src/eap_server/eap_tnc.c

   1 /*
   2  * EAP server method: EAP-TNC (Trusted Network Connect)
   3  * Copyright (c) 2007-2010, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "base64.h"
  19 #include "eap_i.h"
  20 #include "tncs.h"
  21
  22
  23 struct eap_tnc_data {
  24         enum { START, CONTINUE, RECOMMENDATION, FRAG_ACK, WAIT_FRAG_ACK, DONE,
  25                FAIL } state;
  26         enum { ALLOW, ISOLATE, NO_ACCESS, NO_RECOMMENDATION } recommendation;
  27         struct tncs_data *tncs;
  28         struct wpabuf *in_buf;
  29         struct wpabuf *out_buf;
  30         size_t out_used;
  31         size_t fragment_size;
  32         int was_done:1;
  33         int was_fail:1;
  34 };
  35
  36
  37 /* EAP-TNC Flags */
  38 #define EAP_TNC_FLAGS_LENGTH_INCLUDED 0x80
  39 #define EAP_TNC_FLAGS_MORE_FRAGMENTS 0x40
  40 #define EAP_TNC_FLAGS_START 0x20
  41 #define EAP_TNC_VERSION_MASK 0x07
  42
  43 #define EAP_TNC_VERSION 1
  44
  45
  46 static void * eap_tnc_init(struct eap_sm *sm)
  47 {
  48         struct eap_tnc_data *data;
  49
  50         data = os_zalloc(sizeof(*data));
  51         if (data == NULL)
  52                 return NULL;
  53         data->state = START;
  54         data->tncs = tncs_init();
  55         if (data->tncs == NULL) {
  56                 os_free(data);
  57                 return NULL;
  58         }
  59
  60         data->fragment_size = 1300;
  61
  62         return data;
  63 }
  64
  65
  66 static void eap_tnc_reset(struct eap_sm *sm, void *priv)
  67 {
  68         struct eap_tnc_data *data = priv;
  69         wpabuf_free(data->in_buf);
  70         wpabuf_free(data->out_buf);
  71         tncs_deinit(data->tncs);
  72         os_free(data);
  73 }
  74
  75
  76 static struct wpabuf * eap_tnc_build_start(struct eap_sm *sm,
  77                                            struct eap_tnc_data *data, u8 id)
  78 {
  79         struct wpabuf *req;
  80
  81         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TNC, 1, EAP_CODE_REQUEST,
  82                             id);
  83         if (req == NULL) {
  84                 wpa_printf(MSG_ERROR, "EAP-TNC: Failed to allocate memory for "
  85                            "request");
  86                 data->state = FAIL;
  87                 return NULL;
  88         }
  89
  90         wpabuf_put_u8(req, EAP_TNC_FLAGS_START | EAP_TNC_VERSION);
  91
  92         data->state = CONTINUE;
  93
  94         return req;
  95 }
  96
  97
  98 static struct wpabuf * eap_tnc_build(struct eap_sm *sm,
  99                                      struct eap_tnc_data *data)
 100 {
 101         struct wpabuf *req;
 102         u8 *rpos, *rpos1;
 103         size_t rlen;
 104         char *start_buf, *end_buf;
 105         size_t start_len, end_len;
 106         size_t imv_len;
 107
 108         imv_len = tncs_total_send_len(data->tncs);
 109
 110         start_buf = tncs_if_tnccs_start(data->tncs);
 111         if (start_buf == NULL)
 112                 return NULL;
 113         start_len = os_strlen(start_buf);
 114         end_buf = tncs_if_tnccs_end();
 115         if (end_buf == NULL) {
 116                 os_free(start_buf);
 117                 return NULL;
 118         }
 119         end_len = os_strlen(end_buf);
 120
 121         rlen = start_len + imv_len + end_len;
 122         req = wpabuf_alloc(rlen);
 123         if (req == NULL) {
 124                 os_free(start_buf);
 125                 os_free(end_buf);
 126                 return NULL;
 127         }
 128
 129         wpabuf_put_data(req, start_buf, start_len);
 130         os_free(start_buf);
 131
 132         rpos1 = wpabuf_put(req, 0);
 133         rpos = tncs_copy_send_buf(data->tncs, rpos1);
 134         wpabuf_put(req, rpos - rpos1);
 135
 136         wpabuf_put_data(req, end_buf, end_len);
 137         os_free(end_buf);
 138
 139         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TNC: Request",
 140                           wpabuf_head(req), wpabuf_len(req));
 141
 142         return req;
 143 }
 144
 145
 146 static struct wpabuf * eap_tnc_build_recommendation(struct eap_sm *sm,
 147                                                     struct eap_tnc_data *data)
 148 {
 149         switch (data->recommendation) {
 150         case ALLOW:
 151                 data->state = DONE;
 152                 break;
 153         case ISOLATE:
 154                 data->state = FAIL;
 155                 /* TODO: support assignment to a different VLAN */
 156                 break;
 157         case NO_ACCESS:
 158                 data->state = FAIL;
 159                 break;
 160         case NO_RECOMMENDATION:
 161                 data->state = DONE;
 162                 break;
 163         default:
 164                 wpa_printf(MSG_DEBUG, "EAP-TNC: Unknown recommendation");
 165                 return NULL;
 166         }
 167
 168         return eap_tnc_build(sm, data);
 169 }
 170
 171
 172 static struct wpabuf * eap_tnc_build_frag_ack(u8 id, u8 code)
 173 {
 174         struct wpabuf *msg;
 175
 176         msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TNC, 1, code, id);
 177         if (msg == NULL) {
 178                 wpa_printf(MSG_ERROR, "EAP-TNC: Failed to allocate memory "
 179                            "for fragment ack");
 180                 return NULL;
 181         }
 182         wpabuf_put_u8(msg, EAP_TNC_VERSION); /* Flags */
 183
 184         wpa_printf(MSG_DEBUG, "EAP-TNC: Send fragment ack");
 185
 186         return msg;
 187 }
 188
 189
 190 static struct wpabuf * eap_tnc_build_msg(struct eap_tnc_data *data, u8 id)
 191 {
 192         struct wpabuf *req;
 193         u8 flags;
 194         size_t send_len, plen;
 195
 196         wpa_printf(MSG_DEBUG, "EAP-TNC: Generating Request");
 197
 198         flags = EAP_TNC_VERSION;
 199         send_len = wpabuf_len(data->out_buf) - data->out_used;
 200         if (1 + send_len > data->fragment_size) {
 201                 send_len = data->fragment_size - 1;
 202                 flags |= EAP_TNC_FLAGS_MORE_FRAGMENTS;
 203                 if (data->out_used == 0) {
 204                         flags |= EAP_TNC_FLAGS_LENGTH_INCLUDED;
 205                         send_len -= 4;
 206                 }
 207         }
 208
 209         plen = 1 + send_len;
 210         if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
 211                 plen += 4;
 212         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TNC, plen,
 213                             EAP_CODE_REQUEST, id);
 214         if (req == NULL)
 215                 return NULL;
 216
 217         wpabuf_put_u8(req, flags); /* Flags */
 218         if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)
 219                 wpabuf_put_be32(req, wpabuf_len(data->out_buf));
 220
 221         wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
 222                         send_len);
 223         data->out_used += send_len;
 224
 225         if (data->out_used == wpabuf_len(data->out_buf)) {
 226                 wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
 227                            "(message sent completely)",
 228                            (unsigned long) send_len);
 229                 wpabuf_free(data->out_buf);
 230                 data->out_buf = NULL;
 231                 data->out_used = 0;
 232         } else {
 233                 wpa_printf(MSG_DEBUG, "EAP-TNC: Sending out %lu bytes "
 234                            "(%lu more to send)", (unsigned long) send_len,
 235                            (unsigned long) wpabuf_len(data->out_buf) -
 236                            data->out_used);
 237                 if (data->state == FAIL)
 238                         data->was_fail = 1;
 239                 else if (data->state == DONE)
 240                         data->was_done = 1;
 241                 data->state = WAIT_FRAG_ACK;
 242         }
 243
 244         return req;
 245 }
 246
 247
 248 static struct wpabuf * eap_tnc_buildReq(struct eap_sm *sm, void *priv, u8 id)
 249 {
 250         struct eap_tnc_data *data = priv;
 251
 252         switch (data->state) {
 253         case START:
 254                 tncs_init_connection(data->tncs);
 255                 return eap_tnc_build_start(sm, data, id);
 256         case CONTINUE:
 257                 if (data->out_buf == NULL) {
 258                         data->out_buf = eap_tnc_build(sm, data);
 259                         if (data->out_buf == NULL) {
 260                                 wpa_printf(MSG_DEBUG, "EAP-TNC: Failed to "
 261                                            "generate message");
 262                                 return NULL;
 263                         }
 264                         data->out_used = 0;
 265                 }
 266                 return eap_tnc_build_msg(data, id);
 267         case RECOMMENDATION:
 268                 if (data->out_buf == NULL) {
 269                         data->out_buf = eap_tnc_build_recommendation(sm, data);
 270                         if (data->out_buf == NULL) {
 271                                 wpa_printf(MSG_DEBUG, "EAP-TNC: Failed to "
 272                                            "generate recommendation message");
 273                                 return NULL;
 274                         }
 275                         data->out_used = 0;
 276                 }
 277                 return eap_tnc_build_msg(data, id);
 278         case WAIT_FRAG_ACK:
 279                 return eap_tnc_build_msg(data, id);
 280         case FRAG_ACK:
 281                 return eap_tnc_build_frag_ack(id, EAP_CODE_REQUEST);
 282         case DONE:
 283         case FAIL:
 284                 return NULL;
 285         }
 286
 287         return NULL;
 288 }
 289
 290
 291 static Boolean eap_tnc_check(struct eap_sm *sm, void *priv,
 292                              struct wpabuf *respData)
 293 {
 294         struct eap_tnc_data *data = priv;
 295         const u8 *pos;
 296         size_t len;
 297
 298         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TNC, respData,
 299                                &len);
 300         if (pos == NULL) {
 301                 wpa_printf(MSG_INFO, "EAP-TNC: Invalid frame");
 302                 return TRUE;
 303         }
 304
 305         if (len == 0 && data->state != WAIT_FRAG_ACK) {
 306                 wpa_printf(MSG_INFO, "EAP-TNC: Invalid frame (empty)");
 307                 return TRUE;
 308         }
 309
 310         if (len == 0)
 311                 return FALSE; /* Fragment ACK does not include flags */
 312
 313         if ((*pos & EAP_TNC_VERSION_MASK) != EAP_TNC_VERSION) {
 314                 wpa_printf(MSG_DEBUG, "EAP-TNC: Unsupported version %d",
 315                            *pos & EAP_TNC_VERSION_MASK);
 316                 return TRUE;
 317         }
 318
 319         if (*pos & EAP_TNC_FLAGS_START) {
 320                 wpa_printf(MSG_DEBUG, "EAP-TNC: Peer used Start flag");
 321                 return TRUE;
 322         }
 323
 324         return FALSE;
 325 }
 326
 327
 328 static void tncs_process(struct eap_tnc_data *data, struct wpabuf *inbuf)
 329 {
 330         enum tncs_process_res res;
 331
 332         res = tncs_process_if_tnccs(data->tncs, wpabuf_head(inbuf),
 333                                     wpabuf_len(inbuf));
 334         switch (res) {
 335         case TNCCS_RECOMMENDATION_ALLOW:
 336                 wpa_printf(MSG_DEBUG, "EAP-TNC: TNCS allowed access");
 337                 data->state = RECOMMENDATION;
 338                 data->recommendation = ALLOW;
 339                 break;
 340         case TNCCS_RECOMMENDATION_NO_RECOMMENDATION:
 341                 wpa_printf(MSG_DEBUG, "EAP-TNC: TNCS has no recommendation");
 342                 data->state = RECOMMENDATION;
 343                 data->recommendation = NO_RECOMMENDATION;
 344                 break;
 345         case TNCCS_RECOMMENDATION_ISOLATE:
 346                 wpa_printf(MSG_DEBUG, "EAP-TNC: TNCS requested isolation");
 347                 data->state = RECOMMENDATION;
 348                 data->recommendation = ISOLATE;
 349                 break;
 350         case TNCCS_RECOMMENDATION_NO_ACCESS:
 351                 wpa_printf(MSG_DEBUG, "EAP-TNC: TNCS rejected access");
 352                 data->state = RECOMMENDATION;
 353                 data->recommendation = NO_ACCESS;
 354                 break;
 355         case TNCCS_PROCESS_ERROR:
 356                 wpa_printf(MSG_DEBUG, "EAP-TNC: TNCS processing error");
 357                 data->state = FAIL;
 358                 break;
 359         default:
 360                 break;
 361         }
 362 }
 363
 364
 365 static int eap_tnc_process_cont(struct eap_tnc_data *data,
 366                                 const u8 *buf, size_t len)
 367 {
 368         /* Process continuation of a pending message */
 369         if (len > wpabuf_tailroom(data->in_buf)) {
 370                 wpa_printf(MSG_DEBUG, "EAP-TNC: Fragment overflow");
 371                 data->state = FAIL;
 372                 return -1;
 373         }
 374
 375         wpabuf_put_data(data->in_buf, buf, len);
 376         wpa_printf(MSG_DEBUG, "EAP-TNC: Received %lu bytes, waiting for %lu "
 377                    "bytes more", (unsigned long) len,
 378                    (unsigned long) wpabuf_tailroom(data->in_buf));
 379
 380         return 0;
 381 }
 382
 383
 384 static int eap_tnc_process_fragment(struct eap_tnc_data *data,
 385                                     u8 flags, u32 message_length,
 386                                     const u8 *buf, size_t len)
 387 {
 388         /* Process a fragment that is not the last one of the message */
 389         if (data->in_buf == NULL && !(flags & EAP_TNC_FLAGS_LENGTH_INCLUDED)) {
 390                 wpa_printf(MSG_DEBUG, "EAP-TNC: No Message Length field in a "
 391                            "fragmented packet");
 392                 return -1;
 393         }
 394
 395         if (data->in_buf == NULL) {
 396                 /* First fragment of the message */
 397                 data->in_buf = wpabuf_alloc(message_length);
 398                 if (data->in_buf == NULL) {
 399                         wpa_printf(MSG_DEBUG, "EAP-TNC: No memory for "
 400                                    "message");
 401                         return -1;
 402                 }
 403                 wpabuf_put_data(data->in_buf, buf, len);
 404                 wpa_printf(MSG_DEBUG, "EAP-TNC: Received %lu bytes in first "
 405                            "fragment, waiting for %lu bytes more",
 406                            (unsigned long) len,
 407                            (unsigned long) wpabuf_tailroom(data->in_buf));
 408         }
 409
 410         return 0;
 411 }
 412
 413
 414 static void eap_tnc_process(struct eap_sm *sm, void *priv,
 415                             struct wpabuf *respData)
 416 {
 417         struct eap_tnc_data *data = priv;
 418         const u8 *pos, *end;
 419         size_t len;
 420         u8 flags;
 421         u32 message_length = 0;
 422         struct wpabuf tmpbuf;
 423
 424         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TNC, respData, &len);
 425         if (pos == NULL)
 426                 return; /* Should not happen; message already verified */
 427
 428         end = pos + len;
 429
 430         if (len == 1 && (data->state == DONE || data->state == FAIL)) {
 431                 wpa_printf(MSG_DEBUG, "EAP-TNC: Peer acknowledged the last "
 432                            "message");
 433                 return;
 434         }
 435
 436         if (len == 0) {
 437                 /* fragment ack */
 438                 flags = 0;
 439         } else
 440                 flags = *pos++;
 441
 442         if (flags & EAP_TNC_FLAGS_LENGTH_INCLUDED) {
 443                 if (end - pos < 4) {
 444                         wpa_printf(MSG_DEBUG, "EAP-TNC: Message underflow");
 445                         data->state = FAIL;
 446                         return;
 447                 }
 448                 message_length = WPA_GET_BE32(pos);
 449                 pos += 4;
 450
 451                 if (message_length < (u32) (end - pos)) {
 452                         wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message "
 453                                    "Length (%d; %ld remaining in this msg)",
 454                                    message_length, (long) (end - pos));
 455                         data->state = FAIL;
 456                         return;
 457                 }
 458         }
 459         wpa_printf(MSG_DEBUG, "EAP-TNC: Received packet: Flags 0x%x "
 460                    "Message Length %u", flags, message_length);
 461
 462         if (data->state == WAIT_FRAG_ACK) {
 463                 if (len > 1) {
 464                         wpa_printf(MSG_DEBUG, "EAP-TNC: Unexpected payload "
 465                                    "in WAIT_FRAG_ACK state");
 466                         data->state = FAIL;
 467                         return;
 468                 }
 469                 wpa_printf(MSG_DEBUG, "EAP-TNC: Fragment acknowledged");
 470                 if (data->was_fail)
 471                         data->state = FAIL;
 472                 else if (data->was_done)
 473                         data->state = DONE;
 474                 else
 475                         data->state = CONTINUE;
 476                 return;
 477         }
 478
 479         if (data->in_buf && eap_tnc_process_cont(data, pos, end - pos) < 0) {
 480                 data->state = FAIL;
 481                 return;
 482         }
 483
 484         if (flags & EAP_TNC_FLAGS_MORE_FRAGMENTS) {
 485                 if (eap_tnc_process_fragment(data, flags, message_length,
 486                                              pos, end - pos) < 0)
 487                         data->state = FAIL;
 488                 else
 489                         data->state = FRAG_ACK;
 490                 return;
 491         } else if (data->state == FRAG_ACK) {
 492                 wpa_printf(MSG_DEBUG, "EAP-TNC: All fragments received");
 493                 data->state = CONTINUE;
 494         }
 495
 496         if (data->in_buf == NULL) {
 497                 /* Wrap unfragmented messages as wpabuf without extra copy */
 498                 wpabuf_set(&tmpbuf, pos, end - pos);
 499                 data->in_buf = &tmpbuf;
 500         }
 501
 502         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TNC: Received payload",
 503                           wpabuf_head(data->in_buf), wpabuf_len(data->in_buf));
 504         tncs_process(data, data->in_buf);
 505
 506         if (data->in_buf != &tmpbuf)
 507                 wpabuf_free(data->in_buf);
 508         data->in_buf = NULL;
 509 }
 510
 511
 512 static Boolean eap_tnc_isDone(struct eap_sm *sm, void *priv)
 513 {
 514         struct eap_tnc_data *data = priv;
 515         return data->state == DONE || data->state == FAIL;
 516 }
 517
 518
 519 static Boolean eap_tnc_isSuccess(struct eap_sm *sm, void *priv)
 520 {
 521         struct eap_tnc_data *data = priv;
 522         return data->state == DONE;
 523 }
 524
 525
 526 int eap_server_tnc_register(void)
 527 {
 528         struct eap_method *eap;
 529         int ret;
 530
 531         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
 532                                       EAP_VENDOR_IETF, EAP_TYPE_TNC, "TNC");
 533         if (eap == NULL)
 534                 return -1;
 535
 536         eap->init = eap_tnc_init;
 537         eap->reset = eap_tnc_reset;
 538         eap->buildReq = eap_tnc_buildReq;
 539         eap->check = eap_tnc_check;
 540         eap->process = eap_tnc_process;
 541         eap->isDone = eap_tnc_isDone;
 542         eap->isSuccess = eap_tnc_isSuccess;
 543
 544         ret = eap_server_method_register(eap);
 545         if (ret)
 546                 eap_server_method_free(eap);
 547         return ret;
 548 }