diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/charon/Makefile.am | 5 | ||||
| -rw-r--r-- | src/charon/plugins/eap_gtc/Makefile.am | 10 | ||||
| -rw-r--r-- | src/charon/plugins/eap_gtc/eap_gtc.c | 300 | ||||
| -rw-r--r-- | src/charon/plugins/eap_gtc/eap_gtc.h | 62 | ||||
| -rw-r--r-- | src/charon/plugins/eap_gtc/eap_gtc_plugin.c | 52 | ||||
| -rw-r--r-- | src/charon/plugins/eap_gtc/eap_gtc_plugin.h | 49 | ||||
| -rw-r--r-- | src/charon/sa/authenticators/eap/eap_method.c | 8 | ||||
| -rw-r--r-- | src/charon/sa/authenticators/eap/eap_method.h | 4 | ||||
| -rw-r--r-- | src/libstrongswan/utils/leak_detective.c | 1 | ||||
| -rw-r--r-- | src/starter/confread.c | 4 |
10 files changed, 489 insertions, 6 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 3ea21a020..82f521fc6 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -165,6 +165,11 @@ if USE_EAP_MD5 PLUGINS += eapmd5 endif +if USE_EAP_GTC + SUBDIRS += plugins/eap_gtc + PLUGINS += eapgtc +endif + if USE_EAP_AKA SUBDIRS += plugins/eap_aka PLUGINS += eapaka diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am new file mode 100644 index 000000000..1057bd506 --- /dev/null +++ b/src/charon/plugins/eap_gtc/Makefile.am @@ -0,0 +1,10 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-eapgtc.la + +libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c +libstrongswan_eapgtc_la_LDFLAGS = -module -lpam + diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c new file mode 100644 index 000000000..f178786e4 --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc.c @@ -0,0 +1,300 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $ + */ + +#include "eap_gtc.h" + +#include <daemon.h> +#include <library.h> +#include <crypto/hashers/hasher.h> + +#include <security/pam_appl.h> + +#define GTC_REQUEST_MSG "login" +#define GTC_PAM_SERVICE "login" + +typedef struct private_eap_gtc_t private_eap_gtc_t; + +/** + * Private data of an eap_gtc_t object. + */ +struct private_eap_gtc_t { + + /** + * Public authenticator_t interface. + */ + eap_gtc_t public; + + /** + * ID of the server + */ + identification_t *server; + + /** + * ID of the peer + */ + identification_t *peer; + + /** + * EAP message identififier + */ + u_int8_t identifier; +}; + +typedef struct eap_gtc_header_t eap_gtc_header_t; + +/** + * packed eap GTC header struct + */ +struct eap_gtc_header_t { + /** EAP code (REQUEST/RESPONSE) */ + u_int8_t code; + /** unique message identifier */ + u_int8_t identifier; + /** length of whole message */ + u_int16_t length; + /** EAP type */ + u_int8_t type; + /** type data */ + u_int8_t data[]; +} __attribute__((__packed__)); + +/** + * Implementation of eap_method_t.initiate for the peer + */ +static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out) +{ + /* peer never initiates */ + return FAILED; +} + +/** + * PAM conv callback function + */ +static int auth_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, char *password) +{ + struct pam_response *response; + + if (num_msg != 1) + { + return PAM_CONV_ERR; + } + response = malloc(sizeof(struct pam_response)); + response->resp = strdup(password); + response->resp_retcode = 0; + *resp = response; + return PAM_SUCCESS; +} + +/** + * Authenticate a username/password using PAM + */ +static bool authenticate(char *service, char *user, char *password) +{ + pam_handle_t *pamh; + static struct pam_conv conv; + int ret; + + conv.conv = (void*)auth_conv; + conv.appdata_ptr = password; + + if (pam_start(service, user, &conv, &pamh) != PAM_SUCCESS) + { + return FALSE; + } + ret = pam_authenticate(pamh, 0); + pam_end(pamh, ret); + return ret == PAM_SUCCESS; +} + +/** + * Implementation of eap_method_t.initiate for the server + */ +static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out) +{ + eap_gtc_header_t *req; + size_t len; + + len = strlen(GTC_REQUEST_MSG); + req = alloca(sizeof(eap_gtc_header_t) + len); + req->length = htons(sizeof(eap_gtc_header_t) + len); + req->code = EAP_REQUEST; + req->identifier = this->identifier; + req->type = EAP_GTC; + memcpy(req->data, GTC_REQUEST_MSG, len); + + *out = eap_payload_create_data(chunk_create((void*)req, + sizeof(eap_gtc_header_t) + len)); + return NEED_MORE; +} + +/** + * Implementation of eap_method_t.process for the peer + */ +static status_t process_peer(private_eap_gtc_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + eap_gtc_header_t *res; + shared_key_t *shared; + chunk_t key; + size_t len; + + shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, + this->server, this->peer); + if (shared == NULL) + { + DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'", + this->server, this->peer); + return FAILED; + } + key = shared->get_key(shared); + len = key.len; + + res = alloca(sizeof(eap_gtc_header_t) + len); + res->length = htons(sizeof(eap_gtc_header_t) + len); + res->code = EAP_RESPONSE; + res->identifier = in->get_identifier(in); + res->type = EAP_GTC; + memcpy(res->data, key.ptr, len); + + shared->destroy(shared); + + *out = eap_payload_create_data(chunk_create((void*)res, + sizeof(eap_gtc_header_t) + len)); + return NEED_MORE; +} + +/** + * Implementation of eap_method_t.process for the server + */ +static status_t process_server(private_eap_gtc_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + chunk_t data, encoding; + char *user, *password, *service; + + data = chunk_skip(in->get_data(in), 5); + if (this->identifier != in->get_identifier(in) || !data.len) + { + DBG1(DBG_IKE, "received invalid EAP-GTC message"); + return FAILED; + } + + encoding = this->peer->get_encoding(this->peer); + user = alloca(encoding.len + 1); + memcpy(user, encoding.ptr, encoding.len); + user[encoding.len] = '\0'; + + password = alloca(data.len + 1); + memcpy(password, data.ptr, data.len); + password[data.len] = '\0'; + + service = lib->settings->get_str(lib->settings, + "charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE); + + /* TODO: According to the draft we should "SASLprep" username and + * passwords... RFC4013 */ + if (!authenticate(service, user, password)) + { + DBG1(DBG_IKE, "EAP-GTC PAM authentication failed"); + return FAILED; + } + return SUCCESS; +} + +/** + * Implementation of eap_method_t.get_type. + */ +static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_GTC; +} + +/** + * Implementation of eap_method_t.get_msk. + */ +static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk) +{ + return FAILED; +} + +/** + * Implementation of eap_method_t.is_mutual. + */ +static bool is_mutual(private_eap_gtc_t *this) +{ + return FALSE; +} + +/** + * Implementation of eap_method_t.destroy. + */ +static void destroy(private_eap_gtc_t *this) +{ + free(this); +} + +/** + * Generic constructor + */ +static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server, + identification_t *peer) +{ + private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t); + + this->public.eap_method_interface.initiate = NULL; + this->public.eap_method_interface.process = NULL; + this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; + this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; + this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; + this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; + + /* private data */ + this->peer = peer; + this->server = server; + this->identifier = random(); + + return this; +} + +/* + * see header + */ +eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer) +{ + private_eap_gtc_t *this = eap_gtc_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + + return &this->public; +} + +/* + * see header + */ +eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer) +{ + private_eap_gtc_t *this = eap_gtc_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + + return &this->public; +} + diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h new file mode 100644 index 000000000..478ac81cf --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc.h @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup eap_gtc_i eap_gtc + * @{ @ingroup eap_gtc + */ + +#ifndef EAP_GTC_H_ +#define EAP_GTC_H_ + +typedef struct eap_gtc_t eap_gtc_t; + +#include <sa/authenticators/eap/eap_method.h> + +/** + * Implementation of the eap_method_t interface using EAP-GTC. + * + * This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to + * verify user credentials. + */ +struct eap_gtc_t { + + /** + * Implemented eap_method_t interface. + */ + eap_method_t eap_method_interface; +}; + +/** + * Creates the EAP method EAP-GTC acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_gtc_t object + */ +eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer); + +/** + * Creates the EAP method EAP-GTC acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_gtc_t object + */ +eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer); + +#endif /* EAP_GTC_H_ @}*/ diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c new file mode 100644 index 000000000..58a231058 --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "eap_gtc_plugin.h" + +#include "eap_gtc.h" + +#include <daemon.h> + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(eap_gtc_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_gtc_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_gtc_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *plugin_create() +{ + eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t); + + this->plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER, + (eap_constructor_t)eap_gtc_create_server); + charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER, + (eap_constructor_t)eap_gtc_create_peer); + + return &this->plugin; +} + diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h new file mode 100644 index 000000000..8b2f5435f --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup eap_gtc eap_gtc + * @ingroup cplugins + * + * @defgroup eap_gtc_plugin eap_gtc_plugin + * @{ @ingroup eap_gtc + */ + +#ifndef EAP_GTC_PLUGIN_H_ +#define EAP_GTC_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_gtc_plugin_t eap_gtc_plugin_t; + +/** + * EAP-GTC plugin + */ +struct eap_gtc_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a eap_gtc_plugin instance. + */ +plugin_t *plugin_create(); + +#endif /* EAP_GTC_PLUGIN_H_ @}*/ diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c index a9f7abda0..b87bcca0d 100644 --- a/src/charon/sa/authenticators/eap/eap_method.c +++ b/src/charon/sa/authenticators/eap/eap_method.c @@ -17,14 +17,14 @@ #include "eap_method.h" -ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_TOKEN_CARD, +ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, "EAP_IDENTITY", "EAP_NOTIFICATION", "EAP_NAK", "EAP_MD5", - "EAP_ONE_TIME_PASSWORD", - "EAP_TOKEN_CARD"); -ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TOKEN_CARD, + "EAP_OTP", + "EAP_GTC"); +ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, "EAP_SIM"); ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, "EAP_AKA"); diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h index ca7b36800..2652f6e6f 100644 --- a/src/charon/sa/authenticators/eap/eap_method.h +++ b/src/charon/sa/authenticators/eap/eap_method.h @@ -52,8 +52,8 @@ enum eap_type_t { EAP_NOTIFICATION = 2, EAP_NAK = 3, EAP_MD5 = 4, - EAP_ONE_TIME_PASSWORD = 5, - EAP_TOKEN_CARD = 6, + EAP_OTP = 5, + EAP_GTC = 6, EAP_SIM = 18, EAP_AKA = 23, EAP_EXPANDED = 254, diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index cb7a74f0d..72da4bd37 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -262,6 +262,7 @@ char *whitelist[] = { /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", + "dlclose", /* mysql functions */ "mysql_init_character_set", "init_client_errs", diff --git a/src/starter/confread.c b/src/starter/confread.c index 914024dca..1b3f31a55 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -588,6 +588,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) { conn->eap_type = 4; } + else if (streq(kw->value, "gtc")) + { + conn->eap_type = 6; + } else { conn->eap_type = atoi(kw->value); |