[apple/ipsec.git] / ipsec-tools / racoon / eap_aka.c

/*
 * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/fcntl.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreFoundation/CFBundle.h>
#include <mach/mach.h>
#include <EAP8021X/EAP.h>
#include <EAP8021X/EAPClientModule.h>
#include <EAP8021X/EAPClientProperties.h>
#if !TARGET_OS_EMBEDDED	// This file is not built for Embedded
#include <Security/SecKeychain.h>
#include <Security/SecKeychainSearch.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecIdentity.h>
#endif /* TARGET_OS_EMBEDDED */
#include <SystemConfiguration/SCNetworkConnection.h>
#include "plog.h"
#include "eap.h"
#include "eap_sim.h"

/*---------------------------------------------------------------------------
 ** Internal routines
 **---------------------------------------------------------------------------
 */

static CFBundleRef 	bundle = 0;		/* our bundle ref */
static char			eapaka_unique[17];

static EAPClientModuleRef  eapRef = NULL;
static EAPClientPluginData eapData;
static CFMutableDictionaryRef eapProperties = NULL;
static CFDictionaryRef eapOptions = NULL;
static struct EAP_Packet	*eapSavePacket = NULL;

extern EAPClientPluginFuncRef
eapaka_introspect(EAPClientPluginFuncName name);

/* ------------------------------------------------------------------------------------
 get the EAP dictionary from the options
 ------------------------------------------------------------------------------------ */
static void
EAPAKAGetOptions (void)
{
	if (eapOptions)
		return;
	
	// no option, use empty dictionary
	if (!eapOptions)
		eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
static int
EAPAKALoad (void)
{
    EAPClientModuleStatus status;
	
	if (eapRef)
		return EAP_NO_ERROR;
	
	status = EAPClientModuleAddBuiltinModule(eapaka_introspect);
	if (status != kEAPClientModuleStatusOK) {
		plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientAddBuiltinModule(eapaka) failed %d\n", status);
		return EAP_ERROR_GENERIC;
	}
	
	eapRef = EAPClientModuleLookup(kEAPTypeEAPAKA);
	if (eapRef == NULL) {
		plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientModuleLookup(eapaka) failed\n");
		return EAP_ERROR_GENERIC;
	}
	
	return EAP_NO_ERROR;
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
int EAPAKAIdentity (char *identity, int maxlen)
{
    CFStringRef			identRef = NULL;
	int					error;
	int					ret = EAP_ERROR_GENERIC;
	
	error = EAPAKALoad();
	if (error)
		return error;
	
	EAPAKAGetOptions();
	if (eapOptions == NULL)
		return ret;
	
	identRef = EAPClientModulePluginUserName(eapRef, eapOptions);
    if (identRef) {
		if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8))
			ret = EAP_NO_ERROR;
		CFRelease(identRef);
	}
	
	return ret;
}

/* ------------------------------------------------------------------------------------
 Init routine called by the EAP engine when it needs the module.
 Identity of the peer is known at this point.
 mode is 0 for client, 1 for server.
 cookie is the EAP engine context, to pass to subsequent calls to EAP.
 context is EAP module context, that will be passed to subsequent calls to the module
 ------------------------------------------------------------------------------------ */
int
EAPAKAInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions)
{
	int error;
    EAPClientModuleStatus status;
	int ret = EAP_ERROR_GENERIC;
    
	error = EAPAKALoad();
	if (error)
		return error;
	
	bundle = (CFBundleRef)eap_in->data;
    if (bundle)
		CFRetain(bundle);
	
	EAPAKAGetOptions();
	
	bzero(&eapData, sizeof(eapData));
	
	/* remaining fields are read-only: */
	uint32_t username_len = strlen(eap_in->username);
	eapData.username = (uint8_t *)strndup(eap_in->username, username_len);
	memcpy((void*)&eapData.username_length, &username_len, sizeof(uint32_t));
	*((bool *)&eapData.log_enabled) = 1;
	*((uint32_t *)&eapData.log_level) = LOG_NOTICE;
	*((uint32_t *)&eapData.mtu) = eap_in->mtu;
	*((uint32_t *)&eapData.generation) = 0;/* changed when user updates */
    
	arc4random_buf(eapaka_unique, sizeof(eapaka_unique) - 1);
	eapaka_unique[sizeof(eapaka_unique)-1] = 0;
	
    eapData.unique_id = eapaka_unique;  /* used for TLS session resumption??? */
	*((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id);
    
	if (eapOptions) {
        CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPAKA);
        if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) {
            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value);
        } else {
            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions);
        }
	} else
		eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	if (eapProperties == NULL) {
		plog(ASL_LEVEL_ERR, "EAP-AKA: Cannot allocate memory\n");
		goto failed;
	}
    
	*((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties;
    
	status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error);
	if (status != kEAPClientStatusOK) {
		plog(ASL_LEVEL_ERR, "EAP-AKA: EAPClientPluginInit(eapaka) failed, error %d\n", status);
		goto failed;
	}
	
	eapSavePacket = NULL;
	
    return EAP_NO_ERROR;
	
failed:
	
    return ret;
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
int EAPAKADispose (void *context)
{
	
	EAPClientModulePluginFree(eapRef, &eapData);
	eapRef = 0;
	
	if (bundle) {
		CFRelease(bundle);
		bundle = 0;
	}
	
	if (eapOptions) {
		CFRelease(eapOptions);
		eapOptions = 0;
	}
	
	if (eapProperties) {
		CFRelease(eapProperties);
		eapProperties = 0;
	}
	
	if (eapSavePacket) {
		free(eapSavePacket);
		eapSavePacket = 0;
	}
	
    return EAP_NO_ERROR;
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
int
EAPAKAProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out)
{
    struct EAP_Packet *pkt_in = NULL;
    struct EAP_Packet *pkt_out = NULL;
	EAPClientStatus status;
	EAPClientState	state;
	EAPClientDomainSpecificError error;
	int do_process = 0;
	
	// by default, ignore the message
	eap_out->action = EAP_ACTION_NONE;
	eap_out->data = 0;
	eap_out->data_len = 0;
	
	switch (eap_in->notification) {
            
		case EAP_NOTIFICATION_DATA_FROM_UI:
			plog(ASL_LEVEL_ERR, "unexpected EAP UI event");
			break;
            
		case EAP_NOTIFICATION_PACKET:
			
			pkt_in = (struct EAP_Packet *)eap_in->data;
			do_process = 1;
			break;
	}
	
	if (do_process) {
		
		state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error);
		switch(state) {
			case kEAPClientStateAuthenticating:
				switch (status) {
						
					case kEAPClientStatusOK:
						eap_out->data = pkt_out;
						eap_out->data_len = ntohs(pkt_out->len);
						eap_out->action = EAP_ACTION_SEND;
						break;
						
					case kEAPClientStatusUserInputRequired:
						plog(ASL_LEVEL_ERR, "unsupported EAP UI input");
					default:
						eap_out->action = EAP_ACTION_ACCESS_DENIED;
				}
				break;
				
			case kEAPClientStateSuccess:
				eap_out->action = EAP_ACTION_ACCESS_GRANTED;
				break;
				
			default:
			case kEAPClientStateFailure:
				eap_out->action = EAP_ACTION_ACCESS_DENIED;
				break;
		}
	}
	
	if (eapSavePacket) {
		free(eapSavePacket);
		eapSavePacket = 0;
	}
	
    return 0;
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
int
EAPAKAFree (void *context, EAP_Output_t *eap_out)
{
	
	EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data);
    return EAP_NO_ERROR;
}

/* ------------------------------------------------------------------------------------
 ------------------------------------------------------------------------------------ */
int
EAPAKAGetAttribute (void *context, EAP_Attribute_t *eap_attr)
{
	void *data = NULL;
	int len = 0;
	
	eap_attr->data = 0;
	
    switch (eap_attr->type) {
			
        case EAP_ATTRIBUTE_MPPE_SEND_KEY:
            data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len);
            break;
        case EAP_ATTRIBUTE_MPPE_RECV_KEY:
            data = EAPClientModulePluginServerKey(eapRef, &eapData, &len);
            break;
    }
	
	if (data == NULL)
		return -1;
	
	eap_attr->data = data;
    if (len == 32)
        eap_attr->data_len = 64;
    else
        eap_attr->data_len = len;
    return 0;
}
Commit	Line	Data
65c25746 A	1	/*
	2	* Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include <stdio.h>
	25	#include <sys/types.h>
	26	#include <sys/uio.h>
	27	#include <unistd.h>
	28	#include <syslog.h>
	29	#include <sys/fcntl.h>
	30	#include <CoreFoundation/CoreFoundation.h>
	31	#include <CoreFoundation/CFBundle.h>
	32	#include <mach/mach.h>
	33	#include <EAP8021X/EAP.h>
	34	#include <EAP8021X/EAPClientModule.h>
	35	#include <EAP8021X/EAPClientProperties.h>
	36	#if !TARGET_OS_EMBEDDED // This file is not built for Embedded
	37	#include <Security/SecKeychain.h>
	38	#include <Security/SecKeychainSearch.h>
	39	#include <Security/SecKeychainItem.h>
	40	#include <Security/SecIdentity.h>
	41	#endif /* TARGET_OS_EMBEDDED */
	42	#include <SystemConfiguration/SCNetworkConnection.h>
	43	#include "plog.h"
	44	#include "eap.h"
	45	#include "eap_sim.h"
	46
	47	/*---------------------------------------------------------------------------
	48	** Internal routines
	49	**---------------------------------------------------------------------------
	50	*/
	51
	52	static CFBundleRef bundle = 0; /* our bundle ref */
	53	static char eapaka_unique[17];
	54
	55	static EAPClientModuleRef eapRef = NULL;
	56	static EAPClientPluginData eapData;
	57	static CFMutableDictionaryRef eapProperties = NULL;
	58	static CFDictionaryRef eapOptions = NULL;
	59	static struct EAP_Packet *eapSavePacket = NULL;
	60
	61	extern EAPClientPluginFuncRef
	62	eapaka_introspect(EAPClientPluginFuncName name);
	63
	64	/* ------------------------------------------------------------------------------------
65	get the EAP dictionary from the options
66	------------------------------------------------------------------------------------ */
67	static void
68	EAPAKAGetOptions (void)
69	{
70	if (eapOptions)
71	return;
72
73	// no option, use empty dictionary
74	if (!eapOptions)
75	eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
76	}
77
78	/* ------------------------------------------------------------------------------------
79	------------------------------------------------------------------------------------ */
80	static int
81	EAPAKALoad (void)
82	{
83	EAPClientModuleStatus status;
84
85	if (eapRef)
86	return EAP_NO_ERROR;
87
88	status = EAPClientModuleAddBuiltinModule(eapaka_introspect);
89	if (status != kEAPClientModuleStatusOK) {
90	plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientAddBuiltinModule(eapaka) failed %d\n", status);
91	return EAP_ERROR_GENERIC;
92	}
93
94	eapRef = EAPClientModuleLookup(kEAPTypeEAPAKA);
95	if (eapRef == NULL) {
96	plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientModuleLookup(eapaka) failed\n");
97	return EAP_ERROR_GENERIC;
98	}
99
100	return EAP_NO_ERROR;
101	}
102
103	/* ------------------------------------------------------------------------------------
104	------------------------------------------------------------------------------------ */
105	int EAPAKAIdentity (char *identity, int maxlen)
106	{
107	CFStringRef identRef = NULL;
108	int error;
109	int ret = EAP_ERROR_GENERIC;
110
111	error = EAPAKALoad();
112	if (error)
113	return error;
114
115	EAPAKAGetOptions();
116	if (eapOptions == NULL)
117	return ret;
118
119	identRef = EAPClientModulePluginUserName(eapRef, eapOptions);
120	if (identRef) {
121	if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8))
122	ret = EAP_NO_ERROR;
123	CFRelease(identRef);
124	}
125
126	return ret;
127	}
128
129	/* ------------------------------------------------------------------------------------
130	Init routine called by the EAP engine when it needs the module.
131	Identity of the peer is known at this point.
132	mode is 0 for client, 1 for server.
133	cookie is the EAP engine context, to pass to subsequent calls to EAP.
134	context is EAP module context, that will be passed to subsequent calls to the module
135	------------------------------------------------------------------------------------ */
136	int
137	EAPAKAInit (EAP_Input_t eap_in, void *context, CFDictionaryRef eapOptions)
138	{
139	int error;
140	EAPClientModuleStatus status;
141	int ret = EAP_ERROR_GENERIC;
142
143	error = EAPAKALoad();
144	if (error)
145	return error;
146
147	bundle = (CFBundleRef)eap_in->data;
148	if (bundle)
149	CFRetain(bundle);
150
151	EAPAKAGetOptions();
152
153	bzero(&eapData, sizeof(eapData));
154
155	/* remaining fields are read-only: */
156	uint32_t username_len = strlen(eap_in->username);
157	eapData.username = (uint8_t *)strndup(eap_in->username, username_len);
158	memcpy((void*)&eapData.username_length, &username_len, sizeof(uint32_t));
159	((bool )&eapData.log_enabled) = 1;
160	((uint32_t )&eapData.log_level) = LOG_NOTICE;
161	((uint32_t )&eapData.mtu) = eap_in->mtu;
162	((uint32_t )&eapData.generation) = 0;/* changed when user updates */
163
164	arc4random_buf(eapaka_unique, sizeof(eapaka_unique) - 1);
165	eapaka_unique[sizeof(eapaka_unique)-1] = 0;
166
167	eapData.unique_id = eapaka_unique; /* used for TLS session resumption??? */
168	((uint32_t )&eapData.unique_id_length) = strlen(eapData.unique_id);
169
170	if (eapOptions) {
171	CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPAKA);
172	if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) {
173	eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value);
174	} else {
175	eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions);
176	}
177	} else
178	eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
179	if (eapProperties == NULL) {
180	plog(ASL_LEVEL_ERR, "EAP-AKA: Cannot allocate memory\n");
181	goto failed;
182	}
183
184	((CFDictionaryRef )&eapData.properties) = (CFDictionaryRef)eapProperties;
185
186	status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error);
187	if (status != kEAPClientStatusOK) {
188	plog(ASL_LEVEL_ERR, "EAP-AKA: EAPClientPluginInit(eapaka) failed, error %d\n", status);
189	goto failed;
190	}
191
192	eapSavePacket = NULL;
193
194	return EAP_NO_ERROR;
195
196	failed:
197
198	return ret;
199	}
200
201	/* ------------------------------------------------------------------------------------
202	------------------------------------------------------------------------------------ */
203	int EAPAKADispose (void *context)
204	{
205
206	EAPClientModulePluginFree(eapRef, &eapData);
207	eapRef = 0;
208
209	if (bundle) {
210	CFRelease(bundle);
211	bundle = 0;
212	}
213
214	if (eapOptions) {
215	CFRelease(eapOptions);
216	eapOptions = 0;
217	}
218
219	if (eapProperties) {
220	CFRelease(eapProperties);
221	eapProperties = 0;
222	}
223
224	if (eapSavePacket) {
225	free(eapSavePacket);
226	eapSavePacket = 0;
227	}
228
229	return EAP_NO_ERROR;
230	}
231
232	/* ------------------------------------------------------------------------------------
233	------------------------------------------------------------------------------------ */
234	int
235	EAPAKAProcess (void context, EAP_Input_t eap_in, EAP_Output_t *eap_out)
236	{
237	struct EAP_Packet *pkt_in = NULL;
238	struct EAP_Packet *pkt_out = NULL;
239	EAPClientStatus status;
240	EAPClientState state;
241	EAPClientDomainSpecificError error;
242	int do_process = 0;
243
244	// by default, ignore the message
245	eap_out->action = EAP_ACTION_NONE;
246	eap_out->data = 0;
247	eap_out->data_len = 0;
248
249	switch (eap_in->notification) {
250
251	case EAP_NOTIFICATION_DATA_FROM_UI:
252	plog(ASL_LEVEL_ERR, "unexpected EAP UI event");
253	break;
254
255	case EAP_NOTIFICATION_PACKET:
256
257	pkt_in = (struct EAP_Packet *)eap_in->data;
258	do_process = 1;
259	break;
260	}
261
262	if (do_process) {
263
264	state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error);
265	switch(state) {
266	case kEAPClientStateAuthenticating:
267	switch (status) {
268
269	case kEAPClientStatusOK:
270	eap_out->data = pkt_out;
271	eap_out->data_len = ntohs(pkt_out->len);
272	eap_out->action = EAP_ACTION_SEND;
273	break;
274
275	case kEAPClientStatusUserInputRequired:
276	plog(ASL_LEVEL_ERR, "unsupported EAP UI input");
277	default:
278	eap_out->action = EAP_ACTION_ACCESS_DENIED;
279	}
280	break;
281
282	case kEAPClientStateSuccess:
283	eap_out->action = EAP_ACTION_ACCESS_GRANTED;
284	break;
285
286	default:
287	case kEAPClientStateFailure:
288	eap_out->action = EAP_ACTION_ACCESS_DENIED;
289	break;
290	}
291	}
292
293	if (eapSavePacket) {
294	free(eapSavePacket);
295	eapSavePacket = 0;
296	}
297
298	return 0;
299	}
300
301	/* ------------------------------------------------------------------------------------
302	------------------------------------------------------------------------------------ */
303	int
304	EAPAKAFree (void context, EAP_Output_t eap_out)
305	{
306
307	EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data);
308	return EAP_NO_ERROR;
309	}
310
311	/* ------------------------------------------------------------------------------------
312	------------------------------------------------------------------------------------ */
313	int
314	EAPAKAGetAttribute (void context, EAP_Attribute_t eap_attr)
315	{
316	void *data = NULL;
317	int len = 0;
318
319	eap_attr->data = 0;
320
321	switch (eap_attr->type) {
322
323	case EAP_ATTRIBUTE_MPPE_SEND_KEY:
324	data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len);
325	break;
326	case EAP_ATTRIBUTE_MPPE_RECV_KEY:
327	data = EAPClientModulePluginServerKey(eapRef, &eapData, &len);
328	break;
329	}
330
331	if (data == NULL)
332	return -1;
333
334	eap_attr->data = data;
335	if (len == 32)
336	eap_attr->data_len = 64;
337	else
338	eap_attr->data_len = len;
339	return 0;
340	}