Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/sa/authenticator.c | 8 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c | 39 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h | 3 |
3 files changed, 32 insertions, 18 deletions
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index 8d4b04b66..91bb7715f 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -133,7 +133,13 @@ authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
 case AUTH_XAUTH_RESP_RSA:
 return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
 initiator, dh, dh_value, sa_payload,
- id_payload);
+ id_payload, KEY_RSA);
+ case AUTH_ECDSA_256:
+ case AUTH_ECDSA_384:
+ case AUTH_ECDSA_521:
+ return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
+ initiator, dh, dh_value, sa_payload,
+ id_payload, KEY_ECDSA);
 case AUTH_HYBRID_INIT_RSA:
 case AUTH_HYBRID_RESP_RSA:
 return (authenticator_t*)hybrid_authenticator_create(ike_sa,
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 56fcf2c9d..8d3f21c49 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -60,6 +60,11 @@ struct private_pubkey_v1_authenticator_t {
 * Encoded ID payload, without fixed header
 */
 chunk_t id_payload;
+
+ /**
+ * Key type to use
+ */
+ key_type_t type;
 };
 METHOD(authenticator_t, build, status_t,
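Review bot: The three new cases `AUTH_ECDSA_256`, `AUTH_ECDSA_384` and `AUTH_ECDSA_521` all collapse to `KEY_ECDSA`, so the curve size implied by the negotiated method is dropped before the authenticator is created. In the hunks of pubkey_v1_authenticator.c, build() and process() then use `SIGN_ECDSA_WITH_NULL` with whatever ECDSA key the credential manager returns, so nothing visible here appears to reject a peer key on a smaller curve than the method that was negotiated. If that binding is not enforced elsewhere, consider passing the auth method (or the required key size) into the authenticator and comparing it with the key before accepting the signature; at minimum state the limitation in a comment such as `/* curve size of the negotiated ECDSA method is not checked here */`. The enclosing switch starts and ends outside the hunk.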
@@ -72,19 +77,20 @@ METHOD(authenticator_t, build, status_t,
 private_key_t *private;
 identification_t *id;
 auth_cfg_t *auth;
- key_type_t type;
- signature_scheme_t scheme;
+ signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_NULL;
- /* TODO-IKEv1: other key types */
- type = KEY_RSA;
- scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+ if (this->type == KEY_ECDSA)
+ {
+ scheme = SIGN_ECDSA_WITH_NULL;
+ }
 id = this->ike_sa->get_my_id(this->ike_sa);
 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
- private = lib->credmgr->get_private(lib->credmgr, type, id, auth);
+ private = lib->credmgr->get_private(lib->credmgr, this->type, id, auth);
 if (!private)
 {
- DBG1(DBG_IKE, "no private key found for '%Y'", id);
+ DBG1(DBG_IKE, "no %N private key found for '%Y'",
+ key_type_names, this->type, id);
 return NOT_FOUND;
 }
@@ -125,13 +131,13 @@ METHOD(authenticator_t, process, status_t,
 auth_cfg_t *auth, *current_auth;
 enumerator_t *enumerator;
 status_t status = NOT_FOUND;
- key_type_t type;
- signature_scheme_t scheme;
 identification_t *id;
+ signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_NULL;
- /* TODO-IKEv1: currently RSA only */
- type = KEY_RSA;
- scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+ if (this->type == KEY_ECDSA)
+ {
+ scheme = SIGN_ECDSA_WITH_NULL;
+ }
 sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
 if (!sig_payload)
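Review bot: `scheme` falls back to `SIGN_RSA_EMSA_PKCS1_NULL` for every `this->type` other than `KEY_ECDSA`, in build() here and again in the process() hunk at -125, and pubkey_v1_authenticator_create() stores `type` without checking it. A caller that passes any other key type would look up keys of that type and then sign or verify with the RSA scheme, which can only fail late and with a log line that points at the key rather than at the unsupported type. A `switch (this->type)` with explicit `KEY_RSA` and `KEY_ECDSA` arms and a `default:` that logs the type and returns `FAILED` would enforce the "KEY_RSA or KEY_ECDSA" contract stated in the header. Both method bodies continue outside their hunks.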
@@ -150,14 +156,14 @@ METHOD(authenticator_t, process, status_t,
 sig = sig_payload->get_hash(sig_payload);
 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
- enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, type,
+ enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
 id, auth);
 while (enumerator->enumerate(enumerator, &public, ¤t_auth))
 {
 if (public->verify(public, scheme, hash, sig))
 {
 DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
- id, key_type_names, type);
+ id, key_type_names, this->type);
 status = SUCCESS;
 auth->merge(auth, current_auth, FALSE);
 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
@@ -174,7 +180,7 @@ METHOD(authenticator_t, process, status_t,
 if (status != SUCCESS)
 {
 DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
- key_type_names, type, id);
+ key_type_names, this->type, id);
 }
 return status;
 }
@@ -192,7 +198,7 @@ METHOD(authenticator_t, destroy, void,
 pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
 bool initiator, diffie_hellman_t *dh,
 chunk_t dh_value, chunk_t sa_payload,
- chunk_t id_payload)
+ chunk_t id_payload, key_type_t type)
 {
 private_pubkey_v1_authenticator_t *this;
@@ -211,6 +217,7 @@ pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
 .dh_value = dh_value,
 .sa_payload = sa_payload,
 .id_payload = id_payload,
+ .type = type,
 );
 return &this->public;
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h
index bafc3a2b2..154d83c26 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h
@@ -46,11 +46,12 @@ struct pubkey_v1_authenticator_t {
 * @param sa_payload generated SA payload data, without payload header
 * @param id_payload encoded ID payload of peer to authenticate or verify
 * without payload header (gets owned)
+ * @param type key type to use, KEY_RSA or KEY_ECDSA
 * @return pubkey authenticator
 */
 pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
 bool initiator, diffie_hellman_t *dh,
 chunk_t dh_value, chunk_t sa_payload,
- chunk_t id_payload);
+ chunk_t id_payload, key_type_t type);
 #endif /** PUBKEY_V1_AUTHENTICATOR_H_ @}*/ |