Implemented TCG/PB-PDP_Referral message
[strongswan.git] / src / libcharon / plugins / tnc_pdp / tnc_pdp.c
1 /*
2 * Copyright (C) 2012-2013 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tnc_pdp.h"
17 #include "tnc_pdp_connections.h"
18
19 #include <errno.h>
20 #include <unistd.h>
21
22 #include <radius_message.h>
23 #include <radius_mppe.h>
24
25 #include <pt_tls_server.h>
26
27 #include <tnc/tnc.h>
28
29 #include <tncifimv.h>
30 #include <tncif_names.h>
31
32 #include <daemon.h>
33 #include <utils/debug.h>
34 #include <pen/pen.h>
35 #include <threading/thread.h>
36 #include <processing/jobs/callback_job.h>
37 #include <sa/eap/eap_method.h>
38
39 typedef struct private_tnc_pdp_t private_tnc_pdp_t;
40
41 /**
42 * Default RADIUS port, when not configured
43 */
44 #define RADIUS_PORT 1812
45
46 /**
47 * Maximum size of a RADIUS IP packet
48 */
49 #define MAX_PACKET 4096
50
51 /**
52 * private data of tnc_pdp_t
53 */
54 struct private_tnc_pdp_t {
55
56 /**
57 * implements tnc_pdp_t interface
58 */
59 tnc_pdp_t public;
60
61 /**
62 * ID of the server
63 */
64 identification_t *server;
65
66 /**
67 * EAP method type to be used
68 */
69 eap_type_t type;
70
71 /**
72 * PT-TLS port of the server
73 */
74 u_int16_t pt_tls_port;
75
76 /**
77 * PT-TLS IPv4 socket
78 */
79 int pt_tls_ipv4;
80
81 /**
82 * PT-TLS IPv6 socket
83 */
84 int pt_tls_ipv6;
85
86 /**
87 * RADIUS IPv4 socket
88 */
89 int radius_ipv4;
90
91 /**
92 * RADIUS IPv6 socket
93 */
94 int radius_ipv6;
95
96 /**
97 * RADIUS shared secret
98 */
99 chunk_t secret;
100
101 /**
102 * MD5 hasher
103 */
104 hasher_t *hasher;
105
106 /**
107 * HMAC MD5 signer, with secret set
108 */
109 signer_t *signer;
110
111 /**
112 * Nonce generator for MS-MPPE salt values
113 */
114 nonce_gen_t *ng;
115
116 /**
117 * List of registered TNC-PDP connections
118 */
119 tnc_pdp_connections_t *connections;
120
121 };
122
123 /**
124 * Open IPv4 or IPv6 UDP socket
125 */
126 static int open_udp_socket(int family, u_int16_t port)
127 {
128 int on = TRUE;
129 struct sockaddr_storage addr;
130 socklen_t addrlen;
131 int skt;
132
133 memset(&addr, 0, sizeof(addr));
134 addr.ss_family = family;
135
136 /* precalculate constants depending on address family */
137 switch (family)
138 {
139 case AF_INET:
140 {
141 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
142
143 htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
144 htoun16(&sin->sin_port, port);
145 addrlen = sizeof(struct sockaddr_in);
146 break;
147 }
148 case AF_INET6:
149 {
150 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
151
152 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
153 htoun16(&sin6->sin6_port, port);
154 addrlen = sizeof(struct sockaddr_in6);
155 break;
156 }
157 default:
158 return 0;
159 }
160
161 /* open the socket */
162 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
163 if (skt < 0)
164 {
165 DBG1(DBG_CFG, "opening UDP socket failed: %s", strerror(errno));
166 return 0;
167 }
168 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
169 {
170 DBG1(DBG_CFG, "unable to set SO_REUSEADDR on socket: %s",
171 strerror(errno));
172 close(skt);
173 return 0;
174 }
175 if (family == AF_INET6)
176 {
177 if (setsockopt(skt, IPPROTO_IPV6, IPV6_V6ONLY,
178 (void *)&on, sizeof(on)) < 0)
179 {
180 DBG1(DBG_CFG, "unable to set IPV6_V6ONLY on socket: %s",
181 strerror(errno));
182 close(skt);
183 return 0;
184 }
185 }
186
187 /* bind the socket */
188 if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
189 {
190 DBG1(DBG_CFG, "unable to bind UDP socket: %s", strerror(errno));
191 close(skt);
192 return 0;
193 }
194
195 return skt;
196 }
197
198 /**
199 * Open IPv4 or IPv6 TCP socket
200 */
201 static int open_tcp_socket(int family, u_int16_t port)
202 {
203 int on = TRUE;
204 struct sockaddr_storage addr;
205 socklen_t addrlen;
206 int skt;
207
208 memset(&addr, 0, sizeof(addr));
209 addr.ss_family = family;
210
211 /* precalculate constants depending on address family */
212 switch (family)
213 {
214 case AF_INET:
215 {
216 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
217
218 htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
219 htoun16(&sin->sin_port, port);
220 addrlen = sizeof(struct sockaddr_in);
221 break;
222 }
223 case AF_INET6:
224 {
225 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
226
227 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
228 htoun16(&sin6->sin6_port, port);
229 addrlen = sizeof(struct sockaddr_in6);
230 break;
231 }
232 default:
233 return 0;
234 }
235
236 /* open the socket */
237 skt = socket(family, SOCK_STREAM, IPPROTO_TCP);
238 if (skt < 0)
239 {
240 DBG1(DBG_CFG, "opening TCP socket failed: %s", strerror(errno));
241 return 0;
242 }
243 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
244 {
245 DBG1(DBG_CFG, "unable to set SO_REUSEADDR on socket: %s",
246 strerror(errno));
247 close(skt);
248 return 0;
249 }
250 if (family == AF_INET6)
251 {
252 if (setsockopt(skt, IPPROTO_IPV6, IPV6_V6ONLY,
253 (void *)&on, sizeof(on)) < 0)
254 {
255 DBG1(DBG_CFG, "unable to set IPV6_V6ONLY on socket: %s",
256 strerror(errno));
257 close(skt);
258 return 0;
259 }
260 }
261
262 /* bind the socket */
263 if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
264 {
265 DBG1(DBG_CFG, "unable to bind TCP socket: %s", strerror(errno));
266 close(skt);
267 return 0;
268 }
269
270 /* start listening on socket */
271 if (listen(skt, 5) == -1)
272 {
273 DBG1(DBG_TNC, "listen on TCP socket failed: %s", strerror(errno));
274 close(skt);
275 return 0;
276 }
277
278 return skt;
279 }
280
281 /**
282 * Send a RADIUS message to client
283 */
284 static void send_message(private_tnc_pdp_t *this, radius_message_t *message,
285 host_t *client)
286 {
287 int fd;
288 chunk_t data;
289
290 fd = (client->get_family(client) == AF_INET) ?
291 this->radius_ipv4 : this->radius_ipv6;
292 data = message->get_encoding(message);
293
294 DBG2(DBG_CFG, "sending RADIUS packet to %#H", client);
295 DBG3(DBG_CFG, "%B", &data);
296
297 if (sendto(fd, data.ptr, data.len, 0, client->get_sockaddr(client),
298 *client->get_sockaddr_len(client)) != data.len)
299 {
300 DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
301 }
302 }
303
304 /**
305 * Encrypt a MS-MPPE-Send/Recv-Key
306 */
307 static chunk_t encrypt_mppe_key(private_tnc_pdp_t *this, u_int8_t type,
308 chunk_t key, u_int16_t *salt,
309 radius_message_t *request)
310 {
311 chunk_t a, r, seed, data;
312 u_char b[HASH_SIZE_MD5], *c;
313 mppe_key_t *mppe_key;
314
315 /**
316 * From RFC2548 (encryption):
317 * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
318 * b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2)
319 * . . .
320 * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)
321 */
322
323 data = chunk_alloc(sizeof(mppe_key_t) +
324 HASH_SIZE_MD5 * (1 + key.len / HASH_SIZE_MD5));
325 memset(data.ptr, 0x00, data.len);
326
327 mppe_key = (mppe_key_t*)data.ptr;
328 mppe_key->id = htonl(PEN_MICROSOFT);
329 mppe_key->type = type;
330 mppe_key->length = data.len - sizeof(mppe_key->id);
331 mppe_key->key[0] = key.len;
332
333 memcpy(&mppe_key->key[1], key.ptr, key.len);
334
335 /**
336 * generate a 16 bit unique random salt value for the MPPE stream cipher
337 * the MSB of the salt MUST be set to 1
338 */
339 a = chunk_create((u_char*)&(mppe_key->salt), sizeof(mppe_key->salt));
340 do
341 {
342 if (!this->ng->get_nonce(this->ng, a.len, a.ptr))
343 {
344 free(data.ptr);
345 return chunk_empty;
346 }
347 *a.ptr |= 0x80;
348 }
349 while (mppe_key->salt == *salt);
350
351 /* update the salt value */
352 *salt = mppe_key->salt;
353
354 r = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
355 seed = chunk_cata("cc", r, a);
356
357 c = mppe_key->key;
358 while (c < data.ptr + data.len)
359 {
360 /* b(i) = MD5(S + c(i-1)) */
361 if (!this->hasher->get_hash(this->hasher, this->secret, NULL) ||
362 !this->hasher->get_hash(this->hasher, seed, b))
363 {
364 free(data.ptr);
365 return chunk_empty;
366 }
367
368 /* c(i) = b(i) xor p(1) */
369 memxor(c, b, HASH_SIZE_MD5);
370
371 /* prepare next round */
372 seed = chunk_create(c, HASH_SIZE_MD5);
373 c += HASH_SIZE_MD5;
374 }
375
376 return data;
377 }
378
379 /**
380 * Send a RADIUS response for a request
381 */
382 static void send_response(private_tnc_pdp_t *this, radius_message_t *request,
383 radius_message_code_t code, eap_payload_t *eap,
384 identification_t *group, chunk_t msk, host_t *client)
385 {
386 radius_message_t *response;
387 chunk_t data, recv, send;
388 u_int32_t tunnel_type;
389 u_int16_t salt = 0;
390
391 response = radius_message_create(code);
392 data = eap->get_data(eap);
393 DBG3(DBG_CFG, "%N payload %B", eap_type_names, this->type, &data);
394
395 /* fragment data suitable for RADIUS */
396 while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
397 {
398 response->add(response, RAT_EAP_MESSAGE,
399 chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
400 data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
401 }
402 response->add(response, RAT_EAP_MESSAGE, data);
403
404 if (group)
405 {
406 tunnel_type = RADIUS_TUNNEL_TYPE_ESP;
407 htoun32(data.ptr, tunnel_type);
408 data.len = sizeof(tunnel_type);
409 response->add(response, RAT_TUNNEL_TYPE, data);
410 response->add(response, RAT_FILTER_ID, group->get_encoding(group));
411 }
412 if (msk.len)
413 {
414 recv = chunk_create(msk.ptr, msk.len / 2);
415 data = encrypt_mppe_key(this, MS_MPPE_RECV_KEY, recv, &salt, request);
416 response->add(response, RAT_VENDOR_SPECIFIC, data);
417 chunk_free(&data);
418
419 send = chunk_create(msk.ptr + recv.len, msk.len - recv.len);
420 data = encrypt_mppe_key(this, MS_MPPE_SEND_KEY, send, &salt, request);
421 response->add(response, RAT_VENDOR_SPECIFIC, data);
422 chunk_free(&data);
423 }
424 response->set_identifier(response, request->get_identifier(request));
425 if (response->sign(response, request->get_authenticator(request),
426 this->secret, this->hasher, this->signer, NULL, TRUE))
427 {
428 DBG1(DBG_CFG, "sending RADIUS %N to client '%H'",
429 radius_message_code_names, code, client);
430 send_message(this, response, client);
431 }
432 response->destroy(response);
433 }
434
435 /**
436 * Process EAP message
437 */
438 static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
439 host_t *source)
440 {
441 enumerator_t *enumerator;
442 eap_payload_t *in, *out = NULL;
443 eap_method_t *method;
444 eap_type_t eap_type;
445 u_int32_t eap_vendor;
446 chunk_t data, message = chunk_empty, msk = chunk_empty;
447 chunk_t user_name = chunk_empty, nas_id = chunk_empty;
448 identification_t *group = NULL;
449 radius_message_code_t code = RMC_ACCESS_CHALLENGE;
450 int type;
451
452 enumerator = request->create_enumerator(request);
453 while (enumerator->enumerate(enumerator, &type, &data))
454 {
455 switch (type)
456 {
457 case RAT_USER_NAME:
458 user_name = data;
459 break;
460 case RAT_NAS_IDENTIFIER:
461 nas_id = data;
462 break;
463 case RAT_EAP_MESSAGE:
464 if (data.len)
465 {
466 message = chunk_cat("mc", message, data);
467 }
468 break;
469 default:
470 break;
471 }
472 }
473 enumerator->destroy(enumerator);
474
475 if (message.len)
476 {
477 in = eap_payload_create_data(message);
478
479 /* apply EAP method selected by RADIUS server */
480 eap_type = in->get_type(in, &eap_vendor);
481
482 DBG3(DBG_CFG, "%N payload %B", eap_type_names, eap_type, &message);
483
484 if (eap_type == EAP_IDENTITY)
485 {
486 identification_t *peer;
487 chunk_t eap_identity;
488
489 if (message.len < 5)
490 {
491 goto end;
492 }
493 eap_identity = chunk_create(message.ptr + 5, message.len - 5);
494 peer = identification_create_from_data(eap_identity);
495 method = charon->eap->create_instance(charon->eap, this->type,
496 0, EAP_SERVER, this->server, peer);
497 if (!method)
498 {
499 peer->destroy(peer);
500 goto end;
501 }
502 this->connections->add(this->connections, nas_id, user_name, peer,
503 method);
504 if (method->initiate(method, &out) == NEED_MORE)
505 {
506 send_response(this, request, code, out, group, msk, source);
507 }
508 }
509 else
510 {
511 ike_sa_t *ike_sa;
512 auth_cfg_t *auth;
513 auth_rule_t type;
514 identification_t *data;
515 enumerator_t *e;
516
517 method = this->connections->get_state(this->connections, nas_id,
518 user_name, &ike_sa);
519 if (!method)
520 {
521 goto end;
522 }
523 charon->bus->set_sa(charon->bus, ike_sa);
524
525 switch (method->process(method, in, &out))
526 {
527 case NEED_MORE:
528 code = RMC_ACCESS_CHALLENGE;
529 break;
530 case SUCCESS:
531 code = RMC_ACCESS_ACCEPT;
532 method->get_msk(method, &msk);
533 auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
534 e = auth->create_enumerator(auth);
535 while (e->enumerate(e, &type, &data))
536 {
537 /* look for group memberships */
538 if (type == AUTH_RULE_GROUP)
539 {
540 group = data;
541 }
542 }
543 e->destroy(e);
544
545 DESTROY_IF(out);
546 out = eap_payload_create_code(EAP_SUCCESS,
547 in->get_identifier(in));
548 break;
549 case FAILED:
550 default:
551 code = RMC_ACCESS_REJECT;
552 DESTROY_IF(out);
553 out = eap_payload_create_code(EAP_FAILURE,
554 in->get_identifier(in));
555 }
556 charon->bus->set_sa(charon->bus, NULL);
557 send_response(this, request, code, out, group, msk, source);
558 this->connections->unlock(this->connections);
559 }
560
561 if (code == RMC_ACCESS_ACCEPT || code == RMC_ACCESS_REJECT)
562 {
563 this->connections->remove(this->connections, nas_id, user_name);
564 }
565
566 out->destroy(out);
567 end:
568 free(message.ptr);
569 in->destroy(in);
570 }
571 }
572
573 /**
574 * Callback function to get recommendation from TNCCS connection
575 */
576 static bool get_recommendation(TNC_IMV_Action_Recommendation rec,
577 TNC_IMV_Evaluation_Result eval)
578 {
579 DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
580 TNC_IMV_Action_Recommendation_names, rec,
581 TNC_IMV_Evaluation_Result_names, eval);
582
583 return TRUE;
584 }
585
586 /**
587 * Get more data on a PT-TLS connection
588 */
589 static bool pt_tls_receive_more(pt_tls_server_t *this, int fd,
590 watcher_event_t event)
591 {
592 switch (this->handle(this))
593 {
594 case NEED_MORE:
595 return TRUE;
596 case FAILED:
597 case SUCCESS:
598 default:
599 DBG1(DBG_TNC, "PT-TLS connection terminates");
600 this->destroy(this);
601 close(fd);
602 return FALSE;
603 }
604 }
605
606 /**
607 * Accept TCP connection received on the PT-TLS listening socket
608 */
609 static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t event)
610 {
611 int pt_tls_fd;
612 struct sockaddr_storage addr;
613 socklen_t addrlen = sizeof(addr);
614 identification_t *peer;
615 host_t *host;
616 pt_tls_server_t *pt_tls;
617 tnccs_t *tnccs;
618 pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL;
619
620 pt_tls_fd = accept(fd, (sockaddr_t*)&addr, &addrlen);
621 if (pt_tls_fd == -1)
622 {
623 DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno));
624 return FALSE;
625 }
626 host = host_create_from_sockaddr((sockaddr_t*)&addr);
627 DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host);
628 host->destroy(host);
629
630 /* At this moment the peer identity is not known yet */
631 peer = identification_create_from_encoding(ID_ANY, chunk_empty),
632
633 tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
634 this->server, peer, TNC_IFT_TLS_2_0,
635 (tnccs_cb_t)get_recommendation);
636 peer->destroy(peer);
637
638 if (!tnccs)
639 {
640 DBG1(DBG_TNC, "could not create TNCCS 2.0 connection instance");
641 close(pt_tls_fd);
642 return FALSE;
643 }
644
645 pt_tls = pt_tls_server_create(this->server, pt_tls_fd, auth, tnccs);
646 if (!pt_tls)
647 {
648 DBG1(DBG_TNC, "could not create PT-TLS connection instance");
649 close(pt_tls_fd);
650 return FALSE;
651 }
652
653 lib->watcher->add(lib->watcher, pt_tls_fd, WATCHER_READ,
654 (watcher_cb_t)pt_tls_receive_more, pt_tls);
655
656 return TRUE;
657 }
658
659 /**
660 * Process packets received on the RADIUS socket
661 */
662 static bool radius_receive(private_tnc_pdp_t *this, int fd, watcher_event_t event)
663 {
664 radius_message_t *request;
665 char buffer[MAX_PACKET];
666 int bytes_read = 0;
667 host_t *source;
668 union {
669 struct sockaddr_in in4;
670 struct sockaddr_in6 in6;
671 } src;
672 struct iovec iov = {
673 .iov_base = buffer,
674 .iov_len = MAX_PACKET,
675 };
676 struct msghdr msg = {
677 .msg_name = &src,
678 .msg_namelen = sizeof(src),
679 .msg_iov = &iov,
680 .msg_iovlen = 1,
681 };
682
683 /* read received packet */
684 bytes_read = recvmsg(fd, &msg, 0);
685 if (bytes_read < 0)
686 {
687 DBG1(DBG_CFG, "error reading RADIUS socket: %s", strerror(errno));
688 return FALSE;
689 }
690 if (msg.msg_flags & MSG_TRUNC)
691 {
692 DBG1(DBG_CFG, "receive buffer too small, RADIUS packet discarded");
693 return FALSE;
694 }
695 source = host_create_from_sockaddr((sockaddr_t*)&src);
696 DBG2(DBG_CFG, "received RADIUS packet from %#H", source);
697 DBG3(DBG_CFG, "%b", buffer, bytes_read);
698 request = radius_message_parse(chunk_create(buffer, bytes_read));
699 if (request)
700 {
701 DBG1(DBG_CFG, "received RADIUS %N from client '%H'",
702 radius_message_code_names, request->get_code(request), source);
703
704 if (request->verify(request, NULL, this->secret, this->hasher,
705 this->signer))
706 {
707 process_eap(this, request, source);
708 }
709 request->destroy(request);
710 }
711 else
712 {
713 DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
714 }
715 source->destroy(source);
716 return TRUE;
717 }
718
719 METHOD(tnc_pdp_t, destroy, void,
720 private_tnc_pdp_t *this)
721 {
722 if (this->pt_tls_ipv4)
723 {
724 lib->watcher->remove(lib->watcher, this->pt_tls_ipv4);
725 close(this->pt_tls_ipv4);
726 }
727 if (this->pt_tls_ipv6)
728 {
729 lib->watcher->remove(lib->watcher, this->pt_tls_ipv6);
730 close(this->pt_tls_ipv6);
731 }
732 if (this->radius_ipv4)
733 {
734 lib->watcher->remove(lib->watcher, this->radius_ipv4);
735 close(this->radius_ipv4);
736 }
737 if (this->radius_ipv6)
738 {
739 lib->watcher->remove(lib->watcher, this->radius_ipv6);
740 close(this->radius_ipv6);
741 }
742 DESTROY_IF(this->server);
743 DESTROY_IF(this->signer);
744 DESTROY_IF(this->hasher);
745 DESTROY_IF(this->ng);
746 DESTROY_IF(this->connections);
747 free(this);
748 }
749
750 /*
751 * see header file
752 */
753 tnc_pdp_t *tnc_pdp_create(void)
754 {
755 private_tnc_pdp_t *this;
756 char *secret, *server, *eap_type_str;
757 int radius_port, pt_tls_port;
758 bool radius_enable, pt_tls_enable;
759
760 server = lib->settings->get_str(lib->settings,
761 "%s.plugins.tnc-pdp.server", NULL, charon->name);
762 pt_tls_enable = lib->settings->get_bool(lib->settings,
763 "%s.plugins.tnc-pdp.pt_tls.enable", TRUE, charon->name);
764 pt_tls_port = lib->settings->get_int(lib->settings,
765 "%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
766 radius_enable = lib->settings->get_bool(lib->settings,
767 "%s.plugins.tnc-pdp.radius.enable", TRUE, charon->name);
768 radius_port = lib->settings->get_int(lib->settings,
769 "%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
770 secret = lib->settings->get_str(lib->settings,
771 "%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
772 eap_type_str = lib->settings->get_str(lib->settings,
773 "%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
774
775 if (!pt_tls_enable && !radius_enable)
776 {
777 DBG1(DBG_CFG, " neither PT-TLS and RADIUS protocols enabled, PDP disabled");
778 return NULL;
779 }
780 if (!server)
781 {
782 DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
783 return NULL;
784 }
785
786 INIT(this,
787 .public = {
788 .destroy = _destroy,
789 },
790 .server = identification_create_from_string(server),
791 .connections = tnc_pdp_connections_create(),
792 );
793
794 /* Create IPv4 and IPv6 PT-TLS listening sockets */
795 if (pt_tls_enable)
796 {
797 this->pt_tls_ipv4 = open_tcp_socket(AF_INET, pt_tls_port);
798 this->pt_tls_ipv6 = open_tcp_socket(AF_INET6, pt_tls_port);
799
800 if (!this->pt_tls_ipv4 && !this->pt_tls_ipv6)
801 {
802 DBG1(DBG_NET, "could not create any PT-TLS sockets");
803 destroy(this);
804 return NULL;
805 }
806 this->pt_tls_port = pt_tls_port;
807
808 if (this->pt_tls_ipv4)
809 {
810 lib->watcher->add(lib->watcher, this->pt_tls_ipv4, WATCHER_READ,
811 (watcher_cb_t)pt_tls_receive, this);
812 }
813 else
814 {
815 DBG1(DBG_NET, "could not open IPv4 PT-TLS socket, IPv4 disabled");
816 }
817
818 if (this->pt_tls_ipv6)
819 {
820 lib->watcher->add(lib->watcher, this->pt_tls_ipv6, WATCHER_READ,
821 (watcher_cb_t)pt_tls_receive, this);
822 }
823 else
824 {
825 DBG1(DBG_NET, "could not open IPv6 PT-TLS socket, IPv6 disabled");
826 }
827
828 /* register PT-TLS service */
829 lib->set(lib, "pt-tls-server", this->server);
830 lib->set(lib, "pt-tls-port", &this->pt_tls_port);
831 }
832
833 /* Create IPv4 and IPv6 RADIUS listening sockets */
834 if (radius_enable)
835 {
836 if (!secret)
837 {
838 DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
839 destroy(this);
840 return NULL;
841 }
842
843 this->radius_ipv4 = open_udp_socket(AF_INET, radius_port);
844 this->radius_ipv6 = open_udp_socket(AF_INET6, radius_port);
845 this->secret = chunk_from_str(secret);
846 this->type = eap_type_from_string(eap_type_str);
847 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
848 this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
849 this->ng = lib->crypto->create_nonce_gen(lib->crypto);
850
851 if (!this->hasher || !this->signer || !this->ng)
852 {
853 DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/NG required");
854 destroy(this);
855 return NULL;
856 }
857 if (!this->radius_ipv4 && !this->radius_ipv6)
858 {
859 DBG1(DBG_NET, "could not create any RADIUS sockets");
860 destroy(this);
861 return NULL;
862 }
863 if (this->radius_ipv4)
864 {
865 lib->watcher->add(lib->watcher, this->radius_ipv4, WATCHER_READ,
866 (watcher_cb_t)radius_receive, this);
867 }
868 else
869 {
870 DBG1(DBG_NET, "could not open IPv4 RADIUS socket, IPv4 disabled");
871 }
872 if (this->radius_ipv6)
873 {
874 lib->watcher->add(lib->watcher, this->radius_ipv6, WATCHER_READ,
875 (watcher_cb_t)radius_receive, this);
876 }
877 else
878 {
879 DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
880 }
881
882 if (!this->signer->set_key(this->signer, this->secret))
883 {
884 DBG1(DBG_CFG, "could not set signer key");
885 destroy(this);
886 return NULL;
887 }
888 if (this->type == 0)
889 {
890 DBG1(DBG_CFG, "unrecognized eap method \"%s\"", eap_type_str);
891 destroy(this);
892 return NULL;
893 }
894 DBG1(DBG_IKE, "eap method %N selected", eap_type_names, this->type);
895 }
896
897 return &this->public;
898 }