embedaddon/strongswan/src/libcharon/plugins/eap_radius/eap_radius.c - view

File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / eap_radius / eap_radius.c
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Wed Jun 3 09:46:44 2020 UTC (4 years, 2 months ago) by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD

Strongswan

/* * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include "eap_radius.h" #include "eap_radius_plugin.h" #include "eap_radius_forward.h" #include "eap_radius_provider.h" #include "eap_radius_accounting.h" #include <radius_message.h> #include <radius_client.h> #include <bio/bio_writer.h> #include <daemon.h> typedef struct private_eap_radius_t private_eap_radius_t; /** * Private data of an eap_radius_t object. */ struct private_eap_radius_t { /** * Public authenticator_t interface. */ eap_radius_t public; /** * ID of the server */ identification_t *server; /** * ID of the peer */ identification_t *peer; /** * EAP method type we are proxying */ eap_type_t type; /** * EAP vendor, if any */ uint32_t vendor; /** * EAP message identifier */ uint8_t identifier; /** * RADIUS client instance */ radius_client_t *client; /** * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly */ bool eap_start; /** * Prefix to prepend to EAP identity */ char *id_prefix; }; /** * Add EAP-Identity to RADIUS message */ static void add_eap_identity(private_eap_radius_t *this, radius_message_t *request) { struct { /** EAP code (REQUEST/RESPONSE) */ uint8_t code; /** unique message identifier */ uint8_t identifier; /** length of whole message */ uint16_t length; /** EAP type */ uint8_t type; /** identity data */ uint8_t data[]; } __attribute__((__packed__)) *hdr; chunk_t id, prefix; size_t len; id = this->peer->get_encoding(this->peer); prefix = chunk_create(this->id_prefix, strlen(this->id_prefix)); len = sizeof(*hdr) + prefix.len + id.len; hdr = alloca(len); hdr->code = EAP_RESPONSE; hdr->identifier = this->identifier; hdr->length = htons(len); hdr->type = EAP_IDENTITY; memcpy(hdr->data, prefix.ptr, prefix.len); memcpy(hdr->data + prefix.len, id.ptr, id.len); request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len)); } /** * Copy EAP-Message attribute from RADIUS message to an new EAP payload */ static bool radius2ike(private_eap_radius_t *this, radius_message_t *msg, eap_payload_t **out) { enumerator_t *enumerator; eap_payload_t *payload; chunk_t data, message = chunk_empty; int type; enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if (type == RAT_EAP_MESSAGE && data.len) { message = chunk_cat("mc", message, data); } } enumerator->destroy(enumerator); if (message.len) { *out = payload = eap_payload_create_data(message); /* apply EAP method selected by RADIUS server */ this->type = payload->get_type(payload, &this->vendor); DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &message); free(message.ptr); return TRUE; } return FALSE; } /** * See header. */ void eap_radius_build_attributes(radius_message_t *request) { ike_sa_t *ike_sa; host_t *host; char buf[40], *station_id_fmt, *session_id; uint32_t value; chunk_t chunk; /* virtual NAS-Port-Type */ value = htonl(5); request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value)); /* framed ServiceType */ value = htonl(2); request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value)); ike_sa = charon->bus->get_sa(charon->bus); if (ike_sa) { value = htonl(ike_sa->get_unique_id(ike_sa)); request->add(request, RAT_NAS_PORT, chunk_from_thing(value)); request->add(request, RAT_NAS_PORT_ID, chunk_from_str(ike_sa->get_name(ike_sa))); host = ike_sa->get_my_host(ike_sa); chunk = host->get_address(host); switch (host->get_family(host)) { case AF_INET: request->add(request, RAT_NAS_IP_ADDRESS, chunk); break; case AF_INET6: request->add(request, RAT_NAS_IPV6_ADDRESS, chunk); default: break; } if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.station_id_with_port", TRUE, lib->ns)) { station_id_fmt = "%#H"; } else { station_id_fmt = "%H"; } snprintf(buf, sizeof(buf), station_id_fmt, host); request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf)); host = ike_sa->get_other_host(ike_sa); snprintf(buf, sizeof(buf), station_id_fmt, host); request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); session_id = eap_radius_accounting_session_id(ike_sa); if (session_id) { request->add(request, RAT_ACCT_SESSION_ID, chunk_from_str(session_id)); free(session_id); } } } /** * Add a set of RADIUS attributes to a request message */ static void add_radius_request_attrs(private_eap_radius_t *this, radius_message_t *request) { chunk_t chunk; chunk = chunk_from_str(this->id_prefix); chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer)); request->add(request, RAT_USER_NAME, chunk); eap_radius_build_attributes(request); eap_radius_forward_from_ike(request); } METHOD(eap_method_t, initiate, status_t, private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; request = radius_message_create(RMC_ACCESS_REQUEST); add_radius_request_attrs(this, request); if (this->eap_start) { request->add(request, RAT_EAP_MESSAGE, chunk_empty); } else { add_eap_identity(this, request); } response = this->client->request(this->client, request); if (response) { eap_radius_forward_to_ike(response); switch (response->get_code(response)) { case RMC_ACCESS_CHALLENGE: if (radius2ike(this, response, out)) { status = NEED_MORE; } break; case RMC_ACCESS_ACCEPT: /* Microsoft RADIUS servers can run in a mode where they respond * like this on the first request (i.e. without authentication), * we treat this as Access-Reject */ case RMC_ACCESS_REJECT: default: DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer); break; } response->destroy(response); } else { eap_radius_handle_timeout(NULL); } request->destroy(request); return status; } /** * Handle the Class attribute */ static void process_class(radius_message_t *msg) { enumerator_t *enumerator; ike_sa_t *ike_sa; identification_t *id; auth_cfg_t *auth; chunk_t data; bool class_group, class_send; int type; class_group = lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.class_group", FALSE, lib->ns); class_send = lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.accounting_send_class", FALSE, lib->ns); ike_sa = charon->bus->get_sa(charon->bus); if ((!class_group && !class_send) || !ike_sa) { return; } enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if (type == RAT_CLASS) { if (class_group && data.len < 44) { /* quirk: ignore long class attributes, these are used for * other purposes by some RADIUS servers (such as NPS). */ auth = ike_sa->get_auth_cfg(ike_sa, FALSE); id = identification_create_from_data(data); DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id); auth->add(auth, AUTH_RULE_GROUP, id); } if (class_send) { eap_radius_accounting_add_class(ike_sa, data); } } } enumerator->destroy(enumerator); } /** * Handle the Filter-Id attribute as IPsec CHILD_SA name */ static void process_filter_id(radius_message_t *msg) { enumerator_t *enumerator; int type; uint8_t tunnel_tag; uint32_t tunnel_type; chunk_t filter_id = chunk_empty, data; bool is_esp_tunnel = FALSE; enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { switch (type) { case RAT_TUNNEL_TYPE: if (data.len != 4) { continue; } tunnel_tag = *data.ptr; *data.ptr = 0x00; tunnel_type = untoh32(data.ptr); DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: " "tag = %u, value = %u", tunnel_tag, tunnel_type); is_esp_tunnel = (tunnel_type == RADIUS_TUNNEL_TYPE_ESP); break; case RAT_FILTER_ID: filter_id = data; DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: " "'%.*s'", (int)filter_id.len, filter_id.ptr); break; default: break; } } enumerator->destroy(enumerator); if (is_esp_tunnel && filter_id.len) { identification_t *id; ike_sa_t *ike_sa; auth_cfg_t *auth; ike_sa = charon->bus->get_sa(charon->bus); if (ike_sa) { auth = ike_sa->get_auth_cfg(ike_sa, FALSE); id = identification_create_from_data(filter_id); auth->add(auth, AUTH_RULE_GROUP, id); } } } /** * Handle Session-Timeout attribute and Interim updates */ static void process_timeout(radius_message_t *msg) { enumerator_t *enumerator; ike_sa_t *ike_sa; chunk_t data; int type; ike_sa = charon->bus->get_sa(charon->bus); if (ike_sa) { enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if (type == RAT_SESSION_TIMEOUT && data.len == 4) { ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr)); } else if (type == RAT_ACCT_INTERIM_INTERVAL && data.len == 4) { eap_radius_accounting_start_interim(ike_sa, untoh32(data.ptr)); } } enumerator->destroy(enumerator); } } /** * Add a Cisco Unity configuration attribute */ static void add_unity_attribute(eap_radius_provider_t *provider, uint32_t id, int type, chunk_t data) { switch (type) { case 15: /* CVPN3000-IPSec-Banner1 */ case 36: /* CVPN3000-IPSec-Banner2 */ provider->add_attribute(provider, id, UNITY_BANNER, data); break; case 28: /* CVPN3000-IPSec-Default-Domain */ provider->add_attribute(provider, id, UNITY_DEF_DOMAIN, data); break; case 29: /* CVPN3000-IPSec-Split-DNS-Names */ provider->add_attribute(provider, id, UNITY_SPLITDNS_NAME, data); break; } } /** * Add a DNS/NBNS configuration attribute */ static void add_nameserver_attribute(eap_radius_provider_t *provider, uint32_t id, int type, chunk_t data) { /* these are from different vendors, but there is currently no conflict */ switch (type) { case 5: /* CVPN3000-Primary-DNS */ case 6: /* CVPN3000-Secondary-DNS */ case 28: /* MS-Primary-DNS-Server */ case 29: /* MS-Secondary-DNS-Server */ provider->add_attribute(provider, id, INTERNAL_IP4_DNS, data); break; case 7: /* CVPN3000-Primary-WINS */ case 8: /* CVPN3000-Secondary-WINS */ case 30: /* MS-Primary-NBNS-Server */ case 31: /* MS-Secondary-NBNS-Server */ provider->add_attribute(provider, id, INTERNAL_IP4_NBNS, data); break; case RAT_FRAMED_IPV6_DNS_SERVER: provider->add_attribute(provider, id, INTERNAL_IP6_DNS, data); break; } } /** * Add a UNITY_LOCAL_LAN or UNITY_SPLIT_INCLUDE attribute */ static void add_unity_split_attribute(eap_radius_provider_t *provider, uint32_t id, configuration_attribute_type_t type, chunk_t data) { enumerator_t *enumerator; bio_writer_t *writer; char buffer[256], *token, *slash; if (snprintf(buffer, sizeof(buffer), "%.*s", (int)data.len, data.ptr) >= sizeof(buffer)) { return; } writer = bio_writer_create(16); /* two IPv4 addresses and 6 bytes padding */ enumerator = enumerator_create_token(buffer, ",", " "); while (enumerator->enumerate(enumerator, &token)) { host_t *net, *mask = NULL; chunk_t padding; slash = strchr(token, '/'); if (slash) { *slash++ = '\0'; mask = host_create_from_string(slash, 0); } if (!mask) { /* default to /32 */ mask = host_create_from_string("255.255.255.255", 0); } net = host_create_from_string(token, 0); if (!net || net->get_family(net) != AF_INET || mask->get_family(mask) != AF_INET) { mask->destroy(mask); DESTROY_IF(net); continue; } writer->write_data(writer, net->get_address(net)); writer->write_data(writer, mask->get_address(mask)); padding = writer->skip(writer, 6); /* 6 bytes padding */ memset(padding.ptr, 0, padding.len); mask->destroy(mask); net->destroy(net); } enumerator->destroy(enumerator); data = writer->get_buf(writer); if (data.len) { provider->add_attribute(provider, id, type, data); } writer->destroy(writer); } /** * Handle Framed-IP-Address and other IKE configuration attributes */ static void process_cfg_attributes(radius_message_t *msg) { eap_radius_provider_t *provider; enumerator_t *enumerator; ike_sa_t *ike_sa; host_t *host; chunk_t data; configuration_attribute_type_t split_type = 0; int type, vendor; ike_sa = charon->bus->get_sa(charon->bus); provider = eap_radius_provider_get(); if (provider && ike_sa) { enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { if ((type == RAT_FRAMED_IP_ADDRESS && data.len == 4) || (type == RAT_FRAMED_IPV6_ADDRESS && data.len == 16)) { host = host_create_from_chunk(AF_UNSPEC, data, 0); if (host) { provider->add_framed_ip(provider, ike_sa->get_unique_id(ike_sa), host); } } else if (type == RAT_FRAMED_IP_NETMASK && data.len == 4) { provider->add_attribute(provider, ike_sa->get_unique_id(ike_sa), INTERNAL_IP4_NETMASK, data); } else if (type == RAT_FRAMED_IPV6_DNS_SERVER && data.len == 16) { add_nameserver_attribute(provider, ike_sa->get_unique_id(ike_sa), type, data); } } enumerator->destroy(enumerator); enumerator = msg->create_vendor_enumerator(msg); while (enumerator->enumerate(enumerator, &vendor, &type, &data)) { if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */) { switch (type) { case 5: /* CVPN3000-Primary-DNS */ case 6: /* CVPN3000-Secondary-DNS */ case 7: /* CVPN3000-Primary-WINS */ case 8: /* CVPN3000-Secondary-WINS */ if (data.len == 4) { add_nameserver_attribute(provider, ike_sa->get_unique_id(ike_sa), type, data); } break; case 15: /* CVPN3000-IPSec-Banner1 */ case 28: /* CVPN3000-IPSec-Default-Domain */ case 29: /* CVPN3000-IPSec-Split-DNS-Names */ case 36: /* CVPN3000-IPSec-Banner2 */ if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY)) { add_unity_attribute(provider, ike_sa->get_unique_id(ike_sa), type, data); } break; case 55: /* CVPN3000-IPSec-Split-Tunneling-Policy */ if (data.len) { switch (data.ptr[data.len - 1]) { case 0: /* tunnelall */ default: break; case 1: /* tunnelspecified */ split_type = UNITY_SPLIT_INCLUDE; break; case 2: /* excludespecified */ split_type = UNITY_LOCAL_LAN; break; } } break; default: break; } } if (vendor == PEN_MICROSOFT) { switch (type) { case 28: /* MS-Primary-DNS-Server */ case 29: /* MS-Secondary-DNS-Server */ case 30: /* MS-Primary-NBNS-Server */ case 31: /* MS-Secondary-NBNS-Server */ if (data.len == 4) { add_nameserver_attribute(provider, ike_sa->get_unique_id(ike_sa), type, data); } break; } } } enumerator->destroy(enumerator); if (split_type != 0 && ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY)) { enumerator = msg->create_vendor_enumerator(msg); while (enumerator->enumerate(enumerator, &vendor, &type, &data)) { if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */ && type == 27 /* CVPN3000-IPSec-Split-Tunnel-List */) { add_unity_split_attribute(provider, ike_sa->get_unique_id(ike_sa), split_type, data); } } enumerator->destroy(enumerator); } } } /** * See header. */ void eap_radius_process_attributes(radius_message_t *message) { process_class(message); if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.filter_id", FALSE, lib->ns)) { process_filter_id(message); } process_timeout(message); process_cfg_attributes(message); } METHOD(eap_method_t, process, status_t, private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; chunk_t data; request = radius_message_create(RMC_ACCESS_REQUEST); add_radius_request_attrs(this, request); data = in->get_data(in); DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data); /* fragment data suitable for RADIUS */ while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE) { request->add(request, RAT_EAP_MESSAGE, chunk_create(data.ptr,MAX_RADIUS_ATTRIBUTE_SIZE)); data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE); } request->add(request, RAT_EAP_MESSAGE, data); response = this->client->request(this->client, request); if (response) { eap_radius_forward_to_ike(response); switch (response->get_code(response)) { case RMC_ACCESS_CHALLENGE: if (radius2ike(this, response, out)) { status = NEED_MORE; break; } status = FAILED; break; case RMC_ACCESS_ACCEPT: eap_radius_process_attributes(response); DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", this->peer); status = SUCCESS; break; case RMC_ACCESS_REJECT: default: DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer); status = FAILED; break; } response->destroy(response); } request->destroy(request); return status; } METHOD(eap_method_t, get_type, eap_type_t, private_eap_radius_t *this, uint32_t *vendor) { *vendor = this->vendor; return this->type; } METHOD(eap_method_t, get_msk, status_t, private_eap_radius_t *this, chunk_t *out) { chunk_t msk; msk = this->client->get_msk(this->client); if (msk.len) { *out = msk; return SUCCESS; } return FAILED; } METHOD(eap_method_t, get_identifier, uint8_t, private_eap_radius_t *this) { return this->identifier; } METHOD(eap_method_t, set_identifier, void, private_eap_radius_t *this, uint8_t identifier) { this->identifier = identifier; } METHOD(eap_method_t, is_mutual, bool, private_eap_radius_t *this) { switch (this->type) { case EAP_AKA: case EAP_SIM: return TRUE; default: return FALSE; } } METHOD(eap_method_t, destroy, void, private_eap_radius_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); this->client->destroy(this->client); free(this); } /** * Generic constructor */ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer) { private_eap_radius_t *this; INIT(this, .public = { .eap_method = { .initiate = _initiate, .process = _process, .get_type = _get_type, .is_mutual = _is_mutual, .get_msk = _get_msk, .get_identifier = _get_identifier, .set_identifier = _set_identifier, .destroy = _destroy, }, }, /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ .type = EAP_RADIUS, .eap_start = lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.eap_start", FALSE, lib->ns), .id_prefix = lib->settings->get_str(lib->settings, "%s.plugins.eap-radius.id_prefix", "", lib->ns), ); this->client = eap_radius_create_client(); if (!this->client) { free(this); return NULL; } this->peer = peer->clone(peer); this->server = server->clone(server); return &this->public; }