Implemented IKEv1 pubkey SIG payload processing in an authenticator
authorMartin Willi <martin@revosec.ch>
Wed, 7 Dec 2011 14:08:06 +0000 (14:08 +0000)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:14 +0000 (17:31 +0100)
src/libcharon/Makefile.am
src/libcharon/sa/authenticators/pubkey_v1_authenticator.c [new file with mode: 0644]
src/libcharon/sa/authenticators/pubkey_v1_authenticator.h [new file with mode: 0644]

index eb58768..bf409d2 100644 (file)
@@ -65,6 +65,7 @@ sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
 sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
 sa/authenticators/psk_v1_authenticator.c sa/authenticators/psk_v1_authenticator.h \
+sa/authenticators/pubkey_v1_authenticator.c sa/authenticators/pubkey_v1_authenticator.h \
 sa/authenticators/xauth_authenticator.c sa/authenticators/xauth_authenticator.h \
 sa/authenticators/xauth/xauth_method.c sa/authenticators/xauth/xauth_method.h \
 sa/authenticators/xauth/xauth_manager.c sa/authenticators/xauth/xauth_manager.h \
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c
new file mode 100644 (file)
index 0000000..82fc8cf
--- /dev/null
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pubkey_v1_authenticator.h"
+
+#include <daemon.h>
+#include <sa/keymat_v1.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
+
+/**
+ * Private data of an pubkey_v1_authenticator_t object.
+ */
+struct private_pubkey_v1_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       pubkey_v1_authenticator_t public;
+
+       /**
+        * Assigned IKE_SA
+        */
+       ike_sa_t *ike_sa;
+
+       /**
+        * TRUE if we are initiator
+        */
+       bool initiator;
+
+       /**
+        * DH key exchange
+        */
+       diffie_hellman_t *dh;
+
+       /**
+        * Others DH public value
+        */
+       chunk_t dh_value;
+
+       /**
+        * Encoded SA payload, without fixed header
+        */
+       chunk_t sa_payload;
+};
+
+METHOD(authenticator_t, build, status_t,
+       private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+       hash_payload_t *sig_payload;
+       chunk_t hash, sig, dh;
+       keymat_v1_t *keymat;
+       status_t status;
+       private_key_t *private;
+       identification_t *id;
+       auth_cfg_t *auth;
+       key_type_t type;
+       signature_scheme_t scheme;
+
+       /* TODO-IKEv1: other key types */
+       type = KEY_RSA;
+       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+       id = this->ike_sa->get_my_id(this->ike_sa);
+       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+       private = lib->credmgr->get_private(lib->credmgr, KEY_RSA, id, auth);
+       if (!private)
+       {
+               DBG1(DBG_IKE, "no private key found for '%Y'", id);
+               return NOT_FOUND;
+       }
+
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+       hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
+                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
+       free(dh.ptr);
+
+       if (private->sign(private, scheme, hash, &sig))
+       {
+               sig_payload = hash_payload_create(SIGNATURE_V1);
+               sig_payload->set_hash(sig_payload, sig);
+               free(sig.ptr);
+               message->add_payload(message, &sig_payload->payload_interface);
+               status = SUCCESS;
+               DBG1(DBG_IKE, "authentication of '%Y' (myself) successful", id);
+       }
+       else
+       {
+               DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
+               status = FAILED;
+       }
+       private->destroy(private);
+       free(hash.ptr);
+
+       return status;
+}
+
+METHOD(authenticator_t, process, status_t,
+       private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+       chunk_t hash, sig, dh;
+       keymat_v1_t *keymat;
+       public_key_t *public;
+       hash_payload_t *sig_payload;
+       auth_cfg_t *auth, *current_auth;
+       enumerator_t *enumerator;
+       status_t status = NOT_FOUND;
+       key_type_t type;
+       signature_scheme_t scheme;
+       identification_t *id;
+
+       /* TODO-IKEv1: currently RSA only */
+       type = KEY_RSA;
+       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+       sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
+       if (!sig_payload)
+       {
+               DBG1(DBG_IKE, "SIG payload missing in message");
+               return FALSE;
+       }
+
+       id = this->ike_sa->get_other_id(this->ike_sa);
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+       hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
+                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
+       free(dh.ptr);
+
+       sig = sig_payload->get_hash(sig_payload);
+       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+       enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, type,
+                                                                                                               id, auth);
+       while (enumerator->enumerate(enumerator, &public, &current_auth))
+       {
+               if (public->verify(public, scheme, hash, sig))
+               {
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+                                id, key_type_names, type);
+                       status = SUCCESS;
+                       auth->merge(auth, current_auth, FALSE);
+                       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+                       break;
+               }
+               else
+               {
+                       DBG1(DBG_IKE, "signature validation failed, looking for another key");
+                       status = FAILED;
+               }
+       }
+       enumerator->destroy(enumerator);
+       free(hash.ptr);
+       if (status != SUCCESS)
+       {
+               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+                        key_type_names, type, id);
+       }
+       return status;
+}
+
+METHOD(authenticator_t, destroy, void,
+       private_pubkey_v1_authenticator_t *this)
+{
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload)
+{
+       private_pubkey_v1_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .build = _build,
+                               .process = _process,
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .ike_sa = ike_sa,
+               .initiator = initiator,
+               .dh = dh,
+               .dh_value = dh_value,
+               .sa_payload = sa_payload,
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h
new file mode 100644 (file)
index 0000000..ed6d77c
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pubkey_v1_authenticator pubkey_v1_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef PUBKEY_V1_AUTHENTICATOR_H_
+#define PUBKEY_V1_AUTHENTICATOR_H_
+
+typedef struct pubkey_v1_authenticator_t pubkey_v1_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using public keys for IKEv1.
+ */
+struct pubkey_v1_authenticator_t {
+
+       /**
+        * Implemented authenticator_t interface.
+        */
+       authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build and verify public key signatures.
+ *
+ * @param ike_sa                       associated IKE_SA
+ * @param dh                           diffie hellman key exchange
+ * @param dh_value                     others public diffie hellman value
+ * @param sa_payload           generated SA payload data, without payload header
+ * @return                                     pubkey authenticator
+ */
+pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload);
+
+#endif /** PUBKEY_V1_AUTHENTICATOR_H_ @}*/