diff options
Diffstat (limited to 'src')
28 files changed, 1253 insertions, 168 deletions
diff --git a/src/frontends/android/res/values-pl/strings.xml b/src/frontends/android/res/values-pl/strings.xml new file mode 100644 index 000000000..e7d4670d9 --- /dev/null +++ b/src/frontends/android/res/values-pl/strings.xml @@ -0,0 +1,95 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright (C) 2012 Giuliano Grassi + Copyright (C) 2012 Ralf Sager + Copyright (C) 2012 Andreas Steffen + HSR Hochschule fuer Technik Rapperswil + + Copyright (C) 2012 Ewa Steffen-Zolkiewicz + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2 of the License, or (at your + option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + for more details. +--> +<resources> + + <!-- Application --> + <string name="app_name">strongSwan klient VPN</string> + <string name="main_activity_name">strongSwan</string> + <string name="reload_trusted_certs">Przeładuj certyfikaty CA</string> + <string name="show_log">Pokaż log</string> + <string name="search">Szukaj</string> + <string name="vpn_not_supported_title">Nie obsługiwany VPN</string> + <string name="vpn_not_supported">Urządzenie nie obsługuje aplikacji VPN.\nProszę skontaktować się z producentem.</string> + + <!-- Log view --> + <string name="log_title">Log</string> + <string name="send_log">Prześlij log</string> + <string name="empty_log">Log jest pusty</string> + <string name="log_mail_subject">strongSwan %1$s Log</string> + + <!-- VPN profile list --> + <string name="no_profiles">Brak profilu VPN</string> + <string name="add_profile">Dodaj profil VPN</string> + <string name="edit_profile">Edytuj</string> + <string name="delete_profile">Usuń</string> + <string name="select_profiles">Wybierz profile</string> + <string name="profiles_deleted">Wybrane profile usunięte</string> + <string name="no_profile_selected">Nie wybrano profilu</string> + <string name="one_profile_selected">Wybrano jeden profil</string> + <string name="x_profiles_selected">Wzbrano %1$d profile"</string> + + <!-- VPN profile details --> + <string name="profile_edit_save">Zapisz</string> + <string name="profile_edit_cancel">Anuluj</string> + <string name="profile_name_label">Nazwa profilu:</string> + <string name="profile_name_hint">(użyj adresu bramki)</string> + <string name="profile_gateway_label">Bramka:</string> + <string name="profile_username_label">Użytkownik:</string> + <string name="profile_password_label">Hasło:</string> + <string name="profile_password_hint">(w razie potrzebz zapromptuj)</string> + <string name="profile_ca_label">Certyfikat CA:</string> + <string name="profile_ca_auto_label">Wybierz automatycznie</string> + <string name="profile_ca_select_certificate_label">Wybierz certyfikat CA</string> + <string name="profile_ca_select_certificate">Wybierz określony certyfikat CA</string> + <!-- Warnings/Notifications in the details view --> + <string name="alert_text_no_input_gateway">Wprowadź adres bramki</string> + <string name="alert_text_no_input_username">Wprowadź swoją nazwę użytkownika</string> + <string name="alert_text_nocertfound_title">Nie wybrano żadnego certyfikatu CA</string> + <string name="alert_text_nocertfound">Wybierz lub uaktywnij jeden <i>Wybierz automatycznie</i></string> + + <!-- Trusted certificate selection --> + <string name="trusted_certs_title">Certyfikaty CA</string> + <string name="no_certificates">Brak certyfikatów</string> + <string name="system_tab">System</string> + <string name="user_tab">Użytkownik</string> + + <!-- VPN state fragment --> + <string name="state_label">Status:</string> + <string name="profile_label">Profil:</string> + <string name="disconnect">Rozłącz</string> + <string name="state_connecting">Łączenie…</string> + <string name="state_connected">Połączony</string> + <string name="state_disconnecting">Przerywam połączenie…</string> + <string name="state_disabled">Brak aktywnego VPN</string> + <string name="state_error">Błąd</string> + + <!-- Dialogs --> + <string name="login_title">Wprowadż hasło</string> + <string name="login_confirm">Połącz</string> + <string name="error_introduction">Nie udało się utworzyć tunelu VPN:</string> + <string name="error_lookup_failed">Nie znaleziono adresu bramki</string> + <string name="error_unreachable">Bramka jest nieosiągalna</string> + <string name="error_peer_auth_failed">Błąd przy weryfikacji bramki</string> + <string name="error_auth_failed">Błąd przy autoryzacji użytkownika</string> + <string name="error_generic">Nieznany błąd w czasie połączenia</string> + <string name="connecting_title">Łączenie: %1$s</string> + <string name="connecting_message">Tworzenie tunelu VPN z \""%1$s\".</string> + +</resources> diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index eada68bf5..3869066a8 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -316,6 +316,13 @@ if MONOLITHIC endif endif +if USE_EAP_DYNAMIC + SUBDIRS += plugins/eap_dynamic +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_dynamic/libstrongswan-eap-dynamic.la +endif +endif + if USE_EAP_RADIUS SUBDIRS += plugins/eap_radius if MONOLITHIC diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 74949be3c..1598ce090 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -171,6 +171,8 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*, } enumerator->destroy(enumerator); + DBG2(DBG_CFG, "configured proposals: %#P", proposals); + return proposals; } diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 5055a931c..acf4b6141 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -150,6 +150,8 @@ METHOD(ike_cfg_t, get_proposals, linked_list_t*, } enumerator->destroy(enumerator); + DBG2(DBG_CFG, "configured proposals: %#P", proposals); + return proposals; } diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index 1b9a5c802..dd2e25795 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -20,6 +21,7 @@ #include <daemon.h> #include <eap/eap.h> +#include <bio/bio_writer.h> typedef struct private_eap_payload_t private_eap_payload_t; @@ -217,28 +219,93 @@ METHOD(eap_payload_t, get_identifier, u_int8_t, return 0; } +/** + * Get the current type at the given offset into this->data. + * @return the new offset or 0 if failed + */ +static size_t extract_type(private_eap_payload_t *this, size_t offset, + eap_type_t *type, u_int32_t *vendor) +{ + if (this->data.len > offset) + { + *vendor = 0; + *type = this->data.ptr[offset]; + if (*type != EAP_EXPANDED) + { + return offset + 1; + } + if (this->data.len >= offset + 8) + { + *vendor = untoh32(this->data.ptr + offset) & 0x00FFFFFF; + *type = untoh32(this->data.ptr + offset + 4); + return offset + 8; + } + } + return 0; +} + METHOD(eap_payload_t, get_type, eap_type_t, private_eap_payload_t *this, u_int32_t *vendor) { eap_type_t type; *vendor = 0; - if (this->data.len > 4) + if (extract_type(this, 4, &type, vendor)) { - type = this->data.ptr[4]; - if (type != EAP_EXPANDED) - { - return type; - } - if (this->data.len >= 12) - { - *vendor = untoh32(this->data.ptr + 4) & 0x00FFFFFF; - return untoh32(this->data.ptr + 8); - } + return type; } return 0; } +/** + * Type enumerator + */ +typedef struct { + /** public interface */ + enumerator_t public; + /** payload */ + private_eap_payload_t *payload; + /** current offset in the data */ + size_t offset; +} type_enumerator_t; + +METHOD(enumerator_t, enumerate_types, bool, + type_enumerator_t *this, eap_type_t *type, u_int32_t *vendor) +{ + this->offset = extract_type(this->payload, this->offset, type, vendor); + return this->offset; +} + +METHOD(eap_payload_t, get_types, enumerator_t*, + private_eap_payload_t *this) +{ + type_enumerator_t *enumerator; + eap_type_t type; + u_int32_t vendor; + size_t offset; + + offset = extract_type(this, 4, &type, &vendor); + if (offset && type == EAP_NAK) + { + INIT(enumerator, + .public = { + .enumerate = (void*)_enumerate_types, + .destroy = (void*)free, + }, + .payload = this, + .offset = offset, + ); + return &enumerator->public; + } + return enumerator_create_empty(); +} + +METHOD(eap_payload_t, is_expanded, bool, + private_eap_payload_t *this) +{ + return this->data.len > 4 ? this->data.ptr[4] == EAP_EXPANDED : FALSE; +} + METHOD2(payload_t, eap_payload_t, destroy, void, private_eap_payload_t *this) { @@ -270,6 +337,8 @@ eap_payload_t *eap_payload_create() .get_code = _get_code, .get_identifier = _get_identifier, .get_type = _get_type, + .get_types = _get_types, + .is_expanded = _is_expanded, .destroy = _destroy, }, .next_payload = NO_PAYLOAD, @@ -313,15 +382,81 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier) return eap_payload_create_data(data); } +/** + * Write the given type either expanded or not + */ +static void write_type(bio_writer_t *writer, eap_type_t type, u_int32_t vendor, + bool expanded) +{ + if (expanded) + { + writer->write_uint8(writer, EAP_EXPANDED); + writer->write_uint24(writer, vendor); + writer->write_uint32(writer, type); + } + else + { + writer->write_uint8(writer, type); + } +} + /* * Described in header */ -eap_payload_t *eap_payload_create_nak(u_int8_t identifier) +eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type, + u_int32_t vendor, bool expanded) { - chunk_t data; + enumerator_t *enumerator; + eap_type_t reg_type; + u_int32_t reg_vendor; + bio_writer_t *writer; + chunk_t length, data; + bool added_any = FALSE, found_vendor = FALSE; + eap_payload_t *payload; + + writer = bio_writer_create(12); + writer->write_uint8(writer, EAP_RESPONSE); + writer->write_uint8(writer, identifier); + length = writer->skip(writer, 2); + + write_type(writer, EAP_NAK, 0, expanded); + + enumerator = charon->eap->create_enumerator(charon->eap, EAP_PEER); + while (enumerator->enumerate(enumerator, ®_type, ®_vendor)) + { + if ((type && type != reg_type) || + (type && vendor && vendor != reg_vendor)) + { /* the preferred type is only sent if we actually find it */ + continue; + } + if (!reg_vendor || expanded) + { + write_type(writer, reg_type, reg_vendor, expanded); + added_any = TRUE; + } + else if (reg_vendor) + { /* found vendor specifc method, but this is not an expanded Nak */ + found_vendor = TRUE; + } + } + enumerator->destroy(enumerator); - data = chunk_from_chars(EAP_RESPONSE, identifier, 0, 0, EAP_NAK); - htoun16(data.ptr + 2, data.len); - return eap_payload_create_data(data); + if (found_vendor) + { /* request an expanded authentication type */ + write_type(writer, EAP_EXPANDED, 0, expanded); + added_any = TRUE; + } + if (!added_any) + { /* no methods added */ + write_type(writer, 0, 0, expanded); + } + + /* set length */ + data = writer->get_buf(writer); + htoun16(length.ptr, data.len); + + payload = eap_payload_create_data(data); + writer->destroy(writer); + return payload; } diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h index 52bc7ac5e..e8ed1c5e7 100644 --- a/src/libcharon/encoding/payloads/eap_payload.h +++ b/src/libcharon/encoding/payloads/eap_payload.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -82,6 +83,21 @@ struct eap_payload_t { eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor); /** + * Enumerate the EAP method types contained in an EAP-Nak (i.e. get_type() + * returns EAP_NAK). + * + * @return enumerator over (eap_type_t type, u_int32_t vendor) + */ + enumerator_t* (*get_types) (eap_payload_t *this); + + /** + * Check if the EAP method type is encoded in the Expanded Type format. + * + * @return TRUE if in Expanded Type format + */ + bool (*is_expanded) (eap_payload_t *this); + + /** * Destroys an eap_payload_t object. */ void (*destroy) (eap_payload_t *this); @@ -126,8 +142,12 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier); * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK. * * @param identifier EAP identifier to use in payload + * @param type preferred auth type, 0 to send all supported types + * @param vendor vendor identifier for auth type, 0 for default + * @param expanded TRUE to send an expanded Nak * @return eap_payload_t object */ -eap_payload_t *eap_payload_create_nak(u_int8_t identifier); +eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type, + u_int32_t vendor, bool expanded); #endif /** EAP_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c index 5787b9ace..059f24b39 100644 --- a/src/libcharon/network/sender.c +++ b/src/libcharon/network/sender.c @@ -83,6 +83,22 @@ struct private_sender_t { METHOD(sender_t, send_no_marker, void, private_sender_t *this, packet_t *packet) { + this->mutex->lock(this->mutex); + this->list->insert_last(this->list, packet); + this->got->signal(this->got); + this->mutex->unlock(this->mutex); +} + +METHOD(sender_t, send_, void, + private_sender_t *this, packet_t *packet) +{ + host_t *src, *dst; + + /* if neither source nor destination port is 500 we add a Non-ESP marker */ + src = packet->get_source(packet); + dst = packet->get_destination(packet); + DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); + if (this->send_delay) { message_t *message; @@ -104,22 +120,6 @@ METHOD(sender_t, send_no_marker, void, message->destroy(message); } - this->mutex->lock(this->mutex); - this->list->insert_last(this->list, packet); - this->got->signal(this->got); - this->mutex->unlock(this->mutex); -} - -METHOD(sender_t, send_, void, - private_sender_t *this, packet_t *packet) -{ - host_t *src, *dst; - - /* if neither source nor destination port is 500 we add a Non-ESP marker */ - src = packet->get_source(packet); - dst = packet->get_destination(packet); - DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); - if (dst->get_port(dst) != IKEV2_UDP_PORT && src->get_port(src) != IKEV2_UDP_PORT) { diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am new file mode 100644 index 000000000..0d07fbf35 --- /dev/null +++ b/src/libcharon/plugins/eap_dynamic/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la +else +plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la +endif + +libstrongswan_eap_dynamic_la_SOURCES = \ + eap_dynamic_plugin.h eap_dynamic_plugin.c eap_dynamic.h eap_dynamic.c + +libstrongswan_eap_dynamic_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c new file mode 100644 index 000000000..d24cbd128 --- /dev/null +++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c @@ -0,0 +1,393 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_dynamic.h" + +#include <daemon.h> +#include <library.h> + +typedef struct private_eap_dynamic_t private_eap_dynamic_t; + +/** + * Private data of an eap_dynamic_t object. + */ +struct private_eap_dynamic_t { + + /** + * Public authenticator_t interface. + */ + eap_dynamic_t public; + + /** + * ID of the server + */ + identification_t *server; + + /** + * ID of the peer + */ + identification_t *peer; + + /** + * Our supported EAP types (as eap_vendor_type_t*) + */ + linked_list_t *types; + + /** + * EAP types supported by peer, if any + */ + linked_list_t *other_types; + + /** + * Prefer types sent by peer + */ + bool prefer_peer; + + /** + * The proxied EAP method + */ + eap_method_t *method; +}; + +/** + * Compare two eap_vendor_type_t objects + */ +static bool entry_matches(eap_vendor_type_t *item, eap_vendor_type_t *other) +{ + return item->type == other->type && item->vendor == other->vendor; +} + +/** + * Load the given EAP method + */ +static eap_method_t *load_method(private_eap_dynamic_t *this, + eap_type_t type, u_int32_t vendor) +{ + eap_method_t *method; + + method = charon->eap->create_instance(charon->eap, type, vendor, EAP_SERVER, + this->server, this->peer); + if (!method) + { + if (vendor) + { + DBG1(DBG_IKE, "loading vendor specific EAP method %d-%d failed", + type, vendor); + } + else + { + DBG1(DBG_IKE, "loading %N method failed", eap_type_names, type); + } + } + return method; +} + +/** + * Select the first method we can instantiate and is supported by both peers. + */ +static void select_method(private_eap_dynamic_t *this) +{ + eap_vendor_type_t *entry; + linked_list_t *outer = this->types, *inner = this->other_types; + char *who = "peer"; + + if (this->other_types && this->prefer_peer) + { + outer = this->other_types; + inner = this->types; + who = "us"; + } + + while (outer->remove_first(outer, (void*)&entry) == SUCCESS) + { + if (inner) + { + if (inner->find_first(inner, (void*)entry_matches, + NULL, entry) != SUCCESS) + { + if (entry->vendor) + { + DBG2(DBG_IKE, "proposed vendor specific EAP method %d-%d " + "not supported by %s, skipped", entry->type, + entry->vendor, who); + } + else + { + DBG2(DBG_IKE, "proposed %N method not supported by %s, " + "skipped", eap_type_names, entry->type, who); + } + free(entry); + continue; + } + } + this->method = load_method(this, entry->type, entry->vendor); + if (this->method) + { + if (entry->vendor) + { + DBG1(DBG_IKE, "vendor specific EAP method %d-%d selected", + entry->type, entry->vendor); + } + else + { + DBG1(DBG_IKE, "%N method selected", eap_type_names, + entry->type); + } + free(entry); + break; + } + free(entry); + } +} + +METHOD(eap_method_t, initiate, status_t, + private_eap_dynamic_t *this, eap_payload_t **out) +{ + if (!this->method) + { + select_method(this); + if (!this->method) + { + DBG1(DBG_IKE, "no supported EAP method found"); + return FAILED; + } + } + return this->method->initiate(this->method, out); +} + +METHOD(eap_method_t, process, status_t, + private_eap_dynamic_t *this, eap_payload_t *in, eap_payload_t **out) +{ + eap_type_t received_type, type; + u_int32_t received_vendor, vendor; + + received_type = in->get_type(in, &received_vendor); + if (received_vendor == 0 && received_type == EAP_NAK) + { + enumerator_t *enumerator; + + DBG1(DBG_IKE, "received %N, selecting a different EAP method", + eap_type_names, EAP_NAK); + + if (this->other_types) + { /* we already received a Nak or a proper response before */ + DBG1(DBG_IKE, "%N is not supported in this state", eap_type_names, + EAP_NAK); + return FAILED; + } + + this->other_types = linked_list_create(); + enumerator = in->get_types(in); + while (enumerator->enumerate(enumerator, &type, &vendor)) + { + eap_vendor_type_t *entry; + + if (!type) + { + DBG1(DBG_IKE, "peer does not support any other EAP methods"); + enumerator->destroy(enumerator); + return FAILED; + } + INIT(entry, + .type = type, + .vendor = vendor, + ); + this->other_types->insert_last(this->other_types, entry); + } + enumerator->destroy(enumerator); + + /* restart with a different method */ + this->method->destroy(this->method); + this->method = NULL; + return initiate(this, out); + } + if (!this->other_types) + { /* so we don't handle EAP-Naks later */ + this->other_types = linked_list_create(); + } + if (this->method) + { + return this->method->process(this->method, in, out); + } + return FAILED; +} + +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_dynamic_t *this, u_int32_t *vendor) +{ + if (this->method) + { + return this->method->get_type(this->method, vendor); + } + *vendor = 0; + return EAP_DYNAMIC; +} + +METHOD(eap_method_t, get_msk, status_t, + private_eap_dynamic_t *this, chunk_t *msk) +{ + if (this->method) + { + return this->method->get_msk(this->method, msk); + } + return FAILED; +} + +METHOD(eap_method_t, get_identifier, u_int8_t, + private_eap_dynamic_t *this) +{ + if (this->method) + { + return this->method->get_identifier(this->method); + } + return 0; +} + +METHOD(eap_method_t, set_identifier, void, + private_eap_dynamic_t *this, u_int8_t identifier) +{ + if (this->method) + { + this->method->set_identifier(this->method, identifier); + } +} + +METHOD(eap_method_t, is_mutual, bool, + private_eap_dynamic_t *this) +{ + if (this->method) + { + return this->method->is_mutual(this->method); + } + return FALSE; +} + +METHOD(eap_method_t, destroy, void, + private_eap_dynamic_t *this) +{ + DESTROY_IF(this->method); + this->types->destroy_function(this->types, (void*)free); + DESTROY_FUNCTION_IF(this->other_types, (void*)free); + this->server->destroy(this->server); + this->peer->destroy(this->peer); + free(this); +} + +/** + * Parse preferred EAP types + */ +static void handle_preferred_eap_types(private_eap_dynamic_t *this, + char *methods) +{ + enumerator_t *enumerator; + eap_vendor_type_t *type, *entry; + linked_list_t *preferred; + char *method; + + /* parse preferred EAP methods, format: type[-vendor], ... */ + preferred = linked_list_create(); + enumerator = enumerator_create_token(methods, ",", " "); + while (enumerator->enumerate(enumerator, &method)) + { + type = eap_vendor_type_from_string(method); + if (type) + { + preferred->insert_last(preferred, type); + } + } + enumerator->destroy(enumerator); + + enumerator = this->types->create_enumerator(this->types); + while (preferred->remove_last(preferred, (void**)&type) == SUCCESS) + { /* move (supported) types to the front, maintain the preferred order */ + this->types->reset_enumerator(this->types, enumerator); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry_matches(entry, type)) + { + this->types->remove_at(this->types, enumerator); + this->types->insert_first(this->types, entry); + break; + } + } + free(type); + } + enumerator->destroy(enumerator); + preferred->destroy(preferred); +} + +/** + * Get all supported EAP methods + */ +static void get_supported_eap_types(private_eap_dynamic_t *this) +{ + enumerator_t *enumerator; + eap_type_t type; + u_int32_t vendor; + + enumerator = charon->eap->create_enumerator(charon->eap, EAP_SERVER); + while (enumerator->enumerate(enumerator, &type, &vendor)) + { + eap_vendor_type_t *entry; + + INIT(entry, + .type = type, + .vendor = vendor, + ); + this->types->insert_last(this->types, entry); + } + enumerator->destroy(enumerator); +} + +/* + * Defined in header + */ +eap_dynamic_t *eap_dynamic_create(identification_t *server, + identification_t *peer) +{ + private_eap_dynamic_t *this; + char *preferred; + + INIT(this, + .public = { + .interface = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .get_identifier = _get_identifier, + .set_identifier = _set_identifier, + .destroy = _destroy, + }, + }, + .peer = peer->clone(peer), + .server = server->clone(server), + .types = linked_list_create(), + .prefer_peer = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-dynamic.prefer_peer", FALSE, charon->name), + ); + + /* get all supported EAP methods */ + get_supported_eap_types(this); + /* move preferred methods to the front */ + preferred = lib->settings->get_str(lib->settings, + "%s.plugins.eap-dynamic.preferred", NULL, charon->name); + if (preferred) + { + handle_preferred_eap_types(this, preferred); + } + return &this->public; +} diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h new file mode 100644 index 000000000..35db4fa26 --- /dev/null +++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_dynamic_i eap_dynamic + * @{ @ingroup eap_dynamic + */ + +#ifndef EAP_DYNAMIC_H_ +#define EAP_DYNAMIC_H_ + +typedef struct eap_dynamic_t eap_dynamic_t; + +#include <sa/eap/eap_method.h> + +/** + * Implementation of the eap_method_t interface for a virtual EAP method that + * proxies other EAP methods and supports the selection of the actual method + * by the client. + */ +struct eap_dynamic_t { + + /** + * Implemented eap_method_t interface + */ + eap_method_t interface; +}; + +/** + * Create a dynamic EAP proxy serving any supported real method which is also + * supported (or selected) by the client. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_dynamic_t object + */ +eap_dynamic_t *eap_dynamic_create(identification_t *server, + identification_t *peer); + +#endif /** EAP_DYNAMIC_H_ @}*/ diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c new file mode 100644 index 000000000..d6f38b666 --- /dev/null +++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_dynamic_plugin.h" + +#include "eap_dynamic.h" + +#include <daemon.h> + +METHOD(plugin_t, get_name, char*, + eap_dynamic_plugin_t *this) +{ + return "eap-dynamic"; +} + +METHOD(plugin_t, get_features, int, + eap_dynamic_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK(eap_method_register, eap_dynamic_create), + PLUGIN_PROVIDE(EAP_SERVER, EAP_DYNAMIC), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + eap_dynamic_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *eap_dynamic_plugin_create() +{ + eap_dynamic_plugin_t *this; + + INIT(this, + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + ); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h new file mode 100644 index 000000000..9b124d8d2 --- /dev/null +++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_dynamic eap_dynamic + * @ingroup cplugins + * + * @defgroup eap_dynamic_plugin eap_dynamic_plugin + * @{ @ingroup eap_dynamic + */ + +#ifndef EAP_DYNAMIC_PLUGIN_H_ +#define EAP_DYNAMIC_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct eap_dynamic_plugin_t eap_dynamic_plugin_t; + +/** + * EAP plugin that can use any supported EAP method the client supports or + * prefers to use. + */ +struct eap_dynamic_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** EAP_DYNAMIC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c index 72e201fb6..79fd667cb 100644 --- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c +++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c @@ -85,7 +85,7 @@ METHOD(tls_application_t, process, status_t, default: return FAILED; } - + in = eap_payload_create_data(data); DBG3(DBG_IKE, "%B", &data); chunk_free(&data); @@ -151,7 +151,8 @@ METHOD(tls_application_t, process, status_t, if (!this->ph2_method) { DBG1(DBG_IKE, "EAP method not supported"); - this->out = eap_payload_create_nak(in->get_identifier(in)); + this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0, + in->is_expanded(in)); in->destroy(in); return NEED_MORE; } diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c index 767111b3e..00a4da3f8 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -138,7 +138,7 @@ METHOD(tls_application_t, process, status_t, chunk_free(&avp_data); } while (eap_pos < eap_data.len); - + in = eap_payload_create_data(eap_data); chunk_free(&eap_data); payload = (payload_t*)in; @@ -192,7 +192,8 @@ METHOD(tls_application_t, process, status_t, if (!this->method) { DBG1(DBG_IKE, "EAP method not supported"); - this->out = eap_payload_create_nak(in->get_identifier(in)); + this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0, + in->is_expanded(in)); in->destroy(in); return NEED_MORE; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index fe8baf1bd..e3c78f750 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -568,51 +568,20 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } else if (strneq(auth, "eap", 3)) { - enumerator_t *enumerator; - char *str; - int i = 0, type = 0, vendor; + eap_vendor_type_t *type; cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); - /* parse EAP string, format: eap[-type[-vendor]] */ - enumerator = enumerator_create_token(auth, "-", " "); - while (enumerator->enumerate(enumerator, &str)) + type = eap_vendor_type_from_string(auth); + if (type) { - switch (i) + cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type); + if (type->vendor) { - case 1: - type = eap_type_from_string(str); - if (!type) - { - type = atoi(str); - if (!type) - { - DBG1(DBG_CFG, "unknown EAP method: %s", str); - break; - } - } - cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); - break; - case 2: - if (type) - { - vendor = atoi(str); - if (vendor) - { - cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); - } - else - { - DBG1(DBG_CFG, "unknown EAP vendor: %s", str); - } - } - break; - default: - break; + cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor); } - i++; + free(type); } - enumerator->destroy(enumerator); if (msg->add_conn.eap_identity) { diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c index 4d5f983c7..bbad9bf55 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c @@ -68,14 +68,9 @@ struct private_pb_pa_msg_t { bool excl; /** - * PA Message Vendor ID + * Vendor-specific PA Subtype */ - u_int32_t vendor_id; - - /** - * PA Subtype - */ - u_int32_t subtype; + pen_type_t subtype; /** * Posture Validator Identifier @@ -124,8 +119,8 @@ METHOD(pb_tnc_msg_t, build, void, /* build message header */ writer = bio_writer_create(64); writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE); - writer->write_uint24(writer, this->vendor_id); - writer->write_uint32(writer, this->subtype); + writer->write_uint24(writer, this->subtype.vendor_id); + writer->write_uint32(writer, this->subtype.type); writer->write_uint16(writer, this->collector_id); writer->write_uint16(writer, this->validator_id); msg_header = writer->get_buf(writer); @@ -145,8 +140,8 @@ METHOD(pb_tnc_msg_t, process, status_t, /* process message header */ reader = bio_reader_create(this->encoding); reader->read_uint8 (reader, &flags); - reader->read_uint24(reader, &this->vendor_id); - reader->read_uint32(reader, &this->subtype); + reader->read_uint24(reader, &this->subtype.vendor_id); + reader->read_uint32(reader, &this->subtype.type); reader->read_uint16(reader, &this->collector_id); reader->read_uint16(reader, &this->validator_id); this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE); @@ -160,14 +155,14 @@ METHOD(pb_tnc_msg_t, process, status_t, } reader->destroy(reader); - if (this->vendor_id == PEN_RESERVED) + if (this->subtype.vendor_id == PEN_RESERVED) { DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", PEN_RESERVED); *offset = 1; return FAILED; } - if (this->subtype == PA_RESERVED_SUBTYPE) + if (this->subtype.type == PA_RESERVED_SUBTYPE) { DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE); *offset = 4; @@ -184,11 +179,10 @@ METHOD(pb_tnc_msg_t, destroy, void, free(this); } -METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t, - private_pb_pa_msg_t *this, u_int32_t *subtype) +METHOD(pb_pa_msg_t, get_subtype, pen_type_t, + private_pb_pa_msg_t *this) { - *subtype = this->subtype; - return this->vendor_id; + return this->subtype; } METHOD(pb_pa_msg_t, get_collector_id, u_int16_t, @@ -230,7 +224,7 @@ pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data) .process = _process, .destroy = _destroy, }, - .get_vendor_id = _get_vendor_id, + .get_subtype = _get_subtype, .get_collector_id = _get_collector_id, .get_validator_id = _get_validator_id, .get_body = _get_body, @@ -261,15 +255,14 @@ pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, .process = _process, .destroy = _destroy, }, - .get_vendor_id = _get_vendor_id, + .get_subtype= _get_subtype, .get_collector_id = _get_collector_id, .get_validator_id = _get_validator_id, .get_body = _get_body, .get_exclusive_flag = _get_exclusive_flag, }, .type = PB_MSG_PA, - .vendor_id = vendor_id, - .subtype = subtype, + .subtype = { vendor_id, subtype }, .collector_id = collector_id, .validator_id = validator_id, .excl = excl, diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h index d9db9a1ce..5c9b7c0bf 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h @@ -25,6 +25,8 @@ typedef struct pb_pa_msg_t pb_pa_msg_t; #include "pb_tnc_msg.h" +#include <pen/pen.h> + /** * Class representing the PB-PA message type. */ @@ -38,10 +40,9 @@ struct pb_pa_msg_t { /** * Get PA Message Vendor ID and Subtype * - * @param subtype PA Subtype - * @return PA Message Vendor ID + * @return Vendor-specific PA Subtype */ - u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype); + pen_type_t (*get_subtype)(pb_pa_msg_t *this); /** * Get Posture Collector ID diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index cd7f149f6..26edcb576 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -208,30 +208,31 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) case PB_MSG_PA: { pb_pa_msg_t *pa_msg; - u_int32_t msg_vid, msg_subtype; + pen_type_t msg_subtype; u_int16_t imc_id, imv_id; chunk_t msg_body; bool excl; enum_name_t *pa_subtype_names; pa_msg = (pb_pa_msg_t*)msg; - msg_vid = pa_msg->get_vendor_id(pa_msg, &msg_subtype); + msg_subtype = pa_msg->get_subtype(pa_msg); msg_body = pa_msg->get_body(pa_msg); imc_id = pa_msg->get_collector_id(pa_msg); imv_id = pa_msg->get_validator_id(pa_msg); excl = pa_msg->get_exclusive_flag(pa_msg); - pa_subtype_names = get_pa_subtype_names(msg_vid); + pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id); if (pa_subtype_names) { DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x", - pen_names, msg_vid, pa_subtype_names, msg_subtype, - msg_vid, msg_subtype); + pen_names, msg_subtype.vendor_id, pa_subtype_names, + msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type); } else { DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x", - pen_names, msg_vid, msg_vid, msg_subtype); + pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id, + msg_subtype.type); } this->send_msg = TRUE; @@ -239,13 +240,15 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) { tnc->imvs->receive_message(tnc->imvs, this->connection_id, excl, msg_body.ptr, msg_body.len, - msg_vid, msg_subtype, imc_id, imv_id); + msg_subtype.vendor_id, + msg_subtype.type, imc_id, imv_id); } else { tnc->imcs->receive_message(tnc->imcs, this->connection_id, excl, msg_body.ptr, msg_body.len, - msg_vid, msg_subtype, imv_id, imc_id); + msg_subtype.vendor_id, + msg_subtype.type, imv_id, imc_id); } this->send_msg = FALSE; break; diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c index d38754e01..520c0ce56 100644 --- a/src/libcharon/sa/eap/eap_manager.c +++ b/src/libcharon/sa/eap/eap_manager.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -104,6 +105,44 @@ METHOD(eap_manager_t, remove_method, void, this->lock->unlock(this->lock); } +/** + * filter the registered methods + */ +static bool filter_methods(uintptr_t role, eap_entry_t **entry, + eap_type_t *type, void *in, u_int32_t *vendor) +{ + if ((*entry)->role != (eap_role_t)role) + { + return FALSE; + } + if ((*entry)->vendor == 0 && + ((*entry)->type < 4 || (*entry)->type == EAP_EXPANDED || + (*entry)->type > EAP_EXPERIMENTAL)) + { /* filter invalid types */ + return FALSE; + } + if (type) + { + *type = (*entry)->type; + } + if (vendor) + { + *vendor = (*entry)->vendor; + } + return TRUE; +} + +METHOD(eap_manager_t, create_enumerator, enumerator_t*, + private_eap_manager_t *this, eap_role_t role) +{ + this->lock->read_lock(this->lock); + return enumerator_create_cleaner( + enumerator_create_filter( + this->methods->create_enumerator(this->methods), + (void*)filter_methods, (void*)(uintptr_t)role, NULL), + (void*)this->lock->unlock, this->lock); +} + METHOD(eap_manager_t, create_instance, eap_method_t*, private_eap_manager_t *this, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t *server, identification_t *peer) @@ -150,6 +189,7 @@ eap_manager_t *eap_manager_create() .public = { .add_method = _add_method, .remove_method = _remove_method, + .create_enumerator = _create_enumerator, .create_instance = _create_instance, .destroy = _destroy, }, diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h index 868eaef06..e318ef57a 100644 --- a/src/libcharon/sa/eap/eap_manager.h +++ b/src/libcharon/sa/eap/eap_manager.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -54,6 +55,17 @@ struct eap_manager_t { void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor); /** + * Enumerate the registered EAP authentication methods for the given role. + * + * @note Only authentication types are enumerated (e.g. EAP-Identity is not + * even though it is registered as method with this manager). + * + * @param role EAP role of methods to enumerate + * @return enumerator over (eap_type_t type, u_int32_t vendor) + */ + enumerator_t* (*create_enumerator)(eap_manager_t *this, eap_role_t role); + + /** * Create a new EAP method instance. * * @param type type of the EAP method diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index fea2f2c60..4096141ec 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -587,14 +587,26 @@ METHOD(phase1_t, select_config, peer_cfg_t*, METHOD(phase1_t, get_id, identification_t*, private_phase1_t *this, peer_cfg_t *peer_cfg, bool local) { + identification_t *id = NULL; auth_cfg_t *auth; auth = get_auth_cfg(peer_cfg, local); if (auth) { - return auth->get(auth, AUTH_RULE_IDENTITY); + id = auth->get(auth, AUTH_RULE_IDENTITY); + if (local && (!id || id->get_type(id) == ID_ANY)) + { /* no ID configured, use local IP address */ + host_t *me; + + me = this->ike_sa->get_my_host(this->ike_sa); + if (!me->is_anyaddr(me)) + { + id = identification_create_from_sockaddr(me->get_sockaddr(me)); + auth->add(auth, AUTH_RULE_IDENTITY, id); + } + } } - return NULL; + return id; } METHOD(phase1_t, has_virtual_ip, bool, diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index 2c282dc06..aa0644033 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -186,9 +187,9 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, if (this->method) { action = "initiating"; - type = this->method->get_type(this->method, &vendor); if (this->method->initiate(this->method, &out) == NEED_MORE) { + type = this->method->get_type(this->method, &vendor); if (vendor) { DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method (id 0x%02X)", @@ -201,6 +202,8 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, } return out; } + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); } if (vendor) { @@ -233,9 +236,10 @@ static void replace_eap_identity(private_eap_authenticator_t *this) static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, eap_payload_t *in) { - eap_type_t type, received_type; - u_int32_t vendor, received_vendor; + eap_type_t type, received_type, conf_type; + u_int32_t vendor, received_vendor, conf_vendor; eap_payload_t *out; + auth_cfg_t *auth; if (in->get_code(in) != EAP_RESPONSE) { @@ -250,15 +254,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, { if (received_vendor == 0 && received_type == EAP_NAK) { - DBG1(DBG_IKE, "received %N, sending %N", - eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE); + conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR); + if ((type == EAP_IDENTITY && !vendor) || + (type == conf_type && vendor == conf_vendor)) + { + DBG1(DBG_IKE, "received %N, sending %N", + eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE); + return eap_payload_create_code(EAP_FAILURE, + in->get_identifier(in)); + } + /* virtual methods handle NAKs in process() */ } else { DBG1(DBG_IKE, "received invalid EAP response, sending %N", eap_code_names, EAP_FAILURE); + return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); } - return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); } switch (this->method->process(this->method, in, &out)) @@ -302,6 +316,8 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); case FAILED: default: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); if (vendor) { DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for " @@ -324,8 +340,8 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, eap_payload_t *in) { - eap_type_t type; - u_int32_t vendor; + eap_type_t type, conf_type; + u_int32_t vendor, conf_vendor; auth_cfg_t *auth; eap_payload_t *out; identification_t *id; @@ -357,9 +373,11 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, this->method->destroy(this->method); this->method = NULL; } + /* FIXME: sending a Nak is not correct here as EAP_IDENTITY (1) is no + * EAP method (types 3-253, 255) */ DBG1(DBG_IKE, "%N not supported, sending EAP_NAK", eap_type_names, type); - return eap_payload_create_nak(in->get_identifier(in)); + return eap_payload_create_nak(in->get_identifier(in), 0, 0, FALSE); } if (this->method == NULL) { @@ -373,11 +391,31 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)", eap_type_names, type, in->get_identifier(in)); } + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE); + conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR); + if (conf_type != EAP_NAK && + (conf_type != type || conf_vendor != vendor)) + { + if (conf_vendor) + { + DBG1(DBG_IKE, "requesting EAP method %d-%d, sending EAP_NAK", + conf_type, conf_vendor); + } + else + { + DBG1(DBG_IKE, "requesting %N authentication, sending EAP_NAK", + eap_type_names, conf_type); + } + return eap_payload_create_nak(in->get_identifier(in), conf_type, + conf_vendor, in->is_expanded(in)); + } this->method = load_method(this, type, vendor, EAP_PEER); if (!this->method) { DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK"); - return eap_payload_create_nak(in->get_identifier(in)); + return eap_payload_create_nak(in->get_identifier(in), 0, 0, + in->is_expanded(in)); } } diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index c7fb7ab2f..dc3ad3f8b 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -16,6 +16,7 @@ */ #include <limits.h> +#include <stdint.h> #include "esp_context.h" diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 4593ba5c8..52aeaa209 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -130,19 +130,19 @@ ip_packet_t *ip_packet_create(chunk_t packet) { case 4: { - struct iphdr *ip; + struct ip *ip; - if (packet.len < sizeof(struct iphdr)) + if (packet.len < sizeof(struct ip)) { DBG1(DBG_ESP, "IPv4 packet too short"); goto failed; } - ip = (struct iphdr*)packet.ptr; + ip = (struct ip*)packet.ptr; src = host_create_from_chunk(AF_INET, - chunk_from_thing(ip->saddr), 0); + chunk_from_thing(ip->ip_src), 0); dst = host_create_from_chunk(AF_INET, - chunk_from_thing(ip->daddr), 0); - next_header = ip->protocol; + chunk_from_thing(ip->ip_dst), 0); + next_header = ip->ip_p; break; } #ifdef HAVE_NETINET_IP6_H diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c index efd3ee981..1e4cf11bf 100644 --- a/src/libstrongswan/eap/eap.c +++ b/src/libstrongswan/eap/eap.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -13,8 +14,13 @@ * for more details. */ +#include <stdlib.h> +#include <errno.h> + #include "eap.h" +#include <debug.h> + ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE, "EAP_REQUEST", "EAP_RESPONSE", @@ -51,12 +57,12 @@ ENUM_NEXT(eap_type_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2, "EAP_MSTLV"); ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSTLV, "EAP_TNC"); -ENUM_NEXT(eap_type_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC, - "EAP_DYNAMIC", - "EAP_RADIUS", +ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC, "EAP_EXPANDED", - "EAP_EXPERIMENTAL"); -ENUM_END(eap_type_names, EAP_EXPERIMENTAL); + "EAP_EXPERIMENTAL", + "EAP_RADIUS", + "EAP_DYNAMIC"); +ENUM_END(eap_type_names, EAP_DYNAMIC); ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, "ID", @@ -80,12 +86,12 @@ ENUM_NEXT(eap_type_short_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2, "MSTLV"); ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSTLV, "TNC"); -ENUM_NEXT(eap_type_short_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC, - "DYN", - "RAD", +ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC, "EXP", - "XP"); -ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); + "XP", + "RAD", + "DYN"); +ENUM_END(eap_type_short_names, EAP_DYNAMIC); /* * See header @@ -108,6 +114,7 @@ eap_type_t eap_type_from_string(char *name) {"peap", EAP_PEAP}, {"mschapv2", EAP_MSCHAPV2}, {"tnc", EAP_TNC}, + {"dynamic", EAP_DYNAMIC}, {"radius", EAP_RADIUS}, }; @@ -120,3 +127,56 @@ eap_type_t eap_type_from_string(char *name) } return 0; } + +/* + * See header + */ +eap_vendor_type_t *eap_vendor_type_from_string(char *str) +{ + enumerator_t *enumerator; + eap_vendor_type_t *result = NULL; + eap_type_t type = 0; + u_int32_t vendor = 0; + char *part, *end; + + /* parse EAP method string of the form: [eap-]type[-vendor] */ + enumerator = enumerator_create_token(str, "-", " "); + while (enumerator->enumerate(enumerator, &part)) + { + if (!type) + { + if (streq(part, "eap")) + { /* skip 'eap' at the beginning */ + continue; + } + type = eap_type_from_string(part); + if (!type) + { + type = strtoul(part, &end, 0); + if (*end != '\0' || errno) + { + DBG1(DBG_LIB, "unknown or invalid EAP method: %s", part); + break; + } + } + continue; + } + vendor = strtoul(part, &end, 0); + if (*end != '\0' || errno) + { + DBG1(DBG_LIB, "invalid EAP vendor: %s", part); + type = 0; + } + break; + } + enumerator->destroy(enumerator); + + if (type) + { + INIT(result, + .type = type, + .vendor = vendor, + ); + } + return result; +} diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h index 143232e4b..0e144b123 100644 --- a/src/libstrongswan/eap/eap.h +++ b/src/libstrongswan/eap/eap.h @@ -1,6 +1,8 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -23,6 +25,7 @@ typedef enum eap_code_t eap_code_t; typedef enum eap_type_t eap_type_t; +typedef struct eap_vendor_type_t eap_vendor_type_t; #include <library.h> @@ -64,12 +67,12 @@ enum eap_type_t { EAP_MSCHAPV2 = 26, EAP_MSTLV = 33, EAP_TNC = 38, - /** select EAP method dynamically based on i.e. EAP-Identity */ - EAP_DYNAMIC = 252, - /** not a method, but an implementation providing different methods */ - EAP_RADIUS = 253, EAP_EXPANDED = 254, EAP_EXPERIMENTAL = 255, + /** not a method, but an implementation providing different methods */ + EAP_RADIUS = 256, + /** not a method, select method dynamically based on client selection */ + EAP_DYNAMIC = 257, }; /** @@ -83,6 +86,22 @@ extern enum_name_t *eap_type_names; extern enum_name_t *eap_type_short_names; /** + * Struct that stores EAP type and vendor ID + */ +struct eap_vendor_type_t { + + /** + * EAP type + */ + eap_type_t type; + + /** + * Vendor Id + */ + u_int32_t vendor; +}; + +/** * EAP packet format */ typedef struct __attribute__((packed)) { @@ -101,4 +120,12 @@ typedef struct __attribute__((packed)) { */ eap_type_t eap_type_from_string(char *name); +/** + * Parse a string of the form [eap-]type[-vendor]. + * + * @param str EAP method string + * @return parsed type (gets allocated), NULL if unknown or failed + */ +eap_vendor_type_t *eap_vendor_type_from_string(char *str); + #endif /** EAP_H_ @}*/ diff --git a/src/libstrongswan/utils/tun_device.c b/src/libstrongswan/utils/tun_device.c index 889fe6247..36f3359c0 100644 --- a/src/libstrongswan/utils/tun_device.c +++ b/src/libstrongswan/utils/tun_device.c @@ -3,6 +3,7 @@ * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * Hochschule fuer Technik Rapperswil + * Copyright (C) 2012 Martin Willi * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -24,8 +25,17 @@ #include <sys/socket.h> #include <sys/stat.h> #include <unistd.h> -#include <linux/if.h> +#include <net/if.h> + +#ifdef __APPLE__ +#include <net/if_utun.h> +#include <netinet/in_var.h> +#include <sys/kern_control.h> +#elif defined(__linux__) #include <linux/if_tun.h> +#else +#include <net/if_tun.h> +#endif #include "tun_device.h" @@ -127,6 +137,14 @@ METHOD(tun_device_t, set_address, bool, this->if_name, strerror(errno)); return FALSE; } +#ifdef __APPLE__ + if (ioctl(this->sock, SIOCSIFDSTADDR, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set dest address on %s: %s", + this->if_name, strerror(errno)); + return FALSE; + } +#endif /* __APPLE__ */ set_netmask(&ifr, family, netmask); @@ -176,6 +194,8 @@ METHOD(tun_device_t, set_mtu, bool, if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0) { + DBG1(DBG_LIB, "failed to set MTU on %s: %s", this->if_name, + strerror(errno)); return FALSE; } this->mtu = mtu; @@ -269,6 +289,20 @@ METHOD(tun_device_t, destroy, void, if (this->tunfd > 0) { close(this->tunfd); +#ifdef __FreeBSD__ + /* tun(4) says the following: "These network interfaces persist until + * the if_tun.ko module is unloaded, or until removed with the + * ifconfig(8) command." So simply closing the FD is not enough. */ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + if (ioctl(this->sock, SIOCIFDESTROY, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to destroy %s: %s", this->if_name, + strerror(errno)); + } +#endif /* __FreeBSD__ */ } if (this->sock > 0) { @@ -278,18 +312,70 @@ METHOD(tun_device_t, destroy, void, } /** - * Allocate a TUN device + * Initialize the tun device */ -static int tun_alloc(char dev[IFNAMSIZ]) +static bool init_tun(private_tun_device_t *this, const char *name_tmpl) { +#ifdef __APPLE__ + + struct ctl_info info; + struct sockaddr_ctl addr; + socklen_t size = IFNAMSIZ; + + memset(&info, 0, sizeof(info)); + memset(&addr, 0, sizeof(addr)); + + this->tunfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); + if (this->tunfd < 0) + { + DBG1(DBG_LIB, "failed to open tundevice PF_SYSTEM socket: %s", + strerror(errno)); + return FALSE; + } + + /* get a control identifier for the utun kernel extension */ + strncpy(info.ctl_name, UTUN_CONTROL_NAME, strlen(UTUN_CONTROL_NAME)); + if (ioctl(this->tunfd, CTLIOCGINFO, &info) < 0) + { + DBG1(DBG_LIB, "failed to ioctl tundevice: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + + addr.sc_id = info.ctl_id; + addr.sc_len = sizeof(addr); + addr.sc_family = AF_SYSTEM; + addr.ss_sysaddr = AF_SYS_CONTROL; + /* allocate identifier dynamically */ + addr.sc_unit = 0; + + if (connect(this->tunfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) + { + DBG1(DBG_LIB, "failed to connect tundevice: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + if (getsockopt(this->tunfd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME, + this->if_name, &size) < 0) + { + DBG1(DBG_LIB, "getting tundevice name failed: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + return TRUE; + +#elif defined(IFF_TUN) + struct ifreq ifr; - int fd; - fd = open("/dev/net/tun", O_RDWR); - if (fd < 0) + strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ); + this->if_name[IFNAMSIZ-1] = '\0'; + + this->tunfd = open("/dev/net/tun", O_RDWR); + if (this->tunfd < 0) { DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno)); - return fd; + return FALSE; } memset(&ifr, 0, sizeof(ifr)); @@ -297,16 +383,42 @@ static int tun_alloc(char dev[IFNAMSIZ]) /* TUN device, no packet info */ ifr.ifr_flags = IFF_TUN | IFF_NO_PI; - strncpy(ifr.ifr_name, dev, IFNAMSIZ); - - if (ioctl(fd, TUNSETIFF, (void*)&ifr) < 0) + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + if (ioctl(this->tunfd, TUNSETIFF, (void*)&ifr) < 0) { DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno)); - close(fd); - return -1; + close(this->tunfd); + return FALSE; + } + strncpy(this->if_name, ifr.ifr_name, IFNAMSIZ); + return TRUE; + +#else /* !IFF_TUN */ + + /* this works on FreeBSD and might also work on Linux with older TUN + * driver versions (no IFF_TUN) */ + char devname[IFNAMSIZ]; + int i; + + if (name_tmpl) + { + DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported"); } - strncpy(dev, ifr.ifr_name, IFNAMSIZ); - return fd; + + for (i = 0; i < 256; i++) + { + snprintf(devname, IFNAMSIZ, "/dev/tun%d", i); + this->tunfd = open(devname, O_RDWR); + if (this->tunfd > 0) + { /* for ioctl(2) calls only the interface name is used */ + snprintf(this->if_name, IFNAMSIZ, "tun%d", i); + break; + } + DBG1(DBG_LIB, "failed to open %s: %s", this->if_name, strerror(errno)); + } + return this->tunfd > 0; + +#endif /* !__APPLE__ */ } /* @@ -331,13 +443,9 @@ tun_device_t *tun_device_create(const char *name_tmpl) .sock = -1, ); - strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ); - this->if_name[IFNAMSIZ-1] = '\0'; - - this->tunfd = tun_alloc(this->if_name); - if (this->tunfd < 0) + if (!init_tun(this, name_tmpl)) { - destroy(this); + free(this); return NULL; } DBG1(DBG_LIB, "created TUN device: %s", this->if_name); diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf index b1e5d5e0c..a33d68c0a 100644 --- a/src/starter/ipsec.conf +++ b/src/starter/ipsec.conf @@ -3,20 +3,14 @@ # basic configuration config setup - # plutodebug=all - # crlcheckinterval=600 # strictcrlpolicy=yes - # cachecrls=yes - # nat_traversal=yes - # charonstart=no - # plutostart=no + # uniqueids = no # Add connections here. # Sample VPN connections #conn sample-self-signed -# left=%defaultroute # leftsubnet=10.1.0.0/16 # leftcert=selfCert.der # leftsendcert=never @@ -26,11 +20,9 @@ config setup # auto=start #conn sample-with-ca-cert -# left=%defaultroute # leftsubnet=10.1.0.0/16 # leftcert=myCert.pem # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightid="C=CH, O=Linux strongSwan CN=peer name" -# keyexchange=ikev2 # auto=start |