projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
support non EAP-TTLS conformant RADIUS-type attribute segmentation
[strongswan.git] / src / libcharon / plugins / eap_ttls / eap_ttls_peer.c
1 /*
2 * Copyright (C) 2010 Andreas Steffen
3 * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_ttls_peer.h"
17 #include "eap_ttls_avp.h"
18
19 #include <debug.h>
20 #include <daemon.h>
21
22 #include <sa/authenticators/eap/eap_method.h>
23
24 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
25
26 /**
27 * Private data of an eap_ttls_peer_t object.
28 */
29 struct private_eap_ttls_peer_t {
30
31 /**
32 * Public eap_ttls_peer_t interface.
33 */
34 eap_ttls_peer_t public;
35
36 /**
37 * Server identity
38 */
39 identification_t *server;
40
41 /**
42 * Peer identity
43 */
44 identification_t *peer;
45
46 /**
47 * Current EAP-TTLS state
48 */
49 bool start_phase2;
50
51 /**
52 * Current phase 2 EAP method
53 */
54 eap_method_t *method;
55
56 /**
57 * Pending outbound EAP message
58 */
59 eap_payload_t *out;
60
61 /**
62 * AVP handler
63 */
64 eap_ttls_avp_t *avp;
65 };
66
67 /**
68 * EAP packet format
69 */
70 typedef struct __attribute__((packed)) {
71 u_int8_t code;
72 u_int8_t identifier;
73 u_int16_t length;
74 u_int8_t type;
75 u_int8_t data;
76 } eap_packet_t;
77
78 #define MAX_RADIUS_ATTRIBUTE_SIZE 253
79
80 METHOD(tls_application_t, process, status_t,
81 private_eap_ttls_peer_t *this, tls_reader_t *reader)
82 {
83 chunk_t avp_data = chunk_empty;
84 chunk_t eap_data = chunk_empty;
85 status_t status;
86 payload_t *payload;
87 eap_payload_t *in;
88 eap_packet_t *pkt;
89 eap_code_t code;
90 eap_type_t type, received_type;
91 u_int32_t vendor, received_vendor;
92 u_int16_t eap_len;
93 size_t eap_pos = 0;
94 bool concatenated = FALSE;
95
96 do
97 {
98 status = this->avp->process(this->avp, reader, &avp_data);
99 switch (status)
100 {
101 case SUCCESS:
102 break;
103 case NEED_MORE:
104 DBG1(DBG_IKE, "need more AVP data");
105 return NEED_MORE;
106 case FAILED:
107 default:
108 return FAILED;
109 }
110
111 if (eap_data.len == 0)
112 {
113 if (avp_data.len < 4)
114 {
115 DBG1(DBG_IKE, "AVP size to small to contain EAP header");
116 chunk_free(&avp_data);
117 return FAILED;
118 }
119 pkt = (eap_packet_t*)avp_data.ptr;
120 eap_len = untoh16(&pkt->length);
121
122 if (eap_len <= avp_data.len)
123 {
124 /* standard: EAP packet contained in a single AVP */
125 eap_data = avp_data;
126 break;
127 }
128 else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE)
129 {
130 /* non-standard: EAP packet segmented into multiple AVPs */
131 eap_data = chunk_alloc(eap_len);
132 concatenated = TRUE;
133 }
134 else
135 {
136 DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs");
137 chunk_free(&avp_data);
138 return FAILED;
139 }
140 }
141
142 if (avp_data.len > eap_data.len - eap_pos)
143 {
144 DBG1(DBG_IKE, "AVP size to large to fit into EAP packet");
145 chunk_free(&avp_data);
146 chunk_free(&eap_data);
147 return FAILED;
148 }
149 memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len);
150 eap_pos += avp_data.len;
151 chunk_free(&avp_data);
152 }
153 while (eap_pos < eap_data.len);
154
155 in = eap_payload_create_data(eap_data);
156 chunk_free(&eap_data);
157 payload = (payload_t*)in;
158
159 if (payload->verify(payload) != SUCCESS)
160 {
161 in->destroy(in);
162 return FAILED;
163 }
164 code = in->get_code(in);
165 received_type = in->get_type(in, &received_vendor);
166 DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]",
167 concatenated ? "s" : "",
168 eap_code_short_names, code,
169 eap_type_short_names, received_type);
170 if (code != EAP_REQUEST)
171 {
172 DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
173 in->destroy(in);
174 return FAILED;
175 }
176
177 if (this->method == NULL)
178 {
179 if (received_vendor)
180 {
181 DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
182 received_type, received_vendor);
183 }
184 else
185 {
186 DBG1(DBG_IKE, "server requested %N authentication",
187 eap_type_names, received_type);
188 }
189 this->method = charon->eap->create_instance(charon->eap,
190 received_type, received_vendor,
191 EAP_PEER, this->server, this->peer);
192 if (!this->method)
193 {
194 DBG1(DBG_IKE, "EAP method not supported");
195 this->out = eap_payload_create_nak(in->get_identifier(in));
196 in->destroy(in);
197 return NEED_MORE;
198 }
199 }
200
201 type = this->method->get_type(this->method, &vendor);
202
203 if (type != received_type || vendor != received_vendor)
204 {
205 DBG1(DBG_IKE, "received invalid EAP request");
206 in->destroy(in);
207 return FAILED;
208 }
209
210 status = this->method->process(this->method, in, &this->out);
211 in->destroy(in);
212
213 switch (status)
214 {
215 case SUCCESS:
216 this->method->destroy(this->method);
217 this->method = NULL;
218 return NEED_MORE;
219 case NEED_MORE:
220 if (type != EAP_TNC)
221 {
222 this->method->destroy(this->method);
223 this->method = NULL;
224 }
225 return NEED_MORE;
226 case FAILED:
227 default:
228 if (vendor)
229 {
230 DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
231 type, vendor);
232 }
233 else
234 {
235 DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
236 }
237 return FAILED;
238 }
239 }
240
241 METHOD(tls_application_t, build, status_t,
242 private_eap_ttls_peer_t *this, tls_writer_t *writer)
243 {
244 chunk_t data;
245 eap_code_t code;
246 eap_type_t type;
247 u_int32_t vendor;
248
249 if (this->method == NULL && this->start_phase2)
250 {
251 /* generate an EAP Identity response */
252 this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
253 0, EAP_PEER, this->server, this->peer);
254 if (this->method == NULL)
255 {
256 DBG1(DBG_IKE, "EAP_IDENTITY method not available");
257 return FAILED;
258 }
259 this->method->process(this->method, NULL, &this->out);
260 this->method->destroy(this->method);
261 this->method = NULL;
262 this->start_phase2 = FALSE;
263 }
264
265 if (this->out)
266 {
267 code = this->out->get_code(this->out);
268 type = this->out->get_type(this->out, &vendor);
269 DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
270 eap_code_short_names, code, eap_type_short_names, type);
271
272 /* get the raw EAP message data */
273 data = this->out->get_data(this->out);
274 this->avp->build(this->avp, writer, data);
275
276 this->out->destroy(this->out);
277 this->out = NULL;
278 }
279 return INVALID_STATE;
280 }
281
282 METHOD(tls_application_t, destroy, void,
283 private_eap_ttls_peer_t *this)
284 {
285 this->server->destroy(this->server);
286 this->peer->destroy(this->peer);
287 DESTROY_IF(this->method);
288 DESTROY_IF(this->out);
289 this->avp->destroy(this->avp);
290 free(this);
291 }
292
293 /**
294 * See header
295 */
296 eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
297 identification_t *peer)
298 {
299 private_eap_ttls_peer_t *this;
300
301 INIT(this,
302 .public = {
303 .application = {
304 .process = _process,
305 .build = _build,
306 .destroy = _destroy,
307 },
308 },
309 .server = server->clone(server),
310 .peer = peer->clone(peer),
311 .start_phase2 = TRUE,
312 .avp = eap_ttls_avp_create(),
313 );
314
315 return &this->public;
316 }
strongSwan - IPsec VPN