diff options
Diffstat (limited to 'src/libpttls')
-rw-r--r-- | src/libpttls/Makefile.am | 12 | ||||
-rw-r--r-- | src/libpttls/Makefile.in | 660 | ||||
-rw-r--r-- | src/libpttls/pt_tls.c | 120 | ||||
-rw-r--r-- | src/libpttls/pt_tls.h | 109 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 497 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.h | 65 | ||||
-rw-r--r-- | src/libpttls/pt_tls_dispatcher.c | 204 | ||||
-rw-r--r-- | src/libpttls/pt_tls_dispatcher.h | 75 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 544 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.h | 72 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_mechanism.c | 92 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_mechanism.h | 103 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.c | 171 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.h | 48 |
14 files changed, 2772 insertions, 0 deletions
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am new file mode 100644 index 000000000..48123181b --- /dev/null +++ b/src/libpttls/Makefile.am @@ -0,0 +1,12 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \ + -I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs + +ipseclib_LTLIBRARIES = libpttls.la +libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libpttls_la_SOURCES = pt_tls.c pt_tls.h \ + pt_tls_client.c pt_tls_client.h \ + pt_tls_server.c pt_tls_server.h \ + pt_tls_dispatcher.c pt_tls_dispatcher.h \ + sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \ + sasl/sasl_mechanism.c sasl/sasl_mechanism.h diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in new file mode 100644 index 000000000..aec424f1a --- /dev/null +++ b/src/libpttls/Makefile.in @@ -0,0 +1,660 @@ +# Makefile.in generated by automake 1.11.6 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libpttls +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(ipseclibdir)" +LTLIBRARIES = $(ipseclib_LTLIBRARIES) +libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la +am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \ + pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo +libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libpttls_la_SOURCES) +DIST_SOURCES = $(libpttls_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \ + -I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs + +ipseclib_LTLIBRARIES = libpttls.la +libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libpttls_la_SOURCES = pt_tls.c pt_tls.h \ + pt_tls_client.c pt_tls_client.h \ + pt_tls_server.c pt_tls_server.h \ + pt_tls_dispatcher.c pt_tls_dispatcher.h \ + sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \ + sasl/sasl_mechanism.c sasl/sasl_mechanism.h + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpttls/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libpttls/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \ + } + +uninstall-ipseclibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \ + done + +clean-ipseclibLTLIBRARIES: + -test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES) + @list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) + $(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +sasl_plain.lo: sasl/sasl_plain/sasl_plain.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c + +sasl_mechanism.lo: sasl/sasl_mechanism.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(ipseclibdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-ipseclibLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-ipseclibLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-ipseclibLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c new file mode 100644 index 000000000..0fee343b8 --- /dev/null +++ b/src/libpttls/pt_tls.c @@ -0,0 +1,120 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pt_tls.h" + +#include <utils/debug.h> + +/* + * PT-TNC Message format: + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Message Type Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Message Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Message Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Message Identifier | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Message Value (e.g. PB-TNC Batch) . . . | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +/** + * Read a chunk of data from TLS, returning a reader for it + */ +static bio_reader_t* read_tls(tls_socket_t *tls, size_t len) +{ + ssize_t got, total = 0; + char *buf; + + buf = malloc(len); + while (total < len) + { + got = tls->read(tls, buf + total, len - total, TRUE); + if (got <= 0) + { + free(buf); + return NULL; + } + total += got; + } + return bio_reader_create_own(chunk_create(buf, len)); +} + +/** + * Read a PT-TLS message, return header data + */ +bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor, + u_int32_t *type, u_int32_t *identifier) +{ + bio_reader_t *reader; + u_int32_t len; + u_int8_t reserved; + + reader = read_tls(tls, PT_TLS_HEADER_LEN); + if (!reader) + { + return NULL; + } + if (!reader->read_uint8(reader, &reserved) || + !reader->read_uint24(reader, vendor) || + !reader->read_uint32(reader, type) || + !reader->read_uint32(reader, &len) || + !reader->read_uint32(reader, identifier)) + { + reader->destroy(reader); + return NULL; + } + reader->destroy(reader); + + if (len < PT_TLS_HEADER_LEN) + { + DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len); + return NULL; + } + return read_tls(tls, len - PT_TLS_HEADER_LEN); +} + +/** + * Prepend a PT-TLS header to a writer, send data, destroy writer + */ +bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer, + pt_tls_message_type_t type, u_int32_t identifier) +{ + bio_writer_t *header; + ssize_t len; + chunk_t data; + + data = writer->get_buf(writer); + len = PT_TLS_HEADER_LEN + data.len; + header = bio_writer_create(len); + header->write_uint8(header, 0); + header->write_uint24(header, 0); + header->write_uint32(header, type); + header->write_uint32(header, len); + header->write_uint32(header, identifier); + + header->write_data(header, data); + writer->destroy(writer); + + data = header->get_buf(header); + len = tls->write(tls, data.ptr, data.len); + header->destroy(header); + + return len == data.len; +} diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h new file mode 100644 index 000000000..cb8bde05c --- /dev/null +++ b/src/libpttls/pt_tls.h @@ -0,0 +1,109 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pt_tls pt_tls + * + * @addtogroup pt_tls + * @{ + */ + +#ifndef PT_TLS_H_ +#define PT_TLS_H_ + +#include <bio/bio_reader.h> +#include <bio/bio_writer.h> +#include <tls_socket.h> + +/** + * PT-TLS version we support + */ +#define PT_TLS_VERSION 1 + +/** + * Length of a PT-TLS header + */ +#define PT_TLS_HEADER_LEN 16 + +typedef enum pt_tls_message_type_t pt_tls_message_type_t; +typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t; +typedef enum pt_tls_auth_t pt_tls_auth_t; + +/** + * Message types, as defined by NEA PT-TLS + */ +enum pt_tls_message_type_t { + PT_TLS_EXPERIMENTAL = 0, + PT_TLS_VERSION_REQUEST = 1, + PT_TLS_VERSION_RESPONSE = 2, + PT_TLS_SASL_MECHS = 3, + PT_TLS_SASL_MECH_SELECTION = 4, + PT_TLS_SASL_AUTH_DATA = 5, + PT_TLS_SASL_RESULT = 6, + PT_TLS_PB_TNC_BATCH = 7, + PT_TLS_ERROR = 8, +}; + +/** + * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT + */ +enum pt_tls_sasl_result_t { + PT_TLS_SASL_RESULT_SUCCESS = 0, + PT_TLS_SASL_RESULT_FAILURE = 1, + PT_TLS_SASL_RESULT_ABORT = 2, + PT_TLS_SASL_RESULT_MECH_FAILURE = 3, +}; + +/** + * Client authentication to require as PT-TLS server. + */ +enum pt_tls_auth_t { + /** don't require TLS client certificate or request SASL authentication */ + PT_TLS_AUTH_NONE, + /** require TLS certificate authentication, no SASL */ + PT_TLS_AUTH_TLS, + /** do SASL regardless of TLS certificate authentication */ + PT_TLS_AUTH_SASL, + /* if client does not authenticate with a TLS certificate, request SASL */ + PT_TLS_AUTH_TLS_OR_SASL, + /* require both, TLS certificate authentication and SASL */ + PT_TLS_AUTH_TLS_AND_SASL, +}; + +/** + * Read a PT-TLS message, create reader over Message Value. + * + * @param tls TLS socket to read from + * @param vendor receives Message Type Vendor ID from header + * @param type receives Message Type from header + * @param identifier receives Message Identifer + * @return reader over message value, NULL on error + */ +bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor, + u_int32_t *type, u_int32_t *identifier); + +/** + * Prepend a PT-TLS header to a writer, send data, destroy writer. + * + * @param tls TLS socket to write to + * @param writer prepared Message value to write + * @param type Message Type to write + * @param identifier Message Identifier to write + * @return TRUE if data written successfully + */ +bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer, + pt_tls_message_type_t type, u_int32_t identifier); + +#endif /** PT_TLS_H_ @}*/ diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c new file mode 100644 index 000000000..d3ac936a2 --- /dev/null +++ b/src/libpttls/pt_tls_client.c @@ -0,0 +1,497 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pt_tls_client.h" +#include "pt_tls.h" + +#include <sasl/sasl_mechanism.h> + +#include <tls_socket.h> +#include <utils/debug.h> + +#include <errno.h> +#include <stdio.h> +#include <unistd.h> + +typedef struct private_pt_tls_client_t private_pt_tls_client_t; + +/** + * Private data of an pt_tls_client_t object. + */ +struct private_pt_tls_client_t { + + /** + * Public pt_tls_client_t interface. + */ + pt_tls_client_t public; + + /** + * TLS secured socket used by PT-TLS + */ + tls_socket_t *tls; + + /** + * Server address/port + */ + host_t *address; + + /** + * Server identity + */ + identification_t *server; + + /** + * Client authentication identity + */ + identification_t *client; + + /** + * Current PT-TLS message identifier + */ + u_int32_t identifier; +}; + +/** + * Establish TLS secured TCP connection to TNC server + */ +static bool make_connection(private_pt_tls_client_t *this) +{ + int fd; + + fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0); + if (fd == -1) + { + DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno)); + return FALSE; + } + if (connect(fd, this->address->get_sockaddr(this->address), + *this->address->get_sockaddr_len(this->address)) == -1) + { + DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno)); + close(fd); + return FALSE; + } + + this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL); + if (!this->tls) + { + close(fd); + return FALSE; + } + return TRUE; +} + +/** + * Negotiate PT-TLS version + */ +static bool negotiate_version(private_pt_tls_client_t *this) +{ + bio_writer_t *writer; + bio_reader_t *reader; + u_int32_t type, vendor, identifier, reserved; + u_int8_t version; + + DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION); + + writer = bio_writer_create(4); + writer->write_uint8(writer, 0); + writer->write_uint8(writer, PT_TLS_VERSION); + writer->write_uint8(writer, PT_TLS_VERSION); + writer->write_uint8(writer, PT_TLS_VERSION); + if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST, + this->identifier++)) + { + return FALSE; + } + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FALSE; + } + if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE || + !reader->read_uint24(reader, &reserved) || + !reader->read_uint8(reader, &version) || + version != PT_TLS_VERSION) + { + DBG1(DBG_TNC, "PT-TLS version negotiation failed"); + reader->destroy(reader); + return FALSE; + } + reader->destroy(reader); + return TRUE; +} + +/** + * Run a SASL mechanism + */ +static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl) +{ + u_int32_t type, vendor, identifier; + u_int8_t result; + bio_reader_t *reader; + bio_writer_t *writer; + chunk_t data; + + writer = bio_writer_create(32); + writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl))); + switch (sasl->build(sasl, &data)) + { + case INVALID_STATE: + break; + case NEED_MORE: + writer->write_data(writer, data); + free(data.ptr); + break; + case SUCCESS: + /* shouldn't happen */ + free(data.ptr); + /* FALL */ + case FAILED: + default: + writer->destroy(writer); + return FAILED; + } + if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION, + this->identifier++)) + { + return FAILED; + } + while (TRUE) + { + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FAILED; + } + if (vendor != 0) + { + reader->destroy(reader); + return FAILED; + } + switch (type) + { + case PT_TLS_SASL_AUTH_DATA: + switch (sasl->process(sasl, reader->peek(reader))) + { + case NEED_MORE: + reader->destroy(reader); + break; + case SUCCESS: + /* should not happen, as it would come in a RESULT */ + case FAILED: + default: + reader->destroy(reader); + return FAILED; + } + break; + case PT_TLS_SASL_RESULT: + if (!reader->read_uint8(reader, &result)) + { + reader->destroy(reader); + return FAILED; + } + switch (result) + { + case PT_TLS_SASL_RESULT_ABORT: + DBG1(DBG_TNC, "received SASL abort result"); + reader->destroy(reader); + return FAILED; + case PT_TLS_SASL_RESULT_SUCCESS: + DBG1(DBG_TNC, "received SASL success result"); + switch (sasl->process(sasl, reader->peek(reader))) + { + case SUCCESS: + reader->destroy(reader); + return SUCCESS; + case NEED_MORE: + /* inacceptable, it won't get more. FALL */ + case FAILED: + default: + reader->destroy(reader); + return FAILED; + } + break; + case PT_TLS_SASL_RESULT_MECH_FAILURE: + case PT_TLS_SASL_RESULT_FAILURE: + DBG1(DBG_TNC, "received SASL failure result"); + /* non-fatal failure, try again */ + reader->destroy(reader); + return NEED_MORE; + } + /* fall-through */ + default: + reader->destroy(reader); + return FAILED; + } + + writer = bio_writer_create(32); + switch (sasl->build(sasl, &data)) + { + case INVALID_STATE: + break; + case SUCCESS: + /* shoudln't happen, continue until we get a result */ + case NEED_MORE: + writer->write_data(writer, data); + free(data.ptr); + break; + case FAILED: + default: + writer->destroy(writer); + return FAILED; + } + if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA, + this->identifier++)) + { + return FAILED; + } + } +} + +/** + * Read SASL mechanism list, select and run mechanism + */ +static status_t select_and_do_sasl(private_pt_tls_client_t *this) +{ + bio_reader_t *reader; + sasl_mechanism_t *sasl = NULL; + u_int32_t type, vendor, identifier; + u_int8_t len; + chunk_t chunk; + char buf[21]; + status_t status = NEED_MORE; + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FAILED; + } + if (vendor != 0 || type != PT_TLS_SASL_MECHS) + { + reader->destroy(reader); + return FAILED; + } + if (!reader->remaining(reader)) + { /* mechanism list empty, SASL completed */ + DBG1(DBG_TNC, "PT-TLS authentication complete"); + reader->destroy(reader); + return SUCCESS; + } + while (reader->remaining(reader)) + { + if (!reader->read_uint8(reader, &len) || + !reader->read_data(reader, len & 0x1F, &chunk)) + { + reader->destroy(reader); + return FAILED; + } + snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr); + sasl = sasl_mechanism_create(buf, this->client); + if (sasl) + { + break; + } + } + reader->destroy(reader); + + if (!sasl) + { + /* TODO: send PT-TLS error (5) */ + return FAILED; + } + while (status == NEED_MORE) + { + status = do_sasl(this, sasl); + } + sasl->destroy(sasl); + if (status == SUCCESS) + { /* continue until we receive empty SASL mechanism list */ + return NEED_MORE; + } + return FAILED; +} + +/** + * Authenticate session using SASL + */ +static bool authenticate(private_pt_tls_client_t *this) +{ + while (TRUE) + { + switch (select_and_do_sasl(this)) + { + case NEED_MORE: + continue; + case SUCCESS: + return TRUE; + case FAILED: + default: + return FALSE; + } + } +} + +/** + * Perform assessment + */ +static bool assess(private_pt_tls_client_t *this, tls_t *tnccs) +{ + while (TRUE) + { + bio_writer_t *writer; + bio_reader_t *reader; + u_int32_t vendor, type, identifier; + chunk_t data; + + writer = bio_writer_create(32); + while (TRUE) + { + char buf[2048]; + size_t buflen, msglen; + + buflen = sizeof(buf); + switch (tnccs->build(tnccs, buf, &buflen, &msglen)) + { + case SUCCESS: + writer->destroy(writer); + return tnccs->is_complete(tnccs); + case FAILED: + default: + writer->destroy(writer); + return FALSE; + case INVALID_STATE: + writer->destroy(writer); + break; + case NEED_MORE: + writer->write_data(writer, chunk_create(buf, buflen)); + continue; + case ALREADY_DONE: + writer->write_data(writer, chunk_create(buf, buflen)); + if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH, + this->identifier++)) + { + return FALSE; + } + writer = bio_writer_create(32); + continue; + } + break; + } + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FALSE; + } + if (vendor == 0) + { + if (type == PT_TLS_ERROR) + { + DBG1(DBG_TNC, "received PT-TLS error"); + reader->destroy(reader); + return FALSE; + } + if (type != PT_TLS_PB_TNC_BATCH) + { + DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type); + reader->destroy(reader); + return FALSE; + } + data = reader->peek(reader); + switch (tnccs->process(tnccs, data.ptr, data.len)) + { + case SUCCESS: + reader->destroy(reader); + return tnccs->is_complete(tnccs); + case FAILED: + default: + reader->destroy(reader); + return FALSE; + case NEED_MORE: + break; + } + } + else + { + DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message"); + } + reader->destroy(reader); + } +} + +METHOD(pt_tls_client_t, run_assessment, status_t, + private_pt_tls_client_t *this, tnccs_t *tnccs) +{ + if (!this->tls) + { + if (!make_connection(this)) + { + return FAILED; + } + } + if (!negotiate_version(this)) + { + return FAILED; + } + if (!authenticate(this)) + { + return FAILED; + } + if (!assess(this, (tls_t*)tnccs)) + { + return FAILED; + } + return SUCCESS; +} + + +METHOD(pt_tls_client_t, destroy, void, + private_pt_tls_client_t *this) +{ + if (this->tls) + { + int fd; + + fd = this->tls->get_fd(this->tls); + this->tls->destroy(this->tls); + close(fd); + } + this->address->destroy(this->address); + this->server->destroy(this->server); + this->client->destroy(this->client); + free(this); +} + +/** + * See header + */ +pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server, + identification_t *client) +{ + private_pt_tls_client_t *this; + + INIT(this, + .public = { + .run_assessment = _run_assessment, + .destroy = _destroy, + }, + .address = address, + .server = server, + .client = client, + ); + + return &this->public; +} diff --git a/src/libpttls/pt_tls_client.h b/src/libpttls/pt_tls_client.h new file mode 100644 index 000000000..1d418d181 --- /dev/null +++ b/src/libpttls/pt_tls_client.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pt_tls_client pt_tls_client + * @{ @ingroup pt_tls + */ + +#ifndef PT_TLS_CLIENT_H_ +#define PT_TLS_CLIENT_H_ + +#include <networking/host.h> +#include <utils/identification.h> + +#include <tnc/tnccs/tnccs.h> + +typedef struct pt_tls_client_t pt_tls_client_t; + +/** + * IF-T for TLS aka PT-TLS transport client. + */ +struct pt_tls_client_t { + + /** + * Perform an assessment. + * + * @param tnccs upper layer TNC client used for assessment + * @return status of assessment + */ + status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs); + + /** + * Destroy a pt_tls_client_t. + */ + void (*destroy)(pt_tls_client_t *this); +}; + +/** + * Create a pt_tls_client instance. + * + * The client identity is used for: + * - TLS authentication if an appropirate certificate is found + * - SASL authentication if requested from the server + * + * @param address address/port to run assessments against, gets owned + * @param server server identity to use for authentication, gets owned + * @param client client identity to use for authentication, gets owned + * @return PT-TLS context + */ +pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server, + identification_t *client); + +#endif /** PT_TLS_CLIENT_H_ @}*/ diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c new file mode 100644 index 000000000..469951616 --- /dev/null +++ b/src/libpttls/pt_tls_dispatcher.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pt_tls_dispatcher.h" +#include "pt_tls_server.h" + +#include <threading/thread.h> +#include <utils/debug.h> +#include <processing/jobs/callback_job.h> + +#include <errno.h> +#include <string.h> +#include <unistd.h> + +typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t; + +/** + * Private data of an pt_tls_dispatcher_t object. + */ +struct private_pt_tls_dispatcher_t { + + /** + * Public pt_tls_dispatcher_t interface. + */ + pt_tls_dispatcher_t public; + + /** + * Listening socket + */ + int fd; + + /** + * Client authentication requirements + */ + pt_tls_auth_t auth; + + /** + * Server identity + */ + identification_t *server; + + /** + * Peer identity + */ + identification_t *peer; + + /** + * TNCCS protocol handler constructor + */ + pt_tls_tnccs_constructor_t *create; +}; + +/** + * Open listening server socket + */ +static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host) +{ + this->fd = socket(AF_INET, SOCK_STREAM, 0); + if (this->fd == -1) + { + DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno)); + return FALSE; + } + if (bind(this->fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) == -1) + { + DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno)); + return FALSE; + } + if (listen(this->fd, 5) == -1) + { + DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Handle a single PT-TLS client connection + */ +static job_requeue_t handle(pt_tls_server_t *connection) +{ + while (TRUE) + { + switch (connection->handle(connection)) + { + case NEED_MORE: + continue; + case FAILED: + case SUCCESS: + default: + break; + } + break; + } + return JOB_REQUEUE_NONE; +} + +/** + * Clean up connection state + */ +static void cleanup(pt_tls_server_t *connection) +{ + int fd; + + fd = connection->get_fd(connection); + connection->destroy(connection); + close(fd); +} + +METHOD(pt_tls_dispatcher_t, dispatch, void, + private_pt_tls_dispatcher_t *this, + pt_tls_tnccs_constructor_t *create) +{ + while (TRUE) + { + pt_tls_server_t *connection; + tnccs_t *tnccs; + bool old; + int fd; + + old = thread_cancelability(TRUE); + fd = accept(this->fd, NULL, NULL); + thread_cancelability(old); + if (fd == -1) + { + DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno)); + continue; + } + + tnccs = create(this->server, this->peer); + if (!tnccs) + { + close(fd); + continue; + } + connection = pt_tls_server_create(this->server, fd, this->auth, tnccs); + if (!connection) + { + close(fd); + continue; + } + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)handle, + connection, (void*)cleanup, + (callback_job_cancel_t)return_false, + JOB_PRIO_CRITICAL)); + } +} + +METHOD(pt_tls_dispatcher_t, destroy, void, + private_pt_tls_dispatcher_t *this) +{ + if (this->fd != -1) + { + close(this->fd); + } + this->server->destroy(this->server); + this->peer->destroy(this->peer); + free(this); +} + +/** + * See header + */ +pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address, + identification_t *id, pt_tls_auth_t auth) +{ + private_pt_tls_dispatcher_t *this; + + INIT(this, + .public = { + .dispatch = _dispatch, + .destroy = _destroy, + }, + .server = id, + /* we currently don't authenticate the peer, use %any identity */ + .peer = identification_create_from_encoding(ID_ANY, chunk_empty), + .fd = -1, + .auth = auth, + ); + + if (!open_socket(this, address)) + { + address->destroy(address); + destroy(this); + return NULL; + } + address->destroy(address); + + return &this->public; +} diff --git a/src/libpttls/pt_tls_dispatcher.h b/src/libpttls/pt_tls_dispatcher.h new file mode 100644 index 000000000..080197263 --- /dev/null +++ b/src/libpttls/pt_tls_dispatcher.h @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pt_tls_dispatcher pt_tls_dispatcher + * @{ @ingroup pt_tls + */ + +#ifndef PT_TLS_DISPATCHER_H_ +#define PT_TLS_DISPATCHER_H_ + +#include <networking/host.h> +#include <utils/identification.h> + +#include <tnc/tnccs/tnccs.h> + +#include "pt_tls.h" + +typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t; + +/** + * Constructor callback to create TNCCS to use within PT-TLS. + * + * @param server server identity + * @param peer peer identity + */ +typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server, + identification_t *peer); + +/** + * PT-TLS dispatcher service, handles PT-TLS connections as a server. + */ +struct pt_tls_dispatcher_t { + + /** + * Dispatch and handle PT-TLS connections. + * + * This call is blocking and a thread cancellation point. The passed + * constructor gets called for each dispatched connection. + * + * @param create TNCCS constructor function to use + */ + void (*dispatch)(pt_tls_dispatcher_t *this, + pt_tls_tnccs_constructor_t *create); + + /** + * Destroy a pt_tls_dispatcher_t. + */ + void (*destroy)(pt_tls_dispatcher_t *this); +}; + +/** + * Create a pt_tls_dispatcher instance. + * + * @param address server address with port to listen on, gets owned + * @param id TLS server identity, gets owned + * @param auth client authentication to perform + * @return dispatcher service + */ +pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address, + identification_t *id, pt_tls_auth_t auth); + +#endif /** PT_TLS_DISPATCHER_H_ @}*/ diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c new file mode 100644 index 000000000..3e134f0dd --- /dev/null +++ b/src/libpttls/pt_tls_server.c @@ -0,0 +1,544 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pt_tls_server.h" + +#include <sasl/sasl_mechanism.h> + +#include <utils/debug.h> + +typedef struct private_pt_tls_server_t private_pt_tls_server_t; + +/** + * Private data of an pt_tls_server_t object. + */ +struct private_pt_tls_server_t { + + /** + * Public pt_tls_server_t interface. + */ + pt_tls_server_t public; + + /** + * TLS protected socket + */ + tls_socket_t *tls; + + /** + * Client authentication requirements + */ + pt_tls_auth_t auth; + + enum { + /* expecting version negotiation */ + PT_TLS_SERVER_VERSION, + /* expecting an SASL exchange */ + PT_TLS_SERVER_AUTH, + /* expecting TNCCS exchange */ + PT_TLS_SERVER_TNCCS, + /* terminating state */ + PT_TLS_SERVER_END, + } state; + + /** + * Message Identifier + */ + u_int32_t identifier; + + /** + * TNCCS protocol handler, implemented as tls_t + */ + tls_t *tnccs; +}; + +/** + * Negotiate PT-TLS version + */ +static bool negotiate_version(private_pt_tls_server_t *this) +{ + bio_reader_t *reader; + bio_writer_t *writer; + u_int32_t vendor, type, identifier; + u_int8_t reserved, vmin, vmax, vpref; + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FALSE; + } + if (vendor != 0 || type != PT_TLS_VERSION_REQUEST || + !reader->read_uint8(reader, &reserved) || + !reader->read_uint8(reader, &vmin) || + !reader->read_uint8(reader, &vmax) || + !reader->read_uint8(reader, &vpref)) + { + DBG1(DBG_TNC, "PT-TLS version negotiation failed"); + reader->destroy(reader); + return FALSE; + } + reader->destroy(reader); + + if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION) + { + /* TODO: send error */ + return FALSE; + } + + writer = bio_writer_create(4); + writer->write_uint24(writer, 0); + writer->write_uint8(writer, PT_TLS_VERSION); + + return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE, + this->identifier++); +} + +/** + * Process SASL data, send result + */ +static status_t process_sasl(private_pt_tls_server_t *this, + sasl_mechanism_t *sasl, chunk_t data) +{ + bio_writer_t *writer; + + switch (sasl->process(sasl, data)) + { + case NEED_MORE: + return NEED_MORE; + case SUCCESS: + DBG1(DBG_TNC, "SASL %s authentication successful", + sasl->get_name(sasl)); + writer = bio_writer_create(1); + writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS); + if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT, + this->identifier++)) + { + return SUCCESS; + } + return FAILED; + case FAILED: + default: + DBG1(DBG_TNC, "SASL %s authentication failed", + sasl->get_name(sasl)); + writer = bio_writer_create(1); + /* sending abort does not allow the client to retry */ + writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT); + pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT, + this->identifier++); + return FAILED; + } +} + +/** + * Read a SASL message and process it + */ +static status_t read_sasl(private_pt_tls_server_t *this, + sasl_mechanism_t *sasl) +{ + u_int32_t vendor, type, identifier; + bio_reader_t *reader; + status_t status; + chunk_t data; + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FAILED; + } + if (vendor != 0 || type != PT_TLS_SASL_AUTH_DATA || + !reader->read_data(reader, reader->remaining(reader), &data)) + { + reader->destroy(reader); + return FAILED; + } + status = process_sasl(this, sasl, data); + reader->destroy(reader); + return status; +} + +/** + * Build and write SASL message, or result message + */ +static status_t write_sasl(private_pt_tls_server_t *this, + sasl_mechanism_t *sasl) +{ + bio_writer_t *writer; + chunk_t chunk; + + switch (sasl->build(sasl, &chunk)) + { + case NEED_MORE: + writer = bio_writer_create(chunk.len); + writer->write_data(writer, chunk); + free(chunk.ptr); + if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA, + this->identifier++)) + { + return NEED_MORE; + } + return FAILED; + case SUCCESS: + DBG1(DBG_TNC, "SASL %s authentication successful", + sasl->get_name(sasl)); + writer = bio_writer_create(1 + chunk.len); + writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS); + writer->write_data(writer, chunk); + free(chunk.ptr); + if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT, + this->identifier++)) + { + return SUCCESS; + } + return FAILED; + case FAILED: + default: + DBG1(DBG_TNC, "SASL %s authentication failed", + sasl->get_name(sasl)); + writer = bio_writer_create(1); + /* sending abort does not allow the client to retry */ + writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT); + pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT, + this->identifier++); + return FAILED; + } +} + +/** + * Send the list of supported SASL mechanisms + */ +static bool send_sasl_mechs(private_pt_tls_server_t *this) +{ + enumerator_t *enumerator; + bio_writer_t *writer = NULL; + char *name; + + enumerator = sasl_mechanism_create_enumerator(TRUE); + while (enumerator->enumerate(enumerator, &name)) + { + if (!writer) + { + writer = bio_writer_create(32); + } + DBG1(DBG_TNC, "offering SASL %s", name); + writer->write_data8(writer, chunk_from_str(name)); + } + enumerator->destroy(enumerator); + + if (!writer) + { /* no mechanisms available? */ + return FALSE; + } + return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS, + this->identifier++); +} + +/** + * Read the selected SASL mechanism, and process piggybacked data + */ +static status_t read_sasl_mech_selection(private_pt_tls_server_t *this, + sasl_mechanism_t **out) +{ + u_int32_t vendor, type, identifier; + sasl_mechanism_t *sasl; + bio_reader_t *reader; + chunk_t chunk; + u_int8_t len; + char buf[21]; + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FAILED; + } + if (vendor != 0 || type != PT_TLS_SASL_MECH_SELECTION || + !reader->read_uint8(reader, &len) || + !reader->read_data(reader, len & 0x1F, &chunk)) + { + reader->destroy(reader); + return FAILED; + } + snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr); + + DBG1(DBG_TNC, "client starts SASL %s authentication", buf); + + sasl = sasl_mechanism_create(buf, NULL); + if (!sasl) + { + reader->destroy(reader); + return FAILED; + } + /* initial SASL data piggybacked? */ + if (reader->remaining(reader)) + { + switch (process_sasl(this, sasl, reader->peek(reader))) + { + case NEED_MORE: + break; + case SUCCESS: + reader->destroy(reader); + *out = sasl; + return SUCCESS; + case FAILED: + default: + reader->destroy(reader); + sasl->destroy(sasl); + return FAILED; + } + } + reader->destroy(reader); + *out = sasl; + return NEED_MORE; +} + +/** + * Do a single SASL exchange + */ +static bool do_sasl(private_pt_tls_server_t *this) +{ + sasl_mechanism_t *sasl; + status_t status; + + switch (this->auth) + { + case PT_TLS_AUTH_NONE: + return TRUE; + case PT_TLS_AUTH_TLS: + if (this->tls->get_peer_id(this->tls)) + { + return TRUE; + } + DBG1(DBG_TNC, "requiring TLS certificate client authentication"); + return FALSE; + case PT_TLS_AUTH_SASL: + break; + case PT_TLS_AUTH_TLS_OR_SASL: + if (this->tls->get_peer_id(this->tls)) + { + DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS " + "certificate"); + return TRUE; + } + break; + case PT_TLS_AUTH_TLS_AND_SASL: + default: + if (!this->tls->get_peer_id(this->tls)) + { + DBG1(DBG_TNC, "requiring TLS certificate client authentication"); + return FALSE; + } + break; + } + + if (!send_sasl_mechs(this)) + { + return FALSE; + } + status = read_sasl_mech_selection(this, &sasl); + if (status == FAILED) + { + return FALSE; + } + while (status == NEED_MORE) + { + status = write_sasl(this, sasl); + if (status == NEED_MORE) + { + status = read_sasl(this, sasl); + } + } + sasl->destroy(sasl); + return status == SUCCESS; +} + +/** + * Authenticated PT-TLS session with a single SASL method + */ +static bool authenticate(private_pt_tls_server_t *this) +{ + if (do_sasl(this)) + { + /* complete SASL with emtpy mechanism list */ + bio_writer_t *writer; + + writer = bio_writer_create(0); + return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS, + this->identifier++); + } + return FALSE; +} + +/** + * Perform assessment + */ +static bool assess(private_pt_tls_server_t *this, tls_t *tnccs) +{ + while (TRUE) + { + bio_writer_t *writer; + bio_reader_t *reader; + u_int32_t vendor, type, identifier; + chunk_t data; + + writer = bio_writer_create(32); + while (TRUE) + { + char buf[2048]; + size_t buflen, msglen; + + buflen = sizeof(buf); + switch (tnccs->build(tnccs, buf, &buflen, &msglen)) + { + case SUCCESS: + writer->destroy(writer); + return tnccs->is_complete(tnccs); + case FAILED: + default: + writer->destroy(writer); + return FALSE; + case INVALID_STATE: + writer->destroy(writer); + break; + case NEED_MORE: + writer->write_data(writer, chunk_create(buf, buflen)); + continue; + case ALREADY_DONE: + writer->write_data(writer, chunk_create(buf, buflen)); + if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH, + this->identifier++)) + { + return FALSE; + } + writer = bio_writer_create(32); + continue; + } + break; + } + + reader = pt_tls_read(this->tls, &vendor, &type, &identifier); + if (!reader) + { + return FALSE; + } + if (vendor == 0) + { + if (type == PT_TLS_ERROR) + { + DBG1(DBG_TNC, "received PT-TLS error"); + reader->destroy(reader); + return FALSE; + } + if (type != PT_TLS_PB_TNC_BATCH) + { + DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type); + reader->destroy(reader); + return FALSE; + } + data = reader->peek(reader); + switch (tnccs->process(tnccs, data.ptr, data.len)) + { + case SUCCESS: + reader->destroy(reader); + return tnccs->is_complete(tnccs); + case FAILED: + default: + reader->destroy(reader); + return FALSE; + case NEED_MORE: + break; + } + } + else + { + DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message"); + } + reader->destroy(reader); + } +} + +METHOD(pt_tls_server_t, handle, status_t, + private_pt_tls_server_t *this) +{ + switch (this->state) + { + case PT_TLS_SERVER_VERSION: + if (!negotiate_version(this)) + { + return FAILED; + } + DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION); + this->state = PT_TLS_SERVER_AUTH; + break; + case PT_TLS_SERVER_AUTH: + if (!authenticate(this)) + { + return FAILED; + } + this->state = PT_TLS_SERVER_TNCCS; + break; + case PT_TLS_SERVER_TNCCS: + if (!assess(this, (tls_t*)this->tnccs)) + { + return FAILED; + } + this->state = PT_TLS_SERVER_END; + return SUCCESS; + default: + return FAILED; + } + return NEED_MORE; +} + +METHOD(pt_tls_server_t, get_fd, int, + private_pt_tls_server_t *this) +{ + return this->tls->get_fd(this->tls); +} + +METHOD(pt_tls_server_t, destroy, void, + private_pt_tls_server_t *this) +{ + this->tnccs->destroy(this->tnccs); + this->tls->destroy(this->tls); + free(this); +} + +/** + * See header + */ +pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, + pt_tls_auth_t auth, tnccs_t *tnccs) +{ + private_pt_tls_server_t *this; + + INIT(this, + .public = { + .handle = _handle, + .get_fd = _get_fd, + .destroy = _destroy, + }, + .state = PT_TLS_SERVER_VERSION, + .tls = tls_socket_create(TRUE, server, NULL, fd, NULL), + .tnccs = (tls_t*)tnccs, + .auth = auth, + ); + + if (!this->tls) + { + this->tnccs->destroy(this->tnccs); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libpttls/pt_tls_server.h b/src/libpttls/pt_tls_server.h new file mode 100644 index 000000000..3e18aee8f --- /dev/null +++ b/src/libpttls/pt_tls_server.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pt_tls_server pt_tls_server + * @{ @ingroup pt_tls + */ + +#ifndef PT_TLS_SERVER_H_ +#define PT_TLS_SERVER_H_ + +#include <utils/identification.h> + +#include <tnc/tnccs/tnccs.h> + +#include "pt_tls.h" + +typedef struct pt_tls_server_t pt_tls_server_t; + +/** + * IF-T for TLS aka PT-TLS transport server. + */ +struct pt_tls_server_t { + + /** + * Handle assessment data read from socket. + * + * @return + * - NEED_MORE if more exchanges required, + * - SUCCESS if assessment complete + * - FAILED if assessment failed + */ + status_t (*handle)(pt_tls_server_t *this); + + /** + * Get the underlying client connection socket. + * + * @return socket fd, suitable to select() + */ + int (*get_fd)(pt_tls_server_t *this); + + /** + * Destroy a pt_tls_server_t. + */ + void (*destroy)(pt_tls_server_t *this); +}; + +/** + * Create a pt_tls_server connection instance. + * + * @param server TLS server identity + * @param fd client connection socket + * @param auth client authentication requirements + * @param tnccs inner TNCCS protocol handler to use for this connection + * @return PT-TLS server + */ +pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, + pt_tls_auth_t auth, tnccs_t *tnccs); + +#endif /** PT_TLS_SERVER_H_ @}*/ diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c new file mode 100644 index 000000000..05a02e56d --- /dev/null +++ b/src/libpttls/sasl/sasl_mechanism.c @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "sasl_mechanism.h" + +#include "sasl_plain/sasl_plain.h" + +/** + * Available SASL mechanisms. + */ +static struct { + char *name; + bool server; + sasl_mechanism_constructor_t create; +} mechs[] = { + { "PLAIN", TRUE, (sasl_mechanism_constructor_t)sasl_plain_create }, + { "PLAIN", FALSE, (sasl_mechanism_constructor_t)sasl_plain_create }, +}; + +/** + * See header. + */ +sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client) +{ + int i; + + for (i = 0; i < countof(mechs); i++) + { + if (streq(mechs[i].name, name) && mechs[i].server == (client == NULL)) + { + return mechs[i].create(name, client); + } + } + return NULL; +} + +/** + * SASL mechanism enumerator + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** looking for client or server? */ + bool server; + /** position in mechs[] */ + int i; +} mech_enumerator_t; + +METHOD(enumerator_t, mech_enumerate, bool, + mech_enumerator_t *this, char **name) +{ + while (this->i < countof(mechs)) + { + if (mechs[this->i].server == this->server) + { + *name = mechs[this->i].name; + this->i++; + return TRUE; + } + this->i++; + } + return FALSE; +} + +/** + * See header. + */ +enumerator_t* sasl_mechanism_create_enumerator(bool server) +{ + mech_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_mech_enumerate, + .destroy = (void*)free, + }, + .server = server, + ); + return &enumerator->public; +} diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h new file mode 100644 index 000000000..1a23a119e --- /dev/null +++ b/src/libpttls/sasl/sasl_mechanism.h @@ -0,0 +1,103 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sasl_mechanism sasl_mechanism + * @{ @ingroup sasl + */ + +#ifndef SASL_MECHANISM_H_ +#define SASL_MECHANISM_H_ + +typedef struct sasl_mechanism_t sasl_mechanism_t; + +#include <library.h> + +/** + * Constructor function for SASL mechansims. + * + * @param name name of the requested SASL mechanism + * @param client client identity, NULL to act as server + * @return SASL mechanism, NULL on failure + */ +typedef sasl_mechanism_t*(*sasl_mechanism_constructor_t)(char *name, + identification_t *client); + +/** + * Generic interface for SASL mechanisms. + */ +struct sasl_mechanism_t { + + /** + * Get the name of this SASL mechanism. + * + * @return name of SASL mechanism + */ + char* (*get_name)(sasl_mechanism_t *this); + + /** + * Build a SASL message to send to remote host. + * + * A message is returned if the return value is NEED_MORE or SUCCESS. A + * client MUST NOT return SUCCESS in build(), as the final message + * is always from server to client (even if it is an empty result message). + * + * @param message receives allocated SASL message, to free + * @return + * - FAILED if mechanism failed + * - NEED_MORE if additional exchanges required + * - INVALID_STATE if currently nothing to build + * - SUCCESS if mechanism authenticated successfully + */ + status_t (*build)(sasl_mechanism_t *this, chunk_t *message); + + /** + * Process a SASL message received from remote host. + * + * If a server returns SUCCESS during process(), an empty result message + * is sent to complete the SASL exchange. + * + * @param message received SASL message to process + * @return + * - FAILED if mechanism failed + * - NEED_MORE if additional exchanges required + * - SUCCESS if mechanism authenticated successfully + */ + status_t (*process)(sasl_mechanism_t *this, chunk_t message); + + /** + * Destroy a sasl_mechanism_t. + */ + void (*destroy)(sasl_mechanism_t *this); +}; + +/** + * Create a sasl_mechanism instance. + * + * @param name name of SASL mechanism to create + * @param client client identity, NULL to act as server + * @return SASL mechanism instance, NULL if not found + */ +sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client); + +/** + * Create an enumerator over supported SASL mechanism names. + * + * @param server TRUE for server instance, FALSE for client + * @return enumerator over char* + */ +enumerator_t* sasl_mechanism_create_enumerator(bool server); + +#endif /** SASL_MECHANISM_H_ @}*/ diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c new file mode 100644 index 000000000..e8d6dc80b --- /dev/null +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c @@ -0,0 +1,171 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "sasl_plain.h" + +#include <utils/debug.h> + +typedef struct private_sasl_plain_t private_sasl_plain_t; + +/** + * Private data of an sasl_plain_t object. + */ +struct private_sasl_plain_t { + + /** + * Public sasl_plain_t interface. + */ + sasl_plain_t public; + + /** + * Client identity + */ + identification_t *client; +}; + +METHOD(sasl_mechanism_t, get_name, char*, + private_sasl_plain_t *this) +{ + return "PLAIN"; +} + +METHOD(sasl_mechanism_t, build_server, status_t, + private_sasl_plain_t *this, chunk_t *message) +{ + /* gets never called */ + return FAILED; +} + +METHOD(sasl_mechanism_t, process_server, status_t, + private_sasl_plain_t *this, chunk_t message) +{ + chunk_t authz, authi, password; + identification_t *id; + shared_key_t *shared; + u_char *pos; + + pos = memchr(message.ptr, 0, message.len); + if (!pos) + { + DBG1(DBG_CFG, "invalid authz encoding"); + return FAILED; + } + authz = chunk_create(message.ptr, pos - message.ptr); + message = chunk_skip(message, authz.len + 1); + pos = memchr(message.ptr, 0, message.len); + if (!pos) + { + DBG1(DBG_CFG, "invalid authi encoding"); + return FAILED; + } + authi = chunk_create(message.ptr, pos - message.ptr); + password = chunk_skip(message, authi.len + 1); + id = identification_create_from_data(authi); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); + if (!shared) + { + DBG1(DBG_CFG, "no shared secret found for '%Y'", id); + id->destroy(id); + return FAILED; + } + if (!chunk_equals(shared->get_key(shared), password)) + { + DBG1(DBG_CFG, "shared secret for '%Y' does not match", id); + id->destroy(id); + shared->destroy(shared); + return FAILED; + } + id->destroy(id); + shared->destroy(shared); + return SUCCESS; +} + +METHOD(sasl_mechanism_t, build_client, status_t, + private_sasl_plain_t *this, chunk_t *message) +{ + shared_key_t *shared; + chunk_t password; + char buf[256]; + ssize_t len; + + /* we currently use the EAP type of shared secret */ + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, + this->client, NULL); + if (!shared) + { + DBG1(DBG_CFG, "no shared secret found for %Y", this->client); + return FAILED; + } + + password = shared->get_key(shared); + len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s", + "", 0, this->client, 0, + (int)password.len, password.ptr); + if (len < 0 || len >= sizeof(buf)) + { + return FAILED; + } + *message = chunk_clone(chunk_create(buf, len)); + return NEED_MORE; +} + +METHOD(sasl_mechanism_t, process_client, status_t, + private_sasl_plain_t *this, chunk_t message) +{ + /* if the server sends a result, authentication successful */ + return SUCCESS; +} + +METHOD(sasl_mechanism_t, destroy, void, + private_sasl_plain_t *this) +{ + DESTROY_IF(this->client); + free(this); +} + +/** + * See header + */ +sasl_plain_t *sasl_plain_create(char *name, identification_t *client) +{ + private_sasl_plain_t *this; + + if (!streq(get_name(NULL), name)) + { + return NULL; + } + + INIT(this, + .public = { + .sasl = { + .get_name = _get_name, + .destroy = _destroy, + }, + }, + ); + + if (client) + { + this->public.sasl.build = _build_client; + this->public.sasl.process = _process_client; + this->client = client->clone(client); + } + else + { + this->public.sasl.build = _build_server; + this->public.sasl.process = _process_server; + } + return &this->public; +} diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h new file mode 100644 index 000000000..08b7fc76f --- /dev/null +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sasl_plain sasl_plain + * @{ @ingroup sasl + */ + +#ifndef SASL_PLAIN_H_ +#define SASL_PLAIN_H_ + +#include <sasl/sasl_mechanism.h> + +typedef struct sasl_plain_t sasl_plain_t; + +/** + * SASL Mechanism implementing PLAIN. + */ +struct sasl_plain_t { + + /** + * Implements sasl_mechanism_t + */ + sasl_mechanism_t sasl; +}; + +/** + * Create a sasl_plain instance. + * + * @param name name of mechanism, must be "PLAIN" + * @param client client identity, NULL to act as server + * @return mechanism implementing PLAIN, NULL on error + */ +sasl_plain_t *sasl_plain_create(char *name, identification_t *client); + +#endif /** SASL_PLAIN_H_ @}*/ |