Added generic XAuth backend, using secrets provided by credential sets.

8 files changed, 402 insertions, 1 deletions

diff --git a/configure.in b/configure.in
index 5ab5417a8..0be86058a 100755
--- a/configure.in
+++ b/configure.in
@@ -129,6 +129,7 @@ ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
 ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
 ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([xauth-generic],  [enable generic XAuth backend.])
 ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module.])
 ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
 ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
@@ -842,6 +843,7 @@ ADD_PLUGIN([eap-tls],              [c libcharon])
 ADD_PLUGIN([eap-ttls],             [c libcharon])
 ADD_PLUGIN([eap-peap],             [c libcharon])
 ADD_PLUGIN([eap-tnc],              [c libcharon])
+ADD_PLUGIN([xauth-generic],        [c libcharon])
 ADD_PLUGIN([tnc-ifmap],            [c libcharon])
 ADD_PLUGIN([tnc-imc],              [c libcharon])
 ADD_PLUGIN([tnc-imv],              [c libcharon])
@@ -961,6 +963,7 @@ AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
 AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
 AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
+AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
 AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
@@ -1139,6 +1142,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/eap_peap/Makefile
 	src/libcharon/plugins/eap_tnc/Makefile
 	src/libcharon/plugins/eap_radius/Makefile
+	src/libcharon/plugins/xauth_generic/Makefile
 	src/libcharon/plugins/tnc_ifmap/Makefile
 	src/libcharon/plugins/tnc_imc/Makefile
 	src/libcharon/plugins/tnc_imv/Makefile
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 4c6718340..4e77b4f4f 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -503,4 +503,10 @@ if MONOLITHIC
 endif
 endif
 
+if USE_XAUTH_GENERIC
+  SUBDIRS += plugins/xauth_generic
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_generic/libstrongswan-xauth-generic.la
+endif
+endif
 
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.am b/src/libcharon/plugins/xauth_generic/Makefile.am
new file mode 100644
index 000000000..0f25e74a2
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-generic.la
+endif
+
+libstrongswan_xauth_generic_la_SOURCES = \
+	xauth_generic_plugin.h xauth_generic_plugin.c \
+	xauth_generic.h xauth_generic.c
+
+libstrongswan_xauth_generic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c
new file mode 100644
index 000000000..cac740a34
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_generic.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_generic_t private_xauth_generic_t;
+
+/**
+ * Private data of an xauth_generic_t object.
+ */
+struct private_xauth_generic_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_generic_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate_peer, status_t,
+	private_xauth_generic_t *this, cp_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, process_peer, status_t,
+	private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	shared_key_t *shared;
+	cp_payload_t *cp;
+	chunk_t user, pass;
+
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->peer,
+									  this->server);
+	if (!shared)
+	{
+		DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->peer,
+			 this->server);
+		return FAILED;
+	}
+
+	user = this->peer->get_encoding(this->peer);
+	pass = shared->get_key(shared);
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass));
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, initiate_server, status_t,
+	private_xauth_generic_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, process_server, status_t,
+	private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	identification_t *id = NULL, *peer;
+	chunk_t user = chunk_empty, pass = chunk_empty;
+	status_t status = SUCCESS;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				user = attr->get_chunk(attr);
+				break;
+			case XAUTH_USER_PASSWORD:
+				pass = attr->get_chunk(attr);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user.ptr || !pass.ptr)
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+	if (user.len)
+	{
+		id = identification_create_from_data(user);
+		if (!id)
+		{
+			DBG1(DBG_IKE, "failed to parse provided XAuth username");
+			return FAILED;
+		}
+	}
+
+	peer = id ?: this->peer;
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->server,
+									  peer);
+	if (!shared)
+	{
+		DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->server,
+			 peer);
+		status = FAILED;
+	}
+	else if (!chunk_equals(shared->get_key(shared), pass))
+	{
+		DBG1(DBG_IKE, "failed to authenticate '%Y' with XAuth", peer);
+		status = FAILED;
+	}
+	else
+	{
+		DBG2(DBG_IKE, "authentication of '%Y' with XAuth successful", peer);
+	}
+	DESTROY_IF(id);
+	return status;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_generic_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_generic_t *xauth_generic_create_peer(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_generic_t *this;
+
+	INIT(this,
+		.public =  {
+			.xauth_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_generic_t *xauth_generic_create_server(identification_t *server,
+											 identification_t *peer)
+{
+	private_xauth_generic_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.h b/src/libcharon/plugins/xauth_generic/xauth_generic.h
new file mode 100644
index 000000000..dfb759b82
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_generic_i xauth_generic
+ * @{ @ingroup xauth_generic
+ */
+
+#ifndef XAUTH_GENERIC_H_
+#define XAUTH_GENERIC_H_
+
+typedef struct xauth_generic_t xauth_generic_t;
+
+#include <sa/authenticators/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface using cleartext secrets
+ * from any credential set.
+ */
+struct xauth_generic_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the generic XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+xauth_generic_t *xauth_generic_create_server(identification_t *server,
+											 identification_t *peer);
+
+/**
+ * Creates the generic XAuth method, acting as peer.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+xauth_generic_t *xauth_generic_create_peer(identification_t *server,
+										   identification_t *peer);
+
+#endif /** XAUTH_GENERIC_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c
new file mode 100644
index 000000000..a87084e20
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_generic_plugin.h"
+#include "xauth_generic.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_generic_plugin_t *this)
+{
+	return "xauth-generic";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_generic_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "generic"),
+		PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_peer),
+			PLUGIN_PROVIDE(XAUTH_PEER, "generic"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_generic_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_generic_plugin_create()
+{
+	xauth_generic_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h
new file mode 100644
index 000000000..426f806a7
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_generic xauth_generic
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_generic_plugin xauth_generic_plugin
+ * @{ @ingroup xauth_generic
+ */
+
+#ifndef XAUTH_GENERIC_PLUGIN_H_
+#define XAUTH_GENERIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_generic_plugin_t xauth_generic_plugin_t;
+
+/**
+ * XAuth generic plugin using secrets defined in ipsec.secrets.
+ */
+struct xauth_generic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_GENERIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.h b/src/libcharon/sa/authenticators/xauth/xauth_method.h
index cc3c77540..c544724b8 100644
--- a/src/libcharon/sa/authenticators/xauth/xauth_method.h
+++ b/src/libcharon/sa/authenticators/xauth/xauth_method.h
@@ -100,7 +100,7 @@ struct xauth_method_t {
  * @return				implementation of the eap_method_t interface
  */
 typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
-										   identification_t *peer);
+											   identification_t *peer);
 
 /**
  * Helper function to (un-)register XAuth methods from plugin features.