2 * Copyright (C) 2012 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include <radius_message.h>
25 #include <threading/thread.h>
26 #include <processing/jobs/callback_job.h>
27 #include <sa/authenticators/eap/eap_method.h>
29 typedef struct private_tnc_pdp_t private_tnc_pdp_t
;
32 * Maximum size of a RADIUS IP packet
34 #define MAX_PACKET 4096
37 * private data of tnc_pdp_t
39 struct private_tnc_pdp_t
{
42 * implements tnc_pdp_t interface
57 * Callback job dispatching commands
62 * RADIUS shared secret
72 * HMAC MD5 signer, with secret set
84 * Open IPv4 or IPv6 UDP RADIUS socket
86 static int open_socket(private_tnc_pdp_t
*this, int family
, u_int16_t port
)
89 struct sockaddr_storage addr
;
93 memset(&addr
, 0, sizeof(addr
));
94 addr
.ss_family
= family
;
96 /* precalculate constants depending on address family */
101 struct sockaddr_in
*sin
= (struct sockaddr_in
*)&addr
;
103 htoun32(&sin
->sin_addr
.s_addr
, INADDR_ANY
);
104 htoun16(&sin
->sin_port
, port
);
105 addrlen
= sizeof(struct sockaddr_in
);
110 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)&addr
;
112 memcpy(&sin6
->sin6_addr
, &in6addr_any
, sizeof(in6addr_any
));
113 htoun16(&sin6
->sin6_port
, port
);
114 addrlen
= sizeof(struct sockaddr_in6
);
121 /* open the socket */
122 skt
= socket(family
, SOCK_DGRAM
, IPPROTO_UDP
);
125 DBG1(DBG_CFG
, "opening RADIUS socket failed: %s", strerror(errno
));
128 if (setsockopt(skt
, SOL_SOCKET
, SO_REUSEADDR
, (void*)&on
, sizeof(on
)) < 0)
130 DBG1(DBG_CFG
, "unable to set SO_REUSEADDR on socket: %s", strerror(errno
));
135 /* bind the socket */
136 if (bind(skt
, (struct sockaddr
*)&addr
, addrlen
) < 0)
138 DBG1(DBG_CFG
, "unable to bind RADIUS socket: %s", strerror(errno
));
147 * Send a RADIUS message to client
149 static void send_message(private_tnc_pdp_t
*this, radius_message_t
*message
,
155 fd
= (client
->get_family(client
) == AF_INET
) ?
this->ipv4
: this->ipv6
;
156 data
= message
->get_encoding(message
);
158 DBG2(DBG_CFG
, "sending RADIUS packet to %#H", client
);
159 DBG3(DBG_CFG
, "%B", &data
);
161 if (sendto(fd
, data
.ptr
, data
.len
, 0, client
->get_sockaddr(client
),
162 *client
->get_sockaddr_len(client
)) != data
.len
)
164 DBG1(DBG_CFG
, "sending RADIUS message failed: %s", strerror(errno
));
169 * Send a RADIUS response for a request
171 static void send_response(private_tnc_pdp_t
*this,
172 radius_message_t
*request
, radius_message_code_t code
,
173 eap_payload_t
*eap
, host_t
*client
)
175 radius_message_t
*response
;
178 response
= radius_message_create(code
);
181 data
= eap
->get_data(eap
);
182 response
->add(response
, RAT_EAP_MESSAGE
, data
);
184 response
->set_identifier(response
, request
->get_identifier(request
));
185 response
->sign(response
, request
->get_authenticator(request
),
186 this->secret
, this->hasher
, this->signer
, NULL
, TRUE
);
188 DBG1(DBG_CFG
, "sending RADIUS %N to client '%H'", radius_message_code_names
,
190 send_message(this, response
, client
);
194 * Process EAP message
196 static void process_eap(private_tnc_pdp_t
*this, radius_message_t
*request
,
199 enumerator_t
*enumerator
;
200 eap_payload_t
*in
, *out
= NULL
;
202 chunk_t data
, message
= chunk_empty
;
203 radius_message_code_t code
= RMC_ACCESS_CHALLENGE
;
204 u_int32_t eap_vendor
;
207 enumerator
= request
->create_enumerator(request
);
208 while (enumerator
->enumerate(enumerator
, &type
, &data
))
210 if (type
== RAT_EAP_MESSAGE
&& data
.len
)
212 message
= chunk_cat("mc", message
, data
);
215 enumerator
->destroy(enumerator
);
219 in
= eap_payload_create_data(message
);
221 /* apply EAP method selected by RADIUS server */
222 eap_type
= in
->get_type(in
, &eap_vendor
);
224 DBG3(DBG_CFG
, "%N payload %B", eap_type_names
, eap_type
, &message
);
227 if (eap_type
== EAP_IDENTITY
)
229 identification_t
*server
, *peer
;
231 peer
= identification_create_from_string("carol@strongswan.org");
232 server
= identification_create_from_string("server");
233 this->method
= charon
->eap
->create_instance(charon
->eap
, EAP_MD5
, 0,
234 EAP_SERVER
, server
, peer
);
238 server
->destroy(server
);
242 this->method
->initiate(this->method
, &out
);
246 switch (this->method
->process(this->method
, in
, &out
))
249 code
= RMC_ACCESS_CHALLENGE
;
252 code
= RMC_ACCESS_ACCEPT
;
256 code
= RMC_ACCESS_REJECT
;
260 send_response(this, request
, code
, out
, source
);
268 * Process packets received on the RADIUS socket
270 static job_requeue_t
receive(private_tnc_pdp_t
*this)
274 radius_message_t
*request
;
275 char buffer
[MAX_PACKET
];
276 int max_fd
= 0, selected
= 0, bytes_read
= 0;
283 struct sockaddr_in in4
;
284 struct sockaddr_in6 in6
;
291 FD_SET(this->ipv4
, &rfds
);
295 FD_SET(this->ipv6
, &rfds
);
297 max_fd
= max(this->ipv4
, this->ipv6
);
299 DBG2(DBG_CFG
, "waiting for data on RADIUS sockets");
300 oldstate
= thread_cancelability(TRUE
);
301 if (select(max_fd
+ 1, &rfds
, NULL
, NULL
, NULL
) <= 0)
303 thread_cancelability(oldstate
);
306 thread_cancelability(oldstate
);
308 if (FD_ISSET(this->ipv4
, &rfds
))
310 selected
= this->ipv4
;
312 else if (FD_ISSET(this->ipv6
, &rfds
))
314 selected
= this->ipv6
;
318 /* oops, shouldn't happen */
322 /* read received packet */
324 msg
.msg_namelen
= sizeof(src
);
325 iov
.iov_base
= buffer
;
326 iov
.iov_len
= MAX_PACKET
;
331 bytes_read
= recvmsg(selected
, &msg
, 0);
334 DBG1(DBG_CFG
, "error reading RADIUS socket: %s", strerror(errno
));
337 if (msg
.msg_flags
& MSG_TRUNC
)
339 DBG1(DBG_CFG
, "receive buffer too small, RADIUS packet discarded");
342 source
= host_create_from_sockaddr((sockaddr_t
*)&src
);
343 DBG2(DBG_CFG
, "received RADIUS packet from %#H", source
);
344 DBG3(DBG_CFG
, "%b", buffer
, bytes_read
);
345 request
= radius_message_parse(chunk_create(buffer
, bytes_read
));
348 DBG1(DBG_CFG
, "received RADIUS %N from client '%H'",
349 radius_message_code_names
, request
->get_code(request
), source
);
351 if (request
->verify(request
, NULL
, this->secret
, this->hasher
,
354 process_eap(this, request
, source
);
356 request
->destroy(request
);
361 DBG1(DBG_CFG
, "received invalid RADIUS message, ignored");
363 source
->destroy(source
);
365 return JOB_REQUEUE_FAIR
;
368 METHOD(tnc_pdp_t
, destroy
, void,
369 private_tnc_pdp_t
*this)
373 this->job
->cancel(this->job
);
383 DESTROY_IF(this->signer
);
384 DESTROY_IF(this->hasher
);
385 DESTROY_IF(this->method
);
392 tnc_pdp_t
*tnc_pdp_create(u_int16_t port
)
394 private_tnc_pdp_t
*this;
401 .ipv4
= open_socket(this, AF_INET
, port
),
402 .ipv6
= open_socket(this, AF_INET6
, port
),
403 .hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_MD5
),
404 .signer
= lib
->crypto
->create_signer(lib
->crypto
, AUTH_HMAC_MD5_128
),
407 if (!this->ipv4
&& !this->ipv6
)
409 DBG1(DBG_NET
, "couldd not create any RADIUS sockets");
415 DBG1(DBG_NET
, "could not open IPv4 RADIUS socket, IPv4 disabled");
419 DBG1(DBG_NET
, "could not open IPv6 RADIUS socket, IPv6 disabled");
421 if (!this->hasher
|| !this->signer
)
426 secret
= lib
->settings
->get_str(lib
->settings
,
427 "charon.plugins.tnc-pdp.secret", NULL
);
430 DBG1(DBG_CFG
, "missing RADIUS secret, PDP disabled");
434 this->secret
= chunk_create(secret
, strlen(secret
));
435 this->signer
->set_key(this->signer
, this->secret
);
437 this->job
= callback_job_create_with_prio((callback_job_cb_t
)receive
,
438 this, NULL
, NULL
, JOB_PRIO_CRITICAL
);
439 lib
->processor
->queue_job(lib
->processor
, (job_t
*)this->job
);
441 return &this->public;