IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.

src/libcharon/Makefile.am

@@ -93,7 +93,8 @@ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
 sa/tasks/main_mode.c sa/tasks/main_mode.h \
 sa/tasks/quick_mode.c sa/tasks/quick_mode.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/tasks/task.c sa/tasks/task.h \
+sa/tasks/xauth_request.c sa/tasks/xauth_request.h
 
 daemon.lo :		$(top_builddir)/config.status
 

src/libcharon/plugins/stroke/stroke_config.c

@@ -469,6 +469,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 	}
+	else if (streq(auth, "xauthpsk"))
+	{
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH_PSK);
+	}
 	else if (strneq(auth, "eap", 3))
 	{
 		enumerator_t *enumerator;

src/libcharon/sa/ike_sa.c

@@ -46,6 +46,7 @@
 #include <sa/tasks/child_rekey.h>
 #include <sa/tasks/main_mode.h>
 #include <sa/tasks/quick_mode.h>
+#include <sa/tasks/xauth_request.h>
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/send_dpd_job.h>
@@ -2128,6 +2129,15 @@ METHOD(ike_sa_t, destroy, void,
 	free(this);
 }
 
+METHOD(ike_sa_t, initiate_xauth, void,
+			 private_ike_sa_t *this)
+{
+	xauth_request_t *xauth_request_task = xauth_request_create(this, TRUE);
+	this->task_manager->queue_task(this->task_manager, (task_t*)xauth_request_task);
+
+	this->task_manager->initiate_later(this->task_manager);
+}
+
 /*
  * Described in header.
  */

src/libcharon/sa/ike_sa.h

@@ -102,6 +102,11 @@ enum ike_extension_t {
 	 * peer is probably a Windows 7 RAS client
 	 */
 	EXT_MS_WINDOWS = (1<<6),
+
+	/**
+	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
+	 */
+	EXT_XAUTH = (1<<7),
 };
 
 /**
@@ -953,6 +958,11 @@ struct ike_sa_t {
 	 * Destroys a ike_sa_t object.
 	 */
 	void (*destroy) (ike_sa_t *this);
+
+	/**
+	 * Initiate XAUTH authentication
+	 */
+	status_t (*initiate_xauth)(ike_sa_t *this);
 };
 
 /**

src/libcharon/sa/task_manager_v1.c

@@ -131,6 +131,13 @@ struct private_task_manager_t {
 	 * Base to calculate retransmission timeout
 	 */
 	double retransmit_base;
+
+	/**
+	 * Flag to tell the task manager to initiate a transaction at
+	 * a later time.
+	 */
+	bool initiate_later_flag;
+
 };
 
 /**
@@ -149,12 +156,6 @@ static void flush(private_task_manager_t *this)
 	this->active_tasks = linked_list_create();
 }
 
-METHOD(task_manager_t, retransmit, status_t,
-	private_task_manager_t *this, u_int32_t message_id)
-{
-	return FAILED;
-}
-
 /**
  * move a task of a specific type from the queue to the active list
  */
@@ -180,6 +181,49 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
 	return found;
 }
 
+METHOD(task_manager_t, retransmit, status_t,
+	private_task_manager_t *this, u_int32_t message_id)
+{
+	if (message_id == this->initiating.mid)
+	{
+		u_int32_t timeout;
+		job_t *job;
+		enumerator_t *enumerator;
+		packet_t *packet;
+		task_t *task;
+
+		if (this->initiating.retransmitted <= this->retransmit_tries)
+		{
+			timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+				pow(this->retransmit_base, this->initiating.retransmitted));
+		}
+		else
+		{
+			DBG1(DBG_IKE, "giving up after %d retransmits",
+				 this->initiating.retransmitted - 1);
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+			{
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+			}
+			return DESTROY_ME;
+		}
+
+		if (this->initiating.retransmitted)
+		{
+			DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
+				 this->initiating.retransmitted, message_id);
+		}
+		packet = this->initiating.packet->clone(this->initiating.packet);
+		charon->sender->send(charon->sender, packet);
+
+		this->initiating.retransmitted++;
+		job = (job_t*)retransmit_job_create(this->initiating.mid,
+											this->ike_sa->get_id(this->ike_sa));
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
+	}
+	return SUCCESS;
+}
+
 METHOD(task_manager_t, initiate, status_t,
 	private_task_manager_t *this)
 {
@@ -220,6 +264,11 @@ METHOD(task_manager_t, initiate, status_t,
 				{
 					exchange = QUICK_MODE;
 				}
+
+				if (activate_task(this, TASK_XAUTH_REQUEST))
+				{
+					exchange = TRANSACTION;
+				}
 				break;
 			default:
 				break;

src/libcharon/sa/tasks/ike_vendor.c

@@ -49,6 +49,10 @@ static chunk_t strongswan_vid = chunk_from_chars(
 	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
 );
 
+static chunk_t xauth6_vid = chunk_from_chars(
+	0x09,0x00,0x26,0x89,0xdf,0xd6,0xb7,0x12
+);
+
 METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
@@ -60,6 +64,11 @@ METHOD(task_t, build, status_t,
 		vid = vendor_id_payload_create_data(VENDOR_ID,
 											chunk_clone(strongswan_vid));
 		message->add_payload(message, &vid->payload_interface);
+
+		vid = vendor_id_payload_create_data(VENDOR_ID,
+											chunk_clone(xauth6_vid));
+		message->add_payload(message, &vid->payload_interface);
+
 	}
 
 	return this->initiator ? NEED_MORE : SUCCESS;
@@ -92,6 +101,25 @@ METHOD(task_t, process, status_t,
 				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
 			}
 		}
+
+		if (payload->get_type(payload) == VENDOR_ID_V1)
+		{
+			vendor_id_payload_t *vid;
+			chunk_t data;
+
+			vid = (vendor_id_payload_t*)payload;
+			data = vid->get_data(vid);
+
+			if (chunk_equals(data, xauth6_vid))
+			{
+				DBG1(DBG_IKE, "received XAuth vendor id");
+				this->ike_sa->enable_extension(this->ike_sa, EXT_XAUTH);
+			}
+			else
+			{
+				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
+			}
+		}
 	}
 	enumerator->destroy(enumerator);
 

src/libcharon/sa/tasks/task.h

@@ -73,6 +73,8 @@ enum task_type_t {
 	TASK_MAIN_MODE,
 	/** IKEv1 quick mode */
 	TASK_QUICK_MODE,
+	/** Request the user/pass with XAUTH */
+	TASK_XAUTH_REQUEST,
 };
 
 /**

src/libcharon/sa/tasks/xauth_request.c

@@ -0,0 +1,185 @@
+
+#include "xauth_request.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/attribute_payload_v1.h>
+#include <encoding/payloads/data_attribute_v1.h>
+#include <encoding/payloads/hash_payload.h>
+#include <encoding/generator.h>
+
+typedef struct private_xauth_request_t private_xauth_request_t;
+
+/**
+ * Private members of a xauth_request_t task.
+ */
+struct private_xauth_request_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	xauth_request_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * virtual ip
+	 */
+	host_t *virtual_ip;
+
+	/**
+	 * list of attributes requested and its handler, entry_t
+	 */
+	linked_list_t *requested;
+};
+
+/**
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+	/** attribute requested */
+	configuration_attribute_type_t type;
+	/** handler requesting this attribute */
+	attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_xauth_request_t *this, message_t *message)
+{
+}
+
+METHOD(task_t, build_i, status_t,
+	private_xauth_request_t *this, message_t *message)
+{
+	attribute_payload_v1_t *ap = NULL;
+	chunk_t chunk = chunk_empty;
+	data_attribute_v1_t *da = NULL;
+	hash_payload_t *hash_payload = NULL;
+	generator_t *generator;
+	chunk_t attr_chunk;
+	chunk_t mid_chunk;
+	u_int32_t *lenpos;
+	u_int32_t message_id;
+	keymat_t *keymat;
+	prf_t *prf;
+	chunk_t hash_in, hash_out;
+
+	DBG1(DBG_IKE, "BUILDING XAUTH REQUEST PACKET");
+	/* TODO1: Create ATTR payload */
+	ap = attribute_payload_v1_create();
+
+	da = data_attribute_v1_create_value(XAUTH_USER_NAME, chunk);
+	ap->add_attribute(ap, da);
+
+	da = data_attribute_v1_create_value(XAUTH_USER_PASSWORD, chunk);
+	ap->add_attribute(ap, da);
+
+	/* Create HASH payload */
+	hash_payload = hash_payload_create();
+	/* TODO1: Add data into the hash */
+
+	/* Calculate the chunk for the ATTR payload */
+	generator = generator_create();
+	ap->payload_interface.set_next_type(&ap->payload_interface, NO_PAYLOAD);
+	generator->generate_payload(generator, (payload_t *)ap);
+	attr_chunk = generator->get_chunk(generator, &lenpos);
+
+	/* Get the message ID in network order */
+	htoun32(&message_id, message->get_message_id(message));
+	mid_chunk = chunk_from_thing(message_id);
+
+	/* Get the hashed data */
+	hash_in = chunk_cat("cc", mid_chunk, attr_chunk);
+
+	message->add_payload(message, (payload_t *)hash_payload);
+	message->add_payload(message, (payload_t *)ap);
+
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_xauth_request_t *this, message_t *message)
+{
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_xauth_request_t *this, message_t *message)
+{
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_xauth_request_t *this, message_t *message)
+{
+	return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_xauth_request_t *this)
+{
+	return TASK_XAUTH_REQUEST;
+}
+
+METHOD(task_t, migrate, void,
+	private_xauth_request_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->virtual_ip);
+
+	this->ike_sa = ike_sa;
+	this->virtual_ip = NULL;
+	this->requested->destroy_function(this->requested, free);
+	this->requested = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+	private_xauth_request_t *this)
+{
+	DESTROY_IF(this->virtual_ip);
+	this->requested->destroy_function(this->requested, free);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_request_t *xauth_request_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_xauth_request_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+		.requested = linked_list_create(),
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}

src/libcharon/sa/tasks/xauth_request.h

@@ -0,0 +1,37 @@
+
+/**
+ * @defgroup xauth_request xauth_request
+ * @{ @ingroup tasks
+ */
+
+#ifndef XAUTH_REQUEST_H_
+#define XAUTH_REQUEST_H_
+
+typedef struct xauth_request_t xauth_request_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * Task of type XAUTH_REQUEST, gets the username and password from the ISAKMP_SA
+ * initializer.
+ */
+struct xauth_request_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new xauth_request task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE for initiator
+ * @return				ike_config task to handle by the task_manager
+ */
+xauth_request_t *xauth_request_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** XAUTH_REQUEST_H_ @}*/

src/libstrongswan/credentials/auth_cfg.h

@@ -42,6 +42,8 @@ enum auth_class_t {
 	AUTH_CLASS_PSK = 2,
 	/** authentication using EAP */
 	AUTH_CLASS_EAP = 3,
+	/** authentication using pre-shared secrets in combination with XAuth */
+	AUTH_CLASS_XAUTH_PSK = 4,
 };
 
 /**