d2feb7774aaf2bef2509b325821d3d63d1512ac6
[strongswan.git] / src / libcharon / plugins / eap_ttls / eap_ttls_peer.c
1 /*
2 * Copyright (C) 2010 Andreas Steffen
3 * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_ttls_peer.h"
17 #include "eap_ttls_avp.h"
18
19 #include <debug.h>
20 #include <daemon.h>
21
22 #include <sa/authenticators/eap/eap_method.h>
23
24 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
25
26 /**
27 * Private data of an eap_ttls_peer_t object.
28 */
29 struct private_eap_ttls_peer_t {
30
31 /**
32 * Public eap_ttls_peer_t interface.
33 */
34 eap_ttls_peer_t public;
35
36 /**
37 * Server identity
38 */
39 identification_t *server;
40
41 /**
42 * Peer identity
43 */
44 identification_t *peer;
45
46 /**
47 * Current EAP-TTLS state
48 */
49 bool start_phase2;
50
51 /**
52 * Current phase 2 EAP method
53 */
54 eap_method_t *method;
55
56 /**
57 * Pending outbound EAP message
58 */
59 eap_payload_t *out;
60
61 /**
62 * AVP handler
63 */
64 eap_ttls_avp_t *avp;
65 };
66
67 #define MAX_RADIUS_ATTRIBUTE_SIZE 253
68
69 METHOD(tls_application_t, process, status_t,
70 private_eap_ttls_peer_t *this, bio_reader_t *reader)
71 {
72 chunk_t avp_data = chunk_empty;
73 chunk_t eap_data = chunk_empty;
74 status_t status;
75 payload_t *payload;
76 eap_payload_t *in;
77 eap_packet_t *pkt;
78 eap_code_t code;
79 eap_type_t type, received_type;
80 u_int32_t vendor, received_vendor;
81 u_int16_t eap_len;
82 size_t eap_pos = 0;
83 bool concatenated = FALSE;
84
85 do
86 {
87 status = this->avp->process(this->avp, reader, &avp_data);
88 switch (status)
89 {
90 case SUCCESS:
91 break;
92 case NEED_MORE:
93 DBG1(DBG_IKE, "need more AVP data");
94 return NEED_MORE;
95 case FAILED:
96 default:
97 return FAILED;
98 }
99
100 if (eap_data.len == 0)
101 {
102 if (avp_data.len < 4)
103 {
104 DBG1(DBG_IKE, "AVP size to small to contain EAP header");
105 chunk_free(&avp_data);
106 return FAILED;
107 }
108 pkt = (eap_packet_t*)avp_data.ptr;
109 eap_len = untoh16(&pkt->length);
110
111 if (eap_len <= avp_data.len)
112 {
113 /* standard: EAP packet contained in a single AVP */
114 eap_data = avp_data;
115 break;
116 }
117 else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE)
118 {
119 /* non-standard: EAP packet segmented into multiple AVPs */
120 eap_data = chunk_alloc(eap_len);
121 concatenated = TRUE;
122 }
123 else
124 {
125 DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs");
126 chunk_free(&avp_data);
127 return FAILED;
128 }
129 }
130
131 if (avp_data.len > eap_data.len - eap_pos)
132 {
133 DBG1(DBG_IKE, "AVP size to large to fit into EAP packet");
134 chunk_free(&avp_data);
135 chunk_free(&eap_data);
136 return FAILED;
137 }
138 memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len);
139 eap_pos += avp_data.len;
140 chunk_free(&avp_data);
141 }
142 while (eap_pos < eap_data.len);
143
144 in = eap_payload_create_data(eap_data);
145 chunk_free(&eap_data);
146 payload = (payload_t*)in;
147
148 if (payload->verify(payload) != SUCCESS)
149 {
150 in->destroy(in);
151 return FAILED;
152 }
153 code = in->get_code(in);
154 received_type = in->get_type(in, &received_vendor);
155 DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]",
156 concatenated ? "s" : "",
157 eap_code_short_names, code,
158 eap_type_short_names, received_type);
159 if (code != EAP_REQUEST)
160 {
161 DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
162 in->destroy(in);
163 return FAILED;
164 }
165
166 /* yet another phase2 authentication? */
167 if (this->method)
168 {
169 type = this->method->get_type(this->method, &vendor);
170
171 if (type != received_type || vendor != received_vendor)
172 {
173 this->method->destroy(this->method);
174 this->method = NULL;
175 }
176 }
177
178 if (this->method == NULL)
179 {
180 if (received_vendor)
181 {
182 DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d "
183 "(id 0x%02X)", received_type, received_vendor,
184 in->get_identifier(in));
185 }
186 else
187 {
188 DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
189 eap_type_names, received_type, in->get_identifier(in));
190 }
191 this->method = charon->eap->create_instance(charon->eap,
192 received_type, received_vendor,
193 EAP_PEER, this->server, this->peer);
194 if (!this->method)
195 {
196 DBG1(DBG_IKE, "EAP method not supported");
197 this->out = eap_payload_create_nak(in->get_identifier(in));
198 in->destroy(in);
199 return NEED_MORE;
200 }
201 type = this->method->get_type(this->method, &vendor);
202 this->start_phase2 = FALSE;
203 }
204
205 status = this->method->process(this->method, in, &this->out);
206 in->destroy(in);
207
208 switch (status)
209 {
210 case SUCCESS:
211 this->method->destroy(this->method);
212 this->method = NULL;
213 /* fall through to NEED_MORE */
214 case NEED_MORE:
215 return NEED_MORE;
216 case FAILED:
217 default:
218 if (vendor)
219 {
220 DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
221 type, vendor);
222 }
223 else
224 {
225 DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
226 }
227 return FAILED;
228 }
229 }
230
231 METHOD(tls_application_t, build, status_t,
232 private_eap_ttls_peer_t *this, bio_writer_t *writer)
233 {
234 chunk_t data;
235 eap_code_t code;
236 eap_type_t type;
237 u_int32_t vendor;
238
239 if (this->method == NULL && this->start_phase2)
240 {
241 /* generate an EAP Identity response */
242 this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
243 0, EAP_PEER, this->server, this->peer);
244 if (this->method == NULL)
245 {
246 DBG1(DBG_IKE, "EAP_IDENTITY method not available");
247 return FAILED;
248 }
249 this->method->process(this->method, NULL, &this->out);
250 this->method->destroy(this->method);
251 this->method = NULL;
252 this->start_phase2 = FALSE;
253 }
254
255 if (this->out)
256 {
257 code = this->out->get_code(this->out);
258 type = this->out->get_type(this->out, &vendor);
259 DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
260 eap_code_short_names, code, eap_type_short_names, type);
261
262 /* get the raw EAP message data */
263 data = this->out->get_data(this->out);
264 this->avp->build(this->avp, writer, data);
265
266 this->out->destroy(this->out);
267 this->out = NULL;
268 }
269 return INVALID_STATE;
270 }
271
272 METHOD(tls_application_t, destroy, void,
273 private_eap_ttls_peer_t *this)
274 {
275 this->server->destroy(this->server);
276 this->peer->destroy(this->peer);
277 DESTROY_IF(this->method);
278 DESTROY_IF(this->out);
279 this->avp->destroy(this->avp);
280 free(this);
281 }
282
283 /**
284 * See header
285 */
286 eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
287 identification_t *peer)
288 {
289 private_eap_ttls_peer_t *this;
290
291 INIT(this,
292 .public = {
293 .application = {
294 .process = _process,
295 .build = _build,
296 .destroy = _destroy,
297 },
298 },
299 .server = server->clone(server),
300 .peer = peer->clone(peer),
301 .start_phase2 = TRUE,
302 .avp = eap_ttls_avp_create(),
303 );
304
305 return &this->public;
306 }