Fixed compiler warning
[strongswan.git] / src / libcharon / plugins / eap_ttls / eap_ttls_server.c
1 /*
2 * Copyright (C) 2010 Andreas Steffen
3 * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_ttls_server.h"
17 #include "eap_ttls_avp.h"
18
19 #include <debug.h>
20 #include <daemon.h>
21
22 #include <sa/authenticators/eap/eap_method.h>
23
24 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
25
26 /**
27 * Private data of an eap_ttls_server_t object.
28 */
29 struct private_eap_ttls_server_t {
30
31 /**
32 * Public eap_ttls_server_t interface.
33 */
34 eap_ttls_server_t public;
35
36 /**
37 * Server identity
38 */
39 identification_t *server;
40
41 /**
42 * Peer identity
43 */
44 identification_t *peer;
45
46 /**
47 * Current EAP-TTLS state
48 */
49 bool start_phase2;
50
51 /**
52 * Current phase 2 EAP method
53 */
54 eap_method_t *method;
55
56 /**
57 * Pending outbound EAP message
58 */
59 eap_payload_t *out;
60
61 /**
62 * AVP handler
63 */
64 eap_ttls_avp_t *avp;
65 };
66
67 METHOD(tls_application_t, process, status_t,
68 private_eap_ttls_server_t *this, tls_reader_t *reader)
69 {
70 chunk_t data;
71 status_t status;
72 payload_t *payload;
73 eap_payload_t *in;
74 eap_code_t code;
75 eap_type_t type = EAP_NAK, received_type;
76 u_int32_t vendor, received_vendor;
77
78 status = this->avp->process(this->avp, reader, &data);
79 if (status == FAILED)
80 {
81 return FAILED;
82 }
83 in = eap_payload_create_data(data);
84 payload = (payload_t*)in;
85
86 if (payload->verify(payload) != SUCCESS)
87 {
88 in->destroy(in);
89 return FAILED;
90 }
91 code = in->get_code(in);
92 received_type = in->get_type(in, &received_vendor);
93 DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
94 eap_code_short_names, code,
95 eap_type_short_names, received_type);
96 if (code != EAP_RESPONSE)
97 {
98 DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
99 in->destroy(in);
100 return FAILED;
101 }
102
103 if (this->method)
104 {
105 type = this->method->get_type(this->method, &vendor);
106
107 if (type != received_type || vendor != received_vendor)
108 {
109 if (received_vendor == 0 && received_type == EAP_NAK)
110 {
111 DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
112 }
113 else
114 {
115 DBG1(DBG_IKE, "received invalid EAP response");
116 }
117 in->destroy(in);
118 return FAILED;
119 }
120 }
121
122 if (!received_vendor && received_type == EAP_IDENTITY)
123 {
124 chunk_t eap_id;
125 char * eap_type_str;
126
127 if (this->method == NULL)
128 {
129 /* Received an EAP Identity response without a matching request */
130 this->method = charon->eap->create_instance(charon->eap,
131 EAP_IDENTITY, 0, EAP_SERVER,
132 this->server, this->peer);
133 if (this->method == NULL)
134 {
135 DBG1(DBG_IKE, "%N method not available",
136 eap_type_names, EAP_IDENTITY);
137 return FAILED;
138 }
139 }
140
141 if (this->method->process(this->method, in, &this->out) != SUCCESS)
142 {
143
144 DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
145 return FAILED;
146 }
147
148 if (this->method->get_msk(this->method, &eap_id) == SUCCESS)
149 {
150 this->peer->destroy(this->peer);
151 this->peer = identification_create_from_data(eap_id);
152 DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
153 }
154
155 in->destroy(in);
156 this->method->destroy(this->method);
157 this->method = NULL;
158
159 /* Start Phase 2 of EAP-TTLS authentication */
160 eap_type_str = lib->settings->get_str(lib->settings,
161 "charon.plugins.eap-ttls.phase2_method", "md5");
162 type = eap_type_from_string(eap_type_str);
163 if (type == 0)
164 {
165 DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
166 return FAILED;
167 }
168 DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
169
170 this->method = charon->eap->create_instance(charon->eap, type, 0,
171 EAP_SERVER, this->server, this->peer);
172 if (this->method == NULL)
173 {
174 DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
175 return FAILED;
176 }
177 if (this->method->initiate(this->method, &this->out) == NEED_MORE)
178 {
179 return NEED_MORE;
180 }
181 else
182 {
183 DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
184 return FAILED;
185 }
186 }
187
188 if (this->method == 0)
189 {
190 DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS);
191 in->destroy(in);
192 return FAILED;
193 }
194
195 status = this->method->process(this->method, in, &this->out);
196 in->destroy(in);
197
198 switch (status)
199 {
200 case SUCCESS:
201 DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
202 eap_type_names, EAP_TTLS, this->peer,
203 eap_type_names, type);
204 this->method->destroy(this->method);
205 this->method = NULL;
206 break;
207 case NEED_MORE:
208 break;
209 case FAILED:
210 default:
211 if (vendor)
212 {
213 DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
214 type, vendor);
215 }
216 else
217 {
218 DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
219 }
220 return FAILED;
221 }
222 return status;
223 }
224
225 METHOD(tls_application_t, build, status_t,
226 private_eap_ttls_server_t *this, tls_writer_t *writer)
227 {
228 chunk_t data;
229 eap_code_t code;
230 eap_type_t type;
231 u_int32_t vendor;
232
233 if (this->method == NULL && this->start_phase2 &&
234 lib->settings->get_bool(lib->settings,
235 "charon.plugins.eap-ttls.phase2_piggyback", FALSE))
236 {
237 /* generate an EAP Identity request which will be piggybacked right
238 * onto the TLS Finished message thus initiating EAP-TTLS phase2
239 */
240 this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
241 0, EAP_SERVER, this->server, this->peer);
242 if (this->method == NULL)
243 {
244 DBG1(DBG_IKE, "EAP_IDENTITY method not available");
245 return FAILED;
246 }
247 this->method->initiate(this->method, &this->out);
248 this->start_phase2 = FALSE;
249 }
250
251 if (this->out)
252 {
253 code = this->out->get_code(this->out);
254 type = this->out->get_type(this->out, &vendor);
255 DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
256 eap_code_short_names, code, eap_type_short_names, type);
257
258 /* get the raw EAP message data */
259 data = this->out->get_data(this->out);
260 this->avp->build(this->avp, writer, data);
261
262 this->out->destroy(this->out);
263 this->out = NULL;
264 }
265 return INVALID_STATE;
266 }
267
268 METHOD(tls_application_t, destroy, void,
269 private_eap_ttls_server_t *this)
270 {
271 this->server->destroy(this->server);
272 this->peer->destroy(this->peer);
273 DESTROY_IF(this->method);
274 DESTROY_IF(this->out);
275 this->avp->destroy(this->avp);
276 free(this);
277 }
278
279 /**
280 * See header
281 */
282 eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
283 identification_t *peer)
284 {
285 private_eap_ttls_server_t *this;
286
287 INIT(this,
288 .public = {
289 .application = {
290 .process = _process,
291 .build = _build,
292 .destroy = _destroy,
293 },
294 },
295 .server = server->clone(server),
296 .peer = peer->clone(peer),
297 .start_phase2 = TRUE,
298 .avp = eap_ttls_avp_create(),
299 );
300
301 return &this->public;
302 }