XAUTH support

src/pluto/constants.c

@@ -183,6 +183,9 @@ static const char *const state_name[] = {
 	"STATE_INFO",
 	"STATE_INFO_PROTECTED",
 
+	"STATE_XAUTH_R0",
+	"STATE_XAUTH_R1",
+
 	"STATE_MODE_CFG_R0",
 	"STATE_MODE_CFG_R1",
 	"STATE_MODE_CFG_R2",
@@ -216,7 +219,10 @@ const char *const state_story[] = {
 
 	"got Informational Message in clear",	 /* STATE_INFO */
 	"got encrypted Informational Message",	 /* STATE_INFO_PROTECTED */
-	
+
+	"sent XAUTH request, expecting reply",	 /* STATE_XAUTH_R0 */
+	"sent XAUTH status, expecting ack",	 /* STATE_XAUTH_R1 */
+
 	"sent ModeCfg reply",			 /* STATE_MODE_CFG_R0 */
 	"sent ModeCfg reply",			 /* STATE_MODE_CFG_R1 */
 	"received ModeCfg ack",			 /* STATE_MODE_CFG_R2 */
@@ -487,6 +493,9 @@ const char *const sa_policy_bit_names[] = {
 	"GROUTED",
 	"UP",
 	"MODECFGPUSH",
+	"XAUTHPSK",
+	"XAUTHRSASIG",
+	"XAUTHSERVER",
 	NULL
     };
 
@@ -675,7 +684,49 @@ enum_names auth_alg_names =
     { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
 	, &extended_auth_alg_names };
 
-const char *const modecfg_attr_name[] = {
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_type_name[] = {
+  "Generic",
+  "RADIUS-CHAP",
+  "OTP",
+  "S/KEY",
+};
+
+enum_names xauth_type_names =
+  { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_attr_tv_name[] = {
+	"XAUTH_TYPE",
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	"XAUTH_STATUS",
+    };
+
+enum_names xauth_attr_tv_names = {
+    XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
+    XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
+
+static const char *const xauth_attr_name[] = {
+	"XAUTH_USER_NAME",
+	"XAUTH_USER_PASSWORD",
+	"XAUTH_PASSCODE",
+	"XAUTH_MESSAGE",
+	"XAUTH_CHALLENGE",
+	"XAUTH_DOMAIN",
+	"XAUTH_STATUS (wrong TLV syntax, should be TV)",
+	"XAUTH_NEXT_PIN",
+	"XAUTH_ANSWER",
+    };
+
+enum_names xauth_attr_names =
+    { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &xauth_attr_tv_names };
+
+static const char *const modecfg_attr_name[] = {
 	"INTERNAL_IP4_ADDRESS",
 	"INTERNAL_IP4_NETMASK",
 	"INTERNAL_IP4_DNS",
@@ -695,7 +746,7 @@ const char *const modecfg_attr_name[] = {
     };
 
 enum_names modecfg_attr_names =
-    { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , NULL };
+    { INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
 
 /* Oakley Lifetime Type attribute */
 

src/pluto/constants.h

@@ -506,11 +506,18 @@ enum state_kind {
     STATE_INFO,
     STATE_INFO_PROTECTED,
 
-    STATE_MODE_CFG_R0,           /* these states are used on the responder */
+    /* XAUTH states */
+
+    STATE_XAUTH_R0,              /* server state: sent request, awaiting reply */
+    STATE_XAUTH_R1,              /* server state: sent success/fail, awaiting reply */
+
+    /* Mode Config states */
+
+    STATE_MODE_CFG_R0,           /* responder states */
     STATE_MODE_CFG_R1,
     STATE_MODE_CFG_R2,
 
-    STATE_MODE_CFG_I1,           /* this is used on the initiator */
+    STATE_MODE_CFG_I1,           /* initiator states */
     STATE_MODE_CFG_I2,
     STATE_MODE_CFG_I3,
 
@@ -640,7 +647,32 @@ extern enum_names attr_msg_type_names;
 #define    SUPPORTED_ATTRIBUTES       14
 #define    INTERNAL_IP6_SUBNET        15
 
+#define    MODECFG_ROOF               16
+
 extern enum_names modecfg_attr_names;
+/* XAUTH attribute values */
+#define    XAUTH_TYPE                16520
+#define    XAUTH_USER_NAME           16521
+#define    XAUTH_USER_PASSWORD       16522
+#define    XAUTH_PASSCODE            16523
+#define    XAUTH_MESSAGE             16524
+#define    XAUTH_CHALLENGE           16525
+#define    XAUTH_DOMAIN              16526
+#define    XAUTH_STATUS              16527
+#define    XAUTH_NEXT_PIN            16528
+#define    XAUTH_ANSWER              16529
+
+#define    XAUTH_BASE                XAUTH_TYPE
+
+extern enum_names xauth_attr_names;
+
+/* XAUTH authentication types */
+#define XAUTH_TYPE_GENERIC 0
+#define XAUTH_TYPE_CHAP    1
+#define XAUTH_TYPE_OTP     2
+#define XAUTH_TYPE_SKEY    3
+
+extern enum_names xauth_type_names;
 
 /* Exchange types
  * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
@@ -754,7 +786,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_RSASIG        LELEM(1)
 
 #define POLICY_ISAKMP_SHIFT	0	/* log2(POLICY_PSK) */
-#define POLICY_ID_AUTH_MASK	LRANGES(POLICY_PSK, POLICY_RSASIG)
+#define POLICY_ID_AUTH_MASK	(POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
 #define POLICY_ISAKMP_MASK	POLICY_ID_AUTH_MASK	/* all so far */
 
 /* Quick Mode (IPSEC) attributes */
@@ -796,7 +828,9 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_GROUTED		LELEM(15)	/* do we want this group routed? */
 #define POLICY_UP		LELEM(16)	/* do we want this up? */
 #define POLICY_MODECFG_PUSH	LELEM(17)	/* is modecfg pushed by server? */
-
+#define POLICY_XAUTH_PSK	LELEM(18)	/* do we support XAUTH????PreShared? */
+#define POLICY_XAUTH_RSASIG	LELEM(19)	/* do we support XAUTH????RSA? */
+#define POLICY_XAUTH_SERVER	LELEM(20)	/* are we an XAUTH server? */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
@@ -806,7 +840,7 @@ extern const char *prettypolicy(lset_t policy);
 #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
 
 /* Don't allow negotiation? */
-#define NEVER_NEGOTIATE(p)  (LDISJOINT((p), POLICY_PSK | POLICY_RSASIG))
+#define NEVER_NEGOTIATE(p)  (LDISJOINT((p), POLICY_ID_AUTH_MASK))
 
 
 /* Oakley transform attributes