In eap-radius, hand out received Framed-IP-Address attributes as virtual IP
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_radius.h"
17 #include "eap_radius_plugin.h"
18 #include "eap_radius_forward.h"
19 #include "eap_radius_provider.h"
20
21 #include <radius_message.h>
22 #include <radius_client.h>
23
24 #include <daemon.h>
25
26 typedef struct private_eap_radius_t private_eap_radius_t;
27
/**
 * Private data of an eap_radius_t object.
 *
 * Created by eap_radius_create(), which clones peer/server and creates the
 * RADIUS client; destroy() releases those three.  The remaining fields are
 * read once from the "%s.plugins.eap-radius.*" settings at creation time.
 */
struct private_eap_radius_t {

	/**
	 * Public eap_radius_t interface; its eap_method member holds the
	 * initiate/process/get_msk/... callbacks wired up in eap_radius_create().
	 */
	eap_radius_t public;

	/**
	 * ID of the server (own clone, released in destroy())
	 */
	identification_t *server;

	/**
	 * ID of the peer (own clone); its encoding is sent as RADIUS User-Name
	 * and as EAP identity, and it keys the Framed-IP-Address hand-out
	 */
	identification_t *peer;

	/**
	 * EAP method type we are proxying: EAP_RADIUS initially, replaced by the
	 * type of the EAP packet in the first Access-Challenge (see radius2ike)
	 */
	eap_type_t type;

	/**
	 * EAP vendor, if any (updated together with type in radius2ike)
	 */
	u_int32_t vendor;

	/**
	 * EAP message identifier, stored by set_identifier(); used as identifier
	 * of the EAP-Identity Response built in add_eap_identity()
	 */
	u_int8_t identifier;

	/**
	 * RADIUS client instance (owned, destroyed in destroy())
	 */
	radius_client_t *client;

	/**
	 * TRUE to use EAP-Start (an empty EAP-Message attribute in the first
	 * Access-Request), FALSE to send EAP-Identity Response directly
	 */
	bool eap_start;

	/**
	 * Prefix to prepend to EAP identity and User-Name; the string returned
	 * by settings->get_str(), it is not freed by this object
	 */
	char *id_prefix;

	/**
	 * Handle the Class attribute as group membership information?
	 */
	bool class_group;

	/**
	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
	 */
	bool filter_id;
};
88
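/**
 * Add an EAP-Identity Response for the peer to a RADIUS Access-Request.
 *
 * The EAP packet is code/identifier/length/type followed by the configured
 * id_prefix and the raw peer identity.  A single RADIUS attribute holds at
 * most MAX_RADIUS_ATTRIBUTE_SIZE bytes, so the packet is split over as many
 * EAP-Message attributes as needed, the same way process() fragments EAP
 * packets received from the IKE peer.  The EAP length field is 16 bit; the
 * peer identity comes from the IKE peer, so an identity that would not fit
 * is refused instead of letting the length wrap silently.
 *
 * @param this		private data (peer, id_prefix, identifier)
 * @param request	RADIUS request the EAP-Message attribute(s) are added to
 */
static void add_eap_identity(private_eap_radius_t *this,
							 radius_message_t *request)
{
	struct {
		/** EAP code (REQUEST/RESPONSE) */
		u_int8_t code;
		/** unique message identifier */
		u_int8_t identifier;
		/** length of whole message */
		u_int16_t length;
		/** EAP type */
		u_int8_t type;
		/** identity data */
		u_int8_t data[];
	} __attribute__((__packed__)) *hdr;
	chunk_t id, prefix, packet;
	size_t len;

	id = this->peer->get_encoding(this->peer);
	prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
	len = sizeof(*hdr) + prefix.len + id.len;
	if (len > 0xFFFF)
	{	/* would overflow hdr->length, the server could not parse it anyway */
		DBG1(DBG_IKE, "EAP identity of '%Y' too long, not sent to RADIUS",
			 this->peer);
		return;
	}

	/* heap instead of alloca: the size is chosen by the peer */
	hdr = malloc(len);
	hdr->code = EAP_RESPONSE;
	hdr->identifier = this->identifier;
	hdr->length = htons(len);
	hdr->type = EAP_IDENTITY;
	memcpy(hdr->data, prefix.ptr, prefix.len);
	memcpy(hdr->data + prefix.len, id.ptr, id.len);

	/* fragment into RADIUS-sized EAP-Message attributes; the message copies
	 * the data on add(), so hdr can be released afterwards */
	packet = chunk_create((u_char*)hdr, len);
	while (packet.len > MAX_RADIUS_ATTRIBUTE_SIZE)
	{
		request->add(request, RAT_EAP_MESSAGE,
					 chunk_create(packet.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
		packet = chunk_skip(packet, MAX_RADIUS_ATTRIBUTE_SIZE);
	}
	request->add(request, RAT_EAP_MESSAGE, packet);
	free(hdr);
}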
124
/**
 * Build an EAP payload from the EAP-Message attribute(s) of a RADIUS message.
 *
 * All non-empty RAT_EAP_MESSAGE attributes are concatenated in the order they
 * appear (a long EAP packet arrives split over several attributes).  The EAP
 * type and vendor found in the resulting packet are stored in this->type and
 * this->vendor, as the RADIUS server decides which EAP method is run.
 *
 * @param this		private data, type/vendor are updated
 * @param msg		RADIUS message to read EAP-Message attributes from
 * @param out		receives the created EAP payload
 * @return			TRUE if a payload was created, FALSE if msg carried no EAP data
 */
static bool radius2ike(private_eap_radius_t *this,
					   radius_message_t *msg, eap_payload_t **out)
{
	enumerator_t *attrs;
	chunk_t fragment, eap = chunk_empty;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &fragment))
	{
		if (attr_type != RAT_EAP_MESSAGE || !fragment.len)
		{
			continue;
		}
		/* "mc": the chunk accumulated so far is released, the fragment copied */
		eap = chunk_cat("mc", eap, fragment);
	}
	attrs->destroy(attrs);

	if (!eap.len)
	{
		return FALSE;
	}
	*out = eap_payload_create_data(eap);

	/* mirror the EAP method the RADIUS server selected */
	this->type = (*out)->get_type(*out, &this->vendor);

	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &eap);
	free(eap.ptr);
	return TRUE;
}
158
/**
 * Start RADIUS authentication of the peer with a first Access-Request.
 *
 * The request carries User-Name (id_prefix + peer identity) and either an
 * empty EAP-Message (EAP-Start) or a complete EAP-Identity Response.  Only an
 * Access-Challenge with EAP data continues the exchange; every other reply,
 * including an immediate Access-Accept, counts as failure.
 *
 * @param this		private data
 * @param out		receives the EAP payload to send to the IKE peer
 * @return			NEED_MORE on an EAP challenge, FAILED otherwise
 */
METHOD(eap_method_t, initiate, status_t,
	private_eap_radius_t *this, eap_payload_t **out)
{
	radius_message_t *access_req, *reply;
	status_t result = FAILED;
	chunk_t user_name;

	access_req = radius_message_create(RMC_ACCESS_REQUEST);
	/* User-Name = id_prefix || peer identity, concatenated on the stack */
	user_name = chunk_create(this->id_prefix, strlen(this->id_prefix));
	user_name = chunk_cata("cc", user_name, this->peer->get_encoding(this->peer));
	access_req->add(access_req, RAT_USER_NAME, user_name);

	if (this->eap_start)
	{	/* an empty EAP-Message attribute signals EAP-Start */
		access_req->add(access_req, RAT_EAP_MESSAGE, chunk_empty);
	}
	else
	{
		add_eap_identity(this, access_req);
	}
	eap_radius_forward_from_ike(access_req);

	reply = this->client->request(this->client, access_req);
	if (!reply)
	{
		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
	}
	else
	{
		eap_radius_forward_to_ike(reply);
		if (reply->get_code(reply) == RMC_ACCESS_CHALLENGE)
		{
			if (radius2ike(this, reply, out))
			{
				result = NEED_MORE;
			}
		}
		else
		{	/* Access-Reject, unknown codes and also Access-Accept: Microsoft
			 * RADIUS servers can run in a mode where they respond like this
			 * on the first request (i.e. without authentication), which we
			 * treat as Access-Reject */
			DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
				 this->peer);
		}
		reply->destroy(reply);
	}
	access_req->destroy(access_req);
	return result;
}
212
/**
 * Handle the Class attribute(s) of an Access-Accept as group membership.
 *
 * Each Class value is added as AUTH_RULE_GROUP to the auth config of the
 * IKE_SA currently checked out on the bus.  Values of 44 bytes or more are
 * ignored: some RADIUS servers (such as NPS) use long Class attributes for
 * other purposes, not as group names.
 *
 * @param this		private data (unused)
 * @param msg		Access-Accept to scan for Class attributes
 */
static void process_class(private_eap_radius_t *this, radius_message_t *msg)
{
	/* quirk: Class values at or above this length are not group names */
	enum { CLASS_QUIRK_MIN_LEN = 44 };
	enumerator_t *attrs;
	identification_t *group;
	ike_sa_t *ike_sa;
	auth_cfg_t *auth;
	chunk_t value;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_CLASS || value.len >= CLASS_QUIRK_MIN_LEN)
		{
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (!ike_sa)
		{
			continue;
		}
		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
		group = identification_create_from_data(value);
		DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", group);
		auth->add(auth, AUTH_RULE_GROUP, group);
	}
	attrs->destroy(attrs);
}
249
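/**
 * Handle the Filter-Id attribute as IPsec CHILD_SA name.
 *
 * The last Tunnel-Type attribute decides whether the reply describes an ESP
 * tunnel (tag octet, then a 24 bit value); only then the Filter-Id value is
 * added as AUTH_RULE_GROUP to the auth config of the current IKE_SA.  The
 * tag octet is masked out of the value rather than zeroed in the message
 * buffer, so later handlers (process_timeout, process_cfg_attributes) see
 * the attribute unmodified.
 *
 * @param this		private data (unused)
 * @param msg		Access-Accept to scan for Tunnel-Type and Filter-Id
 */
static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *enumerator;
	int type;
	u_int8_t tunnel_tag;
	u_int32_t tunnel_type;
	chunk_t filter_id = chunk_empty, data;
	bool is_esp_tunnel = FALSE;

	enumerator = msg->create_enumerator(msg);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		switch (type)
		{
			case RAT_TUNNEL_TYPE:
				if (data.len != 4)
				{	/* untoh32 below reads exactly four octets */
					continue;
				}
				tunnel_tag = data.ptr[0];
				/* value is the low 24 bit, read-only access to the message */
				tunnel_type = untoh32(data.ptr) & 0x00ffffff;
				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
					 "tag = %u, value = %u", tunnel_tag, tunnel_type);
				is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP);
				break;
			case RAT_FILTER_ID:
				filter_id = data;
				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
					 "'%.*s'", (int)filter_id.len, filter_id.ptr);
				break;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	if (is_esp_tunnel && filter_id.len)
	{
		identification_t *id;
		ike_sa_t *ike_sa;
		auth_cfg_t *auth;

		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
			id = identification_create_from_data(filter_id);
			auth->add(auth, AUTH_RULE_GROUP, id);
		}
	}
}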
305
/**
 * Handle the Session-Timeout attribute.
 *
 * A four byte Session-Timeout value is applied as authentication lifetime
 * of the IKE_SA currently checked out on the bus; values of any other
 * length are ignored.
 *
 * @param this		private data (unused)
 * @param msg		Access-Accept to scan for Session-Timeout
 */
static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
{
	enumerator_t *attrs;
	ike_sa_t *ike_sa;
	chunk_t value;
	int attr_type;

	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_SESSION_TIMEOUT || value.len != 4)
		{
			continue;
		}
		ike_sa = charon->bus->get_sa(charon->bus);
		if (ike_sa)
		{
			ike_sa->set_auth_lifetime(ike_sa, untoh32(value.ptr));
		}
	}
	attrs->destroy(attrs);
}
330
/**
 * Handle Framed-IP-Address and other IKE configuration attributes.
 *
 * Every four byte Framed-IP-Address is turned into an IPv4 host and handed
 * to the eap-radius attribute provider for this peer, so it can be assigned
 * as virtual IP.  Nothing is done if no provider is registered.
 *
 * @param this		private data (peer identity keys the provider entry)
 * @param msg		Access-Accept to scan for Framed-IP-Address
 */
static void process_cfg_attributes(private_eap_radius_t *this,
								   radius_message_t *msg)
{
	eap_radius_provider_t *provider = eap_radius_provider_get();
	enumerator_t *attrs;
	host_t *vip;
	chunk_t value;
	int attr_type;

	if (!provider)
	{
		return;
	}
	attrs = msg->create_enumerator(msg);
	while (attrs->enumerate(attrs, &attr_type, &value))
	{
		if (attr_type != RAT_FRAMED_IP_ADDRESS || value.len != 4)
		{
			continue;
		}
		vip = host_create_from_chunk(AF_INET, value, 0);
		if (vip)
		{
			provider->add_framed_ip(provider, this->peer, vip);
		}
	}
	attrs->destroy(attrs);
}
361
/**
 * Forward an EAP packet from the IKE peer to RADIUS and relay the answer.
 *
 * The EAP packet is split over EAP-Message attributes of at most
 * MAX_RADIUS_ATTRIBUTE_SIZE bytes.  An Access-Challenge with EAP data yields
 * NEED_MORE, an Access-Accept is post-processed for Class, Filter-Id,
 * Session-Timeout and Framed-IP-Address attributes and yields SUCCESS,
 * anything else FAILED.
 *
 * @param this		private data
 * @param in		EAP payload received from the IKE peer
 * @param out		receives the next EAP payload to send, on NEED_MORE
 * @return			NEED_MORE, SUCCESS or FAILED
 */
METHOD(eap_method_t, process, status_t,
	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
	radius_message_t *access_req, *reply;
	status_t result = FAILED;
	chunk_t eap;

	access_req = radius_message_create(RMC_ACCESS_REQUEST);
	/* NOTE(review): unlike initiate(), no id_prefix is prepended to the
	 * User-Name here; presumably intentional, confirm against the server */
	access_req->add(access_req, RAT_USER_NAME, this->peer->get_encoding(this->peer));
	eap = in->get_data(in);
	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &eap);

	/* a RADIUS attribute holds at most MAX_RADIUS_ATTRIBUTE_SIZE bytes,
	 * so the EAP packet is spread over several EAP-Message attributes */
	for (; eap.len > MAX_RADIUS_ATTRIBUTE_SIZE;
		 eap = chunk_skip(eap, MAX_RADIUS_ATTRIBUTE_SIZE))
	{
		access_req->add(access_req, RAT_EAP_MESSAGE,
						chunk_create(eap.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
	}
	access_req->add(access_req, RAT_EAP_MESSAGE, eap);

	eap_radius_forward_from_ike(access_req);
	reply = this->client->request(this->client, access_req);
	/* no ALERT_RADIUS_NOT_RESPONDING on a missing reply here, only initiate()
	 * raises it; the exchange simply fails */
	if (reply)
	{
		eap_radius_forward_to_ike(reply);
		switch (reply->get_code(reply))
		{
			case RMC_ACCESS_CHALLENGE:
				/* a challenge without EAP data leaves result at FAILED */
				if (radius2ike(this, reply, out))
				{
					result = NEED_MORE;
				}
				break;
			case RMC_ACCESS_ACCEPT:
				if (this->class_group)
				{
					process_class(this, reply);
				}
				if (this->filter_id)
				{
					process_filter_id(this, reply);
				}
				process_timeout(this, reply);
				process_cfg_attributes(this, reply);
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
					 this->peer);
				result = SUCCESS;
				break;
			case RMC_ACCESS_REJECT:
			default:
				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
					 this->peer);
				break;
		}
		reply->destroy(reply);
	}
	access_req->destroy(access_req);
	return result;
}
425
/**
 * Report the EAP type and vendor currently proxied (EAP_RADIUS until the
 * RADIUS server has selected a method).
 *
 * @param this		private data
 * @param vendor	receives this->vendor
 * @return			this->type
 */
METHOD(eap_method_t, get_type, eap_type_t,
	private_eap_radius_t *this, u_int32_t *vendor)
{
	eap_type_t current = this->type;

	*vendor = this->vendor;
	return current;
}
432
/**
 * Hand out the MSK derived by the RADIUS client.
 *
 * @param this		private data
 * @param out		receives the MSK chunk if one is available
 * @return			SUCCESS if the client has a non-empty MSK, FAILED otherwise
 */
METHOD(eap_method_t, get_msk, status_t,
	private_eap_radius_t *this, chunk_t *out)
{
	chunk_t key = this->client->get_msk(this->client);

	if (!key.len)
	{
		return FAILED;
	}
	*out = key;
	return SUCCESS;
}
446
/**
 * Return the EAP identifier last stored with set_identifier().
 *
 * @param this		private data
 * @return			current EAP message identifier
 */
METHOD(eap_method_t, get_identifier, u_int8_t,
	private_eap_radius_t *this)
{
	u_int8_t id = this->identifier;

	return id;
}
452
/**
 * Store the EAP identifier to use for the EAP-Identity Response.
 *
 * @param this			private data
 * @param identifier	EAP message identifier
 */
METHOD(eap_method_t, set_identifier, void,
	private_eap_radius_t *this, u_int8_t identifier)
{
	private_eap_radius_t *self = this;

	self->identifier = identifier;
}
458
/**
 * Tell whether the proxied EAP method authenticates both sides.
 *
 * Only EAP-AKA and EAP-SIM are reported as mutual; every other type,
 * including the initial EAP_RADIUS placeholder, is not.
 *
 * @param this		private data
 * @return			TRUE for EAP_AKA and EAP_SIM
 */
METHOD(eap_method_t, is_mutual, bool,
	private_eap_radius_t *this)
{
	return this->type == EAP_AKA || this->type == EAP_SIM;
}
471
/**
 * Release the RADIUS client, the cloned identities and the object itself.
 *
 * id_prefix is not freed, it belongs to the settings store.
 *
 * @param this		private data
 */
METHOD(eap_method_t, destroy, void,
	private_eap_radius_t *this)
{
	this->client->destroy(this->client);
	this->server->destroy(this->server);
	this->peer->destroy(this->peer);
	free(this);
}
480
/**
 * Generic constructor
 *
 * Reads the eap_start/id_prefix/class_group/filter_id options from the
 * "%s.plugins.eap-radius" section, creates the RADIUS client and clones both
 * identities.  The identities are cloned only after the client exists, so
 * the failure path has nothing to release but the object itself.
 *
 * @param server	server identity, cloned
 * @param peer		peer identity, cloned
 * @return			eap_radius_t instance, NULL if no RADIUS client is available
 */
eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
{
	private_eap_radius_t *this;

	INIT(this,
		.public = {
			.eap_method = {
				.initiate = _initiate,
				.process = _process,
				.get_type = _get_type,
				.is_mutual = _is_mutual,
				.get_msk = _get_msk,
				.get_identifier = _get_identifier,
				.set_identifier = _set_identifier,
				.destroy = _destroy,
			},
		},
		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
		.type = EAP_RADIUS,
		.eap_start = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.eap_start", FALSE,
								charon->name),
		.id_prefix = lib->settings->get_str(lib->settings,
								"%s.plugins.eap-radius.id_prefix", "",
								charon->name),
		.class_group = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.class_group", FALSE,
								charon->name),
		.filter_id = lib->settings->get_bool(lib->settings,
								"%s.plugins.eap-radius.filter_id", FALSE,
								charon->name),
	);

	this->client = eap_radius_create_client();
	if (this->client)
	{
		this->peer = peer->clone(peer);
		this->server = server->clone(server);
		return &this->public;
	}
	free(this);
	return NULL;
}