ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

- preshared secrets are now retrieved over configuration_manager

This commit is contained in:
Jan Hutter 2005-12-03 16:02:06 +00:00
parent 8d68033e5c
commit aebb38a093
10 changed files with 230 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
Source/charon/config/configuration_manager.c
View File

@ -30,6 +30,26 @@
#include <daemon.h>
#include <utils/allocator.h>
typedef struct preshared_secret_entry_t preshared_secret_entry_t;
/**
* An preshared secret entry combines an identifier with a
* preshared secret.
*/
struct preshared_secret_entry_t {
/**
* Identification.
*/
identification_t *identification;
/**
* Preshared secret as chunk
*/
chunk_t preshared_secret;
};
typedef struct configuration_entry_t configuration_entry_t;
/* A configuration entry combines a configuration name with a init and sa
@ -117,7 +137,11 @@ struct private_configuration_manager_t {
* Holding all init_configs.
*/
linked_list_t *sa_configs;
/**
* Holding all preshared secrets.
*/
linked_list_t *preshared_secrets;
/**
* Assigned logger object.
@ -136,7 +160,7 @@ struct private_configuration_manager_t {
u_int32_t first_retransmit_timeout;
/**
* Load default configuration
* Adds a new IKE_SA configuration
*
*
* @param this calling object
@ -146,6 +170,17 @@ struct private_configuration_manager_t {
*/
void (*add_new_configuration) (private_configuration_manager_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config);
/**
* Adds a new IKE_SA configuration
*
*
* @param this calling object
* @param type type of identification
* @param id_string identification as string
* @param preshared_secret preshared secret as string
*/
void (*add_new_preshared_secret) (private_configuration_manager_t *this,id_type_t type, char *id_string, char *preshared_secret);
/**
* Load default configuration
*
@ -242,6 +277,9 @@ static void load_default_config (private_configuration_manager_t *this)
this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
this->add_new_configuration(this,"localhost",init_config3,sa_config3);
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","das ist ein sicheres wort");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","das ist ein sicheres wort");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","das ist ein sicheres wort");
}
/**
@ -474,6 +512,48 @@ static void add_new_configuration (private_configuration_manager_t *this, char *
this->configurations->insert_first(this->configurations,configuration_entry_create(name,init_config,sa_config));
}
/**
* Implementation of private_configuration_manager_t.add_new_preshared_secret.
*/
static void add_new_preshared_secret (private_configuration_manager_t *this,id_type_t type, char *id_string, char *preshared_secret)
{
preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t);
entry->identification = identification_create_from_string(type,id_string);
entry->preshared_secret.len = strlen(preshared_secret);
entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len);
memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len);
this->preshared_secrets->insert_last(this->preshared_secrets,entry);
}
/**
* Implementation of configuration_manager_t.get_shared_secret.
*/
static status_t get_shared_secret(private_configuration_manager_t *this, identification_t *identification, chunk_t *preshared_secret)
{
iterator_t *iterator;
iterator = this->preshared_secrets->create_iterator(this->preshared_secrets,TRUE);
while (iterator->has_next(iterator))
{
preshared_secret_entry_t *entry;
iterator->current(iterator,(void **) &entry);
if (entry->identification->equals(entry->identification,identification))
{
*preshared_secret = entry->preshared_secret;
iterator->destroy(iterator);
return SUCCESS;
}
}
iterator->destroy(iterator);
return NOT_FOUND;
}
/**
* Implementation of configuration_manager_t.destroy.
*/
static status_t get_retransmit_timeout (private_configuration_manager_t *this, u_int32_t retransmit_count, u_int32_t *timeout)
{
if ((retransmit_count > this->max_retransmit_count) && (this->max_retransmit_count != 0))
@ -523,6 +603,16 @@ static void destroy(private_configuration_manager_t *this)
}
this->init_configs->destroy(this->init_configs);
while (this->preshared_secrets->get_count(this->preshared_secrets) > 0)
{
preshared_secret_entry_t *entry;
this->preshared_secrets->remove_first(this->preshared_secrets,(void **) &entry);
entry->identification->destroy(entry->identification);
allocator_free_chunk(&(entry->preshared_secret));
allocator_free(entry);
}
this->preshared_secrets->destroy(this->preshared_secrets);
this->logger->log(this->logger,CONTROL | MOST, "Destroy assigned logger");
charon->logger_manager->destroy_logger(charon->logger_manager,this->logger);
allocator_free(this);
@ -542,16 +632,19 @@ configuration_manager_t *configuration_manager_create(u_int32_t first_retransmit
this->public.get_sa_config_for_name =(status_t (*) (configuration_manager_t *, char *, sa_config_t **)) get_sa_config_for_name;
this->public.get_sa_config_for_init_config_and_id =(status_t (*) (configuration_manager_t *, init_config_t *, identification_t *, identification_t *,sa_config_t **)) get_sa_config_for_init_config_and_id;
this->public.get_retransmit_timeout = (status_t (*) (configuration_manager_t *, u_int32_t retransmit_count, u_int32_t *timeout))get_retransmit_timeout;
this->public.get_shared_secret = (status_t (*) (configuration_manager_t *, identification_t *, chunk_t *))get_shared_secret;
/* private functions */
this->load_default_config = load_default_config;
this->add_new_configuration = add_new_configuration;
this->add_new_preshared_secret = add_new_preshared_secret;
/* private variables */
this->logger = charon->logger_manager->create_logger(charon->logger_manager,CONFIGURATION_MANAGER,NULL);
this->configurations = linked_list_create();
this->sa_configs = linked_list_create();
this->init_configs = linked_list_create();
this->preshared_secrets = linked_list_create();
this->max_retransmit_count = max_retransmit_count;
this->first_retransmit_timeout = first_retransmit_timeout;

17
Source/charon/config/configuration_manager.h
View File

@ -114,10 +114,25 @@ struct configuration_manager_t {
* @param[out] timeout the new retransmit timeout in milliseconds
*
* @return
* - FAILED if the message should not be resent again
* - FAILED, if the message should not be resent again
* - SUCCESS
*/
status_t (*get_retransmit_timeout) (configuration_manager_t *this, u_int32_t retransmit_count, u_int32_t *timeout);
/**
* Get the preshared secret of a specific ID.
*
* The preshared secret gets not cloned.
*
* @param this calling object
* @param identification identification_t object identifiying the ID.
* @param[out] preshared_secret the preshared secret will be written there
*
* @return
* - NOT_FOUND if no preshared secrets is configured for specific id
* - SUCCESS
*/
status_t (*get_shared_secret) (configuration_manager_t *this, identification_t *identification, chunk_t *preshared_secret);
/**
* Destroys configuration manager

142
Source/charon/sa/authenticator.c
View File

@ -23,6 +23,17 @@
#include "authenticator.h"
#include <utils/allocator.h>
#include <daemon.h>
/**
* Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
*/
#define IKE_V2_KEY_PAD "Key Pad for IKEv2"
/**
* Length of key pad in bytes.
*/
#define IKE_V2_KEY_PAD_LEN 17
typedef struct private_authenticator_t private_authenticator_t;
@ -37,9 +48,14 @@ struct private_authenticator_t {
authenticator_t public;
/**
* IKE_SA.
* Assigned IKE_SA. Needed to get prf function.
*/
protected_ike_sa_t *ike_sa;
/**
* PRF function. Taken from the IKE_SA.
*/
prf_t *prf;
/**
* A logger for.
@ -51,45 +67,49 @@ struct private_authenticator_t {
/**
* TODO
*/
chunk_t (*allocate_octets) (private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id);
chunk_t (*allocate_octets) (private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id, bool initiator);
chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this,chunk_t octets,chunk_t preshared_secret);
chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this,chunk_t last_message, chunk_t nonce,id_payload_t *id_payload, bool initiator,chunk_t preshared_secret);
};
/**
* Implementation of authenticator_t.private_authenticator_t.
*/
static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id)
static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id, bool initiator)
{
chunk_t id_chunk = my_id->get_data(my_id);
u_int8_t id_with_header[4 + id_chunk.len];
chunk_t id_with_header_chunk;
chunk_t octets;
chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) };
u_int8_t *current_pos;
prf_t *prf;
chunk_t octets;
id_with_header[0] = my_id->get_id_type(my_id);
/* TODO
* Reserved bytes are not in any case zero
*/
id_with_header[1] = 0x00;
id_with_header[2] = 0x00;
id_with_header[3] = 0x00;
memcpy(id_with_header + 4,id_chunk.ptr,id_chunk.len);
id_with_header_chunk.ptr = id_with_header;
id_with_header_chunk.len = sizeof(id_with_header);
prf = this->ike_sa->get_prf(this->ike_sa);
prf->set_key(prf,this->ike_sa->get_key_pr(this->ike_sa));
if (initiator)
{
this->prf->set_key(this->prf,this->ike_sa->get_key_pi(this->ike_sa));
}
else
{
this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa));
}
/* 4 bytes are id type and reserved fields of id payload */
octets.len = last_message.len + other_nonce.len + prf->get_block_size(prf);
octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf);
octets.ptr = allocator_alloc(octets.len);
current_pos = octets.ptr;
memcpy(current_pos,last_message.ptr,last_message.len);
current_pos += last_message.len;
memcpy(current_pos,other_nonce.ptr,other_nonce.len);
current_pos += other_nonce.len;
prf->get_bytes(prf,id_with_header_chunk,current_pos);
this->prf->get_bytes(this->prf,id_with_header_chunk,current_pos);
this->logger->log_chunk(this->logger,RAW | MOST, "Octets (Mesage + Nonce + prf(Sk_px,Idx)",&octets);
return octets;
@ -98,46 +118,53 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
/**
* Implementation of authenticator_t.allocate_auth_data_with_preshared_secret.
*/
static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t *this,chunk_t octets,chunk_t preshared_secret)
static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t *this,chunk_t last_message, chunk_t nonce,id_payload_t *id_payload, bool initiator,chunk_t preshared_secret)
{
prf_t *prf = this->ike_sa->get_prf(this->ike_sa);
chunk_t auth_data;
chunk_t key_pad;
chunk_t key;
key_pad.ptr = "Key Pad for IKEv2";
key_pad.len = strlen(key_pad.ptr);
chunk_t key_pad = {ptr: IKE_V2_KEY_PAD, len:IKE_V2_KEY_PAD_LEN};
u_int8_t key_buffer[this->prf->get_block_size(this->prf)];
chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)};
chunk_t auth_data;
chunk_t octets = this->allocate_octets(this,last_message,nonce,id_payload,initiator);
/*
* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>)
*/
this->prf->set_key(this->prf,preshared_secret);
this->prf->get_bytes(this->prf,key_pad,key_buffer);
this->prf->set_key(this->prf,key);
this->prf->allocate_bytes(this->prf,octets,&auth_data);
allocator_free_chunk(&octets);
this->logger->log_chunk(this->logger,RAW | MOST, "Authenticated data",&auth_data);
prf->set_key(prf,preshared_secret);
prf->allocate_bytes(prf,key_pad,&key);
prf->set_key(prf,key);
allocator_free_chunk(&key);
prf->allocate_bytes(prf,octets,&auth_data);
this->logger->log_chunk(this->logger,RAW | MORE, "Authenticated data",&auth_data);
return auth_data;
}
/**
* Implementation of authenticator_t.private_authenticator_t.
*/
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool *verified)
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified)
{
switch(auth_payload->get_auth_method(auth_payload))
{
case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
{
chunk_t preshared_secret;
identification_t *other_id =other_id_payload->get_identification(other_id_payload);
chunk_t auth_data = auth_payload->get_data(auth_payload);
chunk_t preshared_secret;
status_t status;
status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,other_id,&preshared_secret);
other_id->destroy(other_id);
if (status != SUCCESS)
{
return status;
}
preshared_secret.ptr = "secret";
preshared_secret.len = strlen(preshared_secret.ptr);
chunk_t octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload);
chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this,octets,preshared_secret);
allocator_free_chunk(&octets);
chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this,last_received_packet,my_nonce,other_id_payload,initiator,preshared_secret);
if (auth_data.len != my_auth_data.len)
{
@ -166,38 +193,42 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
/**
* Implementation of authenticator_t.compute_auth_data.
*/
static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload)
static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload,bool initiator)
{
sa_config_t *sa_config = this->ike_sa->get_sa_config(this->ike_sa);
/* switch(auth_method)
switch(sa_config->get_auth_method(sa_config))
{
case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
{*/
{
identification_t *my_id =my_id_payload->get_identification(my_id_payload);
chunk_t preshared_secret;
status_t status;
preshared_secret.ptr = "secret";
preshared_secret.len = strlen(preshared_secret.ptr);
chunk_t octets = this->allocate_octets(this,last_sent_packet,other_nonce,my_id_payload);
chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this,octets,preshared_secret);
allocator_free_chunk(&octets);
status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,my_id,&preshared_secret);
my_id->destroy(my_id);
if (status != SUCCESS)
{
return status;
}
chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this,last_sent_packet,other_nonce,my_id_payload,initiator,preshared_secret);
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method((*auth_payload),SHARED_KEY_MESSAGE_INTEGRITY_CODE);
(*auth_payload)->set_data((*auth_payload),auth_data);
allocator_free_chunk(&auth_data);
allocator_free_chunk(&octets);
return SUCCESS;
/* }
}
default:
{
return NOT_SUPPORTED;
}
}*/
}
}
/**
@ -217,8 +248,8 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
/* Public functions */
this->public.destroy = (void(*)(authenticator_t*))destroy;
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool *)) verify_auth_data;
this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *)) compute_auth_data;
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data;
this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data;
/* private functions */
this->allocate_octets = allocate_octets;
@ -226,6 +257,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
/* private data */
this->ike_sa = ike_sa;
this->prf = this->ike_sa->get_prf(this->ike_sa);
this->logger = this->ike_sa->get_logger(this->ike_sa);
return &(this->public);

4
Source/charon/sa/authenticator.h
View File

@ -52,7 +52,7 @@ struct authenticator_t {
* @return
* - NOT_SUPPORTED if auth_method is not supported
*/
status_t (*verify_auth_data) (authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool *verified);
status_t (*verify_auth_data) (authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload, bool initiator,bool *verified);
/**
* @brief Verifying of given authentication data.
@ -62,7 +62,7 @@ struct authenticator_t {
* @return
* - NOT_SUPPORTED if auth_method is not supported
*/
status_t (*compute_auth_data) (authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload);
status_t (*compute_auth_data) (authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload, bool initiator);
/**
* @brief Destroys a authenticator_t object.
*

10
Source/charon/sa/ike_sa.c
View File

@ -567,6 +567,15 @@ static chunk_t get_key_pr (private_ike_sa_t *this)
return this->secrets.pr_key;
}
/**
* Implementation of protected_ike_sa_t.get_key_pi.
*/
static chunk_t get_key_pi (private_ike_sa_t *this)
{
return this->secrets.pi_key;
}
/**
* Implementation of protected_ike_sa_t.set_prf.
*/
@ -940,6 +949,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;

10
Source/charon/sa/ike_sa.h
View File

@ -358,6 +358,16 @@ struct protected_ike_sa_t {
* @return SK_pr key
*/
chunk_t (*get_key_pr) (protected_ike_sa_t *this);
/**
* Gets the Shared key SK_pi.
*
* Returned value is not cloned!
*
* @param this calling object
* @return SK_pr key
*/
chunk_t (*get_key_pi) (protected_ike_sa_t *this);
/**
* Resets message id counters and does destroy stored received and sent messages.

2
Source/charon/sa/states/ike_auth_requested.c
View File

@ -353,7 +353,7 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
/* TODO VERIFY auth here */
authenticator = authenticator_create(this->ike_sa);
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,&verified);
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{

2
Source/charon/sa/states/ike_sa_init_requested.c
View File

@ -506,7 +506,7 @@ static status_t build_auth_payload (private_ike_sa_init_requested_t *this, paylo
status_t status;
authenticator = authenticator_create(this->ike_sa);
status = authenticator->compute_auth_data(authenticator,&auth_payload,this->ike_sa_init_request_data,this->received_nonce,my_id_payload);
status = authenticator->compute_auth_data(authenticator,&auth_payload,this->ike_sa_init_request_data,this->received_nonce,my_id_payload,TRUE);
authenticator->destroy(authenticator);
if (status != SUCCESS)

4
Source/charon/sa/states/ike_sa_init_responded.c
View File

@ -356,7 +356,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
authenticator = authenticator_create(this->ike_sa);
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,&verified);
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified);
if (status != SUCCESS)
{
@ -371,7 +371,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
return FAILED;
}
status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload);
status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{

10
Source/charon/utils/logger_manager.c
View File

@ -148,12 +148,12 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
case IKE_SA:
logger_level |= FULL;
case IKE_SA_MANAGER:
case MESSAGE:
case ENCRYPTION_PAYLOAD:
case WORKER:
case CONFIGURATION_MANAGER:
logger_level |= ALL;
case PARSER:
case MESSAGE:
case ENCRYPTION_PAYLOAD:
case GENERATOR:
case THREAD_POOL:
case SCHEDULER:
@ -161,8 +161,10 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
case RECEIVER:
case SOCKET:
case DAEMON:
logger_level |= CONTROL;
case PARSER:
log_thread_ids = FALSE;
logger_level |= ERROR|CONTROL;
logger_level |= ERROR;
break;
}