authorJan Hutter <jhutter@hsr.ch>2005-12-02 19:26:01 +0000
committerJan Hutter <jhutter@hsr.ch>2005-12-02 19:26:01 +0000
commit0fdc3c7f0916288ca18ffcdb9efefdfb2c5c91d6 (patch)
treeffffbbdf76e41ea908f42fbf1bf665ad7ecf09cc /Source/charon/sa
parentcaa6b542c0c55b97bd531099bf01b854da10c3c4 (diff)
- started to implement authenticator_t
Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/Makefile.sa4
-rw-r--r--Source/charon/sa/ike_sa.c36
-rw-r--r--Source/charon/sa/ike_sa.h33
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c39
-rw-r--r--Source/charon/sa/states/ike_auth_requested.h3
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c4
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c32
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.h6
-rw-r--r--Source/charon/sa/states/responder_init.c5
9 files changed, 139 insertions, 23 deletions
diff --git a/Source/charon/sa/Makefile.sa b/Source/charon/sa/Makefile.sa
index 0badb15d2..b22a58b93 100644
--- a/Source/charon/sa/Makefile.sa
+++ b/Source/charon/sa/Makefile.sa
@@ -25,5 +25,9 @@ $(BUILD_DIR)ike_sa_manager.o : $(SA_DIR)ike_sa_manager.c $(SA_DIR)ike_sa_manager
OBJS+= $(BUILD_DIR)ike_sa.o
$(BUILD_DIR)ike_sa.o : $(SA_DIR)ike_sa.c $(SA_DIR)ike_sa.h
$(CC) $(CFLAGS) -c -o $@ $<
+
+OBJS+= $(BUILD_DIR)authenticator.o
+$(BUILD_DIR)authenticator.o : $(SA_DIR)authenticator.c $(SA_DIR)authenticator.h
+ $(CC) $(CFLAGS) -c -o $@ $<
include $(SA_DIR)states/Makefile.states \ No newline at end of file
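Review bot: The new rule compiles `$(SA_DIR)authenticator.c` against `$(SA_DIR)authenticator.h`, but neither file appears in this commit's diffstat even though it is limited to Source/charon/sa, where they would live; unless they were committed separately, the build now fails on missing sources. Committing authenticator.c/.h together with the rule that references them keeps each commit buildable.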
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index b9f80dfbb..05f317ff8 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -552,6 +552,22 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
}
/**
+ * Implementation of protected_ike_sa_t.get_prf.
+ */
+static prf_t *get_prf (private_ike_sa_t *this)
+{
+ return this->prf;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_key_pr.
+ */
+static chunk_t get_key_pr (private_ike_sa_t *this)
+{
+ return this->secrets.pr_key;
+}
+
+/**
* Implementation of protected_ike_sa_t.set_prf.
*/
static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
@@ -768,6 +784,23 @@ static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t messag
}
/**
+ * Implementation of protected_ike_sa_t.get_last_sent_message_data.
+ */
+static chunk_t get_last_sent_message_data (private_ike_sa_t *this)
+{
+ chunk_t last_sent_message_data = CHUNK_INITIALIZER;
+ packet_t *packet;
+
+ if (this->last_requested_message != NULL)
+ {
+ packet = this->last_requested_message->get_packet(this->last_requested_message);
+ last_sent_message_data = packet->data;
+ }
+
+ return last_sent_message_data;
+}
+
+/**
* Implementation of protected_ike_sa_t.reset_message_buffers.
*/
static void reset_message_buffers (private_ike_sa_t *this)
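Review bot: `get_last_sent_message_data` returns the data of `this->last_requested_message`, so its meaning depends on what that field holds; for an IKE_SA in the responder role the last request is a received message, not a sent one, so either the name or the source field looks wrong for that role — worth confirming against where `last_requested_message` is assigned, which is outside this hunk. The returned chunk also aliases `packet->data` rather than copying it, and `reset_message_buffers` is documented in the ike_sa.h hunk as destroying the stored messages, so the chunk becomes dangling once that runs. The header comment "Data are not getting cloned." should say so: `Valid only until reset_message_buffers() destroys the stored message; callers must not free it.`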
@@ -906,6 +939,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
/* protected functions */
this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
+ this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
+ this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
@@ -925,6 +960,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
+ this->protected.get_last_sent_message_data = (chunk_t (*) (protected_ike_sa_t *this)) get_last_sent_message_data;
this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
/* private functions */
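Review bot: The function-pointer cast on the new get_last_sent_message_data line names its parameter (`protected_ike_sa_t *this`), while every other cast in this block uses bare parameter types; drop the name for consistency: `this->protected.get_last_sent_message_data = (chunk_t (*) (protected_ike_sa_t *)) get_last_sent_message_data;`.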
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index b8a897af5..c561b99b1 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -35,8 +35,6 @@
#include <transforms/crypters/crypter.h>
#include <transforms/signers/signer.h>
-
-
/**
* Nonce size in bytes of all sent nonces
*
@@ -101,6 +99,8 @@ struct ike_sa_t {
typedef struct protected_ike_sa_t protected_ike_sa_t;
+
+
/**
* @brief Protected data of an ike_sa_t object.
*
@@ -319,6 +319,34 @@ struct protected_ike_sa_t {
* @return pointer to signer_t object
*/
signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the internal stored prf_t object.
+ *
+ * @param this calling object
+ * @return pointer to prf_t object
+ */
+ prf_t *(*get_prf) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the data of last sent message.
+ *
+ * Data are not getting cloned.
+ *
+ * @param this calling object
+ * @return chunk_t pointing to data
+ */
+ chunk_t (*get_last_sent_message_data) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the Shared key SK_pr.
+ *
+ * Returned value is not cloned!
+ *
+ * @param this calling object
+ * @return SK_pr key
+ */
+ chunk_t (*get_key_pr) (protected_ike_sa_t *this);
/**
* Resets message id counters and does destroy stored received and sent messages.
@@ -326,6 +354,7 @@ struct protected_ike_sa_t {
* @param this calling object
*/
void (*reset_message_buffers) (protected_ike_sa_t *this);
+
};
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index e43242180..cfbd986fe 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -32,6 +32,7 @@
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
+#include <sa/authenticator.h>
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
@@ -54,6 +55,11 @@ struct private_ike_auth_requested_t {
* SA config, just a copy of the one stored in the ike_sa
*/
sa_config_t *sa_config;
+
+ /**
+ * Received nonce from responder
+ */
+ chunk_t received_nonce;
/**
* Logger used to log data
@@ -75,7 +81,7 @@ struct private_ike_auth_requested_t {
/**
* process the AUTH payload (check authenticity of message)
*/
- status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload);
+ status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
/**
* process the TS payload (check if selected traffic selectors are valid)
@@ -223,7 +229,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
this->logger->log(this->logger, ERROR, "Processing sa payload failed");
return status;
}
- status = this->process_auth_payload(this, auth_payload);
+ status = this->process_auth_payload(this, auth_payload,idr_payload);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR, "Processing auth payload failed");
@@ -264,6 +270,10 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
configured_other_id = this->sa_config->get_other_id(this->sa_config);
if (configured_other_id)
{
+ this->logger->log(this->logger, CONTROL, "configured ID: %s, ID of responder: %s",
+ configured_other_id->get_string(configured_other_id),
+ other_id->get_string(other_id));
+
if (!other_id->equals(other_id, configured_other_id))
{
other_id->destroy(other_id);
@@ -324,8 +334,27 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
/**
* Implements private_ike_auth_requested_t.process_auth_payload
*/
-static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload)
+static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
{
+
+ chunk_t received_auth_data = auth_payload->get_data(auth_payload);
+ chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
+ bool verified;
+ identification_t *identification;
+ authenticator_t *authenticator;
+
+ identification = other_id_payload->get_identification(other_id_payload);
+
+ /* TODO VERIFY auth here */
+ authenticator = authenticator_create(this->ike_sa);
+
+ authenticator->verify_authentication(authenticator,auth_payload->get_auth_method(auth_payload),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
+
+ authenticator->destroy(authenticator);
+
+ allocator_free_chunk(&received_auth_data);
+
+
/* TODO VERIFY auth here */
return SUCCESS;
}
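Review bot: `process_auth_payload` discards the outcome of `verify_authentication`: neither its return status nor `verified` is examined, `verified` is never initialised, and the function returns SUCCESS unconditionally, so a responder whose AUTH payload fails verification is still accepted; build_auth_payload in ike_sa_init_responded.c has the same pattern. At minimum use `bool verified = FALSE;`, check the call's status, and add before the return `if (!verified) { this->logger->log(this->logger, ERROR, "Authentication of responder failed"); return FAILED; }`, and drop the duplicated "TODO VERIFY auth here" comment once the check is in. Separately, if authenticator_t follows RFC 4306 section 2.15, the responder's AUTH is computed over the IKE_SA_INIT response (the message this initiator received) together with the initiator's own nonce Ni, whereas the call passes get_last_sent_message_data and this->received_nonce — worth checking which message and nonce verify_authentication expects, since authenticator.h is not in this diff.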
@@ -385,13 +414,14 @@ static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
*/
static void destroy(private_ike_auth_requested_t *this)
{
+ allocator_free_chunk(&(this->received_nonce));
allocator_free(this);
}
/*
* Described in header.
*/
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa)
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
{
private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
@@ -409,6 +439,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa)
/* private data */
this->ike_sa = ike_sa;
+ this->received_nonce = received_nonce;
this->logger = this->ike_sa->get_logger(this->ike_sa);
return &(this->public);
diff --git a/Source/charon/sa/states/ike_auth_requested.h b/Source/charon/sa/states/ike_auth_requested.h
index ac2c4bade..5f1e04217 100644
--- a/Source/charon/sa/states/ike_auth_requested.h
+++ b/Source/charon/sa/states/ike_auth_requested.h
@@ -50,12 +50,11 @@ struct ike_auth_requested_t {
* Constructor of class ike_auth_requested_t
*
* @param ike_sa assigned ike_sa object
- * @param sent_nonce Sent nonce value
* @param received_nonce Received nonce value
* @return created ike_auth_requested_t object
*
* @ingroup states
*/
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa);
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
#endif /*IKE_AUTH_REQUESTED_H_*/
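Review bot: The doc comment for the new `received_nonce` parameter does not say who owns the chunk, although the .c side (destroy() frees it with allocator_free_chunk, and ike_sa_init_requested.c stops freeing it) shows that ownership passes to the created state. Document it: `@param received_nonce Received nonce value; ownership is transferred to the new state, which frees it in destroy()`. The same wording belongs on the `received_nonce` parameter in ike_sa_init_responded.h.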
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 806c024c5..68e34a5c0 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -396,7 +396,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
/* state can now be changed */
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
- next_state = ike_auth_requested_create(this->ike_sa);
+ next_state = ike_auth_requested_create(this->ike_sa,this->received_nonce);
/* state can now be changed */
this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
@@ -577,8 +577,6 @@ static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
this->diffie_hellman->destroy(this->diffie_hellman);
this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
allocator_free(this->sent_nonce.ptr);
- this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
- allocator_free(this->received_nonce.ptr);
this->logger->log(this->logger, CONTROL | MOST, "Destroy shared secret (secrets allready derived)");
allocator_free_chunk(&(this->shared_secret));
this->logger->log(this->logger, CONTROL | MOST, "Destroy object itself");
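Review bot: With the free of `received_nonce` removed from destroy_after_state_change, the chunk is only released if ike_auth_requested_create (earlier hunk in this file) is reached; on the error returns of process_message that precede that call, and if the object is torn down through its regular destroy instead of destroy_after_state_change, the nonce leaks unless some path outside these hunks frees it — worth checking. A simple way to keep the invariant is to clear the local copy at the hand-over point, `next_state = ike_auth_requested_create(this->ike_sa, this->received_nonce); this->received_nonce = CHUNK_INITIALIZER;`, and keep the free in the teardown paths, where it is then a no-op, assuming allocator_free_chunk tolerates a NULL ptr. responder_init.c makes the same change around ike_sa_init_responded_create and has the same gap.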
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 0399bc9a8..6e7fb69c4 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -24,6 +24,7 @@
#include <daemon.h>
#include <utils/allocator.h>
+#include <sa/authenticator.h>
#include <encoding/payloads/ts_payload.h>
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
@@ -51,6 +52,11 @@ struct private_ike_sa_init_responded_t {
protected_ike_sa_t *ike_sa;
/**
+ * Received nonce.
+ */
+ chunk_t received_nonce;
+
+ /**
* sa config to use
*/
sa_config_t *sa_config;
@@ -64,7 +70,7 @@ struct private_ike_sa_init_responded_t {
status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response);
status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
- status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response);
+ status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response);
status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
};
@@ -190,7 +196,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
response->destroy(response);
return status;
}
- status = this->build_auth_payload(this, auth_request, response);
+ status = this->build_auth_payload(this, auth_request,idi_request, response);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR, "Building auth payload failed");
@@ -325,15 +331,29 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
/**
* Implements private_ike_sa_init_responded_t.build_auth_payload
*/
-static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response)
+static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload, message_t *response)
{
auth_payload_t *dummy;
u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03};
chunk_t auth_data;
auth_data.ptr = data;
auth_data.len = sizeof(data);
+ authenticator_t *authenticator;
+ chunk_t received_auth_data = request->get_data(request);
+ chunk_t last_message_data = this->ike_sa->get_last_sent_message_data(this->ike_sa);
+ bool verified;
+ identification_t *identification;
+
+ identification = other_id_payload->get_identification(other_id_payload);
/* TODO VERIFY auth here */
+ authenticator = authenticator_create(this->ike_sa);
+
+ authenticator->verify_authentication(authenticator,request->get_auth_method(request),received_auth_data,last_message_data,this->received_nonce,identification,&verified);
+
+ authenticator->destroy(authenticator);
+
+ allocator_free_chunk(&received_auth_data);
dummy = auth_payload_create();
dummy->set_data(dummy, auth_data);
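Review bot: Verification of the initiator's AUTH now runs inside build_auth_payload, i.e. after the preceding build_* steps in process_message have already populated the response, and as in ike_auth_requested.c its outcome is not acted on, so the responder goes on to send its (still hard-coded) AUTH payload regardless of whether the peer authenticated. Move the verification into its own step, e.g. a `process_auth_payload(this, request, other_id_payload)` called before any response payload is built and returning an error when `verified` is false, and keep build_auth_payload to building the responder's own AUTH. The surrounding process_message and the rest of build_auth_payload lie outside this hunk, so confirm the order in which the response payloads are built.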
@@ -406,14 +426,15 @@ static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
static void destroy(private_ike_sa_init_responded_t *this)
{
this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object");
-
+
+ allocator_free_chunk(&(this->received_nonce));
allocator_free(this);
}
/*
* Described in header.
*/
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa)
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce)
{
private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
@@ -430,6 +451,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
/* private data */
this->ike_sa = ike_sa;
+ this->received_nonce = received_nonce;
this->logger = this->ike_sa->get_logger(this->ike_sa);
return &(this->public);
diff --git a/Source/charon/sa/states/ike_sa_init_responded.h b/Source/charon/sa/states/ike_sa_init_responded.h
index 1e7dd030a..fdcc055c7 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.h
+++ b/Source/charon/sa/states/ike_sa_init_responded.h
@@ -49,11 +49,11 @@ struct ike_sa_init_responded_t {
/**
* @brief Constructor of class ike_sa_init_responded_t
*
- * @param ike_sa assigned IKE_SA
- * @todo Params description
+ * @param ike_sa assigned IKE_SA
+ * @param received_nonce received nonce data
*
* @ingroup states
*/
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa);
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce);
#endif /*IKE_SA_INIT_RESPONDED_H_*/
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index 9409d57df..72e11e392 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -362,7 +362,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
/* state can now be changed */
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
- next_state = ike_sa_init_responded_create(this->ike_sa);
+ next_state = ike_sa_init_responded_create(this->ike_sa, this->received_nonce);
/* state can now be changed */
this->ike_sa->set_new_state(this->ike_sa, (state_t *) next_state);
@@ -536,9 +536,6 @@ static void destroy_after_state_change (private_responder_init_t *this)
this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
allocator_free_chunk(&(this->sent_nonce));
- this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
- allocator_free_chunk(&(this->received_nonce));
-
this->logger->log(this->logger, CONTROL | MOST, "Destroy object");
allocator_free(this);
}