author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-08-09 22:10:37 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-08-15 23:34:22 +0200 |
commit | 97b1d39de5f1041497fe9de7b3c25d9d28947a50 (patch) | |
tree | 8509327b874c1ff58db9ca72ee2526d287c56fcb | |
parent | 6d6100c2bc83688080e24e4f8e25efea21ca9f08 (diff) | |
download | strongswan-97b1d39de5f1041497fe9de7b3c25d9d28947a50.tar.bz2 strongswan-97b1d39de5f1041497fe9de7b3c25d9d28947a50.tar.xz |
Extract client identity and authentication type from SASL authentication
-rw-r--r-- | src/libpttls/pt_tls_server.c | 22 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_mechanism.h | 7 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.c | 21 | ||||
-rw-r--r-- | src/libtls/tls.h | 7 | ||||
-rw-r--r-- | src/libtnccs/plugins/tnccs_11/tnccs_11.c | 8 | ||||
-rw-r--r-- | src/libtnccs/plugins/tnccs_20/tnccs_20.c | 8 | ||||
-rw-r--r-- | src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c | 12 |
7 files changed, 76 insertions, 9 deletions
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index 33d97152b..fd5d9520d 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -61,6 +61,7 @@ struct private_pt_tls_server_t { * TNCCS protocol handler, implemented as tls_t */ tls_t *tnccs; + }; /** @@ -111,8 +112,27 @@ static status_t process_sasl(private_pt_tls_server_t *this, sasl_mechanism_t *sasl, chunk_t data) { bio_writer_t *writer; + status_t status; + identification_t *client; + tnccs_t *tnccs; + + status = sasl->process(sasl, data); + if (status != NEED_MORE) + { + client = sasl->get_client(sasl); + if (client) + { + DBG1(DBG_TNC, "SASL client identity is '%Y'", client); + this->tnccs->set_peer_id(this->tnccs, client); + if (streq(sasl->get_name(sasl), "PLAIN")) + { + tnccs = (tnccs_t*)this->tnccs; + tnccs->set_auth_type(tnccs, TNC_AUTH_PASSWORD); + } + } + } - switch (sasl->process(sasl, data)) + switch (status) { case NEED_MORE: return NEED_MORE; diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h index fb1d08097..e8c47c408 100644 --- a/src/libpttls/sasl/sasl_mechanism.h +++ b/src/libpttls/sasl/sasl_mechanism.h @@ -51,6 +51,13 @@ struct sasl_mechanism_t { char* (*get_name)(sasl_mechanism_t *this); /** + * Get the client identity + * + * @return client identity + */ + identification_t* (*get_client)(sasl_mechanism_t *this); + + /** * Build a SASL message to send to remote host. * * A message is returned if the return value is NEED_MORE or SUCCESS. A diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c index e8d6dc80b..fdb3523cb 100644 --- a/src/libpttls/sasl/sasl_plain/sasl_plain.c +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c 
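Review bot: In process_sasl the new block runs for every status other than NEED_MORE, so a FAILED PLAIN exchange still calls `this->tnccs->set_peer_id` with the identity the client merely asserted and marks the session `TNC_AUTH_PASSWORD` before any credential was verified; gate it on success instead, `if (status == SUCCESS)`. What happens to that identity after a failure is outside the hunk (the remaining switch cases are not shown), so whether this is exploitable or only misleading cannot be told from here, but an unauthenticated name should not be published as the peer identity at all. The `(tnccs_t*)this->tnccs` cast appears to rely on tls_t being the first member of tnccs_t; a one-line comment stating that dependency next to the cast would keep it from being broken by a later struct reorder. Selecting the auth type by comparing the mechanism name with `"PLAIN"` hard-codes one mechanism in the server; a `get_auth_type` hook on sasl_mechanism_t would scale when further mechanisms are added.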
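Review bot: The new get_client doc comment in sasl_mechanism.h says nothing about ownership or about when a result is available, yet the caller added in pt_tls_server.c both tests it for NULL and hands it to set_peer_id, so the contract matters. Suggest expanding it to: `Get the client identity, if the mechanism has learned one. @return client identity, NULL if not (yet) known; owned by the mechanism and valid only until the next process() or destroy() call`. The sasl_plain implementation keeps the identity in a member it later replaces with DESTROY_IF, which is what the validity wording reflects; whether an identity is also reported before the exchange has succeeded should be stated here once that is decided.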
@@ -35,6 +35,12 @@ struct private_sasl_plain_t { identification_t *client; }; +METHOD(sasl_mechanism_t, get_client, identification_t*, + private_sasl_plain_t *this) +{ + return this->client; +} + METHOD(sasl_mechanism_t, get_name, char*, private_sasl_plain_t *this) { @@ -52,7 +58,6 @@ METHOD(sasl_mechanism_t, process_server, status_t, private_sasl_plain_t *this, chunk_t message) { chunk_t authz, authi, password; - identification_t *id; shared_key_t *shared; u_char *pos; @@ -72,22 +77,21 @@ METHOD(sasl_mechanism_t, process_server, status_t, } authi = chunk_create(message.ptr, pos - message.ptr); password = chunk_skip(message, authi.len + 1); - id = identification_create_from_data(authi); - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); + DESTROY_IF(this->client); + this->client = identification_create_from_data(authi); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client, + NULL); if (!shared) { - DBG1(DBG_CFG, "no shared secret found for '%Y'", id); - id->destroy(id); + DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client); return FAILED; } if (!chunk_equals(shared->get_key(shared), password)) { - DBG1(DBG_CFG, "shared secret for '%Y' does not match", id); - id->destroy(id); + DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client); shared->destroy(shared); return FAILED; } - id->destroy(id); shared->destroy(shared); return SUCCESS; } @@ -151,6 +155,7 @@ sasl_plain_t *sasl_plain_create(char *name, identification_t *client) .public = { .sasl = { .get_name = _get_name, + .get_client = _get_client, .destroy = _destroy, }, }, diff --git a/src/libtls/tls.h b/src/libtls/tls.h index 7f45b1e09..db332fbbf 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h 
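Review bot: process_server now stores the client-supplied authcid in `this->client` before the shared secret is looked up and leaves it there on both `return FAILED` paths, where the old code destroyed the temporary, so get_client afterwards reports an identity that never authenticated. Either reset it on failure, `DESTROY_IF(this->client); this->client = NULL;` before each `return FAILED;`, or document on get_client that the value is only meaningful once process() has returned SUCCESS. The leading `DESTROY_IF(this->client)` copes with a repeated message, but whether _destroy also releases the member is not visible in this hunk and should be checked so the identity is not leaked on teardown.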
@@ -200,6 +200,13 @@ struct tls_t { identification_t* (*get_server_id)(tls_t *this); /** + * Set the peer identity. + * + * @param id peer identity + */ + void (*set_peer_id)(tls_t *this, identification_t *id); + + /** * Return the peer identity. * * @return peer identity diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c index 715586167..7fc7e6d76 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c @@ -525,6 +525,13 @@ METHOD(tls_t, get_server_id, identification_t*, return this->server; } +METHOD(tls_t, set_peer_id, void, + private_tnccs_11_t *this, identification_t *id) +{ + DESTROY_IF(this->peer); + this->peer = id->clone(id); +} + METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_11_t *this) { @@ -611,6 +618,7 @@ tnccs_t* tnccs_11_create(bool is_server, .build = _build, .is_server = _is_server, .get_server_id = _get_server_id, + .set_peer_id = _set_peer_id, .get_peer_id = _get_peer_id, .get_purpose = _get_purpose, .is_complete = _is_complete, diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c index e5117e829..5d2d7ee25 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c @@ -834,6 +834,13 @@ METHOD(tls_t, get_server_id, identification_t*, return this->server; } +METHOD(tls_t, set_peer_id, void, + private_tnccs_20_t *this, identification_t *id) +{ + DESTROY_IF(this->peer); + this->peer = id->clone(id); +} + METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_20_t *this) { @@ -922,6 +929,7 @@ tnccs_t* tnccs_20_create(bool is_server, .build = _build, .is_server = _is_server, .get_server_id = _get_server_id, + .set_peer_id = _set_peer_id, .get_peer_id = _get_peer_id, .get_purpose = _get_purpose, .is_complete = _is_complete, 
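Review bot: The set_peer_id doc comment in tls.h does not say who owns `id` afterwards, and every implementation added in this commit (tnccs_11, tnccs_20, tnccs_dynamic) clones it, so the caller keeps ownership; state that in the header, `@param id peer identity, cloned by the implementation`, so a future implementation does not take the pointer. It would also help to note that a call replaces any identity already held, since the implementations DESTROY_IF the previous value.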
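Review bot: set_peer_id in tnccs_11.c (and the identical one in tnccs_20.c) silently replaces whatever `this->peer` already held; if the constructor was handed a peer identity derived from the TLS client certificate, a later SASL identity overwrites it without any check or log that the two differ. A DBG1 when `this->peer` is already set and `!this->peer->equals(this->peer, id)`, or an explicit rule that the TLS-authenticated identity wins, would make the precedence visible; which identity should take precedence cannot be decided from this hunk. `id` is dereferenced without a NULL check, which the caller in pt_tls_server.c guards, but `if (!id) return;` or a doc note on the interface would keep the method safe for other callers.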
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c index bc3112686..a52ffedbb 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -135,6 +135,17 @@ METHOD(tls_t, get_server_id, identification_t*, return this->server; } +METHOD(tls_t, set_peer_id, void, + private_tnccs_dynamic_t *this, identification_t *id) +{ + DESTROY_IF(this->peer); + this->peer = id->clone(id); + if (this->tls) + { + this->tls->set_peer_id(this->tls, id); + } +} + METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_dynamic_t *this) { @@ -208,6 +219,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .build = _build, .is_server = _is_server, .get_server_id = _get_server_id, + .set_peer_id = _set_peer_id, .get_peer_id = _get_peer_id, .get_purpose = _get_purpose, .is_complete = _is_complete, |
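Review bot: set_peer_id in tnccs_dynamic.c forwards `id` to the delegate only when `this->tls` already exists; if the concrete TNCCS handler is created later (the point where `this->tls` is instantiated is outside this hunk), the identity kept in `this->peer` must be passed into that constructor or pushed with set_peer_id there, otherwise a SASL identity learned before protocol detection is lost. A one-line comment at the `if (this->tls)`, e.g. `/* delegate not yet created: this->peer is handed over at creation */`, would document which case applies. The double clone, once here and again inside the delegate's set_peer_id, is harmless but worth a note so nobody "fixes" it by passing `this->peer` and sharing ownership.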