- started to implement authenticator_t
authorJan Hutter <jhutter@hsr.ch>
Fri, 2 Dec 2005 19:26:01 +0000 (19:26 -0000)
committerJan Hutter <jhutter@hsr.ch>
Fri, 2 Dec 2005 19:26:01 +0000 (19:26 -0000)
Source/charon/daemon.c
Source/charon/sa/Makefile.sa
Source/charon/sa/ike_sa.c
Source/charon/sa/ike_sa.h
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_auth_requested.h
Source/charon/sa/states/ike_sa_init_requested.c
Source/charon/sa/states/ike_sa_init_responded.c
Source/charon/sa/states/ike_sa_init_responded.h
Source/charon/sa/states/responder_init.c

index 649f0b4..d1e0c13 100644 (file)
@@ -156,10 +156,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 static void build_test_jobs(private_daemon_t *this)
 {
        int i;
-       for(i = 0; i<0; i++)
+       for(i = 0; i<1; i++)
        {
                initiate_ike_sa_job_t *initiate_job;
-               initiate_job = initiate_ike_sa_job_create("pinflb30");
+               initiate_job = initiate_ike_sa_job_create("localhost");
                this->public.job_queue->add(this->public.job_queue, (job_t*)initiate_job);
        }
 }
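Review bot: Raising the loop bound to 1 makes build_test_jobs enqueue an initiate_ike_sa_job for `"localhost"` on every start of the daemon, not just during a test run, so charon now actively opens an IKE_SA by itself as soon as it comes up. If this is a development aid it should not be committed with the bound at 1; keep `for(i = 0; i<0; i++)` in committed code or put the loop behind a compile-time test flag. The return value of initiate_ike_sa_job_create() is also passed straight to add() without a check; whether it can return NULL is not visible here.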
index 0badb15..b22a58b 100644 (file)
@@ -25,5 +25,9 @@ $(BUILD_DIR)ike_sa_manager.o :        $(SA_DIR)ike_sa_manager.c $(SA_DIR)ike_sa_manager
 OBJS+= $(BUILD_DIR)ike_sa.o
 $(BUILD_DIR)ike_sa.o :                 $(SA_DIR)ike_sa.c $(SA_DIR)ike_sa.h
                                                                $(CC) $(CFLAGS) -c -o $@ $<
+                                                               
+OBJS+= $(BUILD_DIR)authenticator.o
+$(BUILD_DIR)authenticator.o :  $(SA_DIR)authenticator.c $(SA_DIR)authenticator.h
+                                                               $(CC) $(CFLAGS) -c -o $@ $<
 
 include $(SA_DIR)states/Makefile.states
\ No newline at end of file
index b9f80df..05f317f 100644 (file)
@@ -552,6 +552,22 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
 }
 
 /**
+ * Implementation of protected_ike_sa_t.get_prf.
+ */
+static prf_t *get_prf (private_ike_sa_t *this)
+{
+       return this->prf;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_key_pr.
+ */
+static chunk_t get_key_pr (private_ike_sa_t *this)
+{
+       return this->secrets.pr_key;
+}
+
+/**
  * Implementation of protected_ike_sa_t.set_prf.
  */
 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
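Review bot: get_key_pr hands out `this->secrets.pr_key` by value, i.e. a copy of the pointer/length pair into the SA's key material, and nothing on the .c side says the caller must neither free nor modify it; the header only says "not cloned". A one-line comment above the return, `/* reference into this->secrets, owned by the IKE_SA: caller must not free or modify */`, keeps the implementation in step with the header. The pre-existing `Implementation of protected_ike_sa_t.set_prf` comment that now directly follows the new block actually heads create_transforms_from_proposal; since this spot is being edited anyway it is a good moment to correct that name.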
@@ -768,6 +784,23 @@ static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t messag
 }
 
 /**
+ * Implementation of protected_ike_sa_t.get_last_sent_message_data.
+ */
+static chunk_t get_last_sent_message_data (private_ike_sa_t *this)
+{
+       chunk_t last_sent_message_data = CHUNK_INITIALIZER;
+       packet_t *packet;
+       
+       if (this->last_requested_message != NULL)
+       {
+               packet = this->last_requested_message->get_packet(this->last_requested_message);
+               last_sent_message_data = packet->data;
+       }
+       
+       return last_sent_message_data;
+}
+
+/**
  * Implementation of protected_ike_sa_t.reset_message_buffers.
  */
 static void reset_message_buffers (private_ike_sa_t *this)
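Review bot: The chunk returned on the `last_sent_message_data = packet->data;` line aliases whatever get_packet() handed back, but the packet object is never released: if get_packet() returns a clone, a packet_t leaks on every call and the chunk points into it; if it returns the stored packet, the chunk is invalidated as soon as reset_message_buffers() runs. Which of the two applies cannot be told from this hunk, so it should be confirmed against message_t. Either way the .c side lacks an ownership comment; suggest `/* not cloned: aliases the packet of last_requested_message, valid only until reset_message_buffers() */` above the return, and destroying the packet after taking a chunk copy if get_packet() turns out to clone. Callers should also expect the CHUNK_INITIALIZER result on a side that has no stored request, which is likely for a responder.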
@@ -906,6 +939,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        /* protected functions */
        this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
        this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
+       this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;  
+       this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;   
        this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;         
        this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
        this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
@@ -925,6 +960,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
        this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;     
        this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
+       this->protected.get_last_sent_message_data = (chunk_t (*) (protected_ike_sa_t *this)) get_last_sent_message_data;
        this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
        
        /* private functions */
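Review bot: The cast on the get_last_sent_message_data assignment names its parameter (`protected_ike_sa_t *this`) while every neighbouring cast in this table gives only the type. `(chunk_t (*) (protected_ike_sa_t *))` keeps the table uniform; the parameter name in a cast has no effect. The assignments for get_prf and get_key_pr added in the previous hunk also carry trailing whitespace.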
index b8a897a..c561b99 100644 (file)
@@ -35,8 +35,6 @@
 #include <transforms/crypters/crypter.h>
 #include <transforms/signers/signer.h>
 
-
-
 /**
  * Nonce size in bytes of all sent nonces
  * 
@@ -101,6 +99,8 @@ struct ike_sa_t {
 
 typedef struct protected_ike_sa_t protected_ike_sa_t;
 
+
+
 /**
  * @brief Protected data of an ike_sa_t object.
  * 
@@ -319,6 +319,34 @@ struct protected_ike_sa_t {
         * @return                                      pointer to signer_t object
         */
        signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
+       
+       /**
+        * Gets the internal stored prf_t object.
+        * 
+        * @param this                          calling object
+        * @return                                      pointer to prf_t object
+        */
+       prf_t *(*get_prf) (protected_ike_sa_t *this);
+       
+       /**
+        * Gets the data of last sent message.
+        * 
+        * Data are not getting cloned.
+        * 
+        * @param this                          calling object
+        * @return                                      chunk_t pointing to data
+        */
+       chunk_t (*get_last_sent_message_data) (protected_ike_sa_t *this);
+       
+       /**
+        * Gets the Shared key SK_pr.
+        * 
+        * Returned value is not cloned!
+        * 
+        * @param this                          calling object
+        * @return                                      SK_pr key
+        */
+       chunk_t (*get_key_pr) (protected_ike_sa_t *this);
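Review bot: The protected interface gains SK_pr but not SK_pi, although this commit wires up AUTH verification on both sides: under IKEv2 (RFC 4306 §2.15) the responder checks the initiator's AUTH with prf(SK_pi, IDi') and the initiator checks the responder's with prf(SK_pr, IDr'), so a verifier that can only reach SK_pr serves one direction at best. authenticator.c is not part of this diff, so it may reach SK_pi some other way; if not, a matching `chunk_t (*get_key_pi) (protected_ike_sa_t *this);` is needed here. The "not cloned" wording on get_key_pr and get_last_sent_message_data should also spell out the consequence for the caller: `Returned chunk references memory owned by the IKE_SA; the caller must neither free nor modify it, and it is valid only as long as the SA (resp. the stored message) exists.`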
 
        /**
         * Resets message id counters and does destroy stored received and sent messages.
@@ -326,6 +354,7 @@ struct protected_ike_sa_t {
         * @param this                          calling object
         */     
        void (*reset_message_buffers) (protected_ike_sa_t *this);
+
 };
 
 
index e432421..cfbd986 100644 (file)
@@ -32,6 +32,7 @@
 #include <transforms/signers/signer.h>
 #include <transforms/crypters/crypter.h>
 #include <sa/states/ike_sa_established.h>
+#include <sa/authenticator.h>
 
 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
 
@@ -54,6 +55,11 @@ struct private_ike_auth_requested_t {
         * SA config, just a copy of the one stored in the ike_sa
         */
        sa_config_t *sa_config; 
+       
+       /**
+        * Received nonce from responder
+        */
+       chunk_t received_nonce;
         
        /**
         * Logger used to log data 
@@ -75,7 +81,7 @@ struct private_ike_auth_requested_t {
        /**
         * process the AUTH payload (check authenticity of message)
         */
-       status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload);
+       status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
        
        /**
         * process the TS payload (check if selected traffic selectors are valid)
@@ -223,7 +229,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
                this->logger->log(this->logger, ERROR, "Processing sa payload failed");
                return status;
        }
-       status = this->process_auth_payload(this, auth_payload);
+       status = this->process_auth_payload(this, auth_payload,idr_payload);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Processing auth payload failed");
@@ -264,6 +270,10 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
        configured_other_id = this->sa_config->get_other_id(this->sa_config);
        if (configured_other_id)
        {
+               this->logger->log(this->logger, CONTROL, "configured ID: %s, ID of responder: %s",
+                                                       configured_other_id->get_string(configured_other_id),
+                                                       other_id->get_string(other_id));
+
                if (!other_id->equals(other_id, configured_other_id))
                {
                        other_id->destroy(other_id);
@@ -324,8 +334,27 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
 /**
  * Implements private_ike_auth_requested_t.process_auth_payload
  */
-static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload)
+static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
 {
+       
+       chunk_t received_auth_data = auth_payload->get_data(auth_payload);
+       chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
+       bool verified;
+       identification_t *identification;
+       authenticator_t *authenticator;
+       
+       identification = other_id_payload->get_identification(other_id_payload);
+       
+       /* TODO VERIFY auth here */
+       authenticator = authenticator_create(this->ike_sa);
+
+       authenticator->verify_authentication(authenticator,auth_payload->get_auth_method(auth_payload),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
+       
+       authenticator->destroy(authenticator);
+       
+       allocator_free_chunk(&received_auth_data);
+       
+       
        /* TODO VERIFY auth here */
        return SUCCESS; 
 }
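Review bot: The result of the AUTH check is thrown away: `verified` is never read and the function returns SUCCESS unconditionally, so a responder presenting a bogus AUTH payload still moves this IKE_SA on towards ESTABLISHED. `verified` is also never initialised, so reading it after a verify_authentication() that bails out early would be undefined, and the `identification` obtained from get_identification() is never destroyed although process_idr_payload() above destroys the object it gets from the same call. Assuming verify_authentication() returns a status_t like the other calls in this file, the tail of the function should look like the excerpt below. Separately, RFC 4306 §2.15 has the initiator verify the responder's AUTH over the IKE_SA_INIT response it received, its own nonce Ni and prf(SK_pr, IDr'), whereas this call passes the last sent message and the received nonce, which are the inputs for computing this side's own AUTH rather than for checking the peer's; authenticator.c is not in the diff, so this is worth confirming there.
```c
	bool verified = FALSE;
	status_t status;
	/* … unchanged: received_auth_data, last_message_data, identification, authenticator_create … */
	status = authenticator->verify_authentication(authenticator, auth_payload->get_auth_method(auth_payload),
						received_auth_data, last_message_data, this->received_nonce, identification, &verified);
	authenticator->destroy(authenticator);
	identification->destroy(identification);
	allocator_free_chunk(&received_auth_data);

	if (status != SUCCESS || !verified)
	{
		this->logger->log(this->logger, ERROR, "Verification of AUTH payload failed");
		return FAILED;
	}
	return SUCCESS;
```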
@@ -385,13 +414,14 @@ static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
  */
 static void destroy(private_ike_auth_requested_t *this)
 {
+       allocator_free_chunk(&(this->received_nonce));
        allocator_free(this);
 }
 
 /* 
  * Described in header.
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa)
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
 {
        private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
 
@@ -409,6 +439,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa)
        
        /* private data */
        this->ike_sa = ike_sa;
+       this->received_nonce = received_nonce;
        this->logger = this->ike_sa->get_logger(this->ike_sa);
        
        return &(this->public);
index ac2c4ba..5f1e042 100644 (file)
@@ -50,12 +50,11 @@ struct ike_auth_requested_t {
  * Constructor of class ike_auth_requested_t
  * 
  * @param ike_sa               assigned ike_sa object
- * @param sent_nonce   Sent nonce value
  * @param received_nonce       Received nonce value
  * @return                             created ike_auth_requested_t object
  * 
  * @ingroup states
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa);
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
 
 #endif /*IKE_AUTH_REQUESTED_H_*/
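Review bot: The new received_nonce parameter is documented only as "Received nonce value", but ike_auth_requested_create stores the chunk as-is and destroy() now frees it, i.e. ownership moves to the state object and the caller must not free it afterwards (ike_sa_init_requested.c drops its own free in this commit for exactly that reason). That contract belongs in the header: `@param received_nonce  Received nonce; ownership is transferred to the state object, which frees it in destroy()`.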
index 806c024..68e34a5 100644 (file)
@@ -396,7 +396,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
-       next_state = ike_auth_requested_create(this->ike_sa);
+       next_state = ike_auth_requested_create(this->ike_sa,this->received_nonce);
 
        /* state can now be changed */ 
        this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
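Review bot: Ownership of this->received_nonce moves to the new state on the ike_auth_requested_create line, and destroy_after_state_change() accordingly stops freeing it, but the ordinary destroy() of ike_sa_init_requested_t is not in this diff; if it still frees received_nonce, any path that creates the next state and then tears the old state object down through destroy() would double free the nonce. Nulling the chunk right after the hand-off, `this->received_nonce = CHUNK_INITIALIZER;`, makes both destructors safe regardless; otherwise confirm destroy() does not touch it. The surrounding process_message() starts before this hunk.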
@@ -577,8 +577,6 @@ static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
        this->diffie_hellman->destroy(this->diffie_hellman);
        this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");  
        allocator_free(this->sent_nonce.ptr);
-       this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
-       allocator_free(this->received_nonce.ptr);
        this->logger->log(this->logger, CONTROL | MOST, "Destroy shared secret (secrets allready derived)");
        allocator_free_chunk(&(this->shared_secret));
        this->logger->log(this->logger, CONTROL | MOST, "Destroy object itself");
index 0399bc9..6e7fb69 100644 (file)
@@ -24,6 +24,7 @@
 
 #include <daemon.h>
 #include <utils/allocator.h>
+#include <sa/authenticator.h>
 #include <encoding/payloads/ts_payload.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/id_payload.h>
@@ -51,6 +52,11 @@ struct private_ike_sa_init_responded_t {
        protected_ike_sa_t *ike_sa;
        
        /**
+        * Received nonce.
+        */
+       chunk_t received_nonce;
+       
+       /**
         * sa config to use
         */
        sa_config_t *sa_config;
@@ -64,7 +70,7 @@ struct private_ike_sa_init_responded_t {
        
        status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response);
        status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
-       status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response);
+       status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response);
        status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
 };
 
@@ -190,7 +196,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                response->destroy(response);
                return status;
        }
-       status = this->build_auth_payload(this, auth_request, response);
+       status = this->build_auth_payload(this, auth_request,idi_request, response);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Building auth payload failed");
@@ -325,15 +331,29 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
 /**
  * Implements private_ike_sa_init_responded_t.build_auth_payload
  */
-static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response)
+static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response)
 {
        auth_payload_t *dummy;
        u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03};
        chunk_t auth_data;
        auth_data.ptr = data;
        auth_data.len = sizeof(data);
+       authenticator_t *authenticator;
+       chunk_t received_auth_data = request->get_data(request);
+       chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
+       bool verified;
+       identification_t *identification;
+       
+       identification = other_id_payload->get_identification(other_id_payload);
        
        /* TODO VERIFY auth here */
+       authenticator = authenticator_create(this->ike_sa);
+
+       authenticator->verify_authentication(authenticator,request->get_auth_method(request),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
+       
+       authenticator->destroy(authenticator);
+       
+       allocator_free_chunk(&received_auth_data);
        
        dummy = auth_payload_create();
        dummy->set_data(dummy, auth_data);
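Review bot: The responder still answers with the hard-coded dummy AUTH bytes from the `data[]` line and, as on the initiator side, ignores both the return value of verify_authentication() and `verified` (which is also uninitialised), so the IKE_AUTH exchange completes for any initiator. The `identification` object from get_identification() is never destroyed, and the declarations starting at `authenticator_t *authenticator;` come after statements, which is C99-only and departs from the declare-at-top style of the rest of this file. At minimum the call should become `status = authenticator->verify_authentication(...)` followed by `if (status != SUCCESS || !verified) { identification->destroy(identification); return FAILED; }` before the dummy payload is built, with the remaining frees hoisted above the check. Note too that to verify the initiator's AUTH the responder needs the IKE_SA_INIT request it received, its own nonce Nr and SK_pi (RFC 4306 §2.15), whereas this passes its last sent message and the initiator's nonce, and the protected interface only exposes SK_pr; authenticator.c is not in the diff, so this may be handled there. build_auth_payload continues past the end of this hunk.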
@@ -406,14 +426,15 @@ static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
 static void destroy(private_ike_sa_init_responded_t *this)
 {
        this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object");
-               
+       
+       allocator_free_chunk(&(this->received_nonce));
        allocator_free(this);
 }
 
 /* 
  * Described in header.
  */
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa)
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
 {
        private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
 
@@ -430,6 +451,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
        
        /* private data */
        this->ike_sa = ike_sa;
+       this->received_nonce = received_nonce;
        this->logger = this->ike_sa->get_logger(this->ike_sa);
        
        return &(this->public);
index 1e7dd03..fdcc055 100644 (file)
@@ -49,11 +49,11 @@ struct ike_sa_init_responded_t {
 /**
  * @brief Constructor of class ike_sa_init_responded_t
  * 
- * @param ike_sa               assigned IKE_SA
- * @todo Params description
+ * @param ike_sa                       assigned IKE_SA
+ * @param received_nonce       received nonce data
  * 
  * @ingroup states
  */
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa);
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
 
 #endif /*IKE_SA_INIT_RESPONDED_H_*/
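Review bot: The new @param line says only "received nonce data", but ike_sa_init_responded_create stores the chunk without copying and destroy() frees it, so ownership passes to the state object and responder_init.c consequently no longer frees it in this commit. Make that explicit: `@param received_nonce  Received nonce; ownership is transferred to the state object, which frees it in destroy()`.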
index 9409d57..72e11e3 100644 (file)
@@ -362,7 +362,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
 
-       next_state = ike_sa_init_responded_create(this->ike_sa);
+       next_state = ike_sa_init_responded_create(this->ike_sa, this->received_nonce);
        
        /* state can now be changed */
        this->ike_sa->set_new_state(this->ike_sa, (state_t *) next_state);
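Review bot: As in ike_sa_init_requested.c, this->received_nonce is handed to the next state here and destroy_after_state_change() stops freeing it, but responder_init_t's plain destroy() is outside this diff; if it still frees received_nonce, a teardown through destroy() after this call would double free. Clearing the chunk right after the hand-off, `this->received_nonce = CHUNK_INITIALIZER;`, removes the dependency on which destructor runs. The enclosing process_message() begins before this hunk.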
@@ -536,9 +536,6 @@ static void destroy_after_state_change (private_responder_init_t *this)
        
        this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
        allocator_free_chunk(&(this->sent_nonce));
-       this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
-       allocator_free_chunk(&(this->received_nonce));
-
        this->logger->log(this->logger, CONTROL | MOST, "Destroy object");      
        allocator_free(this);
 }