Added generic XAuth backend, using secrets provided by credential sets.
This commit is contained in:
parent
41e1e435d9
commit
3d44d735c6
|
@ -129,6 +129,7 @@ ARG_ENABL_SET([eap-ttls], [enable EAP TTLS authentication module.])
|
|||
ARG_ENABL_SET([eap-peap], [enable EAP PEAP authentication module.])
|
||||
ARG_ENABL_SET([eap-tnc], [enable EAP TNC trusted network connect module.])
|
||||
ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
|
||||
ARG_ENABL_SET([xauth-generic], [enable generic XAuth backend.])
|
||||
ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module.])
|
||||
ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
|
||||
ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.])
|
||||
|
@ -842,6 +843,7 @@ ADD_PLUGIN([eap-tls], [c libcharon])
|
|||
ADD_PLUGIN([eap-ttls], [c libcharon])
|
||||
ADD_PLUGIN([eap-peap], [c libcharon])
|
||||
ADD_PLUGIN([eap-tnc], [c libcharon])
|
||||
ADD_PLUGIN([xauth-generic], [c libcharon])
|
||||
ADD_PLUGIN([tnc-ifmap], [c libcharon])
|
||||
ADD_PLUGIN([tnc-imc], [c libcharon])
|
||||
ADD_PLUGIN([tnc-imv], [c libcharon])
|
||||
|
@ -961,6 +963,7 @@ AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
|
|||
AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
|
||||
AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
|
||||
AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
|
||||
AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
|
||||
AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
|
||||
|
@ -1139,6 +1142,7 @@ AC_OUTPUT(
|
|||
src/libcharon/plugins/eap_peap/Makefile
|
||||
src/libcharon/plugins/eap_tnc/Makefile
|
||||
src/libcharon/plugins/eap_radius/Makefile
|
||||
src/libcharon/plugins/xauth_generic/Makefile
|
||||
src/libcharon/plugins/tnc_ifmap/Makefile
|
||||
src/libcharon/plugins/tnc_imc/Makefile
|
||||
src/libcharon/plugins/tnc_imv/Makefile
|
||||
|
|
|
@ -503,4 +503,10 @@ if MONOLITHIC
|
|||
endif
|
||||
endif
|
||||
|
||||
if USE_XAUTH_GENERIC
|
||||
SUBDIRS += plugins/xauth_generic
|
||||
if MONOLITHIC
|
||||
libcharon_la_LIBADD += plugins/xauth_generic/libstrongswan-xauth-generic.la
|
||||
endif
|
||||
endif
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
|
||||
-I$(top_srcdir)/src/libcharon
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
|
||||
if MONOLITHIC
|
||||
noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
|
||||
else
|
||||
plugin_LTLIBRARIES = libstrongswan-xauth-generic.la
|
||||
endif
|
||||
|
||||
libstrongswan_xauth_generic_la_SOURCES = \
|
||||
xauth_generic_plugin.h xauth_generic_plugin.c \
|
||||
xauth_generic.h xauth_generic.c
|
||||
|
||||
libstrongswan_xauth_generic_la_LDFLAGS = -module -avoid-version
|
|
@ -0,0 +1,210 @@
|
|||
/*
|
||||
* Copyright (C) 2011 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "xauth_generic.h"
|
||||
|
||||
#include <daemon.h>
|
||||
#include <library.h>
|
||||
|
||||
typedef struct private_xauth_generic_t private_xauth_generic_t;
|
||||
|
||||
/**
|
||||
* Private data of an xauth_generic_t object.
|
||||
*/
|
||||
struct private_xauth_generic_t {
|
||||
|
||||
/**
|
||||
* Public interface.
|
||||
*/
|
||||
xauth_generic_t public;
|
||||
|
||||
/**
|
||||
* ID of the server
|
||||
*/
|
||||
identification_t *server;
|
||||
|
||||
/**
|
||||
* ID of the peer
|
||||
*/
|
||||
identification_t *peer;
|
||||
|
||||
};
|
||||
|
||||
METHOD(xauth_method_t, initiate_peer, status_t,
|
||||
private_xauth_generic_t *this, cp_payload_t **out)
|
||||
{
|
||||
/* peer never initiates */
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
METHOD(xauth_method_t, process_peer, status_t,
|
||||
private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
|
||||
{
|
||||
shared_key_t *shared;
|
||||
cp_payload_t *cp;
|
||||
chunk_t user, pass;
|
||||
|
||||
shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->peer,
|
||||
this->server);
|
||||
if (!shared)
|
||||
{
|
||||
DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->peer,
|
||||
this->server);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
user = this->peer->get_encoding(this->peer);
|
||||
pass = shared->get_key(shared);
|
||||
|
||||
cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
|
||||
cp->add_attribute(cp, configuration_attribute_create_chunk(
|
||||
CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user));
|
||||
cp->add_attribute(cp, configuration_attribute_create_chunk(
|
||||
CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass));
|
||||
*out = cp;
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(xauth_method_t, initiate_server, status_t,
|
||||
private_xauth_generic_t *this, cp_payload_t **out)
|
||||
{
|
||||
cp_payload_t *cp;
|
||||
|
||||
cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
|
||||
cp->add_attribute(cp, configuration_attribute_create_chunk(
|
||||
CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
|
||||
cp->add_attribute(cp, configuration_attribute_create_chunk(
|
||||
CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
|
||||
*out = cp;
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
||||
METHOD(xauth_method_t, process_server, status_t,
|
||||
private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
|
||||
{
|
||||
configuration_attribute_t *attr;
|
||||
enumerator_t *enumerator;
|
||||
shared_key_t *shared;
|
||||
identification_t *id = NULL, *peer;
|
||||
chunk_t user = chunk_empty, pass = chunk_empty;
|
||||
status_t status = SUCCESS;
|
||||
|
||||
enumerator = in->create_attribute_enumerator(in);
|
||||
while (enumerator->enumerate(enumerator, &attr))
|
||||
{
|
||||
switch (attr->get_type(attr))
|
||||
{
|
||||
case XAUTH_USER_NAME:
|
||||
user = attr->get_chunk(attr);
|
||||
break;
|
||||
case XAUTH_USER_PASSWORD:
|
||||
pass = attr->get_chunk(attr);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (!user.ptr || !pass.ptr)
|
||||
{
|
||||
DBG1(DBG_IKE, "peer did not respond to our XAuth request");
|
||||
return FAILED;
|
||||
}
|
||||
if (user.len)
|
||||
{
|
||||
id = identification_create_from_data(user);
|
||||
if (!id)
|
||||
{
|
||||
DBG1(DBG_IKE, "failed to parse provided XAuth username");
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
peer = id ?: this->peer;
|
||||
shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->server,
|
||||
peer);
|
||||
if (!shared)
|
||||
{
|
||||
DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->server,
|
||||
peer);
|
||||
status = FAILED;
|
||||
}
|
||||
else if (!chunk_equals(shared->get_key(shared), pass))
|
||||
{
|
||||
DBG1(DBG_IKE, "failed to authenticate '%Y' with XAuth", peer);
|
||||
status = FAILED;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG2(DBG_IKE, "authentication of '%Y' with XAuth successful", peer);
|
||||
}
|
||||
DESTROY_IF(id);
|
||||
return status;
|
||||
}
|
||||
|
||||
METHOD(xauth_method_t, destroy, void,
|
||||
private_xauth_generic_t *this)
|
||||
{
|
||||
this->server->destroy(this->server);
|
||||
this->peer->destroy(this->peer);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
xauth_generic_t *xauth_generic_create_peer(identification_t *server,
|
||||
identification_t *peer)
|
||||
{
|
||||
private_xauth_generic_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.xauth_method = {
|
||||
.initiate = _initiate_peer,
|
||||
.process = _process_peer,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
.server = server->clone(server),
|
||||
.peer = peer->clone(peer),
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
xauth_generic_t *xauth_generic_create_server(identification_t *server,
|
||||
identification_t *peer)
|
||||
{
|
||||
private_xauth_generic_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.xauth_method = {
|
||||
.initiate = _initiate_server,
|
||||
.process = _process_server,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
.server = server->clone(server),
|
||||
.peer = peer->clone(peer),
|
||||
);
|
||||
|
||||
return &this->public;
|
||||
}
|
|
@ -0,0 +1,60 @@
|
|||
/*
|
||||
* Copyright (C) 2011 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup xauth_generic_i xauth_generic
|
||||
* @{ @ingroup xauth_generic
|
||||
*/
|
||||
|
||||
#ifndef XAUTH_GENERIC_H_
|
||||
#define XAUTH_GENERIC_H_
|
||||
|
||||
typedef struct xauth_generic_t xauth_generic_t;
|
||||
|
||||
#include <sa/authenticators/xauth/xauth_method.h>
|
||||
|
||||
/**
|
||||
* Implementation of the xauth_method_t interface using cleartext secrets
|
||||
* from any credential set.
|
||||
*/
|
||||
struct xauth_generic_t {
|
||||
|
||||
/**
|
||||
* Implemented xauth_method_t interface.
|
||||
*/
|
||||
xauth_method_t xauth_method;
|
||||
};
|
||||
|
||||
/**
|
||||
* Creates the generic XAuth method, acting as server.
|
||||
*
|
||||
* @param server ID of the XAuth server
|
||||
* @param peer ID of the XAuth client
|
||||
* @return xauth_generic_t object
|
||||
*/
|
||||
xauth_generic_t *xauth_generic_create_server(identification_t *server,
|
||||
identification_t *peer);
|
||||
|
||||
/**
|
||||
* Creates the generic XAuth method, acting as peer.
|
||||
*
|
||||
* @param server ID of the XAuth server
|
||||
* @param peer ID of the XAuth client
|
||||
* @return xauth_generic_t object
|
||||
*/
|
||||
xauth_generic_t *xauth_generic_create_peer(identification_t *server,
|
||||
identification_t *peer);
|
||||
|
||||
#endif /** XAUTH_GENERIC_H_ @}*/
|
|
@ -0,0 +1,62 @@
|
|||
/*
|
||||
* Copyright (C) 2011 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "xauth_generic_plugin.h"
|
||||
#include "xauth_generic.h"
|
||||
|
||||
#include <daemon.h>
|
||||
|
||||
METHOD(plugin_t, get_name, char*,
|
||||
xauth_generic_plugin_t *this)
|
||||
{
|
||||
return "xauth-generic";
|
||||
}
|
||||
|
||||
METHOD(plugin_t, get_features, int,
|
||||
xauth_generic_plugin_t *this, plugin_feature_t *features[])
|
||||
{
|
||||
static plugin_feature_t f[] = {
|
||||
PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_server),
|
||||
PLUGIN_PROVIDE(XAUTH_SERVER, "generic"),
|
||||
PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_peer),
|
||||
PLUGIN_PROVIDE(XAUTH_PEER, "generic"),
|
||||
};
|
||||
*features = f;
|
||||
return countof(f);
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
xauth_generic_plugin_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *xauth_generic_plugin_create()
|
||||
{
|
||||
xauth_generic_plugin_t *this;
|
||||
|
||||
INIT(this,
|
||||
.plugin = {
|
||||
.get_name = _get_name,
|
||||
.get_features = _get_features,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
);
|
||||
|
||||
return &this->plugin;
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
/*
|
||||
* Copyright (C) 2011 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup xauth_generic xauth_generic
|
||||
* @ingroup cplugins
|
||||
*
|
||||
* @defgroup xauth_generic_plugin xauth_generic_plugin
|
||||
* @{ @ingroup xauth_generic
|
||||
*/
|
||||
|
||||
#ifndef XAUTH_GENERIC_PLUGIN_H_
|
||||
#define XAUTH_GENERIC_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct xauth_generic_plugin_t xauth_generic_plugin_t;
|
||||
|
||||
/**
|
||||
* XAuth generic plugin using secrets defined in ipsec.secrets.
|
||||
*/
|
||||
struct xauth_generic_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
#endif /** XAUTH_GENERIC_PLUGIN_H_ @}*/
|
|
@ -100,7 +100,7 @@ struct xauth_method_t {
|
|||
* @return implementation of the eap_method_t interface
|
||||
*/
|
||||
typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
|
||||
identification_t *peer);
|
||||
identification_t *peer);
|
||||
|
||||
/**
|
||||
* Helper function to (un-)register XAuth methods from plugin features.
|
||||
|
|
Loading…
Reference in New Issue