src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c

   1 /*
   2  * rlm_eap_leap.c    Handles that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28
  29 #include <stdio.h>
  30 #include <stdlib.h>
  31
  32 #include "eap_leap.h"
  33
  34
  35 /*
  36  * send an initial eap-leap request
  37  * ie access challenge to the user/peer.
  38
  39  * Frame eap reply packet.
  40  * len = header + type + leap_typedata
  41  * leap_typedata = value_size + value
  42  */
  43 static int leap_initiate(UNUSED void *instance, EAP_HANDLER *handler)
  44 {
  45         leap_session_t  *session;
  46         LEAP_PACKET     *reply;
  47
  48         DEBUG2("  rlm_eap_leap: Stage 2");
  49
  50         /*
  51          *      LEAP requires a User-Name attribute
  52          */
  53         if (!handler->request->username) {
  54                 DEBUG2("  rlm_eap_leap: User-Name is required for EAP-LEAP authentication.");
  55                 return 0;
  56         }
  57
  58         reply = eapleap_initiate(handler->eap_ds, handler->request->username);
  59         if (reply == NULL)
  60                 return 0;
  61
  62         eapleap_compose(handler->eap_ds, reply);
  63
  64         handler->opaque = malloc(sizeof(leap_session_t));
  65         if (!handler->opaque) {
  66           radlog(L_ERR, "rlm_eap_leap: Out of memory");
  67           eapleap_free(&reply);
  68           return 0;
  69         }
  70
  71         /*
  72          *      Remember which stage we're in, and which challenge
  73          *      we sent to the AP.  The later stages will take care
  74          *      of filling in the peer response.
  75          */
  76         session = (leap_session_t *) handler->opaque;
  77         handler->free_opaque = free; /* just malloc'd memory */
  78
  79         session->stage = 4;     /* the next stage we're in */
  80         memcpy(session->peer_challenge, reply->challenge, reply->count);
  81
  82         DEBUG2("  rlm_eap_leap: Successfully initiated");
  83
  84         /*
  85          *      The next stage to process the packet.
  86          */
  87         handler->stage = AUTHENTICATE;
  88
  89         eapleap_free(&reply);
  90         return 1;
  91 }
  92
  93 static int leap_authenticate(UNUSED void *instance, EAP_HANDLER *handler)
  94 {
  95         int             rcode;
  96         leap_session_t  *session;
  97         LEAP_PACKET     *packet;
  98         LEAP_PACKET     *reply;
  99         char*           username;
 100         VALUE_PAIR      *password;
 101
 102         if (!handler->opaque) {
 103                 radlog(L_ERR, "rlm_eap_leap: Cannot authenticate without LEAP history");
 104                 return 0;
 105         }
 106         session = (leap_session_t *) handler->opaque;
 107         reply = NULL;
 108
 109         /*
 110          *      Extract the LEAP packet.
 111          */
 112         if (!(packet = eapleap_extract(handler->eap_ds)))
 113                 return 0;
 114
 115         username = (char *)handler->request->username->vp_strvalue;
 116
 117         /*
 118          *      The password is never sent over the wire.
 119          *      Always get the configured password, for each user.
 120          */
 121         password = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD);
 122         if (!password) password = pairfind(handler->request->config_items, PW_NT_PASSWORD);
 123         if (!password) {
 124                 radlog(L_INFO, "rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user");
 125                 eapleap_free(&packet);
 126                 return 0;
 127         }
 128
 129         /*
 130          *      We've already sent the AP challenge.  This packet
 131          *      should contain the NtChallengeResponse
 132          */
 133         switch (session->stage) {
 134         case 4:                 /* Verify NtChallengeResponse */
 135                 DEBUG2("  rlm_eap_leap: Stage 4");
 136                 rcode = eapleap_stage4(packet, password, session);
 137                 session->stage = 6;
 138
 139                 /*
 140                  *      We send EAP-Success or EAP-Fail, and not
 141                  *      any LEAP packet.  So we return here.
 142                  */
 143                 if (!rcode) {
 144                         handler->eap_ds->request->code = PW_EAP_FAILURE;
 145                         eapleap_free(&packet);
 146                         return 0;
 147                 }
 148
 149                 handler->eap_ds->request->code = PW_EAP_SUCCESS;
 150
 151                 /*
 152                  *      Do this only for Success.
 153                  */
 154                 handler->eap_ds->request->id = handler->eap_ds->response->id + 1;
 155                 handler->eap_ds->set_request_id = 1;
 156
 157                 /*
 158                  *      LEAP requires a challenge in stage 4, not
 159                  *      an Access-Accept, which is normally returned
 160                  *      by eap_compose() in eap.c, when the EAP reply code
 161                  *      is EAP_SUCCESS.
 162                  */
 163                 handler->request->reply->code = PW_ACCESS_CHALLENGE;
 164                 return 1;
 165                 break;
 166
 167         case 6:                 /* Issue session key */
 168                 DEBUG2("  rlm_eap_leap: Stage 6");
 169                 reply = eapleap_stage6(packet, handler->request,
 170                                        handler->request->username, password,
 171                                        session, &handler->request->reply->vps);
 172                 break;
 173
 174                 /*
 175                  *      Stages 1, 3, and 5 are requests from the AP.
 176                  *      Stage 2 is handled by initiate()
 177                  */
 178         default:
 179                 radlog(L_ERR, "  rlm_eap_leap: Internal sanity check failed on stage");
 180                 break;
 181         }
 182
 183         eapleap_free(&packet);
 184
 185         /*
 186          *      Process the packet.  We don't care about any previous
 187          *      EAP packets, as
 188          */
 189         if (!reply) {
 190                 return 0;
 191         }
 192
 193         eapleap_compose(handler->eap_ds, reply);
 194
 195         eapleap_free(&reply);
 196         return 1;
 197 }
 198
 199 /*
 200  *      The module name should be the only globally exported symbol.
 201  *      That is, everything else should be 'static'.
 202  */
 203 EAP_TYPE rlm_eap_leap = {
 204         "eap_leap",
 205         NULL,                   /* attach */
 206         leap_initiate,          /* Start the initial request, after Identity */
 207         NULL,                   /* authorization */
 208         leap_authenticate,      /* authentication */
 209         NULL,                   /* detach */
 210 };