Class: PacketGen::Header::IKE::Auth

Inherits:

Payload

• Object
• Types::Fields
• Base
• Payload
• PacketGen::Header::IKE::Auth

Defined in:

lib/packetgen/header/ike/auth.rb

Overview

This class handles Authentication payloads.

A AUTH payload consists of the IKE generic payload header (see Payload) and some specific fields:

                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload  |C|  RESERVED   |         Payload Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth Method   |                RESERVED                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                      Authentication Data                      ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

These specific fields are:

• #type (ID type),

• #reserved,

• and Payload#content (Identification Data).

Create a KE payload

# create a IKE packet with a Auth payload
pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Auth', method: 'SHARED_KEY')
pkt.calc_length

Author:

• Sylvain Daubert

Since:

• 2.0.0

Constant Summary

PAYLOAD_TYPE =

Payload type number

Since:

• 2.0.0

39

METHOD_RSA_SIGNATURE =

Since:

• 2.0.0

1

METHOD_SHARED_KEY =

Since:

• 2.0.0

2

METHOD_DSA_SIGNATURE =

Since:

• 2.0.0

3

METHOD_ECDSA256 =

Since:

• 2.0.0

9

METHOD_ECDSA384 =

Since:

• 2.0.0

10

METHOD_ECDSA512 =

Since:

• 2.0.0

11

METHOD_PASSWORD =

Since:

• 2.0.0

12

METHOD_NULL =

Since:

• 2.0.0

13

METHOD_DIGITAL_SIGNATURE =

Since:

• 2.0.0

14

Instance Attribute Summary

• #:u32(: u32) ⇒ Integer

  32-bit word including ID Type and RESERVED fields.

• #method ⇒ Integer

  8-bit Auth Method.

• #reserved ⇒ Integer

  24-bit reserved field.

Attributes inherited from Payload

#content, #critical, #flags, #hreserved, #length, #next

Attributes inherited from Base

#packet

Instance Method Summary

• #check?(init_msg: nil, nonce: '', sk_p: '', prf: 1, shared_secret: '', cert: nil) ⇒ Boolean

  Check authentication (see RFC 7296 §2.15).

• #human_method ⇒ String

  Get authentication method name.

• #inspect ⇒ String

Methods inherited from Payload

#base_read, #calc_length, #initialize, #read

Methods inherited from Base

bind_header, #header_id, inherited, #ip_header, known_headers, #method_name, #parse?, protocol_name, #protocol_name

Methods inherited from Types::Fields

#[], #[]=, #body=, define_bit_fields_on, define_field, define_field_after, define_field_before, delete_field, #fields, #force_binary, inherited, #initialize, #is_optional?, #is_present?, #optional_fields, #read, #sz, #to_h, #to_s

Constructor Details

This class inherits a constructor from PacketGen::Header::IKE::Payload

Instance Attribute Details

#:u32(: u32) ⇒ Integer

32-bit word including ID Type and RESERVED fields

Returns:

• (Integer)

# File 'lib/packetgen/header/ike/auth.rb', line 49

define_field_before :content, :u32, Types::Int32

#method ⇒ Integer

8-bit Auth Method

Returns:

• (Integer)

# File 'lib/packetgen/header/ike/auth.rb', line 56

define_bit_fields_on :u32, :method, 8, :reserved, 24

#reserved ⇒ Integer

24-bit reserved field

Returns:

• (Integer)

# File 'lib/packetgen/header/ike/auth.rb', line 56

define_bit_fields_on :u32, :method, 8, :reserved, 24

Instance Method Details

#check?(init_msg: nil, nonce: '', sk_p: '', prf: 1, shared_secret: '', cert: nil) ⇒ Boolean

Note:

For now, only NULL, SHARED_KEY and RSA, DSA and ECDSA signatures are supported.

Note:

For certificates, only check AUTH authenticity with given (or guessed from packet) certificate, but certificate chain is not verified.

Check authentication (see RFC 7296 §2.15)

Parameters:

• init_msg (Packet) (defaults to: nil) —

  first IKE message sent by peer

• nonce (String) (defaults to: '') —

  my nonce, sent in first message

• sk_p (String) (defaults to: '') —

  secret key used to compute prf(SK_px, IDx’)

• prf (Integer) (defaults to: 1) —

  PRF type to use (see Transform::PRF_* constants)

• shared_secret (String) (defaults to: '') —

  shared secret to use as PSK (shared secret method only)

• cert (OpenSSL::X509::Certificate) (defaults to: nil) —

  certificate to check AUTH signature, if not embedded in IKE message

Returns:

• (Boolean)

Raises:

• (TypeError)

Since:

• 2.0.0

# File 'lib/packetgen/header/ike/auth.rb', line 72

def check?(init_msg: nil, nonce: '', sk_p: '', prf: 1, shared_secret: '',
           cert: nil)
  raise TypeError, 'init_msg should be a Packet' unless init_msg.is_a?(Packet)
  signed_octets = init_msg.ike.to_s
  signed_octets << nonce
  id = packet.ike.flag_i? ? packet.ike_idi : packet.ike_idr
  signed_octets << prf(prf, sk_p, id.to_s[4, id.length - 4])

  case method
  when METHOD_SHARED_KEY
    auth  = prf(prf(shared_secret, 'Key Pad for IKEv2'), signed_octets)
    auth == content
  when METHOD_RSA_SIGNATURE, METHOD_ECDSA256, METHOD_ECDSA384, METHOD_ECDSA512
    if packet.ike_cert
      # FIXME: Expect a ENCODING_X509_CERT_SIG
      #        Others types not supported for now...
      cert = OpenSSL::X509::Certificate.new(packet.ike_cert.content)
    elsif cert.nil?
      raise CryptoError, 'a certificate should be provided'
    end

    text = cert.to_text
    m = text.match(/Public Key Algorithm: ([a-zA-Z0-9-]+)/)
    digest = case m[1]
             when 'id-ecPublicKey'
               m2 = text.match(/Public-Key: \((\d+) bit\)/)
               case m2[1]
               when '256'
                 OpenSSL::Digest::SHA256.new
               when '384'
                 OpenSSL::Digest::SHA384.new
               when '521'
                 OpenSSL::Digest::SHA512.new
               end
             when /sha([235]\d+)/
               OpenSSL::Digest.const_get("SHA#{$1}").new
             when /sha1/, 'rsaEncryption'
               OpenSSL::Digest::SHA1.new
             end
    signature = format_signature(cert.public_key, content.to_s)
    cert.public_key.verify(digest, signature, signed_octets)
  when METHOD_NULL
    true
  else
    raise NotImplementedError, "unsupported method #{human_method}"
  end
end

#human_method ⇒ String

Get authentication method name

Returns:

• (String)

Since:

• 2.0.0

# File 'lib/packetgen/header/ike/auth.rb', line 137

def human_method
  name = self.class.constants.grep(/METHOD_/).
         select { |c| self.class.const_get(c) == method }.
         first || "method #{method}"
  name.to_s.sub(/METHOD_/, '')
end

#inspect ⇒ String

Returns:

• (String)

Since:

• 2.0.0

# File 'lib/packetgen/header/ike/auth.rb', line 145

def inspect
  str = Inspect.dashed_line(self.class, 2)
  fields.each do |attr|
    case attr
    when :body
      next
    when :u32
      str << Inspect.shift_level(2)
      str << Inspect::FMT_ATTR % ['Int8', :method, human_method]
      str << Inspect.inspect_attribute(:reserved, self.reserved, 2)
    else
      str << Inspect.inspect_attribute(attr, self[attr], 2)
    end
  end
  str
end