { + return FAILED; + } + return NEED_MORE; + } - switch (this->method->process(this->method, in, out)) + if (!this->method) { - case NEED_MORE: - return NEED_MORE; - case SUCCESS: - if (this->do_eap_identity) - { - return process_eap_identity(this, out); - } - if (this->method->get_msk(this->method, &this->msk) == SUCCESS) - { - this->msk = chunk_clone(this->msk); - } - if (vendor) - { - DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, " - "%sMSK established", type, vendor, - this->msk.ptr ? "" : "no "); - } - else - { - DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established", - eap_type_names, type, this->msk.ptr ? "" : "no "); - } - *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); - return SUCCESS; - case FAILED: - default: - if (vendor) - { - DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for " - "peer %D", type, vendor, - this->ike_sa->get_other_id(this->ike_sa)); - } - else - { - DBG1(DBG_IKE, "EAP method %N failed for peer '%D'", - eap_type_names, type, - this->ike_sa->get_other_id(this->ike_sa)); - } - *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); + this->eap_payload = server_initiate_eap(this, TRUE); + } + else + { + eap_payload = (eap_payload_t*)message->get_payload(message, + EXTENSIBLE_AUTHENTICATION); + if (!eap_payload) + { return FAILED; + } + this->eap_payload = server_process_eap(this, eap_payload); } + return NEED_MORE; } /** - * Implementation of eap_authenticator_t.process + * Implementation of authenticator_t.build for a server */ -static status_t process(private_eap_authenticator_t *this, eap_payload_t *in, - eap_payload_t **out) +static status_t build_server(private_eap_authenticator_t *this, + message_t *message) { - eap_code_t code = in->get_code(in); + if (this->eap_payload) + { + eap_code_t code; + + code = this->eap_payload->get_code(this->eap_payload); + message->add_payload(message, (payload_t*)this->eap_payload); + this->eap_payload = NULL; + if (code == EAP_FAILURE) + { + return FAILED; + } + return NEED_MORE; + } + if (this->eap_complete && this->auth_complete) + { + build_auth(this, message, this->received_nonce, this->sent_init); + return SUCCESS; + } + return FAILED; +} + +/** + * Implementation of authenticator_t.process for a client + */ +static status_t process_client(private_eap_authenticator_t *this, + message_t *message) +{ + eap_payload_t *eap_payload; - switch (this->role) + if (this->eap_complete) { - case EAP_SERVER: + if (!verify_auth(this, message, this->sent_nonce, this->received_init)) { - switch (code) + return FAILED; + } + return SUCCESS; + } + + eap_payload = (eap_payload_t*)message->get_payload(message, + EXTENSIBLE_AUTHENTICATION); + if (eap_payload) + { + switch (eap_payload->get_code(eap_payload)) + { + case EAP_REQUEST: { - case EAP_RESPONSE: + this->eap_payload = client_process_eap(this, eap_payload); + if (this->eap_payload) { - return process_server(this, in, out); - } - default: - { - DBG1(DBG_IKE, "received %N, sending %N", - eap_code_names, code, eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE, - in->get_identifier(in)); - return FAILED; + return NEED_MORE; } + return FAILED; } - } - case EAP_PEER: - { - switch (code) + case EAP_SUCCESS: { - case EAP_REQUEST: + eap_type_t type; + u_int32_t vendor; + auth_cfg_t *cfg; + + if (this->method->get_msk(this->method, &this->msk) == SUCCESS) { - return process_peer(this, in, out); + this->msk = chunk_clone(this->msk); } - case EAP_SUCCESS: + type = this->method->get_type(this->method, &vendor); + if (vendor) { - if (this->method->get_msk(this->method, &this->msk) == SUCCESS) - { - this->msk = chunk_clone(this->msk); - } - return SUCCESS; + DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, " + "%sMSK established", type, vendor, + this->msk.ptr ? "" : "no "); } - case EAP_FAILURE: - default: + else { - DBG1(DBG_IKE, "received %N, EAP authentication failed", - eap_code_names, code); - return FAILED; + DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established", + eap_type_names, type, this->msk.ptr ? "" : "no "); } + cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); + if (vendor) + { + cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); + } + this->eap_complete = TRUE; + return NEED_MORE; + } + case EAP_FAILURE: + default: + { + DBG1(DBG_IKE, "received %N, EAP authentication failed", + eap_code_names, eap_payload->get_code(eap_payload)); + return FAILED; } - } - default: - { - return FAILED; } } + return FAILED; } /** - * Implementation of authenticator_t.is_mutual. + * Implementation of authenticator_t.build for a client */ -static bool is_mutual(private_eap_authenticator_t *this) +static status_t build_client(private_eap_authenticator_t *this, + message_t *message) { - if (this->method) + if (this->eap_payload) { - return this->method->is_mutual(this->method); + message->add_payload(message, (payload_t*)this->eap_payload); + this->eap_payload = NULL; + return NEED_MORE; } - return FALSE; + if (this->eap_complete) + { + build_auth(this, message, this->received_nonce, this->sent_init); + return NEED_MORE; + } + return NEED_MORE; } /** @@ -500,6 +584,8 @@ static bool is_mutual(private_eap_authenticator_t *this) static void destroy(private_eap_authenticator_t *this) { DESTROY_IF(this->method); + DESTROY_IF(this->eap_payload); + DESTROY_IF(this->eap_identity); chunk_free(&this->msk); free(this); } @@ -507,46 +593,56 @@ static void destroy(private_eap_authenticator_t *this) /* * Described in header. */ -eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa) +eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init) { - peer_cfg_t *config; - auth_info_t *auth; - identification_t *id; private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t); - /* public functions */ - this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; - this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; - this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; - - this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual; - this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate; - this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process; + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - /* private data */ this->ike_sa = ike_sa; - this->role = EAP_PEER; + this->received_init = received_init; + this->received_nonce = received_nonce; + this->sent_init = sent_init; + this->sent_nonce = sent_nonce; + this->msk = chunk_empty; this->method = NULL; + this->eap_payload = NULL; + this->eap_complete = FALSE; + this->auth_complete = FALSE; + this->eap_identity = NULL; + + return &this->public; +} + +/* + * Described in header. + */ +eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init) +{ + private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->received_init = received_init; + this->received_nonce = received_nonce; + this->sent_init = sent_init; + this->sent_nonce = sent_nonce; this->msk = chunk_empty; - this->do_eap_identity = FALSE; - this->type = 0; - this->vendor = 0; + this->method = NULL; + this->eap_payload = NULL; + this->eap_complete = FALSE; + this->auth_complete = FALSE; + this->eap_identity = NULL; - config = ike_sa->get_peer_cfg(ike_sa); - if (config) - { - auth = config->get_auth(config); - if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id)) - { - if (id->get_type(id) == ID_ANY) - { /* %any as configured EAP identity runs EAP-Identity first */ - this->do_eap_identity = TRUE; - } - else - { - ike_sa->set_eap_identity(ike_sa, id->clone(id)); - } - } - } return &this->public; } + diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h index 3ee6839fa..b90a6f4df 100644 --- a/src/charon/sa/authenticators/eap_authenticator.h +++ b/src/charon/sa/authenticators/eap_authenticator.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: eap_authenticator.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -26,21 +24,13 @@ typedef struct eap_authenticator_t eap_authenticator_t; #include <sa/authenticators/authenticator.h> -#include <encoding/payloads/eap_payload.h> /** - * Implementation of the authenticator_t interface using AUTH_CLASS_EAP. + * Implementation of authenticator_t using EAP authentication. * * Authentication using EAP involves the most complex authenticator. It stays * alive over multiple ike_auth transactions and handles multiple EAP * messages. - * EAP authentication must be clearly distinguished between using - * mutual EAP methods and using methods not providing server authentication. - * If no mutual authentication is used, the server must prove it's identity - * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual, - * the client should accept an EAP-only authentication. - * RFC4306 does always use traditional authentiction, EAP only authentication - * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt. * * @verbatim ike_sa_init @@ -49,12 +39,12 @@ typedef struct eap_authenticator_t eap_authenticator_t; followed by multiple ike_auth: +--------+ +--------+ - | EAP | ID, SA, TS, N(EAP_ONLY) | EAP | + | EAP | IDi, [IDr,] SA, TS | EAP | | client | ---------------------------> | server | - | | ID, [AUTH,] EAP | | AUTH payload is - | | <--------------------------- | | only included if - | | EAP | | authentication - | | ---------------------------> | | is not mutual. + | | ID, AUTH, EAP | | + | | <--------------------------- | | + | | EAP | | + | | ---------------------------> | | | | EAP | | | | <--------------------------- | | | | EAP | | @@ -74,74 +64,35 @@ struct eap_authenticator_t { /** * Implemented authenticator_t interface. */ - authenticator_t authenticator_interface; - - /** - * Check if the EAP method was/is mutual and secure. - * - * RFC4306 proposes to authenticate the EAP responder (server) by standard - * IKEv2 methods (RSA, psk). Not all, but some EAP methods - * provide mutual authentication, which would result in a redundant - * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and - * the the server provides mutual authentication, authentication using - * RSA/PSK may be omitted. If the server did not include a traditional - * AUTH payload, the client must verify that the server initiated mutual - * EAP authentication before it can trust the server. - * - * @return TRUE, if no AUTH payload required, FALSE otherwise - */ - bool (*is_mutual) (eap_authenticator_t* this); - - /** - * Initiate the EAP exchange. - * - * The server initiates EAP exchanges, so the client never calls - * this method. If initiate() returns NEED_MORE, the EAP authentication - * process started. In any case, a payload is created in "out". - * - * @param type EAP method to use to authenticate client - * @param vendor EAP vendor identifier, if type is vendor specific, or 0 - * @param out created initiaal EAP message to send - * @return - * - FAILED, if initiation failed - * - NEED_MORE, if more EAP exchanges reqired - */ - status_t (*initiate) (eap_authenticator_t* this, eap_type_t type, - u_int32_t vendor, eap_payload_t **out); - - /** - * Process an EAP message. - * - * After receiving an EAP message "in", the peer/server processes - * the payload and creates a reply/subsequent request. - * The server side always returns NEED_MORE if another EAP message - * is expected from the client, SUCCESS if EAP exchange completed and - * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with - * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always - * created. - * The peer (client) side only creates a "out" payload if result is - * NEED_MORE, a SUCCESS/FAILED is returned whenever a - * EAP_SUCCESS/EAP_FAILURE message is received in "in". - * If a SUCCESS is returned (on any side), the EAP authentication was - * successful and the AUTH payload can be exchanged. - * - * @param in received EAP message - * @param out created EAP message to send - * @return - * - FAILED, if authentication/EAP exchange failed - * - SUCCESS, if authentication completed - * - NEED_MORE, if more EAP exchanges reqired - */ - status_t (*process) (eap_authenticator_t* this, - eap_payload_t *in, eap_payload_t **out); + authenticator_t authenticator; }; /** - * Creates an authenticator for AUTH_CLASS_EAP. + * Create an authenticator to authenticate against an EAP server. * - * @param ike_sa associated ike_sa - * @return eap_authenticator_t object + * @param ike_sa associated ike_sa + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @param sent_init sent IKE_SA_INIT message data + * @return EAP authenticator + */ +eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init); + +/** + * Create an authenticator to authenticate EAP clients. + * + * @param ike_sa associated ike_sa + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @param sent_init sent IKE_SA_INIT message data + * @return EAP authenticator */ -eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa); +eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_nonce, + chunk_t received_init, chunk_t sent_init); #endif /** EAP_AUTHENTICATOR_H_ @}*/ diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c index ae5a66479..742b67789 100644 --- a/src/charon/sa/authenticators/psk_authenticator.c +++ b/src/charon/sa/authenticators/psk_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2008 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -12,17 +12,12 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $ */ -#include <string.h> - #include "psk_authenticator.h" #include <daemon.h> -#include <credentials/auth_info.h> - +#include <encoding/payloads/auth_payload.h> typedef struct private_psk_authenticator_t private_psk_authenticator_t; @@ -40,22 +35,74 @@ struct private_psk_authenticator_t { * Assigned IKE_SA */ ike_sa_t *ike_sa; + + /** + * nonce to include in AUTH calculation + */ + chunk_t nonce; + + /** + * IKE_SA_INIT message data to include in AUTH calculation + */ + chunk_t ike_sa_init; }; +/* + * Implementation of authenticator_t.build for builder + */ +static status_t build(private_psk_authenticator_t *this, message_t *message) +{ + identification_t *my_id, *other_id; + auth_payload_t *auth_payload; + shared_key_t *key; + chunk_t auth_data; + keymat_t *keymat; + + keymat = this->ike_sa->get_keymat(this->ike_sa); + my_id = this->ike_sa->get_my_id(this->ike_sa); + other_id = this->ike_sa->get_other_id(this->ike_sa); + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", + my_id, auth_method_names, AUTH_PSK); + key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, + my_id, other_id); + if (key == NULL) + { + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); + return NOT_FOUND; + } + auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, + this->nonce, key->get_key(key), my_id); + key->destroy(key); + DBG2(DBG_IKE, "successfully created shared key MAC"); + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, AUTH_PSK); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + message->add_payload(message, (payload_t*)auth_payload); + + return SUCCESS; +} + /** - * Implementation of authenticator_t.verify. + * Implementation of authenticator_t.process for verifier */ -static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, - chunk_t my_nonce, auth_payload_t *auth_payload) +static status_t process(private_psk_authenticator_t *this, message_t *message) { chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; + auth_payload_t *auth_payload; + auth_cfg_t *auth; shared_key_t *key; enumerator_t *enumerator; bool authenticated = FALSE; int keys_found = 0; keymat_t *keymat; + auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); + if (!auth_payload) + { + return FAILED; + } keymat = this->ike_sa->get_keymat(this->ike_sa); recv_auth_data = auth_payload->get_data(auth_payload); my_id = this->ike_sa->get_my_id(this->ike_sa); @@ -66,11 +113,11 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, { keys_found++; - auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce, - key->get_key(key), other_id); + auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, + this->nonce, key->get_key(key), other_id); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_method_names, AUTH_PSK); authenticated = TRUE; } @@ -82,49 +129,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, { if (keys_found == 0) { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } - DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched", + DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched", keys_found, keys_found == 1 ? "" : "s", my_id, other_id); return FAILED; } + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); return SUCCESS; } /** - * Implementation of authenticator_t.build. + * Implementation of authenticator_t.process for builder + * Implementation of authenticator_t.build for verifier */ -static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init, - chunk_t other_nonce, auth_payload_t **auth_payload) +static status_t return_failed() { - identification_t *my_id, *other_id; - shared_key_t *key; - chunk_t auth_data; - keymat_t *keymat; - - keymat = this->ike_sa->get_keymat(this->ike_sa); - my_id = this->ike_sa->get_my_id(this->ike_sa); - other_id = this->ike_sa->get_other_id(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", - my_id, auth_method_names, AUTH_PSK); - key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, - my_id, other_id); - if (key == NULL) - { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); - return NOT_FOUND; - } - auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce, - key->get_key(key), my_id); - key->destroy(key); - DBG2(DBG_IKE, "successfully created shared key MAC"); - *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK); - (*auth_payload)->set_data(*auth_payload, auth_data); - - chunk_free(&auth_data); - return SUCCESS; + return FAILED; } /** @@ -138,17 +162,38 @@ static void destroy(private_psk_authenticator_t *this) /* * Described in header. */ -psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa) +psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init) { private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - /* public functions */ - this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; - this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; - this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - /* private data */ this->ike_sa = ike_sa; + this->ike_sa_init = sent_init; + this->nonce = received_nonce; return &this->public; } + +/* + * Described in header. + */ +psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init) +{ + private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = received_init; + this->nonce = sent_nonce; + + return &this->public; +} + diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h index df65076a4..5bb743d93 100644 --- a/src/charon/sa/authenticators/psk_authenticator.h +++ b/src/charon/sa/authenticators/psk_authenticator.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: psk_authenticator.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -28,22 +26,36 @@ typedef struct psk_authenticator_t psk_authenticator_t; #include <sa/authenticators/authenticator.h> /** - * Implementation of the authenticator_t interface using AUTH_PSK. + * Implementation of authenticator_t using pre-shared keys. */ struct psk_authenticator_t { /** * Implemented authenticator_t interface. */ - authenticator_t authenticator_interface; + authenticator_t authenticator; }; /** - * Creates an authenticator for AUTH_PSK. + * Create an authenticator to build PSK signatures. * - * @param ike_sa associated ike_sa - * @return psk_authenticator_t object + * @param ike_sa associated ike_sa + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_init sent IKE_SA_INIT message data + * @return PSK authenticator + */ +psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init); + +/** + * Create an authenticator to verify PSK signatures. + * + * @param ike_sa associated ike_sa + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @return PSK authenticator */ -psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa); +psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init); #endif /** PSK_AUTHENTICATOR_H_ @}*/ diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c index c16f3b888..44cabfb94 100644 --- a/src/charon/sa/authenticators/pubkey_authenticator.c +++ b/src/charon/sa/authenticators/pubkey_authenticator.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -13,17 +13,12 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $ */ -#include <string.h> - #include "pubkey_authenticator.h" #include <daemon.h> -#include <credentials/auth_info.h> - +#include <encoding/payloads/auth_payload.h> typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t; @@ -41,95 +36,40 @@ struct private_pubkey_authenticator_t { * Assigned IKE_SA */ ike_sa_t *ike_sa; -}; - -/** - * Implementation of authenticator_t.verify. - */ -static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init, - chunk_t my_nonce, auth_payload_t *auth_payload) -{ - public_key_t *public; - auth_method_t auth_method; - chunk_t auth_data, octets; - identification_t *id; - auth_info_t *auth, *current_auth; - enumerator_t *enumerator; - key_type_t key_type = KEY_ECDSA; - signature_scheme_t scheme; - status_t status = FAILED; - keymat_t *keymat; - id = this->ike_sa->get_other_id(this->ike_sa); - auth_method = auth_payload->get_auth_method(auth_payload); - switch (auth_method) - { - case AUTH_RSA: - /* We are currently fixed to SHA1 hashes. - * TODO: allow other hash algorithms and note it in "auth" */ - key_type = KEY_RSA; - scheme = SIGN_RSA_EMSA_PKCS1_SHA1; - break; - case AUTH_ECDSA_256: - scheme = SIGN_ECDSA_256; - break; - case AUTH_ECDSA_384: - scheme = SIGN_ECDSA_384; - break; - case AUTH_ECDSA_521: - scheme = SIGN_ECDSA_521; - break; - default: - return INVALID_ARG; - } - auth_data = auth_payload->get_data(auth_payload); - keymat = this->ike_sa->get_keymat(this->ike_sa); - octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id); - auth = this->ike_sa->get_other_auth(this->ike_sa); - enumerator = charon->credentials->create_public_enumerator( - charon->credentials, key_type, id, auth); - while (enumerator->enumerate(enumerator, &public, ¤t_auth)) - { - if (public->verify(public, scheme, octets, auth_data)) - { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", - id, auth_method_names, auth_method); - status = SUCCESS; - auth->merge(auth, current_auth); - break; - } - else - { - DBG1(DBG_IKE, "signature validation failed, looking for another key"); - } - } - enumerator->destroy(enumerator); - chunk_free(&octets); - return status; -} + /** + * nonce to include in AUTH calculation + */ + chunk_t nonce; + + /** + * IKE_SA_INIT message data to include in AUTH calculation + */ + chunk_t ike_sa_init; +}; /** - * Implementation of authenticator_t.build. + * Implementation of authenticator_t.build for builder */ -static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init, - chunk_t other_nonce, auth_payload_t **auth_payload) +static status_t build(private_pubkey_authenticator_t *this, message_t *message) { chunk_t octets, auth_data; status_t status = FAILED; private_key_t *private; identification_t *id; - auth_info_t *auth; + auth_cfg_t *auth; + auth_payload_t *auth_payload; auth_method_t auth_method; signature_scheme_t scheme; keymat_t *keymat; id = this->ike_sa->get_my_id(this->ike_sa); - auth = this->ike_sa->get_my_auth(this->ike_sa); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); private = charon->credentials->get_private(charon->credentials, KEY_ANY, id, auth); if (private == NULL) { - DBG1(DBG_IKE, "no private key found for '%D'", id); + DBG1(DBG_IKE, "no private key found for '%Y'", id); return NOT_FOUND; } @@ -169,18 +109,18 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init, return status; } keymat = this->ike_sa->get_keymat(this->ike_sa); - octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id); - + octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, + this->nonce, id); if (private->sign(private, scheme, octets, &auth_data)) { - auth_payload_t *payload = auth_payload_create(); - payload->set_auth_method(payload, auth_method); - payload->set_data(payload, auth_data); - *auth_payload = payload; + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); chunk_free(&auth_data); + message->add_payload(message, (payload_t*)auth_payload); status = SUCCESS; } - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id, + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, auth_method_names, auth_method, (status == SUCCESS)? "successful":"failed"); chunk_free(&octets); @@ -190,6 +130,93 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init, } /** + * Implementation of authenticator_t.process for verifier + */ +static status_t process(private_pubkey_authenticator_t *this, message_t *message) +{ + public_key_t *public; + auth_method_t auth_method; + auth_payload_t *auth_payload; + chunk_t auth_data, octets; + identification_t *id; + auth_cfg_t *auth, *current_auth; + enumerator_t *enumerator; + key_type_t key_type = KEY_ECDSA; + signature_scheme_t scheme; + status_t status = NOT_FOUND; + keymat_t *keymat; + + auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); + if (!auth_payload) + { + return FAILED; + } + auth_method = auth_payload->get_auth_method(auth_payload); + switch (auth_method) + { + case AUTH_RSA: + /* We currently accept SHA1 signatures only + * TODO: allow other hash algorithms and note it in "auth" */ + key_type = KEY_RSA; + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + break; + case AUTH_ECDSA_256: + scheme = SIGN_ECDSA_256; + break; + case AUTH_ECDSA_384: + scheme = SIGN_ECDSA_384; + break; + case AUTH_ECDSA_521: + scheme = SIGN_ECDSA_521; + break; + default: + return INVALID_ARG; + } + auth_data = auth_payload->get_data(auth_payload); + id = this->ike_sa->get_other_id(this->ike_sa); + keymat = this->ike_sa->get_keymat(this->ike_sa); + octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, + this->nonce, id); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + enumerator = charon->credentials->create_public_enumerator( + charon->credentials, key_type, id, auth); + while (enumerator->enumerate(enumerator, &public, ¤t_auth)) + { + if (public->verify(public, scheme, octets, auth_data)) + { + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", + id, auth_method_names, auth_method); + status = SUCCESS; + auth->merge(auth, current_auth, FALSE); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + break; + } + else + { + status = FAILED; + DBG1(DBG_IKE, "signature validation failed, looking for another key"); + } + } + enumerator->destroy(enumerator); + chunk_free(&octets); + if (status == NOT_FOUND) + { + DBG1(DBG_IKE, "no trusted %N public key found for '%Y'", + key_type_names, key_type, id); + } + return status; +} + +/** + * Implementation of authenticator_t.process for builder + * Implementation of authenticator_t.build for verifier + */ +static status_t return_failed() +{ + return FAILED; +} + +/** * Implementation of authenticator_t.destroy. */ static void destroy(private_pubkey_authenticator_t *this) @@ -200,17 +227,37 @@ static void destroy(private_pubkey_authenticator_t *this) /* * Described in header. */ -pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa) +pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init) +{ + private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = sent_init; + this->nonce = received_nonce; + + return &this->public; +} + +/* + * Described in header. + */ +pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init) { private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); - /* public functions */ - this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; - this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; - this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - /* private data */ this->ike_sa = ike_sa; + this->ike_sa_init = received_init; + this->nonce = sent_nonce; return &this->public; } diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h index d2189fa97..e67f020ff 100644 --- a/src/charon/sa/authenticators/pubkey_authenticator.h +++ b/src/charon/sa/authenticators/pubkey_authenticator.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: pubkey_authenticator.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -29,22 +27,36 @@ typedef struct pubkey_authenticator_t pubkey_authenticator_t; #include <sa/authenticators/authenticator.h> /** - * Implementation of the authenticator_t interface using AUTH_PUBKEY. + * Implementation of authenticator_t using public key authenitcation. */ struct pubkey_authenticator_t { /** * Implemented authenticator_t interface. */ - authenticator_t authenticator_interface; + authenticator_t authenticator; }; /** - * Creates an authenticator for AUTH_PUBKEY. + * Create an authenticator to build public key signatures. * - * @param ike_sa associated ike_sa - * @return pubkey_authenticator_t object + * @param ike_sa associated ike_sa + * @param received_nonce nonce received in IKE_SA_INIT + * @param sent_init sent IKE_SA_INIT message data + * @return public key authenticator + */ +pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init); + +/** + * Create an authenticator to verify public key signatures. + * + * @param ike_sa associated ike_sa + * @param sent_nonce nonce sent in IKE_SA_INIT + * @param received_init received IKE_SA_INIT message data + * @return public key authenticator */ -pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa); +pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init); #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/ |