From e4013bb90404aea5728bca9da9ae71abcbd935ea Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Mon, 4 Feb 2013 18:55:54 +0100 Subject: [PATCH] Added xauth-noauth plugin This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
---
 configure.in | 4 + src/libcharon/Makefile.am | 7 ++ .../plugins/xauth_noauth/Makefile.am | 17 ++++ .../plugins/xauth_noauth/xauth_noauth.c | 89 +++++++++++++++++++ .../plugins/xauth_noauth/xauth_noauth.h | 50 +++++++++++ .../xauth_noauth/xauth_noauth_plugin.c | 60 +++++++++++++ .../xauth_noauth/xauth_noauth_plugin.h | 45 ++++++++++ src/libcharon/sa/ikev1/tasks/xauth.c | 66 ++++++++------ 8 files changed, 309 insertions(+), 29 deletions(-) create mode 100644 src/libcharon/plugins/xauth_noauth/Makefile.am create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth.c create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth.h create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c create mode 100644 src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
diff --git a/configure.in b/configure.in
index 996c8dd9c..716bad5b1 100644
--- a/configure.in
+++ b/configure.in
@@ -167,6 +167,7 @@ ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
 ARG_DISBL_SET([xauth-generic], [disable generic XAuth backend.])
 ARG_ENABL_SET([xauth-eap], [enable XAuth backend using EAP methods to verify passwords.])
 ARG_ENABL_SET([xauth-pam], [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
 ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module.])
 ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.])
 ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
@@ -996,6 +997,7 @@ ADD_PLUGIN([eap-tnc], [c charon])
 ADD_PLUGIN([xauth-generic], [c charon])
 ADD_PLUGIN([xauth-eap], [c charon])
 ADD_PLUGIN([xauth-pam], [c charon])
+ADD_PLUGIN([xauth-noauth], [c charon])
 ADD_PLUGIN([tnc-ifmap], [c charon])
 ADD_PLUGIN([tnc-pdp], [c charon])
 ADD_PLUGIN([tnc-imc], [c charon])
@@ -1136,6 +1138,7 @@ AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
 AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
 AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
 AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
 AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
 AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
@@ -1328,6 +1331,7 @@ AC_CONFIG_FILES([
 src/libcharon/plugins/xauth_generic/Makefile
 src/libcharon/plugins/xauth_eap/Makefile
 src/libcharon/plugins/xauth_pam/Makefile
+ src/libcharon/plugins/xauth_noauth/Makefile
 src/libcharon/plugins/tnc_ifmap/Makefile
 src/libcharon/plugins/tnc_pdp/Makefile
 src/libcharon/plugins/tnc_imc/Makefile
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 536bab473..f0736c5ca 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -596,3 +596,10 @@ if MONOLITHIC
 libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
 endif
 endif
+
+if USE_XAUTH_NOAUTH
+ SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
new file mode 100644
index 000000000..b838af63a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+ xauth_noauth_plugin.h xauth_noauth_plugin.c \
+ xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
new file mode 100644
index 000000000..a9d95126a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include
+#include
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+ /**
+ * Public interface.
+ */
+ xauth_noauth_t public;
+
+ /**
+ * ID of the peer (not really used here)
+ */
+ identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+ private_xauth_noauth_t *this, cp_payload_t **out)
+{
+ /* XAuth task handles the details for us */
+ return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+ private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+ /* this should never be called */
+ return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+ private_xauth_noauth_t *this)
+{
+ /* this should never be called, but lets still return a valid ID */
+ return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+ private_xauth_noauth_t *this)
+{
+ this->peer->destroy(this->peer);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+ identification_t *peer)
+{
+ private_xauth_noauth_t *this;
+
+ INIT(this,
+ .public = {
+ .xauth_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_identity = _get_identity,
+ .destroy = _destroy,
+ },
+ },
+ .peer = identification_create_from_string("%any"),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
new file mode 100644
index 000000000..8984b0a7c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
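Review bot: `xauth_noauth_create_server` in xauth_noauth.c ignores both `server` and `peer` and stores a fresh `%any` identity, which `get_identity` then hands out; nothing in the file says this is deliberate. The comment on `get_identity` says it should never be called, but if a caller ever does record or match the returned ID, a wildcard would stand in for the client. I would add a comment at the `.peer` initializer such as `/* deliberately %any: this backend never verifies an XAuth identity */`, and adjust the `@param server` / `@param peer` lines in xauth_noauth.h, which describe the two IDs as if they were used.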
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+ /**
+ * Implemented xauth_method_t interface.
+ */
+ xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server ID of the XAuth server
+ * @param peer ID of the XAuth client
+ * @return xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+ identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
new file mode 100644
index 000000000..e7ee4dfe3
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include
+
+METHOD(plugin_t, get_name, char*,
+ xauth_noauth_plugin_t *this)
+{
+ return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+ xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+ PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ xauth_noauth_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+ xauth_noauth_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
new file mode 100644
index 000000000..d174ac29c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
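Review bot: `get_features` in xauth_noauth_plugin.c registers this backend as `PLUGIN_PROVIDE(XAUTH_SERVER, "noauth")`, and nothing in the commit stops it from being chosen when a connection does not name an XAuth method. How the XAuth task picks a backend (`load_method` in xauth.c) is outside this diff; if that lookup takes the first registered server method when none is configured, merely loading this plugin could switch off credential checking for connections that expect it. It is worth confirming that selection requires the explicit name `noauth`, and saying so in the plugin's header comment, e.g. `* Must be selected explicitly by name; not intended as a default backend.`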
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully. This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 10bea5636..31114e592 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
 return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+ private_xauth_t *this, message_t *message)
+{
+ cp_payload_t *cp;
+
+ cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+ if (!cp || cp->get_type(cp) != CFG_ACK)
+ {
+ DBG1(DBG_IKE, "received invalid XAUTH status response");
+ return FAILED;
+ }
+ if (this->status != XAUTH_OK)
+ {
+ DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+ return FAILED;
+ }
+ if (!establish(this))
+ {
+ return FAILED;
+ }
+ this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+ lib->processor->queue_job(lib->processor, (job_t*)
+ adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+ return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
 private_xauth_t *this, message_t *message)
 {
 if (!this->xauth)
 {
- cp_payload_t *cp;
+ cp_payload_t *cp = NULL;
 
 this->xauth = load_method(this);
 if (!this->xauth)
 {
 return FAILED;
 }
- if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+ switch (this->xauth->initiate(this->xauth, &cp))
 {
- return FAILED;
+ case NEED_MORE:
+ break;
+ case SUCCESS:
+ DESTROY_IF(cp);
+ this->status = XAUTH_OK;
+ this->public.task.process = _process_i_status;
+ return build_i_status(this, message);
+ default:
+ return FAILED;
 }
 message->add_payload(message, (payload_t *)cp);
 return NEED_MORE;
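Review bot: The new `case SUCCESS:` in `build_i` sets `XAUTH_OK` without writing anything to the log, so as far as this hunk shows, an IKE_SA that skipped the credential exchange reaches `COND_XAUTH_AUTHENTICATED` in `process_i_status` with no trace of how it got there. A line such as `DBG1(DBG_IKE, "XAuth concluded by backend without credential exchange");` before `this->status = XAUTH_OK;` would keep that visible to whoever audits authentication events. Separately, now that `cp` is initialised to NULL, the `default:` branch could call `DESTROY_IF(cp);` before `return FAILED;` in case a backend allocated a payload before failing; the backends' contract on that is not visible here. `build_i` continues past the end of the hunk.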
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
 return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
- private_xauth_t *this, message_t *message)
-{
- cp_payload_t *cp;
-
- cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
- if (!cp || cp->get_type(cp) != CFG_ACK)
- {
- DBG1(DBG_IKE, "received invalid XAUTH status response");
- return FAILED;
- }
- if (this->status != XAUTH_OK)
- {
- DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
- return FAILED;
- }
- if (!establish(this))
- {
- return FAILED;
- }
- this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
- lib->processor->queue_job(lib->processor, (job_t*)
- adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
- return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
 private_xauth_t *this, message_t *message)
 {