msipipsecapi.cxx

MiniSip Client with DomainKeys Authentication, Sip, Audio communications, Echo Cancel

}


//---------------------------------------------------------------------------------------------------//
// Authenticate the answered message
bool MsipIpsecAPI::initiatorAuthenticate( string message ){

	try{
		if(!securityConfig.use_ipsec)
			return false;
		MikeyMessage * resp_mes = new MikeyMessage( message );
		ka->setResponderData( resp_mes );
		switch( securityConfig.ka_type ){
			case KEY_MGMT_METHOD_MIKEY_DH:	
				if( resp_mes->authenticate( ((KeyAgreementDH *)*ka) ) ){
					throw MikeyExceptionAuthentication(
						  "Authentication of the DH response message failed" );
					}
				if( securityConfig.check_cert ){
					if( ((KeyAgreementDH *)*ka)->controlPeerCertificate() == 0)
						throw MikeyExceptionAuthentication(
									"Certificate control failed" );
				}
				securityConfig.use_ipsec = true;
				return true;
			case KEY_MGMT_METHOD_MIKEY_PSK:
				if( resp_mes->authenticate( ((KeyAgreementPSK *)*ka) ) ){
					throw MikeyExceptionAuthentication(
						"Authentication of the PSK verification message failed" );
				}
				securityConfig.use_ipsec = true;
				return true;
			case KEY_MGMT_METHOD_MIKEY_PK:
				throw MikeyExceptionUnimplemented(
					"PK type of KA unimplemented" );
			default:
				throw MikeyException(
					"Invalid type of KA" );
		}
	}
	catch(MikeyExceptionAuthentication & exc){
		merr << "MikeyException caught: " << exc->message() << end;
		//FIXME! send SIP Authorization failed with Mikey Error message
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.use_ipsec=false;
		return false;
	}
	catch(MikeyExceptionMessageContent & exc){
		MikeyMessage * error_mes;
		merr << "MikeyExceptionMessageContent caught: " << exc->message() << end;
		if( ( error_mes = exc->errorMessage() ) != NULL ){
			//FIXME: send the error message!
		}
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.use_ipsec=false;
		return false;
	}		
	catch(MikeyException & exc){
		merr << "MikeyException caught: " << exc->message() << end;
		securityConfig.ka_type = KEY_MGMT_METHOD_NULL;
		securityConfig.use_ipsec=false;
		return false;
	}
}



//---------------------------------------------------------------------------------------------------//
//---------------------------------------------------------------------------------------------------//
//IpSec requests
//---------------------------------------------------------------------------------------------------//
//Constructor
MsipIpsecRequest::MsipIpsecRequest(struct sockaddr *src, struct sockaddr * dst, int so, u_int32_t seq, int otype){
	exist = false;
	valid = true;
	this->so = so;
	this->seq = seq;
	//Here might be a good idea to check for ipv6
	struct sockaddr_in *source;
	struct sockaddr_in *destination;
	source = new struct sockaddr_in;
	destination = new struct sockaddr_in;
	source->sin_family = ((struct sockaddr_in *)src)->sin_family;
	source->sin_port   = ((struct sockaddr_in *)src)->sin_port;
	source->sin_addr   = ((struct sockaddr_in *)src)->sin_addr;
	destination->sin_family = ((struct sockaddr_in *)dst)->sin_family;
	destination->sin_port   = ((struct sockaddr_in *)dst)->sin_port;
	destination->sin_addr   = ((struct sockaddr_in *)dst)->sin_addr;
	this->src = (struct sockaddr *) source;
	this->dst = (struct sockaddr *) destination;
	this->otype = otype;
	
}
//Destructor
MsipIpsecRequest::~MsipIpsecRequest(){
	delete dst;
	delete src;
}

//---------------------------------------------------------------------------------------------------//
//---------------------------------------------------------------------------------------------------//
// IpSec SA handling
//---------------------------------------------------------------------------------------------------//
//Constructor
MsipIpsecSA::MsipIpsecSA(int so, u_int satype, u_int mode, u_int32_t reqid, u_int32_t seq, 
				struct sockaddr * src, struct sockaddr * dst,
				u_int32_t spi,
				u_int e_type,
				u_int a_type,
				u_int e_keylen,
				u_int a_keylen,
				char * e_key,
				char * a_key,
				u_int wsize,
				u_int flags,
				u_int32_t l_alloc,
				u_int64_t l_bytes,
				u_int64_t l_addtime,
				u_int64_t l_usetime ):MsipIpsecRequest(src, dst, so, seq, 1){
	this->satype = satype;
	this->mode = mode;
	this->reqid = reqid;
	this->spi = spi;
	this->e_type = e_type;
	this->a_type = a_type;
	this->e_keylen = e_keylen;
	this->a_keylen = a_keylen;
	this->wsize = wsize;
	this->flags = flags;
	this->l_alloc = l_alloc;
	this->l_bytes = l_bytes;
	this->l_addtime = l_addtime;
	this->l_usetime = l_usetime;
	int i;
	this->e_key = (char *) malloc (e_keylen);
	for(i=0; i< e_keylen; i++)
			this->e_key[i] = e_key[i];
	this->a_key = (char *) malloc (a_keylen);
	for(i=0; i< a_keylen; i++)
			this->a_key[i] = a_key[i];
}
//---------------------------------------------------------------------------------------------------//
//Destructor
MsipIpsecSA::~MsipIpsecSA(){
	free(e_key);
	free(a_key);
}

//-MsipIpsecSA-PUBLIC--------------------------------------------------------------------------------//
//---------------------------------------------------------------------------------------------------//
//Set SA into kernel -1 = error, 0 = already exist
int MsipIpsecSA::set(){
	int result;
	struct sadb_msg * msg;
	// There might be a good idea to check the result & return values below!!!
	if(!spi && !exist && valid){
		struct sadb_sa * m_sa;
		u_int32_t min = 5000;
		u_int32_t max = 12000;
		//u_int32_t min = htonl(5000);
		//u_int32_t max = htonl(12000);
/* Depending on IPSEC kernel-----------------------------------------------------------**********************/
		result = pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq);
/* end --------------------------------------------------------------------------------**********************/
		if (result == -1){
			return result;
		}
		caddr_t next[18];
		if ((msg = pfkey_recv(so)) == NULL)
			cerr << "ERROR: pfkey_recv failure!";
		if (pfkey_align(msg, next) < 0)
			cerr << "ERROR: pfkey_align failure!";
		result = pfkey_check(next);
		m_sa = (struct sadb_sa *)next[SADB_EXT_SA];
		spi = m_sa->sadb_sa_spi;
		exist = true;
		free(msg);
		return (int)spi;
	}
	if(spi && !exist && valid) {
		caddr_t keymat;
		keymat = (caddr_t)malloc(e_keylen + a_keylen);
		int i;
		for (i = 0; i < e_keylen; i++)
			keymat[i] = e_key[i];
		for (int j = 0; j < a_keylen ; j++){
			keymat[i] = a_key[j];
			i++;
		}
		
/* Depending on IPSEC kernel-----------------------------------------------------------**********************/
		result = pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, 
					keymat, e_type, e_keylen, a_type, a_keylen, 
					flags, l_alloc, l_bytes, l_addtime, l_usetime, seq);
		msg = pfkey_recv(so);
/* end---------------------------------------------------------------------------------**********************/
		if (result == -1){
			merr << "Problem with IPSEC pfkey_send_add: " << end;
			return result;
		}
		exist = true;
		free (keymat);
		free(msg);
		return spi;
	}	
	return 0;
}

//---------------------------------------------------------------------------------------------------//
//Update SA in kernel
int MsipIpsecSA::update(){return 0;}

//---------------------------------------------------------------------------------------------------//
//Remove SA from kernel  -1 = error, 0 = don't exist
int MsipIpsecSA::remove(bool valid){
	int result;
	struct sadb_msg *msg;
	if(exist){
/* Depending on IPSEC kernel-----------------------------------------------------------**********************/
		result = pfkey_send_delete (so, satype, mode, src, dst, spi);
		msg = pfkey_recv(so);
/* end --------------------------------------------------------------------------------**********************/
		exist = false;
		this->valid = valid;
		free(msg);
		return result;
	}
	else
		return 0;
}

//---------------------------------------------------------------------------------------------------//
//---------------------------------------------------------------------------------------------------//
//IpSec policy handling
//---------------------------------------------------------------------------------------------------//
//Constructor
MsipIpsecPolicy::MsipIpsecPolicy(int so, struct sockaddr * src, struct sockaddr * dst, u_int proto,
					char * policy, int policylen, u_int32_t seq,
					u_int prefs, u_int prefd ):MsipIpsecRequest(src, dst, so, seq, 0){
	this->prefs = prefs;
	this->prefd = prefd;
	this->proto = proto;
	this->spid = 0;
	this->policylen = policylen;
	this->policy = (char *)calloc( policylen, sizeof(char) );
	for(int i=0; i< policylen; i++){
		this->policy[i] = policy[i];
	}
}
//---------------------------------------------------------------------------------------------------//
//Destructor
MsipIpsecPolicy::~MsipIpsecPolicy(){
	free(policy);
}

//-MsipIpsecPolicy-PUBLIC----------------------------------------------------------------------------//
//---------------------------------------------------------------------------------------------------//
//Set policy into kernel -1 = error, 0 = already exist
int MsipIpsecPolicy::set(){
	if(exist || !valid)
		return 0;
	int result;
	struct sadb_msg *msg;
	caddr_t pol = ipsec_set_policy(policy, policylen);
	int len = ipsec_get_policylen(pol);
	// There might be a good idea to check the result & return values below!!!
/* Depending on IPSEC kernel-----------------------------------------------------------**********************/
	result = pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, pol, len, seq); 
	caddr_t mhp[SADB_EXT_MAX + 1];
	if ((msg = pfkey_recv(so)) == NULL)
		cerr << "ERROR: pfkey_recv failure!";
	if (pfkey_align(msg, mhp) < 0)
		cerr << "ERROR: pfkey_align failure!";

	this->spid = ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
	
/* end --------------------------------------------------------------------------------**********************/
	exist = true;
	free(pol);
	free(msg);
	return result;
}

//---------------------------------------------------------------------------------------------------//
//Update policy in kernel
int MsipIpsecPolicy::update(){return 0;}

//---------------------------------------------------------------------------------------------------//
//Remove policy from kernel -1 = error, 0 = don't exist
int MsipIpsecPolicy::remove(bool valid){
	int result;
	struct sadb_msg *msg;
	if(exist){
			
/* Depending on IPSEC kernel-----------------------------------------------------------**********************/
		result = pfkey_send_spddelete2(so, spid);
		msg = pfkey_recv(so);
/* end --------------------------------------------------------------------------------**********************/
		exist = false;
		this->valid = valid;
		free(msg);
		return result;
	}
	return 0;
}