summaryrefslogtreecommitdiff
path: root/src/libpttls
diff options
context:
space:
mode:
Diffstat (limited to 'src/libpttls')
-rw-r--r--src/libpttls/Makefile.am12
-rw-r--r--src/libpttls/Makefile.in660
-rw-r--r--src/libpttls/pt_tls.c120
-rw-r--r--src/libpttls/pt_tls.h109
-rw-r--r--src/libpttls/pt_tls_client.c497
-rw-r--r--src/libpttls/pt_tls_client.h65
-rw-r--r--src/libpttls/pt_tls_dispatcher.c204
-rw-r--r--src/libpttls/pt_tls_dispatcher.h75
-rw-r--r--src/libpttls/pt_tls_server.c544
-rw-r--r--src/libpttls/pt_tls_server.h72
-rw-r--r--src/libpttls/sasl/sasl_mechanism.c92
-rw-r--r--src/libpttls/sasl/sasl_mechanism.h103
-rw-r--r--src/libpttls/sasl/sasl_plain/sasl_plain.c171
-rw-r--r--src/libpttls/sasl/sasl_plain/sasl_plain.h48
14 files changed, 2772 insertions, 0 deletions
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
new file mode 100644
index 000000000..48123181b
--- /dev/null
+++ b/src/libpttls/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+ -I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+ pt_tls_client.c pt_tls_client.h \
+ pt_tls_server.c pt_tls_server.h \
+ pt_tls_dispatcher.c pt_tls_dispatcher.h \
+ sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+ sasl/sasl_mechanism.c sasl/sasl_mechanism.h
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
new file mode 100644
index 000000000..aec424f1a
--- /dev/null
+++ b/src/libpttls/Makefile.in
@@ -0,0 +1,660 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libpttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la
+am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \
+ pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo
+libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libpttls_la_SOURCES)
+DIST_SOURCES = $(libpttls_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+ -I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+ pt_tls_client.c pt_tls_client.h \
+ pt_tls_server.c pt_tls_server.h \
+ pt_tls_dispatcher.c pt_tls_dispatcher.h \
+ sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+ sasl/sasl_mechanism.c sasl/sasl_mechanism.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpttls/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libpttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
+ }
+
+uninstall-ipseclibLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
+ done
+
+clean-ipseclibLTLIBRARIES:
+ -test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
+ @list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES)
+ $(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+sasl_plain.lo: sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+
+sasl_mechanism.lo: sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ set x; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipseclibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipseclibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am \
+ install-ipseclibLTLIBRARIES install-man install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c
new file mode 100644
index 000000000..0fee343b8
--- /dev/null
+++ b/src/libpttls/pt_tls.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+/*
+ * PT-TNC Message format:
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reserved | Message Type Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Length |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Identifier |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Value (e.g. PB-TNC Batch) . . . |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Read a chunk of data from TLS, returning a reader for it
+ */
+static bio_reader_t* read_tls(tls_socket_t *tls, size_t len)
+{
+ ssize_t got, total = 0;
+ char *buf;
+
+ buf = malloc(len);
+ while (total < len)
+ {
+ got = tls->read(tls, buf + total, len - total, TRUE);
+ if (got <= 0)
+ {
+ free(buf);
+ return NULL;
+ }
+ total += got;
+ }
+ return bio_reader_create_own(chunk_create(buf, len));
+}
+
+/**
+ * Read a PT-TLS message, return header data
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+ u_int32_t *type, u_int32_t *identifier)
+{
+ bio_reader_t *reader;
+ u_int32_t len;
+ u_int8_t reserved;
+
+ reader = read_tls(tls, PT_TLS_HEADER_LEN);
+ if (!reader)
+ {
+ return NULL;
+ }
+ if (!reader->read_uint8(reader, &reserved) ||
+ !reader->read_uint24(reader, vendor) ||
+ !reader->read_uint32(reader, type) ||
+ !reader->read_uint32(reader, &len) ||
+ !reader->read_uint32(reader, identifier))
+ {
+ reader->destroy(reader);
+ return NULL;
+ }
+ reader->destroy(reader);
+
+ if (len < PT_TLS_HEADER_LEN)
+ {
+ DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
+ return NULL;
+ }
+ return read_tls(tls, len - PT_TLS_HEADER_LEN);
+}
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+ pt_tls_message_type_t type, u_int32_t identifier)
+{
+ bio_writer_t *header;
+ ssize_t len;
+ chunk_t data;
+
+ data = writer->get_buf(writer);
+ len = PT_TLS_HEADER_LEN + data.len;
+ header = bio_writer_create(len);
+ header->write_uint8(header, 0);
+ header->write_uint24(header, 0);
+ header->write_uint32(header, type);
+ header->write_uint32(header, len);
+ header->write_uint32(header, identifier);
+
+ header->write_data(header, data);
+ writer->destroy(writer);
+
+ data = header->get_buf(header);
+ len = tls->write(tls, data.ptr, data.len);
+ header->destroy(header);
+
+ return len == data.len;
+}
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
new file mode 100644
index 000000000..cb8bde05c
--- /dev/null
+++ b/src/libpttls/pt_tls.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls pt_tls
+ *
+ * @addtogroup pt_tls
+ * @{
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+ PT_TLS_EXPERIMENTAL = 0,
+ PT_TLS_VERSION_REQUEST = 1,
+ PT_TLS_VERSION_RESPONSE = 2,
+ PT_TLS_SASL_MECHS = 3,
+ PT_TLS_SASL_MECH_SELECTION = 4,
+ PT_TLS_SASL_AUTH_DATA = 5,
+ PT_TLS_SASL_RESULT = 6,
+ PT_TLS_PB_TNC_BATCH = 7,
+ PT_TLS_ERROR = 8,
+};
+
+/**
+ * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
+ */
+enum pt_tls_sasl_result_t {
+ PT_TLS_SASL_RESULT_SUCCESS = 0,
+ PT_TLS_SASL_RESULT_FAILURE = 1,
+ PT_TLS_SASL_RESULT_ABORT = 2,
+ PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
+};
+
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+ /** don't require TLS client certificate or request SASL authentication */
+ PT_TLS_AUTH_NONE,
+ /** require TLS certificate authentication, no SASL */
+ PT_TLS_AUTH_TLS,
+ /** do SASL regardless of TLS certificate authentication */
+ PT_TLS_AUTH_SASL,
+ /* if client does not authenticate with a TLS certificate, request SASL */
+ PT_TLS_AUTH_TLS_OR_SASL,
+ /* require both, TLS certificate authentication and SASL */
+ PT_TLS_AUTH_TLS_AND_SASL,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls TLS socket to read from
+ * @param vendor receives Message Type Vendor ID from header
+ * @param type receives Message Type from header
+ * @param identifier receives Message Identifer
+ * @return reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+ u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls TLS socket to write to
+ * @param writer prepared Message value to write
+ * @param type Message Type to write
+ * @param identifier Message Identifier to write
+ * @return TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+ pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
new file mode 100644
index 000000000..d3ac936a2
--- /dev/null
+++ b/src/libpttls/pt_tls_client.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_client.h"
+#include "pt_tls.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <tls_socket.h>
+#include <utils/debug.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_client_t private_pt_tls_client_t;
+
+/**
+ * Private data of an pt_tls_client_t object.
+ */
+struct private_pt_tls_client_t {
+
+ /**
+ * Public pt_tls_client_t interface.
+ */
+ pt_tls_client_t public;
+
+ /**
+ * TLS secured socket used by PT-TLS
+ */
+ tls_socket_t *tls;
+
+ /**
+ * Server address/port
+ */
+ host_t *address;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Client authentication identity
+ */
+ identification_t *client;
+
+ /**
+ * Current PT-TLS message identifier
+ */
+ u_int32_t identifier;
+};
+
+/**
+ * Establish TLS secured TCP connection to TNC server
+ */
+static bool make_connection(private_pt_tls_client_t *this)
+{
+ int fd;
+
+ fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0);
+ if (fd == -1)
+ {
+ DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (connect(fd, this->address->get_sockaddr(this->address),
+ *this->address->get_sockaddr_len(this->address)) == -1)
+ {
+ DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno));
+ close(fd);
+ return FALSE;
+ }
+
+ this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+ if (!this->tls)
+ {
+ close(fd);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_client_t *this)
+{
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t type, vendor, identifier, reserved;
+ u_int8_t version;
+
+ DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
+
+ writer = bio_writer_create(4);
+ writer->write_uint8(writer, 0);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE ||
+ !reader->read_uint24(reader, &reserved) ||
+ !reader->read_uint8(reader, &version) ||
+ version != PT_TLS_VERSION)
+ {
+ DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ reader->destroy(reader);
+ return TRUE;
+}
+
+/**
+ * Run a SASL mechanism
+ */
+static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
+{
+ u_int32_t type, vendor, identifier;
+ u_int8_t result;
+ bio_reader_t *reader;
+ bio_writer_t *writer;
+ chunk_t data;
+
+ writer = bio_writer_create(32);
+ writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl)));
+ switch (sasl->build(sasl, &data))
+ {
+ case INVALID_STATE:
+ break;
+ case NEED_MORE:
+ writer->write_data(writer, data);
+ free(data.ptr);
+ break;
+ case SUCCESS:
+ /* shouldn't happen */
+ free(data.ptr);
+ /* FALL */
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FAILED;
+ }
+ if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION,
+ this->identifier++))
+ {
+ return FAILED;
+ }
+ while (TRUE)
+ {
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FAILED;
+ }
+ if (vendor != 0)
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ switch (type)
+ {
+ case PT_TLS_SASL_AUTH_DATA:
+ switch (sasl->process(sasl, reader->peek(reader)))
+ {
+ case NEED_MORE:
+ reader->destroy(reader);
+ break;
+ case SUCCESS:
+ /* should not happen, as it would come in a RESULT */
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FAILED;
+ }
+ break;
+ case PT_TLS_SASL_RESULT:
+ if (!reader->read_uint8(reader, &result))
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ switch (result)
+ {
+ case PT_TLS_SASL_RESULT_ABORT:
+ DBG1(DBG_TNC, "received SASL abort result");
+ reader->destroy(reader);
+ return FAILED;
+ case PT_TLS_SASL_RESULT_SUCCESS:
+ DBG1(DBG_TNC, "received SASL success result");
+ switch (sasl->process(sasl, reader->peek(reader)))
+ {
+ case SUCCESS:
+ reader->destroy(reader);
+ return SUCCESS;
+ case NEED_MORE:
+ /* inacceptable, it won't get more. FALL */
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FAILED;
+ }
+ break;
+ case PT_TLS_SASL_RESULT_MECH_FAILURE:
+ case PT_TLS_SASL_RESULT_FAILURE:
+ DBG1(DBG_TNC, "received SASL failure result");
+ /* non-fatal failure, try again */
+ reader->destroy(reader);
+ return NEED_MORE;
+ }
+ /* fall-through */
+ default:
+ reader->destroy(reader);
+ return FAILED;
+ }
+
+ writer = bio_writer_create(32);
+ switch (sasl->build(sasl, &data))
+ {
+ case INVALID_STATE:
+ break;
+ case SUCCESS:
+ /* shoudln't happen, continue until we get a result */
+ case NEED_MORE:
+ writer->write_data(writer, data);
+ free(data.ptr);
+ break;
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FAILED;
+ }
+ if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+ this->identifier++))
+ {
+ return FAILED;
+ }
+ }
+}
+
+/**
+ * Read SASL mechanism list, select and run mechanism
+ */
+static status_t select_and_do_sasl(private_pt_tls_client_t *this)
+{
+ bio_reader_t *reader;
+ sasl_mechanism_t *sasl = NULL;
+ u_int32_t type, vendor, identifier;
+ u_int8_t len;
+ chunk_t chunk;
+ char buf[21];
+ status_t status = NEED_MORE;
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FAILED;
+ }
+ if (vendor != 0 || type != PT_TLS_SASL_MECHS)
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ if (!reader->remaining(reader))
+ { /* mechanism list empty, SASL completed */
+ DBG1(DBG_TNC, "PT-TLS authentication complete");
+ reader->destroy(reader);
+ return SUCCESS;
+ }
+ while (reader->remaining(reader))
+ {
+ if (!reader->read_uint8(reader, &len) ||
+ !reader->read_data(reader, len & 0x1F, &chunk))
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+ sasl = sasl_mechanism_create(buf, this->client);
+ if (sasl)
+ {
+ break;
+ }
+ }
+ reader->destroy(reader);
+
+ if (!sasl)
+ {
+ /* TODO: send PT-TLS error (5) */
+ return FAILED;
+ }
+ while (status == NEED_MORE)
+ {
+ status = do_sasl(this, sasl);
+ }
+ sasl->destroy(sasl);
+ if (status == SUCCESS)
+ { /* continue until we receive empty SASL mechanism list */
+ return NEED_MORE;
+ }
+ return FAILED;
+}
+
+/**
+ * Authenticate session using SASL
+ */
+static bool authenticate(private_pt_tls_client_t *this)
+{
+ while (TRUE)
+ {
+ switch (select_and_do_sasl(this))
+ {
+ case NEED_MORE:
+ continue;
+ case SUCCESS:
+ return TRUE;
+ case FAILED:
+ default:
+ return FALSE;
+ }
+ }
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
+{
+ while (TRUE)
+ {
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t vendor, type, identifier;
+ chunk_t data;
+
+ writer = bio_writer_create(32);
+ while (TRUE)
+ {
+ char buf[2048];
+ size_t buflen, msglen;
+
+ buflen = sizeof(buf);
+ switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+ {
+ case SUCCESS:
+ writer->destroy(writer);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FALSE;
+ case INVALID_STATE:
+ writer->destroy(writer);
+ break;
+ case NEED_MORE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ continue;
+ case ALREADY_DONE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+ writer = bio_writer_create(32);
+ continue;
+ }
+ break;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor == 0)
+ {
+ if (type == PT_TLS_ERROR)
+ {
+ DBG1(DBG_TNC, "received PT-TLS error");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ if (type != PT_TLS_PB_TNC_BATCH)
+ {
+ DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ reader->destroy(reader);
+ return FALSE;
+ }
+ data = reader->peek(reader);
+ switch (tnccs->process(tnccs, data.ptr, data.len))
+ {
+ case SUCCESS:
+ reader->destroy(reader);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FALSE;
+ case NEED_MORE:
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ }
+ reader->destroy(reader);
+ }
+}
+
+METHOD(pt_tls_client_t, run_assessment, status_t,
+ private_pt_tls_client_t *this, tnccs_t *tnccs)
+{
+ if (!this->tls)
+ {
+ if (!make_connection(this))
+ {
+ return FAILED;
+ }
+ }
+ if (!negotiate_version(this))
+ {
+ return FAILED;
+ }
+ if (!authenticate(this))
+ {
+ return FAILED;
+ }
+ if (!assess(this, (tls_t*)tnccs))
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+
+METHOD(pt_tls_client_t, destroy, void,
+ private_pt_tls_client_t *this)
+{
+ if (this->tls)
+ {
+ int fd;
+
+ fd = this->tls->get_fd(this->tls);
+ this->tls->destroy(this->tls);
+ close(fd);
+ }
+ this->address->destroy(this->address);
+ this->server->destroy(this->server);
+ this->client->destroy(this->client);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+ identification_t *client)
+{
+ private_pt_tls_client_t *this;
+
+ INIT(this,
+ .public = {
+ .run_assessment = _run_assessment,
+ .destroy = _destroy,
+ },
+ .address = address,
+ .server = server,
+ .client = client,
+ );
+
+ return &this->public;
+}
diff --git a/src/libpttls/pt_tls_client.h b/src/libpttls/pt_tls_client.h
new file mode 100644
index 000000000..1d418d181
--- /dev/null
+++ b/src/libpttls/pt_tls_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_client pt_tls_client
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CLIENT_H_
+#define PT_TLS_CLIENT_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_client_t pt_tls_client_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport client.
+ */
+struct pt_tls_client_t {
+
+ /**
+ * Perform an assessment.
+ *
+ * @param tnccs upper layer TNC client used for assessment
+ * @return status of assessment
+ */
+ status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs);
+
+ /**
+ * Destroy a pt_tls_client_t.
+ */
+ void (*destroy)(pt_tls_client_t *this);
+};
+
+/**
+ * Create a pt_tls_client instance.
+ *
+ * The client identity is used for:
+ * - TLS authentication if an appropirate certificate is found
+ * - SASL authentication if requested from the server
+ *
+ * @param address address/port to run assessments against, gets owned
+ * @param server server identity to use for authentication, gets owned
+ * @param client client identity to use for authentication, gets owned
+ * @return PT-TLS context
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+ identification_t *client);
+
+#endif /** PT_TLS_CLIENT_H_ @}*/
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
new file mode 100644
index 000000000..469951616
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_dispatcher.h"
+#include "pt_tls_server.h"
+
+#include <threading/thread.h>
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t;
+
+/**
+ * Private data of an pt_tls_dispatcher_t object.
+ */
+struct private_pt_tls_dispatcher_t {
+
+ /**
+ * Public pt_tls_dispatcher_t interface.
+ */
+ pt_tls_dispatcher_t public;
+
+ /**
+ * Listening socket
+ */
+ int fd;
+
+ /**
+ * Client authentication requirements
+ */
+ pt_tls_auth_t auth;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * TNCCS protocol handler constructor
+ */
+ pt_tls_tnccs_constructor_t *create;
+};
+
+/**
+ * Open listening server socket
+ */
+static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host)
+{
+ this->fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (this->fd == -1)
+ {
+ DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (bind(this->fd, host->get_sockaddr(host),
+ *host->get_sockaddr_len(host)) == -1)
+ {
+ DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (listen(this->fd, 5) == -1)
+ {
+ DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Handle a single PT-TLS client connection
+ */
+static job_requeue_t handle(pt_tls_server_t *connection)
+{
+ while (TRUE)
+ {
+ switch (connection->handle(connection))
+ {
+ case NEED_MORE:
+ continue;
+ case FAILED:
+ case SUCCESS:
+ default:
+ break;
+ }
+ break;
+ }
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up connection state
+ */
+static void cleanup(pt_tls_server_t *connection)
+{
+ int fd;
+
+ fd = connection->get_fd(connection);
+ connection->destroy(connection);
+ close(fd);
+}
+
+METHOD(pt_tls_dispatcher_t, dispatch, void,
+ private_pt_tls_dispatcher_t *this,
+ pt_tls_tnccs_constructor_t *create)
+{
+ while (TRUE)
+ {
+ pt_tls_server_t *connection;
+ tnccs_t *tnccs;
+ bool old;
+ int fd;
+
+ old = thread_cancelability(TRUE);
+ fd = accept(this->fd, NULL, NULL);
+ thread_cancelability(old);
+ if (fd == -1)
+ {
+ DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno));
+ continue;
+ }
+
+ tnccs = create(this->server, this->peer);
+ if (!tnccs)
+ {
+ close(fd);
+ continue;
+ }
+ connection = pt_tls_server_create(this->server, fd, this->auth, tnccs);
+ if (!connection)
+ {
+ close(fd);
+ continue;
+ }
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ connection, (void*)cleanup,
+ (callback_job_cancel_t)return_false,
+ JOB_PRIO_CRITICAL));
+ }
+}
+
+METHOD(pt_tls_dispatcher_t, destroy, void,
+ private_pt_tls_dispatcher_t *this)
+{
+ if (this->fd != -1)
+ {
+ close(this->fd);
+ }
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+ identification_t *id, pt_tls_auth_t auth)
+{
+ private_pt_tls_dispatcher_t *this;
+
+ INIT(this,
+ .public = {
+ .dispatch = _dispatch,
+ .destroy = _destroy,
+ },
+ .server = id,
+ /* we currently don't authenticate the peer, use %any identity */
+ .peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+ .fd = -1,
+ .auth = auth,
+ );
+
+ if (!open_socket(this, address))
+ {
+ address->destroy(address);
+ destroy(this);
+ return NULL;
+ }
+ address->destroy(address);
+
+ return &this->public;
+}
diff --git a/src/libpttls/pt_tls_dispatcher.h b/src/libpttls/pt_tls_dispatcher.h
new file mode 100644
index 000000000..080197263
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_dispatcher pt_tls_dispatcher
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_DISPATCHER_H_
+#define PT_TLS_DISPATCHER_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
+
+/**
+ * Constructor callback to create TNCCS to use within PT-TLS.
+ *
+ * @param server server identity
+ * @param peer peer identity
+ */
+typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server,
+ identification_t *peer);
+
+/**
+ * PT-TLS dispatcher service, handles PT-TLS connections as a server.
+ */
+struct pt_tls_dispatcher_t {
+
+ /**
+ * Dispatch and handle PT-TLS connections.
+ *
+ * This call is blocking and a thread cancellation point. The passed
+ * constructor gets called for each dispatched connection.
+ *
+ * @param create TNCCS constructor function to use
+ */
+ void (*dispatch)(pt_tls_dispatcher_t *this,
+ pt_tls_tnccs_constructor_t *create);
+
+ /**
+ * Destroy a pt_tls_dispatcher_t.
+ */
+ void (*destroy)(pt_tls_dispatcher_t *this);
+};
+
+/**
+ * Create a pt_tls_dispatcher instance.
+ *
+ * @param address server address with port to listen on, gets owned
+ * @param id TLS server identity, gets owned
+ * @param auth client authentication to perform
+ * @return dispatcher service
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+ identification_t *id, pt_tls_auth_t auth);
+
+#endif /** PT_TLS_DISPATCHER_H_ @}*/
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
new file mode 100644
index 000000000..3e134f0dd
--- /dev/null
+++ b/src/libpttls/pt_tls_server.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_server.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <utils/debug.h>
+
+typedef struct private_pt_tls_server_t private_pt_tls_server_t;
+
+/**
+ * Private data of an pt_tls_server_t object.
+ */
+struct private_pt_tls_server_t {
+
+ /**
+ * Public pt_tls_server_t interface.
+ */
+ pt_tls_server_t public;
+
+ /**
+ * TLS protected socket
+ */
+ tls_socket_t *tls;
+
+ /**
+ * Client authentication requirements
+ */
+ pt_tls_auth_t auth;
+
+ enum {
+ /* expecting version negotiation */
+ PT_TLS_SERVER_VERSION,
+ /* expecting an SASL exchange */
+ PT_TLS_SERVER_AUTH,
+ /* expecting TNCCS exchange */
+ PT_TLS_SERVER_TNCCS,
+ /* terminating state */
+ PT_TLS_SERVER_END,
+ } state;
+
+ /**
+ * Message Identifier
+ */
+ u_int32_t identifier;
+
+ /**
+ * TNCCS protocol handler, implemented as tls_t
+ */
+ tls_t *tnccs;
+};
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_server_t *this)
+{
+ bio_reader_t *reader;
+ bio_writer_t *writer;
+ u_int32_t vendor, type, identifier;
+ u_int8_t reserved, vmin, vmax, vpref;
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor != 0 || type != PT_TLS_VERSION_REQUEST ||
+ !reader->read_uint8(reader, &reserved) ||
+ !reader->read_uint8(reader, &vmin) ||
+ !reader->read_uint8(reader, &vmax) ||
+ !reader->read_uint8(reader, &vpref))
+ {
+ DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ reader->destroy(reader);
+
+ if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION)
+ {
+ /* TODO: send error */
+ return FALSE;
+ }
+
+ writer = bio_writer_create(4);
+ writer->write_uint24(writer, 0);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+
+ return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
+ this->identifier++);
+}
+
+/**
+ * Process SASL data, send result
+ */
+static status_t process_sasl(private_pt_tls_server_t *this,
+ sasl_mechanism_t *sasl, chunk_t data)
+{
+ bio_writer_t *writer;
+
+ switch (sasl->process(sasl, data))
+ {
+ case NEED_MORE:
+ return NEED_MORE;
+ case SUCCESS:
+ DBG1(DBG_TNC, "SASL %s authentication successful",
+ sasl->get_name(sasl));
+ writer = bio_writer_create(1);
+ writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+ if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+ this->identifier++))
+ {
+ return SUCCESS;
+ }
+ return FAILED;
+ case FAILED:
+ default:
+ DBG1(DBG_TNC, "SASL %s authentication failed",
+ sasl->get_name(sasl));
+ writer = bio_writer_create(1);
+ /* sending abort does not allow the client to retry */
+ writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+ pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+ this->identifier++);
+ return FAILED;
+ }
+}
+
+/**
+ * Read a SASL message and process it
+ */
+static status_t read_sasl(private_pt_tls_server_t *this,
+ sasl_mechanism_t *sasl)
+{
+ u_int32_t vendor, type, identifier;
+ bio_reader_t *reader;
+ status_t status;
+ chunk_t data;
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FAILED;
+ }
+ if (vendor != 0 || type != PT_TLS_SASL_AUTH_DATA ||
+ !reader->read_data(reader, reader->remaining(reader), &data))
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ status = process_sasl(this, sasl, data);
+ reader->destroy(reader);
+ return status;
+}
+
+/**
+ * Build and write SASL message, or result message
+ */
+static status_t write_sasl(private_pt_tls_server_t *this,
+ sasl_mechanism_t *sasl)
+{
+ bio_writer_t *writer;
+ chunk_t chunk;
+
+ switch (sasl->build(sasl, &chunk))
+ {
+ case NEED_MORE:
+ writer = bio_writer_create(chunk.len);
+ writer->write_data(writer, chunk);
+ free(chunk.ptr);
+ if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+ this->identifier++))
+ {
+ return NEED_MORE;
+ }
+ return FAILED;
+ case SUCCESS:
+ DBG1(DBG_TNC, "SASL %s authentication successful",
+ sasl->get_name(sasl));
+ writer = bio_writer_create(1 + chunk.len);
+ writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+ writer->write_data(writer, chunk);
+ free(chunk.ptr);
+ if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+ this->identifier++))
+ {
+ return SUCCESS;
+ }
+ return FAILED;
+ case FAILED:
+ default:
+ DBG1(DBG_TNC, "SASL %s authentication failed",
+ sasl->get_name(sasl));
+ writer = bio_writer_create(1);
+ /* sending abort does not allow the client to retry */
+ writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+ pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+ this->identifier++);
+ return FAILED;
+ }
+}
+
+/**
+ * Send the list of supported SASL mechanisms
+ */
+static bool send_sasl_mechs(private_pt_tls_server_t *this)
+{
+ enumerator_t *enumerator;
+ bio_writer_t *writer = NULL;
+ char *name;
+
+ enumerator = sasl_mechanism_create_enumerator(TRUE);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ if (!writer)
+ {
+ writer = bio_writer_create(32);
+ }
+ DBG1(DBG_TNC, "offering SASL %s", name);
+ writer->write_data8(writer, chunk_from_str(name));
+ }
+ enumerator->destroy(enumerator);
+
+ if (!writer)
+ { /* no mechanisms available? */
+ return FALSE;
+ }
+ return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+ this->identifier++);
+}
+
+/**
+ * Read the selected SASL mechanism, and process piggybacked data
+ */
+static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
+ sasl_mechanism_t **out)
+{
+ u_int32_t vendor, type, identifier;
+ sasl_mechanism_t *sasl;
+ bio_reader_t *reader;
+ chunk_t chunk;
+ u_int8_t len;
+ char buf[21];
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FAILED;
+ }
+ if (vendor != 0 || type != PT_TLS_SASL_MECH_SELECTION ||
+ !reader->read_uint8(reader, &len) ||
+ !reader->read_data(reader, len & 0x1F, &chunk))
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+
+ DBG1(DBG_TNC, "client starts SASL %s authentication", buf);
+
+ sasl = sasl_mechanism_create(buf, NULL);
+ if (!sasl)
+ {
+ reader->destroy(reader);
+ return FAILED;
+ }
+ /* initial SASL data piggybacked? */
+ if (reader->remaining(reader))
+ {
+ switch (process_sasl(this, sasl, reader->peek(reader)))
+ {
+ case NEED_MORE:
+ break;
+ case SUCCESS:
+ reader->destroy(reader);
+ *out = sasl;
+ return SUCCESS;
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ sasl->destroy(sasl);
+ return FAILED;
+ }
+ }
+ reader->destroy(reader);
+ *out = sasl;
+ return NEED_MORE;
+}
+
+/**
+ * Do a single SASL exchange
+ */
+static bool do_sasl(private_pt_tls_server_t *this)
+{
+ sasl_mechanism_t *sasl;
+ status_t status;
+
+ switch (this->auth)
+ {
+ case PT_TLS_AUTH_NONE:
+ return TRUE;
+ case PT_TLS_AUTH_TLS:
+ if (this->tls->get_peer_id(this->tls))
+ {
+ return TRUE;
+ }
+ DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ return FALSE;
+ case PT_TLS_AUTH_SASL:
+ break;
+ case PT_TLS_AUTH_TLS_OR_SASL:
+ if (this->tls->get_peer_id(this->tls))
+ {
+ DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
+ "certificate");
+ return TRUE;
+ }
+ break;
+ case PT_TLS_AUTH_TLS_AND_SASL:
+ default:
+ if (!this->tls->get_peer_id(this->tls))
+ {
+ DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ return FALSE;
+ }
+ break;
+ }
+
+ if (!send_sasl_mechs(this))
+ {
+ return FALSE;
+ }
+ status = read_sasl_mech_selection(this, &sasl);
+ if (status == FAILED)
+ {
+ return FALSE;
+ }
+ while (status == NEED_MORE)
+ {
+ status = write_sasl(this, sasl);
+ if (status == NEED_MORE)
+ {
+ status = read_sasl(this, sasl);
+ }
+ }
+ sasl->destroy(sasl);
+ return status == SUCCESS;
+}
+
+/**
+ * Authenticated PT-TLS session with a single SASL method
+ */
+static bool authenticate(private_pt_tls_server_t *this)
+{
+ if (do_sasl(this))
+ {
+ /* complete SASL with emtpy mechanism list */
+ bio_writer_t *writer;
+
+ writer = bio_writer_create(0);
+ return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+ this->identifier++);
+ }
+ return FALSE;
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+{
+ while (TRUE)
+ {
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t vendor, type, identifier;
+ chunk_t data;
+
+ writer = bio_writer_create(32);
+ while (TRUE)
+ {
+ char buf[2048];
+ size_t buflen, msglen;
+
+ buflen = sizeof(buf);
+ switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+ {
+ case SUCCESS:
+ writer->destroy(writer);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FALSE;
+ case INVALID_STATE:
+ writer->destroy(writer);
+ break;
+ case NEED_MORE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ continue;
+ case ALREADY_DONE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+ writer = bio_writer_create(32);
+ continue;
+ }
+ break;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor == 0)
+ {
+ if (type == PT_TLS_ERROR)
+ {
+ DBG1(DBG_TNC, "received PT-TLS error");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ if (type != PT_TLS_PB_TNC_BATCH)
+ {
+ DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ reader->destroy(reader);
+ return FALSE;
+ }
+ data = reader->peek(reader);
+ switch (tnccs->process(tnccs, data.ptr, data.len))
+ {
+ case SUCCESS:
+ reader->destroy(reader);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FALSE;
+ case NEED_MORE:
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ }
+ reader->destroy(reader);
+ }
+}
+
+METHOD(pt_tls_server_t, handle, status_t,
+ private_pt_tls_server_t *this)
+{
+ switch (this->state)
+ {
+ case PT_TLS_SERVER_VERSION:
+ if (!negotiate_version(this))
+ {
+ return FAILED;
+ }
+ DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
+ this->state = PT_TLS_SERVER_AUTH;
+ break;
+ case PT_TLS_SERVER_AUTH:
+ if (!authenticate(this))
+ {
+ return FAILED;
+ }
+ this->state = PT_TLS_SERVER_TNCCS;
+ break;
+ case PT_TLS_SERVER_TNCCS:
+ if (!assess(this, (tls_t*)this->tnccs))
+ {
+ return FAILED;
+ }
+ this->state = PT_TLS_SERVER_END;
+ return SUCCESS;
+ default:
+ return FAILED;
+ }
+ return NEED_MORE;
+}
+
+METHOD(pt_tls_server_t, get_fd, int,
+ private_pt_tls_server_t *this)
+{
+ return this->tls->get_fd(this->tls);
+}
+
+METHOD(pt_tls_server_t, destroy, void,
+ private_pt_tls_server_t *this)
+{
+ this->tnccs->destroy(this->tnccs);
+ this->tls->destroy(this->tls);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+ pt_tls_auth_t auth, tnccs_t *tnccs)
+{
+ private_pt_tls_server_t *this;
+
+ INIT(this,
+ .public = {
+ .handle = _handle,
+ .get_fd = _get_fd,
+ .destroy = _destroy,
+ },
+ .state = PT_TLS_SERVER_VERSION,
+ .tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+ .tnccs = (tls_t*)tnccs,
+ .auth = auth,
+ );
+
+ if (!this->tls)
+ {
+ this->tnccs->destroy(this->tnccs);
+ free(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
diff --git a/src/libpttls/pt_tls_server.h b/src/libpttls/pt_tls_server.h
new file mode 100644
index 000000000..3e18aee8f
--- /dev/null
+++ b/src/libpttls/pt_tls_server.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_server pt_tls_server
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_SERVER_H_
+#define PT_TLS_SERVER_H_
+
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_server_t pt_tls_server_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport server.
+ */
+struct pt_tls_server_t {
+
+ /**
+ * Handle assessment data read from socket.
+ *
+ * @return
+ * - NEED_MORE if more exchanges required,
+ * - SUCCESS if assessment complete
+ * - FAILED if assessment failed
+ */
+ status_t (*handle)(pt_tls_server_t *this);
+
+ /**
+ * Get the underlying client connection socket.
+ *
+ * @return socket fd, suitable to select()
+ */
+ int (*get_fd)(pt_tls_server_t *this);
+
+ /**
+ * Destroy a pt_tls_server_t.
+ */
+ void (*destroy)(pt_tls_server_t *this);
+};
+
+/**
+ * Create a pt_tls_server connection instance.
+ *
+ * @param server TLS server identity
+ * @param fd client connection socket
+ * @param auth client authentication requirements
+ * @param tnccs inner TNCCS protocol handler to use for this connection
+ * @return PT-TLS server
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+ pt_tls_auth_t auth, tnccs_t *tnccs);
+
+#endif /** PT_TLS_SERVER_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c
new file mode 100644
index 000000000..05a02e56d
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_mechanism.h"
+
+#include "sasl_plain/sasl_plain.h"
+
+/**
+ * Available SASL mechanisms.
+ */
+static struct {
+ char *name;
+ bool server;
+ sasl_mechanism_constructor_t create;
+} mechs[] = {
+ { "PLAIN", TRUE, (sasl_mechanism_constructor_t)sasl_plain_create },
+ { "PLAIN", FALSE, (sasl_mechanism_constructor_t)sasl_plain_create },
+};
+
+/**
+ * See header.
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client)
+{
+ int i;
+
+ for (i = 0; i < countof(mechs); i++)
+ {
+ if (streq(mechs[i].name, name) && mechs[i].server == (client == NULL))
+ {
+ return mechs[i].create(name, client);
+ }
+ }
+ return NULL;
+}
+
+/**
+ * SASL mechanism enumerator
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** looking for client or server? */
+ bool server;
+ /** position in mechs[] */
+ int i;
+} mech_enumerator_t;
+
+METHOD(enumerator_t, mech_enumerate, bool,
+ mech_enumerator_t *this, char **name)
+{
+ while (this->i < countof(mechs))
+ {
+ if (mechs[this->i].server == this->server)
+ {
+ *name = mechs[this->i].name;
+ this->i++;
+ return TRUE;
+ }
+ this->i++;
+ }
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server)
+{
+ mech_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_mech_enumerate,
+ .destroy = (void*)free,
+ },
+ .server = server,
+ );
+ return &enumerator->public;
+}
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
new file mode 100644
index 000000000..1a23a119e
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_mechanism sasl_mechanism
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_MECHANISM_H_
+#define SASL_MECHANISM_H_
+
+typedef struct sasl_mechanism_t sasl_mechanism_t;
+
+#include <library.h>
+
+/**
+ * Constructor function for SASL mechansims.
+ *
+ * @param name name of the requested SASL mechanism
+ * @param client client identity, NULL to act as server
+ * @return SASL mechanism, NULL on failure
+ */
+typedef sasl_mechanism_t*(*sasl_mechanism_constructor_t)(char *name,
+ identification_t *client);
+
+/**
+ * Generic interface for SASL mechanisms.
+ */
+struct sasl_mechanism_t {
+
+ /**
+ * Get the name of this SASL mechanism.
+ *
+ * @return name of SASL mechanism
+ */
+ char* (*get_name)(sasl_mechanism_t *this);
+
+ /**
+ * Build a SASL message to send to remote host.
+ *
+ * A message is returned if the return value is NEED_MORE or SUCCESS. A
+ * client MUST NOT return SUCCESS in build(), as the final message
+ * is always from server to client (even if it is an empty result message).
+ *
+ * @param message receives allocated SASL message, to free
+ * @return
+ * - FAILED if mechanism failed
+ * - NEED_MORE if additional exchanges required
+ * - INVALID_STATE if currently nothing to build
+ * - SUCCESS if mechanism authenticated successfully
+ */
+ status_t (*build)(sasl_mechanism_t *this, chunk_t *message);
+
+ /**
+ * Process a SASL message received from remote host.
+ *
+ * If a server returns SUCCESS during process(), an empty result message
+ * is sent to complete the SASL exchange.
+ *
+ * @param message received SASL message to process
+ * @return
+ * - FAILED if mechanism failed
+ * - NEED_MORE if additional exchanges required
+ * - SUCCESS if mechanism authenticated successfully
+ */
+ status_t (*process)(sasl_mechanism_t *this, chunk_t message);
+
+ /**
+ * Destroy a sasl_mechanism_t.
+ */
+ void (*destroy)(sasl_mechanism_t *this);
+};
+
+/**
+ * Create a sasl_mechanism instance.
+ *
+ * @param name name of SASL mechanism to create
+ * @param client client identity, NULL to act as server
+ * @return SASL mechanism instance, NULL if not found
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client);
+
+/**
+ * Create an enumerator over supported SASL mechanism names.
+ *
+ * @param server TRUE for server instance, FALSE for client
+ * @return enumerator over char*
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server);
+
+#endif /** SASL_MECHANISM_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644
index 000000000..e8d6dc80b
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+ /**
+ * Public sasl_plain_t interface.
+ */
+ sasl_plain_t public;
+
+ /**
+ * Client identity
+ */
+ identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+ private_sasl_plain_t *this)
+{
+ return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+ private_sasl_plain_t *this, chunk_t *message)
+{
+ /* gets never called */
+ return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+ private_sasl_plain_t *this, chunk_t message)
+{
+ chunk_t authz, authi, password;
+ identification_t *id;
+ shared_key_t *shared;
+ u_char *pos;
+
+ pos = memchr(message.ptr, 0, message.len);
+ if (!pos)
+ {
+ DBG1(DBG_CFG, "invalid authz encoding");
+ return FAILED;
+ }
+ authz = chunk_create(message.ptr, pos - message.ptr);
+ message = chunk_skip(message, authz.len + 1);
+ pos = memchr(message.ptr, 0, message.len);
+ if (!pos)
+ {
+ DBG1(DBG_CFG, "invalid authi encoding");
+ return FAILED;
+ }
+ authi = chunk_create(message.ptr, pos - message.ptr);
+ password = chunk_skip(message, authi.len + 1);
+ id = identification_create_from_data(authi);
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+ if (!shared)
+ {
+ DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+ id->destroy(id);
+ return FAILED;
+ }
+ if (!chunk_equals(shared->get_key(shared), password))
+ {
+ DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+ id->destroy(id);
+ shared->destroy(shared);
+ return FAILED;
+ }
+ id->destroy(id);
+ shared->destroy(shared);
+ return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+ private_sasl_plain_t *this, chunk_t *message)
+{
+ shared_key_t *shared;
+ chunk_t password;
+ char buf[256];
+ ssize_t len;
+
+ /* we currently use the EAP type of shared secret */
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+ this->client, NULL);
+ if (!shared)
+ {
+ DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+ return FAILED;
+ }
+
+ password = shared->get_key(shared);
+ len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+ "", 0, this->client, 0,
+ (int)password.len, password.ptr);
+ if (len < 0 || len >= sizeof(buf))
+ {
+ return FAILED;
+ }
+ *message = chunk_clone(chunk_create(buf, len));
+ return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+ private_sasl_plain_t *this, chunk_t message)
+{
+ /* if the server sends a result, authentication successful */
+ return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+ private_sasl_plain_t *this)
+{
+ DESTROY_IF(this->client);
+ free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+ private_sasl_plain_t *this;
+
+ if (!streq(get_name(NULL), name))
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .sasl = {
+ .get_name = _get_name,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ if (client)
+ {
+ this->public.sasl.build = _build_client;
+ this->public.sasl.process = _process_client;
+ this->client = client->clone(client);
+ }
+ else
+ {
+ this->public.sasl.build = _build_server;
+ this->public.sasl.process = _process_server;
+ }
+ return &this->public;
+}
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644
index 000000000..08b7fc76f
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+ /**
+ * Implements sasl_mechanism_t
+ */
+ sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name name of mechanism, must be "PLAIN"
+ * @param client client identity, NULL to act as server
+ * @return mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/