IKEv1 XAuth: Added a "NULL" XAuth plugin which sends a hardcoded user/pass, and blindly accepts whatever user/pass is sent it. Changed the xauth_request task to use this new plugin. Add --enable-xauth-null to your configure line to build with the new plugin.

2011-12-01 16:34:30 +01:00 · 2011-12-01 16:34:30 +01:00 · 4394d96844
parent 9c5366446a
commit 4394d96844
10 changed files with 363 additions and 23 deletions
--- a/configure.in
+++ b/configure.in
@ -193,6 +193,7 @@ ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using livene
 ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([xauth-null],     [enable XAuth module which does no actual identity authentication (testing only).])

 dnl =========================
 dnl  set up compiler and flags
@ -864,6 +865,7 @@ ADD_PLUGIN([maemo],                [c libcharon])
 ADD_PLUGIN([uci],                  [c libcharon])
 ADD_PLUGIN([addrblock],            [c libcharon])
 ADD_PLUGIN([unit-tester],          [c libcharon])
+ADD_PLUGIN([xauth-null],           [c libcharon])

 AC_SUBST(libcharon_plugins)
 AC_SUBST(pluto_plugins)
@ -979,6 +981,7 @@ AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NULL, test x$xauth_null = xtrue)

 dnl hydra plugins
 dnl =============
@ -1170,6 +1173,7 @@ AC_OUTPUT(
 	src/libcharon/plugins/dhcp/Makefile
 	src/libcharon/plugins/unit_tester/Makefile
 	src/libcharon/plugins/load_tester/Makefile
+	src/libcharon/plugins/xauth_null/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
--- a/src/libcharon/plugins/xauth_null/Makefile.am
+++ b/src/libcharon/plugins/xauth_null/Makefile.am
@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-null.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-null.la
+endif
+
+libstrongswan_xauth_null_la_SOURCES = \
+	xauth_null_plugin.h xauth_null_plugin.c xauth_null.h xauth_null.c
+
+libstrongswan_xauth_null_la_LDFLAGS = -module -avoid-version
--- a/src/libcharon/plugins/xauth_null/xauth_null.c
+++ b/src/libcharon/plugins/xauth_null/xauth_null.c
@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_null.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_null_t private_xauth_null_t;
+
+/**
+ * Private data of an xauth_null_t object.
+ */
+struct private_xauth_null_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	xauth_null_t public;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+};
+
+METHOD(xauth_method_t, process_peer, status_t,
+	private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	chunk_t user_name = chunk_from_chars('j', 'o', 's', 't');
+	chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't');
+	cp_payload_t *cp;
+
+	/* TODO-IKEv1: Fetch the user/pass from an authenticator */
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user_name));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, user_pass));
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, initiate_peer, status_t,
+	private_xauth_null_t *this, cp_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, process_server, status_t,
+	private_xauth_null_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	return SUCCESS;
+}
+
+METHOD(xauth_method_t, initiate_server, status_t,
+	private_xauth_null_t *this, cp_payload_t **out)
+{
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, get_type, xauth_type_t,
+	private_xauth_null_t *this, u_int32_t *vendor)
+{
+	return XAUTH_NULL;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_null_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_null_t *xauth_null_create_peer(identification_t *server,
+										 identification_t *peer)
+{
+	private_xauth_null_t *this;
+
+	INIT(this,
+		.public =  {
+			.xauth_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_null_t *xauth_null_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_null_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
--- a/src/libcharon/plugins/xauth_null/xauth_null.h
+++ b/src/libcharon/plugins/xauth_null/xauth_null.h
@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_null_i xauth_null
+ * @{ @ingroup xauth_null
+ */
+
+#ifndef XAUTH_NULL_H_
+#define XAUTH_NULL_H_
+
+typedef struct xauth_null_t xauth_null_t;
+
+#include <sa/authenticators/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t providing no actual identity verification.
+ */
+struct xauth_null_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the XAuth method XAuth NULL, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_null_t object
+ */
+xauth_null_t *xauth_null_create_server(identification_t *server,
+										   identification_t *peer);
+
+/**
+ * Creates the XAuth method XAuth NULL, acting as peer.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_null_t object
+ */
+xauth_null_t *xauth_null_create_peer(identification_t *server,
+										 identification_t *peer);
+
+#endif /** XAUTH_NULL_H_ @}*/
--- a/src/libcharon/plugins/xauth_null/xauth_null_plugin.c
+++ b/src/libcharon/plugins/xauth_null/xauth_null_plugin.c
@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_null_plugin.h"
+#include "xauth_null.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_null_plugin_t *this)
+{
+	return "xauth-null";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_null_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, XAUTH_NULL),
+		PLUGIN_CALLBACK(xauth_method_register, xauth_null_create_peer),
+			PLUGIN_PROVIDE(XAUTH_PEER, XAUTH_NULL),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_null_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_null_plugin_create()
+{
+	xauth_null_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
--- a/src/libcharon/plugins/xauth_null/xauth_null_plugin.h
+++ b/src/libcharon/plugins/xauth_null/xauth_null_plugin.h
@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_null xauth_null
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_null_plugin xauth_null_plugin
+ * @{ @ingroup xauth_null
+ */
+
+#ifndef XAUTH_NULL_PLUGIN_H_
+#define XAUTH_NULL_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_null_plugin_t xauth_null_plugin_t;
+
+/**
+ * XAUTH Null plugin.
+ */
+struct xauth_null_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_NULL_PLUGIN_H_ @}*/
--- a/src/libcharon/sa/authenticators/xauth_authenticator.c
+++ b/src/libcharon/sa/authenticators/xauth_authenticator.c
@ -98,7 +98,7 @@ METHOD(authenticator_t, process, status_t,

 	cp_in = (cp_payload_t *)message->get_payload(message, CONFIGURATION_V1);

-	xauth_method = load_method(this, XAUTH_RADIUS, 0);
+	xauth_method = load_method(this, XAUTH_NULL, 0);

 	if(xauth_method != NULL)
 	{
--- a/src/libcharon/sa/tasks/xauth_request.c
+++ b/src/libcharon/sa/tasks/xauth_request.c
@ -4,6 +4,7 @@
 #include <daemon.h>
 #include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
+#include <sa/authenticators/xauth_authenticator.h>

 typedef struct private_xauth_request_t private_xauth_request_t;

@ -90,6 +91,11 @@ struct private_xauth_request_t {
 	 * Whether the XAuth status attribute was received
 	 */
 	bool xauth_status_recv;
+
+	/**
+	 * The XAuth authenticator_t object
+	 */
+	authenticator_t *xauth_authenticator;
 };

 /**
@ -343,6 +349,11 @@ static status_t process_payloads(private_xauth_request_t *this, message_t *messa
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	if(this->xauth_authenticator)
+	{
+		this->xauth_authenticator->process(this->xauth_authenticator, message);
+	}
 	return NEED_MORE;
 }

@ -360,6 +371,7 @@ METHOD(task_t, build_i, status_t,
 	attribute_handler_t *handler;
 	configuration_attribute_type_t type;
 	chunk_t data;
+	status_t status;

 	version = this->ike_sa->get_version(this->ike_sa);
 	if(version == IKEV1)
@ -401,10 +413,11 @@ METHOD(task_t, build_i, status_t,
 						ca_type, XAUTH_USER_PASSWORD, chunk));
 			break;
 		case TASK_XAUTH_PASS_VERIFY:
+			status = this->xauth_authenticator->build(this->xauth_authenticator, message);
 			cp = cp_payload_create_type(cp_type, CFG_SET);
 			cp->add_attribute(cp, configuration_attribute_create_value(
 						XAUTH_STATUS,
-						(this->status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK)));
+						(status == FAILED ? XAUTH_STATUS_FAIL : XAUTH_STATUS_OK)));
 			break;
 		case TASK_XAUTH_COMPLETE:
 			/* ConfigMode stuff */
@ -467,6 +480,7 @@ METHOD(task_t, process_r, status_t,
 {
 	ike_version_t version;
 	payload_type_t cp_type;
+	status_t status;

 	version = this->ike_sa->get_version(this->ike_sa);
 	if(version == IKEV1)
@ -485,6 +499,10 @@ METHOD(task_t, process_r, status_t,
 				/* We aren't XAuth, so do we should expect ConfigMode stuff */
 				this->state = TASK_XAUTH_COMPLETE;
 		}
+		if((this->xauth_authenticator == NULL) && (this->state == TASK_XAUTH_INIT))
+		{
+			this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_builder(this->ike_sa);
+		}
 		cp_type = CONFIGURATION_V1;
 	}
 	else /* IKEv2 */
@ -498,14 +516,17 @@ METHOD(task_t, process_r, status_t,
 		cp_type = CONFIGURATION;
 	}

-	return process_payloads(this, message);
+	status = process_payloads(this, message);
+	if(this->xauth_authenticator != NULL)
+	{
+		status = this->xauth_authenticator->process(this->xauth_authenticator, message);
+	}
+	return status;
 }

 METHOD(task_t, build_r, status_t,
 	private_xauth_request_t *this, message_t *message)
 {
-	chunk_t user_name = chunk_from_chars('j', 'o', 's', 't');
-	chunk_t user_pass = chunk_from_chars('j', 'o', 's', 't');
 	status_t status;
 	cp_payload_t *cp = NULL;
 	payload_type_t cp_type = CONFIGURATION;
@ -518,11 +539,11 @@ METHOD(task_t, build_r, status_t,
 	host_t *vip = NULL;
 	peer_cfg_t *config;

-	if(this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+	version = this->ike_sa->get_version(this->ike_sa);
+	if ((version == IKEV2) && (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED))
 	{
 		return NEED_MORE;
 	}
-	version = this->ike_sa->get_version(this->ike_sa);
 	if(version == IKEV1)
 	{
 		if(!this->auth_cfg)
@ -545,17 +566,8 @@ METHOD(task_t, build_r, status_t,
 	switch(this->state)
 	{
 		case TASK_XAUTH_INIT:
-			/* TODO-IKEv1: Fetch the user/pass from an authenticator */
-			cp = cp_payload_create_type(cp_type, CFG_REPLY);
-			cp->add_attribute(cp, configuration_attribute_create_chunk(
-						ca_type, XAUTH_USER_NAME, user_name));
-			cp->add_attribute(cp, configuration_attribute_create_chunk(
-						ca_type, XAUTH_USER_PASSWORD, user_pass));
-			chunk_clear(&user_name);
-			chunk_clear(&user_pass);
-
+			status = this->xauth_authenticator->build(this->xauth_authenticator, message);
 			this->state = TASK_XAUTH_PASS_VERIFY;
-			status = NEED_MORE;
 			break;
 		case TASK_XAUTH_PASS_VERIFY:
 			cp = cp_payload_create_type(cp_type, CFG_ACK);
@ -612,6 +624,10 @@ METHOD(task_t, build_r, status_t,
 		default:
 			return FAILED;
 	}
+	if(cp != NULL)
+	{
+		message->add_payload(message, (payload_t *)cp);
+	}
 	if(status == SUCCESS)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
@ -629,6 +645,10 @@ METHOD(task_t, process_i, status_t,
 			(this->ike_sa->get_version(this->ike_sa) == IKEV1))
 	{	/* in last IKE_AUTH exchange */

+		if(this->xauth_authenticator == NULL)
+		{
+			this->xauth_authenticator = (authenticator_t *)xauth_authenticator_create_verifier(this->ike_sa);
+		}
 		status = process_payloads(this, message);
 		this->state = this->next_state;

@ -674,6 +694,7 @@ METHOD(task_t, destroy, void,
 {
 	DESTROY_IF(this->virtual_ip);
 	this->requested->destroy_function(this->requested, free);
+	this->xauth_authenticator->destroy(this->xauth_authenticator);
 	free(this);
 }

--- a/src/libstrongswan/xauth/xauth.c
+++ b/src/libstrongswan/xauth/xauth.c
@ -15,13 +15,15 @@

 #include "xauth.h"

-ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_RADIUS,
-	"XAUTH_RADIUS");
-ENUM_END(xauth_method_type_names, XAUTH_RADIUS);
+ENUM_BEGIN(xauth_method_type_names, XAUTH_RADIUS, XAUTH_NULL,
+	"XAUTH_RADIUS",
+	"XAUTH_NULL");
+ENUM_END(xauth_method_type_names, XAUTH_NULL);

-ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_RADIUS,
-	"RAD");
-ENUM_END(xauth_method_type_short_names, XAUTH_RADIUS);
+ENUM_BEGIN(xauth_method_type_short_names, XAUTH_RADIUS, XAUTH_NULL,
+	"RAD",
+	"NULL");
+ENUM_END(xauth_method_type_short_names, XAUTH_NULL);

 /*
 * See header
@ -34,6 +36,7 @@ xauth_type_t xauth_type_from_string(char *name)
 		xauth_type_t type;
 	} types[] = {
 		{"radius",		XAUTH_RADIUS},
+		{"null",		XAUTH_NULL},
 	};

 	for (i = 0; i < countof(types); i++)
--- a/src/libstrongswan/xauth/xauth.h
+++ b/src/libstrongswan/xauth/xauth.h
@ -30,6 +30,7 @@ typedef enum xauth_type_t xauth_type_t;
 */
 enum xauth_type_t {
 	XAUTH_RADIUS = 253,
+	XAUTH_NULL = 254,
 };

 /**