Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs
This commit is contained in:
parent
d786cbda5c
commit
a77bbc3b8c
|
@ -128,6 +128,7 @@ ARG_DISBL_SET([pkcs7], [disable PKCS7 container support plugin.])
|
|||
ARG_DISBL_SET([pkcs8], [disable PKCS8 private key decoding plugin.])
|
||||
ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.])
|
||||
ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.])
|
||||
ARG_ENABL_SET([ipseckey], [enable IPSECKEY authentication plugin.])
|
||||
ARG_DISBL_SET([pem], [disable PEM decoding plugin.])
|
||||
ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
|
||||
ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.])
|
||||
|
@ -943,6 +944,7 @@ ADD_PLUGIN([pkcs7], [s scepclient pki])
|
|||
ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm])
|
||||
ADD_PLUGIN([pgp], [s charon])
|
||||
ADD_PLUGIN([dnskey], [s charon])
|
||||
ADD_PLUGIN([ipseckey], [c charon])
|
||||
ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm])
|
||||
ADD_PLUGIN([padlock], [s charon])
|
||||
ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm])
|
||||
|
@ -1096,6 +1098,7 @@ AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
|
|||
AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
|
||||
AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
|
||||
AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
|
||||
AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
|
||||
AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
|
||||
AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
|
||||
AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
|
||||
|
@ -1335,6 +1338,7 @@ AC_CONFIG_FILES([
|
|||
src/libcharon/plugins/farp/Makefile
|
||||
src/libcharon/plugins/smp/Makefile
|
||||
src/libcharon/plugins/sql/Makefile
|
||||
src/libcharon/plugins/ipseckey/Makefile
|
||||
src/libcharon/plugins/medsrv/Makefile
|
||||
src/libcharon/plugins/medcli/Makefile
|
||||
src/libcharon/plugins/addrblock/Makefile
|
||||
|
|
|
@ -212,6 +212,13 @@ if MONOLITHIC
|
|||
endif
|
||||
endif
|
||||
|
||||
if USE_IPSECKEY
|
||||
SUBDIRS += plugins/ipseckey
|
||||
if MONOLITHIC
|
||||
libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
|
||||
endif
|
||||
endif
|
||||
|
||||
if USE_UPDOWN
|
||||
SUBDIRS += plugins/updown
|
||||
if MONOLITHIC
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
|
||||
INCLUDES = \
|
||||
-I$(top_srcdir)/src/libstrongswan \
|
||||
-I$(top_srcdir)/src/libhydra \
|
||||
-I$(top_srcdir)/src/libcharon
|
||||
|
||||
if MONOLITHIC
|
||||
noinst_LTLIBRARIES = libstrongswan-ipseckey.la
|
||||
else
|
||||
plugin_LTLIBRARIES = libstrongswan-ipseckey.la
|
||||
endif
|
||||
|
||||
libstrongswan_ipseckey_la_SOURCES = \
|
||||
ipseckey_plugin.h ipseckey_plugin.c \
|
||||
ipseckey_cred.h ipseckey_cred.c \
|
||||
ipseckey.h ipseckey.c
|
||||
|
||||
libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
|
|
@ -0,0 +1,211 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "ipseckey.h"
|
||||
|
||||
#include <library.h>
|
||||
#include <utils/debug.h>
|
||||
#include <bio/bio_reader.h>
|
||||
|
||||
typedef struct private_ipseckey_t private_ipseckey_t;
|
||||
|
||||
/**
|
||||
* private data of the ipseckey
|
||||
*/
|
||||
struct private_ipseckey_t {
|
||||
|
||||
/**
|
||||
* public functions
|
||||
*/
|
||||
ipseckey_t public;
|
||||
|
||||
/**
|
||||
* Precedence
|
||||
*/
|
||||
u_int8_t precedence;
|
||||
|
||||
/**
|
||||
* Gateway type
|
||||
*/
|
||||
u_int8_t gateway_type;
|
||||
|
||||
/**
|
||||
* Algorithm
|
||||
*/
|
||||
u_int8_t algorithm;
|
||||
|
||||
/**
|
||||
* Gateway
|
||||
*/
|
||||
chunk_t gateway;
|
||||
|
||||
/**
|
||||
* Public key
|
||||
*/
|
||||
chunk_t public_key;
|
||||
};
|
||||
|
||||
METHOD(ipseckey_t, get_precedence, u_int8_t,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
return this->precedence;
|
||||
}
|
||||
|
||||
METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
return this->gateway_type;
|
||||
}
|
||||
|
||||
METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
return this->algorithm;
|
||||
}
|
||||
|
||||
METHOD(ipseckey_t, get_gateway, chunk_t,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
return this->gateway;
|
||||
}
|
||||
|
||||
METHOD(ipseckey_t, get_public_key, chunk_t,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
return this->public_key;
|
||||
}
|
||||
|
||||
METHOD(ipseckey_t, destroy, void,
|
||||
private_ipseckey_t *this)
|
||||
{
|
||||
chunk_free(&this->gateway);
|
||||
chunk_free(&this->public_key);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* See header
|
||||
*/
|
||||
ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
|
||||
{
|
||||
private_ipseckey_t *this;
|
||||
bio_reader_t *reader = NULL;
|
||||
u_int8_t label;
|
||||
chunk_t tmp;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.get_precedence = _get_precedence,
|
||||
.get_gateway_type = _get_gateway_type,
|
||||
.get_algorithm = _get_algorithm,
|
||||
.get_gateway = _get_gateway,
|
||||
.get_public_key = _get_public_key,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
);
|
||||
|
||||
if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
|
||||
{
|
||||
DBG1(DBG_CFG, "unable to create an ipseckey out of a RR "
|
||||
"whose type is not IPSECKEY");
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/** Parse the content (RDATA field) of the RR */
|
||||
reader = bio_reader_create(rr->get_rdata(rr));
|
||||
if (!reader->read_uint8(reader, &this->precedence) ||
|
||||
!reader->read_uint8(reader, &this->gateway_type) ||
|
||||
!reader->read_uint8(reader, &this->algorithm))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey RR has a wrong format");
|
||||
reader->destroy(reader);
|
||||
free(this);
|
||||
}
|
||||
|
||||
switch (this->gateway_type)
|
||||
{
|
||||
case IPSECKEY_GW_TP_NOT_PRESENT:
|
||||
break;
|
||||
|
||||
case IPSECKEY_GW_TP_IPV4:
|
||||
if (!reader->read_data(reader, 4, &this->gateway))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv4 "
|
||||
"address as expected");
|
||||
reader->destroy(reader);
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
this->gateway = chunk_clone(this->gateway);
|
||||
break;
|
||||
|
||||
case IPSECKEY_GW_TP_IPV6:
|
||||
if (!reader->read_data(reader, 16, &this->gateway))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv6 "
|
||||
"address as expected");
|
||||
reader->destroy(reader);
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
this->gateway = chunk_clone(this->gateway);
|
||||
break;
|
||||
|
||||
case IPSECKEY_GW_TP_WR_ENC_DNAME:
|
||||
/**
|
||||
* Uncompressed domain name as defined in RFC 1035 chapter 3.
|
||||
*
|
||||
* TODO: Currently we ignore wire encoded domain names.
|
||||
*
|
||||
*/
|
||||
while(reader->read_uint8(reader, &label) && label != 0 &&
|
||||
label < 192)
|
||||
{
|
||||
if(!reader->read_data(reader, label, &tmp))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey gateway field: Wire encoded "
|
||||
"domain name has the wrong format");
|
||||
reader->destroy(reader);
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
DBG1(DBG_CFG, "ipseckey gateway field: Unable to parse the "
|
||||
"ipseckey gateway field. The gateway type field "
|
||||
"indicates an unknown gateway type");
|
||||
reader->destroy(reader);
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!reader->read_data(reader, reader->remaining(reader),
|
||||
&this->public_key))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey public key field: Failure while reading "
|
||||
"the public key");
|
||||
reader->destroy(reader);
|
||||
chunk_free(&this->gateway);
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
this->public_key = chunk_clone(this->public_key);
|
||||
reader->destroy(reader);
|
||||
return &this->public;
|
||||
}
|
||||
|
|
@ -0,0 +1,149 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup ipseckey_cred_i ipseckey
|
||||
* @{ @ingroup ipseckey
|
||||
*/
|
||||
|
||||
#ifndef IPSECKEY_H_
|
||||
#define IPSECKEY_H_
|
||||
|
||||
typedef struct ipseckey_t ipseckey_t;
|
||||
typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
|
||||
typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
|
||||
|
||||
#include <library.h>
|
||||
|
||||
/**
|
||||
* IPSECKEY gateway types as defined in RFC 4025.
|
||||
*/
|
||||
enum ipseckey_gw_type_t {
|
||||
/** No gateway is present */
|
||||
IPSECKEY_GW_TP_NOT_PRESENT = 0,
|
||||
/** A 4-byte IPv4 address is present */
|
||||
IPSECKEY_GW_TP_IPV4 = 1,
|
||||
/** A 16-byte IPv6 address is present */
|
||||
IPSECKEY_GW_TP_IPV6 = 2,
|
||||
/** A wire-encoded domain name is present */
|
||||
IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
|
||||
};
|
||||
|
||||
/**
|
||||
* IPSECKEY algorithms as defined in RFC 4025.
|
||||
*/
|
||||
enum ipseckey_algorithm_t {
|
||||
/** No key present */
|
||||
IPSECKEY_ALGORITHM_NONE = 0,
|
||||
/** DSA key */
|
||||
IPSECKEY_ALGORITHM_DSA = 1,
|
||||
/** RSA key */
|
||||
IPSECKEY_ALGORITHM_RSA = 2,
|
||||
};
|
||||
|
||||
/**
|
||||
* An IPSECKEY.
|
||||
*
|
||||
* Represents an IPSECKEY as defined in RFC 4025:
|
||||
*
|
||||
* 0 1 2 3
|
||||
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
* | precedence | gateway type | algorithm | gateway |
|
||||
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
|
||||
* ~ gateway ~
|
||||
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
* | /
|
||||
* / public key /
|
||||
* / /
|
||||
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
|
||||
*
|
||||
*
|
||||
* Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
|
||||
* We use 8 bits instead, because the use of 7 bits is very uncommon
|
||||
* in internet protocols and might be an error in RFC 4025
|
||||
* (also the BIND DNS server uses 8 bits for the algorithm field of the
|
||||
* IPSECKEY resource records).
|
||||
*
|
||||
*/
|
||||
struct ipseckey_t {
|
||||
|
||||
/**
|
||||
* Get the precedence of the IPSECKEY.
|
||||
*
|
||||
* @return precedence
|
||||
*/
|
||||
u_int8_t (*get_precedence)(ipseckey_t *this);
|
||||
|
||||
/**
|
||||
* Get the type of the gateway.
|
||||
*
|
||||
* The "gateway type" determines the format of the gateway field
|
||||
* of the IPSECKEY.
|
||||
*
|
||||
* @return gateway type
|
||||
*/
|
||||
ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
|
||||
|
||||
/**
|
||||
* Get the algorithm.
|
||||
*
|
||||
* The "algorithm" determines the format of the public key field
|
||||
* of the IPSECKEY.
|
||||
*
|
||||
* @return algorithm
|
||||
*/
|
||||
ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
|
||||
|
||||
/**
|
||||
* Get the content of the gateway field as chunk.
|
||||
*
|
||||
* The content is in network byte order and its format depends on the
|
||||
* gateway type.
|
||||
*
|
||||
* The data pointed by the chunk is still owned by the IPSECKEY.
|
||||
* Clone it if necessary.
|
||||
*
|
||||
* @return gateway field as chunk
|
||||
*/
|
||||
chunk_t (*get_gateway)(ipseckey_t *this);
|
||||
|
||||
/**
|
||||
* Get the content of the public key field as chunk.
|
||||
*
|
||||
* The format of the public key depends on the algorithm type.
|
||||
*
|
||||
* The data pointed by the chunk is still owned by the IPSECKEY.
|
||||
* Clone it if necessary.
|
||||
*
|
||||
* @return public key field as chunk
|
||||
*/
|
||||
chunk_t (*get_public_key)(ipseckey_t *this);
|
||||
|
||||
/**
|
||||
* Destroy the IPSECKEY.
|
||||
*/
|
||||
void (*destroy) (ipseckey_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create an ipseckey instance out of a resource record.
|
||||
*
|
||||
* @param rr resource record which contains an IPSECKEY
|
||||
* @return ipseckey, NULL on failure
|
||||
*/
|
||||
ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
|
||||
|
||||
#endif /** IPSECKEY_H_ @}*/
|
|
@ -0,0 +1,278 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "ipseckey_cred.h"
|
||||
#include "ipseckey.h"
|
||||
|
||||
#include <bio/bio_reader.h>
|
||||
#include <daemon.h>
|
||||
|
||||
typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
|
||||
|
||||
/**
|
||||
* Private data of an ipseckey_cred_t object
|
||||
*/
|
||||
struct private_ipseckey_cred_t {
|
||||
|
||||
/**
|
||||
* Public part
|
||||
*/
|
||||
ipseckey_cred_t public;
|
||||
|
||||
/**
|
||||
* DNS resolver
|
||||
*/
|
||||
resolver_t *res;
|
||||
};
|
||||
|
||||
/**
|
||||
* enumerator over certificates
|
||||
*/
|
||||
typedef struct {
|
||||
/** implements enumerator interface */
|
||||
enumerator_t public;
|
||||
/** inner enumerator (enumerates IPSECKEY resource records) */
|
||||
enumerator_t *inner;
|
||||
/** response of the DNS resolver which contains the IPSECKEYs */
|
||||
resolver_response_t *response;
|
||||
/* IPSECKEYs are not valid before this point in time */
|
||||
time_t notBefore;
|
||||
/* IPSECKEYs are not valid after this point in time */
|
||||
time_t notAfter;
|
||||
/* identity to which the IPSECKEY belongs */
|
||||
identification_t *identity;
|
||||
} cert_enumerator_t;
|
||||
|
||||
METHOD(enumerator_t, cert_enumerator_enumerate, bool,
|
||||
cert_enumerator_t *this, certificate_t **cert)
|
||||
{
|
||||
rr_t *cur_rr = NULL;
|
||||
ipseckey_t *cur_ipseckey = NULL;
|
||||
chunk_t pub_key;
|
||||
public_key_t * key = NULL;
|
||||
bool supported_ipseckey_found = FALSE;
|
||||
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Enumerating over IPSECKEY certificates");
|
||||
|
||||
/* Get the next supported IPSECKEY using the inner enumerator. */
|
||||
while (this->inner->enumerate(this->inner, &cur_rr) &&
|
||||
!supported_ipseckey_found)
|
||||
{
|
||||
supported_ipseckey_found = TRUE;
|
||||
|
||||
cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
|
||||
|
||||
if (!cur_ipseckey)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Error while parsing an IPSECKEY. "
|
||||
"Skipping this key");
|
||||
supported_ipseckey_found = FALSE;
|
||||
}
|
||||
|
||||
if (cur_ipseckey &&
|
||||
cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Skipping an IPSECKEY which uses an "
|
||||
"unsupported algorithm");
|
||||
cur_ipseckey->destroy(cur_ipseckey);
|
||||
supported_ipseckey_found = FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
if (supported_ipseckey_found)
|
||||
{
|
||||
/*
|
||||
* Wrap the key of the IPSECKEY in a certificate and return this
|
||||
* certificate.
|
||||
*/
|
||||
pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
|
||||
|
||||
key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
|
||||
BUILD_BLOB_DNSKEY, pub_key,
|
||||
BUILD_END);
|
||||
|
||||
if (!key)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Failed to create a public key "
|
||||
"from the IPSECKEY");
|
||||
cur_ipseckey->destroy(cur_ipseckey);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
|
||||
CERT_TRUSTED_PUBKEY,
|
||||
BUILD_PUBLIC_KEY, key,
|
||||
BUILD_SUBJECT, this->identity,
|
||||
BUILD_NOT_BEFORE_TIME, this->notBefore,
|
||||
BUILD_NOT_AFTER_TIME, this->notAfter,
|
||||
BUILD_END);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
METHOD(enumerator_t, cert_enumerator_destroy, void,
|
||||
cert_enumerator_t *this)
|
||||
{
|
||||
this->inner->destroy(this->inner);
|
||||
this->response->destroy(this->response);
|
||||
free(this);
|
||||
}
|
||||
|
||||
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
|
||||
private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
|
||||
identification_t *id, bool trusted)
|
||||
{
|
||||
char *fqdn = NULL;
|
||||
resolver_response_t *response = NULL;
|
||||
rr_set_t *rrset = NULL;
|
||||
enumerator_t *rrsig_enum = NULL;
|
||||
rr_t *rrsig = NULL;
|
||||
bio_reader_t *reader = NULL;
|
||||
chunk_t ignore;
|
||||
u_int32_t nBefore, nAfter;
|
||||
cert_enumerator_t *e;
|
||||
|
||||
if (id && id->get_type(id) == ID_FQDN)
|
||||
{
|
||||
/** Query the DNS for the required IPSECKEY RRs */
|
||||
|
||||
if (0 >= asprintf(&fqdn, "%Y", id))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: ID is empty");
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Performing a DNS query for the IPSECKEY "
|
||||
"RRs of the domain %s", fqdn);
|
||||
|
||||
response = this->res->query(this->res, fqdn, RR_CLASS_IN,
|
||||
RR_TYPE_IPSECKEY);
|
||||
if (!response)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: DNS query failed");
|
||||
free(fqdn);
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
if (!response->has_data(response) ||
|
||||
!response->query_name_exist(response) ||
|
||||
!(response->get_security_state(response) == SECURE) )
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Unable to retrieve IPSECKEY RRs "
|
||||
"for the domain %s from the DNS", fqdn);
|
||||
response->destroy(response);
|
||||
free(fqdn);
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
free(fqdn);
|
||||
|
||||
/** Determine the validity period of the retrieved IPSECKEYs
|
||||
*
|
||||
* We use the "Signature Inception" and "Signature Expiration" field
|
||||
* of the RRSIG resource record to determine the validity period of the
|
||||
* IPSECKEY RRs.
|
||||
*/
|
||||
rrset = response->get_rr_set(response);
|
||||
rrsig_enum = rrset->create_rrsig_enumerator(rrset);
|
||||
if (!rrsig_enum)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
|
||||
"period of the RRs, because there are "
|
||||
"no RRSIGs present");
|
||||
response->destroy(response);
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
/**
|
||||
* Currently we use the first RRSIG of the IPSECKEY RRset
|
||||
* to determine the validity period of the IPSECKEYs.
|
||||
* TODO: Take multiple RRSIGs into account.
|
||||
*/
|
||||
if (!rrsig_enum->enumerate(rrsig_enum, &rrsig))
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
|
||||
"period of the IPSECKEY RRs, because there are "
|
||||
"no RRSIGs present");
|
||||
rrsig_enum->destroy(rrsig_enum);
|
||||
response->destroy(response);
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
/**
|
||||
* Parse the RRSIG for its validity period.
|
||||
* For the format of a RRSIG see RFC 4034.
|
||||
*/
|
||||
reader = bio_reader_create(rrsig->get_rdata(rrsig));
|
||||
reader->read_data(reader, 8, &ignore);
|
||||
reader->read_uint32(reader, &nAfter);
|
||||
reader->read_uint32(reader, &nBefore);
|
||||
reader->destroy(reader);
|
||||
|
||||
/** Create and return an iterator over the retrieved IPSECKEYs */
|
||||
INIT(e,
|
||||
.public = {
|
||||
.enumerate = (void*)_cert_enumerator_enumerate,
|
||||
.destroy = _cert_enumerator_destroy,
|
||||
},
|
||||
.inner = response->get_rr_set(response)->create_rr_enumerator(
|
||||
response->get_rr_set(response)),
|
||||
.response = response,
|
||||
.notBefore = nBefore,
|
||||
.notAfter = nAfter,
|
||||
.identity = id,
|
||||
);
|
||||
|
||||
return &e->public;
|
||||
}
|
||||
|
||||
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
METHOD(ipseckey_cred_t, destroy, void,
|
||||
private_ipseckey_cred_t *this)
|
||||
{
|
||||
this->res->destroy(this->res);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
|
||||
{
|
||||
private_ipseckey_cred_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.set = {
|
||||
.create_private_enumerator = (void*)return_null,
|
||||
.create_cert_enumerator = _create_cert_enumerator,
|
||||
.create_shared_enumerator = (void*)return_null,
|
||||
.create_cdp_enumerator = (void*)return_null,
|
||||
.cache_cert = (void*)nop,
|
||||
},
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.res = res,
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup ipseckey_cred_i ipseckey_cred
|
||||
* @{ @ingroup ipseckey
|
||||
*/
|
||||
|
||||
#ifndef IPSECKEY_CRED_H_
|
||||
#define IPSECKEY_CRED_H_
|
||||
|
||||
#include <credentials/credential_set.h>
|
||||
#include <resolver/resolver.h>
|
||||
|
||||
typedef struct ipseckey_cred_t ipseckey_cred_t;
|
||||
|
||||
/**
|
||||
* IPSECKEY credential set.
|
||||
*
|
||||
* The ipseckey credential set contains IPSECKEYs as certificates of type
|
||||
* pubkey_cert_t.
|
||||
*/
|
||||
struct ipseckey_cred_t {
|
||||
|
||||
/**
|
||||
* Implements credential_set_t interface
|
||||
*/
|
||||
credential_set_t set;
|
||||
|
||||
/**
|
||||
* Destroy the ipseckey_cred.
|
||||
*/
|
||||
void (*destroy)(ipseckey_cred_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create an ipseckey_cred instance which uses the given resolver
|
||||
* to query the DNS for IPSECKEY resource records.
|
||||
*
|
||||
* @param res resolver to use
|
||||
* @return credential set
|
||||
*/
|
||||
ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
|
||||
|
||||
#endif /** IPSECKEY_CRED_H_ @}*/
|
|
@ -0,0 +1,91 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "ipseckey_plugin.h"
|
||||
|
||||
#include <daemon.h>
|
||||
#include "ipseckey_cred.h"
|
||||
|
||||
typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
|
||||
|
||||
|
||||
/**
|
||||
* private data of the ipseckey plugin
|
||||
*/
|
||||
struct private_ipseckey_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
ipseckey_plugin_t public;
|
||||
|
||||
/**
|
||||
* DNS resolver instance
|
||||
*/
|
||||
resolver_t *res;
|
||||
|
||||
/**
|
||||
* credential set
|
||||
*/
|
||||
ipseckey_cred_t *cred;
|
||||
};
|
||||
|
||||
METHOD(plugin_t, get_name, char*,
|
||||
private_ipseckey_plugin_t *this)
|
||||
{
|
||||
return "ipseckey";
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
private_ipseckey_plugin_t *this)
|
||||
{
|
||||
lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
|
||||
this->res->destroy(this->res);
|
||||
DESTROY_IF(this->cred);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *ipseckey_plugin_create()
|
||||
{
|
||||
private_ipseckey_plugin_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.plugin = {
|
||||
.get_name = _get_name,
|
||||
.reload = (void*)return_false,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
.res = lib->resolver->create(lib->resolver),
|
||||
);
|
||||
|
||||
if (!this->res)
|
||||
{
|
||||
DBG1(DBG_CFG, "ipseckey_plugin: Failed to create"
|
||||
"a DNS resolver instance");
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
this->cred = ipseckey_cred_create(this->res);
|
||||
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
/*
|
||||
* Copyright (C) 2012 Reto Guadagnini
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup ipseckey ipseckey
|
||||
* @ingroup cplugins
|
||||
*
|
||||
* @defgroup ipseckey_plugin ipseckey_plugin
|
||||
* @{ @ingroup ipseckey
|
||||
*/
|
||||
|
||||
#ifndef IPSECKEY_PLUGIN_H_
|
||||
#define IPSECKEY_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct ipseckey_plugin_t ipseckey_plugin_t;
|
||||
|
||||
/**
|
||||
* IPSECKEY plugin
|
||||
*
|
||||
* The IPSECKEY plugin registers a credential set for IPSECKEYs.
|
||||
*
|
||||
* With this credential set it is possible to authenticate tunnel endpoints
|
||||
* using IPSECKEY resource records which are retrieved from the DNS in a secure
|
||||
* way (DNSSEC).
|
||||
*/
|
||||
struct ipseckey_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
#endif /** IPSECKEY_PLUGIN_H_ @}*/
|
Loading…
Reference in New Issue