reintegrated eap-radius branch into trunk
[strongswan.git] / src / charon / sa / authenticators / eap_authenticator.c
1 /*
2 * Copyright (C) 2006-2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <string.h>
19
20 #include "eap_authenticator.h"
21
22 #include <daemon.h>
23 #include <config/peer_cfg.h>
24 #include <sa/authenticators/eap/eap_method.h>
25
26 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
27
28 /**
29 * Private data of an eap_authenticator_t object.
30 */
31 struct private_eap_authenticator_t {
32
33 /**
34 * Public authenticator_t interface.
35 */
36 eap_authenticator_t public;
37
38 /**
39 * Assigned IKE_SA
40 */
41 ike_sa_t *ike_sa;
42
43 /**
44 * Role of this authenticator, PEER or SERVER
45 */
46 eap_role_t role;
47
48 /**
49 * Current EAP method processing
50 */
51 eap_method_t *method;
52
53 /**
54 * MSK used to build and verify auth payload
55 */
56 chunk_t msk;
57
58 /**
59 * should we do a EAP-Identity exchange as server?
60 */
61 bool do_eap_identity;
62
63 /**
64 * saved EAP type if we do eap_identity
65 */
66 eap_type_t type;
67
68 /**
69 * saved vendor id if we do eap_identity
70 */
71 u_int32_t vendor;
72 };
73 /**
74 * Implementation of authenticator_t.verify.
75 */
76 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
77 chunk_t my_nonce, auth_payload_t *auth_payload)
78 {
79 chunk_t auth_data, recv_auth_data;
80 identification_t *other_id;
81 keymat_t *keymat;
82
83 other_id = this->ike_sa->get_other_id(this->ike_sa);
84 keymat = this->ike_sa->get_keymat(this->ike_sa);
85
86 auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
87 this->msk, other_id);
88
89 recv_auth_data = auth_payload->get_data(auth_payload);
90 if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
91 {
92 DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
93 chunk_free(&auth_data);
94 return FAILED;
95 }
96 chunk_free(&auth_data);
97
98 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
99 other_id, auth_class_names, AUTH_CLASS_EAP);
100 return SUCCESS;
101 }
102
103 /**
104 * Implementation of authenticator_t.build.
105 */
106 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
107 chunk_t other_nonce, auth_payload_t **auth_payload)
108 {
109 identification_t *my_id;
110 chunk_t auth_data;
111 keymat_t *keymat;
112
113 my_id = this->ike_sa->get_my_id(this->ike_sa);
114 keymat = this->ike_sa->get_keymat(this->ike_sa);
115
116 DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
117 my_id, auth_class_names, AUTH_CLASS_EAP);
118
119 auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
120 this->msk, my_id);
121
122 *auth_payload = auth_payload_create();
123 (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
124 (*auth_payload)->set_data(*auth_payload, auth_data);
125 chunk_free(&auth_data);
126
127 return SUCCESS;
128 }
129
130 /**
131 * get the peers identity to use in the EAP method
132 */
133 static identification_t *get_peer_id(private_eap_authenticator_t *this)
134 {
135 identification_t *id;
136 peer_cfg_t *config;
137 auth_info_t *auth;
138
139 id = this->ike_sa->get_eap_identity(this->ike_sa);
140 if (!id)
141 {
142 config = this->ike_sa->get_peer_cfg(this->ike_sa);
143 auth = config->get_auth(config);
144 if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) ||
145 id->get_type(id) == ID_ANY)
146 {
147 if (this->role == EAP_PEER)
148 {
149 id = this->ike_sa->get_my_id(this->ike_sa);
150 }
151 else
152 {
153 id = this->ike_sa->get_other_id(this->ike_sa);
154 }
155 }
156 }
157 if (id->get_type(id) == ID_EAP)
158 {
159 return id->clone(id);
160 }
161 return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
162 }
163
164 /**
165 * get the servers identity to use in the EAP method
166 */
167 static identification_t *get_server_id(private_eap_authenticator_t *this)
168 {
169 identification_t *id;
170
171 if (this->role == EAP_SERVER)
172 {
173 id = this->ike_sa->get_my_id(this->ike_sa);
174 }
175 else
176 {
177 id = this->ike_sa->get_other_id(this->ike_sa);
178 }
179 if (id->get_type(id) == ID_EAP)
180 {
181 return id->clone(id);
182 }
183 return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
184 }
185
186 /**
187 * load an EAP method using the correct identities
188 */
189 static eap_method_t *load_method(private_eap_authenticator_t *this,
190 eap_type_t type, u_int32_t vendor, eap_role_t role)
191 {
192 identification_t *server, *peer;
193 eap_method_t *method;
194
195 server = get_server_id(this);
196 peer = get_peer_id(this);
197 method = charon->eap->create_instance(charon->eap, type, vendor, role,
198 server, peer);
199 server->destroy(server);
200 peer->destroy(peer);
201 return method;
202 }
203
204 /**
205 * Implementation of eap_authenticator_t.initiate
206 */
207 static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
208 u_int32_t vendor, eap_payload_t **out)
209 {
210 /* if initiate() is called, role is always server */
211 this->role = EAP_SERVER;
212
213 if (this->do_eap_identity)
214 { /* do an EAP-Identity request first */
215 this->type = type;
216 this->vendor = vendor;
217 vendor = 0;
218 type = EAP_IDENTITY;
219 }
220
221 if (type == 0)
222 {
223 DBG1(DBG_IKE,
224 "client requested EAP authentication, but configuration forbids it");
225 *out = eap_payload_create_code(EAP_FAILURE, 0);
226 return FAILED;
227 }
228
229 if (vendor)
230 {
231 DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
232 type, vendor);
233 }
234 else
235 {
236 DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
237 }
238 this->method = load_method(this, type, vendor, this->role);
239 if (this->method == NULL)
240 {
241 if (vendor == 0 && type == EAP_IDENTITY)
242 {
243 DBG1(DBG_IKE, "skipping %N, no implementation found",
244 eap_type_names, type);
245 this->do_eap_identity = FALSE;
246 return initiate(this, this->type, this->vendor, out);
247 }
248 DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
249 eap_code_names, EAP_FAILURE);
250 *out = eap_payload_create_code(EAP_FAILURE, 0);
251 return FAILED;
252 }
253 if (this->method->initiate(this->method, out) != NEED_MORE)
254 {
255 DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
256 eap_code_names, EAP_FAILURE);
257 *out = eap_payload_create_code(EAP_FAILURE, 0);
258 return FAILED;
259 }
260 return NEED_MORE;
261 }
262
263 /**
264 * Processing method for a peer
265 */
266 static status_t process_peer(private_eap_authenticator_t *this,
267 eap_payload_t *in, eap_payload_t **out)
268 {
269 eap_type_t type;
270 u_int32_t vendor;
271
272 type = in->get_type(in, &vendor);
273
274 if (!vendor && type == EAP_IDENTITY)
275 {
276 eap_method_t *method;
277
278 method = load_method(this, type, 0, EAP_PEER);
279 if (method == NULL || method->process(method, in, out) != SUCCESS)
280 {
281 DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
282 eap_type_names, type);
283 DESTROY_IF(method);
284 return FAILED;
285 }
286 DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);
287 method->destroy(method);
288 return NEED_MORE;
289 }
290
291 /* create an eap_method for the first call */
292 if (this->method == NULL)
293 {
294 if (vendor)
295 {
296 DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
297 type, vendor);
298 }
299 else
300 {
301 DBG1(DBG_IKE, "EAP server requested %N authentication",
302 eap_type_names, type);
303 }
304 this->method = load_method(this, type, vendor, EAP_PEER);
305 if (this->method == NULL)
306 {
307 DBG1(DBG_IKE, "EAP server requested unsupported "
308 "EAP method, sending EAP_NAK");
309 *out = eap_payload_create_nak(in->get_identifier(in));
310 return NEED_MORE;
311 }
312 }
313
314 type = this->method->get_type(this->method, &vendor);
315
316 switch (this->method->process(this->method, in, out))
317 {
318 case NEED_MORE:
319 return NEED_MORE;
320 case SUCCESS:
321 if (vendor)
322 {
323 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
324 type, vendor);
325 }
326 else
327 {
328 DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
329 }
330 return SUCCESS;
331 case FAILED:
332 default:
333 if (vendor)
334 {
335 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
336 type, vendor);
337 }
338 else
339 {
340 DBG1(DBG_IKE, "EAP method %N failed",
341 eap_type_names, type);
342 }
343 return FAILED;
344 }
345 }
346
347 /**
348 * handle an EAP-Identity response on the server
349 */
350 static status_t process_eap_identity(private_eap_authenticator_t *this,
351 eap_payload_t **out)
352 {
353 chunk_t data;
354 identification_t *id;
355
356 if (this->method->get_msk(this->method, &data) == SUCCESS)
357 {
358 id = identification_create_from_encoding(ID_EAP, data);
359 DBG1(DBG_IKE, "using EAP identity '%D'", id);
360 this->ike_sa->set_eap_identity(this->ike_sa, id);
361 }
362 /* restart EAP exchange, but with real method */
363 this->method->destroy(this->method);
364 this->method = NULL;
365 this->do_eap_identity = FALSE;
366 return initiate(this, this->type, this->vendor, out);
367 }
368
369 /**
370 * Processing method for a server
371 */
372 static status_t process_server(private_eap_authenticator_t *this,
373 eap_payload_t *in, eap_payload_t **out)
374 {
375 eap_type_t type;
376 u_int32_t vendor;
377
378 type = this->method->get_type(this->method, &vendor);
379
380 switch (this->method->process(this->method, in, out))
381 {
382 case NEED_MORE:
383 return NEED_MORE;
384 case SUCCESS:
385 if (this->do_eap_identity)
386 {
387 return process_eap_identity(this, out);
388 }
389 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
390 {
391 this->msk = chunk_clone(this->msk);
392 }
393 if (vendor)
394 {
395 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
396 "%sMSK established", type, vendor,
397 this->msk.ptr ? "" : "no ");
398 }
399 else
400 {
401 DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
402 eap_type_names, type, this->msk.ptr ? "" : "no ");
403 }
404 *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
405 return SUCCESS;
406 case FAILED:
407 default:
408 if (vendor)
409 {
410 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
411 "peer %D", type, vendor,
412 this->ike_sa->get_other_id(this->ike_sa));
413 }
414 else
415 {
416 DBG1(DBG_IKE, "EAP method %N failed for peer %D",
417 eap_type_names, type,
418 this->ike_sa->get_other_id(this->ike_sa));
419 }
420 *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
421 return FAILED;
422 }
423 }
424
425 /**
426 * Implementation of eap_authenticator_t.process
427 */
428 static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
429 eap_payload_t **out)
430 {
431 eap_code_t code = in->get_code(in);
432
433 switch (this->role)
434 {
435 case EAP_SERVER:
436 {
437 switch (code)
438 {
439 case EAP_RESPONSE:
440 {
441 return process_server(this, in, out);
442 }
443 default:
444 {
445 DBG1(DBG_IKE, "received %N, sending %N",
446 eap_code_names, code, eap_code_names, EAP_FAILURE);
447 *out = eap_payload_create_code(EAP_FAILURE,
448 in->get_identifier(in));
449 return FAILED;
450 }
451 }
452 }
453 case EAP_PEER:
454 {
455 switch (code)
456 {
457 case EAP_REQUEST:
458 {
459 return process_peer(this, in, out);
460 }
461 case EAP_SUCCESS:
462 {
463 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
464 {
465 this->msk = chunk_clone(this->msk);
466 }
467 return SUCCESS;
468 }
469 case EAP_FAILURE:
470 default:
471 {
472 DBG1(DBG_IKE, "received %N, EAP authentication failed",
473 eap_code_names, code);
474 return FAILED;
475 }
476 }
477 }
478 default:
479 {
480 return FAILED;
481 }
482 }
483 }
484
485 /**
486 * Implementation of authenticator_t.is_mutual.
487 */
488 static bool is_mutual(private_eap_authenticator_t *this)
489 {
490 if (this->method)
491 {
492 return this->method->is_mutual(this->method);
493 }
494 return FALSE;
495 }
496
497 /**
498 * Implementation of authenticator_t.destroy.
499 */
500 static void destroy(private_eap_authenticator_t *this)
501 {
502 DESTROY_IF(this->method);
503 chunk_free(&this->msk);
504 free(this);
505 }
506
507 /*
508 * Described in header.
509 */
510 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
511 {
512 peer_cfg_t *config;
513 auth_info_t *auth;
514 identification_t *id;
515 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
516
517 /* public functions */
518 this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
519 this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
520 this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
521
522 this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
523 this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
524 this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
525
526 /* private data */
527 this->ike_sa = ike_sa;
528 this->role = EAP_PEER;
529 this->method = NULL;
530 this->msk = chunk_empty;
531 this->do_eap_identity = FALSE;
532 this->type = 0;
533 this->vendor = 0;
534
535 config = ike_sa->get_peer_cfg(ike_sa);
536 if (config)
537 {
538 auth = config->get_auth(config);
539 if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
540 {
541 if (id->get_type(id) == ID_ANY)
542 { /* %any as configured EAP identity runs EAP-Identity first */
543 this->do_eap_identity = TRUE;
544 }
545 else
546 {
547 ike_sa->set_eap_identity(ike_sa, id->clone(id));
548 }
549 }
550 }
551 return &this->public;
552 }