sa/transactions/dead_peer_detection.h sa/transactions/dead_peer_detection.c \
sa/transactions/delete_ike_sa.h sa/transactions/delete_ike_sa.c \
sa/transactions/rekey_ike_sa.h sa/transactions/rekey_ike_sa.c \
+sa/authenticators/authenticator.h sa/authenticators/authenticator.c \
+sa/authenticators/rsa_authenticator.h sa/authenticators/rsa_authenticator.c \
+sa/authenticators/psk_authenticator.h sa/authenticators/psk_authenticator.c \
sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
+sa/ike_sa_id.c sa/ike_sa_id.h encoding/payloads/encryption_payload.c \
encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
{
static int current_num = 0, stored_num;
- stored_num = (int)pthread_getspecific(this->thread_id);
+ stored_num = (int)(intptr_t)pthread_getspecific(this->thread_id);
if (stored_num == 0)
{ /* first call of current thread */
- pthread_setspecific(this->thread_id, (void*)++current_num);
+ pthread_setspecific(this->thread_id, (void*)(intptr_t)++current_num);
return current_num;
}
else
*thread = listener->thread;
*ike_sa = listener->ike_sa;
*format = listener->format;
- *args = listener->args;
+ va_copy(*args, listener->args);
+ va_end(listener->args);
return listener->signal;
}
bus_listener_t *listener;
active_listener_t *active_listener;
ike_sa_t *ike_sa;
- int thread;
+ long thread;
ike_sa = pthread_getspecific(this->thread_sa);
thread = get_thread_number(this);
{
pthread_cond_wait(&active_listener->cond, &this->mutex);
}
- va_end(active_listener->args);
}
iterator->destroy(iterator);
#ifndef BUS_H_
#define BUS_H_
+typedef enum signal_t signal_t;
+typedef enum level_t level_t;
+typedef struct bus_listener_t bus_listener_t;
+typedef struct bus_t bus_t;
+
#include <stdarg.h>
#include <sa/ike_sa.h>
#include <sa/child_sa.h>
-typedef enum signal_t signal_t;
-
/**
* @brief signals emitted by the daemon.
*
*/
extern enum_name_t *signal_names;
-typedef enum level_t level_t;
-
/**
* Signal levels used to control output verbosity.
*/
#define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig)
-typedef struct bus_listener_t bus_listener_t;
-
/**
* @brief Interface for registering at the signal bus.
*
int thread, ike_sa_t *ike_sa, char* format, va_list args);
};
-
-typedef struct bus_t bus_t;
-
/**
* @brief Signal bus which sends signals to registered listeners.
*
#ifndef FILE_LOGGER_H_
#define FILE_LOGGER_H_
-#include <bus/bus.h>
-
-
typedef struct file_logger_t file_logger_t;
+#include <bus/bus.h>
+
/**
* @brief Logger to files which implements bus_listener_t.
- *
+ *
* @b Constructors:
* - file_logger_create()
- *
+ *
* @ingroup listeners
*/
struct file_logger_t {
#ifndef SYS_LOGGER_H_
#define SYS_LOGGER_H_
+typedef struct sys_logger_t sys_logger_t;
+
#include <syslog.h>
#include <bus/bus.h>
-
-typedef struct sys_logger_t sys_logger_t;
-
/**
* @brief Logger for syslog which implements bus_listener_t.
- *
+ *
* @b Constructors:
* - sys_logger_create()
- *
+ *
* @ingroup listeners
*/
struct sys_logger_t {
#ifndef CONFIGURATION_H_
#define CONFIGURATION_H_
-#include <types.h>
-
-
typedef struct configuration_t configuration_t;
+#include <types.h>
+
/**
* @brief The interface for various daemon related configs.
*
#ifndef CONNECTION_H_
#define CONNECTION_H_
+typedef enum cert_policy_t cert_policy_t;
+typedef struct connection_t connection_t;
+
#include <types.h>
#include <utils/host.h>
#include <utils/linked_list.h>
#include <config/proposal.h>
#include <crypto/diffie_hellman.h>
-typedef enum cert_policy_t cert_policy_t;
/**
* Certificate sending policy. This is also used for certificate
*/
extern enum_name_t *cert_policy_names;
-
-typedef struct connection_t connection_t;
-
/**
* @brief A connection_t defines the rules to set up an IKE_SA.
*
- *
* @b Constructors:
* - connection_create()
- *
+ *
* @ingroup config
*/
struct connection_t {
#ifndef CONNECTION_STORE_H_
#define CONNECTION_STORE_H_
+typedef struct connection_store_t connection_store_t;
+
#include <types.h>
#include <config/connections/connection.h>
#include <utils/iterator.h>
-
-typedef struct connection_store_t connection_store_t;
-
/**
* @brief The interface for a store of connection_t's.
*
#ifndef LOCAL_CONNECTION_H_
#define LOCAL_CONNECTION_H_
+typedef struct local_connection_store_t local_connection_store_t;
+
#include <types.h>
#include <config/connections/connection_store.h>
-
-typedef struct local_connection_store_t local_connection_store_t;
-
/**
* @brief A connection_store_t implementation using a simple connection list.
*
#ifndef CREDENTIAL_STORE_H_
#define CREDENTIAL_STORE_H_
+typedef struct credential_store_t credential_store_t;
+
#include <types.h>
#include <crypto/x509.h>
#include <crypto/rsa/rsa_private_key.h>
#include <utils/identification.h>
-typedef struct credential_store_t credential_store_t;
-
/**
* @brief The interface for a credential_store backend.
- *
+ *
* @b Constructors:
- * - stroke_create()
- *
+ * - stroke_create()
+ *
* @ingroup config
*/
struct credential_store_t {
this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key;
this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
this->public.credential_store.get_ca_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_ca_certificate;
- this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,identification_t*))get_ca_certificate_by_keyid;
+ this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
this->public.credential_store.get_issuer_certificate = (x509_t* (*) (credential_store_t*,const x509_t*))get_issuer_certificate;
this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
#ifndef LOCAL_CREDENTIAL_H_
#define LOCAL_CREDENTIAL_H_
+typedef struct local_credential_store_t local_credential_store_t;
+
#include <types.h>
#include <daemon.h>
#include <config/credentials/credential_store.h>
-typedef struct local_credential_store_t local_credential_store_t;
-
/**
* @brief A credential_store_t implementation using simple credentail lists.
*
#ifndef LOCAL_POLICY_STORE_H_
#define LOCAL_POLICY_STORE_H_
+typedef struct local_policy_store_t local_policy_store_t;
+
#include <types.h>
#include <config/policies/policy_store.h>
-typedef struct local_policy_store_t local_policy_store_t;
-
/**
* @brief A policy_store_t implementation using a simple policy lists.
*
#include <utils/linked_list.h>
#include <utils/identification.h>
-ENUM(auth_method_names, RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE,
- "RSA signature",
- "pre-shared key",
- "DSS signature"
-);
-
-
ENUM(dpd_action_names, DPD_NONE, DPD_RESTART,
"DPD_NONE",
"DPD_CLEAR",
#ifndef POLICY_H_
#define POLICY_H_
+typedef enum dpd_action_t dpd_action_t;
+typedef struct policy_t policy_t;
+
#include <types.h>
#include <utils/identification.h>
#include <config/traffic_selector.h>
#include <config/proposal.h>
+#include <sa/authenticators/authenticator.h>
-typedef enum auth_method_t auth_method_t;
-
-/**
- * AUTH Method to use.
- *
- * @ingroup config
- */
-enum auth_method_t {
- /**
- * Computed as specified in section 2.15 of RFC using
- * an RSA private key over a PKCS#1 padded hash.
- */
- RSA_DIGITAL_SIGNATURE = 1,
-
- /**
- * Computed as specified in section 2.15 of RFC using the
- * shared key associated with the identity in the ID payload
- * and the negotiated prf function
- */
- SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
-
- /**
- * Computed as specified in section 2.15 of RFC using a
- * DSS private key over a SHA-1 hash.
- */
- DSS_DIGITAL_SIGNATURE = 3,
-};
-
-/**
- * enum names for auth_method_t.
- *
- * @ingroup config
- */
-extern enum_name_t *auth_method_names;
-
-
-typedef enum dpd_action_t dpd_action_t;
/**
* @brief Actions to take when a peer does not respond (dead peer detected).
*/
extern enum_name_t *dpd_action_names;
-
-typedef struct policy_t policy_t;
-
/**
* @brief A policy_t defines the policies to apply to CHILD_SAs.
- *
+ *
* The given two IDs identify a policy. These rules define how
* child SAs may be set up and which traffic may be IPsec'ed.
- *
+ *
* @b Constructors:
* - policy_create()
- *
+ *
* @ingroup config
*/
struct policy_t {
#ifndef POLICY_STORE_H_
#define POLICY_STORE_H_
+typedef struct policy_store_t policy_store_t;
+
#include <types.h>
#include <config/policies/policy.h>
#include <utils/linked_list.h>
-typedef struct policy_store_t policy_store_t;
-
/**
* @brief The interface for a store of policy_t's.
*
#ifndef PROPOSAL_H_
#define PROPOSAL_H_
+typedef enum protocol_id_t protocol_id_t;
+typedef enum transform_type_t transform_type_t;
+typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
+typedef struct algorithm_t algorithm_t;
+typedef struct proposal_t proposal_t;
+
#include <types.h>
#include <utils/identification.h>
#include <utils/linked_list.h>
#include <crypto/diffie_hellman.h>
#include <config/traffic_selector.h>
-
-typedef enum protocol_id_t protocol_id_t;
-
/**
* Protocol ID of a proposal.
- *
+ *
* @ingroup config
*/
enum protocol_id_t {
extern enum_name_t *protocol_id_names;
-typedef enum transform_type_t transform_type_t;
-
/**
* Type of a transform, as in IKEv2 RFC 3.3.2.
- *
+ *
* @ingroup config
*/
enum transform_type_t {
extern enum_name_t *transform_type_names;
-typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
-
-/**
+/**
* Extended sequence numbers, as in IKEv2 RFC 3.3.2.
- *
+ *
* @ingroup config
*/
enum extended_sequence_numbers_t {
extern enum_name_t *extended_sequence_numbers_names;
-typedef struct algorithm_t algorithm_t;
/**
* Struct used to store different kinds of algorithms. The internal
u_int16_t key_size;
};
-typedef struct proposal_t proposal_t;
-
/**
* @brief Stores a set of algorithms used for an SA.
*
#ifndef TRAFFIC_SELECTOR_H_
#define TRAFFIC_SELECTOR_H_
+typedef enum ts_type_t ts_type_t;
+typedef struct traffic_selector_t traffic_selector_t;
+
#include <types.h>
#include <utils/host.h>
*/
#define TRAFFIC_SELECTOR_PRINTF_SPEC 'R'
-typedef enum ts_type_t ts_type_t;
-
/**
* Traffic selector types.
*
*/
extern enum_name_t *ts_type_name;
-
-typedef struct traffic_selector_t traffic_selector_t;
-
/**
* @brief Object representing a traffic selector entry.
- *
+ *
* A traffic selector defines an range of addresses
* and a range of ports. IPv6 is not fully supported yet.
- *
+ *
* @b Constructors:
* - traffic_selector_create_from_bytes()
* - traffic_selector_create_from_string()
- *
+ *
* @todo Add IPv6 support
- *
+ *
* @ingroup config
*/
struct traffic_selector_t {
#ifndef DAEMON_H_
#define DAEMON_H_
+typedef struct daemon_t daemon_t;
+
#include <threads/sender.h>
#include <threads/receiver.h>
#include <threads/scheduler.h>
*/
#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
-
-typedef struct daemon_t daemon_t;
-
/**
* @brief Main class of daemon, contains some globals.
- *
+ *
* @ingroup charon
- */
+ */
struct daemon_t {
/**
* A socket_t instance.
#ifndef GENERATOR_H_
#define GENERATOR_H_
+typedef struct generator_t generator_t;
+
#include <types.h>
#include <encoding/payloads/encodings.h>
#include <encoding/payloads/payload.h>
/**
* Generating is done in a data buffer.
* This is thehe start size of this buffer in bytes.
- *
+ *
* @ingroup enconding
*/
#define GENERATOR_DATA_BUFFER_SIZE 500
/**
* Number of bytes to increase the buffer, if it is to small.
- *
+ *
* @ingroup enconding
*/
#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
-typedef struct generator_t generator_t;
-
/**
* @brief A generator_t class used to generate IKEv2 payloads.
- *
+ *
* After creation, multiple payloads can be generated with the generate_payload
* method. The generated bytes are appended. After all payloads are added,
* the write_to_chunk method writes out all generated data since
#ifndef MESSAGE_H_
#define MESSAGE_H_
+typedef struct message_t message_t;
+
#include <types.h>
#include <sa/ike_sa_id.h>
#include <network/packet.h>
*/
#define MESSAGE_PRINTF_SPEC 'M'
-
-typedef struct message_t message_t;
-
/**
* @brief This class is used to represent an IKEv2-Message.
*
#ifndef PARSER_H_
#define PARSER_H_
+typedef struct parser_t parser_t;
+
#include <types.h>
#include <encoding/payloads/encodings.h>
#include <encoding/payloads/payload.h>
-
-typedef struct parser_t parser_t;
-
/**
* @brief A parser_t class to parse IKEv2 payloads.
- *
+ *
* A parser is used for parsing one chunk of data. Multiple
* payloads can be parsed out of the chunk using parse_payload.
* The parser remains the state until destroyed.
- *
+ *
* @b Constructors:
* - parser_create()
- *
+ *
* @ingroup encoding
*/
struct parser_t {
*
* The defined offsets are the positions in a object of type
* private_auth_payload_t.
- *
*/
encoding_rule_t auth_payload_encodings[] = {
/* 1 Byte next payload type, stored in the field next_payload */
/* the critical bit */
{ FLAG, offsetof(private_auth_payload_t, critical) },
/* 7 Bit reserved bits, nowhere stored */
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
/* Length of the whole payload*/
{ PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)},
/* 1 Byte AUTH type*/
{ U_INT_8, offsetof(private_auth_payload_t, auth_method) },
/* 3 reserved bytes */
- { RESERVED_BYTE, 0 },
- { RESERVED_BYTE, 0 },
- { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
- { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) }
+ { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) }
};
/*
*/
static status_t verify(private_auth_payload_t *this)
{
- if ((this->auth_method == 0) ||
- ((this->auth_method >= 4) && (this->auth_method <= 200)))
+ if (this->auth_method == 0 ||
+ (this->auth_method >= 4 && this->auth_method <= 200))
{
/* reserved IDs */
return FAILED;
* for more details.
*/
-
#ifndef AUTH_PAYLOAD_H_
#define AUTH_PAYLOAD_H_
+typedef struct auth_payload_t auth_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
-#include <config/policies/policy.h>
+#include <sa/authenticators/authenticator.h>
/**
* Length of a auth payload without the auth data in bytes.
*/
#define AUTH_PAYLOAD_HEADER_LENGTH 8
-
-typedef struct auth_payload_t auth_payload_t;
-
/**
* @brief Class representing an IKEv2 AUTH payload.
- *
+ *
* The AUTH payload format is described in RFC section 3.8.
- *
+ *
* @b Constructors:
* - auth_payload_create()
- *
+ *
* @ingroup payloads
*/
struct auth_payload_t {
#ifndef CERT_PAYLOAD_H_
#define CERT_PAYLOAD_H_
+typedef enum cert_encoding_t cert_encoding_t;
+typedef struct cert_payload_t cert_payload_t;
+
#include <types.h>
#include <crypto/x509.h>
#include <encoding/payloads/payload.h>
*/
#define CERT_PAYLOAD_HEADER_LENGTH 5
-
-typedef enum cert_encoding_t cert_encoding_t;
-
/**
* @brief Certificate encoding, as described in IKEv2 RFC section 3.6
- *
+ *
* @ingroup payloads
*/
enum cert_encoding_t {
*/
extern enum_name_t *cert_encoding_names;
-typedef struct cert_payload_t cert_payload_t;
-
/**
* @brief Class representing an IKEv2 CERT payload.
- *
+ *
* The CERT payload format is described in RFC section 3.6.
* This is just a dummy implementation to fullfill the standards
* requirements. A full implementation would offer setters/getters
*
* @b Constructors:
* - cert_payload_create()
- *
+ *
* @todo Implement setters/getters for the different certificate encodings.
- *
+ *
* @ingroup payloads
*/
struct cert_payload_t {
#ifndef CERTREQ_PAYLOAD_H_
#define CERTREQ_PAYLOAD_H_
+typedef struct certreq_payload_t certreq_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/cert_payload.h>
#define CERTREQ_PAYLOAD_HEADER_LENGTH 5
-typedef struct certreq_payload_t certreq_payload_t;
-
/**
* @brief Class representing an IKEv2 CERTREQ payload.
- *
+ *
* The CERTREQ payload format is described in RFC section 3.7.
* This is just a dummy implementation to fullfill the standards
* requirements. A full implementation would offer setters/getters
* for the different encoding types.
- *
+ *
* @b Constructors:
* - certreq_payload_create()
- *
+ *
* @todo Implement payload functionality.
- *
+ *
* @ingroup payloads
*/
struct certreq_payload_t {
#ifndef CONFIGURATION_ATTRIBUTE_H_
#define CONFIGURATION_ATTRIBUTE_H_
+typedef enum configuration_attribute_type_t configuration_attribute_type_t;
+typedef struct configuration_attribute_t configuration_attribute_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
-
/**
* Configuration attribute header length in bytes.
*
*/
#define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
-
-typedef enum configuration_attribute_type_t configuration_attribute_type_t;
-
/**
* Type of the attribute, as in IKEv2 RFC 3.15.1.
*
*/
extern enum_name_t *configuration_attribute_type_names;
-typedef struct configuration_attribute_t configuration_attribute_t;
-
/**
* @brief Class representing an IKEv2-CONFIGURATION Attribute.
*
#ifndef CP_PAYLOAD_H_
#define CP_PAYLOAD_H_
+typedef enum config_type_t config_type_t;
+typedef struct cp_payload_t cp_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/configuration_attribute.h>
*/
#define CP_PAYLOAD_HEADER_LENGTH 8
-
-typedef enum config_type_t config_type_t;
-
/**
* Config Type of an Configuration Payload.
- *
+ *
* @ingroup payloads
*/
enum config_type_t {
*/
extern enum_name_t *config_type_names;
-
-typedef struct cp_payload_t cp_payload_t;
-
/**
* @brief Class representing an IKEv2-CP Payload.
*
#ifndef DELETE_PAYLOAD_H_
#define DELETE_PAYLOAD_H_
+typedef struct delete_payload_t delete_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
/**
* Length of a delete payload without the SPI in bytes.
- *
+ *
* @ingroup payloads
*/
#define DELETE_PAYLOAD_HEADER_LENGTH 8
-
-
-typedef struct delete_payload_t delete_payload_t;
-
/**
* @brief Class representing an IKEv2 DELETE payload.
- *
+ *
* The DELETE payload format is described in RFC section 3.11.
- *
+ *
* @b Constructors:
* - delete_payload_create()
- *
+ *
* @todo Implement better setter/getters
- *
+ *
* @ingroup payloads
*/
struct delete_payload_t {
#ifndef EAP_PAYLOAD_H_
#define EAP_PAYLOAD_H_
+typedef struct eap_payload_t eap_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
*/
#define EAP_PAYLOAD_HEADER_LENGTH 4
-
-typedef struct eap_payload_t eap_payload_t;
-
/**
* @brief Class representing an IKEv2 EAP payload.
- *
+ *
* The EAP payload format is described in RFC section 3.16.
*
* @b Constructors:
* - eap_payload_create()
- *
+ *
* @todo Implement functionality for this payload
- *
+ *
* @ingroup payloads
*/
struct eap_payload_t {
#ifndef ENCODINGS_H_
#define ENCODINGS_H_
-#include <types.h>
-#include <definitions.h>
+typedef enum encoding_type_t encoding_type_t;
+typedef struct encoding_rule_t encoding_rule_t;
-typedef enum encoding_type_t encoding_type_t;
+#include <types.h>
+#include <definitions.h>
/**
* @brief All different kinds of encoding types.
* Each field of an IKEv2-Message (in header or payload)
* which has to be parsed or generated differently has its own
* type defined here.
- *
+ *
* Header is parsed like a payload and gets its one payload_id
* from PRIVATE USE space. Also the substructures
* of specific payload types get their own payload_id
* from PRIVATE_USE space. See IKEv2-Draft for more informations.
- *
+ *
* @ingroup payloads
*/
enum encoding_type_t {
*/
extern enum_name_t *encoding_type_names;
-
-typedef struct encoding_rule_t encoding_rule_t;
-
/**
* An encoding rule is a mapping of a specific encoding type to
* a location in the data struct where the current field is stored to
#ifndef ENCRYPTION_PAYLOAD_H_
#define ENCRYPTION_PAYLOAD_H_
+typedef struct encryption_payload_t encryption_payload_t;
+
#include <types.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
-typedef struct encryption_payload_t encryption_payload_t;
-
-/**
+/**
* @brief The encryption payload as described in RFC section 3.14.
- *
+ *
* Before any crypt/decrypt/sign/verify operation can occur,
* the transforms must be set. After that, a parsed encryption payload
* can be decrypted, which also will parse the contained payloads.
* must be builded after generation of all payloads and the encryption
* of the encryption payload.
* Signature verificatin is done before decryption.
- *
+ *
* @b Constructors:
* - encryption_payload_create()
- *
+ *
* @ingroup payloads
*/
struct encryption_payload_t {
#ifndef ID_PAYLOAD_H_
#define ID_PAYLOAD_H_
+typedef struct id_payload_t id_payload_t;
+
#include <types.h>
#include <utils/identification.h>
#include <encoding/payloads/payload.h>
*/
#define ID_PAYLOAD_HEADER_LENGTH 8
-
-typedef struct id_payload_t id_payload_t;
-
/**
* Object representing an IKEv2 ID payload.
- *
+ *
* The ID payload format is described in RFC section 3.5.
- *
+ *
* @b Constructors:
* - id_payload_create_from_identification()
* - id_payload_create()
- *
+ *
* @ingroup payloads
*/
struct id_payload_t {
#ifndef IKE_HEADER_H_
#define IKE_HEADER_H_
+typedef enum exchange_type_t exchange_type_t;
+typedef struct ike_header_t ike_header_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
*/
#define IKE_HEADER_LENGTH 28
-typedef enum exchange_type_t exchange_type_t;
-
/**
* @brief Different types of IKE-Exchanges.
*
*/
extern enum_name_t *exchange_type_names;
-
-typedef struct ike_header_t ike_header_t;
-
/**
* @brief An object of this type represents an IKEv2 header and is used to
* generate and parse IKEv2 headers.
#ifndef KE_PAYLOAD_H_
#define KE_PAYLOAD_H_
+typedef struct ke_payload_t ke_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_substructure.h>
*/
#define KE_PAYLOAD_HEADER_LENGTH 8
-
-typedef struct ke_payload_t ke_payload_t;
-
/**
* @brief Class representing an IKEv2-KE Payload.
- *
+ *
* The KE Payload format is described in RFC section 3.4.
- *
+ *
* @b Constructors:
* - ke_payload_create()
- *
+ *
* @ingroup payloads
*/
struct ke_payload_t {
#ifndef NONCE_PAYLOAD_H_
#define NONCE_PAYLOAD_H_
+typedef struct nonce_payload_t nonce_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
*/
#define NONCE_PAYLOAD_HEADER_LENGTH 4
-typedef struct nonce_payload_t nonce_payload_t;
-
/**
* Object representing an IKEv2 Nonce payload.
*
#ifndef NOTIFY_PAYLOAD_H_
#define NOTIFY_PAYLOAD_H_
+typedef enum notify_type_t notify_type_t;
+typedef struct notify_payload_t notify_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
*/
#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
-typedef enum notify_type_t notify_type_t;
-
-
-/**
+/**
* @brief Notify message types.
- *
+ *
* See IKEv2 RFC 3.10.1.
- *
+ *
* @ingroup payloads
*/
enum notify_type_t {
extern enum_name_t *notify_type_names;
-typedef struct notify_payload_t notify_payload_t;
-
/**
* @brief Class representing an IKEv2-Notify Payload.
*
#ifndef PAYLOAD_H_
#define PAYLOAD_H_
+typedef enum payload_type_t payload_type_t;
+typedef struct payload_t payload_t;
+
#include <types.h>
#include <definitions.h>
#include <encoding/payloads/encodings.h>
-typedef enum payload_type_t payload_type_t;
-
/**
* @brief Payload-Types of a IKEv2-Message.
- *
+ *
* Header and substructures are also defined as
* payload types with values from PRIVATE USE space.
- *
+ *
* @ingroup payloads
*/
enum payload_type_t{
*/
extern enum_name_t *payload_type_short_names;
-
-typedef struct payload_t payload_t;
-
/**
* @brief Generic interface for all payload types (incl.header and substructures).
*
#ifndef PROPOSAL_SUBSTRUCTURE_H_
#define PROPOSAL_SUBSTRUCTURE_H_
+typedef struct proposal_substructure_t proposal_substructure_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/transform_substructure.h>
*/
#define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8
-
-typedef struct proposal_substructure_t proposal_substructure_t;
-
/**
* @brief Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
*
#ifndef SA_PAYLOAD_H_
#define SA_PAYLOAD_H_
+typedef struct sa_payload_t sa_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
*/
#define SA_PAYLOAD_HEADER_LENGTH 4
-typedef struct sa_payload_t sa_payload_t;
-
/**
* @brief Class representing an IKEv2-SA Payload.
- *
+ *
* The SA Payload format is described in RFC section 3.3.
- *
+ *
* @b Constructors:
* - sa_payload_create()
* - sa_payload_create_from_ike_proposals()
* - sa_payload_create_from_proposal()
- *
+ *
* @todo Add support of algorithms without specified keylength in get_proposals and get_ike_proposals.
- *
+ *
* @ingroup payloads
*/
struct sa_payload_t {
#ifndef TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
#define TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
+typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#include <utils/host.h>
*/
#define TRAFFIC_SELECTOR_HEADER_LENGTH 8
-typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
-
/**
* @brief Class representing an IKEv2 TRAFFIC SELECTOR.
*
#ifndef TRANSFORM_ATTRIBUTE_H_
#define TRANSFORM_ATTRIBUTE_H_
+typedef enum transform_attribute_type_t transform_attribute_type_t;
+typedef struct transform_attribute_t transform_attribute_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
-typedef enum transform_attribute_type_t transform_attribute_type_t;
-
/**
* Type of the attribute, as in IKEv2 RFC 3.3.5.
*
*/
extern enum_name_t *transform_attribute_type_names;
-typedef struct transform_attribute_t transform_attribute_t;
-
/**
* @brief Class representing an IKEv2- TRANSFORM Attribute.
*
#ifndef TRANSFORM_SUBSTRUCTURE_H_
#define TRANSFORM_SUBSTRUCTURE_H_
+typedef struct transform_substructure_t transform_substructure_t;
+
#include <types.h>
#include <definitions.h>
#include <encoding/payloads/payload.h>
#define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
-typedef struct transform_substructure_t transform_substructure_t;
-
/**
* @brief Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
*
#ifndef TS_PAYLOAD_H_
#define TS_PAYLOAD_H_
+typedef struct ts_payload_t ts_payload_t;
+
#include <types.h>
#include <utils/linked_list.h>
#include <config/traffic_selector.h>
#define TS_PAYLOAD_HEADER_LENGTH 8
-typedef struct ts_payload_t ts_payload_t;
-
/**
* @brief Class representing an IKEv2 TS payload.
- *
+ *
* The TS payload format is described in RFC section 3.13.
- *
+ *
* @b Constructors:
* - ts_payload_create()
* - ts_payload_create_from_traffic_selectors()
- *
+ *
* @ingroup payloads
*/
struct ts_payload_t {
#ifndef UNKNOWN_PAYLOAD_H_
#define UNKNOWN_PAYLOAD_H_
+typedef struct unknown_payload_t unknown_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
*/
#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
-
-typedef struct unknown_payload_t unknown_payload_t;
-
/**
* @brief Payload which can't be processed further.
- *
+ *
* When the parser finds an unknown payload, he builds an instance of
* this class. This allows further processing of this payload, such as
* a check for the critical bit in the header.
- *
+ *
* @b Constructors:
* - unknown_payload_create()
- *
+ *
* @ingroup payloads
*/
struct unknown_payload_t {
#ifndef VENDOR_ID_PAYLOAD_H_
#define VENDOR_ID_PAYLOAD_H_
+typedef struct vendor_id_payload_t vendor_id_payload_t;
+
#include <types.h>
#include <encoding/payloads/payload.h>
#define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
-typedef struct vendor_id_payload_t vendor_id_payload_t;
-
/**
* @brief Class representing an IKEv2 VENDOR ID payload.
- *
+ *
* The VENDOR ID payload format is described in RFC section 3.12.
- *
+ *
* @b Constructors:
* - vendor_id_payload_create()
- *
+ *
* @ingroup payloads
*/
struct vendor_id_payload_t {
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
-
+
#ifndef PACKET_H_
#define PACKET_H_
+typedef struct packet_t packet_t;
#include <types.h>
#include <utils/host.h>
-
-typedef struct packet_t packet_t;
-
/**
* @brief Abstraction of an UDP-Packet, contains data, sender and receiver.
- *
+ *
* @b Constructors:
* - packet_create()
- *
+ *
* @ingroup network
*/
struct packet_t {
#ifndef SOCKET_H_
#define SOCKET_H_
+typedef struct socket_t socket_t;
#include <types.h>
#include <network/packet.h>
#include <utils/host.h>
#include <utils/linked_list.h>
-
/**
* @brief Maximum size of a packet.
- *
+ *
* 3000 Bytes should be sufficient, see IKEv2 RFC.
- *
+ *
* @ingroup network
*/
#define MAX_PACKET 3000
-
-typedef struct socket_t socket_t;
-
/**
* @brief Abstraction of all sockets (IPv6/IPv6 send/receive).
*
#ifndef EVENT_QUEUE_H_
#define EVENT_QUEUE_H_
+typedef struct event_queue_t event_queue_t;
+
#include <sys/time.h>
#include <types.h>
#include <queues/jobs/job.h>
-typedef struct event_queue_t event_queue_t;
-
/**
* @brief Event-Queue used to store timed events.
*
#ifndef JOB_QUEUE_H_
#define JOB_QUEUE_H_
+typedef struct job_queue_t job_queue_t;
+
#include <types.h>
#include <queues/jobs/job.h>
-typedef struct job_queue_t job_queue_t;
-
/**
* @brief The job queue stores jobs, which will be processed by the thread_pool_t.
*
#ifndef ACQUIRE_JOB_H_
#define ACQUIRE_JOB_H_
+typedef struct acquire_job_t acquire_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
-
-typedef struct acquire_job_t acquire_job_t;
-
/**
* @brief Class representing an ACQUIRE Job.
*
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
-
+
#ifndef DELETE_CHILD_SA_JOB_H_
#define DELETE_CHILD_SA_JOB_H_
+typedef struct delete_child_sa_job_t delete_child_sa_job_t;
+
#include <types.h>
#include <sa/ike_sa_id.h>
#include <queues/jobs/job.h>
#include <config/proposal.h>
-typedef struct delete_child_sa_job_t delete_child_sa_job_t;
-
/**
* @brief Class representing an DELETE_CHILD_SA Job.
*
#ifndef DELETE_IKE_SA_JOB_H_
#define DELETE_IKE_SA_JOB_H_
+typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
+
#include <types.h>
#include <sa/ike_sa_id.h>
#include <queues/jobs/job.h>
-typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
-
/**
* @brief Class representing an DELETE_IKE_SA Job.
- *
+ *
* This job is responsible for deleting established or half open IKE_SAs.
* A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
* state.
- *
+ *
* @b Constructors:
* - delete_ike_sa_job_create()
- *
+ *
* @ingroup jobs
*/
struct delete_ike_sa_job_t {
#ifndef INCOMING_PACKET_JOB_H_
#define INCOMING_PACKET_JOB_H_
+typedef struct incoming_packet_job_t incoming_packet_job_t;
+
#include <types.h>
#include <network/packet.h>
#include <queues/jobs/job.h>
-
-typedef struct incoming_packet_job_t incoming_packet_job_t;
-
/**
* @brief Class representing an INCOMING_PACKET Job.
- *
+ *
* An incoming pack job is created from the receiver, which has
* read a packet to process from the socket.
- *
+ *
* @b Constructors:
* - incoming_packet_job_create()
- *
+ *
* @ingroup jobs
*/
struct incoming_packet_job_t {
#ifndef INITIATE_IKE_SA_JOB_H_
#define INITIATE_IKE_SA_JOB_H_
+typedef struct initiate_job_t initiate_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
#include <config/connections/connection.h>
#include <config/policies/policy.h>
-
-typedef struct initiate_job_t initiate_job_t;
-
/**
* @brief Class representing an INITIATE_IKE_SA Job.
*
#ifndef JOB_H_
#define JOB_H_
+typedef enum job_type_t job_type_t;
+typedef struct job_t job_t;
+
#include <types.h>
#include <definitions.h>
-
-typedef enum job_type_t job_type_t;
-
/**
* @brief Definition of the various job types.
- *
+ *
* @ingroup jobs
*/
enum job_type_t {
extern enum_name_t *job_type_names;
-typedef struct job_t job_t;
-
/**
* @brief Job-Interface as it is stored in the job queue.
*
#ifndef REKEY_CHILD_SA_JOB_H_
#define REKEY_CHILD_SA_JOB_H_
+typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
+
#include <types.h>
#include <sa/ike_sa_id.h>
#include <queues/jobs/job.h>
#include <config/proposal.h>
-
-typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
-
/**
* @brief Class representing an REKEY_CHILD_SA Job.
- *
+ *
* This job initiates the rekeying of a CHILD SA.
- *
+ *
* @b Constructors:
* - rekey_child_sa_job_create()
- *
+ *
* @ingroup jobs
*/
struct rekey_child_sa_job_t {
#ifndef REKEY_IKE_SA_JOB_H_
#define REKEY_IKE_SA_JOB_H_
+typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
+
#include <types.h>
#include <sa/ike_sa_id.h>
#include <queues/jobs/job.h>
-
-typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
-
/**
* @brief Class representing an REKEY_IKE_SA Job.
*
#ifndef RESEND_MESSAGE_JOB_H_
#define RESEND_MESSAGE_JOB_H_
+typedef struct retransmit_request_job_t retransmit_request_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
#include <sa/ike_sa_id.h>
-
-typedef struct retransmit_request_job_t retransmit_request_job_t;
-
/**
* @brief Class representing an RETRANSMIT_REQUEST Job.
- *
+ *
* This job is scheduled every time a request is sent over the
* wire. If the response to the request is not received at schedule
* time, the retransmission will be initiated.
- *
+ *
* @b Constructors:
* - retransmit_request_job_create()
- *
+ *
* @ingroup jobs
*/
struct retransmit_request_job_t {
#ifndef ROUTE_JOB_H_
#define ROUTE_JOB_H_
+typedef struct route_job_t route_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
#include <config/policies/policy.h>
#include <config/connections/connection.h>
-
-typedef struct route_job_t route_job_t;
-
/**
* @brief Class representing an ROUTE Job.
- *
+ *
* @b Constructors:
* - route_job_create()
- *
+ *
* @ingroup jobs
*/
struct route_job_t {
#ifndef SEND_DPD_JOB_H_
#define SEND_DPD_JOB_H_
+typedef struct send_dpd_job_t send_dpd_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
#include <config/connections/connection.h>
#include <sa/ike_sa_id.h>
-
-typedef struct send_dpd_job_t send_dpd_job_t;
-
/**
* @brief Class representing a SEND_DPD Job.
*
#ifndef SEND_KEEPALIVE_JOB_H_
#define SEND_KEEPALIVE_JOB_H_
+typedef struct send_keepalive_job_t send_keepalive_job_t;
+
#include <types.h>
#include <queues/jobs/job.h>
#include <config/connections/connection.h>
#include <sa/ike_sa_id.h>
-
-typedef struct send_keepalive_job_t send_keepalive_job_t;
-
/**
* @brief Class representing a SEND_KEEPALIVE Job.
*
#ifndef SEND_QUEUE_H_
#define SEND_QUEUE_H_
+typedef struct send_queue_t send_queue_t;
+
#include <types.h>
#include <network/packet.h>
-
-typedef struct send_queue_t send_queue_t;
-
/**
* @brief The send queue stores packet for the sender_t instance.
*
+++ /dev/null
-/**
- * @file authenticator.c
- *
- * @brief Implementation of authenticator_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "authenticator.h"
-
-#include <config/policies/policy.h>
-#include <daemon.h>
-
-/**
- * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-#define IKEV2_KEY_PAD "Key Pad for IKEv2"
-
-
-typedef struct private_authenticator_t private_authenticator_t;
-
-/**
- * Private data of an authenticator_t object.
- */
-struct private_authenticator_t {
-
- /**
- * Public authenticator_t interface.
- */
- authenticator_t public;
-
- /**
- * Assigned IKE_SA
- */
- ike_sa_t *ike_sa;
-
- /**
- * auth_method to create own signature/mac/whatever..
- */
- auth_method_t auth_method;
-
- /**
- * PRF taken from the IKE_SA.
- */
- prf_t *prf;
-};
-
-/**
- * Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306
- */
-static chunk_t build_tbs_octets(private_authenticator_t *this,
- chunk_t last_message,
- chunk_t other_nonce,
- identification_t *id,
- bool initiator)
-{
- prf_t *prf;
-
- chunk_t id_encoding = id->get_encoding(id);
- u_int8_t id_with_header[4 + id_encoding.len];
- chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
-
- u_int8_t *current_pos;
- chunk_t octets;
-
- id_with_header[0] = id->get_type(id);
- id_with_header[1] = 0x00;
- id_with_header[2] = 0x00;
- id_with_header[3] = 0x00;
- memcpy(id_with_header + 4, id_encoding.ptr, id_encoding.len);
-
- if (initiator)
- {
- prf = this->ike_sa->get_prf_auth_i(this->ike_sa);
- }
- else
- {
- prf = this->ike_sa->get_prf_auth_r(this->ike_sa);
- }
-
- /* 4 bytes are id type and reserved fields of id payload */
- octets.len = last_message.len + other_nonce.len + prf->get_block_size(prf);
- octets.ptr = malloc(octets.len);
- current_pos = octets.ptr;
- memcpy(current_pos, last_message.ptr, last_message.len);
- current_pos += last_message.len;
- memcpy(current_pos, other_nonce.ptr, other_nonce.len);
- current_pos += other_nonce.len;
- prf->get_bytes(prf, id_with_header_chunk, current_pos);
-
- return octets;
-}
-
-/**
- * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-static chunk_t build_shared_key_signature(private_authenticator_t *this,
- chunk_t last_message,
- chunk_t nonce,
- identification_t *id,
- bool initiator,
- chunk_t secret)
-{
- chunk_t key_pad = {ptr: IKEV2_KEY_PAD, len:strlen(IKEV2_KEY_PAD)};
- u_int8_t key_buffer[this->prf->get_block_size(this->prf)];
- chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)};
- chunk_t auth_data;
-
- chunk_t octets = build_tbs_octets(this, last_message, nonce, id, initiator);
-
- /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
- this->prf->set_key(this->prf, secret);
- this->prf->get_bytes(this->prf, key_pad, key_buffer);
- this->prf->set_key(this->prf, key);
- this->prf->allocate_bytes(this->prf, octets, &auth_data);
- DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
- DBG3(DBG_IKE, "secret %B", &secret);
- DBG3(DBG_IKE, "keypad %B", &key_pad);
- DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
- DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
- chunk_free(&octets);
-
- return auth_data;
-}
-
-/**
- * Implementation of authenticator_t.verify_auth_data.
- */
-static status_t verify_auth_data (private_authenticator_t *this,
- auth_payload_t *auth_payload,
- chunk_t last_received_packet,
- chunk_t my_nonce,
- identification_t *my_id,
- identification_t *other_id,
- bool initiator)
-{
- status_t status;
- chunk_t auth_data = auth_payload->get_data(auth_payload);
- auth_method_t auth_method = auth_payload->get_auth_method(auth_payload);
-
- switch (auth_method)
- {
- case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
- {
- chunk_t shared_key;
- chunk_t my_auth_data;
-
- status = charon->credentials->get_shared_key(charon->credentials,
- my_id,
- other_id,
- &shared_key);
- if (status != SUCCESS)
- {
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
- my_id, other_id);
- chunk_free(&shared_key);
- break;
- }
-
- my_auth_data = build_shared_key_signature(this, last_received_packet,
- my_nonce, other_id,
- initiator, shared_key);
- chunk_free(&shared_key);
-
-
- status = (auth_data.len == my_auth_data.len &&
- memeq(auth_data.ptr, my_auth_data.ptr, my_auth_data.len))
- ? SUCCESS : FAILED;
- chunk_free(&my_auth_data);
- break;
- }
- case RSA_DIGITAL_SIGNATURE:
- {
- chunk_t octets;
-
- rsa_public_key_t *public_key =
- charon->credentials->get_trusted_public_key(charon->credentials, other_id);
-
- if (public_key == NULL)
- {
- DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
- status = NOT_FOUND;
- break;
- }
-
- octets = build_tbs_octets(this, last_received_packet, my_nonce,
- other_id, initiator);
- status = public_key->verify_emsa_pkcs1_signature(public_key, octets,
- auth_data);
- chunk_free(&octets);
- break;
- }
- default:
- {
- return NOT_SUPPORTED;
- }
- }
-
- if (status == SUCCESS)
- {
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- other_id, auth_method_names, auth_method);
- }
-
- return status;
-}
-
-/**
- * Implementation of authenticator_t.compute_auth_data.
- */
-static status_t compute_auth_data (private_authenticator_t *this,
- auth_payload_t **auth_payload,
- chunk_t last_sent_packet,
- chunk_t other_nonce,
- identification_t *my_id,
- identification_t *other_id,
- bool initiator)
-{
- DBG1(DBG_IKE, "authentication of '%D' with %N (myself)",
- my_id, auth_method_names, this->auth_method);
-
- switch (this->auth_method)
- {
- case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
- {
- chunk_t shared_key;
- chunk_t auth_data;
-
- status_t status = charon->credentials->get_shared_key(charon->credentials,
- my_id,
- other_id,
- &shared_key);
-
- if (status != SUCCESS)
- {
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
- my_id, other_id);
- return status;
- }
-
- auth_data = build_shared_key_signature(this, last_sent_packet,
- other_nonce, my_id,
- initiator, shared_key);
- chunk_free(&shared_key);
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload,
- SHARED_KEY_MESSAGE_INTEGRITY_CODE);
- (*auth_payload)->set_data(*auth_payload, auth_data);
-
- chunk_free(&auth_data);
- return SUCCESS;
- }
- case RSA_DIGITAL_SIGNATURE:
- {
- chunk_t chunk;
- chunk_t octets;
- chunk_t auth_data;
- status_t status;
- rsa_public_key_t *my_pubkey;
- rsa_private_key_t *my_key;
-
- DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'",
- my_id);
-
- my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
- if (my_pubkey == NULL)
- {
- DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
- return NOT_FOUND;
- }
- DBG2(DBG_IKE, "matching RSA public key found");
-
- chunk = my_pubkey->get_keyid(my_pubkey);
- DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
-
- my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
- if (my_key == NULL)
- {
- DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B",
- my_id, &chunk);
- return NOT_FOUND;
- }
- DBG2(DBG_IKE, "matching RSA private key found");
-
- octets = build_tbs_octets(this, last_sent_packet, other_nonce,
- my_id, initiator);
- status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1,
- octets, &auth_data);
- chunk_free(&octets);
-
- if (status != SUCCESS)
- {
- my_key->destroy(my_key);
- return status;
- }
- DBG2(DBG_IKE, "successfully signed with RSA private key");
-
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
- (*auth_payload)->set_data(*auth_payload, auth_data);
-
- my_key->destroy(my_key);
- chunk_free(&auth_data);
- return SUCCESS;
- }
- default:
- {
- return NOT_SUPPORTED;
- }
- }
-}
-
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy (private_authenticator_t *this)
-{
- free(this);
-}
-
-/*
- * Described in header.
- */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method)
-{
- private_authenticator_t *this = malloc_thing(private_authenticator_t);
-
- /* Public functions */
- this->public.destroy = (void(*)(authenticator_t*))destroy;
- this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
- this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
-
- /* private data */
- this->ike_sa = ike_sa;
- this->auth_method = auth_method;
- this->prf = this->ike_sa->get_prf(this->ike_sa);
-
- return &(this->public);
-}
+++ /dev/null
-/**
- * @file authenticator.h
- *
- * @brief Interface of authenticator_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef AUTHENTICATOR_H_
-#define AUTHENTICATOR_H_
-
-#include <types.h>
-#include <sa/ike_sa.h>
-#include <network/packet.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/id_payload.h>
-
-
-typedef struct authenticator_t authenticator_t;
-
-/**
- * @brief Class used to authenticate a peer.
- *
- * Currently the following two AUTH methods are supported:
- * - SHARED_KEY_MESSAGE_INTEGRITY_CODE
- * - RSA_DIGITAL_SIGNATURE
- *
- * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.)
- * over an internal stored protected_ike_sa_t object or directly from the configuration_t over
- * the daemon_t object "charon".
- *
- * @b Constructors:
- * - authenticator_create()
- *
- * @ingroup sa
- */
-struct authenticator_t {
-
- /**
- * @brief Verify's given authentication data.
- *
- * To verify a received AUTH payload the following data must be provided:
- * - the last received IKEv2 Message from the other peer in binary form
- * - the nonce value sent to the other peer
- * - the ID payload of the other peer
- *
- * @param this calling object
- * @param last_received_packet binary representation of the last received IKEv2-Message
- * @param my_nonce the sent nonce (without payload header)
- * @param my_id my ID
- * @param other_id peer ID
- * @param initiator type of peer. TRUE, if it is original initiator, FALSE otherwise
- *
- * @todo Document RSA error status types
- *
- * @return
- * - SUCCESS if verification successful
- * - FAILED if verification failed
- * - NOT_SUPPORTED if AUTH method not supported
- * - NOT_FOUND if the data for specific AUTH method could not be found
- * (e.g. shared secret, rsa key)
- */
- status_t (*verify_auth_data) (authenticator_t *this,
- auth_payload_t *auth_payload,
- chunk_t last_received_packet,
- chunk_t my_nonce,
- identification_t *my_id,
- identification_t *other_id,
- bool initiator);
-
- /**
- * @brief Computes authentication data and creates specific AUTH payload.
- *
- * To create an AUTH payload, the following data must be provided:
- * - the last sent IKEv2 Message in binary form
- * - the nonce value received from the other peer
- * - the ID payload of myself
- *
- * @param this calling object
- * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location
- * @param last_sent_packet binary representation of the last sent IKEv2-Message
- * @param other_nonce the received nonce (without payload header)
- * @param my_id my ID
- * @param other_id peer ID
- * @param initiator type of myself. TRUE, if I'm original initiator, FALSE otherwise
- *
- * @todo Document RSA error status types
- *
- * @return
- * - SUCCESS if authentication data could be computed
- * - NOT_SUPPORTED if AUTH method not supported
- * - NOT_FOUND if the data for AUTH method could not be found
- */
- status_t (*compute_auth_data) (authenticator_t *this,
- auth_payload_t **auth_payload,
- chunk_t last_sent_packet,
- chunk_t other_nonce,
- identification_t *my_id,
- identification_t *other_id,
- bool initiator);
-
- /**
- * @brief Destroys a authenticator_t object.
- *
- * @param this calling object
- */
- void (*destroy) (authenticator_t *this);
-};
-
-/**
- * @brief Creates an authenticator object.
- *
- * @param ike_sa associated ike_sa
- * @param auth_method authentication method to use for own signature/mac
- *
- * @return authenticator_t object
- *
- * @ingroup sa
- */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
-
-#endif /* AUTHENTICATOR_H_ */
--- /dev/null
+/**
+ * @file authenticator.c
+ *
+ * @brief Generic constructor for authenticators.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/authenticators/rsa_authenticator.h>
+#include <sa/authenticators/psk_authenticator.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+ "RSA signature",
+ "pre-shared key",
+ "DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_EAP, AUTH_EAP, AUTH_DSS,
+ "EAP");
+ENUM_END(auth_method_names, AUTH_EAP);
+
+/*
+ * Described in header.
+ */
+authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method)
+{
+ switch (auth_method)
+ {
+ case AUTH_RSA:
+ return (authenticator_t*)rsa_authenticator_create(ike_sa);
+ case AUTH_PSK:
+ return (authenticator_t*)psk_authenticator_create(ike_sa);
+ default:
+ return NULL;
+ }
+}
--- /dev/null
+/**
+ * @file authenticator.h
+ *
+ * @brief Interface of authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AUTHENTICATOR_H_
+#define AUTHENTICATOR_H_
+
+typedef enum auth_method_t auth_method_t;
+typedef struct authenticator_t authenticator_t;
+
+#include <types.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/auth_payload.h>
+
+/**
+ * Method to use for authentication.
+ *
+ * @ingroup authenticator
+ */
+enum auth_method_t {
+ /**
+ * Computed as specified in section 2.15 of RFC using
+ * an RSA private key over a PKCS#1 padded hash.
+ */
+ AUTH_RSA = 1,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using the
+ * shared key associated with the identity in the ID payload
+ * and the negotiated prf function
+ */
+ AUTH_PSK = 2,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using a
+ * DSS private key over a SHA-1 hash.
+ */
+ AUTH_DSS = 3,
+
+ /**
+ * EAP authentication. This value is never negotiated and therefore
+ * a value from private use.
+ */
+ AUTH_EAP = 201,
+};
+
+/**
+ * enum names for auth_method_t.
+ *
+ * @ingroup authenticator
+ */
+extern enum_name_t *auth_method_names;
+
+/**
+ * @brief Authenticator interface implemented by the various authenticators.
+ *
+ * Currently the following two AUTH methods are supported:
+ * - shared key message integrity code (AUTH_PSK)
+ * - RSA digital signature (AUTH_RSA)
+ *
+ * @b Constructors:
+ * - authenticator_create()
+ *
+ * @ingroup authenticator
+ */
+struct authenticator_t {
+
+ /**
+ * @brief Verify a received authentication payload.
+ *
+ * @param this calling object
+ * @param ike_sa_init binary representation of received ike_sa_init
+ * @param my_nonce the sent nonce
+ * @param auth_payload authentication payload to verify
+ *
+ * @return
+ * - SUCCESS,
+ * - FAILED if verification failed
+ * - INVALID_ARG if auth_method does not match
+ * - NOT_FOUND if credentials not found
+ */
+ status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload);
+
+ /**
+ * @brief Build an authentication payload to send to the other peer.
+ *
+ * @param this calling object
+ * @param ike_sa_init binary representation of sent ike_sa_init
+ * @param other_nonce the received nonce
+ * @param[out] auth_payload the resulting authentication payload
+ *
+ * @return
+ * - SUCCESS,
+ * - NOT_FOUND if the data for AUTH method could not be found
+ */
+ status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload);
+
+ /**
+ * @brief Destroys a authenticator_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (authenticator_t *this);
+};
+
+/**
+ * @brief Creates an authenticator for the specified auth method.
+ *
+ * @param ike_sa associated ike_sa
+ * @param auth_method authentication method to use for build()/verify()
+ *
+ * @return authenticator_t object
+ *
+ * @ingroup sa
+ */
+authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
+
+#endif /* AUTHENTICATOR_H_ */
--- /dev/null
+/**
+ * @file authenticator.c
+ *
+ * @brief Implementation of authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "psk_authenticator.h"
+
+#include <config/policies/policy.h>
+#include <daemon.h>
+
+/**
+ * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+#define IKEV2_KEY_PAD "Key Pad for IKEv2"
+#define IKEV2_KEY_PAD_LENGTH 17
+
+
+typedef struct private_psk_authenticator_t private_psk_authenticator_t;
+
+/**
+ * Private data of an psk_authenticator_t object.
+ */
+struct private_psk_authenticator_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ psk_authenticator_t public;
+
+ /**
+ * Assigned IKE_SA
+ */
+ ike_sa_t *ike_sa;
+};
+
+/**
+ * Function implemented in rsa_authenticator.c
+ */
+extern chunk_t build_tbs_octets(private_psk_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t nonce, identification_t *id, prf_t *prf);
+
+/**
+ * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+static chunk_t build_shared_key_signature(private_psk_authenticator_t *this,
+ chunk_t ike_sa_init,
+ chunk_t nonce,
+ chunk_t secret,
+ identification_t *id,
+ prf_t *prf)
+{
+ chunk_t key_pad, key, auth_data, octets;
+
+ octets = build_tbs_octets(this, ike_sa_init, nonce, id, prf);
+ /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
+ key_pad.ptr = IKEV2_KEY_PAD;
+ key_pad.len = IKEV2_KEY_PAD_LENGTH;
+ prf->set_key(prf, secret);
+ prf->allocate_bytes(prf, key_pad, &key);
+ prf->set_key(prf, key);
+ prf->allocate_bytes(prf, octets, &auth_data);
+ DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+ DBG3(DBG_IKE, "secret %B", &secret);
+ DBG3(DBG_IKE, "keypad %B", &key_pad);
+ DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
+ DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
+ chunk_free(&octets);
+ chunk_free(&key);
+
+ return auth_data;
+}
+
+/**
+ * Implementation of authenticator_t.verify.
+ */
+static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload)
+{
+ status_t status;
+ chunk_t auth_data, recv_auth_data, shared_key;
+ identification_t *my_id, *other_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ status = charon->credentials->get_shared_key(charon->credentials, my_id,
+ other_id, &shared_key);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ return status;
+ }
+
+ auth_data = build_shared_key_signature(this, ike_sa_init, my_nonce,
+ shared_key, other_id,
+ this->ike_sa->get_auth_verify(this->ike_sa));
+ chunk_free(&shared_key);
+
+ recv_auth_data = auth_payload->get_data(auth_payload);
+ if (auth_data.len != recv_auth_data.len ||
+ !memeq(auth_data.ptr, recv_auth_data.ptr, auth_data.len))
+ {
+ DBG1(DBG_IKE, "PSK MAC verification failed");
+ chunk_free(&auth_data);
+ return FAILED;
+ }
+ chunk_free(&auth_data);
+
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_PSK);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.build.
+ */
+static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload)
+{
+ chunk_t shared_key;
+ chunk_t auth_data;
+ status_t status;
+ identification_t *my_id, *other_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+ my_id, auth_method_names, AUTH_PSK);
+ status = charon->credentials->get_shared_key(charon->credentials, my_id,
+ other_id, &shared_key);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ return status;
+ }
+
+ auth_data = build_shared_key_signature(this, ike_sa_init,
+ other_nonce, shared_key, my_id,
+ this->ike_sa->get_auth_build(this->ike_sa));
+ DBG2(DBG_IKE, "successfully created shared key MAC");
+ chunk_free(&shared_key);
+ *auth_payload = auth_payload_create();
+ (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
+ (*auth_payload)->set_data(*auth_payload, auth_data);
+
+ chunk_free(&auth_data);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_psk_authenticator_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa)
+{
+ private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+ /* public functions */
+ this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
+ this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
+ this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+
+ /* private data */
+ this->ike_sa = ike_sa;
+
+ return &this->public;
+}
--- /dev/null
+/**
+ * @file psk_authenticator.h
+ *
+ * @brief Interface of psk_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PSK_AUTHENTICATOR_H_
+#define PSK_AUTHENTICATOR_H_
+
+typedef struct psk_authenticator_t psk_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_PSK.
+ *
+ * @b Constructors:
+ * - psk_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_PSK
+ *
+ * @ingroup authenticator
+ */
+struct psk_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_PSK.
+ *
+ * @param ike_sa associated ike_sa
+ * @return psk_authenticator_t object
+ *
+ * @ingroup authenticator
+ */
+psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* PSK_AUTHENTICATOR_H_ */
--- /dev/null
+/**
+ * @file authenticator.c
+ *
+ * @brief Implementation of authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "rsa_authenticator.h"
+
+#include <config/policies/policy.h>
+#include <daemon.h>
+
+
+typedef struct private_rsa_authenticator_t private_rsa_authenticator_t;
+
+/**
+ * Private data of an rsa_authenticator_t object.
+ */
+struct private_rsa_authenticator_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ rsa_authenticator_t public;
+
+ /**
+ * Assigned IKE_SA
+ */
+ ike_sa_t *ike_sa;
+};
+
+/**
+ * Builds the octets to be signed as described in section 2.15 of RFC 4306
+ */
+chunk_t build_tbs_octets(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t nonce, identification_t *id, prf_t *prf)
+{
+ u_int8_t id_header_buf[] = {0x00, 0x00, 0x00, 0x00};
+ chunk_t id_header = chunk_from_buf(id_header_buf);
+ chunk_t id_with_header, id_prfd, id_encoding;
+
+ id_header_buf[0] = id->get_type(id);
+ id_encoding = id->get_encoding(id);
+
+ id_with_header = chunk_cat("cc", id_header, id_encoding);
+ prf->allocate_bytes(prf, id_with_header, &id_prfd);
+ chunk_free(&id_with_header);
+
+ return chunk_cat("ccm", ike_sa_init, nonce, id_prfd);
+}
+
+/**
+ * Implementation of authenticator_t.verify.
+ */
+static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload)
+{
+ status_t status;
+ chunk_t auth_data, octets;
+ rsa_public_key_t *public_key;
+ identification_t *other_id;
+
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+ if (auth_payload->get_auth_method(auth_payload) != AUTH_RSA)
+ {
+ return INVALID_ARG;
+ }
+ auth_data = auth_payload->get_data(auth_payload);
+ public_key = charon->credentials->get_trusted_public_key(charon->credentials,
+ other_id);
+ if (public_key == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
+ return NOT_FOUND;
+ }
+ octets = build_tbs_octets(this, ike_sa_init, my_nonce, other_id,
+ this->ike_sa->get_auth_verify(this->ike_sa));
+ status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ chunk_free(&octets);
+
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "RSA signature verification failed");
+ return status;
+ }
+
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_RSA);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.build.
+ */
+static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload)
+{
+ chunk_t chunk;
+ chunk_t octets;
+ chunk_t auth_data;
+ status_t status;
+ rsa_public_key_t *my_pubkey;
+ rsa_private_key_t *my_key;
+ identification_t *my_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%D' with %N (myself)",
+ my_id, auth_method_names, AUTH_RSA);
+ DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id);
+
+ my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
+ if (my_pubkey == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
+ return NOT_FOUND;
+ }
+ DBG2(DBG_IKE, "matching RSA public key found");
+ chunk = my_pubkey->get_keyid(my_pubkey);
+ DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
+ my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
+ if (my_key == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B",
+ my_id, &chunk);
+ return NOT_FOUND;
+ }
+ DBG2(DBG_IKE, "matching RSA private key found");
+
+ octets = build_tbs_octets(this, ike_sa_init, other_nonce, my_id,
+ this->ike_sa->get_auth_build(this->ike_sa));
+ status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+ chunk_free(&octets);
+
+ if (status != SUCCESS)
+ {
+ my_key->destroy(my_key);
+ DBG1(DBG_IKE, "build signature of SHA1 hash failed");
+ return status;
+ }
+ DBG2(DBG_IKE, "successfully signed with RSA private key");
+
+ *auth_payload = auth_payload_create();
+ (*auth_payload)->set_auth_method(*auth_payload, AUTH_RSA);
+ (*auth_payload)->set_data(*auth_payload, auth_data);
+
+ my_key->destroy(my_key);
+ chunk_free(&auth_data);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_rsa_authenticator_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa)
+{
+ private_rsa_authenticator_t *this = malloc_thing(private_rsa_authenticator_t);
+
+ /* public functions */
+ this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
+ this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
+ this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+
+ /* private data */
+ this->ike_sa = ike_sa;
+
+ return &this->public;
+}
--- /dev/null
+/**
+ * @file rsa_authenticator.h
+ *
+ * @brief Interface of rsa_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RSA_AUTHENTICATOR_H_
+#define RSA_AUTHENTICATOR_H_
+
+typedef struct rsa_authenticator_t rsa_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_RSA.
+ *
+ * @b Constructors:
+ * - rsa_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_RSA
+ *
+ * @ingroup authenticator
+ */
+struct rsa_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_RSA.
+ *
+ * @param ike_sa associated ike_sa
+ * @return rsa_authenticator_t object
+ *
+ * @ingroup authenticator
+ */
+rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* RSA_AUTHENTICATOR_H_ */
/**
* transaction which is rekeying this CHILD_SA
*/
- void *rekeying_transaction;
+ transaction_t *rekeying_transaction;
/**
* Updown script
/**
* Implementation of child_sa_t.set_rekeying_transaction.
*/
-static void set_rekeying_transaction(private_child_sa_t *this, void *transaction)
+static void set_rekeying_transaction(private_child_sa_t *this, transaction_t *transaction)
{
this->rekeying_transaction = transaction;
}
/**
* Implementation of child_sa_t.get_rekeying_transaction.
*/
-static void* get_rekeying_transaction(private_child_sa_t *this)
+static transaction_t* get_rekeying_transaction(private_child_sa_t *this)
{
return this->rekeying_transaction;
}
this->public.get_my_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_my_traffic_selectors;
this->public.get_other_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_other_traffic_selectors;
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
- this->public.set_rekeying_transaction = (void (*)(child_sa_t*,void*))set_rekeying_transaction;
- this->public.get_rekeying_transaction = (void* (*)(child_sa_t*))get_rekeying_transaction;
+ this->public.set_rekeying_transaction = (void (*)(child_sa_t*,transaction_t*))set_rekeying_transaction;
+ this->public.get_rekeying_transaction = (transaction_t* (*)(child_sa_t*))get_rekeying_transaction;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
this->public.destroy = (void(*)(child_sa_t*))destroy;
#ifndef CHILD_SA_H_
#define CHILD_SA_H_
+typedef enum child_sa_state_t child_sa_state_t;
+typedef struct child_sa_t child_sa_t;
+
#include <types.h>
#include <crypto/prf_plus.h>
#include <encoding/payloads/proposal_substructure.h>
#include <config/proposal.h>
+#include <sa/transactions/transaction.h>
/**
* Where we should start with reqid enumeration
*/
#define CHILD_SA_PRINTF_SPEC 'P'
-typedef enum child_sa_state_t child_sa_state_t;
-
/**
* @brief States of a CHILD_SA
*/
*/
extern enum_name_t *child_sa_state_names;
-typedef struct child_sa_t child_sa_t;
-
/**
* @brief Represents an IPsec SAs between two hosts.
*
* such situations to handle them cleanly. A rekeying transaction
* registers itself to the CHILD_SA, and checks later if another
* transaction is in progress of a rekey.
- *
- * @todo Fix include problematics to allow inclusion of
- * the create_child_sa_t transaction.
*
* @param this calling object
*/
- void (*set_rekeying_transaction) (child_sa_t *this, void *transaction);
+ void (*set_rekeying_transaction) (child_sa_t *this, transaction_t *transaction);
/**
* @brief Get the transaction which rekeys this CHILD_SA.
*
- * @see set_rekeying_transactoin().
- *
* @param this calling object
*/
- void* (*get_rekeying_transaction) (child_sa_t *this);
+ transaction_t* (*get_rekeying_transaction) (child_sa_t *this);
/**
* @brief Destroys a child_sa.
prf_t *child_prf;
/**
- * PRF, with key set to pi_key, used for authentication
+ * PRF to build outging authentication data
*/
- prf_t *prf_auth_i;
+ prf_t *auth_build;
/**
- * PRF, with key set to pr_key, used for authentication
+ * PRF to verify incoming authentication data
*/
- prf_t *prf_auth_r;
+ prf_t *auth_verify;
/**
* NAT hasher.
/**
* Transaction which rekeys this IKE_SA, used do detect simultaneus rekeying
*/
- rekey_ike_sa_t *rekeying_transaction;
+ transaction_t *rekeying_transaction;
};
/**
}
/**
- * Implementation of ike_sa_t.get_prf_auth_i.
+ * Implementation of ike_sa_t.get_auth_bild
*/
-static prf_t *get_prf_auth_i(private_ike_sa_t *this)
+static prf_t *get_auth_build(private_ike_sa_t *this)
{
- return this->prf_auth_i;
+ return this->auth_build;
}
/**
- * Implementation of ike_sa_t.get_prf_auth_r.
+ * Implementation of ike_sa_t.get_auth_verify
*/
-static prf_t *get_prf_auth_r(private_ike_sa_t *this)
+static prf_t *get_auth_verify(private_ike_sa_t *this)
{
- return this->prf_auth_r;
+ return this->auth_verify;
}
/**
size_t key_size;
crypter_t *crypter_i, *crypter_r;
signer_t *signer_i, *signer_r;
+ prf_t *prf_i, *prf_r;
u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
chunk_t spi_i = chunk_from_buf(spi_i_buf);
chunk_t spi_r = chunk_from_buf(spi_r_buf);
/* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
- this->prf_auth_i = prf_create(algo->algorithm);
- this->prf_auth_r = prf_create(algo->algorithm);
+ prf_i = prf_create(algo->algorithm);
+ prf_r = prf_create(algo->algorithm);
- key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
+ key_size = prf_i->get_key_size(prf_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(DBG_IKE, "Sk_pi secret %B", &key);
- this->prf_auth_i->set_key(this->prf_auth_i, key);
+ prf_i->set_key(prf_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(DBG_IKE, "Sk_pr secret %B", &key);
- this->prf_auth_r->set_key(this->prf_auth_r, key);
+ prf_r->set_key(prf_r, key);
chunk_free(&key);
+ if (initiator)
+ {
+ this->auth_verify = prf_r;
+ this->auth_build = prf_i;
+ }
+ else
+ {
+ this->auth_verify = prf_i;
+ this->auth_build = prf_r;
+ }
+
/* all done, prf_plus not needed anymore */
prf_plus->destroy(prf_plus);
/**
* Implementation of ike_sa_t.get_rekeying_transaction.
*/
-static rekey_ike_sa_t* get_rekeying_transaction(private_ike_sa_t *this)
+static transaction_t* get_rekeying_transaction(private_ike_sa_t *this)
{
return this->rekeying_transaction;
}
/**
* Implementation of ike_sa_t.set_rekeying_transaction.
*/
-static void set_rekeying_transaction(private_ike_sa_t *this, rekey_ike_sa_t *rekey)
+static void set_rekeying_transaction(private_ike_sa_t *this, transaction_t *rekey)
{
this->rekeying_transaction = rekey;
}
DESTROY_IF(this->signer_out);
DESTROY_IF(this->prf);
DESTROY_IF(this->child_prf);
- DESTROY_IF(this->prf_auth_i);
- DESTROY_IF(this->prf_auth_r);
+ DESTROY_IF(this->auth_verify);
+ DESTROY_IF(this->auth_build);
DESTROY_IF(this->my_host);
DESTROY_IF(this->other_host);
this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
- this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i;
- this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r;
+ this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify;
+ this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build;
this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa;
this->public.set_lifetimes = (void(*)(ike_sa_t*,u_int32_t,u_int32_t))set_lifetimes;
this->public.apply_connection = (void(*)(ike_sa_t*,connection_t*))apply_connection;
this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
- this->public.get_rekeying_transaction = (void*(*)(ike_sa_t*))get_rekeying_transaction;
- this->public.set_rekeying_transaction = (void(*)(ike_sa_t*,void*))set_rekeying_transaction;
+ this->public.get_rekeying_transaction = (transaction_t*(*)(ike_sa_t*))get_rekeying_transaction;
+ this->public.set_rekeying_transaction = (void(*)(ike_sa_t*,transaction_t*))set_rekeying_transaction;
this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children;
/* initialize private fields */
this->signer_in = NULL;
this->signer_out = NULL;
this->prf = NULL;
- this->prf_auth_i = NULL;
- this->prf_auth_r = NULL;
+ this->auth_verify = NULL;
+ this->auth_build = NULL;
this->child_prf = NULL;
this->nat_here = FALSE;
this->nat_there = FALSE;
#ifndef IKE_SA_H_
#define IKE_SA_H_
+typedef enum ike_sa_state_t ike_sa_state_t;
+typedef struct ike_sa_t ike_sa_t;
+
#include <types.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
+#include <sa/transactions/transaction.h>
#include <config/configuration.h>
#include <utils/randomizer.h>
#include <crypto/prfs/prf.h>
#include <config/policies/policy.h>
#include <config/proposal.h>
-
#define IKE_SA_PRINTF_SPEC 'K'
-typedef enum ike_sa_state_t ike_sa_state_t;
-
/**
* @brief State of an IKE_SA.
*
*/
extern enum_name_t *ike_sa_state_names;
-
-typedef struct ike_sa_t ike_sa_t;
-
/**
* @brief Class ike_sa_t representing an IKE_SA.
*
prf_t *(*get_child_prf) (ike_sa_t *this);
/**
- * @brief Get the prf used for authentication of initiator.
+ * @brief Get the prf to build outgoing authentication data.
*
* @param this calling object
* @return pointer to prf_t object
*/
- prf_t *(*get_prf_auth_i) (ike_sa_t *this);
+ prf_t *(*get_auth_build) (ike_sa_t *this);
/**
- * @brief Get the prf used for authentication of responder.
+ * @brief Get the prf to verify incoming authentication data.
*
* @param this calling object
* @return pointer to prf_t object
*/
- prf_t *(*get_prf_auth_r) (ike_sa_t *this);
+ prf_t *(*get_auth_verify) (ike_sa_t *this);
/**
* @brief Associates a child SA to this IKE SA
/**
* @brief Get the transaction which rekeys this IKE_SA.
- *
- * @todo Fix include for rekey_ike_sa.h
*
* @param this calling object
* @return rekey_ike_sa_t transaction or NULL
*/
- void* (*get_rekeying_transaction) (ike_sa_t *this);
+ transaction_t* (*get_rekeying_transaction) (ike_sa_t *this);
/**
* @brief Set the transaction which rekeys this IKE_SA.
* @param this calling object
* @param rekey rekey_ike_sa_t transaction or NULL
*/
- void (*set_rekeying_transaction) (ike_sa_t *this, void *rekey);
+ void (*set_rekeying_transaction) (ike_sa_t *this, transaction_t *rekey);
/**
* @brief Move all children from other IKE_SA to this IKE_SA.
#ifndef IKE_SA_ID_H_
#define IKE_SA_ID_H_
+typedef struct ike_sa_id_t ike_sa_id_t;
+
#include <types.h>
/**
*/
#define IKE_SA_ID_PRINTF_SPEC 'J'
-typedef struct ike_sa_id_t ike_sa_id_t;
-
/**
* @brief An object of type ike_sa_id_t is used to identify an IKE_SA.
*
#ifndef IKE_SA_MANAGER_H_
#define IKE_SA_MANAGER_H_
+typedef struct ike_sa_manager_t ike_sa_manager_t;
+
#include <types.h>
#include <sa/ike_sa.h>
-typedef struct ike_sa_manager_t ike_sa_manager_t;
-
/**
* @brief The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's.
*
request->add_payload(request, (payload_t*)notify);
/* register us as rekeying to detect multiple rekeying */
- this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
+ this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa,
+ &this->public.transaction);
}
this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
{
private_create_child_sa_t *other;
- other = this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);
+ other = (private_create_child_sa_t*)
+ this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);
if (other)
{
/* store our lower nonce in the simultaneus transaction, it
#ifndef CREATE_CHILD_SA_H_
#define CREATE_CHILD_SA_H_
+typedef struct create_child_sa_t create_child_sa_t;
+
+#include <sa/transactions/transaction.h>
#include <sa/ike_sa.h>
#include <sa/child_sa.h>
-#include <sa/transactions/transaction.h>
-
-
-typedef struct create_child_sa_t create_child_sa_t;
/**
* @brief A transaction to create a new or rekey an existing CHILD_SA.
#ifndef DEAD_PEER_DETECTION_H_
#define DEAD_PEER_DETECTION_H_
+typedef struct dead_peer_detection_t dead_peer_detection_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
-
-typedef struct dead_peer_detection_t dead_peer_detection_t;
-
/**
* @brief A transaction used to detect dead peers.
*
DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting",
protocol_id_names, protocol, ntohl(spi));
- rekey = child_sa->get_rekeying_transaction(child_sa);
+ rekey = (create_child_sa_t*)child_sa->get_rekeying_transaction(child_sa);
if (rekey)
{
/* we have received a delete for an SA which we are still rekeying.
#ifndef DELETE_CHILD_SA_H_
#define DELETE_CHILD_SA_H_
+typedef struct delete_child_sa_t delete_child_sa_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
-typedef struct delete_child_sa_t delete_child_sa_t;
-
/**
* @brief A transaction used to delete a CHILD_SA.
*
#ifndef DELETE_IKE_SA_H_
#define DELETE_IKE_SA_H_
+typedef struct delete_ike_sa_t delete_ike_sa_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
-
-typedef struct delete_ike_sa_t delete_ike_sa_t;
-
/**
* @brief A transaction used to delete the IKE_SA.
*
#include <encoding/payloads/certreq_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/ts_payload.h>
-#include <sa/authenticator.h>
+#include <sa/authenticators/authenticator.h>
#include <sa/child_sa.h>
}
/* build certificate payload. TODO: Handle certreq from init_ike_sa. */
- if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
+ if (this->policy->get_auth_method(this->policy) == AUTH_RSA
&& this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
{
cert_payload_t *cert_payload;
auth_method = this->policy->get_auth_method(this->policy);
authenticator = authenticator_create(this->ike_sa, auth_method);
- status = authenticator->compute_auth_data(authenticator,
- &auth_payload,
- this->init_request,
- this->nonce_r,
- my_id,
- other_id,
- TRUE);
+ if (authenticator == NULL)
+ {
+ SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
+ auth_method_names, auth_method);
+ SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ return DESTROY_ME;
+ }
+ status = authenticator->build(authenticator, this->init_request,
+ this->nonce_r, &auth_payload);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
response->add_payload(response, (payload_t*)idr_response);
}
- if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE
+ if (this->policy->get_auth_method(this->policy) == AUTH_RSA
&& this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND)
{ /* build certificate payload */
x509_t *cert;
auth_method_t auth_method;
status_t status;
- auth_method = this->policy->get_auth_method(this->policy);
+ auth_method = auth_request->get_auth_method(auth_request);
authenticator = authenticator_create(this->ike_sa, auth_method);
- status = authenticator->verify_auth_data(authenticator, auth_request,
- this->init_request,
- this->nonce_r,
- my_id,
- other_id,
- TRUE);
+ if (authenticator == NULL)
+ {
+ SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
+ auth_method_names, auth_method);
+ SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ return DESTROY_ME;
+ }
+ status = authenticator->verify(authenticator, this->init_request,
+ this->nonce_r, auth_request);
+ authenticator->destroy(authenticator);
if (status != SUCCESS)
{
SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
build_notify(AUTHENTICATION_FAILED, response, TRUE);
- authenticator->destroy(authenticator);
return DESTROY_ME;
}
- status = authenticator->compute_auth_data(authenticator, &auth_response,
- this->init_response,
- this->nonce_i,
- my_id,
- other_id,
- FALSE);
+
+ auth_method = this->policy->get_auth_method(this->policy);
+ authenticator = authenticator_create(this->ike_sa, auth_method);
+ if (authenticator == NULL)
+ {
+ SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
+ auth_method_names, auth_method);
+ SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ return DESTROY_ME;
+ }
+ status = authenticator->build(authenticator, this->init_response,
+ this->nonce_i, &auth_response);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
auth_method_t auth_method;
status_t status;
- auth_method = this->policy->get_auth_method(this->policy);
- authenticator = authenticator_create(this->ike_sa, auth_method);
my_id = this->policy->get_my_id(this->policy);
-
- status = authenticator->verify_auth_data(authenticator,
- auth_payload,
- this->init_response,
- this->nonce_i,
- my_id,
- other_id,
- FALSE);
+ auth_method = auth_payload->get_auth_method(auth_payload);
+ authenticator = authenticator_create(this->ike_sa, auth_method);
+ if (authenticator == NULL)
+ {
+ SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA",
+ auth_method_names, auth_method);
+ SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
+ return DESTROY_ME;
+ }
+ status = authenticator->verify(authenticator, this->init_response,
+ this->nonce_i, auth_payload);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
#ifndef IKE_AUTH_H_
#define IKE_AUTH_H_
+typedef struct ike_auth_t ike_auth_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
-
-typedef struct ike_auth_t ike_auth_t;
-
/**
* @brief A transaction for the second message exchange to authenticate an IKE_SA.
*
#ifndef IKE_SA_INIT_H_
#define IKE_SA_INIT_H_
+typedef struct ike_sa_init_t ike_sa_init_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
-
-typedef struct ike_sa_init_t ike_sa_init_t;
-
/**
* @brief A transaction for the first message exchange to set up an IKE_SA.
*
/* register us as rekeying to detect multiple rekeying */
this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
- this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public);
+ this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public.transaction);
return SUCCESS;
}
{
private_rekey_ike_sa_t *other;
- other = this->ike_sa->get_rekeying_transaction(this->ike_sa);
+ other = (private_rekey_ike_sa_t*)
+ this->ike_sa->get_rekeying_transaction(this->ike_sa);
if (other)
{
/* store our lower nonce in the simultaneus transaction, we
other->nonce_s = chunk_clone(this->nonce_r);
}
/* overwrite "other" in IKE_SA, allows "other" to access "this" */
- this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public);
+ this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public.transaction);
}
else
{
* of the SA. If it changed, we are not alone. Then we must compare the nonces.
* If no simultaneous rekeying is going on, we just initiate the delete of
* the superseded SA. */
- other_trans = this->ike_sa->get_rekeying_transaction(this->ike_sa);
+ other_trans = (private_rekey_ike_sa_t*)
+ this->ike_sa->get_rekeying_transaction(this->ike_sa);
this->ike_sa->set_rekeying_transaction(this->ike_sa, NULL);
if (this->nonce_s.ptr)
#ifndef REKEY_IKE_SA_H
#define REKEY_IKE_SA_H
+typedef struct rekey_ike_sa_t rekey_ike_sa_t;
+
#include <sa/ike_sa.h>
#include <sa/transactions/transaction.h>
#include <crypto/diffie_hellman.h>
-typedef struct rekey_ike_sa_t rekey_ike_sa_t;
-
/**
* @brief A transaction to rekey an established IKE_SA
*
#ifndef TRANSACTION_H_
#define TRANSACTION_H_
-
typedef struct transaction_t transaction_t;
#include <types.h>
#include <encoding/message.h>
#include <sa/ike_sa.h>
-
-
/**
* @brief This interface represents a transaction an established IKE_SA can do.
*
#ifndef KERNEL_INTERFACE_H_
#define KERNEL_INTERFACE_H_
+typedef struct natt_conf_t natt_conf_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_interface_t kernel_interface_t;
+
#include <utils/host.h>
#include <crypto/prf_plus.h>
#include <encoding/payloads/proposal_substructure.h>
-typedef struct natt_conf_t natt_conf_t;
-
/**
* Configuration for NAT-T
*/
u_int16_t dport;
};
-typedef enum policy_dir_t policy_dir_t;
-
/**
* Direction of a policy. These are equal to those
* defined in xfrm.h, but we want to stay implementation
POLICY_FWD = 2,
};
-typedef struct kernel_interface_t kernel_interface_t;
-
/**
* @brief Interface to the kernel.
*
#ifndef RECEIVER_H_
#define RECEIVER_H_
-#include <types.h>
-
-
typedef struct receiver_t receiver_t;
+#include <types.h>
+
/**
* @brief Receives packets from the socket and adds them to the job queue.
*
#ifndef SCHEDULER_H_
#define SCHEDULER_H_
-#include <types.h>
-
typedef struct scheduler_t scheduler_t;
+#include <types.h>
+
/**
* @brief The scheduler thread is responsible for timed events.
- *
+ *
* The scheduler thread takes out jobs from the event-queue and adds them
* to the job-queue.
- *
+ *
* Starts a thread which does the work, since event-queue is blocking.
- *
+ *
* @b Constructors:
* - scheduler_create()
- *
+ *
* @ingroup threads
*/
struct scheduler_t {
#ifndef SENDER_H_
#define SENDER_H_
-#include <types.h>
-
typedef struct sender_t sender_t;
+#include <types.h>
+
/**
* @brief Thread responsible for sending packets over the socket.
*
#ifndef STROKE_INTERFACE_H_
#define STROKE_INTERFACE_H_
-
-
typedef struct stroke_t stroke_t;
/**
#ifndef THREAD_POOL_H_
#define THREAD_POOL_H_
+typedef struct thread_pool_t thread_pool_t;
+
#include <stdlib.h>
#include <types.h>
-
-typedef struct thread_pool_t thread_pool_t;
-
/**
* @brief A thread_pool consists of a pool of threads processing jobs from the job queue.
- *
+ *
* Current implementation uses as many threads as specified in constructor.
* A more improved version would dynamically increase thread count if necessary.
- *
+ *
* @b Constructors:
* - thread_pool_create()
- *
+ *
* @todo Add support for dynamic thread handling
*
* @ingroup threads
#ifndef CERTINFO_H_
#define CERTINFO_H_
+typedef enum cert_status_t cert_status_t;
+typedef enum crl_reason_t crl_reason_t;
+typedef struct certinfo_t certinfo_t;
+
#include <types.h>
#include <definitions.h>
/**
* RFC 2560 OCSP - certificate status
*/
-typedef enum {
+enum cert_status_t {
CERT_GOOD = 0,
CERT_REVOKED = 1,
CERT_UNKNOWN = 2,
CERT_UNDEFINED = 3,
CERT_UNTRUSTED = 4 /* private use */
-} cert_status_t;
+};
extern enum_name_t *cert_status_names;
/**
* RFC 2459 CRL reason codes
*/
-typedef enum {
+enum crl_reason_t {
REASON_UNSPECIFIED = 0,
REASON_KEY_COMPROMISE = 1,
REASON_CA_COMPROMISE = 2,
REASON_CESSATION_OF_OPERATON = 5,
REASON_CERTIFICATE_HOLD = 6,
REASON_REMOVE_FROM_CRL = 8
-} crl_reason_t;
+};
extern enum_name_t *crl_reason_names;
-typedef struct certinfo_t certinfo_t;
-
/**
* @brief X.509 certificate status information
- *
- *
+ *
* @ingroup transforms
*/
struct certinfo_t {
#ifndef CRL_H_
#define CRL_H_
+typedef struct crl_t crl_t;
+
#include <types.h>
#include <definitions.h>
#include <crypto/rsa/rsa_public_key.h>
*/
#define CRL_PRINTF_SPEC 'U'
-typedef struct crl_t crl_t;
-
/**
* @brief X.509 certificate revocation list
*
#ifndef AES_CBC_CRYPTER_H_
#define AES_CBC_CRYPTER_H_
-#include <crypto/crypters/crypter.h>
-
-
typedef struct aes_cbc_crypter_t aes_cbc_crypter_t;
+#include <crypto/crypters/crypter.h>
+
/**
* @brief Class implementing the AES symmetric encryption algorithm.
- *
+ *
* @b Constructors:
* - aes_cbc_crypter_create()
- *
+ *
* @ingroup crypters
*/
struct aes_cbc_crypter_t {
#ifndef CRYPTER_H_
#define CRYPTER_H_
-#include <types.h>
-
typedef enum encryption_algorithm_t encryption_algorithm_t;
+typedef struct crypter_t crypter_t;
+
+#include <types.h>
/**
* @brief Encryption algorithm, as in IKEv2 RFC 3.3.2.
- *
+ *
* Currently only the following algorithms are implemented:
* - ENCR_AES_CBC
* - ENCR_DES
* - ENCR_3DES
- *
+ *
* @ingroup crypters
*/
enum encryption_algorithm_t {
*/
extern enum_name_t *encryption_algorithm_names;
-
-typedef struct crypter_t crypter_t;
-
/**
* @brief Generic interface for symmetric encryption algorithms.
- *
+ *
* @b Constructors:
* - crypter_create()
- *
+ *
* @ingroup crypters
*/
struct crypter_t {
#ifndef DES_CRYPTER_H_
#define DES_CRYPTER_H_
-#include <crypto/crypters/crypter.h>
+typedef struct des_crypter_t des_crypter_t;
+#include <crypto/crypters/crypter.h>
-typedef struct des_crypter_t des_crypter_t;
/**
* @brief Class implementing the DES and 3DES encryption algorithms.
#ifndef DIFFIE_HELLMAN_H_
#define DIFFIE_HELLMAN_H_
-#include <types.h>
-
-
typedef enum diffie_hellman_group_t diffie_hellman_group_t;
+typedef struct diffie_hellman_t diffie_hellman_t;
-/**
+#include <types.h>
+
+/**
* @brief Diffie-Hellman group.
- *
+ *
* The modulus (or group) to use for a Diffie-Hellman calculation.
- *
+ *
* See IKEv2 RFC 3.3.2 and RFC 3526.
- *
+ *
* @ingroup transforms
*/
enum diffie_hellman_group_t {
*/
extern enum_name_t *diffie_hellman_group_names;
-
-typedef struct diffie_hellman_t diffie_hellman_t;
-
/**
* @brief Implementation of the widely used Diffie-Hellman algorithm.
*
#ifndef HASHER_H_
#define HASHER_H_
+typedef enum hash_algorithm_t hash_algorithm_t;
+typedef struct hasher_t hasher_t;
#include <types.h>
-
-typedef enum hash_algorithm_t hash_algorithm_t;
-
/**
* @brief Algorithms to use for hashing.
- *
+ *
* Currently only the following algorithms are implemented:
* - HASH_MD5
* - HASH_SHA1
extern enum_name_t *hash_algorithm_names;
-typedef struct hasher_t hasher_t;
-
/**
* @brief Generic interface for all hash functions.
*
#ifndef MD5_HASHER_H_
#define MD5_HASHER_H_
-#include <crypto/hashers/hasher.h>
-
-
typedef struct md5_hasher_t md5_hasher_t;
+#include <crypto/hashers/hasher.h>
+
/**
* @brief Implementation of hasher_t interface using the
* MD5 algorithm.
- *
+ *
* @b Constructors:
* - hasher_create() using HASH_MD5 as algorithm
* - md5_hasher_create()
- *
+ *
* @see hasher_t
- *
+ *
* @ingroup hashers
*/
struct md5_hasher_t {
#ifndef SHA1_HASHER_H_
#define SHA1_HASHER_H_
-#include <crypto/hashers/hasher.h>
-
-
typedef struct sha1_hasher_t sha1_hasher_t;
+#include <crypto/hashers/hasher.h>
+
/**
* @brief Implementation of hasher_t interface using the
* SHA1 algorithm.
#ifndef SHA2_HASHER_H_
#define SHA2_HASHER_H_
-#include <crypto/hashers/hasher.h>
-
-
typedef struct sha2_hasher_t sha2_hasher_t;
+#include <crypto/hashers/hasher.h>
+
/**
* @brief Implementation of hasher_t interface using the SHA2 algorithms.
- *
+ *
* SHA2 is an other name for the SHA-256, SHA-384 and SHA-512 variants of
* the SHA hash algorithm.
- *
+ *
* @b Constructors:
* - hasher_create() using HASH_SHA256, HASH_SHA384 or HASH_SHA512 as algorithm
* - sha2_hasher_create()
- *
+ *
* @see hasher_t
*
* @ingroup hashers
#ifndef HMAC_H_
#define HMAC_H_
+typedef struct hmac_t hmac_t;
+
#include <crypto/hashers/hasher.h>
#include <definitions.h>
-
-typedef struct hmac_t hmac_t;
-
/**
* @brief Message authentication using hash functions.
- *
+ *
* This class implements the message authenticaion algorithm
* described in RFC2104. It uses a hash function, wich must
* be implemented as a hasher_t class.
- *
+ *
* See http://www.faqs.org/rfcs/rfc2104.html for RFC.
* @see
* - hasher_t
* - prf_hmac_t
- *
+ *
* @b Constructors:
* - hmac_create()
- *
+ *
* @ingroup transforms
*/
struct hmac_t {
#ifndef PRF_PLUS_H_
#define PRF_PLUS_H_
+typedef struct prf_plus_t prf_plus_t;
#include <crypto/prfs/prf.h>
-
-typedef struct prf_plus_t prf_plus_t;
-
/**
* @brief Implementation of the prf+ function described in IKEv2 RFC.
*
#ifndef PRF_HMAC_H_
#define PRF_HMAC_H_
+typedef struct hmac_prf_t hmac_prf_t;
+
#include <types.h>
#include <crypto/prfs/prf.h>
#include <crypto/hashers/hasher.h>
-typedef struct hmac_prf_t hmac_prf_t;
-
/**
* @brief Implementation of prf_t interface using the
* HMAC algorithm.
#ifndef PRF_H_
#define PRF_H_
-#include <types.h>
-
typedef enum pseudo_random_function_t pseudo_random_function_t;
+typedef struct prf_t prf_t;
+
+#include <types.h>
/**
* @brief Pseudo random function, as in IKEv2 RFC 3.3.2.
*/
extern enum_name_t *pseudo_random_function_names;
-
-typedef struct prf_t prf_t;
-
/**
* @brief Generic interface for pseudo-random-functions.
*
#ifndef RSA_PRIVATE_KEY_H_
#define RSA_PRIVATE_KEY_H_
+typedef struct rsa_private_key_t rsa_private_key_t;
+
#include <types.h>
#include <definitions.h>
#include <crypto/rsa/rsa_public_key.h>
#include <crypto/hashers/hasher.h>
-
-typedef struct rsa_private_key_t rsa_private_key_t;
-
/**
* @brief RSA private key with associated functions.
- *
+ *
* Currently only supports signing using EMSA encoding.
- *
+ *
* @b Constructors:
* - rsa_private_key_create()
* - rsa_private_key_create_from_chunk()
* - rsa_private_key_create_from_file()
*
* @see rsa_public_key_t
- *
+ *
* @todo Implement get_key(), save_key(), get_public_key()
*
* @ingroup rsa
#ifndef RSA_PUBLIC_KEY_H_
#define RSA_PUBLIC_KEY_H_
+typedef struct rsa_public_key_t rsa_public_key_t;
+
#include <gmp.h>
#include <types.h>
#include <definitions.h>
-
-typedef struct rsa_public_key_t rsa_public_key_t;
-
/**
* @brief RSA public key with associated functions.
*
#ifndef HMAC_SIGNER_H_
#define HMAC_SIGNER_H_
+typedef struct hmac_signer_t hmac_signer_t;
+
#include <crypto/signers/signer.h>
#include <crypto/hashers/hasher.h>
-typedef struct hmac_signer_t hmac_signer_t;
-
/**
* @brief Implementation of signer_t interface using the
* HMAC algorithm in combination with either MD5 or SHA1.
#ifndef SIGNER_H_
#define SIGNER_H_
+typedef enum integrity_algorithm_t integrity_algorithm_t;
+typedef struct signer_t signer_t;
+
#include <types.h>
#include <definitions.h>
-typedef enum integrity_algorithm_t integrity_algorithm_t;
-
/**
* @brief Integrity algorithm, as in IKEv2 RFC 3.3.2.
*
*/
extern enum_name_t *integrity_algorithm_names;
-
-typedef struct signer_t signer_t;
-
/**
* @brief Generig interface for a symmetric signature algorithm.
- *
+ *
* @b Constructors:
* - signer_create()
* - hmac_signer_create()
- *
+ *
* @todo Implement more integrity algorithms
- *
+ *
* @ingroup signers
*/
struct signer_t {
#ifndef X509_H_
#define X509_H_
+typedef struct x509_t x509_t;
+
#include <types.h>
#include <definitions.h>
#include <crypto/rsa/rsa_public_key.h>
*/
#define X509_PRINTF_SPEC 'Q'
-typedef struct x509_t x509_t;
-
/**
* @brief X.509 certificate.
*
#ifndef HOST_H_
#define HOST_H_
+typedef enum host_diff_t host_diff_t;
+typedef struct host_t host_t;
+
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <types.h>
-
/**
* printf() specifier to print a host.
* The specifier option '#' does include the port number, e.g.:
*/
#define HOST_PRINTF_SPEC 'H'
-typedef enum host_diff_t host_diff_t;
-
/**
* Differences between two hosts. They differ in
* address, port, or both.
HOST_DIFF_PORT = 2,
};
-typedef struct host_t host_t;
-
/**
* @brief Representates a Host
*
#ifndef IDENTIFICATION_H_
#define IDENTIFICATION_H_
-#include "types.h"
+typedef enum id_type_t id_type_t;
+typedef struct identification_t identification_t;
+
+#include <types.h>
#define MAX_WILDCARDS 14
/**
*/
#define IDENTIFICATION_PRINTF_SPEC 'D'
-typedef enum id_type_t id_type_t;
-
/**
* @brief ID Types in a ID payload.
*
*/
extern enum_name_t *id_type_names;
-typedef struct identification_t identification_t;
-
/**
* @brief Generic identification, such as used in ID payload.
*
/**
* @brief Iterator interface, allows iteration over collections.
- *
+ *
* iterator_t defines an interface for iterating over collections.
* It allows searching, deleting, updating and inserting.
- *
+ *
* Thanks to JMP for iterator lessons :-)
- *
+ *
* @b Constructors:
* - via linked_list_t.create_iterator, or
* - any other class which supports the iterator_t interface
- *
+ *
* @see linked_list_t
- *
+ *
* @ingroup utils
*/
struct iterator_t {
#ifndef LINKED_LIST_H_
#define LINKED_LIST_H_
+typedef struct linked_list_t linked_list_t;
+
#include <pthread.h>
#include <types.h>
#include <utils/iterator.h>
-
-typedef struct linked_list_t linked_list_t;
-
/**
* @brief Class implementing a double linked list.
*
* General purpose linked list. This list is not synchronized.
- *
+ *
* @b Costructors:
* - linked_list_create()
*
#ifndef RANDOMIZER_H_
#define RANDOMIZER_H_
-#include <types.h>
+typedef struct randomizer_t randomizer_t;
+#include <types.h>
#ifndef DEV_RANDOM
/**
# define DEV_URANDOM "/dev/urandom"
#endif
-typedef struct randomizer_t randomizer_t;
-
/**
* @brief Class used to get random and pseudo random values.
*