Diffstat (limited to 'src/libpttls')
-rw-r--r-- | src/libpttls/Makefile.am | 9 | ||||
-rw-r--r-- | src/libpttls/Makefile.in | 294 | ||||
-rw-r--r-- | src/libpttls/pt_tls.c | 81 | ||||
-rw-r--r-- | src/libpttls/pt_tls.h | 25 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 83 | ||||
-rw-r--r-- | src/libpttls/pt_tls_dispatcher.c | 4 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 238 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_mechanism.h | 7 | ||||
-rw-r--r-- | src/libpttls/sasl/sasl_plain/sasl_plain.c | 24 |
9 files changed, 472 insertions, 293 deletions
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
index 225d0e48f..f2bcf44d5 100644
--- a/src/libpttls/Makefile.am
+++ b/src/libpttls/Makefile.am
@@ -4,8 +4,15 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
+AM_LDFLAGS = \
+	-no-undefined
+
 ipseclib_LTLIBRARIES = libpttls.la
-libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+
+libpttls_la_LIBADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libtls/libtls.la
+
 libpttls_la_SOURCES = pt_tls.c pt_tls.h \
 	pt_tls_client.c pt_tls_client.h \
 	pt_tls_server.c pt_tls_server.h \
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 21acb7889..c9d6c3935 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.6 from Makefile.am. +# Makefile.in generated by automake 1.13.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software -# Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,23 +15,51 @@ @SET_MAKE@ VPATH = @srcdir@ -am__make_dryrun = \ - { \ - am__dry=no; \ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ - echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ - | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ - *) \ - for am__flg in $$MAKEFLAGS; do \ - case $$am__flg in \ - *=*|--*) ;; \ - *n*) am__dry=yes; break;; \ - esac; \ - done;; \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ - test $$am__dry = yes; \ - } + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
@@ -52,13 +79,15 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libpttls -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ $(top_srcdir)/m4/config/ltsugar.m4 \ $(top_srcdir)/m4/config/ltversion.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ @@ -98,13 +127,30 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(ipseclibdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) -libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la +libpttls_la_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtls/libtls.la +am__dirstamp = $(am__leading_dot)dirstamp am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \ - pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo + pt_tls_dispatcher.lo sasl/sasl_plain/sasl_plain.lo \ + sasl/sasl_mechanism.lo libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent +am__v_lt_1 = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles 
@@ -117,20 +163,16 @@ LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = SOURCES = $(libpttls_la_SOURCES) DIST_SOURCES = $(libpttls_la_SOURCES) am__can_run_installinfo = \ @@ -138,6 +180,23 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) 
@@ -214,6 +273,10 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ @@ -330,6 +393,7 @@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ @@ -343,8 +407,14 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtnccs +AM_LDFLAGS = \ + -no-undefined + ipseclib_LTLIBRARIES = libpttls.la -libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libpttls_la_LIBADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtls/libtls.la + libpttls_la_SOURCES = pt_tls.c pt_tls.h \ pt_tls_client.c pt_tls_client.h \ pt_tls_server.c pt_tls_server.h \ @@ -386,6 +456,7 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \ 
@@ -412,17 +483,40 @@ uninstall-ipseclibLTLIBRARIES: clean-ipseclibLTLIBRARIES: -test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES) - @list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done + @list='$(ipseclib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } +sasl/sasl_plain/$(am__dirstamp): + @$(MKDIR_P) sasl/sasl_plain + @: > sasl/sasl_plain/$(am__dirstamp) +sasl/sasl_plain/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) sasl/sasl_plain/$(DEPDIR) + @: > sasl/sasl_plain/$(DEPDIR)/$(am__dirstamp) +sasl/sasl_plain/sasl_plain.lo: sasl/sasl_plain/$(am__dirstamp) \ + sasl/sasl_plain/$(DEPDIR)/$(am__dirstamp) +sasl/$(am__dirstamp): + @$(MKDIR_P) sasl + @: > sasl/$(am__dirstamp) +sasl/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) sasl/$(DEPDIR) + @: > sasl/$(DEPDIR)/$(am__dirstamp) +sasl/sasl_mechanism.lo: sasl/$(am__dirstamp) \ + sasl/$(DEPDIR)/$(am__dirstamp) + libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) $(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) + -rm -f sasl/*.$(OBJEXT) + -rm -f sasl/*.lo + -rm -f sasl/sasl_plain/*.$(OBJEXT) + -rm -f sasl/sasl_plain/*.lo distclean-compile: -rm -f *.tab.c 
@@ -431,70 +525,50 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@sasl/$(DEPDIR)/sasl_mechanism.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@sasl/sasl_plain/$(DEPDIR)/sasl_plain.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< -sasl_plain.lo: sasl/sasl_plain/sasl_plain.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c - -sasl_mechanism.lo: sasl/sasl_mechanism.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c - mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs + -rm -rf sasl/.libs sasl/_libs + -rm -rf sasl/sasl_plain/.libs sasl/sasl_plain/_libs -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + 
$(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ @@ -506,15 +580,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $$unique; \ fi; \ fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique @@ -523,6 +593,21 @@ GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -590,6 +675,10 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f sasl/$(DEPDIR)/$(am__dirstamp) + -rm -f sasl/$(am__dirstamp) + -rm -f sasl/sasl_plain/$(DEPDIR)/$(am__dirstamp) + -rm -f sasl/sasl_plain/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" 
@@ -600,7 +689,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -rf ./$(DEPDIR) sasl/$(DEPDIR) sasl/sasl_plain/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -646,7 +735,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -rf ./$(DEPDIR) sasl/$(DEPDIR) sasl/sasl_plain/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic 
@@ -667,19 +756,20 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am \ - install-ipseclibLTLIBRARIES install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-ipseclibLTLIBRARIES install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-ipseclibLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c index 0fee343b8..3c1f874d7 100644 --- a/src/libpttls/pt_tls.c +++ b/src/libpttls/pt_tls.c 
@@ -16,6 +16,14 @@
 #include "pt_tls.h"
 
 #include <utils/debug.h>
+#include <pen/pen.h>
+/**
+ * Described in header.
+ */
+void libpttls_init(void)
+{
+	/* empty */
+}
 
 /*
  * PT-TNC Message format:
@@ -34,6 +42,26 @@
  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 
+ENUM(pt_tls_message_type_names, PT_TLS_EXPERIMENTAL, PT_TLS_ERROR,
+	"Experimental",
+	"Version Request",
+	"Version Response",
+	"SASL Mechanisms",
+	"SASL Mechanism Selection",
+	"SASL Authentication Data",
+	"SASL Result",
+	"PB-TNC Batch",
+	"PT-TLS Error"
+);
+
+ENUM(pt_tls_sasl_result_names, PT_TLS_SASL_RESULT_SUCCESS,
+	PT_TLS_SASL_RESULT_MECH_FAILURE,
+	"Success",
+	"Failure",
+	"Abort",
+	"Mechanism Failure"
+);
+
 /**
  * Read a chunk of data from TLS, returning a reader for it
  */
@@ -87,34 +115,51 @@ bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
 		DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
 		return NULL;
 	}
+
+	if (*vendor == PEN_IETF)
+	{
+		DBG2(DBG_TNC, "received PT-TLS message #%d of type '%N' (%d bytes)",
+					   *identifier, pt_tls_message_type_names, *type, len);
+	}
+	else
+	{
+		DBG2(DBG_TNC, "received PT-TLS message #%d of unknown type "
+					  "0x%06x/0x%08x (%d bytes)",
+					   *identifier, *vendor, *type, len);
+	}
+
 	return read_tls(tls, len - PT_TLS_HEADER_LEN);
 }
 
 /**
  * Prepend a PT-TLS header to a writer, send data, destroy writer
  */
-bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
-				  pt_tls_message_type_t type, u_int32_t identifier)
+bool pt_tls_write(tls_socket_t *tls, pt_tls_message_type_t type,
+				  u_int32_t identifier, chunk_t data)
 {
-	bio_writer_t *header;
+	bio_writer_t *writer;
+	chunk_t out;
 	ssize_t len;
-	chunk_t data;
 
-	data = writer->get_buf(writer);
 	len = PT_TLS_HEADER_LEN + data.len;
-	header = bio_writer_create(len);
-	header->write_uint8(header, 0);
-	header->write_uint24(header, 0);
-	header->write_uint32(header, type);
-	header->write_uint32(header, len);
-	header->write_uint32(header, identifier);
-
-	header->write_data(header, data);
-	writer->destroy(writer);
+	writer = bio_writer_create(len);
 
-	data = header->get_buf(header);
-	len = tls->write(tls, data.ptr, data.len);
-	header->destroy(header);
+	/* write PT-TLS header */
+	writer->write_uint8 (writer, 0);
+	writer->write_uint24(writer, 0);
+	writer->write_uint32(writer, type);
+	writer->write_uint32(writer, len);
+	writer->write_uint32(writer, identifier);
+
+	/* write PT-TLS body */
+	writer->write_data(writer, data);
+
+	DBG2(DBG_TNC, "sending PT-TLS message #%d of type '%N' (%d bytes)",
+				   identifier, pt_tls_message_type_names, type, len);
+
+	out = writer->get_buf(writer);
+	len = tls->write(tls, out.ptr, out.len);
+	writer->destroy(writer);
 
-	return len == data.len;
+	return len == out.len;
 }
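Review bot: The header length `len` that pt_tls_read takes from the peer is still only checked against the minimum ("received short PT-TLS header") before the new DBG2 lines, and `read_tls(tls, len - PT_TLS_HEADER_LEN)` is then asked for whatever the remote side declared. This commit introduces PT_TLS_MAX_MESSAGE_LEN in pt_tls.h but, as far as these hunks show, uses it only to size the client's send buffer; if read_tls (outside the hunk) allocates the requested length, a bound such as `if (len - PT_TLS_HEADER_LEN > PT_TLS_MAX_MESSAGE_LEN) { DBG1(DBG_TNC, "PT-TLS message too large (%d bytes)", len); return NULL; }` placed before the read would keep a single oversized header from driving the allocation. pt_tls_read's header parsing starts before this hunk, so the existing minimum check is the natural place for it.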
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
index 92a040f3f..275dc89e9 100644
--- a/src/libpttls/pt_tls.h
+++ b/src/libpttls/pt_tls.h
@@ -37,6 +37,16 @@
  */
 #define PT_TLS_HEADER_LEN 16
 
+/**
+ * Maximum size of a PT-TLS message
+ */
+#define PT_TLS_MAX_MESSAGE_LEN 8 * TLS_MAX_FRAGMENT_LEN - PT_TLS_HEADER_LEN
+
+/**
+ * Default PT-TLS port
+ */
+#define PT_TLS_PORT 271
+
 typedef enum pt_tls_message_type_t pt_tls_message_type_t;
 typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
 typedef enum pt_tls_auth_t pt_tls_auth_t;
@@ -56,6 +66,8 @@ enum pt_tls_message_type_t {
 	PT_TLS_ERROR = 8,
 };
 
+extern enum_name_t *pt_tls_message_type_names;
+
 /**
  * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
  */
@@ -66,6 +78,8 @@ enum pt_tls_sasl_result_t {
 	PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
 };
 
+extern enum_name_t *pt_tls_sasl_result_names;
+
 /**
  * Client authentication to require as PT-TLS server.
  */
@@ -98,12 +112,17 @@ bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
  * Prepend a PT-TLS header to a writer, send data, destroy writer.
  *
  * @param tls			TLS socket to write to
- * @param writer		prepared Message value to write
  * @param type			Message Type to write
  * @param identifier	Message Identifier to write
+ * @param data			Message value to write
  * @return				TRUE if data written successfully
  */
-bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
-				  pt_tls_message_type_t type, u_int32_t identifier);
+bool pt_tls_write(tls_socket_t *tls, pt_tls_message_type_t type,
+				  u_int32_t identifier, chunk_t data);
+
+/**
+ * Dummy libpttls initialization function needed for integrity test
+ */
+void libpttls_init(void);
 
 #endif /** PT_TLS_H_ @}*/
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index d3ac936a2..01a84cd14 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
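Review bot: `PT_TLS_MAX_MESSAGE_LEN` expands to the unparenthesized expression `8 * TLS_MAX_FRAGMENT_LEN - PT_TLS_HEADER_LEN`, so any use inside a larger expression (a multiplication, a division, a cast applied to the whole) silently regroups. The one user in this commit, the `size_t buflen = PT_TLS_MAX_MESSAGE_LEN;` initializer in pt_tls_client.c, happens to be safe, but the header should protect future callers: `#define PT_TLS_MAX_MESSAGE_LEN (8 * TLS_MAX_FRAGMENT_LEN - PT_TLS_HEADER_LEN)`. The comment above it could also say that this is the maximum message *value* size, i.e. excluding the 16-byte header, since the name reads as the size of the whole message.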
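Review bot: The description above the changed pt_tls_write prototype still says `Prepend a PT-TLS header to a writer, send data, destroy writer.`, but the function now takes `chunk_t data` and every caller in this commit destroys its own writer after the call (the added `writer->destroy(writer);` lines in pt_tls_client.c and pt_tls_server.c). Suggest `Prepend a PT-TLS header to a message value and send it over TLS; the caller keeps ownership of data.`, so that nobody reintroduces the old hand-over. The identical stale sentence sits as unchanged context above the definition in pt_tls.c and should be updated together with this one.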
@@ -102,6 +102,7 @@ static bool negotiate_version(private_pt_tls_client_t *this)
 	bio_reader_t *reader;
 	u_int32_t type, vendor, identifier, reserved;
 	u_int8_t version;
+	bool res;
 
 	DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
 
@@ -110,8 +111,10 @@ static bool negotiate_version(private_pt_tls_client_t *this)
 	writer->write_uint8(writer, PT_TLS_VERSION);
 	writer->write_uint8(writer, PT_TLS_VERSION);
 	writer->write_uint8(writer, PT_TLS_VERSION);
-	if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
-					  this->identifier++))
+	res = pt_tls_write(this->tls, PT_TLS_VERSION_REQUEST, this->identifier++,
+					   writer->get_buf(writer));
+	writer->destroy(writer);
+	if (!res)
 	{
 		return FALSE;
 	}
@@ -144,6 +147,7 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 	bio_reader_t *reader;
 	bio_writer_t *writer;
 	chunk_t data;
+	bool res;
 
 	writer = bio_writer_create(32);
 	writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl)));
@@ -164,8 +168,10 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 		writer->destroy(writer);
 		return FAILED;
 	}
-	if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION,
-					  this->identifier++))
+	res = pt_tls_write(this->tls, PT_TLS_SASL_MECH_SELECTION,
+					   this->identifier++, writer->get_buf(writer));
+	writer->destroy(writer);
+	if (!res)
 	{
 		return FAILED;
 	}
@@ -203,14 +209,15 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 		reader->destroy(reader);
 		return FAILED;
 	}
+	DBG1(DBG_TNC, "received SASL %N result",
+		 pt_tls_sasl_result_names, result);
+
 	switch (result)
 	{
 		case PT_TLS_SASL_RESULT_ABORT:
-			DBG1(DBG_TNC, "received SASL abort result");
 			reader->destroy(reader);
 			return FAILED;
 		case PT_TLS_SASL_RESULT_SUCCESS:
-			DBG1(DBG_TNC, "received SASL success result");
 			switch (sasl->process(sasl, reader->peek(reader)))
 			{
 				case SUCCESS:
@@ -226,7 +233,6 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 			break;
 		case PT_TLS_SASL_RESULT_MECH_FAILURE:
 		case PT_TLS_SASL_RESULT_FAILURE:
-			DBG1(DBG_TNC, "received SASL failure result");
 			/* non-fatal failure, try again */
 			reader->destroy(reader);
 			return NEED_MORE;
@@ -253,8 +259,10 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 		writer->destroy(writer);
 		return FAILED;
 	}
-	if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
-					  this->identifier++))
+	res = pt_tls_write(this->tls, PT_TLS_SASL_AUTH_DATA,
+					   this->identifier++, writer->get_buf(writer));
+	writer->destroy(writer);
+	if (!res)
 	{
 		return FAILED;
 	}
@@ -351,44 +359,30 @@ static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
 {
 	while (TRUE)
 	{
-		bio_writer_t *writer;
+		size_t msglen;
+		size_t buflen = PT_TLS_MAX_MESSAGE_LEN;
+		char buf[buflen];
 		bio_reader_t *reader;
 		u_int32_t vendor, type, identifier;
 		chunk_t data;
 
-		writer = bio_writer_create(32);
-		while (TRUE)
+		switch (tnccs->build(tnccs, buf, &buflen, &msglen))
 		{
-			char buf[2048];
-			size_t buflen, msglen;
-
-			buflen = sizeof(buf);
-			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
-			{
-				case SUCCESS:
-					writer->destroy(writer);
-					return tnccs->is_complete(tnccs);
-				case FAILED:
-				default:
-					writer->destroy(writer);
+			case SUCCESS:
+				return tnccs->is_complete(tnccs);
+			case ALREADY_DONE:
+				data = chunk_create(buf, buflen);
+				if (!pt_tls_write(this->tls, PT_TLS_PB_TNC_BATCH,
+								  this->identifier++, data))
+				{
 					return FALSE;
-				case INVALID_STATE:
-					writer->destroy(writer);
-					break;
-				case NEED_MORE:
-					writer->write_data(writer, chunk_create(buf, buflen));
-					continue;
-				case ALREADY_DONE:
-					writer->write_data(writer, chunk_create(buf, buflen));
-					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
-									  this->identifier++))
-					{
-						return FALSE;
-					}
-					writer = bio_writer_create(32);
-					continue;
-			}
-			break;
+				}
+				break;
+			case INVALID_STATE:
+				break;
+			case FAILED:
+			default:
+				return FALSE;
 		}
 
 		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
@@ -437,19 +431,26 @@ METHOD(pt_tls_client_t, run_assessment, status_t,
 {
 	if (!this->tls)
 	{
+		DBG1(DBG_TNC, "entering PT-TLS setup phase");
 		if (!make_connection(this))
 		{
 			return FAILED;
 		}
 	}
+
+	DBG1(DBG_TNC, "entering PT-TLS negotiation phase");
 	if (!negotiate_version(this))
 	{
 		return FAILED;
 	}
+
+	DBG1(DBG_TNC, "doing SASL client authentication");
 	if (!authenticate(this))
 	{
 		return FAILED;
 	}
+
+	DBG1(DBG_TNC, "entering PT-TLS data transport phase");
 	if (!assess(this, (tls_t*)tnccs))
 	{
 		return FAILED;
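Review bot: `char buf[buflen]` in assess declares a variable-length array of PT_TLS_MAX_MESSAGE_LEN bytes on every pass of the `while (TRUE)` loop; the size is a compile-time constant, so the VLA gains nothing over a fixed array, and with TLS_MAX_FRAGMENT_LEN presumably in the tens of kilobytes it places a large block on the stack of whichever thread runs the assessment (the previous code used 2048 bytes). A single heap buffer allocated before the loop would bound the stack use; `buflen` must then be re-assigned before each build() call, since build() writes the used length back through it. The loop body continues past the hunk with further returns, and each of those would need the matching free.
```c
static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
{
	/* one heap buffer for the whole assessment instead of a
	 * PT_TLS_MAX_MESSAGE_LEN-byte VLA on the stack per loop pass */
	char *buf = malloc(PT_TLS_MAX_MESSAGE_LEN);

	while (TRUE)
	{
		size_t msglen;
		size_t buflen = PT_TLS_MAX_MESSAGE_LEN;	/* reset: build() writes it back */
		bio_reader_t *reader;
		u_int32_t vendor, type, identifier;
		chunk_t data;

		switch (tnccs->build(tnccs, buf, &buflen, &msglen))
		{
			case SUCCESS:
				free(buf);
				return tnccs->is_complete(tnccs);
			case ALREADY_DONE:
				data = chunk_create(buf, buflen);
				if (!pt_tls_write(this->tls, PT_TLS_PB_TNC_BATCH,
								  this->identifier++, data))
				{
					free(buf);
					return FALSE;
				}
				break;
			case INVALID_STATE:
				break;
			case FAILED:
			default:
				free(buf);
				return FALSE;
		}
		/* … unchanged: pt_tls_read() and reply handling (outside this hunk);
		 * every return in that part needs the same free(buf) … */
```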
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
index 469951616..5c306371c 100644
--- a/src/libpttls/pt_tls_dispatcher.c
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -185,7 +185,7 @@ pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
 			.dispatch = _dispatch,
 			.destroy = _destroy,
 		},
-		.server = id,
+		.server = id->clone(id),
 		/* we currently don't authenticate the peer, use %any identity */
 		.peer = identification_create_from_encoding(ID_ANY, chunk_empty),
 		.fd = -1,
@@ -194,11 +194,9 @@ pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
 
 	if (!open_socket(this, address))
 	{
-		address->destroy(address);
 		destroy(this);
 		return NULL;
 	}
-	address->destroy(address);
 
 	return &this->public;
 }
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 3e134f0dd..9af00e7c2 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -61,6 +61,7 @@ struct private_pt_tls_server_t {
 	 * TNCCS protocol handler, implemented as tls_t
 	 */
 	tls_t *tnccs;
+
 };
 
 /**
@@ -72,6 +73,7 @@ static bool negotiate_version(private_pt_tls_server_t *this)
 	bio_writer_t *writer;
 	u_int32_t vendor, type, identifier;
 	u_int8_t reserved, vmin, vmax, vpref;
+	bool res;
 
 	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
 	if (!reader)
@@ -99,9 +101,10 @@ static bool negotiate_version(private_pt_tls_server_t *this)
 	writer = bio_writer_create(4);
 	writer->write_uint24(writer, 0);
 	writer->write_uint8(writer, PT_TLS_VERSION);
-
-	return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
-						this->identifier++);
+	res = pt_tls_write(this->tls, PT_TLS_VERSION_RESPONSE,
+					   this->identifier++, writer->get_buf(writer));
+	writer->destroy(writer);
+	return res;
 }
 
 /**
@@ -111,6 +114,9 @@ static status_t process_sasl(private_pt_tls_server_t *this,
 								sasl_mechanism_t *sasl, chunk_t data)
 {
 	bio_writer_t *writer;
+	identification_t *client;
+	tnccs_t *tnccs;
+	bool res;
 
 	switch (sasl->process(sasl, data))
 	{
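Review bot: With both `address->destroy(address)` calls removed, pt_tls_dispatcher_create no longer adopts `address`, and with `.server = id->clone(id)` in the preceding hunk it no longer adopts `id` either; neither hunk updates the constructor's header comment, so the new contract should be written down there, e.g. `@param address  address to listen on; not adopted, the caller keeps ownership` and the same wording for `id`. Worth confirming that `_destroy` (outside the hunk) now destroys the cloned `server` identity, and that the `destroy(this)` taken after a failed open_socket reaches it as well, otherwise the clone leaks on that path.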
@@ -119,14 +125,23 @@ static status_t process_sasl(private_pt_tls_server_t *this,
 		case SUCCESS:
 			DBG1(DBG_TNC, "SASL %s authentication successful",
 				 sasl->get_name(sasl));
-			writer = bio_writer_create(1);
-			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
-			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
-							 this->identifier++))
+			client = sasl->get_client(sasl);
+			if (client)
 			{
-				return SUCCESS;
+				DBG1(DBG_TNC, "SASL client identity is '%Y'", client);
+				this->tnccs->set_peer_id(this->tnccs, client);
+				if (streq(sasl->get_name(sasl), "PLAIN"))
+				{
+					tnccs = (tnccs_t*)this->tnccs;
+					tnccs->set_auth_type(tnccs, TNC_AUTH_PASSWORD);
+				}
 			}
-			return FAILED;
+			writer = bio_writer_create(1);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			res = pt_tls_write(this->tls, PT_TLS_SASL_RESULT,
+							   this->identifier++, writer->get_buf(writer));
+			writer->destroy(writer);
+			return res ? SUCCESS : FAILED;
 		case FAILED:
 		default:
 			DBG1(DBG_TNC, "SASL %s authentication failed",
@@ -134,8 +149,8 @@ static status_t process_sasl(private_pt_tls_server_t *this,
 			writer = bio_writer_create(1);
 			/* sending abort does not allow the client to retry */
 			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
-			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
-						 this->identifier++);
+			pt_tls_write(this->tls, PT_TLS_SASL_RESULT,
+						 this->identifier++, writer->get_buf(writer));
 			return FAILED;
 	}
 }
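Review bot: In the FAILED/default branch of process_sasl (second hunk), `writer` is created and its buffer passed to the new pt_tls_write, but nothing destroys it afterwards — the old pt_tls_write consumed the writer, the new signature does not, so every failed SASL exchange now leaks a bio_writer_t. The equivalent branch in write_sasl was converted to `chunk = chunk_from_chars(PT_TLS_SASL_RESULT_ABORT);`; doing the same here, `pt_tls_write(this->tls, PT_TLS_SASL_RESULT, this->identifier++, chunk_from_chars(PT_TLS_SASL_RESULT_ABORT));`, drops the writer and the leak and keeps the two functions consistent. Separately, the SUCCESS branch derives the TNC auth type from the mechanism name via `streq(sasl->get_name(sasl), "PLAIN")`; having the mechanism report its auth type would hold up better than a string match once further SASL mechanisms exist.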
@@ -175,19 +190,15 @@ static status_t write_sasl(private_pt_tls_server_t *this,
 {
 bio_writer_t *writer;
 chunk_t chunk;
+ bool res;
 switch (sasl->build(sasl, &chunk))
 {
 case NEED_MORE:
- writer = bio_writer_create(chunk.len);
- writer->write_data(writer, chunk);
+ res = pt_tls_write(this->tls, PT_TLS_SASL_AUTH_DATA,
+ this->identifier++, chunk);
 free(chunk.ptr);
- if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
- this->identifier++))
- {
- return NEED_MORE;
- }
- return FAILED;
+ return res ? NEED_MORE : FAILED;
 case SUCCESS:
 DBG1(DBG_TNC, "SASL %s authentication successful",
 sasl->get_name(sasl));
@@ -195,21 +206,18 @@ static status_t write_sasl(private_pt_tls_server_t *this,
 writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
 writer->write_data(writer, chunk);
 free(chunk.ptr);
- if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
- this->identifier++))
- {
- return SUCCESS;
- }
- return FAILED;
+ res = pt_tls_write(this->tls, PT_TLS_SASL_RESULT,
+ this->identifier++, writer->get_buf(writer));
+ writer->destroy(writer);
+ return res ? SUCCESS : FAILED;
 case FAILED:
 default:
 DBG1(DBG_TNC, "SASL %s authentication failed",
 sasl->get_name(sasl));
- writer = bio_writer_create(1);
 /* sending abort does not allow the client to retry */
- writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
- pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
- this->identifier++);
+ chunk = chunk_from_chars(PT_TLS_SASL_RESULT_ABORT);
+ pt_tls_write(this->tls, PT_TLS_SASL_RESULT,
+ this->identifier++, chunk);
 return FAILED;
 }
 }
@@ -222,6 +230,7 @@ static bool send_sasl_mechs(private_pt_tls_server_t *this)
 enumerator_t *enumerator;
 bio_writer_t *writer = NULL;
 char *name;
+ bool res;
 enumerator = sasl_mechanism_create_enumerator(TRUE);
 while (enumerator->enumerate(enumerator, &name))
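Review bot: The NEED_MORE arm now passes the chunk returned by `sasl->build` straight to pt_tls_write and then frees it, which relies on pt_tls_write not retaining the buffer and on every mechanism returning heap memory (sasl_plain does, via chunk_clone); neither is stated anywhere visible. A short comment would pin that down, e.g. `/* chunk is heap-allocated by the mechanism; pt_tls_write copies it, so free here */`. In the FAILED/default arm the result of pt_tls_write is discarded while the other arms check it; since that is deliberate, the existing comment could say so: `/* sending abort does not allow the client to retry; its delivery is not checked */`. write_sasl's signature is outside the hunk.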
@@ -239,8 +248,10 @@ static bool send_sasl_mechs(private_pt_tls_server_t *this)
 {
 /* no mechanisms available? */
 return FALSE;
 }
- return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
- this->identifier++);
+ res = pt_tls_write(this->tls, PT_TLS_SASL_MECHS,
+ this->identifier++, writer->get_buf(writer));
+ writer->destroy(writer);
+ return res;
 }
 /**
@@ -307,34 +318,45 @@ static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
 static bool do_sasl(private_pt_tls_server_t *this)
 {
 sasl_mechanism_t *sasl;
+ identification_t *client_id;
+ tnccs_t *tnccs;
 status_t status;
+ client_id = this->tls->get_peer_id(this->tls);
+ tnccs = (tnccs_t*)this->tnccs;
+
 switch (this->auth)
 {
 case PT_TLS_AUTH_NONE:
 return TRUE;
 case PT_TLS_AUTH_TLS:
- if (this->tls->get_peer_id(this->tls))
+ if (client_id)
 {
+ this->tnccs->set_peer_id(this->tnccs, client_id);
+ tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT);
 return TRUE;
 }
- DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ DBG1(DBG_TNC, "requiring TLS certificate-based "
+ "client authentication");
 return FALSE;
 case PT_TLS_AUTH_SASL:
 break;
 case PT_TLS_AUTH_TLS_OR_SASL:
- if (this->tls->get_peer_id(this->tls))
+ if (client_id)
 {
- DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
- "certificate");
+ this->tnccs->set_peer_id(this->tnccs, client_id);
+ tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT);
+ DBG1(DBG_TNC, "skipping SASL, client already authenticated by "
+ "TLS certificate");
 return TRUE;
 }
 break;
 case PT_TLS_AUTH_TLS_AND_SASL:
 default:
- if (!this->tls->get_peer_id(this->tls))
+ if (!client_id)
 {
- DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+ DBG1(DBG_TNC, "requiring TLS certificate-based "
+ "client authentication");
 return FALSE;
 }
 break;
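Review bot: In the PT_TLS_AUTH_TLS_AND_SASL arm of do_sasl the certificate identity that was just checked (`client_id`) is never handed to the TNCCS handler, and process_sasl later records the SASL identity with TNC_AUTH_PASSWORD, so the X.509 identity and auth type are lost in exactly the mode that requires both factors. If that precedence is intended it deserves a comment; otherwise apply the same `set_peer_id`/`set_auth_type(tnccs, TNC_AUTH_X509_CERT)` pair there as well. That pair is now duplicated verbatim in the TLS and TLS_OR_SASL arms, so a small static helper (e.g. `set_cert_peer(this, client_id)`) would keep the arms consistent. `client_id` is owned by the TLS object, so this also assumes set_peer_id clones what it is given — please confirm. do_sasl's body continues past the hunk.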
@@ -369,11 +391,8 @@ static bool authenticate(private_pt_tls_server_t *this)
 if (do_sasl(this))
 {
 /* complete SASL with emtpy mechanism list */
- bio_writer_t *writer;
-
- writer = bio_writer_create(0);
- return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
- this->identifier++);
+ return pt_tls_write(this->tls, PT_TLS_SASL_MECHS, this->identifier++,
+ chunk_empty);
 }
 return FALSE;
 }
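Review bot: The comment kept above the rewritten call, `/* complete SASL with emtpy mechanism list */`, has a typo and is the only explanation of why an empty PT_TLS_SASL_MECHS is sent; since the writer is gone, `/* an empty mechanism list signals to the client that SASL is complete */` would read better, assuming that is the protocol meaning the author intended. authenticate's body begins outside the hunk.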
@@ -381,89 +400,66 @@ static bool authenticate(private_pt_tls_server_t *this)
 /**
 * Perform assessment
 */
-static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+static status_t assess(private_pt_tls_server_t *this, tls_t *tnccs)
 {
- while (TRUE)
- {
- bio_writer_t *writer;
- bio_reader_t *reader;
- u_int32_t vendor, type, identifier;
- chunk_t data;
+ size_t msglen;
+ size_t buflen = PT_TLS_MAX_MESSAGE_LEN;
+ char buf[buflen];
+ bio_reader_t *reader;
+ u_int32_t vendor, type, identifier;
+ chunk_t data;
+ status_t status;
- writer = bio_writer_create(32);
- while (TRUE)
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FAILED;
+ }
+ if (vendor == 0)
+ {
+ if (type == PT_TLS_ERROR)
 {
- char buf[2048];
- size_t buflen, msglen;
-
- buflen = sizeof(buf);
- switch (tnccs->build(tnccs, buf, &buflen, &msglen))
- {
- case SUCCESS:
- writer->destroy(writer);
- return tnccs->is_complete(tnccs);
- case FAILED:
- default:
- writer->destroy(writer);
- return FALSE;
- case INVALID_STATE:
- writer->destroy(writer);
- break;
- case NEED_MORE:
- writer->write_data(writer, chunk_create(buf, buflen));
- continue;
- case ALREADY_DONE:
- writer->write_data(writer, chunk_create(buf, buflen));
- if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
- this->identifier++))
- {
- return FALSE;
- }
- writer = bio_writer_create(32);
- continue;
- }
- break;
+ DBG1(DBG_TNC, "received PT-TLS error");
+ reader->destroy(reader);
+ return FAILED;
 }
-
- reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
- if (!reader)
+ if (type != PT_TLS_PB_TNC_BATCH)
 {
- return FALSE;
+ DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ reader->destroy(reader);
+ return FAILED;
 }
- if (vendor == 0)
+ data = reader->peek(reader);
+ switch (tnccs->process(tnccs, data.ptr, data.len))
 {
- if (type == PT_TLS_ERROR)
- {
- DBG1(DBG_TNC, "received PT-TLS error");
+ case SUCCESS:
 reader->destroy(reader);
- return FALSE;
- }
- if (type != 
PT_TLS_PB_TNC_BATCH)
- {
- DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ return tnccs->is_complete(tnccs) ? SUCCESS : FAILED;
+ case FAILED:
+ default:
 reader->destroy(reader);
 return FALSE;
- }
- data = reader->peek(reader);
- switch (tnccs->process(tnccs, data.ptr, data.len))
- {
- case SUCCESS:
- reader->destroy(reader);
- return tnccs->is_complete(tnccs);
- case FAILED:
- default:
- reader->destroy(reader);
- return FALSE;
- case NEED_MORE:
- break;
- }
+ case NEED_MORE:
+ break;
 }
- else
+ }
+ else
+ {
+ DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ }
+ reader->destroy(reader);
+
+ status = tnccs->build(tnccs, buf, &buflen, &msglen);
+ if (status == ALREADY_DONE)
+ {
+ data = chunk_create(buf, buflen);
+ if (!pt_tls_write(this->tls, PT_TLS_PB_TNC_BATCH,
+ this->identifier++, data))
 {
- DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ return FAILED;
 }
- reader->destroy(reader);
 }
+ return status;
 }
 METHOD(pt_tls_server_t, handle, status_t,
@@ -472,27 +468,35 @@ METHOD(pt_tls_server_t, handle, status_t,
 switch (this->state)
 {
 case PT_TLS_SERVER_VERSION:
+ DBG1(DBG_TNC, "entering PT-TLS negotiation phase");
 if (!negotiate_version(this))
 {
 return FAILED;
 }
 DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
 this->state = PT_TLS_SERVER_AUTH;
- break;
+ /* fall through to next state */
 case PT_TLS_SERVER_AUTH:
+ DBG1(DBG_TNC, "doing SASL client authentication");
 if (!authenticate(this))
 {
 return FAILED;
 }
 this->state = PT_TLS_SERVER_TNCCS;
+ DBG1(DBG_TNC, "entering PT-TLS data transport phase");
 break;
 case PT_TLS_SERVER_TNCCS:
- if (!assess(this, (tls_t*)this->tnccs))
+ switch (assess(this, (tls_t*)this->tnccs))
 {
- return FAILED;
+ case SUCCESS:
+ this->state = PT_TLS_SERVER_END;
+ return SUCCESS;
+ case FAILED:
+ return FAILED;
+ default:
+ break;
 }
- this->state = PT_TLS_SERVER_END;
- return SUCCESS;
+ break;
 default:
 return FAILED;
 }
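Review bot: The FAILED/default arm of the `tnccs->process` switch in assess still ends in `return FALSE;` (a context line the rewrite reused) although the function now returns status_t; in libstrongswan SUCCESS is the zero enumerator, so a failed process() is reported as SUCCESS, handle() then sets PT_TLS_SERVER_END and returns SUCCESS, and a failed assessment is indistinguishable from a completed one. It should read `return FAILED;`. Two further points: `char buf[buflen]` is a variable-length array sized by PT_TLS_MAX_MESSAGE_LEN, so if that constant is large every handle() call puts a very large frame on the stack — a heap buffer, or at least the fixed-size `char buf[PT_TLS_MAX_MESSAGE_LEN]`, would be safer; and the build path now returns `status` directly, so a SUCCESS from `tnccs->build` is passed up without the `is_complete` check the removed code applied — confirm that is intended.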
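Review bot: `DBG1(DBG_TNC, "doing SASL client authentication")` in the PT_TLS_SERVER_AUTH arm of handle is logged unconditionally, but do_sasl returns immediately for PT_TLS_AUTH_NONE and for certificate-authenticated clients, so the message is misleading for those modes; `"entering PT-TLS client authentication phase"` would match the two neighbouring phase messages added in the same hunk. Keep the `/* fall through to next state */` comment where it is — the fall-through from PT_TLS_SERVER_VERSION is the new control flow and compiler fall-through warnings depend on it. handle's body begins and ends outside the hunk.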
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
index fb1d08097..e8c47c408 100644
--- a/src/libpttls/sasl/sasl_mechanism.h
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -51,6 +51,13 @@ struct sasl_mechanism_t {
 char* (*get_name)(sasl_mechanism_t *this);
 /**
+ * Get the client identity
+ *
+ * @return client identity
+ */
+ identification_t* (*get_client)(sasl_mechanism_t *this);
+
+ /**
 * Build a SASL message to send to remote host.
 *
 * A message is returned if the return value is NEED_MORE or SUCCESS. A
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
index e8d6dc80b..019c1b011 100644
--- a/src/libpttls/sasl/sasl_plain/sasl_plain.c
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -35,6 +35,12 @@ struct private_sasl_plain_t {
 identification_t *client;
 };
+METHOD(sasl_mechanism_t, get_client, identification_t*,
+ private_sasl_plain_t *this)
+{
+ return this->client;
+}
+
 METHOD(sasl_mechanism_t, get_name, char*,
 private_sasl_plain_t *this)
 {
@@ -52,7 +58,6 @@ METHOD(sasl_mechanism_t, process_server, status_t,
 private_sasl_plain_t *this, chunk_t message)
 {
 chunk_t authz, authi, password;
- identification_t *id;
 shared_key_t *shared;
 u_char *pos;
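Review bot: The new `get_client` contract in sasl_mechanism.h does not say who owns the returned identity or when it may be NULL; sasl_plain's implementation returns its `this->client` field directly, and on the server side that field is only populated by process_server, so before an exchange it is NULL. Suggest replacing the bare `@return client identity` with `@return client identity, NULL if not (yet) known; owned by the mechanism, do not destroy`, plus a sentence stating that the identity is only meaningful once process()/build() has returned SUCCESS, since callers in this commit use it to bind the TNCCS peer identity.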
@@ -72,22 +77,21 @@ METHOD(sasl_mechanism_t, process_server, status_t,
 }
 authi = chunk_create(message.ptr, pos - message.ptr);
 password = chunk_skip(message, authi.len + 1);
- id = identification_create_from_data(authi);
- shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+ DESTROY_IF(this->client);
+ this->client = identification_create_from_data(authi);
+ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client,
+ NULL);
 if (!shared)
 {
- DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
- id->destroy(id);
+ DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
 return FAILED;
 }
 if (!chunk_equals(shared->get_key(shared), password))
 {
- DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
- id->destroy(id);
+ DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client);
 shared->destroy(shared);
 return FAILED;
 }
- id->destroy(id);
 shared->destroy(shared);
 return SUCCESS;
 }
@@ -113,11 +117,14 @@ METHOD(sasl_mechanism_t, build_client, status_t,
 len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
 "", 0, this->client, 0, (int)password.len, password.ptr);
+ shared->destroy(shared);
+
 if (len < 0 || len >= sizeof(buf))
 {
 return FAILED;
 }
 *message = chunk_clone(chunk_create(buf, len));
+
 return NEED_MORE;
 }
@@ -151,6 +158,7 @@ sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
 .public = {
 .sasl = {
 .get_name = _get_name,
+ .get_client = _get_client,
 .destroy = _destroy,
 },
 },
|
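Review bot: `this->client` is now assigned before the credential lookup and left in place on both failure returns, so after a failed PLAIN exchange `get_client` hands back an identity that was never verified; the only caller in this commit asks for it after SUCCESS, but that makes the getter's contract fragile for any future caller. Clear it on the failure paths, e.g. `DESTROY_IF(this->client); this->client = NULL;` before each `return FAILED;`, or keep the identity in a local and only store it once the secret matched. Separately, the retained `chunk_equals` on the shared secret is a plain byte comparison; a constant-time comparison is preferable for password material if one is available in libstrongswan. process_server's body begins outside the hunk.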
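Review bot: In build_client `buf` holds the cleartext password after the snprintf and is left in dead stack memory once the message has been cloned; wiping it before `return NEED_MORE;` and on the length-check failure with `memwipe(buf, sizeof(buf));` would limit how long the secret lingers. The declaration of `buf` is outside the hunk, so I assume it is a fixed-size local (the `sizeof(buf)` in the length check suggests so). The `shared->destroy(shared)` moved ahead of the length check closes the leak on the early return, which is good. build_client's body begins outside the hunk.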