Show result of RADIUS authentication along with EAP identity
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17
18 #include "radius_message.h"
19 #include "radius_client.h"
20
21 #include <daemon.h>
22
/* Tunnel-Type attribute value meaning ESP (RFC 2868 value table);
 * compared against the masked 24 bit value in process_filter_id() */
#define TUNNEL_TYPE_ESP 9
24
25 typedef struct private_eap_radius_t private_eap_radius_t;
26
27 /**
28 * Private data of an eap_radius_t object.
29 */
/**
 * Private data of an eap_radius_t object.
 *
 * One instance per EAP exchange. It relays the EAP conversation between the
 * IKE peer and a RADIUS server through a radius_client_t, and copies
 * authorization data from the Access-Accept into the IKE_SA's auth config.
 */
struct private_eap_radius_t {

	/**
	 * Public authenticator_t interface.
	 */
	eap_radius_t public;

	/**
	 * ID of the server (cloned in eap_radius_create(), released in destroy())
	 */
	identification_t *server;

	/**
	 * ID of the peer; its encoding is sent as RADIUS User-Name and as the
	 * EAP-Identity (cloned in eap_radius_create(), released in destroy())
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying. Starts as EAP_RADIUS and is replaced
	 * by the method the RADIUS server selects, see radius2ike().
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any (updated together with type in radius2ike())
	 */
	u_int32_t vendor;

	/**
	 * RADIUS client instance, sends the Access-Requests and provides the MSK
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start (an empty EAP-Message attribute), FALSE to send
	 * an EAP-Identity Response directly; charon.plugins.eap-radius.eap_start
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity and User-Name;
	 * charon.plugins.eap-radius.id_prefix, defaults to "" so strlen() on it
	 * is always safe. Points into the settings, not freed in destroy().
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute as group membership information?
	 * (charon.plugins.eap-radius.class_group)
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
	 * (charon.plugins.eap-radius.filter_id)
	 */
	bool filter_id;
};
82
83 /**
84 * Add EAP-Identity to RADIUS message
85 */
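/**
 * Add an EAP-Response/Identity to a RADIUS Access-Request.
 *
 * The identity sent is id_prefix followed by the peer's IKE identity
 * encoding. The EAP packet is split into EAP-Message attributes of at most
 * 253 bytes, exactly as process() does for peer-supplied EAP packets: a RADIUS
 * attribute carries at most 253 bytes of payload, and consecutive EAP-Message
 * attributes are concatenated again by the server.
 *
 * @param this		plugin instance (reads peer identity and id_prefix)
 * @param request	Access-Request to add the EAP-Message attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, data;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;
	if (len > 0xffff)
	{	/* the EAP length field is 16 bit and the identity is chosen by the
		 * remote IKE peer: refuse instead of sending a truncated length */
		DBG1(DBG_IKE, "EAP-Identity of %zu bytes too long, not sent", len);
		return;
	}

	/* stack allocation is bounded by the check above (< 64 KiB) */
	hdr = alloca(len);
	hdr->code = EAP_RESPONSE;
	/* no EAP-Request/Identity of ours precedes this response; 0 is used */
	hdr->identifier = 0;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment into 253 byte EAP-Message attributes, like process() does,
	 * instead of handing a single oversized attribute to the message */
	data = chunk_create((u_char*)hdr, len);
	while (data.len > 253)
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
		data = chunk_skip(data, 253);
	}
	request->add(request, RAT_EAP_MESSAGE, data);
}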
118
119 /**
120 * Copy EAP-Message attribute from RADIUS message to an new EAP payload
121 */
/**
 * Collect the EAP-Message attribute(s) of a RADIUS message into a new EAP
 * payload.
 *
 * Several EAP-Message attributes are concatenated in the order they appear
 * (the server fragments larger EAP packets this way). When EAP data was
 * found, this->type and this->vendor are updated to the method the server
 * selected.
 *
 * @param this	plugin instance whose EAP type/vendor get updated
 * @param msg	RADIUS message (Access-Challenge) to scan
 * @param out	receives the newly created EAP payload on success
 * @return		TRUE if a payload was created, FALSE if no EAP data was found
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	chunk_t eap = chunk_empty, attr;
	int attr_type;
	bool found;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &attr))
	{
		if (attr_type != RAT_EAP_MESSAGE || !attr.len)
		{
			continue;
		}
		/* "mc": the accumulated buffer is released, attr is copied */
		eap = chunk_cat("mc", eap, attr);
	}
	attrs->destroy(attrs);

	found = eap.len > 0;
	if (found)
	{
		*out = eap_payload_create_data(eap);
		/* the payload does not take ownership of our buffer */
		free(eap.ptr);
		/* the RADIUS server picks the actual EAP method; mirror its choice */
		this->type = (*out)->get_type(*out, &this->vendor);
	}
	return found;
}
149
/**
 * Start the EAP conversation: send the first Access-Request.
 *
 * The User-Name is id_prefix followed by the peer's identity. Depending on
 * eap_start, either an empty EAP-Message (EAP-Start) or a complete
 * EAP-Response/Identity is included. The server's EAP-Message from the
 * reply becomes the first EAP payload sent to the peer.
 *
 * @return	NEED_MORE with *out set, FAILED if no usable reply was received
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *req, *resp;
	status_t result = FAILED;
	chunk_t prefix, user;

	req = radius_message_create_request();

	/* User-Name: id_prefix + peer identity, built on the stack */
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	user = chunk_cata("cc", prefix, this->peer->get_encoding(this->peer));
	req->add(req, RAT_USER_NAME, user);

	if (!this->eap_start)
	{
		add_eap_identity(this, req);
	}
	else
	{
		/* EAP-Start: an empty EAP-Message lets the server send the first request */
		req->add(req, RAT_EAP_MESSAGE, chunk_empty);
	}

	resp = this->client->request(this->client, req);
	if (resp)
	{
		if (radius2ike(this, resp, out))
		{
			result = NEED_MORE;
		}
		resp->destroy(resp);
	}
	req->destroy(req);
	return result;
}
183
184 /**
185 * Handle the Class attribute as group membership information
186 */
/**
 * Handle the Class attribute as group membership information.
 *
 * Every Class attribute shorter than 44 bytes is added as AUTH_RULE_GROUP to
 * the auth config of the IKE_SA currently on the bus. Longer Class values are
 * skipped, see the quirk comment below.
 *
 * @param this	plugin instance (unused)
 * @param msg	Access-Accept message to scan
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	chunk_t value;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;
		identification_t *group;

		if (attr_type != RAT_CLASS)
		{
			continue;
		}
		if (value.len >= 44)
		{	/* quirk: ignore long class attributes, these are used for
			 * other purposes by some RADIUS servers (such as NPS). */
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (!ike_sa)
		{
			continue;
		}
		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
		/* the raw attribute bytes become the group identity */
		group = identification_create_from_data(value);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", group);
		auth->add(auth, AUTH_RULE_GROUP, group);
	}
	attrs->destroy(attrs);
}
220
221 /**
222 * Handle the Filter-Id attribute as IPsec CHILD_SA name
223 */
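/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name.
 *
 * If the Access-Accept carries a Tunnel-Type of ESP together with a
 * Filter-Id, the Filter-Id is added as AUTH_RULE_GROUP to the auth config of
 * the IKE_SA currently on the bus. Tunnel-Type tags are only logged, not
 * correlated with the Filter-Id; of several Tunnel-Type or Filter-Id
 * attributes the last one seen wins (behavior unchanged).
 *
 * @param this	plugin instance (unused)
 * @param msg	Access-Accept message to scan
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{
					break;
				}
				/* one tag byte followed by a 24 bit value. Mask the tag out of
				 * the value instead of writing 0 into the received buffer, so
				 * the message we are still reading is never modified. */
				tunnel_tag = data.ptr[0];
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				/* aliases the message buffer, valid as long as msg lives */
				filter_id = data;
				/* "%.*" takes an int precision, filter_id.len is a size_t;
				 * the attribute is printed as-is and need not be printable */
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}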
276
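/**
 * Relay one EAP packet from the peer to the RADIUS server and map the reply.
 *
 * Access-Challenge: the server's EAP-Message becomes *out (NEED_MORE).
 * Access-Accept: optional Class/Filter-Id authorization data is processed
 * and SUCCESS is returned. Access-Reject or anything else: FAILED.
 *
 * Authenticity of the reply (Message-Authenticator / Response Authenticator)
 * is assumed to be verified inside radius_client_t before it is returned
 * here; nothing in this file checks it — TODO confirm in radius_client.c.
 *
 * @param in	EAP payload received from the peer
 * @param out	receives the next EAP payload for the peer on NEED_MORE
 * @return		NEED_MORE, SUCCESS or FAILED
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t username, data;

	request = radius_message_create_request();
	/* use the same User-Name as initiate() (id_prefix + peer identity), so
	 * every Access-Request of this conversation carries an identical
	 * User-Name; a User-Name that changes mid-conversation breaks
	 * realm-based proxying and servers correlating requests by it */
	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, username);

	data = in->get_data(in);
	/* a RADIUS attribute holds at most 253 bytes: split the EAP packet into
	 * consecutive EAP-Message attributes, the server reassembles them */
	while (data.len > 253)
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
		data = chunk_skip(data, 253);
	}
	request->add(request, RAT_EAP_MESSAGE, data);

	response = this->client->request(this->client, request);
	if (response)
	{
		switch (response->get_code(response))
		{
			case RMC_ACCESS_CHALLENGE:
				/* another round trip; a challenge without EAP data fails */
				if (radius2ike(this, response, out))
				{
					status = NEED_MORE;
				}
				break;
			case RMC_ACCESS_ACCEPT:
				/* optional authorization data carried in the Accept */
				if (this->class_group)
				{
					process_class(this, response);
				}
				if (this->filter_id)
				{
					process_filter_id(this, response);
				}
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				status = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				/* Reject and any unexpected code both fail the authentication */
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
				break;
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}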
332
/**
 * Report the EAP method currently proxied.
 *
 * Initially EAP_RADIUS with vendor 0; radius2ike() replaces both with the
 * method selected by the RADIUS server.
 *
 * @param vendor	receives the EAP vendor ID
 * @return			EAP method type
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t current = this->type;

	*vendor = this->vendor;
	return current;
}
339
/**
 * Hand out the MSK obtained by the RADIUS client.
 *
 * The chunk is passed through as returned by the client, without copying;
 * ownership therefore stays wherever radius_client_t keeps it (presumably
 * the client, verify before freeing in a caller).
 *
 * @param out	receives the MSK if one is available
 * @return		SUCCESS if an MSK is available, FAILED otherwise
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t msk = this->client->get_msk(this->client);

	if (!msk.len)
	{
		return FAILED;
	}
	*out = msk;
	return SUCCESS;
}
353
/**
 * Whether the proxied EAP method authenticates both sides.
 *
 * Only EAP-AKA and EAP-SIM are reported as mutual; EAP_RADIUS itself (before
 * the server selected a method) and all other methods are not.
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
366
/**
 * Release the proxied EAP method: RADIUS client, cloned identities, self.
 * id_prefix points into the settings and is not freed here.
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
375
376 /**
377 * Generic constructor
378 */
/**
 * Generic constructor.
 *
 * Creates the RADIUS client first; without one no method is created.
 * Options are read from charon.plugins.eap-radius.*; id_prefix defaults to
 * "" so it can always be passed to strlen(). The identities are cloned.
 *
 * @param server	ID of the server (cloned)
 * @param peer		ID of the peer (cloned)
 * @return			EAP method, NULL if no RADIUS client could be created
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;
	radius_client_t *client;

	client = radius_client_create();
	if (!client)
	{
		return NULL;
	}

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.destroy = _destroy,
			},
		},
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.client = client,
		.eap_start = lib->settings->get_bool(lib->settings,
						"charon.plugins.eap-radius.eap_start", FALSE),
		.id_prefix = lib->settings->get_str(lib->settings,
						"charon.plugins.eap-radius.id_prefix", ""),
		.class_group = lib->settings->get_bool(lib->settings,
						"charon.plugins.eap-radius.class_group", FALSE),
		.filter_id = lib->settings->get_bool(lib->settings,
						"charon.plugins.eap-radius.filter_id", FALSE),
		.peer = peer->clone(peer),
		.server = server->clone(server),
	);
	return &this->public;
}
416