IKEv1 XAuth: Added a "NULL" XAuth plugin which sends a hardcoded user/pass, and blind...
authorClavister OpenSource <opensource@clavister.com>
Thu, 1 Dec 2011 15:34:30 +0000 (16:34 +0100)
committerClavister OpenSource <opensource@clavister.com>
Tue, 20 Mar 2012 16:31:11 +0000 (17:31 +0100)
configure.in
src/libcharon/plugins/xauth_null/Makefile.am [new file with mode: 0644]
src/libcharon/plugins/xauth_null/xauth_null.c [new file with mode: 0644]
src/libcharon/plugins/xauth_null/xauth_null.h [new file with mode: 0644]
src/libcharon/plugins/xauth_null/xauth_null_plugin.c [new file with mode: 0644]
src/libcharon/plugins/xauth_null/xauth_null_plugin.h [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth_authenticator.c
src/libcharon/sa/tasks/xauth_request.c
src/libstrongswan/xauth/xauth.c
src/libstrongswan/xauth/xauth.h

index 8939142..7385570 100755 (executable)
@@ -193,6 +193,7 @@ ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using livene
 ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([xauth-null],     [enable XAuth module which does no actual identity authentication (testing only).])
 
 dnl =========================
 dnl  set up compiler and flags
@@ -864,6 +865,7 @@ ADD_PLUGIN([maemo],                [c libcharon])
 ADD_PLUGIN([uci],                  [c libcharon])
 ADD_PLUGIN([addrblock],            [c libcharon])
 ADD_PLUGIN([unit-tester],          [c libcharon])
+ADD_PLUGIN([xauth-null],           [c libcharon])
 
 AC_SUBST(libcharon_plugins)
 AC_SUBST(pluto_plugins)
@@ -979,6 +981,7 @@ AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NULL, test x$xauth_null = xtrue)
 
 dnl hydra plugins
 dnl =============
@@ -1170,6 +1173,7 @@ AC_OUTPUT(
        src/libcharon/plugins/dhcp/Makefile
        src/libcharon/plugins/unit_tester/Makefile
        src/libcharon/plugins/load_tester/Makefile
+       src/libcharon/plugins/xauth_null/Makefile
        src/stroke/Makefile
        src/ipsec/Makefile
        src/starter/Makefile
diff --git a/src/libcharon/plugins/xauth_null/Makefile.am b/src/libcharon/plugins/xauth_null/Makefile.am
new file mode 100644 (file)
index 0000000..f4ff03c
--- /dev/null
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+       -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-null.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-null.la
+endif
+
+libstrongswan_xauth_null_la_SOURCES = \
+       xauth_null_plugin.h xauth_null_plugin.c xauth_null.h xauth_null.c
+
+libstrongswan_xauth_null_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_null/xauth_null.c b/src/libcharon/plugins/xauth_null/xauth_null.c
new file mode 100644 (file)
index 0000000..34ed495
--- /dev/null
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_null.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_null_t private_xauth_null_t;
+
+/**
+ * Private data of an xauth_null_t object.
+ */
+struct private_xauth_null_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       xauth_null_t public;
+
+       /**
+        * ID of the peer
+        */
+       identification_t *peer;
+};
+
+METHOD(xauth_method_t, process_peer, status_t,
+       private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+       chunk_t user_name = chunk_from_chars('j', 'o', 's', 't');
+       chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't');
+       cp_payload_t *cp;
+
+       /* TODO-IKEv1: Fetch the user/pass from an authenticator */
+       cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+       cp->add_attribute(cp, configuration_attribute_create_chunk(
+                               CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user_name));
+       cp->add_attribute(cp, configuration_attribute_create_chunk(
+                               CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, user_pass));
+       *out = cp;
+       return NEED_MORE;
+}
+
+METHOD(xauth_method_t, initiate_peer, status_t,
+       private_xauth_null_t *this, cp_payload_t **out)
+{
+       /* peer never initiates */
+       return FAILED;
+}
+
+METHOD(xauth_method_t, process_server, status_t,
+       private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+       return SUCCESS;
+}
+
+METHOD(xauth_method_t, initiate_server, status_t,
+       private_xauth_null_t *this, cp_payload_t **out)
+{
+       return NEED_MORE;
+}
+
+METHOD(xauth_method_t, get_type, xauth_type_t,
+       private_xauth_null_t *this, u_int32_t *vendor)
+{
+       return XAUTH_NULL;
+}
+
+METHOD(xauth_method_t, destroy, void,
+       private_xauth_null_t *this)
+{
+       this->peer->destroy(this->peer);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_null_t *xauth_null_create_peer(identification_t *server,
+                                                                                identification_t *peer)
+{
+       private_xauth_null_t *this;
+
+       INIT(this,
+               .public =  {
+                       .xauth_method = {
+                               .initiate = _initiate_peer,
+                               .process = _process_peer,
+                               .get_type = _get_type,
+                               .destroy = _destroy,
+                       },
+               },
+               .peer = peer->clone(peer),
+       );
+
+       return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_null_t *xauth_null_create_server(identification_t *server,
+                                                                                  identification_t *peer)
+{
+       private_xauth_null_t *this;
+
+       INIT(this,
+               .public = {
+                       .xauth_method = {
+                               .initiate = _initiate_server,
+                               .process = _process_server,
+                               .get_type = _get_type,
+                               .destroy = _destroy,
+                       },
+               },
+               .peer = peer->clone(peer),
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_null/xauth_null.h b/src/libcharon/plugins/xauth_null/xauth_null.h
new file mode 100644 (file)
index 0000000..e3ebaa1
--- /dev/null
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_null_i xauth_null
+ * @{ @ingroup xauth_null
+ */
+
+#ifndef XAUTH_NULL_H_
+#define XAUTH_NULL_H_
+
+typedef struct xauth_null_t xauth_null_t;
+
+#include <sa/authenticators/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t providing no actual identity verification.
+ */
+struct xauth_null_t {
+
+       /**
+        * Implemented xauth_method_t interface.
+        */
+       xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the XAuth method XAuth NULL, acting as server.
+ *
+ * @param server       ID of the XAuth server
+ * @param peer         ID of the XAuth client
+ * @return                     xauth_null_t object
+ */
+xauth_null_t *xauth_null_create_server(identification_t *server,
+                                                                                  identification_t *peer);
+
+/**
+ * Creates the XAuth method XAuth NULL, acting as peer.
+ *
+ * @param server       ID of the XAuth server
+ * @param peer         ID of the XAuth client
+ * @return                     xauth_null_t object
+ */
+xauth_null_t *xauth_null_create_peer(identification_t *server,
+                                                                                identification_t *peer);
+
+#endif /** XAUTH_NULL_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_null/xauth_null_plugin.c b/src/libcharon/plugins/xauth_null/xauth_null_plugin.c
new file mode 100644 (file)
index 0000000..25b7b38
--- /dev/null
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_null_plugin.h"
+#include "xauth_null.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+       xauth_null_plugin_t *this)
+{
+       return "xauth-null";
+}
+
+METHOD(plugin_t, get_features, int,
+       xauth_null_plugin_t *this, plugin_feature_t *features[])
+{
+       static plugin_feature_t f[] = {
+               PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_server),
+                       PLUGIN_PROVIDE(XAUTH_SERVER, XAUTH_NULL),
+               PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_peer),
+                       PLUGIN_PROVIDE(XAUTH_PEER, XAUTH_NULL),
+       };
+       *features = f;
+       return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+       xauth_null_plugin_t *this)
+{
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_null_plugin_create()
+{
+       xauth_null_plugin_t *this;
+
+       INIT(this,
+               .plugin = {
+                       .get_name = _get_name,
+                       .get_features = _get_features,
+                       .destroy = _destroy,
+               },
+       );
+
+       return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_null/xauth_null_plugin.h b/src/libcharon/plugins/xauth_null/xauth_null_plugin.h
new file mode 100644 (file)
index 0000000..55f4ae1
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_null xauth_null
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_null_plugin xauth_null_plugin
+ * @{ @ingroup xauth_null
+ */
+
+#ifndef XAUTH_NULL_PLUGIN_H_
+#define XAUTH_NULL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_null_plugin_t xauth_null_plugin_t;
+
+/**
+ * XAUTH Null plugin.
+ */
+struct xauth_null_plugin_t {
+
+       /**
+        * implements plugin interface
+        */
+       plugin_t plugin;
+};
+
+#endif /** XAUTH_NULL_PLUGIN_H_ @}*/
index 3f0e591..871817d 100644 (file)
@@ -98,7 +98,7 @@ METHOD(authenticator_t, process, status_t,
 
        cp_in = (cp_payload_t *)message->get_payload(message, CONFIGURATION_V1);
 
-       xauth_method = load_method(this, XAUTH_RADIUS, 0);
+       xauth_method = load_method(this, XAUTH_NULL, 0);
 
        if(xauth_method != NULL)
        {
index 8e4489e..7da5bf9 100644 (file)
@@ -4,6 +4,7 @@
 #include <daemon.h>
 #include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
+#include <sa/authenticators/xauth_authenticator.h>
 
 typedef struct private_xauth_request_t private_xauth_request_t;
 
@@ -90,6 +91,11 @@ struct private_xauth_request_t {
         * Whether the XAuth status attribute was received
         */
        bool xauth_status_recv;
+
+       /**
+        * The XAuth authenticator_t object
+        */
+       authenticator_t *xauth_authenticator;
 };
 
 /**
@@ -343,6 +349,11 @@ static status_t process_payloads(private_xauth_request_t *this, message_t *messa
                }
        }
        enumerator->destroy(enumerator);
+
+       if(this->xauth_authenticator)
+       {
+               this->xauth_authenticator->process(this->xauth_authenticator, message);
+       }
        return NEED_MORE;
 }
 
@@ -360,6 +371,7 @@ METHOD(task_t, build_i, status_t,
        attribute_handler_t *handler;
        configuration_attribute_type_t type;
        chunk_t data;
+       status_t status;
 
        version = this->ike_sa->get_version(this->ike_sa);
        if(version == IKEV1)
@@ -401,10 +413,11 @@ METHOD(task_t, build_i, status_t,
                                                ca_type, XAUTH_USER_PASSWORD, chunk));
                        break;
                case TASK_XAUTH_PASS_VERIFY:
+                       status = this->xauth_authenticator->build(this->xauth_authenticator, message);
                        cp = cp_payload_create_type(cp_type, CFG_SET);
                        cp->add_attribute(cp, configuration_attribute_create_value(
                                                XAUTH_STATUS,
-                                               (this->status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK)));
+                                               (status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK)));
                        break;
                case TASK_XAUTH_COMPLETE:
                        /* ConfigMode stuff */
@@ -467,6 +480,7 @@ METHOD(task_t, process_r, status_t,
 {
        ike_version_t version;
        payload_type_t cp_type;
+       status_t status;
 
        version = this->ike_sa->get_version(this->ike_sa);
        if(version == IKEV1)
@@ -485,6 +499,10 @@ METHOD(task_t, process_r, status_t,
                                /* We aren't XAuth, so do we should expect ConfigMode stuff */
                                this->state = TASK_XAUTH_COMPLETE;
                }
+               if((this->xauth_authenticator == NULL) && (this->state == TASK_XAUTH_INIT))
+               {
+                       this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_builder(this->ike_sa);
+               }
                cp_type = CONFIGURATION_V1;
        }
        else /* IKEv2 */
@@ -498,14 +516,17 @@ METHOD(task_t, process_r, status_t,
                cp_type = CONFIGURATION;
        }
 
-       return process_payloads(this, message);
+       status = process_payloads(this, message);
+       if(this->xauth_authenticator != NULL)
+       {
+               status = this->xauth_authenticator->process(this->xauth_authenticator, message);
+       }
+       return status;
 }
 
 METHOD(task_t, build_r, status_t,
        private_xauth_request_t *this, message_t *message)
 {
-       chunk_t user_name = chunk_from_chars('j', 'o', 's', 't');
-       chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't');
        status_t status;
        cp_payload_t *cp = NULL;
        payload_type_t cp_type = CONFIGURATION;
@@ -518,11 +539,11 @@ METHOD(task_t, build_r, status_t,
        host_t *vip = NULL;
        peer_cfg_t *config;
 
-       if(this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+       version = this->ike_sa->get_version(this->ike_sa);
+       if ((version == IKEV2) && (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED))
        {
                return NEED_MORE;
        }
-       version = this->ike_sa->get_version(this->ike_sa);
        if(version == IKEV1)
        {
                if(!this->auth_cfg)
@@ -545,17 +566,8 @@ METHOD(task_t, build_r, status_t,
        switch(this->state)
        {
                case TASK_XAUTH_INIT:
-                       /* TODO-IKEv1: Fetch the user/pass from an authenticator */
-                       cp = cp_payload_create_type(cp_type, CFG_REPLY);
-                       cp->add_attribute(cp, configuration_attribute_create_chunk(
-                                               ca_type, XAUTH_USER_NAME, user_name));
-                       cp->add_attribute(cp, configuration_attribute_create_chunk(
-                                               ca_type, XAUTH_USER_PASSWORD, user_pass));
-                       chunk_clear(&user_name);
-                       chunk_clear(&user_pass);
-
+                       status = this->xauth_authenticator->build(this->xauth_authenticator, message);
                        this->state = TASK_XAUTH_PASS_VERIFY;
-                       status = NEED_MORE;
                        break;
                case TASK_XAUTH_PASS_VERIFY:
                        cp = cp_payload_create_type(cp_type, CFG_ACK);
@@ -612,6 +624,10 @@ METHOD(task_t, build_r, status_t,
                default:
                        return FAILED;
        }
+       if(cp != NULL)
+       {
+               message->add_payload(message, (payload_t *)cp);
+       }
        if(status == SUCCESS)
        {
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
@@ -629,6 +645,10 @@ METHOD(task_t, process_i, status_t,
                        (this->ike_sa->get_version(this->ike_sa) == IKEV1))
        {       /* in last IKE_AUTH exchange */
 
+               if(this->xauth_authenticator == NULL)
+               {
+                       this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_verifier(this->ike_sa);
+               }
                status = process_payloads(this, message);
                this->state = this->next_state;
 
@@ -674,6 +694,7 @@ METHOD(task_t, destroy, void,
 {
        DESTROY_IF(this->virtual_ip);
        this->requested->destroy_function(this->requested, free);
+       this->xauth_authenticator->destroy(this->xauth_authenticator);
        free(this);
 }
 
index 8c00463..b2caf37 100644 (file)
 
 #include "xauth.h"
 
-ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_RADIUS,
-       "XAUTH_RADIUS");
-ENUM_END(xauth_method_type_names, XAUTH_RADIUS);
+ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_NULL,
+       "XAUTH_RADIUS",
+       "XAUTH_NULL");
+ENUM_END(xauth_method_type_names, XAUTH_NULL);
 
-ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_RADIUS,
-       "RAD");
-ENUM_END(xauth_method_type_short_names, XAUTH_RADIUS);
+ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_NULL,
+       "RAD",
+       "NULL");
+ENUM_END(xauth_method_type_short_names, XAUTH_NULL);
 
 /*
  * See header
@@ -34,6 +36,7 @@ xauth_type_t xauth_type_from_string(char *name)
                xauth_type_t type;
        } types[] = {
                {"radius",              XAUTH_RADIUS},
+               {"null",                XAUTH_NULL},
        };
 
        for (i = 0; i < countof(types); i++)
index 19274f2..4554ee7 100644 (file)
@@ -30,6 +30,7 @@ typedef enum xauth_type_t xauth_type_t;
  */
 enum xauth_type_t {
        XAUTH_RADIUS = 253,
+       XAUTH_NULL = 254,
 };
 
 /**