Extract client identity and authentication type from SASL authentication

2013-08-09 22:10:37 +02:00 · 2013-08-09 22:10:37 +02:00 · 97b1d39de5
parent 6d6100c2bc
commit 97b1d39de5
7 changed files with 76 additions and 9 deletions
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@ -61,6 +61,7 @@ struct private_pt_tls_server_t {
 	 * TNCCS protocol handler, implemented as tls_t
 	 */
 	tls_t *tnccs;
+
 };

 /**
@ -111,8 +112,27 @@ static status_t process_sasl(private_pt_tls_server_t *this,
 							 sasl_mechanism_t *sasl, chunk_t data)
 {
 	bio_writer_t *writer;
+	status_t status;
+	identification_t *client;
+	tnccs_t *tnccs;

-	switch (sasl->process(sasl, data))
+	status = sasl->process(sasl, data);
+	if (status != NEED_MORE)
+	{
+		client = sasl->get_client(sasl);
+		if (client)
+		{
+			DBG1(DBG_TNC, "SASL client identity is '%Y'", client);
+			this->tnccs->set_peer_id(this->tnccs, client);
+			if (streq(sasl->get_name(sasl), "PLAIN"))
+			{
+				tnccs = (tnccs_t*)this->tnccs;
+				tnccs->set_auth_type(tnccs, TNC_AUTH_PASSWORD);
+			}
+		}
+	}
+
+	switch (status)
 	{
 		case NEED_MORE:
 			return NEED_MORE;
--- a/src/libpttls/sasl/sasl_mechanism.h
+++ b/src/libpttls/sasl/sasl_mechanism.h
@ -50,6 +50,13 @@ struct sasl_mechanism_t {
 	 */
 	char* (*get_name)(sasl_mechanism_t *this);

+	/**
+	 * Get the client identity
+	 *
+	 * @return			client identity
+	 */
+	identification_t* (*get_client)(sasl_mechanism_t *this);
+
 	/**
 	 * Build a SASL message to send to remote host.
 	 *
--- a/src/libpttls/sasl/sasl_plain/sasl_plain.c
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@ -35,6 +35,12 @@ struct private_sasl_plain_t {
 	identification_t *client;
 };

+METHOD(sasl_mechanism_t, get_client, identification_t*,
+	private_sasl_plain_t *this)
+{
+	return this->client;
+}
+
 METHOD(sasl_mechanism_t, get_name, char*,
 	private_sasl_plain_t *this)
 {
@ -52,7 +58,6 @@ METHOD(sasl_mechanism_t, process_server, status_t,
 	private_sasl_plain_t *this, chunk_t message)
 {
 	chunk_t authz, authi, password;
-	identification_t *id;
 	shared_key_t *shared;
 	u_char *pos;

@ -72,22 +77,21 @@ METHOD(sasl_mechanism_t, process_server, status_t,
 	}
 	authi = chunk_create(message.ptr, pos - message.ptr);
 	password = chunk_skip(message, authi.len + 1);
-	id = identification_create_from_data(authi);
-	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+	DESTROY_IF(this->client);
+	this->client = identification_create_from_data(authi);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client,
+									  NULL);
 	if (!shared)
 	{
-		DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
-		id->destroy(id);
+		DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
 		return FAILED;
 	}
 	if (!chunk_equals(shared->get_key(shared), password))
 	{
-		DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
-		id->destroy(id);
+		DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client);
 		shared->destroy(shared);
 		return FAILED;
 	}
-	id->destroy(id);
 	shared->destroy(shared);
 	return SUCCESS;
 }
@ -151,6 +155,7 @@ sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
 		.public = {
 			.sasl = {
 				.get_name = _get_name,
+				.get_client = _get_client,
 				.destroy = _destroy,
 			},
 		},
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@ -199,6 +199,13 @@ struct tls_t {
 	 */
 	identification_t* (*get_server_id)(tls_t *this);

+	/**
+	 * Set the peer identity.
+	 *
+	 * @param id		peer identity
+	 */
+	void (*set_peer_id)(tls_t *this, identification_t *id);
+
 	/**
 	 * Return the peer identity.
 	 *
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@ -525,6 +525,13 @@ METHOD(tls_t, get_server_id, identification_t*,
 	return this->server;
 }

+METHOD(tls_t, set_peer_id, void,
+	private_tnccs_11_t *this, identification_t *id)
+{
+	DESTROY_IF(this->peer);
+	this->peer = id->clone(id);
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_11_t *this)
 {
@ -611,6 +618,7 @@ tnccs_t* tnccs_11_create(bool is_server,
 				.build = _build,
 				.is_server = _is_server,
 				.get_server_id = _get_server_id,
+				.set_peer_id = _set_peer_id,
 				.get_peer_id = _get_peer_id,
 				.get_purpose = _get_purpose,
 				.is_complete = _is_complete,
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@ -834,6 +834,13 @@ METHOD(tls_t, get_server_id, identification_t*,
 	return this->server;
 }

+METHOD(tls_t, set_peer_id, void,
+	private_tnccs_20_t *this, identification_t *id)
+{
+	DESTROY_IF(this->peer);
+	this->peer = id->clone(id);
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_20_t *this)
 {
@ -922,6 +929,7 @@ tnccs_t* tnccs_20_create(bool is_server,
 				.build = _build,
 				.is_server = _is_server,
 				.get_server_id = _get_server_id,
+				.set_peer_id = _set_peer_id,
 				.get_peer_id = _get_peer_id,
 				.get_purpose = _get_purpose,
 				.is_complete = _is_complete,
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
@ -135,6 +135,17 @@ METHOD(tls_t, get_server_id, identification_t*,
 	return this->server;
 }

+METHOD(tls_t, set_peer_id, void,
+	private_tnccs_dynamic_t *this, identification_t *id)
+{
+	DESTROY_IF(this->peer);
+	this->peer = id->clone(id);
+	if (this->tls)
+	{
+		this->tls->set_peer_id(this->tls, id);
+	}
+}
+
 METHOD(tls_t, get_peer_id, identification_t*,
 	private_tnccs_dynamic_t *this)
 {
@ -208,6 +219,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
 				.build = _build,
 				.is_server = _is_server,
 				.get_server_id = _get_server_id,
+				.set_peer_id = _set_peer_id,
 				.get_peer_id = _get_peer_id,
 				.get_purpose = _get_purpose,
 				.is_complete = _is_complete,