endif
libstrongswan_eap_ttls_la_SOURCES = \
- eap_ttls_plugin.h eap_ttls_plugin.c eap_ttls.h eap_ttls.c \
- eap_ttls_peer.h eap_ttls_peer.c
+ eap_ttls_plugin.h eap_ttls_plugin.c \
+ eap_ttls_avp.h eap_ttls_avp.c \
+ eap_ttls.h eap_ttls.c \
+ eap_ttls_peer.h eap_ttls_peer.c \
+ eap_ttls_server.h eap_ttls_server.c
libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
#include "eap_ttls.h"
#include "eap_ttls_peer.h"
+#include "eap_ttls_server.h"
#include <tls.h>
* Generic private constructor
*/
static eap_ttls_t *eap_ttls_create(identification_t *server,
- identification_t *peer, bool is_server,
- tls_application_t *application)
+ identification_t *peer, bool is_server,
+ tls_application_t *application)
{
private_eap_ttls_t *this;
}
eap_ttls_t *eap_ttls_create_server(identification_t *server,
- identification_t *peer)
+ identification_t *peer)
{
- return eap_ttls_create(server, peer, TRUE, NULL);
+ return eap_ttls_create(server, peer, TRUE,
+ &eap_ttls_server_create(server, peer)->application);
}
eap_ttls_t *eap_ttls_create_peer(identification_t *server,
- identification_t *peer)
+ identification_t *peer)
{
return eap_ttls_create(server, peer, FALSE,
&eap_ttls_peer_create(server, peer)->application);
* @return eap_ttls_t object
*/
eap_ttls_t *eap_ttls_create_server(identification_t *server,
- identification_t *peer);
+ identification_t *peer);
/**
* Creates the EAP method EAP-TTLS acting as peer.
* @return eap_ttls_t object
*/
eap_ttls_t *eap_ttls_create_peer(identification_t *server,
- identification_t *peer);
+ identification_t *peer);
#endif /** EAP_TTLS_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+
+#define AVP_EAP_MESSAGE 79
+
+typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t;
+
+/**
+ * Private data of an eap_ttls_avp_t object.
+ */
+struct private_eap_ttls_avp_t {
+
+ /**
+ * Public eap_ttls_avp_t interface.
+ */
+ eap_ttls_avp_t public;
+};
+
+METHOD(eap_ttls_avp_t, build, void,
+ private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+ char zero_padding[] = { 0x00, 0x00, 0x00 };
+ chunk_t avp_padding;
+ u_int8_t avp_flags;
+ u_int32_t avp_len;
+
+ avp_flags = 0x40;
+ avp_len = 8 + data.len;
+ avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
+
+ writer->write_uint32(writer, AVP_EAP_MESSAGE);
+ writer->write_uint8(writer, avp_flags);
+ writer->write_uint24(writer, avp_len);
+ writer->write_data(writer, data);
+ writer->write_data(writer, avp_padding);
+}
+
+METHOD(eap_ttls_avp_t, process, status_t,
+ private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data)
+{
+ u_int32_t avp_code;
+ u_int8_t avp_flags;
+ u_int32_t avp_len, data_len;
+
+ if (!reader->read_uint32(reader, &avp_code) ||
+ !reader->read_uint8(reader, &avp_flags) ||
+ !reader->read_uint24(reader, &avp_len))
+ {
+ DBG1(DBG_IKE, "received invalid AVP");
+ return FAILED;
+ }
+ if (avp_code != AVP_EAP_MESSAGE)
+ {
+ DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
+ return FAILED;
+ }
+ data_len = avp_len - 8;
+ if (!reader->read_data(reader, data_len + (4 - avp_len) % 4, data))
+ {
+ DBG1(DBG_IKE, "received insufficient AVP data");
+ return FAILED;
+ }
+ data->len = data_len;
+ return SUCCESS;
+}
+
+METHOD(eap_ttls_avp_t, destroy, void,
+ private_eap_ttls_avp_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void)
+{
+ private_eap_ttls_avp_t *this;
+
+ INIT(this,
+ .public= {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_avp eap_ttls_avp
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_AVP_H_
+#define EAP_TTLS_AVP_H_
+
+typedef struct eap_ttls_avp_t eap_ttls_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-TTLS Attribute-Value Pair (AVP) handler.
+ */
+struct eap_ttls_avp_t {
+
+ /**
+ * Process received EAP-TTLS EAP Message AVP.
+ *
+ * @param reader TLS data buffer
+ * @param data received EAP Message
+ * @return
+ * - SUCCESS if AVP processing succeeded
+ * - FAILED if AVP processing failed
+ * - NEED_MORE if another invocation of process/build needed
+ */
+ status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader,
+ chunk_t *data);
+
+ /**
+ * Build EAP-TTLS EAP Message AVP to send out.
+ *
+ * @param writer TLS data buffer to write to
+ * @param data EAP Message to send
+ */
+ void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+ /**
+ * Destroy a eap_ttls_application_t.
+ */
+ void (*destroy)(eap_ttls_avp_t *this);
+};
+
+/**
+ * Create an eap_ttls_avp instance.
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void);
+
+#endif /** EAP_TTLS_AVP_H_ @}*/
*/
#include "eap_ttls_peer.h"
+#include "eap_ttls_avp.h"
#include <debug.h>
#include <daemon.h>
#include <sa/authenticators/eap/eap_method.h>
-#define AVP_EAP_MESSAGE 79
-
typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
/**
* Pending outbound EAP message
*/
eap_payload_t *out;
-};
-
-/**
- * Send an EAP-Message Attribute-Value Pair
- */
-static void send_avp_eap_message(tls_writer_t *writer, chunk_t data)
-{
- char zero_padding[] = { 0x00, 0x00, 0x00 };
- chunk_t avp_padding;
- u_int8_t avp_flags;
- u_int32_t avp_len;
-
- avp_flags = 0x40;
- avp_len = 8 + data.len;
- avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
-
- writer->write_uint32(writer, AVP_EAP_MESSAGE);
- writer->write_uint8(writer, avp_flags);
- writer->write_uint24(writer, avp_len);
- writer->write_data(writer, data);
- writer->write_data(writer, avp_padding);
-}
-/**
- * Process an EAP-Message Attribute-Value Pair
- */
-static status_t process_avp_eap_message(tls_reader_t *reader, chunk_t *data)
-{
- u_int32_t avp_code;
- u_int8_t avp_flags;
- u_int32_t avp_len, data_len;
-
- if (!reader->read_uint32(reader, &avp_code) ||
- !reader->read_uint8(reader, &avp_flags) ||
- !reader->read_uint24(reader, &avp_len))
- {
- DBG1(DBG_IKE, "received invalid AVP");
- return FAILED;
- }
- if (avp_code != AVP_EAP_MESSAGE)
- {
- DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
- return FAILED;
- }
- data_len = avp_len - 8;
- if (!reader->read_data(reader, data_len + (4 - avp_len) % 4, data))
- {
- DBG1(DBG_IKE, "received insufficient AVP data");
- return FAILED;
- }
- data->len = data_len;
- return SUCCESS;
-}
+ /**
+ * AVP handler
+ */
+ eap_ttls_avp_t *avp;
+};
METHOD(tls_application_t, process, status_t,
private_eap_ttls_peer_t *this, tls_reader_t *reader)
payload_t *payload;
eap_payload_t *in;
eap_code_t code;
- eap_type_t type;
- u_int32_t vendor;
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
- status = process_avp_eap_message(reader, &data);
+ status = this->avp->process(this->avp, reader, &data);
if (status == FAILED)
{
return FAILED;
return FAILED;
}
code = in->get_code(in);
- type = in->get_type(in, &vendor);
+ received_type = in->get_type(in, &received_vendor);
DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
- eap_code_short_names, code, eap_type_short_names, type);
-
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
if (code != EAP_REQUEST)
{
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
in->destroy(in);
return FAILED;
}
if (this->method == NULL)
{
- if (vendor)
+ if (received_vendor)
{
DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
- type, vendor);
+ received_type, received_vendor);
}
else
{
DBG1(DBG_IKE, "server requested %N authentication",
- eap_type_names, type);
+ eap_type_names, received_type);
}
- this->method = charon->eap->create_instance(charon->eap, type, vendor,
+ this->method = charon->eap->create_instance(charon->eap,
+ received_type, received_vendor,
EAP_PEER, this->server, this->peer);
if (!this->method)
{
- u_int8_t identifier = in->get_identifier(in);
-
- DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
- in->destroy(in);
- this->out = eap_payload_create_nak(identifier);
+ DBG1(DBG_IKE, "EAP method not supported");
+ this->out = eap_payload_create_nak(in->get_identifier(in));
in->destroy(in);
return NEED_MORE;
}
type = this->method->get_type(this->method, &vendor);
+ if (type != received_type || vendor != received_vendor)
+ {
+ DBG1(DBG_IKE, "received invalid EAP request");
+ in->destroy(in);
+ return FAILED;
+ }
+
if (this->method->process(this->method, in, &this->out) == NEED_MORE)
{
in->destroy(in);
/* get the raw EAP message data */
data = this->out->get_data(this->out);
- send_avp_eap_message(writer, data);
+ this->avp->build(this->avp, writer, data);
this->out->destroy(this->out);
this->out = NULL;
this->peer->destroy(this->peer);
DESTROY_IF(this->method);
DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
free(this);
}
.start_phase2 = TRUE,
.method = NULL,
.out = NULL,
+ .avp = eap_ttls_avp_create(),
);
return &this->public;
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_server.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
+
+/**
+ * Private data of an eap_ttls_server_t object.
+ */
+struct private_eap_ttls_server_t {
+
+ /**
+ * Public eap_ttls_server_t interface.
+ */
+ eap_ttls_server_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * Current EAP-TTLS state
+ */
+ bool start_phase2;
+
+ /**
+ * Current phase 2 EAP method
+ */
+ eap_method_t *method;
+
+ /**
+ * Pending outbound EAP message
+ */
+ eap_payload_t *out;
+
+ /**
+ * AVP handler
+ */
+ eap_ttls_avp_t *avp;
+};
+
+METHOD(tls_application_t, process, status_t,
+ private_eap_ttls_server_t *this, tls_reader_t *reader)
+{
+ chunk_t data;
+ status_t status;
+ payload_t *payload;
+ eap_payload_t *in;
+ eap_code_t code;
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
+
+ status = this->avp->process(this->avp, reader, &data);
+ if (status == FAILED)
+ {
+ return FAILED;
+ }
+ in = eap_payload_create_data(data);
+ payload = (payload_t*)in;
+
+ if (payload->verify(payload) != SUCCESS)
+ {
+ in->destroy(in);
+ return FAILED;
+ }
+ code = in->get_code(in);
+ received_type = in->get_type(in, &received_vendor);
+ DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
+ eap_code_short_names, code,
+ eap_type_short_names, received_type);
+ if (code != EAP_RESPONSE)
+ {
+ DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+ in->destroy(in);
+ return FAILED;
+ }
+
+ if (this->method)
+ {
+ type = this->method->get_type(this->method, &vendor);
+
+ if (type != received_type || vendor != received_vendor)
+ {
+ if (received_vendor == 0 && received_type == EAP_NAK)
+ {
+ DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received invalid EAP response");
+ }
+ in->destroy(in);
+ return FAILED;
+ }
+ }
+
+ if (!received_vendor && received_type == EAP_IDENTITY)
+ {
+ chunk_t eap_id;
+ char * eap_type_str;
+
+ if (this->method == NULL)
+ {
+ /* Received an EAP Identity response without a matching request */
+ this->method = charon->eap->create_instance(charon->eap,
+ EAP_IDENTITY, 0, EAP_SERVER,
+ this->server, this->peer);
+ if (this->method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available",
+ eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+ }
+
+ if (this->method->process(this->method, in, &this->out) != SUCCESS)
+ {
+
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+ return FAILED;
+ }
+
+ if (this->method->get_msk(this->method, &eap_id) == SUCCESS)
+ {
+ this->peer->destroy(this->peer);
+ this->peer = identification_create_from_data(eap_id);
+ DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+ }
+
+ in->destroy(in);
+ this->method->destroy(this->method);
+ this->method = NULL;
+
+ /* Start Phase 2 of EAP-TTLS authentication */
+ eap_type_str = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-ttls.phase2_method", "md5");
+ type = eap_type_from_string(eap_type_str);
+ if (type == 0)
+ {
+ DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+ return FAILED;
+ }
+ DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+
+ this->method = charon->eap->create_instance(charon->eap, type, 0,
+ EAP_SERVER, this->server, this->peer);
+ if (this->method == NULL)
+ {
+ DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+ return FAILED;
+ }
+ if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+ {
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ return FAILED;
+ }
+ }
+
+ if (this->method == 0)
+ {
+ DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS);
+ in->destroy(in);
+ return FAILED;
+ }
+
+ status = this->method->process(this->method, in, &this->out);
+ in->destroy(in);
+
+ switch (status)
+ {
+ case SUCCESS:
+ DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+ eap_type_names, EAP_TTLS, this->peer,
+ eap_type_names, type);
+ break;
+ case NEED_MORE:
+ break;
+ case FAILED:
+ default:
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+ }
+ return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+ private_eap_ttls_server_t *this, tls_writer_t *writer)
+{
+ chunk_t data;
+ eap_code_t code;
+ eap_type_t type;
+ u_int32_t vendor;
+
+ if (this->out)
+ {
+ code = this->out->get_code(this->out);
+ type = this->out->get_type(this->out, &vendor);
+ DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+ eap_code_short_names, code, eap_type_short_names, type);
+
+ /* get the raw EAP message data */
+ data = this->out->get_data(this->out);
+ this->avp->build(this->avp, writer, data);
+
+ this->out->destroy(this->out);
+ this->out = NULL;
+ }
+ return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+ private_eap_ttls_server_t *this)
+{
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ DESTROY_IF(this->method);
+ DESTROY_IF(this->out);
+ this->avp->destroy(this->avp);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+ identification_t *peer)
+{
+ private_eap_ttls_server_t *this;
+
+ INIT(this,
+ .public.application = {
+ .process = _process,
+ .build = _build,
+ .destroy = _destroy,
+ },
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .start_phase2 = TRUE,
+ .method = NULL,
+ .out = NULL,
+ .avp = eap_ttls_avp_create(),
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_server eap_ttls_server
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_SERVER_H_
+#define EAP_TTLS_SERVER_H_
+
+typedef struct eap_ttls_server_t eap_ttls_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_ttls_server_t {
+
+ /**
+ * Implements the TLS application data handler.
+ */
+ tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_server instance.
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+ identification_t *peer);
+
+#endif /** EAP_TTLS_SERVER_H_ @}*/