IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
This commit is contained in:
parent
79e9f776dc
commit
23f4e4b42d
|
@ -93,7 +93,8 @@ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
|
|||
sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
|
||||
sa/tasks/main_mode.c sa/tasks/main_mode.h \
|
||||
sa/tasks/quick_mode.c sa/tasks/quick_mode.h \
|
||||
sa/tasks/task.c sa/tasks/task.h
|
||||
sa/tasks/task.c sa/tasks/task.h \
|
||||
sa/tasks/xauth_request.c sa/tasks/xauth_request.h
|
||||
|
||||
daemon.lo : $(top_builddir)/config.status
|
||||
|
||||
|
|
|
@ -469,6 +469,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
|
|||
{
|
||||
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
|
||||
}
|
||||
else if (streq(auth, "xauthpsk"))
|
||||
{
|
||||
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH_PSK);
|
||||
}
|
||||
else if (strneq(auth, "eap", 3))
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
|
|
|
@ -46,6 +46,7 @@
|
|||
#include <sa/tasks/child_rekey.h>
|
||||
#include <sa/tasks/main_mode.h>
|
||||
#include <sa/tasks/quick_mode.h>
|
||||
#include <sa/tasks/xauth_request.h>
|
||||
#include <processing/jobs/retransmit_job.h>
|
||||
#include <processing/jobs/delete_ike_sa_job.h>
|
||||
#include <processing/jobs/send_dpd_job.h>
|
||||
|
@ -2128,6 +2129,15 @@ METHOD(ike_sa_t, destroy, void,
|
|||
free(this);
|
||||
}
|
||||
|
||||
METHOD(ike_sa_t, initiate_xauth, void,
|
||||
private_ike_sa_t *this)
|
||||
{
|
||||
xauth_request_t *xauth_request_task = xauth_request_create(this, TRUE);
|
||||
this->task_manager->queue_task(this->task_manager, (task_t*)xauth_request_task);
|
||||
|
||||
this->task_manager->initiate_later(this->task_manager);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
|
|
|
@ -102,6 +102,11 @@ enum ike_extension_t {
|
|||
* peer is probably a Windows 7 RAS client
|
||||
*/
|
||||
EXT_MS_WINDOWS = (1<<6),
|
||||
|
||||
/**
|
||||
* peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
|
||||
*/
|
||||
EXT_XAUTH = (1<<7),
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -953,6 +958,11 @@ struct ike_sa_t {
|
|||
* Destroys a ike_sa_t object.
|
||||
*/
|
||||
void (*destroy) (ike_sa_t *this);
|
||||
|
||||
/**
|
||||
* Initiate XAUTH authentication
|
||||
*/
|
||||
status_t (*initiate_xauth)(ike_sa_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -131,6 +131,13 @@ struct private_task_manager_t {
|
|||
* Base to calculate retransmission timeout
|
||||
*/
|
||||
double retransmit_base;
|
||||
|
||||
/**
|
||||
* Flag to tell the task manager to initiate a transaction at
|
||||
* a later time.
|
||||
*/
|
||||
bool initiate_later_flag;
|
||||
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -149,12 +156,6 @@ static void flush(private_task_manager_t *this)
|
|||
this->active_tasks = linked_list_create();
|
||||
}
|
||||
|
||||
METHOD(task_manager_t, retransmit, status_t,
|
||||
private_task_manager_t *this, u_int32_t message_id)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
/**
|
||||
* move a task of a specific type from the queue to the active list
|
||||
*/
|
||||
|
@ -180,6 +181,49 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
|
|||
return found;
|
||||
}
|
||||
|
||||
METHOD(task_manager_t, retransmit, status_t,
|
||||
private_task_manager_t *this, u_int32_t message_id)
|
||||
{
|
||||
if (message_id == this->initiating.mid)
|
||||
{
|
||||
u_int32_t timeout;
|
||||
job_t *job;
|
||||
enumerator_t *enumerator;
|
||||
packet_t *packet;
|
||||
task_t *task;
|
||||
|
||||
if (this->initiating.retransmitted <= this->retransmit_tries)
|
||||
{
|
||||
timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
|
||||
pow(this->retransmit_base, this->initiating.retransmitted));
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_IKE, "giving up after %d retransmits",
|
||||
this->initiating.retransmitted - 1);
|
||||
if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
|
||||
{
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
|
||||
}
|
||||
return DESTROY_ME;
|
||||
}
|
||||
|
||||
if (this->initiating.retransmitted)
|
||||
{
|
||||
DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
|
||||
this->initiating.retransmitted, message_id);
|
||||
}
|
||||
packet = this->initiating.packet->clone(this->initiating.packet);
|
||||
charon->sender->send(charon->sender, packet);
|
||||
|
||||
this->initiating.retransmitted++;
|
||||
job = (job_t*)retransmit_job_create(this->initiating.mid,
|
||||
this->ike_sa->get_id(this->ike_sa));
|
||||
lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
METHOD(task_manager_t, initiate, status_t,
|
||||
private_task_manager_t *this)
|
||||
{
|
||||
|
@ -220,6 +264,11 @@ METHOD(task_manager_t, initiate, status_t,
|
|||
{
|
||||
exchange = QUICK_MODE;
|
||||
}
|
||||
|
||||
if (activate_task(this, TASK_XAUTH_REQUEST))
|
||||
{
|
||||
exchange = TRANSACTION;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
|
|
@ -49,6 +49,10 @@ static chunk_t strongswan_vid = chunk_from_chars(
|
|||
0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
|
||||
);
|
||||
|
||||
static chunk_t xauth6_vid = chunk_from_chars(
|
||||
0x09,0x00,0x26,0x89,0xdf,0xd6,0xb7,0x12
|
||||
);
|
||||
|
||||
METHOD(task_t, build, status_t,
|
||||
private_ike_vendor_t *this, message_t *message)
|
||||
{
|
||||
|
@ -60,6 +64,11 @@ METHOD(task_t, build, status_t,
|
|||
vid = vendor_id_payload_create_data(VENDOR_ID,
|
||||
chunk_clone(strongswan_vid));
|
||||
message->add_payload(message, &vid->payload_interface);
|
||||
|
||||
vid = vendor_id_payload_create_data(VENDOR_ID,
|
||||
chunk_clone(xauth6_vid));
|
||||
message->add_payload(message, &vid->payload_interface);
|
||||
|
||||
}
|
||||
|
||||
return this->initiator ? NEED_MORE : SUCCESS;
|
||||
|
@ -92,6 +101,25 @@ METHOD(task_t, process, status_t,
|
|||
DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
|
||||
}
|
||||
}
|
||||
|
||||
if (payload->get_type(payload) == VENDOR_ID_V1)
|
||||
{
|
||||
vendor_id_payload_t *vid;
|
||||
chunk_t data;
|
||||
|
||||
vid = (vendor_id_payload_t*)payload;
|
||||
data = vid->get_data(vid);
|
||||
|
||||
if (chunk_equals(data, xauth6_vid))
|
||||
{
|
||||
DBG1(DBG_IKE, "received XAuth vendor id");
|
||||
this->ike_sa->enable_extension(this->ike_sa, EXT_XAUTH);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
|
||||
}
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
|
|
|
@ -73,6 +73,8 @@ enum task_type_t {
|
|||
TASK_MAIN_MODE,
|
||||
/** IKEv1 quick mode */
|
||||
TASK_QUICK_MODE,
|
||||
/** Request the user/pass with XAUTH */
|
||||
TASK_XAUTH_REQUEST,
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -0,0 +1,185 @@
|
|||
|
||||
#include "xauth_request.h"
|
||||
|
||||
#include <daemon.h>
|
||||
#include <hydra.h>
|
||||
#include <encoding/payloads/attribute_payload_v1.h>
|
||||
#include <encoding/payloads/data_attribute_v1.h>
|
||||
#include <encoding/payloads/hash_payload.h>
|
||||
#include <encoding/generator.h>
|
||||
|
||||
typedef struct private_xauth_request_t private_xauth_request_t;
|
||||
|
||||
/**
|
||||
* Private members of a xauth_request_t task.
|
||||
*/
|
||||
struct private_xauth_request_t {
|
||||
|
||||
/**
|
||||
* Public methods and task_t interface.
|
||||
*/
|
||||
xauth_request_t public;
|
||||
|
||||
/**
|
||||
* Assigned IKE_SA.
|
||||
*/
|
||||
ike_sa_t *ike_sa;
|
||||
|
||||
/**
|
||||
* Are we the initiator?
|
||||
*/
|
||||
bool initiator;
|
||||
|
||||
/**
|
||||
* virtual ip
|
||||
*/
|
||||
host_t *virtual_ip;
|
||||
|
||||
/**
|
||||
* list of attributes requested and its handler, entry_t
|
||||
*/
|
||||
linked_list_t *requested;
|
||||
};
|
||||
|
||||
/**
|
||||
* Entry for a requested attribute and the requesting handler
|
||||
*/
|
||||
typedef struct {
|
||||
/** attribute requested */
|
||||
configuration_attribute_type_t type;
|
||||
/** handler requesting this attribute */
|
||||
attribute_handler_t *handler;
|
||||
} entry_t;
|
||||
|
||||
/**
|
||||
* Scan for configuration payloads and attributes
|
||||
*/
|
||||
static void process_payloads(private_xauth_request_t *this, message_t *message)
|
||||
{
|
||||
}
|
||||
|
||||
METHOD(task_t, build_i, status_t,
|
||||
private_xauth_request_t *this, message_t *message)
|
||||
{
|
||||
attribute_payload_v1_t *ap = NULL;
|
||||
chunk_t chunk = chunk_empty;
|
||||
data_attribute_v1_t *da = NULL;
|
||||
hash_payload_t *hash_payload = NULL;
|
||||
generator_t *generator;
|
||||
chunk_t attr_chunk;
|
||||
chunk_t mid_chunk;
|
||||
u_int32_t *lenpos;
|
||||
u_int32_t message_id;
|
||||
keymat_t *keymat;
|
||||
prf_t *prf;
|
||||
chunk_t hash_in, hash_out;
|
||||
|
||||
DBG1(DBG_IKE, "BUILDING XAUTH REQUEST PACKET");
|
||||
/* TODO1: Create ATTR payload */
|
||||
ap = attribute_payload_v1_create();
|
||||
|
||||
da = data_attribute_v1_create_value(XAUTH_USER_NAME, chunk);
|
||||
ap->add_attribute(ap, da);
|
||||
|
||||
da = data_attribute_v1_create_value(XAUTH_USER_PASSWORD, chunk);
|
||||
ap->add_attribute(ap, da);
|
||||
|
||||
/* Create HASH payload */
|
||||
hash_payload = hash_payload_create();
|
||||
/* TODO1: Add data into the hash */
|
||||
|
||||
/* Calculate the chunk for the ATTR payload */
|
||||
generator = generator_create();
|
||||
ap->payload_interface.set_next_type(&ap->payload_interface, NO_PAYLOAD);
|
||||
generator->generate_payload(generator, (payload_t *)ap);
|
||||
attr_chunk = generator->get_chunk(generator, &lenpos);
|
||||
|
||||
/* Get the message ID in network order */
|
||||
htoun32(&message_id, message->get_message_id(message));
|
||||
mid_chunk = chunk_from_thing(message_id);
|
||||
|
||||
/* Get the hashed data */
|
||||
hash_in = chunk_cat("cc", mid_chunk, attr_chunk);
|
||||
|
||||
message->add_payload(message, (payload_t *)hash_payload);
|
||||
message->add_payload(message, (payload_t *)ap);
|
||||
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(task_t, process_r, status_t,
|
||||
private_xauth_request_t *this, message_t *message)
|
||||
{
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(task_t, build_r, status_t,
|
||||
private_xauth_request_t *this, message_t *message)
|
||||
{
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(task_t, process_i, status_t,
|
||||
private_xauth_request_t *this, message_t *message)
|
||||
{
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(task_t, get_type, task_type_t,
|
||||
private_xauth_request_t *this)
|
||||
{
|
||||
return TASK_XAUTH_REQUEST;
|
||||
}
|
||||
|
||||
METHOD(task_t, migrate, void,
|
||||
private_xauth_request_t *this, ike_sa_t *ike_sa)
|
||||
{
|
||||
DESTROY_IF(this->virtual_ip);
|
||||
|
||||
this->ike_sa = ike_sa;
|
||||
this->virtual_ip = NULL;
|
||||
this->requested->destroy_function(this->requested, free);
|
||||
this->requested = linked_list_create();
|
||||
}
|
||||
|
||||
METHOD(task_t, destroy, void,
|
||||
private_xauth_request_t *this)
|
||||
{
|
||||
DESTROY_IF(this->virtual_ip);
|
||||
this->requested->destroy_function(this->requested, free);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
xauth_request_t *xauth_request_create(ike_sa_t *ike_sa, bool initiator)
|
||||
{
|
||||
private_xauth_request_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.task = {
|
||||
.get_type = _get_type,
|
||||
.migrate = _migrate,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
.initiator = initiator,
|
||||
.ike_sa = ike_sa,
|
||||
.requested = linked_list_create(),
|
||||
);
|
||||
|
||||
if (initiator)
|
||||
{
|
||||
this->public.task.build = _build_i;
|
||||
this->public.task.process = _process_i;
|
||||
}
|
||||
else
|
||||
{
|
||||
this->public.task.build = _build_r;
|
||||
this->public.task.process = _process_r;
|
||||
}
|
||||
|
||||
return &this->public;
|
||||
}
|
|
@ -0,0 +1,37 @@
|
|||
|
||||
/**
|
||||
* @defgroup xauth_request xauth_request
|
||||
* @{ @ingroup tasks
|
||||
*/
|
||||
|
||||
#ifndef XAUTH_REQUEST_H_
|
||||
#define XAUTH_REQUEST_H_
|
||||
|
||||
typedef struct xauth_request_t xauth_request_t;
|
||||
|
||||
#include <library.h>
|
||||
#include <sa/ike_sa.h>
|
||||
#include <sa/tasks/task.h>
|
||||
|
||||
/**
|
||||
* Task of type XAUTH_REQUEST, gets the username and password from the ISAKMP_SA
|
||||
* initializer.
|
||||
*/
|
||||
struct xauth_request_t {
|
||||
|
||||
/**
|
||||
* Implements the task_t interface
|
||||
*/
|
||||
task_t task;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a new xauth_request task.
|
||||
*
|
||||
* @param ike_sa IKE_SA this task works for
|
||||
* @param initiator TRUE for initiator
|
||||
* @return ike_config task to handle by the task_manager
|
||||
*/
|
||||
xauth_request_t *xauth_request_create(ike_sa_t *ike_sa, bool initiator);
|
||||
|
||||
#endif /** XAUTH_REQUEST_H_ @}*/
|
|
@ -42,6 +42,8 @@ enum auth_class_t {
|
|||
AUTH_CLASS_PSK = 2,
|
||||
/** authentication using EAP */
|
||||
AUTH_CLASS_EAP = 3,
|
||||
/** authentication using pre-shared secrets in combination with XAuth */
|
||||
AUTH_CLASS_XAUTH_PSK = 4,
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
Loading…
Reference in New Issue