Added xauth-noauth plugin

This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange.  This can be useful to fall back to basic
RSA authentication with clients that cannot be configured without XAuth
authentication.
Tobias Brunner 2013-02-04 18:55:54 +01:00
parent 41131528a9
commit e4013bb904
8 changed files with 309 additions and 29 deletions


@ -167,6 +167,7 @@ ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
ARG_DISBL_SET([xauth-generic], [disable generic XAuth backend.])
ARG_ENABL_SET([xauth-eap], [enable XAuth backend using EAP methods to verify passwords.])
ARG_ENABL_SET([xauth-pam], [enable XAuth backend using PAM to verify passwords.])
ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module.])
ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.])
ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
@ -996,6 +997,7 @@ ADD_PLUGIN([eap-tnc], [c charon])
ADD_PLUGIN([xauth-generic], [c charon])
ADD_PLUGIN([xauth-eap], [c charon])
ADD_PLUGIN([xauth-pam], [c charon])
ADD_PLUGIN([xauth-noauth], [c charon])
ADD_PLUGIN([tnc-ifmap], [c charon])
ADD_PLUGIN([tnc-pdp], [c charon])
ADD_PLUGIN([tnc-imc], [c charon])
@ -1136,6 +1138,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@ -1328,6 +1331,7 @@ AC_CONFIG_FILES([
src/libcharon/plugins/xauth_generic/Makefile
src/libcharon/plugins/xauth_eap/Makefile
src/libcharon/plugins/xauth_pam/Makefile
src/libcharon/plugins/xauth_noauth/Makefile
src/libcharon/plugins/tnc_ifmap/Makefile
src/libcharon/plugins/tnc_pdp/Makefile
src/libcharon/plugins/tnc_imc/Makefile


@ -596,3 +596,10 @@ if MONOLITHIC
libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
endif
endif
if USE_XAUTH_NOAUTH
SUBDIRS += plugins/xauth_noauth
if MONOLITHIC
libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
endif
endif


@ -0,0 +1,17 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon
AM_CFLAGS = -rdynamic
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
else
plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
endif
libstrongswan_xauth_noauth_la_SOURCES = \
xauth_noauth_plugin.h xauth_noauth_plugin.c \
xauth_noauth.h xauth_noauth.c
libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version


@ -0,0 +1,89 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "xauth_noauth.h"
#include <daemon.h>
#include <library.h>
typedef struct private_xauth_noauth_t private_xauth_noauth_t;
/**
* Private data of an xauth_noauth_t object.
*/
struct private_xauth_noauth_t {
/**
* Public interface.
*/
xauth_noauth_t public;
/**
* ID of the peer (not really used here)
*/
identification_t *peer;
};
METHOD(xauth_method_t, initiate, status_t,
private_xauth_noauth_t *this, cp_payload_t **out)
{
/* XAuth task handles the details for us */
return SUCCESS;
}
METHOD(xauth_method_t, process, status_t,
private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
{
/* this should never be called */
return FAILED;
}
METHOD(xauth_method_t, get_identity, identification_t*,
private_xauth_noauth_t *this)
{
/* this should never be called, but lets still return a valid ID */
return this->peer;
}
METHOD(xauth_method_t, destroy, void,
private_xauth_noauth_t *this)
{
this->peer->destroy(this->peer);
free(this);
}
/*
* Described in header.
*/
xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
identification_t *peer)
{
private_xauth_noauth_t *this;
INIT(this,
.public = {
.xauth_method = {
.initiate = _initiate,
.process = _process,
.get_identity = _get_identity,
.destroy = _destroy,
},
},
.peer = identification_create_from_string("%any"),
);
return &this->public;
}
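Review bot: `initiate` returns SUCCESS without logging anything, and `xauth_noauth_create_server` ignores both `server` and `peer`, so nothing on the responder records that a client passed XAuth without presenting credentials. A line in `initiate` such as `DBG1(DBG_IKE, "XAuth noauth backend in use, client credentials are not verified");` would make the downgrade visible in logs and audits. Backend selection happens in `load_method`, which is not shown on this page. If it can pick a registered XAUTH_SERVER backend when the connection names none, building with this plugin could silently remove the password check from existing XAuth connections. It is worth confirming that `noauth` is only used when configured by name and stating that in the header documentation.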


@ -0,0 +1,50 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup xauth_noauth_i xauth_noauth
* @{ @ingroup xauth_noauth
*/
#ifndef XAUTH_NOAUTH_H_
#define XAUTH_NOAUTH_H_
typedef struct xauth_noauth_t xauth_noauth_t;
#include <sa/xauth/xauth_method.h>
/**
* Implementation of the xauth_method_t interface that does not actually do
* any authentication but simply concludes the XAuth exchange successfully.
*/
struct xauth_noauth_t {
/**
* Implemented xauth_method_t interface.
*/
xauth_method_t xauth_method;
};
/**
* Creates the noauth XAuth method, acting as server.
*
* @param server ID of the XAuth server
* @param peer ID of the XAuth client
* @return xauth_noauth_t object
*/
xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
identification_t *peer);
#endif /** XAUTH_NOAUTH_H_ @}*/


@ -0,0 +1,60 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "xauth_noauth_plugin.h"
#include "xauth_noauth.h"
#include <daemon.h>
METHOD(plugin_t, get_name, char*,
xauth_noauth_plugin_t *this)
{
return "xauth-noauth";
}
METHOD(plugin_t, get_features, int,
xauth_noauth_plugin_t *this, plugin_feature_t *features[])
{
static plugin_feature_t f[] = {
PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
};
*features = f;
return countof(f);
}
METHOD(plugin_t, destroy, void,
xauth_noauth_plugin_t *this)
{
free(this);
}
/*
* see header file
*/
plugin_t *xauth_noauth_plugin_create()
{
xauth_noauth_plugin_t *this;
INIT(this,
.plugin = {
.get_name = _get_name,
.get_features = _get_features,
.destroy = _destroy,
},
);
return &this->plugin;
}


@ -0,0 +1,45 @@
/*
* Copyright (C) 2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup xauth_noauth xauth_noauth
* @ingroup cplugins
*
* @defgroup xauth_noauth_plugin xauth_noauth_plugin
* @{ @ingroup xauth_noauth
*/
#ifndef XAUTH_NOAUTH_PLUGIN_H_
#define XAUTH_NOAUTH_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
/**
* XAuth plugin that does not actually do any authentication but simply
* concludes the XAuth exchange successfully. This could be used to implement
* basic RSA authentication in cases where the client does not offer an option
* to disable XAuth.
*/
struct xauth_noauth_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/


@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
return NEED_MORE;
}
METHOD(task_t, process_i_status, status_t,
private_xauth_t *this, message_t *message)
{
cp_payload_t *cp;
cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
if (!cp || cp->get_type(cp) != CFG_ACK)
{
DBG1(DBG_IKE, "received invalid XAUTH status response");
return FAILED;
}
if (this->status != XAUTH_OK)
{
DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
return FAILED;
}
if (!establish(this))
{
return FAILED;
}
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
return SUCCESS;
}
METHOD(task_t, build_i, status_t,
private_xauth_t *this, message_t *message)
{
if (!this->xauth)
{
cp_payload_t *cp;
cp_payload_t *cp = NULL;
this->xauth = load_method(this);
if (!this->xauth)
{
return FAILED;
}
if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
switch (this->xauth->initiate(this->xauth, &cp))
{
return FAILED;
case NEED_MORE:
break;
case SUCCESS:
DESTROY_IF(cp);
this->status = XAUTH_OK;
this->public.task.process = _process_i_status;
return build_i_status(this, message);
default:
return FAILED;
}
message->add_payload(message, (payload_t *)cp);
return NEED_MORE;
@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
return NEED_MORE;
}
METHOD(task_t, process_i_status, status_t,
private_xauth_t *this, message_t *message)
{
cp_payload_t *cp;
cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
if (!cp || cp->get_type(cp) != CFG_ACK)
{
DBG1(DBG_IKE, "received invalid XAUTH status response");
return FAILED;
}
if (this->status != XAUTH_OK)
{
DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
return FAILED;
}
if (!establish(this))
{
return FAILED;
}
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
return SUCCESS;
}
METHOD(task_t, process_i, status_t,
private_xauth_t *this, message_t *message)
{
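Review bot: The new `case SUCCESS:` branch in `build_i` is open to any backend whose `initiate()` returns SUCCESS, not only xauth-noauth, and `process_i_status` then sets `COND_XAUTH_AUTHENTICATED` exactly as it does after a verified login. Code or policy that later relies on that condition cannot tell a checked password from a skipped exchange. The branch should carry a comment stating the contract, for example `/* backend concluded XAuth without requesting credentials, only a status exchange follows */`. The `xauth_method_t` documentation for `initiate()` should also say that SUCCESS is a permitted return value and what it implies. `build_i` starts inside the first hunk and continues beyond it, so the rest of its body is not visible here.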