author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-03-31 15:59:32 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-03-31 15:59:32 +0200 |
commit | 4581767493d4ffcf7478d8a2040cc35431d0b4ae (patch) | |
tree | 4ca860d692050db49c1752f9c3e3d6bcdb5f3653 /src | |
parent | e8675cb35d2783b0bd0dbca26b9e6ec608c6d2ac (diff) | |
implemented http basic authentication
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap.c | 88 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.c | 30 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.h | 8 |
3 files changed, 80 insertions, 46 deletions
diff --git a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap.c b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap.c
index b253083f2..887a781bf 100644
--- a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap.c
@@ -75,6 +75,11 @@ struct private_tnc_ifmap2_soap_t { char *uri; /** + * Optional base64-encoded username:password for HTTP Basic Authentication + */ + chunk_t user_pass; + + /** * IF-MAP Server (IP address and port) */ host_t *host;
@@ -107,7 +112,7 @@ METHOD(tnc_ifmap2_soap_t, newSession, bool, this->ns = xmlNewNs(request, IFMAP_NS, "ifmap"); xmlSetNs(request, this->ns); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); if (!soap_msg->post(soap_msg, request, "newSessionResult", &result)) { soap_msg->destroy(soap_msg);
@@ -145,7 +150,7 @@ METHOD(tnc_ifmap2_soap_t, purgePublisher, bool, xmlNewProp(request, "session-id", this->session_id); xmlNewProp(request, "ifmap-publisher-id", this->ifmap_publisher_id); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); success = soap_msg->post(soap_msg, request, "purgePublisherReceived", NULL); soap_msg->destroy(soap_msg);
@@ -517,7 +522,7 @@ METHOD(tnc_ifmap2_soap_t, publish_ike_sa, bool, } e1->destroy(e1); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); success = soap_msg->post(soap_msg, request, "publishReceived", NULL); soap_msg->destroy(soap_msg); 
@@ -541,7 +546,7 @@ METHOD(tnc_ifmap2_soap_t, publish_device_ip, bool, xmlAddChild(update, create_ip_address(this, host)); xmlAddChild(update, create_metadata(this, "device-ip")); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); success = soap_msg->post(soap_msg, request, "publishReceived", NULL); soap_msg->destroy(soap_msg);
@@ -565,7 +570,7 @@ METHOD(tnc_ifmap2_soap_t, publish_enforcement_report, bool, xmlAddChild(update, create_device(this)); xmlAddChild(update, create_enforcement_report(this, action, reason)); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); success = soap_msg->post(soap_msg, request, "publishReceived", NULL); soap_msg->destroy(soap_msg);
@@ -585,7 +590,7 @@ METHOD(tnc_ifmap2_soap_t, endSession, bool, xmlSetNs(request, this->ns); xmlNewProp(request, "session-id", this->session_id); - soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->tls); + soap_msg = tnc_ifmap2_soap_msg_create(this->uri, this->user_pass, this->tls); success = soap_msg->post(soap_msg, request, "endSessionResult", NULL); soap_msg->destroy(soap_msg);
@@ -611,17 +616,18 @@ METHOD(tnc_ifmap2_soap_t, destroy, void, } lib->credmgr->remove_set(lib->credmgr, &this->creds->set); this->creds->destroy(this->creds); + free(this->user_pass.ptr); free(this); } static bool soap_init(private_tnc_ifmap2_soap_t *this) { char *server_uri, *server_str, *port_str, *uri_str; - char *server_cert, *client_cert, *client_key, *username, *password; + char *server_cert, *client_cert, *client_key, *user_pass; int port; certificate_t *cert; private_key_t *key; - identification_t *server_id, *client_id; + identification_t *server_id, *client_id = NULL; /* getting configuration parameters from strongswan.conf */ server_uri = lib->settings->get_str(lib->settings, 
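Review bot: In the destroy hunk, `free(this->user_pass.ptr);` releases a buffer that holds the base64-encoded username:password without wiping it, so the credential can linger in freed heap memory for the rest of the daemon's lifetime. The rest of this plugin hands its keys to the credential set, which takes care of its own cleanup; this copy deserves the same treatment. Replace the line with `chunk_clear(&this->user_pass);`, which zeroes the bytes before freeing and, as far as I recall, copes with the empty chunk left behind by the certificate-only path. soap_init, whose head is also in this hunk, continues past the end of the hunk.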
@@ -632,10 +638,8 @@ static bool soap_init(private_tnc_ifmap2_soap_t *this) "%s.plugins.tnc-ifmap2.client_cert", NULL, charon->name); client_key = lib->settings->get_str(lib->settings, "%s.plugins.tnc-ifmap2.client_key", NULL, charon->name); - username = lib->settings->get_str(lib->settings, - "%s.plugins.tnc-ifmap.username", NULL, charon->name); - password = lib->settings->get_str(lib->settings, - "%s.plugins.tnc-ifmap.password", NULL, charon->name); + user_pass = lib->settings->get_str(lib->settings, + "%s.plugins.tnc-ifmap2.username_password", NULL, charon->name); /* load [self-signed] MAP server certificate */ if (!server_cert) 
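Review bot: The `username_password` value read here is never checked for the `user:password` shape that the Basic scheme requires; soap_init base64-encodes it further down as-is, so a value missing the colon is sent to the server and, presumably, only rejected there with a status that gives no hint about the cause. A one-line guard at the point of use, `if (!strchr(user_pass, ':'))` followed by a DBG1 naming the setting, would turn that into a configuration error at startup. The old keys used the `tnc-ifmap.` prefix while the new one uses `tnc-ifmap2.`, so existing configurations silently stop authenticating until they are updated; that is worth a line in the commit message or the plugin documentation. soap_init starts before and continues after this hunk.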
@@ -655,40 +659,48 @@ static bool soap_init(private_tnc_ifmap2_soap_t *this) server_id = cert->get_subject(cert); this->creds->add_cert(this->creds, TRUE, cert); - /* load MAP client certificate */ - if (!client_cert) - { - DBG1(DBG_TNC, "MAP client certificate not defined"); - return FALSE; - } - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, client_cert, BUILD_END); - if (!cert) + /* check availability of client credentials */ + if (!((client_cert && client_key) || user_pass)) { - DBG1(DBG_TNC, "loading MAP client certificate from '%s' failed", - client_cert); + DBG1(DBG_TNC, "neither MAP client certificate and private key " + "nor username:password defined"); return FALSE; } - DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert); - client_id = cert->get_subject(cert); - this->creds->add_cert(this->creds, TRUE, cert); - /* load MAP client private key */ - if (!client_key) + if (client_cert) { - DBG1(DBG_TNC, "MAP client private key not defined"); - return FALSE; + /* load MAP client certificate */ + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, client_cert, BUILD_END); + if (!cert) + { + DBG1(DBG_TNC, "loading MAP client certificate from '%s' failed", + client_cert); + return FALSE; + } + DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert); + this->creds->add_cert(this->creds, TRUE, cert); + + /* load MAP client private key */ + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_FROM_FILE, client_key, BUILD_END); + if (!key) + { + DBG1(DBG_TNC, "loading MAP client private key from '%s' failed", + client_key); + return FALSE; + } + DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'", client_key); + this->creds->add_key(this->creds, key); + + /* set client ID to certificate distinguished name */ + client_id = cert->get_subject(cert); } - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_FROM_FILE, 
client_key, BUILD_END); - if (!key) + else { - DBG1(DBG_TNC, "loading MAP client private key from '%s' failed", - client_key); - return FALSE; + /* set base64-encoded username:password for HTTP Basic Authentication */ + this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL); } - DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'", client_key); - this->creds->add_key(this->creds, key); /* remove HTTPS prefix if any */ if (strlen(server_uri) >= 8 && strncaseeq(server_uri, "https://", 8))
diff --git a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.c b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.c
index 5a86aeb3b..5cf966a29 100644
--- a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.c
+++ b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.c
@@ -42,6 +42,11 @@ struct private_tnc_ifmap2_soap_msg_t { char *uri; /** + * Optional base64-encoded username:password for HTTP Basic Authentication + */ + chunk_t user_pass; + + /** * TLS Socket */ tls_socket_t *tls;
@@ -59,7 +64,7 @@ struct private_tnc_ifmap2_soap_msg_t { static bool http_post(private_tnc_ifmap2_soap_msg_t *this, chunk_t out, chunk_t *in) { - char *host, *path, *request, response[2048]; + char *host, *path, *request, buf[2048]; chunk_t line, http, parameter; int len, code, content_len = 0;
@@ -77,15 +82,28 @@ static bool http_post(private_tnc_ifmap2_soap_msg_t *this, chunk_t out, *path = '/'; } + /* Use Basic Authentication? */ + if (this->user_pass.len) + { + snprintf(buf, sizeof(buf), "Authorization: Basic %.*s\r\n", + this->user_pass.len, this->user_pass.ptr); + } + else + { + *buf = '\0'; + } + /* Write HTTP POST request */ len = asprintf(&request, "POST %s HTTP/1.1\r\n" "Host: %.*s\r\n" + "%s" "Content-Type: application/soap+xml;charset=utf-8\r\n" "Content-Length: %d\r\n" "\r\n" - "%.*s", path, (path-host), host, out.len, out.len, out.ptr); + "%.*s", path, (path-host), host, buf, out.len, out.len, out.ptr); free(host); + if (len == -1) { return FALSE; 
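Review bot: The branch condition `if (client_cert)` in the credential-loading hunk does not match the availability check right above it, `(client_cert && client_key) || user_pass`: with client_cert set, client_key unset and a username_password configured, the check passes but execution enters the certificate branch and calls `lib->creds->create(..., BUILD_FROM_FILE, client_key, BUILD_END)` with a NULL path, so the configured Basic Authentication credentials are never used and the operator gets a misleading private-key error instead. Change the branch to `if (client_cert && client_key)` so the `else` branch applies whenever the certificate pair is incomplete. The certificate path logs what it loaded while the new `else` branch logs nothing; a line such as `DBG1(DBG_TNC, "using HTTP Basic Authentication as MAP client");` would make the active credential type visible in the daemon log. soap_init starts before and continues after this hunk.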
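Review bot: The new snprintf in http_post passes `this->user_pass.len` as the precision of `%.*s`, but that conversion takes an `int` while chunk_t's len is a size_t, so the variadic argument is mismatched on 64-bit targets (the surrounding asprintf already does the same with `out.len`); pass `(int)this->user_pass.len, this->user_pass.ptr);` instead. The snprintf return value is also discarded, so an oversized credential string would be truncated silently, possibly losing the terminating `\r\n` and corrupting the request line that follows; capture the return and fail the post when it is negative or not less than `sizeof(buf)`. Emitting credentials in a Basic header is only acceptable because the request is written through `this->tls`; a one-line comment on the `Authorization` line stating that dependency would stop a later transport change from silently downgrading it. http_post continues past the end of this hunk.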
@@ -97,12 +115,12 @@ static bool http_post(private_tnc_ifmap2_soap_msg_t *this, chunk_t out, free(request); /* Read HTTP response */ - len = this->tls->read(this->tls, response, sizeof(response), TRUE); + len = this->tls->read(this->tls, buf, sizeof(buf), TRUE); if (len == -1) { return FALSE; } - *in = chunk_create(response, len); + *in = chunk_create(buf, len); /* Process HTTP protocol version */ if (!fetchline(in, &line) || !extract_token(&http, ' ', &line) ||
@@ -297,7 +315,8 @@ METHOD(tnc_ifmap2_soap_msg_t, destroy, void, /** * See header */ -tnc_ifmap2_soap_msg_t *tnc_ifmap2_soap_msg_create(char *uri, tls_socket_t *tls) +tnc_ifmap2_soap_msg_t *tnc_ifmap2_soap_msg_create(char *uri, chunk_t user_pass, + tls_socket_t *tls) { private_tnc_ifmap2_soap_msg_t *this;
@@ -307,6 +326,7 @@ tnc_ifmap2_soap_msg_t *tnc_ifmap2_soap_msg_create(char *uri, tls_socket_t *tls) .destroy = _destroy, }, .uri = uri, + .user_pass = user_pass, .tls = tls, );
diff --git a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.h b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.h
index 2dd12fe70..2a50bfc8b 100644
--- a/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.h
+++ b/src/libcharon/plugins/tnc_ifmap2/tnc_ifmap2_soap_msg.h
@@ -52,9 +52,11 @@ struct tnc_ifmap2_soap_msg_t { /** * Create a tnc_ifmap2_soap_msg instance. * - * @param uri HTTPS URI with https:// prefix removed - * @param tls TLS socket protecting the SOAP message + * @param uri HTTPS URI with https:// prefix removed + * @param user_pass Optional username:password for HTTP Basic Authentication + * @param tls TLS socket protecting the SOAP message */ -tnc_ifmap2_soap_msg_t *tnc_ifmap2_soap_msg_create(char *uri, tls_socket_t *tls); +tnc_ifmap2_soap_msg_t *tnc_ifmap2_soap_msg_create(char *uri, chunk_t user_pass, + tls_socket_t *tls); #endif /** TNC_IFMAP2_SOAP_MSG_H_ @}*/ |
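Review bot: The new `@param user_pass` in the header hunk says "Optional username:password", but the private struct comments in both .c files and the only caller in soap_init store the base64-encoded form, and http_post emits it verbatim after `Basic `; a caller reading the header alone would pass plaintext and produce an unusable header. The constructor also keeps the chunk by reference (`.user_pass = user_pass,` with no clone) and this diff adds no free for it on the message side, so ownership stays with the caller and the buffer must outlive every post. Suggested wording: ` * @param user_pass Optional base64-encoded username:password for HTTP Basic Authentication (not cloned, caller keeps ownership)`.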