Added a IKEv1 hybrid authenticator based on Pubkey/PSK authenticators
authorMartin Willi <martin@revosec.ch>
Wed, 14 Dec 2011 08:40:43 +0000 (09:40 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:21 +0000 (17:31 +0100)
src/libcharon/Makefile.am
src/libcharon/sa/authenticators/authenticator.c
src/libcharon/sa/authenticators/hybrid_authenticator.c [new file with mode: 0644]
src/libcharon/sa/authenticators/hybrid_authenticator.h [new file with mode: 0644]

index 47c52ab..19b5548 100644 (file)
@@ -65,6 +65,7 @@ sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
 sa/authenticators/psk_v1_authenticator.c sa/authenticators/psk_v1_authenticator.h \
 sa/authenticators/pubkey_v1_authenticator.c sa/authenticators/pubkey_v1_authenticator.h \
+sa/authenticators/hybrid_authenticator.c sa/authenticators/hybrid_authenticator.h \
 sa/authenticators/xauth/xauth_method.c sa/authenticators/xauth/xauth_method.h \
 sa/authenticators/xauth/xauth_manager.c sa/authenticators/xauth/xauth_manager.h \
 sa/child_sa.c sa/child_sa.h \
index f2319a4..73029b9 100644 (file)
@@ -23,6 +23,7 @@
 #include <sa/authenticators/eap_authenticator.h>
 #include <sa/authenticators/psk_v1_authenticator.h>
 #include <sa/authenticators/pubkey_v1_authenticator.h>
+#include <sa/authenticators/hybrid_authenticator.h>
 #include <encoding/payloads/auth_payload.h>
 
 
@@ -127,6 +128,11 @@ authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
                        return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
                                                                                initiator, dh, dh_value, sa_payload,
                                                                                id_payload);
+               case AUTH_HYBRID_INIT_RSA:
+               case AUTH_HYBRID_RESP_RSA:
+                       return (authenticator_t*)hybrid_authenticator_create(ike_sa,
+                                                                               initiator, dh, dh_value, sa_payload,
+                                                                               id_payload);
                default:
                        return NULL;
        }
diff --git a/src/libcharon/sa/authenticators/hybrid_authenticator.c b/src/libcharon/sa/authenticators/hybrid_authenticator.c
new file mode 100644 (file)
index 0000000..f1bc1ec
--- /dev/null
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hybrid_authenticator.h"
+
+#include <daemon.h>
+
+typedef struct private_hybrid_authenticator_t private_hybrid_authenticator_t;
+
+/**
+ * Private data of an hybrid_authenticator_t object.
+ */
+struct private_hybrid_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       hybrid_authenticator_t public;
+
+       /**
+        * Public key authenticator
+        */
+       authenticator_t *sig;
+
+       /**
+        * HASH payload authenticator without credentials
+        */
+       authenticator_t *hash;
+};
+
+METHOD(authenticator_t, build_i, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->hash->build(this->hash, message);
+}
+
+METHOD(authenticator_t, process_r, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->hash->process(this->hash, message);
+}
+
+METHOD(authenticator_t, build_r, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->sig->build(this->sig, message);
+}
+
+METHOD(authenticator_t, process_i, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->sig->process(this->sig, message);
+}
+
+METHOD(authenticator_t, destroy, void,
+       private_hybrid_authenticator_t *this)
+{
+       DESTROY_IF(this->hash);
+       DESTROY_IF(this->sig);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload)
+{
+       private_hybrid_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .sig = authenticator_create_v1(ike_sa, initiator, AUTH_RSA, dh,
+                                                       dh_value, sa_payload, id_payload),
+               .hash = authenticator_create_v1(ike_sa, initiator, AUTH_PSK,
+                                                       dh, dh_value, sa_payload, chunk_clone(id_payload)),
+       );
+       if (!this->sig || !this->hash)
+       {
+               destroy(this);
+               return NULL;
+       }
+       if (initiator)
+       {
+               this->public.authenticator.build = _build_i;
+               this->public.authenticator.process = _process_i;
+       }
+       else
+       {
+               this->public.authenticator.build = _build_r;
+               this->public.authenticator.process = _process_r;
+       }
+       return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/hybrid_authenticator.h b/src/libcharon/sa/authenticators/hybrid_authenticator.h
new file mode 100644 (file)
index 0000000..3705747
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hybrid_authenticator hybrid_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef HYBRID_AUTHENTICATOR_H_
+#define HYBRID_AUTHENTICATOR_H_
+
+typedef struct hybrid_authenticator_t hybrid_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using IKEv1 hybrid authentication.
+ */
+struct hybrid_authenticator_t {
+
+       /**
+        * Implemented authenticator_t interface.
+        */
+       authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build hybrid signatures.
+ *
+ * @param ike_sa                       associated IKE_SA
+ * @param initiator                    TRUE if we are the IKE_SA initiator
+ * @param dh                           diffie hellman key exchange
+ * @param dh_value                     others public diffie hellman value
+ * @param sa_payload           generated SA payload data, without payload header
+ * @param id_payload           encoded ID payload of peer to authenticate or verify
+ *                                                     without payload header (gets owned)
+ * @return                                     hybrid authenticator
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload);
+
+#endif /** HYBRID_AUTHENTICATOR_H_ @}*/