1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17 #include "eap_radius_plugin.h"
18 #include "eap_radius_forward.h"
19 #include "eap_radius_provider.h"
20 #include "eap_radius_accounting.h"
21
22 #include <radius_message.h>
23 #include <radius_client.h>
24
25 #include <daemon.h>
26
/* Forward declaration of the private state, so the METHOD() definitions
 * below can take it as their first argument before it is defined. */
typedef struct private_eap_radius_t private_eap_radius_t;
28
/**
 * Private data of an eap_radius_t object.
 *
 * One instance proxies a single EAP conversation between an IKE peer and a
 * RADIUS server: the peer's EAP packets go out as EAP-Message attributes in
 * Access-Requests, the server's EAP packets come back in Access-Challenges
 * and are handed to IKE as new EAP payloads.
 */
struct private_eap_radius_t {

	/**
	 * Public authenticator_t interface.
	 */
	eap_radius_t public;

	/**
	 * ID of the server. Cloned by the constructor; within this file it is
	 * only released again in destroy().
	 */
	identification_t *server;

	/**
	 * ID of the peer, as handed over by IKE. Its encoding becomes the
	 * EAP-Identity and (together with id_prefix) the User-Name attribute
	 * sent to the RADIUS server, and it keys the provider entries for
	 * server-assigned attributes (Framed-IP-Address, banners).
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying. Starts as EAP_RADIUS and is replaced
	 * by the type of the first EAP packet the RADIUS server sends back, i.e.
	 * the server, not this plugin, selects the actual EAP method.
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any (updated together with type from the server's packet)
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier, set by the authenticator via set_identifier()
	 * and used when building the EAP-Identity response
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance, used for all Access-Requests and to obtain the
	 * MSK after an Access-Accept
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
	 * (setting "%s.plugins.eap-radius.eap_start", %s being the daemon name)
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity and User-Name
	 * (setting "%s.plugins.eap-radius.id_prefix"). This is the pointer
	 * returned by the settings, not a copy - NOTE(review): assumed to stay
	 * valid for the lifetime of this object, confirm.
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute as group membership information?
	 * (setting "%s.plugins.eap-radius.class_group")
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
	 * (setting "%s.plugins.eap-radius.filter_id")
	 */
	bool filter_id;
};
89
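/**
 * Add an EAP-Identity Response carrying the peer identity to a RADIUS request.
 *
 * The EAP packet is assembled as code/identifier/length/type followed by
 * id_prefix + peer identity, and appended as one or more consecutive
 * EAP-Message attributes. A RADIUS attribute carries at most
 * MAX_RADIUS_ATTRIBUTE_SIZE bytes of data, so a long identity is split into
 * fragments exactly like process() splits forwarded EAP packets; the server
 * reassembles consecutive EAP-Message attributes in order (RFC 3579).
 *
 * The identity is chosen by the IKE peer, so its size is not under our
 * control: the packet is built on the heap rather than with alloca(), and if
 * the packet would not fit the 16-bit EAP length field nothing is added at
 * all - an Access-Request without EAP-Message is left for the server to
 * reject, instead of sending a packet with a wrapped length field.
 *
 * @param this			EAP-RADIUS method instance (peer, identifier, id_prefix)
 * @param request		Access-Request to append the EAP-Message attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, packet, fragment;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;

	if (len > 0xffff)
	{	/* the EAP length field is 16 bits wide; htons(len) would silently
		 * wrap and produce a packet whose length field lies */
		DBG1(DBG_IKE, "EAP-Identity of '%Y' too long (%zu bytes), not sent",
			 this->peer, len);
		return;
	}

	/* heap instead of alloca(): the size is dictated by the IKE peer */
	packet = chunk_alloc(len);
	hdr = (void*)packet.ptr;
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment into RADIUS-sized EAP-Message attributes, as process() does;
	 * add() copies the data, so the packet can be released afterwards */
	fragment = packet;
	while (fragment.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(fragment.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		fragment = chunk_skip(fragment, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, fragment);

	chunk_free(&packet);
}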
125
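/**
 * Reassemble the EAP packet carried in a RADIUS message's EAP-Message
 * attributes into a new EAP payload for IKE.
 *
 * All non-empty EAP-Message attributes are concatenated in the order they
 * appear. Before the result is handed to IKE, the EAP header is sanity
 * checked: the packet has to be at least the 4-byte code/identifier/length
 * header, and the length field has to match the reassembled size. A mismatch
 * means a malformed or truncated packet and is rejected here instead of being
 * relayed to the peer - NOTE(review): RFC 3579 §3.1 is understood to require
 * the NAS to make this check, confirm the exact wording.
 *
 * As a side effect, the proxied method type (and vendor) is switched to
 * whatever the server's EAP packet carries: the RADIUS server picks the
 * actual EAP method, this plugin only relays it.
 *
 * @param this			EAP-RADIUS method instance; type/vendor are updated
 * @param msg			RADIUS message to extract EAP-Message attributes from
 * @param out			receives the newly created EAP payload on success
 * @return				TRUE if a well-formed EAP packet was found and returned
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *enumerator;
	eap_payload_t *payload;
	chunk_t data, message = chunk_empty;
	bool valid;
	int type;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type == RAT_EAP_MESSAGE && data.len)
		{
			message = chunk_cat("mc", message, data);
		}
	}
	enumerator->destroy(enumerator);

	if (!message.len)
	{
		return FALSE;
	}

	/* EAP header: code(1), identifier(1), length(2); the length field covers
	 * the whole packet and must agree with what was reassembled */
	valid = message.len >= 4 && untoh16(message.ptr + 2) == message.len;
	if (!valid)
	{
		DBG1(DBG_IKE, "EAP packet from RADIUS server has an invalid length, "
			 "discarding it");
		free(message.ptr);
		return FALSE;
	}

	/* the payload clones the data, message is released below */
	*out = payload = eap_payload_create_data(message);

	/* apply EAP method selected by RADIUS server */
	this->type = payload->get_type(payload, &this->vendor);

	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &message);
	free(message.ptr);
	return TRUE;
}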
159
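/**
 * Add the standard set of attributes describing this NAS and the peer to an
 * Access-Request.
 *
 * Always adds User-Name (id_prefix + peer identity), a Virtual NAS-Port-Type
 * (5) and a Framed Service-Type (2). If an IKE_SA is available on the bus, the
 * IKE_SA's unique ID goes out as NAS-Port, its config name as NAS-Port-Id, the
 * local address as NAS-IP-Address or NAS-IPv6-Address, and the local / remote
 * endpoints as Called-Station-Id / Calling-Station-Id. Finally the attributes
 * forwarded from IKE (eap_radius_forward_from_ike) are appended.
 *
 * Calling-Station-Id is the peer's IKE endpoint as seen on the wire; it is
 * not authenticated data and should not be treated as such on the server.
 *
 * @param this			EAP-RADIUS method instance
 * @param request		Access-Request to add the attributes to
 */
static void add_radius_request_attrs(private_eap_radius_t *this,
									 radius_message_t *request)
{
	ike_sa_t *ike_sa;
	host_t *host;
	/* "%#H" is assumed to print address and port; a full IPv6 address with
	 * port does not fit the 40 bytes used before, which snprintf() would have
	 * silently truncated - NOTE(review): confirm the exact %#H format */
	char buf[64];
	u_int32_t value;
	chunk_t chunk;

	chunk = chunk_from_str(this->id_prefix);
	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, chunk);

	/* virtual NAS-Port-Type */
	value = htonl(5);
	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
	/* framed ServiceType */
	value = htonl(2);
	request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value));

	ike_sa = charon->bus->get_sa(charon->bus);
	if (ike_sa)
	{
		value = htonl(ike_sa->get_unique_id(ike_sa));
		request->add(request, RAT_NAS_PORT, chunk_from_thing(value));
		request->add(request, RAT_NAS_PORT_ID,
					 chunk_from_str(ike_sa->get_name(ike_sa)));

		host = ike_sa->get_my_host(ike_sa);
		chunk = host->get_address(host);
		switch (host->get_family(host))
		{
			case AF_INET:
				request->add(request, RAT_NAS_IP_ADDRESS, chunk);
				break;
			case AF_INET6:
				request->add(request, RAT_NAS_IPV6_ADDRESS, chunk);
				break;
			default:
				/* no NAS address attribute for other families */
				break;
		}
		snprintf(buf, sizeof(buf), "%#H", host);
		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
		host = ike_sa->get_other_host(ike_sa);
		snprintf(buf, sizeof(buf), "%#H", host);
		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
	}

	eap_radius_forward_from_ike(request);
}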
212
/**
 * Start the EAP conversation: send the first Access-Request to the RADIUS
 * server and relay its Access-Challenge to the peer.
 *
 * With eap_start enabled an empty EAP-Message is sent and the server is left
 * to request the identity itself; otherwise an EAP-Identity Response built
 * from the peer identity is included right away.
 *
 * Only an Access-Challenge carrying a usable EAP packet continues the
 * exchange (NEED_MORE). An Access-Accept at this stage is treated as a
 * failure just like Access-Reject, because some Microsoft RADIUS servers
 * answer the very first request that way without any authentication. A
 * missing response is reported via eap_radius_handle_timeout().
 *
 * @param this			EAP-RADIUS method instance
 * @param out			receives the EAP payload to send to the peer on NEED_MORE
 * @return				NEED_MORE to continue, FAILED otherwise
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	int code;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, request);

	/* EAP-Start: empty EAP-Message, the server asks for the identity */
	if (this->eap_start)
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
	}
	else
	{
		add_eap_identity(this, request);
	}

	response = this->client->request(this->client, request);
	if (!response)
	{
		eap_radius_handle_timeout(NULL);
		request->destroy(request);
		return FAILED;
	}

	eap_radius_forward_to_ike(response);
	code = response->get_code(response);
	if (code == RMC_ACCESS_CHALLENGE)
	{
		if (radius2ike(this, response, out))
		{
			status = NEED_MORE;
		}
	}
	else
	{
		/* Access-Accept without authentication (Microsoft RADIUS servers can
		 * run in such a mode), Access-Reject and anything else is a failure */
		DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
			 this->peer);
	}
	response->destroy(response);
	request->destroy(request);
	return status;
}
262
/**
 * Turn the Class attributes of an Access-Accept into group membership rules
 * on the IKE_SA's remote auth config (enabled via the class_group setting).
 *
 * Each Class value is taken verbatim as a group identity, so the RADIUS
 * server fully controls the groups the peer ends up in. Values of 44 bytes
 * or more are skipped: some servers (e.g. NPS) use long Class values for
 * their own purposes, not for group names.
 *
 * @param this			EAP-RADIUS method instance (not used)
 * @param msg			Access-Accept to scan for Class attributes
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	ike_sa_t *ike_sa;
	auth_cfg_t *auth;
	identification_t *group;
	chunk_t value;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_CLASS)
		{
			continue;
		}
		if (value.len >= 44)
		{	/* quirk: ignore long class attributes, these are used for
			 * other purposes by some RADIUS servers (such as NPS). */
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (!ike_sa)
		{
			continue;
		}
		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
		group = identification_create_from_data(value);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", group);
		auth->add(auth, AUTH_RULE_GROUP, group);
	}
	attrs->destroy(attrs);
}
299
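/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name: it is added as a
 * group membership rule on the IKE_SA's remote auth config (enabled via the
 * filter_id setting).
 *
 * Filter-Id is only honored if the same Access-Accept also carries a
 * Tunnel-Type attribute whose value is ESP (RADIUS_TUNNEL_TYPE_ESP); with
 * several Tunnel-Type attributes the last one seen decides. Tunnel-Type is a
 * tagged attribute (RFC 2868): the first octet is the tag, the remaining
 * three octets the value, so the tag is masked out before comparing. The tag
 * itself is only logged, not evaluated.
 *
 * The received message is treated as read-only. The previous version
 * stripped the tag by overwriting the first byte inside the message buffer,
 * which changed the attribute for everything looking at the message later.
 *
 * @param this			EAP-RADIUS method instance (not used)
 * @param msg			Access-Accept to scan
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{
					continue;
				}
				tunnel_tag = data.ptr[0];
				/* the tag octet is not part of the 24-bit value; mask it
				 * instead of zeroing it in the received message */
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				/* points into msg, which outlives this function */
				filter_id = data;
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}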
355
/**
 * Handle the Session-Timeout attribute and Acct-Interim-Interval of an
 * Access-Accept.
 *
 * Session-Timeout (seconds, 32-bit) becomes the authentication lifetime of
 * the IKE_SA; Acct-Interim-Interval starts interim accounting updates with
 * that interval. Both are plain 4-byte integers; attributes of any other
 * length are ignored, and nothing happens without an IKE_SA on the bus.
 * NOTE(review): a value of 0 is passed through unchanged; what
 * set_auth_lifetime() / start_interim() do with 0 is not visible here.
 *
 * @param this			EAP-RADIUS method instance (not used)
 * @param msg			Access-Accept to scan
 */
static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	ike_sa_t *ike_sa;
	chunk_t value;
	int attr_type;

	ike_sa = charon->bus->get_sa(charon->bus);
	if (!ike_sa)
	{
		return;
	}
	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (value.len != 4)
		{	/* both attributes of interest are 32-bit integers */
			continue;
		}
		switch (attr_type)
		{
			case RAT_SESSION_TIMEOUT:
				ike_sa->set_auth_lifetime(ike_sa, untoh32(value.ptr));
				break;
			case RAT_ACCT_INTERIM_INTERVAL:
				eap_radius_accounting_start_interim(ike_sa, untoh32(value.ptr));
				break;
			default:
				break;
		}
	}
	attrs->destroy(attrs);
}
384
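/**
 * Handle Framed-IP-Address and other IKE configuration attributes of an
 * Access-Accept by passing them to the eap_radius provider, keyed by the
 * peer identity.
 *
 * Framed-IP-Address (4 bytes) is registered as the peer's virtual IP.
 * Altiga/Cisco VPN3000 vendor attributes CVPN3000-IPSec-Banner1/2 are
 * registered as a Unity banner, but only if the peer announced the Cisco
 * Unity extension. Nothing is done without a provider or an IKE_SA.
 *
 * @param this			EAP-RADIUS method instance (peer is used as key)
 * @param msg			Access-Accept to scan
 */
static void process_cfg_attributes(private_eap_radius_t *this,
								   radius_message_t *msg)
{
	/* Altiga/Cisco VPN3000 vendor attribute types handled below */
	enum {
		CVPN3000_IPSEC_BANNER1 = 15,
		CVPN3000_IPSEC_BANNER2 = 36,
	};
	eap_radius_provider_t *provider;
	enumerator_t *enumerator;
	ike_sa_t *ike_sa;
	host_t *host;
	chunk_t data;
	int type, vendor;

	ike_sa = charon->bus->get_sa(charon->bus);
	provider = eap_radius_provider_get();
	if (!provider || !ike_sa)
	{
		return;
	}

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4)
		{
			/* NOTE(review): RFC 2865 reserves 255.255.255.255 ("user selects")
			 * and 255.255.255.254 ("NAS selects"); neither is special-cased
			 * here, both would reach the provider as literal addresses */
			host = host_create_from_chunk(AF_INET, data, 0);
			if (host)
			{
				provider->add_framed_ip(provider, this->peer, host);
			}
		}
	}
	enumerator->destroy(enumerator);

	enumerator = msg->create_vendor_enumerator(msg);
	while (enumerator->enumerate(enumerator, &vendor, &type, &data))
	{
		if (vendor != PEN_ALTIGA /* aka Cisco VPN3000 */)
		{
			continue;
		}
		switch (type)
		{
			case CVPN3000_IPSEC_BANNER1:
			case CVPN3000_IPSEC_BANNER2:
				/* only peers speaking Cisco Unity get the banner */
				if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
				{
					provider->add_attribute(provider, this->peer,
											UNITY_BANNER, data);
				}
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}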
439
/**
 * Relay an EAP packet from the peer to the RADIUS server and handle the
 * server's answer.
 *
 * The packet is split into EAP-Message attributes of at most
 * MAX_RADIUS_ATTRIBUTE_SIZE bytes (RFC 3579 fragmentation) and sent in an
 * Access-Request. An Access-Challenge is relayed back to the peer
 * (NEED_MORE); an Access-Accept ends the conversation successfully and its
 * attributes are applied (Class / Filter-Id only if enabled, Session-Timeout,
 * Acct-Interim-Interval and configuration attributes always); Access-Reject,
 * any other code and a missing response all fail.
 *
 * Note that on Access-Accept no EAP payload is returned in out; the MSK the
 * authenticator needs is fetched separately via get_msk().
 *
 * @param this			EAP-RADIUS method instance
 * @param in			EAP payload received from the peer
 * @param out			receives the EAP payload for the peer on NEED_MORE
 * @return				NEED_MORE, SUCCESS or FAILED
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t data;
	int code;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, request);

	data = in->get_data(in);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);

	/* fragment data suitable for RADIUS */
	for (; data.len > MAX_RADIUS_ATTRIBUTE_SIZE;
		 data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE))
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
	}
	request->add(request, RAT_EAP_MESSAGE, data);

	response = this->client->request(this->client, request);
	if (response)
	{
		eap_radius_forward_to_ike(response);
		code = response->get_code(response);
		if (code == RMC_ACCESS_CHALLENGE)
		{
			if (radius2ike(this, response, out))
			{
				status = NEED_MORE;
			}
		}
		else if (code == RMC_ACCESS_ACCEPT)
		{
			if (this->class_group)
			{
				process_class(this, response);
			}
			if (this->filter_id)
			{
				process_filter_id(this, response);
			}
			process_timeout(this, response);
			process_cfg_attributes(this, response);
			DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
				 this->peer);
			status = SUCCESS;
		}
		else
		{	/* Access-Reject or an unexpected code */
			DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
				 this->peer);
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}
503
/**
 * Return the EAP method type currently being proxied.
 *
 * This is EAP_RADIUS until the RADIUS server's first EAP packet has been
 * seen (radius2ike), afterwards the type the server selected.
 *
 * @param this			EAP-RADIUS method instance
 * @param vendor		receives the EAP vendor ID (0 for IETF types)
 * @return				EAP type
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t type = this->type;

	*vendor = this->vendor;
	return type;
}
510
/**
 * Return the MSK established by the EAP method, as obtained from the RADIUS
 * client after the Access-Accept.
 *
 * The key is whatever the client provides; an empty chunk means no key is
 * available (e.g. the server did not deliver keying material), which is
 * reported as FAILED so the authenticator does not proceed without a key.
 *
 * @param this			EAP-RADIUS method instance
 * @param out			receives the MSK, owned by the client
 * @return				SUCCESS if a non-empty MSK is available, FAILED otherwise
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t msk = this->client->get_msk(this->client);

	if (!msk.len)
	{
		return FAILED;
	}
	*out = msk;
	return SUCCESS;
}
524
/**
 * Return the current EAP message identifier.
 *
 * @param this			EAP-RADIUS method instance
 * @return				identifier last set via set_identifier()
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t identifier = this->identifier;

	return identifier;
}
530
/**
 * Set the EAP message identifier to use for the next EAP-Identity response.
 *
 * @param this			EAP-RADIUS method instance
 * @param identifier	EAP identifier chosen by the authenticator
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	u_int8_t *slot = &this->identifier;

	*slot = identifier;
}
536
/**
 * Report whether the proxied EAP method authenticates both sides.
 *
 * Only EAP-AKA and EAP-SIM are claimed to be mutual. The decision is based
 * solely on the type selected by the RADIUS server (see radius2ike) - the
 * vendor is not consulted - so before the first challenge, while type is
 * still EAP_RADIUS, the answer is FALSE. Since this value can allow IKE to
 * rely on EAP alone for authenticating the server, it only holds if the
 * RADIUS server itself is trusted to pick a truly mutual method.
 *
 * @param this			EAP-RADIUS method instance
 * @return				TRUE for EAP-AKA and EAP-SIM, FALSE for anything else
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
549
/**
 * Release the RADIUS client, the cloned identities and the object itself.
 *
 * @param this			EAP-RADIUS method instance to destroy
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
558
/**
 * Generic constructor: create an EAP-RADIUS proxy method for the given peer.
 *
 * Reads the plugin settings (eap_start, id_prefix, class_group, filter_id)
 * from "%s.plugins.eap-radius.*" with the daemon name, creates a RADIUS
 * client and clones both identities. The method starts out as EAP_RADIUS;
 * the real type is learned from the RADIUS server later.
 *
 * @param server		ID of the server (cloned)
 * @param peer			ID of the peer (cloned)
 * @return				eap_radius_t object, NULL if no RADIUS client could be
 *						created (e.g. no server configured)
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;
	radius_client_t *client;
	char *ns = charon->name;

	client = eap_radius_create_client();
	if (!client)
	{
		return NULL;
	}

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.client = client,
		.eap_start = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.eap_start", FALSE, ns),
		.id_prefix = lib->settings->get_str(lib->settings,
								"%s.plugins.eap-radius.id_prefix", "", ns),
		.class_group = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.class_group", FALSE, ns),
		.filter_id = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.filter_id", FALSE, ns),
		.server = server->clone(server),
		.peer = peer->clone(peer),
	);
	return &this->public;
}