IKEv1 XAuth: Added plugin support for XAuth, which allows us to have plugins to talk to servers with different quirks for XAuth authentication.

11 files changed, 678 insertions, 0 deletions

diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index aab293dd2..7192e3db7 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -64,6 +64,9 @@ sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
 sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
 sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/authenticators/xauth_authenticator.c sa/authenticators/xauth_authenticator.h \
+sa/authenticators/xauth/xauth_method.c sa/authenticators/xauth/xauth_method.h \
+sa/authenticators/xauth/xauth_manager.c sa/authenticators/xauth/xauth_manager.h \
 sa/child_sa.c sa/child_sa.h \
 sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 9b6af22bb..343063be5 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -122,6 +122,7 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
+	DESTROY_IF(this->public.xauth);
 #ifdef ME
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
@@ -291,6 +292,7 @@ private_daemon_t *daemon_create()
 	charon = &this->public;
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
+	this->public.xauth = xauth_manager_create();
 	this->public.backends = backend_manager_create();
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2e01c8d9b..a887eab79 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -149,6 +149,7 @@ typedef struct daemon_t daemon_t;
 #include <sa/shunt_manager.h>
 #include <config/backend_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
+#include <sa/authenticators/xauth/xauth_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -235,6 +236,11 @@ struct daemon_t {
 	 */
 	eap_manager_t *eap;
 
+	/**
+	 * XAuth manager to maintain registered XAuth methods
+	 */
+	xauth_manager_t *xauth;
+
 #ifdef ME
 	/**
 	 * Connect manager
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.c b/src/libcharon/sa/authenticators/xauth/xauth_manager.c
new file mode 100644
index 000000000..3cddf64bd
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth/xauth_manager.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_xauth_manager_t private_xauth_manager_t;
+typedef struct xauth_entry_t xauth_entry_t;
+
+/**
+ * XAuth constructor entry
+ */
+struct xauth_entry_t {
+
+	/**
+	 * XAuth method type, vendor specific if vendor is set
+	 */
+	xauth_type_t type;
+
+	/**
+	 * vendor ID, 0 for default XAuth methods
+	 */
+	u_int32_t vendor;
+
+	/**
+	 * Role of the method returned by the constructor, XAUTH_SERVER or XAUTH_PEER
+	 */
+	xauth_role_t role;
+
+	/**
+	 * constructor function to create instance
+	 */
+	xauth_constructor_t constructor;
+};
+
+/**
+ * private data of xauth_manager
+ */
+struct private_xauth_manager_t {
+
+	/**
+	 * public functions
+	 */
+	xauth_manager_t public;
+
+	/**
+	 * list of eap_entry_t's
+	 */
+	linked_list_t *methods;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(xauth_manager_t, add_method, void,
+	private_xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+	xauth_role_t role, xauth_constructor_t constructor)
+{
+	xauth_entry_t *entry = malloc_thing(xauth_entry_t);
+
+	entry->type = type;
+	entry->vendor = vendor;
+	entry->role = role;
+	entry->constructor = constructor;
+
+	this->lock->write_lock(this->lock);
+	this->methods->insert_last(this->methods, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, remove_method, void,
+	private_xauth_manager_t *this, xauth_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	xauth_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->methods->remove_at(this->methods, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, create_instance, xauth_method_t*,
+	private_xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+	xauth_role_t role, identification_t *server, identification_t *peer)
+{
+	enumerator_t *enumerator;
+	xauth_entry_t *entry;
+	xauth_method_t *method = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type && vendor == entry->vendor &&
+			role == entry->role)
+		{
+			method = entry->constructor(server, peer);
+			if (method)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return method;
+}
+
+METHOD(xauth_manager_t, destroy, void,
+	private_xauth_manager_t *this)
+{
+	this->methods->destroy_function(this->methods, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+xauth_manager_t *xauth_manager_create()
+{
+	private_xauth_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.methods = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.h b/src/libcharon/sa/authenticators/xauth/xauth_manager.h
new file mode 100644
index 000000000..401c13e99
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth/xauth_manager.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_manager xauth_manager
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_MANAGER_H_
+#define XAUTH_MANAGER_H_
+
+#include <sa/authenticators/xauth/xauth_method.h>
+
+typedef struct xauth_manager_t xauth_manager_t;
+
+/**
+ * The XAuth manager manages all XAuth implementations and creates instances.
+ *
+ * A plugin registers it's implemented XAuth method at the manager by
+ * providing type and a contructor function. The manager then instanciates
+ * xauth_method_t instances through the provided constructor to handle
+ * XAuth authentication.
+ */
+struct xauth_manager_t {
+
+	/**
+	 * Register a XAuth method implementation.
+	 *
+	 * @param method		vendor specific method, if vendor != 0
+	 * @param vendor		vendor ID, 0 for non-vendor (default) XAuth methods
+	 * @param role			XAuth role of the registered method
+	 * @param constructor	constructor function, returns an xauth_method_t
+	 */
+	void (*add_method)(xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+					   xauth_role_t role, xauth_constructor_t constructor);
+
+	/**
+	 * Unregister a XAuth method implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(xauth_manager_t *this, xauth_constructor_t constructor);
+
+	/**
+	 * Create a new XAuth method instance.
+	 *
+	 * @param vendor		vendor ID, 0 for non-vendor (default) XAuth methods
+	 * @param role			role of XAuth method, either XAUTH_SERVER or XAUTH_PEER
+	 * @param server		identity of the server
+	 * @param peer			identity of the peer (client)
+	 * @return				XAUTH method instance, NULL if no constructor found
+	 */
+	xauth_method_t* (*create_instance)(xauth_manager_t *this, xauth_type_t type,
+									 u_int32_t vendor, xauth_role_t role,
+									 identification_t *server,
+									 identification_t *peer);
+
+	/**
+	 * Destroy a eap_manager instance.
+	 */
+	void (*destroy)(xauth_manager_t *this);
+};
+
+/**
+ * Create a eap_manager instance.
+ */
+xauth_manager_t *xauth_manager_create();
+
+#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.c b/src/libcharon/sa/authenticators/xauth/xauth_method.c
new file mode 100644
index 000000000..14da7b9ba
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth/xauth_method.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_method.h"
+
+#include <daemon.h>
+
+ENUM(xauth_role_names, XAUTH_SERVER, XAUTH_PEER,
+	"XAUTH_SERVER",
+	"XAUTH_PEER",
+);
+
+/**
+ * See header
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						 bool reg, void *data)
+{
+	if (reg)
+	{
+		charon->xauth->add_method(charon->xauth, feature->arg.xauth, 0,
+					feature->type == FEATURE_XAUTH_SERVER ? XAUTH_SERVER : XAUTH_PEER,
+					(xauth_constructor_t)data);
+	}
+	else
+	{
+		charon->xauth->remove_method(charon->xauth, (xauth_constructor_t)data);
+	}
+	return TRUE;
+}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.h b/src/libcharon/sa/authenticators/xauth/xauth_method.h
new file mode 100644
index 000000000..fb289a247
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth/xauth_method.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_method xauth_method
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_METHOD_H_
+#define XAUTH_METHOD_H_
+
+typedef struct xauth_method_t xauth_method_t;
+typedef enum xauth_role_t xauth_role_t;
+
+#include <library.h>
+#include <plugins/plugin.h>
+#include <utils/identification.h>
+#include <encoding/payloads/cp_payload.h>
+#include <xauth/xauth.h>
+
+/**
+ * Role of an xauth_method, SERVER or PEER (client)
+ */
+enum xauth_role_t {
+	XAUTH_SERVER,
+	XAUTH_PEER,
+};
+/**
+ * enum names for xauth_role_t.
+ */
+extern enum_name_t *xauth_role_names;
+
+/**
+ * Interface of an XAuth method for server and client side.
+ *
+ * An XAuth method initiates an XAuth exchange and processes requests and
+ * responses. An XAuth method may need multiple exchanges before succeeding, and
+ * the xauth_authentication may use multiple XAuth methods to authenticate a peer.
+ * To accomplish these requirements, all XAuth methods have their own
+ * implementation while the xauth_authenticatior uses one or more of these
+ * XAuth methods. Sending of XAUTH(STATUS) message is not the job
+ * of the method, the xauth_authenticator does this.
+ */
+struct xauth_method_t {
+
+	/**
+	 * Initiate the XAuth exchange.
+	 *
+	 * initiate() is only useable for server implementations, as clients only
+	 * reply to server requests.
+	 * A cp_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param out		cp_payload to send to the client
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if unable to create XAuth request payload
+	 */
+	status_t (*initiate) (xauth_method_t *this, cp_payload_t **out);
+
+	/**
+	 * Process a received XAuth message.
+	 *
+	 * A cp_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param in		cp_payload response received
+	 * @param out		created cp_payload to send
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if XAuth method failed
+	 * 					- SUCCESS, if XAuth method succeeded
+	 */
+	status_t (*process) (xauth_method_t *this, cp_payload_t *in,
+						 cp_payload_t **out);
+
+	/**
+	 * Get the XAuth type implemented in this method.
+	 *
+	 * @param vendor	pointer receiving vendor identifier for type, 0 for none
+	 * @return			type of the XAuth method
+	 */
+	xauth_type_t (*get_type) (xauth_method_t *this, u_int32_t *vendor);
+
+	/**
+	 * Destroys a eap_method_t object.
+	 */
+	void (*destroy) (xauth_method_t *this);
+};
+
+/**
+ * Constructor definition for a pluggable XAuth method.
+ *
+ * Each XAuth module must define a constructor function which will return
+ * an initialized object with the methods defined in xauth_method_t.
+ * Constructors for server and peers are identical, to support both roles
+ * of a XAuth method, a plugin needs register two constructors in the
+ * xauth_manager_t.
+ * The passed identites are of type ID_EAP and valid only during the
+ * constructor invocation.
+ *
+ * @param server		ID of the server to use for credential lookup
+ * @param peer			ID of the peer to use for credential lookup
+ * @return				implementation of the eap_method_t interface
+ */
+typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
+										   identification_t *peer);
+
+/**
+ * Helper function to (un-)register XAuth methods from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register a XAuth method constructor.
+ *
+ * @param plugin		plugin registering the XAuth method constructor
+ * @param feature		associated plugin feature
+ * @param reg			TRUE to register, FALSE to unregister.
+ * @param data			data passed to callback, an xauth_constructor_t
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						 bool reg, void *data);
+
+#endif /** XAUTH_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth_authenticator.c b/src/libcharon/sa/authenticators/xauth_authenticator.c
new file mode 100644
index 000000000..3f0e591c6
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth_authenticator.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_authenticator.h"
+
+#include <daemon.h>
+#include <encoding/payloads/cp_payload.h>
+#include <sa/keymat_v2.h>
+
+typedef struct private_xauth_authenticator_t private_xauth_authenticator_t;
+
+/**
+ * Private data of an xauth_authenticator_t object.
+ */
+struct private_xauth_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	xauth_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * The payload to send
+	 */
+	cp_payload_t *cp_payload;
+
+	/**
+	 * Whether the authenticator is for an XAUTH server or client
+	 */
+	xauth_role_t role;
+};
+
+/**
+ * load an XAuth method
+ */
+static xauth_method_t *load_method(private_xauth_authenticator_t *this,
+							xauth_type_t type, u_int32_t vendor)
+{
+	identification_t *server, *peer, *aaa;
+	auth_cfg_t *auth;
+
+	if (this->role == XAUTH_SERVER)
+	{
+		server = this->ike_sa->get_my_id(this->ike_sa);
+		peer = this->ike_sa->get_other_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	}
+	else
+	{
+		server = this->ike_sa->get_other_id(this->ike_sa);
+		peer = this->ike_sa->get_my_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+	}
+	aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
+	if (aaa)
+	{
+		server = aaa;
+	}
+	return charon->xauth->create_instance(charon->xauth, type, vendor,
+										this->role, server, peer);
+}
+
+METHOD(authenticator_t, build, status_t,
+	private_xauth_authenticator_t *this, message_t *message)
+{
+	if(this->cp_payload != NULL)
+	{
+		message->add_payload(message, (payload_t *)this->cp_payload);
+		return NEED_MORE;
+	}
+	return SUCCESS;
+}
+
+METHOD(authenticator_t, process, status_t,
+	private_xauth_authenticator_t *this, message_t *message)
+{
+	xauth_method_t *xauth_method = NULL;
+	cp_payload_t *cp_in, *cp_out;
+	status_t status = FAILED;
+
+	cp_in = (cp_payload_t *)message->get_payload(message, CONFIGURATION_V1);
+
+	xauth_method = load_method(this, XAUTH_RADIUS, 0);
+
+	if(xauth_method != NULL)
+	{
+		status = xauth_method->process(xauth_method, cp_in, &cp_out);
+		if(status == NEED_MORE)
+		{
+			this->cp_payload = cp_out;
+		}
+		else
+		{
+			xauth_method->destroy(xauth_method);
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "Couldn't locate valid xauth method.");
+	}
+
+	return status;
+}
+
+METHOD(authenticator_t, destroy, void,
+	private_xauth_authenticator_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_authenticator_t *xauth_authenticator_create_builder(ike_sa_t *ike_sa)
+{
+	private_xauth_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.cp_payload = NULL,
+		.role = XAUTH_PEER,
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_authenticator_t *xauth_authenticator_create_verifier(ike_sa_t *ike_sa)
+{
+	private_xauth_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.cp_payload = NULL,
+		.role = XAUTH_SERVER,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/xauth_authenticator.h b/src/libcharon/sa/authenticators/xauth_authenticator.h
new file mode 100644
index 000000000..d316b1672
--- /dev/null
+++ b/src/libcharon/sa/authenticators/xauth_authenticator.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_authenticator xauth_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef XAUTH_AUTHENTICATOR_H_
+#define XAUTH_AUTHENTICATOR_H_
+
+typedef struct xauth_authenticator_t xauth_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using XAuth.
+ */
+struct xauth_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build XAuth response payloads.
+ *
+ * @param ike_sa			associated ike_sa
+ * @return					PSK authenticator
+ */
+xauth_authenticator_t *xauth_authenticator_create_builder(ike_sa_t *ike_sa);
+
+/**
+ * Create an authenticator to verify using XAuth payloads.
+ *
+ * @param ike_sa			associated ike_sa
+ * @return					PSK authenticator
+ */
+xauth_authenticator_t *xauth_authenticator_create_verifier(ike_sa_t *ike_sa);
+
+#endif /** XAUTH_AUTHENTICATOR_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 2a97205bb..b2bf41946 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -96,6 +96,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 					   streq(a->arg.fetcher, b->arg.fetcher);
 			case FEATURE_CUSTOM:
 				return streq(a->arg.custom, b->arg.custom);
+			case FEATURE_XAUTH_SERVER:
+			case FEATURE_XAUTH_PEER:
+				return a->arg.xauth == b->arg.xauth;
 		}
 	}
 	return FALSE;
@@ -229,6 +232,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_XAUTH_SERVER:
+		case FEATURE_XAUTH_PEER:
+			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+					xauth_method_type_short_names, feature->arg.xauth) > 0)
+			{
+				return str;
+			}
+			break;
 	}
 	if (!str)
 	{
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index b1500feba..89c954471 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -25,6 +25,7 @@ typedef struct plugin_feature_t plugin_feature_t;
 
 #include <library.h>
 #include <eap/eap.h>
+#include <xauth/xauth.h>
 #include <plugins/plugin.h>
 
 /**
@@ -135,6 +136,10 @@ struct plugin_feature_t {
 		FEATURE_FETCHER,
 		/** custom feature, described with a string */
 		FEATURE_CUSTOM,
+		/** XAuth server implementation */
+		FEATURE_XAUTH_SERVER,
+		/** XAuth peer implementation */
+		FEATURE_XAUTH_PEER,
 	} type;
 	/** More specific data for each type */
 	union {
@@ -182,6 +187,8 @@ struct plugin_feature_t {
 		char *fetcher;
 		/** FEATURE_CUSTOM */
 		char *custom;
+		/** FEATURE_XAUTH_SERVER/CLIENT */
+		xauth_type_t xauth;
 
 		/** FEATURE_REGISTER */
 		struct {
@@ -266,6 +273,8 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_DATABASE(kind, type)				__PLUGIN_FEATURE(kind, DATABASE, .database = type)
 #define _PLUGIN_FEATURE_FETCHER(kind, type)					__PLUGIN_FEATURE(kind, FETCHER, .fetcher = type)
 #define _PLUGIN_FEATURE_CUSTOM(kind, name)					__PLUGIN_FEATURE(kind, CUSTOM, .custom = name)
+#define _PLUGIN_FEATURE_XAUTH_SERVER(kind, type)			__PLUGIN_FEATURE(kind, XAUTH_SERVER, .xauth = type)
+#define _PLUGIN_FEATURE_XAUTH_PEER(kind, type)				__PLUGIN_FEATURE(kind, XAUTH_PEER, .xauth = type)
 
 #define __PLUGIN_FEATURE_REGISTER(type, _f)					(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
 #define __PLUGIN_FEATURE_REGISTER_BUILDER(type, _f, _final)	(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg = {.f = _f, .final = _final, }}