src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

   1 /*
   2  * rlm_eap_ttls.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_ttls.h"
  29
  30
  31 typedef struct rlm_eap_ttls_t {
  32         /*
  33          *      Default tunneled EAP type
  34          */
  35         char    *default_eap_type_name;
  36         int     default_eap_type;
  37
  38         /*
  39          *      Use the reply attributes from the tunneled session in
  40          *      the non-tunneled reply to the client.
  41          */
  42         int     use_tunneled_reply;
  43
  44         /*
  45          *      Use SOME of the request attributes from outside of the
  46          *      tunneled session in the tunneled request
  47          */
  48         int     copy_request_to_tunnel;
  49 } rlm_eap_ttls_t;
  50
  51
  52 static CONF_PARSER module_config[] = {
  53         { "default_eap_type", PW_TYPE_STRING_PTR,
  54           offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
  55
  56         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  57           offsetof(rlm_eap_ttls_t, copy_request_to_tunnel), NULL, "no" },
  58
  59         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  60           offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
  61
  62         { NULL, -1, 0, NULL, NULL }           /* end the list */
  63 };
  64
  65 /*
  66  *      Detach the module.
  67  */
  68 static int eapttls_detach(void *arg)
  69 {
  70         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
  71
  72
  73         free(inst);
  74
  75         return 0;
  76 }
  77
  78 /*
  79  *      Attach the module.
  80  */
  81 static int eapttls_attach(CONF_SECTION *cs, void **instance)
  82 {
  83         rlm_eap_ttls_t *inst;
  84
  85         inst = malloc(sizeof(*inst));
  86         if (!inst) {
  87                 radlog(L_ERR, "rlm_eap_ttls: out of memory");
  88                 return -1;
  89         }
  90         memset(inst, 0, sizeof(*inst));
  91
  92         /*
  93          *      Parse the configuration attributes.
  94          */
  95         if (cf_section_parse(cs, inst, module_config) < 0) {
  96                 eapttls_detach(inst);
  97                 return -1;
  98         }
  99
 100         /*
 101          *      Convert the name to an integer, to make it easier to
 102          *      handle.
 103          */
 104         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 105         if (inst->default_eap_type < 0) {
 106                 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
 107                        inst->default_eap_type_name);
 108                 eapttls_detach(inst);
 109                 return -1;
 110         }
 111
 112         /*
 113          *      Can't tunnel TLS inside of TLS, we don't like it.
 114          *
 115          *      More realistically, we haven't tested it, so we don't
 116          *      claim it works.
 117          */
 118         if ((inst->default_eap_type == PW_EAP_TLS) ||
 119             (inst->default_eap_type == PW_EAP_TTLS) ||
 120             (inst->default_eap_type == PW_EAP_PEAP)) {
 121                 radlog(L_ERR, "rlm_eap_ttls: Cannot tunnel EAP-Type/%s inside of TTLS",
 122                        inst->default_eap_type_name);
 123                 eapttls_detach(inst);
 124                 return -1;
 125         }
 126
 127         *instance = inst;
 128         return 0;
 129 }
 130
 131
 132 /*
 133  *      Free the TTLS per-session data
 134  */
 135 static void ttls_free(void *p)
 136 {
 137         ttls_tunnel_t *t = (ttls_tunnel_t *) p;
 138
 139         if (!t) return;
 140
 141         if (t->username) {
 142                 DEBUG2("  TTLS: Freeing handler for user %s",
 143                        t->username->vp_strvalue);
 144         }
 145
 146         pairfree(&t->username);
 147         pairfree(&t->state);
 148         pairfree(&t->reply);
 149         free(t);
 150 }
 151
 152
 153 /*
 154  *      Allocate the TTLS per-session data
 155  */
 156 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
 157 {
 158         ttls_tunnel_t *t;
 159
 160         t = rad_malloc(sizeof(*t));
 161         memset(t, 0, sizeof(*t));
 162
 163         t->default_eap_type = inst->default_eap_type;
 164         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 165         t->use_tunneled_reply = inst->use_tunneled_reply;
 166         return t;
 167 }
 168
 169
 170 /*
 171  *      Do authentication, by letting EAP-TLS do most of the work.
 172  */
 173 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 174 {
 175         int rcode;
 176         eaptls_status_t status;
 177         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
 178         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 179         ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
 180
 181         DEBUG2("  rlm_eap_ttls: Authenticate");
 182
 183         /*
 184          *      Process TLS layer until done.
 185          */
 186         status = eaptls_process(handler);
 187         DEBUG2("  eaptls_process returned %d\n", status);
 188         switch (status) {
 189                 /*
 190                  *      EAP-TLS handshake was successful, tell the
 191                  *      client to keep talking.
 192                  *
 193                  *      If this was EAP-TLS, we would just return
 194                  *      an EAP-TLS-Success packet here.
 195                  */
 196         case EAPTLS_SUCCESS:
 197                 if (t->authenticated) {
 198                         if (t->reply) {
 199                                 pairadd(&handler->request->reply->vps, t->reply);
 200                                 t->reply = NULL;
 201                         }
 202                         eaptls_success(handler->eap_ds, 0);
 203                         eaptls_gen_mppe_keys(&handler->request->reply->vps,
 204                                              tls_session->ssl,
 205                                              "ttls keying material");
 206                 } else {
 207                         eaptls_request(handler->eap_ds, tls_session);
 208                 }
 209                 return 1;
 210
 211                 /*
 212                  *      The TLS code is still working on the TLS
 213                  *      exchange, and it's a valid TLS request.
 214                  *      do nothing.
 215                  */
 216         case EAPTLS_HANDLED:
 217                 return 1;
 218
 219                 /*
 220                  *      Handshake is done, proceed with decoding tunneled
 221                  *      data.
 222                  */
 223         case EAPTLS_OK:
 224                 break;
 225
 226                 /*
 227                  *      Anything else: fail.
 228                  */
 229         default:
 230                 return 0;
 231         }
 232
 233         /*
 234          *      Session is established, proceed with decoding
 235          *      tunneled data.
 236          */
 237         DEBUG2("  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.");
 238
 239         /*
 240          *      We may need TTLS data associated with the session, so
 241          *      allocate it here, if it wasn't already alloacted.
 242          */
 243         if (!tls_session->opaque) {
 244                 tls_session->opaque = ttls_alloc(inst);
 245                 tls_session->free_opaque = ttls_free;
 246         }
 247
 248         /*
 249          *      Process the TTLS portion of the request.
 250          */
 251         rcode = eapttls_process(handler, tls_session);
 252         switch (rcode) {
 253         case PW_AUTHENTICATION_REJECT:
 254                 eaptls_fail(handler->eap_ds, 0);
 255                 return 0;
 256
 257                 /*
 258                  *      Access-Challenge, continue tunneled conversation.
 259                  */
 260         case PW_ACCESS_CHALLENGE:
 261                 eaptls_request(handler->eap_ds, tls_session);
 262                 return 1;
 263
 264                 /*
 265                  *      Success: Return MPPE keys.
 266                  */
 267         case PW_AUTHENTICATION_ACK:
 268                 eaptls_success(handler->eap_ds, 0);
 269                 eaptls_gen_mppe_keys(&handler->request->reply->vps,
 270                                      tls_session->ssl,
 271                                      "ttls keying material");
 272                 return 1;
 273
 274                 /*
 275                  *      No response packet, MUST be proxying it.
 276                  *      The main EAP module will take care of discovering
 277                  *      that the request now has a "proxy" packet, and
 278                  *      will proxy it, rather than returning an EAP packet.
 279                  */
 280         case PW_STATUS_CLIENT:
 281                 rad_assert(handler->request->proxy != NULL);
 282                 return 1;
 283                 break;
 284
 285         default:
 286                 break;
 287         }
 288
 289         /*
 290          *      Something we don't understand: Reject it.
 291          */
 292         eaptls_fail(handler->eap_ds, 0);
 293         return 0;
 294 }
 295
 296 /*
 297  *      The module name should be the only globally exported symbol.
 298  *      That is, everything else should be 'static'.
 299  */
 300 EAP_TYPE rlm_eap_ttls = {
 301         "eap_ttls",
 302         eapttls_attach,                 /* attach */
 303         /*
 304          *      Note! There is NO eapttls_initate() function, as the
 305          *      main EAP module takes care of calling
 306          *      eaptls_initiate().
 307          *
 308          *      This is because TTLS is a protocol on top of TLS, so
 309          *      before we need to do TTLS, we've got to initiate a TLS
 310          *      session.
 311          */
 312         NULL,                           /* Start the initial request */
 313         NULL,                           /* authorization */
 314         eapttls_authenticate,           /* authentication */
 315         eapttls_detach                  /* detach */
 316 };