Implemented hook to modify IKE header SPIs
[strongswan.git] / src / conftest / hooks / pretend_auth.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "hook.h"
17
18 #include <encoding/payloads/nonce_payload.h>
19 #include <encoding/payloads/cert_payload.h>
20 #include <encoding/payloads/auth_payload.h>
21 #include <encoding/payloads/id_payload.h>
22 #include <encoding/payloads/sa_payload.h>
23 #include <encoding/payloads/ts_payload.h>
24
25 typedef struct private_pretend_auth_t private_pretend_auth_t;
26
27 /**
28 * Private data of an pretend_auth_t object.
29 */
30 struct private_pretend_auth_t {
31
32 /**
33 * Implements the hook_t interface.
34 */
35 hook_t hook;
36
37 /**
38 * remote peer identity
39 */
40 identification_t *id;
41
42 /**
43 * IKE_SA_INIT data for signature
44 */
45 chunk_t ike_init;
46
47 /**
48 * Nonce for signature
49 */
50 chunk_t nonce;
51
52 /**
53 * Selected CHILD_SA proposal
54 */
55 proposal_t *proposal;
56
57 /**
58 * List of initiators Traffic Selectors
59 */
60 linked_list_t *tsi;
61
62 /**
63 * List of responders Traffic Selectors
64 */
65 linked_list_t *tsr;
66 };
67
68 /**
69 * Process IKE_SA_INIT request message, outgoing
70 */
71 static void process_init_request(private_pretend_auth_t *this,
72 ike_sa_t *ike_sa, message_t *message)
73 {
74 nonce_payload_t *nonce;
75
76 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
77 if (nonce)
78 {
79 free(this->nonce.ptr);
80 this->nonce = nonce->get_nonce(nonce);
81 }
82 }
83
84 /**
85 * Process IKE_AUTH request message, outgoing
86 */
87 static void process_auth_request(private_pretend_auth_t *this,
88 ike_sa_t *ike_sa, message_t *message)
89 {
90 id_payload_t *id;
91 sa_payload_t *sa;
92 ts_payload_t *tsi, *tsr;
93 linked_list_t *proposals;
94
95 id = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
96 if (id)
97 {
98 this->id->destroy(this->id);
99 this->id = id->get_identification(id);
100 }
101 sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION);
102 if (sa)
103 {
104 proposals = sa->get_proposals(sa);
105 proposals->remove_first(proposals, (void**)&this->proposal);
106 if (this->proposal)
107 {
108 this->proposal->set_spi(this->proposal, htonl(0x12345678));
109 }
110 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
111 }
112 tsi = (ts_payload_t*)message->get_payload(message,
113 TRAFFIC_SELECTOR_INITIATOR);
114 if (tsi)
115 {
116 this->tsi = tsi->get_traffic_selectors(tsi);
117 }
118 tsr = (ts_payload_t*)message->get_payload(message,
119 TRAFFIC_SELECTOR_RESPONDER);
120 if (tsr)
121 {
122 this->tsr = tsr->get_traffic_selectors(tsr);
123 }
124
125 }
126
127 /**
128 * Process IKE_SA_INIT response message, incoming
129 */
130 static void process_init_response(private_pretend_auth_t *this,
131 ike_sa_t *ike_sa, message_t *message)
132 {
133 this->ike_init = message->get_packet_data(message);
134 }
135
136 /**
137 * Build CERT payloads
138 */
139 static void build_certs(private_pretend_auth_t *this,
140 ike_sa_t *ike_sa, message_t *message, auth_cfg_t *auth)
141 {
142 enumerator_t *enumerator;
143 cert_payload_t *payload;
144 certificate_t *cert;
145 auth_rule_t type;
146
147 /* get subject cert first, then issuing certificates */
148 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
149 if (cert)
150 {
151 payload = cert_payload_create_from_cert(cert);
152 if (payload)
153 {
154 DBG1(DBG_IKE, "pretending end entity cert \"%Y\"",
155 cert->get_subject(cert));
156 message->add_payload(message, (payload_t*)payload);
157 }
158 }
159 enumerator = auth->create_enumerator(auth);
160 while (enumerator->enumerate(enumerator, &type, &cert))
161 {
162 if (type == AUTH_RULE_IM_CERT)
163 {
164 payload = cert_payload_create_from_cert(cert);
165 if (payload)
166 {
167 DBG1(DBG_IKE, "pretending issuer cert \"%Y\"",
168 cert->get_subject(cert));
169 message->add_payload(message, (payload_t*)payload);
170 }
171 }
172 }
173 enumerator->destroy(enumerator);
174 }
175
176 /**
177 * Build faked AUTH payload
178 */
179 static bool build_auth(private_pretend_auth_t *this,
180 ike_sa_t *ike_sa, message_t *message)
181 {
182 chunk_t octets, auth_data;
183 private_key_t *private;
184 auth_cfg_t *auth;
185 auth_payload_t *auth_payload;
186 auth_method_t auth_method;
187 signature_scheme_t scheme;
188 keymat_t *keymat;
189
190 auth = auth_cfg_create();
191 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth);
192 build_certs(this, ike_sa, message, auth);
193 auth->destroy(auth);
194 if (private == NULL)
195 {
196 DBG1(DBG_CFG, "no private key found for '%Y' to pretend AUTH", this->id);
197 return FALSE;
198 }
199
200 switch (private->get_type(private))
201 {
202 case KEY_RSA:
203 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
204 auth_method = AUTH_RSA;
205 break;
206 case KEY_ECDSA:
207 /* we try to deduct the signature scheme from the keysize */
208 switch (private->get_keysize(private))
209 {
210 case 256:
211 scheme = SIGN_ECDSA_256;
212 auth_method = AUTH_ECDSA_256;
213 break;
214 case 384:
215 scheme = SIGN_ECDSA_384;
216 auth_method = AUTH_ECDSA_384;
217 break;
218 case 521:
219 scheme = SIGN_ECDSA_521;
220 auth_method = AUTH_ECDSA_521;
221 break;
222 default:
223 DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
224 private->get_keysize(private));
225 return FALSE;
226 }
227 break;
228 default:
229 DBG1(DBG_CFG, "private key of type %N not supported",
230 key_type_names, private->get_type(private));
231 return FALSE;
232 }
233 keymat = ike_sa->get_keymat(ike_sa);
234 octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
235 this->nonce, this->id);
236 if (!private->sign(private, scheme, octets, &auth_data))
237 {
238 chunk_free(&octets);
239 private->destroy(private);
240 return FALSE;
241 }
242 auth_payload = auth_payload_create();
243 auth_payload->set_auth_method(auth_payload, auth_method);
244 auth_payload->set_data(auth_payload, auth_data);
245 chunk_free(&auth_data);
246 chunk_free(&octets);
247 private->destroy(private);
248 message->add_payload(message, (payload_t*)auth_payload);
249 DBG1(DBG_CFG, "pretending AUTH payload for '%Y' with %N",
250 this->id, auth_method_names, auth_method);
251 return TRUE;
252 }
253
254 /**
255 * Process IKE_AUTH response message, incoming
256 */
257 static void process_auth_response(private_pretend_auth_t *this,
258 ike_sa_t *ike_sa, message_t *message)
259 {
260 enumerator_t *enumerator;
261 payload_t *payload;
262
263 /* check for, and remove AUTHENTICATION_FAILED notify */
264 enumerator = message->create_payload_enumerator(message);
265 while (enumerator->enumerate(enumerator, &payload))
266 {
267 notify_payload_t *notify = (notify_payload_t*)payload;
268
269 if (payload->get_type(payload) != NOTIFY ||
270 notify->get_notify_type(notify) != AUTHENTICATION_FAILED)
271 {
272 DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending",
273 notify_type_names, AUTHENTICATION_FAILED);
274 enumerator->destroy(enumerator);
275 return;
276 }
277 message->remove_payload_at(message, enumerator);
278 payload->destroy(payload);
279 }
280 enumerator->destroy(enumerator);
281
282 if (!build_auth(this, ike_sa, message))
283 {
284 message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
285 return;
286 }
287 message->add_payload(message, (payload_t*)
288 id_payload_create_from_identification(ID_RESPONDER, this->id));
289 if (this->proposal)
290 {
291 message->add_payload(message, (payload_t*)
292 sa_payload_create_from_proposal(this->proposal));
293 }
294 if (this->tsi)
295 {
296 message->add_payload(message, (payload_t*)
297 ts_payload_create_from_traffic_selectors(TRUE, this->tsi));
298 }
299 if (this->tsr)
300 {
301 message->add_payload(message, (payload_t*)
302 ts_payload_create_from_traffic_selectors(FALSE, this->tsr));
303 }
304 }
305
306 METHOD(listener_t, message, bool,
307 private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message,
308 bool incoming)
309 {
310 if (incoming)
311 {
312 if (!message->get_request(message))
313 {
314 if (message->get_exchange_type(message) == IKE_SA_INIT)
315 {
316 process_init_response(this, ike_sa, message);
317 }
318 if (message->get_exchange_type(message) == IKE_AUTH &&
319 message->get_message_id(message) == 1)
320 {
321 process_auth_response(this, ike_sa, message);
322 }
323 }
324 }
325 else
326 {
327 if (message->get_request(message))
328 {
329 if (message->get_exchange_type(message) == IKE_SA_INIT)
330 {
331 process_init_request(this, ike_sa, message);
332 }
333 if (message->get_exchange_type(message) == IKE_AUTH &&
334 message->get_message_id(message) == 1)
335 {
336 process_auth_request(this, ike_sa, message);
337 }
338 }
339 }
340 return TRUE;
341 }
342
343 METHOD(hook_t, destroy, void,
344 private_pretend_auth_t *this)
345 {
346 if (this->tsi)
347 {
348 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
349 }
350 if (this->tsr)
351 {
352 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
353 }
354 DESTROY_IF(this->proposal);
355 this->id->destroy(this->id);
356 free(this->ike_init.ptr);
357 free(this->nonce.ptr);
358 free(this);
359 }
360
361 /**
362 * Create the IKE_AUTH fill hook
363 */
364 hook_t *pretend_auth_hook_create(char *name)
365 {
366 private_pretend_auth_t *this;
367
368 INIT(this,
369 .hook = {
370 .listener = {
371 .message = _message,
372 },
373 .destroy = _destroy,
374 },
375 .id = identification_create_from_string(
376 conftest->test->get_str(conftest->test,
377 "hooks.%s.peer", "%any", name)),
378 );
379
380 return &this->hook;
381 }