diff options
Diffstat (limited to 'src/libcharon/plugins')
| -rw-r--r-- | src/libcharon/plugins/eap_gtc/eap_gtc.c | 1 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_xauth.c | 182 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_xauth.h | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_eap/xauth_eap.c | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_eap/xauth_eap.h | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_generic/xauth_generic.c | 73 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_generic/xauth_generic.h | 8 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_noauth/xauth_noauth.c | 3 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_noauth/xauth_noauth.h | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_pam/xauth_pam.c | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/xauth_pam/xauth_pam.h | 3 |
11 files changed, 235 insertions, 51 deletions
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c index f090e94a8..2f64f325c 100644 --- a/src/libcharon/plugins/eap_gtc/eap_gtc.c +++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c @@ -280,4 +280,3 @@ eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer) return &this->public; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c index bd960d2bc..e66bbf38f 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c @@ -20,9 +20,21 @@ #include <daemon.h> #include <radius_client.h> +#include <collections/array.h> typedef struct private_eap_radius_xauth_t private_eap_radius_xauth_t; +typedef struct xauth_round_t xauth_round_t; + +/** + * Configuration for an XAuth authentication exchange + */ +struct xauth_round_t { + /** XAuth message type to send */ + configuration_attribute_type_t type; + /** Message to present to user */ + char *message; +}; /** * Private data of an eap_radius_xauth_t object. @@ -48,33 +60,74 @@ struct private_eap_radius_xauth_t { * RADIUS connection */ radius_client_t *client; + + /** + * XAuth authentication rounds, as xauth_round_t + */ + array_t *rounds; + + /** + * XAuth round currently in progress + */ + xauth_round_t round; + + /** + * Concatentated password of all rounds + */ + chunk_t pass; }; +/** + * Fetch next XAuth round, add attributes to CP payload + */ +static bool build_round(private_eap_radius_xauth_t *this, cp_payload_t *cp) +{ + if (!array_remove(this->rounds, ARRAY_HEAD, &this->round)) + { + return FALSE; + } + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, this->round.type, chunk_empty)); + + if (this->round.message && strlen(this->round.message)) + { + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_MESSAGE, + chunk_from_str(this->round.message))); + } + return TRUE; +} + METHOD(xauth_method_t, initiate, status_t, private_eap_radius_xauth_t *this, cp_payload_t **out) { cp_payload_t *cp; cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST); + /* first message always comes with username */ cp->add_attribute(cp, configuration_attribute_create_chunk( CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty)); - cp->add_attribute(cp, configuration_attribute_create_chunk( - CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty)); - *out = cp; - return NEED_MORE; + + if (build_round(this, cp)) + { + *out = cp; + return NEED_MORE; + } + cp->destroy(cp); + return FAILED; } /** * Verify a password using RADIUS User-Name/User-Password attributes */ -static status_t verify_radius(private_eap_radius_xauth_t *this, chunk_t pass) +static status_t verify_radius(private_eap_radius_xauth_t *this) { radius_message_t *request, *response; status_t status = FAILED; request = radius_message_create(RMC_ACCESS_REQUEST); request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); - request->add(request, RAT_USER_PASSWORD, pass); + request->add(request, RAT_USER_PASSWORD, this->pass); eap_radius_build_attributes(request); eap_radius_forward_from_ike(request); @@ -114,34 +167,34 @@ METHOD(xauth_method_t, process, status_t, configuration_attribute_t *attr; enumerator_t *enumerator; identification_t *id; + cp_payload_t *cp; chunk_t user = chunk_empty, pass = chunk_empty; enumerator = in->create_attribute_enumerator(in); while (enumerator->enumerate(enumerator, &attr)) { - switch (attr->get_type(attr)) + if (attr->get_type(attr) == XAUTH_USER_NAME) { - case XAUTH_USER_NAME: - user = attr->get_chunk(attr); - break; - case XAUTH_USER_PASSWORD: - pass = attr->get_chunk(attr); - /* trim password to any null termination. As User-Password - * uses null padding, we can't have any null in it, and some - * clients actually send null terminated strings (Android). */ - pass.len = strnlen(pass.ptr, pass.len); - break; - default: - break; + user = attr->get_chunk(attr); + } + else if (attr->get_type(attr) == this->round.type) + { + pass = attr->get_chunk(attr); + /* trim password to any null termination. As User-Password + * uses null padding, we can't have any null in it, and some + * clients actually send null terminated strings (Android). */ + pass.len = strnlen(pass.ptr, pass.len); } } enumerator->destroy(enumerator); - if (!user.ptr || !pass.ptr) + if (!pass.ptr) { - DBG1(DBG_IKE, "peer did not respond to our XAuth request"); + DBG1(DBG_IKE, "peer did not respond to our XAuth %N request", + configuration_attribute_type_names, this->round.type); return FAILED; } + this->pass = chunk_cat("mc", this->pass, pass); if (user.len) { id = identification_create_from_data(user); @@ -153,7 +206,19 @@ METHOD(xauth_method_t, process, status_t, this->peer->destroy(this->peer); this->peer = id; } - return verify_radius(this, pass); + + if (array_count(this->rounds) == 0) + { + return verify_radius(this); + } + cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST); + if (build_round(this, cp)) + { + *out = cp; + return NEED_MORE; + } + cp->destroy(cp); + return FAILED; } METHOD(xauth_method_t, get_identity, identification_t*, @@ -162,10 +227,74 @@ METHOD(xauth_method_t, get_identity, identification_t*, return this->peer; } +/** + * Parse XAuth round configuration + */ +static bool parse_rounds(private_eap_radius_xauth_t *this, char *profile) +{ + struct { + char *str; + configuration_attribute_type_t type; + } map[] = { + { "password", XAUTH_USER_PASSWORD, }, + { "passcode", XAUTH_PASSCODE, }, + { "nextpin", XAUTH_NEXT_PIN, }, + { "answer", XAUTH_ANSWER, }, + }; + enumerator_t *enumerator; + char *type, *message; + xauth_round_t round; + int i; + + if (!profile || strlen(profile) == 0) + { + /* no config, fallback to password */ + round.type = XAUTH_USER_PASSWORD; + round.message = NULL; + array_insert(this->rounds, ARRAY_TAIL, &round); + return TRUE; + } + + enumerator = lib->settings->create_key_value_enumerator(lib->settings, + "%s.plugins.eap-radius.xauth.%s", charon->name, profile); + while (enumerator->enumerate(enumerator, &type, &message)) + { + bool invalid = TRUE; + + for (i = 0; i < countof(map); i++) + { + if (strcaseeq(map[i].str, type)) + { + round.type = map[i].type; + round.message = message; + array_insert(this->rounds, ARRAY_TAIL, &round); + invalid = FALSE; + break; + } + } + if (invalid) + { + DBG1(DBG_CFG, "invalid XAuth round type: '%s'", type); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + + if (array_count(this->rounds) == 0) + { + DBG1(DBG_CFG, "XAuth configuration profile '%s' invalid", profile); + return FALSE; + } + return TRUE; +} + METHOD(xauth_method_t, destroy, void, private_eap_radius_xauth_t *this) { DESTROY_IF(this->client); + chunk_clear(&this->pass); + array_destroy(this->rounds); this->server->destroy(this->server); this->peer->destroy(this->peer); free(this); @@ -175,7 +304,8 @@ METHOD(xauth_method_t, destroy, void, * Described in header. */ eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server, - identification_t *peer) + identification_t *peer, + char *profile) { private_eap_radius_xauth_t *this; @@ -191,8 +321,14 @@ eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server, .server = server->clone(server), .peer = peer->clone(peer), .client = eap_radius_create_client(), + .rounds = array_create(sizeof(xauth_round_t), 0), ); + if (!parse_rounds(this, profile)) + { + destroy(this); + return NULL; + } if (!this->client) { destroy(this); diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.h b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h index 8571bbc9f..5baacfbe8 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h @@ -41,9 +41,11 @@ struct eap_radius_xauth_t { * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_generic_t object */ eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server, - identification_t *peer); + identification_t *peer, + char *profile); #endif /** EAP_RADIUS_XAUTH_H_ @}*/ diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c index 1da1d9f85..5ac4f10d2 100644 --- a/src/libcharon/plugins/xauth_eap/xauth_eap.c +++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c @@ -266,7 +266,7 @@ METHOD(xauth_method_t, destroy, void, * Described in header. */ xauth_eap_t *xauth_eap_create_server(identification_t *server, - identification_t *peer) + identification_t *peer, char *profile) { private_xauth_eap_t *this; diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.h b/src/libcharon/plugins/xauth_eap/xauth_eap.h index 70927247e..7da243a11 100644 --- a/src/libcharon/plugins/xauth_eap/xauth_eap.h +++ b/src/libcharon/plugins/xauth_eap/xauth_eap.h @@ -47,9 +47,11 @@ struct xauth_eap_t { * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_eap_t object */ xauth_eap_t *xauth_eap_create_server(identification_t *server, - identification_t *peer); + identification_t *peer, + char *profile); #endif /** XAUTH_EAP_H_ @}*/ diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c index f0e675ac0..5df8aadee 100644 --- a/src/libcharon/plugins/xauth_generic/xauth_generic.c +++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c @@ -39,7 +39,6 @@ struct private_xauth_generic_t { * ID of the peer */ identification_t *peer; - }; METHOD(xauth_method_t, initiate_peer, status_t, @@ -52,28 +51,64 @@ METHOD(xauth_method_t, initiate_peer, status_t, METHOD(xauth_method_t, process_peer, status_t, private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out) { + configuration_attribute_t *attr; + enumerator_t *enumerator; shared_key_t *shared; cp_payload_t *cp; - chunk_t user, pass; + chunk_t msg; - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->peer, - this->server); - if (!shared) + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &attr)) { - DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->peer, - this->server); - return FAILED; + if (attr->get_type(attr) == XAUTH_MESSAGE) + { + chunk_printable(attr->get_chunk(attr), &msg, '?'); + DBG1(DBG_CFG, "XAuth message: %.*s", (int)msg.len, msg.ptr); + free(msg.ptr); + } } - - user = this->peer->get_encoding(this->peer); - pass = shared->get_key(shared); + enumerator->destroy(enumerator); cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY); - cp->add_attribute(cp, configuration_attribute_create_chunk( - CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user)); - cp->add_attribute(cp, configuration_attribute_create_chunk( - CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass)); - shared->destroy(shared); + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &attr)) + { + shared_key_type_t type = SHARED_EAP; + + switch (attr->get_type(attr)) + { + case XAUTH_USER_NAME: + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, + this->peer->get_encoding(this->peer))); + break; + case XAUTH_NEXT_PIN: + type = SHARED_PIN; + /* FALL */ + case XAUTH_USER_PASSWORD: + shared = lib->credmgr->get_shared(lib->credmgr, type, + this->peer, this->server); + if (!shared) + { + DBG1(DBG_IKE, "no XAuth %s found for '%Y' - '%Y'", + type == SHARED_EAP ? "password" : "PIN", + this->peer, this->server); + enumerator->destroy(enumerator); + cp->destroy(cp); + return FAILED; + } + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, attr->get_type(attr), + shared->get_key(shared))); + shared->destroy(shared); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + *out = cp; return NEED_MORE; } @@ -187,7 +222,8 @@ METHOD(xauth_method_t, destroy, void, * Described in header. */ xauth_generic_t *xauth_generic_create_peer(identification_t *server, - identification_t *peer) + identification_t *peer, + char *profile) { private_xauth_generic_t *this; @@ -211,7 +247,8 @@ xauth_generic_t *xauth_generic_create_peer(identification_t *server, * Described in header. */ xauth_generic_t *xauth_generic_create_server(identification_t *server, - identification_t *peer) + identification_t *peer, + char *profile) { private_xauth_generic_t *this; diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.h b/src/libcharon/plugins/xauth_generic/xauth_generic.h index 5773589cb..52744d0a6 100644 --- a/src/libcharon/plugins/xauth_generic/xauth_generic.h +++ b/src/libcharon/plugins/xauth_generic/xauth_generic.h @@ -42,19 +42,23 @@ struct xauth_generic_t { * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_generic_t object */ xauth_generic_t *xauth_generic_create_server(identification_t *server, - identification_t *peer); + identification_t *peer, + char *profile); /** * Creates the generic XAuth method, acting as peer. * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_generic_t object */ xauth_generic_t *xauth_generic_create_peer(identification_t *server, - identification_t *peer); + identification_t *peer, + char *profile); #endif /** XAUTH_GENERIC_H_ @}*/ diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c index a9d95126a..4b8ad8ecd 100644 --- a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c +++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c @@ -69,7 +69,8 @@ METHOD(xauth_method_t, destroy, void, * Described in header. */ xauth_noauth_t *xauth_noauth_create_server(identification_t *server, - identification_t *peer) + identification_t *peer, + char *profile) { private_xauth_noauth_t *this; diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h index 8984b0a7c..2ac358ee0 100644 --- a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h +++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h @@ -42,9 +42,11 @@ struct xauth_noauth_t { * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_noauth_t object */ xauth_noauth_t *xauth_noauth_create_server(identification_t *server, - identification_t *peer); + identification_t *peer, + char *profile); #endif /** XAUTH_NOAUTH_H_ @}*/ diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.c b/src/libcharon/plugins/xauth_pam/xauth_pam.c index 98c1a97a4..6cbe1c263 100644 --- a/src/libcharon/plugins/xauth_pam/xauth_pam.c +++ b/src/libcharon/plugins/xauth_pam/xauth_pam.c @@ -195,7 +195,7 @@ METHOD(xauth_method_t, destroy, void, * Described in header. */ xauth_pam_t *xauth_pam_create_server(identification_t *server, - identification_t *peer) + identification_t *peer, char *profile) { private_xauth_pam_t *this; diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.h b/src/libcharon/plugins/xauth_pam/xauth_pam.h index f2d310c0d..8b9fffefe 100644 --- a/src/libcharon/plugins/xauth_pam/xauth_pam.h +++ b/src/libcharon/plugins/xauth_pam/xauth_pam.h @@ -41,9 +41,10 @@ struct xauth_pam_t { * * @param server ID of the XAuth server * @param peer ID of the XAuth client + * @param profile configuration string * @return xauth_pam_t object */ xauth_pam_t *xauth_pam_create_server(identification_t *server, - identification_t *peer); + identification_t *peer, char *profile); #endif /** XAUTH_PAM_H_ @}*/ |