make TNC client authentication type available to IMVs
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 12 Feb 2013 19:38:05 +0000 (20:38 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 12 Feb 2013 19:38:05 +0000 (20:38 +0100)
src/libcharon/Makefile.am
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/eap_tnc/eap_tnc.h
src/libcharon/plugins/eap_ttls/eap_ttls_server.c
src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
src/libcharon/plugins/tnccs_11/tnccs_11.c
src/libcharon/plugins/tnccs_20/tnccs_20.c
src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
src/libcharon/sa/eap/eap_inner_method.h [new file with mode: 0644]
src/libtnccs/tnc/tnccs/tnccs.h

index 5203890ff895a5b29b721406d2a2ad2cf7732564..3c1b6aa5ed3f5bed83711900534ea9f8f43c64f5 100644 (file)
@@ -60,7 +60,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
index a6c7d30730cd8d49c8c5f8e857460587a1d87a1f..7363ade1db84aff90c2e7ca5858eb6a78070ea70 100644 (file)
@@ -21,6 +21,8 @@
 #include <utils/debug.h>
 #include <daemon.h>
 
+#include <tncifimv.h>
+
 /**
  * Maximum size of an EAP-TNC message
  */
@@ -43,16 +45,51 @@ struct private_eap_tnc_t {
         */
        eap_tnc_t public;
 
+       /**
+        * Outer EAP authentication type
+        */
+       eap_type_t auth_type;
+
        /**
         * TLS stack, wrapped by EAP helper
         */
        tls_eap_t *tls_eap;
+
+       /**
+        * TNCCS instance running over EAP-TNC
+        */
+       tnccs_t *tnccs;
+
 };
 
 METHOD(eap_method_t, initiate, status_t,
        private_eap_tnc_t *this, eap_payload_t **out)
 {
        chunk_t data;
+       u_int32_t auth_type;
+
+       /* Determine TNC Client Authentication Type */
+       switch (this->auth_type)
+       {
+               case EAP_TLS:
+               case EAP_TTLS:
+               case EAP_PEAP:
+                       auth_type = TNC_AUTH_CERT;
+                       break;
+               case EAP_MD5:
+               case EAP_MSCHAPV2:
+               case EAP_GTC:
+               case EAP_OTP:
+                       auth_type = TNC_AUTH_PASSWORD;
+                       break;
+               case EAP_SIM:
+               case EAP_AKA:
+                       auth_type = TNC_AUTH_SIM;
+                       break;
+               default:
+                       auth_type = TNC_AUTH_UNKNOWN;
+       }
+       this->tnccs->set_auth_type(this->tnccs, auth_type);
 
        if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
        {
@@ -122,6 +159,18 @@ METHOD(eap_method_t, destroy, void,
        free(this);
 }
 
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+       private_eap_tnc_t *this)
+{
+       return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+       private_eap_tnc_t *this, eap_type_t type)
+{
+       this->auth_type = type;
+}
+
 /**
  * Generic private constructor
  */
@@ -132,19 +181,22 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
        int max_msg_count;
        char* protocol;
        tnccs_type_t type;
-       tnccs_t *tnccs;
 
        INIT(this,
                .public = {
-                       .eap_method = {
-                               .initiate = _initiate,
-                               .process = _process,
-                               .get_type = _get_type,
-                               .is_mutual = _is_mutual,
-                               .get_msk = _get_msk,
-                               .get_identifier = _get_identifier,
-                               .set_identifier = _set_identifier,
-                               .destroy = _destroy,
+                       .eap_inner_method = {
+                               .eap_method = {
+                                       .initiate = _initiate,
+                                       .process = _process,
+                                       .get_type = _get_type,
+                                       .is_mutual = _is_mutual,
+                                       .get_msk = _get_msk,
+                                       .get_identifier = _get_identifier,
+                                       .set_identifier = _set_identifier,
+                                       .destroy = _destroy,
+                               },
+                               .get_auth_type = _get_auth_type,
+                               .set_auth_type = _set_auth_type,
                        },
                },
        );
@@ -172,9 +224,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                free(this);
                return NULL;
        }
-       tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
-                                                                               server, peer, TNC_IFT_EAP_1_1);
-       this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
+       this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+                                                                                         server, peer, TNC_IFT_EAP_1_1);
+       this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
                                                                   EAP_TNC_MAX_MESSAGE_LEN,
                                                                   max_msg_count, FALSE);
        if (!this->tls_eap)
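Review bot: `&this->tnccs->tls` in the tls_eap_create() call is evaluated without checking that create_instance() actually returned an instance, whereas the tnccs_dynamic hunk in this same commit treats a NULL return from the same call as a failure; unless an earlier check in eap_tnc_create (outside this hunk) already guarantees the selected protocol's tnccs plugin is loaded, a missing plugin turns into a NULL dereference here and again in initiate() via `this->tnccs->set_auth_type`. Mirroring the error path visible at the top of the hunk, `if (!this->tnccs) { free(this); return NULL; }` between the two assignments closes that gap. The remainder of eap_tnc_create lies outside the hunk.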
index 09abe60fc4d27af68e15412895b5ac7901be21de..8c881f6cf66e68f85b0fc81cde184a6d5de49ee1 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
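Review bot: The struct description on the last line of this hunk still reads `Implementation of the eap_method_t interface using EAP-TNC.` although the member it documents becomes `eap_inner_method_t eap_inner_method` in the next hunk of this file; update it to `Implementation of the eap_inner_method_t interface using EAP-TNC.` so the header's comment matches what it declares.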
@@ -31,9 +31,9 @@ typedef struct eap_tnc_t eap_tnc_t;
 struct eap_tnc_t {
 
        /**
-        * Implemented eap_method_t interface.
+        * Implemented eap_inner_method_t interface.
         */
-       eap_method_t eap_method;
+       eap_inner_method_t eap_inner_method;
 };
 
 /**
index 464de17ba57184b7664f0d7d8f5313643eba87c2..eef8d6682eb8577c370b708f176e2aec00464407 100644 (file)
@@ -20,6 +20,7 @@
 #include <daemon.h>
 
 #include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
@@ -108,8 +109,11 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 /**
  * If configured, start EAP-TNC protocol
  */
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+                                                                eap_type_t auth_type)
 {
+       eap_inner_method_t *inner_method;
+
        if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
                                                "%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
        {
@@ -121,6 +125,9 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
                        DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
                        return FAILED;
                }
+               inner_method = (eap_inner_method_t *)this->method;
+               inner_method->set_auth_type(inner_method, auth_type);
+
                this->start_phase2_tnc = FALSE;
                if (this->method->initiate(this->method, &this->out) == NEED_MORE)
                {
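Review bot: The cast `(eap_inner_method_t *)this->method` relies on the EAP_TNC instance handed back by the EAP manager being the eap_tnc plugin's object, whose eap_inner_method_t embeds eap_method_t as its first member; nothing in the hunk verifies that, so a differently registered EAP_TNC implementation would make `inner_method->set_auth_type` call through a function pointer the real object does not provide. The assumption should at least be stated at the cast, e.g. `/* EAP-TNC implements eap_inner_method_t with eap_method_t as its first member; the cast is only valid for that implementation */`, and the embedding requirement belongs in eap_inner_method.h as well. start_phase2_tnc begins and ends outside this hunk.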
@@ -237,7 +244,7 @@ METHOD(tls_application_t, process, status_t,
                if (lib->settings->get_bool(lib->settings,
                                "%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
                {
-                       return start_phase2_tnc(this);
+                       return start_phase2_tnc(this, EAP_TLS);
                }
                else
                {
@@ -265,7 +272,7 @@ METHOD(tls_application_t, process, status_t,
                        this->method = NULL;
 
                        /* continue phase2 with EAP-TNC? */
-                       return start_phase2_tnc(this);
+                       return start_phase2_tnc(this, type);
                case NEED_MORE:
                        break;
                case FAILED:
index 482cc2abf87210bf3d69c6b5d09ce2173de9b24f..6dae80c1779c215681a468e7c03e3ef0b20f0007 100644 (file)
@@ -712,15 +712,15 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
                case TNC_ATTRIBUTEID_AR_IDENTITIES:
                {
                        linked_list_t *list;
-                       tls_t *tnccs;
                        identification_t *peer;
+                       tnccs_t *tnccs;
                        tncif_identity_t *tnc_id;
                        u_int32_t id_type, subject_type;
                        TNC_Result result;
 
                        list = linked_list_create();
-                       tnccs = &entry->tnccs->tls;
-                       peer = tnccs->get_peer_id(tnccs);
+                       tnccs = entry->tnccs;
+                       peer = tnccs->tls.get_peer_id(&tnccs->tls);
                        if (peer)
                        {
                                switch (peer->get_type(peer))
@@ -759,7 +759,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
                                                                pen_type_create(PEN_TCG, id_type),
                                                                peer->get_encoding(peer),
                                                                pen_type_create(PEN_TCG, subject_type),
-                                                               pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+                                                               pen_type_create(PEN_TCG,
+                                                                                               tnccs->get_auth_type(tnccs)));
                                        list->insert_last(list, tnc_id);
                                }
                        }
index 4a61bdef785dd330eaa9b975f50d8a13b358741f..53817c7102568de601eb9a7735c285fd875d1f28 100644 (file)
@@ -67,6 +67,11 @@ struct private_tnccs_11_t {
         */
        tnc_ift_type_t transport;
 
+       /**
+        * Type of TNC client authentication
+        */
+       u_int32_t auth_type;
+
        /**
         * Connection ID assigned to this TNCCS connection
         */
@@ -574,6 +579,18 @@ METHOD(tnccs_t, set_transport, void,
        this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+       private_tnccs_11_t *this)
+{
+       return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+       private_tnccs_11_t *this, u_int32_t auth_type)
+{
+       this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
@@ -599,6 +616,8 @@ tnccs_t* tnccs_11_create(bool is_server,
                        },
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
+                       .get_auth_type = _get_auth_type,
+                       .set_auth_type = _set_auth_type,
                },
                .is_server = is_server,
                .server = server->clone(server),
index 4447ba2fd7aae73ecb462de198159ebaab3e492d..6deaff8a9d550c4df8b3fac897957eb644187015 100644 (file)
@@ -72,6 +72,11 @@ struct private_tnccs_20_t {
         */
        tnc_ift_type_t transport;
 
+       /**
+        * Type of TNC client authentication
+        */
+       u_int32_t auth_type;
+
        /**
         * PB-TNC State Machine
         */
@@ -840,6 +845,18 @@ METHOD(tnccs_t, set_transport, void,
        this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+       private_tnccs_20_t *this)
+{
+       return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+       private_tnccs_20_t *this, u_int32_t auth_type)
+{
+       this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
@@ -865,6 +882,8 @@ tnccs_t* tnccs_20_create(bool is_server,
                        },
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
+                       .get_auth_type = _get_auth_type,
+                       .set_auth_type = _set_auth_type,
                },
                .is_server = is_server,
                .server = server->clone(server),
index 49f421e9b25b206b65f49c8019a98855fd5c8eba..d4fc6a6f71f51aa422357fadd73638aa46975890 100644 (file)
@@ -51,6 +51,11 @@ struct private_tnccs_dynamic_t {
         */
        tnc_ift_type_t transport;
 
+       /**
+        * Type of TNC client authentication
+        */
+       u_int32_t auth_type;
+
 };
 
 /**
@@ -82,6 +87,7 @@ METHOD(tls_t, process, status_t,
        private_tnccs_dynamic_t *this, void *buf, size_t buflen)
 {
        tnccs_type_t type;
+       tnccs_t *tnccs;
 
        if (!this->tls)
        {
@@ -92,13 +98,15 @@ METHOD(tls_t, process, status_t,
                type = determine_tnccs_protocol(*(char*)buf);
                DBG1(DBG_TNC, "%N protocol detected dynamically",
                                           tnccs_type_names, type);
-               this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-                                                                       this->server, this->peer, this->transport);
-               if (!this->tls)
+               tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
+                                                       this->server, this->peer, this->transport);
+               if (!tnccs)
                {
                        DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
                        return FAILED;
                }
+               tnccs->set_auth_type(tnccs, this->auth_type);
+               this->tls = &tnccs->tls;
        }
        return this->tls->process(this->tls, buf, buflen);
 }
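Review bot: The context line `DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);` directly above the new `set_auth_type` call has its directive reversed: with `N%` the string no longer contains the `%N` enum-name directive that the two trailing arguments are meant for, so the error path of the code this hunk modifies prints a malformed message instead of the protocol name. It should read `"%N protocol not supported"`, matching the DBG1 call a few lines earlier in the same function. process() begins in the previous hunk.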
@@ -166,6 +174,18 @@ METHOD(tnccs_t, set_transport, void,
        this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+       private_tnccs_dynamic_t *this)
+{
+       return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+       private_tnccs_dynamic_t *this, u_int32_t auth_type)
+{
+       this->auth_type = auth_type;
+}
+
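Review bot: set_auth_type in this hunk only records the value in `this->auth_type`; it is copied into the wrapped instance exactly once, when process() (previous hunk) creates that instance on the first byte received, so a set_auth_type call arriving after that point is silently dropped and the wrapper's get_auth_type then reports a value the wrapped tnccs never saw. The callers in this commit appear to set the type before any data flows, so the order works out today, but the wrapper would be robust if its private struct kept the created `tnccs_t *` and the setter forwarded with `if (this->tnccs) { this->tnccs->set_auth_type(this->tnccs, auth_type); }`; failing that, the ordering requirement should be documented on set_auth_type in tnccs.h.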
 /**
  * See header
  */
@@ -191,6 +211,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
                        },
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
+                       .get_auth_type = _get_auth_type,
+                       .set_auth_type = _set_auth_type,
                },
                .server = server->clone(server),
                .peer = peer->clone(peer),
diff --git a/src/libcharon/sa/eap/eap_inner_method.h b/src/libcharon/sa/eap/eap_inner_method.h
new file mode 100644 (file)
index 0000000..5008529
--- /dev/null
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_inner_method eap_inner_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_INNER_METHOD_H_
+#define EAP_INNER_METHOD_H_
+
+typedef struct eap_inner_method_t eap_inner_method_t;
+
+#include <library.h>
+
+#include "eap_method.h"
+
+/**
+ * Interface of a weak inner EAP method like EAP-TNC or PT-EAP
+ * that must be encapsulated in a strong TLS-based EAP method 
+ */
+struct eap_inner_method_t {
+
+       /*
+        * Public EAP method interface
+        */
+       eap_method_t eap_method;
+
+       /*
+        * Get type of outer EAP authentication method
+        *
+        * @return                      outer EAP authentication type
+        */
+       eap_type_t (*get_auth_type)(eap_inner_method_t *this); 
+
+       /*
+        * Set type of outer EAP Client/Server authentication
+        *
+        * @param type          outer EAP authentication type
+        */
+       void (*set_auth_type)(eap_inner_method_t *this, eap_type_t type); 
+
+};
+
+#endif /** EAP_INNER_METHOD_H_ @}*/
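Review bot: The two member comments inside eap_inner_method_t open with `/*` rather than `/**`, so Doxygen, which the file opts into with its `@defgroup` block, ignores the `@return` and `@param` tags they contain; both should be `/**` like the struct comment. The interface also leaves the call-order contract implicit: eap_tnc's initiate() consumes the value stored by set_auth_type, so the setter needs a sentence such as `Must be called by the encapsulating method before initiate().`, and both descriptions could say that the value is the EAP type of the method that authenticated the peer. The struct description line and the two function-pointer declarations end in trailing whitespace.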
index 3c7249fb06b82f4fd6e9e0f2110e892e524307e5..81d393684a23f7b9773fb6e5c4709d704fd30942 100644 (file)
@@ -82,9 +82,20 @@ struct tnccs_t {
 
        /**
         * Set underlying TNC IF-T transport protocol
+
         */
        void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport);
 
+       /**
+        * Get type of TNC Client authentication
+        */
+       u_int32_t (*get_auth_type)(tnccs_t *this);
+
+       /**
+        * Set type of TNC Client authentication
+        */
+       void (*set_auth_type)(tnccs_t *this, u_int32_t auth_type);
+
 };
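Review bot: The hunk inserts an empty `+` line into the middle of the set_transport doc comment, between `Set underlying TNC IF-T transport protocol` and ` */`; it looks accidental and should be dropped. The new get/set_auth_type comments say nothing about the value's domain, and since every caller in this commit passes TNC_AUTH_* constants from tncifimv.h the declarations should say so, e.g. `@param auth_type TNC_AUTH_* client authentication type (see tncifimv.h)` and `@return TNC_AUTH_* client authentication type as set via set_auth_type`. Because tnc_tnccs_manager now calls get_auth_type unconditionally on each registered connection, any tnccs_t implementation not updated by this commit must also fill both new slots, or the manager dereferences a NULL function pointer.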
 
 /**