Implement a SASL PLAIN mechanism using shared secrets
authorMartin Willi <martin@revosec.ch>
Wed, 27 Feb 2013 15:27:59 +0000 (16:27 +0100)
committerMartin Willi <martin@revosec.ch>
Thu, 28 Feb 2013 15:46:07 +0000 (16:46 +0100)
src/libpttls/Makefile.am
src/libpttls/sasl/sasl_mechanism.c
src/libpttls/sasl/sasl_plain/sasl_plain.c [new file with mode: 0644]
src/libpttls/sasl/sasl_plain/sasl_plain.h [new file with mode: 0644]

index b019d23..4812318 100644 (file)
@@ -8,4 +8,5 @@ libpttls_la_SOURCES = pt_tls.c pt_tls.h \
        pt_tls_client.c pt_tls_client.h \
        pt_tls_server.c pt_tls_server.h \
        pt_tls_dispatcher.c pt_tls_dispatcher.h \
+       sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
        sasl/sasl_mechanism.c sasl/sasl_mechanism.h
index 4e0f876..05a02e5 100644 (file)
@@ -15,6 +15,8 @@
 
 #include "sasl_mechanism.h"
 
+#include "sasl_plain/sasl_plain.h"
+
 /**
  * Available SASL mechanisms.
  */
@@ -23,6 +25,8 @@ static struct {
        bool server;
        sasl_mechanism_constructor_t create;
 } mechs[] = {
+       { "PLAIN",              TRUE,   (sasl_mechanism_constructor_t)sasl_plain_create },
+       { "PLAIN",              FALSE,  (sasl_mechanism_constructor_t)sasl_plain_create },
 };
 
 /**
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644 (file)
index 0000000..e8d6dc8
--- /dev/null
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+       /**
+        * Public sasl_plain_t interface.
+        */
+       sasl_plain_t public;
+
+       /**
+        * Client identity
+        */
+       identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+       private_sasl_plain_t *this)
+{
+       return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+       private_sasl_plain_t *this, chunk_t *message)
+{
+       /* gets never called */
+       return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+       private_sasl_plain_t *this, chunk_t message)
+{
+       chunk_t authz, authi, password;
+       identification_t *id;
+       shared_key_t *shared;
+       u_char *pos;
+
+       pos = memchr(message.ptr, 0, message.len);
+       if (!pos)
+       {
+               DBG1(DBG_CFG, "invalid authz encoding");
+               return FAILED;
+       }
+       authz = chunk_create(message.ptr, pos - message.ptr);
+       message = chunk_skip(message, authz.len + 1);
+       pos = memchr(message.ptr, 0, message.len);
+       if (!pos)
+       {
+               DBG1(DBG_CFG, "invalid authi encoding");
+               return FAILED;
+       }
+       authi = chunk_create(message.ptr, pos - message.ptr);
+       password = chunk_skip(message, authi.len + 1);
+       id = identification_create_from_data(authi);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+       if (!shared)
+       {
+               DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+               id->destroy(id);
+               return FAILED;
+       }
+       if (!chunk_equals(shared->get_key(shared), password))
+       {
+               DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+               id->destroy(id);
+               shared->destroy(shared);
+               return FAILED;
+       }
+       id->destroy(id);
+       shared->destroy(shared);
+       return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+       private_sasl_plain_t *this, chunk_t *message)
+{
+       shared_key_t *shared;
+       chunk_t password;
+       char buf[256];
+       ssize_t len;
+
+       /* we currently use the EAP type of shared secret */
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+                                                                         this->client, NULL);
+       if (!shared)
+       {
+               DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+               return FAILED;
+       }
+
+       password = shared->get_key(shared);
+       len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+                                  "", 0, this->client, 0,
+                                  (int)password.len, password.ptr);
+       if (len < 0 || len >= sizeof(buf))
+       {
+               return FAILED;
+       }
+       *message = chunk_clone(chunk_create(buf, len));
+       return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+       private_sasl_plain_t *this, chunk_t message)
+{
+       /* if the server sends a result, authentication successful */
+       return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+       private_sasl_plain_t *this)
+{
+       DESTROY_IF(this->client);
+       free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+       private_sasl_plain_t *this;
+
+       if (!streq(get_name(NULL), name))
+       {
+               return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .sasl = {
+                               .get_name = _get_name,
+                               .destroy = _destroy,
+                       },
+               },
+       );
+
+       if (client)
+       {
+               this->public.sasl.build = _build_client;
+               this->public.sasl.process = _process_client;
+               this->client = client->clone(client);
+       }
+       else
+       {
+               this->public.sasl.build = _build_server;
+               this->public.sasl.process = _process_server;
+       }
+       return &this->public;
+}
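Review bot: `build_client` never releases the `shared_key_t` it obtains from `get_shared()` — `shared` stays alive on both the truncation path and the `NEED_MORE` path, whereas `process_server` destroys its reference on every exit — and the cleartext password remains in the stack buffer `buf` after `chunk_clone()` has copied it out. I would destroy `shared` once the key has been formatted and wipe `buf` before returning, as below. In `process_server`, the `chunk_equals()` check against the stored secret is, as far as I can tell, a plain length-and-memcmp comparison whose timing depends on the first differing byte; a constant-time comparison (`chunk_equals_const()`, if this revision of libstrongswan already provides it) is the better primitive for a password check. The authorization identity `authz` is parsed and then ignored, so any non-empty authzid is accepted without being related to `authi`; either a comment such as `/* authzid is not supported, only the authentication identity is verified */` or an explicit `FAILED` when `authz.len` is non-zero would make that choice visible.
```c
	password = shared->get_key(shared);
	/* … unchanged: snprintf of authzid, authcid and password into buf … */
	/* the key is no longer needed once it has been formatted into buf */
	shared->destroy(shared);
	if (len < 0 || len >= sizeof(buf))
	{
		memwipe(buf, sizeof(buf));
		return FAILED;
	}
	*message = chunk_clone(chunk_create(buf, len));
	/* don't leave the cleartext password behind on the stack */
	memwipe(buf, sizeof(buf));
	return NEED_MORE;
```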
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644 (file)
index 0000000..08b7fc7
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+       /**
+        * Implements sasl_mechanism_t
+        */
+       sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name                 name of mechanism, must be "PLAIN"
+ * @param client               client identity, NULL to act as server
+ * @return                             mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/
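Review bot: The `@param client` line does not state who owns the identity after the call; the implementation clones it (`client->clone(client)` in sasl_plain.c) and destroys only its own copy, so the caller keeps ownership of the object it passes in. I would extend it to `@param client client identity, cloned (caller keeps ownership), NULL to act as server`. Since `name` is compared with `streq()`, which I take to be a plain `strcmp()` wrapper, the documentation should also say that `name` must not be NULL.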