2 * rlm_eap_ttls.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
21 * Copyright 2006 The FreeRADIUS server project
25 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29 typedef struct rlm_eap_ttls_t {
33 char const *tls_conf_name;
34 fr_tls_server_conf_t *tls_conf;
37 * Default tunneled EAP type
39 char const *default_method_name;
43 * Use the reply attributes from the tunneled session in
44 * the non-tunneled reply to the client.
46 bool use_tunneled_reply;
49 * Use SOME of the request attributes from outside of the
50 * tunneled session in the tunneled request
52 bool copy_request_to_tunnel;
55 * RFC 5281 (TTLS) says that the length field MUST NOT be
56 * in fragments after the first one. However, we've done
57 * it that way for years, and no one has complained.
59 * In the interests of allowing the server to follow the
60 * RFC, we add the option here. If set to "no", it sends
61 * the length field in ONLY the first fragment.
66 * Virtual server for inner tunnel session.
68 char const *virtual_server;
71 * Do we do require a client cert?
77 static CONF_PARSER module_config[] = {
78 { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_ttls_t, tls_conf_name), NULL },
79 { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_ttls_t, default_method_name), "md5" },
80 { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_ttls_t, copy_request_to_tunnel), "no" },
81 { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_ttls_t, use_tunneled_reply), "no" },
82 { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_ttls_t, virtual_server), NULL },
83 { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_ttls_t, include_length), "yes" },
84 { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_ttls_t, req_client_cert), "no" },
85 CONF_PARSER_TERMINATOR
92 static int mod_instantiate(CONF_SECTION *cs, void **instance)
96 *instance = inst = talloc_zero(cs, rlm_eap_ttls_t);
100 * Parse the configuration attributes.
102 if (cf_section_parse(cs, inst, module_config) < 0) {
107 * Convert the name to an integer, to make it easier to
110 inst->default_method = eap_name2type(inst->default_method_name);
111 if (inst->default_method < 0) {
112 ERROR("rlm_eap_ttls: Unknown EAP type %s",
113 inst->default_method_name);
118 * Read tls configuration, either from group given by 'tls'
119 * option, or from the eap-tls configuration.
121 inst->tls_conf = eaptls_conf_parse(cs, "tls");
123 if (!inst->tls_conf) {
124 ERROR("rlm_eap_ttls: Failed initializing SSL context");
132 * Allocate the TTLS per-session data
134 static ttls_tunnel_t *ttls_alloc(TALLOC_CTX *ctx, rlm_eap_ttls_t *inst)
138 t = talloc_zero(ctx, ttls_tunnel_t);
140 t->default_method = inst->default_method;
141 t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
142 t->use_tunneled_reply = inst->use_tunneled_reply;
143 t->virtual_server = inst->virtual_server;
149 * Send an initial eap-tls request to the peer, using the libeap functions.
151 static int mod_session_init(void *type_arg, eap_handler_t *handler)
155 rlm_eap_ttls_t *inst;
158 REQUEST *request = handler->request;
165 * Check if we need a client certificate.
169 * EAP-TLS-Require-Client-Cert attribute will override
170 * the require_client_cert configuration option.
172 vp = fr_pair_find_by_num(handler->request->config, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
174 client_cert = vp->vp_integer ? true : false;
176 client_cert = inst->req_client_cert;
179 ssn = eaptls_session(handler, inst->tls_conf, client_cert);
184 handler->opaque = ((void *)ssn);
187 * Set up type-specific information.
189 ssn->prf_label = "ttls keying material";
192 * TLS session initialization is over. Now handle TLS
193 * related handshaking or application data.
195 status = eaptls_start(handler->eap_ds, ssn->peap_flag);
196 if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
197 REDEBUG("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
199 RDEBUG2("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
201 if (status == 0) return 0;
204 * The next stage to process the packet.
206 handler->stage = PROCESS;
213 * Do authentication, by letting EAP-TLS do most of the work.
215 static int mod_process(void *arg, eap_handler_t *handler)
218 fr_tls_status_t status;
219 rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
220 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
221 ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
222 REQUEST *request = handler->request;
224 RDEBUG2("Authenticate");
226 tls_session->length_flag = inst->include_length;
229 * Process TLS layer until done.
231 status = eaptls_process(handler);
232 if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
233 REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
235 RDEBUG2("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
240 * EAP-TLS handshake was successful, tell the
241 * client to keep talking.
243 * If this was EAP-TLS, we would just return
244 * an EAP-TLS-Success packet here.
247 if (SSL_session_reused(tls_session->ssl)) {
248 RDEBUG("Skipping Phase2 due to session resumption");
252 if (t && t->authenticated) {
254 RDEBUG2("Using saved attributes from the original Access-Accept");
255 rdebug_pair_list(L_DBG_LVL_2, request, t->accept_vps, NULL);
256 fr_pair_list_mcopy_by_num(handler->request->reply,
257 &handler->request->reply->vps,
258 &t->accept_vps, 0, 0, TAG_ANY);
259 } else if (t->use_tunneled_reply) {
260 RDEBUG2("No saved attributes in the original Access-Accept");
265 * Success: Automatically return MPPE keys.
267 return eaptls_success(handler, 0);
269 eaptls_request(handler->eap_ds, tls_session);
274 * The TLS code is still working on the TLS
275 * exchange, and it's a valid TLS request.
282 * Handshake is done, proceed with decoding tunneled
289 * Anything else: fail.
296 * Session is established, proceed with decoding
299 RDEBUG2("Session established. Proceeding to decode tunneled attributes");
302 * We may need TTLS data associated with the session, so
303 * allocate it here, if it wasn't already alloacted.
305 if (!tls_session->opaque) {
306 tls_session->opaque = ttls_alloc(tls_session, inst);
310 * Process the TTLS portion of the request.
312 rcode = eapttls_process(handler, tls_session);
314 case PW_CODE_ACCESS_REJECT:
315 eaptls_fail(handler, 0);
319 * Access-Challenge, continue tunneled conversation.
321 case PW_CODE_ACCESS_CHALLENGE:
322 eaptls_request(handler->eap_ds, tls_session);
326 * Success: Automatically return MPPE keys.
328 case PW_CODE_ACCESS_ACCEPT:
329 return eaptls_success(handler, 0);
332 * No response packet, MUST be proxying it.
333 * The main EAP module will take care of discovering
334 * that the request now has a "proxy" packet, and
335 * will proxy it, rather than returning an EAP packet.
337 case PW_CODE_STATUS_CLIENT:
339 rad_assert(handler->request->proxy != NULL);
348 * Something we don't understand: Reject it.
350 eaptls_fail(handler, 0);
355 * The module name should be the only globally exported symbol.
356 * That is, everything else should be 'static'.
358 extern rlm_eap_module_t rlm_eap_ttls;
359 rlm_eap_module_t rlm_eap_ttls = {
361 .instantiate = mod_instantiate, /* Create new submodule instance */
362 .session_init = mod_session_init, /* Initialise a new EAP session */
363 .process = mod_process /* Process next round of EAP method */