- authentication with preshared key working but code MUST be cleaned
authorJan Hutter <jhutter@hsr.ch>
Sat, 3 Dec 2005 14:47:58 +0000 (14:47 -0000)
committerJan Hutter <jhutter@hsr.ch>
Sat, 3 Dec 2005 14:47:58 +0000 (14:47 -0000)
19 files changed:
Source/charon/encoding/message.c
Source/charon/encoding/message.h
Source/charon/encoding/payloads/auth_payload.c
Source/charon/encoding/payloads/auth_payload.h
Source/charon/encoding/payloads/id_payload.c
Source/charon/encoding/payloads/id_payload.h
Source/charon/sa/authenticator.c
Source/charon/sa/authenticator.h
Source/charon/sa/ike_sa.c
Source/charon/sa/ike_sa.h
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_auth_requested.h
Source/charon/sa/states/ike_sa_init_requested.c
Source/charon/sa/states/ike_sa_init_requested.h
Source/charon/sa/states/ike_sa_init_responded.c
Source/charon/sa/states/ike_sa_init_responded.h
Source/charon/sa/states/initiator_init.c
Source/charon/sa/states/responder_init.c
Source/charon/testcases/parser_test.c

index 7fea8ae..996f8fb 100644 (file)
@@ -640,6 +640,14 @@ static packet_t *get_packet (private_message_t *this)
 }
 
 /**
+ * Implementation of message_t.get_packet_data.
+ */
+static chunk_t get_packet_data (private_message_t *this)
+{
+       return allocator_clone_chunk(this->packet->data);
+}
+
+/**
  * Implementation of message_t.parse_header.
  */
 static status_t parse_header(private_message_t *this)
@@ -1163,6 +1171,7 @@ message_t *message_create_from_packet(packet_t *packet)
        this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
        this->public.verify =  (status_t (*) (message_t*)) verify;
        this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
+       this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
        this->public.destroy = (void(*)(message_t*))destroy;
                
        /* private values */
index dfbb10d..e3be836 100644 (file)
@@ -290,6 +290,15 @@ struct message_t {
        packet_t * (*get_packet) (message_t *this);
        
        /**
+        * Returns a clone of the internal stored packet_t data.
+        *
+        * @param this          message_t object
+        * @return                      clone of the internal stored packet_t data.
+        */     
+       chunk_t (*get_packet_data) (message_t *this);
+       
+       
+       /**
         * @brief Destroys a message and all including objects.
         *
         * @param this          message_t object
index 1070826..e9dad81 100644 (file)
@@ -215,6 +215,14 @@ static void set_data (private_auth_payload_t *this, chunk_t data)
  */
 static chunk_t get_data (private_auth_payload_t *this)
 {
+       return (this->auth_data);
+}
+
+/**
+ * Implementation of auth_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_auth_payload_t *this)
+{
        chunk_t cloned_data;
        if (this->auth_data.ptr == NULL)
        {
@@ -259,6 +267,7 @@ auth_payload_t *auth_payload_create()
        this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
        this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method;
        this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
+       this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
        this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
        
        /* private variables */
index 3a2d445..2613288 100644 (file)
@@ -115,6 +115,16 @@ struct auth_payload_t {
         * @param this                  calling auth_payload_t object
         * @return                              AUTH data as chunk_t
         */
+       chunk_t (*get_data_clone) (auth_payload_t *this);
+       
+       /**
+        * @brief Get the AUTH data.
+        * 
+        * Returned data are NOT copied
+        *
+        * @param this                  calling auth_payload_t object
+        * @return                              AUTH data as chunk_t
+        */
        chunk_t (*get_data) (auth_payload_t *this);
        
        /**
index 2857912..9560d4f 100644 (file)
@@ -214,11 +214,20 @@ static void set_data (private_id_payload_t *this, chunk_t data)
        this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len;
 }
 
+
 /**
- * Implementation of id_payload_t.get_data.
+ * Implementation of id_payload_t.get_data_clone.
  */
 static chunk_t get_data (private_id_payload_t *this)
 {
+       return (this->id_data);
+}
+
+/**
+ * Implementation of id_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_id_payload_t *this)
+{
        chunk_t cloned_data;
        if (this->id_data.ptr == NULL)
        {
@@ -288,6 +297,8 @@ id_payload_t *id_payload_create(bool is_initiator)
        this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type;
        this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
        this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
+       this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
+       
        this->public.get_initiator = (bool (*) (id_payload_t *)) get_initiator;
        this->public.set_initiator = (void (*) (id_payload_t *,bool)) set_initiator;
        this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
index 7348f26..c395113 100644 (file)
@@ -87,9 +87,19 @@ struct id_payload_t {
         * @param this                  calling id_payload_t object
         * @return                              ID data as chunk_t
         */
-       chunk_t (*get_data) (id_payload_t *this);
+       chunk_t (*get_data_clone) (id_payload_t *this);
        
        /**
+        * @brief Get the ID data.
+        * 
+        * Returned data are NOT copied.
+        *
+        * @param this                  calling id_payload_t object
+        * @return                              ID data as chunk_t
+        */
+       chunk_t (*get_data) (id_payload_t *this);
+
+       /**
         * @brief Creates an identification object of this id payload.
         * 
         * Returned object has to get destroyed by the caller.
index 6ab1b00..978106b 100644 (file)
@@ -51,7 +51,7 @@ struct private_authenticator_t {
        /**
         * TODO
         */
-       chunk_t (*allocate_octets) (private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,identification_t *my_id);
+       chunk_t (*allocate_octets) (private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id);
        
        chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this,chunk_t octets,chunk_t preshared_secret);
 };
@@ -59,16 +59,16 @@ struct private_authenticator_t {
 /**
  * Implementation of authenticator_t.private_authenticator_t.
  */
-static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,identification_t *my_id)
+static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id)
 {
-       chunk_t id_chunk = my_id->get_encoding(my_id);
+       chunk_t id_chunk = my_id->get_data(my_id);
        u_int8_t id_with_header[4 + id_chunk.len];
        chunk_t id_with_header_chunk;
        chunk_t octets;
        u_int8_t *current_pos;
        prf_t *prf;
        
-       id_with_header[0] = my_id->get_type(my_id);
+       id_with_header[0] = my_id->get_id_type(my_id);
        id_with_header[1] = 0x00;
        id_with_header[2] = 0x00;
        id_with_header[3] = 0x00;
@@ -91,7 +91,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
        current_pos += other_nonce.len;
        prf->get_bytes(prf,id_with_header_chunk,current_pos);
        
-       this->logger->log_chunk(this->logger,RAW | MORE, "Octets (Mesage + Nonce + prf(Sk_px,Idx)",&octets);
+       this->logger->log_chunk(this->logger,RAW | MOST, "Octets (Mesage + Nonce + prf(Sk_px,Idx)",&octets);
        return octets;
 }
 
@@ -120,25 +120,25 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
 
 
 /**
- * Implementation of authenticator_t.verify_authentication.
+ * Implementation of authenticator_t.private_authenticator_t.
  */
-static status_t verify_authentication (private_authenticator_t *this,auth_method_t auth_method, chunk_t auth_data, chunk_t last_message, chunk_t other_nonce,identification_t *my_id,bool *verified)
+
+static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool *verified)
 {
-       switch(auth_method)
+       switch(auth_payload->get_auth_method(auth_payload))
        {
                case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
                {
-                       
                        chunk_t preshared_secret;
+                       chunk_t auth_data = auth_payload->get_data(auth_payload);
                        
                        preshared_secret.ptr = "secret";
                        preshared_secret.len = strlen(preshared_secret.ptr);
                        
-                       chunk_t octets = this->allocate_octets(this,last_message, other_nonce,my_id);
+                       chunk_t octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload);
                        chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this,octets,preshared_secret);
-
-                       allocator_free_chunk(&octets);                          
-
+                       allocator_free_chunk(&octets);
+                       
                        if (auth_data.len != my_auth_data.len)
                        {
                                *verified = FALSE;
@@ -164,33 +164,40 @@ static status_t verify_authentication (private_authenticator_t *this,auth_method
 }
 
 /**
- * Implementation of authenticator_t.allocate_auth_data.
+ * Implementation of authenticator_t.compute_auth_data.
  */
-static status_t allocate_auth_data (private_authenticator_t *this,auth_method_t auth_method,chunk_t last_message, chunk_t other_nonce,identification_t *my_id,chunk_t *auth_data)
+static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload)
 {
-       switch(auth_method)
+       
+/*     switch(auth_method)
        {
                case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
-               {
+               {*/
+
                        chunk_t preshared_secret;
                        
                        preshared_secret.ptr = "secret";
                        preshared_secret.len = strlen(preshared_secret.ptr);
                        
-                       chunk_t octets = this->allocate_octets(this,last_message, other_nonce,my_id);
-                       chunk_t my_auth_data = allocate_auth_data_with_preshared_secret(this,octets,preshared_secret);
-                       
+                       chunk_t octets = this->allocate_octets(this,last_sent_packet,other_nonce,my_id_payload);
+                       chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this,octets,preshared_secret);
+
+                       allocator_free_chunk(&octets);
+
+                       *auth_payload = auth_payload_create();
+                       (*auth_payload)->set_auth_method((*auth_payload),SHARED_KEY_MESSAGE_INTEGRITY_CODE);
+                       (*auth_payload)->set_data((*auth_payload),auth_data);
+
+                       allocator_free_chunk(&auth_data);
                        allocator_free_chunk(&octets);
-                       
-                       *auth_data = my_auth_data;
                        
                        return SUCCESS;
-               }
+/*             }
                default:
                {
                        return NOT_SUPPORTED;
                }
-       }
+       }*/
 }
 
 /**
@@ -210,8 +217,8 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
 
        /* Public functions */
        this->public.destroy = (void(*)(authenticator_t*))destroy;
-       this->public.verify_authentication = (status_t (*) (authenticator_t *,auth_method_t , chunk_t , chunk_t , chunk_t ,identification_t *,bool *) )verify_authentication;
-       this->public.allocate_auth_data = (status_t (*)  (authenticator_t *,auth_method_t ,chunk_t , chunk_t ,identification_t *,chunk_t *)) allocate_auth_data;
+       this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool *)) verify_auth_data;
+       this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *)) compute_auth_data;
        
        /* private functions */
        this->allocate_octets = allocate_octets;
index 3978cf1..06cb96d 100644 (file)
@@ -27,7 +27,8 @@
 
 #include <types.h>
 #include <encoding/payloads/auth_payload.h>
-#include <utils/identification.h>
+#include <encoding/payloads/id_payload.h>
+#include <network/packet.h>
 #include <sa/ike_sa.h>
 
 
@@ -51,7 +52,7 @@ struct authenticator_t {
         * @return
         *                                              - NOT_SUPPORTED if auth_method is not supported
         */
-       status_t (*verify_authentication) (authenticator_t *this,auth_method_t auth_method, chunk_t auth_data, chunk_t last_message, chunk_t other_nonce,identification_t *my_id,bool *verified);
+       status_t (*verify_auth_data) (authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool *verified);
 
        /**
         * @brief Verifying of given authentication data.
@@ -61,9 +62,7 @@ struct authenticator_t {
         * @return
         *                                              - NOT_SUPPORTED if auth_method is not supported
         */
-       status_t (*allocate_auth_data) (authenticator_t *this,auth_method_t auth_method,chunk_t last_message, chunk_t other_nonce,identification_t *my_id,chunk_t *auth_data);
-
-
+       status_t (*compute_auth_data) (authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload);
        /**
         * @brief Destroys a authenticator_t object.
         *
index 05f317f..1c18e3c 100644 (file)
@@ -784,20 +784,19 @@ static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t messag
 }
 
 /**
- * Implementation of protected_ike_sa_t.get_last_sent_message_data.
+ * Implementation of protected_ike_sa_t.get_last_responded_message.
  */
-static chunk_t get_last_sent_message_data (private_ike_sa_t *this)
+static message_t * get_last_responded_message (private_ike_sa_t *this)
 {
-       chunk_t last_sent_message_data = CHUNK_INITIALIZER;
-       packet_t *packet;
-       
-       if (this->last_requested_message != NULL)
-       {
-               packet = this->last_requested_message->get_packet(this->last_requested_message);
-               last_sent_message_data = packet->data;
-       }
-       
-       return last_sent_message_data;
+       return this->last_responded_message;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_last_requested_message.
+ */
+static message_t * get_last_requested_message (private_ike_sa_t *this)
+{
+       return this->last_requested_message;
 }
 
 /**
@@ -960,7 +959,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
        this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;     
        this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
-       this->protected.get_last_sent_message_data = (chunk_t (*) (protected_ike_sa_t *this)) get_last_sent_message_data;
+       this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
+       this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
+       
        this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
        
        /* private functions */
index c561b99..9402bf1 100644 (file)
@@ -329,16 +329,27 @@ struct protected_ike_sa_t {
        prf_t *(*get_prf) (protected_ike_sa_t *this);
        
        /**
-        * Gets the data of last sent message.
-        * 
-        * Data are not getting cloned.
-        * 
+        * Gets the last responded message.
+        *  
         * @param this                          calling object
-        * @return                                      chunk_t pointing to data
+        * @return                                      
+        *                                                      - last received as message_t object 
+        *                                                      - NULL if no last request available
         */
-       chunk_t (*get_last_sent_message_data) (protected_ike_sa_t *this);
+       message_t *(*get_last_responded_message) (protected_ike_sa_t *this);
        
        /**
+        * Gets the last requested message.
+        *  
+        * @param this                          calling object
+        * @return                                      
+        *                                                      - last sent as message_t object 
+        *                                                      - NULL if no last request available
+        */
+       message_t *(*get_last_requested_message) (protected_ike_sa_t *this);
+
+
+       /**
         * Gets the Shared key SK_pr.
         * 
         * Returned value is not cloned!
index cfbd986..33c050e 100644 (file)
@@ -60,6 +60,16 @@ struct private_ike_auth_requested_t {
         * Received nonce from responder
         */
        chunk_t received_nonce;
+       
+       /**
+        * Sent nonce in IKE_SA_INIT request.
+        */
+       chunk_t sent_nonce;
+       
+       /**
+        * IKE_SA_INIT-Request in binary form.
+        */
+       chunk_t ike_sa_init_reply_data;
         
        /**
         * Logger used to log data 
@@ -336,26 +346,28 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
  */
 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
 {
-       
-       chunk_t received_auth_data = auth_payload->get_data(auth_payload);
-       chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
-       bool verified;
-       identification_t *identification;
        authenticator_t *authenticator;
-       
-       identification = other_id_payload->get_identification(other_id_payload);
-       
+       status_t status;
+       bool verified;
+               
        /* TODO VERIFY auth here */
        authenticator = authenticator_create(this->ike_sa);
 
-       authenticator->verify_authentication(authenticator,auth_payload->get_auth_method(auth_payload),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
-       
+       status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,&verified);
        authenticator->destroy(authenticator);
-       
-       allocator_free_chunk(&received_auth_data);
-       
-       
-       /* TODO VERIFY auth here */
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Could not verify AUTH data. Error status: %s",mapping_find(status_m,status));
+               return FAILED;  
+       }
+
+       if (!verified)
+       {
+               this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified");
+               return FAILED;  
+       }
+
+       this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
        return SUCCESS; 
 }
 
@@ -415,13 +427,15 @@ static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
 static void destroy(private_ike_auth_requested_t *this)
 {
        allocator_free_chunk(&(this->received_nonce));
+       allocator_free_chunk(&(this->sent_nonce));
+       allocator_free_chunk(&(this->ike_sa_init_reply_data));  
        allocator_free(this);
 }
 
 /* 
  * Described in header.
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data)
 {
        private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
 
@@ -440,6 +454,8 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chun
        /* private data */
        this->ike_sa = ike_sa;
        this->received_nonce = received_nonce;
+       this->sent_nonce = sent_nonce;
+       this->ike_sa_init_reply_data = ike_sa_init_reply_data;
        this->logger = this->ike_sa->get_logger(this->ike_sa);
        
        return &(this->public);
index 5f1e042..c4caaca 100644 (file)
@@ -55,6 +55,6 @@ struct ike_auth_requested_t {
  * 
  * @ingroup states
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_repy_data);
 
 #endif /*IKE_AUTH_REQUESTED_H_*/
index 68e34a5..1013eae 100644 (file)
@@ -34,6 +34,7 @@
 #include <transforms/diffie_hellman.h>
 #include <sa/states/ike_auth_requested.h>
 #include <sa/states/initiator_init.h>
+#include <sa/authenticator.h>
 
 
 typedef struct private_ike_sa_init_requested_t private_ike_sa_init_requested_t;
@@ -74,6 +75,11 @@ struct private_ike_sa_init_requested_t {
        chunk_t received_nonce;
        
        /**
+        * Packet data of ike_sa_init request
+        */
+       chunk_t ike_sa_init_request_data;
+       
+       /**
         * DH group priority used to get dh_group_number from configuration manager.
         * 
         * Currently unused but usable if informational messages of unsupported dh group number are processed.
@@ -92,8 +98,11 @@ struct private_ike_sa_init_requested_t {
         * 
         * @param this          calling object
         * @param message       the created message will be stored at this location
+        * @return
+        *                                      - SUCCESS
+        *                                      - FAILED
         */
-       void (*build_ike_auth_request) (private_ike_sa_init_requested_t *this, message_t **message);
+       status_t (*build_ike_auth_request) (private_ike_sa_init_requested_t *this, message_t **message);
        
        /**
         * Builds the id payload for this state.
@@ -110,8 +119,11 @@ struct private_ike_sa_init_requested_t {
         * @param this          calling object
         * @param payload       The generated payload object of type auth_payload_t is 
         *                                      stored at this location.
+        * @return
+        *                                      - SUCCESS
+        *                                      - FAILED
         */
-       void (*build_auth_payload) (private_ike_sa_init_requested_t *this, payload_t **payload);
+       status_t (*build_auth_payload) (private_ike_sa_init_requested_t *this, payload_t **payload,id_payload_t *my_id_payload);
        
        /**
         * Builds the SA payload for this state.
@@ -156,6 +168,7 @@ struct private_ike_sa_init_requested_t {
 static status_t process_message(private_ike_sa_init_requested_t *this, message_t *ike_sa_init_reply)
 {
        ike_auth_requested_t *next_state;
+       chunk_t ike_sa_init_reply_data;
        exchange_type_t exchange_type;
        init_config_t *init_config;     
        u_int64_t responder_spi;
@@ -381,8 +394,14 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        this->ike_sa->compute_secrets(this->ike_sa,this->shared_secret,this->sent_nonce, this->received_nonce);
 
        /* build the complete IKE_AUTH request */
-       this->build_ike_auth_request (this,&request);
-
+       status = this->build_ike_auth_request (this,&request);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Could not build request message");
+               return DELETE_ME;
+       }
+       
+       
        /* message can now be sent (must not be destroyed) */
        status = this->ike_sa->send_request(this->ike_sa, request);
        if (status != SUCCESS)
@@ -394,9 +413,11 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        
        this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
 
+       ike_sa_init_reply_data = ike_sa_init_reply->get_packet_data(ike_sa_init_reply);
+
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
-       next_state = ike_auth_requested_create(this->ike_sa,this->received_nonce);
+       next_state = ike_auth_requested_create(this->ike_sa,this->sent_nonce,this->received_nonce,ike_sa_init_reply_data);
 
        /* state can now be changed */ 
        this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
@@ -412,10 +433,11 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 /**
  * implements private_ike_sa_init_requested_t.build_ike_auth_request
  */
-static void build_ike_auth_request (private_ike_sa_init_requested_t *this, message_t **request)
+static status_t build_ike_auth_request (private_ike_sa_init_requested_t *this, message_t **request)
 {
        payload_t *payload;
        message_t *message;
+       status_t status;
        
        /* going to build message */
        this->logger->log(this->logger, CONTROL|MOST, "Going to build empty message");
@@ -427,7 +449,14 @@ static void build_ike_auth_request (private_ike_sa_init_requested_t *this, messa
        message->add_payload(message, payload);
 
        /* build auth payload */
-       this->build_auth_payload(this, &payload);
+       status = this->build_auth_payload(this, &payload,(id_payload_t *) payload);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Could not create auth payload");
+               message->destroy(message);
+               return status;
+       }
+       
        this->logger->log(this->logger, CONTROL|MOST, "add AUTH payload to message");
        message->add_payload(message, payload);
        
@@ -447,6 +476,7 @@ static void build_ike_auth_request (private_ike_sa_init_requested_t *this, messa
        message->add_payload(message, payload); 
        
        *request = message;
+       return SUCCESS;
 }
 
 /**
@@ -469,19 +499,23 @@ static void build_id_payload (private_ike_sa_init_requested_t *this, payload_t *
 /**
  * Implementation of private_ike_sa_init_requested_t.build_auth_payload.
  */
-static void build_auth_payload (private_ike_sa_init_requested_t *this, payload_t **payload)
+static status_t build_auth_payload (private_ike_sa_init_requested_t *this, payload_t **payload,id_payload_t *my_id_payload)
 {
+       authenticator_t *authenticator;
        auth_payload_t *auth_payload;
-       sa_config_t *sa_config;
-
-       sa_config = this->ike_sa->get_sa_config(this->ike_sa);
-       auth_payload = auth_payload_create();
-       auth_payload->set_auth_method(auth_payload,sa_config->get_auth_method(sa_config));
-       /*
-        * TODO generate AUTH DATA 
-        */
-
+       status_t status;
+       
+       authenticator = authenticator_create(this->ike_sa);
+       status = authenticator->compute_auth_data(authenticator,&auth_payload,this->ike_sa_init_request_data,this->received_nonce,my_id_payload);       
+       authenticator->destroy(authenticator);
+       
+       if (status != SUCCESS)
+       {
+               return status;          
+       }
+       
        *payload = (payload_t *) auth_payload;
+       return SUCCESS;
 }
 
 /**
@@ -575,10 +609,10 @@ static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
        
        this->logger->log(this->logger, CONTROL | MOST, "Destroy diffie hellman object");
        this->diffie_hellman->destroy(this->diffie_hellman);
-       this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");  
-       allocator_free(this->sent_nonce.ptr);
-       this->logger->log(this->logger, CONTROL | MOST, "Destroy shared secret (secrets allready derived)");
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy shared secret");       
        allocator_free_chunk(&(this->shared_secret));
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy ike_sa_init_request_data");    
+       allocator_free_chunk(&(this->ike_sa_init_request_data));
        this->logger->log(this->logger, CONTROL | MOST, "Destroy object itself");
        allocator_free(this);   
 }
@@ -598,6 +632,8 @@ static void destroy(private_ike_sa_init_requested_t *this)
        allocator_free(this->received_nonce.ptr);
        this->logger->log(this->logger, CONTROL | MOST, "Destroy shared secret (secrets allready derived)");
        allocator_free_chunk(&(this->shared_secret));
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy ike_sa_init_request_data");    
+       allocator_free_chunk(&(this->ike_sa_init_request_data));
        this->logger->log(this->logger, CONTROL | MOST, "Destroy object itself");
        allocator_free(this);
 }
@@ -605,7 +641,7 @@ static void destroy(private_ike_sa_init_requested_t *this)
 /* 
  * Described in header.
  */
-ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, u_int16_t dh_group_priority, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce)
+ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, u_int16_t dh_group_priority, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce,chunk_t ike_sa_init_request_data)
 {
        private_ike_sa_init_requested_t *this = allocator_alloc_thing(private_ike_sa_init_requested_t);
        
@@ -630,6 +666,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
        this->logger = this->ike_sa->get_logger(this->ike_sa);
        this->diffie_hellman = diffie_hellman;
        this->sent_nonce = sent_nonce;
+       this->ike_sa_init_request_data = ike_sa_init_request_data;
        this->dh_group_priority = dh_group_priority;
        
        return &(this->public);
index 01bef93..d5de504 100644 (file)
@@ -53,6 +53,6 @@ struct ike_sa_init_requested_t {
  * 
  * @ingroup states
  */
-ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, u_int16_t dh_group_priority, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce);
+ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, u_int16_t dh_group_priority, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce, chunk_t ike_sa_init_request_data);
 
 #endif /*IKE_SA_INIT_REQUESTED_H_*/
index 6e7fb69..31d41cb 100644 (file)
@@ -57,6 +57,21 @@ struct private_ike_sa_init_responded_t {
        chunk_t received_nonce;
        
        /**
+        * Sent nonce.
+        */
+       chunk_t sent_nonce;
+       
+       /**
+        * Data of the IKE_SA_INIT response.
+        */
+       chunk_t ike_sa_init_response_data;
+
+       /**
+        * Data of the IKE_SA_INIT request.
+        */     
+       chunk_t ike_sa_init_request_data;
+       
+       /**
         * sa config to use
         */
        sa_config_t *sa_config;
@@ -68,9 +83,9 @@ struct private_ike_sa_init_responded_t {
         */
        logger_t *logger;
        
-       status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response);
+       status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response,id_payload_t **response_idr);
        status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
-       status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response);
+       status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
        status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
 };
 
@@ -84,7 +99,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
        crypter_t *crypter;
        iterator_t *payloads;
        exchange_type_t exchange_type;
-       id_payload_t *idi_request, *idr_request = NULL;
+       id_payload_t *idi_request, *idr_request = NULL,*idr_response;
        auth_payload_t *auth_request;
        sa_payload_t *sa_request;
        ts_payload_t *tsi_request, *tsr_request;
@@ -182,7 +197,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
        
        /* add payloads to it */
        
-       status = this->build_idr_payload(this, idi_request, idr_request, response);
+       status = this->build_idr_payload(this, idi_request, idr_request, response,&idr_response);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Building idr payload failed");
@@ -196,7 +211,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                response->destroy(response);
                return status;
        }
-       status = this->build_auth_payload(this, auth_request,idi_request, response);
+       status = this->build_auth_payload(this, auth_request,idi_request, idr_response,response);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Building auth payload failed");
@@ -240,7 +255,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 /**
  * Implements private_ike_sa_init_responded_t.build_idr_payload
  */
-static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response)
+static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response,id_payload_t **response_idr)
 {
        identification_t *other_id, *my_id = NULL;
        init_config_t *init_config;
@@ -280,7 +295,7 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
        /*  build response */
        idr_response = id_payload_create_from_identification(FALSE, my_id);
        response->add_payload(response, (payload_t*)idr_response);
-       
+       *response_idr = idr_response;
        
        return SUCCESS;
 }
@@ -331,37 +346,41 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
 /**
  * Implements private_ike_sa_init_responded_t.build_auth_payload
  */
-static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response)
+static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *auth_request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response)
 {
-       auth_payload_t *dummy;
-       u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03};
-       chunk_t auth_data;
-       auth_data.ptr = data;
-       auth_data.len = sizeof(data);
        authenticator_t *authenticator;
-       chunk_t received_auth_data = request->get_data(request);
-       chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
-       bool verified;
-       identification_t *identification;
-       
-       identification = other_id_payload->get_identification(other_id_payload);
+       auth_payload_t *auth_reply;
+       status_t status;
+       bool verified;  
        
-       /* TODO VERIFY auth here */
        authenticator = authenticator_create(this->ike_sa);
 
-       authenticator->verify_authentication(authenticator,request->get_auth_method(request),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
-       
+
+       status =  authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,&verified);
+
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
+               authenticator->destroy(authenticator);
+               return status;
+       }
+       if (!verified)
+       {
+               this->logger->log(this->logger, ERROR, "Verification of AUTH failed.");
+               authenticator->destroy(authenticator);
+               return FAILED;
+       }
+
+       status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload);
        authenticator->destroy(authenticator);
-       
-       allocator_free_chunk(&received_auth_data);
-       
-       dummy = auth_payload_create();
-       dummy->set_data(dummy, auth_data);
-       dummy->set_auth_method(dummy, RSA_DIGITAL_SIGNATURE);
-       
-       /* TODO replace dummy */
-       
-       response->add_payload(response, (payload_t *)dummy);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Could not compute AUTH payload.");
+               return FAILED;
+               
+       }
+
+       response->add_payload(response, (payload_t *)auth_reply);
        return SUCCESS; 
 }
 
@@ -427,14 +446,22 @@ static void destroy(private_ike_sa_init_responded_t *this)
 {
        this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object");
        
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
        allocator_free_chunk(&(this->received_nonce));
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
+       allocator_free_chunk(&(this->sent_nonce));
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy IKE_SA_INIT response octets");
+       allocator_free_chunk(&(this->ike_sa_init_response_data));
+       this->logger->log(this->logger, CONTROL | MOST, "Destroy IKE_SA_INIT request octets");
+       allocator_free_chunk(&(this->ike_sa_init_request_data));
+
        allocator_free(this);
 }
 
 /* 
  * Described in header.
  */
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce,chunk_t ike_sa_init_request_data, chunk_t ike_sa_init_response_data)
 {
        private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
 
@@ -452,6 +479,9 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
        /* private data */
        this->ike_sa = ike_sa;
        this->received_nonce = received_nonce;
+       this->sent_nonce = sent_nonce;
+       this->ike_sa_init_response_data = ike_sa_init_response_data;
+       this->ike_sa_init_request_data = ike_sa_init_request_data;
        this->logger = this->ike_sa->get_logger(this->ike_sa);
        
        return &(this->public);
index fdcc055..6dd6342 100644 (file)
@@ -54,6 +54,6 @@ struct ike_sa_init_responded_t {
  * 
  * @ingroup states
  */
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce,chunk_t sent_nonce,chunk_t ike_sa_init_request_data,chunk_t ike_sa_init_response_data);
 
 #endif /*IKE_SA_INIT_RESPONDED_H_*/
index 59a6a2e..e0a6092 100644 (file)
@@ -134,6 +134,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
        init_config_t *init_config;
        sa_config_t *sa_config;
        status_t status;
+
        
        this->logger->log(this->logger, CONTROL, "Initializing connection %s",name);
        
@@ -177,11 +178,13 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
 status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group_priority)
 {
        ike_sa_init_requested_t *next_state;
+       chunk_t ike_sa_init_request_data;
        init_config_t *init_config;
        randomizer_t *randomizer;
+       ike_sa_id_t *ike_sa_id;
        message_t *message;
        status_t status;
-       ike_sa_id_t *ike_sa_id;
+
        
        this->dh_group_priority = dh_group_priority;
                
@@ -218,10 +221,14 @@ status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group
                message->destroy(message);
                return DELETE_ME;
        }
+       
+       message = this->ike_sa->get_last_requested_message(this->ike_sa);
+       
+       ike_sa_init_request_data = message->get_packet_data(message);
 
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
-       next_state = ike_sa_init_requested_create(this->ike_sa, this->dh_group_priority, this->diffie_hellman, this->sent_nonce);
+       next_state = ike_sa_init_requested_create(this->ike_sa, this->dh_group_priority, this->diffie_hellman, this->sent_nonce,ike_sa_init_request_data);
 
        /* state can now be changed */ 
        this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
index 72e11e3..e112f42 100644 (file)
@@ -155,6 +155,8 @@ struct private_responder_init_t {
 static status_t process_message(private_responder_init_t *this, message_t *message)
 {
        ike_sa_init_responded_t *next_state;
+       chunk_t ike_sa_init_response_data;
+       chunk_t ike_sa_init_request_data;
        exchange_type_t exchange_type;
        host_t *source, *destination;
        init_config_t *init_config;
@@ -166,6 +168,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        host_t *my_host;
        status_t status;
 
+
        exchange_type = message->get_exchange_type(message);
        if (exchange_type != IKE_SA_INIT)
        {
@@ -357,12 +360,14 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                return DELETE_ME;
        }
 
-
-
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
 
-       next_state = ike_sa_init_responded_create(this->ike_sa, this->received_nonce);
+       response = this->ike_sa->get_last_responded_message(this->ike_sa);
+       ike_sa_init_response_data = response->get_packet_data(response);
+       ike_sa_init_request_data = message->get_packet_data(message);
+
+       next_state = ike_sa_init_responded_create(this->ike_sa, this->received_nonce, this->sent_nonce,ike_sa_init_request_data,ike_sa_init_response_data);
        
        /* state can now be changed */
        this->ike_sa->set_new_state(this->ike_sa, (state_t *) next_state);
@@ -534,8 +539,6 @@ static void destroy_after_state_change (private_responder_init_t *this)
                this->diffie_hellman->destroy(this->diffie_hellman);
        }
        
-       this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
-       allocator_free_chunk(&(this->sent_nonce));
        this->logger->log(this->logger, CONTROL | MOST, "Destroy object");      
        allocator_free(this);
 }
index 81e26d9..2815c63 100644 (file)
@@ -471,7 +471,7 @@ void test_parser_with_id_payload(tester_t *tester)
        {
                return; 
        }
-       result = id_payload->get_data(id_payload);
+       result = id_payload->get_data_clone(id_payload);
        tester->assert_true(tester,(id_payload->get_initiator(id_payload) == TRUE), "is IDi payload");
        tester->assert_true(tester,(id_payload->get_id_type(id_payload) == ID_IPV6_ADDR), "is ID_IPV6_ADDR ID type");
        tester->assert_true(tester,(result.len == 12), "parsed data lenght");
@@ -597,7 +597,7 @@ void test_parser_with_auth_payload(tester_t *tester)
        {
                return; 
        }
-       result = auth_payload->get_data(auth_payload);
+       result = auth_payload->get_data_clone(auth_payload);
        tester->assert_true(tester,(auth_payload->get_auth_method(auth_payload) == DSS_DIGITAL_SIGNATURE), "is DSS_DIGITAL_SIGNATURE method");
        tester->assert_true(tester,(result.len == 12), "parsed data lenght");
        tester->assert_false(tester,(memcmp(auth_bytes + 8, result.ptr, result.len)), "parsed nonce data");