packetgen-plugin-ipsec 1.0.2 → 1.1.0

data/lib/packetgen/plugin/ike/auth.rb

@@ -1,163 +1,176 @@
 # coding: utf-8
+# frozen_string_literal: true
+
 # This file is part of IPsec packetgen plugin.
 # See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
 # Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
+module PacketGen::Plugin
+  class IKE
+    # This class handles Authentication payloads.
+    #
+    # A AUTH payload consists of the IKE generic payload Plugin (see {Payload})
+    # and some specific fields:
+    #                        1                   2                   3
+    #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Auth Method   |                RESERVED                       |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   |                                                               |
+    #   ~                      Authentication Data                      ~
+    #   |                                                               |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # These specific fields are:
+    # * {#type} (ID type),
+    # * {#reserved},
+    # * and {#content} (Identification Data).
+    #
+    # == Create a KE payload
+    #   # create a IKE packet with a Auth payload
+    #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Auth', auth_method: 'SHARED_KEY')
+    #   pkt.calc_length
+    # @author Sylvain Daubert
+    class Auth < Payload
+      # Payload type number
+      PAYLOAD_TYPE = 39
+
+      # Authentication methods
+      METHODS = {
+        'RSA_SIGNATURE' => 1,
+        'SHARED_KEY' => 2,
+        'DSA_SIGNATURE' => 3,
+        'ECDSA256' => 9,
+        'ECDSA384' => 10,
+        'ECDSA512' => 11,
+        'PASSWORD' => 12,
+        'NULL' => 13,
+        'DIGITAL_SIGNATURE' => 14
+      }.freeze
 
-module PacketGen
-  module Plugin
-    class IKE
-      # This class handles Authentication payloads.
-      #
-      # A AUTH payload consists of the IKE generic payload Plugin (see {Payload})
-      # and some specific fields:
-      #                        1                   2                   3
-      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Auth Method   |                RESERVED                       |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   |                                                               |
-      #   ~                      Authentication Data                      ~
-      #   |                                                               |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      # These specific fields are:
-      # * {#type} (ID type),
-      # * {#reserved},
-      # * and {#content} (Identification Data).
-      #
-      # == Create a KE payload
-      #   # create a IKE packet with a Auth payload
-      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Auth', auth_method: 'SHARED_KEY')
-      #   pkt.calc_length
-      # @author Sylvain Daubert
-      class Auth < Payload
-        # Payload type number
-        PAYLOAD_TYPE = 39
+      # @attribute [r] auth_method
+      #   8-bit Auth Method
+      #   @return [Integer]
+      define_attr_before :content, :auth_method, BinStruct::Int8Enum, enum: METHODS
+      # @attribute reserved
+      #   24-bit reserved field
+      #   @return [Integer]
+      define_attr_before :content, :reserved, BinStruct::Int24
 
-        METHODS = {
-          'RSA_SIGNATURE'     => 1,
-          'SHARED_KEY'        => 2,
-          'DSA_SIGNATURE'     => 3,
-          'ECDSA256'          => 9,
-          'ECDSA384'          => 10,
-          'ECDSA512'          => 11,
-          'PASSWORD'          => 12,
-          'NULL'              => 13,
-          'DIGITAL_SIGNATURE' => 14
-        }.freeze
+      # Check authentication (see RFC 7296 §2.15)
+      # @param [Packet] init_msg first IKE message sent by peer
+      # @param [String] nonce my nonce, sent in first message
+      # @param [String] sk_p secret key used to compute prf(SK_px, IDx')
+      # @param [Integer] prf PRF type to use (see {Transform}+::PRF_*+ constants)
+      # @param [String] shared_secret shared secret to use as PSK (shared secret
+      #    method only)
+      # @param [OpenSSL::X509::Certificate] cert certificate to check AUTH signature,
+      #   if not embedded in IKE message
+      # @return [Boolean]
+      # @note For now, only NULL, SHARED_KEY and RSA, DSA and ECDSA signatures are
+      #   supported.
+      # @note For certificates, only check AUTH authenticity with given (or guessed
+      #   from packet) certificate, but certificate chain is not verified.
+      def check?(init_msg: nil, nonce: '', sk_p: '', prf: 1, shared_secret: '', # rubocop:disable Metrics/ParameterLists
+                 cert: nil)
+        raise TypeError, 'init_msg should be a Packet' unless init_msg.is_a?(PacketGen::Packet)
 
-        # @attribute [r] auth_method
-        #   8-bit Auth Method
-        #   @return [Integer]
-        define_field_before :content, :auth_method, PacketGen::Types::Int8Enum, enum: METHODS
-        # @attribute reserved
-        #   24-bit reserved field
-        #   @return [Integer]
-        define_field_before :content, :reserved, PacketGen::Types::Int24
+        signed_octets = build_signed_octets(init_msg, nonce, sk_p, prf)
+        case auth_method
+        when METHODS['SHARED_KEY']
+          check_shared_key?(shared_secret, signed_octets)
+        when METHODS['RSA_SIGNATURE'], METHODS['ECDSA256'], METHODS['ECDSA384'],
+             METHODS['ECDSA512']
+          check_signature?(cert, signed_octets)
+        when METHOD_NULL
+          true
+        else
+          raise NotImplementedError, "unsupported auth method #{human_auth_method}"
+        end
+      end
 
-        # Check authentication (see RFC 7296 §2.15)
-        # @param [Packet] init_msg first IKE message sent by peer
-        # @param [String] nonce my nonce, sent in first message
-        # @param [String] sk_p secret key used to compute prf(SK_px, IDx')
-        # @param [Integer] prf PRF type to use (see {Transform}+::PRF_*+ constants)
-        # @param [String] shared_secret shared secret to use as PSK (shared secret
-        #    method only)
-        # @param [OpenSSL::X509::Certificate] cert certificate to check AUTH signature,
-        #   if not embedded in IKE message
-        # @return [Boolean]
-        # @note For now, only NULL, SHARED_KEY and RSA, DSA and ECDSA signatures are
-        #   supported.
-        # @note For certificates, only check AUTH authenticity with given (or guessed
-        #   from packet) certificate, but certificate chain is not verified.
-        def check?(init_msg: nil, nonce: '', sk_p: '', prf: 1, shared_secret: '',
-                   cert: nil)
-          raise TypeError, 'init_msg should be a Packet' unless init_msg.is_a?(Packet)
-          signed_octets = init_msg.ike.to_s
-          signed_octets << nonce
-          id = packet.ike.flag_i? ? packet.ike_idi : packet.ike_idr
-          signed_octets << prf(prf, sk_p, id.to_s[4, id.length - 4])
+      # Get authentication method name
+      # @return [String]
+      def human_auth_method
+        self[:auth_method].to_human
+      end
 
-          case auth_method
-          when METHODS['SHARED_KEY']
-            auth  = prf(prf(shared_secret, 'Key Pad for IKEv2'), signed_octets)
-            auth == content
-          when METHODS['RSA_SIGNATURE'], METHODS['ECDSA256'], METHODS['ECDSA384'],
-               METHODS['ECDSA512']
-            if packet.ike_cert
-              # FIXME: Expect a ENCODING_X509_CERT_SIG
-              #        Others types not supported for now...
-              cert = OpenSSL::X509::Certificate.new(packet.ike_cert.content)
-            elsif cert.nil?
-              raise CryptoError, 'a certificate should be provided'
-            end
+      private
 
-            text = cert.to_text
-            m = text.match(/Public Key Algorithm: ([a-zA-Z0-9-]+)/)
-            digest = case m[1]
-                     when 'id-ecPublicKey'
-                       m2 = text.match(/Public-Key: \((\d+) bit\)/)
-                       case m2[1]
-                       when '256'
-                         OpenSSL::Digest::SHA256.new
-                       when '384'
-                         OpenSSL::Digest::SHA384.new
-                       when '521'
-                         OpenSSL::Digest::SHA512.new
-                       end
-                     when /sha([235]\d+)/
-                       OpenSSL::Digest.const_get("SHA#{$1}").new
-                     when /sha1/, 'rsaEncryption'
-                       OpenSSL::Digest::SHA1.new
-                     end
-            signature = format_signature(cert.public_key, content.to_s)
-            cert.public_key.verify(digest, signature, signed_octets)
-          when METHOD_NULL
-            true
-          else
-            raise NotImplementedError, "unsupported auth method #{human_auth_method}"
-          end
+      def build_signed_octets(init_msg, nonce, sk_p, prf)
+        signed_octets = init_msg.ike.to_s
+        signed_octets << nonce
+        id = packet.ike.flag_i? ? packet.ike_idi : packet.ike_idr
+        signed_octets << prf(prf, sk_p, id.to_s[4, id.length - 4])
+      end
+
+      def prf(type, key, msg)
+        case type
+        when Transform::PRF_HMAC_MD5, Transform::PRF_HMAC_SHA1,
+             Transform::PRF_HMAC_SHA2_256, Transform::PRF_HMAC_SHA2_384,
+             Transform::PRF_HMAC_SHA2_512
+          digestname = Transform.constants.grep(/PRF_/)
+                                .detect { |c| Transform.const_get(c) == type }
+                                .to_s.sub(/^PRF_HMAC_/, '').sub('2_', '')
+          digest = OpenSSL::Digest.const_get(digestname).new
+        else
+          raise NotImplementedError, 'for now, only HMAC-based PRF are supported'
         end
+        hmac = OpenSSL::HMAC.new(key, digest)
+        hmac << msg
+        hmac.digest
+      end
+
+      def check_shared_key?(shared_secret, signed_octets)
+        auth = prf(prf(shared_secret, 'Key Pad for IKEv2'), signed_octets)
+        auth == content
+      end
 
-        # Get authentication method name
-        # @return [String]
-        def human_auth_method
-          self[:auth_method].to_human
+      def check_signature?(cert, signed_octets)
+        if packet.ike_cert
+          # FIXME: Expect a ENCODING_X509_CERT_SIG
+          #        Others types not supported for now...
+          cert = OpenSSL::X509::Certificate.new(packet.ike_cert.content)
+        elsif cert.nil?
+          raise CryptoError, 'a certificate should be provided'
         end
 
-        private
+        text = cert.to_text
+        digest = build_digest_object(text)
+        signature = format_signature(cert.public_key, content.to_s)
+        cert.public_key.verify(digest, signature, signed_octets)
+      end
 
-        def prf(type, key, msg)
-          case type
-          when Transform::PRF_HMAC_MD5, Transform::PRF_HMAC_SHA1,
-               Transform::PRF_HMAC_SHA2_256, Transform::PRF_HMAC_SHA2_384,
-               Transform::PRF_HMAC_SHA2_512
-            digestname = Transform.constants.grep(/PRF_/)
-                                  .detect { |c| Transform.const_get(c) == type }
-                                  .to_s.sub(/^PRF_HMAC_/, '').sub(/2_/, '')
-            digest = OpenSSL::Digest.const_get(digestname).new
-          else
-            raise NotImplementedError, 'for now, only HMAC-based PRF are supported'
+      def build_digest_object(text)
+        m = text.match(/Public Key Algorithm: ([a-zA-Z0-9-]+)/)
+        case m[1]
+        when 'id-ecPublicKey'
+          m2 = text.match(/Public-Key: \((\d+) bit\)/)
+          case m2[1]
+          when '256', '384'
+            OpenSSL::Digest.new("SHA#{m2[1]}")
+          when '521'
+            OpenSSL::Digest.new(SHA512)
           end
-          hmac = OpenSSL::HMAC.new(key, digest)
-          hmac << msg
-          hmac.digest
+        when /sha([235]\d+)/
+          OpenSSL::Digest.new("SHA#{$1}")
+        when /sha1/, 'rsaEncryption'
+          OpenSSL::Digest.new('SHA1')
         end
+      end
 
-        def format_signature(pkey, sig)
-          if pkey.is_a?(OpenSSL::PKey::EC)
-            # PKey::EC need a signature as a DER string representing a sequence of
-            # 2 integers: r and s
-            r = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[0, sig.size / 2], 2).to_i)
-            s = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[sig.size / 2,
-                                                               sig.size / 2], 2).to_i)
-            OpenSSL::ASN1::Sequence.new([r, s]).to_der
-          else
-            sig
-          end
+      def format_signature(pkey, sig)
+        if pkey.is_a?(OpenSSL::PKey::EC)
+          # PKey::EC need a signature as a DER string representing a sequence of
+          # 2 integers: r and s
+          r = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[0, sig.size / 2], 2).to_i)
+          s = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[sig.size / 2,
+                                                             sig.size / 2], 2).to_i)
+          OpenSSL::ASN1::Sequence.new([r, s]).to_der
+        else
+          sig
         end
       end
     end

data/lib/packetgen/plugin/ike/cert.rb

@@ -1,76 +1,75 @@
 # coding: utf-8
+# frozen_string_literal: true
+
 # This file is part of IPsec packetgen plugin.
 # See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
 # Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
-module PacketGen
-  module Plugin
-    class IKE
-      # This class handles Certificate payloads.
-      #
-      # A Cert payload consists of the IKE generic payload Plugin (see {Payload})
-      # and some specific fields:
-      #                        1                   2                   3
-      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Cert Encoding |                                               |
-      #   +-+-+-+-+-+-+-+-+                                               +
-      #   |                                                               |
-      #   ~                       Certificate Data                        ~
-      #   |                                                               |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      # These specific fields are:
-      # * {#encoding},
-      # * and {#content} (Certificate Data).
-      #
-      # == Create a Cert payload
-      #   # Create a IKE packet with a Cert payload
-      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Cert', encoding: 'X509_CERT_SIG')
-      #   certs = cert.to_der << ca_cert.to_der
-      #   pkt.ike_cert.content.read certs
-      #   pkt.calc_length
-      # @author Sylvain Daubert
-      class Cert < Payload
-        # Payload type number
-        PAYLOAD_TYPE = 37
+module PacketGen::Plugin
+  class IKE
+    # This class handles Certificate payloads.
+    #
+    # A Cert payload consists of the IKE generic payload Plugin (see {Payload})
+    # and some specific fields:
+    #                        1                   2                   3
+    #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Cert Encoding |                                               |
+    #   +-+-+-+-+-+-+-+-+                                               +
+    #   |                                                               |
+    #   ~                       Certificate Data                        ~
+    #   |                                                               |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # These specific fields are:
+    # * {#encoding},
+    # * and {#content} (Certificate Data).
+    #
+    # == Create a Cert payload
+    #   # Create a IKE packet with a Cert payload
+    #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Cert', encoding: 'X509_CERT_SIG')
+    #   certs = cert.to_der << ca_cert.to_der
+    #   pkt.ike_cert.content.read certs
+    #   pkt.calc_length
+    # @author Sylvain Daubert
+    class Cert < Payload
+      # Payload type number
+      PAYLOAD_TYPE = 37
 
-        ENCODINGS = {
-          'PKCS7_WRAPPED_X509'   => 1,
-          'PGP'                  => 2,
-          'DNS_SIGNED_KEY'       => 3,
-          'X509_CERT_SIG'        => 4,
-          'KERBEROS_TOKEN'       => 6,
-          'X509_CRL'             => 7,
-          'X509_ARL'             => 8,
-          'SPKI_CERT'            => 9,
-          'X509_CERT_ATTR'       => 10,
-          'HASH_URL_X509_CERT'   => 12,
-          'HASH_URL_X509_BUNDLE' => 13
-        }.freeze
+      # Certificate encoding
+      ENCODINGS = {
+        'PKCS7_WRAPPED_X509' => 1,
+        'PGP' => 2,
+        'DNS_SIGNED_KEY' => 3,
+        'X509_CERT_SIG' => 4,
+        'KERBEROS_TOKEN' => 6,
+        'X509_CRL' => 7,
+        'X509_ARL' => 8,
+        'SPKI_CERT' => 9,
+        'X509_CERT_ATTR' => 10,
+        'HASH_URL_X509_CERT' => 12,
+        'HASH_URL_X509_BUNDLE' => 13
+      }.freeze
 
-        # @attribute encoding
-        #   8-bit certificate encoding
-        #   @return [Integer]
-        define_field_before :content, :encoding, PacketGen::Types::Int8Enum, enum: ENCODINGS
+      # @attribute encoding
+      #   8-bit certificate encoding
+      #   @return [Integer]
+      define_attr_before :content, :encoding, BinStruct::Int8Enum, enum: ENCODINGS
 
-        def initialize(options={})
-          super
-          self.encoding = options[:encoding] if options[:encoding]
-        end
+      def initialize(options={})
+        super
+        self.encoding = options[:encoding] if options[:encoding]
+      end
 
-        # Get encoding name
-        # @return [String]
-        def human_encoding
-          self[:encoding].to_human
-        end
+      # Get encoding name
+      # @return [String]
+      def human_encoding
+        self[:encoding].to_human
       end
     end
-
-    Header.add_class IKE::Cert
   end
+
+  PacketGen::Header.add_class IKE::Cert
 end

data/lib/packetgen/plugin/ike/certreq.rb

@@ -1,66 +1,65 @@
 # coding: utf-8
+# frozen_string_literal: true
+
 # This file is part of IPsec packetgen plugin.
 # See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
 # Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
-module PacketGen
-  module Plugin
-    class IKE
-      # This class handles Certificate Request payloads.
-      #
-      # A CertReq payload consists of the IKE generic payload Plugin (see {Payload})
-      # and some specific fields:
-      #                        1                   2                   3
-      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #   | Cert Encoding |                                               |
-      #   +-+-+-+-+-+-+-+-+                                               +
-      #   |                                                               |
-      #   ~                      Certification Authority                  ~
-      #   |                                                               |
-      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      # These specific fields are:
-      # * {#encoding},
-      # * and {#content} (Certification Authority).
-      #
-      # == Create a CertReq payload
-      #   # Create a IKE packet with a CertReq payload
-      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::CertReq', encoding: 'X509_CERT_SIG')
-      #   pkt.ike_certreq.content.read OpenSSL::Digest::SHA1.digest(ca_cert.to_der)
-      #   pkt.calc_length
-      # @author Sylvain Daubert
-      class CertReq < Cert
-        # Payload type number
-        PAYLOAD_TYPE = 38
+module PacketGen::Plugin
+  class IKE
+    # This class handles Certificate Request payloads.
+    #
+    # A CertReq payload consists of the IKE generic payload Plugin (see {Payload})
+    # and some specific fields:
+    #                        1                   2                   3
+    #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   | Cert Encoding |                                               |
+    #   +-+-+-+-+-+-+-+-+                                               +
+    #   |                                                               |
+    #   ~                      Certification Authority                  ~
+    #   |                                                               |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # These specific fields are:
+    # * {#encoding},
+    # * and {#content} (Certification Authority).
+    #
+    # == Create a CertReq payload
+    #   # Create a IKE packet with a CertReq payload
+    #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::CertReq', encoding: 'X509_CERT_SIG')
+    #   pkt.ike_certreq.content.read OpenSSL::Digest::SHA1.digest(ca_cert.to_der)
+    #   pkt.calc_length
+    # @author Sylvain Daubert
+    class CertReq < Cert
+      # Payload type number
+      PAYLOAD_TYPE = 38
 
-        # Get list of 20-byte string (SHA-1 hashes)
-        # @return [String]
-        def human_content
-          strs = []
-          idx = 0
-          while idx < content.size
-            strs << content[idx, 20]
-            idx += 20
-          end
-          strs.map(&:inspect).join(',')
+      # Get list of 20-byte string (SHA-1 hashes)
+      # @return [String]
+      def human_content
+        strs = []
+        idx = 0
+        while idx < content.size
+          strs << content[idx, 20]
+          idx += 20
         end
+        strs.map(&:inspect).join(',')
+      end
+
+      # @return [String]
+      def inspect
+        super do |attr|
+          next unless attr == :content
 
-        # @return [String]
-        def inspect
-          super do |attr|
-            next unless attr == :content
-            str = Inspect.shift_level
-            str << Inspect::FMT_ATTR % ['hashes', :content, human_content]
-          end
+          str = PacketGen::Inspect.shift_level
+          str << (PacketGen::Inspect::FMT_ATTR % ['hashes', :content, human_content])
         end
       end
     end
-
-    Header.add_class IKE::CertReq
   end
+
+  PacketGen::Header.add_class IKE::CertReq
 end