src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c

   1 /*
   2  * rlm_eap_peap.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 RCSID("$Id$")
  25
  26 #include "eap_peap.h"
  27
  28 typedef struct rlm_eap_peap_t {
  29         char const *tls_conf_name;              //!< TLS configuration.
  30         fr_tls_server_conf_t *tls_conf;
  31         char const *default_method_name;        //!< Default tunneled EAP type.
  32         int default_method;
  33         bool use_tunneled_reply;                //!< Use the reply attributes from the tunneled session in
  34                                                 //!< the non-tunneled reply to the client.
  35
  36         bool copy_request_to_tunnel;            //!< Use SOME of the request attributes from outside of the
  37                                                 //!< tunneled session in the tunneled request.
  38 #ifdef WITH_PROXY
  39         bool proxy_tunneled_request_as_eap;     //!< Proxy tunneled session as EAP, or as de-capsulated
  40                                                 //!< protocol.
  41 #endif
  42         char const *virtual_server;             //!< Virtual server for inner tunnel session.
  43
  44         bool soh;                               //!< Do we do SoH request?
  45         char const *soh_virtual_server;
  46         bool req_client_cert;                   //!< Do we do require a client cert?
  47 } rlm_eap_peap_t;
  48
  49
  50 static CONF_PARSER module_config[] = {
  51         { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, tls_conf_name), NULL },
  52
  53         { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, default_method_name), "mschapv2" },
  54
  55         { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, copy_request_to_tunnel), "no" },
  56
  57         { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, use_tunneled_reply), "no" },
  58
  59 #ifdef WITH_PROXY
  60         { "proxy_tunneled_request_as_eap", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, proxy_tunneled_request_as_eap), "yes" },
  61 #endif
  62
  63         { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, virtual_server), NULL },
  64
  65         { "soh", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, soh), "no" },
  66
  67         { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, req_client_cert), "no" },
  68
  69         { "soh_virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, soh_virtual_server), NULL },
  70
  71         { NULL, -1, 0, NULL, NULL }        /* end the list */
  72 };
  73
  74
  75 /*
  76  *      Attach the module.
  77  */
  78 static int mod_instantiate(CONF_SECTION *cs, void **instance)
  79 {
  80         rlm_eap_peap_t          *inst;
  81
  82         *instance = inst = talloc_zero(cs, rlm_eap_peap_t);
  83         if (!inst) return -1;
  84
  85         /*
  86          *      Parse the configuration attributes.
  87          */
  88         if (cf_section_parse(cs, inst, module_config) < 0) {
  89                 return -1;
  90         }
  91
  92         /*
  93          *      Convert the name to an integer, to make it easier to
  94          *      handle.
  95          */
  96         inst->default_method = eap_name2type(inst->default_method_name);
  97         if (inst->default_method < 0) {
  98                 ERROR("rlm_eap_peap: Unknown EAP type %s",
  99                        inst->default_method_name);
 100                 return -1;
 101         }
 102
 103         /*
 104          *      Read tls configuration, either from group given by 'tls'
 105          *      option, or from the eap-tls configuration.
 106          */
 107         inst->tls_conf = eaptls_conf_parse(cs, "tls");
 108
 109         if (!inst->tls_conf) {
 110                 ERROR("rlm_eap_peap: Failed initializing SSL context");
 111                 return -1;
 112         }
 113
 114         return 0;
 115 }
 116
 117 /*
 118  *      Allocate the PEAP per-session data
 119  */
 120 static peap_tunnel_t *peap_alloc(TALLOC_CTX *ctx, rlm_eap_peap_t *inst)
 121 {
 122         peap_tunnel_t *t;
 123
 124         t = talloc_zero(ctx, peap_tunnel_t);
 125
 126         t->default_method = inst->default_method;
 127         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 128         t->use_tunneled_reply = inst->use_tunneled_reply;
 129 #ifdef WITH_PROXY
 130         t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 131 #endif
 132         t->virtual_server = inst->virtual_server;
 133         t->soh = inst->soh;
 134         t->soh_virtual_server = inst->soh_virtual_server;
 135         t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
 136
 137         return t;
 138 }
 139
 140 /*
 141  *      Send an initial eap-tls request to the peer, using the libeap functions.
 142  */
 143 static int mod_session_init(void *type_arg, eap_handler_t *handler)
 144 {
 145         int             status;
 146         tls_session_t   *ssn;
 147         rlm_eap_peap_t  *inst;
 148         VALUE_PAIR      *vp;
 149         bool            client_cert;
 150         REQUEST         *request = handler->request;
 151
 152         inst = type_arg;
 153
 154         handler->tls = true;
 155
 156         /*
 157          *      Check if we need a client certificate.
 158          */
 159
 160         /*
 161          * EAP-TLS-Require-Client-Cert attribute will override
 162          * the require_client_cert configuration option.
 163          */
 164         vp = pairfind(handler->request->config, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
 165         if (vp) {
 166                 client_cert = vp->vp_integer ? true : false;
 167         } else {
 168                 client_cert = inst->req_client_cert;
 169         }
 170
 171         ssn = eaptls_session(handler, inst->tls_conf, client_cert);
 172         if (!ssn) {
 173                 return 0;
 174         }
 175
 176         handler->opaque = ((void *)ssn);
 177
 178         /*
 179          *      Set up type-specific information.
 180          */
 181         ssn->prf_label = "client EAP encryption";
 182
 183         /*
 184          *      As it is a poorly designed protocol, PEAP uses
 185          *      bits in the TLS header to indicate PEAP
 186          *      version numbers.  For now, we only support
 187          *      PEAP version 0, so it doesn't matter too much.
 188          *      However, if we support later versions of PEAP,
 189          *      we will need this flag to indicate which
 190          *      version we're currently dealing with.
 191          */
 192         ssn->peap_flag = 0x00;
 193
 194         /*
 195          *      PEAP version 0 requires 'include_length = no',
 196          *      so rather than hoping the user figures it out,
 197          *      we force it here.
 198          */
 199         ssn->length_flag = false;
 200
 201         /*
 202          *      TLS session initialization is over.  Now handle TLS
 203          *      related handshaking or application data.
 204          */
 205         status = eaptls_start(handler->eap_ds, ssn->peap_flag);
 206         if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
 207                 REDEBUG("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
 208         } else {
 209                 RDEBUG2("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
 210         }
 211         if (status == 0) return 0;
 212
 213         /*
 214          *      The next stage to process the packet.
 215          */
 216         handler->stage = PROCESS;
 217
 218         return 1;
 219 }
 220
 221 /*
 222  *      Do authentication, by letting EAP-TLS do most of the work.
 223  */
 224 static int mod_process(void *arg, eap_handler_t *handler)
 225 {
 226         int rcode;
 227         fr_tls_status_t status;
 228         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 229         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 230         peap_tunnel_t *peap = tls_session->opaque;
 231         REQUEST *request = handler->request;
 232
 233         /*
 234          *      Session resumption requires the storage of data, so
 235          *      allocate it if it doesn't already exist.
 236          */
 237         if (!tls_session->opaque) {
 238                 peap = tls_session->opaque = peap_alloc(tls_session, inst);
 239         }
 240
 241         status = eaptls_process(handler);
 242         if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
 243                 REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
 244         } else {
 245                 RDEBUG2("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
 246         }
 247
 248         switch (status) {
 249         /*
 250          *      EAP-TLS handshake was successful, tell the
 251          *      client to keep talking.
 252          *
 253          *      If this was EAP-TLS, we would just return
 254          *      an EAP-TLS-Success packet here.
 255          */
 256         case FR_TLS_SUCCESS:
 257                 peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
 258                 break;
 259
 260         /*
 261          *      The TLS code is still working on the TLS
 262          *      exchange, and it's a valid TLS request.
 263          *      do nothing.
 264          */
 265         case FR_TLS_HANDLED:
 266                 /*
 267                  *      FIXME: If the SSL session is established, grab the state
 268                  *      and EAP id from the inner tunnel, and update it with
 269                  *      the expected EAP id!
 270                  */
 271                 return 1;
 272
 273         /*
 274          *      Handshake is done, proceed with decoding tunneled
 275          *      data.
 276          */
 277         case FR_TLS_OK:
 278                 break;
 279
 280                 /*
 281                  *      Anything else: fail.
 282                  */
 283         default:
 284                 return 0;
 285         }
 286
 287         /*
 288          *      Session is established, proceed with decoding
 289          *      tunneled data.
 290          */
 291         RDEBUG2("Session established.  Decoding tunneled attributes");
 292
 293         /*
 294          *      We may need PEAP data associated with the session, so
 295          *      allocate it here, if it wasn't already alloacted.
 296          */
 297         if (!tls_session->opaque) {
 298                 tls_session->opaque = peap_alloc(tls_session, inst);
 299         }
 300
 301         /*
 302          *      Process the PEAP portion of the request.
 303          */
 304         rcode = eappeap_process(handler, tls_session);
 305         switch (rcode) {
 306         case RLM_MODULE_REJECT:
 307                 eaptls_fail(handler, 0);
 308                 return 0;
 309
 310         case RLM_MODULE_HANDLED:
 311                 eaptls_request(handler->eap_ds, tls_session);
 312                 return 1;
 313
 314         case RLM_MODULE_OK:
 315                 /*
 316                  *      Move the saved VP's from the Access-Accept to
 317                  *      our Access-Accept.
 318                  */
 319                 peap = tls_session->opaque;
 320                 if (peap->soh_reply_vps) {
 321                         RDEBUG2("Using saved attributes from the SoH reply");
 322                         rdebug_pair_list(L_DBG_LVL_2, request, peap->soh_reply_vps, NULL);
 323                         pairfilter(handler->request->reply,
 324                                   &handler->request->reply->vps,
 325                                   &peap->soh_reply_vps, 0, 0, TAG_ANY);
 326                 }
 327                 if (peap->accept_vps) {
 328                         RDEBUG2("Using saved attributes from the original Access-Accept");
 329                         rdebug_pair_list(L_DBG_LVL_2, request, peap->accept_vps, NULL);
 330                         pairfilter(handler->request->reply,
 331                                   &handler->request->reply->vps,
 332                                   &peap->accept_vps, 0, 0, TAG_ANY);
 333                 } else if (peap->use_tunneled_reply) {
 334                         RDEBUG2("No saved attributes in the original Access-Accept");
 335                 }
 336
 337                 /*
 338                  *      Success: Automatically return MPPE keys.
 339                  */
 340                 return eaptls_success(handler, 0);
 341
 342                 /*
 343                  *      No response packet, MUST be proxying it.
 344                  *      The main EAP module will take care of discovering
 345                  *      that the request now has a "proxy" packet, and
 346                  *      will proxy it, rather than returning an EAP packet.
 347                  */
 348         case RLM_MODULE_UPDATED:
 349 #ifdef WITH_PROXY
 350                 rad_assert(handler->request->proxy != NULL);
 351 #endif
 352                 return 1;
 353
 354         default:
 355                 break;
 356         }
 357
 358         eaptls_fail(handler, 0);
 359         return 0;
 360 }
 361
 362
 363 /*
 364  *      The module name should be the only globally exported symbol.
 365  *      That is, everything else should be 'static'.
 366  */
 367 extern rlm_eap_module_t rlm_eap_peap;
 368 rlm_eap_module_t rlm_eap_peap = {
 369         .name           = "eap_peap",
 370         .instantiate    = mod_instantiate,      /* Create new submodule instance */
 371         .session_init   = mod_session_init,     /* Initialise a new EAP session */
 372         .process        = mod_process           /* Process next round of EAP method */
 373 };