8 files changed, 579 insertions, 42 deletions
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
new file mode 100644
index 000000000..0d07fbf35
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la
+endif
+
+libstrongswan_eap_dynamic_la_SOURCES = \
+	eap_dynamic_plugin.h eap_dynamic_plugin.c eap_dynamic.h eap_dynamic.c
+
+libstrongswan_eap_dynamic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
new file mode 100644
index 000000000..d24cbd128
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_dynamic.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_dynamic_t private_eap_dynamic_t;
+
+/**
+ * Private data of an eap_dynamic_t object.
+ */
+struct private_eap_dynamic_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_dynamic_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * Our supported EAP types (as eap_vendor_type_t*)
+	 */
+	linked_list_t *types;
+
+	/**
+	 * EAP types supported by peer, if any
+	 */
+	linked_list_t *other_types;
+
+	/**
+	 * Prefer types sent by peer
+	 */
+	bool prefer_peer;
+
+	/**
+	 * The proxied EAP method
+	 */
+	eap_method_t *method;
+};
+
+/**
+ * Compare two eap_vendor_type_t objects
+ */
+static bool entry_matches(eap_vendor_type_t *item, eap_vendor_type_t *other)
+{
+	return item->type == other->type && item->vendor == other->vendor;
+}
+
+/**
+ * Load the given EAP method
+ */
+static eap_method_t *load_method(private_eap_dynamic_t *this,
+								 eap_type_t type, u_int32_t vendor)
+{
+	eap_method_t *method;
+
+	method = charon->eap->create_instance(charon->eap, type, vendor, EAP_SERVER,
+										  this->server, this->peer);
+	if (!method)
+	{
+		if (vendor)
+		{
+			DBG1(DBG_IKE, "loading vendor specific EAP method %d-%d failed",
+				 type, vendor);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "loading %N method failed", eap_type_names, type);
+		}
+	}
+	return method;
+}
+
+/**
+ * Select the first method we can instantiate and is supported by both peers.
+ */
+static void select_method(private_eap_dynamic_t *this)
+{
+	eap_vendor_type_t *entry;
+	linked_list_t *outer = this->types, *inner = this->other_types;
+	char *who = "peer";
+
+	if (this->other_types && this->prefer_peer)
+	{
+		outer = this->other_types;
+		inner = this->types;
+		who = "us";
+	}
+
+	while (outer->remove_first(outer, (void*)&entry) == SUCCESS)
+	{
+		if (inner)
+		{
+			if (inner->find_first(inner, (void*)entry_matches,
+								  NULL, entry) != SUCCESS)
+			{
+				if (entry->vendor)
+				{
+					DBG2(DBG_IKE, "proposed vendor specific EAP method %d-%d "
+						 "not supported by %s, skipped", entry->type,
+						  entry->vendor, who);
+				}
+				else
+				{
+					DBG2(DBG_IKE, "proposed %N method not supported by %s, "
+						 "skipped", eap_type_names, entry->type, who);
+				}
+				free(entry);
+				continue;
+			}
+		}
+		this->method = load_method(this, entry->type, entry->vendor);
+		if (this->method)
+		{
+			if (entry->vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d selected",
+					 entry->type, entry->vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method selected", eap_type_names,
+					 entry->type);
+			}
+			free(entry);
+			break;
+		}
+		free(entry);
+	}
+}
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_dynamic_t *this, eap_payload_t **out)
+{
+	if (!this->method)
+	{
+		select_method(this);
+		if (!this->method)
+		{
+			DBG1(DBG_IKE, "no supported EAP method found");
+			return FAILED;
+		}
+	}
+	return this->method->initiate(this->method, out);
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_dynamic_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	eap_type_t received_type, type;
+	u_int32_t received_vendor, vendor;
+
+	received_type = in->get_type(in, &received_vendor);
+	if (received_vendor == 0 && received_type == EAP_NAK)
+	{
+		enumerator_t *enumerator;
+
+		DBG1(DBG_IKE, "received %N, selecting a different EAP method",
+			 eap_type_names, EAP_NAK);
+
+		if (this->other_types)
+		{	/* we already received a Nak or a proper response before */
+			DBG1(DBG_IKE, "%N is not supported in this state", eap_type_names,
+				 EAP_NAK);
+			return FAILED;
+		}
+
+		this->other_types = linked_list_create();
+		enumerator = in->get_types(in);
+		while (enumerator->enumerate(enumerator, &type, &vendor))
+		{
+			eap_vendor_type_t *entry;
+
+			if (!type)
+			{
+				DBG1(DBG_IKE, "peer does not support any other EAP methods");
+				enumerator->destroy(enumerator);
+				return FAILED;
+			}
+			INIT(entry,
+				.type = type,
+				.vendor = vendor,
+			);
+			this->other_types->insert_last(this->other_types, entry);
+		}
+		enumerator->destroy(enumerator);
+
+		/* restart with a different method */
+		this->method->destroy(this->method);
+		this->method = NULL;
+		return initiate(this, out);
+	}
+	if (!this->other_types)
+	{	/* so we don't handle EAP-Naks later */
+		this->other_types = linked_list_create();
+	}
+	if (this->method)
+	{
+		return this->method->process(this->method, in, out);
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_dynamic_t *this, u_int32_t *vendor)
+{
+	if (this->method)
+	{
+		return this->method->get_type(this->method, vendor);
+	}
+	*vendor = 0;
+	return EAP_DYNAMIC;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_dynamic_t *this, chunk_t *msk)
+{
+	if (this->method)
+	{
+		return this->method->get_msk(this->method, msk);
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, get_identifier, u_int8_t,
+	private_eap_dynamic_t *this)
+{
+	if (this->method)
+	{
+		return this->method->get_identifier(this->method);
+	}
+	return 0;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+	private_eap_dynamic_t *this, u_int8_t identifier)
+{
+	if (this->method)
+	{
+		this->method->set_identifier(this->method, identifier);
+	}
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_dynamic_t *this)
+{
+	if (this->method)
+	{
+		return this->method->is_mutual(this->method);
+	}
+	return FALSE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_dynamic_t *this)
+{
+	DESTROY_IF(this->method);
+	this->types->destroy_function(this->types, (void*)free);
+	DESTROY_FUNCTION_IF(this->other_types, (void*)free);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/**
+ * Parse preferred EAP types
+ */
+static void handle_preferred_eap_types(private_eap_dynamic_t *this,
+									   char *methods)
+{
+	enumerator_t *enumerator;
+	eap_vendor_type_t *type, *entry;
+	linked_list_t *preferred;
+	char *method;
+
+	/* parse preferred EAP methods, format: type[-vendor], ... */
+	preferred = linked_list_create();
+	enumerator = enumerator_create_token(methods, ",", " ");
+	while (enumerator->enumerate(enumerator, &method))
+	{
+		type = eap_vendor_type_from_string(method);
+		if (type)
+		{
+			preferred->insert_last(preferred, type);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->types->create_enumerator(this->types);
+	while (preferred->remove_last(preferred, (void**)&type) == SUCCESS)
+	{	/* move (supported) types to the front, maintain the preferred order */
+		this->types->reset_enumerator(this->types, enumerator);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			if (entry_matches(entry, type))
+			{
+				this->types->remove_at(this->types, enumerator);
+				this->types->insert_first(this->types, entry);
+				break;
+			}
+		}
+		free(type);
+	}
+	enumerator->destroy(enumerator);
+	preferred->destroy(preferred);
+}
+
+/**
+ * Get all supported EAP methods
+ */
+static void get_supported_eap_types(private_eap_dynamic_t *this)
+{
+	enumerator_t *enumerator;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	enumerator = charon->eap->create_enumerator(charon->eap, EAP_SERVER);
+	while (enumerator->enumerate(enumerator, &type, &vendor))
+	{
+		eap_vendor_type_t *entry;
+
+		INIT(entry,
+			.type = type,
+			.vendor = vendor,
+		);
+		this->types->insert_last(this->types, entry);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/*
+ * Defined in header
+ */
+eap_dynamic_t *eap_dynamic_create(identification_t *server,
+								  identification_t *peer)
+{
+	private_eap_dynamic_t *this;
+	char *preferred;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.get_identifier = _get_identifier,
+				.set_identifier = _set_identifier,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+		.types = linked_list_create(),
+		.prefer_peer = lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-dynamic.prefer_peer", FALSE, charon->name),
+	);
+
+	/* get all supported EAP methods */
+	get_supported_eap_types(this);
+	/* move preferred methods to the front */
+	preferred = lib->settings->get_str(lib->settings,
+					"%s.plugins.eap-dynamic.preferred", NULL, charon->name);
+	if (preferred)
+	{
+		handle_preferred_eap_types(this, preferred);
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h
new file mode 100644
index 000000000..35db4fa26
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_dynamic_i eap_dynamic
+ * @{ @ingroup eap_dynamic
+ */
+
+#ifndef EAP_DYNAMIC_H_
+#define EAP_DYNAMIC_H_
+
+typedef struct eap_dynamic_t eap_dynamic_t;
+
+#include <sa/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface for a virtual EAP method that
+ * proxies other EAP methods and supports the selection of the actual method
+ * by the client.
+ */
+struct eap_dynamic_t {
+
+	/**
+	 * Implemented eap_method_t interface
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Create a dynamic EAP proxy serving any supported real method which is also
+ * supported (or selected) by the client.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_dynamic_t object
+ */
+eap_dynamic_t *eap_dynamic_create(identification_t *server,
+								  identification_t *peer);
+
+#endif /** EAP_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c
new file mode 100644
index 000000000..d6f38b666
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_dynamic_plugin.h"
+
+#include "eap_dynamic.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	eap_dynamic_plugin_t *this)
+{
+	return "eap-dynamic";
+}
+
+METHOD(plugin_t, get_features, int,
+	eap_dynamic_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(eap_method_register, eap_dynamic_create),
+			PLUGIN_PROVIDE(EAP_SERVER, EAP_DYNAMIC),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	eap_dynamic_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_dynamic_plugin_create()
+{
+	eap_dynamic_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h
new file mode 100644
index 000000000..9b124d8d2
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_dynamic eap_dynamic
+ * @ingroup cplugins
+ *
+ * @defgroup eap_dynamic_plugin eap_dynamic_plugin
+ * @{ @ingroup eap_dynamic
+ */
+
+#ifndef EAP_DYNAMIC_PLUGIN_H_
+#define EAP_DYNAMIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_dynamic_plugin_t eap_dynamic_plugin_t;
+
+/**
+ * EAP plugin that can use any supported EAP method the client supports or
+ * prefers to use.
+ */
+struct eap_dynamic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_DYNAMIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index 72e201fb6..79fd667cb 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -85,7 +85,7 @@ METHOD(tls_application_t, process, status_t,
 		default:
 			return FAILED;
 	}
- 		
+
 	in = eap_payload_create_data(data);
 	DBG3(DBG_IKE, "%B", &data);
 	chunk_free(&data);
@@ -151,7 +151,8 @@ METHOD(tls_application_t, process, status_t,
 		if (!this->ph2_method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
-			this->out = eap_payload_create_nak(in->get_identifier(in));
+			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 767111b3e..00a4da3f8 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -138,7 +138,7 @@ METHOD(tls_application_t, process, status_t,
 		chunk_free(&avp_data);
 	}
 	while (eap_pos < eap_data.len);
- 		
+
 	in = eap_payload_create_data(eap_data);
 	chunk_free(&eap_data);
 	payload = (payload_t*)in;
@@ -192,7 +192,8 @@ METHOD(tls_application_t, process, status_t,
 		if (!this->method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
-			this->out = eap_payload_create_nak(in->get_identifier(in));
+			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index bf93f2c34..9dcb9ba0c 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -563,51 +563,20 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 	else if (strneq(auth, "eap", 3))
 	{
-		enumerator_t *enumerator;
-		char *str;
-		int i = 0, type = 0, vendor;
+		eap_vendor_type_t *type;
 
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 
-		/* parse EAP string, format: eap[-type[-vendor]] */
-		enumerator = enumerator_create_token(auth, "-", " ");
-		while (enumerator->enumerate(enumerator, &str))
+		type = eap_vendor_type_from_string(auth);
+		if (type)
 		{
-			switch (i)
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type);
+			if (type->vendor)
 			{
-				case 1:
-					type = eap_type_from_string(str);
-					if (!type)
-					{
-						type = atoi(str);
-						if (!type)
-						{
-							DBG1(DBG_CFG, "unknown EAP method: %s", str);
-							break;
-						}
-					}
-					cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-					break;
-				case 2:
-					if (type)
-					{
-						vendor = atoi(str);
-						if (vendor)
-						{
-							cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-						}
-						else
-						{
-							DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
-						}
-					}
-					break;
-				default:
-					break;
+				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor);
 			}
-			i++;
+			free(type);
 		}
-		enumerator->destroy(enumerator);
 
 		if (msg->add_conn.eap_identity)
 		{