XAUTH support
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 6 Dec 2006 10:25:22 +0000 (10:25 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 6 Dec 2006 10:25:22 +0000 (10:25 -0000)
src/pluto/constants.c
src/pluto/constants.h

index db20d19..f2810b8 100644 (file)
@@ -183,6 +183,9 @@ static const char *const state_name[] = {
        "STATE_INFO",
        "STATE_INFO_PROTECTED",
 
        "STATE_INFO",
        "STATE_INFO_PROTECTED",
 
+       "STATE_XAUTH_R0",
+       "STATE_XAUTH_R1",
+
        "STATE_MODE_CFG_R0",
        "STATE_MODE_CFG_R1",
        "STATE_MODE_CFG_R2",
        "STATE_MODE_CFG_R0",
        "STATE_MODE_CFG_R1",
        "STATE_MODE_CFG_R2",
@@ -216,7 +219,10 @@ const char *const state_story[] = {
 
        "got Informational Message in clear",    /* STATE_INFO */
        "got encrypted Informational Message",   /* STATE_INFO_PROTECTED */
 
        "got Informational Message in clear",    /* STATE_INFO */
        "got encrypted Informational Message",   /* STATE_INFO_PROTECTED */
-       
+
+       "sent XAUTH request, expecting reply",   /* STATE_XAUTH_R0 */
+       "sent XAUTH status, expecting ack",      /* STATE_XAUTH_R1 */
+
        "sent ModeCfg reply",                    /* STATE_MODE_CFG_R0 */
        "sent ModeCfg reply",                    /* STATE_MODE_CFG_R1 */
        "received ModeCfg ack",                  /* STATE_MODE_CFG_R2 */
        "sent ModeCfg reply",                    /* STATE_MODE_CFG_R0 */
        "sent ModeCfg reply",                    /* STATE_MODE_CFG_R1 */
        "received ModeCfg ack",                  /* STATE_MODE_CFG_R2 */
@@ -487,6 +493,9 @@ const char *const sa_policy_bit_names[] = {
        "GROUTED",
        "UP",
        "MODECFGPUSH",
        "GROUTED",
        "UP",
        "MODECFGPUSH",
+       "XAUTHPSK",
+       "XAUTHRSASIG",
+       "XAUTHSERVER",
        NULL
     };
 
        NULL
     };
 
@@ -675,7 +684,49 @@ enum_names auth_alg_names =
     { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
        , &extended_auth_alg_names };
 
     { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
        , &extended_auth_alg_names };
 
-const char *const modecfg_attr_name[] = {
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_type_name[] = {
+  "Generic",
+  "RADIUS-CHAP",
+  "OTP",
+  "S/KEY",
+};
+
+enum_names xauth_type_names =
+  { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_attr_tv_name[] = {
+       "XAUTH_TYPE",
+       NULL,
+       NULL,
+       NULL,
+       NULL,
+       NULL,
+       NULL,
+       "XAUTH_STATUS",
+    };
+
+enum_names xauth_attr_tv_names = {
+    XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
+    XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
+
+static const char *const xauth_attr_name[] = {
+       "XAUTH_USER_NAME",
+       "XAUTH_USER_PASSWORD",
+       "XAUTH_PASSCODE",
+       "XAUTH_MESSAGE",
+       "XAUTH_CHALLENGE",
+       "XAUTH_DOMAIN",
+       "XAUTH_STATUS (wrong TLV syntax, should be TV)",
+       "XAUTH_NEXT_PIN",
+       "XAUTH_ANSWER",
+    };
+
+enum_names xauth_attr_names =
+    { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &xauth_attr_tv_names };
+
+static const char *const modecfg_attr_name[] = {
        "INTERNAL_IP4_ADDRESS",
        "INTERNAL_IP4_NETMASK",
        "INTERNAL_IP4_DNS",
        "INTERNAL_IP4_ADDRESS",
        "INTERNAL_IP4_NETMASK",
        "INTERNAL_IP4_DNS",
@@ -695,7 +746,7 @@ const char *const modecfg_attr_name[] = {
     };
 
 enum_names modecfg_attr_names =
     };
 
 enum_names modecfg_attr_names =
-    { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , NULL };
+    { INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
 
 /* Oakley Lifetime Type attribute */
 
 
 /* Oakley Lifetime Type attribute */
 
index c8946be..bbacd2f 100644 (file)
@@ -506,11 +506,18 @@ enum state_kind {
     STATE_INFO,
     STATE_INFO_PROTECTED,
 
     STATE_INFO,
     STATE_INFO_PROTECTED,
 
-    STATE_MODE_CFG_R0,           /* these states are used on the responder */
+    /* XAUTH states */
+
+    STATE_XAUTH_R0,              /* server state: sent request, awaiting reply */
+    STATE_XAUTH_R1,              /* server state: sent success/fail, awaiting reply */
+
+    /* Mode Config states */
+
+    STATE_MODE_CFG_R0,           /* responder states */
     STATE_MODE_CFG_R1,
     STATE_MODE_CFG_R2,
 
     STATE_MODE_CFG_R1,
     STATE_MODE_CFG_R2,
 
-    STATE_MODE_CFG_I1,           /* this is used on the initiator */
+    STATE_MODE_CFG_I1,           /* initiator states */
     STATE_MODE_CFG_I2,
     STATE_MODE_CFG_I3,
 
     STATE_MODE_CFG_I2,
     STATE_MODE_CFG_I3,
 
@@ -640,7 +647,32 @@ extern enum_names attr_msg_type_names;
 #define    SUPPORTED_ATTRIBUTES       14
 #define    INTERNAL_IP6_SUBNET        15
 
 #define    SUPPORTED_ATTRIBUTES       14
 #define    INTERNAL_IP6_SUBNET        15
 
+#define    MODECFG_ROOF               16
+
 extern enum_names modecfg_attr_names;
 extern enum_names modecfg_attr_names;
+/* XAUTH attribute values */
+#define    XAUTH_TYPE                16520
+#define    XAUTH_USER_NAME           16521
+#define    XAUTH_USER_PASSWORD       16522
+#define    XAUTH_PASSCODE            16523
+#define    XAUTH_MESSAGE             16524
+#define    XAUTH_CHALLENGE           16525
+#define    XAUTH_DOMAIN              16526
+#define    XAUTH_STATUS              16527
+#define    XAUTH_NEXT_PIN            16528
+#define    XAUTH_ANSWER              16529
+
+#define    XAUTH_BASE                XAUTH_TYPE
+
+extern enum_names xauth_attr_names;
+
+/* XAUTH authentication types */
+#define XAUTH_TYPE_GENERIC 0
+#define XAUTH_TYPE_CHAP    1
+#define XAUTH_TYPE_OTP     2
+#define XAUTH_TYPE_SKEY    3
+
+extern enum_names xauth_type_names;
 
 /* Exchange types
  * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
 
 /* Exchange types
  * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
@@ -754,7 +786,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_RSASIG        LELEM(1)
 
 #define POLICY_ISAKMP_SHIFT    0       /* log2(POLICY_PSK) */
 #define POLICY_RSASIG        LELEM(1)
 
 #define POLICY_ISAKMP_SHIFT    0       /* log2(POLICY_PSK) */
-#define POLICY_ID_AUTH_MASK    LRANGES(POLICY_PSK, POLICY_RSASIG)
+#define POLICY_ID_AUTH_MASK    (POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
 #define POLICY_ISAKMP_MASK     POLICY_ID_AUTH_MASK     /* all so far */
 
 /* Quick Mode (IPSEC) attributes */
 #define POLICY_ISAKMP_MASK     POLICY_ID_AUTH_MASK     /* all so far */
 
 /* Quick Mode (IPSEC) attributes */
@@ -796,7 +828,9 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_GROUTED         LELEM(15)       /* do we want this group routed? */
 #define POLICY_UP              LELEM(16)       /* do we want this up? */
 #define POLICY_MODECFG_PUSH    LELEM(17)       /* is modecfg pushed by server? */
 #define POLICY_GROUTED         LELEM(15)       /* do we want this group routed? */
 #define POLICY_UP              LELEM(16)       /* do we want this up? */
 #define POLICY_MODECFG_PUSH    LELEM(17)       /* is modecfg pushed by server? */
-
+#define POLICY_XAUTH_PSK       LELEM(18)       /* do we support XAUTH????PreShared? */
+#define POLICY_XAUTH_RSASIG    LELEM(19)       /* do we support XAUTH????RSA? */
+#define POLICY_XAUTH_SERVER    LELEM(20)       /* are we an XAUTH server? */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
@@ -806,7 +840,7 @@ extern const char *prettypolicy(lset_t policy);
 #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
 
 /* Don't allow negotiation? */
 #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
 
 /* Don't allow negotiation? */
-#define NEVER_NEGOTIATE(p)  (LDISJOINT((p), POLICY_PSK | POLICY_RSASIG))
+#define NEVER_NEGOTIATE(p)  (LDISJOINT((p), POLICY_ID_AUTH_MASK))
 
 
 /* Oakley transform attributes
 
 
 /* Oakley transform attributes
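Review bot: The comments on the `POLICY_XAUTH_PSK` and `POLICY_XAUTH_RSASIG` lines are garbled (`XAUTH????PreShared`, `XAUTH????RSA`) and should state what the bits mean, e.g. `/* XAUTH on top of a PSK-authenticated ISAKMP SA */` and `/* XAUTH on top of an RSA-signature-authenticated ISAKMP SA */`. That is also the place for the security caveat a deployer needs: with a PSK shared by many clients, anyone holding the PSK can pose as the gateway and harvest XAUTH credentials, so a line like `/* NOTE: a group PSK only authenticates the user to whoever holds the PSK; use per-peer PSKs or RSASIG */` belongs next to `POLICY_XAUTH_PSK`. Note that `POLICY_ID_AUTH_MASK` now references `POLICY_XAUTH_PSK`/`POLICY_XAUTH_RSASIG` some forty lines before they are defined; macros expand lazily so this compiles, but a short comment on the mask saying so, or moving the three XAUTH bit definitions up, would avoid a reader chasing an apparent undefined name. The widened mask also changes `NEVER_NEGOTIATE` so that a connection with only the XAUTH bits set is now negotiable, which appears intended but is not called out anywhere in the commit.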