1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
/* IKEv2 Authentication helper, for libreswan
*
* Copyright (C) 2007 Michael Richardson <mcr@xelerance.com>
* Copyright (C) 2008 David McCullough <david_mccullough@securecomputing.com>
* Copyright (C) 2009 Avesh Agarwal <avagarwa@redhat.com>
* Copyright (C) 2003-2010 Paul Wouters <paul@xelerance.com>
* Copyright (C) 2012-2013 Paul Wouters <paul@libreswan.org>
* Copyright (C) 2013-2019 D. Hugh Redelmeier <hugh@mimosa.com>
* Copyright (C) 2018 Sahana Prasad <sahana.prasad07@gmail.com>
* Copyright (C) 2019 Andrew Cagney <cagney@gnu.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <https://www.gnu.org/licenses/gpl2.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
*/
#include "crypt_mac.h"
#include "defs.h"
#include "ikev2_auth.h"
#include "keys.h"
#include "server_pool.h"
#include "state.h"
#include "secrets.h"
#include "log.h"
#include "connections.h"
#include "ike_alg_hash.h"
struct task {
/* in */
const struct crypt_mac hash_to_sign;
const struct hash_desc *hash_algo;
v2_auth_signature_cb *cb;
struct secret_pubkey_stuff *pks;
const struct pubkey_signer *signer;
/* out */
struct hash_signature signature;
};
static task_computer_fn v2_auth_signature_computer; /* type check */
static task_completed_cb v2_auth_signature_completed; /* type check */
static task_cleanup_cb v2_auth_signature_cleanup; /* type check */
struct task_handler v2_auth_signature_handler = {
.name = "signature",
.computer_fn = v2_auth_signature_computer,
.completed_cb = v2_auth_signature_completed,
.cleanup_cb = v2_auth_signature_cleanup,
};
bool submit_v2_auth_signature(struct ike_sa *ike, struct msg_digest *md,
const struct crypt_mac *hash_to_sign,
const struct hash_desc *hash_algo,
const struct pubkey_signer *signer,
v2_auth_signature_cb *cb,
where_t where)
{
const struct connection *c = ike->sa.st_connection;
struct secret_pubkey_stuff *pks = get_local_private_key(c, signer->type,
ike->sa.logger);
if (pks == NULL) {
/* failure: no key to use */
return false;
}
struct task task = {
.cb = cb,
.hash_algo = hash_algo,
.hash_to_sign = *hash_to_sign,
.signer = signer,
.pks = secret_pubkey_stuff_addref(pks, HERE),
.signature = {0},
};
submit_task(/*callback*/&ike->sa, /*task*/&ike->sa, md,
/*detach_whack*/false,
clone_thing(task, "signature task"),
&v2_auth_signature_handler, where);
return true;
}
static struct hash_signature v2_auth_signature(struct logger *logger,
const struct crypt_mac *hash_to_sign,
const struct hash_desc *hash_algo,
const struct secret_pubkey_stuff *pks,
const struct pubkey_signer *signer)
{
passert(hash_to_sign->len <= sizeof(hash_to_sign->ptr/*array*/)); /*hint to coverity*/
logtime_t start = logtime_start(logger);
if (DBGP(DBG_BASE)) {
DBG_dump_hunk("hash to sign", *hash_to_sign);
}
logtime_t sign_time = logtime_start(logger);
struct hash_signature sig = signer->sign_hash(pks,
hash_to_sign->ptr,
hash_to_sign->len,
hash_algo,
logger);
logtime_stop(&sign_time, "%s() calling sign_hash()", __func__);
passert(sig.len <= sizeof(sig.ptr/*array*/));
logtime_stop(&start, "%s()", __func__);
return sig;
}
static void v2_auth_signature_computer(struct logger *logger, struct task *task,
int unused_my_thread UNUSED)
{
task->signature = v2_auth_signature(logger, &task->hash_to_sign, task->hash_algo,
task->pks, task->signer);
}
static stf_status v2_auth_signature_completed(struct state *st,
struct msg_digest *md,
struct task *task)
{
stf_status status = task->cb(pexpect_ike_sa(st), md, &task->signature);
return status;
}
static void v2_auth_signature_cleanup(struct task **task)
{
secret_pubkey_stuff_delref(&(*task)->pks, HERE);
pfreeany(*task);
}
|
