ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

added XAUTH server and client support

This commit is contained in:
Andreas Steffen 2007-01-04 14:28:57 +00:00
parent ac048a8d2c
commit b4f3cd5ccf
13 changed files with 577 additions and 424 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/pluto/connections.c
View File

@ -3333,6 +3333,9 @@ refine_host_connection(const struct state *st, const struct id *peer_id
case XAUTHInitPreShared:
case XAUTHRespPreShared:
auth_policy = POLICY_XAUTH_PSK;
psk = get_preshared_secret(c);
if (psk == NULL)
return NULL; /* cannot determine PSK! */
break;
case OAKLEY_RSA_SIG:
auth_policy = POLICY_RSASIG;

34
src/pluto/constants.c
View File

@ -54,8 +54,8 @@ const char compile_time_interop_options[] = ""
#ifdef VENDORID
" VENDORID"
#endif
#ifdef XAUTH_VID
" XAUTH_VID"
#ifdef CISCO_QUIRKS
" CISCO_QUIRKS"
#endif
#ifdef USE_KEYRR
" KEYRR"
@ -183,19 +183,22 @@ static const char *const state_name[] = {
"STATE_INFO",
"STATE_INFO_PROTECTED",
"STATE_XAUTH_R1",
"STATE_XAUTH_R2",
"STATE_XAUTH_R3",
"STATE_XAUTH_I0",
"STATE_XAUTH_R1",
"STATE_XAUTH_I1",
"STATE_XAUTH_R2",
"STATE_XAUTH_I2",
"STATE_XAUTH_R3",
"STATE_MODE_CFG_R0",
"STATE_MODE_CFG_R1",
"STATE_MODE_CFG_R2",
"STATE_MODE_CFG_I1",
"STATE_MODE_CFG_R1",
"STATE_MODE_CFG_I2",
"STATE_MODE_CFG_I0",
"STATE_MODE_CFG_R3",
"STATE_MODE_CFG_I3",
"STATE_MODE_CFG_R4",
"STATE_IKE_ROOF"
};
@ -224,19 +227,22 @@ const char *const state_story[] = {
"got Informational Message in clear", /* STATE_INFO */
"got encrypted Informational Message", /* STATE_INFO_PROTECTED */
"sent XAUTH request, expecting reply", /* STATE_XAUTH_R1 */
"sent XAUTH status, expecting ack", /* STATE_XAUTH_R2 */
"received XAUTH ack, established", /* STATE_XAUTH_R3 */
"expecting XAUTH request", /* STATE_XAUTH_I0 */
"sent XAUTH request, expecting reply", /* STATE_XAUTH_R1 */
"sent XAUTH reply, expecting status", /* STATE_XAUTH_I1 */
"sent XAUTH status, expecting ack", /* STATE_XAUTH_R2 */
"sent XAUTH ack, established", /* STATE_XAUTH_I2 */
"received XAUTH ack, established", /* STATE_XAUTH_R3 */
"expecting ModeCfg request", /* STATE_MODE_CFG_R0 */
"sent ModeCfg reply, expecting ack", /* STATE_MODE_CFG_R1 */
"received ModeCfg ack, established" /* STATE_MODE_CFG_R2 */
"sent ModeCfg request, expecting reply", /* STATE_MODE_CFG_I1 */
"sent ModeCfg ack, established", /* STATE_MODE_CFG_I2 */
"received ModeCfg set, sent ack", /* STATE_MODE_CFG_I3 */
"sent ModeCfg reply, established", /* STATE_MODE_CFG_R1 */
"received ModeCfg reply, established", /* STATE_MODE_CFG_I2 */
"expecting ModeCfg set", /* STATE_MODE_CFG_I0 */
"sent ModeCfg set, expecting ack", /* STATE_MODE_CFG_R3 */
"sent ModeCfg ack, established", /* STATE_MODE_CFG_I3 */
"received ModeCfg ack, established", /* STATE_MODE_CFG_R4 */
};
/* kind of struct connection */

54
src/pluto/constants.h
View File

@ -508,23 +508,27 @@ enum state_kind {
/* XAUTH states */
STATE_XAUTH_R1, /* responder states (server) */
STATE_XAUTH_I0, /* initiator state (client) */
STATE_XAUTH_R1, /* responder state (server) */
STATE_XAUTH_I1,
STATE_XAUTH_R2,
STATE_XAUTH_I2,
STATE_XAUTH_R3,
STATE_XAUTH_I0, /* initiator states (client) */
STATE_XAUTH_I1,
STATE_XAUTH_I2,
/* Mode Config states */
/* Mode Config pull states */
STATE_MODE_CFG_R0, /* responder states */
STATE_MODE_CFG_R0, /* responder state (server) */
STATE_MODE_CFG_I1, /* initiator state (client) */
STATE_MODE_CFG_R1,
STATE_MODE_CFG_R2,
STATE_MODE_CFG_I1, /* initiator states */
STATE_MODE_CFG_I2,
/* Mode Config push states */
STATE_MODE_CFG_I0, /* initiator state (client) */
STATE_MODE_CFG_R3, /* responder state (server) */
STATE_MODE_CFG_I3,
STATE_MODE_CFG_R4,
STATE_IKE_ROOF
};
@ -537,26 +541,26 @@ enum state_kind {
LELEM(STATE_MAIN_R3) | LELEM(STATE_MAIN_I4) \
| LELEM(STATE_XAUTH_R1) | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
| LELEM(STATE_XAUTH_I1) | LELEM(STATE_XAUTH_I2) \
| LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_R2) \
| LELEM(STATE_MODE_CFG_I2) | LELEM(STATE_MODE_CFG_I3))
| LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
| LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
#define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
|| (STATE_XAUTH_R1 <= (s) && (s) <= STATE_XAUTH_I2) \
|| (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_I3))
|| (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
|| (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
#define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
#define IS_ISAKMP_SA_ESTABLISHED(s) ( \
(s) == STATE_MAIN_R3 \
|| (s) == STATE_MAIN_I4 \
|| (s) == STATE_XAUTH_R1 \
|| (s) == STATE_XAUTH_R2 \
|| (s) == STATE_XAUTH_R3 \
|| (s) == STATE_XAUTH_I1 \
|| (s) == STATE_XAUTH_I2 \
|| (s) == STATE_MODE_CFG_R1 \
|| (s) == STATE_MODE_CFG_R2 \
|| (s) == STATE_MODE_CFG_I2 \
|| (s) == STATE_MODE_CFG_I3)
#define IS_ISAKMP_SA_ESTABLISHED(s) ( \
(s) == STATE_MAIN_R3 \
|| (s) == STATE_MAIN_I4 \
|| (s) == STATE_XAUTH_R3 \
|| (s) == STATE_XAUTH_I2 \
|| (s) == STATE_MODE_CFG_R1 \
|| (s) == STATE_MODE_CFG_I2 \
|| (s) == STATE_MODE_CFG_I3 \
|| (s) == STATE_MODE_CFG_R4)
#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)

118
src/pluto/demux.c
View File

@ -436,77 +436,81 @@ static const struct state_microcode state_microcode_table[] = {
, P(HASH), LEMPTY, PT(NONE)
, EVENT_NULL, informational },
/* XAUTH server */
/* XAUTH state transitions */
{ STATE_XAUTH_I0, STATE_XAUTH_I1
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_RETRANSMIT, xauth_inI0 },
{ STATE_XAUTH_R1, STATE_XAUTH_R2
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_RETRANSMIT, xauth_inR1 },
{ STATE_XAUTH_R2, STATE_XAUTH_R3
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(NONE)
, EVENT_SA_REPLACE, xauth_inR2 },
{ STATE_XAUTH_R3, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
/* XAUTH client */
{ STATE_XAUTH_I0, STATE_XAUTH_I1
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, xauth_inI0 },
{ STATE_XAUTH_I1, STATE_XAUTH_I2
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, xauth_inI1 },
{ STATE_XAUTH_R2, STATE_XAUTH_R3
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(NONE)
, EVENT_SA_REPLACE, xauth_inR2 },
{ STATE_XAUTH_I2, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
/* MODE_CFG_x:
* Case R0: Responder -> Initiator
* <- Req(addr=0)
* Reply(ad=x) ->
*
* Case R1: Set(addr=x) ->
* <- Ack(ok)
*/
{ STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inR0 },
{ STATE_MODE_CFG_R1, STATE_MODE_CFG_R2
, SMF_ALL_AUTH | SMF_ENCRYPTED
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inR1 },
{ STATE_MODE_CFG_R2, STATE_UNDEFINED
{ STATE_XAUTH_R3, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
/* ModeCfg pull mode state transitions */
{ STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inR0 },
{ STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inI1 },
{ STATE_MODE_CFG_I2, STATE_MODE_CFG_I3
{ STATE_MODE_CFG_R1, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
{ STATE_MODE_CFG_I2, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
/* ModeCfg push mode state transitions */
{ STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inI2 },
, EVENT_SA_REPLACE, modecfg_inI0 },
{ STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, modecfg_inR3 },
{ STATE_MODE_CFG_I3, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
{ STATE_MODE_CFG_R4, STATE_UNDEFINED
, SMF_ALL_AUTH | SMF_ENCRYPTED
, LEMPTY, LEMPTY, PT(NONE)
, EVENT_NULL, unexpected },
#undef P
#undef PT
};
@ -1464,11 +1468,6 @@ process_packet(struct msg_digest **mdp)
return;
}
if (st->st_state == STATE_MODE_CFG_R2) /* Have we just give an IP address to peer? */
{
st->st_state = STATE_MAIN_R3; /* ISAKMP is up... */
}
set_cur_state(st);
if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
@ -1588,7 +1587,7 @@ process_packet(struct msg_digest **mdp)
& (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
!= LEMPTY;
if (has_xauth_policy
if (has_xauth_policy && !st->st_xauth.started
&& IS_PHASE1(st->st_state))
{
from_state = STATE_XAUTH_I0;
@ -1601,7 +1600,7 @@ process_packet(struct msg_digest **mdp)
else if (st->st_connection->spd.this.modecfg
&& IS_PHASE1(st->st_state))
{
from_state = STATE_MODE_CFG_I2;
from_state = STATE_MODE_CFG_I0;
}
else
{
@ -1616,7 +1615,6 @@ process_packet(struct msg_digest **mdp)
set_cur_state(st);
from_state = st->st_state;
}
break;
#ifdef NOTYET
@ -2358,7 +2356,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
}
if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
|| IS_IPSEC_SA_ESTABLISHED(st->st_state))
|| IS_IPSEC_SA_ESTABLISHED(st->st_state))
{
/* log our success */
plog("%s%s", story, sadetails);
@ -2391,6 +2389,17 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
break;
}
/* Wait for XAUTH request from server */
if (has_xauth_policy && !is_xauth_server
&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
&& !st->st_xauth.started)
{
DBG(DBG_CONTROL,
DBG_log("waiting for XAUTH request from server")
)
break;
}
/* Should we start ModeConfig as a client? */
if (st->st_connection->spd.this.modecfg
&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
@ -2417,17 +2426,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
break;
}
/* Wait for XAUTH request from server */
if (has_xauth_policy && !is_xauth_server
&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
&& !st->st_xauth.started)
{
DBG(DBG_CONTROL,
DBG_log("waiting for XAUTH request from server")
)
break;
}
/* Wait for ModeConfig set from server */
if (st->st_connection->spd.this.modecfg
&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
@ -2453,7 +2451,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
}
if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
|| IS_IPSEC_SA_ESTABLISHED(st->st_state))
|| IS_IPSEC_SA_ESTABLISHED(st->st_state))
release_whack(st);
break;

70
src/pluto/ipsec_doi.c
View File

@ -79,15 +79,6 @@
#define SEND_PLUTO_VID 0
#endif /* !VENDORID */
/*
* are we sending an XAUTH VID (Cisco Mode Config Interoperability)?
*/
#ifdef XAUTH_VID
#define SEND_XAUTH_VID 1
#else /* !XAUTH_VID */
#define SEND_XAUTH_VID 0
#endif /* !XAUTH_VID */
/*
* are we sending a Cisco Unity VID?
*/
@ -900,12 +891,12 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
/* determine how many Vendor ID payloads we will be sending */
if (SEND_PLUTO_VID)
vids_to_send++;
if (SEND_XAUTH_VID)
vids_to_send++;
if (SEND_CISCO_UNITY_VID)
vids_to_send++;
if (c->spd.this.cert.type == CERT_PGP)
vids_to_send++;
/* always send XAUTH Vendor ID */
vids_to_send++;
/* always send DPD Vendor ID */
vids_to_send++;
if (nat_traversal_enabled)
@ -974,17 +965,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
}
}
/* if enabled send XAUTH Vendor ID */
if (SEND_XAUTH_VID)
{
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &rbody, VID_MISC_XAUTH))
{
reset_cur_state();
return STF_INTERNAL_ERROR;
}
}
/* if enabled send Cisco Unity Vendor ID */
if (SEND_CISCO_UNITY_VID)
{
@ -1008,6 +988,14 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
}
}
/* Announce our ability to do eXtended AUTHentication to the peer */
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &rbody, VID_MISC_XAUTH))
{
reset_cur_state();
return STF_INTERNAL_ERROR;
}
/* Announce our ability to do Dead Peer Detection to the peer */
{
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
@ -3118,12 +3106,12 @@ main_inI1_outR1(struct msg_digest *md)
/* determine how many Vendor ID payloads we will be sending */
if (SEND_PLUTO_VID)
vids_to_send++;
if (SEND_XAUTH_VID)
vids_to_send++;
if (SEND_CISCO_UNITY_VID)
vids_to_send++;
if (md->openpgp)
vids_to_send++;
/* always send XAUTH Vendor ID */
vids_to_send++;
/* always send DPD Vendor ID */
vids_to_send++;
if (md->nat_traversal_vid && nat_traversal_enabled)
@ -3167,16 +3155,6 @@ main_inI1_outR1(struct msg_digest *md)
}
}
/* if enabled send XAUTH Vendor ID */
if (SEND_XAUTH_VID)
{
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &md->rbody, VID_MISC_XAUTH))
{
return STF_INTERNAL_ERROR;
}
}
/* if enabled send Cisco Unity Vendor ID */
if (SEND_CISCO_UNITY_VID)
{
@ -3199,13 +3177,18 @@ main_inI1_outR1(struct msg_digest *md)
}
}
/* Announce our ability to do Dead Peer Detection to the peer */
/* Announce our ability to do eXtended AUTHentication to the peer */
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &md->rbody, VID_MISC_XAUTH))
{
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &md->rbody, VID_MISC_DPD))
{
return STF_INTERNAL_ERROR;
}
return STF_INTERNAL_ERROR;
}
/* Announce our ability to do Dead Peer Detection to the peer */
if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
, &md->rbody, VID_MISC_DPD))
{
return STF_INTERNAL_ERROR;
}
if (md->nat_traversal_vid && nat_traversal_enabled)
@ -3486,8 +3469,6 @@ main_inR2_outI3(struct msg_digest *md)
{
struct state *const st = md->st;
pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
int auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
pb_stream id_pbs; /* ID Payload; also used for hash calculation */
certpolicy_t cert_policy = st->st_connection->spd.this.sendcert;
@ -3498,6 +3479,8 @@ main_inR2_outI3(struct msg_digest *md)
|| st->st_oakley.auth == XAUTHInitRSA
|| st->st_oakley.auth == XAUTHRespRSA;
int auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
/* KE in */
RETURN_STF_FAILURE(accept_KE(&st->st_gr, "Gr", st->st_oakley.group, keyex_pbs));
@ -3960,8 +3943,7 @@ main_inI3_outR3_tail(struct msg_digest *md
*/
echo_hdr(md, TRUE, ISAKMP_NEXT_ID);
auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
/* IDir out */
{

83
src/pluto/keys.c
View File

@ -54,6 +54,7 @@
#include "whack.h" /* for RC_LOG_SERIOUS */
#include "timer.h"
#include "fetch.h"
#include "xauth.h"
const char *shared_secrets_file = SHARED_SECRETS_FILE;
@ -97,11 +98,11 @@ allocate_RSA_public_key(const cert_t cert)
default:
plog("RSA public key allocation error");
}
init_RSA_public_key(&pk->u.rsa, e, n);
#ifdef DEBUG
DBG(DBG_PRIVATE, RSA_show_public_key(&pk->u.rsa));
#endif
init_RSA_public_key(&pk->u.rsa, e, n);
DBG(DBG_RAW,
RSA_show_public_key(&pk->u.rsa)
)
pk->alg = PUBKEY_ALG_RSA;
pk->id = empty_id;
@ -182,7 +183,7 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
his_id = &rw_id;
}
else if (kind == PPK_PSK
&& (c->policy & POLICY_PSK)
&& (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
&& ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) ||
(c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
{
@ -414,7 +415,7 @@ process_psk_secret(chunk_t *psk)
}
else
{
char buf[RSA_MAX_ENCODING_BYTES]; /* limit on size of binary representation of key */
char buf[BUF_LEN]; /* limit on size of binary representation of key */
size_t sz;
ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz
@ -589,7 +590,6 @@ static err_t
process_xauth(secret_t *s)
{
chunk_t user_name;
chunk_t user_password;
s->kind = PPK_XAUTH;
@ -605,31 +605,21 @@ process_xauth(secret_t *s)
user_name.ptr = tok;
user_name.len = flp->cur - tok;
}
plog(" loaded xauth credentials of user '%.*s'"
, user_name.len
, user_name.ptr);
clonetochunk(s->u.xauth_secret.user_name
, user_name.ptr, user_name.len, "xauth user name");
if (!shift())
return "missing xauth user password";
if (*tok == '"' || *tok == '\'') /* quoted user password */
{
user_password.ptr = tok + 1;
user_password.len = flp->cur - tok - 2;
}
else
{
user_password.ptr = tok;
user_password.len = flp->cur - tok;
}
if (shift())
return "unexpected token after xauth user passpword";
clonetochunk(s->u.xauth_secret.user_name
, user_name.ptr, user_name.len, "user_name");
clonetochunk(s->u.xauth_secret.user_password
, user_password.ptr, user_password.len, "user_password");
return NULL;
return process_psk_secret(&s->u.xauth_secret.user_password);
}
/* get XAUTH secret from chained secrets lists
* only one entry is currently supported
*/
bool
static bool
xauth_get_secret(xauth_t *xauth_secret)
{
secret_t *s;
@ -656,9 +646,10 @@ xauth_get_secret(xauth_t *xauth_secret)
/*
* find a matching secret
*/
bool
static bool
xauth_verify_secret(const xauth_t *xauth_secret)
{
bool found = FALSE;
secret_t *s;
for (s = secrets; s != NULL; s = s->next)
@ -667,13 +658,44 @@ xauth_verify_secret(const xauth_t *xauth_secret)
{
if (!same_chunk(xauth_secret->user_name, s->u.xauth_secret.user_name))
continue;
found = TRUE;
if (same_chunk(xauth_secret->user_password, s->u.xauth_secret.user_password))
return TRUE;
}
}
plog("xauth user '%.*s' %s"
, xauth_secret->user_name.len, xauth_secret->user_name.ptr
, found? "sent wrong password":"not found");
return FALSE;
}
/*
* the global xauth_module struct is defined here
*/
xauth_module_t xauth_module;
/*
* assign the default xauth functions to any null function pointers
*/
void
xauth_defaults(void)
{
if (xauth_module.get_secret == NULL)
{
DBG(DBG_CONTROL,
DBG_log("xauth_module: using default get_secret() function")
)
xauth_module.get_secret = xauth_get_secret;
}
if (xauth_module.verify_secret == NULL)
{
DBG(DBG_CONTROL,
DBG_log("xauth_module: using default verify_secret() function")
)
xauth_module.verify_secret = xauth_verify_secret;
}
};
/*
* process pin read from ipsec.secrets or prompted for it using whack
*/
@ -1202,14 +1224,11 @@ unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey)
return RSA_MAX_OCTETS_UGH;
init_RSA_public_key(rsa, exp, mod);
#ifdef DEBUG
DBG(DBG_PRIVATE, RSA_show_public_key(rsa));
#endif
rsa->k = mpz_sizeinbase(&rsa->n, 2); /* size in bits, for a start */
rsa->k = (rsa->k + BITS_PER_BYTE - 1) / BITS_PER_BYTE; /* now octets */
DBG(DBG_RAW,
RSA_show_public_key(rsa)
)
if (rsa->k != mod.len)
{

16
src/pluto/keys.h
View File

@ -41,6 +41,11 @@ enum PrivateKeyKind {
PPK_PIN
};
extern void xauth_defaults(void);
/* forward declaration */
struct connection;
extern const chunk_t *get_preshared_secret(const struct connection *c);
extern err_t unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey);
extern const RSA_private_key_t *get_RSA_private_key(const struct connection *c);
@ -86,7 +91,6 @@ extern void delete_public_keys(const struct id *id, enum pubkey_alg alg
extern pubkey_t *reference_key(pubkey_t *pk);
extern void unreference_key(pubkey_t **pkp);
extern err_t add_public_key(const struct id *id
, enum dns_auth_level dns_auth_level
, enum pubkey_alg alg
@ -101,16 +105,6 @@ extern void add_pgp_public_key(pgpcert_t *cert, time_t until
extern void remove_x509_public_key(const x509cert_t *cert);
extern void list_public_keys(bool utc);
/* XAUTH credentials */
typedef struct {
chunk_t user_name;
chunk_t user_password;
} xauth_t;
extern bool xauth_get_secrect(const xauth_t *xauth_secret);
extern bool xauth_verify_secret(const xauth_t *xauth_secret);
struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
extern void transfer_to_public_keys(struct gw_info *gateways_from_dns
#ifdef USE_KEYRR

523
src/pluto/modecfg.c
View File

@ -39,7 +39,9 @@
#include "crypto.h"
#include "modecfg.h"
#include "whack.h"
#include "keys.h"
#include "xauth.h"
#define MAX_XAUTH_TRIES 3
#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
| LELEM(INTERNAL_IP4_NETMASK) \
@ -410,6 +412,7 @@ modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
, 0 /* XXX isama_id */
);
freeanychunk(st->st_tpacket);
clonetochunk(st->st_tpacket, msg.start, pbs_offset(&msg), "ModeCfg msg");
/* Transmit */
@ -423,67 +426,6 @@ modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
return STF_OK;
}
/*
* Send ModeCfg request message from client to server in pull mode
*/
stf_status
modecfg_send_request(struct state *st)
{
stf_status stat;
internal_addr_t ia;
init_internal_addr(&ia);
ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
| LELEM(INTERNAL_IP4_NETMASK);
plog("sending ModeCfg request");
st->st_state = STATE_MODE_CFG_I1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
st->st_modecfg.started = TRUE;
return stat;
}
/*
* Send ModeCfg set message from server to client in push mode
*/
stf_status
modecfg_send_set(struct state *st)
{
stf_status stat;
internal_addr_t ia;
get_internal_addr(st->st_connection, &ia);
plog("sending ModeCfg set");
st->st_state = STATE_MODE_CFG_R1;
stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
if (stat == STF_OK)
st->st_modecfg.started = TRUE;
return stat;
}
/*
* Send XAUTH credentials request (username + password)
*/
stf_status
xauth_send_request(struct state *st)
{
stf_status stat;
internal_addr_t ia;
init_internal_addr(&ia);
ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
| LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
plog("sending XAUTH request");
st->st_state = STATE_XAUTH_R1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
st->st_xauth.started = TRUE;
return stat;
}
/*
* Parse a ModeCfg attribute payload
*/
@ -595,6 +537,27 @@ modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
return STF_IGNORE;
}
/*
* Send ModeCfg request message from client to server in pull mode
*/
stf_status
modecfg_send_request(struct state *st)
{
stf_status stat;
internal_addr_t ia;
init_internal_addr(&ia);
ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
| LELEM(INTERNAL_IP4_NETMASK);
plog("sending ModeCfg request");
st->st_state = STATE_MODE_CFG_I1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
st->st_modecfg.started = TRUE;
return stat;
}
/* STATE_MODE_CFG_R0:
* HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP)
*
@ -606,49 +569,22 @@ modecfg_inR0(struct msg_digest *md)
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
stf_status stat, stat_build;
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
return stat;
get_internal_addr(st->st_connection, &ia);
plog("sending ModeCfg reply");
stat = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_REPLY
, &ia
, isama_id);
if (stat != STF_OK)
{
/* notification payload - not exactly the right choice, but okay */
md->note = ATTRIBUTES_NOT_SUPPORTED;
return stat;
}
st->st_msgid = 0;
return STF_OK;
}
/* STATE_MODE_CFG_R1:
* HDR*, HASH, ATTR(ACK,OK)
*
* used in ModeCfg push mode, on the server (responder)
*/
stf_status
modecfg_inR1(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
plog("parsing ModeCfg ack");
stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
if (stat != STF_OK)
return stat;
stat_build = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_REPLY
, &ia
, isama_id);
if (stat_build != STF_OK)
return stat_build;
st->st_msgid = 0;
return STF_OK;
@ -678,19 +614,39 @@ modecfg_inI1(struct msg_digest *md)
return STF_OK;
}
/* STATE_MODE_CFG_I2:
/*
* Send ModeCfg set message from server to client in push mode
*/
stf_status
modecfg_send_set(struct state *st)
{
stf_status stat;
internal_addr_t ia;
get_internal_addr(st->st_connection, &ia);
plog("sending ModeCfg set");
st->st_state = STATE_MODE_CFG_R3;
stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
if (stat == STF_OK)
st->st_modecfg.started = TRUE;
return stat;
}
/* STATE_MODE_CFG_I0:
* HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
*
* used in ModeCfg push mode, on the client (initiator).
*/
stf_status
modecfg_inI2(struct msg_digest *md)
modecfg_inI0(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
lset_t attr_set;
stf_status stat;
stf_status stat, stat_build;
plog("parsing ModeCfg set");
@ -707,21 +663,157 @@ modecfg_inI2(struct msg_digest *md)
plog("sending ModeCfg ack");
stat = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_ACK
, &ia
, isama_id);
if (stat != STF_OK)
{
/* notification payload - not exactly the right choice, but okay */
md->note = ATTRIBUTES_NOT_SUPPORTED;
return stat;
}
stat_build = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_ACK
, &ia
, isama_id);
if (stat_build != STF_OK)
return stat_build;
st->st_msgid = 0;
return STF_OK;
}
/* STATE_MODE_CFG_R3:
* HDR*, HASH, ATTR(ACK,OK)
*
* used in ModeCfg push mode, on the server (responder)
*/
stf_status
modecfg_inR3(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
plog("parsing ModeCfg ack");
stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
if (stat != STF_OK)
return stat;
st->st_msgid = 0;
return STF_OK;
}
/*
* Send XAUTH credentials request (username + password)
*/
stf_status
xauth_send_request(struct state *st)
{
stf_status stat;
internal_addr_t ia;
init_internal_addr(&ia);
ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
| LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
plog("sending XAUTH request");
st->st_state = STATE_XAUTH_R1;
stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
if (stat == STF_OK)
st->st_xauth.started = TRUE;
return stat;
}
/* STATE_XAUTH_I0:
* HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
*
* used on the XAUTH client (initiator)
*/
stf_status
xauth_inI0(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat, stat_build;
plog("parsing XAUTH request");
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
return stat;
/* check XAUTH attributes */
if ((ia.attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY
&& ia.xauth_type != XAUTH_TYPE_GENERIC)
{
plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
stat = STF_FAIL;
}
else if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user name attribute is missing in XAUTH request");
stat = STF_FAIL;
}
else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user password attribute is missing in XAUTH request");
stat = STF_FAIL;
}
/* prepare XAUTH reply */
init_internal_addr(&ia);
if (stat == STF_OK)
{
/* get user credentials using a plugin function */
if (!xauth_module.get_secret(&ia.xauth_secret))
{
plog("xauth user credentials not found");
stat = STF_FAIL;
}
}
if (stat == STF_OK)
{
DBG(DBG_CONTROL,
DBG_log("my xauth user name is '%.*s'"
, ia.xauth_secret.user_name.len
, ia.xauth_secret.user_name.ptr)
)
DBG(DBG_PRIVATE,
DBG_log("my xauth user password is '%.*s'"
, ia.xauth_secret.user_password.len
, ia.xauth_secret.user_password.ptr)
)
ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
| LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
}
else
{
ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
ia.xauth_status = FALSE;
}
plog("sending XAUTH reply");
stat_build = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_REPLY
, &ia
, isama_id);
if (stat_build != STF_OK)
return stat_build;
if (stat == STF_OK)
{
st->st_xauth.started = TRUE;
return STF_OK;
}
else
{
/* send XAUTH reply msg and then delete ISAKMP SA */
freeanychunk(st->st_tpacket);
clonetochunk(st->st_tpacket, md->reply.start
, pbs_offset(&md->reply), "XAUTH reply msg");
send_packet(st, "XAUTH reply msg");
delete_state(st);
return STF_IGNORE;
}
}
/* STATE_XAUTH_R1:
* HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS)
*
@ -733,48 +825,119 @@ xauth_inR1(struct msg_digest *md)
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
bool status;
stf_status stat, stat_build;
plog("parsing XAUTH reply");
stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
if (stat != STF_OK)
return stat;
/* check XAUTH reply */
/* did the client return an XAUTH FAIL status? */
if ((ia.attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY)
{
plog("received FAIL status in XAUTH reply");
return STF_INTERNAL_ERROR;
/* client is not able to do XAUTH, delete ISAKMP SA */
delete_state(st);
return STF_IGNORE;
}
/* check XAUTH reply */
if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user name attribute is missing in XAUTH reply");
return STF_SUSPEND;
st->st_xauth.status = FALSE;
}
if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user password attribute is missing in XAUTH reply");
return STF_SUSPEND;
st->st_xauth.status = FALSE;
}
else
{
DBG(DBG_CONTROL,
DBG_log("peer xauth user name is '%.*s'"
, ia.xauth_secret.user_name.len
, ia.xauth_secret.user_name.ptr)
)
DBG(DBG_PRIVATE,
DBG_log("peer xauth user password is '%.*s'"
, ia.xauth_secret.user_password.len
, ia.xauth_secret.user_password.ptr)
)
/* verify the user credentials using a plugn function */
st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret);
plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
}
status = xauth_verify_secret(&ia.xauth_secret);
/* prepare XAUTH set which sends the authentication status */
init_internal_addr(&ia);
ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
ia.xauth_status = status;
ia.xauth_status = st->st_xauth.status;
plog("sending XAUTH status: %s", status? "OK":"FAIL");
plog("sending XAUTH status:");
stat = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_SET
, &ia
, isama_id);
stat_build = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_SET
, &ia
, isama_id);
if (stat_build != STF_OK)
return stat_build;
return STF_OK;
}
/* STATE_XAUTH_I1:
* HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
*
* used on the XAUTH client (initiator)
*/
stf_status
xauth_inI1(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat, stat_build;
plog("parsing XAUTH status");
stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
if (stat != STF_OK)
{
/* notification payload - not exactly the right choice, but okay */
md->note = ATTRIBUTES_NOT_SUPPORTED;
return stat;
}
st->st_xauth.status = ia.xauth_status;
plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
plog("sending XAUTH ack");
init_internal_addr(&ia);
stat_build = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_ACK
, &ia
, isama_id);
if (stat_build != STF_OK)
return stat_build;
if (st->st_xauth.status)
{
st->st_msgid = 0;
return STF_OK;
}
else
{
/* send XAUTH ack msg and then delete ISAKMP SA */
freeanychunk(st->st_tpacket);
clonetochunk(st->st_tpacket, md->reply.start
, pbs_offset(&md->reply), "XAUTH ack msg");
send_packet(st, "XAUTH ack msg");
delete_state(st);
return STF_IGNORE;
}
}
/* STATE_XAUTH_R2:
* HDR*, ATTR(STATUS), HASH --> Done
*
@ -795,113 +958,13 @@ xauth_inR2(struct msg_digest *md)
return stat;
st->st_msgid = 0;
return STF_OK;
}
/* STATE_XAUTH_I0:
* HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
*
* used on the XAUTH client (initiator)
*/
stf_status
xauth_inI0(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
plog("parsing XAUTH request");
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
return stat;
/* check XAUTH request */
if ((ia.attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY
&& ia.xauth_type != XAUTH_TYPE_GENERIC)
if (st->st_xauth.status)
{
plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
stat = STF_FAIL;
}
if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user name attribute is missing in XAUTH request");
stat = STF_FAIL;
}
if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
{
plog("user password attribute is missing in XAUTH request");
stat = STF_FAIL;
}
/* prepare XAUTH reply */
init_internal_addr(&ia);
if (stat == STF_OK)
{
/* get user credentials */
if (!xauth_get_secret(&ia.xauth_secret))
{
plog("xauth user credentials not found");
stat = STF_FAIL;
}
}
if (stat == STF_OK)
{
ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
| LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
return STF_OK;
}
else
{
ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
ia.xauth_status = FALSE;
delete_state(st);
return STF_IGNORE;
}
plog("sending XAUTH reply");
stat = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_REPLY
, &ia
, isama_id);
if (stat != STF_OK)
{
/* notification payload - not exactly the right choice, but okay */
md->note = ATTRIBUTES_NOT_SUPPORTED;
return stat;
}
st->st_xauth.started = TRUE;
return STF_OK;
}
/* STATE_XAUTH_I1:
* HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
*
* used on the XAUTH client (initiator)
*/
stf_status
xauth_inI1(struct msg_digest *md)
{
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat;
plog("parsing XAUTH status");
stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
if (stat != STF_OK)
return stat;
/* prepare XAUTH set which sends the authentication status */
init_internal_addr(&ia);
plog("sending XAUTH ack");
stat = modecfg_build_msg(st, &md->rbody
, ISAKMP_CFG_ACK
, &ia
, isama_id);
st->st_msgid = 0;
return stat;
}

20
src/pluto/modecfg.h
View File

@ -21,23 +21,27 @@
struct state;
struct msg_digest;
/* ModeConfig starting functions */
/* ModeConfig pull mode start function */
extern stf_status modecfg_send_request(struct state *st);
/* ModeConfig pull mode state transition functions */
extern stf_status modecfg_inR0(struct msg_digest *md);
extern stf_status modecfg_inI1(struct msg_digest *md);
/* ModeConfig push mode start function */
extern stf_status modecfg_send_set(struct state *st);
/* ModeConfig state transition functions */
extern stf_status modecfg_inR0(struct msg_digest *md);
extern stf_status modecfg_inR1(struct msg_digest *md);
extern stf_status modecfg_inI1(struct msg_digest *md);
extern stf_status modecfg_inI2(struct msg_digest *md);
/* ModeConfig push mode state transition functions */
extern stf_status modecfg_inI0(struct msg_digest *md);
extern stf_status modecfg_inR3(struct msg_digest *md);
/* XAUTH start function */
extern stf_status xauth_send_request(struct state *st);
/* XAUTH state transition funcgtions */
extern stf_status xauth_inR1(struct msg_digest *md);
extern stf_status xauth_inR2(struct msg_digest *md);
extern stf_status xauth_inI0(struct msg_digest *md);
extern stf_status xauth_inR1(struct msg_digest *md);
extern stf_status xauth_inI1(struct msg_digest *md);
extern stf_status xauth_inR2(struct msg_digest *md);
#endif /* _MODECFG_H */

1
src/pluto/state.h
View File

@ -216,6 +216,7 @@ struct state
struct {
int attempt;
bool started;
bool status;
} st_xauth;
u_int32_t nat_traversal;

3
src/pluto/vendor.c
View File

@ -394,6 +394,9 @@ handle_known_vendorid (struct msg_digest *md
md->dpd = TRUE;
vid_useful = TRUE;
break;
case VID_MISC_XAUTH:
vid_useful = TRUE;
break;
default:
break;
}

36
src/pluto/xauth.c Normal file
View File

@ -0,0 +1,36 @@
/* Initialization and finalization of the dynamic XAUTH module
* Copyright (C) 2006 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* RCSID $Id: xauth.c,v 1.1 2005/01/06 22:10:15 as Exp $
*/
#include <freeswan.h>
#include "constants.h"
#include "defs.h"
#include "xauth.h"
#include "keys.h"
void
xauth_init(void)
{
/* TODO: locate and load dynamic XAUTH module */
xauth_defaults();
}
void
xauth_finalize(void)
{
/* TODO: unload dynamic XAUTH module */
}

40
src/pluto/xauth.h Normal file
View File

@ -0,0 +1,40 @@
/* Interface definition of the XAUTH server and|or client module
* Copyright (C) 2006 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* RCSID $Id: xauth.h,v 1.1 2005/01/06 22:10:15 as Exp $
*/
#ifndef _XAUTH_H
#define _XAUTH_H
/* XAUTH credentials */
struct chunk_t;
typedef struct {
chunk_t user_name;
chunk_t user_password;
} xauth_t;
typedef struct {
bool (*get_secret) (const xauth_t *xauth_secret);
bool (*verify_secret) (const xauth_t *xauth_secret);
} xauth_module_t;
extern xauth_module_t xauth_module;
extern void xauth_init(void);
extern void xauth_finalize(void);
#endif /* _XAUTH_H */