📄 xauth.c
字号:
/* loglog(LOG_DEBUG,"ModeCfg ACK: %x",resp); */ } } /* we are done with this exchange, clear things so that we can start phase 2 properly */ st->st_msgid = 0; if(resp) { st->hidden_variables.st_modecfg_vars_set = TRUE; } DBG(DBG_CONTROL, DBG_log("modecfg_inR1(STF_OK)")); return STF_OK;}/** XAUTH client code - response to challenge. May open filehandle to console * in order to prompt user for password * * @param st State * @param xauth_resp XAUTH Reponse * @param rbody Reply Body * @param ap_id * @return stf_status */stf_status xauth_client_resp(struct state *st ,unsigned int xauth_resp ,pb_stream *rbody ,u_int16_t ap_id){ unsigned char *r_hash_start,*r_hashval; char xauth_username[64], xauth_password[64]; struct connection *c = st->st_connection; /* START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_ATTR); */ { pb_stream hash_pbs; int np = ISAKMP_NEXT_ATTR; if (!out_generic(np, &isakmp_hash_desc, rbody, &hash_pbs)) return STF_INTERNAL_ERROR; r_hashval = hash_pbs.cur; /* remember where to plant value */ if (!out_zero(st->st_oakley.hasher->hash_digest_len, &hash_pbs, "HASH")) return STF_INTERNAL_ERROR; close_output_pbs(&hash_pbs); r_hash_start = (rbody)->cur; /* hash from after HASH payload */ } /* ATTR out */ { struct isakmp_mode_attr attrh; struct isakmp_attribute attr; pb_stream strattr,attrval; int attr_type; int dns_idx, wins_idx; bool dont_advance; attrh.isama_np = ISAKMP_NEXT_NONE; attrh.isama_type = ISAKMP_CFG_REPLY; attrh.isama_identifier = ap_id; if(!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) return STF_INTERNAL_ERROR; dns_idx = 0; wins_idx = 0; attr_type = XAUTH_TYPE; while(xauth_resp != 0) { dont_advance = FALSE; if(xauth_resp & 1) { /* ISAKMP attr out */ switch(attr_type) { case XAUTH_TYPE: attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV; attr.isaat_lv = XAUTH_TYPE_GENERIC; out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL); break; case XAUTH_USER_NAME: attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV; out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval); if(st->st_whack_sock == -1) { loglog(RC_LOG_SERIOUS, "XAUTH username requested, but no file descriptor available for prompt"); return STF_FAIL; } if(!whack_prompt_for(st->st_whack_sock , c->name, "Username", TRUE , xauth_username , sizeof(xauth_username))) { loglog(RC_LOG_SERIOUS, "XAUTH username prompt failed."); return STF_FAIL; } /* trip any trailing white space */ { char *u = xauth_username; strsep(&u, " \n\t"); } out_raw(xauth_username, strlen(xauth_username) ,&attrval, "XAUTH username"); close_output_pbs(&attrval); break; case XAUTH_USER_PASSWORD: attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV; out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval); if(st->st_whack_sock == -1) { loglog(RC_LOG_SERIOUS, "XAUTH password requested, but no file descriptor available for prompt"); return STF_FAIL; } if(!whack_prompt_for(st->st_whack_sock , c->name, "Password", FALSE , xauth_password , sizeof(xauth_password))) { loglog(RC_LOG_SERIOUS, "XAUTH password prompt failed."); return STF_FAIL; } /* trip any trailing white space */ { char *u = xauth_password; strsep(&u, " \n\t"); } out_raw(xauth_password, strlen(xauth_password) ,&attrval, "XAUTH password"); close_output_pbs(&attrval); break; default: openswan_log("trying to send XAUTH reply, sending %s instead." , enum_show(&modecfg_attr_names, attr_type)); break; } } if (!dont_advance) { attr_type++; xauth_resp >>= 1; } } /* do not PAD here, */ close_output_pbs(&strattr); } openswan_log("XAUTH: Answering XAUTH challenge with user='%s'", xauth_username); xauth_mode_cfg_hash(r_hashval,r_hash_start,rbody->cur,st); close_message(rbody); encrypt_message(rbody, st); return STF_OK;}/** * STATE_XAUTH_I0 * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP) * * This state occurs in initiator. * * In the initating client, it occurs in XAUTH, when the responding server * demands a password, and we have to supply it. * * @param md Message Digest * @return stf_status */stf_statusxauth_inI0(struct msg_digest *md){ struct state *const st = md->st; struct payload_digest *p; pb_stream *attrs; char msgbuf[81]; int len; unsigned type; char *dat; int status; unsigned val; stf_status stat; bool gotrequest = FALSE; bool gotset = FALSE; bool got_status = FALSE; if(st->hidden_variables.st_xauth_client_done) { return modecfg_inI2(md); } DBG(DBG_CONTROLMORE, DBG_log("arrived in xauth_inI0")); st->st_msgid = md->hdr.isa_msgid; CHECK_QUICK_HASH(md, xauth_mode_cfg_hash(hash_val ,hash_pbs->roof , md->message_pbs.roof, st) , "MODECFG-HASH", "XAUTH I0"); stat = STF_FAIL; /* process the MODECFG payloads therein */ for(p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next) { struct isakmp_attribute attr; pb_stream strattr; unsigned int xauth_resp = LEMPTY;#define XAUTHLELEM(x) (LELEM(x - XAUTH_TYPE)) attrs = &p->pbs; switch(p->payload.attribute.isama_type) { default: openswan_log("Expecting ISAKMP_CFG_REQUEST, got %s instead (ignored)." , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type)); case ISAKMP_CFG_SET: gotset = TRUE; break; case ISAKMP_CFG_REQUEST: gotrequest = TRUE; break; } while(attrs->cur < attrs->roof) { memset(&attr, 0, sizeof(attr)); if (!in_struct(&attr, &isakmp_xauth_attribute_desc , attrs, &strattr)) { /* Skip unknown */ int len; if (attr.isaat_af_type & 0x8000) len = 4; else len = attr.isaat_lv; if(len < 4) { openswan_log("Attribute was too short: %d", len); return STF_FAIL; } attrs->cur += len; continue; } if (attr.isaat_af_type & 0x8000) { len = 4; val = attr.isaat_lv; dat = NULL; } else { len = attr.isaat_lv; val = ntohs(*(u_int16_t *)strattr.cur); dat = strattr.cur; } switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK ) { case XAUTH_STATUS: got_status = TRUE; status = attr.isaat_lv; break; case XAUTH_MESSAGE: if(len > 80) len=80; memcpy(msgbuf, dat, len); msgbuf[len]='\0'; loglog(RC_LOG_SERIOUS, "XAUTH: Bad Message: %s", msgbuf); break; case XAUTH_TYPE: type = val; if(type != XAUTH_TYPE_GENERIC) { openswan_log("XAUTH: Unsupported type: %d", type); return STF_IGNORE; } xauth_resp |= XAUTHLELEM(attr.isaat_af_type); break; case XAUTH_USER_NAME: case XAUTH_USER_PASSWORD: xauth_resp |= XAUTHLELEM(attr.isaat_af_type); break; case INTERNAL_IP4_ADDRESS: case INTERNAL_IP4_NETMASK: case INTERNAL_IP4_DNS: case INTERNAL_IP4_SUBNET: case INTERNAL_IP4_NBNS: xauth_resp |= LELEM(attr.isaat_af_type); break; default: openswan_log("XAUTH: Unsupported attribute: %s" , enum_show(&modecfg_attr_names, (attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))); break; } } if(gotset && got_status) { /* ACK whatever it was that we got */ stat = xauth_client_ackstatus(st, &md->rbody ,md->chain[ISAKMP_NEXT_ATTR]->payload.attribute.isama_identifier); /* must have gotten a status */ if(status && stat == STF_OK) { st->hidden_variables.st_xauth_client_done = TRUE; openswan_log("XAUTH: Successfully Authenticated"); st->st_oakley.xauth = 0; return STF_OK; } else { return STF_FATAL; } } if(gotrequest) { if(xauth_resp & (XAUTHLELEM(XAUTH_USER_NAME)|XAUTHLELEM(XAUTH_USER_PASSWORD))) { DBG(DBG_CONTROL, DBG_log("XAUTH: Username/password request received")); } /* sanitize what we were asked to reply to */ if(st->st_connection->spd.this.xauth_client && (xauth_resp &( XAUTHLELEM(XAUTH_USER_NAME) | XAUTHLELEM(XAUTH_USER_PASSWORD)))==0) { openswan_log("XAUTH: No username/password request was received."); return STF_IGNORE; } /* now, opposite */ if(!st->st_connection->spd.this.xauth_client && (xauth_resp & (XAUTHLELEM(XAUTH_USER_NAME) |XAUTHLELEM(XAUTH_USER_PASSWORD)))!=0) { openswan_log("XAUTH: Username/password request was received, but XAUTH client mode not enabled."); return STF_IGNORE; } stat = xauth_client_resp(st, xauth_resp , &md->rbody ,md->chain[ISAKMP_NEXT_ATTR]->payload.attribute.isama_identifier); } if(stat != STF_OK) { /* notification payload - not exactly the right choice, but okay */ md->note = CERTIFICATE_UNAVAILABLE; return stat; } } /* reset the message ID, tentatively */ st->st_msgid2 = st->st_msgid; st->st_msgid = 0; DBG(DBG_CONTROLMORE, DBG_log("xauth_inI0(STF_OK)")); return STF_OK;}/** XAUTH client code - Acknowledge status * * @param st State * @param rbody Response Body * @param ap_id * @return stf_status */stf_status xauth_client_ackstatus(struct state *st ,pb_stream *rbody ,u_int16_t ap_id){ unsigned char *r_hash_start,*r_hashval; /* START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_ATTR); */ { pb_stream hash_pbs; int np = ISAKMP_NEXT_ATTR; if (!out_generic(np, &isakmp_hash_desc, rbody, &hash_pbs)) return STF_INTERNAL_ERROR; r_hashval = hash_pbs.cur; /* remember where to plant value */ if (!out_zero(st->st_oakley.hasher->hash_digest_len, &hash_pbs, "HASH")) return STF_INTERNAL_ERROR; close_output_pbs(&hash_pbs); r_hash_start = (rbody)->cur; /* hash from after HASH payload */ } /* ATTR out */ { struct isakmp_mode_attr attrh; struct isakmp_attribute attr; pb_stream strattr,attrval; int attr_type; int dns_idx, wins_idx; attrh.isama_np = ISAKMP_NEXT_NONE; attrh.isama_type = ISAKMP_CFG_ACK; attrh.isama_identifier = ap_id; if(!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) return STF_INTERNAL_ERROR; dns_idx = 0; wins_idx = 0; attr_type = XAUTH_TYPE; /* ISAKMP attr out */ attr.isaat_af_type = XAUTH_STATUS | ISAKMP_ATTR_AF_TV; attr.isaat_lv = 1; out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval); close_output_pbs(&attrval); close_message(&strattr); } xauth_mode_cfg_hash(r_hashval,r_hash_start,rbody->cur,st); close_message(rbody); encrypt_message(rbody, st); return STF_OK;}/** STATE_XAUTH_I1 * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK) * * @param md Message Digest * @return stf_status */stf_statusxauth_inI1(struct msg_digest *md){ struct state *const st = md->st; pb_stream *attrs = &md->chain[ISAKMP_NEXT_ATTR]->pbs; bool got_status, status; stf_status stat; struct payload_digest *p; unsigned int xauth_resp = LEMPTY; if(st->hidden_variables.st_xauth_client_done) { return modecfg_inI2(md); } DBG(DBG_CONTROLMORE, DBG_log("xauth_inI1")); st->st_msgid = md->hdr.isa_msgid; CHECK_QUICK_HASH(md , xauth_mode_cfg_hash(hash_val ,hash_pbs->roof , md->message_pbs.roof, st) , "MODECFG-HASH", "XAUTH I1"); got_status = FALSE; status = FALSE; for(p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next) { struct isakmp_attribute attr; pb_stream strattr; attrs = &p->pbs; switch(p->payload.attribute.isama_type) { default: openswan_log("Expecting MODE_CFG_SET, got %x instead." , p->payload.attribute.isama_type); return STF_IGNORE; case ISAKMP_CFG_SET: /* CHECK that SET has been received. */ while(attrs->cur < attrs->roof) { memset(&attr, 0, sizeof(attr)); if (!in_struct(&attr, &isakmp_xauth_attribute_desc , attrs, &strattr)) { /* Skip unknown */ int len; if (attr.isaat_af_type & 0x8000) len = 4; else len = attr.isaat_lv; if(len < 4) { openswan_log("Attribute was too short: %d", len); return STF_FAIL; } attrs->cur += len; } switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK ) { case XAUTH_STATUS: xauth_resp |= XAUTHLELEM(attr.isaat_af_type); got_status = TRUE; status = attr.isaat_lv; break; default: openswan_log("while waiting for XAUTH_STATUS, got %s instead." , enum_show(&modecfg_attr_names, (attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))); break; } } break; } } /* first check if we might be done! */ if(!got_status || status==FALSE) { /* oops, something seriously wrong */ openswan_log("did not get status attribute in xauth_inI1, looking for new challenge."); st->st_state = STATE_XAUTH_I0; return xauth_inI0(md); } /* ACK whatever it was that we got */ stat = xauth_client_ackstatus(st, &md->rbody ,md->chain[ISAKMP_NEXT_ATTR]->payload.attribute.isama_identifier); /* must have gotten a status */ if(status && stat == STF_OK) { st->hidden_variables.st_xauth_client_done = TRUE; openswan_log("successfully logged in"); st->st_oakley.xauth = 0; return STF_OK; } /* what? */ return stat;}/* * Local Variables: * c-basic-offset:4 * c-style: pluto * End: */⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -