/* * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include "xauth.h" #include #include #include typedef struct private_xauth_t private_xauth_t; /** * Status types exchanged */ typedef enum { XAUTH_FAILED = 0, XAUTH_OK = 1, } xauth_status_t; /** * Private members of a xauth_t task. */ struct private_xauth_t { /** * Public methods and task_t interface. */ xauth_t public; /** * Assigned IKE_SA. */ ike_sa_t *ike_sa; /** * Are we the XAUTH initiator? */ bool initiator; /** * XAuth backend to use */ xauth_method_t *xauth; /** * Generated configuration payload */ cp_payload_t *cp; /** * status of Xauth exchange */ xauth_status_t status; }; /** * Load XAuth backend */ static xauth_method_t *load_method(ike_sa_t *ike_sa, bool initiator) { identification_t *server, *peer; enumerator_t *enumerator; xauth_method_t *xauth; xauth_role_t role; peer_cfg_t *peer_cfg; auth_cfg_t *auth; char *name; if (initiator) { server = ike_sa->get_my_id(ike_sa); peer = ike_sa->get_other_id(ike_sa); role = XAUTH_SERVER; } else { peer = ike_sa->get_my_id(ike_sa); server = ike_sa->get_other_id(ike_sa); role = XAUTH_PEER; } peer_cfg = ike_sa->get_peer_cfg(ike_sa); enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, !initiator); if (!enumerator->enumerate(enumerator, &auth) || !enumerator->enumerate(enumerator, &auth)) { DBG1(DBG_CFG, "no second authentication round found for XAuth"); enumerator->destroy(enumerator); return NULL; } name = auth->get(auth, AUTH_RULE_XAUTH_BACKEND); enumerator->destroy(enumerator); xauth = charon->xauth->create_instance(charon->xauth, name, role, server, peer); if (!xauth) { if (name) { DBG1(DBG_CFG, "no XAuth method found named '%s'"); } else { DBG1(DBG_CFG, "no XAuth method found"); } } return xauth; } /** * Set IKE_SA to established state */ static void establish(private_xauth_t *this) { DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); } METHOD(task_t, build_i_status, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET); cp->add_attribute(cp, configuration_attribute_create_value(XAUTH_STATUS, this->status)); message->add_payload(message, (payload_t *)cp); return NEED_MORE; } METHOD(task_t, build_i, status_t, private_xauth_t *this, message_t *message) { if (!this->xauth) { cp_payload_t *cp; this->xauth = load_method(this->ike_sa, this->initiator); if (!this->xauth) { return FAILED; } if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE) { return FAILED; } message->add_payload(message, (payload_t *)cp); return NEED_MORE; } if (this->cp) { /* send previously generated payload */ message->add_payload(message, (payload_t *)this->cp); this->cp = NULL; return NEED_MORE; } return FAILED; } METHOD(task_t, build_r_ack, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK); cp->add_attribute(cp, configuration_attribute_create_chunk( CONFIGURATION_ATTRIBUTE_V1, XAUTH_STATUS, chunk_empty)); message->add_payload(message, (payload_t *)cp); if (this->status == XAUTH_OK) { establish(this); return SUCCESS; } return FAILED; } METHOD(task_t, process_r, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; if (!this->xauth) { this->xauth = load_method(this->ike_sa, this->initiator); if (!this->xauth) { /* send empty reply */ return NEED_MORE; } } cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp) { DBG1(DBG_IKE, "configuration payload missing in XAuth request"); return FAILED; } if (cp->get_type(cp) == CFG_REQUEST) { switch (this->xauth->process(this->xauth, cp, &this->cp)) { case NEED_MORE: return NEED_MORE; case SUCCESS: DBG1(DBG_IKE, "XAuth authentication successful"); establish(this); break; case FAILED: default: DBG1(DBG_IKE, "XAuth authentication failed"); break; } this->cp = NULL; return NEED_MORE; } if (cp->get_type(cp) == CFG_SET) { configuration_attribute_t *attribute; enumerator_t *enumerator; enumerator = cp->create_attribute_enumerator(cp); while (enumerator->enumerate(enumerator, &attribute)) { if (attribute->get_type(attribute) == XAUTH_STATUS) { this->status = attribute->get_value(attribute); } } enumerator->destroy(enumerator); } this->public.task.build = _build_r_ack; return NEED_MORE; } METHOD(task_t, build_r, status_t, private_xauth_t *this, message_t *message) { if (!this->cp) { /* send empty reply if building data failed */ this->cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY); } message->add_payload(message, (payload_t *)this->cp); this->cp = NULL; return NEED_MORE; } METHOD(task_t, process_i_status, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp || cp->get_type(cp) != CFG_ACK) { DBG1(DBG_IKE, "received invalid XAUTH status response"); return FAILED; } establish(this); return SUCCESS; } METHOD(task_t, process_i, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp) { DBG1(DBG_IKE, "configuration payload missing in XAuth response"); return FAILED; } switch (this->xauth->process(this->xauth, cp, &this->cp)) { case NEED_MORE: return NEED_MORE; case SUCCESS: DBG1(DBG_IKE, "XAuth authentication successful"); this->status = XAUTH_OK; break; case FAILED: DBG1(DBG_IKE, "XAuth authentication failed"); break; default: return FAILED; } this->public.task.build = _build_i_status; this->public.task.process = _process_i_status; return NEED_MORE; } METHOD(task_t, get_type, task_type_t, private_xauth_t *this) { return TASK_XAUTH; } METHOD(task_t, migrate, void, private_xauth_t *this, ike_sa_t *ike_sa) { this->ike_sa = ike_sa; } METHOD(task_t, destroy, void, private_xauth_t *this) { DESTROY_IF(this->xauth); DESTROY_IF(this->cp); free(this); } /* * Described in header. */ xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator) { private_xauth_t *this; INIT(this, .public = { .task = { .get_type = _get_type, .migrate = _migrate, .destroy = _destroy, }, }, .initiator = initiator, .ike_sa = ike_sa, .status = XAUTH_FAILED, ); if (initiator) { this->public.task.build = _build_i; this->public.task.process = _process_i; } else { this->public.task.build = _build_r; this->public.task.process = _process_r; } return &this->public; }