ARG_ENABL_SET([eap-mschapv2], [enable EAP MS-CHAPv2 authentication module.])
ARG_ENABL_SET([eap-tls], [enable EAP TLS authentication module.])
ARG_ENABL_SET([eap-ttls], [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-peap], [enable EAP PEAP authentication module.])
ARG_ENABL_SET([eap-tnc], [enable EAP TNC trusted network connect module.])
ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.])
ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.])
simaka=true;
fi
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
tls=true;
fi
ADD_PLUGIN([eap-radius], [c libcharon])
ADD_PLUGIN([eap-tls], [c libcharon])
ADD_PLUGIN([eap-ttls], [c libcharon])
+ADD_PLUGIN([eap-peap], [c libcharon])
ADD_PLUGIN([eap-tnc], [c libcharon])
ADD_PLUGIN([tnccs-20], [c libcharon])
ADD_PLUGIN([tnccs-11], [c libcharon])
AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
src/libcharon/plugins/eap_mschapv2/Makefile
src/libcharon/plugins/eap_tls/Makefile
src/libcharon/plugins/eap_ttls/Makefile
+ src/libcharon/plugins/eap_peap/Makefile
src/libcharon/plugins/eap_tnc/Makefile
src/libcharon/plugins/eap_radius/Makefile
src/libcharon/plugins/tnc_imc/Makefile
endif
endif
+if USE_EAP_PEAP
+ SUBDIRS += plugins/eap_peap
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/eap_peap/libstrongswan-eap-peap.la
+endif
+endif
+
if USE_EAP_TNC
SUBDIRS += plugins/eap_tnc
if MONOLITHIC
--- /dev/null
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-peap.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-peap.la
+libstrongswan_eap_peap_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_peap_la_SOURCES = \
+ eap_peap_plugin.h eap_peap_plugin.c \
+ eap_peap.h eap_peap.c \
+ eap_peap_peer.h eap_peap_peer.c \
+ eap_peap_server.h eap_peap_server.c \
+ eap_peap_avp.h eap_peap_avp.c
+
+libstrongswan_eap_peap_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2010 Martin Willi, revosec AG
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap.h"
+#include "eap_peap_peer.h"
+#include "eap_peap_server.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_peap_t private_eap_peap_t;
+
+/**
+ * Private data of an eap_peap_t object.
+ */
+struct private_eap_peap_t {
+
+ /**
+ * Public interface.
+ */
+ eap_peap_t public;
+
+ /**
+ * TLS stack, wrapped by EAP helper
+ */
+ tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-PEAP messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-PEAP fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+ private_eap_peap_t *this, eap_payload_t **out)
+{
+ chunk_t data;
+
+ if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+ {
+ *out = eap_payload_create_data(data);
+ free(data.ptr);
+ return NEED_MORE;
+ }
+ return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+ private_eap_peap_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+ status_t status;
+ chunk_t data;
+
+ data = in->get_data(in);
+ status = this->tls_eap->process(this->tls_eap, data, &data);
+ if (status == NEED_MORE)
+ {
+ *out = eap_payload_create_data(data);
+ free(data.ptr);
+ }
+ return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_peap_t *this, u_int32_t *vendor)
+{
+ *vendor = 0;
+ return EAP_PEAP;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_peap_t *this, chunk_t *msk)
+{
+ *msk = this->tls_eap->get_msk(this->tls_eap);
+ if (msk->len)
+ {
+ return SUCCESS;
+ }
+ return FAILED;
+}
+
+METHOD(eap_method_t, get_identifier, u_int8_t,
+ private_eap_peap_t *this)
+{
+ return this->tls_eap->get_identifier(this->tls_eap);
+}
+
+METHOD(eap_method_t, set_identifier, void,
+ private_eap_peap_t *this, u_int8_t identifier)
+{
+ this->tls_eap->set_identifier(this->tls_eap, identifier);
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_peap_t *this)
+{
+ return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+ private_eap_peap_t *this)
+{
+ this->tls_eap->destroy(this->tls_eap);
+ free(this);
+}
+
+/**
+ * Create an empty private eap_peap_t object
+ */
+static private_eap_peap_t *eap_peap_create_empty(void)
+{
+ private_eap_peap_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ },
+ );
+ return this;
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
+ identification_t *server,
+ identification_t *peer, bool is_server,
+ tls_application_t *application)
+{
+ size_t frag_size;
+ int max_msg_count;
+ tls_t *tls;
+
+ if (is_server && !lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.request_peer_auth", FALSE))
+ {
+ peer = NULL;
+ }
+ frag_size = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN);
+ max_msg_count = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP, application);
+ this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count);
+ if (!this->tls_eap)
+ {
+ application->destroy(application);
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+eap_peap_t *eap_peap_create_server(identification_t *server,
+ identification_t *peer)
+{
+ private_eap_peap_t *eap_peap;
+ eap_method_t *eap_method;
+ eap_peap_server_t *eap_peap_server;
+ tls_application_t *application;
+
+ /* the tunneled application needs a reference to the outer EAP-PEAP method */
+ eap_peap = eap_peap_create_empty();
+ eap_method = &eap_peap->public.eap_method;
+ eap_peap_server = eap_peap_server_create(server, peer, eap_method);
+ application = &eap_peap_server->application;
+
+ return eap_peap_create(eap_peap, server, peer, TRUE, application);
+}
+
+eap_peap_t *eap_peap_create_peer(identification_t *server,
+ identification_t *peer)
+{
+ private_eap_peap_t *eap_peap;
+ eap_method_t *eap_method;
+ eap_peap_peer_t *eap_peap_peer;
+ tls_application_t *application;
+
+ /* the tunneled application needs a reference to the outer EAP-PEAP method */
+ eap_peap = eap_peap_create_empty();
+ eap_method = &eap_peap->public.eap_method;
+ eap_peap_peer = eap_peap_peer_create(server, peer, eap_method);
+ application = &eap_peap_peer->application;
+
+ return eap_peap_create(eap_peap, server, peer, FALSE, application);
+}
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_i eap_peap
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_H_
+#define EAP_PEAP_H_
+
+typedef struct eap_peap_t eap_peap_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-PEAP.
+ */
+struct eap_peap_t {
+
+ /**
+ * Implements eap_method_t interface.
+ */
+ eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-PEAP acting as server.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_peap_t object
+ */
+eap_peap_t *eap_peap_create_server(identification_t *server,
+ identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-PEAP acting as peer.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_peap_t object
+ */
+eap_peap_t *eap_peap_create_peer(identification_t *server,
+ identification_t *peer);
+
+#endif /** EAP_PEAP_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_avp.h"
+
+#include <eap/eap.h>
+#include <debug.h>
+
+/**
+ * Microsoft Success and Failure Result AVPs
+ */
+static const chunk_t MS_AVP_Success = chunk_from_chars(
+ 0x80, 0x03, 0x00, 0x02, 0x00, 0x01);
+static const chunk_t MS_AVP_Failure = chunk_from_chars(
+ 0x80, 0x03, 0x00, 0x02, 0x00, 0x02);
+
+typedef struct private_eap_peap_avp_t private_eap_peap_avp_t;
+
+/**
+ * Private data of an eap_peap_avp_t object.
+ */
+struct private_eap_peap_avp_t {
+
+ /**
+ * Public eap_peap_avp_t interface.
+ */
+ eap_peap_avp_t public;
+
+ /**
+ * EAP server or peer
+ */
+ bool is_server;
+};
+
+METHOD(eap_peap_avp_t, build, void,
+ private_eap_peap_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+ u_int8_t code;
+ eap_packet_t *pkt;
+ chunk_t avp_data;
+
+ pkt = (eap_packet_t*)data.ptr;
+
+ if (pkt->code == EAP_SUCCESS || pkt->code == EAP_FAILURE)
+ {
+ code = (this->is_server) ? EAP_REQUEST : EAP_RESPONSE;
+ writer->write_uint8(writer, code);
+ writer->write_uint8(writer, pkt->identifier);
+ writer->write_uint16(writer, 11);
+ writer->write_uint8(writer, EAP_MSTLV);
+ avp_data = (pkt->code == EAP_SUCCESS) ? MS_AVP_Success : MS_AVP_Failure;
+ }
+ else
+ {
+ avp_data = chunk_skip(data, 4);
+ }
+ writer->write_data(writer, avp_data);
+}
+
+METHOD(eap_peap_avp_t, process, status_t,
+ private_eap_peap_avp_t* this, tls_reader_t *reader, chunk_t *data,
+ u_int8_t identifier)
+{
+ u_int8_t code;
+ u_int16_t len;
+ eap_packet_t *pkt;
+ chunk_t avp_data;
+
+ code = (this->is_server) ? EAP_RESPONSE : EAP_REQUEST;
+ len = reader->remaining(reader);
+ if (!reader->read_data(reader, len, &avp_data))
+ {
+ return FAILED;
+ }
+ pkt = (eap_packet_t*)avp_data.ptr;
+
+ if (len == 11 && pkt->code == code && untoh16(&pkt->length) == len &&
+ pkt->type == EAP_MSTLV)
+ {
+ if (memeq(&pkt->data, MS_AVP_Success.ptr, MS_AVP_Success.len))
+ {
+ DBG2(DBG_IKE, "MS Success Result AVP");
+ code = EAP_SUCCESS;
+ }
+ else if (memeq(&pkt->data, MS_AVP_Failure.ptr, MS_AVP_Failure.len))
+ {
+ DBG2(DBG_IKE, "MS Failure Result AVP");
+ code = EAP_FAILURE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "unknown MS AVP message");
+ return FAILED;
+ }
+ identifier = pkt->identifier;
+ len = 0;
+ }
+
+ *data = chunk_alloc(4 + len);
+ pkt = (eap_packet_t*)data->ptr;
+ pkt->code = code;
+ pkt->identifier = identifier;
+ htoun16(&pkt->length, data->len);
+ memcpy(data->ptr + 4, avp_data.ptr, len);
+
+ return SUCCESS;
+}
+
+METHOD(eap_peap_avp_t, destroy, void,
+ private_eap_peap_avp_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_avp_t *eap_peap_avp_create(bool is_server)
+{
+ private_eap_peap_avp_t *this;
+
+ INIT(this,
+ .public= {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ .is_server = is_server,
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_avp eap_peap_avp
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_AVP_H_
+#define EAP_PEAP_AVP_H_
+
+typedef struct eap_peap_avp_t eap_peap_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-PEAP Attribute-Value Pair (AVP) handler.
+ */
+struct eap_peap_avp_t {
+
+ /**
+ * Process received EAP-PEAP Message AVP.
+ *
+ * @param reader TLS data buffer
+ * @param data received EAP Message
+ * @param identifier EAP-PEAP message identifier
+ * @return
+ * - SUCCESS if AVP processing succeeded
+ * - FAILED if AVP processing failed
+ * - NEED_MORE if another invocation of process/build needed
+ */
+ status_t (*process)(eap_peap_avp_t *this, tls_reader_t *reader,
+ chunk_t *data, u_int8_t identifier);
+
+ /**
+ * Build EAP-PEAP Message AVP to send out.
+ *
+ * @param writer TLS data buffer to write to
+ * @param data EAP Message to send
+ */
+ void (*build)(eap_peap_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+ /**
+ * Destroy a eap_peap_application_t.
+ */
+ void (*destroy)(eap_peap_avp_t *this);
+};
+
+/**
+ * Create an eap_peap_avp instance.
+ *
+ * @param is_server TRUE iv eap server, FALSE if eap peer
+ */
+eap_peap_avp_t *eap_peap_avp_create(bool is_server);
+
+#endif /** EAP_PEAP_AVP_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_peer.h"
+#include "eap_peap_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+typedef struct private_eap_peap_peer_t private_eap_peap_peer_t;
+
+/**
+ * Private data of an eap_peap_peer_t object.
+ */
+struct private_eap_peap_peer_t {
+
+ /**
+ * Public eap_peap_peer_t interface.
+ */
+ eap_peap_peer_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * Current EAP-PEAP state
+ */
+ bool start_phase2;
+
+ /**
+ * Outer phase 1 EAP method
+ */
+ eap_method_t *ph1_method;
+
+ /**
+ * Current phase 2 EAP method
+ */
+ eap_method_t *ph2_method;
+
+ /**
+ * Pending outbound EAP message
+ */
+ eap_payload_t *out;
+
+ /**
+ * AVP handler
+ */
+ eap_peap_avp_t *avp;
+};
+
+METHOD(tls_application_t, process, status_t,
+ private_eap_peap_peer_t *this, tls_reader_t *reader)
+{
+ chunk_t data = chunk_empty;
+ status_t status;
+ payload_t *payload;
+ eap_payload_t *in;
+ eap_code_t code;
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
+
+ status = this->avp->process(this->avp, reader, &data,
+ this->ph1_method->get_identifier(this->ph1_method));
+ switch (status)
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ case FAILED:
+ default:
+ return FAILED;
+ }
+
+ in = eap_payload_create_data(data);
+ DBG3(DBG_IKE, "%B", &data);
+ chunk_free(&data);
+ payload = (payload_t*)in;
+
+ if (payload->verify(payload) != SUCCESS)
+ {
+ in->destroy(in);
+ return FAILED;
+ }
+
+ code = in->get_code(in);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ received_type = in->get_type(in, &received_vendor);
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
+ if (code != EAP_REQUEST)
+ {
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ this->out = eap_payload_create_code(code, in->get_identifier(in));
+ in->destroy(in);
+ return NEED_MORE;
+ }
+
+ if (this->ph2_method == NULL)
+ {
+ if (received_vendor)
+ {
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d "
+ "(id: %u)", received_type, received_vendor,
+ in->get_identifier(in));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "server requested %N authentication (id: %u)",
+ eap_type_names, received_type, in->get_identifier(in));
+ }
+ this->ph2_method = charon->eap->create_instance(charon->eap,
+ received_type, received_vendor,
+ EAP_PEER, this->server, this->peer);
+ if (!this->ph2_method)
+ {
+ DBG1(DBG_IKE, "EAP method not supported");
+ this->out = eap_payload_create_nak(in->get_identifier(in));
+ in->destroy(in);
+ return NEED_MORE;
+ }
+ this->start_phase2 = FALSE;
+ }
+
+ type = this->ph2_method->get_type(this->ph2_method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ DBG1(DBG_IKE, "received invalid EAP request");
+ in->destroy(in);
+ return FAILED;
+ }
+
+ status = this->ph2_method->process(this->ph2_method, in, &this->out);
+ in->destroy(in);
+
+ switch (status)
+ {
+ case SUCCESS:
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+ return NEED_MORE;
+ case NEED_MORE:
+ if (type != EAP_TNC)
+ {
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+ }
+ return NEED_MORE;
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+ type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ }
+ return FAILED;
+ }
+}
+
+METHOD(tls_application_t, build, status_t,
+ private_eap_peap_peer_t *this, tls_writer_t *writer)
+{
+ chunk_t data;
+ eap_code_t code;
+ eap_type_t type;
+ u_int32_t vendor;
+
+ if (this->ph2_method == NULL && this->start_phase2)
+ {
+ /* generate an EAP Identity response */
+ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+ 0, EAP_PEER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "EAP_IDENTITY method not available");
+ return FAILED;
+ }
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method));
+
+ this->ph2_method->process(this->ph2_method, NULL, &this->out);
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+ this->start_phase2 = FALSE;
+ }
+
+ if (this->out)
+ {
+ code = this->out->get_code(this->out);
+ type = this->out->get_type(this->out, &vendor);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code, eap_type_short_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ }
+
+ /* get the raw EAP message data */
+ data = this->out->get_data(this->out);
+ DBG3(DBG_IKE, "%B", &data);
+ this->avp->build(this->avp, writer, data);
+
+ this->out->destroy(this->out);
+ this->out = NULL;
+ }
+ return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+ private_eap_peap_peer_t *this)
+{
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ DESTROY_IF(this->ph2_method);
+ DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_peer_t *eap_peap_peer_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method)
+{
+ private_eap_peap_peer_t *this;
+
+ INIT(this,
+ .public = {
+ .application = {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ },
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .ph1_method = eap_method,
+ .start_phase2 = TRUE,
+ .avp = eap_peap_avp_create(FALSE),
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_peer eap_peap_peer
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_PEER_H_
+#define EAP_PEAP_PEER_H_
+
+typedef struct eap_peap_peer_t eap_peap_peer_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * TLS application data handler as peer.
+ */
+struct eap_peap_peer_t {
+
+ /**
+ * Implements the TLS application data handler.
+ */
+ tls_application_t application;
+};
+
+/**
+ * Create an eap_peap_peer instance.
+ */
+eap_peap_peer_t *eap_peap_peer_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method);
+
+#endif /** EAP_PEAP_PEER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_plugin.h"
+
+#include "eap_peap.h"
+
+#include <daemon.h>
+
+
+METHOD(plugin_t, destroy, void,
+ eap_peap_plugin_t *this)
+{
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_peap_create_server);
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_peap_create_peer);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_peap_plugin_create()
+{
+ eap_peap_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .destroy = _destroy,
+ },
+ );
+
+ charon->eap->add_method(charon->eap, EAP_PEAP, 0, EAP_SERVER,
+ (eap_constructor_t)eap_peap_create_server);
+ charon->eap->add_method(charon->eap, EAP_PEAP, 0, EAP_PEER,
+ (eap_constructor_t)eap_peap_create_peer);
+
+ return &this->plugin;
+}
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap eap_peap
+ * @ingroup cplugins
+ *
+ * @defgroup eap_peap_plugin eap_peap_plugin
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_PLUGIN_H_
+#define EAP_PEAP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_peap_plugin_t eap_peap_plugin_t;
+
+/**
+ * EAP-PEAP plugin
+ */
+struct eap_peap_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a eap_peap_plugin instance.
+ */
+plugin_t *eap_peap_plugin_create();
+
+#endif /** EAP_PEAP_PLUGIN_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_peap_server.h"
+#include "eap_peap_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+typedef struct private_eap_peap_server_t private_eap_peap_server_t;
+
+/**
+ * Private data of an eap_peap_server_t object.
+ */
+struct private_eap_peap_server_t {
+
+ /**
+ * Public eap_peap_server_t interface.
+ */
+ eap_peap_server_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * Current EAP-PEAP phase2 state
+ */
+ bool start_phase2;
+
+ /**
+ * Current EAP-PEAP phase2 TNC state
+ */
+ bool start_phase2_tnc;
+
+ /**
+ * Final EAP-PEAP phase2 result
+ */
+ eap_code_t phase2_result;
+
+ /**
+ * Outer phase 1 EAP method
+ */
+ eap_method_t *ph1_method;
+
+ /**
+ * Current phase 2 EAP method
+ */
+ eap_method_t *ph2_method;
+
+ /**
+ * Pending outbound EAP message
+ */
+ eap_payload_t *out;
+
+ /**
+ * AVP handler
+ */
+ eap_peap_avp_t *avp;
+};
+
+/**
+ * Start EAP client authentication protocol
+ */
+static status_t start_phase2_auth(private_eap_peap_server_t *this)
+{
+ char *eap_type_str;
+ eap_type_t type;
+
+ eap_type_str = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-peap.phase2_method", "md5");
+ type = eap_type_from_string(eap_type_str);
+ if (type == 0)
+ {
+ DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+ return FAILED;
+ }
+ DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+ this->ph2_method = charon->eap->create_instance(charon->eap, type, 0,
+ EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+ return FAILED;
+ }
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method) + 1);
+
+ if (this->ph2_method->initiate(this->ph2_method, &this->out) == NEED_MORE)
+ {
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ return FAILED;
+ }
+}
+
+/**
+ * If configured, start EAP-TNC protocol
+ */
+static status_t start_phase2_tnc(private_eap_peap_server_t *this)
+{
+ if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.phase2_tnc", FALSE))
+ {
+ DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
+ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_TNC,
+ 0, EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+ return FAILED;
+ }
+ this->start_phase2_tnc = FALSE;
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method) + 1);
+
+ if (this->ph2_method->initiate(this->ph2_method, &this->out) == NEED_MORE)
+ {
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+ return FAILED;
+ }
+ }
+ return SUCCESS;
+}
+
+METHOD(tls_application_t, process, status_t,
+ private_eap_peap_server_t *this, tls_reader_t *reader)
+{
+ chunk_t data = chunk_empty;
+ status_t status;
+ payload_t *payload;
+ eap_payload_t *in;
+ eap_code_t code;
+ eap_type_t type = EAP_NAK, received_type;
+ u_int32_t vendor, received_vendor;
+
+ status = this->avp->process(this->avp, reader, &data,
+ this->ph1_method->get_identifier(this->ph1_method));
+ switch (status)
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ case FAILED:
+ default:
+ return FAILED;
+ }
+
+ in = eap_payload_create_data(data);
+ DBG3(DBG_IKE, "%B", &data);
+ chunk_free(&data);
+ payload = (payload_t*)in;
+
+ if (payload->verify(payload) != SUCCESS)
+ {
+ in->destroy(in);
+ return FAILED;
+ }
+
+ code = in->get_code(in);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ received_type = in->get_type(in, &received_vendor);
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
+ if (code != EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+
+ /* if EAP_SUCCESS check if to continue phase2 with EAP-TNC */
+ return (this->phase2_result == EAP_SUCCESS && code == EAP_SUCCESS) ?
+ start_phase2_tnc(this) : FAILED;
+ }
+
+ if (this->ph2_method)
+ {
+ type = this->ph2_method->get_type(this->ph2_method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ if (received_vendor == 0 && received_type == EAP_NAK)
+ {
+ DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received invalid EAP response");
+ }
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+
+ if (!received_vendor && received_type == EAP_IDENTITY)
+ {
+ chunk_t eap_id;
+
+ if (this->ph2_method == NULL)
+ {
+ /* Received an EAP Identity response without a matching request */
+ this->ph2_method = charon->eap->create_instance(charon->eap,
+ EAP_IDENTITY, 0, EAP_SERVER,
+ this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available",
+ eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+ }
+
+ if (this->ph2_method->process(this->ph2_method, in, &this->out) != SUCCESS)
+ {
+
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+
+ if (this->ph2_method->get_msk(this->ph2_method, &eap_id) == SUCCESS)
+ {
+ this->peer->destroy(this->peer);
+ this->peer = identification_create_from_data(eap_id);
+ DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+ }
+
+ in->destroy(in);
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+
+ /* Start Phase 2 of EAP-PEAP authentication */
+ if (lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.request_peer_auth", FALSE))
+ {
+ return start_phase2_tnc(this);
+ }
+ else
+ {
+ return start_phase2_auth(this);
+ }
+ }
+
+ if (this->ph2_method == 0)
+ {
+ DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_PEAP);
+ in->destroy(in);
+ return FAILED;
+ }
+
+ status = this->ph2_method->process(this->ph2_method, in, &this->out);
+ in->destroy(in);
+
+ switch (status)
+ {
+ case SUCCESS:
+ DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+ eap_type_names, EAP_PEAP, this->peer,
+ eap_type_names, type);
+ this->ph2_method->destroy(this->ph2_method);
+ this->ph2_method = NULL;
+
+ /* EAP-PEAP requires the sending of an inner EAP_SUCCESS message */
+ this->phase2_result = EAP_SUCCESS;
+ this->out = eap_payload_create_code(this->phase2_result, 1 +
+ this->ph1_method->get_identifier(this->ph1_method));
+ return NEED_MORE;
+ case NEED_MORE:
+ break;
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+ type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ }
+ /* EAP-PEAP requires the sending of an inner EAP_FAILURE message */
+ this->phase2_result = EAP_FAILURE;
+ this->out = eap_payload_create_code(this->phase2_result, 1 +
+ this->ph1_method->get_identifier(this->ph1_method));
+ return NEED_MORE;
+ }
+ return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+ private_eap_peap_server_t *this, tls_writer_t *writer)
+{
+ chunk_t data;
+ eap_code_t code;
+ eap_type_t type;
+ u_int32_t vendor;
+
+ if (this->ph2_method == NULL && this->start_phase2 &&
+ lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.phase2_piggyback", FALSE))
+ {
+ /* generate an EAP Identity request which will be piggybacked right
+ * onto the TLS Finished message thus initiating EAP-PEAP phase2
+ */
+ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+ 0, EAP_SERVER, this->server, this->peer);
+ if (this->ph2_method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available",
+ eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+
+ /* synchronize EAP message identifiers of inner protocol with outer */
+ this->ph2_method->set_identifier(this->ph2_method,
+ this->ph1_method->get_identifier(this->ph1_method) + 1);
+
+ this->ph2_method->initiate(this->ph2_method, &this->out);
+ this->start_phase2 = FALSE;
+ }
+
+ if (this->out)
+ {
+ code = this->out->get_code(this->out);
+ type = this->out->get_type(this->out, &vendor);
+ if (code == EAP_REQUEST || code == EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N/%N]",
+ eap_code_short_names, code, eap_type_short_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "sending tunneled EAP-PEAP AVP [EAP/%N]",
+ eap_code_short_names, code);
+ }
+
+ /* get the raw EAP message data */
+ data = this->out->get_data(this->out);
+ DBG3(DBG_IKE, "%B", &data);
+ this->avp->build(this->avp, writer, data);
+
+ this->out->destroy(this->out);
+ this->out = NULL;
+ }
+ return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+ private_eap_peap_server_t *this)
+{
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ DESTROY_IF(this->ph2_method);
+ DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_peap_server_t *eap_peap_server_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method)
+{
+ private_eap_peap_server_t *this;
+
+ INIT(this,
+ .public = {
+ .application = {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ },
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .ph1_method = eap_method,
+ .start_phase2 = TRUE,
+ .start_phase2_tnc = TRUE,
+ .phase2_result = EAP_FAILURE,
+ .avp = eap_peap_avp_create(TRUE),
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_peap_server eap_peap_server
+ * @{ @ingroup eap_peap
+ */
+
+#ifndef EAP_PEAP_SERVER_H_
+#define EAP_PEAP_SERVER_H_
+
+typedef struct eap_peap_server_t eap_peap_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_peap_server_t {
+
+ /**
+ * Implements the TLS application data handler.
+ */
+ tls_application_t application;
+};
+
+/**
+ * Create an eap_peap_server instance.
+ */
+eap_peap_server_t *eap_peap_server_create(identification_t *server,
+ identification_t *peer,
+ eap_method_t *eap_method);
+
+#endif /** EAP_PEAP_SERVER_H_ @}*/
echo -n " --enable-eap-ttls" >> $INSTALLSHELL
fi
+if [ "$USE_EAP_PEAP" = "yes" ]
+then
+ echo -n " --enable-eap-peap" >> $INSTALLSHELL
+fi
+
if [ "$USE_EAP_TNC" = "yes" ]
then
echo -n " --enable-eap-tnc" >> $INSTALLSHELL
USE_EAP_RADIUS="yes"
USE_EAP_TLS="yes"
USE_EAP_TTLS="yes"
+USE_EAP_PEAP="yes"
USE_EAP_TNC="yes"
USE_TNC_IMC="yes"
USE_TNC_IMV="yes"