implemented Expanded EAP types to support vendor specific methods
[strongswan.git] / src / charon / sa / authenticators / eap_authenticator.c
1 /**
2 * @file eap_authenticator.c
3 *
4 * @brief Implementation of eap_authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <string.h>
24
25 #include "eap_authenticator.h"
26
27 #include <daemon.h>
28 #include <config/peer_cfg.h>
29 #include <sa/authenticators/eap/eap_method.h>
30
31 typedef struct private_eap_authenticator_t private_eap_authenticator_t;
32
33 /**
34 * Private data of an eap_authenticator_t object.
35 */
36 struct private_eap_authenticator_t {
37
38 /**
39 * Public authenticator_t interface.
40 */
41 eap_authenticator_t public;
42
43 /**
44 * Assigned IKE_SA
45 */
46 ike_sa_t *ike_sa;
47
48 /**
49 * Role of this authenticator, PEER or SERVER
50 */
51 eap_role_t role;
52
53 /**
54 * Current EAP method processing
55 */
56 eap_method_t *method;
57
58 /**
59 * MSK used to build and verify auth payload
60 */
61 chunk_t msk;
62 };
63
64 /**
65 * reuse shared key signature function from PSK authenticator
66 */
67 extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
68 chunk_t secret, identification_t *id,
69 chunk_t skp, prf_t *prf);
70 /**
71 * Implementation of authenticator_t.verify.
72 */
73 static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
74 chunk_t my_nonce, auth_payload_t *auth_payload)
75 {
76 chunk_t auth_data, recv_auth_data, secret;
77 identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
78
79 if (this->msk.len)
80 { /* use MSK if EAP method established one... */
81 secret = this->msk;
82 }
83 else
84 { /* ... or use SKp if not */
85 secret = this->ike_sa->get_skp_verify(this->ike_sa);
86 }
87 auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
88 other_id, this->ike_sa->get_skp_verify(this->ike_sa),
89 this->ike_sa->get_prf(this->ike_sa));
90
91 recv_auth_data = auth_payload->get_data(auth_payload);
92 if (!chunk_equals(auth_data, recv_auth_data))
93 {
94 DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
95 chunk_free(&auth_data);
96 return FAILED;
97 }
98 chunk_free(&auth_data);
99
100 DBG1(DBG_IKE, "authentication of '%D' with %N successful",
101 other_id, auth_method_names, AUTH_EAP);
102 return SUCCESS;
103 }
104
105 /**
106 * Implementation of authenticator_t.build.
107 */
108 static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
109 chunk_t other_nonce, auth_payload_t **auth_payload)
110 {
111 chunk_t auth_data, secret;
112 identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
113
114 DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
115 my_id, auth_method_names, AUTH_EAP);
116
117 if (this->msk.len)
118 { /* use MSK if EAP method established one... */
119 secret = this->msk;
120 }
121 else
122 { /* ... or use SKp if not */
123 secret = this->ike_sa->get_skp_build(this->ike_sa);
124 }
125 auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
126 my_id, this->ike_sa->get_skp_build(this->ike_sa),
127 this->ike_sa->get_prf(this->ike_sa));
128
129 *auth_payload = auth_payload_create();
130 (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
131 (*auth_payload)->set_data(*auth_payload, auth_data);
132 chunk_free(&auth_data);
133
134 return SUCCESS;
135 }
136
137 /**
138 * Implementation of eap_authenticator_t.initiate
139 */
140 static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
141 u_int32_t vendor, eap_payload_t **out)
142 {
143 /* if initiate() is called, role is always server */
144 this->role = EAP_SERVER;
145
146 if (type == 0)
147 {
148 DBG1(DBG_IKE,
149 "client requested EAP authentication, but configuration forbids it");
150 *out = eap_payload_create_code(EAP_FAILURE);
151 return FAILED;
152 }
153
154 if (vendor)
155 {
156 DBG1(DBG_IKE, "requesting vendor specific EAP authentication %d-%d",
157 type, vendor);
158 }
159 else
160 {
161 DBG1(DBG_IKE, "requesting %N authentication", eap_type_names, type);
162 }
163 this->method = eap_method_create(type, vendor, this->role,
164 this->ike_sa->get_my_id(this->ike_sa),
165 this->ike_sa->get_other_id(this->ike_sa));
166
167 if (this->method == NULL)
168 {
169
170 DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
171 eap_code_names, EAP_FAILURE);
172 *out = eap_payload_create_code(EAP_FAILURE);
173 return FAILED;
174 }
175 if (this->method->initiate(this->method, out) != NEED_MORE)
176 {
177 DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
178 eap_type_names, type, eap_code_names, EAP_FAILURE);
179 *out = eap_payload_create_code(EAP_FAILURE);
180 return FAILED;
181 }
182 return NEED_MORE;
183 }
184
185 /**
186 * Processing method for a peer
187 */
188 static status_t process_peer(private_eap_authenticator_t *this,
189 eap_payload_t *in, eap_payload_t **out)
190 {
191 eap_type_t type;
192 u_int32_t vendor;
193
194 type = in->get_type(in, &vendor);
195
196 if (!vendor && type == EAP_IDENTITY)
197 {
198 eap_method_t *method = eap_method_create(type, 0, EAP_PEER,
199 this->ike_sa->get_other_id(this->ike_sa),
200 this->ike_sa->get_my_id(this->ike_sa));
201
202 if (method == NULL || method->process(method, in, out) != SUCCESS)
203 {
204 DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
205 eap_type_names, type);
206 DESTROY_IF(method);
207 return FAILED;
208 }
209
210 DBG1(DBG_IKE, "EAP server requested %N, sending IKE identity",
211 eap_type_names, type);
212
213 method->destroy(method);
214 return NEED_MORE;
215 }
216
217 /* create an eap_method for the first call */
218 if (this->method == NULL)
219 {
220 if (vendor)
221 {
222 DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
223 type, vendor);
224 }
225 else
226 {
227 DBG1(DBG_IKE, "EAP server requested %N authentication",
228 eap_type_names, type);
229 }
230 this->method = eap_method_create(type, vendor, EAP_PEER,
231 this->ike_sa->get_other_id(this->ike_sa),
232 this->ike_sa->get_my_id(this->ike_sa));
233 if (this->method == NULL)
234 {
235 DBG1(DBG_IKE, "EAP server requested unsupported "
236 "EAP method, sending EAP_NAK");
237 *out = eap_payload_create_nak();
238 return NEED_MORE;
239 }
240 }
241
242 type = this->method->get_type(this->method, &vendor);
243
244 switch (this->method->process(this->method, in, out))
245 {
246 case NEED_MORE:
247 return NEED_MORE;
248 case SUCCESS:
249 if (vendor)
250 {
251 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
252 type, vendor);
253 }
254 else
255 {
256 DBG1(DBG_IKE, "EAP method %N succeded", eap_type_names, type);
257 }
258 return SUCCESS;
259 case FAILED:
260 default:
261 if (vendor)
262 {
263 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
264 type, vendor);
265 }
266 else
267 {
268 DBG1(DBG_IKE, "EAP method %N failed",
269 eap_type_names, type);
270 }
271 return FAILED;
272 }
273 }
274
275 /**
276 * Processing method for a server
277 */
278 static status_t process_server(private_eap_authenticator_t *this,
279 eap_payload_t *in, eap_payload_t **out)
280 {
281 eap_type_t type;
282 u_int32_t vendor;
283
284 type = this->method->get_type(this->method, &vendor);
285
286 switch (this->method->process(this->method, in, out))
287 {
288 case NEED_MORE:
289 return NEED_MORE;
290 case SUCCESS:
291 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
292 {
293 this->msk = chunk_clone(this->msk);
294 }
295 if (vendor)
296 {
297 DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
298 "%sMSK established", type, vendor,
299 this->msk.ptr ? "" : "no ");
300 }
301 else
302 {
303 DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
304 eap_type_names, type, this->msk.ptr ? "" : "no ");
305 }
306 *out = eap_payload_create_code(EAP_SUCCESS);
307 return SUCCESS;
308 case FAILED:
309 default:
310 if (vendor)
311 {
312 DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
313 "peer %D", type, vendor,
314 this->ike_sa->get_other_id(this->ike_sa));
315 }
316 else
317 {
318 DBG1(DBG_IKE, "EAP method %N failed for peer %D",
319 eap_type_names, type,
320 this->ike_sa->get_other_id(this->ike_sa));
321 }
322 *out = eap_payload_create_code(EAP_FAILURE);
323 return FAILED;
324 }
325 }
326
327 /**
328 * Implementation of eap_authenticator_t.process
329 */
330 static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
331 eap_payload_t **out)
332 {
333 eap_code_t code = in->get_code(in);
334
335 switch (this->role)
336 {
337 case EAP_SERVER:
338 {
339 switch (code)
340 {
341 case EAP_RESPONSE:
342 {
343 return process_server(this, in, out);
344 }
345 default:
346 {
347 DBG1(DBG_IKE, "received %N, sending %N",
348 eap_code_names, code, eap_code_names, EAP_FAILURE);
349 *out = eap_payload_create_code(EAP_FAILURE);
350 return FAILED;
351 }
352 }
353 }
354 case EAP_PEER:
355 {
356 switch (code)
357 {
358 case EAP_REQUEST:
359 {
360 return process_peer(this, in, out);
361 }
362 case EAP_SUCCESS:
363 {
364 if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
365 {
366 this->msk = chunk_clone(this->msk);
367 }
368 return SUCCESS;
369 }
370 case EAP_FAILURE:
371 default:
372 {
373 DBG1(DBG_IKE, "received %N, EAP authentication failed",
374 eap_code_names, code);
375 return FAILED;
376 }
377 }
378 }
379 default:
380 {
381 return FAILED;
382 }
383 }
384 }
385
386 /**
387 * Implementation of authenticator_t.is_mutual.
388 */
389 static bool is_mutual(private_eap_authenticator_t *this)
390 {
391 if (this->method)
392 {
393 return this->method->is_mutual(this->method);
394 }
395 return FALSE;
396 }
397
398 /**
399 * Implementation of authenticator_t.destroy.
400 */
401 static void destroy(private_eap_authenticator_t *this)
402 {
403 DESTROY_IF(this->method);
404 chunk_free(&this->msk);
405 free(this);
406 }
407
408 /*
409 * Described in header.
410 */
411 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
412 {
413 private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
414
415 /* public functions */
416 this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
417 this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
418 this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
419
420 this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
421 this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
422 this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
423
424 /* private data */
425 this->ike_sa = ike_sa;
426 this->role = EAP_PEER;
427 this->method = NULL;
428 this->msk = chunk_empty;
429
430 return &this->public;
431 }