839425d5953de772a853e64f78523fe8c991ba6d
[strongswan.git] / src / libcharon / plugins / eap_tnc / eap_tnc.c
1 /*
2 * Copyright (C) 2010-2013 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_tnc.h"
17
18 #include <tnc/tnc.h>
19 #include <tnc/tnccs/tnccs_manager.h>
20 #include <tls_eap.h>
21 #include <utils/debug.h>
22 #include <daemon.h>
23
24 #include <tncifimv.h>
25
26 /**
27 * Maximum size of an EAP-TNC message
28 */
29 #define EAP_TNC_MAX_MESSAGE_LEN 65535
30
31 /**
32 * Maximum number of EAP-TNC messages allowed
33 */
34 #define EAP_TNC_MAX_MESSAGE_COUNT 10
35
36 typedef struct private_eap_tnc_t private_eap_tnc_t;
37
38 /**
39 * Private data of an eap_tnc_t object.
40 */
41 struct private_eap_tnc_t {
42
43 /**
44 * Public authenticator_t interface.
45 */
46 eap_tnc_t public;
47
48 /**
49 * Outer EAP authentication type
50 */
51 eap_type_t auth_type;
52
53 /**
54 * TLS stack, wrapped by EAP helper
55 */
56 tls_eap_t *tls_eap;
57
58 /**
59 * TNCCS instance running over EAP-TNC
60 */
61 tnccs_t *tnccs;
62
63 };
64
65 METHOD(eap_method_t, initiate, status_t,
66 private_eap_tnc_t *this, eap_payload_t **out)
67 {
68 chunk_t data;
69 u_int32_t auth_type;
70
71 /* Determine TNC Client Authentication Type */
72 switch (this->auth_type)
73 {
74 case EAP_TLS:
75 case EAP_TTLS:
76 case EAP_PEAP:
77 auth_type = TNC_AUTH_X509_CERT;
78 break;
79 case EAP_MD5:
80 case EAP_MSCHAPV2:
81 case EAP_GTC:
82 case EAP_OTP:
83 auth_type = TNC_AUTH_PASSWORD;
84 break;
85 case EAP_SIM:
86 case EAP_AKA:
87 auth_type = TNC_AUTH_SIM;
88 break;
89 default:
90 auth_type = TNC_AUTH_UNKNOWN;
91 }
92 this->tnccs->set_auth_type(this->tnccs, auth_type);
93
94 if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
95 {
96 *out = eap_payload_create_data(data);
97 free(data.ptr);
98 return NEED_MORE;
99 }
100 return FAILED;
101 }
102
103 METHOD(eap_method_t, process, status_t,
104 private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
105 {
106 status_t status;
107 chunk_t data;
108
109 data = in->get_data(in);
110 status = this->tls_eap->process(this->tls_eap, data, &data);
111 if (status == NEED_MORE)
112 {
113 *out = eap_payload_create_data(data);
114 free(data.ptr);
115 }
116 return status;
117 }
118
119 METHOD(eap_method_t, get_type, eap_type_t,
120 private_eap_tnc_t *this, u_int32_t *vendor)
121 {
122 *vendor = 0;
123 return EAP_TNC;
124 }
125
126 METHOD(eap_method_t, get_msk, status_t,
127 private_eap_tnc_t *this, chunk_t *msk)
128 {
129 *msk = this->tls_eap->get_msk(this->tls_eap);
130 if (msk->len)
131 {
132 return SUCCESS;
133 }
134 return FAILED;
135 }
136
137 METHOD(eap_method_t, get_identifier, u_int8_t,
138 private_eap_tnc_t *this)
139 {
140 return this->tls_eap->get_identifier(this->tls_eap);
141 }
142
143 METHOD(eap_method_t, set_identifier, void,
144 private_eap_tnc_t *this, u_int8_t identifier)
145 {
146 this->tls_eap->set_identifier(this->tls_eap, identifier);
147 }
148
149 METHOD(eap_method_t, is_mutual, bool,
150 private_eap_tnc_t *this)
151 {
152 return FALSE;
153 }
154
155 METHOD(eap_method_t, destroy, void,
156 private_eap_tnc_t *this)
157 {
158 this->tls_eap->destroy(this->tls_eap);
159 free(this);
160 }
161
162 METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
163 private_eap_tnc_t *this)
164 {
165 return this->auth_type;
166 }
167
168 METHOD(eap_inner_method_t, set_auth_type, void,
169 private_eap_tnc_t *this, eap_type_t type)
170 {
171 this->auth_type = type;
172 }
173
174 /**
175 * Generic private constructor
176 */
177 static eap_tnc_t *eap_tnc_create(identification_t *server,
178 identification_t *peer, bool is_server)
179 {
180 private_eap_tnc_t *this;
181 int max_msg_count;
182 char* protocol;
183 tnccs_type_t type;
184
185 INIT(this,
186 .public = {
187 .eap_inner_method = {
188 .eap_method = {
189 .initiate = _initiate,
190 .process = _process,
191 .get_type = _get_type,
192 .is_mutual = _is_mutual,
193 .get_msk = _get_msk,
194 .get_identifier = _get_identifier,
195 .set_identifier = _set_identifier,
196 .destroy = _destroy,
197 },
198 .get_auth_type = _get_auth_type,
199 .set_auth_type = _set_auth_type,
200 },
201 },
202 );
203
204 max_msg_count = lib->settings->get_int(lib->settings,
205 "%s.plugins.eap-tnc.max_message_count",
206 EAP_TNC_MAX_MESSAGE_COUNT, charon->name);
207 protocol = lib->settings->get_str(lib->settings,
208 "%s.plugins.eap-tnc.protocol", "tnccs-1.1", charon->name);
209 if (strcaseeq(protocol, "tnccs-2.0"))
210 {
211 type = TNCCS_2_0;
212 }
213 else if (strcaseeq(protocol, "tnccs-1.1"))
214 {
215 type = TNCCS_1_1;
216 }
217 else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
218 {
219 type = TNCCS_DYNAMIC;
220 }
221 else
222 {
223 DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol);
224 free(this);
225 return NULL;
226 }
227 this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
228 server, peer, TNC_IFT_EAP_1_1);
229 this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
230 EAP_TNC_MAX_MESSAGE_LEN,
231 max_msg_count, FALSE);
232 if (!this->tls_eap)
233 {
234 free(this);
235 return NULL;
236 }
237 return &this->public;
238 }
239
240 eap_tnc_t *eap_tnc_create_server(identification_t *server,
241 identification_t *peer)
242 {
243 return eap_tnc_create(server, peer, TRUE);
244 }
245
246 eap_tnc_t *eap_tnc_create_peer(identification_t *server,
247 identification_t *peer)
248 {
249 return eap_tnc_create(server, peer, FALSE);
250 }