Diffstat (limited to 'src/charon/plugins/eap_radius')
-rw-r--r-- | src/charon/plugins/eap_radius/eap_radius.c | 44 | ||||
-rw-r--r-- | src/charon/plugins/eap_radius/eap_radius_plugin.c | 8 | ||||
-rw-r--r-- | src/charon/plugins/eap_radius/radius_client.c | 54 | ||||
-rw-r--r-- | src/charon/plugins/eap_radius/radius_client.h | 8 | ||||
-rw-r--r-- | src/charon/plugins/eap_radius/radius_message.c | 32 | ||||
-rw-r--r-- | src/charon/plugins/eap_radius/radius_message.h | 20 |
6 files changed, 83 insertions, 83 deletions
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index deb3b648b..f21d6b859 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + #include "eap_radius.h" #include "radius_message.h"
@@ -26,47 +26,47 @@ typedef struct private_eap_radius_t private_eap_radius_t; * Private data of an eap_radius_t object. */ struct private_eap_radius_t { - + /** * Public authenticator_t interface. */ eap_radius_t public; - + /** * ID of the server */ identification_t *server; - + /** * ID of the peer */ identification_t *peer; - + /** * EAP method type we are proxying */ eap_type_t type; - + /** * EAP vendor, if any */ u_int32_t vendor; - + /** * EAP MSK, if method established one */ chunk_t msk; - + /** * RADIUS client instance */ radius_client_t *client; - + /** * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly */ bool eap_start; - + /** * Prefix to prepend to EAP identity */
@@ -93,11 +93,11 @@ static void add_eap_identity(private_eap_radius_t *this, } __attribute__((__packed__)) *hdr; chunk_t id, prefix; size_t len; - + id = this->peer->get_encoding(this->peer); prefix = chunk_create(this->id_prefix, strlen(this->id_prefix)); len = sizeof(*hdr) + prefix.len + id.len; - + hdr = alloca(len); hdr->code = EAP_RESPONSE; hdr->identifier = 0;
@@ -105,7 +105,7 @@ static void add_eap_identity(private_eap_radius_t *this, hdr->type = EAP_IDENTITY; memcpy(hdr->data, prefix.ptr, prefix.len); memcpy(hdr->data + prefix.len, id.ptr, id.len); - + request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len)); }
@@ -119,7 +119,7 @@ static bool radius2ike(private_eap_radius_t *this, eap_payload_t *payload; chunk_t data; int type; - + enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { 
@@ -144,12 +144,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) radius_message_t *request, *response; status_t status = FAILED; chunk_t username; - + request = radius_message_create_request(); username = chunk_create(this->id_prefix, strlen(this->id_prefix)); username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); request->add(request, RAT_USER_NAME, username); - + if (this->eap_start) { request->add(request, RAT_EAP_MESSAGE, chunk_empty);
@@ -158,7 +158,7 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) { add_eap_identity(this, request); } - + response = this->client->request(this->client, request); if (response) {
@@ -180,11 +180,11 @@ static status_t process(private_eap_radius_t *this, { radius_message_t *request, *response; status_t status = FAILED; - + request = radius_message_create_request(); request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); request->add(request, RAT_EAP_MESSAGE, in->get_data(in)); - + response = this->client->request(this->client, request); if (response) {
@@ -271,14 +271,14 @@ static void destroy(private_eap_radius_t *this) eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer) { private_eap_radius_t *this = malloc_thing(private_eap_radius_t); - + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - + this->client = radius_client_create(); if (!this->client) { 
@@ -291,7 +291,7 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->type = EAP_RADIUS; this->vendor = 0; this->msk = chunk_empty; - this->eap_start = lib->settings->get_bool(lib->settings, + this->eap_start = lib->settings->get_bool(lib->settings, "charon.plugins.eap_radius.eap_start", FALSE); this->id_prefix = lib->settings->get_str(lib->settings, "charon.plugins.eap_radius.id_prefix", "");
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
index 7c6a3c9ff..51e6a69c8 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.c
@@ -36,19 +36,19 @@ static void destroy(eap_radius_plugin_t *this) plugin_t *plugin_create() { eap_radius_plugin_t *this; - + if (!radius_client_init()) { DBG1(DBG_CFG, "RADIUS plugin initialization failed"); return NULL; } - + this = malloc_thing(eap_radius_plugin_t); this->plugin.destroy = (void(*)(plugin_t*))destroy; - + charon->eap->add_method(charon->eap, EAP_RADIUS, 0, EAP_SERVER, (eap_constructor_t)eap_radius_create); - + return &this->plugin; }
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index de1bafc6d..1b35cd2d6 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -63,12 +63,12 @@ struct entry_t { * Private data of an radius_client_t object. */ struct private_radius_client_t { - + /** * Public radius_client_t interface. */ radius_client_t public; - + /** * RADIUS servers State attribute */
@@ -106,7 +106,7 @@ static chunk_t nas_identifier; void radius_client_cleanup() { entry_t *entry; - + mutex->destroy(mutex); condvar->destroy(condvar); while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS) 
@@ -130,11 +130,11 @@ bool radius_client_init() entry_t *entry; host_t *host; char *server; - + nas_identifier.ptr = lib->settings->get_str(lib->settings, "charon.plugins.eap_radius.nas_identifier", "strongSwan"); nas_identifier.len = strlen(nas_identifier.ptr); - + secret.ptr = lib->settings->get_str(lib->settings, "charon.plugins.eap_radius.secret", NULL); if (!secret.ptr)
@@ -159,7 +159,7 @@ bool radius_client_init() } count = lib->settings->get_int(lib->settings, "charon.plugins.eap_radius.sockets", 1); - + sockets = linked_list_create(); mutex = mutex_create(MUTEX_TYPE_DEFAULT); condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -214,7 +214,7 @@ bool radius_client_init() static entry_t* get_socket() { entry_t *entry; - + mutex->lock(mutex); while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS) {
@@ -243,7 +243,7 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg) enumerator_t *enumerator; int type; chunk_t data; - + enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) {
@@ -270,9 +270,9 @@ static radius_message_t* request(private_radius_client_t *this, entry_t *socket; chunk_t data; int i; - + socket = get_socket(); - + /* set Message Identifier */ req->set_identifier(req, socket->identifier++); /* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
@@ -286,7 +286,7 @@ static radius_message_t* request(private_radius_client_t *this, } /* sign the request */ req->sign(req, socket->rng, socket->signer); - + data = req->get_encoding(req); /* timeout after 2, 3, 4, 5 seconds */ for (i = 2; i <= 5; i++)
@@ -297,7 +297,7 @@ static radius_message_t* request(private_radius_client_t *this, char buf[1024]; fd_set fds; int res; - + if (send(socket->fd, data.ptr, data.len, 0) != data.len) { DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); 
@@ -306,7 +306,7 @@ static radius_message_t* request(private_radius_client_t *this, } tv.tv_sec = i; tv.tv_usec = 0; - + while (TRUE) { FD_ZERO(&fds);
@@ -334,7 +334,7 @@ static radius_message_t* request(private_radius_client_t *this, } response = radius_message_parse_response(chunk_create(buf, res)); if (response) - { + { if (response->verify(response, req->get_authenticator(req), secret, socket->hasher, socket->signer)) {
@@ -366,7 +366,7 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt, chunk_t A, R, P, seed; u_char *c, *p; hasher_t *hasher; - + /** * From RFC2548 (encryption): * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
@@ -374,42 +374,42 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt, * . . . * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) */ - + if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5) { return chunk_empty; } - + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); if (!hasher) { return chunk_empty; } - + A = chunk_create((u_char*)&salt, sizeof(salt)); R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5); P = chunk_alloca(C.len); p = P.ptr; c = C.ptr; - + seed = chunk_cata("cc", R, A); - + while (c < C.ptr + C.len) { /* b(i) = MD5(S + c(i-1)) */ hasher->get_hash(hasher, secret, NULL); hasher->get_hash(hasher, seed, p); - + /* p(i) = b(i) xor c(1) */ memxor(p, c, HASH_SIZE_MD5); - + /* prepare next round */ seed = chunk_create(c, HASH_SIZE_MD5); c += HASH_SIZE_MD5; p += HASH_SIZE_MD5; } hasher->destroy(hasher); - + /* remove truncation, first byte is key length */ if (*P.ptr >= P.len) { /* decryption failed? */
@@ -434,7 +434,7 @@ static chunk_t decrypt_msk(private_radius_client_t *this, enumerator_t *enumerator; chunk_t data, send = chunk_empty, recv = chunk_empty; int type; - + enumerator = response->create_enumerator(response); while (enumerator->enumerate(enumerator, &type, &data)) { 
@@ -482,13 +482,13 @@ static void destroy(private_radius_client_t *this) radius_client_t *radius_client_create() { private_radius_client_t *this = malloc_thing(private_radius_client_t); - + this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request; this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk; this->public.destroy = (void(*)(radius_client_t*))destroy; - + this->state = chunk_empty; - + return &this->public; }
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
index 889861a16..77ba94807 100644
--- a/src/charon/plugins/eap_radius/radius_client.h
+++ b/src/charon/plugins/eap_radius/radius_client.h
@@ -33,11 +33,11 @@ typedef struct radius_client_t radius_client_t; * a socket during request() and releases it afterwards. */ struct radius_client_t { - + /** * Send a RADIUS request and wait for the response. * - * The client fills in RADIUS Message identifier, NAS-Identifier, + * The client fills in RADIUS Message identifier, NAS-Identifier, * NAS-Port-Type, builds a Request-Authenticator and calculates the * Message-Authenticator attribute. * The received response gets verified using the Response-Identifier
@@ -47,7 +47,7 @@ struct radius_client_t { * @return response, NULL if timed out/verification failed */ radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg); - + /** * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key. *
@@ -57,7 +57,7 @@ struct radius_client_t { */ chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response, radius_message_t *request); - + /** * Destroy the client, release the socket. */
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
index 59a639f31..8b7ef12d4 100644
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ b/src/charon/plugins/eap_radius/radius_message.c 
@@ -54,12 +54,12 @@ struct rattr_t { * Private data of an radius_message_t object. */ struct private_radius_message_t { - + /** * Public radius_message_t interface. */ radius_message_t public; - + /** * message data, allocated */
@@ -247,12 +247,12 @@ static bool attribute_enumerate(attribute_enumerator_t *this, static enumerator_t* create_enumerator(private_radius_message_t *this) { attribute_enumerator_t *e; - + if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t)) { return enumerator_create_empty(); } - + e = malloc_thing(attribute_enumerator_t); e->public.enumerate = (void*)attribute_enumerate; e->public.destroy = (void*)free;
@@ -268,7 +268,7 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type, chunk_t data) { rattr_t *attribute; - + this->msg = realloc(this->msg, ntohs(this->msg->length) + sizeof(rattr_t) + data.len); attribute = ((void*)this->msg) + ntohs(this->msg->length);
@@ -284,10 +284,10 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type, static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer) { char buf[HASH_SIZE_MD5]; - + /* build Request-Authenticator */ rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator); - + /* build Message-Authenticator attribute, using 16 null bytes */ memset(buf, 0, sizeof(buf)); add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
@@ -307,12 +307,12 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth, int type; chunk_t data, msg; bool has_eap = FALSE, has_auth = FALSE; - + /* replace Response by Request Authenticator for verification */ memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5); memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5); msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length)); - + /* verify Response-Authenticator */ hasher->get_hash(hasher, msg, NULL); hasher->get_hash(hasher, secret, buf); 
@@ -321,7 +321,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth, DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed"); return FALSE; } - + /* verify Message-Authenticator attribute */ enumerator = create_enumerator(this); while (enumerator->enumerate(enumerator, &type, &data))
@@ -359,7 +359,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth, enumerator->destroy(enumerator); /* restore Response-Authenticator */ memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5); - + if (has_eap && !has_auth) { /* Message-Authenticator is required if we have an EAP-Message */ DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
@@ -424,7 +424,7 @@ static void destroy(private_radius_message_t *this) static private_radius_message_t *radius_message_create() { private_radius_message_t *this = malloc_thing(private_radius_message_t); - + this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator; this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add; this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
@@ -435,7 +435,7 @@ static private_radius_message_t *radius_message_create() this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign; this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify; this->public.destroy = (void(*)(radius_message_t*))destroy; - + return this; }
@@ -445,12 +445,12 @@ static private_radius_message_t *radius_message_create() radius_message_t *radius_message_create_request() { private_radius_message_t *this = radius_message_create(); - + this->msg = malloc_thing(rmsg_t); this->msg->code = RMC_ACCESS_REQUEST; this->msg->identifier = 0; this->msg->length = htons(sizeof(rmsg_t)); - + return &this->public; } 
@@ -460,7 +460,7 @@ radius_message_t *radius_message_create_request() radius_message_t *radius_message_parse_response(chunk_t data) { private_radius_message_t *this = radius_message_create(); - + this->msg = malloc(data.len); memcpy(this->msg, data.ptr, data.len); if (data.len < sizeof(rmsg_t) ||
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
index d4eec8590..266839d3b 100644
--- a/src/charon/plugins/eap_radius/radius_message.h
+++ b/src/charon/plugins/eap_radius/radius_message.h
@@ -181,14 +181,14 @@ extern enum_name_t *radius_attribute_type_names; * A RADIUS message, contains attributes. */ struct radius_message_t { - + /** * Create an enumerator over contained RADIUS attributes. * * @return enumerator over (int type, chunk_t data) */ enumerator_t* (*create_enumerator)(radius_message_t *this); - + /** * Add a RADIUS attribute to the message. *
@@ -197,42 +197,42 @@ struct radius_message_t { */ void (*add)(radius_message_t *this, radius_attribute_type_t type, chunk_t data); - + /** * Get the message type (code). * * @return message code */ radius_message_code_t (*get_code)(radius_message_t *this); - + /** * Get the message identifier. * * @return message identifier */ u_int8_t (*get_identifier)(radius_message_t *this); - + /** * Set the message identifier. * * @param identifier message identifier */ void (*set_identifier)(radius_message_t *this, u_int8_t identifier); - + /** * Get the 16 byte authenticator. * * @return pointer to the Authenticator field */ u_int8_t* (*get_authenticator)(radius_message_t *this); - + /** * Get the RADIUS message in its encoded form. * * @return chunk pointing to internal RADIUS message. */ chunk_t (*get_encoding)(radius_message_t *this); - + /** * Calculate and add the Message-Authenticator attribute to the message. * 
@@ -240,7 +240,7 @@ struct radius_message_t { * @param signer HMAC-MD5 signer with secret set */ void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer); - + /** * Verify the integrity of a received RADIUS response. *
@@ -251,7 +251,7 @@ struct radius_message_t { */ bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer); - + /** * Destroy the message. */ |