generalized tls_eap_t to support EAP_TNC wrapping the TNC_IF_TNCCS protocol
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 8 Sep 2010 09:01:47 +0000 (11:01 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 8 Sep 2010 09:01:53 +0000 (11:01 +0200)
src/libcharon/plugins/eap_tls/eap_tls.c
src/libcharon/plugins/eap_tnc/Makefile.am
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/eap_tnc/tnc_if_tnccs.c [new file with mode: 0644]
src/libcharon/plugins/eap_tnc/tnc_if_tnccs.h [new file with mode: 0644]
src/libcharon/plugins/eap_ttls/eap_ttls.c
src/libtls/tls.h
src/libtls/tls_eap.c
src/libtls/tls_eap.h

index 09b46ff..2980d74 100644 (file)
@@ -123,6 +123,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 {
        private_eap_tls_t *this;
        size_t frag_size;
+       tls_t *tls;
 
        INIT(this,
                .public = {
@@ -139,8 +140,13 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 
        frag_size = lib->settings->get_int(lib->settings,
                                        "charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
-       this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer,
-                                                                  NULL, frag_size);
+       tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
+       if (!tls)
+       {
+               free(this);
+               return NULL;
+       }
+       this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size);
        if (!this->tls_eap)
        {
                free(this);
index ad77155..004a3eb 100644 (file)
@@ -1,6 +1,6 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-       -I$(top_srcdir)/src/libcharon
+       -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 
@@ -8,9 +8,11 @@ if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
 else
 plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
 endif
 
 libstrongswan_eap_tnc_la_SOURCES = \
-       eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+       eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c \
+       tnc_if_tnccs.h tnc_if_tnccs.c
 
 libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
index 6208774..432d5ef 100644 (file)
@@ -14,6 +14,9 @@
  */
 
 #include "eap_tnc.h"
+#include "tnc_if_tnccs.h"
+
+#include <tls_eap.h>
 
 #include <daemon.h>
 #include <library.h>
@@ -31,84 +34,56 @@ struct private_eap_tnc_t {
        eap_tnc_t public;
 
        /**
-        * ID of the server
+        * Number of EAP-TNC messages processed so far
         */
-       identification_t *server;
+       int processed;
 
        /**
-        * ID of the peer
+        * TLS stack, wrapped by EAP helper
         */
-       identification_t *peer;
+       tls_eap_t *tls_eap;
 };
 
-/**
- * Flags of an EAP-TNC message
- */
-typedef enum {
-       EAP_TNC_LENGTH = (1<<7),
-       EAP_TNC_MORE_FRAGS = (1<<6),
-       EAP_TNC_START = (1<<5),
-       EAP_TNC_DH = (1<<4),
-       EAP_TNC_VERSION = 0x07
-} eap_tnc_flags_t;
 
-/**
- * EAP-TNC packet format
- */
-typedef struct __attribute__((packed)) {
-       u_int8_t code;
-       u_int8_t identifier;
-       u_int16_t length;
-       u_int8_t type;
-       u_int8_t flags;
-} eap_tnc_packet_t;
-
-METHOD(eap_method_t, initiate_peer, status_t,
-       private_eap_tnc_t *this, eap_payload_t **out)
-{
-       /* peer never initiates */
-       return FAILED;
-}
+/** Maximum number of EAP-TNC messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 2 
+/** Default size of a EAP-TNC fragment */
+#define MAX_FRAGMENT_LEN 50000
 
-METHOD(eap_method_t, initiate_server, status_t,
+METHOD(eap_method_t, initiate, status_t,
        private_eap_tnc_t *this, eap_payload_t **out)
 {
-       return NEED_MORE;
-}
-
-METHOD(eap_method_t, process_peer, status_t,
-       private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
-{
-       eap_tnc_packet_t *pkt;
        chunk_t data;
 
-       data = in->get_data(in);
-
-       pkt = (eap_tnc_packet_t*)data.ptr;
-       if (data.len < sizeof(eap_tnc_packet_t) ||
-               untoh16(&pkt->length) != data.len)
+       if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
        {
-               DBG1(DBG_IKE, "invalid EAP-TNC packet length");
-               return FAILED;
+               *out = eap_payload_create_data(data);
+               free(data.ptr);
+               return NEED_MORE;
        }
-       if (pkt->flags & EAP_TNC_START)
-       {
-               DBG1(DBG_IKE, "EAP-TNC version is v%u", pkt->flags & EAP_TNC_VERSION);
-       }
-       *out = eap_payload_create_nak(in->get_identifier(in));
-
-       return NEED_MORE;
+       return FAILED;
 }
 
-METHOD(eap_method_t, process_server, status_t,
+METHOD(eap_method_t, process, status_t,
        private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
 {
+       status_t status;
        chunk_t data;
 
+       if (++this->processed > MAX_MESSAGE_COUNT)
+       {
+               DBG1(DBG_IKE, "EAP-TNC packet count exceeded (%d > %d)",
+                        this->processed, MAX_MESSAGE_COUNT);
+               return FAILED;
+       }
        data = in->get_data(in);
-       DBG2(DBG_IKE, "received EAP-TNC data: %B", &data);
-
-       return SUCCESS;
+       status = this->tls_eap->process(this->tls_eap, data, &data);
+       if (status == NEED_MORE)
+       {
+               *out = eap_payload_create_data(data);
+               free(data.ptr);
+       }
+       return status;
 }
 
 METHOD(eap_method_t, get_type, eap_type_t,
@@ -121,6 +96,11 @@ METHOD(eap_method_t, get_type, eap_type_t,
 METHOD(eap_method_t, get_msk, status_t,
        private_eap_tnc_t *this, chunk_t *msk)
 {
+       *msk = this->tls_eap->get_msk(this->tls_eap);
+       if (msk->len)
+       {
+               return SUCCESS;
+       }
        return FAILED;
 }
 
@@ -133,58 +113,58 @@ METHOD(eap_method_t, is_mutual, bool,
 METHOD(eap_method_t, destroy, void,
        private_eap_tnc_t *this)
 {
-       this->peer->destroy(this->peer);
-       this->server->destroy(this->server);
+       this->tls_eap->destroy(this->tls_eap);
        free(this);
 }
 
-/*
- * See header
+/**
+ * Generic private constructor
  */
-eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer)
+static eap_tnc_t *eap_tnc_create(identification_t *server,
+                                                                identification_t *peer, bool is_server)
 {
        private_eap_tnc_t *this;
+       size_t frag_size;
+       tls_t *tnc_if_tnccs;
 
        INIT(this,
                .public = {
                        .eap_method = {
-                               .initiate = _initiate_server,
-                               .process = _process_server,
+                               .initiate = _initiate,
+                               .process = _process,
                                .get_type = _get_type,
                                .is_mutual = _is_mutual,
                                .get_msk = _get_msk,
                                .destroy = _destroy,
                        },
                },
-               .peer = peer->clone(peer),
-               .server = server->clone(server),
        );
 
+       frag_size = lib->settings->get_int(lib->settings,
+                                       "charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
+       tnc_if_tnccs = tnc_if_tnccs_create(is_server, TLS_PURPOSE_EAP_TNC);
+       if (!tnc_if_tnccs)
+       {
+               free(this);
+               return NULL;
+       }
+       this->tls_eap = tls_eap_create(EAP_TNC, tnc_if_tnccs, frag_size);
+       if (!this->tls_eap)
+       {
+               free(this);
+               return NULL;
+       }
        return &this->public;
 }
 
-/*
- * See header
- */
-eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer)
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+                                                                identification_t *peer)
 {
-       private_eap_tnc_t *this;
-
-       INIT(this,
-               .public = {
-                       .eap_method = {
-                               .initiate = _initiate_peer,
-                               .process = _process_peer,
-                               .get_type = _get_type,
-                               .is_mutual = _is_mutual,
-                               .get_msk = _get_msk,
-                               .destroy = _destroy,
-                       },
-               },
-               .peer = peer->clone(peer),
-               .server = server->clone(server),
-       );
-
-       return &this->public;
+       return eap_tnc_create(server, peer, TRUE);
 }
 
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+                                                          identification_t *peer)
+{
+       return eap_tnc_create(server, peer, FALSE);
+}
diff --git a/src/libcharon/plugins/eap_tnc/tnc_if_tnccs.c b/src/libcharon/plugins/eap_tnc/tnc_if_tnccs.c
new file mode 100644 (file)
index 0000000..fc3500c
--- /dev/null
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_if_tnccs.h"
+
+#include <debug.h>
+
+typedef struct private_tnc_if_tnccs_t private_tnc_if_tnccs_t;
+
+/**
+ * Private data of a tnc_if_tnccs_t object.
+ */
+struct private_tnc_if_tnccs_t {
+
+       /**
+        * Public tls_t interface.
+        */
+       tls_t public;
+
+       /**
+        * Role this TNC IF-TNCCS stack acts as.
+        */
+       bool is_server;
+
+       /**
+        * TLS stack purpose, as given to constructor
+        */
+       tls_purpose_t purpose;
+};
+
+METHOD(tls_t, process, status_t,
+       private_tnc_if_tnccs_t *this, void *buf, size_t buflen)
+{
+       /* TODO */
+       return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+       private_tnc_if_tnccs_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+       char output[] = "Hello World";
+       size_t len = strlen(output);
+       
+       /* TODO */
+       *buflen = len;
+       *msglen = len;
+       memcpy(buf, output, len);
+
+       return ALREADY_DONE;
+}
+
+METHOD(tls_t, is_server, bool,
+       private_tnc_if_tnccs_t *this)
+{
+       return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+       private_tnc_if_tnccs_t *this)
+{
+       return this->purpose;
+}
+
+METHOD(tls_t, is_complete, bool,
+       private_tnc_if_tnccs_t *this)
+{
+       /* TODO */
+       return TRUE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+       private_tnc_if_tnccs_t *this)
+{
+       return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+       private_tnc_if_tnccs_t *this)
+{
+       free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnc_if_tnccs_create(bool is_server, tls_purpose_t purpose)
+{
+       private_tnc_if_tnccs_t *this;
+
+       switch (purpose)
+       {
+               case TLS_PURPOSE_EAP_TNC:
+                       break;
+               default:
+                       return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .process = _process,
+                       .build = _build,
+                       .is_server = _is_server,
+                       .get_purpose = _get_purpose,
+                       .is_complete = _is_complete,
+                       .get_eap_msk = _get_eap_msk,
+                       .destroy = _destroy,
+               },
+               .is_server = is_server,
+               .purpose = purpose,
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_tnc/tnc_if_tnccs.h b/src/libcharon/plugins/eap_tnc/tnc_if_tnccs.h
new file mode 100644 (file)
index 0000000..5c0d51c
--- /dev/null
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_if_tnccs tnc_if_tnccs
+ * @{ @ingroup tnc_if_tnccs
+ */
+
+#ifndef TNC_IF_TNCCS_H_
+#define TNC_IF_TNCCS_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
+ *
+ * @param is_server                    TRUE to act as server, FALSE for client
+ * @param purpose                      purpose this TLS stack instance is used for
+ * @return                                     TNC_IF_TNCCS stack
+ */
+tls_t *tnc_if_tnccs_create(bool is_server, tls_purpose_t purpose);
+
+#endif /** TNC_IF_TNCCS_H_ @}*/
index d450c23..6b52acc 100644 (file)
@@ -126,6 +126,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 {
        private_eap_ttls_t *this;
        size_t frag_size;
+       tls_t *tls;
 
        INIT(this,
                .public = {
@@ -146,8 +147,13 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
        }
        frag_size = lib->settings->get_int(lib->settings,
                                        "charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
-       this->tls_eap = tls_eap_create(EAP_TTLS, is_server, server, peer,
-                                                                  application, frag_size);
+       tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+       if (!tls)
+       {
+               free(this);
+               return NULL;
+       }
+       this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size);
        if (!this->tls_eap)
        {
                application->destroy(application);
index 3b1a8a2..1908f5d 100644 (file)
@@ -98,6 +98,8 @@ enum tls_purpose_t {
        TLS_PURPOSE_EAP_TTLS,
        /** non-EAP TLS */
        TLS_PURPOSE_GENERIC,
+       /** EAP binding for TNC */
+       TLS_PURPOSE_EAP_TNC
 };
 
 /**
index 25c909a..f74030b 100644 (file)
@@ -71,6 +71,9 @@ typedef enum {
        EAP_TTLS_VERSION = (0x07),
 } eap_tls_flags_t;
 
+#define EAP_TTLS_SUPPORTED_VERSION     0
+#define EAP_TNC_SUPPORTED_VERSION      1
+
 /**
  * EAP-TLS/TTLS packet format
  */
@@ -92,6 +95,17 @@ METHOD(tls_eap_t, initiate, status_t,
                        .code = EAP_REQUEST,
                        .flags = EAP_TLS_START,
                };
+               switch (this->type)
+               {
+                       case EAP_TTLS:
+                               pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+                               break;
+                       case EAP_TNC:
+                               pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+                               break;
+                       default:
+                               break;
+               }
                htoun16(&pkt.length, sizeof(eap_tls_packet_t));
                do
                {       /* start with non-zero random identifier */
@@ -154,9 +168,21 @@ static status_t build_pkt(private_tls_eap_t *this,
        pkt->type = this->type;
        pkt->flags = 0;
 
+       switch (this->type)
+       {
+               case EAP_TTLS:
+                       pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
+                       break;
+               case EAP_TNC:
+                       pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
+                       break;
+               default:
+                       break;
+       }
+
        if (this->first_fragment)
        {
-               pkt->flags = EAP_TLS_LENGTH;
+               pkt->flags |= EAP_TLS_LENGTH;
                len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
                status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
                                                                  sizeof(u_int32_t), &len, &reclen);
@@ -235,9 +261,9 @@ METHOD(tls_eap_t, process, status_t,
        }
        if (pkt->flags & EAP_TLS_START)
        {
-               if (this->type == EAP_TTLS)
+               if (this->type == EAP_TTLS || this->type == EAP_TNC)
                {
-                       DBG1(DBG_TLS, "EAP-TTLS version is v%u",
+                       DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
                                 pkt->flags & EAP_TTLS_VERSION);
                }
        }
@@ -295,24 +321,9 @@ METHOD(tls_eap_t, destroy, void,
 /**
  * See header
  */
-tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
-                                                 identification_t *server, identification_t *peer,
-                                                 tls_application_t *application, size_t frag_size)
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size)
 {
        private_tls_eap_t *this;
-       tls_purpose_t purpose;
-
-       switch (type)
-       {
-               case EAP_TLS:
-                       purpose = TLS_PURPOSE_EAP_TLS;
-                       break;
-               case EAP_TTLS:
-                       purpose = TLS_PURPOSE_EAP_TTLS;
-                       break;
-               default:
-                       return NULL;
-       };
 
        INIT(this,
                .public = {
@@ -322,15 +333,11 @@ tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
                        .destroy = _destroy,
                },
                .type = type,
-               .is_server = is_server,
+               .is_server = tls->is_server(tls),
                .first_fragment = TRUE,
                .frag_size = frag_size,
-               .tls = tls_create(is_server, server, peer, purpose, application),
+               .tls = tls,
        );
-       if (!this->tls)
-       {
-               free(this);
-               return NULL;
-       }
+
        return &this->public;
 }
index 8aa2dce..7d25ba7 100644 (file)
@@ -25,7 +25,7 @@ typedef struct tls_eap_t tls_eap_t;
 
 #include <eap/eap.h>
 
-#include "tls_application.h"
+#include "tls.h"
 
 /**
  * TLS over EAP helper, as used by EAP-TLS and EAP-TTLS.
@@ -33,7 +33,7 @@ typedef struct tls_eap_t tls_eap_t;
 struct tls_eap_t {
 
        /**
-        * Initiate TLS over EAP exchange (as client).
+        * Initiate TLS/TTLS/TNC over EAP exchange (as client).
         *
         * @param out                   allocated EAP packet data to send
         * @return
@@ -43,7 +43,7 @@ struct tls_eap_t {
        status_t (*initiate)(tls_eap_t *this, chunk_t *out);
 
        /**
-        * Process a received EAP-TLS/TTLS packet, create response.
+        * Process a received EAP-TLS/TTLS/TNC packet, create response.
         *
         * @param in                    EAP packet data to process
         * @param out                   allocated EAP packet data to send
@@ -71,14 +71,9 @@ struct tls_eap_t {
  * Create a tls_eap instance.
  *
  * @param type                         EAP type, EAP-TLS or EAP-TTLS
- * @param is_server                    role
- * @param server                       server identity
- * @param peer                         peer identity, NULL to omit peer authentication
- * @param application          TLS application layer, if any
+ * @param tls                          TLS implementation
  * @param frag_size                    maximum size of a TLS fragment we send
  */
-tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
-                                                 identification_t *server, identification_t *peer,
-                                                 tls_application_t *application, size_t frag_size);
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size);
 
 #endif /** TLS_EAP_H_ @}*/