195853626b94422077c4cecb233572e82c398120
[strongswan.git] / src / charon / sa / authenticators / eap_authenticator.c
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <string.h>
19
20 #include "eap_authenticator.h"
21
22 #include <daemon.h>
23 #include <config/peer_cfg.h>
24 #include <sa/authenticators/eap/eap_method.h>
25
26 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
27
28 /**
29 * Private data of an eap_authenticator_t object.
30 */
31 struct private_eap_authenticator_t {
32
33 /**
34 * Public authenticator_t interface.
35 */
36 eap_authenticator_t public;
37
38 /**
39 * Assigned IKE_SA
40 */
41 ike_sa_t *ike_sa;
42
43 /**
44 * Role of this authenticator, PEER or SERVER
45 */
46 eap_role_t role;
47
48 /**
49 * Current EAP method processing
50 */
51 eap_method_t *method;
52
53 /**
54 * MSK used to build and verify auth payload
55 */
56 chunk_t msk;
57 };
58
59 /**
60 * reuse shared key signature function from PSK authenticator
61 */
62 extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
63 chunk_t secret, identification_t *id,
64 chunk_t skp, prf_t *prf);
65 /**
66 * Implementation of authenticator_t.verify.
67 */
68 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
69 chunk_t my_nonce, auth_payload_t *auth_payload)
70 {
71 chunk_t auth_data, recv_auth_data, secret;
72 identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
73
74 if (this->msk.len)
75 { /* use MSK if EAP method established one... */
76 secret = this->msk;
77 }
78 else
79 { /* ... or use SKp if not */
80 secret = this->ike_sa->get_skp_verify(this->ike_sa);
81 }
82 auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
83 other_id, this->ike_sa->get_skp_verify(this->ike_sa),
84 this->ike_sa->get_prf(this->ike_sa));
85
86 recv_auth_data = auth_payload->get_data(auth_payload);
87 if (!chunk_equals(auth_data, recv_auth_data))
88 {
89 DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
90 chunk_free(&auth_data);
91 return FAILED;
92 }
93 chunk_free(&auth_data);
94
95 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
96 other_id, auth_method_names, AUTH_EAP);
97 return SUCCESS;
98 }
99
100 /**
101 * Implementation of authenticator_t.build.
102 */
103 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
104 chunk_t other_nonce, auth_payload_t **auth_payload)
105 {
106 chunk_t auth_data, secret;
107 identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
108
109 DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
110 my_id, auth_method_names, AUTH_EAP);
111
112 if (this->msk.len)
113 { /* use MSK if EAP method established one... */
114 secret = this->msk;
115 }
116 else
117 { /* ... or use SKp if not */
118 secret = this->ike_sa->get_skp_build(this->ike_sa);
119 }
120 auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
121 my_id, this->ike_sa->get_skp_build(this->ike_sa),
122 this->ike_sa->get_prf(this->ike_sa));
123
124 *auth_payload = auth_payload_create();
125 (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
126 (*auth_payload)->set_data(*auth_payload, auth_data);
127 chunk_free(&auth_data);
128
129 return SUCCESS;
130 }
131
132 /**
133 * Implementation of eap_authenticator_t.initiate
134 */
135 static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
136 u_int32_t vendor, eap_payload_t **out)
137 {
138 /* if initiate() is called, role is always server */
139 this->role = EAP_SERVER;
140
141 if (type == 0)
142 {
143 DBG1(DBG_IKE,
144 "client requested EAP authentication, but configuration forbids it");
145 *out = eap_payload_create_code(EAP_FAILURE, 0);
146 return FAILED;
147 }
148
149 if (vendor)
150 {
151 DBG1(DBG_IKE, "requesting vendor specific EAP authentication %d-%d",
152 type, vendor);
153 }
154 else
155 {
156 DBG1(DBG_IKE, "requesting %N authentication", eap_type_names, type);
157 }
158 this->method = charon->eap->create_instance(charon->eap, type, vendor,
159 this->role, this->ike_sa->get_my_id(this->ike_sa),
160 this->ike_sa->get_other_id(this->ike_sa));
161
162 if (this->method == NULL)
163 {
164
165 DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
166 eap_code_names, EAP_FAILURE);
167 *out = eap_payload_create_code(EAP_FAILURE, 0);
168 return FAILED;
169 }
170 if (this->method->initiate(this->method, out) != NEED_MORE)
171 {
172 DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
173 eap_type_names, type, eap_code_names, EAP_FAILURE);
174 *out = eap_payload_create_code(EAP_FAILURE, 0);
175 return FAILED;
176 }
177 return NEED_MORE;
178 }
179
180 /**
181 * Processing method for a peer
182 */
183 static status_t process_peer(private_eap_authenticator_t *this,
184 eap_payload_t *in, eap_payload_t **out)
185 {
186 eap_type_t type;
187 u_int32_t vendor;
188
189 type = in->get_type(in, &vendor);
190
191 if (!vendor && type == EAP_IDENTITY)
192 {
193 eap_method_t *method;
194
195 method = charon->eap->create_instance(charon->eap, type, 0, EAP_PEER,
196 this->ike_sa->get_other_id(this->ike_sa),
197 this->ike_sa->get_my_id(this->ike_sa));
198
199 if (method == NULL || method->process(method, in, out) != SUCCESS)
200 {
201 DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
202 eap_type_names, type);
203 DESTROY_IF(method);
204 return FAILED;
205 }
206
207 DBG1(DBG_IKE, "EAP server requested %N, sending IKE identity",
208 eap_type_names, type);
209
210 method->destroy(method);
211 return NEED_MORE;
212 }
213
214 /* create an eap_method for the first call */
215 if (this->method == NULL)
216 {
217 if (vendor)
218 {
219 DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
220 type, vendor);
221 }
222 else
223 {
224 DBG1(DBG_IKE, "EAP server requested %N authentication",
225 eap_type_names, type);
226 }
227 this->method = charon->eap->create_instance(charon->eap,
228 type, vendor, EAP_PEER,
229 this->ike_sa->get_other_id(this->ike_sa),
230 this->ike_sa->get_my_id(this->ike_sa));
231 if (this->method == NULL)
232 {
233 DBG1(DBG_IKE, "EAP server requested unsupported "
234 "EAP method, sending EAP_NAK");
235 *out = eap_payload_create_nak(in->get_identifier(in));
236 return NEED_MORE;
237 }
238 }
239
240 type = this->method->get_type(this->method, &vendor);
241
242 switch (this->method->process(this->method, in, out))
243 {
244 case NEED_MORE:
245 return NEED_MORE;
246 case SUCCESS:
247 if (vendor)
248 {
249 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
250 type, vendor);
251 }
252 else
253 {
254 DBG1(DBG_IKE, "EAP method %N succeded", eap_type_names, type);
255 }
256 return SUCCESS;
257 case FAILED:
258 default:
259 if (vendor)
260 {
261 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
262 type, vendor);
263 }
264 else
265 {
266 DBG1(DBG_IKE, "EAP method %N failed",
267 eap_type_names, type);
268 }
269 return FAILED;
270 }
271 }
272
273 /**
274 * Processing method for a server
275 */
276 static status_t process_server(private_eap_authenticator_t *this,
277 eap_payload_t *in, eap_payload_t **out)
278 {
279 eap_type_t type;
280 u_int32_t vendor;
281
282 type = this->method->get_type(this->method, &vendor);
283
284 switch (this->method->process(this->method, in, out))
285 {
286 case NEED_MORE:
287 return NEED_MORE;
288 case SUCCESS:
289 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
290 {
291 this->msk = chunk_clone(this->msk);
292 }
293 if (vendor)
294 {
295 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
296 "%sMSK established", type, vendor,
297 this->msk.ptr ? "" : "no ");
298 }
299 else
300 {
301 DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
302 eap_type_names, type, this->msk.ptr ? "" : "no ");
303 }
304 *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
305 return SUCCESS;
306 case FAILED:
307 default:
308 if (vendor)
309 {
310 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
311 "peer %D", type, vendor,
312 this->ike_sa->get_other_id(this->ike_sa));
313 }
314 else
315 {
316 DBG1(DBG_IKE, "EAP method %N failed for peer %D",
317 eap_type_names, type,
318 this->ike_sa->get_other_id(this->ike_sa));
319 }
320 *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
321 return FAILED;
322 }
323 }
324
325 /**
326 * Implementation of eap_authenticator_t.process
327 */
328 static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
329 eap_payload_t **out)
330 {
331 eap_code_t code = in->get_code(in);
332
333 switch (this->role)
334 {
335 case EAP_SERVER:
336 {
337 switch (code)
338 {
339 case EAP_RESPONSE:
340 {
341 return process_server(this, in, out);
342 }
343 default:
344 {
345 DBG1(DBG_IKE, "received %N, sending %N",
346 eap_code_names, code, eap_code_names, EAP_FAILURE);
347 *out = eap_payload_create_code(EAP_FAILURE,
348 in->get_identifier(in));
349 return FAILED;
350 }
351 }
352 }
353 case EAP_PEER:
354 {
355 switch (code)
356 {
357 case EAP_REQUEST:
358 {
359 return process_peer(this, in, out);
360 }
361 case EAP_SUCCESS:
362 {
363 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
364 {
365 this->msk = chunk_clone(this->msk);
366 }
367 return SUCCESS;
368 }
369 case EAP_FAILURE:
370 default:
371 {
372 DBG1(DBG_IKE, "received %N, EAP authentication failed",
373 eap_code_names, code);
374 return FAILED;
375 }
376 }
377 }
378 default:
379 {
380 return FAILED;
381 }
382 }
383 }
384
385 /**
386 * Implementation of authenticator_t.is_mutual.
387 */
388 static bool is_mutual(private_eap_authenticator_t *this)
389 {
390 if (this->method)
391 {
392 return this->method->is_mutual(this->method);
393 }
394 return FALSE;
395 }
396
397 /**
398 * Implementation of authenticator_t.destroy.
399 */
400 static void destroy(private_eap_authenticator_t *this)
401 {
402 DESTROY_IF(this->method);
403 chunk_free(&this->msk);
404 free(this);
405 }
406
407 /*
408 * Described in header.
409 */
410 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
411 {
412 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
413
414 /* public functions */
415 this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
416 this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
417 this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
418
419 this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
420 this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
421 this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
422
423 /* private data */
424 this->ike_sa = ike_sa;
425 this->role = EAP_PEER;
426 this->method = NULL;
427 this->msk = chunk_empty;
428
429 return &this->public;
430 }