11e6cd0f380f5bcffcfd7dd57f92a4bfa92b00aa
[strongswan.git] / src / libcharon / plugins / eap_ttls / eap_ttls_peer.c
1 /*
2 * Copyright (C) 2010 Andreas Steffen
3 * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_ttls_peer.h"
17 #include "eap_ttls_avp.h"
18
19 #include <debug.h>
20 #include <daemon.h>
21
22 #include <sa/authenticators/eap/eap_method.h>
23
24 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
25
26 /**
27 * Private data of an eap_ttls_peer_t object.
28 */
29 struct private_eap_ttls_peer_t {
30
31 /**
32 * Public eap_ttls_peer_t interface.
33 */
34 eap_ttls_peer_t public;
35
36 /**
37 * Server identity
38 */
39 identification_t *server;
40
41 /**
42 * Peer identity
43 */
44 identification_t *peer;
45
46 /**
47 * Current EAP-TTLS state
48 */
49 bool start_phase2;
50
51 /**
52 * Current phase 2 EAP method
53 */
54 eap_method_t *method;
55
56 /**
57 * Pending outbound EAP message
58 */
59 eap_payload_t *out;
60
61 /**
62 * AVP handler
63 */
64 eap_ttls_avp_t *avp;
65 };
66
67 METHOD(tls_application_t, process, status_t,
68 private_eap_ttls_peer_t *this, tls_reader_t *reader)
69 {
70 chunk_t data = chunk_empty;
71 status_t status;
72 payload_t *payload;
73 eap_payload_t *in;
74 eap_code_t code;
75 eap_type_t type, received_type;
76 u_int32_t vendor, received_vendor;
77
78 status = this->avp->process(this->avp, reader, &data);
79 switch (status)
80 {
81 case SUCCESS:
82 break;
83 case NEED_MORE:
84 DBG1(DBG_IKE, "need more AVP data");
85 return NEED_MORE;
86 case FAILED:
87 default:
88 return FAILED;
89 }
90 in = eap_payload_create_data(data);
91 chunk_free(&data);
92 payload = (payload_t*)in;
93
94 if (payload->verify(payload) != SUCCESS)
95 {
96 in->destroy(in);
97 return FAILED;
98 }
99 code = in->get_code(in);
100 received_type = in->get_type(in, &received_vendor);
101 DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
102 eap_code_short_names, code,
103 eap_type_short_names, received_type);
104 if (code != EAP_REQUEST)
105 {
106 DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
107 in->destroy(in);
108 return FAILED;
109 }
110
111 if (this->method == NULL)
112 {
113 if (received_vendor)
114 {
115 DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
116 received_type, received_vendor);
117 }
118 else
119 {
120 DBG1(DBG_IKE, "server requested %N authentication",
121 eap_type_names, received_type);
122 }
123 this->method = charon->eap->create_instance(charon->eap,
124 received_type, received_vendor,
125 EAP_PEER, this->server, this->peer);
126 if (!this->method)
127 {
128 DBG1(DBG_IKE, "EAP method not supported");
129 this->out = eap_payload_create_nak(in->get_identifier(in));
130 in->destroy(in);
131 return NEED_MORE;
132 }
133 }
134
135 type = this->method->get_type(this->method, &vendor);
136
137 if (type != received_type || vendor != received_vendor)
138 {
139 DBG1(DBG_IKE, "received invalid EAP request");
140 in->destroy(in);
141 return FAILED;
142 }
143
144 status = this->method->process(this->method, in, &this->out);
145 in->destroy(in);
146
147 switch (status)
148 {
149 case SUCCESS:
150 this->method->destroy(this->method);
151 this->method = NULL;
152 return NEED_MORE;
153 case NEED_MORE:
154 if (type != EAP_TNC)
155 {
156 this->method->destroy(this->method);
157 this->method = NULL;
158 }
159 return NEED_MORE;
160 case FAILED:
161 default:
162 if (vendor)
163 {
164 DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
165 type, vendor);
166 }
167 else
168 {
169 DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
170 }
171 return FAILED;
172 }
173 }
174
175 METHOD(tls_application_t, build, status_t,
176 private_eap_ttls_peer_t *this, tls_writer_t *writer)
177 {
178 chunk_t data;
179 eap_code_t code;
180 eap_type_t type;
181 u_int32_t vendor;
182
183 if (this->method == NULL && this->start_phase2)
184 {
185 /* generate an EAP Identity response */
186 this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
187 0, EAP_PEER, this->server, this->peer);
188 if (this->method == NULL)
189 {
190 DBG1(DBG_IKE, "EAP_IDENTITY method not available");
191 return FAILED;
192 }
193 this->method->process(this->method, NULL, &this->out);
194 this->method->destroy(this->method);
195 this->method = NULL;
196 this->start_phase2 = FALSE;
197 }
198
199 if (this->out)
200 {
201 code = this->out->get_code(this->out);
202 type = this->out->get_type(this->out, &vendor);
203 DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
204 eap_code_short_names, code, eap_type_short_names, type);
205
206 /* get the raw EAP message data */
207 data = this->out->get_data(this->out);
208 this->avp->build(this->avp, writer, data);
209
210 this->out->destroy(this->out);
211 this->out = NULL;
212 }
213 return INVALID_STATE;
214 }
215
216 METHOD(tls_application_t, destroy, void,
217 private_eap_ttls_peer_t *this)
218 {
219 this->server->destroy(this->server);
220 this->peer->destroy(this->peer);
221 DESTROY_IF(this->method);
222 DESTROY_IF(this->out);
223 this->avp->destroy(this->avp);
224 free(this);
225 }
226
227 /**
228 * See header
229 */
230 eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
231 identification_t *peer)
232 {
233 private_eap_ttls_peer_t *this;
234
235 INIT(this,
236 .public = {
237 .application = {
238 .process = _process,
239 .build = _build,
240 .destroy = _destroy,
241 },
242 },
243 .server = server->clone(server),
244 .peer = peer->clone(peer),
245 .start_phase2 = TRUE,
246 .avp = eap_ttls_avp_create(),
247 );
248
249 return &this->public;
250 }