Handle type of first EAP-RADIUS response more sophisticated
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17 #include "eap_radius_plugin.h"
18 #include "eap_radius_forward.h"
19
20 #include <radius_message.h>
21 #include <radius_client.h>
22
23 #include <daemon.h>
24
typedef struct private_eap_radius_t private_eap_radius_t;

/**
 * Private data of an eap_radius_t object.
 *
 * One instance proxies a single EAP conversation between the IKE peer and a
 * RADIUS server. It is created by eap_radius_create() and released through
 * the eap_method_t destroy() method.
 */
struct private_eap_radius_t {

	/**
	 * Public authenticator_t interface.
	 */
	eap_radius_t public;

	/**
	 * ID of the server (cloned in the constructor, owned by this object)
	 */
	identification_t *server;

	/**
	 * ID of the peer (cloned in the constructor, owned by this object).
	 * Its encoding is sent to the RADIUS server as User-Name and, unless
	 * EAP-Start is used, as EAP-Identity.
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying. Starts as EAP_RADIUS and is replaced
	 * by the type of the EAP message found in the first Access-Challenge.
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any (updated together with type)
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier, set by the IKE side via set_identifier()
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance, also provides the MSK after Access-Accept
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start (an empty EAP-Message attribute in the first
	 * Access-Request), FALSE to send EAP-Identity Response directly
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity. Returned by the settings backend,
	 * not owned by this object and therefore not freed in destroy().
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute of an Access-Accept as group membership
	 * information?
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute of an Access-Accept as IPsec CHILD_SA
	 * name?
	 */
	bool filter_id;
};
87
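/**
 * Add EAP-Identity Response to a RADIUS Access-Request
 *
 * The identity is id_prefix followed by the encoding of the peer identity.
 * The EAP message is added as one or more EAP-Message attributes, split at
 * MAX_RADIUS_ATTRIBUTE_SIZE exactly like process() does, so that a long peer
 * identity does not end up in an oversized attribute.
 *
 * @param this		private data, uses peer, id_prefix and identifier
 * @param request	RADIUS message to add the EAP-Message attribute(s) to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, msg;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;
	if (len > 0xffff)
	{	/* the EAP length field is 16 bit, a longer identity can't be encoded */
		DBG1(DBG_IKE, "EAP-Identity of '%Y' too long, not added to RADIUS "
			 "request", this->peer);
		return;
	}

	/* the peer identity length is chosen by the peer, keep it off the stack */
	hdr = malloc(len);
	if (!hdr)
	{
		return;
	}
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment the message suitable for RADIUS, see process(). add() copies
	 * the attribute data, so the buffer is released afterwards. */
	msg = chunk_create((u_char*)hdr, len);
	while (msg.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(msg.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		msg = chunk_skip(msg, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, msg);
	free(hdr);
}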
123
/**
 * Copy EAP-Message attribute from RADIUS message to an new EAP payload
 *
 * All EAP-Message attributes of msg are concatenated in order, as the server
 * splits long EAP messages over several attributes. On success a new EAP
 * payload is returned in out, and this->type/this->vendor are set to the
 * method the RADIUS server selected with this message.
 *
 * @param this		private data, type and vendor get updated
 * @param msg		RADIUS message to read EAP-Message attributes from
 * @param out		receives the created EAP payload
 * @return			TRUE if msg contained EAP-Message data, FALSE otherwise
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	eap_payload_t *eap;
	chunk_t attr, eap_data = chunk_empty;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &attr))
	{
		if (attr_type != RAT_EAP_MESSAGE || !attr.len)
		{
			continue;
		}
		/* "mc": the accumulated chunk is freed, the attribute data copied */
		eap_data = chunk_cat("mc", eap_data, attr);
	}
	attrs->destroy(attrs);

	if (!eap_data.len)
	{
		return FALSE;
	}
	/* the payload copies the data, eap_data is released below */
	eap = eap_payload_create_data(eap_data);
	*out = eap;

	/* apply EAP method selected by RADIUS server */
	this->type = eap->get_type(eap, &this->vendor);

	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &eap_data);
	free(eap_data.ptr);
	return TRUE;
}
157
/**
 * Send the first Access-Request and hand the server's first EAP message back
 * to IKE.
 *
 * User-Name is id_prefix followed by the peer identity. With eap_start an
 * empty EAP-Message attribute asks the server to begin the conversation,
 * otherwise an EAP-Identity Response is sent right away.
 *
 * Only an Access-Challenge carrying EAP data leads to NEED_MORE. Any other
 * answer, including an Access-Accept before any EAP method ran, is a failure:
 * no method has been completed at this point, so the peer is not authenticated.
 * A missing answer raises ALERT_RADIUS_NOT_RESPONDING.
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t username;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	/* User-Name = id_prefix || peer identity, built on the stack */
	username = chunk_cata("cc",
						  chunk_create(this->id_prefix, strlen(this->id_prefix)),
						  this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, username);

	if (this->eap_start)
	{	/* empty EAP-Message: let the server start the EAP conversation */
		request->add(request, RAT_EAP_MESSAGE, chunk_empty);
	}
	else
	{
		add_eap_identity(this, request);
	}
	eap_radius_forward_from_ike(request);

	response = this->client->request(this->client, request);
	if (!response)
	{
		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
	}
	else
	{
		eap_radius_forward_to_ike(response);
		if (response->get_code(response) == RMC_ACCESS_CHALLENGE)
		{
			if (radius2ike(this, response, out))
			{
				status = NEED_MORE;
			}
		}
		else
		{	/* Access-Reject, or an Access-Accept on the very first request
			 * (Microsoft RADIUS servers can run in such a mode). Both are
			 * treated as Access-Reject, as no EAP method has run yet. */
			DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
				 this->peer);
		}
		response->destroy(response);
	}
	request->destroy(request);
	return status;
}
211
/**
 * Handle the Class attribute as group membership information
 *
 * Every Class attribute of the Access-Accept is turned into an identity and
 * added as AUTH_RULE_GROUP to the auth config of the current IKE_SA, where
 * peer configs can match on it. Class values of 44 bytes or more are skipped,
 * as some servers (NPS) use long Class attributes for other purposes.
 *
 * @param this		private data (unused)
 * @param msg		RADIUS Access-Accept to read Class attributes from
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	chunk_t attr;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &attr))
	{
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;
		identification_t *group;

		if (attr_type != RAT_CLASS)
		{
			continue;
		}
		if (attr.len >= 44)
		{	/* quirk: ignore long class attributes, these are used for
			 * other purposes by some RADIUS servers (such as NPS). */
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (!ike_sa)
		{
			continue;
		}
		/* FALSE presumably selects the remote (peer) auth config - confirm
		 * against ike_sa.h */
		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
		group = identification_create_from_data(attr);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", group);
		auth->add(auth, AUTH_RULE_GROUP, group);
	}
	attrs->destroy(attrs);
}
248
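/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name
 *
 * If the Access-Accept carries a Tunnel-Type attribute with value ESP, the
 * Filter-Id attribute is added as AUTH_RULE_GROUP to the auth config of the
 * current IKE_SA, where a config can match on it. Without an ESP Tunnel-Type
 * the Filter-Id is only logged. If several attributes of a kind are present,
 * the last one wins.
 *
 * The received message is not modified: the Tunnel-Type tag octet is masked
 * out of the value instead of being zeroed in the attribute data in place.
 *
 * @param this		private data (unused)
 * @param msg		RADIUS Access-Accept to read the attributes from
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{
					continue;
				}
				/* first octet is the tag, the value is in the lower 24 bits */
				tunnel_tag = data.ptr[0];
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				/* server-supplied bytes, logged with an explicit length */
				filter_id = data;
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}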
304
/**
 * Handle Session-Timeout attribute
 *
 * A 4 byte Session-Timeout attribute (a 32 bit value in network order, in
 * seconds according to RFC 2865) of the Access-Accept is applied as
 * authentication lifetime of the current IKE_SA. Attributes of any other
 * length are ignored.
 *
 * @param this		private data (unused)
 * @param msg		RADIUS Access-Accept to read the attribute from
 */
static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	chunk_t attr;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &attr))
	{
		ike_sa_t *ike_sa;

		if (attr_type != RAT_SESSION_TIMEOUT || attr.len != 4)
		{
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			ike_sa->set_auth_lifetime(ike_sa, untoh32(attr.ptr));
		}
	}
	attrs->destroy(attrs);
}
329
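/**
 * Forward an EAP message from the peer to the RADIUS server and hand the
 * answer back to IKE.
 *
 * The User-Name is built the same way as in initiate() (id_prefix followed
 * by the peer identity), so the server sees one consistent identity over the
 * whole conversation. The EAP data is split into EAP-Message attributes of
 * at most MAX_RADIUS_ATTRIBUTE_SIZE bytes.
 *
 * Access-Challenge with EAP data yields NEED_MORE, Access-Accept applies the
 * authorization attributes (Class, Filter-Id, Session-Timeout) and yields
 * SUCCESS, anything else fails. As in initiate(), a missing answer raises
 * ALERT_RADIUS_NOT_RESPONDING.
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *request, *response;
	status_t status = FAILED;
	chunk_t username, data;

	request = radius_message_create(RMC_ACCESS_REQUEST);
	/* same User-Name as in initiate(): id_prefix || peer identity */
	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
	request->add(request, RAT_USER_NAME, username);
	data = in->get_data(in);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);

	/* fragment data suitable for RADIUS */
	while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, data);

	eap_radius_forward_from_ike(request);
	response = this->client->request(this->client, request);
	if (response)
	{
		eap_radius_forward_to_ike(response);
		switch (response->get_code(response))
		{
			case RMC_ACCESS_CHALLENGE:
				/* status stays FAILED if the challenge carries no EAP data */
				if (radius2ike(this, response, out))
				{
					status = NEED_MORE;
				}
				break;
			case RMC_ACCESS_ACCEPT:
				/* the server completed the EAP method, apply the
				 * authorization attributes it sent along */
				if (this->class_group)
				{
					process_class(this, response);
				}
				if (this->filter_id)
				{
					process_filter_id(this, response);
				}
				process_timeout(this, response);
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				status = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
					 this->peer);
				break;
		}
		response->destroy(response);
	}
	else
	{	/* consistent with initiate(): notify listeners about a dead server */
		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
	}
	request->destroy(request);
	return status;
}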
392
/**
 * Report the EAP method type currently proxied.
 *
 * This is EAP_RADIUS until the first Access-Challenge selected a method
 * (see radius2ike()); vendor is written in any case.
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t type = this->type;

	*vendor = this->vendor;
	return type;
}
399
/**
 * Return the MSK provided by the RADIUS client.
 *
 * How the client derives it from the server's attributes is up to
 * radius_client_t. out is left untouched and FAILED returned if the client
 * has no MSK (zero length).
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t msk = this->client->get_msk(this->client);

	if (!msk.len)
	{
		return FAILED;
	}
	*out = msk;
	return SUCCESS;
}
413
/**
 * Return the EAP message identifier last set via set_identifier().
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t identifier = this->identifier;

	return identifier;
}
419
/**
 * Store the EAP message identifier, used in the EAP-Identity Response
 * built by add_eap_identity().
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	u_int8_t id = identifier;

	this->identifier = id;
}
425
/**
 * Report whether the proxied method authenticates both sides.
 *
 * Only EAP-AKA and EAP-SIM are reported as mutual; every other type,
 * including EAP_RADIUS before the server selected a method, is not.
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
438
/**
 * Release the cloned identities, the RADIUS client and the object itself.
 *
 * id_prefix is deliberately not freed: it was handed out by the settings
 * backend in the constructor and is not owned by this object.
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
447
/**
 * Generic constructor
 *
 * Reads the eap-radius plugin settings (eap_start, id_prefix, class_group,
 * filter_id), creates the RADIUS client and clones both identities.
 *
 * @param server	ID of the server, cloned
 * @param peer		ID of the peer, cloned
 * @return			eap_radius_t object, NULL if no RADIUS client could be
 *					created (the object is released in that case)
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;
	bool eap_start, class_group, filter_id;
	char *id_prefix;

	eap_start = lib->settings->get_bool(lib->settings,
							"%s.plugins.eap-radius.eap_start", FALSE,
							charon->name);
	/* not a copy: the string stays owned by the settings backend */
	id_prefix = lib->settings->get_str(lib->settings,
							"%s.plugins.eap-radius.id_prefix", "",
							charon->name);
	class_group = lib->settings->get_bool(lib->settings,
							"%s.plugins.eap-radius.class_group", FALSE,
							charon->name);
	filter_id = lib->settings->get_bool(lib->settings,
							"%s.plugins.eap-radius.filter_id", FALSE,
							charon->name);

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.eap_start = eap_start,
		.id_prefix = id_prefix,
		.class_group = class_group,
		.filter_id = filter_id,
	);

	this->client = eap_radius_create_client();
	if (!this->client)
	{
		free(this);
		return NULL;
	}
	this->peer = peer->clone(peer);
	this->server = server->clone(server);
	return &this->public;
}
493