author | Martin Willi <martin@strongswan.org> | 2009-04-14 10:34:24 +0000 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2009-04-14 10:34:24 +0000 |
commit | a44bb9345f0482b3dace19a27ee40320ddadc75f (patch) | |
tree | 34d75bd95b2868900213e13c31ddd892d2fd4904 /src/charon/sa/authenticators/psk_authenticator.c | |
parent | 6e5c8d9413234b18a0631cddadd973a9f509708b (diff) | |
merged multi-auth branch back into trunk
Diffstat (limited to 'src/charon/sa/authenticators/psk_authenticator.c')
-rw-r--r-- | src/charon/sa/authenticators/psk_authenticator.c | 139 |
1 files changed, 93 insertions, 46 deletions
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c index a3c84c491..45baa8e9c 100644 --- a/src/charon/sa/authenticators/psk_authenticator.c +++ b/src/charon/sa/authenticators/psk_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2008 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -16,13 +16,10 @@ * $Id$ */ -#include <string.h> - #include "psk_authenticator.h" #include <daemon.h> -#include <credentials/auth_info.h> - +#include <encoding/payloads/auth_payload.h> typedef struct private_psk_authenticator_t private_psk_authenticator_t; 
@@ -40,22 +37,74 @@ struct private_psk_authenticator_t { * Assigned IKE_SA */ ike_sa_t *ike_sa; + + /** + * nonce to include in AUTH calculation + */ + chunk_t nonce; + + /** + * IKE_SA_INIT message data to include in AUTH calculation + */ + chunk_t ike_sa_init; }; +/* + * Implementation of authenticator_t.build for builder + */ +static status_t build(private_psk_authenticator_t *this, message_t *message) +{ + identification_t *my_id, *other_id; + auth_payload_t *auth_payload; + shared_key_t *key; + chunk_t auth_data; + keymat_t *keymat; + + keymat = this->ike_sa->get_keymat(this->ike_sa); + my_id = this->ike_sa->get_my_id(this->ike_sa); + other_id = this->ike_sa->get_other_id(this->ike_sa); + DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + my_id, auth_method_names, AUTH_PSK); + key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, + my_id, other_id); + if (key == NULL) + { + DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + return NOT_FOUND; + } + auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, + this->nonce, key->get_key(key), my_id); + key->destroy(key); + DBG2(DBG_IKE, "successfully created shared key MAC"); + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, AUTH_PSK); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + message->add_payload(message, (payload_t*)auth_payload); + + return SUCCESS; +} + /** - * Implementation of authenticator_t.verify. 
+ * Implementation of authenticator_t.process for verifier */ -static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, - chunk_t my_nonce, auth_payload_t *auth_payload) +static status_t process(private_psk_authenticator_t *this, message_t *message) { chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; + auth_payload_t *auth_payload; + auth_cfg_t *auth; shared_key_t *key; enumerator_t *enumerator; bool authenticated = FALSE; int keys_found = 0; keymat_t *keymat; + auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); + if (!auth_payload) + { + return FAILED; + } keymat = this->ike_sa->get_keymat(this->ike_sa); recv_auth_data = auth_payload->get_data(auth_payload); my_id = this->ike_sa->get_my_id(this->ike_sa); @@ -66,8 +115,8 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, { keys_found++; - auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce, - key->get_key(key), other_id); + auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, + this->nonce, key->get_key(key), other_id); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%D' with %N successful", 
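Review bot: In the new `build`, the `auth_data` returned by `keymat->get_psk_sig` goes straight into the AUTH payload without a length check, while `process` in the same hunk treats `auth_data.len == 0` as a failed signature; an empty result would be sent as an empty AUTH payload instead of being reported. After `key->destroy(key);` add `if (!auth_data.len) { DBG1(DBG_IKE, "creating shared key MAC failed"); return FAILED; }`. Minor style point: the block comment above `build` opens with `/*` while the neighbouring `process` comment opens with `/**`. The body of `process` continues past the end of this hunk.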
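Review bot: The rewritten `get_psk_sig` call feeds `auth_data` into `chunk_equals(auth_data, recv_auth_data)` on the context line right below it; if `chunk_equals` is a plain `memcmp` wrapper (I cannot tell from here), the verifier compares a secret-derived MAC against peer-supplied data with an early-exit comparison, which leaks timing information about how many leading bytes matched. That comparison is pre-existing rather than introduced by this commit, so this is a follow-up note: a constant-time equality check for `recv_auth_data` would close it. The enclosing loop and `process` continue outside this hunk.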
@@ -89,42 +138,19 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, keys_found, keys_found == 1 ? "" : "s", my_id, other_id); return FAILED; } + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK); return SUCCESS; } /** - * Implementation of authenticator_t.build. + * Implementation of authenticator_t.process for builder + * Implementation of authenticator_t.build for verifier */ -static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init, - chunk_t other_nonce, auth_payload_t **auth_payload) +static status_t return_failed() { - identification_t *my_id, *other_id; - shared_key_t *key; - chunk_t auth_data; - keymat_t *keymat; - - keymat = this->ike_sa->get_keymat(this->ike_sa); - my_id = this->ike_sa->get_my_id(this->ike_sa); - other_id = this->ike_sa->get_other_id(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", - my_id, auth_method_names, AUTH_PSK); - key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, - my_id, other_id); - if (key == NULL) - { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); - return NOT_FOUND; - } - auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce, - key->get_key(key), my_id); - key->destroy(key); - DBG2(DBG_IKE, "successfully created shared key MAC"); - *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK); - (*auth_payload)->set_data(*auth_payload, auth_data); - - chunk_free(&auth_data); - return SUCCESS; + return FAILED; } /** 
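Review bot: `static status_t return_failed()` is declared with an empty parameter list, which in C11 is an old-style declaration with unspecified parameters; it is only reached through the `(status_t(*)(authenticator_t*, message_t*))` casts in the constructors, but it should at least read `static status_t return_failed(void)`. The comment above it lists two interface slots without saying why one function serves both; something like `/** Fail-closed stub: a builder never verifies and a verifier never builds, so the unused method of each returns FAILED. */` would make the intent clear. The new `auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);` is dereferenced immediately by `auth->add(...)`; if `get_auth_cfg` can return NULL for an IKE_SA without a configured auth round (I cannot tell from here), guard it before the call.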
@@ -138,17 +164,38 @@ static void destroy(private_psk_authenticator_t *this) /* * Described in header. */ -psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa) +psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, + chunk_t received_nonce, chunk_t sent_init) +{ + private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); + + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + + this->ike_sa = ike_sa; + this->ike_sa_init = sent_init; + this->nonce = received_nonce; + + return &this->public; +} + +/* + * Described in header. + */ +psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, + chunk_t sent_nonce, chunk_t received_init) { private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - /* public functions */ - this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; - this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; - this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; + this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed; + this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; + this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - /* private data */ this->ike_sa = ike_sa; + this->ike_sa_init = received_init; + this->nonce = sent_nonce; return &this->public; } + |
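Review bot: Both constructors store their chunk arguments by value (`this->ike_sa_init = sent_init;`, `this->nonce = received_nonce;` and the mirrored pair in the verifier) without cloning the data, so the authenticator keeps pointers into buffers it does not own; `destroy` is outside this hunk, but nothing here takes a copy, so the caller must keep those chunks alive until `build`/`process` has run. That contract belongs in the header next to the two constructors, e.g. `@param sent_init IKE_SA_INIT message data, not cloned, must outlive the authenticator`, with the same wording for the nonce parameters. Also, the verifier's build cast reads `message_t *messageh`; the parameter name in a cast is ignored, so this is harmless, but it should be `message_t *message` to match the builder's cast.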