Added option to use a different key when rebuilding AUTH
[strongswan.git] / src / conftest / hooks / rebuild_auth.c
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "hook.h"
17
18 #include <encoding/generator.h>
19 #include <encoding/payloads/nonce_payload.h>
20 #include <encoding/payloads/auth_payload.h>
21 #include <encoding/payloads/id_payload.h>
22
23 typedef struct private_rebuild_auth_t private_rebuild_auth_t;
24
25 /**
26 * Private data of an rebuild_auth_t object.
27 */
28 struct private_rebuild_auth_t {
29
30 /**
31 * Implements the hook_t interface.
32 */
33 hook_t hook;
34
35 /**
36 * Our IKE_SA_INIT data, required to rebuild AUTH
37 */
38 chunk_t ike_init;
39
40 /**
41 * Received NONCE, required to rebuild AUTH
42 */
43 chunk_t nonce;
44
45 /**
46 * ID to use for key lookup, if not from IDi
47 */
48 identification_t *id;
49 };
50
51 /**
52 * Rebuild our AUTH data
53 */
54 static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
55 message_t *message)
56 {
57 enumerator_t *enumerator;
58 chunk_t octets, auth_data;
59 private_key_t *private;
60 auth_cfg_t *auth;
61 payload_t *payload;
62 auth_payload_t *auth_payload;
63 auth_method_t auth_method;
64 signature_scheme_t scheme;
65 keymat_t *keymat;
66 identification_t *id;
67 char reserved[3];
68 generator_t *generator;
69 chunk_t data;
70 u_int32_t *lenpos;
71
72 payload = message->get_payload(message,
73 message->get_request(message) ? ID_INITIATOR : ID_RESPONDER);
74 if (!payload)
75 {
76 DBG1(DBG_CFG, "ID payload not found to rebuild AUTH");
77 return FALSE;
78 }
79
80 generator = generator_create();
81 generator->generate_payload(generator, payload);
82 data = generator->get_chunk(generator, &lenpos);
83 if (data.len < 8)
84 {
85 DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH");
86 generator->destroy(generator);
87 return FALSE;
88 }
89 memcpy(reserved, data.ptr + 5, 3);
90 id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
91 generator->destroy(generator);
92
93 auth = auth_cfg_create();
94 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
95 this->id ?: id, auth);
96 auth->destroy(auth);
97 if (private == NULL)
98 {
99 DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
100 this->id ?: id);
101 id->destroy(id);
102 return FALSE;
103 }
104
105 switch (private->get_type(private))
106 {
107 case KEY_RSA:
108 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
109 auth_method = AUTH_RSA;
110 break;
111 case KEY_ECDSA:
112 /* we try to deduct the signature scheme from the keysize */
113 switch (private->get_keysize(private))
114 {
115 case 256:
116 scheme = SIGN_ECDSA_256;
117 auth_method = AUTH_ECDSA_256;
118 break;
119 case 384:
120 scheme = SIGN_ECDSA_384;
121 auth_method = AUTH_ECDSA_384;
122 break;
123 case 521:
124 scheme = SIGN_ECDSA_521;
125 auth_method = AUTH_ECDSA_521;
126 break;
127 default:
128 DBG1(DBG_CFG, "%d bit ECDSA private key size not supported",
129 private->get_keysize(private));
130 id->destroy(id);
131 return FALSE;
132 }
133 break;
134 default:
135 DBG1(DBG_CFG, "private key of type %N not supported",
136 key_type_names, private->get_type(private));
137 id->destroy(id);
138 return FALSE;
139 }
140 keymat = ike_sa->get_keymat(ike_sa);
141 octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
142 this->nonce, id, reserved);
143 if (!private->sign(private, scheme, octets, &auth_data))
144 {
145 chunk_free(&octets);
146 private->destroy(private);
147 id->destroy(id);
148 return FALSE;
149 }
150 auth_payload = auth_payload_create();
151 auth_payload->set_auth_method(auth_payload, auth_method);
152 auth_payload->set_data(auth_payload, auth_data);
153 chunk_free(&auth_data);
154 chunk_free(&octets);
155 private->destroy(private);
156
157 enumerator = message->create_payload_enumerator(message);
158 while (enumerator->enumerate(enumerator, &payload))
159 {
160 if (payload->get_type(payload) == AUTHENTICATION)
161 {
162 message->remove_payload_at(message, enumerator);
163 payload->destroy(payload);
164 }
165 }
166 enumerator->destroy(enumerator);
167
168 message->add_payload(message, (payload_t*)auth_payload);
169 DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N",
170 id, auth_method_names, auth_method);
171 id->destroy(id);
172 return TRUE;
173 }
174
175 METHOD(listener_t, message, bool,
176 private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
177 bool incoming)
178 {
179 if (!incoming && message->get_message_id(message) == 1)
180 {
181 rebuild_auth(this, ike_sa, message);
182 }
183 if (message->get_exchange_type(message) == IKE_SA_INIT)
184 {
185 if (incoming)
186 {
187 nonce_payload_t *nonce;
188
189 nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
190 if (nonce)
191 {
192 free(this->nonce.ptr);
193 this->nonce = nonce->get_nonce(nonce);
194 }
195 }
196 else
197 {
198 packet_t *packet;
199
200 if (message->generate(message, NULL, &packet) == SUCCESS)
201 {
202 free(this->ike_init.ptr);
203 this->ike_init = chunk_clone(packet->get_data(packet));
204 packet->destroy(packet);
205 }
206 }
207 }
208 return TRUE;
209 }
210
211 METHOD(hook_t, destroy, void,
212 private_rebuild_auth_t *this)
213 {
214 free(this->ike_init.ptr);
215 free(this->nonce.ptr);
216 DESTROY_IF(this->id);
217 free(this);
218 }
219
220 /**
221 * Create the IKE_AUTH fill hook
222 */
223 hook_t *rebuild_auth_hook_create(char *name)
224 {
225 private_rebuild_auth_t *this;
226 char *id;
227
228 INIT(this,
229 .hook = {
230 .listener = {
231 .message = _message,
232 },
233 .destroy = _destroy,
234 },
235 );
236 id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name);
237 if (id)
238 {
239 this->id = identification_create_from_string(id);
240 }
241
242 return &this->hook;
243 }