IKEv1 XAuth: Added plugin support for XAuth, which allows us to have plugins to talk...
authorClavister OpenSource <opensource@clavister.com>
Thu, 1 Dec 2011 13:08:24 +0000 (14:08 +0100)
committerClavister OpenSource <opensource@clavister.com>
Tue, 20 Mar 2012 16:31:11 +0000 (17:31 +0100)
src/libcharon/Makefile.am
src/libcharon/daemon.c
src/libcharon/daemon.h
src/libcharon/sa/authenticators/xauth/xauth_manager.c [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth/xauth_manager.h [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth/xauth_method.c [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth/xauth_method.h [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth_authenticator.c [new file with mode: 0644]
src/libcharon/sa/authenticators/xauth_authenticator.h [new file with mode: 0644]
src/libstrongswan/plugins/plugin_feature.c
src/libstrongswan/plugins/plugin_feature.h

index aab293d..7192e3d 100644 (file)
@@ -64,6 +64,9 @@ sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
 sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
 sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/authenticators/xauth_authenticator.c sa/authenticators/xauth_authenticator.h \
+sa/authenticators/xauth/xauth_method.c sa/authenticators/xauth/xauth_method.h \
+sa/authenticators/xauth/xauth_manager.c sa/authenticators/xauth/xauth_manager.h \
 sa/child_sa.c sa/child_sa.h \
 sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
index 9b6af22..343063b 100644 (file)
@@ -122,6 +122,7 @@ static void destroy(private_daemon_t *this)
        DESTROY_IF(this->public.ike_sa_manager);
        DESTROY_IF(this->public.controller);
        DESTROY_IF(this->public.eap);
+       DESTROY_IF(this->public.xauth);
 #ifdef ME
        DESTROY_IF(this->public.connect_manager);
        DESTROY_IF(this->public.mediation_manager);
@@ -291,6 +292,7 @@ private_daemon_t *daemon_create()
        charon = &this->public;
        this->public.controller = controller_create();
        this->public.eap = eap_manager_create();
+       this->public.xauth = xauth_manager_create();
        this->public.backends = backend_manager_create();
        this->public.socket = socket_manager_create();
        this->public.traps = trap_manager_create();
index 2e01c8d..a887eab 100644 (file)
@@ -149,6 +149,7 @@ typedef struct daemon_t daemon_t;
 #include <sa/shunt_manager.h>
 #include <config/backend_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
+#include <sa/authenticators/xauth/xauth_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -235,6 +236,11 @@ struct daemon_t {
         */
        eap_manager_t *eap;
 
+       /**
+        * XAuth manager to maintain registered XAuth methods
+        */
+       xauth_manager_t *xauth;
+
 #ifdef ME
        /**
         * Connect manager
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.c b/src/libcharon/sa/authenticators/xauth/xauth_manager.c
new file mode 100644 (file)
index 0000000..3cddf64
--- /dev/null
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_xauth_manager_t private_xauth_manager_t;
+typedef struct xauth_entry_t xauth_entry_t;
+
+/**
+ * XAuth constructor entry
+ */
+struct xauth_entry_t {
+
+       /**
+        * XAuth method type, vendor specific if vendor is set
+        */
+       xauth_type_t type;
+
+       /**
+        * vendor ID, 0 for default XAuth methods
+        */
+       u_int32_t vendor;
+
+       /**
+        * Role of the method returned by the constructor, XAUTH_SERVER or XAUTH_PEER
+        */
+       xauth_role_t role;
+
+       /**
+        * constructor function to create instance
+        */
+       xauth_constructor_t constructor;
+};
+
+/**
+ * private data of xauth_manager
+ */
+struct private_xauth_manager_t {
+
+       /**
+        * public functions
+        */
+       xauth_manager_t public;
+
+       /**
+        * list of eap_entry_t's
+        */
+       linked_list_t *methods;
+
+       /**
+        * rwlock to lock methods
+        */
+       rwlock_t *lock;
+};
+
+METHOD(xauth_manager_t, add_method, void,
+       private_xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+       xauth_role_t role, xauth_constructor_t constructor)
+{
+       xauth_entry_t *entry = malloc_thing(xauth_entry_t);
+
+       entry->type = type;
+       entry->vendor = vendor;
+       entry->role = role;
+       entry->constructor = constructor;
+
+       this->lock->write_lock(this->lock);
+       this->methods->insert_last(this->methods, entry);
+       this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, remove_method, void,
+       private_xauth_manager_t *this, xauth_constructor_t constructor)
+{
+       enumerator_t *enumerator;
+       xauth_entry_t *entry;
+
+       this->lock->write_lock(this->lock);
+       enumerator = this->methods->create_enumerator(this->methods);
+       while (enumerator->enumerate(enumerator, &entry))
+       {
+               if (constructor == entry->constructor)
+               {
+                       this->methods->remove_at(this->methods, enumerator);
+                       free(entry);
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, create_instance, xauth_method_t*,
+       private_xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+       xauth_role_t role, identification_t *server, identification_t *peer)
+{
+       enumerator_t *enumerator;
+       xauth_entry_t *entry;
+       xauth_method_t *method = NULL;
+
+       this->lock->read_lock(this->lock);
+       enumerator = this->methods->create_enumerator(this->methods);
+       while (enumerator->enumerate(enumerator, &entry))
+       {
+               if (type == entry->type && vendor == entry->vendor &&
+                       role == entry->role)
+               {
+                       method = entry->constructor(server, peer);
+                       if (method)
+                       {
+                               break;
+                       }
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+       return method;
+}
+
+METHOD(xauth_manager_t, destroy, void,
+       private_xauth_manager_t *this)
+{
+       this->methods->destroy_function(this->methods, free);
+       this->lock->destroy(this->lock);
+       free(this);
+}
+
+/*
+ * See header
+ */
+xauth_manager_t *xauth_manager_create()
+{
+       private_xauth_manager_t *this;
+
+       INIT(this,
+                       .public = {
+                               .add_method = _add_method,
+                               .remove_method = _remove_method,
+                               .create_instance = _create_instance,
+                               .destroy = _destroy,
+                       },
+                       .methods = linked_list_create(),
+                       .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.h b/src/libcharon/sa/authenticators/xauth/xauth_manager.h
new file mode 100644 (file)
index 0000000..401c13e
--- /dev/null
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_manager xauth_manager
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_MANAGER_H_
+#define XAUTH_MANAGER_H_
+
+#include <sa/authenticators/xauth/xauth_method.h>
+
+typedef struct xauth_manager_t xauth_manager_t;
+
+/**
+ * The XAuth manager manages all XAuth implementations and creates instances.
+ *
+ * A plugin registers it's implemented XAuth method at the manager by
+ * providing type and a contructor function. The manager then instanciates
+ * xauth_method_t instances through the provided constructor to handle
+ * XAuth authentication.
+ */
+struct xauth_manager_t {
+
+       /**
+        * Register a XAuth method implementation.
+        *
+        * @param method                vendor specific method, if vendor != 0
+        * @param vendor                vendor ID, 0 for non-vendor (default) XAuth methods
+        * @param role                  XAuth role of the registered method
+        * @param constructor   constructor function, returns an xauth_method_t
+        */
+       void (*add_method)(xauth_manager_t *this, xauth_type_t type, u_int32_t vendor,
+                                          xauth_role_t role, xauth_constructor_t constructor);
+
+       /**
+        * Unregister a XAuth method implementation using it's constructor.
+        *
+        * @param constructor   constructor function to remove, as added in add_method
+        */
+       void (*remove_method)(xauth_manager_t *this, xauth_constructor_t constructor);
+
+       /**
+        * Create a new XAuth method instance.
+        *
+        * @param vendor                vendor ID, 0 for non-vendor (default) XAuth methods
+        * @param role                  role of XAuth method, either XAUTH_SERVER or XAUTH_PEER
+        * @param server                identity of the server
+        * @param peer                  identity of the peer (client)
+        * @return                              XAUTH method instance, NULL if no constructor found
+        */
+       xauth_method_t* (*create_instance)(xauth_manager_t *this, xauth_type_t type,
+                                                                        u_int32_t vendor, xauth_role_t role,
+                                                                        identification_t *server,
+                                                                        identification_t *peer);
+
+       /**
+        * Destroy a eap_manager instance.
+        */
+       void (*destroy)(xauth_manager_t *this);
+};
+
+/**
+ * Create a eap_manager instance.
+ */
+xauth_manager_t *xauth_manager_create();
+
+#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.c b/src/libcharon/sa/authenticators/xauth/xauth_method.c
new file mode 100644 (file)
index 0000000..14da7b9
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_method.h"
+
+#include <daemon.h>
+
+ENUM(xauth_role_names, XAUTH_SERVER, XAUTH_PEER,
+       "XAUTH_SERVER",
+       "XAUTH_PEER",
+);
+
+/**
+ * See header
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+                                                bool reg, void *data)
+{
+       if (reg)
+       {
+               charon->xauth->add_method(charon->xauth, feature->arg.xauth, 0,
+                                       feature->type == FEATURE_XAUTH_SERVER ? XAUTH_SERVER : XAUTH_PEER,
+                                       (xauth_constructor_t)data);
+       }
+       else
+       {
+               charon->xauth->remove_method(charon->xauth, (xauth_constructor_t)data);
+       }
+       return TRUE;
+}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.h b/src/libcharon/sa/authenticators/xauth/xauth_method.h
new file mode 100644 (file)
index 0000000..fb289a2
--- /dev/null
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_method xauth_method
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_METHOD_H_
+#define XAUTH_METHOD_H_
+
+typedef struct xauth_method_t xauth_method_t;
+typedef enum xauth_role_t xauth_role_t;
+
+#include <library.h>
+#include <plugins/plugin.h>
+#include <utils/identification.h>
+#include <encoding/payloads/cp_payload.h>
+#include <xauth/xauth.h>
+
+/**
+ * Role of an xauth_method, SERVER or PEER (client)
+ */
+enum xauth_role_t {
+       XAUTH_SERVER,
+       XAUTH_PEER,
+};
+/**
+ * enum names for xauth_role_t.
+ */
+extern enum_name_t *xauth_role_names;
+
+/**
+ * Interface of an XAuth method for server and client side.
+ *
+ * An XAuth method initiates an XAuth exchange and processes requests and
+ * responses. An XAuth method may need multiple exchanges before succeeding, and
+ * the xauth_authentication may use multiple XAuth methods to authenticate a peer.
+ * To accomplish these requirements, all XAuth methods have their own
+ * implementation while the xauth_authenticatior uses one or more of these
+ * XAuth methods. Sending of XAUTH(STATUS) message is not the job
+ * of the method, the xauth_authenticator does this.
+ */
+struct xauth_method_t {
+
+       /**
+        * Initiate the XAuth exchange.
+        *
+        * initiate() is only useable for server implementations, as clients only
+        * reply to server requests.
+        * A cp_payload is created in "out" if result is NEED_MORE.
+        *
+        * @param out           cp_payload to send to the client
+        * @return
+        *                                      - NEED_MORE, if an other exchange is required
+        *                                      - FAILED, if unable to create XAuth request payload
+        */
+       status_t (*initiate) (xauth_method_t *this, cp_payload_t **out);
+
+       /**
+        * Process a received XAuth message.
+        *
+        * A cp_payload is created in "out" if result is NEED_MORE.
+        *
+        * @param in            cp_payload response received
+        * @param out           created cp_payload to send
+        * @return
+        *                                      - NEED_MORE, if an other exchange is required
+        *                                      - FAILED, if XAuth method failed
+        *                                      - SUCCESS, if XAuth method succeeded
+        */
+       status_t (*process) (xauth_method_t *this, cp_payload_t *in,
+                                                cp_payload_t **out);
+
+       /**
+        * Get the XAuth type implemented in this method.
+        *
+        * @param vendor        pointer receiving vendor identifier for type, 0 for none
+        * @return                      type of the XAuth method
+        */
+       xauth_type_t (*get_type) (xauth_method_t *this, u_int32_t *vendor);
+
+       /**
+        * Destroys a eap_method_t object.
+        */
+       void (*destroy) (xauth_method_t *this);
+};
+
+/**
+ * Constructor definition for a pluggable XAuth method.
+ *
+ * Each XAuth module must define a constructor function which will return
+ * an initialized object with the methods defined in xauth_method_t.
+ * Constructors for server and peers are identical, to support both roles
+ * of a XAuth method, a plugin needs register two constructors in the
+ * xauth_manager_t.
+ * The passed identites are of type ID_EAP and valid only during the
+ * constructor invocation.
+ *
+ * @param server               ID of the server to use for credential lookup
+ * @param peer                 ID of the peer to use for credential lookup
+ * @return                             implementation of the eap_method_t interface
+ */
+typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
+                                                                                  identification_t *peer);
+
+/**
+ * Helper function to (un-)register XAuth methods from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register a XAuth method constructor.
+ *
+ * @param plugin               plugin registering the XAuth method constructor
+ * @param feature              associated plugin feature
+ * @param reg                  TRUE to register, FALSE to unregister.
+ * @param data                 data passed to callback, an xauth_constructor_t
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+                                                bool reg, void *data);
+
+#endif /** XAUTH_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth_authenticator.c b/src/libcharon/sa/authenticators/xauth_authenticator.c
new file mode 100644 (file)
index 0000000..3f0e591
--- /dev/null
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_authenticator.h"
+
+#include <daemon.h>
+#include <encoding/payloads/cp_payload.h>
+#include <sa/keymat_v2.h>
+
+typedef struct private_xauth_authenticator_t private_xauth_authenticator_t;
+
+/**
+ * Private data of an xauth_authenticator_t object.
+ */
+struct private_xauth_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       xauth_authenticator_t public;
+
+       /**
+        * Assigned IKE_SA
+        */
+       ike_sa_t *ike_sa;
+
+       /**
+        * The payload to send
+        */
+       cp_payload_t *cp_payload;
+
+       /**
+        * Whether the authenticator is for an XAUTH server or client
+        */
+       xauth_role_t role;
+};
+
+/**
+ * load an XAuth method
+ */
+static xauth_method_t *load_method(private_xauth_authenticator_t *this,
+                                                       xauth_type_t type, u_int32_t vendor)
+{
+       identification_t *server, *peer, *aaa;
+       auth_cfg_t *auth;
+
+       if (this->role == XAUTH_SERVER)
+       {
+               server = this->ike_sa->get_my_id(this->ike_sa);
+               peer = this->ike_sa->get_other_id(this->ike_sa);
+               auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+       }
+       else
+       {
+               server = this->ike_sa->get_other_id(this->ike_sa);
+               peer = this->ike_sa->get_my_id(this->ike_sa);
+               auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+       }
+       aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
+       if (aaa)
+       {
+               server = aaa;
+       }
+       return charon->xauth->create_instance(charon->xauth, type, vendor,
+                                                                               this->role, server, peer);
+}
+
+METHOD(authenticator_t, build, status_t,
+       private_xauth_authenticator_t *this, message_t *message)
+{
+       if(this->cp_payload != NULL)
+       {
+               message->add_payload(message, (payload_t *)this->cp_payload);
+               return NEED_MORE;
+       }
+       return SUCCESS;
+}
+
+METHOD(authenticator_t, process, status_t,
+       private_xauth_authenticator_t *this, message_t *message)
+{
+       xauth_method_t *xauth_method = NULL;
+       cp_payload_t *cp_in, *cp_out;
+       status_t status = FAILED;
+
+       cp_in = (cp_payload_t *)message->get_payload(message, CONFIGURATION_V1);
+
+       xauth_method = load_method(this, XAUTH_RADIUS, 0);
+
+       if(xauth_method != NULL)
+       {
+               status = xauth_method->process(xauth_method, cp_in, &cp_out);
+               if(status == NEED_MORE)
+               {
+                       this->cp_payload = cp_out;
+               }
+               else
+               {
+                       xauth_method->destroy(xauth_method);
+               }
+       }
+       else
+       {
+               DBG1(DBG_IKE, "Couldn't locate valid xauth method.");
+       }
+
+       return status;
+}
+
+METHOD(authenticator_t, destroy, void,
+       private_xauth_authenticator_t *this)
+{
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_authenticator_t *xauth_authenticator_create_builder(ike_sa_t *ike_sa)
+{
+       private_xauth_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .build = _build,
+                               .process = _process,
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .ike_sa = ike_sa,
+               .cp_payload = NULL,
+               .role = XAUTH_PEER,
+       );
+
+       return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_authenticator_t *xauth_authenticator_create_verifier(ike_sa_t *ike_sa)
+{
+       private_xauth_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .build = _build,
+                               .process = _process,
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .ike_sa = ike_sa,
+               .cp_payload = NULL,
+               .role = XAUTH_SERVER,
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/sa/authenticators/xauth_authenticator.h b/src/libcharon/sa/authenticators/xauth_authenticator.h
new file mode 100644 (file)
index 0000000..d316b16
--- /dev/null
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_authenticator xauth_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef XAUTH_AUTHENTICATOR_H_
+#define XAUTH_AUTHENTICATOR_H_
+
+typedef struct xauth_authenticator_t xauth_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using XAuth.
+ */
+struct xauth_authenticator_t {
+
+       /**
+        * Implemented authenticator_t interface.
+        */
+       authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build XAuth response payloads.
+ *
+ * @param ike_sa                       associated ike_sa
+ * @return                                     PSK authenticator
+ */
+xauth_authenticator_t *xauth_authenticator_create_builder(ike_sa_t *ike_sa);
+
+/**
+ * Create an authenticator to verify using XAuth payloads.
+ *
+ * @param ike_sa                       associated ike_sa
+ * @return                                     PSK authenticator
+ */
+xauth_authenticator_t *xauth_authenticator_create_verifier(ike_sa_t *ike_sa);
+
+#endif /** XAUTH_AUTHENTICATOR_H_ @}*/
index 2a97205..b2bf419 100644 (file)
@@ -96,6 +96,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
                                           streq(a->arg.fetcher, b->arg.fetcher);
                        case FEATURE_CUSTOM:
                                return streq(a->arg.custom, b->arg.custom);
+                       case FEATURE_XAUTH_SERVER:
+                       case FEATURE_XAUTH_PEER:
+                               return a->arg.xauth == b->arg.xauth;
                }
        }
        return FALSE;
@@ -229,6 +232,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
                                return str;
                        }
                        break;
+               case FEATURE_XAUTH_SERVER:
+               case FEATURE_XAUTH_PEER:
+                       if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+                                       xauth_method_type_short_names, feature->arg.xauth) > 0)
+                       {
+                               return str;
+                       }
+                       break;
        }
        if (!str)
        {
index b1500fe..89c9544 100644 (file)
@@ -25,6 +25,7 @@ typedef struct plugin_feature_t plugin_feature_t;
 
 #include <library.h>
 #include <eap/eap.h>
+#include <xauth/xauth.h>
 #include <plugins/plugin.h>
 
 /**
@@ -135,6 +136,10 @@ struct plugin_feature_t {
                FEATURE_FETCHER,
                /** custom feature, described with a string */
                FEATURE_CUSTOM,
+               /** XAuth server implementation */
+               FEATURE_XAUTH_SERVER,
+               /** XAuth peer implementation */
+               FEATURE_XAUTH_PEER,
        } type;
        /** More specific data for each type */
        union {
@@ -182,6 +187,8 @@ struct plugin_feature_t {
                char *fetcher;
                /** FEATURE_CUSTOM */
                char *custom;
+               /** FEATURE_XAUTH_SERVER/CLIENT */
+               xauth_type_t xauth;
 
                /** FEATURE_REGISTER */
                struct {
@@ -266,6 +273,8 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_DATABASE(kind, type)                           __PLUGIN_FEATURE(kind, DATABASE, .database = type)
 #define _PLUGIN_FEATURE_FETCHER(kind, type)                                    __PLUGIN_FEATURE(kind, FETCHER, .fetcher = type)
 #define _PLUGIN_FEATURE_CUSTOM(kind, name)                                     __PLUGIN_FEATURE(kind, CUSTOM, .custom = name)
+#define _PLUGIN_FEATURE_XAUTH_SERVER(kind, type)                       __PLUGIN_FEATURE(kind, XAUTH_SERVER, .xauth = type)
+#define _PLUGIN_FEATURE_XAUTH_PEER(kind, type)                         __PLUGIN_FEATURE(kind, XAUTH_PEER, .xauth = type)
 
 #define __PLUGIN_FEATURE_REGISTER(type, _f)                                    (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
 #define __PLUGIN_FEATURE_REGISTER_BUILDER(type, _f, _final)    (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg = {.f = _f, .final = _final, }}