Imported Upstream version 5.0.1

4 files changed, 514 insertions, 0 deletions

diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c
new file mode 100644
index 000000000..520c0ce56
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_manager.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_eap_manager_t private_eap_manager_t;
+typedef struct eap_entry_t eap_entry_t;
+
+/**
+ * EAP constructor entry
+ */
+struct eap_entry_t {
+
+	/**
+	 * EAP method type, vendor specific if vendor is set
+	 */
+	eap_type_t type;
+
+	/**
+	 * vendor ID, 0 for default EAP methods
+	 */
+	u_int32_t vendor;
+
+	/**
+	 * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
+	 */
+	eap_role_t role;
+
+	/**
+	 * constructor function to create instance
+	 */
+	eap_constructor_t constructor;
+};
+
+/**
+ * private data of eap_manager
+ */
+struct private_eap_manager_t {
+
+	/**
+	 * public functions
+	 */
+	eap_manager_t public;
+
+	/**
+	 * list of eap_entry_t's
+	 */
+	linked_list_t *methods;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(eap_manager_t, add_method, void,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, eap_constructor_t constructor)
+{
+	eap_entry_t *entry = malloc_thing(eap_entry_t);
+
+	entry->type = type;
+	entry->vendor = vendor;
+	entry->role = role;
+	entry->constructor = constructor;
+
+	this->lock->write_lock(this->lock);
+	this->methods->insert_last(this->methods, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(eap_manager_t, remove_method, void,
+	private_eap_manager_t *this, eap_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	eap_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->methods->remove_at(this->methods, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * filter the registered methods
+ */
+static bool filter_methods(uintptr_t role, eap_entry_t **entry,
+						   eap_type_t *type, void *in, u_int32_t *vendor)
+{
+	if ((*entry)->role != (eap_role_t)role)
+	{
+		return FALSE;
+	}
+	if ((*entry)->vendor == 0 &&
+	   ((*entry)->type < 4 || (*entry)->type == EAP_EXPANDED ||
+	    (*entry)->type > EAP_EXPERIMENTAL))
+	{	/* filter invalid types */
+		return FALSE;
+	}
+	if (type)
+	{
+		*type = (*entry)->type;
+	}
+	if (vendor)
+	{
+		*vendor = (*entry)->vendor;
+	}
+	return TRUE;
+}
+
+METHOD(eap_manager_t, create_enumerator, enumerator_t*,
+	private_eap_manager_t *this, eap_role_t role)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+				enumerator_create_filter(
+					this->methods->create_enumerator(this->methods),
+					(void*)filter_methods, (void*)(uintptr_t)role, NULL),
+				(void*)this->lock->unlock, this->lock);
+}
+
+METHOD(eap_manager_t, create_instance, eap_method_t*,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, identification_t *server, identification_t *peer)
+{
+	enumerator_t *enumerator;
+	eap_entry_t *entry;
+	eap_method_t *method = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type && vendor == entry->vendor &&
+			role == entry->role)
+		{
+			method = entry->constructor(server, peer);
+			if (method)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return method;
+}
+
+METHOD(eap_manager_t, destroy, void,
+	private_eap_manager_t *this)
+{
+	this->methods->destroy_function(this->methods, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+eap_manager_t *eap_manager_create()
+{
+	private_eap_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_enumerator = _create_enumerator,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.methods = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h
new file mode 100644
index 000000000..e318ef57a
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_manager.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_manager eap_manager
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_MANAGER_H_
+#define EAP_MANAGER_H_
+
+#include <sa/eap/eap_method.h>
+
+typedef struct eap_manager_t eap_manager_t;
+
+/**
+ * The EAP manager manages all EAP implementations and creates instances.
+ *
+ * A plugin registers it's implemented EAP method at the manager by
+ * providing type and a contructor function. The manager then instanciates
+ * eap_method_t instances through the provided constructor to handle
+ * EAP authentication.
+ */
+struct eap_manager_t {
+
+	/**
+	 * Register a EAP method implementation.
+	 *
+	 * @param method		vendor specific method, if vendor != 0
+	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
+	 * @param role			EAP role of the registered method
+	 * @param constructor	constructor function, returns an eap_method_t
+	 */
+	void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+					   eap_role_t role, eap_constructor_t constructor);
+
+	/**
+	 * Unregister a EAP method implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
+
+	/**
+	 * Enumerate the registered EAP authentication methods for the given role.
+	 *
+	 * @note Only authentication types are enumerated (e.g. EAP-Identity is not
+	 * even though it is registered as method with this manager).
+	 *
+	 * @param role			EAP role of methods to enumerate
+	 * @return				enumerator over (eap_type_t type, u_int32_t vendor)
+	 */
+	enumerator_t* (*create_enumerator)(eap_manager_t *this, eap_role_t role);
+
+	/**
+	 * Create a new EAP method instance.
+	 *
+	 * @param type			type of the EAP method
+	 * @param vendor		vendor ID, 0 for non-vendor (default) EAP methods
+	 * @param role			role of EAP method, either EAP_SERVER or EAP_PEER
+	 * @param server		identity of the server
+	 * @param peer			identity of the peer (client)
+	 * @return				EAP method instance, NULL if no constructor found
+	 */
+	eap_method_t* (*create_instance)(eap_manager_t *this, eap_type_t type,
+									 u_int32_t vendor, eap_role_t role,
+									 identification_t *server,
+									 identification_t *peer);
+
+	/**
+	 * Destroy a eap_manager instance.
+	 */
+	void (*destroy)(eap_manager_t *this);
+};
+
+/**
+ * Create a eap_manager instance.
+ */
+eap_manager_t *eap_manager_create();
+
+#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/eap/eap_method.c b/src/libcharon/sa/eap/eap_method.c
new file mode 100644
index 000000000..a05e8c59a
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_method.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_method.h"
+
+#include <daemon.h>
+
+ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
+	"EAP_SERVER",
+	"EAP_PEER",
+);
+
+/**
+ * See header
+ */
+bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						 bool reg, void *data)
+{
+	if (reg)
+	{
+		charon->eap->add_method(charon->eap, feature->arg.eap, 0,
+					feature->type == FEATURE_EAP_SERVER ? EAP_SERVER : EAP_PEER,
+					(eap_constructor_t)data);
+	}
+	else
+	{
+		charon->eap->remove_method(charon->eap, (eap_constructor_t)data);
+	}
+	return TRUE;
+}
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
new file mode 100644
index 000000000..6242a5a6e
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_method eap_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_METHOD_H_
+#define EAP_METHOD_H_
+
+typedef struct eap_method_t eap_method_t;
+typedef enum eap_role_t eap_role_t;
+
+#include <library.h>
+#include <plugins/plugin.h>
+#include <utils/identification.h>
+#include <eap/eap.h>
+#include <encoding/payloads/eap_payload.h>
+
+/**
+ * Role of an eap_method, SERVER or PEER (client)
+ */
+enum eap_role_t {
+	EAP_SERVER,
+	EAP_PEER,
+};
+/**
+ * enum names for eap_role_t.
+ */
+extern enum_name_t *eap_role_names;
+
+/**
+ * Interface of an EAP method for server and client side.
+ *
+ * An EAP method initiates an EAP exchange and processes requests and
+ * responses. An EAP method may need multiple exchanges before succeeding, and
+ * the eap_authentication may use multiple EAP methods to authenticate a peer.
+ * To accomplish these requirements, all EAP methods have their own
+ * implementation while the eap_authenticatior uses one or more of these
+ * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
+ * of the method, the eap_authenticator does this.
+ * An EAP method may establish a MSK, this is used the complete the
+ * authentication. Even if a mutual EAP method is used, the traditional
+ * AUTH payloads are required. Only these include the nonces and messages from
+ * ike_sa_init and therefore prevent man in the middle attacks.
+ * The EAP method must use an initial EAP identifier value != 0, as a preceding
+ * EAP-Identity exchange always uses identifier 0.
+ */
+struct eap_method_t {
+
+	/**
+	 * Initiate the EAP exchange.
+	 *
+	 * initiate() is only useable for server implementations, as clients only
+	 * reply to server requests.
+	 * A eap_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param out		eap_payload to send to the client
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if unable to create eap request payload
+	 */
+	status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
+
+	/**
+	 * Process a received EAP message.
+	 *
+	 * A eap_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param in		eap_payload response received
+	 * @param out		created eap_payload to send
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if EAP method failed
+	 * 					- SUCCESS, if EAP method succeeded
+	 */
+	status_t (*process) (eap_method_t *this, eap_payload_t *in,
+						 eap_payload_t **out);
+
+	/**
+	 * Get the EAP type implemented in this method.
+	 *
+	 * @param vendor	pointer receiving vendor identifier for type, 0 for none
+	 * @return			type of the EAP method
+	 */
+	eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
+
+	/**
+	 * Check if this EAP method authenticates the server.
+	 *
+	 * Some EAP methods provide mutual authentication and
+	 * allow authentication using only EAP, if the peer supports it.
+	 *
+	 * @return			TRUE if methods provides mutual authentication
+	 */
+	bool (*is_mutual) (eap_method_t *this);
+
+	/**
+	 * Get the MSK established by this EAP method.
+	 *
+	 * Not all EAP methods establish a shared secret. For implementations of
+	 * the EAP-Identity method, get_msk() returns the received identity.
+	 *
+	 * @param msk			chunk receiving internal stored MSK
+	 * @return
+	 *						- SUCCESS, or
+	 * 						- FAILED, if MSK not established (yet)
+	 */
+	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+
+	/**
+	 * Get the current EAP identifier.
+	 *
+	 * @return				current EAP identifier
+	 */
+	u_int8_t (*get_identifier) (eap_method_t *this);
+
+	/**
+	 * Set the EAP identifier to a deterministic value, overwriting
+	 * the randomly initialized default value.
+	 *
+	 * @param identifier	current EAP identifier
+	 */
+	void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
+
+	/**
+	 * Destroys a eap_method_t object.
+	 */
+	void (*destroy) (eap_method_t *this);
+};
+
+/**
+ * Constructor definition for a pluggable EAP method.
+ *
+ * Each EAP module must define a constructor function which will return
+ * an initialized object with the methods defined in eap_method_t.
+ * Constructors for server and peers are identical, to support both roles
+ * of a EAP method, a plugin needs register two constructors in the
+ * eap_manager_t.
+ * The passed identites are of type ID_EAP and valid only during the
+ * constructor invocation.
+ *
+ * @param server		ID of the server to use for credential lookup
+ * @param peer			ID of the peer to use for credential lookup
+ * @return				implementation of the eap_method_t interface
+ */
+typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
+										   identification_t *peer);
+
+/**
+ * Helper function to (un-)register EAP methods from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register a EAP method constructor.
+ *
+ * @param plugin		plugin registering the EAP method constructor
+ * @param feature		associated plugin feature
+ * @param reg			TRUE to register, FALSE to unregister.
+ * @param data			data passed to callback, an eap_constructor_t
+ */
+bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						 bool reg, void *data);
+
+#endif /** EAP_METHOD_H_ @}*/