From d93e2e5409b9d53ea0f2efb303691f0ce2d091ce Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Mon, 30 Aug 2010 15:36:24 +0200
Subject: [PATCH] created an eap-tnc method hull

---
 configure.in | 4 +
 src/libcharon/Makefile.am | 7 +
 src/libcharon/plugins/eap_tnc/Makefile.am | 16 ++
 src/libcharon/plugins/eap_tnc/eap_tnc.c | 190 ++++++++++++++++++
 src/libcharon/plugins/eap_tnc/eap_tnc.h | 57 ++++++
 .../plugins/eap_tnc/eap_tnc_plugin.c | 51 +++++
 .../plugins/eap_tnc/eap_tnc_plugin.h | 42 ++++
 testing/scripts/build-umlrootfs | 5 +
 testing/testing.conf | 1 +
 9 files changed, 373 insertions(+)
 create mode 100644 src/libcharon/plugins/eap_tnc/Makefile.am
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc.c
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc.h
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
 create mode 100644 src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h

diff --git a/configure.in b/configure.in
index 9802e07c5..f9d034078 100644
--- a/configure.in
+++ b/configure.in
@@ -113,6 +113,7 @@ ARG_ENABL_SET([eap-aka-3gpp2], [enable EAP AKA backend implementing 3GPP2 algor
 ARG_ENABL_SET([eap-mschapv2], [enable EAP MS-CHAPv2 authenication module.])
 ARG_ENABL_SET([eap-tls], [enable EAP TLS authenication module.])
 ARG_ENABL_SET([eap-ttls], [enable EAP TTLS authenication module.])
+ARG_ENABL_SET([eap-tnc], [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authenication module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.])
@@ -751,6 +752,7 @@ ADD_PLUGIN([eap-mschapv2], [c libcharon])
 ADD_PLUGIN([eap-radius], [c libcharon])
 ADD_PLUGIN([eap-tls], [c libcharon])
 ADD_PLUGIN([eap-ttls], [c libcharon])
+ADD_PLUGIN([eap-tnc], [c libcharon])
 ADD_PLUGIN([medsrv], [c libcharon])
 ADD_PLUGIN([medcli], [c libcharon])
 ADD_PLUGIN([nm], [c libcharon])
@@ -843,6 +845,7 @@ AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
 AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
 AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
@@ -974,6 +977,7 @@ AC_OUTPUT(
 src/libcharon/plugins/eap_mschapv2/Makefile
 src/libcharon/plugins/eap_tls/Makefile
 src/libcharon/plugins/eap_ttls/Makefile
+ src/libcharon/plugins/eap_tnc/Makefile
 src/libcharon/plugins/eap_radius/Makefile
 src/libcharon/plugins/kernel_netlink/Makefile
 src/libcharon/plugins/kernel_pfkey/Makefile
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 3d72294bd..07ef13418 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -332,6 +332,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_EAP_TNC
+ SUBDIRS += plugins/eap_tnc
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-eap-tnc.la
+endif
+endif
+
 if USE_TLS
 if MONOLITHIC
 # otherwise this library is linked to eap_tls
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
new file mode 100644
index 000000000..ad77155b0
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+endif
+
+libstrongswan_eap_tnc_la_SOURCES = \
+ eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+
+libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
new file mode 100644
index 000000000..5164d9a3a
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc.h"
+
+#include
+#include
+
+typedef struct private_eap_tnc_t private_eap_tnc_t;
+
+/**
+ * Private data of an eap_tnc_t object.
+ */
+struct private_eap_tnc_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ eap_tnc_t public;
+
+ /**
+ * ID of the server
+ */
+ identification_t *server;
+
+ /**
+ * ID of the peer
+ */
+ identification_t *peer;
+};
+
+/**
+ * Flags of an EAP-TNC message
+ */
+typedef enum {
+ EAP_TNC_LENGTH = (1<<7),
+ EAP_TNC_MORE_FRAGS = (1<<6),
+ EAP_TNC_START = (1<<5),
+ EAP_TNC_DH = (1<<4),
+ EAP_TNC_VERSION = 0x07
+} eap_tnc_flags_t;
+
+/**
+ * EAP-TNC packet format
+ */
+typedef struct __attribute__((packed)) {
+ u_int8_t code;
+ u_int8_t identifier;
+ u_int16_t length;
+ u_int8_t type;
+ u_int8_t flags;
+} eap_tnc_packet_t;
+
+METHOD(eap_method_t, initiate_peer, status_t,
+ private_eap_tnc_t *this, eap_payload_t **out)
+{
+ /* peer never initiates */
+ return FAILED;
+}
+
+METHOD(eap_method_t, initiate_server, status_t,
+ private_eap_tnc_t *this, eap_payload_t **out)
+{
+ return NEED_MORE;
+}
+
+METHOD(eap_method_t, process_peer, status_t,
+ private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+ eap_tnc_packet_t *pkt;
+ chunk_t data;
+
+ data = in->get_data(in);
+
+ pkt = (eap_tnc_packet_t*)data.ptr;
+ if (data.len < sizeof(eap_tnc_packet_t) ||
+ untoh16(&pkt->length) != data.len)
+ {
+ DBG1(DBG_IKE, "invalid EAP-TNC packet length");
+ return FAILED;
+ }
+ if (pkt->flags & EAP_TNC_START)
+ {
+ DBG1(DBG_IKE, "EAP-TNC version is v%u", pkt->flags & EAP_TNC_VERSION);
+ }
+ *out = eap_payload_create_nak(in->get_identifier(in));
+
+ return NEED_MORE;
+}
+
+METHOD(eap_method_t, process_server, status_t,
+ private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+ chunk_t data;
+
+ data = in->get_data(in);
+ DBG2(DBG_IKE, "received EAP-TNC data: %B", &data);
+
+ return SUCCESS;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+ private_eap_tnc_t *this, u_int32_t *vendor)
+{
+ *vendor = 0;
+ return EAP_TNC;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+ private_eap_tnc_t *this, chunk_t *msk)
+{
+ return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+ private_eap_tnc_t *this)
+{
+ return FALSE;
+}
+
+METHOD(eap_method_t, destroy, void,
+ private_eap_tnc_t *this)
+{
+ this->peer->destroy(this->peer);
+ this->server->destroy(this->server);
+ free(this);
+}
+
+/*
+ * See header
+ */
+eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer)
+{
+ private_eap_tnc_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method = {
+ .initiate = _initiate_server,
+ .process = _process_server,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .destroy = _destroy,
+ },
+ },
+ .peer = peer->clone(peer),
+ .server = server->clone(server),
+ );
+
+ return &this->public;
+}
+
+/*
+ * See header
+ */
+eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer)
+{
+ private_eap_tnc_t *this;
+
+ INIT(this,
+ .public = {
+ .eap_method = {
+ .initiate = _initiate_peer,
+ .process = _process_peer,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .destroy = _destroy,
+ },
+ },
+ .peer = peer->clone(peer),
+ .server = server->clone(server),
+ );
+
+ return &this->public;
+}
+
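Review bot: `initiate_server` returns NEED_MORE without assigning `*out`, so whatever dispatches the returned payload on NEED_MORE (presumably the EAP authenticator, which is outside this patch) would read an uninitialized pointer as soon as EAP-TNC is selected on the server side, and eap_tnc_plugin.c already registers `eap_tnc_create_server` for EAP_SERVER. Until the Start request is actually built, `return FAILED;` there (with a TODO) is the safe placeholder. Likewise `process_server` returns SUCCESS for any payload after only logging it, so a server running this hull would pass every peer; it should at least apply the same `data.len < sizeof(eap_tnc_packet_t) || untoh16(&pkt->length) != data.len` check that `process_peer` does and return NEED_MORE or FAILED rather than SUCCESS while no assessment is performed. The file header still carries the 2007 Martin Willi copyright of the file it was copied from, whereas eap_tnc.h credits 2010 Andreas Steffen.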
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
new file mode 100644
index 000000000..7e166fb60
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc_i eap_tnc
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_H_
+#define EAP_TNC_H_
+
+typedef struct eap_tnc_t eap_tnc_t;
+
+#include
+
+/**
+ * Implementation of the eap_method_t interface using EAP-TNC.
+ */
+struct eap_tnc_t {
+
+ /**
+ * Implemented eap_method_t interface.
+ */
+ eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TNC acting as server.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TNC acting as peer.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_TNC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
new file mode 100644
index 000000000..7430e4cac
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
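Review bot: The doc comments on `eap_tnc_create_server` and `eap_tnc_create_peer` leave the ownership of `server` and `peer` unstated; eap_tnc.c clones both identities in INIT and releases the clones in its `destroy`, so the caller keeps its own objects. Suggest extending both `@param` lines to `ID of the EAP server (cloned, caller keeps ownership)` and `ID of the EAP client (cloned, caller keeps ownership)`, and noting on `@return` that the object is released through its `eap_method.destroy`.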
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc_plugin.h"
+#include "eap_tnc.h"
+
+#include
+
+METHOD(plugin_t, destroy, void,
+ eap_tnc_plugin_t *this)
+{
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_tnc_create_server);
+ charon->eap->remove_method(charon->eap,
+ (eap_constructor_t)eap_tnc_create_peer);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_tnc_plugin_create()
+{
+ eap_tnc_plugin_t *this;
+
+ INIT(this,
+ .plugin = {
+ .destroy = _destroy,
+ },
+ );
+
+ charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_SERVER,
+ (eap_constructor_t)eap_tnc_create_server);
+ charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_PEER,
+ (eap_constructor_t)eap_tnc_create_peer);
+
+ return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
new file mode 100644
index 000000000..5ed4647c4
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc eap_tnc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tnc_plugin eap_tnc_plugin
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_PLUGIN_H_
+#define EAP_TNC_PLUGIN_H_
+
+#include
+
+typedef struct eap_tnc_plugin_t eap_tnc_plugin_t;
+
+/**
+ * EAP-MD5 plugin
+ */
+struct eap_tnc_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** EAP_TNC_PLUGIN_H_ @}*/
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 7e6822d17..26b247e72 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -182,6 +182,11 @@ then
 echo -n " --enable-eap-ttls" >> $INSTALLSHELL
 fi
 
+if [ "$USE_EAP_TNC" = "yes" ]
+then
+ echo -n " --enable-eap-tnc" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
 echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
diff --git a/testing/testing.conf b/testing/testing.conf
index 0a5b1a135..d67d7b3e5 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -44,6 +44,7 @@ USE_EAP_IDENTITY="yes"
 USE_EAP_RADIUS="yes"
 USE_EAP_TLS="yes"
 USE_EAP_TTLS="yes"
+USE_EAP_TNC="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
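Review bot: The doc comment on `struct eap_tnc_plugin_t` reads `EAP-MD5 plugin`, a leftover from the plugin this header was copied from; it should say `EAP-TNC plugin` so the generated documentation does not misidentify the module.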