Extract client identity and authentication type from SASL authentication
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 9 Aug 2013 20:10:37 +0000 (22:10 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
src/libpttls/pt_tls_server.c
src/libpttls/sasl/sasl_mechanism.h
src/libpttls/sasl/sasl_plain/sasl_plain.c
src/libtls/tls.h
src/libtnccs/plugins/tnccs_11/tnccs_11.c
src/libtnccs/plugins/tnccs_20/tnccs_20.c
src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c

index 33d9715..fd5d952 100644 (file)
@@ -61,6 +61,7 @@ struct private_pt_tls_server_t {
         * TNCCS protocol handler, implemented as tls_t
         */
        tls_t *tnccs;
+
 };
 
 /**
@@ -111,8 +112,27 @@ static status_t process_sasl(private_pt_tls_server_t *this,
                                                         sasl_mechanism_t *sasl, chunk_t data)
 {
        bio_writer_t *writer;
+       status_t status;
+       identification_t *client;
+       tnccs_t *tnccs;
+
+       status = sasl->process(sasl, data);
+       if (status != NEED_MORE)
+       {
+               client = sasl->get_client(sasl);
+               if (client)
+               {
+                       DBG1(DBG_TNC, "SASL client identity is '%Y'", client);
+                       this->tnccs->set_peer_id(this->tnccs, client);
+                       if (streq(sasl->get_name(sasl), "PLAIN"))
+                       {
+                               tnccs = (tnccs_t*)this->tnccs;
+                               tnccs->set_auth_type(tnccs, TNC_AUTH_PASSWORD);
+                       }
+               }
+       }
 
-       switch (sasl->process(sasl, data))
+       switch (status)
        {
                case NEED_MORE:
                        return NEED_MORE;
index fb1d080..e8c47c4 100644 (file)
@@ -51,6 +51,13 @@ struct sasl_mechanism_t {
        char* (*get_name)(sasl_mechanism_t *this);
 
        /**
+        * Get the client identity
+        *
+        * @return                      client identity
+        */
+       identification_t* (*get_client)(sasl_mechanism_t *this);
+
+       /**
         * Build a SASL message to send to remote host.
         *
         * A message is returned if the return value is NEED_MORE or SUCCESS. A
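Review bot: The new `get_client` contract does not say who owns the returned identity or when it is valid; the PLAIN implementation in this commit returns its internal pointer, which is NULL until a message has been processed and is replaced on each call. Suggest extending the comment to `@return client identity, NULL if not yet known; owned by the mechanism and valid only until the next process() call or destroy()`. Callers that keep the value must clone it, as the pt_tls_server change does through set_peer_id.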
index e8d6dc8..fdb3523 100644 (file)
@@ -35,6 +35,12 @@ struct private_sasl_plain_t {
        identification_t *client;
 };
 
+METHOD(sasl_mechanism_t, get_client, identification_t*,
+       private_sasl_plain_t *this)
+{
+       return this->client;
+}
+
 METHOD(sasl_mechanism_t, get_name, char*,
        private_sasl_plain_t *this)
 {
@@ -52,7 +58,6 @@ METHOD(sasl_mechanism_t, process_server, status_t,
        private_sasl_plain_t *this, chunk_t message)
 {
        chunk_t authz, authi, password;
-       identification_t *id;
        shared_key_t *shared;
        u_char *pos;
 
@@ -72,22 +77,21 @@ METHOD(sasl_mechanism_t, process_server, status_t,
        }
        authi = chunk_create(message.ptr, pos - message.ptr);
        password = chunk_skip(message, authi.len + 1);
-       id = identification_create_from_data(authi);
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+       DESTROY_IF(this->client);
+       this->client = identification_create_from_data(authi);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client,
+                                                                         NULL);
        if (!shared)
        {
-               DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
-               id->destroy(id);
+               DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
                return FAILED;
        }
        if (!chunk_equals(shared->get_key(shared), password))
        {
-               DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
-               id->destroy(id);
+               DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client);
                shared->destroy(shared);
                return FAILED;
        }
-       id->destroy(id);
        shared->destroy(shared);
        return SUCCESS;
 }
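Review bot: `this->client` is assigned at the top of the hunk and left in place on both `return FAILED` paths, so after an unknown or wrong password `get_client` still reports the unverified authentication identity. Since that accessor is what pt_tls_server now binds to the session, clear it on failure (`this->client->destroy(this->client); this->client = NULL;` before each `return FAILED`), or state on get_client that the value is only meaningful after SUCCESS. The removed local `id` was destroyed on every path; keeping it in `this->client` presumably relies on the existing destroy() releasing the field, which is outside the hunk. process_server begins before this hunk.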
@@ -151,6 +155,7 @@ sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
                .public = {
                        .sasl = {
                                .get_name = _get_name,
+                               .get_client = _get_client,
                                .destroy = _destroy,
                        },
                },
index 7f45b1e..db332fb 100644 (file)
@@ -200,6 +200,13 @@ struct tls_t {
        identification_t* (*get_server_id)(tls_t *this);
 
        /**
+        * Set the peer identity.
+        *
+        * @param id            peer identity
+        */
+       void (*set_peer_id)(tls_t *this, identification_t *id);
+
+       /**
         * Return the peer identity.
         *
         * @return                      peer identity
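Review bot: The `set_peer_id` comment should state the ownership rule: all three implementations in this commit store `id->clone(id)` and none of them tolerate a NULL `id`, so the caller keeps ownership and must pass a valid identity. Suggest `@param id peer identity, cloned by the implementation (caller keeps ownership), must not be NULL`, and a sentence noting that a previously set peer identity is replaced, since each implementation destroys the old value first.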
index 7155861..7fc7e6d 100644 (file)
@@ -525,6 +525,13 @@ METHOD(tls_t, get_server_id, identification_t*,
        return this->server;
 }
 
+METHOD(tls_t, set_peer_id, void,
+       private_tnccs_11_t *this, identification_t *id)
+{
+       DESTROY_IF(this->peer);
+       this->peer = id->clone(id);
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_11_t *this)
 {
@@ -611,6 +618,7 @@ tnccs_t* tnccs_11_create(bool is_server,
                                .build = _build,
                                .is_server = _is_server,
                                .get_server_id = _get_server_id,
+                               .set_peer_id = _set_peer_id,
                                .get_peer_id = _get_peer_id,
                                .get_purpose = _get_purpose,
                                .is_complete = _is_complete,
index e5117e8..5d2d7ee 100644 (file)
@@ -834,6 +834,13 @@ METHOD(tls_t, get_server_id, identification_t*,
        return this->server;
 }
 
+METHOD(tls_t, set_peer_id, void,
+       private_tnccs_20_t *this, identification_t *id)
+{
+       DESTROY_IF(this->peer);
+       this->peer = id->clone(id);
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_20_t *this)
 {
@@ -922,6 +929,7 @@ tnccs_t* tnccs_20_create(bool is_server,
                                .build = _build,
                                .is_server = _is_server,
                                .get_server_id = _get_server_id,
+                               .set_peer_id = _set_peer_id,
                                .get_peer_id = _get_peer_id,
                                .get_purpose = _get_purpose,
                                .is_complete = _is_complete,
index bc31126..a52ffed 100644 (file)
@@ -135,6 +135,17 @@ METHOD(tls_t, get_server_id, identification_t*,
        return this->server;
 }
 
+METHOD(tls_t, set_peer_id, void,
+       private_tnccs_dynamic_t *this, identification_t *id)
+{
+       DESTROY_IF(this->peer);
+       this->peer = id->clone(id);
+       if (this->tls)
+       {
+               this->tls->set_peer_id(this->tls, id);
+       }
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_dynamic_t *this)
 {
@@ -208,6 +219,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
                                .build = _build,
                                .is_server = _is_server,
                                .get_server_id = _get_server_id,
+                               .set_peer_id = _set_peer_id,
                                .get_peer_id = _get_peer_id,
                                .get_purpose = _get_purpose,
                                .is_complete = _is_complete,