Extract client identity and authentication type from SASL authentication
parent
6d6100c2bc
commit
97b1d39de5
@ -61,6 +61,7 @@ struct private_pt_tls_server_t {
* TNCCS protocol handler, implemented as tls_t
*/
tls_t *tnccs;
};
/**
@ -111,8 +112,27 @@ static status_t process_sasl(private_pt_tls_server_t *this,
sasl_mechanism_t *sasl, chunk_t data)
{
bio_writer_t *writer;
status_t status;
identification_t *client;
tnccs_t *tnccs;
switch (sasl->process(sasl, data))
status = sasl->process(sasl, data);
if (status != NEED_MORE)
{
client = sasl->get_client(sasl);
if (client)
{
DBG1(DBG_TNC, "SASL client identity is '%Y'", client);
this->tnccs->set_peer_id(this->tnccs, client);
if (streq(sasl->get_name(sasl), "PLAIN"))
{
tnccs = (tnccs_t*)this->tnccs;
tnccs->set_auth_type(tnccs, TNC_AUTH_PASSWORD);
}
}
}
switch (status)
{
case NEED_MORE:
return NEED_MORE;
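Review bot: The client identity reaches the TNCCS layer on any status other than NEED_MORE, including FAILED, because the new guard `if (status != NEED_MORE)` does not distinguish success from failure; sasl_plain's process_server (the `@ -72,22 +77,21` hunk) now keeps `this->client` set after a password mismatch, so a rejected peer's name would be passed to set_peer_id and tagged TNC_AUTH_PASSWORD. Unless the FAILED case of the switch below tears the session down before anything reads the peer id, the guard should be `if (status == SUCCESS)`. The cast `tnccs = (tnccs_t*)this->tnccs;` presumably relies on tnccs_t starting with its tls_t interface; that assumption is not visible here and deserves a comment such as `/* tnccs_t embeds tls_t as its first member, so the cast is safe */` once confirmed. The body of process_sasl continues past the end of the hunk.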
@ -50,6 +50,13 @@ struct sasl_mechanism_t {
*/
char* (*get_name)(sasl_mechanism_t *this);
/**
* Get the client identity
*
* @return client identity
*/
identification_t* (*get_client)(sasl_mechanism_t *this);
/**
* Build a SASL message to send to remote host.
*
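Review bot: The new get_client() documentation states neither ownership nor when the value is meaningful. The sasl_plain implementation returns its internal pointer and destroys it on the next process_server() call, and process_sasl in pt_tls_server tests the result for NULL, so the comment should say `@return client identity as presented by the peer, NULL if not yet known; owned by the mechanism and valid only until the next process() call`. It should also make clear that a non-NULL identity does not imply the peer was authenticated — that is told by the status returned from process().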
@ -35,6 +35,12 @@ struct private_sasl_plain_t {
identification_t *client;
};
METHOD(sasl_mechanism_t, get_client, identification_t*,
private_sasl_plain_t *this)
{
return this->client;
}
METHOD(sasl_mechanism_t, get_name, char*,
private_sasl_plain_t *this)
{
@ -52,7 +58,6 @@ METHOD(sasl_mechanism_t, process_server, status_t,
private_sasl_plain_t *this, chunk_t message)
{
chunk_t authz, authi, password;
identification_t *id;
shared_key_t *shared;
u_char *pos;
@ -72,22 +77,21 @@ METHOD(sasl_mechanism_t, process_server, status_t,
}
authi = chunk_create(message.ptr, pos - message.ptr);
password = chunk_skip(message, authi.len + 1);
id = identification_create_from_data(authi);
shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
DESTROY_IF(this->client);
this->client = identification_create_from_data(authi);
shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client,
NULL);
if (!shared)
{
DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
id->destroy(id);
DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
return FAILED;
}
if (!chunk_equals(shared->get_key(shared), password))
{
DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
id->destroy(id);
DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client);
shared->destroy(shared);
return FAILED;
}
id->destroy(id);
shared->destroy(shared);
return SUCCESS;
}
@ -151,6 +155,7 @@ sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
.public = {
.sasl = {
.get_name = _get_name,
.get_client = _get_client,
.destroy = _destroy,
},
},
@ -199,6 +199,13 @@ struct tls_t {
*/
identification_t* (*get_server_id)(tls_t *this);
/**
* Set the peer identity.
*
* @param id peer identity
*/
void (*set_peer_id)(tls_t *this, identification_t *id);
/**
* Return the peer identity.
*
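Review bot: The new set_peer_id() contract does not say who owns `id` afterwards or whether NULL is allowed, and all three implementations in this commit (tnccs_11, tnccs_20, tnccs_dynamic) call `id->clone(id)` unconditionally. The comment should therefore read `@param id peer identity, cloned by the implementation; must not be NULL` so that callers know to keep releasing their own reference and to check for a missing identity before calling, as process_sasl in pt_tls_server already does.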
@ -525,6 +525,13 @@ METHOD(tls_t, get_server_id, identification_t*,
return this->server;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_11_t *this, identification_t *id)
{
DESTROY_IF(this->peer);
this->peer = id->clone(id);
}
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_11_t *this)
{
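Review bot: set_peer_id() takes ownership of a clone in `this->peer`, but none of the hunks for tnccs_11, tnccs_20 (`@ -834,6 +834,13`) or tnccs_dynamic (`@ -135,6 +135,17`) show the corresponding release in the destroy method, so please confirm `DESTROY_IF(this->peer);` was added there — otherwise every session leaks one identification_t. The destroy methods lie outside the visible hunks, so this is inferred rather than observed. A one-line comment above the member, e.g. `/* peer identity, owned, released in destroy() */`, would make the ownership explicit.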
@ -611,6 +618,7 @@ tnccs_t* tnccs_11_create(bool is_server,
.build = _build,
.is_server = _is_server,
.get_server_id = _get_server_id,
.set_peer_id = _set_peer_id,
.get_peer_id = _get_peer_id,
.get_purpose = _get_purpose,
.is_complete = _is_complete,
@ -834,6 +834,13 @@ METHOD(tls_t, get_server_id, identification_t*,
return this->server;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_20_t *this, identification_t *id)
{
DESTROY_IF(this->peer);
this->peer = id->clone(id);
}
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_20_t *this)
{
@ -922,6 +929,7 @@ tnccs_t* tnccs_20_create(bool is_server,
.build = _build,
.is_server = _is_server,
.get_server_id = _get_server_id,
.set_peer_id = _set_peer_id,
.get_peer_id = _get_peer_id,
.get_purpose = _get_purpose,
.is_complete = _is_complete,
@ -135,6 +135,17 @@ METHOD(tls_t, get_server_id, identification_t*,
return this->server;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_dynamic_t *this, identification_t *id)
{
DESTROY_IF(this->peer);
this->peer = id->clone(id);
if (this->tls)
{
this->tls->set_peer_id(this->tls, id);
}
}
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_dynamic_t *this)
{
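Review bot: The dynamic wrapper forwards the identity to `this->tls` only when that object already exists, so a set_peer_id() call made before the inner TNCCS instance is created leaves the identity in `this->peer` alone; whether it is handed down once the inner object appears is not visible in this hunk and should be confirmed. If the later creation path does propagate it, a comment on the `if (this->tls)` line such as `/* inner TNCCS not yet negotiated; peer is forwarded when it is created */` would record that; if it does not, the identity set by pt_tls_server before protocol selection would be lost on the inner object.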
@ -208,6 +219,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
.build = _build,
.is_server = _is_server,
.get_server_id = _get_server_id,
.set_peer_id = _set_peer_id,
.get_peer_id = _get_peer_id,
.get_purpose = _get_purpose,
.is_complete = _is_complete,