Migrated psk/pubkey_authenticators to INIT/METHOD macros
[strongswan.git] / src / libcharon / sa / authenticators / psk_authenticator.c
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "psk_authenticator.h"
18
19 #include <daemon.h>
20 #include <encoding/payloads/auth_payload.h>
21
22 typedef struct private_psk_authenticator_t private_psk_authenticator_t;
23
24 /**
25 * Private data of an psk_authenticator_t object.
26 */
27 struct private_psk_authenticator_t {
28
29 /**
30 * Public authenticator_t interface.
31 */
32 psk_authenticator_t public;
33
34 /**
35 * Assigned IKE_SA
36 */
37 ike_sa_t *ike_sa;
38
39 /**
40 * nonce to include in AUTH calculation
41 */
42 chunk_t nonce;
43
44 /**
45 * IKE_SA_INIT message data to include in AUTH calculation
46 */
47 chunk_t ike_sa_init;
48 };
49
50 METHOD(authenticator_t, build, status_t,
51 private_psk_authenticator_t *this, message_t *message)
52 {
53 identification_t *my_id, *other_id;
54 auth_payload_t *auth_payload;
55 shared_key_t *key;
56 chunk_t auth_data;
57 keymat_t *keymat;
58
59 keymat = this->ike_sa->get_keymat(this->ike_sa);
60 my_id = this->ike_sa->get_my_id(this->ike_sa);
61 other_id = this->ike_sa->get_other_id(this->ike_sa);
62 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
63 my_id, auth_method_names, AUTH_PSK);
64 key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
65 if (key == NULL)
66 {
67 DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
68 return NOT_FOUND;
69 }
70 auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
71 this->nonce, key->get_key(key), my_id);
72 key->destroy(key);
73 DBG2(DBG_IKE, "successfully created shared key MAC");
74 auth_payload = auth_payload_create();
75 auth_payload->set_auth_method(auth_payload, AUTH_PSK);
76 auth_payload->set_data(auth_payload, auth_data);
77 chunk_free(&auth_data);
78 message->add_payload(message, (payload_t*)auth_payload);
79
80 return SUCCESS;
81 }
82
83 METHOD(authenticator_t, process, status_t,
84 private_psk_authenticator_t *this, message_t *message)
85 {
86 chunk_t auth_data, recv_auth_data;
87 identification_t *my_id, *other_id;
88 auth_payload_t *auth_payload;
89 auth_cfg_t *auth;
90 shared_key_t *key;
91 enumerator_t *enumerator;
92 bool authenticated = FALSE;
93 int keys_found = 0;
94 keymat_t *keymat;
95
96 auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
97 if (!auth_payload)
98 {
99 return FAILED;
100 }
101 keymat = this->ike_sa->get_keymat(this->ike_sa);
102 recv_auth_data = auth_payload->get_data(auth_payload);
103 my_id = this->ike_sa->get_my_id(this->ike_sa);
104 other_id = this->ike_sa->get_other_id(this->ike_sa);
105 enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
106 SHARED_IKE, my_id, other_id);
107 while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
108 {
109 keys_found++;
110
111 auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
112 this->nonce, key->get_key(key), other_id);
113 if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
114 {
115 DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
116 other_id, auth_method_names, AUTH_PSK);
117 authenticated = TRUE;
118 }
119 chunk_free(&auth_data);
120 }
121 enumerator->destroy(enumerator);
122
123 if (!authenticated)
124 {
125 if (keys_found == 0)
126 {
127 DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
128 return NOT_FOUND;
129 }
130 DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
131 keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
132 return FAILED;
133 }
134
135 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
136 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
137 return SUCCESS;
138 }
139
140 METHOD(authenticator_t, destroy, void,
141 private_psk_authenticator_t *this)
142 {
143 free(this);
144 }
145
146 /*
147 * Described in header.
148 */
149 psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
150 chunk_t received_nonce, chunk_t sent_init)
151 {
152 private_psk_authenticator_t *this;
153
154 INIT(this,
155 .public = {
156 .authenticator = {
157 .build = _build,
158 .process = (void*)return_failed,
159 .is_mutual = (void*)return_false,
160 .destroy = _destroy,
161 },
162 }.
163 .ike_sa = ike_sa,
164 .ike_sa_init = sent_init,
165 .nonce = received_nonce,
166 );
167 return &this->public;
168 }
169
170 /*
171 * Described in header.
172 */
173 psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
174 chunk_t sent_nonce, chunk_t received_init)
175 {
176 private_psk_authenticator_t *this;
177
178 INIT(this,
179 .public = {
180 .authenticator = {
181 .build = (void*)return_failed,
182 .process = _process,
183 .is_mutual = (void*)return_false,
184 .destroy = _destroy,
185 },
186 },
187 .ike_sa = ike_sa,
188 .ike_sa_init = received_init,
189 .nonce = sent_nonce,
190 );
191 return &this->public;
192 }
193