ARG_ENABL_SET([xauth-eap], [enable XAuth backend using EAP methods to verify passwords.])
ARG_ENABL_SET([xauth-pam], [enable XAuth backend using PAM to verify passwords.])
ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
+ARG_ENABL_SET([tnc-pt-tls], [enable PT-TLS protocol support.])
ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module. Requires libxml])
ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.])
ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
ADD_PLUGIN([xauth-eap], [c charon])
ADD_PLUGIN([xauth-pam], [c charon])
ADD_PLUGIN([xauth-noauth], [c charon])
+ADD_PLUGIN([tnc-pt-tls], [c charon])
ADD_PLUGIN([tnc-ifmap], [c charon])
ADD_PLUGIN([tnc-pdp], [c charon])
ADD_PLUGIN([tnc-imc], [t charon])
AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
+AM_CONDITIONAL(USE_TNC_PT_TLS, test x$tnc_pt_tls = xtrue)
AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
AM_CONDITIONAL(USE_TNC_TNCCS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue -o x$tnc_pt_tls = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
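Review bot: Enabling `--enable-tnc-pt-tls` on its own leaves `USE_LIBTNCCS` (three lines up, keyed only on `tnc_tnccs`) false, yet the new plugin's Makefile links `libtnccs.la` and its headers pull in `<tnc/tnccs/tnccs.h>`, so that configuration will not build unless something outside this diff forces `tnc_tnccs` on. Extend the conditional the same way `USE_LIBPTTLS` is extended here, `AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue -o x$tnc_pt_tls = xtrue)`, or make the tnc-pt-tls option imply tnc-tnccs in configure.ac. `USE_LIBTNCIF` should be checked for the same gap, since the plugin adds libtncif to its include path.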
src/libcharon/plugins/xauth_noauth/Makefile
src/libcharon/plugins/tnc_ifmap/Makefile
src/libcharon/plugins/tnc_pdp/Makefile
+ src/libcharon/plugins/tnc_pt_tls/Makefile
src/libcharon/plugins/socket_default/Makefile
src/libcharon/plugins/socket_dynamic/Makefile
src/libcharon/plugins/farp/Makefile
endif
endif
+if USE_TNC_PT_TLS
+ SUBDIRS += plugins/tnc_pt_tls
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/tnc_pt_tls/libstrongswan-tnc-pt-tls.la
+endif
+endif
+
if USE_LIBTNCCS
if MONOLITHIC
# otherwise this library is linked to the respective plugins
#include <tncifimv.h>
#include <tncif_names.h>
-#include <pt_tls_client.h>
+#include <pt_tls_manager.h>
+#include <pt_tls_connection.h>
/**
* Maximum size of an EAP-TNC message
METHOD(eap_method_t, destroy, void,
private_eap_tnc_t *this)
{
- pt_tls_client_t *pt_tls_client;
+ pt_tls_manager_t *manager;
+ pt_tls_connection_t *connection;
identification_t *server, *client;
char *pdp_server;
u_int16_t pdp_port;
host_t *host;
tls_t *tls;
- tls = &this->tnccs->tls;
pdp_server = this->tnccs->get_pdp_server(this->tnccs, &pdp_port);
- if (pdp_server)
+ manager = lib->get(lib, "pt-tls-manager");
+ if (manager && pdp_server)
{
host = host_create_from_dns(pdp_server, AF_UNSPEC, pdp_port);
- server = identification_create_from_string(pdp_server);
- client = tls->get_peer_id(tls);
if (host)
{
- DBG2(DBG_TNC, "TODO: setup PT-TLS connection to '%s' at %#H",
- pdp_server, host);
- pt_tls_client = pt_tls_client_create(host, server,
- client->clone(client));
- pt_tls_client->destroy(pt_tls_client);
+ server = identification_create_from_string(pdp_server);
+ this->tnccs = this->tnccs->get_ref(this->tnccs);
+ tls = &this->tnccs->tls;
+ client = tls->get_peer_id(tls);
+ client = client->clone(client);
+ connection = manager->create_connection(manager, this->tnccs, host,
+ server, client);
+ manager->add_connection(manager, connection);
+ }
+ else
+ {
+ DBG1(DBG_TNC, "could not resolve hostname '%s'", pdp_server);
}
}
- tls->destroy(tls);
this->tls_eap->destroy(this->tls_eap);
free(this);
}
PLUGIN_PROVIDE(EAP_PEER, EAP_TNC),
PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+ PLUGIN_SDEPEND(CUSTOM, "pt-tls-manager"),
};
*features = f;
return countof(f);
--- /dev/null
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
+ -I$(top_srcdir)/src/libtls \
+ -I$(top_srcdir)/src/libpttls \
+ -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libtnccs
+
+AM_CFLAGS = \
+ -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-pt-tls.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-pt-tls.la
+libstrongswan_tnc_pt_tls_la_LIBADD = \
+ $(top_builddir)/src/libtls/libtls.la \
+ $(top_builddir)/src/libpttls/libpttls.la \
+ $(top_builddir)/src/libtnccs/libtnccs.la
+endif
+
+libstrongswan_tnc_pt_tls_la_SOURCES = \
+ tnc_pt_tls_plugin.h tnc_pt_tls_plugin.c \
+ tnc_pt_tls_connection.h tnc_pt_tls_connection.c
+
+libstrongswan_tnc_pt_tls_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_pt_tls_connection.h"
+
+#include <pt_tls_client.h>
+
+typedef struct private_tnc_pt_tls_connection_t private_tnc_pt_tls_connection_t;
+
+/**
+ * Private data of an tnc_pt_tls_connection_t object.
+ */
+struct private_tnc_pt_tls_connection_t {
+
+ /**
+ * Public pt_tls_connection_t interface.
+ */
+ pt_tls_connection_t public;
+
+ /**
+ * PT-TLS client instance
+ */
+ pt_tls_client_t *pt_tls_client;
+
+};
+
+METHOD(pt_tls_connection_t, destroy, void,
+ private_tnc_pt_tls_connection_t *this)
+{
+ DBG2(DBG_TNC, "destroying PT-TLS connection");
+ this->pt_tls_client->destroy(this->pt_tls_client);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_connection_t *tnc_pt_tls_connection_create(tnccs_t *tnccs, host_t *host,
+ identification_t *server, identification_t *client)
+{
+ private_tnc_pt_tls_connection_t *this;
+
+ DBG2(DBG_TNC, "TODO: setup PT-TLS connection to '%Y' at %#H", server, host);
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy,
+ },
+ .pt_tls_client = pt_tls_client_create(host, server, client),
+ );
+
+ return &this->public;
+}
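Review bot: `tnccs` is accepted but neither stored nor released, while the caller in eap_tnc hands over a reference it obtained with `get_ref`; that reference is therefore leaked, and the connection has no TNCCS to transport once the TODO logged at the `DBG2` is implemented. Keep it in the private struct (`tnccs_t *tnccs;`, `.tnccs = tnccs,`) and release it in `destroy` the way eap_tnc used to, `this->tnccs->tls.destroy(&this->tnccs->tls);`. The result of `pt_tls_client_create` is also stored unchecked; if it can fail, `destroy` will dereference NULL, so either guard it or document that the constructor cannot return NULL.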
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_pt_tls_connection tnc_pt_tls_connection
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef TNC_PT_TLS_CONNECTION_H_
+#define TNC_PT_TLS_CONNECTION_H_
+
+
+#include <library.h>
+
+#include <pt_tls_connection.h>
+
+/**
+ * Create a PT-TLS connection instance.
+ *
+ * @param tnccs IF-TNCCS connection to be transported
+ * @param host IP address of PDP server
+ * @param server Hostname of PDP server
+ * @param client Access Requestor Identity
+ */
+pt_tls_connection_t* tnc_pt_tls_connection_create(tnccs_t *tnccs, host_t *host,
+ identification_t *server, identification_t *client);
+
+#endif /** TNC_PT_TLS_CONNECTION_H_ @}*/
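Review bot: The constructor's contract leaves ownership open: the caller in eap_tnc creates `host` and `server` and clones `client` just for this call and never frees them, so the connection must adopt all three (presumably via `pt_tls_client_create`), but the header says nothing about it and has no `@return`. Add `@return pt_tls_connection_t object` and a sentence such as `host, server and client are adopted by the connection; tnccs is the reference handed over by the caller and released with the connection`. It is also worth stating that the constructor only prepares the connection and does not start it — the visible implementation creates the pt_tls_client and logs a TODO.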
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_pt_tls_plugin.h"
+#include "tnc_pt_tls_connection.h"
+
+#include "pt_tls_manager.h"
+
+#include <daemon.h>
+
+typedef struct private_tnc_pt_tls_plugin_t private_tnc_pt_tls_plugin_t;
+
+/**
+ * Private data of a tnc_pt_tls_plugin_t object.
+ */
+struct private_tnc_pt_tls_plugin_t {
+
+ /**
+ * Public interface.
+ */
+ pt_tls_plugin_t public;
+
+ /**
+ * PT-TLS backend manager
+ */
+ pt_tls_manager_t *mgr;
+};
+
+
+METHOD(plugin_t, get_name, char*,
+ private_tnc_pt_tls_plugin_t *this)
+{
+ return "tnc-pt-tls";
+}
+
+/**
+ * Register PT-TLS manager
+ */
+static bool plugin_cb(private_tnc_pt_tls_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *cb_data)
+{
+ if (reg)
+ {
+ lib->set(lib, "pt-tls-manager", this->mgr);
+ }
+ else
+ {
+ lib->set(lib, "pt-tls-manager", NULL);
+ }
+ return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+ private_tnc_pt_tls_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "pt-tls-manager"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_tnc_pt_tls_plugin_t *this)
+{
+ this->mgr->destroy(this->mgr);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_pt_tls_plugin_create()
+{
+ private_tnc_pt_tls_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ .mgr = pt_tls_manager_create(tnc_pt_tls_connection_create),
+ );
+
+ return &this->public.plugin;
+}
+
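Review bot: `#include "pt_tls_manager.h"` uses quotes for a header that lives in libpttls and is found through `-I$(top_srcdir)/src/libpttls`; the sibling file includes `<pt_tls_client.h>` with angle brackets, so `<pt_tls_manager.h>` would be consistent. Beyond that, nothing in this plugin drives the connections the manager collects — the manager has no dispatcher and the connection interface offers only `destroy` — so loading `tnc-pt-tls` as the sample configs now do resolves the PDP and parks an idle connection until unload. A `TODO` comment in the file header saying that the transport is not yet started would make that state obvious to anyone enabling the plugin.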
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls pt_tls
+ * @ingroup cplugins
+ *
+ * @defgroup pt_tls_plugin pt_tls_plugin
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_PLUGIN_H_
+#define PT_TLS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pt_tls_plugin_t pt_tls_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct pt_tls_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** PT_TLS_PLUGIN_H_ @}*/
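Review bot: The header never declares `tnc_pt_tls_plugin_create`, although the definition's comment says `see header file` and the plugin loader expects the constructor to be exported; add `plugin_t *tnc_pt_tls_plugin_create();` with a `@return plugin instance` doc. The struct comment `EAP-TNC plugin` is copied from elsewhere and should read `tnc_pt_tls plugin`. The type `pt_tls_plugin_t`, guard `PT_TLS_PLUGIN_H_` and doxygen group `pt_tls` all omit the `tnc_` prefix that the file name and the plugin name `tnc-pt-tls` carry, which invites a clash with a same-named header or group in libpttls.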
pt_tls_client.c pt_tls_client.h \
pt_tls_server.c pt_tls_server.h \
pt_tls_dispatcher.c pt_tls_dispatcher.h \
+ pt_tls_manager.h pt_tls_manager.c pt_tls_connection.h \
sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
sasl/sasl_mechanism.c sasl/sasl_mechanism.h
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_connection pt_tls_connection
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CONNECTION_H_
+#define PT_TLS_CONNECTION_H_
+
+typedef struct pt_tls_connection_t pt_tls_connection_t;
+
+#include <library.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+/**
+ * Constructor function for PT-TLS connection
+ */
+typedef pt_tls_connection_t* (*pt_tls_connection_constructor_t)(tnccs_t *tnccs,
+ host_t *host, identification_t *server,
+ identification_t *client);
+
+/**
+ * Public interface of a PT-TLS connection.
+ */
+struct pt_tls_connection_t {
+
+ /**
+ * Destroy a pt_tls_connection_t object.
+ */
+ void (*destroy)(pt_tls_connection_t *this);
+};
+
+#endif /** PT_TLS_CONNECTION_H_ @}*/
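Review bot: Including `<tnc/tnccs/tnccs.h>` here makes libpttls depend on libtnccs headers for the sake of one pointer type in the constructor typedef; a forward declaration, `typedef struct tnccs_t tnccs_t;` (the same pattern this header uses for its own type; repeating a typedef is allowed in C11), would avoid that, though whether libpttls's own Makefile already adds the libtnccs include path is not visible here. The constructor typedef should also document that the callee takes ownership of `host`, `server` and `client`, since that is how eap_tnc calls it, and the interface currently exposes nothing but `destroy`, so a short comment noting that start/process methods are still to come would help readers.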
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_manager.h"
+
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_pt_tls_manager_t private_pt_tls_manager_t;
+
+/**
+ * Private data of an pt_tls_manager_t object.
+ */
+struct private_pt_tls_manager_t {
+
+ /**
+ * Public pt_tls_manager_t interface.
+ */
+ pt_tls_manager_t public;
+
+ /**
+ * Constructor for PT-TLS connection instance
+ */
+ pt_tls_connection_constructor_t create;
+
+ /**
+ * list of added PT-TLS connections
+ */
+ linked_list_t *connections;
+
+ /**
+ * lock for lists above
+ */
+ rwlock_t *lock;
+};
+
+METHOD(pt_tls_manager_t, create_connection, pt_tls_connection_t*,
+ private_pt_tls_manager_t *this, tnccs_t *tnccs, host_t *host,
+ identification_t *server, identification_t *client)
+{
+ return this->create(tnccs, host, server, client);
+}
+
+METHOD(pt_tls_manager_t, add_connection, void,
+ private_pt_tls_manager_t *this, pt_tls_connection_t *connection)
+{
+ this->lock->write_lock(this->lock);
+ this->connections->insert_last(this->connections, connection);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(pt_tls_manager_t, remove_connection, void,
+ private_pt_tls_manager_t *this, pt_tls_connection_t *connection)
+{
+ this->lock->write_lock(this->lock);
+ this->connections->remove(this->connections, connection, NULL);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(pt_tls_manager_t, destroy, void,
+ private_pt_tls_manager_t *this)
+{
+ this->connections->destroy_offset(this->connections,
+ offsetof(pt_tls_connection_t, destroy));
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_manager_t *pt_tls_manager_create(pt_tls_connection_constructor_t create)
+{
+ private_pt_tls_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .create_connection = _create_connection,
+ .add_connection = _add_connection,
+ .remove_connection = _remove_connection,
+ .destroy = _destroy,
+ },
+ .create = create,
+ .connections = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
+
+ return &this->public;
+}
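Review bot: `add_connection` inserts whatever pointer it is given and `create_connection` returns `this->create(...)` unchecked, so a NULL from a failing constructor ends up in the list and `destroy_offset` dereferences it at plugin unload. Guard the entry point, `if (connection) { ... }` around the locked insert, or document that constructors must never return NULL. The rwlock is only ever taken for writing until an enumerating accessor exists, so a plain mutex would express the intent better, and the comment `lock for lists above` refers to a single list. `destroy` takes no lock, which is fine only if the caller guarantees no concurrent add/remove at teardown; say so in the comment.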
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_manager pt_tls_manager
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_MANAGER_H_
+#define PT_TLS_MANAGER_H_
+
+typedef struct pt_tls_manager_t pt_tls_manager_t;
+
+#include "pt_tls_connection.h"
+
+/**
+ * The PT-TLS manager handles multiple PT-TLS connections.
+ */
+struct pt_tls_manager_t {
+
+ /**
+ * Create a PT-TLS connection instance.
+ *
+ * @param tnccs IF-TNCCS connection to be transported
+ * @param host IP address of PDP server
+ * @param server Hostname of PDP server
+ * @param client Access Requestor Identity
+ */
+ pt_tls_connection_t* (*create_connection)(pt_tls_manager_t *this,
+ tnccs_t *tnccs, host_t *host,
+ identification_t *server,
+ identification_t *client);
+
+ /**
+ * Register a PT-TLS connection with the manager.
+ *
+ * @param connection PT-TLS connection to register
+ */
+ void (*add_connection)(pt_tls_manager_t *this,
+ pt_tls_connection_t *connection);
+
+ /**
+ * Unregister a previously registered connection from the manager.
+ *
+ * @param connection PT-TLS connection to unregister
+ */
+ void (*remove_connection)(pt_tls_manager_t *this,
+ pt_tls_connection_t *connection);
+
+ /**
+ * Destroy a manager instance.
+ */
+ void (*destroy)(pt_tls_manager_t *this);
+};
+
+/**
+ * Create a PT-TLS manager to handle multiple PT-TLS connections.
+ *
+ * @return pt_tls_manager_t object
+ */
+pt_tls_manager_t *pt_tls_manager_create();
+
+#endif /** PT_TLS_MANAGER_H_ @}*/
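Review bot: The prototype `pt_tls_manager_t *pt_tls_manager_create();` does not match the definition, which takes a `pt_tls_connection_constructor_t`; the empty parentheses only compile because C treats them as unspecified arguments, so a caller passing nothing or the wrong type gets no diagnostic. Declare it as `pt_tls_manager_t *pt_tls_manager_create(pt_tls_connection_constructor_t create);` with `@param create constructor used by create_connection()`. The `remove_connection` doc should also say the connection is only unregistered, not destroyed — the implementation passes a NULL destructor to `remove` — so the caller remains responsible for destroying it.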
--enable-eap-tnc \
--enable-tnc-ifmap \
--enable-tnc-pdp \
+ --enable-tnc-pt-tls \
--enable-tnc-imc \
--enable-tnc-imv \
--enable-tnccs-11 \
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-pt-tls tnc-imc tnc-tnccs tnccs-20 updown
plugins {
eap-tnc {
protocol = tnccs-2.0
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-pt-tls tnc-imc tnc-tnccs tnccs-20 updown
plugins {
eap-tnc {
protocol = tnccs-2.0