diff options
Diffstat (limited to 'src/conftest/hooks/rebuild_auth.c')
-rw-r--r-- | src/conftest/hooks/rebuild_auth.c | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c new file mode 100644 index 000000000..993c952e0 --- /dev/null +++ b/src/conftest/hooks/rebuild_auth.c @@ -0,0 +1,243 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/generator.h> +#include <encoding/payloads/nonce_payload.h> +#include <encoding/payloads/auth_payload.h> +#include <encoding/payloads/id_payload.h> + +typedef struct private_rebuild_auth_t private_rebuild_auth_t; + +/** + * Private data of an rebuild_auth_t object. + */ +struct private_rebuild_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Our IKE_SA_INIT data, required to rebuild AUTH + */ + chunk_t ike_init; + + /** + * Received NONCE, required to rebuild AUTH + */ + chunk_t nonce; + + /** + * ID to use for key lookup, if not from IDi + */ + identification_t *id; +}; + +/** + * Rebuild our AUTH data + */ +static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, + message_t *message) +{ + enumerator_t *enumerator; + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + payload_t *payload; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + identification_t *id; + char reserved[3]; + generator_t *generator; + chunk_t data; + u_int32_t *lenpos; + + payload = message->get_payload(message, + message->get_request(message) ? ID_INITIATOR : ID_RESPONDER); + if (!payload) + { + DBG1(DBG_CFG, "ID payload not found to rebuild AUTH"); + return FALSE; + } + + generator = generator_create(); + generator->generate_payload(generator, payload); + data = generator->get_chunk(generator, &lenpos); + if (data.len < 8) + { + DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH"); + generator->destroy(generator); + return FALSE; + } + memcpy(reserved, data.ptr + 5, 3); + id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8)); + generator->destroy(generator); + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, + this->id ?: id, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH", + this->id ?: id); + id->destroy(id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + id->destroy(id); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + id->destroy(id); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init, + this->nonce, id, reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + id->destroy(id); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == AUTHENTICATION) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + } + enumerator->destroy(enumerator); + + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N", + id, auth_method_names, auth_method); + id->destroy(id); + return TRUE; +} + +METHOD(listener_t, message, bool, + private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && message->get_message_id(message) == 1) + { + rebuild_auth(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + if (incoming) + { + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } + } + else + { + packet_t *packet; + + if (message->generate(message, NULL, &packet) == SUCCESS) + { + free(this->ike_init.ptr); + this->ike_init = chunk_clone(packet->get_data(packet)); + packet->destroy(packet); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_rebuild_auth_t *this) +{ + free(this->ike_init.ptr); + free(this->nonce.ptr); + DESTROY_IF(this->id); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *rebuild_auth_hook_create(char *name) +{ + private_rebuild_auth_t *this; + char *id; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name); + if (id) + { + this->id = identification_create_from_string(id); + } + + return &this->hook; +} |