Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
[strongswan.git] / src / conftest / hooks / rebuild_auth.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "hook.h"
17
18 #include <sa/ikev2/keymat_v2.h>
19 #include <encoding/generator.h>
20 #include <encoding/payloads/nonce_payload.h>
21 #include <encoding/payloads/auth_payload.h>
22 #include <encoding/payloads/id_payload.h>
23
24 typedef struct private_rebuild_auth_t private_rebuild_auth_t;
25
26 /**
27 * Private data of an rebuild_auth_t object.
28 */
29 struct private_rebuild_auth_t {
30
31 /**
32 * Implements the hook_t interface.
33 */
34 hook_t hook;
35
36 /**
37 * Our IKE_SA_INIT data, required to rebuild AUTH
38 */
39 chunk_t ike_init;
40
41 /**
42 * Received NONCE, required to rebuild AUTH
43 */
44 chunk_t nonce;
45
46 /**
47 * ID to use for key lookup, if not from IDi
48 */
49 identification_t *id;
50 };
51
52 /**
53 * Rebuild our AUTH data
54 */
55 static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
56 message_t *message)
57 {
58 enumerator_t *enumerator;
59 chunk_t octets, auth_data;
60 private_key_t *private;
61 auth_cfg_t *auth;
62 payload_t *payload;
63 auth_payload_t *auth_payload;
64 auth_method_t auth_method;
65 signature_scheme_t scheme;
66 keymat_v2_t *keymat;
67 identification_t *id;
68 char reserved[3];
69 generator_t *generator;
70 chunk_t data;
71 u_int32_t *lenpos;
72
73 payload = message->get_payload(message,
74 message->get_request(message) ? ID_INITIATOR : ID_RESPONDER);
75 if (!payload)
76 {
77 DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
78 return FALSE;
79 }
80
81 generator = generator_create();
82 generator->generate_payload(generator, payload);
83 data = generator->get_chunk(generator, &lenpos);
84 if (data.len < 8)
85 {
86 DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH");
87 generator->destroy(generator);
88 return FALSE;
89 }
90 memcpy(reserved, data.ptr + 5, 3);
91 id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
92 generator->destroy(generator);
93
94 auth = auth_cfg_create();
95 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
96 this->id ?: id, auth);
97 auth->destroy(auth);
98 if (private == NULL)
99 {
100 DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
101 this->id ?: id);
102 id->destroy(id);
103 return FALSE;
104 }
105
106 switch (private->get_type(private))
107 {
108 case KEY_RSA:
109 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
110 auth_method = AUTH_RSA;
111 break;
112 case KEY_ECDSA:
113 /* we try to deduct the signature scheme from the keysize */
114 switch (private->get_keysize(private))
115 {
116 case 256:
117 scheme = SIGN_ECDSA_256;
118 auth_method = AUTH_ECDSA_256;
119 break;
120 case 384:
121 scheme = SIGN_ECDSA_384;
122 auth_method = AUTH_ECDSA_384;
123 break;
124 case 521:
125 scheme = SIGN_ECDSA_521;
126 auth_method = AUTH_ECDSA_521;
127 break;
128 default:
129 DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
130 private->get_keysize(private));
131 id->destroy(id);
132 return FALSE;
133 }
134 break;
135 default:
136 DBG1(DBG_CFG, "private key of type %N not supported",
137 key_type_names, private->get_type(private));
138 id->destroy(id);
139 return FALSE;
140 }
141 keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
142 octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
143 this->nonce, id, reserved);
144 if (!private->sign(private, scheme, octets, &auth_data))
145 {
146 chunk_free(&octets);
147 private->destroy(private);
148 id->destroy(id);
149 return FALSE;
150 }
151 auth_payload = auth_payload_create();
152 auth_payload->set_auth_method(auth_payload, auth_method);
153 auth_payload->set_data(auth_payload, auth_data);
154 chunk_free(&auth_data);
155 chunk_free(&octets);
156 private->destroy(private);
157
158 enumerator = message->create_payload_enumerator(message);
159 while (enumerator->enumerate(enumerator, &payload))
160 {
161 if (payload->get_type(payload) == AUTHENTICATION)
162 {
163 message->remove_payload_at(message, enumerator);
164 payload->destroy(payload);
165 }
166 }
167 enumerator->destroy(enumerator);
168
169 message->add_payload(message, (payload_t*)auth_payload);
170 DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N",
171 id, auth_method_names, auth_method);
172 id->destroy(id);
173 return TRUE;
174 }
175
176 METHOD(listener_t, message, bool,
177 private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
178 bool incoming, bool plain)
179 {
180 if (plain)
181 {
182 if (!incoming && message->get_message_id(message) == 1)
183 {
184 rebuild_auth(this, ike_sa, message);
185 }
186 if (message->get_exchange_type(message) == IKE_SA_INIT)
187 {
188 if (incoming)
189 {
190 nonce_payload_t *nonce;
191
192 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
193 if (nonce)
194 {
195 free(this->nonce.ptr);
196 this->nonce = nonce->get_nonce(nonce);
197 }
198 }
199 else
200 {
201 packet_t *packet;
202
203 if (message->generate(message, NULL, &packet) == SUCCESS)
204 {
205 free(this->ike_init.ptr);
206 this->ike_init = chunk_clone(packet->get_data(packet));
207 packet->destroy(packet);
208 }
209 }
210 }
211 }
212 return TRUE;
213 }
214
215 METHOD(hook_t, destroy, void,
216 private_rebuild_auth_t *this)
217 {
218 free(this->ike_init.ptr);
219 free(this->nonce.ptr);
220 DESTROY_IF(this->id);
221 free(this);
222 }
223
224 /**
225 * Create the IKE_AUTH fill hook
226 */
227 hook_t *rebuild_auth_hook_create(char *name)
228 {
229 private_rebuild_auth_t *this;
230 char *id;
231
232 INIT(this,
233 .hook = {
234 .listener = {
235 .message = _message,
236 },
237 .destroy = _destroy,
238 },
239 );
240 id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name);
241 if (id)
242 {
243 this->id = identification_create_from_string(id);
244 }
245
246 return &this->hook;
247 }