eap-radius: export function to process common attributes of Access-Accept
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17 #include "eap_radius_plugin.h"
18 #include "eap_radius_forward.h"
19 #include "eap_radius_provider.h"
20 #include "eap_radius_accounting.h"
21
22 #include <radius_message.h>
23 #include <radius_client.h>
24
25 #include <daemon.h>
26
27 typedef struct private_eap_radius_t private_eap_radius_t;
28
/**
 * Private data of an eap_radius_t object.
 *
 * One instance proxies a single EAP exchange between an IKE peer and a
 * RADIUS server; it owns cloned server/peer IDs and a RADIUS client.
 */
struct private_eap_radius_t {

	/**
	 * Public eap_radius_t interface (the eap_method_t callbacks are bound
	 * in eap_radius_create()).
	 */
	eap_radius_t public;

	/**
	 * ID of the server, cloned in eap_radius_create() and released in destroy()
	 */
	identification_t *server;

	/**
	 * ID of the peer, cloned in eap_radius_create() and released in destroy().
	 * Its encoding (with id_prefix) is sent as User-Name and as EAP-Identity.
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying: starts as EAP_RADIUS and is replaced
	 * by the type of the EAP packet found in each Access-Challenge (radius2ike())
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any; updated together with type
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier, used in the EAP-Identity response we build
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance, also the source of the MSK
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity; points to the settings-owned
	 * string and is not freed by destroy()
	 */
	char *id_prefix;

	/**
	 * Format string we use for Called/Calling-Station-Id for a host;
	 * one of two string literals chosen in eap_radius_create(), never freed
	 */
	char *station_id_fmt;
};
84
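/**
 * Add the EAP-Identity Response of the peer to a RADIUS Access-Request.
 *
 * The identity is id_prefix followed by the raw encoding of the peer ID.
 * Because a single RADIUS attribute carries at most
 * MAX_RADIUS_ATTRIBUTE_SIZE bytes, the EAP packet is split over as many
 * EAP-Message attributes as needed, using the same scheme as process().
 * An identity that would not fit the 16 bit EAP length field is logged and
 * not forwarded at all rather than sending a packet with a wrapped length.
 *
 * @param this		proxy instance providing peer ID, prefix and identifier
 * @param request	Access-Request to add the EAP-Message attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, packet;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;

	/* the peer ID is remote input; the EAP length field is only 16 bit */
	if (len > 0xffff)
	{
		DBG1(DBG_IKE, "EAP-Identity of %zu bytes too long, not forwarded",
			 len);
		return;
	}

	hdr = alloca(len);
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment the packet into attribute-sized pieces, as process() does */
	packet = chunk_create((u_char*)hdr, len);
	while (packet.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(packet.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		packet = chunk_skip(packet, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, packet);
}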
120
/**
 * Reassemble the EAP packet carried in the EAP-Message attribute(s) of a
 * RADIUS message into a newly created EAP payload.
 *
 * All non-empty EAP-Message attributes are concatenated in message order.
 * On success the type/vendor of the reassembled packet becomes the method
 * type this proxy reports from now on. Note that the EAP length field inside
 * the reassembled packet is not compared against the attribute data here.
 *
 * @param this		proxy instance; type and vendor are updated on success
 * @param msg		RADIUS message received from the server
 * @param out		receives the new EAP payload, only when TRUE is returned
 * @return			TRUE if at least one byte of EAP-Message data was found
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	chunk_t value, eap = chunk_empty;
	int attr_type;
	bool found;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_EAP_MESSAGE || !value.len)
		{
			continue;
		}
		eap = chunk_cat("mc", eap, value);
	}
	attrs->destroy(attrs);

	found = (eap.len != 0);
	if (found)
	{
		eap_payload_t *payload = eap_payload_create_data(eap);

		*out = payload;
		/* the RADIUS server selects the actual method; report its type */
		this->type = payload->get_type(payload, &this->vendor);
		DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &eap);
		free(eap.ptr);
	}
	return found;
}
154
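/**
 * Add the standard RADIUS attributes describing this authentication to an
 * Access-Request.
 *
 * Always adds User-Name (id_prefix + peer ID encoding), NAS-Port-Type and
 * Service-Type. If an IKE_SA is bound to the current thread, also adds
 * NAS-Port/NAS-Port-Id (IKE_SA unique ID/name), NAS-IP-Address or
 * NAS-IPv6-Address (our address) and Called/Calling-Station-Id (our/the
 * peer's address rendered with station_id_fmt). Finally calls
 * eap_radius_forward_from_ike() on the request (see eap_radius_forward.h).
 *
 * @param this		proxy instance
 * @param request	Access-Request to add attributes to
 */
static void add_radius_request_attrs(private_eap_radius_t *this,
									 radius_message_t *request)
{
	/* RFC 2865 values: NAS-Port-Type 5 = Virtual, Service-Type 2 = Framed */
	enum {
		NAS_PORT_TYPE_VIRTUAL = 5,
		SERVICE_TYPE_FRAMED = 2,
	};
	ike_sa_t *ike_sa;
	host_t *host;
	/* a full-length IPv6 address alone is 39 characters; with brackets and a
	 * port a 40 byte buffer is too small and snprintf() would silently
	 * truncate the station ID, so leave ample room */
	char buf[64];
	u_int32_t value;
	chunk_t chunk;

	chunk = chunk_from_str(this->id_prefix);
	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, chunk);

	value = htonl(NAS_PORT_TYPE_VIRTUAL);
	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
	value = htonl(SERVICE_TYPE_FRAMED);
	request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value));

	ike_sa = charon->bus->get_sa(charon->bus);
	if (ike_sa)
	{
		value = htonl(ike_sa->get_unique_id(ike_sa));
		request->add(request, RAT_NAS_PORT, chunk_from_thing(value));
		request->add(request, RAT_NAS_PORT_ID,
					 chunk_from_str(ike_sa->get_name(ike_sa)));

		host = ike_sa->get_my_host(ike_sa);
		chunk = host->get_address(host);
		switch (host->get_family(host))
		{
			case AF_INET:
				request->add(request, RAT_NAS_IP_ADDRESS, chunk);
				break;
			case AF_INET6:
				request->add(request, RAT_NAS_IPV6_ADDRESS, chunk);
				break;
			default:
				break;
		}
		/* station_id_fmt is one of two fixed literals ("%#H"/"%H"), never
		 * external input, so passing it as format string is safe */
		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
		host = ike_sa->get_other_host(ike_sa);
		snprintf(buf, sizeof(buf), this->station_id_fmt, host);
		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
	}

	eap_radius_forward_from_ike(request);
}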
207
/**
 * Start the proxied EAP exchange by sending the first Access-Request.
 *
 * Depending on eap_start, the request carries either an empty EAP-Message
 * (EAP-Start) or a complete EAP-Identity Response. Only an Access-Challenge
 * with EAP data continues the exchange (NEED_MORE). An Access-Accept at this
 * stage is deliberately treated like a rejection: some Microsoft RADIUS
 * servers accept the very first request without any authentication.
 * A missing response is reported via eap_radius_handle_timeout().
 *
 * @param this		proxy instance
 * @param out		receives the EAP request for the peer, on NEED_MORE only
 * @return			NEED_MORE to continue with process(), FAILED otherwise
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *req, *resp;
	status_t result = FAILED;

	req = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, req);
	if (!this->eap_start)
	{
		add_eap_identity(this, req);
	}
	else
	{
		req->add(req, RAT_EAP_MESSAGE, chunk_empty);
	}

	resp = this->client->request(this->client, req);
	if (!resp)
	{
		eap_radius_handle_timeout(NULL);
		req->destroy(req);
		return result;
	}

	eap_radius_forward_to_ike(resp);
	if (resp->get_code(resp) == RMC_ACCESS_CHALLENGE)
	{
		if (radius2ike(this, resp, out))
		{
			result = NEED_MORE;
		}
	}
	else
	{	/* Access-Accept, Access-Reject or anything else: nothing has been
		 * authenticated yet, so an Accept here counts as a failure */
		DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
	}
	resp->destroy(resp);
	req->destroy(req);
	return result;
}
257
/**
 * Turn each short Class attribute of a RADIUS message into a group
 * membership rule on the current IKE_SA's auth config.
 *
 * Class values of 44 bytes or more are skipped: some servers (e.g. NPS) use
 * long Class attributes for their own purposes, not as group names. Without
 * an IKE_SA bound to the current thread nothing is added.
 *
 * @param msg		RADIUS message (typically an Access-Accept) to scan
 */
static void process_class(radius_message_t *msg)
{
	enumerator_t *attrs;
	ike_sa_t *ike_sa;
	auth_cfg_t *auth;
	identification_t *group;
	chunk_t value;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_CLASS || value.len >= 44)
		{	/* not a Class attribute, or too long to be a group name */
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (!ike_sa)
		{
			continue;
		}
		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
		group = identification_create_from_data(value);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", group);
		auth->add(auth, AUTH_RULE_GROUP, group);
	}
	attrs->destroy(attrs);
}
294
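/**
 * Use the Filter-Id attribute of a RADIUS message as group membership for
 * the current IKE_SA, but only if the message also announces an ESP tunnel.
 *
 * Tunnel-Type (RFC 2868) is a 4 byte attribute whose first byte is a tag
 * and whose remaining three bytes hold the value; only the value is compared
 * against RADIUS_TUNNEL_TYPE_ESP. If several Tunnel-Type or Filter-Id
 * attributes are present, the last one of each wins. The message buffer is
 * only read: the tag is masked out of the value rather than overwritten in
 * place, so other consumers of the same message see it unmodified.
 *
 * @param msg		RADIUS message (typically an Access-Accept) to scan
 */
static void process_filter_id(radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{
					continue;
				}
				/* tag is the high byte, value the low 24 bit */
				tunnel_tag = data.ptr[0];
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				filter_id = data;
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			/* same log line as process_class() so both paths are auditable */
			DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}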
350
/**
 * Apply Session-Timeout and Acct-Interim-Interval from a RADIUS message to
 * the current IKE_SA.
 *
 * Session-Timeout (4 bytes, network order) becomes the IKE_SA's
 * authentication lifetime; Acct-Interim-Interval starts periodic interim
 * accounting updates. Attributes with a length other than 4 are ignored,
 * as is everything if no IKE_SA is bound to the current thread.
 *
 * @param msg		RADIUS message (typically an Access-Accept) to scan
 */
static void process_timeout(radius_message_t *msg)
{
	enumerator_t *attrs;
	ike_sa_t *ike_sa;
	chunk_t value;
	int attr_type;

	ike_sa = charon->bus->get_sa(charon->bus);
	if (!ike_sa)
	{
		return;
	}
	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (value.len != 4)
		{
			continue;
		}
		switch (attr_type)
		{
			case RAT_SESSION_TIMEOUT:
				ike_sa->set_auth_lifetime(ike_sa, untoh32(value.ptr));
				break;
			case RAT_ACCT_INTERIM_INTERVAL:
				eap_radius_accounting_start_interim(ike_sa,
													untoh32(value.ptr));
				break;
			default:
				break;
		}
	}
	attrs->destroy(attrs);
}
379
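/**
 * Hand configuration attributes from a RADIUS message to the eap-radius
 * attribute provider for the current IKE_SA.
 *
 * Framed-IP-Address becomes the virtual IP offered to the peer. The two
 * reserved values of RFC 2865 section 5.8, 255.255.255.255 ("user selects
 * the address") and 255.255.255.254 ("NAS selects the address"), are not
 * addresses and are skipped so the regular address assignment applies
 * instead of handing such a placeholder to the client.
 * The Altiga/Cisco VPN3000 IPSec-Banner1/2 vendor attributes are passed on
 * as UNITY_BANNER if the peer announced Cisco Unity support.
 * Nothing is done without a provider or without an IKE_SA bound to the
 * current thread.
 *
 * @param msg		RADIUS message (typically an Access-Accept) to scan
 */
static void process_cfg_attributes(radius_message_t *msg)
{
	eap_radius_provider_t *provider;
	enumerator_t *enumerator;
	ike_sa_t *ike_sa;
	host_t *host;
	chunk_t data;
	u_int32_t addr;
	int type, vendor;

	ike_sa = charon->bus->get_sa(charon->bus);
	provider = eap_radius_provider_get();
	if (!provider || !ike_sa)
	{
		return;
	}

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type != RAT_FRAMED_IP_ADDRESS || data.len != 4)
		{
			continue;
		}
		addr = untoh32(data.ptr);
		if (addr == 0xffffffff || addr == 0xfffffffe)
		{	/* RFC 2865 placeholders, not assignable addresses */
			DBG1(DBG_IKE, "ignoring reserved RADIUS Framed-IP-Address 0x%08x",
				 addr);
			continue;
		}
		host = host_create_from_chunk(AF_INET, data, 0);
		if (host)
		{
			provider->add_framed_ip(provider, ike_sa->get_unique_id(ike_sa),
									host);
		}
	}
	enumerator->destroy(enumerator);

	enumerator = msg->create_vendor_enumerator(msg);
	while (enumerator->enumerate(enumerator, &vendor, &type, &data))
	{
		if (vendor != PEN_ALTIGA /* aka Cisco VPN3000 */)
		{
			continue;
		}
		switch (type)
		{
			case 15: /* CVPN3000-IPSec-Banner1 */
			case 36: /* CVPN3000-IPSec-Banner2 */
				if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
				{
					provider->add_attribute(provider,
											ike_sa->get_unique_id(ike_sa),
											UNITY_BANNER, data);
				}
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}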
435
/**
 * See header.
 *
 * Processes the attributes of a RADIUS Access-Accept for the IKE_SA bound
 * to the current thread. Class and Filter-Id group handling are opt-in via
 * the %s.plugins.eap-radius.class_group and %s.plugins.eap-radius.filter_id
 * settings (%s being the daemon name, both default to FALSE); timeout and
 * configuration attributes are always processed.
 *
 * @param message	received Access-Accept
 */
void eap_radius_process_attributes(radius_message_t *message)
{
	bool class_group, filter_id;

	class_group = lib->settings->get_bool(lib->settings,
					"%s.plugins.eap-radius.class_group", FALSE, charon->name);
	filter_id = lib->settings->get_bool(lib->settings,
					"%s.plugins.eap-radius.filter_id", FALSE, charon->name);
	if (class_group)
	{
		process_class(message);
	}
	if (filter_id)
	{
		process_filter_id(message);
	}
	process_timeout(message);
	process_cfg_attributes(message);
}
454
/**
 * Forward an EAP response from the peer to the RADIUS server and turn the
 * answer back into the next EAP request, or into the final verdict.
 *
 * The EAP packet is split into EAP-Message attributes of at most
 * MAX_RADIUS_ATTRIBUTE_SIZE bytes. An Access-Challenge with EAP data yields
 * NEED_MORE and the next EAP request in out; an Access-Accept yields SUCCESS
 * after eap_radius_process_attributes() handled its attributes; anything
 * else, including no response at all, yields FAILED.
 * NOTE(review): unlike initiate(), a missing response does not call
 * eap_radius_handle_timeout() here — presumably intentional, confirm.
 *
 * @param this		proxy instance
 * @param in		EAP response received from the peer
 * @param out		receives the next EAP request, on NEED_MORE only
 * @return			NEED_MORE, SUCCESS or FAILED
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *req, *resp;
	status_t result = FAILED;
	chunk_t eap;

	req = radius_message_create(RMC_ACCESS_REQUEST);
	add_radius_request_attrs(this, req);

	eap = in->get_data(in);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &eap);

	/* a single RADIUS attribute holds at most MAX_RADIUS_ATTRIBUTE_SIZE bytes */
	for (;;)
	{
		if (eap.len <= MAX_RADIUS_ATTRIBUTE_SIZE)
		{
			req->add(req, RAT_EAP_MESSAGE, eap);
			break;
		}
		req->add(req, RAT_EAP_MESSAGE,
				 chunk_create(eap.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		eap = chunk_skip(eap, MAX_RADIUS_ATTRIBUTE_SIZE);
	}

	resp = this->client->request(this->client, req);
	if (resp)
	{
		eap_radius_forward_to_ike(resp);
		switch (resp->get_code(resp))
		{
			case RMC_ACCESS_CHALLENGE:
				result = radius2ike(this, resp, out) ? NEED_MORE : FAILED;
				break;
			case RMC_ACCESS_ACCEPT:
				eap_radius_process_attributes(resp);
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				result = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
					 this->peer);
				break;
		}
		resp->destroy(resp);
	}
	req->destroy(req);
	return result;
}
509
/**
 * Report the EAP type (and vendor) currently being proxied.
 *
 * Initially EAP_RADIUS; after each Access-Challenge it reflects the type of
 * the EAP packet the RADIUS server sent (see radius2ike()).
 *
 * @param this		proxy instance
 * @param vendor	receives the vendor ID of the proxied method
 * @return			proxied EAP type
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t proxied = this->type;

	*vendor = this->vendor;
	return proxied;
}
516
/**
 * Return the MSK the RADIUS client derived for this exchange, if any.
 *
 * The chunk is passed through exactly as returned by the client (not cloned
 * here); an empty chunk means no key material is available.
 *
 * @param this		proxy instance
 * @param out		receives the MSK, on SUCCESS only
 * @return			SUCCESS if a non-empty MSK is available, FAILED otherwise
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t key = this->client->get_msk(this->client);

	if (!key.len)
	{
		return FAILED;
	}
	*out = key;
	return SUCCESS;
}
530
/**
 * Return the EAP message identifier currently used by this proxy.
 *
 * @param this		proxy instance
 * @return			EAP identifier set via set_identifier()
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t current = this->identifier;

	return current;
}
536
/**
 * Set the EAP message identifier used in the EAP-Identity response we build.
 *
 * @param this			proxy instance
 * @param identifier	EAP identifier to use
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	u_int8_t updated = identifier;

	this->identifier = updated;
}
542
/**
 * Tell whether the proxied EAP method is considered mutually authenticating.
 *
 * Only EAP-AKA and EAP-SIM are reported as mutual; every other type proxied
 * via RADIUS yields FALSE (presumably a conservative choice, as the proxy
 * itself cannot verify what the remote server did).
 *
 * @param this		proxy instance
 * @return			TRUE for EAP-AKA and EAP-SIM, FALSE otherwise
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
555
/**
 * Release the proxy: the cloned peer/server IDs, the RADIUS client and the
 * object itself. id_prefix (settings-owned) and station_id_fmt (a string
 * literal) are not freed.
 *
 * @param this		proxy instance to destroy
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
564
/**
 * Generic constructor.
 *
 * Reads the eap_start, id_prefix and station_id_with_port settings of the
 * eap-radius plugin, creates the RADIUS client and clones both IDs.
 *
 * @param server	server ID, cloned
 * @param peer		peer ID, cloned
 * @return			eap_radius_t instance, NULL if no RADIUS client could be
 *					created
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;
	bool with_port;

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		/* replaced by the method the RADIUS server selects, see radius2ike() */
		.type = EAP_RADIUS,
		.eap_start = lib->settings->get_bool(lib->settings,
						"%s.plugins.eap-radius.eap_start", FALSE,
						charon->name),
		.id_prefix = lib->settings->get_str(lib->settings,
						"%s.plugins.eap-radius.id_prefix", "",
						charon->name),
	);
	with_port = lib->settings->get_bool(lib->settings,
					"%s.plugins.eap-radius.station_id_with_port", TRUE,
					charon->name);
	this->station_id_fmt = with_port ? "%#H" : "%H";

	this->client = eap_radius_create_client();
	if (!this->client)
	{	/* nothing else has been allocated yet */
		free(this);
		return NULL;
	}
	this->peer = peer->clone(peer);
	this->server = server->clone(server);
	return &this->public;
}