2147c048292e27961ad9e557f32cb6e2766c95e0
[strongswan.git] / src / libcharon / plugins / eap_tnc / eap_tnc.c
1 /*
2 * Copyright (C) 2010-2013 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_tnc.h"
17
18 #include <tnc/tnc.h>
19 #include <tnc/tnccs/tnccs_manager.h>
20 #include <tls_eap.h>
21 #include <utils/debug.h>
22 #include <daemon.h>
23
24 #include <tncifimv.h>
25 #include <tncif_names.h>
26
27 /**
28 * Maximum size of an EAP-TNC message
29 */
30 #define EAP_TNC_MAX_MESSAGE_LEN 65535
31
32 /**
33 * Maximum number of EAP-TNC messages allowed
34 */
35 #define EAP_TNC_MAX_MESSAGE_COUNT 10
36
37 typedef struct private_eap_tnc_t private_eap_tnc_t;
38
39 /**
40 * Private data of an eap_tnc_t object.
41 */
42 struct private_eap_tnc_t {
43
44 /**
45 * Public authenticator_t interface.
46 */
47 eap_tnc_t public;
48
49 /**
50 * Outer EAP authentication type
51 */
52 eap_type_t auth_type;
53
54 /**
55 * TLS stack, wrapped by EAP helper
56 */
57 tls_eap_t *tls_eap;
58
59 /**
60 * TNCCS instance running over EAP-TNC
61 */
62 tnccs_t *tnccs;
63
64 };
65
66 /**
67 * Callback function to get recommendation from TNCCS connection
68 */
69 static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec,
70 TNC_IMV_Evaluation_Result eval)
71 {
72 char *group;
73 identification_t *id;
74 ike_sa_t *ike_sa;
75 auth_cfg_t *auth;
76 bool no_access = FALSE;
77
78 DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
79 TNC_IMV_Action_Recommendation_names, rec,
80 TNC_IMV_Evaluation_Result_names, eval);
81
82 switch (rec)
83 {
84 case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
85 group = "allow";
86 break;
87 case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
88 group = "isolate";
89 break;
90 case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
91 case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
92 default:
93 group = "no access";
94 no_access = TRUE;
95 break;
96 }
97
98 ike_sa = charon->bus->get_sa(charon->bus);
99 if (!ike_sa)
100 {
101 DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
102 return FALSE;
103 }
104
105 id = ike_sa->get_other_id(ike_sa);
106 DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
107
108 if (no_access)
109 {
110 return FALSE;
111 }
112 else
113 {
114 auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
115 id = identification_create_from_string(group);
116 auth->add(auth, AUTH_RULE_GROUP, id);
117 DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
118 group);
119 }
120 return TRUE;
121 }
122
123 METHOD(eap_method_t, initiate, status_t,
124 private_eap_tnc_t *this, eap_payload_t **out)
125 {
126 chunk_t data;
127 u_int32_t auth_type;
128
129 /* Determine TNC Client Authentication Type */
130 switch (this->auth_type)
131 {
132 case EAP_TLS:
133 case EAP_TTLS:
134 case EAP_PEAP:
135 auth_type = TNC_AUTH_X509_CERT;
136 break;
137 case EAP_MD5:
138 case EAP_MSCHAPV2:
139 case EAP_GTC:
140 case EAP_OTP:
141 auth_type = TNC_AUTH_PASSWORD;
142 break;
143 case EAP_SIM:
144 case EAP_AKA:
145 auth_type = TNC_AUTH_SIM;
146 break;
147 default:
148 auth_type = TNC_AUTH_UNKNOWN;
149 }
150 this->tnccs->set_auth_type(this->tnccs, auth_type);
151
152 if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
153 {
154 *out = eap_payload_create_data(data);
155 free(data.ptr);
156 return NEED_MORE;
157 }
158 return FAILED;
159 }
160
161 METHOD(eap_method_t, process, status_t,
162 private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
163 {
164 status_t status;
165 chunk_t data;
166
167 data = in->get_data(in);
168 status = this->tls_eap->process(this->tls_eap, data, &data);
169 if (status == NEED_MORE)
170 {
171 *out = eap_payload_create_data(data);
172 free(data.ptr);
173 }
174 return status;
175 }
176
177 METHOD(eap_method_t, get_type, eap_type_t,
178 private_eap_tnc_t *this, u_int32_t *vendor)
179 {
180 *vendor = 0;
181 return EAP_TNC;
182 }
183
184 METHOD(eap_method_t, get_msk, status_t,
185 private_eap_tnc_t *this, chunk_t *msk)
186 {
187 *msk = this->tls_eap->get_msk(this->tls_eap);
188 if (msk->len)
189 {
190 return SUCCESS;
191 }
192 return FAILED;
193 }
194
195 METHOD(eap_method_t, get_identifier, u_int8_t,
196 private_eap_tnc_t *this)
197 {
198 return this->tls_eap->get_identifier(this->tls_eap);
199 }
200
201 METHOD(eap_method_t, set_identifier, void,
202 private_eap_tnc_t *this, u_int8_t identifier)
203 {
204 this->tls_eap->set_identifier(this->tls_eap, identifier);
205 }
206
207 METHOD(eap_method_t, is_mutual, bool,
208 private_eap_tnc_t *this)
209 {
210 return FALSE;
211 }
212
213 METHOD(eap_method_t, destroy, void,
214 private_eap_tnc_t *this)
215 {
216 chunk_t pdp_server;
217 u_int16_t pdp_port;
218 tls_t *tls;
219
220 pdp_server = this->tnccs->get_pdp_server(this->tnccs, &pdp_port);
221 if (pdp_server.len)
222 {
223 DBG2(DBG_TNC, "TODO: setup PT-TLS connection to %.*s:%u",
224 pdp_server.len, pdp_server.ptr, pdp_port);
225 }
226 tls = &this->tnccs->tls;
227 tls->destroy(tls);
228 this->tls_eap->destroy(this->tls_eap);
229 free(this);
230 }
231
232 METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
233 private_eap_tnc_t *this)
234 {
235 return this->auth_type;
236 }
237
238 METHOD(eap_inner_method_t, set_auth_type, void,
239 private_eap_tnc_t *this, eap_type_t type)
240 {
241 this->auth_type = type;
242 }
243
244 /**
245 * Generic private constructor
246 */
247 static eap_tnc_t *eap_tnc_create(identification_t *server,
248 identification_t *peer, bool is_server)
249 {
250 private_eap_tnc_t *this;
251 int max_msg_count;
252 char* protocol;
253 tnccs_t *tnccs;
254 tnccs_type_t type;
255
256 INIT(this,
257 .public = {
258 .eap_inner_method = {
259 .eap_method = {
260 .initiate = _initiate,
261 .process = _process,
262 .get_type = _get_type,
263 .is_mutual = _is_mutual,
264 .get_msk = _get_msk,
265 .get_identifier = _get_identifier,
266 .set_identifier = _set_identifier,
267 .destroy = _destroy,
268 },
269 .get_auth_type = _get_auth_type,
270 .set_auth_type = _set_auth_type,
271 },
272 },
273 );
274
275 max_msg_count = lib->settings->get_int(lib->settings,
276 "%s.plugins.eap-tnc.max_message_count",
277 EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
278 protocol = lib->settings->get_str(lib->settings,
279 "%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
280 if (strcaseeq(protocol, "tnccs-2.0"))
281 {
282 type = TNCCS_2_0;
283 }
284 else if (strcaseeq(protocol, "tnccs-1.1"))
285 {
286 type = TNCCS_1_1;
287 }
288 else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
289 {
290 type = TNCCS_DYNAMIC;
291 }
292 else
293 {
294 DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol);
295 free(this);
296 return NULL;
297 }
298 tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
299 is_server, server, peer, TNC_IFT_EAP_1_1,
300 is_server ? enforce_recommendation : NULL);
301 if (!tnccs)
302 {
303 DBG1(DBG_TNC, "TNCCS protocol '%s' not enabled", protocol);
304 free(this);
305 return NULL;
306 }
307 this->tnccs = tnccs->get_ref(tnccs);
308 this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
309 EAP_TNC_MAX_MESSAGE_LEN,
310 max_msg_count, FALSE);
311 if (!this->tls_eap)
312 {
313 free(this);
314 return NULL;
315 }
316 return &this->public;
317 }
318
319 eap_tnc_t *eap_tnc_create_server(identification_t *server,
320 identification_t *peer)
321 {
322 return eap_tnc_create(server, peer, TRUE);
323 }
324
325 eap_tnc_t *eap_tnc_create_peer(identification_t *server,
326 identification_t *peer)
327 {
328 return eap_tnc_create(server, peer, FALSE);
329 }