04204cb0fa7a576bf5090d673ca0b47ff40a5200
[strongswan.git] / src / charon / sa / authenticators / eap_authenticator.c
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <string.h>
19
20 #include "eap_authenticator.h"
21
22 #include <daemon.h>
23 #include <config/peer_cfg.h>
24 #include <sa/authenticators/eap/eap_method.h>
25
26 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
27
28 /**
29 * Private data of an eap_authenticator_t object.
30 */
31 struct private_eap_authenticator_t {
32
33 /**
34 * Public authenticator_t interface.
35 */
36 eap_authenticator_t public;
37
38 /**
39 * Assigned IKE_SA
40 */
41 ike_sa_t *ike_sa;
42
43 /**
44 * Role of this authenticator, PEER or SERVER
45 */
46 eap_role_t role;
47
48 /**
49 * Current EAP method processing
50 */
51 eap_method_t *method;
52
53 /**
54 * MSK used to build and verify auth payload
55 */
56 chunk_t msk;
57
58 /**
59 * should we do a EAP-Identity exchange as server?
60 */
61 bool do_eap_identity;
62
63 /**
64 * saved EAP type if we do eap_identity
65 */
66 eap_type_t type;
67
68 /**
69 * saved vendor id if we do eap_identity
70 */
71 u_int32_t vendor;
72 };
73
74 /**
75 * reuse shared key signature function from PSK authenticator
76 */
77 extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
78 chunk_t secret, identification_t *id,
79 chunk_t skp, prf_t *prf);
80 /**
81 * Implementation of authenticator_t.verify.
82 */
83 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
84 chunk_t my_nonce, auth_payload_t *auth_payload)
85 {
86 chunk_t auth_data, recv_auth_data, secret;
87 identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
88
89 if (this->msk.len)
90 { /* use MSK if EAP method established one... */
91 secret = this->msk;
92 }
93 else
94 { /* ... or use SKp if not */
95 secret = this->ike_sa->get_skp_verify(this->ike_sa);
96 }
97 auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
98 other_id, this->ike_sa->get_skp_verify(this->ike_sa),
99 this->ike_sa->get_prf(this->ike_sa));
100
101 recv_auth_data = auth_payload->get_data(auth_payload);
102 if (!chunk_equals(auth_data, recv_auth_data))
103 {
104 DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
105 chunk_free(&auth_data);
106 return FAILED;
107 }
108 chunk_free(&auth_data);
109
110 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
111 other_id, auth_class_names, AUTH_CLASS_EAP);
112 return SUCCESS;
113 }
114
115 /**
116 * Implementation of authenticator_t.build.
117 */
118 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
119 chunk_t other_nonce, auth_payload_t **auth_payload)
120 {
121 chunk_t auth_data, secret;
122 identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
123
124 DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
125 my_id, auth_class_names, AUTH_CLASS_EAP);
126
127 if (this->msk.len)
128 { /* use MSK if EAP method established one... */
129 secret = this->msk;
130 }
131 else
132 { /* ... or use SKp if not */
133 secret = this->ike_sa->get_skp_build(this->ike_sa);
134 }
135 auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
136 my_id, this->ike_sa->get_skp_build(this->ike_sa),
137 this->ike_sa->get_prf(this->ike_sa));
138
139 *auth_payload = auth_payload_create();
140 (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
141 (*auth_payload)->set_data(*auth_payload, auth_data);
142 chunk_free(&auth_data);
143
144 return SUCCESS;
145 }
146
147 /**
148 * get the peers identity to use in the EAP method
149 */
150 static identification_t *get_peer_id(private_eap_authenticator_t *this)
151 {
152 identification_t *id;
153 peer_cfg_t *config;
154 auth_info_t *auth;
155
156 id = this->ike_sa->get_eap_identity(this->ike_sa);
157 if (!id)
158 {
159 config = this->ike_sa->get_peer_cfg(this->ike_sa);
160 auth = config->get_auth(config);
161 if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
162 {
163 if (this->role == EAP_PEER)
164 {
165 id = this->ike_sa->get_my_id(this->ike_sa);
166 }
167 else
168 {
169 id = this->ike_sa->get_other_id(this->ike_sa);
170 }
171 }
172 }
173 if (id->get_type(id) == ID_EAP)
174 {
175 return id->clone(id);
176 }
177 return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
178 }
179
180 /**
181 * get the servers identity to use in the EAP method
182 */
183 static identification_t *get_server_id(private_eap_authenticator_t *this)
184 {
185 identification_t *id;
186
187 if (this->role == EAP_SERVER)
188 {
189 id = this->ike_sa->get_my_id(this->ike_sa);
190 }
191 else
192 {
193 id = this->ike_sa->get_other_id(this->ike_sa);
194 }
195 if (id->get_type(id) == ID_EAP)
196 {
197 return id->clone(id);
198 }
199 return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
200 }
201
202 /**
203 * load an EAP method using the correct identities
204 */
205 static eap_method_t *load_method(private_eap_authenticator_t *this,
206 eap_type_t type, u_int32_t vendor, eap_role_t role)
207 {
208 identification_t *server, *peer;
209 eap_method_t *method;
210
211 server = get_server_id(this);
212 peer = get_peer_id(this);
213 method = charon->eap->create_instance(charon->eap, type, vendor, role,
214 server, peer);
215 server->destroy(server);
216 peer->destroy(peer);
217 return method;
218 }
219
220 /**
221 * Implementation of eap_authenticator_t.initiate
222 */
223 static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
224 u_int32_t vendor, eap_payload_t **out)
225 {
226 /* if initiate() is called, role is always server */
227 this->role = EAP_SERVER;
228
229 if (this->do_eap_identity)
230 { /* do an EAP-Identity request first */
231 this->type = type;
232 this->vendor = vendor;
233 vendor = 0;
234 type = EAP_IDENTITY;
235 }
236
237 if (type == 0)
238 {
239 DBG1(DBG_IKE,
240 "client requested EAP authentication, but configuration forbids it");
241 *out = eap_payload_create_code(EAP_FAILURE, 0);
242 return FAILED;
243 }
244
245 if (vendor)
246 {
247 DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
248 type, vendor);
249 }
250 else
251 {
252 DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
253 }
254 this->method = load_method(this, type, vendor, this->role);
255 if (this->method == NULL)
256 {
257 if (vendor == 0 && type == EAP_IDENTITY)
258 {
259 DBG1(DBG_IKE, "skipping %N, no implementation found",
260 eap_type_names, type);
261 this->do_eap_identity = FALSE;
262 return initiate(this, this->type, this->vendor, out);
263 }
264 DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
265 eap_code_names, EAP_FAILURE);
266 *out = eap_payload_create_code(EAP_FAILURE, 0);
267 return FAILED;
268 }
269 if (this->method->initiate(this->method, out) != NEED_MORE)
270 {
271 DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
272 eap_type_names, type, eap_code_names, EAP_FAILURE);
273 *out = eap_payload_create_code(EAP_FAILURE, 0);
274 return FAILED;
275 }
276 return NEED_MORE;
277 }
278
279 /**
280 * Processing method for a peer
281 */
282 static status_t process_peer(private_eap_authenticator_t *this,
283 eap_payload_t *in, eap_payload_t **out)
284 {
285 eap_type_t type;
286 u_int32_t vendor;
287
288 type = in->get_type(in, &vendor);
289
290 if (!vendor && type == EAP_IDENTITY)
291 {
292 eap_method_t *method;
293
294 method = load_method(this, type, 0, EAP_PEER);
295 if (method == NULL || method->process(method, in, out) != SUCCESS)
296 {
297 DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
298 eap_type_names, type);
299 DESTROY_IF(method);
300 return FAILED;
301 }
302 DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);
303 method->destroy(method);
304 return NEED_MORE;
305 }
306
307 /* create an eap_method for the first call */
308 if (this->method == NULL)
309 {
310 if (vendor)
311 {
312 DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
313 type, vendor);
314 }
315 else
316 {
317 DBG1(DBG_IKE, "EAP server requested %N authentication",
318 eap_type_names, type);
319 }
320 this->method = load_method(this, type, vendor, EAP_PEER);
321 if (this->method == NULL)
322 {
323 DBG1(DBG_IKE, "EAP server requested unsupported "
324 "EAP method, sending EAP_NAK");
325 *out = eap_payload_create_nak(in->get_identifier(in));
326 return NEED_MORE;
327 }
328 }
329
330 type = this->method->get_type(this->method, &vendor);
331
332 switch (this->method->process(this->method, in, out))
333 {
334 case NEED_MORE:
335 return NEED_MORE;
336 case SUCCESS:
337 if (vendor)
338 {
339 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
340 type, vendor);
341 }
342 else
343 {
344 DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
345 }
346 return SUCCESS;
347 case FAILED:
348 default:
349 if (vendor)
350 {
351 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
352 type, vendor);
353 }
354 else
355 {
356 DBG1(DBG_IKE, "EAP method %N failed",
357 eap_type_names, type);
358 }
359 return FAILED;
360 }
361 }
362
363 /**
364 * handle an EAP-Identity response on the server
365 */
366 static status_t process_eap_identity(private_eap_authenticator_t *this,
367 eap_payload_t **out)
368 {
369 chunk_t data;
370 identification_t *id;
371
372 if (this->method->get_msk(this->method, &data) == SUCCESS)
373 {
374 id = identification_create_from_encoding(ID_EAP, data);
375 DBG1(DBG_IKE, "using EAP identity '%D'", id);
376 this->ike_sa->set_eap_identity(this->ike_sa, id);
377 }
378 /* restart EAP exchange, but with real method */
379 this->method->destroy(this->method);
380 this->do_eap_identity = FALSE;
381 return initiate(this, this->type, this->vendor, out);
382 }
383
384 /**
385 * Processing method for a server
386 */
387 static status_t process_server(private_eap_authenticator_t *this,
388 eap_payload_t *in, eap_payload_t **out)
389 {
390 eap_type_t type;
391 u_int32_t vendor;
392
393 type = this->method->get_type(this->method, &vendor);
394
395 switch (this->method->process(this->method, in, out))
396 {
397 case NEED_MORE:
398 return NEED_MORE;
399 case SUCCESS:
400 if (this->do_eap_identity)
401 {
402 return process_eap_identity(this, out);
403 }
404 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
405 {
406 this->msk = chunk_clone(this->msk);
407 }
408 if (vendor)
409 {
410 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
411 "%sMSK established", type, vendor,
412 this->msk.ptr ? "" : "no ");
413 }
414 else
415 {
416 DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
417 eap_type_names, type, this->msk.ptr ? "" : "no ");
418 }
419 *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
420 return SUCCESS;
421 case FAILED:
422 default:
423 if (vendor)
424 {
425 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
426 "peer %D", type, vendor,
427 this->ike_sa->get_other_id(this->ike_sa));
428 }
429 else
430 {
431 DBG1(DBG_IKE, "EAP method %N failed for peer %D",
432 eap_type_names, type,
433 this->ike_sa->get_other_id(this->ike_sa));
434 }
435 *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
436 return FAILED;
437 }
438 }
439
440 /**
441 * Implementation of eap_authenticator_t.process
442 */
443 static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
444 eap_payload_t **out)
445 {
446 eap_code_t code = in->get_code(in);
447
448 switch (this->role)
449 {
450 case EAP_SERVER:
451 {
452 switch (code)
453 {
454 case EAP_RESPONSE:
455 {
456 return process_server(this, in, out);
457 }
458 default:
459 {
460 DBG1(DBG_IKE, "received %N, sending %N",
461 eap_code_names, code, eap_code_names, EAP_FAILURE);
462 *out = eap_payload_create_code(EAP_FAILURE,
463 in->get_identifier(in));
464 return FAILED;
465 }
466 }
467 }
468 case EAP_PEER:
469 {
470 switch (code)
471 {
472 case EAP_REQUEST:
473 {
474 return process_peer(this, in, out);
475 }
476 case EAP_SUCCESS:
477 {
478 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
479 {
480 this->msk = chunk_clone(this->msk);
481 }
482 return SUCCESS;
483 }
484 case EAP_FAILURE:
485 default:
486 {
487 DBG1(DBG_IKE, "received %N, EAP authentication failed",
488 eap_code_names, code);
489 return FAILED;
490 }
491 }
492 }
493 default:
494 {
495 return FAILED;
496 }
497 }
498 }
499
500 /**
501 * Implementation of authenticator_t.is_mutual.
502 */
503 static bool is_mutual(private_eap_authenticator_t *this)
504 {
505 if (this->method)
506 {
507 return this->method->is_mutual(this->method);
508 }
509 return FALSE;
510 }
511
512 /**
513 * Implementation of authenticator_t.destroy.
514 */
515 static void destroy(private_eap_authenticator_t *this)
516 {
517 DESTROY_IF(this->method);
518 chunk_free(&this->msk);
519 free(this);
520 }
521
522 /*
523 * Described in header.
524 */
525 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
526 {
527 peer_cfg_t *config;
528 auth_info_t *auth;
529 identification_t *id;
530 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
531
532 /* public functions */
533 this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
534 this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
535 this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
536
537 this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
538 this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
539 this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
540
541 /* private data */
542 this->ike_sa = ike_sa;
543 this->role = EAP_PEER;
544 this->method = NULL;
545 this->msk = chunk_empty;
546 this->do_eap_identity = FALSE;
547 this->type = 0;
548 this->vendor = 0;
549
550 config = ike_sa->get_peer_cfg(ike_sa);
551 if (config)
552 {
553 auth = config->get_auth(config);
554 if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
555 {
556 if (id->get_type(id) == ID_ANY)
557 { /* %any as configured EAP identity runs EAP-Identity first */
558 this->do_eap_identity = TRUE;
559 }
560 else
561 {
562 ike_sa->set_eap_identity(ike_sa, id->clone(id));
563 }
564 }
565 }
566 return &this->public;
567 }