implemented get|set_identifier() for eap_radius_t
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17
18 #include "radius_message.h"
19 #include "radius_client.h"
20
21 #include <daemon.h>
22
23 #define TUNNEL_TYPE_ESP 9
24
typedef struct private_eap_radius_t private_eap_radius_t;

/**
 * Private data of an eap_radius_t object.
 */
struct private_eap_radius_t {

	/**
	 * Public eap_radius_t interface, handed out by eap_radius_create().
	 * Kept as the first member; the METHOD implementations below receive
	 * the object through this member — presumably cast back, confirm in
	 * the METHOD macro definition.
	 */
	eap_radius_t public;

	/**
	 * ID of the server (cloned in the constructor, destroyed in destroy())
	 */
	identification_t *server;

	/**
	 * ID of the peer (cloned in the constructor, destroyed in destroy()).
	 * Its encoding is what goes out as RADIUS User-Name and EAP-Identity.
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying; starts as EAP_RADIUS and is
	 * overwritten in radius2ike() with whatever the server selects
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any (updated together with type in radius2ike())
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier, used for the EAP-Identity Response
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance, owned by this object
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
	 * (charon.plugins.eap-radius.eap_start)
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity (charon.plugins.eap-radius.id_prefix);
	 * points into the settings, not owned
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute as group membership information?
	 * (charon.plugins.eap-radius.class_group)
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
	 * (charon.plugins.eap-radius.filter_id)
	 */
	bool filter_id;
};
87
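/**
 * Add EAP-Identity Response to RADIUS message
 *
 * The identity carried is id_prefix followed by the peer identity. As in
 * process(), the resulting EAP message is split into EAP-Message attributes
 * of at most 253 bytes, the largest value a single RADIUS attribute can hold;
 * radius2ike() reassembles fragmented EAP-Message attributes on the way back.
 *
 * @param this      private eap_radius instance
 * @param request   RADIUS request to add the EAP-Message attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, data;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;
	/* NOTE(review): the EAP length field is 16 bit; a peer identity plus
	 * prefix is assumed to stay below that - confirm against the ID payload
	 * size limits of the IKE parser. */

	hdr = alloca(len);
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment data suitable for RADIUS (not more than 253 bytes), exactly
	 * as process() does for EAP payloads received from the peer */
	data = chunk_create((u_char*)hdr, len);
	while (data.len > 253)
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
		data = chunk_skip(data, 253);
	}
	request->add(request, RAT_EAP_MESSAGE, data);
}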
123
/**
 * Copy EAP-Message attribute(s) from RADIUS message to a new EAP payload
 *
 * All non-empty EAP-Message attributes are concatenated in order, so a
 * fragmented EAP message is reassembled. The EAP type/vendor announced by
 * the resulting payload replaces the type this method proxies.
 *
 * @param this   private eap_radius instance, type/vendor updated on success
 * @param msg    RADIUS message to extract the EAP message from
 * @param out    receives the created EAP payload if one was found
 * @return       TRUE if an EAP payload was created
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	chunk_t eap = chunk_empty, value;
	int attr_type;
	bool found;

	/* concatenate every (possibly fragmented) EAP-Message attribute */
	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_EAP_MESSAGE || !value.len)
		{
			continue;
		}
		eap = chunk_cat("mc", eap, value);
	}
	attrs->destroy(attrs);

	found = (eap.len != 0);
	if (found)
	{
		eap_payload_t *payload = eap_payload_create_data(eap);

		*out = payload;
		free(eap.ptr);
		/* apply EAP method selected by RADIUS server */
		this->type = payload->get_type(payload, &this->vendor);
	}
	return found;
}
154
/**
 * Start the EAP conversation by sending the first Access-Request.
 *
 * The User-Name is id_prefix followed by the peer identity. Depending on
 * eap_start, either an empty EAP-Message (EAP-Start) or a complete
 * EAP-Identity Response is included. The server's reply is turned into the
 * first EAP payload for the peer.
 *
 * @param this   private eap_radius instance
 * @param out    receives the EAP payload to send to the peer on NEED_MORE
 * @return       NEED_MORE if the server answered with an EAP message,
 *               FAILED otherwise
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t prefix, username;

	request = radius_message_create_request();
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	username = chunk_cata("cc", prefix, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, username);

	/* either let the server start EAP, or send the identity right away */
	if (!this->eap_start)
	{
		add_eap_identity(this, request);
	}
	else
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
	}

	response = this->client->request(this->client, request);
	if (response)
	{
		if (radius2ike(this, response, out))
		{
			status = NEED_MORE;
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}
188
/**
 * Handle the Class attribute as group membership information
 *
 * Every Class attribute shorter than 44 bytes is added as AUTH_RULE_GROUP
 * to the auth config of the IKE_SA currently checked out on the bus.
 *
 * @param this   private eap_radius instance
 * @param msg    Access-Accept message to scan for Class attributes
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	ike_sa_t *ike_sa;
	chunk_t data;
	int type;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type != RAT_CLASS)
		{
			continue;
		}
		if (data.len >= 44)
		{	/* quirk: ignore long class attributes, these are used for
			 * other purposes by some RADIUS servers (such as NPS). */
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth_cfg_t *auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			identification_t *id = identification_create_from_data(data);

			DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
	enumerator->destroy(enumerator);
}
225
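/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name
 *
 * The Filter-Id is honored only if the message also carries a Tunnel-Type
 * attribute with value ESP. Attributes are read without modifying the
 * RADIUS message; if either attribute appears more than once, the last
 * instance wins. The Filter-Id is added as AUTH_RULE_GROUP to the auth
 * config of the IKE_SA currently checked out on the bus.
 *
 * @param this   private eap_radius instance
 * @param msg    Access-Accept message to scan for attributes
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{	/* malformed, skip it */
					break;
				}
				/* RFC 2868: first octet is the tag, the remaining 24 bit the
				 * value. Mask the tag out instead of zeroing it in the message
				 * buffer, which would alter the message for later readers. */
				tunnel_tag = data.ptr[0];
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				filter_id = data;
				/* the precision of %.*s is an int, not a size_t */
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}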
281
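/**
 * Forward an EAP payload from the peer to the RADIUS server and map the
 * server's reply to the next EAP step.
 *
 * The User-Name is built the same way as in initiate() (id_prefix followed
 * by the peer identity), so the server sees one consistent identity for the
 * whole conversation. On Access-Accept, Class and Filter-Id handling is
 * applied if enabled in the configuration.
 *
 * @param this   private eap_radius instance
 * @param in     EAP payload received from the peer
 * @param out    receives the EAP payload to send to the peer on NEED_MORE
 * @return       NEED_MORE on Access-Challenge carrying an EAP message,
 *               SUCCESS on Access-Accept, FAILED on Access-Reject, on any
 *               other code, or if no response was received
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t username, data;

	request = radius_message_create_request();
	/* same User-Name as sent in initiate(): id_prefix + peer identity */
	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, username);
	data = in->get_data(in);
	/* fragment data suitable for RADIUS (not more than 253 bytes) */
	while (data.len > 253)
	{
		request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr, 253));
		data = chunk_skip(data, 253);
	}
	request->add(request, RAT_EAP_MESSAGE, data);

	response = this->client->request(this->client, request);
	if (response)
	{
		switch (response->get_code(response))
		{
			case RMC_ACCESS_CHALLENGE:
				/* the server continues EAP; radius2ike() sets *out */
				if (radius2ike(this, response, out))
				{
					status = NEED_MORE;
					break;
				}
				DBG1(DBG_IKE, "RADIUS Access-Challenge without EAP-Message");
				break;
			case RMC_ACCESS_ACCEPT:
				if (this->class_group)
				{
					process_class(this, response);
				}
				if (this->filter_id)
				{
					process_filter_id(this, response);
				}
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				status = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
				break;
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}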
337
/**
 * Report the EAP type (and vendor) currently proxied; this is the type
 * selected by the RADIUS server once a reply has been processed.
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t proxied = this->type;

	*vendor = this->vendor;
	return proxied;
}
344
/**
 * Hand out the MSK obtained by the RADIUS client, if it delivered one.
 *
 * @param out   receives the MSK chunk on SUCCESS (not copied)
 * @return      SUCCESS if a non-empty MSK is available, FAILED otherwise
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t msk = this->client->get_msk(this->client);

	if (!msk.len)
	{
		return FAILED;
	}
	*out = msk;
	return SUCCESS;
}
358
/**
 * Current EAP message identifier, as used for the EAP-Identity Response.
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t current = this->identifier;

	return current;
}
364
/**
 * Set the EAP message identifier to use for the EAP-Identity Response.
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	u_int8_t wanted = identifier;

	this->identifier = wanted;
}
370
/**
 * Whether the proxied method provides mutual authentication; only EAP-AKA
 * and EAP-SIM are treated as mutual here.
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	eap_type_t proxied = this->type;

	return proxied == EAP_AKA || proxied == EAP_SIM;
}
383
/**
 * Release the RADIUS client, the cloned identities and the object itself.
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
392
/**
 * Generic constructor
 *
 * Options are read from charon.plugins.eap-radius.*. Both identities are
 * cloned, so the caller keeps ownership of its arguments.
 *
 * @param server   ID of the server
 * @param peer     ID of the peer
 * @return         eap_radius_t instance, NULL if no RADIUS client could be
 *                 created
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;
	bool eap_start, class_group, filter_id;
	char *id_prefix;

	eap_start = lib->settings->get_bool(lib->settings,
							"charon.plugins.eap-radius.eap_start", FALSE);
	id_prefix = lib->settings->get_str(lib->settings,
							"charon.plugins.eap-radius.id_prefix", "");
	class_group = lib->settings->get_bool(lib->settings,
							"charon.plugins.eap-radius.class_group", FALSE);
	filter_id = lib->settings->get_bool(lib->settings,
							"charon.plugins.eap-radius.filter_id", FALSE);

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.eap_start = eap_start,
		.id_prefix = id_prefix,
		.class_group = class_group,
		.filter_id = filter_id,
	);

	this->client = radius_client_create();
	if (!this->client)
	{	/* nothing else has been allocated yet */
		free(this);
		return NULL;
	}
	this->peer = peer->clone(peer);
	this->server = server->clone(server);
	return &this->public;
}
435