/* * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include "xauth.h" #include #include #include #include typedef struct private_xauth_t private_xauth_t; /** * Status types exchanged */ typedef enum { XAUTH_FAILED = 0, XAUTH_OK = 1, } xauth_status_t; /** * Private members of a xauth_t task. */ struct private_xauth_t { /** * Public methods and task_t interface. */ xauth_t public; /** * Assigned IKE_SA. */ ike_sa_t *ike_sa; /** * Are we the XAUTH initiator? */ bool initiator; /** * XAuth backend to use */ xauth_method_t *xauth; /** * XAuth username */ identification_t *user; /** * Generated configuration payload */ cp_payload_t *cp; /** * received identifier */ u_int16_t identifier; /** * status of Xauth exchange */ xauth_status_t status; }; /** * Load XAuth backend */ static xauth_method_t *load_method(private_xauth_t* this) { identification_t *server, *peer; enumerator_t *enumerator; xauth_method_t *xauth; xauth_role_t role; peer_cfg_t *peer_cfg; auth_cfg_t *auth; char *name; if (this->initiator) { server = this->ike_sa->get_my_id(this->ike_sa); peer = this->ike_sa->get_other_id(this->ike_sa); role = XAUTH_SERVER; } else { peer = this->ike_sa->get_my_id(this->ike_sa); server = this->ike_sa->get_other_id(this->ike_sa); role = XAUTH_PEER; } peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, !this->initiator); if (!enumerator->enumerate(enumerator, &auth) || (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_XAUTH) { if (!enumerator->enumerate(enumerator, &auth) || (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_XAUTH) { DBG1(DBG_CFG, "no XAuth authentication round found"); enumerator->destroy(enumerator); return NULL; } } name = auth->get(auth, AUTH_RULE_XAUTH_BACKEND); this->user = auth->get(auth, AUTH_RULE_XAUTH_IDENTITY); enumerator->destroy(enumerator); if (!this->initiator && this->user) { /* use XAUTH username, if configured */ peer = this->user; } xauth = charon->xauth->create_instance(charon->xauth, name, role, server, peer); if (!xauth) { if (name) { DBG1(DBG_CFG, "no XAuth method found named '%s'", name); } else { DBG1(DBG_CFG, "no XAuth method found"); } } return xauth; } /** * Check if XAuth connection is allowed to succeed */ static bool allowed(private_xauth_t *this) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, this->ike_sa, FALSE)) { DBG1(DBG_IKE, "cancelling XAuth due to uniqueness policy"); return FALSE; } if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling"); return FALSE; } if (!charon->bus->authorize(charon->bus, TRUE)) { DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling"); return FALSE; } return TRUE; } /** * Set IKE_SA to established state */ static bool establish(private_xauth_t *this) { DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); return TRUE; } /** * Check if we are compliant to a given peer config */ static bool is_compliant(private_xauth_t *this, peer_cfg_t *peer_cfg, bool log) { bool complies = TRUE; enumerator_t *e1, *e2; auth_cfg_t *c1, *c2; e1 = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE); e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE); while (e1->enumerate(e1, &c1)) { if (!e2->enumerate(e2, &c2) || !c2->complies(c2, c1, log)) { complies = FALSE; break; } } e1->destroy(e1); e2->destroy(e2); return complies; } /** * Check if we are compliant to current config, switch to another if not */ static bool select_compliant_config(private_xauth_t *this) { peer_cfg_t *peer_cfg = NULL, *old, *current; identification_t *my_id, *other_id; host_t *my_host, *other_host; enumerator_t *enumerator; bool aggressive; old = this->ike_sa->get_peer_cfg(this->ike_sa); if (is_compliant(this, old, TRUE)) { /* current config is fine */ return TRUE; } DBG1(DBG_CFG, "selected peer config '%s' inacceptable", old->get_name(old)); aggressive = old->use_aggressive(old); my_host = this->ike_sa->get_my_host(this->ike_sa); other_host = this->ike_sa->get_other_host(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, my_host, other_host, my_id, other_id, IKEV1); while (enumerator->enumerate(enumerator, ¤t)) { if (!current->equals(current, old) && current->use_aggressive(current) == aggressive && is_compliant(this, current, FALSE)) { peer_cfg = current; break; } } if (peer_cfg) { DBG1(DBG_CFG, "switching to peer config '%s'", peer_cfg->get_name(peer_cfg)); this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg); } else { DBG1(DBG_CFG, "no alternative config found"); } enumerator->destroy(enumerator); return peer_cfg != NULL; } /** * Create auth config after successful authentication */ static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local) { auth_cfg_t *auth; auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH); auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); return select_compliant_config(this); } METHOD(task_t, build_i_status, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET); cp->add_attribute(cp, configuration_attribute_create_value(XAUTH_STATUS, this->status)); message->add_payload(message, (payload_t *)cp); return NEED_MORE; } METHOD(task_t, process_i_status, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp || cp->get_type(cp) != CFG_ACK) { DBG1(DBG_IKE, "received invalid XAUTH status response"); return FAILED; } if (this->status != XAUTH_OK) { DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication"); return FAILED; } if (!establish(this)) { return FAILED; } this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE); lib->processor->queue_job(lib->processor, (job_t*) adopt_children_job_create(this->ike_sa->get_id(this->ike_sa))); return SUCCESS; } METHOD(task_t, build_i, status_t, private_xauth_t *this, message_t *message) { if (!this->xauth) { cp_payload_t *cp = NULL; this->xauth = load_method(this); if (!this->xauth) { return FAILED; } switch (this->xauth->initiate(this->xauth, &cp)) { case NEED_MORE: break; case SUCCESS: DESTROY_IF(cp); this->status = XAUTH_OK; this->public.task.process = _process_i_status; return build_i_status(this, message); default: return FAILED; } message->add_payload(message, (payload_t *)cp); return NEED_MORE; } if (this->cp) { /* send previously generated payload */ message->add_payload(message, (payload_t *)this->cp); this->cp = NULL; return NEED_MORE; } return FAILED; } METHOD(task_t, build_r_ack, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK); cp->set_identifier(cp, this->identifier); cp->add_attribute(cp, configuration_attribute_create_chunk( CONFIGURATION_ATTRIBUTE_V1, XAUTH_STATUS, chunk_empty)); message->add_payload(message, (payload_t *)cp); if (this->status == XAUTH_OK && allowed(this) && establish(this)) { return SUCCESS; } return FAILED; } METHOD(task_t, process_r, status_t, private_xauth_t *this, message_t *message) { cp_payload_t *cp; if (!this->xauth) { this->xauth = load_method(this); if (!this->xauth) { /* send empty reply */ return NEED_MORE; } } cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp) { DBG1(DBG_IKE, "configuration payload missing in XAuth request"); return FAILED; } if (cp->get_type(cp) == CFG_REQUEST) { switch (this->xauth->process(this->xauth, cp, &this->cp)) { case NEED_MORE: return NEED_MORE; case SUCCESS: case FAILED: default: break; } this->cp = NULL; return NEED_MORE; } if (cp->get_type(cp) == CFG_SET) { configuration_attribute_t *attribute; enumerator_t *enumerator; enumerator = cp->create_attribute_enumerator(cp); while (enumerator->enumerate(enumerator, &attribute)) { if (attribute->get_type(attribute) == XAUTH_STATUS) { this->status = attribute->get_value(attribute); } } enumerator->destroy(enumerator); if (this->status == XAUTH_OK && add_auth_cfg(this, this->xauth->get_identity(this->xauth), TRUE)) { DBG1(DBG_IKE, "XAuth authentication of '%Y' (myself) successful", this->xauth->get_identity(this->xauth)); } else { DBG1(DBG_IKE, "XAuth authentication of '%Y' (myself) failed", this->xauth->get_identity(this->xauth)); } } this->identifier = cp->get_identifier(cp); this->public.task.build = _build_r_ack; return NEED_MORE; } METHOD(task_t, build_r, status_t, private_xauth_t *this, message_t *message) { if (!this->cp) { /* send empty reply if building data failed */ this->cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY); } message->add_payload(message, (payload_t *)this->cp); this->cp = NULL; return NEED_MORE; } METHOD(task_t, process_i, status_t, private_xauth_t *this, message_t *message) { identification_t *id; cp_payload_t *cp; cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1); if (!cp) { DBG1(DBG_IKE, "configuration payload missing in XAuth response"); return FAILED; } switch (this->xauth->process(this->xauth, cp, &this->cp)) { case NEED_MORE: return NEED_MORE; case SUCCESS: id = this->xauth->get_identity(this->xauth); if (this->user && !id->matches(id, this->user)) { DBG1(DBG_IKE, "XAuth username '%Y' does not match to " "configured username '%Y'", id, this->user); break; } DBG1(DBG_IKE, "XAuth authentication of '%Y' successful", id); if (add_auth_cfg(this, id, FALSE) && allowed(this)) { this->status = XAUTH_OK; } break; case FAILED: DBG1(DBG_IKE, "XAuth authentication of '%Y' failed", this->xauth->get_identity(this->xauth)); break; default: return FAILED; } this->public.task.build = _build_i_status; this->public.task.process = _process_i_status; return NEED_MORE; } METHOD(task_t, get_type, task_type_t, private_xauth_t *this) { return TASK_XAUTH; } METHOD(task_t, migrate, void, private_xauth_t *this, ike_sa_t *ike_sa) { DESTROY_IF(this->xauth); DESTROY_IF(this->cp); this->ike_sa = ike_sa; this->xauth = NULL; this->cp = NULL; this->user = NULL; this->status = XAUTH_FAILED; if (this->initiator) { this->public.task.build = _build_i; this->public.task.process = _process_i; } else { this->public.task.build = _build_r; this->public.task.process = _process_r; } } METHOD(task_t, destroy, void, private_xauth_t *this) { DESTROY_IF(this->xauth); DESTROY_IF(this->cp); free(this); } /* * Described in header. */ xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator) { private_xauth_t *this; INIT(this, .public = { .task = { .get_type = _get_type, .migrate = _migrate, .destroy = _destroy, }, }, .initiator = initiator, .ike_sa = ike_sa, .status = XAUTH_FAILED, ); if (initiator) { this->public.task.build = _build_i; this->public.task.process = _process_i; } else { this->public.task.build = _build_r; this->public.task.process = _process_r; } return &this->public; }