Added xauth-noauth plugin
authorTobias Brunner <tobias@strongswan.org>
Mon, 4 Feb 2013 17:55:54 +0000 (18:55 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 10:23:03 +0000 (11:23 +0100)
This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange.  This can be useful to fallback to basic
RSA authentication with clients that can not be configured without XAuth
authentication.

configure.in
src/libcharon/Makefile.am
src/libcharon/plugins/xauth_noauth/Makefile.am [new file with mode: 0644]
src/libcharon/plugins/xauth_noauth/xauth_noauth.c [new file with mode: 0644]
src/libcharon/plugins/xauth_noauth/xauth_noauth.h [new file with mode: 0644]
src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c [new file with mode: 0644]
src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/xauth.c

index 996c8dd..716bad5 100644 (file)
@@ -167,6 +167,7 @@ ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
 ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module.])
 ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
 ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
@@ -996,6 +997,7 @@ ADD_PLUGIN([eap-tnc],              [c charon])
 ADD_PLUGIN([xauth-generic],        [c charon])
 ADD_PLUGIN([xauth-eap],            [c charon])
 ADD_PLUGIN([xauth-pam],            [c charon])
+ADD_PLUGIN([xauth-noauth],         [c charon])
 ADD_PLUGIN([tnc-ifmap],            [c charon])
 ADD_PLUGIN([tnc-pdp],              [c charon])
 ADD_PLUGIN([tnc-imc],              [c charon])
@@ -1136,6 +1138,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
 AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -1328,6 +1331,7 @@ AC_CONFIG_FILES([
        src/libcharon/plugins/xauth_generic/Makefile
        src/libcharon/plugins/xauth_eap/Makefile
        src/libcharon/plugins/xauth_pam/Makefile
+       src/libcharon/plugins/xauth_noauth/Makefile
        src/libcharon/plugins/tnc_ifmap/Makefile
        src/libcharon/plugins/tnc_pdp/Makefile
        src/libcharon/plugins/tnc_imc/Makefile
index 536bab4..f0736c5 100644 (file)
@@ -596,3 +596,10 @@ if MONOLITHIC
   libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
 endif
 endif
+
+if USE_XAUTH_NOAUTH
+  SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
new file mode 100644 (file)
index 0000000..b838af6
--- /dev/null
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+       -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+       xauth_noauth_plugin.h xauth_noauth_plugin.c \
+       xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
new file mode 100644 (file)
index 0000000..a9d9512
--- /dev/null
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+       /**
+        * Public interface.
+        */
+       xauth_noauth_t public;
+
+       /**
+        * ID of the peer (not really used here)
+        */
+       identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+       private_xauth_noauth_t *this, cp_payload_t **out)
+{
+       /* XAuth task handles the details for us */
+       return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+       private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+       /* this should never be called */
+       return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+       private_xauth_noauth_t *this)
+{
+       /* this should never be called, but lets still return a valid ID */
+       return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+       private_xauth_noauth_t *this)
+{
+       this->peer->destroy(this->peer);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+                                                                                  identification_t *peer)
+{
+       private_xauth_noauth_t *this;
+
+       INIT(this,
+               .public = {
+                       .xauth_method = {
+                               .initiate = _initiate,
+                               .process = _process,
+                               .get_identity = _get_identity,
+                               .destroy = _destroy,
+                       },
+               },
+               .peer = identification_create_from_string("%any"),
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
new file mode 100644 (file)
index 0000000..8984b0a
--- /dev/null
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+       /**
+        * Implemented xauth_method_t interface.
+        */
+       xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server       ID of the XAuth server
+ * @param peer         ID of the XAuth client
+ * @return                     xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+                                                                                  identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
new file mode 100644 (file)
index 0000000..e7ee4df
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+       xauth_noauth_plugin_t *this)
+{
+       return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+       xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+       static plugin_feature_t f[] = {
+               PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+                       PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+       };
+       *features = f;
+       return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+       xauth_noauth_plugin_t *this)
+{
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+       xauth_noauth_plugin_t *this;
+
+       INIT(this,
+               .plugin = {
+                       .get_name = _get_name,
+                       .get_features = _get_features,
+                       .destroy = _destroy,
+               },
+       );
+
+       return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
new file mode 100644 (file)
index 0000000..d174ac2
--- /dev/null
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully.  This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+       /**
+        * implements plugin interface
+        */
+       plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/
index 10bea56..31114e5 100644 (file)
@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
        return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+       private_xauth_t *this, message_t *message)
+{
+       cp_payload_t *cp;
+
+       cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+       if (!cp || cp->get_type(cp) != CFG_ACK)
+       {
+               DBG1(DBG_IKE, "received invalid XAUTH status response");
+               return FAILED;
+       }
+       if (this->status != XAUTH_OK)
+       {
+               DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+               return FAILED;
+       }
+       if (!establish(this))
+       {
+               return FAILED;
+       }
+       this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+       lib->processor->queue_job(lib->processor, (job_t*)
+                               adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+       return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
        private_xauth_t *this, message_t *message)
 {
        if (!this->xauth)
        {
-               cp_payload_t *cp;
+               cp_payload_t *cp = NULL;
 
                this->xauth = load_method(this);
                if (!this->xauth)
                {
                        return FAILED;
                }
-               if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+               switch (this->xauth->initiate(this->xauth, &cp))
                {
-                       return FAILED;
+                       case NEED_MORE:
+                               break;
+                       case SUCCESS:
+                               DESTROY_IF(cp);
+                               this->status = XAUTH_OK;
+                               this->public.task.process = _process_i_status;
+                               return build_i_status(this, message);
+                       default:
+                               return FAILED;
                }
                message->add_payload(message, (payload_t *)cp);
                return NEED_MORE;
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
        return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
-       private_xauth_t *this, message_t *message)
-{
-       cp_payload_t *cp;
-
-       cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
-       if (!cp || cp->get_type(cp) != CFG_ACK)
-       {
-               DBG1(DBG_IKE, "received invalid XAUTH status response");
-               return FAILED;
-       }
-       if (this->status != XAUTH_OK)
-       {
-               DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
-               return FAILED;
-       }
-       if (!establish(this))
-       {
-               return FAILED;
-       }
-       this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-       lib->processor->queue_job(lib->processor, (job_t*)
-                               adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
-       return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
        private_xauth_t *this, message_t *message)
 {