added generic EAP_IDENTITY client implementation using peers IKEv2 ID
[strongswan.git] / src / charon / sa / authenticators / eap_authenticator.c
1 /**
2 * @file eap_authenticator.c
3 *
4 * @brief Implementation of eap_authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <string.h>
24
25 #include "eap_authenticator.h"
26
27 #include <daemon.h>
28 #include <config/policies/policy.h>
29 #include <sa/authenticators/eap/eap_method.h>
30
31 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
32
33 /**
34 * Private data of an eap_authenticator_t object.
35 */
36 struct private_eap_authenticator_t {
37
38 /**
39 * Public authenticator_t interface.
40 */
41 eap_authenticator_t public;
42
43 /**
44 * Assigned IKE_SA
45 */
46 ike_sa_t *ike_sa;
47
48 /**
49 * Role of this authenticator, PEER or SERVER
50 */
51 eap_role_t role;
52
53 /**
54 * Current EAP method processing
55 */
56 eap_method_t *method;
57
58 /**
59 * MSK used to build and verify auth payload
60 */
61 chunk_t msk;
62 };
63
64 extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
65 chunk_t secret, identification_t *id,
66 prf_t *prf);
67
68 /**
69 * Implementation of authenticator_t.verify.
70 */
71 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
72 chunk_t my_nonce, auth_payload_t *auth_payload)
73 {
74 chunk_t auth_data, recv_auth_data;
75 identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
76 prf_t *prf = this->ike_sa->get_auth_verify(this->ike_sa);
77
78 auth_data = build_shared_key_signature(ike_sa_init, my_nonce, this->msk,
79 other_id, prf);
80
81 recv_auth_data = auth_payload->get_data(auth_payload);
82 if (!chunk_equals(auth_data, recv_auth_data))
83 {
84 DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
85 chunk_free(&auth_data);
86 return FAILED;
87 }
88 chunk_free(&auth_data);
89
90 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
91 other_id, auth_method_names, AUTH_EAP);
92 return SUCCESS;
93 }
94
95 /**
96 * Implementation of authenticator_t.build.
97 */
98 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
99 chunk_t other_nonce, auth_payload_t **auth_payload)
100 {
101 chunk_t auth_data;
102 identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
103 prf_t *prf = this->ike_sa->get_auth_build(this->ike_sa);
104
105 DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
106 my_id, auth_method_names, AUTH_EAP);
107
108 auth_data = build_shared_key_signature(ike_sa_init, other_nonce,
109 this->msk, my_id, prf);
110
111 *auth_payload = auth_payload_create();
112 (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
113 (*auth_payload)->set_data(*auth_payload, auth_data);
114 chunk_free(&auth_data);
115
116 return SUCCESS;
117 }
118
119 /**
120 * Implementation of eap_authenticator_t.initiate
121 */
122 static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
123 eap_payload_t **out)
124 {
125 /* if initiate() is called, role is always server */
126 this->role = EAP_SERVER;
127
128 if (type == 0)
129 {
130 DBG1(DBG_IKE,
131 "client requested EAP authentication, but configuration forbids it");
132 *out = eap_payload_create_code(EAP_FAILURE);
133 return FAILED;
134 }
135
136 DBG1(DBG_IKE, "requesting %N authentication", eap_type_names, type);
137 this->method = eap_method_create(type, this->role,
138 this->ike_sa->get_my_id(this->ike_sa),
139 this->ike_sa->get_other_id(this->ike_sa));
140
141 if (this->method == NULL)
142 {
143 DBG1(DBG_IKE, "configured EAP server method %N not supported, sending %N",
144 eap_type_names, type, eap_code_names, EAP_FAILURE);
145 *out = eap_payload_create_code(EAP_FAILURE);
146 return FAILED;
147 }
148 if (this->method->initiate(this->method, out) != NEED_MORE)
149 {
150 DBG1(DBG_IKE, "failed to initiate %N, sending %N",
151 eap_type_names, type, eap_code_names, EAP_FAILURE);
152 *out = eap_payload_create_code(EAP_FAILURE);
153 return FAILED;
154 }
155 return NEED_MORE;
156 }
157
158 /**
159 * Processing method for a peer
160 */
161 static status_t process_peer(private_eap_authenticator_t *this,
162 eap_payload_t *in, eap_payload_t **out)
163 {
164 eap_type_t type = in->get_type(in);
165
166 if (type == EAP_IDENTITY)
167 {
168 eap_method_t *method = eap_method_create(type, EAP_PEER,
169 this->ike_sa->get_other_id(this->ike_sa),
170 this->ike_sa->get_my_id(this->ike_sa));
171
172 if (method == NULL || method->process(method, in, out) != SUCCESS)
173 {
174 DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
175 eap_type_names, type);
176 DESTROY_IF(method);
177 return FAILED;
178 }
179
180 DBG1(DBG_IKE, "EAP server requested %N, sending IKE identity",
181 eap_type_names, type);
182
183 method->destroy(method);
184 return NEED_MORE;
185 }
186
187 /* create an eap_method for the first call */
188 if (this->method == NULL)
189 {
190 DBG1(DBG_IKE, "EAP server requested %N authentication",
191 eap_type_names, type);
192 this->method = eap_method_create(type, EAP_PEER,
193 this->ike_sa->get_other_id(this->ike_sa),
194 this->ike_sa->get_my_id(this->ike_sa));
195 if (this->method == NULL)
196 {
197 DBG1(DBG_IKE, "EAP server requested unsupported "
198 "EAP method %N, sending EAP_NAK", eap_type_names, type);
199 *out = eap_payload_create_nak();
200 return NEED_MORE;
201 }
202 }
203
204 switch (this->method->process(this->method, in, out))
205 {
206 case NEED_MORE:
207 return NEED_MORE;
208 case SUCCESS:
209 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
210 {
211 DBG1(DBG_IKE, "EAP method %N succeded, MSK established",
212 eap_type_names, this->method->get_type(this->method));
213 this->msk = chunk_clone(this->msk);
214 return SUCCESS;
215 }
216 DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established",
217 eap_type_names, this->method->get_type(this->method));
218 return FAILED;
219 case FAILED:
220 default:
221 DBG1(DBG_IKE, "EAP method %N failed",
222 eap_type_names, this->method->get_type(this->method));
223 return FAILED;
224 }
225 }
226
227 /**
228 * Processing method for a server
229 */
230 static status_t process_server(private_eap_authenticator_t *this,
231 eap_payload_t *in, eap_payload_t **out)
232 {
233 switch (this->method->process(this->method, in, out))
234 {
235 case NEED_MORE:
236 return NEED_MORE;
237 case SUCCESS:
238 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
239 {
240 DBG1(DBG_IKE, "EAP method %N succeded, MSK established",
241 eap_type_names, this->method->get_type(this->method));
242 this->msk = chunk_clone(this->msk);
243 *out = eap_payload_create_code(EAP_SUCCESS);
244 return SUCCESS;
245 }
246 DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established",
247 eap_type_names, this->method->get_type(this->method));
248 *out = eap_payload_create_code(EAP_FAILURE);
249 return FAILED;
250 case FAILED:
251 default:
252 DBG1(DBG_IKE, "EAP method %N failed for peer %D",
253 eap_type_names, this->method->get_type(this->method),
254 this->ike_sa->get_other_id(this->ike_sa));
255 *out = eap_payload_create_code(EAP_FAILURE);
256 return FAILED;
257 }
258 }
259
260 /**
261 * Implementation of eap_authenticator_t.process
262 */
263 static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
264 eap_payload_t **out)
265 {
266 eap_code_t code = in->get_code(in);
267
268 switch (this->role)
269 {
270 case EAP_SERVER:
271 {
272 switch (code)
273 {
274 case EAP_RESPONSE:
275 {
276 return process_server(this, in, out);
277 }
278 default:
279 {
280 DBG1(DBG_IKE, "received %N, sending %N",
281 eap_code_names, code, eap_code_names, EAP_FAILURE);
282 *out = eap_payload_create_code(EAP_FAILURE);
283 return FAILED;
284 }
285 }
286 }
287 case EAP_PEER:
288 {
289 switch (code)
290 {
291 case EAP_REQUEST:
292 {
293 return process_peer(this, in, out);
294 }
295 case EAP_SUCCESS:
296 {
297 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
298 {
299 DBG1(DBG_IKE, "EAP method %N succeded, MSK established",
300 eap_type_names, this->method->get_type(this->method));
301 this->msk = chunk_clone(this->msk);
302 return SUCCESS;
303 }
304 DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established",
305 eap_type_names, this->method->get_type(this->method));
306 return FAILED;
307 }
308 case EAP_FAILURE:
309 default:
310 {
311 DBG1(DBG_IKE, "received %N, EAP authentication failed",
312 eap_code_names, code);
313 return FAILED;
314 }
315 }
316 }
317 default:
318 {
319 return FAILED;
320 }
321 }
322 }
323
324 /**
325 * Implementation of authenticator_t.is_mutual.
326 */
327 static bool is_mutual(private_eap_authenticator_t *this)
328 {
329 if (this->method)
330 {
331 return this->method->is_mutual(this->method);
332 }
333 return FALSE;
334 }
335
336 /**
337 * Implementation of authenticator_t.destroy.
338 */
339 static void destroy(private_eap_authenticator_t *this)
340 {
341 DESTROY_IF(this->method);
342 chunk_free(&this->msk);
343 free(this);
344 }
345
346 /*
347 * Described in header.
348 */
349 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
350 {
351 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
352
353 /* public functions */
354 this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
355 this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
356 this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
357
358 this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
359 this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,eap_payload_t**))initiate;
360 this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
361
362 /* private data */
363 this->ike_sa = ike_sa;
364 this->role = EAP_PEER;
365 this->method = NULL;
366 this->msk = chunk_empty;
367
368 return &this->public;
369 }