diff options
| -rwxr-xr-x | configure.in | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_null/Makefile.am | 16 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_null/xauth_null.c | 132 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_null/xauth_null.h | 59 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_null/xauth_null_plugin.c | 62 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_null/xauth_null_plugin.h | 42 | ||||
| -rw-r--r-- | src/libcharon/sa/authenticators/xauth_authenticator.c | 2 | ||||
| -rw-r--r-- | src/libcharon/sa/tasks/xauth_request.c | 53 | ||||
| -rw-r--r-- | src/libstrongswan/xauth/xauth.c | 15 | ||||
| -rw-r--r-- | src/libstrongswan/xauth/xauth.h | 1 |
10 files changed, 363 insertions, 23 deletions
diff --git a/configure.in b/configure.in index 893914251..7385570b5 100755 --- a/configure.in +++ b/configure.in @@ -193,6 +193,7 @@ ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using livene ARG_ENABL_SET([coupling], [enable IKEv2 plugin to couple peer certificates permanently to authentication.]) ARG_ENABL_SET([vstr], [enforce using the Vstr string library to replace glibc-like printf hooks.]) ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.]) +ARG_ENABL_SET([xauth-null], [enable XAuth module which does no actual identity authentication (testing only).]) dnl ========================= dnl set up compiler and flags @@ -864,6 +865,7 @@ ADD_PLUGIN([maemo], [c libcharon]) ADD_PLUGIN([uci], [c libcharon]) ADD_PLUGIN([addrblock], [c libcharon]) ADD_PLUGIN([unit-tester], [c libcharon]) +ADD_PLUGIN([xauth-null], [c libcharon]) AC_SUBST(libcharon_plugins) AC_SUBST(pluto_plugins) @@ -979,6 +981,7 @@ AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) AM_CONDITIONAL(USE_FARP, test x$farp = xtrue) AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue) +AM_CONDITIONAL(USE_XAUTH_NULL, test x$xauth_null = xtrue) dnl hydra plugins dnl ============= @@ -1170,6 +1173,7 @@ AC_OUTPUT( src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile + src/libcharon/plugins/xauth_null/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile diff --git a/src/libcharon/plugins/xauth_null/Makefile.am b/src/libcharon/plugins/xauth_null/Makefile.am new file mode 100644 index 000000000..f4ff03c47 --- /dev/null +++ b/src/libcharon/plugins/xauth_null/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-xauth-null.la +else +plugin_LTLIBRARIES = libstrongswan-xauth-null.la +endif + +libstrongswan_xauth_null_la_SOURCES = \ + xauth_null_plugin.h xauth_null_plugin.c xauth_null.h xauth_null.c + +libstrongswan_xauth_null_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/xauth_null/xauth_null.c b/src/libcharon/plugins/xauth_null/xauth_null.c new file mode 100644 index 000000000..34ed4959a --- /dev/null +++ b/src/libcharon/plugins/xauth_null/xauth_null.c @@ -0,0 +1,132 @@ +/* + * Copyright (C) 2007-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "xauth_null.h" + +#include <daemon.h> +#include <library.h> + +typedef struct private_xauth_null_t private_xauth_null_t; + +/** + * Private data of an xauth_null_t object. + */ +struct private_xauth_null_t { + + /** + * Public authenticator_t interface. + */ + xauth_null_t public; + + /** + * ID of the peer + */ + identification_t *peer; +}; + +METHOD(xauth_method_t, process_peer, status_t, + private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out) +{ + chunk_t user_name = chunk_from_chars('j', 'o', 's', 't'); + chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't'); + cp_payload_t *cp; + + /* TODO-IKEv1: Fetch the user/pass from an authenticator */ + cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY); + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user_name)); + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, user_pass)); + *out = cp; + return NEED_MORE; +} + +METHOD(xauth_method_t, initiate_peer, status_t, + private_xauth_null_t *this, cp_payload_t **out) +{ + /* peer never initiates */ + return FAILED; +} + +METHOD(xauth_method_t, process_server, status_t, + private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out) +{ + return SUCCESS; +} + +METHOD(xauth_method_t, initiate_server, status_t, + private_xauth_null_t *this, cp_payload_t **out) +{ + return NEED_MORE; +} + +METHOD(xauth_method_t, get_type, xauth_type_t, + private_xauth_null_t *this, u_int32_t *vendor) +{ + return XAUTH_NULL; +} + +METHOD(xauth_method_t, destroy, void, + private_xauth_null_t *this) +{ + this->peer->destroy(this->peer); + free(this); +} + +/* + * Described in header. + */ +xauth_null_t *xauth_null_create_peer(identification_t *server, + identification_t *peer) +{ + private_xauth_null_t *this; + + INIT(this, + .public = { + .xauth_method = { + .initiate = _initiate_peer, + .process = _process_peer, + .get_type = _get_type, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + ); + + return &this->public; +} + +/* + * Described in header. + */ +xauth_null_t *xauth_null_create_server(identification_t *server, + identification_t *peer) +{ + private_xauth_null_t *this; + + INIT(this, + .public = { + .xauth_method = { + .initiate = _initiate_server, + .process = _process_server, + .get_type = _get_type, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/xauth_null/xauth_null.h b/src/libcharon/plugins/xauth_null/xauth_null.h new file mode 100644 index 000000000..e3ebaa128 --- /dev/null +++ b/src/libcharon/plugins/xauth_null/xauth_null.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_null_i xauth_null + * @{ @ingroup xauth_null + */ + +#ifndef XAUTH_NULL_H_ +#define XAUTH_NULL_H_ + +typedef struct xauth_null_t xauth_null_t; + +#include <sa/authenticators/xauth/xauth_method.h> + +/** + * Implementation of the xauth_method_t providing no actual identity verification. + */ +struct xauth_null_t { + + /** + * Implemented xauth_method_t interface. + */ + xauth_method_t xauth_method; +}; + +/** + * Creates the XAuth method XAuth NULL, acting as server. + * + * @param server ID of the XAuth server + * @param peer ID of the XAuth client + * @return xauth_null_t object + */ +xauth_null_t *xauth_null_create_server(identification_t *server, + identification_t *peer); + +/** + * Creates the XAuth method XAuth NULL, acting as peer. + * + * @param server ID of the XAuth server + * @param peer ID of the XAuth client + * @return xauth_null_t object + */ +xauth_null_t *xauth_null_create_peer(identification_t *server, + identification_t *peer); + +#endif /** XAUTH_NULL_H_ @}*/ diff --git a/src/libcharon/plugins/xauth_null/xauth_null_plugin.c b/src/libcharon/plugins/xauth_null/xauth_null_plugin.c new file mode 100644 index 000000000..25b7b3841 --- /dev/null +++ b/src/libcharon/plugins/xauth_null/xauth_null_plugin.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "xauth_null_plugin.h" +#include "xauth_null.h" + +#include <daemon.h> + +METHOD(plugin_t, get_name, char*, + xauth_null_plugin_t *this) +{ + return "xauth-null"; +} + +METHOD(plugin_t, get_features, int, + xauth_null_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_server), + PLUGIN_PROVIDE(XAUTH_SERVER, XAUTH_NULL), + PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_peer), + PLUGIN_PROVIDE(XAUTH_PEER, XAUTH_NULL), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + xauth_null_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *xauth_null_plugin_create() +{ + xauth_null_plugin_t *this; + + INIT(this, + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + ); + + return &this->plugin; +} diff --git a/src/libcharon/plugins/xauth_null/xauth_null_plugin.h b/src/libcharon/plugins/xauth_null/xauth_null_plugin.h new file mode 100644 index 000000000..55f4ae19b --- /dev/null +++ b/src/libcharon/plugins/xauth_null/xauth_null_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_null xauth_null + * @ingroup cplugins + * + * @defgroup xauth_null_plugin xauth_null_plugin + * @{ @ingroup xauth_null + */ + +#ifndef XAUTH_NULL_PLUGIN_H_ +#define XAUTH_NULL_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct xauth_null_plugin_t xauth_null_plugin_t; + +/** + * XAUTH Null plugin. + */ +struct xauth_null_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** XAUTH_NULL_PLUGIN_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/xauth_authenticator.c b/src/libcharon/sa/authenticators/xauth_authenticator.c index 3f0e591c6..871817d70 100644 --- a/src/libcharon/sa/authenticators/xauth_authenticator.c +++ b/src/libcharon/sa/authenticators/xauth_authenticator.c @@ -98,7 +98,7 @@ METHOD(authenticator_t, process, status_t, cp_in = (cp_payload_t *)message->get_payload(message, CONFIGURATION_V1); - xauth_method = load_method(this, XAUTH_RADIUS, 0); + xauth_method = load_method(this, XAUTH_NULL, 0); if(xauth_method != NULL) { diff --git a/src/libcharon/sa/tasks/xauth_request.c b/src/libcharon/sa/tasks/xauth_request.c index 8e4489ed2..7da5bf9e1 100644 --- a/src/libcharon/sa/tasks/xauth_request.c +++ b/src/libcharon/sa/tasks/xauth_request.c @@ -4,6 +4,7 @@ #include <daemon.h> #include <hydra.h> #include <encoding/payloads/cp_payload.h> +#include <sa/authenticators/xauth_authenticator.h> typedef struct private_xauth_request_t private_xauth_request_t; @@ -90,6 +91,11 @@ struct private_xauth_request_t { * Whether the XAuth status attribute was received */ bool xauth_status_recv; + + /** + * The XAuth authenticator_t object + */ + authenticator_t *xauth_authenticator; }; /** @@ -343,6 +349,11 @@ static status_t process_payloads(private_xauth_request_t *this, message_t *messa } } enumerator->destroy(enumerator); + + if(this->xauth_authenticator) + { + this->xauth_authenticator->process(this->xauth_authenticator, message); + } return NEED_MORE; } @@ -360,6 +371,7 @@ METHOD(task_t, build_i, status_t, attribute_handler_t *handler; configuration_attribute_type_t type; chunk_t data; + status_t status; version = this->ike_sa->get_version(this->ike_sa); if(version == IKEV1) @@ -401,10 +413,11 @@ METHOD(task_t, build_i, status_t, ca_type, XAUTH_USER_PASSWORD, chunk)); break; case TASK_XAUTH_PASS_VERIFY: + status = this->xauth_authenticator->build(this->xauth_authenticator, message); cp = cp_payload_create_type(cp_type, CFG_SET); cp->add_attribute(cp, configuration_attribute_create_value( XAUTH_STATUS, - (this->status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK))); + (status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK))); break; case TASK_XAUTH_COMPLETE: /* ConfigMode stuff */ @@ -467,6 +480,7 @@ METHOD(task_t, process_r, status_t, { ike_version_t version; payload_type_t cp_type; + status_t status; version = this->ike_sa->get_version(this->ike_sa); if(version == IKEV1) @@ -485,6 +499,10 @@ METHOD(task_t, process_r, status_t, /* We aren't XAuth, so do we should expect ConfigMode stuff */ this->state = TASK_XAUTH_COMPLETE; } + if((this->xauth_authenticator == NULL) && (this->state == TASK_XAUTH_INIT)) + { + this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_builder(this->ike_sa); + } cp_type = CONFIGURATION_V1; } else /* IKEv2 */ @@ -498,14 +516,17 @@ METHOD(task_t, process_r, status_t, cp_type = CONFIGURATION; } - return process_payloads(this, message); + status = process_payloads(this, message); + if(this->xauth_authenticator != NULL) + { + status = this->xauth_authenticator->process(this->xauth_authenticator, message); + } + return status; } METHOD(task_t, build_r, status_t, private_xauth_request_t *this, message_t *message) { - chunk_t user_name = chunk_from_chars('j', 'o', 's', 't'); - chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't'); status_t status; cp_payload_t *cp = NULL; payload_type_t cp_type = CONFIGURATION; @@ -518,11 +539,11 @@ METHOD(task_t, build_r, status_t, host_t *vip = NULL; peer_cfg_t *config; - if(this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED) + version = this->ike_sa->get_version(this->ike_sa); + if ((version == IKEV2) && (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)) { return NEED_MORE; } - version = this->ike_sa->get_version(this->ike_sa); if(version == IKEV1) { if(!this->auth_cfg) @@ -545,17 +566,8 @@ METHOD(task_t, build_r, status_t, switch(this->state) { case TASK_XAUTH_INIT: - /* TODO-IKEv1: Fetch the user/pass from an authenticator */ - cp = cp_payload_create_type(cp_type, CFG_REPLY); - cp->add_attribute(cp, configuration_attribute_create_chunk( - ca_type, XAUTH_USER_NAME, user_name)); - cp->add_attribute(cp, configuration_attribute_create_chunk( - ca_type, XAUTH_USER_PASSWORD, user_pass)); - chunk_clear(&user_name); - chunk_clear(&user_pass); - + status = this->xauth_authenticator->build(this->xauth_authenticator, message); this->state = TASK_XAUTH_PASS_VERIFY; - status = NEED_MORE; break; case TASK_XAUTH_PASS_VERIFY: cp = cp_payload_create_type(cp_type, CFG_ACK); @@ -612,6 +624,10 @@ METHOD(task_t, build_r, status_t, default: return FAILED; } + if(cp != NULL) + { + message->add_payload(message, (payload_t *)cp); + } if(status == SUCCESS) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); @@ -629,6 +645,10 @@ METHOD(task_t, process_i, status_t, (this->ike_sa->get_version(this->ike_sa) == IKEV1)) { /* in last IKE_AUTH exchange */ + if(this->xauth_authenticator == NULL) + { + this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_verifier(this->ike_sa); + } status = process_payloads(this, message); this->state = this->next_state; @@ -674,6 +694,7 @@ METHOD(task_t, destroy, void, { DESTROY_IF(this->virtual_ip); this->requested->destroy_function(this->requested, free); + this->xauth_authenticator->destroy(this->xauth_authenticator); free(this); } diff --git a/src/libstrongswan/xauth/xauth.c b/src/libstrongswan/xauth/xauth.c index 8c0046337..b2caf374a 100644 --- a/src/libstrongswan/xauth/xauth.c +++ b/src/libstrongswan/xauth/xauth.c @@ -15,13 +15,15 @@ #include "xauth.h" -ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_RADIUS, - "XAUTH_RADIUS"); -ENUM_END(xauth_method_type_names, XAUTH_RADIUS); +ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_NULL, + "XAUTH_RADIUS", + "XAUTH_NULL"); +ENUM_END(xauth_method_type_names, XAUTH_NULL); -ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_RADIUS, - "RAD"); -ENUM_END(xauth_method_type_short_names, XAUTH_RADIUS); +ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_NULL, + "RAD", + "NULL"); +ENUM_END(xauth_method_type_short_names, XAUTH_NULL); /* * See header @@ -34,6 +36,7 @@ xauth_type_t xauth_type_from_string(char *name) xauth_type_t type; } types[] = { {"radius", XAUTH_RADIUS}, + {"null", XAUTH_NULL}, }; for (i = 0; i < countof(types); i++) diff --git a/src/libstrongswan/xauth/xauth.h b/src/libstrongswan/xauth/xauth.h index 19274f2f1..4554ee779 100644 --- a/src/libstrongswan/xauth/xauth.h +++ b/src/libstrongswan/xauth/xauth.h @@ -30,6 +30,7 @@ typedef enum xauth_type_t xauth_type_t; */ enum xauth_type_t { XAUTH_RADIUS = 253, + XAUTH_NULL = 254, }; /** |