diff --git a/configure.in b/configure.in index 30a383d70..718fa0e00 100644 --- a/configure.in +++ b/configure.in @@ -401,6 +401,14 @@ AC_ARG_ENABLE( fi] ) +AC_ARG_ENABLE( + [eap-gtc], + AS_HELP_STRING([--enable-eap-gtc],[build PAM based GTC authenication module for EAP (default is NO).]), + [if test x$enableval = xyes; then + eap_gtc=true + fi] +) + AC_ARG_ENABLE( [eap-aka], AS_HELP_STRING([--enable-eap-aka],[build AKA authentication module for EAP (default is NO).]), @@ -719,6 +727,11 @@ if test x$nm = xtrue; then AC_SUBST(nm_LIBS) fi +if test x$eap_gtc = xtrue; then + AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])]) + AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])]) +fi + dnl ====================================== dnl collect all plugins for libstrongswan dnl ====================================== @@ -820,6 +833,7 @@ AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue) AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue) AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue) AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue) +AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue) AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue) dnl other options @@ -887,6 +901,7 @@ AC_OUTPUT( src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile + src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile diff --git a/doc/standards/draft-sheffer-ikev2-gtc-00.txt b/doc/standards/draft-sheffer-ikev2-gtc-00.txt new file mode 100644 index 000000000..037c90215 --- /dev/null +++ b/doc/standards/draft-sheffer-ikev2-gtc-00.txt @@ -0,0 +1,505 @@ + + + +Network Working Group Y. Sheffer +Internet-Draft Check Point +Intended status: Informational July 6, 2008 +Expires: January 7, 2009 + + + Using EAP-GTC for Simple User Authentication in IKEv2 + draft-sheffer-ikev2-gtc-00.txt + +Status of this Memo + + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on January 7, 2009. + +Abstract + + Despite many years of effort, simple username-password authentication + is still prevalent. In many cases a password is the only credential + available to the end user. IKEv2 uses EAP as a sub-protocol for user + authentication. This provides a well-specified and extensible + architecture. To this day EAP does not provide a simple password- + based authentication method. The only existing password + authentication methods either require the peer to know the password + in advance (EAP-MD5), or are needlessly complex when used within + IKEv2 (e.g. PEAP). This document codifies the common practice of + using EAP-GTC for this type of authentication, with the goal of + achieving maximum interoperability. The various security issues are + extensively analyzed. + + + +Sheffer Expires January 7, 2009 [Page 1] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Alternatives to EAP-GTC in IKEv2 . . . . . . . . . . . . . . . 4 + 3.1. Non-password credentials . . . . . . . . . . . . . . . . . 4 + 3.2. Using the IKE preshared secret . . . . . . . . . . . . . . 4 + 3.3. EAP-MD5 , EAP-MSCHAPv2 and mutual authentication + schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 4. Using EAP-GTC in IKE: Details . . . . . . . . . . . . . . . . . 5 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 + 6.1. Key generation and MITM protection . . . . . . . . . . . . 6 + 6.2. Protection of credentials between the IKE gateway and + the AAA server . . . . . . . . . . . . . . . . . . . . . . 6 + 6.3. Server authentication . . . . . . . . . . . . . . . . . . . 6 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 7 + Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . . 8 + A.1. -00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 + Intellectual Property and Copyright Statements . . . . . . . . . . 9 + + + + + + + + + + + + + + + + + + + + + + + + + + + +Sheffer Expires January 7, 2009 [Page 2] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +1. Introduction + + "Oh dear! It's possible that we have added EAP to IKE to support a + case that EAP can't support." -- C. Kaufman. + + Despite many years of effort, simple username-password authentication + is still prevalent. In many cases a password is the only credential + available to the end user. + + IKEv2 [RFC4306] uses the Extensible Authentication Protocol (EAP) as + a sub-protocol for user authentication. This provides a well- + specified and extensible architecture and enables useful capabilities + like SIM authentication. Unfortunately, for a number of reasons EAP + still does not provide a simple password-based authentication method. + The only existing password authentication methods either require the + peer to know the password in advance (EAP-MD5), or are needlessly + complex when used within IKEv2 (e.g. PEAP). + + Technically, the IKE preshared secret authentication mode can be used + for password authentication. In fact even the IKEv2 RFC winks at + this practice. But this use jeopardizes the protocol's security and + should clearly be avoided (more details below). + + EAP is used in IKEv2 at a stage when the remote access gateway has + already been authenticated. At this point the user has a high enough + level of trust to send his or her password to the gateway. Such an + exchange is enabled by the EAP Generic Token Card (GTC) method, which + is a simple text transport between the two EAP peers. To quote + [RFC3748]: + + The EAP GTC method is intended for use with the Token Cards + supporting challenge/response authentication and MUST NOT be used + to provide support for cleartext passwords in the absence of a + protected tunnel with server authentication. + + IKEv2 does indeed provide "a protected tunnel with server + authentication". The current document updates [RFC3748] by making an + exception and allowing the use of GTC to carry secret credentials, in + this specific situation. Section 6 further elaborates on the + security properties of this solution. + + Other protocols provide a similar protected tunnel, for example TLS- + EAP, described in [I-D.nir-tls-eap]. These protocols however are out + of scope for this document. + + + + + + + +Sheffer Expires January 7, 2009 [Page 3] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + +3. Alternatives to EAP-GTC in IKEv2 + + This section presents a few of the alternatives to EAP-GTC, and + explains why they are either insecure or impractical given today's + common identity management infrastructure. + +3.1. Non-password credentials + + Certificate-based authentication, especially when combined with + hardware protection (e.g. a hardware token), can be deployed in a + more secure manner than the form of password authentication which we + discuss. However, due to a host of issues to do with cost, + inconvenience and reliability this solution has not gained wide + market acceptance over the last 10 years. + +3.2. Using the IKE preshared secret + + Sec. 2.15 of RFC 4306 points out that the generation of the IKE + preshared secret from a weak password is insecure. Such use is + vulnerable to off line password guessing by an active attacker. All + the attacker needs to do is respond correctly to the first IKE_INIT + message, and then record the third IKE message. This is then + followed by a dictionary attack to obtain the password. + +3.3. EAP-MD5 , EAP-MSCHAPv2 and mutual authentication schemes + + Challenge-response schemes, like EAP-MD5 and EAP-MSCHAPv2, have a + clear security advantage over sending the plaintext password to the + gateway. Password-based mutual authentication schemes like SRP have + a further advantage in that the gateway's authentication is much + stronger than when using certificates alone, since the AAA server + proves its knowledge of a per-client credential, and the gateway + proves that it has been authorized by the AAA server for that + particular client. + + Unfortunately all of these methods also suffer from a major drawback: + the gateway must have a priori access to the plaintext password. + While many RADIUS servers may indeed have such access, other very + common deployments do not provide it. One typical example is when + the gateway directly accesses an LDAP directory (or a Microsoft + Active Directory) to authenticate the user. The usual way to do that + + + +Sheffer Expires January 7, 2009 [Page 4] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + + is by issuing an LDAP Bind operation into the directory, using the + just-received plaintext password. Often in this case it is the IKE + gateway that terminates the EAP protocol, and it needs a way to + obtain the raw password. + + An additional issue with mutual authentication schemes is their heavy + IP encumbrance, which has resulted in a scarcity of standards using + them and a low rate of market adoption. + + +4. Using EAP-GTC in IKE: Details + + EAP-GTC is specified in [RFC3748], Sec. 5.6. This section is non- + normative, and is merely an interpretation of this specification in + the context of IKEv2. + + Simple authentication requires a non secret identity ("user name") + and a secret credential ("password"). Both of these are arbitrary + Unicode strings, although implementations may impose length + constraints. + + In the case of EAP-GTC, the user name is conveyed in the IKE IDi + payload. According to [RFC4718], Sec. 3.4, the user name can be + encoded in one of two ways: as a simple user name, in which case the + ID_KEY_ID identification type is used; or as a combination user name + plus realm, in which case the format is a NAI [RFC4282] and the + identification type is ID_RFC822_ADDR. In either case, the user name + is a Unicode string encoded as UTF-8. Using the EAP Identity payload + is redundant, and if it is used, it should be identical to the IDi + payload. + + EAP-GTC consists of a simple 2-message exchange. The contents of the + Type-Data field in the Request should not be interpreted in any way, + and should be displayed to the user. This field contains a Unicode + string, encoded as UTF-8. + + The password is sent in the EAP Response. The Type-Data field of the + Response is also a Unicode string encoded as UTF-8. Note that none + of the IDi payload, the EAP Request or the EAP Response is null- + terminated. + + If either or both the user name and the password are non-ASCII, they + should be normalized by the IKE client before the IKE/EAP message is + constructed. The normalization method is SASLprep, [RFC4013]. + + + + + + + +Sheffer Expires January 7, 2009 [Page 5] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +5. IANA Considerations + + This document does not require any action by IANA. + + +6. Security Considerations + +6.1. Key generation and MITM protection + + Modern EAP methods generate a key shared between the two protocol + peers. GTC does not (and cannot) generate such a key. RFC 4306 + mandates that: + + EAP methods that do not establish a shared key SHOULD NOT be used, + as they are subject to a number of man-in-the-middle attacks + [EAPMITM] if these EAP methods are used in other protocols that do + not use a server-authenticated tunnel. + + However GTC must never be used in such a situation, since the client + would be sending its credentials openly to an unauthenticated server. + When using GTC with IKEv2, the implementation (or local + administrators) MUST ensure that the same credentials are never used + in such a manner. + +6.2. Protection of credentials between the IKE gateway and the AAA + server + + In the proposed solution, the raw credentials are sent from the IKE + gateway to a AAA server, typically a RADIUS server. These + credentials and the associated messaging MUST be strongly protected. + Some of the existing options include: + o An IPsec tunnel between the gateway and the AAA server. + o RADIUS over TCP with TLS, [I-D.winter-radsec]. + o RADIUS over UDP with DTLS, [I-D.dekok-radext-dtls] (expired). + The legacy RADIUS security mechanism (Sec. 5.2 of [RFC2865]) is + considered weak and SHOULD NOT be used when better alternatives are + available. + +6.3. Server authentication + + The client may only send its cleartext credentials after it has + positively authenticated the server. This authentication is + specified, albeit rather vaguely, in [RFC4306] and is out of scope of + the current document. Unauthenticated (BTNS) derivatives of IKE MUST + NOT be used with EAP-GTC. + + + + + + +Sheffer Expires January 7, 2009 [Page 6] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +7. Acknowledgments + + I would like to thank Yoav Nir and Charlie Kaufman for their helpful + comments. + + +8. References + +8.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. + Levkowetz, "Extensible Authentication Protocol (EAP)", + RFC 3748, June 2004. + + [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names + and Passwords", RFC 4013, February 2005. + + [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", + RFC 4306, December 2005. + +8.2. Informative References + + [EAPMITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle + in Tunneled Authentication Protocols", November 2002, + . + + [I-D.dekok-radext-dtls] + DeKok, A., "DTLS as a Transport Layer for RADIUS", + draft-dekok-radext-dtls-00 (work in progress), + February 2007. + + [I-D.nir-tls-eap] + Nir, Y., Tschofenig, H., and P. Gutmann, "TLS using EAP + Authentication", draft-nir-tls-eap-03 (work in progress), + April 2008. + + [I-D.winter-radsec] + Winter, S., McCauley, M., and S. Venaas, "RadSec Version 2 + - A Secure and Reliable Transport for the RADIUS + Protocol", draft-winter-radsec-01 (work in progress), + February 2008. + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + + +Sheffer Expires January 7, 2009 [Page 7] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + + [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The + Network Access Identifier", RFC 4282, December 2005. + + [RFC4718] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and + Implementation Guidelines", RFC 4718, October 2006. + + +Appendix A. Change Log + +A.1. -00 + + Initial version. + + +Author's Address + + Yaron Sheffer + Check Point Software Technologies Ltd. + 5 Hasolelim St. + Tel Aviv 67897 + Israel + + Email: yaronf@checkpoint.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Sheffer Expires January 7, 2009 [Page 8] + +Internet-Draft EAP-GTC in IKEv2 July 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + +Sheffer Expires January 7, 2009 [Page 9] + + diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 3ea21a020..82f521fc6 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -165,6 +165,11 @@ if USE_EAP_MD5 PLUGINS += eapmd5 endif +if USE_EAP_GTC + SUBDIRS += plugins/eap_gtc + PLUGINS += eapgtc +endif + if USE_EAP_AKA SUBDIRS += plugins/eap_aka PLUGINS += eapaka diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am new file mode 100644 index 000000000..1057bd506 --- /dev/null +++ b/src/charon/plugins/eap_gtc/Makefile.am @@ -0,0 +1,10 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-eapgtc.la + +libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c +libstrongswan_eapgtc_la_LDFLAGS = -module -lpam + diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c new file mode 100644 index 000000000..f178786e4 --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc.c @@ -0,0 +1,300 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $ + */ + +#include "eap_gtc.h" + +#include +#include +#include + +#include + +#define GTC_REQUEST_MSG "login" +#define GTC_PAM_SERVICE "login" + +typedef struct private_eap_gtc_t private_eap_gtc_t; + +/** + * Private data of an eap_gtc_t object. + */ +struct private_eap_gtc_t { + + /** + * Public authenticator_t interface. + */ + eap_gtc_t public; + + /** + * ID of the server + */ + identification_t *server; + + /** + * ID of the peer + */ + identification_t *peer; + + /** + * EAP message identififier + */ + u_int8_t identifier; +}; + +typedef struct eap_gtc_header_t eap_gtc_header_t; + +/** + * packed eap GTC header struct + */ +struct eap_gtc_header_t { + /** EAP code (REQUEST/RESPONSE) */ + u_int8_t code; + /** unique message identifier */ + u_int8_t identifier; + /** length of whole message */ + u_int16_t length; + /** EAP type */ + u_int8_t type; + /** type data */ + u_int8_t data[]; +} __attribute__((__packed__)); + +/** + * Implementation of eap_method_t.initiate for the peer + */ +static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out) +{ + /* peer never initiates */ + return FAILED; +} + +/** + * PAM conv callback function + */ +static int auth_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, char *password) +{ + struct pam_response *response; + + if (num_msg != 1) + { + return PAM_CONV_ERR; + } + response = malloc(sizeof(struct pam_response)); + response->resp = strdup(password); + response->resp_retcode = 0; + *resp = response; + return PAM_SUCCESS; +} + +/** + * Authenticate a username/password using PAM + */ +static bool authenticate(char *service, char *user, char *password) +{ + pam_handle_t *pamh; + static struct pam_conv conv; + int ret; + + conv.conv = (void*)auth_conv; + conv.appdata_ptr = password; + + if (pam_start(service, user, &conv, &pamh) != PAM_SUCCESS) + { + return FALSE; + } + ret = pam_authenticate(pamh, 0); + pam_end(pamh, ret); + return ret == PAM_SUCCESS; +} + +/** + * Implementation of eap_method_t.initiate for the server + */ +static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out) +{ + eap_gtc_header_t *req; + size_t len; + + len = strlen(GTC_REQUEST_MSG); + req = alloca(sizeof(eap_gtc_header_t) + len); + req->length = htons(sizeof(eap_gtc_header_t) + len); + req->code = EAP_REQUEST; + req->identifier = this->identifier; + req->type = EAP_GTC; + memcpy(req->data, GTC_REQUEST_MSG, len); + + *out = eap_payload_create_data(chunk_create((void*)req, + sizeof(eap_gtc_header_t) + len)); + return NEED_MORE; +} + +/** + * Implementation of eap_method_t.process for the peer + */ +static status_t process_peer(private_eap_gtc_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + eap_gtc_header_t *res; + shared_key_t *shared; + chunk_t key; + size_t len; + + shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, + this->server, this->peer); + if (shared == NULL) + { + DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'", + this->server, this->peer); + return FAILED; + } + key = shared->get_key(shared); + len = key.len; + + res = alloca(sizeof(eap_gtc_header_t) + len); + res->length = htons(sizeof(eap_gtc_header_t) + len); + res->code = EAP_RESPONSE; + res->identifier = in->get_identifier(in); + res->type = EAP_GTC; + memcpy(res->data, key.ptr, len); + + shared->destroy(shared); + + *out = eap_payload_create_data(chunk_create((void*)res, + sizeof(eap_gtc_header_t) + len)); + return NEED_MORE; +} + +/** + * Implementation of eap_method_t.process for the server + */ +static status_t process_server(private_eap_gtc_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + chunk_t data, encoding; + char *user, *password, *service; + + data = chunk_skip(in->get_data(in), 5); + if (this->identifier != in->get_identifier(in) || !data.len) + { + DBG1(DBG_IKE, "received invalid EAP-GTC message"); + return FAILED; + } + + encoding = this->peer->get_encoding(this->peer); + user = alloca(encoding.len + 1); + memcpy(user, encoding.ptr, encoding.len); + user[encoding.len] = '\0'; + + password = alloca(data.len + 1); + memcpy(password, data.ptr, data.len); + password[data.len] = '\0'; + + service = lib->settings->get_str(lib->settings, + "charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE); + + /* TODO: According to the draft we should "SASLprep" username and + * passwords... RFC4013 */ + if (!authenticate(service, user, password)) + { + DBG1(DBG_IKE, "EAP-GTC PAM authentication failed"); + return FAILED; + } + return SUCCESS; +} + +/** + * Implementation of eap_method_t.get_type. + */ +static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_GTC; +} + +/** + * Implementation of eap_method_t.get_msk. + */ +static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk) +{ + return FAILED; +} + +/** + * Implementation of eap_method_t.is_mutual. + */ +static bool is_mutual(private_eap_gtc_t *this) +{ + return FALSE; +} + +/** + * Implementation of eap_method_t.destroy. + */ +static void destroy(private_eap_gtc_t *this) +{ + free(this); +} + +/** + * Generic constructor + */ +static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server, + identification_t *peer) +{ + private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t); + + this->public.eap_method_interface.initiate = NULL; + this->public.eap_method_interface.process = NULL; + this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; + this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; + this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; + this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; + + /* private data */ + this->peer = peer; + this->server = server; + this->identifier = random(); + + return this; +} + +/* + * see header + */ +eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer) +{ + private_eap_gtc_t *this = eap_gtc_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server; + + return &this->public; +} + +/* + * see header + */ +eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer) +{ + private_eap_gtc_t *this = eap_gtc_create_generic(server, peer); + + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer; + + return &this->public; +} + diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h new file mode 100644 index 000000000..478ac81cf --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc.h @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup eap_gtc_i eap_gtc + * @{ @ingroup eap_gtc + */ + +#ifndef EAP_GTC_H_ +#define EAP_GTC_H_ + +typedef struct eap_gtc_t eap_gtc_t; + +#include + +/** + * Implementation of the eap_method_t interface using EAP-GTC. + * + * This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to + * verify user credentials. + */ +struct eap_gtc_t { + + /** + * Implemented eap_method_t interface. + */ + eap_method_t eap_method_interface; +}; + +/** + * Creates the EAP method EAP-GTC acting as server. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_gtc_t object + */ +eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer); + +/** + * Creates the EAP method EAP-GTC acting as peer. + * + * @param server ID of the EAP server + * @param peer ID of the EAP client + * @return eap_gtc_t object + */ +eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer); + +#endif /* EAP_GTC_H_ @}*/ diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c new file mode 100644 index 000000000..58a231058 --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "eap_gtc_plugin.h" + +#include "eap_gtc.h" + +#include + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(eap_gtc_plugin_t *this) +{ + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_gtc_create_server); + charon->eap->remove_method(charon->eap, + (eap_constructor_t)eap_gtc_create_peer); + free(this); +} + +/* + * see header file + */ +plugin_t *plugin_create() +{ + eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t); + + this->plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER, + (eap_constructor_t)eap_gtc_create_server); + charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER, + (eap_constructor_t)eap_gtc_create_peer); + + return &this->plugin; +} + diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h new file mode 100644 index 000000000..8b2f5435f --- /dev/null +++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup eap_gtc eap_gtc + * @ingroup cplugins + * + * @defgroup eap_gtc_plugin eap_gtc_plugin + * @{ @ingroup eap_gtc + */ + +#ifndef EAP_GTC_PLUGIN_H_ +#define EAP_GTC_PLUGIN_H_ + +#include + +typedef struct eap_gtc_plugin_t eap_gtc_plugin_t; + +/** + * EAP-GTC plugin + */ +struct eap_gtc_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a eap_gtc_plugin instance. + */ +plugin_t *plugin_create(); + +#endif /* EAP_GTC_PLUGIN_H_ @}*/ diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c index a9f7abda0..b87bcca0d 100644 --- a/src/charon/sa/authenticators/eap/eap_method.c +++ b/src/charon/sa/authenticators/eap/eap_method.c @@ -17,14 +17,14 @@ #include "eap_method.h" -ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_TOKEN_CARD, +ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, "EAP_IDENTITY", "EAP_NOTIFICATION", "EAP_NAK", "EAP_MD5", - "EAP_ONE_TIME_PASSWORD", - "EAP_TOKEN_CARD"); -ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TOKEN_CARD, + "EAP_OTP", + "EAP_GTC"); +ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, "EAP_SIM"); ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, "EAP_AKA"); diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h index ca7b36800..2652f6e6f 100644 --- a/src/charon/sa/authenticators/eap/eap_method.h +++ b/src/charon/sa/authenticators/eap/eap_method.h @@ -52,8 +52,8 @@ enum eap_type_t { EAP_NOTIFICATION = 2, EAP_NAK = 3, EAP_MD5 = 4, - EAP_ONE_TIME_PASSWORD = 5, - EAP_TOKEN_CARD = 6, + EAP_OTP = 5, + EAP_GTC = 6, EAP_SIM = 18, EAP_AKA = 23, EAP_EXPANDED = 254, diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index cb7a74f0d..72da4bd37 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -262,6 +262,7 @@ char *whitelist[] = { /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", + "dlclose", /* mysql functions */ "mysql_init_character_set", "init_client_errs", diff --git a/src/starter/confread.c b/src/starter/confread.c index 914024dca..1b3f31a55 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -588,6 +588,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) { conn->eap_type = 4; } + else if (streq(kw->value, "gtc")) + { + conn->eap_type = 6; + } else { conn->eap_type = atoi(kw->value);