[Openswan dev] CheckPoint SecureClient Hybrid mode authentication
Chris Poon
dev-null at telus.net
Tue May 25 10:09:29 CEST 2004
Quoting Ken Bantoft <ken at xelerance.com>:
>
> Post code, and it'll have a higher chance of being integrated :) The
> biggest issue against it is 'How do we test this?' in some easy fashion.
>
> Having client-mode only code is still quite useful, as server mode could
> be written, and then testing is much simpler to do in an automated way
> under UML.
I will attach the patch and also paste it inline in this message. It's
pretty ugly - hope you don't mind.
diff -urbw openswan-2.1.2.orig/programs/_confread/_confread.in
openswan-2.1.2/programs/_confread/_confread.in
--- openswan-2.1.2.orig/programs/_confread/_confread.in 2004-05-14
08:39:52.000000000 -0700
+++ openswan-2.1.2/programs/_confread/_confread.in 2004-05-23 22:19:35.166547920
-0700
@@ -133,7 +133,7 @@
good = "also alsoflip type auto authby _plutodevel"
left = " left leftsubnet leftnexthop leftfirewall leftupdown"
akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
- akey = akey " xauth"
+ akey = akey " xauth cpsc"
akey = akey " compress"
akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt"
mkey = " spibase spi esp espenckey espauthkey espreplay_window"
diff -urbw openswan-2.1.2.orig/programs/auto/auto.in
openswan-2.1.2/programs/auto/auto.in
--- openswan-2.1.2.orig/programs/auto/auto.in 2004-04-30 21:53:57.000000000 -0700
+++ openswan-2.1.2/programs/auto/auto.in 2004-05-23 22:19:35.166547920 -0700
@@ -347,6 +347,8 @@
fail("only know how to do auth=esp or auth=ah")
yesno("pfs")
default("pfs", "yes")
+ yesno("cpsc")
+ default("cpsc", "no")
yesno("xauth")
default("xauth", "no")
yesno("xauthserver")
@@ -449,6 +451,8 @@
settings = settings " --authenticate"
if (s["pfs"] == "yes")
settings = settings " --pfs"
+ if (s["cpsc"] == "yes")
+ settings = settings " --cpsc"
if (s["xauth"] == "yes")
settings = settings " --xauth"
if (s["compress"] == "yes")
diff -urbw openswan-2.1.2.orig/programs/pluto/constants.c
openswan-2.1.2/programs/pluto/constants.c
--- openswan-2.1.2.orig/programs/pluto/constants.c 2004-05-06 20:17:06.000000000
-0700
+++ openswan-2.1.2/programs/pluto/constants.c 2004-05-23 23:11:18.410783088 -0700
@@ -160,6 +160,10 @@
"STATE_XAUTH_I0",
"STATE_XAUTH_I1",
+ "STATE_CPSC_I0",
+ "STATE_CPSC_I1",
+ "STATE_CPSC_I2",
+
"STATE_IKE_ROOF" /* one */
};
@@ -193,7 +197,10 @@
"ModeCfg Set sent, expecting Ack", /* STATE_MODE_CFG_R1 */
"ModeCfg R2", /* STATE_MODE_CFG_R2 */
"XAUTH client - awaiting CFG_request", /* MODE_XAUTH_I0 */
- "XAUTH client - awaiting CFG_set" /* MODE_XAUTH_I1 */
+ "XAUTH client - awaiting CFG_set", /* MODE_XAUTH_I1 */
+ "CP SecureClient - awaiting username request", /* MODE_CPSC_I0 */
+ "CP SecureClient - awaiting password request", /* MODE_CPSC_I1 */
+ "CP SecureClient - awaiting authentication status", /* MODE_CPSC_I2 */
};
/* kind of struct connection */
@@ -437,6 +444,7 @@
"UP",
"XAUTH",
"MODECFG",
+ "CPSC",
NULL
};
diff -urbw openswan-2.1.2.orig/programs/pluto/constants.h
openswan-2.1.2/programs/pluto/constants.h
--- openswan-2.1.2.orig/programs/pluto/constants.h 2004-05-06 20:17:06.000000000
-0700
+++ openswan-2.1.2/programs/pluto/constants.h 2004-05-23 22:19:35.167547768 -0700
@@ -332,6 +332,10 @@
STATE_XAUTH_I0, /* client state is awaiting request */
STATE_XAUTH_I1, /* client state is awaiting result code */
+ STATE_CPSC_I0, /* client state is awaiting request */
+ STATE_CPSC_I1, /* client state is awaiting for challenge */
+ STATE_CPSC_I2, /* client state is awaiting result code */
+
STATE_IKE_ROOF
};
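Review bot: The comments on the three new states copy the XAUTH_I0/I1 wording ("awaiting request", "awaiting result code") and the middle one reads "awaiting for challenge", while the constants.c hunk describes the same states as username request, password request and authentication status; the two files should agree so a reader of the enum knows which CheckPoint round each state is waiting for. Suggest `STATE_CPSC_I0, /* CP client: awaiting username request */`, `STATE_CPSC_I1, /* CP client: awaiting password/challenge request */` and `STATE_CPSC_I2, /* CP client: awaiting authentication status */`.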
@@ -345,6 +349,8 @@
#define IS_PHASE1(s) (STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4)
#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
#define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4 \
+ || (s) == STATE_CPSC_I0 || (s) == STATE_CPSC_I1 \
+ || (s) == STATE_CPSC_I2 \
|| (s) == STATE_XAUTH_R0 || (s) == STATE_XAUTH_R1 \
|| (s) == STATE_XAUTH_I0 || (s) ==
STATE_XAUTH_I1)
#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
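Review bot: IS_ISAKMP_SA_ESTABLISHED gains three separate equality tests for STATE_CPSC_I0..I2 although the sibling macros right above (IS_PHASE1, IS_QUICK) express a contiguous run as a range, and the three states are contiguous in the enum added to this same file; `|| (STATE_CPSC_I0 <= (s) && (s) <= STATE_CPSC_I2) \` is shorter and survives a fourth stage being added. It also deserves a comment: in Hybrid mode the initiator only sends HASH_I (see the ipsec_doi.c hunk), so while the connection sits in CPSC_I0..I2 the gateway has not yet verified the client's credentials, and this macro reporting "established" there mirrors the existing XAUTH_I0/I1 treatment rather than meaning mutual authentication is complete. Something like `/* XAUTH/CPSC client states count as established: the peer is authenticated, our own credentials are still being checked */` would stop the next reader from assuming otherwise.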
@@ -473,6 +479,18 @@
#define XAUTH_NEXT_PIN 16528
#define XAUTH_ANSWER 16529
+/* Checkpoint attribute values */
+#define CPSC_TYPE 13
+#define CPSC_USER_NAME 14
+#define CPSC_USER_PASSWORD 15
+#define CPSC_MESSAGE 17
+#define CPSC_CHALLENGE 18
+#define CPSC_STATUS 20
+
+#define CPSC_INTERNAL_DOMAIN_NAME 16387
+#define CPSC_CHKPT_MAC_ADDRESS 16388
+#define CPSC_MARCIPAN_REASON_CODE 16389
+
#define XAUTH_TYPE_GENERIC 0
#define XAUTH_TYPE_CHAP 1
#define XAUTH_TYPE_OTP 2
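Review bot: The CheckPoint attribute numbers are introduced as bare magic values with no comment on their origin; they are vendor-specific and, if I recall the ISAKMP Mode-Config draft numbering correctly, 13/14/15 coincide with INTERNAL_IP4_SUBNET, SUPPORTED_ATTRIBUTES and INTERNAL_IP6_SUBNET, so by value alone they cannot be distinguished from standard config attributes. Suggest a header comment such as `/* CheckPoint SecureClient Hybrid-mode attribute numbers: undocumented, taken from observed SecureClient traffic. They overlap the standard ISAKMP Mode-Config attribute range and must only be interpreted on connections with POLICY_CPSC set. */`. It would also help to say which of these are actually consumed: nothing in the visible hunks handles CPSC_CHALLENGE or the three 163xx values, so either they are used in code outside this patch or they are documentation-only placeholders, and the comment should say which.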
@@ -631,6 +649,7 @@
#define POLICY_UP LELEM(16) /* do we want this up? */
#define POLICY_XAUTH LELEM(17) /* do we offer XAUTH? */
#define POLICY_MODE_CFG LELEM(18) /* do we offer mode configuration? */
+#define POLICY_CPSC LELEM(19) /* do we offer CP SecureClient? */
/* Any IPsec policy? If not, a connection description
diff -urbw openswan-2.1.2.orig/programs/pluto/demux.c
openswan-2.1.2/programs/pluto/demux.c
--- openswan-2.1.2.orig/programs/pluto/demux.c 2004-03-20 21:23:32.000000000 -0800
+++ openswan-2.1.2/programs/pluto/demux.c 2004-05-23 23:45:17.122851744 -0700
@@ -508,6 +508,23 @@
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_SA_REPLACE, xauth_inI1 },
+
+ /* CheckPoint 2 stage authentication - Stage 1, ID only */
+ { STATE_CPSC_I0, STATE_CPSC_I1
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, xauth_inI0 },
+
+ /* Stage 2, Password/Challenge */
+ { STATE_CPSC_I1, STATE_CPSC_I2
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, xauth_inI0 },
+
+ { STATE_CPSC_I2, STATE_MAIN_I4
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, xauth_inI1 },
#endif
#undef P
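Review bot: The third CPSC transition (STATE_CPSC_I2 to STATE_MAIN_I4) has no comment while the first two are labelled "Stage 1" and "Stage 2", and all three entries reuse the XAUTH handlers (xauth_inI0 twice, then xauth_inI1), so the table alone does not show that stage 3 is the status/ack round or that running xauth_inI0 a second time is deliberate. Suggest `/* Stage 3, authentication status - ack it and return to MAIN_I4 */` above the last entry and `/* xauth_inI0 is run again here: same request/response handling, now answering the password prompt */` on the second. Since xauth_inI0's existing `"xauth_inI0(STF_OK)"` debug log (visible in the xauth.c hunk) will fire identically for stages 1 and 2, the stage is not recoverable from the logs either; that handler is outside this hunk.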
@@ -1550,6 +1567,9 @@
else if(st->st_connection->spd.this.xauth_client
&& IS_PHASE1(st->st_state))
{
+ if(st->st_connection->policy & POLICY_CPSC)
+ from_state = STATE_CPSC_I0;
+ else
from_state = STATE_XAUTH_I0;
}
else if(st->st_connection->spd.this.xauth_client
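Review bot: POLICY_CPSC is only consulted inside a branch that already requires `xauth_client` to be set, so a connection with `cpsc=yes` but without `xauthclient=yes` silently runs plain main mode and never reaches STATE_CPSC_I0; the auto.in and whack hunks add `--cpsc` as an independent switch with no such check. Either have auto/whack reject (or imply) the combination, or at least log once here when POLICY_CPSC is set on a non-xauth-client connection. Stylistically the added `else` leaves `from_state = STATE_XAUTH_I0;` as an unbraced dependent statement; `if (st->st_connection->policy & POLICY_CPSC) { from_state = STATE_CPSC_I0; } else { from_state = STATE_XAUTH_I0; }` matches the braced branches around it. The enclosing function starts before this hunk.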
diff -urbw openswan-2.1.2.orig/programs/pluto/id.c
openswan-2.1.2/programs/pluto/id.c
--- openswan-2.1.2.orig/programs/pluto/id.c 2004-04-16 05:33:10.000000000 -0700
+++ openswan-2.1.2/programs/pluto/id.c 2004-05-23 22:19:35.168547616 -0700
@@ -256,6 +256,13 @@
}
id->name.len = len;
}
+ else if (*(src+1) == '!')
+ {
+ /* Special CheckPoint Handling - use @! */
+ id->kind = ID_USER_FQDN;
+ id->name.ptr = src+2; /* discard @! */
+ id->name.len = 0; /* ID protection - empty */
+ }
else
{
id->kind = ID_FQDN;
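Review bot: The `@!` form builds an ID_USER_FQDN whose `name.len` is 0 while `name.ptr` still points just past the `@!`, and the comment `ID protection - empty` does not say what that achieves; a zero-length name with a non-NULL pointer is an unusual shape that the comparison and printing code for IDs (outside this hunk) may not expect. Suggest spelling out the intent, e.g. `/* '@!': CheckPoint Hybrid mode - send an empty USER_FQDN ID so the real user name only travels inside the encrypted CPSC exchange (confirm against SecureClient) */`, and consider whether `name.ptr` should be NULL for consistency with whatever this file does for other empty names. The `*(src+1)` read is fine only if this branch is reached after `*src == '@'` has been established, which the hunk does not show; worth confirming.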
diff -urbw openswan-2.1.2.orig/programs/pluto/ipsec_doi.c
openswan-2.1.2/programs/pluto/ipsec_doi.c
--- openswan-2.1.2.orig/programs/pluto/ipsec_doi.c 2004-05-06 20:07:22.000000000
-0700
+++ openswan-2.1.2/programs/pluto/ipsec_doi.c 2004-05-23 22:19:35.171547160 -0700
@@ -3193,7 +3193,12 @@
struct state *const st = md->st;
pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
int auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
+#ifdef XAUTH
+ ? ISAKMP_NEXT_HASH : (st->st_oakley.xauth == HybridInitRSA
+ ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG);
+#else
? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
+#endif
pb_stream id_pbs; /* ID Payload; also used for hash calculation */
bool send_cert = FALSE;
bool send_cr = FALSE;
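Review bot: The choice of HASH versus SIG for the initiator's authentication payload now hinges on `st->st_oakley.xauth == HybridInitRSA`, but HybridInitRSA is an OAKLEY_AUTHENTICATION_METHOD value negotiated in the proposal (spdb.c hunk), so whether it ends up in `st_oakley.xauth` rather than `st_oakley.auth` depends on how the proposal parser stores it; that code is outside this patch and should be confirmed before relying on it. A comment is also needed here, because sending HASH_I under Hybrid proves nothing about the client's identity (the client is authenticated only by the later CPSC exchange) and a maintainer seeing HASH chosen for a non-PSK connection will otherwise assume a bug. The nested ternary under `#ifdef XAUTH` can be one expression; the enclosing function begins before this hunk.
```c
    /* PSK authenticates with HASH. So does Hybrid mode (HybridInitRSA): the
     * gateway signs, the initiator sends only HASH_I and is authenticated
     * afterwards by the XAUTH/CPSC exchange, not here. */
    int auth_payload = (st->st_oakley.auth == OAKLEY_PRESHARED_KEY
#ifdef XAUTH
			|| st->st_oakley.xauth == HybridInitRSA
#endif
			) ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
    /* … unchanged: id_pbs, send_cert, send_cr … */
```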
diff -urbw openswan-2.1.2.orig/programs/pluto/spdb.c
openswan-2.1.2/programs/pluto/spdb.c
--- openswan-2.1.2.orig/programs/pluto/spdb.c 2004-05-23 22:31:52.408470112 -0700
+++ openswan-2.1.2/programs/pluto/spdb.c 2004-05-23 22:32:12.884357304 -0700
@@ -228,6 +228,21 @@
{ OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};
+/* Checkpoint SecureClient proposal */
+static struct db_attr otrsasig1024des3md5CP_xauthc[] = {
+ { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
+ { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
+ { OAKLEY_AUTHENTICATION_METHOD, HybridInitRSA },
+ { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
+ };
+
+static struct db_attr otrsasig1024des3shaCP_xauthc[] = {
+ { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
+ { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
+ { OAKLEY_AUTHENTICATION_METHOD, HybridInitRSA },
+ { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
+ };
+
/* arrays of attributes for transforms, RSA signatures, with/Xauth */
/*
* xauth s is when the Responder will be the xauth client
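Review bot: The two new proposals are named `otrsasig1024des3*CP_xauthc` although their authentication method is HybridInitRSA rather than RSA signatures, and they pin 3DES with MD5 or SHA1 and MODP1024 without saying why; if those are simply what SecureClient/VPN-1 negotiates, the comment should say so and flag MD5 and MODP1024 as interoperability-only choices rather than something to copy into other proposals. Suggest replacing `/* Checkpoint SecureClient proposal */` with `/* CheckPoint SecureClient Hybrid-mode proposals: 3DES, MD5|SHA1, MODP1024 - what VPN-1/SecureClient negotiates, kept for interoperability only. Auth method is HybridInitRSA: the gateway signs, the client is authenticated by the CPSC exchange. */` and naming the arrays `othybrid1024des3md5CP_xauthc` / `othybrid1024des3shaCP_xauthc` so the name matches the method.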
@@ -316,6 +331,8 @@
{ KEY_IKE, AD(otrsasig1536des3sha_xauthc) },
{ KEY_IKE, AD(otrsasig1024des3sha_xauthc) },
{ KEY_IKE, AD(otrsasig1024des3md5_xauthc) },
+ { KEY_IKE, AD(otrsasig1024des3shaCP_xauthc) },
+ { KEY_IKE, AD(otrsasig1024des3md5CP_xauthc) },
};
static struct db_trans oakley_trans_rsasig_xauths[] = {
{ KEY_IKE, AD(otrsasig1536des3md5_xauths) },
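Review bot: The Hybrid proposals are appended to `oakley_trans_rsasig_xauthc`, which is the transform set offered by every RSA-signature connection acting as XAUTH client, not only by connections with `cpsc=yes`; combined with the ipsec_doi.c change that sends HASH instead of SIG whenever HybridInitRSA is selected, a responder can pick the Hybrid transform on a connection the administrator configured for mutual RSA authentication, and the client will stop signing and be authenticated by its XAUTH password alone rather than by its private key. The offer should be gated on POLICY_CPSC, e.g. a separate `oakley_trans_hybrid_xauthc[]` table selected only when the policy bit is set, with the `case HybridInitRSA:` acceptance in the following hunk conditioned the same way, so that `authby=rsasig` connections cannot be negotiated down to password-only client authentication.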
@@ -1299,6 +1316,7 @@
}
break;
#ifdef XAUTH
+ case HybridInitRSA:
case XAUTHInitRSA:
if(!xauth_init)
{
diff -urbw openswan-2.1.2.orig/programs/pluto/whack.c
openswan-2.1.2/programs/pluto/whack.c
--- openswan-2.1.2.orig/programs/pluto/whack.c 2004-03-20 21:23:34.000000000 -0800
+++ openswan-2.1.2/programs/pluto/whack.c 2004-05-23 22:19:35.173546856 -0700
@@ -102,6 +102,7 @@
" [--keyingtries <count>]"
" [--dontrekey]"
#ifdef XAUTH
+ " [--cpsc]"
" [--xauth]"
" [--xauthserver]"
" [--xauthclient]"
@@ -338,6 +339,7 @@
CD_UP, /* same order as POLICY_* */
CD_DUMMY, /* same order as POLICY_* */
CD_MODECFG, /* same order as POLICY_* */
+ CD_CPSC, /* same order as POLICY_* */
CD_TUNNELIPV4,
CD_TUNNELIPV6,
CD_CONNIPV4,
@@ -492,6 +494,7 @@
, CD_FAIL0 + (POLICY_FAIL_REJECT >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
{ "dontrekey", no_argument, NULL, CD_DONT_REKEY + OO },
#ifdef XAUTH
+ { "cpsc", no_argument, NULL, CD_CPSC + OO },
{ "xauth", no_argument, NULL, END_XAUTHSERVER + OO },
{ "xauthserver", no_argument, NULL, END_XAUTHSERVER + OO },
{ "xauthclient", no_argument, NULL, END_XAUTHCLIENT + OO },
@@ -1114,6 +1117,10 @@
continue;
#ifdef XAUTH
+ case CD_CPSC: /* --cpsc */
+ msg.policy |= POLICY_CPSC;
+ continue;
+
case END_XAUTHSERVER: /* --xauthserver */
msg.right.xauth_server = TRUE;
continue;
@@ -1122,6 +1129,7 @@
msg.right.xauth_client = TRUE;
continue;
#else
+ case CD_CPSC:
case END_XAUTHSERVER:
case END_XAUTHCLIENT:
diag("pluto is not built with XAUTH support");
diff -urbw openswan-2.1.2.orig/programs/pluto/xauth.c
openswan-2.1.2/programs/pluto/xauth.c
--- openswan-2.1.2.orig/programs/pluto/xauth.c 2004-05-11 09:35:30.000000000 -0700
+++ openswan-2.1.2/programs/pluto/xauth.c 2004-05-23 23:51:14.360543360 -0700
@@ -1260,12 +1260,18 @@
switch(attr_type)
{
case XAUTH_TYPE:
+ if (st->st_connection->policy & POLICY_CPSC)
+ attr.isaat_af_type = CPSC_TYPE | ISAKMP_ATTR_AF_TV;
+ else
attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
attr.isaat_lv = XAUTH_TYPE_GENERIC;
out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL);
break;
case XAUTH_USER_NAME:
+ if (st->st_connection->policy & POLICY_CPSC)
+ attr.isaat_af_type = CPSC_USER_NAME | ISAKMP_ATTR_AF_TLV;
+ else
attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
if(st->st_whack_sock == -1)
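Review bot: The two `if (policy & POLICY_CPSC) ... else ...` pairs here each set `attr.isaat_af_type` with an unbraced `else`, and the same shape is repeated for the password case and for the status reply later in the file, five copies in all; a one-line helper keeps the mapping in one place and removes the dangling-else layout. For example `static u_int16_t cpsc_attr(const struct state *st, u_int16_t xauth_type, u_int16_t cpsc_type) { return (st->st_connection->policy & POLICY_CPSC) ? cpsc_type : xauth_type; }` (use whatever type `isaat_af_type` really has) and then `attr.isaat_af_type = cpsc_attr(st, XAUTH_TYPE, CPSC_TYPE) | ISAKMP_ATTR_AF_TV;`. The enclosing function starts before this hunk.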
@@ -1288,6 +1294,9 @@
break;
case XAUTH_USER_PASSWORD:
+ if (st->st_connection->policy & POLICY_CPSC)
+ attr.isaat_af_type = CPSC_USER_PASSWORD | ISAKMP_ATTR_AF_TLV;
+ else
attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
if(st->st_whack_sock == -1)
@@ -1436,11 +1445,13 @@
switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
{
+ case CPSC_STATUS:
case XAUTH_STATUS:
got_status = TRUE;
status = attr.isaat_lv;
break;
+ case CPSC_MESSAGE:
case XAUTH_MESSAGE:
if(len > 80) len=80;
memcpy(msgbuf, dat, len);
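Review bot: The added `case CPSC_STATUS:` and `case CPSC_MESSAGE:` labels (and the CPSC_TYPE/USER_NAME/USER_PASSWORD ones in the later hunks of this same switch) are not conditional on POLICY_CPSC, so on an ordinary XAUTH connection a peer attribute numbered 13, 14, 15, 17 or 20 is now treated as a CheckPoint type/name/password/message/status request and, for 14 and 15, makes the client answer with its credentials; these numbers sit in the standard ISAKMP config-attribute range rather than the 165xx XAUTH range, so the collision is plausible rather than theoretical. Translating the attribute number once before the switch, only when the connection negotiated cpsc, closes that and also removes the label rewrites and the `goto` from the later hunk. The switch and its enclosing function begin before this hunk; `rtype` is a local I introduce for the normalised number.
```c
    /* CheckPoint numbers its Hybrid-mode attributes in the low (Mode-Config)
     * range. Map them onto the XAUTH numbers up front, and only on a
     * connection that asked for cpsc, so other peers cannot trigger the
     * name/password prompts with the same numbers. */
    u_int16_t rtype = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
    if (st->st_connection->policy & POLICY_CPSC)
    {
	switch (rtype)
	{
	case CPSC_TYPE:          rtype = XAUTH_TYPE;          break;
	case CPSC_USER_NAME:     rtype = XAUTH_USER_NAME;     break;
	case CPSC_USER_PASSWORD: rtype = XAUTH_USER_PASSWORD; break;
	case CPSC_MESSAGE:       rtype = XAUTH_MESSAGE;       break;
	case CPSC_STATUS:        rtype = XAUTH_STATUS;        break;
	default: break;
	}
	/* keep the TV/TLV bit; only the type number changes */
	attr.isaat_af_type = (attr.isaat_af_type & ~ISAKMP_ATTR_RTYPE_MASK) | rtype;
    }
    switch (rtype)
    {
    /* … unchanged: XAUTH_STATUS, XAUTH_MESSAGE, XAUTH_TYPE, USER_NAME/PASSWORD cases … */
```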
@@ -1448,6 +1459,9 @@
loglog(RC_LOG_SERIOUS, "XAUTH-Message: %s", msgbuf);
break;
+ case CPSC_TYPE:
+ attr.isaat_af_type = XAUTH_TYPE;
+
case XAUTH_TYPE:
type = val;
if(type != XAUTH_TYPE_GENERIC)
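Review bot: `case CPSC_TYPE:` assigns `attr.isaat_af_type` and then drops straight into `case XAUTH_TYPE:` with nothing marking the fall-through, and the `case CPSC_STATUS:` label in the later xauth_inI1 hunk does the same; put `/* FALLTHROUGH */` on the blank line between them so the intent is visible and -Wimplicit-fallthrough builds stay quiet. The assignment also discards the ISAKMP_ATTR_AF_TV bit, which the shared code below then feeds to `XAUTHLELEM(attr.isaat_af_type)`; that is fine only if XAUTHLELEM masks the type out itself (the original XAUTH_TYPE path passes the bit through, so it presumably does), and a short comment saying so would save the next reader the check.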
@@ -1458,6 +1472,12 @@
xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
break;
+ case CPSC_USER_NAME:
+ attr.isaat_af_type = XAUTH_USER_NAME;
+ goto cp_hybrid_common;
+ case CPSC_USER_PASSWORD:
+ attr.isaat_af_type = XAUTH_USER_PASSWORD;
+cp_hybrid_common:
case XAUTH_USER_NAME:
case XAUTH_USER_PASSWORD:
xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
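Review bot: The `goto cp_hybrid_common` jumps over the `case CPSC_USER_PASSWORD:` assignment to a label wedged between two case labels; it is legal C but it is the kind of control flow a reader will misparse, and it exists only because the two CheckPoint labels rename the attribute before the shared XAUTH_USER_NAME/XAUTH_USER_PASSWORD body. Doing that rename in one place before the switch and switching on the normalised number removes the `goto`, the label and the duplicated `attr.isaat_af_type = ...` lines, e.g. `if ((policy & POLICY_CPSC) && rtype == CPSC_USER_NAME) rtype = XAUTH_USER_NAME;` with the password case alongside it. As written the rename is also unconditional, so non-CPSC peers sending attribute 14 or 15 reach the credential-prompt code as well.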
@@ -1528,8 +1548,10 @@
}
/* reset the message ID, tentatively */
+ if (!(st->st_connection->policy & POLICY_CPSC)) {
st->st_msgid2 = st->st_msgid;
st->st_msgid = 0;
+ }
DBG(DBG_CONTROLMORE, DBG_log("xauth_inI0(STF_OK)"));
return STF_OK;
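Review bot: The CPSC branch now skips the `st_msgid2`/`st_msgid` reset, but the comment above still reads only "reset the message ID, tentatively", so the reader is left to guess why CheckPoint is different; presumably the three CPSC rounds continue under the same ISAKMP message ID until the status round, in which case say so: `/* CheckPoint runs all three CPSC rounds under one message ID; only plain XAUTH resets here */`. The new braces also put `{` on the `if` line and `}` alone on its own line, unlike the Allman layout of the surrounding code. The enclosing function begins before this hunk.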
@@ -1578,6 +1600,9 @@
attr_type = XAUTH_TYPE;
/* ISAKMP attr out */
+ if (st->st_connection->policy & POLICY_CPSC)
+ attr.isaat_af_type = CPSC_STATUS | ISAKMP_ATTR_AF_TV;
+ else
attr.isaat_af_type = XAUTH_STATUS | ISAKMP_ATTR_AF_TV;
attr.isaat_lv = 1;
out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
@@ -1658,6 +1683,9 @@
switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
{
+ case CPSC_STATUS:
+ attr.isaat_af_type = XAUTH_STATUS;
+
case XAUTH_STATUS:
xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
got_status = TRUE;
@@ -1679,6 +1707,9 @@
{
/* oops, something seriously wrong */
plog("did not get status attribute in xauth_inI1, looking for new challenge.");
+ if (st->st_connection->policy & POLICY_CPSC)
+ st->st_state = STATE_CPSC_I0;
+ else
st->st_state = STATE_XAUTH_I0;
return xauth_inI0(md);
}
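Review bot: When no status attribute arrives the code now resets to STATE_CPSC_I0 and re-runs xauth_inI0, i.e. it restarts the whole three-stage credential exchange from the username prompt, and nothing in this hunk bounds how many times a peer can do that; the same fallback already existed for plain XAUTH, but with CPSC every restart is another username and password round trip driven by the peer. If the retry limit lives outside this hunk a comment pointing at it would help, otherwise a restart counter in the state is cheap. The added `else` also leaves `st->st_state = STATE_XAUTH_I0;` unbraced; `if (st->st_connection->policy & POLICY_CPSC) { st->st_state = STATE_CPSC_I0; } else { st->st_state = STATE_XAUTH_I0; }` matches the surrounding style.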
A non-text attachment was scrubbed...
Name: openswan-cp-hybrid-new.patch
Type: application/octet-stream
Size: 13964 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20040525/c7df1ff2/openswan-cp-hybrid-new-0001.obj