a (incomplete) implementation of draft-sheffer-ikev2-gtc-00.txt using PAM

This commit is contained in:
Martin Willi 2008-08-21 12:10:07 +00:00
parent dc6a2edd0d
commit 1caa265c61
12 changed files with 1009 additions and 6 deletions

View File

@ -401,6 +401,14 @@ AC_ARG_ENABLE(
fi]
)
AC_ARG_ENABLE(
[eap-gtc],
AS_HELP_STRING([--enable-eap-gtc],[build PAM based GTC authenication module for EAP (default is NO).]),
[if test x$enableval = xyes; then
eap_gtc=true
fi]
)
AC_ARG_ENABLE(
[eap-aka],
AS_HELP_STRING([--enable-eap-aka],[build AKA authentication module for EAP (default is NO).]),
@ -719,6 +727,11 @@ if test x$nm = xtrue; then
AC_SUBST(nm_LIBS)
fi
if test x$eap_gtc = xtrue; then
AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
fi
dnl ======================================
dnl collect all plugins for libstrongswan
dnl ======================================
@ -820,6 +833,7 @@ AM_CONDITIONAL(USE_UNIT_TESTS, test x$unittest = xtrue)
AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
dnl other options
@ -887,6 +901,7 @@ AC_OUTPUT(
src/charon/plugins/eap_aka/Makefile
src/charon/plugins/eap_identity/Makefile
src/charon/plugins/eap_md5/Makefile
src/charon/plugins/eap_gtc/Makefile
src/charon/plugins/eap_sim/Makefile
src/charon/plugins/smp/Makefile
src/charon/plugins/sql/Makefile

View File

@ -0,0 +1,505 @@
Network Working Group Y. Sheffer
Internet-Draft Check Point
Intended status: Informational July 6, 2008
Expires: January 7, 2009
Using EAP-GTC for Simple User Authentication in IKEv2
draft-sheffer-ikev2-gtc-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 7, 2009.
Abstract
Despite many years of effort, simple username-password authentication
is still prevalent. In many cases a password is the only credential
available to the end user. IKEv2 uses EAP as a sub-protocol for user
authentication. This provides a well-specified and extensible
architecture. To this day EAP does not provide a simple password-
based authentication method. The only existing password
authentication methods either require the peer to know the password
in advance (EAP-MD5), or are needlessly complex when used within
IKEv2 (e.g. PEAP). This document codifies the common practice of
using EAP-GTC for this type of authentication, with the goal of
achieving maximum interoperability. The various security issues are
extensively analyzed.
Sheffer Expires January 7, 2009 [Page 1]
Internet-Draft EAP-GTC in IKEv2 July 2008
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Alternatives to EAP-GTC in IKEv2 . . . . . . . . . . . . . . . 4
3.1. Non-password credentials . . . . . . . . . . . . . . . . . 4
3.2. Using the IKE preshared secret . . . . . . . . . . . . . . 4
3.3. EAP-MD5 , EAP-MSCHAPv2 and mutual authentication
schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Using EAP-GTC in IKE: Details . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6.1. Key generation and MITM protection . . . . . . . . . . . . 6
6.2. Protection of credentials between the IKE gateway and
the AAA server . . . . . . . . . . . . . . . . . . . . . . 6
6.3. Server authentication . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . . 7
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . . 8
A.1. -00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Sheffer Expires January 7, 2009 [Page 2]
Internet-Draft EAP-GTC in IKEv2 July 2008
1. Introduction
"Oh dear! It's possible that we have added EAP to IKE to support a
case that EAP can't support." -- C. Kaufman.
Despite many years of effort, simple username-password authentication
is still prevalent. In many cases a password is the only credential
available to the end user.
IKEv2 [RFC4306] uses the Extensible Authentication Protocol (EAP) as
a sub-protocol for user authentication. This provides a well-
specified and extensible architecture and enables useful capabilities
like SIM authentication. Unfortunately, for a number of reasons EAP
still does not provide a simple password-based authentication method.
The only existing password authentication methods either require the
peer to know the password in advance (EAP-MD5), or are needlessly
complex when used within IKEv2 (e.g. PEAP).
Technically, the IKE preshared secret authentication mode can be used
for password authentication. In fact even the IKEv2 RFC winks at
this practice. But this use jeopardizes the protocol's security and
should clearly be avoided (more details below).
EAP is used in IKEv2 at a stage when the remote access gateway has
already been authenticated. At this point the user has a high enough
level of trust to send his or her password to the gateway. Such an
exchange is enabled by the EAP Generic Token Card (GTC) method, which
is a simple text transport between the two EAP peers. To quote
[RFC3748]:
The EAP GTC method is intended for use with the Token Cards
supporting challenge/response authentication and MUST NOT be used
to provide support for cleartext passwords in the absence of a
protected tunnel with server authentication.
IKEv2 does indeed provide "a protected tunnel with server
authentication". The current document updates [RFC3748] by making an
exception and allowing the use of GTC to carry secret credentials, in
this specific situation. Section 6 further elaborates on the
security properties of this solution.
Other protocols provide a similar protected tunnel, for example TLS-
EAP, described in [I-D.nir-tls-eap]. These protocols however are out
of scope for this document.
Sheffer Expires January 7, 2009 [Page 3]
Internet-Draft EAP-GTC in IKEv2 July 2008
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Alternatives to EAP-GTC in IKEv2
This section presents a few of the alternatives to EAP-GTC, and
explains why they are either insecure or impractical given today's
common identity management infrastructure.
3.1. Non-password credentials
Certificate-based authentication, especially when combined with
hardware protection (e.g. a hardware token), can be deployed in a
more secure manner than the form of password authentication which we
discuss. However, due to a host of issues to do with cost,
inconvenience and reliability this solution has not gained wide
market acceptance over the last 10 years.
3.2. Using the IKE preshared secret
Sec. 2.15 of RFC 4306 points out that the generation of the IKE
preshared secret from a weak password is insecure. Such use is
vulnerable to off line password guessing by an active attacker. All
the attacker needs to do is respond correctly to the first IKE_INIT
message, and then record the third IKE message. This is then
followed by a dictionary attack to obtain the password.
3.3. EAP-MD5 , EAP-MSCHAPv2 and mutual authentication schemes
Challenge-response schemes, like EAP-MD5 and EAP-MSCHAPv2, have a
clear security advantage over sending the plaintext password to the
gateway. Password-based mutual authentication schemes like SRP have
a further advantage in that the gateway's authentication is much
stronger than when using certificates alone, since the AAA server
proves its knowledge of a per-client credential, and the gateway
proves that it has been authorized by the AAA server for that
particular client.
Unfortunately all of these methods also suffer from a major drawback:
the gateway must have a priori access to the plaintext password.
While many RADIUS servers may indeed have such access, other very
common deployments do not provide it. One typical example is when
the gateway directly accesses an LDAP directory (or a Microsoft
Active Directory) to authenticate the user. The usual way to do that
Sheffer Expires January 7, 2009 [Page 4]
Internet-Draft EAP-GTC in IKEv2 July 2008
is by issuing an LDAP Bind operation into the directory, using the
just-received plaintext password. Often in this case it is the IKE
gateway that terminates the EAP protocol, and it needs a way to
obtain the raw password.
An additional issue with mutual authentication schemes is their heavy
IP encumbrance, which has resulted in a scarcity of standards using
them and a low rate of market adoption.
4. Using EAP-GTC in IKE: Details
EAP-GTC is specified in [RFC3748], Sec. 5.6. This section is non-
normative, and is merely an interpretation of this specification in
the context of IKEv2.
Simple authentication requires a non secret identity ("user name")
and a secret credential ("password"). Both of these are arbitrary
Unicode strings, although implementations may impose length
constraints.
In the case of EAP-GTC, the user name is conveyed in the IKE IDi
payload. According to [RFC4718], Sec. 3.4, the user name can be
encoded in one of two ways: as a simple user name, in which case the
ID_KEY_ID identification type is used; or as a combination user name
plus realm, in which case the format is a NAI [RFC4282] and the
identification type is ID_RFC822_ADDR. In either case, the user name
is a Unicode string encoded as UTF-8. Using the EAP Identity payload
is redundant, and if it is used, it should be identical to the IDi
payload.
EAP-GTC consists of a simple 2-message exchange. The contents of the
Type-Data field in the Request should not be interpreted in any way,
and should be displayed to the user. This field contains a Unicode
string, encoded as UTF-8.
The password is sent in the EAP Response. The Type-Data field of the
Response is also a Unicode string encoded as UTF-8. Note that none
of the IDi payload, the EAP Request or the EAP Response is null-
terminated.
If either or both the user name and the password are non-ASCII, they
should be normalized by the IKE client before the IKE/EAP message is
constructed. The normalization method is SASLprep, [RFC4013].
Sheffer Expires January 7, 2009 [Page 5]
Internet-Draft EAP-GTC in IKEv2 July 2008
5. IANA Considerations
This document does not require any action by IANA.
6. Security Considerations
6.1. Key generation and MITM protection
Modern EAP methods generate a key shared between the two protocol
peers. GTC does not (and cannot) generate such a key. RFC 4306
mandates that:
EAP methods that do not establish a shared key SHOULD NOT be used,
as they are subject to a number of man-in-the-middle attacks
[EAPMITM] if these EAP methods are used in other protocols that do
not use a server-authenticated tunnel.
However GTC must never be used in such a situation, since the client
would be sending its credentials openly to an unauthenticated server.
When using GTC with IKEv2, the implementation (or local
administrators) MUST ensure that the same credentials are never used
in such a manner.
6.2. Protection of credentials between the IKE gateway and the AAA
server
In the proposed solution, the raw credentials are sent from the IKE
gateway to a AAA server, typically a RADIUS server. These
credentials and the associated messaging MUST be strongly protected.
Some of the existing options include:
o An IPsec tunnel between the gateway and the AAA server.
o RADIUS over TCP with TLS, [I-D.winter-radsec].
o RADIUS over UDP with DTLS, [I-D.dekok-radext-dtls] (expired).
The legacy RADIUS security mechanism (Sec. 5.2 of [RFC2865]) is
considered weak and SHOULD NOT be used when better alternatives are
available.
6.3. Server authentication
The client may only send its cleartext credentials after it has
positively authenticated the server. This authentication is
specified, albeit rather vaguely, in [RFC4306] and is out of scope of
the current document. Unauthenticated (BTNS) derivatives of IKE MUST
NOT be used with EAP-GTC.
Sheffer Expires January 7, 2009 [Page 6]
Internet-Draft EAP-GTC in IKEv2 July 2008
7. Acknowledgments
I would like to thank Yoav Nir and Charlie Kaufman for their helpful
comments.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004.
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names
and Passwords", RFC 4013, February 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
8.2. Informative References
[EAPMITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
in Tunneled Authentication Protocols", November 2002,
<http://eprint.iacr.org/2002/163>.
[I-D.dekok-radext-dtls]
DeKok, A., "DTLS as a Transport Layer for RADIUS",
draft-dekok-radext-dtls-00 (work in progress),
February 2007.
[I-D.nir-tls-eap]
Nir, Y., Tschofenig, H., and P. Gutmann, "TLS using EAP
Authentication", draft-nir-tls-eap-03 (work in progress),
April 2008.
[I-D.winter-radsec]
Winter, S., McCauley, M., and S. Venaas, "RadSec Version 2
- A Secure and Reliable Transport for the RADIUS
Protocol", draft-winter-radsec-01 (work in progress),
February 2008.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
Sheffer Expires January 7, 2009 [Page 7]
Internet-Draft EAP-GTC in IKEv2 July 2008
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", RFC 4282, December 2005.
[RFC4718] Eronen, P. and P. Hoffman, "IKEv2 Clarifications and
Implementation Guidelines", RFC 4718, October 2006.
Appendix A. Change Log
A.1. -00
Initial version.
Author's Address
Yaron Sheffer
Check Point Software Technologies Ltd.
5 Hasolelim St.
Tel Aviv 67897
Israel
Email: yaronf@checkpoint.com
Sheffer Expires January 7, 2009 [Page 8]
Internet-Draft EAP-GTC in IKEv2 July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Sheffer Expires January 7, 2009 [Page 9]

View File

@ -165,6 +165,11 @@ if USE_EAP_MD5
PLUGINS += eapmd5
endif
if USE_EAP_GTC
SUBDIRS += plugins/eap_gtc
PLUGINS += eapgtc
endif
if USE_EAP_AKA
SUBDIRS += plugins/eap_aka
PLUGINS += eapaka

View File

@ -0,0 +1,10 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapgtc.la
libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
libstrongswan_eapgtc_la_LDFLAGS = -module -lpam

View File

@ -0,0 +1,300 @@
/*
* Copyright (C) 2007 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $
*/
#include "eap_gtc.h"
#include <daemon.h>
#include <library.h>
#include <crypto/hashers/hasher.h>
#include <security/pam_appl.h>
#define GTC_REQUEST_MSG "login"
#define GTC_PAM_SERVICE "login"
typedef struct private_eap_gtc_t private_eap_gtc_t;
/**
* Private data of an eap_gtc_t object.
*/
struct private_eap_gtc_t {
/**
* Public authenticator_t interface.
*/
eap_gtc_t public;
/**
* ID of the server
*/
identification_t *server;
/**
* ID of the peer
*/
identification_t *peer;
/**
* EAP message identififier
*/
u_int8_t identifier;
};
typedef struct eap_gtc_header_t eap_gtc_header_t;
/**
* packed eap GTC header struct
*/
struct eap_gtc_header_t {
/** EAP code (REQUEST/RESPONSE) */
u_int8_t code;
/** unique message identifier */
u_int8_t identifier;
/** length of whole message */
u_int16_t length;
/** EAP type */
u_int8_t type;
/** type data */
u_int8_t data[];
} __attribute__((__packed__));
/**
* Implementation of eap_method_t.initiate for the peer
*/
static status_t initiate_peer(private_eap_gtc_t *this, eap_payload_t **out)
{
/* peer never initiates */
return FAILED;
}
/**
* PAM conv callback function
*/
static int auth_conv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, char *password)
{
struct pam_response *response;
if (num_msg != 1)
{
return PAM_CONV_ERR;
}
response = malloc(sizeof(struct pam_response));
response->resp = strdup(password);
response->resp_retcode = 0;
*resp = response;
return PAM_SUCCESS;
}
/**
* Authenticate a username/password using PAM
*/
static bool authenticate(char *service, char *user, char *password)
{
pam_handle_t *pamh;
static struct pam_conv conv;
int ret;
conv.conv = (void*)auth_conv;
conv.appdata_ptr = password;
if (pam_start(service, user, &conv, &pamh) != PAM_SUCCESS)
{
return FALSE;
}
ret = pam_authenticate(pamh, 0);
pam_end(pamh, ret);
return ret == PAM_SUCCESS;
}
/**
* Implementation of eap_method_t.initiate for the server
*/
static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
{
eap_gtc_header_t *req;
size_t len;
len = strlen(GTC_REQUEST_MSG);
req = alloca(sizeof(eap_gtc_header_t) + len);
req->length = htons(sizeof(eap_gtc_header_t) + len);
req->code = EAP_REQUEST;
req->identifier = this->identifier;
req->type = EAP_GTC;
memcpy(req->data, GTC_REQUEST_MSG, len);
*out = eap_payload_create_data(chunk_create((void*)req,
sizeof(eap_gtc_header_t) + len));
return NEED_MORE;
}
/**
* Implementation of eap_method_t.process for the peer
*/
static status_t process_peer(private_eap_gtc_t *this,
eap_payload_t *in, eap_payload_t **out)
{
eap_gtc_header_t *res;
shared_key_t *shared;
chunk_t key;
size_t len;
shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP,
this->server, this->peer);
if (shared == NULL)
{
DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
this->server, this->peer);
return FAILED;
}
key = shared->get_key(shared);
len = key.len;
res = alloca(sizeof(eap_gtc_header_t) + len);
res->length = htons(sizeof(eap_gtc_header_t) + len);
res->code = EAP_RESPONSE;
res->identifier = in->get_identifier(in);
res->type = EAP_GTC;
memcpy(res->data, key.ptr, len);
shared->destroy(shared);
*out = eap_payload_create_data(chunk_create((void*)res,
sizeof(eap_gtc_header_t) + len));
return NEED_MORE;
}
/**
* Implementation of eap_method_t.process for the server
*/
static status_t process_server(private_eap_gtc_t *this,
eap_payload_t *in, eap_payload_t **out)
{
chunk_t data, encoding;
char *user, *password, *service;
data = chunk_skip(in->get_data(in), 5);
if (this->identifier != in->get_identifier(in) || !data.len)
{
DBG1(DBG_IKE, "received invalid EAP-GTC message");
return FAILED;
}
encoding = this->peer->get_encoding(this->peer);
user = alloca(encoding.len + 1);
memcpy(user, encoding.ptr, encoding.len);
user[encoding.len] = '\0';
password = alloca(data.len + 1);
memcpy(password, data.ptr, data.len);
password[data.len] = '\0';
service = lib->settings->get_str(lib->settings,
"charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE);
/* TODO: According to the draft we should "SASLprep" username and
* passwords... RFC4013 */
if (!authenticate(service, user, password))
{
DBG1(DBG_IKE, "EAP-GTC PAM authentication failed");
return FAILED;
}
return SUCCESS;
}
/**
* Implementation of eap_method_t.get_type.
*/
static eap_type_t get_type(private_eap_gtc_t *this, u_int32_t *vendor)
{
*vendor = 0;
return EAP_GTC;
}
/**
* Implementation of eap_method_t.get_msk.
*/
static status_t get_msk(private_eap_gtc_t *this, chunk_t *msk)
{
return FAILED;
}
/**
* Implementation of eap_method_t.is_mutual.
*/
static bool is_mutual(private_eap_gtc_t *this)
{
return FALSE;
}
/**
* Implementation of eap_method_t.destroy.
*/
static void destroy(private_eap_gtc_t *this)
{
free(this);
}
/**
* Generic constructor
*/
static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
identification_t *peer)
{
private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
this->public.eap_method_interface.initiate = NULL;
this->public.eap_method_interface.process = NULL;
this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
/* private data */
this->peer = peer;
this->server = server;
this->identifier = random();
return this;
}
/*
* see header
*/
eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
{
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
return &this->public;
}
/*
* see header
*/
eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
{
private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
return &this->public;
}

View File

@ -0,0 +1,62 @@
/*
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $
*/
/**
* @defgroup eap_gtc_i eap_gtc
* @{ @ingroup eap_gtc
*/
#ifndef EAP_GTC_H_
#define EAP_GTC_H_
typedef struct eap_gtc_t eap_gtc_t;
#include <sa/authenticators/eap/eap_method.h>
/**
* Implementation of the eap_method_t interface using EAP-GTC.
*
* This implementation of draft-sheffer-ikev2-gtc-00.txt uses PAM to
* verify user credentials.
*/
struct eap_gtc_t {
/**
* Implemented eap_method_t interface.
*/
eap_method_t eap_method_interface;
};
/**
* Creates the EAP method EAP-GTC acting as server.
*
* @param server ID of the EAP server
* @param peer ID of the EAP client
* @return eap_gtc_t object
*/
eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer);
/**
* Creates the EAP method EAP-GTC acting as peer.
*
* @param server ID of the EAP server
* @param peer ID of the EAP client
* @return eap_gtc_t object
*/
eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer);
#endif /* EAP_GTC_H_ @}*/

View File

@ -0,0 +1,52 @@
/*
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* $Id$
*/
#include "eap_gtc_plugin.h"
#include "eap_gtc.h"
#include <daemon.h>
/**
* Implementation of plugin_t.destroy
*/
static void destroy(eap_gtc_plugin_t *this)
{
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_gtc_create_server);
charon->eap->remove_method(charon->eap,
(eap_constructor_t)eap_gtc_create_peer);
free(this);
}
/*
* see header file
*/
plugin_t *plugin_create()
{
eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
this->plugin.destroy = (void(*)(plugin_t*))destroy;
charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
(eap_constructor_t)eap_gtc_create_server);
charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
(eap_constructor_t)eap_gtc_create_peer);
return &this->plugin;
}

View File

@ -0,0 +1,49 @@
/*
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* $Id$
*/
/**
* @defgroup eap_gtc eap_gtc
* @ingroup cplugins
*
* @defgroup eap_gtc_plugin eap_gtc_plugin
* @{ @ingroup eap_gtc
*/
#ifndef EAP_GTC_PLUGIN_H_
#define EAP_GTC_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct eap_gtc_plugin_t eap_gtc_plugin_t;
/**
* EAP-GTC plugin
*/
struct eap_gtc_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
/**
* Create a eap_gtc_plugin instance.
*/
plugin_t *plugin_create();
#endif /* EAP_GTC_PLUGIN_H_ @}*/

View File

@ -17,14 +17,14 @@
#include "eap_method.h"
ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_TOKEN_CARD,
ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
"EAP_IDENTITY",
"EAP_NOTIFICATION",
"EAP_NAK",
"EAP_MD5",
"EAP_ONE_TIME_PASSWORD",
"EAP_TOKEN_CARD");
ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TOKEN_CARD,
"EAP_OTP",
"EAP_GTC");
ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
"EAP_SIM");
ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
"EAP_AKA");

View File

@ -52,8 +52,8 @@ enum eap_type_t {
EAP_NOTIFICATION = 2,
EAP_NAK = 3,
EAP_MD5 = 4,
EAP_ONE_TIME_PASSWORD = 5,
EAP_TOKEN_CARD = 6,
EAP_OTP = 5,
EAP_GTC = 6,
EAP_SIM = 18,
EAP_AKA = 23,
EAP_EXPANDED = 254,

View File

@ -262,6 +262,7 @@ char *whitelist[] = {
/* ignore dlopen, as we do not dlclose to get proper leak reports */
"dlopen",
"dlerror",
"dlclose",
/* mysql functions */
"mysql_init_character_set",
"init_client_errs",

View File

@ -588,6 +588,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
{
conn->eap_type = 4;
}
else if (streq(kw->value, "gtc"))
{
conn->eap_type = 6;
}
else
{
conn->eap_type = atoi(kw->value);