2008-08-21 12:10:07 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2007 Martin Willi
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
#include "eap_gtc.h"
|
|
|
|
|
|
|
|
#include <daemon.h>
|
|
|
|
#include <library.h>
|
|
|
|
#include <crypto/hashers/hasher.h>
|
|
|
|
|
|
|
|
#include <security/pam_appl.h>
|
|
|
|
|
2008-08-25 07:47:16 +00:00
|
|
|
#define GTC_REQUEST_MSG "password"
|
2008-08-21 12:10:07 +00:00
|
|
|
#define GTC_PAM_SERVICE "login"
|
|
|
|
|
|
|
|
typedef struct private_eap_gtc_t private_eap_gtc_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Private data of an eap_gtc_t object.
|
|
|
|
*/
|
|
|
|
struct private_eap_gtc_t {
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
/**
|
|
|
|
* Public authenticator_t interface.
|
|
|
|
*/
|
|
|
|
eap_gtc_t public;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
/**
|
|
|
|
* ID of the server
|
|
|
|
*/
|
|
|
|
identification_t *server;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
/**
|
|
|
|
* ID of the peer
|
|
|
|
*/
|
|
|
|
identification_t *peer;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
/**
|
|
|
|
* EAP message identififier
|
|
|
|
*/
|
|
|
|
u_int8_t identifier;
|
|
|
|
};
|
|
|
|
|
|
|
|
typedef struct eap_gtc_header_t eap_gtc_header_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* packed eap GTC header struct
|
|
|
|
*/
|
|
|
|
struct eap_gtc_header_t {
|
|
|
|
/** EAP code (REQUEST/RESPONSE) */
|
|
|
|
u_int8_t code;
|
|
|
|
/** unique message identifier */
|
|
|
|
u_int8_t identifier;
|
|
|
|
/** length of whole message */
|
|
|
|
u_int16_t length;
|
|
|
|
/** EAP type */
|
|
|
|
u_int8_t type;
|
|
|
|
/** type data */
|
|
|
|
u_int8_t data[];
|
|
|
|
} __attribute__((__packed__));
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, initiate_peer, status_t,
|
|
|
|
private_eap_gtc_t *this, eap_payload_t **out)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
/* peer never initiates */
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* PAM conv callback function
|
|
|
|
*/
|
|
|
|
static int auth_conv(int num_msg, const struct pam_message **msg,
|
2009-09-04 12:50:23 +00:00
|
|
|
struct pam_response **resp, char *password)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
struct pam_response *response;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
if (num_msg != 1)
|
|
|
|
{
|
|
|
|
return PAM_CONV_ERR;
|
|
|
|
}
|
|
|
|
response = malloc(sizeof(struct pam_response));
|
|
|
|
response->resp = strdup(password);
|
|
|
|
response->resp_retcode = 0;
|
|
|
|
*resp = response;
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Authenticate a username/password using PAM
|
|
|
|
*/
|
|
|
|
static bool authenticate(char *service, char *user, char *password)
|
|
|
|
{
|
2009-09-04 12:50:23 +00:00
|
|
|
pam_handle_t *pamh = NULL;
|
2008-08-21 12:10:07 +00:00
|
|
|
static struct pam_conv conv;
|
2009-09-04 12:50:23 +00:00
|
|
|
int ret;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
conv.conv = (void*)auth_conv;
|
|
|
|
conv.appdata_ptr = password;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 14:40:03 +00:00
|
|
|
ret = pam_start(service, user, &conv, &pamh);
|
|
|
|
if (ret != PAM_SUCCESS)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
2008-08-21 14:40:03 +00:00
|
|
|
DBG1(DBG_IKE, "EAP-GTC pam_start failed: %s",
|
|
|
|
pam_strerror(pamh, ret));
|
2008-08-21 12:10:07 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
ret = pam_authenticate(pamh, 0);
|
2008-08-27 13:48:54 +00:00
|
|
|
if (ret == PAM_SUCCESS)
|
|
|
|
{
|
|
|
|
ret = pam_acct_mgmt(pamh, 0);
|
|
|
|
if (ret != PAM_SUCCESS)
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "EAP-GTC pam_acct_mgmt failed: %s",
|
|
|
|
pam_strerror(pamh, ret));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
2008-08-21 14:40:03 +00:00
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "EAP-GTC pam_authenticate failed: %s",
|
|
|
|
pam_strerror(pamh, ret));
|
|
|
|
}
|
2008-08-21 12:10:07 +00:00
|
|
|
pam_end(pamh, ret);
|
|
|
|
return ret == PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, initiate_server, status_t,
|
|
|
|
private_eap_gtc_t *this, eap_payload_t **out)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
eap_gtc_header_t *req;
|
|
|
|
size_t len;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
len = strlen(GTC_REQUEST_MSG);
|
|
|
|
req = alloca(sizeof(eap_gtc_header_t) + len);
|
|
|
|
req->length = htons(sizeof(eap_gtc_header_t) + len);
|
|
|
|
req->code = EAP_REQUEST;
|
|
|
|
req->identifier = this->identifier;
|
|
|
|
req->type = EAP_GTC;
|
|
|
|
memcpy(req->data, GTC_REQUEST_MSG, len);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
*out = eap_payload_create_data(chunk_create((void*)req,
|
|
|
|
sizeof(eap_gtc_header_t) + len));
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, process_peer, status_t,
|
|
|
|
private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
eap_gtc_header_t *res;
|
|
|
|
shared_key_t *shared;
|
|
|
|
chunk_t key;
|
|
|
|
size_t len;
|
|
|
|
|
2010-07-05 09:54:25 +00:00
|
|
|
shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
|
|
|
|
this->peer, this->server);
|
2008-08-21 12:10:07 +00:00
|
|
|
if (shared == NULL)
|
|
|
|
{
|
2009-04-30 11:37:54 +00:00
|
|
|
DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
|
2008-08-25 07:47:16 +00:00
|
|
|
this->peer, this->server);
|
2008-08-21 12:10:07 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
key = shared->get_key(shared);
|
|
|
|
len = key.len;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 14:40:03 +00:00
|
|
|
/* TODO: According to the draft we should "SASLprep" password, RFC4013. */
|
2008-08-21 12:10:07 +00:00
|
|
|
|
|
|
|
res = alloca(sizeof(eap_gtc_header_t) + len);
|
|
|
|
res->length = htons(sizeof(eap_gtc_header_t) + len);
|
|
|
|
res->code = EAP_RESPONSE;
|
|
|
|
res->identifier = in->get_identifier(in);
|
|
|
|
res->type = EAP_GTC;
|
|
|
|
memcpy(res->data, key.ptr, len);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
shared->destroy(shared);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
*out = eap_payload_create_data(chunk_create((void*)res,
|
|
|
|
sizeof(eap_gtc_header_t) + len));
|
|
|
|
return NEED_MORE;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, process_server, status_t,
|
|
|
|
private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
chunk_t data, encoding;
|
2008-08-25 07:47:16 +00:00
|
|
|
char *user, *password, *service, *pos;
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
data = chunk_skip(in->get_data(in), 5);
|
|
|
|
if (this->identifier != in->get_identifier(in) || !data.len)
|
|
|
|
{
|
|
|
|
DBG1(DBG_IKE, "received invalid EAP-GTC message");
|
|
|
|
return FAILED;
|
|
|
|
}
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
encoding = this->peer->get_encoding(this->peer);
|
2008-08-25 07:47:16 +00:00
|
|
|
/* if a RFC822_ADDR id is provided, we use the username part only */
|
|
|
|
pos = memchr(encoding.ptr, '@', encoding.len);
|
|
|
|
if (pos)
|
|
|
|
{
|
|
|
|
encoding.len = (u_char*)pos - encoding.ptr;
|
|
|
|
}
|
2008-08-21 12:10:07 +00:00
|
|
|
user = alloca(encoding.len + 1);
|
|
|
|
memcpy(user, encoding.ptr, encoding.len);
|
|
|
|
user[encoding.len] = '\0';
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
password = alloca(data.len + 1);
|
|
|
|
memcpy(password, data.ptr, data.len);
|
|
|
|
password[data.len] = '\0';
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
service = lib->settings->get_str(lib->settings,
|
2009-10-15 08:13:25 +00:00
|
|
|
"charon.plugins.eap-gtc.pam_service", GTC_PAM_SERVICE);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
if (!authenticate(service, user, password))
|
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, get_type, eap_type_t,
|
|
|
|
private_eap_gtc_t *this, u_int32_t *vendor)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
*vendor = 0;
|
|
|
|
return EAP_GTC;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, get_msk, status_t,
|
|
|
|
private_eap_gtc_t *this, chunk_t *msk)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, is_mutual, bool,
|
|
|
|
private_eap_gtc_t *this)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
METHOD(eap_method_t, destroy, void,
|
|
|
|
private_eap_gtc_t *this)
|
2008-08-21 12:10:07 +00:00
|
|
|
{
|
2008-08-22 10:44:51 +00:00
|
|
|
this->peer->destroy(this->peer);
|
|
|
|
this->server->destroy(this->server);
|
2008-08-21 12:10:07 +00:00
|
|
|
free(this);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Generic constructor
|
|
|
|
*/
|
|
|
|
static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
|
|
|
|
identification_t *peer)
|
|
|
|
{
|
2011-04-05 12:44:26 +00:00
|
|
|
private_eap_gtc_t *this;
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
.public = {
|
|
|
|
.eap_method_interface = {
|
|
|
|
.get_type = _get_type,
|
|
|
|
.is_mutual = _is_mutual,
|
|
|
|
.get_msk = _get_msk,
|
|
|
|
.destroy = _destroy,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
.peer = peer->clone(peer),
|
|
|
|
.server = server->clone(server),
|
|
|
|
);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
return this;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* see header
|
|
|
|
*/
|
|
|
|
eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
|
|
|
|
{
|
|
|
|
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
this->public.eap_method_interface.initiate = _initiate_server;
|
|
|
|
this->public.eap_method_interface.process = _process_server;
|
2008-08-21 12:10:07 +00:00
|
|
|
|
2008-08-22 10:44:51 +00:00
|
|
|
/* generate a non-zero identifier */
|
|
|
|
do {
|
|
|
|
this->identifier = random();
|
|
|
|
} while (!this->identifier);
|
|
|
|
|
2008-08-21 12:10:07 +00:00
|
|
|
return &this->public;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* see header
|
|
|
|
*/
|
|
|
|
eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
|
|
|
|
{
|
|
|
|
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
|
2009-09-04 11:46:09 +00:00
|
|
|
|
2011-04-05 12:44:26 +00:00
|
|
|
this->public.eap_method_interface.initiate = _initiate_peer;
|
|
|
|
this->public.eap_method_interface.process = _process_peer;
|
2008-08-21 12:10:07 +00:00
|
|
|
|
|
|
|
return &this->public;
|
|
|
|
}
|
|
|
|
|