diff --git a/configure.in b/configure.in
index 996c8dd9c..716bad5b1 100644
--- a/configure.in
+++ b/configure.in
@@ -167,6 +167,7 @@ ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
 ARG_DISBL_SET([xauth-generic], [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap], [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam], [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
 ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module.])
 ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.])
 ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
@@ -996,6 +997,7 @@ ADD_PLUGIN([eap-tnc], [c charon])
 ADD_PLUGIN([xauth-generic], [c charon])
 ADD_PLUGIN([xauth-eap], [c charon])
 ADD_PLUGIN([xauth-pam], [c charon])
+ADD_PLUGIN([xauth-noauth], [c charon])
 ADD_PLUGIN([tnc-ifmap], [c charon])
 ADD_PLUGIN([tnc-pdp], [c charon])
 ADD_PLUGIN([tnc-imc], [c charon])
@@ -1136,6 +1138,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
 AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -1328,6 +1331,7 @@ AC_CONFIG_FILES([
 src/libcharon/plugins/xauth_generic/Makefile
 src/libcharon/plugins/xauth_eap/Makefile
 src/libcharon/plugins/xauth_pam/Makefile
+ src/libcharon/plugins/xauth_noauth/Makefile
 src/libcharon/plugins/tnc_ifmap/Makefile
 src/libcharon/plugins/tnc_pdp/Makefile
 src/libcharon/plugins/tnc_imc/Makefile
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 536bab473..f0736c5ca 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -596,3 +596,10 @@ if MONOLITHIC
 libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
 endif
 endif
+
+if USE_XAUTH_NOAUTH
+ SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
new file mode 100644
index 000000000..b838af63a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+ xauth_noauth_plugin.h xauth_noauth_plugin.c \
+ xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
new file mode 100644
index 000000000..a9d95126a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include
+#include
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+ /**
+ * Public interface.
+ */
+ xauth_noauth_t public;
+
+ /**
+ * ID of the peer (not really used here)
+ */
+ identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+ private_xauth_noauth_t *this, cp_payload_t **out)
+{
+ /* XAuth task handles the details for us */
+ return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+ private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+ /* this should never be called */
+ return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+ private_xauth_noauth_t *this)
+{
+ /* this should never be called, but lets still return a valid ID */
+ return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+ private_xauth_noauth_t *this)
+{
+ this->peer->destroy(this->peer);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+ identification_t *peer)
+{
+ private_xauth_noauth_t *this;
+
+ INIT(this,
+ .public = {
+ .xauth_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_identity = _get_identity,
+ .destroy = _destroy,
+ },
+ },
+ .peer = identification_create_from_string("%any"),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
new file mode 100644
index 000000000..8984b0a7c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
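Review bot: xauth_noauth_create_server discards both the `server` and `peer` IDs it is handed and stores a fabricated `%any` identity instead, so any caller that does invoke get_identity (its own comment only says it "should never be called") gets `%any` rather than the client's actual ID, while the header documents `peer` as "ID of the XAuth client". Storing `.peer = peer->clone(peer),` would keep the object consistent with its documented interface, assuming identification_t's clone is the right way to take a copy here; otherwise the header's @param text should say the IDs are ignored. Separately, nothing in this plugin logs that an XAuth round was concluded without requesting credentials; a one-line `DBG1(DBG_IKE, "XAuth 'noauth' backend: concluding exchange without requesting credentials");` in initiate would make a misconfigured server visible in the IKE log, assuming the include whose target this page drops is `<daemon.h>`.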
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+ /**
+ * Implemented xauth_method_t interface.
+ */
+ xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server ID of the XAuth server
+ * @param peer ID of the XAuth client
+ * @return xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+ identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
new file mode 100644
index 000000000..e7ee4dfe3
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include
+
+METHOD(plugin_t, get_name, char*,
+ xauth_noauth_plugin_t *this)
+{
+ return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+ xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+ PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ xauth_noauth_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+ xauth_noauth_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
new file mode 100644
index 000000000..d174ac29c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully. This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 10bea5636..31114e592 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
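Review bot: The struct comment on xauth_noauth_plugin_t presents the plugin as a way to get "basic RSA authentication" when a client insists on XAuth, but it never states the precondition that makes that safe: phase 1 must already have authenticated the peer strongly, because this backend verifies nothing and the XAuth round adds no security of its own. I would extend the comment with ` * WARNING: this backend performs no credential check at all; use it only` and ` * together with a strong phase-1 authentication (e.g. RSA), never as the sole` and ` * means of authenticating the client.` so the caveat sits next to the suggested use case rather than only in the configure help text.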
@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
 return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+ private_xauth_t *this, message_t *message)
+{
+ cp_payload_t *cp;
+
+ cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+ if (!cp || cp->get_type(cp) != CFG_ACK)
+ {
+ DBG1(DBG_IKE, "received invalid XAUTH status response");
+ return FAILED;
+ }
+ if (this->status != XAUTH_OK)
+ {
+ DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+ return FAILED;
+ }
+ if (!establish(this))
+ {
+ return FAILED;
+ }
+ this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+ lib->processor->queue_job(lib->processor, (job_t*)
+ adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+ return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
 private_xauth_t *this, message_t *message)
 {
 if (!this->xauth)
 {
- cp_payload_t *cp;
+ cp_payload_t *cp = NULL;
 
 this->xauth = load_method(this);
 if (!this->xauth)
 {
 return FAILED;
 }
- if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+ switch (this->xauth->initiate(this->xauth, &cp))
 {
- return FAILED;
+ case NEED_MORE:
+ break;
+ case SUCCESS:
+ DESTROY_IF(cp);
+ this->status = XAUTH_OK;
+ this->public.task.process = _process_i_status;
+ return build_i_status(this, message);
+ default:
+ return FAILED;
 }
 message->add_payload(message, (payload_t *)cp);
 return NEED_MORE;
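Review bot: In the NEED_MORE case of the new switch in build_i, `cp` still reaches `message->add_payload(message, (payload_t *)cp)` unchecked; now that it is initialised to NULL, a backend that returns NEED_MORE without filling `*out` hands a NULL payload to add_payload rather than an uninitialised pointer as before, so `case NEED_MORE: if (!cp) { return FAILED; } break;` would close that hole explicitly. The SUCCESS branch sets XAUTH_OK and, after the CFG_ACK, process_i_status sets the same COND_XAUTH_AUTHENTICATED a verifying backend ends up with, so anything keyed on that condition cannot tell a credential-checked peer from one waved through; a `DBG1(DBG_IKE, "XAuth method concluded without a credential exchange");` next to `this->status = XAUTH_OK;` would at least leave a trace in the log. The body of build_i continues past the end of the hunk, and establish() is not visible here.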
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
 return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
- private_xauth_t *this, message_t *message)
-{
- cp_payload_t *cp;
-
- cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
- if (!cp || cp->get_type(cp) != CFG_ACK)
- {
- DBG1(DBG_IKE, "received invalid XAUTH status response");
- return FAILED;
- }
- if (this->status != XAUTH_OK)
- {
- DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
- return FAILED;
- }
- if (!establish(this))
- {
- return FAILED;
- }
- this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
- lib->processor->queue_job(lib->processor, (job_t*)
- adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
- return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
 private_xauth_t *this, message_t *message)
 {