aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon/sa/authenticator.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/sa/authenticator.c')
-rw-r--r--src/charon/sa/authenticator.c167
1 files changed, 48 insertions, 119 deletions
diff --git a/src/charon/sa/authenticator.c b/src/charon/sa/authenticator.c
index f605062c9..d7b994e66 100644
--- a/src/charon/sa/authenticator.c
+++ b/src/charon/sa/authenticator.c
@@ -47,7 +47,7 @@ struct private_authenticator_t {
authenticator_t public;
/**
- * Assigned IKE_SA. Needed to get objects of type prf_t and logger_t.
+ * Assigned IKE_SA
*/
ike_sa_t *ike_sa;
@@ -60,57 +60,10 @@ struct private_authenticator_t {
* PRF taken from the IKE_SA.
*/
prf_t *prf;
-
- /**
- * A logger for.
- *
- * Using logger of IKE_SA.
- */
- logger_t *logger;
-
- /**
- * @brief Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306.
- *
- * @param this calling object
- * @param last_message the last message to include in created octets
- * (either binary form of IKE_SA_INIT request or IKE_SA_INIT response)
- * @param other_nonce Nonce data received from other peer
- * @param id ID of signer
- * @param initiator Type of peer. TRUE, if it is original initiator, FALSE otherwise
- * @return octets as described in section 2.15. Memory gets allocated and has to get
- * destroyed by caller.
- */
- chunk_t (*build_tbs_octets) (private_authenticator_t *this,
- chunk_t last_message,
- chunk_t other_nonce,
- identification_t *id,
- bool initiator);
-
- /**
- * @brief Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- *
- * @param this calling object
- * @param last_message the last message
- * (either binary form of IKE_SA_INIT request or IKE_SA_INIT response)
- * @param nonce Nonce data to include in auth data compution
- * @param id ID of signer
- * @param initiator Type of peer. TRUE, if it is original initiator, FALSE otherwise
- * @param secret shared secret as chunk_t. If shared secret is a string,
- * the NULL termination is not included.
- * @return AUTH data as dscribed in section 2.15 for
- * AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- * Memory gets allocated and has to get destroyed by caller.
- */
- chunk_t (*build_shared_key_signature) (private_authenticator_t *this,
- chunk_t last_message,
- chunk_t nonce,
- identification_t *id,
- bool initiator,
- chunk_t secret);
};
/**
- * Implementation of private_authenticator_t.build_tbs_octets.
+ * Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306
*/
static chunk_t build_tbs_octets(private_authenticator_t *this,
chunk_t last_message,
@@ -156,7 +109,7 @@ static chunk_t build_tbs_octets(private_authenticator_t *this,
}
/**
- * Implementation of private_authenticator_t.build_shared_key_signature.
+ * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
*/
static chunk_t build_shared_key_signature(private_authenticator_t *this,
chunk_t last_message,
@@ -170,23 +123,18 @@ static chunk_t build_shared_key_signature(private_authenticator_t *this,
chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)};
chunk_t auth_data;
- chunk_t octets = this->build_tbs_octets(this, last_message, nonce, id, initiator);
+ chunk_t octets = build_tbs_octets(this, last_message, nonce, id, initiator);
/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
this->prf->set_key(this->prf, secret);
this->prf->get_bytes(this->prf, key_pad, key_buffer);
this->prf->set_key(this->prf, key);
this->prf->allocate_bytes(this->prf, octets, &auth_data);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "octets = message + nonce + prf(Sk_px, IDx')", octets);
- this->logger->log_chunk(this->logger, PRIVATE|LEVEL2,
- "secret", secret);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "keypad", key_pad);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "prf(secret, keypad)", key);
- this->logger->log_chunk(this->logger,RAW | LEVEL2,
- "AUTH = prf(prf(secret, keypad), octets)", auth_data);
+ DBG3(SIG_DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+ DBG3(SIG_DBG_IKE, "secret %B", &secret);
+ DBG3(SIG_DBG_IKE, "keypad %B", &key_pad);
+ DBG3(SIG_DBG_IKE, "prf(secret, keypad) %B", &key);
+ DBG3(SIG_DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
chunk_free(&octets);
return auth_data;
@@ -220,19 +168,15 @@ static status_t verify_auth_data (private_authenticator_t *this,
&shared_key);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "no shared key found for '%D' - '%D'",
- my_id, other_id);
+ DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
+ my_id, other_id);
chunk_free(&shared_key);
break;
}
- my_auth_data = this->build_shared_key_signature(this,
- last_received_packet,
- my_nonce,
- other_id,
- initiator,
- shared_key);
+ my_auth_data = build_shared_key_signature(this, last_received_packet,
+ my_nonce, other_id,
+ initiator, shared_key);
chunk_free(&shared_key);
@@ -251,15 +195,15 @@ static status_t verify_auth_data (private_authenticator_t *this,
if (public_key == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no RSA public key found for '%D'", other_id);
+ DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", other_id);
status = NOT_FOUND;
break;
}
- octets = this->build_tbs_octets(this, last_received_packet, my_nonce, other_id, initiator);
-
- status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ octets = build_tbs_octets(this, last_received_packet, my_nonce,
+ other_id, initiator);
+ status = public_key->verify_emsa_pkcs1_signature(public_key, octets,
+ auth_data);
chunk_free(&octets);
break;
}
@@ -269,9 +213,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
}
}
- this->logger->log(this->logger, CONTROL, "authentication of '%D' with %s %s",
- other_id, enum_name(&auth_method_names, auth_method),
- (status == SUCCESS)? "successful":"failed");
+ DBG1(SIG_DBG_IKE, "authentication of '%D' with %N %s",
+ other_id, auth_method_names, auth_method,
+ (status == SUCCESS)? "successful":"failed");
return status;
}
@@ -285,10 +229,9 @@ static status_t compute_auth_data (private_authenticator_t *this,
identification_t *my_id,
identification_t *other_id,
bool initiator)
-{
- this->logger->log(this->logger, CONTROL,
- "authentication of '%D' with %s (myself)",
- my_id, enum_name(&auth_method_names, this->auth_method));
+{
+ DBG1(SIG_DBG_IKE, "authentication of '%D' with %N (myself)",
+ my_id, auth_method_names, this->auth_method);
switch (this->auth_method)
{
@@ -304,21 +247,18 @@ static status_t compute_auth_data (private_authenticator_t *this,
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "no shared key found for '%D' - '%D'",
- my_id, other_id);
+ DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
+ my_id, other_id);
return status;
}
- auth_data = this->build_shared_key_signature(this,
- last_sent_packet,
- other_nonce,
- my_id,
- initiator,
- shared_key);
+ auth_data = build_shared_key_signature(this, last_sent_packet,
+ other_nonce, my_id,
+ initiator, shared_key);
chunk_free(&shared_key);
*auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
+ (*auth_payload)->set_auth_method(*auth_payload,
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE);
(*auth_payload)->set_data(*auth_payload, auth_data);
chunk_free(&auth_data);
@@ -326,44 +266,40 @@ static status_t compute_auth_data (private_authenticator_t *this,
}
case RSA_DIGITAL_SIGNATURE:
{
- char buf[BUF_LEN];
+ chunk_t chunk;
chunk_t octets;
chunk_t auth_data;
status_t status;
rsa_public_key_t *my_pubkey;
rsa_private_key_t *my_key;
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "looking for RSA public key belonging to '%D'",
+ DBG2(SIG_DBG_IKE, "looking for RSA public key belonging to '%D'",
my_id);
my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
if (my_pubkey == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no RSA public key found for '%D'", my_id);
+ DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", my_id);
return NOT_FOUND;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "matching RSA public key found");
+ DBG2(SIG_DBG_IKE, "matching RSA public key found");
- chunk_to_hex(buf, BUF_LEN, my_pubkey->get_keyid(my_pubkey));
- this->logger->log(this->logger, CONTROL|LEVEL1, "looking for RSA private key with keyid %s", buf);
+ chunk = my_pubkey->get_keyid(my_pubkey);
+ DBG2(SIG_DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
if (my_key == NULL)
{
- char buf[BUF_LEN];
-
- chunk_to_hex(buf, BUF_LEN, my_pubkey->get_keyid(my_pubkey));
- this->logger->log(this->logger, ERROR,
- "no RSA private key found with for %D with keyid %s",
- my_id, buf);
+ DBG1(SIG_DBG_IKE, "no RSA private key found with for %D with keyid %#B",
+ my_id, &chunk);
return NOT_FOUND;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "matching RSA private key found");
+ DBG2(SIG_DBG_IKE, "matching RSA private key found");
- octets = this->build_tbs_octets(this, last_sent_packet, other_nonce, my_id, initiator);
- status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+ octets = build_tbs_octets(this, last_sent_packet, other_nonce,
+ my_id, initiator);
+ status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1,
+ octets, &auth_data);
chunk_free(&octets);
if (status != SUCCESS)
@@ -371,7 +307,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
my_key->destroy(my_key);
return status;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "successfully signed with RSA private key");
+ DBG2(SIG_DBG_IKE, "successfully signed with RSA private key");
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
@@ -405,20 +341,13 @@ authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_metho
/* Public functions */
this->public.destroy = (void(*)(authenticator_t*))destroy;
- this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,
- chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
- this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,
- chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
-
- /* private functions */
- this->build_tbs_octets = build_tbs_octets;
- this->build_shared_key_signature = build_shared_key_signature;
+ this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
+ this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
/* private data */
this->ike_sa = ike_sa;
this->auth_method = auth_method;
this->prf = this->ike_sa->get_prf(this->ike_sa);
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &(this->public);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-12 17:59:51 +0000