moved tnc_imv plugin to libtnccs thanks to recommendation callback function
[strongswan.git] / src / libcharon / plugins / eap_tnc / eap_tnc.c
1 /*
2 * Copyright (C) 2010-2013 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_tnc.h"
17
18 #include <tnc/tnc.h>
19 #include <tnc/tnccs/tnccs_manager.h>
20 #include <tls_eap.h>
21 #include <utils/debug.h>
22 #include <daemon.h>
23
24 #include <tncifimv.h>
25 #include <tncif_names.h>
26
27 /**
28 * Maximum size of an EAP-TNC message
29 */
30 #define EAP_TNC_MAX_MESSAGE_LEN 65535
31
32 /**
33 * Maximum number of EAP-TNC messages allowed
34 */
35 #define EAP_TNC_MAX_MESSAGE_COUNT 10
36
37 typedef struct private_eap_tnc_t private_eap_tnc_t;
38
39 /**
40 * Private data of an eap_tnc_t object.
41 */
42 struct private_eap_tnc_t {
43
44 /**
45 * Public authenticator_t interface.
46 */
47 eap_tnc_t public;
48
49 /**
50 * Outer EAP authentication type
51 */
52 eap_type_t auth_type;
53
54 /**
55 * TLS stack, wrapped by EAP helper
56 */
57 tls_eap_t *tls_eap;
58
59 /**
60 * TNCCS instance running over EAP-TNC
61 */
62 tnccs_t *tnccs;
63
64 };
65
66 /**
67 * Callback function to get recommendation from TNCCS connection
68 */
69 static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec,
70 TNC_IMV_Evaluation_Result eval)
71 {
72 char *group;
73 identification_t *id;
74 ike_sa_t *ike_sa;
75 auth_cfg_t *auth;
76 bool no_access = FALSE;
77
78 DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
79 TNC_IMV_Action_Recommendation_names, rec,
80 TNC_IMV_Evaluation_Result_names, eval);
81
82 switch (rec)
83 {
84 case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
85 group = "allow";
86 break;
87 case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
88 group = "isolate";
89 break;
90 case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
91 case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
92 default:
93 group = "no access";
94 no_access = TRUE;
95 break;
96 }
97
98 ike_sa = charon->bus->get_sa(charon->bus);
99 if (!ike_sa)
100 {
101 DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
102 return FALSE;
103 }
104
105 id = ike_sa->get_other_id(ike_sa);
106 DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
107
108 if (no_access)
109 {
110 return FALSE;
111 }
112 else
113 {
114 auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
115 id = identification_create_from_string(group);
116 auth->add(auth, AUTH_RULE_GROUP, id);
117 DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
118 group);
119 }
120 return TRUE;
121 }
122
123 METHOD(eap_method_t, initiate, status_t,
124 private_eap_tnc_t *this, eap_payload_t **out)
125 {
126 chunk_t data;
127 u_int32_t auth_type;
128
129 /* Determine TNC Client Authentication Type */
130 switch (this->auth_type)
131 {
132 case EAP_TLS:
133 case EAP_TTLS:
134 case EAP_PEAP:
135 auth_type = TNC_AUTH_X509_CERT;
136 break;
137 case EAP_MD5:
138 case EAP_MSCHAPV2:
139 case EAP_GTC:
140 case EAP_OTP:
141 auth_type = TNC_AUTH_PASSWORD;
142 break;
143 case EAP_SIM:
144 case EAP_AKA:
145 auth_type = TNC_AUTH_SIM;
146 break;
147 default:
148 auth_type = TNC_AUTH_UNKNOWN;
149 }
150 this->tnccs->set_auth_type(this->tnccs, auth_type);
151
152 if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
153 {
154 *out = eap_payload_create_data(data);
155 free(data.ptr);
156 return NEED_MORE;
157 }
158 return FAILED;
159 }
160
161 METHOD(eap_method_t, process, status_t,
162 private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
163 {
164 status_t status;
165 chunk_t data;
166
167 data = in->get_data(in);
168 status = this->tls_eap->process(this->tls_eap, data, &data);
169 if (status == NEED_MORE)
170 {
171 *out = eap_payload_create_data(data);
172 free(data.ptr);
173 }
174 return status;
175 }
176
177 METHOD(eap_method_t, get_type, eap_type_t,
178 private_eap_tnc_t *this, u_int32_t *vendor)
179 {
180 *vendor = 0;
181 return EAP_TNC;
182 }
183
184 METHOD(eap_method_t, get_msk, status_t,
185 private_eap_tnc_t *this, chunk_t *msk)
186 {
187 *msk = this->tls_eap->get_msk(this->tls_eap);
188 if (msk->len)
189 {
190 return SUCCESS;
191 }
192 return FAILED;
193 }
194
195 METHOD(eap_method_t, get_identifier, u_int8_t,
196 private_eap_tnc_t *this)
197 {
198 return this->tls_eap->get_identifier(this->tls_eap);
199 }
200
201 METHOD(eap_method_t, set_identifier, void,
202 private_eap_tnc_t *this, u_int8_t identifier)
203 {
204 this->tls_eap->set_identifier(this->tls_eap, identifier);
205 }
206
207 METHOD(eap_method_t, is_mutual, bool,
208 private_eap_tnc_t *this)
209 {
210 return FALSE;
211 }
212
213 METHOD(eap_method_t, destroy, void,
214 private_eap_tnc_t *this)
215 {
216 this->tls_eap->destroy(this->tls_eap);
217 free(this);
218 }
219
220 METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
221 private_eap_tnc_t *this)
222 {
223 return this->auth_type;
224 }
225
226 METHOD(eap_inner_method_t, set_auth_type, void,
227 private_eap_tnc_t *this, eap_type_t type)
228 {
229 this->auth_type = type;
230 }
231
232 /**
233 * Generic private constructor
234 */
235 static eap_tnc_t *eap_tnc_create(identification_t *server,
236 identification_t *peer, bool is_server)
237 {
238 private_eap_tnc_t *this;
239 int max_msg_count;
240 char* protocol;
241 tnccs_type_t type;
242
243 INIT(this,
244 .public = {
245 .eap_inner_method = {
246 .eap_method = {
247 .initiate = _initiate,
248 .process = _process,
249 .get_type = _get_type,
250 .is_mutual = _is_mutual,
251 .get_msk = _get_msk,
252 .get_identifier = _get_identifier,
253 .set_identifier = _set_identifier,
254 .destroy = _destroy,
255 },
256 .get_auth_type = _get_auth_type,
257 .set_auth_type = _set_auth_type,
258 },
259 },
260 );
261
262 max_msg_count = lib->settings->get_int(lib->settings,
263 "%s.plugins.eap-tnc.max_message_count",
264 EAP_TNC_MAX_MESSAGE_COUNT, charon->name);
265 protocol = lib->settings->get_str(lib->settings,
266 "%s.plugins.eap-tnc.protocol", "tnccs-1.1", charon->name);
267 if (strcaseeq(protocol, "tnccs-2.0"))
268 {
269 type = TNCCS_2_0;
270 }
271 else if (strcaseeq(protocol, "tnccs-1.1"))
272 {
273 type = TNCCS_1_1;
274 }
275 else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
276 {
277 type = TNCCS_DYNAMIC;
278 }
279 else
280 {
281 DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol);
282 free(this);
283 return NULL;
284 }
285 this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
286 is_server, server, peer, TNC_IFT_EAP_1_1,
287 is_server ? enforce_recommendation : NULL);
288 this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
289 EAP_TNC_MAX_MESSAGE_LEN,
290 max_msg_count, FALSE);
291 if (!this->tls_eap)
292 {
293 free(this);
294 return NULL;
295 }
296 return &this->public;
297 }
298
299 eap_tnc_t *eap_tnc_create_server(identification_t *server,
300 identification_t *peer)
301 {
302 return eap_tnc_create(server, peer, TRUE);
303 }
304
305 eap_tnc_t *eap_tnc_create_peer(identification_t *server,
306 identification_t *peer)
307 {
308 return eap_tnc_create(server, peer, FALSE);
309 }