-rw-r--r-- | src/pluto/constants.c | 57 | ||||
-rw-r--r-- | src/pluto/constants.h | 44 |
2 files changed, 93 insertions, 8 deletions
diff --git a/src/pluto/constants.c b/src/pluto/constants.c index db20d1937..f2810b8a1 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -183,6 +183,9 @@ static const char *const state_name[] = { "STATE_INFO", "STATE_INFO_PROTECTED", + "STATE_XAUTH_R0", + "STATE_XAUTH_R1", + "STATE_MODE_CFG_R0", "STATE_MODE_CFG_R1", "STATE_MODE_CFG_R2", @@ -216,7 +219,10 @@ const char *const state_story[] = { "got Informational Message in clear", /* STATE_INFO */ "got encrypted Informational Message", /* STATE_INFO_PROTECTED */ - + + "sent XAUTH request, expecting reply", /* STATE_XAUTH_R0 */ + "sent XAUTH status, expecting ack", /* STATE_XAUTH_R1 */ + "sent ModeCfg reply", /* STATE_MODE_CFG_R0 */ "sent ModeCfg reply", /* STATE_MODE_CFG_R1 */ "received ModeCfg ack", /* STATE_MODE_CFG_R2 */ @@ -487,6 +493,9 @@ const char *const sa_policy_bit_names[] = { "GROUTED", "UP", "MODECFGPUSH", + "XAUTHPSK", + "XAUTHRSASIG", + "XAUTHSERVER", NULL }; 
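Review bot: state_name[] is indexed by enum state_kind and gets two names inserted mid-table here, but nothing ties its length to the enum, so the next insertion that touches the header and not this file mislabels every later state in the log. I would add a terminating `STATE_IKE_ROOF` member to the enum and a compile-time size check beside the table, e.g. `typedef char state_name_size_check[sizeof(state_name) / sizeof(state_name[0]) == STATE_IKE_ROOF ? 1 : -1];`. The same guard belongs on state_story[]. The array starts and ends outside this hunk.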
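Review bot: The entry `"sent ModeCfg reply", /* STATE_MODE_CFG_R0 */` is on the new side while the R1 entry beside it is context, and constants.h already had STATE_MODE_CFG_R0 before this change, so unless that line was lost in the collapsed layout the old state_story[] was one entry short and every story from STATE_MODE_CFG_R0 onward was shifted by one; the fix is right but deserves a mention in the commit message. The two ModeCfg responder states now carry byte-identical story text, so a log reader cannot tell R0 from R1; if the two states differ (the header only says "responder states"), give R0 its own wording. The array starts and ends outside this hunk.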
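Review bot: sa_policy_bit_names[] is a NULL-terminated list whose position is the LELEM bit number, so the three new names are correct only because they are appended in exactly the order POLICY_XAUTH_PSK=18, POLICY_XAUTH_RSASIG=19, POLICY_XAUTH_SERVER=20 used in constants.h. A one-line comment above the entries, `/* order must match the LELEM() numbers of the POLICY_* bits in constants.h */`, would make that coupling explicit, since prettypolicy() output is what an operator reads to see which authentication a connection actually allows. The array definition starts before this hunk.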
@@ -675,7 +684,49 @@ enum_names auth_alg_names = { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name , &extended_auth_alg_names }; -const char *const modecfg_attr_name[] = { +/* From draft-beaulieu-ike-xauth */ +static const char *const xauth_type_name[] = { + "Generic", + "RADIUS-CHAP", + "OTP", + "S/KEY", +}; + +enum_names xauth_type_names = + { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL}; + +/* From draft-beaulieu-ike-xauth */ +static const char *const xauth_attr_tv_name[] = { + "XAUTH_TYPE", + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + "XAUTH_STATUS", + }; + +enum_names xauth_attr_tv_names = { + XAUTH_TYPE + ISAKMP_ATTR_AF_TV, + XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL }; + +static const char *const xauth_attr_name[] = { + "XAUTH_USER_NAME", + "XAUTH_USER_PASSWORD", + "XAUTH_PASSCODE", + "XAUTH_MESSAGE", + "XAUTH_CHALLENGE", + "XAUTH_DOMAIN", + "XAUTH_STATUS (wrong TLV syntax, should be TV)", + "XAUTH_NEXT_PIN", + "XAUTH_ANSWER", + }; + +enum_names xauth_attr_names = + { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &xauth_attr_tv_names }; + +static const char *const modecfg_attr_name[] = { "INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK", "INTERNAL_IP4_DNS", @@ -695,7 +746,7 @@ const char *const modecfg_attr_name[] = { }; enum_names modecfg_attr_names = - { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , NULL }; + { INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names }; /* Oakley Lifetime Type attribute */ diff --git a/src/pluto/constants.h b/src/pluto/constants.h index c8946be37..bbacd2f50 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h 
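Review bot: xauth_attr_names starts at XAUTH_USER_NAME, so a bare XAUTH_TYPE (16520) arriving in TLV form matches none of the chained tables (the TV table only covers 16520 and 16527 with ISAKMP_ATTR_AF_TV added) and prints as a number, whereas the equally malformed XAUTH_STATUS gets the explicit `"XAUTH_STATUS (wrong TLV syntax, should be TV)"` label; either start xauth_attr_name at XAUTH_TYPE with a matching `"XAUTH_TYPE (wrong TLV syntax, should be TV)"` entry, or comment why only STATUS is labelled. These names are diagnostics only: whatever parses XAUTH attributes (not in this diff) must still reject a wrong attribute-format bit instead of relying on the label. The six NULL placeholders in xauth_attr_tv_name assume the routine that prints these names tolerates NULL entries, which is worth confirming, and a `/* gaps: 16521-16526 are TLV only */` comment would explain them. Because this table names XAUTH_USER_PASSWORD and XAUTH_PASSCODE, any attribute dump that prints by name should be checked that it never prints those values. modecfg_attr_name[] continues past the end of this hunk.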
@@ -506,11 +506,18 @@ enum state_kind { STATE_INFO, STATE_INFO_PROTECTED, - STATE_MODE_CFG_R0, /* these states are used on the responder */ + /* XAUTH states */ + + STATE_XAUTH_R0, /* server state: sent request, awaiting reply */ + STATE_XAUTH_R1, /* server state: sent success/fail, awaiting reply */ + + /* Mode Config states */ + + STATE_MODE_CFG_R0, /* responder states */ STATE_MODE_CFG_R1, STATE_MODE_CFG_R2, - STATE_MODE_CFG_I1, /* this is used on the initiator */ + STATE_MODE_CFG_I1, /* initiator states */ STATE_MODE_CFG_I2, STATE_MODE_CFG_I3, @@ -640,7 +647,32 @@ extern enum_names attr_msg_type_names; #define SUPPORTED_ATTRIBUTES 14 #define INTERNAL_IP6_SUBNET 15 +#define MODECFG_ROOF 16 + extern enum_names modecfg_attr_names; +/* XAUTH attribute values */ +#define XAUTH_TYPE 16520 +#define XAUTH_USER_NAME 16521 +#define XAUTH_USER_PASSWORD 16522 +#define XAUTH_PASSCODE 16523 +#define XAUTH_MESSAGE 16524 +#define XAUTH_CHALLENGE 16525 +#define XAUTH_DOMAIN 16526 +#define XAUTH_STATUS 16527 +#define XAUTH_NEXT_PIN 16528 +#define XAUTH_ANSWER 16529 + +#define XAUTH_BASE XAUTH_TYPE + +extern enum_names xauth_attr_names; + +/* XAUTH authentication types */ +#define XAUTH_TYPE_GENERIC 0 +#define XAUTH_TYPE_CHAP 1 +#define XAUTH_TYPE_OTP 2 +#define XAUTH_TYPE_SKEY 3 + +extern enum_names xauth_type_names; /* Exchange types * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)" @@ -754,7 +786,7 @@ extern const char *prettypolicy(lset_t policy); #define POLICY_RSASIG LELEM(1) #define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */ -#define POLICY_ID_AUTH_MASK LRANGES(POLICY_PSK, POLICY_RSASIG) +#define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG) #define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */ /* Quick Mode (IPSEC) attributes */ 
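Review bot: Inserting STATE_XAUTH_R0/R1 before STATE_MODE_CFG_R0 renumbers every later state_kind member, so any other array indexed by state and any range test of the form `s >= STATE_X && s <= STATE_Y` that currently spans STATE_INFO_PROTECTED to a STATE_MODE_CFG_* value silently changes meaning; constants.c updates state_name[] and state_story[] in this diff, but the rest of the tree is not visible here and should be grepped for both patterns. The member comments say "server state" while the story strings in constants.c say "sent XAUTH request" and "sent XAUTH status"; a comment on the two members naming the message the server is waiting for in each would keep the two descriptions aligned. The enum starts and ends outside this hunk.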
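Review bot: The XAUTH attribute values 16520–16529 and the type codes 0–3 are copied from draft-beaulieu-ike-xauth without saying so in the header, and if I remember the mode-config attribute registry correctly they sit in the private-use range rather than an IANA assignment, so a comment such as `/* XAUTH attribute types from draft-beaulieu-ike-xauth; private-use values, only meaningful once XAUTH has been agreed with the peer */` would tell a maintainer where the numbers come from and why they must not be interpreted on an arbitrary peer. `XAUTH_BASE` and `MODECFG_ROOF` are defined but referenced nowhere in this diff; either state their purpose in a comment or drop them until they are used. The `/* XAUTH authentication types */` comment should also note that `XAUTH_TYPE_CHAP` is printed as "RADIUS-CHAP" in constants.c so the two names are recognisably the same thing.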
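Review bot: `POLICY_ID_AUTH_MASK` now names POLICY_XAUTH_PSK and POLICY_XAUTH_RSASIG, which this header defines only further down (LELEM(18)/LELEM(19) in the later hunk); that compiles because macro bodies expand lazily, but a reader sees two undefined identifiers, so either move the XAUTH bit definitions above this line or add `/* POLICY_XAUTH_* are defined below with the other policy bits */`. The mask has also gone from the contiguous LRANGES(PSK, RSASIG) to bits 0, 1, 18, 19 while `POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */` survives unchanged, so any code that shifts or switches on `policy & POLICY_ID_AUTH_MASK` expecting only the two old values needs checking; those users are not visible from here. Since NEVER_NEGOTIATE() later in this file moves to the same mask, a connection carrying only an XAUTH bit becomes negotiable, which looks intended but deserves a line in the commit message. POLICY_XAUTH_SERVER is left out of the mask; a short comment that it is a role bit rather than an authentication method would stop someone adding it later.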
@@ -796,7 +828,9 @@ extern const char *prettypolicy(lset_t policy); #define POLICY_GROUTED LELEM(15) /* do we want this group routed? */ #define POLICY_UP LELEM(16) /* do we want this up? */ #define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */ - +#define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */ +#define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */ +#define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */ /* Any IPsec policy? If not, a connection description * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.) @@ -806,7 +840,7 @@ extern const char *prettypolicy(lset_t policy); #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0) /* Don't allow negotiation? */ -#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_PSK | POLICY_RSASIG)) +#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK)) /* Oakley transform attributes |
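Review bot: The comments on the two new authentication bits read `/* do we support XAUTH????PreShared? */` and `/* do we support XAUTH????RSA? */`, which looks like a mis-encoded character rather than intended wording; I would write them as `/* XAUTH on top of PreShared Key ISAKMP authentication */` and `/* XAUTH on top of RSA signature ISAKMP authentication */`, adjusting if the original meant something else. The bit numbers 18–20 must line up with the three names appended to sa_policy_bit_names[] in constants.c, which they do in this diff; a `/* keep in sync with sa_policy_bit_names[] in constants.c */` note here would keep it that way. The policy bit list continues outside this hunk.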