authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-12-05 16:44:41 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-12-05 16:44:41 +0000
commit2db1ef4ac8928944958712923b9c89c263a337d2 (patch)
tree700043d9d97b7e7ba344b448918728af0a8be8d1 /src/charon/sa/authenticators
parent5dc75410286b0e3a16845b44dd696ba0f40df573 (diff)
downloadvyos-strongswan-2db1ef4ac8928944958712923b9c89c263a337d2.tar.gz
vyos-strongswan-2db1ef4ac8928944958712923b9c89c263a337d2.zip
- Updated to new upstream.
Diffstat (limited to 'src/charon/sa/authenticators')
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.c22
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.c57
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.c97
-rw-r--r--src/charon/sa/authenticators/pubkey_authenticator.c47
4 files changed, 71 insertions, 152 deletions
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index 44d84156c..c1c2d6fce 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -12,14 +12,13 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: eap_manager.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "eap_manager.h"
-#include <pthread.h>
-
#include <utils/linked_list.h>
+#include <utils/mutex.h>
typedef struct private_eap_manager_t private_eap_manager_t;
typedef struct eap_entry_t eap_entry_t;
@@ -68,7 +67,7 @@ struct private_eap_manager_t {
/**
* mutex to lock methods
*/
- pthread_mutex_t mutex;
+ mutex_t *mutex;
};
/**
@@ -85,9 +84,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
entry->role = role;
entry->constructor = constructor;
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
this->methods->insert_last(this->methods, entry);
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
}
/**
@@ -98,7 +97,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
enumerator_t *enumerator;
eap_entry_t *entry;
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -109,7 +108,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
}
}
enumerator->destroy(enumerator);
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
}
/**
@@ -124,7 +123,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
eap_entry_t *entry;
eap_method_t *method = NULL;
- pthread_mutex_lock(&this->mutex);
+ this->mutex->lock(this->mutex);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -139,7 +138,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
}
}
enumerator->destroy(enumerator);
- pthread_mutex_unlock(&this->mutex);
+ this->mutex->unlock(this->mutex);
return method;
}
@@ -149,6 +148,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
static void destroy(private_eap_manager_t *this)
{
this->methods->destroy_function(this->methods, free);
+ this->mutex->destroy(this->mutex);
free(this);
}
@@ -165,7 +165,7 @@ eap_manager_t *eap_manager_create()
this->public.destroy = (void(*)(eap_manager_t*))destroy;
this->methods = linked_list_create();
- pthread_mutex_init(&this->mutex, NULL);
+ this->mutex = mutex_create(MUTEX_DEFAULT);
return &this->public;
}
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 0909d6563..5c22f3df2 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: eap_authenticator.c 4292 2008-08-26 19:54:47Z andreas $
+ * $Id: eap_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
#include <string.h>
@@ -70,36 +70,24 @@ struct private_eap_authenticator_t {
*/
u_int32_t vendor;
};
-
-/**
- * reuse shared key signature function from PSK authenticator
- */
-extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
- chunk_t secret, identification_t *id,
- chunk_t skp, prf_t *prf);
/**
* Implementation of authenticator_t.verify.
*/
static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
chunk_t my_nonce, auth_payload_t *auth_payload)
{
- chunk_t auth_data, recv_auth_data, secret;
- identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
+ chunk_t auth_data, recv_auth_data;
+ identification_t *other_id;
+ keymat_t *keymat;
- if (this->msk.len)
- { /* use MSK if EAP method established one... */
- secret = this->msk;
- }
- else
- { /* ... or use SKp if not */
- secret = this->ike_sa->get_skp_verify(this->ike_sa);
- }
- auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
- other_id, this->ike_sa->get_skp_verify(this->ike_sa),
- this->ike_sa->get_prf(this->ike_sa));
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+
+ auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
+ this->msk, other_id);
recv_auth_data = auth_payload->get_data(auth_payload);
- if (!chunk_equals(auth_data, recv_auth_data))
+ if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
{
DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
chunk_free(&auth_data);
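Review bot: The AUTH MAC is compared with `chunk_equals()` in the new `if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))` line; if chunk_equals is the memcmp-style early-exit compare that the removed psk_authenticator.c code spelled out as memeq, the comparison time depends on how many leading bytes of the attacker-supplied AUTH payload match the expected MAC. A length check followed by a constant-time byte comparison (OR the XOR of every byte pair into an accumulator and test it once at the end) would remove that side channel, and the same applies to the PSK verifier in this commit. The added `!auth_data.len` guard is a good addition but its reason is not stated; a comment such as `/* an empty chunk means the keymat could not derive the MAC; never treat it as a match */` would help, hedged here because get_psk_sig()'s failure convention is not visible in the diff. verify()'s body continues past the hunk.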
@@ -118,23 +106,18 @@ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
chunk_t other_nonce, auth_payload_t **auth_payload)
{
- chunk_t auth_data, secret;
- identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
+ identification_t *my_id;
+ chunk_t auth_data;
+ keymat_t *keymat;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
-
- if (this->msk.len)
- { /* use MSK if EAP method established one... */
- secret = this->msk;
- }
- else
- { /* ... or use SKp if not */
- secret = this->ike_sa->get_skp_build(this->ike_sa);
- }
- auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
- my_id, this->ike_sa->get_skp_build(this->ike_sa),
- this->ike_sa->get_prf(this->ike_sa));
+
+ auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
+ this->msk, my_id);
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
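Review bot: build() creates the AUTH payload from `auth_data` without checking its length, while the verify() side of this same file now refuses an empty chunk with `!auth_data.len`; if `keymat->get_psk_sig()` signals failure by returning an empty chunk, build() would send an empty AUTH payload instead of failing the exchange locally. Mirror the guard before the payload is created: `if (!auth_data.len) { DBG1(DBG_IKE, "creating AUTH payload from EAP MSK failed"); return FAILED; }`. Whether get_psk_sig() can actually return an empty chunk is not shown in this diff, but the verify() guard suggests the API allows it. build()'s body continues past the hunk.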
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index d003dc2c9..ae5a66479 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: psk_authenticator.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
#include <string.h>
@@ -23,12 +23,6 @@
#include <daemon.h>
#include <credentials/auth_info.h>
-/**
- * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-#define IKEV2_KEY_PAD "Key Pad for IKEv2"
-#define IKEV2_KEY_PAD_LENGTH 17
-
typedef struct private_psk_authenticator_t private_psk_authenticator_t;
@@ -49,55 +43,6 @@ struct private_psk_authenticator_t {
};
/**
- * Builds the octets to be signed as described in section 2.15 of RFC 4306
- */
-chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
- identification_t *id, prf_t *prf)
-{
- u_int8_t id_header_buf[] = {0x00, 0x00, 0x00, 0x00};
- chunk_t id_header = chunk_from_buf(id_header_buf);
- chunk_t id_with_header, id_prfd, id_encoding;
-
- id_header_buf[0] = id->get_type(id);
- id_encoding = id->get_encoding(id);
-
- id_with_header = chunk_cat("cc", id_header, id_encoding);
- prf->allocate_bytes(prf, id_with_header, &id_prfd);
- chunk_free(&id_with_header);
-
- return chunk_cat("ccm", ike_sa_init, nonce, id_prfd);
-}
-
-/**
- * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
- chunk_t secret, identification_t *id,
- chunk_t skp, prf_t *prf)
-{
- chunk_t key_pad, key, auth_data, octets;
-
- prf->set_key(prf, skp);
- octets = build_tbs_octets(ike_sa_init, nonce, id, prf);
- /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
- key_pad.ptr = IKEV2_KEY_PAD;
- key_pad.len = IKEV2_KEY_PAD_LENGTH;
- prf->set_key(prf, secret);
- prf->allocate_bytes(prf, key_pad, &key);
- prf->set_key(prf, key);
- prf->allocate_bytes(prf, octets, &auth_data);
- DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
- DBG3(DBG_IKE, "secret %B", &secret);
- DBG3(DBG_IKE, "keypad %B", &key_pad);
- DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
- DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
- chunk_free(&octets);
- chunk_free(&key);
-
- return auth_data;
-}
-
-/**
* Implementation of authenticator_t.verify.
*/
static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
@@ -105,25 +50,25 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
{
chunk_t auth_data, recv_auth_data;
identification_t *my_id, *other_id;
- shared_key_t *shared_key;
+ shared_key_t *key;
enumerator_t *enumerator;
bool authenticated = FALSE;
int keys_found = 0;
+ keymat_t *keymat;
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ recv_auth_data = auth_payload->get_data(auth_payload);
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
enumerator = charon->credentials->create_shared_enumerator(
charon->credentials, SHARED_IKE, my_id, other_id);
- while (!authenticated && enumerator->enumerate(enumerator, &shared_key, NULL, NULL))
+ while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
{
keys_found++;
- auth_data = build_shared_key_signature(ike_sa_init, my_nonce,
- shared_key->get_key(shared_key), other_id,
- this->ike_sa->get_skp_verify(this->ike_sa),
- this->ike_sa->get_prf(this->ike_sa));
- recv_auth_data = auth_payload->get_data(auth_payload);
- if (auth_data.len == recv_auth_data.len &&
- memeq(auth_data.ptr, recv_auth_data.ptr, auth_data.len))
+
+ auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
+ key->get_key(key), other_id);
+ if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
{
DBG1(DBG_IKE, "authentication of '%D' with %N successful",
other_id, auth_method_names, AUTH_PSK);
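Review bot: `auth_data` is returned by `keymat->get_psk_sig()` on every loop iteration, but neither the match path shown here nor the mismatch path (which lies past the end of the hunk) visibly frees it; with several SHARED_IKE keys for the same identity pair the mismatch path runs once per key, so confirm that a `chunk_free(&auth_data)` follows the comparison on both paths, or add a comment at the call stating that get_psk_sig() does not allocate if that is the case. Note also that `chunk_equals()` replaces the explicit length-plus-memeq compare of the old code with presumably the same early-exit semantics, so MAC comparison time still depends on the attacker-controlled AUTH payload; a constant-time compare would be preferable for this check. verify()'s body continues past the hunk.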
@@ -153,26 +98,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
chunk_t other_nonce, auth_payload_t **auth_payload)
{
- shared_key_t *shared_key;
- chunk_t auth_data;
identification_t *my_id, *other_id;
+ shared_key_t *key;
+ chunk_t auth_data;
+ keymat_t *keymat;
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
my_id, auth_method_names, AUTH_PSK);
- shared_key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
- my_id, other_id);
- if (shared_key == NULL)
+ key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+ my_id, other_id);
+ if (key == NULL)
{
DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
return NOT_FOUND;
}
- auth_data = build_shared_key_signature(ike_sa_init, other_nonce,
- shared_key->get_key(shared_key), my_id,
- this->ike_sa->get_skp_build(this->ike_sa),
- this->ike_sa->get_prf(this->ike_sa));
- shared_key->destroy(shared_key);
+ auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
+ key->get_key(key), my_id);
+ key->destroy(key);
DBG2(DBG_IKE, "successfully created shared key MAC");
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
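Review bot: The DBG2 `successfully created shared key MAC` message and the auth_payload creation follow the `keymat->get_psk_sig()` call unconditionally, so a zero-length result would be logged as a success and placed into the AUTH payload, whereas verify() in this file treats `!auth_data.len` as a failure. Insert after `key->destroy(key);`: `if (!auth_data.len) { DBG1(DBG_IKE, "creating shared key MAC failed"); return FAILED; }` so the two directions are symmetric. Whether get_psk_sig() can return an empty chunk is not visible in this diff, but the verify() guard indicates the API allows it. build()'s body continues past the hunk.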
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index 2c02ca84c..c16f3b888 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: pubkey_authenticator.c 4054 2008-06-10 20:31:53Z andreas $
+ * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
#include <string.h>
@@ -44,12 +44,6 @@ struct private_pubkey_authenticator_t {
};
/**
- * Function implemented in psk_authenticator.c
- */
-extern chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
- identification_t *id, prf_t *prf);
-
-/**
* Implementation of authenticator_t.verify.
*/
static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
@@ -58,15 +52,15 @@ static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init
public_key_t *public;
auth_method_t auth_method;
chunk_t auth_data, octets;
- identification_t *other_id;
- prf_t *prf;
+ identification_t *id;
auth_info_t *auth, *current_auth;
enumerator_t *enumerator;
key_type_t key_type = KEY_ECDSA;
signature_scheme_t scheme;
status_t status = FAILED;
+ keymat_t *keymat;
- other_id = this->ike_sa->get_other_id(this->ike_sa);
+ id = this->ike_sa->get_other_id(this->ike_sa);
auth_method = auth_payload->get_auth_method(auth_payload);
switch (auth_method)
{
@@ -89,19 +83,17 @@ static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init
return INVALID_ARG;
}
auth_data = auth_payload->get_data(auth_payload);
- prf = this->ike_sa->get_prf(this->ike_sa);
- prf->set_key(prf, this->ike_sa->get_skp_verify(this->ike_sa));
- octets = build_tbs_octets(ike_sa_init, my_nonce, other_id, prf);
-
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id);
auth = this->ike_sa->get_other_auth(this->ike_sa);
enumerator = charon->credentials->create_public_enumerator(
- charon->credentials, key_type, other_id, auth);
+ charon->credentials, key_type, id, auth);
while (enumerator->enumerate(enumerator, &public, &current_auth))
{
if (public->verify(public, scheme, octets, auth_data))
{
DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- other_id, auth_method_names, auth_method);
+ id, auth_method_names, auth_method);
status = SUCCESS;
auth->merge(auth, current_auth);
break;
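Review bot: `octets` from `keymat->get_auth_octets()` is passed straight to `public->verify()` for every candidate key with no length check, whereas the PSK and EAP verifiers in this commit reject an empty `auth_data` before comparing; if get_auth_octets() signals failure the same way, an empty octets chunk would be fed to each signature check instead of failing fast. A guard before the enumerator is created, `if (!octets.len) { return FAILED; }`, keeps the three verifiers consistent and avoids running the public-key enumeration at all in that case. Whether get_auth_octets() can return an empty chunk is not visible here, so this is a consistency request rather than a known defect. verify()'s body continues past the hunk.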
@@ -125,19 +117,19 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
chunk_t octets, auth_data;
status_t status = FAILED;
private_key_t *private;
- identification_t *my_id;
- prf_t *prf;
+ identification_t *id;
auth_info_t *auth;
auth_method_t auth_method;
signature_scheme_t scheme;
+ keymat_t *keymat;
- my_id = this->ike_sa->get_my_id(this->ike_sa);
+ id = this->ike_sa->get_my_id(this->ike_sa);
auth = this->ike_sa->get_my_auth(this->ike_sa);
private = charon->credentials->get_private(charon->credentials, KEY_ANY,
- my_id, auth);
+ id, auth);
if (private == NULL)
{
- DBG1(DBG_IKE, "no private key found for '%D'", my_id);
+ DBG1(DBG_IKE, "no private key found for '%D'", id);
return NOT_FOUND;
}
@@ -176,9 +168,8 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
key_type_names, private->get_type(private));
return status;
}
- prf = this->ike_sa->get_prf(this->ike_sa);
- prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa));
- octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id);
if (private->sign(private, scheme, octets, &auth_data))
{
@@ -189,9 +180,9 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
chunk_free(&auth_data);
status = SUCCESS;
}
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", my_id,
- auth_method_names, auth_method,
- (status == SUCCESS)? "successful":"failed");
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+ auth_method_names, auth_method,
+ (status == SUCCESS)? "successful":"failed");
chunk_free(&octets);
private->destroy(private);