From: Martin Willi Date: Mon, 11 Jan 2010 13:21:58 +0000 (+0100) Subject: Added EAP-TLS plugin stub X-Git-Tag: 4.5.0~666 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21079538047f9763075fb550df2ca4e6e908c639;p=thirdparty%2Fstrongswan.git Added EAP-TLS plugin stub
---
diff --git a/configure.in b/configure.in
index b294349104..65f45c8894 100644
--- a/configure.in
+++ b/configure.in
@@ -111,6 +111,7 @@ ARG_ENABL_SET([eap-gtc], [enable PAM based EAP GTC authenication module.]
 ARG_ENABL_SET([eap-aka], [enable EAP AKA authentication module.])
 ARG_ENABL_SET([eap-aka-3gpp2], [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
 ARG_ENABL_SET([eap-mschapv2], [enable EAP MS-CHAPv2 authenication module.])
+ARG_ENABL_SET([eap-tls], [enable EAP TLS authenication module.])
 ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authenication module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.])
@@ -846,6 +847,7 @@ AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
@@ -969,6 +971,7 @@ AC_OUTPUT(
 src/libcharon/plugins/eap_simaka_pseudonym/Makefile
 src/libcharon/plugins/eap_simaka_reauth/Makefile
 src/libcharon/plugins/eap_mschapv2/Makefile
+ src/libcharon/plugins/eap_tls/Makefile
 src/libcharon/plugins/eap_radius/Makefile
 src/libcharon/plugins/kernel_netlink/Makefile
 src/libcharon/plugins/kernel_pfkey/Makefile
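Review bot: The AC_OUTPUT hunk registers `src/libcharon/plugins/eap_tls/Makefile`, but the new Makefile.am and sources in the following hunks are added under `src/charon/plugins/eap_tls/`, so configure will look for a Makefile.in at a path this commit never creates and the plugin will not be built. Either move the new directory to `src/libcharon/plugins/eap_tls/` to match the sibling plugin entries listed around it, or point the AC_OUTPUT line at the directory actually added. The Makefile.am's `-I$(top_srcdir)/src/charon` include path looks affected by the same split, since the daemon sources this commit touches live under `src/libcharon`; worth confirming against the other plugin Makefiles.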
diff --git a/src/charon/plugins/eap_tls/Makefile.am b/src/charon/plugins/eap_tls/Makefile.am
new file mode 100644
index 0000000000..236e50d837
--- /dev/null
+++ b/src/charon/plugins/eap_tls/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eap-tls.la
+
+libstrongswan_eap_tls_la_SOURCES = eap_tls_plugin.h eap_tls_plugin.c \
+ eap_tls.h eap_tls.c
+libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_tls/eap_tls.c b/src/charon/plugins/eap_tls/eap_tls.c
new file mode 100644
index 0000000000..0ff68b735c
--- /dev/null
+++ b/src/charon/plugins/eap_tls/eap_tls.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls.h"
+
+#include
+#include
+
+typedef struct private_eap_tls_t private_eap_tls_t;
+
+/**
+ * Private data of an eap_tls_t object.
+ */
+struct private_eap_tls_t {
+
+ /**
+ * Public interface.
+ */
+ eap_tls_t public;
+
+ /**
+ * ID of the server
+ */
+ identification_t *server;
+
+ /**
+ * ID of the peer
+ */
+ identification_t *peer;
+
+ /**
+ * Is this method instance acting as server?
+ */
+ bool is_server;
+};
+
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_tls_t *this, eap_payload_t **out)
+{
+ return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+ private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+ return FAILED;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_tls_t *this, u_int32_t *vendor)
+{
+ *vendor = 0;
+ return EAP_TLS;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_tls_t *this, chunk_t *msk)
+{
+ return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_tls_t *this)
+{
+ return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+ private_eap_tls_t *this)
+{
+ this->peer->destroy(this->peer);
+ this->server->destroy(this->server);
+ free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_tls_t *eap_tls_create(identification_t *server,
+ identification_t *peer, bool is_server)
+{
+ private_eap_tls_t *this;
+
+ INIT(this,
+ .public.eap_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .destroy = _destroy,
+ },
+ .peer = peer->clone(peer),
+ .server = server->clone(server),
+ .is_server = is_server,
+ );
+ return &this->public;
+}
+
+eap_tls_t *eap_tls_create_server(identification_t *server,
+ identification_t *peer)
+{
+ return eap_tls_create(server, peer, TRUE);
+}
+
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+ identification_t *peer)
+{
+ return eap_tls_create(server, peer, FALSE);
+}
diff --git a/src/charon/plugins/eap_tls/eap_tls.h b/src/charon/plugins/eap_tls/eap_tls.h
new file mode 100644
index 0000000000..6be7b4a4f5
--- /dev/null
+++ b/src/charon/plugins/eap_tls/eap_tls.h
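Review bot: `is_mutual` returns TRUE although `initiate`, `process` and `get_msk` are all stubs that return FAILED, so the method advertises mutual authentication it does not perform yet. This is harmless right now because no exchange can complete, but the flag presumably tells the IKE layer whether EAP alone may authenticate both sides, so once the handshake is implemented it must stay coupled to actual certificate verification in both directions; until then `return FALSE;` with a comment such as `/* mutual once the TLS handshake verifies both certificates */` is the safer stub. The `is_server` field is initialised but never read in this hunk, which is expected for a stub but deserves a note on the struct, e.g. `/* selects the server or peer side of the handshake; unused until implemented */`.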
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls eap_tls
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_H_
+#define EAP_TLS_H_
+
+typedef struct eap_tls_t eap_tls_t;
+
+#include
+
+/**
+ * Implementation of eap_method_t using EAP-TLS.
+ */
+struct eap_tls_t {
+
+ /**
+ * Implements eap_method_t interface.
+ */
+ eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TLS acting as server.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_server(identification_t *server,
+ identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TLS acting as peer.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+ identification_t *peer);
+
+#endif /** EAP_TLS_H_ @}*/
diff --git a/src/charon/plugins/eap_tls/eap_tls_plugin.c b/src/charon/plugins/eap_tls/eap_tls_plugin.c
new file mode 100644
index 0000000000..f7da643c29
--- /dev/null
+++ b/src/charon/plugins/eap_tls/eap_tls_plugin.c
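Review bot: The Doxygen header `@defgroup eap_tls eap_tls` followed by `@{ @ingroup eap_tls` makes the group a member of itself; eap_tls_plugin.h in this same commit already defines `eap_tls` under `cplugins`, so this file presumably wants a distinct group id such as `@defgroup eap_tls_i eap_tls`, as the sibling plugin headers appear to do. The `@return eap_tls_t object` lines could also state ownership: eap_tls.c clones both identities, so the caller keeps its own `server` and `peer` and releases the method through `eap_method.destroy`.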
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls_plugin.h"
+
+#include "eap_tls.h"
+
+#include
+
+
+METHOD(plugin_t, destroy, void,
+ eap_tls_plugin_t *this)
+{
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_tls_create_server);
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_tls_create_peer);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ eap_tls_plugin_t *this;
+
+ INIT(this,
+ .plugin.destroy = _destroy,
+ );
+
+ charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_SERVER,
+ (eap_constructor_t)eap_tls_create_server);
+ charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_PEER,
+ (eap_constructor_t)eap_tls_create_peer);
+
+ return &this->plugin;
+}
diff --git a/src/charon/plugins/eap_tls/eap_tls_plugin.h b/src/charon/plugins/eap_tls/eap_tls_plugin.h
new file mode 100644
index 0000000000..5ec3836618
--- /dev/null
+++ b/src/charon/plugins/eap_tls/eap_tls_plugin.h
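Review bot: `plugin_t *plugin_create()` is an old-style declaration with no prototype, and eap_tls_plugin.h in the next hunk declares it the same way; both should read `plugin_t *plugin_create(void)` so calls are type-checked. The `(eap_constructor_t)` casts on `eap_tls_create_server` and `eap_tls_create_peer` silence any mismatch between their signatures and the `eap_constructor_t` typedef, which is not visible here; if the parameter lists differ, calling through the cast is undefined behaviour, so it is worth confirming they match exactly or wrapping the constructors in functions that carry the typedef's signature.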
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls eap_tls
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tls_plugin eap_tls_plugin
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_PLUGIN_H_
+#define EAP_TLS_PLUGIN_H_
+
+#include
+
+typedef struct eap_tls_plugin_t eap_tls_plugin_t;
+
+/**
+ * EAP-TLS plugin
+ */
+struct eap_tls_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a eap_tls_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_TLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
index ad7b92cfa2..9d6aba51ef 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -29,6 +29,7 @@ eap_type_t eap_type_from_string(char *name)
 {"md5", EAP_MD5},
 {"otp", EAP_OTP},
 {"gtc", EAP_GTC},
+ {"tls", EAP_TLS},
 {"sim", EAP_SIM},
 {"aka", EAP_AKA},
 {"mschapv2", EAP_MSCHAPV2},
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2573d0327d..0ec2a1be7e 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -36,7 +36,9 @@ ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
 "EAP_MD5",
 "EAP_OTP",
 "EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
+ENUM_NEXT(eap_type_names, EAP_TLS, EAP_TLS, EAP_GTC,
+ "EAP_TLS");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TLS,
 "EAP_SIM");
 ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
 "EAP_AKA");
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 713e16372e..6c9a6b1d3c 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -60,6 +60,7 @@ enum eap_type_t {
 EAP_MD5 = 4,
 EAP_OTP = 5,
 EAP_GTC = 6,
+ EAP_TLS = 13,
 EAP_SIM = 18,
 EAP_AKA = 23,
 EAP_MSCHAPV2 = 26,
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 399e17844d..236183dc43 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -687,6 +687,10 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 {
 conn->eap_type = 6;
 }
+ else if (streq(kw->value, "tls"))
+ {
+ conn->eap_type = 13;
+ }
 else if (streq(kw->value, "mschapv2"))
 {
 conn->eap_type = 26;
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
index 3d2940a66b..0f87f6b219 100644
--- a/src/starter/ipsec.conf.5.in
+++ b/src/starter/ipsec.conf.5.in
@@ -541,6 +541,7 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
 .BR eap-md5 ,
+.BR eap-tls ,
 .B eap-mschapv2
 and
 .BR eap-sim .
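Review bot: `conn->eap_type = 13;` in the confread.c hunk hard-codes the EAP type number that the auth_cfg.h hunk of this same commit defines as `EAP_TLS = 13`, so the two values can drift apart silently. The surrounding branches use bare literals as well, so at minimum tie them together with a comment, `conn->eap_type = 13; /* EAP_TLS, see auth_cfg.h */`; if starter can include auth_cfg.h, using the enum constant directly would be better. load_conn starts and ends outside the hunk.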