diff options
author | Martin Willi <martin@revosec.ch> | 2013-02-27 16:27:59 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-02-28 16:46:07 +0100 |
commit | 2ae0c9e6181421fc589798c64276a6310f13f1a2 (patch) | |
tree | f16c8ec3a61ee7d021c1a80d7e48d1c6da77dd0e | |
parent | 66d8fd690c7817659e93bdecd79160fbfb79f7d0 (diff) | |
download | strongswan-2ae0c9e6181421fc589798c64276a6310f13f1a2.tar.bz2 strongswan-2ae0c9e6181421fc589798c64276a6310f13f1a2.tar.xz |
Implement a SASL PLAIN mechanism using shared secrets
-rw-r--r-- | src/libpttls/Makefile.am | 1 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_mechanism.c | 4 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.c | 171 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.h | 48 |
4 files changed, 224 insertions, 0 deletions
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am index b019d2302..48123181b 100644 --- a/src/libpttls/Makefile.am +++ b/src/libpttls/Makefile.am @@ -8,4 +8,5 @@ libpttls_la_SOURCES = pt_tls.c pt_tls.h \ pt_tls_client.c pt_tls_client.h \ pt_tls_server.c pt_tls_server.h \ pt_tls_dispatcher.c pt_tls_dispatcher.h \ + sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \ sasl/sasl_mechanism.c sasl/sasl_mechanism.h diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c index 4e0f876be..05a02e56d 100644 --- a/src/libpttls/sasl/sasl_mechanism.c +++ b/src/libpttls/sasl/sasl_mechanism.c @@ -15,6 +15,8 @@ #include "sasl_mechanism.h" +#include "sasl_plain/sasl_plain.h" + /** * Available SASL mechanisms. */ @@ -23,6 +25,8 @@ static struct { bool server; sasl_mechanism_constructor_t create; } mechs[] = { + { "PLAIN", TRUE, (sasl_mechanism_constructor_t)sasl_plain_create }, + { "PLAIN", FALSE, (sasl_mechanism_constructor_t)sasl_plain_create }, }; /** diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c new file mode 100644 index 000000000..e8d6dc80b --- /dev/null +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c @@ -0,0 +1,171 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "sasl_plain.h" + +#include <utils/debug.h> + +typedef struct private_sasl_plain_t private_sasl_plain_t; + +/** + * Private data of an sasl_plain_t object. + */ +struct private_sasl_plain_t { + + /** + * Public sasl_plain_t interface. + */ + sasl_plain_t public; + + /** + * Client identity + */ + identification_t *client; +}; + +METHOD(sasl_mechanism_t, get_name, char*, + private_sasl_plain_t *this) +{ + return "PLAIN"; +} + +METHOD(sasl_mechanism_t, build_server, status_t, + private_sasl_plain_t *this, chunk_t *message) +{ + /* gets never called */ + return FAILED; +} + +METHOD(sasl_mechanism_t, process_server, status_t, + private_sasl_plain_t *this, chunk_t message) +{ + chunk_t authz, authi, password; + identification_t *id; + shared_key_t *shared; + u_char *pos; + + pos = memchr(message.ptr, 0, message.len); + if (!pos) + { + DBG1(DBG_CFG, "invalid authz encoding"); + return FAILED; + } + authz = chunk_create(message.ptr, pos - message.ptr); + message = chunk_skip(message, authz.len + 1); + pos = memchr(message.ptr, 0, message.len); + if (!pos) + { + DBG1(DBG_CFG, "invalid authi encoding"); + return FAILED; + } + authi = chunk_create(message.ptr, pos - message.ptr); + password = chunk_skip(message, authi.len + 1); + id = identification_create_from_data(authi); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); + if (!shared) + { + DBG1(DBG_CFG, "no shared secret found for '%Y'", id); + id->destroy(id); + return FAILED; + } + if (!chunk_equals(shared->get_key(shared), password)) + { + DBG1(DBG_CFG, "shared secret for '%Y' does not match", id); + id->destroy(id); + shared->destroy(shared); + return FAILED; + } + id->destroy(id); + shared->destroy(shared); + return SUCCESS; +} + +METHOD(sasl_mechanism_t, build_client, status_t, + private_sasl_plain_t *this, chunk_t *message) +{ + shared_key_t *shared; + chunk_t password; + char buf[256]; + ssize_t len; + + /* we currently use the EAP type of shared secret */ + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, + this->client, NULL); + if (!shared) + { + DBG1(DBG_CFG, "no shared secret found for %Y", this->client); + return FAILED; + } + + password = shared->get_key(shared); + len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s", + "", 0, this->client, 0, + (int)password.len, password.ptr); + if (len < 0 || len >= sizeof(buf)) + { + return FAILED; + } + *message = chunk_clone(chunk_create(buf, len)); + return NEED_MORE; +} + +METHOD(sasl_mechanism_t, process_client, status_t, + private_sasl_plain_t *this, chunk_t message) +{ + /* if the server sends a result, authentication successful */ + return SUCCESS; +} + +METHOD(sasl_mechanism_t, destroy, void, + private_sasl_plain_t *this) +{ + DESTROY_IF(this->client); + free(this); +} + +/** + * See header + */ +sasl_plain_t *sasl_plain_create(char *name, identification_t *client) +{ + private_sasl_plain_t *this; + + if (!streq(get_name(NULL), name)) + { + return NULL; + } + + INIT(this, + .public = { + .sasl = { + .get_name = _get_name, + .destroy = _destroy, + }, + }, + ); + + if (client) + { + this->public.sasl.build = _build_client; + this->public.sasl.process = _process_client; + this->client = client->clone(client); + } + else + { + this->public.sasl.build = _build_server; + this->public.sasl.process = _process_server; + } + return &this->public; +} diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h new file mode 100644 index 000000000..08b7fc76f --- /dev/null +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sasl_plain sasl_plain + * @{ @ingroup sasl + */ + +#ifndef SASL_PLAIN_H_ +#define SASL_PLAIN_H_ + +#include <sasl/sasl_mechanism.h> + +typedef struct sasl_plain_t sasl_plain_t; + +/** + * SASL Mechanism implementing PLAIN. + */ +struct sasl_plain_t { + + /** + * Implements sasl_mechanism_t + */ + sasl_mechanism_t sasl; +}; + +/** + * Create a sasl_plain instance. + * + * @param name name of mechanism, must be "PLAIN" + * @param client client identity, NULL to act as server + * @return mechanism implementing PLAIN, NULL on error + */ +sasl_plain_t *sasl_plain_create(char *name, identification_t *client); + +#endif /** SASL_PLAIN_H_ @}*/ |