src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

   1 /*
   2  * rlm_eap_ttls.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_ttls.h"
  29
  30
  31 typedef struct rlm_eap_ttls_t {
  32         /*
  33          *      Default tunneled EAP type
  34          */
  35         char    *default_eap_type_name;
  36         int     default_eap_type;
  37
  38         /*
  39          *      Use the reply attributes from the tunneled session in
  40          *      the non-tunneled reply to the client.
  41          */
  42         int     use_tunneled_reply;
  43
  44         /*
  45          *      Use SOME of the request attributes from outside of the
  46          *      tunneled session in the tunneled request
  47          */
  48         int     copy_request_to_tunnel;
  49
  50         /*
  51          *      Virtual server for inner tunnel session.
  52          */
  53         char    *virtual_server;
  54 } rlm_eap_ttls_t;
  55
  56
  57 static CONF_PARSER module_config[] = {
  58         { "default_eap_type", PW_TYPE_STRING_PTR,
  59           offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
  60
  61         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  62           offsetof(rlm_eap_ttls_t, copy_request_to_tunnel), NULL, "no" },
  63
  64         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  65           offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
  66
  67         { "virtual_server", PW_TYPE_STRING_PTR,
  68           offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
  69
  70         { NULL, -1, 0, NULL, NULL }           /* end the list */
  71 };
  72
  73 /*
  74  *      Detach the module.
  75  */
  76 static int eapttls_detach(void *arg)
  77 {
  78         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
  79
  80
  81         free(inst);
  82
  83         return 0;
  84 }
  85
  86 /*
  87  *      Attach the module.
  88  */
  89 static int eapttls_attach(CONF_SECTION *cs, void **instance)
  90 {
  91         rlm_eap_ttls_t *inst;
  92
  93         inst = malloc(sizeof(*inst));
  94         if (!inst) {
  95                 radlog(L_ERR, "rlm_eap_ttls: out of memory");
  96                 return -1;
  97         }
  98         memset(inst, 0, sizeof(*inst));
  99
 100         /*
 101          *      Parse the configuration attributes.
 102          */
 103         if (cf_section_parse(cs, inst, module_config) < 0) {
 104                 eapttls_detach(inst);
 105                 return -1;
 106         }
 107
 108         /*
 109          *      Convert the name to an integer, to make it easier to
 110          *      handle.
 111          */
 112         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 113         if (inst->default_eap_type < 0) {
 114                 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
 115                        inst->default_eap_type_name);
 116                 eapttls_detach(inst);
 117                 return -1;
 118         }
 119
 120         *instance = inst;
 121         return 0;
 122 }
 123
 124
 125 /*
 126  *      Free the TTLS per-session data
 127  */
 128 static void ttls_free(void *p)
 129 {
 130         ttls_tunnel_t *t = (ttls_tunnel_t *) p;
 131
 132         if (!t) return;
 133
 134         if (t->username) {
 135                 DEBUG2("rlm_eap_ttls: Freeing handler for user %s",
 136                        t->username->vp_strvalue);
 137         }
 138
 139         pairfree(&t->username);
 140         pairfree(&t->state);
 141         pairfree(&t->reply);
 142         free(t);
 143 }
 144
 145
 146 /*
 147  *      Allocate the TTLS per-session data
 148  */
 149 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
 150 {
 151         ttls_tunnel_t *t;
 152
 153         t = rad_malloc(sizeof(*t));
 154         memset(t, 0, sizeof(*t));
 155
 156         t->default_eap_type = inst->default_eap_type;
 157         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 158         t->use_tunneled_reply = inst->use_tunneled_reply;
 159         t->virtual_server = inst->virtual_server;
 160         return t;
 161 }
 162
 163
 164 /*
 165  *      Do authentication, by letting EAP-TLS do most of the work.
 166  */
 167 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 168 {
 169         int rcode;
 170         eaptls_status_t status;
 171         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
 172         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 173         ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
 174         REQUEST *request = handler->request;
 175
 176         RDEBUG2("Authenticate");
 177
 178         /*
 179          *      Process TLS layer until done.
 180          */
 181         status = eaptls_process(handler);
 182         RDEBUG2("eaptls_process returned %d\n", status);
 183         switch (status) {
 184                 /*
 185                  *      EAP-TLS handshake was successful, tell the
 186                  *      client to keep talking.
 187                  *
 188                  *      If this was EAP-TLS, we would just return
 189                  *      an EAP-TLS-Success packet here.
 190                  */
 191         case EAPTLS_SUCCESS:
 192                 if (SSL_session_reused(tls_session->ssl)) {
 193                         RDEBUG("Skipping Phase2 due to session resumption");
 194                         goto do_keys;
 195                 }
 196
 197                 if (t && t->authenticated) {
 198                         if (t->reply) {
 199                                 pairmove(&handler->request->reply->vps,
 200                                          &t->reply);
 201                                 pairfree(&t->reply);
 202                         }
 203                 do_keys:
 204                         /*
 205                          *      Success: Automatically return MPPE keys.
 206                          */
 207                         eaptls_success(handler, 0);
 208                 } else {
 209                         eaptls_request(handler->eap_ds, tls_session);
 210                 }
 211                 return 1;
 212
 213                 /*
 214                  *      The TLS code is still working on the TLS
 215                  *      exchange, and it's a valid TLS request.
 216                  *      do nothing.
 217                  */
 218         case EAPTLS_HANDLED:
 219                 return 1;
 220
 221                 /*
 222                  *      Handshake is done, proceed with decoding tunneled
 223                  *      data.
 224                  */
 225         case EAPTLS_OK:
 226                 break;
 227
 228                 /*
 229                  *      Anything else: fail.
 230                  */
 231         default:
 232                 return 0;
 233         }
 234
 235         /*
 236          *      Session is established, proceed with decoding
 237          *      tunneled data.
 238          */
 239         RDEBUG2("Session established.  Proceeding to decode tunneled attributes.");
 240
 241         /*
 242          *      We may need TTLS data associated with the session, so
 243          *      allocate it here, if it wasn't already alloacted.
 244          */
 245         if (!tls_session->opaque) {
 246                 tls_session->opaque = ttls_alloc(inst);
 247                 tls_session->free_opaque = ttls_free;
 248         }
 249
 250         /*
 251          *      Process the TTLS portion of the request.
 252          */
 253         rcode = eapttls_process(handler, tls_session);
 254         switch (rcode) {
 255         case PW_AUTHENTICATION_REJECT:
 256                 eaptls_fail(handler, 0);
 257                 return 0;
 258
 259                 /*
 260                  *      Access-Challenge, continue tunneled conversation.
 261                  */
 262         case PW_ACCESS_CHALLENGE:
 263                 eaptls_request(handler->eap_ds, tls_session);
 264                 return 1;
 265
 266                 /*
 267                  *      Success: Automatically return MPPE keys.
 268                  */
 269         case PW_AUTHENTICATION_ACK:
 270                 eaptls_success(handler, 0);
 271                 return 1;
 272
 273                 /*
 274                  *      No response packet, MUST be proxying it.
 275                  *      The main EAP module will take care of discovering
 276                  *      that the request now has a "proxy" packet, and
 277                  *      will proxy it, rather than returning an EAP packet.
 278                  */
 279         case PW_STATUS_CLIENT:
 280                 rad_assert(handler->request->proxy != NULL);
 281                 return 1;
 282                 break;
 283
 284         default:
 285                 break;
 286         }
 287
 288         /*
 289          *      Something we don't understand: Reject it.
 290          */
 291         eaptls_fail(handler, 0);
 292         return 0;
 293 }
 294
 295 /*
 296  *      The module name should be the only globally exported symbol.
 297  *      That is, everything else should be 'static'.
 298  */
 299 EAP_TYPE rlm_eap_ttls = {
 300         "eap_ttls",
 301         eapttls_attach,                 /* attach */
 302         /*
 303          *      Note! There is NO eapttls_initate() function, as the
 304          *      main EAP module takes care of calling
 305          *      eaptls_initiate().
 306          *
 307          *      This is because TTLS is a protocol on top of TLS, so
 308          *      before we need to do TTLS, we've got to initiate a TLS
 309          *      session.
 310          */
 311         NULL,                           /* Start the initial request */
 312         NULL,                           /* authorization */
 313         eapttls_authenticate,           /* authentication */
 314         eapttls_detach                  /* detach */
 315 };