authorMartin Willi <martin@revosec.ch>2013-02-27 16:27:59 +0100
committerMartin Willi <martin@revosec.ch>2013-02-28 16:46:07 +0100
commit2ae0c9e6181421fc589798c64276a6310f13f1a2 (patch)
treef16c8ec3a61ee7d021c1a80d7e48d1c6da77dd0e
parent66d8fd690c7817659e93bdecd79160fbfb79f7d0 (diff)
downloadstrongswan-2ae0c9e6181421fc589798c64276a6310f13f1a2.tar.bz2
strongswan-2ae0c9e6181421fc589798c64276a6310f13f1a2.tar.xz
Implement a SASL PLAIN mechanism using shared secrets
-rw-r--r--src/libpttls/Makefile.am1
-rw-r--r--src/libpttls/sasl/sasl_mechanism.c4
-rw-r--r--src/libpttls/sasl/sasl_plain/sasl_plain.c171
-rw-r--r--src/libpttls/sasl/sasl_plain/sasl_plain.h48
4 files changed, 224 insertions, 0 deletions
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
index b019d2302..48123181b 100644
--- a/src/libpttls/Makefile.am
+++ b/src/libpttls/Makefile.am
@@ -8,4 +8,5 @@ libpttls_la_SOURCES = pt_tls.c pt_tls.h \
pt_tls_client.c pt_tls_client.h \
pt_tls_server.c pt_tls_server.h \
pt_tls_dispatcher.c pt_tls_dispatcher.h \
+ sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
sasl/sasl_mechanism.c sasl/sasl_mechanism.h
diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c
index 4e0f876be..05a02e56d 100644
--- a/src/libpttls/sasl/sasl_mechanism.c
+++ b/src/libpttls/sasl/sasl_mechanism.c
@@ -15,6 +15,8 @@
#include "sasl_mechanism.h"
+#include "sasl_plain/sasl_plain.h"
+
/**
* Available SASL mechanisms.
*/
@@ -23,6 +25,8 @@ static struct {
bool server;
sasl_mechanism_constructor_t create;
} mechs[] = {
+ { "PLAIN", TRUE, (sasl_mechanism_constructor_t)sasl_plain_create },
+ { "PLAIN", FALSE, (sasl_mechanism_constructor_t)sasl_plain_create },
};
/**
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644
index 000000000..e8d6dc80b
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+ /**
+ * Public sasl_plain_t interface.
+ */
+ sasl_plain_t public;
+
+ /**
+ * Client identity
+ */
+ identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+ private_sasl_plain_t *this)
+{
+ return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+ private_sasl_plain_t *this, chunk_t *message)
+{
+ /* gets never called */
+ return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+ private_sasl_plain_t *this, chunk_t message)
+{
+ chunk_t authz, authi, password;
+ identification_t *id;
+ shared_key_t *shared;
+ u_char *pos;
+
+ pos = memchr(message.ptr, 0, message.len);
+ if (!pos)
+ {
+ DBG1(DBG_CFG, "invalid authz encoding");
+ return FAILED;
+ }
+ authz = chunk_create(message.ptr, pos - message.ptr);
+ message = chunk_skip(message, authz.len + 1);
+ pos = memchr(message.ptr, 0, message.len);
+ if (!pos)
+ {
+ DBG1(DBG_CFG, "invalid authi encoding");
+ return FAILED;
+ }
+ authi = chunk_create(message.ptr, pos - message.ptr);
+ password = chunk_skip(message, authi.len + 1);
+ id = identification_create_from_data(authi);
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+ if (!shared)
+ {
+ DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+ id->destroy(id);
+ return FAILED;
+ }
+ if (!chunk_equals(shared->get_key(shared), password))
+ {
+ DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+ id->destroy(id);
+ shared->destroy(shared);
+ return FAILED;
+ }
+ id->destroy(id);
+ shared->destroy(shared);
+ return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+ private_sasl_plain_t *this, chunk_t *message)
+{
+ shared_key_t *shared;
+ chunk_t password;
+ char buf[256];
+ ssize_t len;
+
+ /* we currently use the EAP type of shared secret */
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+ this->client, NULL);
+ if (!shared)
+ {
+ DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+ return FAILED;
+ }
+
+ password = shared->get_key(shared);
+ len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+ "", 0, this->client, 0,
+ (int)password.len, password.ptr);
+ if (len < 0 || len >= sizeof(buf))
+ {
+ return FAILED;
+ }
+ *message = chunk_clone(chunk_create(buf, len));
+ return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+ private_sasl_plain_t *this, chunk_t message)
+{
+ /* if the server sends a result, authentication successful */
+ return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+ private_sasl_plain_t *this)
+{
+ DESTROY_IF(this->client);
+ free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+ private_sasl_plain_t *this;
+
+ if (!streq(get_name(NULL), name))
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .sasl = {
+ .get_name = _get_name,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ if (client)
+ {
+ this->public.sasl.build = _build_client;
+ this->public.sasl.process = _process_client;
+ this->client = client->clone(client);
+ }
+ else
+ {
+ this->public.sasl.build = _build_server;
+ this->public.sasl.process = _process_server;
+ }
+ return &this->public;
+}
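Review bot: In build_client the shared_key_t returned by get_shared() is never released: both the truncation return and the NEED_MORE return leave `shared` alive, so every client authentication attempt leaks one reference. The same function leaves the shared secret in the stack buffer `buf` after it has been copied into the message, so `buf` should be wiped on both paths with `memwipe(buf, sizeof(buf))`, and a DBG1 on the truncation path would help, since a bare FAILED with no log line is hard to diagnose. Separately, process_server compares the received password with `chunk_equals()`, which stops at the first differing byte; if the library offers a constant-time comparison helper it should be used there so the comparison does not leak how much of the secret matched through timing. A rewrite of the tail of build_client follows; the lookup and its error branch above it stay as they are.
```c
	password = shared->get_key(shared);
	len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
				   "", 0, this->client, 0,
				   (int)password.len, password.ptr);
	/* password points into shared; it is no longer needed once copied */
	shared->destroy(shared);
	if (len < 0 || len >= sizeof(buf))
	{
		memwipe(buf, sizeof(buf));
		DBG1(DBG_CFG, "SASL PLAIN message for %Y exceeds buffer", this->client);
		return FAILED;
	}
	*message = chunk_clone(chunk_create(buf, len));
	memwipe(buf, sizeof(buf));
	return NEED_MORE;
```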
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644
index 000000000..08b7fc76f
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+ /**
+ * Implements sasl_mechanism_t
+ */
+ sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name name of mechanism, must be "PLAIN"
+ * @param client client identity, NULL to act as server
+ * @return mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/
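Review bot: The @param client documentation on sasl_plain_create does not state ownership: the implementation clones the identity (client->clone() in sasl_plain.c) and destroys only its own copy in destroy(), so the caller keeps ownership of the object it passes in. Suggest `@param client client identity (cloned, caller retains ownership), NULL to act as server`. The @return line could also say that NULL is returned when name is not "PLAIN", which is the only error path visible in the implementation.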