src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c

   1 /*
   2  * rlm_eap_peap.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 RCSID("$Id$")
  25
  26 #include "eap_peap.h"
  27
  28 typedef struct rlm_eap_peap_t {
  29         char const *tls_conf_name;              //!< TLS configuration.
  30         fr_tls_server_conf_t *tls_conf;
  31         char const *default_method_name;        //!< Default tunneled EAP type.
  32         int default_method;
  33         bool use_tunneled_reply;                //!< Use the reply attributes from the tunneled session in
  34                                                 //!< the non-tunneled reply to the client.
  35
  36         bool copy_request_to_tunnel;            //!< Use SOME of the request attributes from outside of the
  37                                                 //!< tunneled session in the tunneled request.
  38 #ifdef WITH_PROXY
  39         bool proxy_tunneled_request_as_eap;     //!< Proxy tunneled session as EAP, or as de-capsulated
  40                                                 //!< protocol.
  41 #endif
  42         char const *virtual_server;             //!< Virtual server for inner tunnel session.
  43
  44         bool soh;                               //!< Do we do SoH request?
  45         char const *soh_virtual_server;
  46         bool req_client_cert;                   //!< Do we do require a client cert?
  47 } rlm_eap_peap_t;
  48
  49
  50 static CONF_PARSER module_config[] = {
  51         { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, tls_conf_name), NULL },
  52
  53         { "default_method", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, default_method_name), "mschapv2" },
  54
  55         { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, copy_request_to_tunnel), "no" },
  56
  57         { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, use_tunneled_reply), "no" },
  58
  59 #ifdef WITH_PROXY
  60         { "proxy_tunneled_request_as_eap", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, proxy_tunneled_request_as_eap), "yes" },
  61 #endif
  62
  63         { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, virtual_server), NULL },
  64
  65         { "soh", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, soh), "no" },
  66
  67         { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, req_client_cert), "no" },
  68
  69         { "soh_virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, soh_virtual_server), NULL },
  70
  71         { NULL, -1, 0, NULL, NULL }        /* end the list */
  72 };
  73
  74
  75 /*
  76  *      Attach the module.
  77  */
  78 static int eappeap_attach(CONF_SECTION *cs, void **instance)
  79 {
  80         rlm_eap_peap_t          *inst;
  81
  82         *instance = inst = talloc_zero(cs, rlm_eap_peap_t);
  83         if (!inst) return -1;
  84
  85         /*
  86          *      Parse the configuration attributes.
  87          */
  88         if (cf_section_parse(cs, inst, module_config) < 0) {
  89                 return -1;
  90         }
  91
  92         /*
  93          *      Convert the name to an integer, to make it easier to
  94          *      handle.
  95          */
  96         inst->default_method = eap_name2type(inst->default_method_name);
  97         if (inst->default_method < 0) {
  98                 ERROR("rlm_eap_peap: Unknown EAP type %s",
  99                        inst->default_method_name);
 100                 return -1;
 101         }
 102
 103         /*
 104          *      Read tls configuration, either from group given by 'tls'
 105          *      option, or from the eap-tls configuration.
 106          */
 107         inst->tls_conf = eaptls_conf_parse(cs, "tls");
 108
 109         if (!inst->tls_conf) {
 110                 ERROR("rlm_eap_peap: Failed initializing SSL context");
 111                 return -1;
 112         }
 113
 114         return 0;
 115 }
 116
 117 /*
 118  *      Allocate the PEAP per-session data
 119  */
 120 static peap_tunnel_t *peap_alloc(TALLOC_CTX *ctx, rlm_eap_peap_t *inst)
 121 {
 122         peap_tunnel_t *t;
 123
 124         t = talloc_zero(ctx, peap_tunnel_t);
 125
 126         t->default_method = inst->default_method;
 127         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 128         t->use_tunneled_reply = inst->use_tunneled_reply;
 129 #ifdef WITH_PROXY
 130         t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 131 #endif
 132         t->virtual_server = inst->virtual_server;
 133         t->soh = inst->soh;
 134         t->soh_virtual_server = inst->soh_virtual_server;
 135         t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
 136
 137         return t;
 138 }
 139
 140 /*
 141  *      Send an initial eap-tls request to the peer, using the libeap functions.
 142  */
 143 static int eappeap_initiate(void *type_arg, eap_handler_t *handler)
 144 {
 145         int             status;
 146         tls_session_t   *ssn;
 147         rlm_eap_peap_t  *inst;
 148         VALUE_PAIR      *vp;
 149         bool            client_cert;
 150         REQUEST         *request = handler->request;
 151
 152         inst = type_arg;
 153
 154         handler->tls = true;
 155         handler->finished = false;
 156
 157         /*
 158          *      Check if we need a client certificate.
 159          */
 160
 161         /*
 162          * EAP-TLS-Require-Client-Cert attribute will override
 163          * the require_client_cert configuration option.
 164          */
 165         vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
 166         if (vp) {
 167                 client_cert = vp->vp_integer ? true : false;
 168         } else {
 169                 client_cert = inst->req_client_cert;
 170         }
 171
 172         ssn = eaptls_session(handler, inst->tls_conf, client_cert);
 173         if (!ssn) {
 174                 return 0;
 175         }
 176
 177         handler->opaque = ((void *)ssn);
 178
 179         /*
 180          *      Set up type-specific information.
 181          */
 182         ssn->prf_label = "client EAP encryption";
 183
 184         /*
 185          *      As it is a poorly designed protocol, PEAP uses
 186          *      bits in the TLS header to indicate PEAP
 187          *      version numbers.  For now, we only support
 188          *      PEAP version 0, so it doesn't matter too much.
 189          *      However, if we support later versions of PEAP,
 190          *      we will need this flag to indicate which
 191          *      version we're currently dealing with.
 192          */
 193         ssn->peap_flag = 0x00;
 194
 195         /*
 196          *      PEAP version 0 requires 'include_length = no',
 197          *      so rather than hoping the user figures it out,
 198          *      we force it here.
 199          */
 200         ssn->length_flag = 0;
 201
 202         /*
 203          *      TLS session initialization is over.  Now handle TLS
 204          *      related handshaking or application data.
 205          */
 206         status = eaptls_start(handler->eap_ds, ssn->peap_flag);
 207         RDEBUG2("Start returned %d", status);
 208         if (status == 0) {
 209                 return 0;
 210         }
 211
 212         /*
 213          *      The next stage to process the packet.
 214          */
 215         handler->stage = AUTHENTICATE;
 216
 217         return 1;
 218 }
 219
 220 /*
 221  *      Do authentication, by letting EAP-TLS do most of the work.
 222  */
 223 static int mod_authenticate(void *arg, eap_handler_t *handler)
 224 {
 225         int rcode;
 226         fr_tls_status_t status;
 227         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 228         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 229         peap_tunnel_t *peap = tls_session->opaque;
 230         REQUEST *request = handler->request;
 231
 232         /*
 233          *      Session resumption requires the storage of data, so
 234          *      allocate it if it doesn't already exist.
 235          */
 236         if (!tls_session->opaque) {
 237                 peap = tls_session->opaque = peap_alloc(tls_session, inst);
 238         }
 239
 240         status = eaptls_process(handler);
 241         RDEBUG2("eaptls_process returned %d\n", status);
 242         switch (status) {
 243                 /*
 244                  *      EAP-TLS handshake was successful, tell the
 245                  *      client to keep talking.
 246                  *
 247                  *      If this was EAP-TLS, we would just return
 248                  *      an EAP-TLS-Success packet here.
 249                  */
 250         case FR_TLS_SUCCESS:
 251                 RDEBUG2("FR_TLS_SUCCESS");
 252                 peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
 253                 break;
 254
 255                 /*
 256                  *      The TLS code is still working on the TLS
 257                  *      exchange, and it's a valid TLS request.
 258                  *      do nothing.
 259                  */
 260         case FR_TLS_HANDLED:
 261           /*
 262            *    FIXME: If the SSL session is established, grab the state
 263            *    and EAP id from the inner tunnel, and update it with
 264            *    the expected EAP id!
 265            */
 266                 RDEBUG2("FR_TLS_HANDLED");
 267                 return 1;
 268
 269                 /*
 270                  *      Handshake is done, proceed with decoding tunneled
 271                  *      data.
 272                  */
 273         case FR_TLS_OK:
 274                 RDEBUG2("FR_TLS_OK");
 275                 break;
 276
 277                 /*
 278                  *      Anything else: fail.
 279                  */
 280         default:
 281                 RDEBUG2("FR_TLS_OTHERS");
 282                 return 0;
 283         }
 284
 285         /*
 286          *      Session is established, proceed with decoding
 287          *      tunneled data.
 288          */
 289         RDEBUG2("Session established.  Decoding tunneled attributes");
 290
 291         /*
 292          *      We may need PEAP data associated with the session, so
 293          *      allocate it here, if it wasn't already alloacted.
 294          */
 295         if (!tls_session->opaque) {
 296                 tls_session->opaque = peap_alloc(tls_session, inst);
 297         }
 298
 299         /*
 300          *      Process the PEAP portion of the request.
 301          */
 302         rcode = eappeap_process(handler, tls_session);
 303         switch (rcode) {
 304         case RLM_MODULE_REJECT:
 305                 eaptls_fail(handler, 0);
 306                 return 0;
 307
 308         case RLM_MODULE_HANDLED:
 309                 eaptls_request(handler->eap_ds, tls_session);
 310                 return 1;
 311
 312         case RLM_MODULE_OK:
 313                 /*
 314                  *      Move the saved VP's from the Access-Accept to
 315                  *      our Access-Accept.
 316                  */
 317                 peap = tls_session->opaque;
 318                 if (peap->soh_reply_vps) {
 319                         RDEBUG2("Using saved attributes from the SoH reply");
 320                         debug_pair_list(peap->soh_reply_vps);
 321                         pairfilter(handler->request->reply,
 322                                   &handler->request->reply->vps,
 323                                   &peap->soh_reply_vps, 0, 0, TAG_ANY);
 324                 }
 325                 if (peap->accept_vps) {
 326                         RDEBUG2("Using saved attributes from the original Access-Accept");
 327                         debug_pair_list(peap->accept_vps);
 328                         pairfilter(handler->request->reply,
 329                                   &handler->request->reply->vps,
 330                                   &peap->accept_vps, 0, 0, TAG_ANY);
 331                 }
 332
 333                 /*
 334                  *      Success: Automatically return MPPE keys.
 335                  */
 336                 return eaptls_success(handler, 0);
 337
 338                 /*
 339                  *      No response packet, MUST be proxying it.
 340                  *      The main EAP module will take care of discovering
 341                  *      that the request now has a "proxy" packet, and
 342                  *      will proxy it, rather than returning an EAP packet.
 343                  */
 344         case RLM_MODULE_UPDATED:
 345 #ifdef WITH_PROXY
 346                 rad_assert(handler->request->proxy != NULL);
 347 #endif
 348                 return 1;
 349                 break;
 350
 351         default:
 352                 break;
 353         }
 354
 355         eaptls_fail(handler, 0);
 356         return 0;
 357 }
 358
 359
 360 /*
 361  *      The module name should be the only globally exported symbol.
 362  *      That is, everything else should be 'static'.
 363  */
 364 rlm_eap_module_t rlm_eap_peap = {
 365         "eap_peap",
 366         eappeap_attach,                 /* attach */
 367         eappeap_initiate,               /* Start the initial request */
 368         NULL,                           /* authorization */
 369         mod_authenticate,               /* authentication */
 370         NULL                            /* detach */
 371 };