Added xauth-noauth plugin

This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange.  This can be useful to fallback to basic
RSA authentication with clients that can not be configured without XAuth
authentication.

configure.in

@@ -167,6 +167,7 @@ ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
 ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module.])
 ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
 ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
@@ -996,6 +997,7 @@ ADD_PLUGIN([eap-tnc],              [c charon])
 ADD_PLUGIN([xauth-generic],        [c charon])
 ADD_PLUGIN([xauth-eap],            [c charon])
 ADD_PLUGIN([xauth-pam],            [c charon])
+ADD_PLUGIN([xauth-noauth],         [c charon])
 ADD_PLUGIN([tnc-ifmap],            [c charon])
 ADD_PLUGIN([tnc-pdp],              [c charon])
 ADD_PLUGIN([tnc-imc],              [c charon])
@@ -1136,6 +1138,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
 AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -1328,6 +1331,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/xauth_generic/Makefile
 	src/libcharon/plugins/xauth_eap/Makefile
 	src/libcharon/plugins/xauth_pam/Makefile
+	src/libcharon/plugins/xauth_noauth/Makefile
 	src/libcharon/plugins/tnc_ifmap/Makefile
 	src/libcharon/plugins/tnc_pdp/Makefile
 	src/libcharon/plugins/tnc_imc/Makefile

src/libcharon/Makefile.am

@@ -596,3 +596,10 @@ if MONOLITHIC
   libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
 endif
 endif
+
+if USE_XAUTH_NOAUTH
+  SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif

src/libcharon/plugins/xauth_noauth/Makefile.am

@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+	xauth_noauth_plugin.h xauth_noauth_plugin.c \
+	xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version

src/libcharon/plugins/xauth_noauth/xauth_noauth.c

@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_noauth_t public;
+
+	/**
+	 * ID of the peer (not really used here)
+	 */
+	identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_xauth_noauth_t *this, cp_payload_t **out)
+{
+	/* XAuth task handles the details for us */
+	return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	/* this should never be called */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_noauth_t *this)
+{
+	/* this should never be called, but lets still return a valid ID */
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_noauth_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_noauth_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.peer = identification_create_from_string("%any"),
+	);
+
+	return &this->public;
+}

src/libcharon/plugins/xauth_noauth/xauth_noauth.h

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/

src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c

@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_noauth_plugin_t *this)
+{
+	return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_noauth_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+	xauth_noauth_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}

src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully.  This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/

src/libcharon/sa/ikev1/tasks/xauth.c

@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
 	return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp || cp->get_type(cp) != CFG_ACK)
+	{
+		DBG1(DBG_IKE, "received invalid XAUTH status response");
+		return FAILED;
+	}
+	if (this->status != XAUTH_OK)
+	{
+		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+		return FAILED;
+	}
+	if (!establish(this))
+	{
+		return FAILED;
+	}
+	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+	lib->processor->queue_job(lib->processor, (job_t*)
+				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
 	private_xauth_t *this, message_t *message)
 {
 	if (!this->xauth)
 	{
-		cp_payload_t *cp;
+		cp_payload_t *cp = NULL;
 
 		this->xauth = load_method(this);
 		if (!this->xauth)
 		{
 			return FAILED;
 		}
-		if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+		switch (this->xauth->initiate(this->xauth, &cp))
 		{
-			return FAILED;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				DESTROY_IF(cp);
+				this->status = XAUTH_OK;
+				this->public.task.process = _process_i_status;
+				return build_i_status(this, message);
+			default:
+				return FAILED;
 		}
 		message->add_payload(message, (payload_t *)cp);
 		return NEED_MORE;
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
 	return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
-	private_xauth_t *this, message_t *message)
-{
-	cp_payload_t *cp;
-
-	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
-	if (!cp || cp->get_type(cp) != CFG_ACK)
-	{
-		DBG1(DBG_IKE, "received invalid XAUTH status response");
-		return FAILED;
-	}
-	if (this->status != XAUTH_OK)
-	{
-		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
-		return FAILED;
-	}
-	if (!establish(this))
-	{
-		return FAILED;
-	}
-	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-	lib->processor->queue_job(lib->processor, (job_t*)
-				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
-	return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
 	private_xauth_t *this, message_t *message)
 {