]> git.ipfire.org Git - thirdparty/strongswan.git/blame_incremental - src/libcharon/plugins/eap_tls/eap_tls.c
nm: Don't set DL_LIBS to 'none required' in configure script
[thirdparty/strongswan.git] / src / libcharon / plugins / eap_tls / eap_tls.c
... / ...
CommitLineData
1/*
2 * Copyright (C) 2023 Tobias Brunner
3 * Copyright (C) 2010 Martin Willi
4 *
5 * Copyright (C) secunet Security Networks AG
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18#include "eap_tls.h"
19
20#include <tls_eap.h>
21
22#include <daemon.h>
23#include <library.h>
24
25typedef struct private_eap_tls_t private_eap_tls_t;
26
27/**
28 * Private data of an eap_tls_t object.
29 */
30struct private_eap_tls_t {
31
32 /**
33 * Public interface.
34 */
35 eap_tls_t public;
36
37 /**
38 * TLS stack, wrapped by EAP helper below
39 */
40 tls_t *tls;
41
42 /**
43 * EAP helper
44 */
45 tls_eap_t *tls_eap;
46
47 /**
48 * Whether the "protected success indication" has been sent/received with
49 * TLS 1.3
50 */
51 bool indication_sent_received;
52};
53
54/** Maximum number of EAP-TLS messages/fragments allowed */
55#define MAX_MESSAGE_COUNT 32
56/** Default size of a EAP-TLS fragment */
57#define MAX_FRAGMENT_LEN 1024
58
59METHOD(eap_method_t, initiate, status_t,
60 private_eap_tls_t *this, eap_payload_t **out)
61{
62 chunk_t data;
63
64 if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
65 {
66 *out = eap_payload_create_data(data);
67 free(data.ptr);
68 return NEED_MORE;
69 }
70 return FAILED;
71}
72
73METHOD(eap_method_t, process, status_t,
74 private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out)
75{
76 status_t status;
77 chunk_t data;
78
79 data = in->get_data(in);
80 status = this->tls_eap->process(this->tls_eap, data, &data);
81 if (status == NEED_MORE)
82 {
83 *out = eap_payload_create_data(data);
84 free(data.ptr);
85 }
86 return status;
87}
88
89METHOD(eap_method_t, get_type, eap_type_t,
90 private_eap_tls_t *this, pen_t *vendor)
91{
92 *vendor = 0;
93 return EAP_TLS;
94}
95
96METHOD(eap_method_t, get_msk, status_t,
97 private_eap_tls_t *this, chunk_t *msk)
98{
99 if (this->tls->get_version_max(this->tls) < TLS_1_3 ||
100 this->indication_sent_received)
101 {
102 *msk = this->tls_eap->get_msk(this->tls_eap);
103 if (msk->len)
104 {
105 return SUCCESS;
106 }
107 }
108 else
109 {
110 DBG1(DBG_TLS, "missing protected success indication for EAP-TLS with "
111 "%N", tls_version_names, this->tls->get_version_max(this->tls));
112 }
113 return FAILED;
114}
115
116METHOD(eap_method_t, get_identifier, uint8_t,
117 private_eap_tls_t *this)
118{
119 return this->tls_eap->get_identifier(this->tls_eap);
120}
121
122METHOD(eap_method_t, set_identifier, void,
123 private_eap_tls_t *this, uint8_t identifier)
124{
125 this->tls_eap->set_identifier(this->tls_eap, identifier);
126}
127
128METHOD(eap_method_t, is_mutual, bool,
129 private_eap_tls_t *this)
130{
131 return TRUE;
132}
133
134METHOD(eap_method_t, get_auth, auth_cfg_t*,
135 private_eap_tls_t *this)
136{
137 return this->tls_eap->get_auth(this->tls_eap);
138}
139
140METHOD(eap_method_t, destroy, void,
141 private_eap_tls_t *this)
142{
143 this->tls_eap->destroy(this->tls_eap);
144 free(this);
145}
146
147/**
148 * Application to send/process the "protected success indication" with TLS 1.3
149 * as specified in RFC 9190
150 */
151typedef struct {
152
153 /**
154 * Public interface
155 */
156 tls_application_t public;
157
158 /**
159 * Reference to the EAP-TLS object
160 */
161 private_eap_tls_t *this;
162
163 /**
164 * Whether the server sent the indication
165 */
166 bool indication_sent;
167
168} eap_tls_app_t;
169
170METHOD(tls_application_t, server_process, status_t,
171 eap_tls_app_t *app, bio_reader_t *reader)
172{
173 /* we don't expect any data from the client, the empty response to our
174 * indication is handled as ACK in tls_eap_t */
175 DBG1(DBG_TLS, "peer sent unexpected TLS data");
176 return FAILED;
177}
178
179METHOD(tls_application_t, server_build, status_t,
180 eap_tls_app_t *app, bio_writer_t *writer)
181{
182 if (app->this->indication_sent_received)
183 {
184 return SUCCESS;
185 }
186 if (app->this->tls->get_version_max(app->this->tls) >= TLS_1_3)
187 {
188 /* build() is called twice when sending the indication, return the same
189 * status but data only once */
190 if (app->indication_sent)
191 {
192 app->this->indication_sent_received = TRUE;
193 }
194 else
195 { /* send a single 0x00 */
196 DBG2(DBG_TLS, "sending protected success indication via TLS");
197 writer->write_uint8(writer, 0);
198 app->indication_sent = TRUE;
199 }
200 }
201 else
202 {
203 /* with earlier TLS versions, return INVALID_STATE without data to send
204 * the final handshake messages (returning SUCCESS immediately would
205 * prevent that) */
206 app->this->indication_sent_received = TRUE;
207 }
208 return INVALID_STATE;
209}
210
211METHOD(tls_application_t, client_process, status_t,
212 eap_tls_app_t *app, bio_reader_t *reader)
213{
214 uint8_t indication;
215
216 if (app->this->tls->get_version_max(app->this->tls) < TLS_1_3 ||
217 app->this->indication_sent_received)
218 {
219 DBG1(DBG_TLS, "peer sent unexpected TLS data");
220 return FAILED;
221 }
222 if (!reader->read_uint8(reader, &indication) || indication != 0)
223 {
224 DBG1(DBG_TLS, "received incorrect protected success indication via TLS");
225 return FAILED;
226 }
227 DBG2(DBG_TLS, "received protected success indication via TLS");
228 app->this->indication_sent_received = TRUE;
229 return NEED_MORE;
230}
231
232METHOD(tls_application_t, client_build, status_t,
233 eap_tls_app_t *app, bio_writer_t *writer)
234{
235 if (app->this->tls->get_version_max(app->this->tls) < TLS_1_3 ||
236 app->this->indication_sent_received)
237 { /* trigger an empty response/ACK */
238 return INVALID_STATE;
239 }
240 return FAILED;
241}
242
243METHOD(tls_application_t, app_destroy, void,
244 eap_tls_app_t *this)
245{
246 free(this);
247}
248
249/**
250 * Create the server/peer implementation to handle the "protected success
251 * indication" with TLS 1.3
252 */
253tls_application_t *eap_tls_app_create(private_eap_tls_t *this, bool is_server)
254{
255 eap_tls_app_t *app;
256
257 INIT(app,
258 .public = {
259 .process = _client_process,
260 .build = _client_build,
261 .destroy = _app_destroy,
262 },
263 .this = this,
264 );
265 if (is_server)
266 {
267 app->public.process = _server_process;
268 app->public.build = _server_build;
269 }
270 return &app->public;
271}
272
273/**
274 * Generic private constructor
275 */
276static eap_tls_t *eap_tls_create(identification_t *server,
277 identification_t *peer, bool is_server)
278{
279 private_eap_tls_t *this;
280 tls_application_t *app;
281 size_t frag_size;
282 int max_msg_count;
283 bool include_length;
284
285 INIT(this,
286 .public = {
287 .eap_method = {
288 .initiate = _initiate,
289 .process = _process,
290 .get_type = _get_type,
291 .is_mutual = _is_mutual,
292 .get_msk = _get_msk,
293 .get_identifier = _get_identifier,
294 .set_identifier = _set_identifier,
295 .get_auth = _get_auth,
296 .destroy = _destroy,
297 },
298 },
299 );
300
301 frag_size = lib->settings->get_int(lib->settings,
302 "%s.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN,
303 lib->ns);
304 max_msg_count = lib->settings->get_int(lib->settings,
305 "%s.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT,
306 lib->ns);
307 include_length = lib->settings->get_bool(lib->settings,
308 "%s.plugins.eap-tls.include_length", TRUE, lib->ns);
309 app = eap_tls_app_create(this, is_server);
310 this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, app,
311 NULL, 0);
312 this->tls_eap = tls_eap_create(EAP_TLS, this->tls, frag_size, max_msg_count,
313 include_length);
314 if (!this->tls_eap)
315 {
316 free(this);
317 return NULL;
318 }
319 return &this->public;
320}
321
322eap_tls_t *eap_tls_create_server(identification_t *server,
323 identification_t *peer)
324{
325 return eap_tls_create(server, peer, TRUE);
326}
327
328eap_tls_t *eap_tls_create_peer(identification_t *server,
329 identification_t *peer)
330{
331 return eap_tls_create(server, peer, FALSE);
332}