src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

   1 /*
   2  * rlm_eap_ttls.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_ttls.h"
  29
  30
  31 typedef struct rlm_eap_ttls_t {
  32         /*
  33          *      Default tunneled EAP type
  34          */
  35         char    *default_eap_type_name;
  36         int     default_eap_type;
  37
  38         /*
  39          *      Use the reply attributes from the tunneled session in
  40          *      the non-tunneled reply to the client.
  41          */
  42         int     use_tunneled_reply;
  43
  44         /*
  45          *      Use SOME of the request attributes from outside of the
  46          *      tunneled session in the tunneled request
  47          */
  48         int     copy_request_to_tunnel;
  49
  50         /*
  51          *      Virtual server for inner tunnel session.
  52          */
  53         char    *virtual_server;
  54 } rlm_eap_ttls_t;
  55
  56
  57 static CONF_PARSER module_config[] = {
  58         { "default_eap_type", PW_TYPE_STRING_PTR,
  59           offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
  60
  61         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  62           offsetof(rlm_eap_ttls_t, copy_request_to_tunnel), NULL, "no" },
  63
  64         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  65           offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
  66
  67         { "virtual_server", PW_TYPE_STRING_PTR,
  68           offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
  69
  70         { NULL, -1, 0, NULL, NULL }           /* end the list */
  71 };
  72
  73 /*
  74  *      Detach the module.
  75  */
  76 static int eapttls_detach(void *arg)
  77 {
  78         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
  79
  80
  81         free(inst);
  82
  83         return 0;
  84 }
  85
  86 /*
  87  *      Attach the module.
  88  */
  89 static int eapttls_attach(CONF_SECTION *cs, void **instance)
  90 {
  91         rlm_eap_ttls_t *inst;
  92
  93         inst = malloc(sizeof(*inst));
  94         if (!inst) {
  95                 radlog(L_ERR, "rlm_eap_ttls: out of memory");
  96                 return -1;
  97         }
  98         memset(inst, 0, sizeof(*inst));
  99
 100         /*
 101          *      Parse the configuration attributes.
 102          */
 103         if (cf_section_parse(cs, inst, module_config) < 0) {
 104                 eapttls_detach(inst);
 105                 return -1;
 106         }
 107
 108         /*
 109          *      Convert the name to an integer, to make it easier to
 110          *      handle.
 111          */
 112         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 113         if (inst->default_eap_type < 0) {
 114                 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
 115                        inst->default_eap_type_name);
 116                 eapttls_detach(inst);
 117                 return -1;
 118         }
 119
 120         /*
 121          *      Can't tunnel TLS inside of TLS, we don't like it.
 122          *
 123          *      More realistically, we haven't tested it, so we don't
 124          *      claim it works.
 125          */
 126         if ((inst->default_eap_type == PW_EAP_TLS) ||
 127             (inst->default_eap_type == PW_EAP_TTLS) ||
 128             (inst->default_eap_type == PW_EAP_PEAP)) {
 129                 radlog(L_ERR, "rlm_eap_ttls: Cannot tunnel EAP-Type/%s inside of TTLS",
 130                        inst->default_eap_type_name);
 131                 eapttls_detach(inst);
 132                 return -1;
 133         }
 134
 135         *instance = inst;
 136         return 0;
 137 }
 138
 139
 140 /*
 141  *      Free the TTLS per-session data
 142  */
 143 static void ttls_free(void *p)
 144 {
 145         ttls_tunnel_t *t = (ttls_tunnel_t *) p;
 146
 147         if (!t) return;
 148
 149         if (t->username) {
 150                 DEBUG2("  TTLS: Freeing handler for user %s",
 151                        t->username->vp_strvalue);
 152         }
 153
 154         pairfree(&t->username);
 155         pairfree(&t->state);
 156         pairfree(&t->reply);
 157         free(t);
 158 }
 159
 160
 161 /*
 162  *      Allocate the TTLS per-session data
 163  */
 164 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
 165 {
 166         ttls_tunnel_t *t;
 167
 168         t = rad_malloc(sizeof(*t));
 169         memset(t, 0, sizeof(*t));
 170
 171         t->default_eap_type = inst->default_eap_type;
 172         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 173         t->use_tunneled_reply = inst->use_tunneled_reply;
 174         t->virtual_server = inst->virtual_server;
 175         return t;
 176 }
 177
 178
 179 /*
 180  *      Do authentication, by letting EAP-TLS do most of the work.
 181  */
 182 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 183 {
 184         int rcode;
 185         eaptls_status_t status;
 186         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
 187         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 188         ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
 189
 190         DEBUG2("  rlm_eap_ttls: Authenticate");
 191
 192         /*
 193          *      Process TLS layer until done.
 194          */
 195         status = eaptls_process(handler);
 196         DEBUG2("  eaptls_process returned %d\n", status);
 197         switch (status) {
 198                 /*
 199                  *      EAP-TLS handshake was successful, tell the
 200                  *      client to keep talking.
 201                  *
 202                  *      If this was EAP-TLS, we would just return
 203                  *      an EAP-TLS-Success packet here.
 204                  */
 205         case EAPTLS_SUCCESS:
 206                 if (t->authenticated) {
 207                         if (t->reply) {
 208                                 pairadd(&handler->request->reply->vps, t->reply);
 209                                 t->reply = NULL;
 210                         }
 211                         eaptls_success(handler->eap_ds, 0);
 212                         eaptls_gen_mppe_keys(&handler->request->reply->vps,
 213                                              tls_session->ssl,
 214                                              "ttls keying material");
 215                 } else {
 216                         eaptls_request(handler->eap_ds, tls_session);
 217                 }
 218                 return 1;
 219
 220                 /*
 221                  *      The TLS code is still working on the TLS
 222                  *      exchange, and it's a valid TLS request.
 223                  *      do nothing.
 224                  */
 225         case EAPTLS_HANDLED:
 226                 return 1;
 227
 228                 /*
 229                  *      Handshake is done, proceed with decoding tunneled
 230                  *      data.
 231                  */
 232         case EAPTLS_OK:
 233                 break;
 234
 235                 /*
 236                  *      Anything else: fail.
 237                  */
 238         default:
 239                 return 0;
 240         }
 241
 242         /*
 243          *      Session is established, proceed with decoding
 244          *      tunneled data.
 245          */
 246         DEBUG2("  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.");
 247
 248         /*
 249          *      We may need TTLS data associated with the session, so
 250          *      allocate it here, if it wasn't already alloacted.
 251          */
 252         if (!tls_session->opaque) {
 253                 tls_session->opaque = ttls_alloc(inst);
 254                 tls_session->free_opaque = ttls_free;
 255         }
 256
 257         /*
 258          *      Process the TTLS portion of the request.
 259          */
 260         rcode = eapttls_process(handler, tls_session);
 261         switch (rcode) {
 262         case PW_AUTHENTICATION_REJECT:
 263                 eaptls_fail(handler->eap_ds, 0);
 264                 return 0;
 265
 266                 /*
 267                  *      Access-Challenge, continue tunneled conversation.
 268                  */
 269         case PW_ACCESS_CHALLENGE:
 270                 eaptls_request(handler->eap_ds, tls_session);
 271                 return 1;
 272
 273                 /*
 274                  *      Success: Return MPPE keys.
 275                  */
 276         case PW_AUTHENTICATION_ACK:
 277                 eaptls_success(handler->eap_ds, 0);
 278                 eaptls_gen_mppe_keys(&handler->request->reply->vps,
 279                                      tls_session->ssl,
 280                                      "ttls keying material");
 281                 return 1;
 282
 283                 /*
 284                  *      No response packet, MUST be proxying it.
 285                  *      The main EAP module will take care of discovering
 286                  *      that the request now has a "proxy" packet, and
 287                  *      will proxy it, rather than returning an EAP packet.
 288                  */
 289         case PW_STATUS_CLIENT:
 290                 rad_assert(handler->request->proxy != NULL);
 291                 return 1;
 292                 break;
 293
 294         default:
 295                 break;
 296         }
 297
 298         /*
 299          *      Something we don't understand: Reject it.
 300          */
 301         eaptls_fail(handler->eap_ds, 0);
 302         return 0;
 303 }
 304
 305 /*
 306  *      The module name should be the only globally exported symbol.
 307  *      That is, everything else should be 'static'.
 308  */
 309 EAP_TYPE rlm_eap_ttls = {
 310         "eap_ttls",
 311         eapttls_attach,                 /* attach */
 312         /*
 313          *      Note! There is NO eapttls_initate() function, as the
 314          *      main EAP module takes care of calling
 315          *      eaptls_initiate().
 316          *
 317          *      This is because TTLS is a protocol on top of TLS, so
 318          *      before we need to do TTLS, we've got to initiate a TLS
 319          *      session.
 320          */
 321         NULL,                           /* Start the initial request */
 322         NULL,                           /* authorization */
 323         eapttls_authenticate,           /* authentication */
 324         eapttls_detach                  /* detach */
 325 };