some improvements in signaling code
[strongswan.git] / src / charon / sa / authenticator.c
1 /**
2 * @file authenticator.c
3 *
4 * @brief Implementation of authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <string.h>
25
26 #include "authenticator.h"
27
28 #include <config/policies/policy.h>
29 #include <daemon.h>
30
31 /**
32 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
33 */
34 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
35
36
37 typedef struct private_authenticator_t private_authenticator_t;
38
39 /**
40 * Private data of an authenticator_t object.
41 */
42 struct private_authenticator_t {
43
44 /**
45 * Public authenticator_t interface.
46 */
47 authenticator_t public;
48
49 /**
50 * Assigned IKE_SA
51 */
52 ike_sa_t *ike_sa;
53
54 /**
55 * auth_method to create own signature/mac/whatever..
56 */
57 auth_method_t auth_method;
58
59 /**
60 * PRF taken from the IKE_SA.
61 */
62 prf_t *prf;
63 };
64
65 /**
66 * Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306
67 */
68 static chunk_t build_tbs_octets(private_authenticator_t *this,
69 chunk_t last_message,
70 chunk_t other_nonce,
71 identification_t *id,
72 bool initiator)
73 {
74 prf_t *prf;
75
76 chunk_t id_encoding = id->get_encoding(id);
77 u_int8_t id_with_header[4 + id_encoding.len];
78 chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
79
80 u_int8_t *current_pos;
81 chunk_t octets;
82
83 id_with_header[0] = id->get_type(id);
84 id_with_header[1] = 0x00;
85 id_with_header[2] = 0x00;
86 id_with_header[3] = 0x00;
87 memcpy(id_with_header + 4, id_encoding.ptr, id_encoding.len);
88
89 if (initiator)
90 {
91 prf = this->ike_sa->get_prf_auth_i(this->ike_sa);
92 }
93 else
94 {
95 prf = this->ike_sa->get_prf_auth_r(this->ike_sa);
96 }
97
98 /* 4 bytes are id type and reserved fields of id payload */
99 octets.len = last_message.len + other_nonce.len + prf->get_block_size(prf);
100 octets.ptr = malloc(octets.len);
101 current_pos = octets.ptr;
102 memcpy(current_pos, last_message.ptr, last_message.len);
103 current_pos += last_message.len;
104 memcpy(current_pos, other_nonce.ptr, other_nonce.len);
105 current_pos += other_nonce.len;
106 prf->get_bytes(prf, id_with_header_chunk, current_pos);
107
108 return octets;
109 }
110
111 /**
112 * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
113 */
114 static chunk_t build_shared_key_signature(private_authenticator_t *this,
115 chunk_t last_message,
116 chunk_t nonce,
117 identification_t *id,
118 bool initiator,
119 chunk_t secret)
120 {
121 chunk_t key_pad = {ptr: IKEV2_KEY_PAD, len:strlen(IKEV2_KEY_PAD)};
122 u_int8_t key_buffer[this->prf->get_block_size(this->prf)];
123 chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)};
124 chunk_t auth_data;
125
126 chunk_t octets = build_tbs_octets(this, last_message, nonce, id, initiator);
127
128 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
129 this->prf->set_key(this->prf, secret);
130 this->prf->get_bytes(this->prf, key_pad, key_buffer);
131 this->prf->set_key(this->prf, key);
132 this->prf->allocate_bytes(this->prf, octets, &auth_data);
133 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
134 DBG3(DBG_IKE, "secret %B", &secret);
135 DBG3(DBG_IKE, "keypad %B", &key_pad);
136 DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
137 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
138 chunk_free(&octets);
139
140 return auth_data;
141 }
142
143 /**
144 * Implementation of authenticator_t.verify_auth_data.
145 */
146 static status_t verify_auth_data (private_authenticator_t *this,
147 auth_payload_t *auth_payload,
148 chunk_t last_received_packet,
149 chunk_t my_nonce,
150 identification_t *my_id,
151 identification_t *other_id,
152 bool initiator)
153 {
154 status_t status;
155 chunk_t auth_data = auth_payload->get_data(auth_payload);
156 auth_method_t auth_method = auth_payload->get_auth_method(auth_payload);
157
158 switch (auth_method)
159 {
160 case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
161 {
162 chunk_t shared_key;
163 chunk_t my_auth_data;
164
165 status = charon->credentials->get_shared_key(charon->credentials,
166 my_id,
167 other_id,
168 &shared_key);
169 if (status != SUCCESS)
170 {
171 DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
172 my_id, other_id);
173 chunk_free(&shared_key);
174 break;
175 }
176
177 my_auth_data = build_shared_key_signature(this, last_received_packet,
178 my_nonce, other_id,
179 initiator, shared_key);
180 chunk_free(&shared_key);
181
182
183 status = (auth_data.len == my_auth_data.len &&
184 memeq(auth_data.ptr, my_auth_data.ptr, my_auth_data.len))
185 ? SUCCESS : FAILED;
186 chunk_free(&my_auth_data);
187 break;
188 }
189 case RSA_DIGITAL_SIGNATURE:
190 {
191 chunk_t octets;
192
193 rsa_public_key_t *public_key =
194 charon->credentials->get_trusted_public_key(charon->credentials, other_id);
195
196 if (public_key == NULL)
197 {
198 DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
199 status = NOT_FOUND;
200 break;
201 }
202
203 octets = build_tbs_octets(this, last_received_packet, my_nonce,
204 other_id, initiator);
205 status = public_key->verify_emsa_pkcs1_signature(public_key, octets,
206 auth_data);
207 chunk_free(&octets);
208 break;
209 }
210 default:
211 {
212 return NOT_SUPPORTED;
213 }
214 }
215
216 if (status == SUCCESS)
217 {
218 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
219 other_id, auth_method_names, auth_method);
220 }
221
222 return status;
223 }
224
225 /**
226 * Implementation of authenticator_t.compute_auth_data.
227 */
228 static status_t compute_auth_data (private_authenticator_t *this,
229 auth_payload_t **auth_payload,
230 chunk_t last_sent_packet,
231 chunk_t other_nonce,
232 identification_t *my_id,
233 identification_t *other_id,
234 bool initiator)
235 {
236 DBG1(DBG_IKE, "authentication of '%D' with %N (myself)",
237 my_id, auth_method_names, this->auth_method);
238
239 switch (this->auth_method)
240 {
241 case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
242 {
243 chunk_t shared_key;
244 chunk_t auth_data;
245
246 status_t status = charon->credentials->get_shared_key(charon->credentials,
247 my_id,
248 other_id,
249 &shared_key);
250
251 if (status != SUCCESS)
252 {
253 DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
254 my_id, other_id);
255 return status;
256 }
257
258 auth_data = build_shared_key_signature(this, last_sent_packet,
259 other_nonce, my_id,
260 initiator, shared_key);
261 chunk_free(&shared_key);
262 *auth_payload = auth_payload_create();
263 (*auth_payload)->set_auth_method(*auth_payload,
264 SHARED_KEY_MESSAGE_INTEGRITY_CODE);
265 (*auth_payload)->set_data(*auth_payload, auth_data);
266
267 chunk_free(&auth_data);
268 return SUCCESS;
269 }
270 case RSA_DIGITAL_SIGNATURE:
271 {
272 chunk_t chunk;
273 chunk_t octets;
274 chunk_t auth_data;
275 status_t status;
276 rsa_public_key_t *my_pubkey;
277 rsa_private_key_t *my_key;
278
279 DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'",
280 my_id);
281
282 my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
283 if (my_pubkey == NULL)
284 {
285 DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
286 return NOT_FOUND;
287 }
288 DBG2(DBG_IKE, "matching RSA public key found");
289
290 chunk = my_pubkey->get_keyid(my_pubkey);
291 DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
292
293 my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
294 if (my_key == NULL)
295 {
296 DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B",
297 my_id, &chunk);
298 return NOT_FOUND;
299 }
300 DBG2(DBG_IKE, "matching RSA private key found");
301
302 octets = build_tbs_octets(this, last_sent_packet, other_nonce,
303 my_id, initiator);
304 status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1,
305 octets, &auth_data);
306 chunk_free(&octets);
307
308 if (status != SUCCESS)
309 {
310 my_key->destroy(my_key);
311 return status;
312 }
313 DBG2(DBG_IKE, "successfully signed with RSA private key");
314
315 *auth_payload = auth_payload_create();
316 (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
317 (*auth_payload)->set_data(*auth_payload, auth_data);
318
319 my_key->destroy(my_key);
320 chunk_free(&auth_data);
321 return SUCCESS;
322 }
323 default:
324 {
325 return NOT_SUPPORTED;
326 }
327 }
328 }
329
330 /**
331 * Implementation of authenticator_t.destroy.
332 */
333 static void destroy (private_authenticator_t *this)
334 {
335 free(this);
336 }
337
338 /*
339 * Described in header.
340 */
341 authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method)
342 {
343 private_authenticator_t *this = malloc_thing(private_authenticator_t);
344
345 /* Public functions */
346 this->public.destroy = (void(*)(authenticator_t*))destroy;
347 this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
348 this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
349
350 /* private data */
351 this->ike_sa = ike_sa;
352 this->auth_method = auth_method;
353 this->prf = this->ike_sa->get_prf(this->ike_sa);
354
355 return &(this->public);
356 }