src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

   1 /*
   2  * rlm_eap_ttls.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_ttls.h"
  29
  30
  31 typedef struct rlm_eap_ttls_t {
  32         /*
  33          *      Default tunneled EAP type
  34          */
  35         char    *default_eap_type_name;
  36         int     default_eap_type;
  37
  38         /*
  39          *      Use the reply attributes from the tunneled session in
  40          *      the non-tunneled reply to the client.
  41          */
  42         int     use_tunneled_reply;
  43
  44         /*
  45          *      Use SOME of the request attributes from outside of the
  46          *      tunneled session in the tunneled request
  47          */
  48         int     copy_request_to_tunnel;
  49
  50         /*
  51          *      Virtual server for inner tunnel session.
  52          */
  53         char    *virtual_server;
  54 } rlm_eap_ttls_t;
  55
  56
  57 static CONF_PARSER module_config[] = {
  58         { "default_eap_type", PW_TYPE_STRING_PTR,
  59           offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
  60
  61         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  62           offsetof(rlm_eap_ttls_t, copy_request_to_tunnel), NULL, "no" },
  63
  64         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  65           offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
  66
  67         { "virtual_server", PW_TYPE_STRING_PTR,
  68           offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
  69
  70         { NULL, -1, 0, NULL, NULL }           /* end the list */
  71 };
  72
  73 /*
  74  *      Detach the module.
  75  */
  76 static int eapttls_detach(void *arg)
  77 {
  78         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
  79
  80
  81         free(inst);
  82
  83         return 0;
  84 }
  85
  86 /*
  87  *      Attach the module.
  88  */
  89 static int eapttls_attach(CONF_SECTION *cs, void **instance)
  90 {
  91         rlm_eap_ttls_t *inst;
  92
  93         inst = malloc(sizeof(*inst));
  94         if (!inst) {
  95                 radlog(L_ERR, "rlm_eap_ttls: out of memory");
  96                 return -1;
  97         }
  98         memset(inst, 0, sizeof(*inst));
  99
 100         /*
 101          *      Parse the configuration attributes.
 102          */
 103         if (cf_section_parse(cs, inst, module_config) < 0) {
 104                 eapttls_detach(inst);
 105                 return -1;
 106         }
 107
 108         /*
 109          *      Convert the name to an integer, to make it easier to
 110          *      handle.
 111          */
 112         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 113         if (inst->default_eap_type < 0) {
 114                 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
 115                        inst->default_eap_type_name);
 116                 eapttls_detach(inst);
 117                 return -1;
 118         }
 119
 120         *instance = inst;
 121         return 0;
 122 }
 123
 124
 125 /*
 126  *      Free the TTLS per-session data
 127  */
 128 static void ttls_free(void *p)
 129 {
 130         ttls_tunnel_t *t = (ttls_tunnel_t *) p;
 131
 132         if (!t) return;
 133
 134         if (t->username) {
 135                 DEBUG2("rlm_eap_ttls: Freeing handler for user %s",
 136                        t->username->vp_strvalue);
 137         }
 138
 139         pairfree(&t->username);
 140         pairfree(&t->state);
 141         pairfree(&t->reply);
 142         free(t);
 143 }
 144
 145
 146 /*
 147  *      Allocate the TTLS per-session data
 148  */
 149 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
 150 {
 151         ttls_tunnel_t *t;
 152
 153         t = rad_malloc(sizeof(*t));
 154         memset(t, 0, sizeof(*t));
 155
 156         t->default_eap_type = inst->default_eap_type;
 157         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 158         t->use_tunneled_reply = inst->use_tunneled_reply;
 159         t->virtual_server = inst->virtual_server;
 160         return t;
 161 }
 162
 163
 164 /*
 165  *      Do authentication, by letting EAP-TLS do most of the work.
 166  */
 167 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 168 {
 169         int rcode;
 170         eaptls_status_t status;
 171         rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
 172         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 173         ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
 174         REQUEST *request = handler->request;
 175
 176         RDEBUG2("Authenticate");
 177
 178         /*
 179          *      Process TLS layer until done.
 180          */
 181         status = eaptls_process(handler);
 182         RDEBUG2("eaptls_process returned %d\n", status);
 183         switch (status) {
 184                 /*
 185                  *      EAP-TLS handshake was successful, tell the
 186                  *      client to keep talking.
 187                  *
 188                  *      If this was EAP-TLS, we would just return
 189                  *      an EAP-TLS-Success packet here.
 190                  */
 191         case EAPTLS_SUCCESS:
 192                 if (t && t->authenticated) {
 193                         if (t->reply) {
 194                                 pairmove(&handler->request->reply->vps,
 195                                          &t->reply);
 196                                 pairfree(&t->reply);
 197                         }
 198                         eaptls_success(handler->eap_ds, 0);
 199                         eaptls_gen_mppe_keys(&handler->request->reply->vps,
 200                                              tls_session->ssl,
 201                                              "ttls keying material");
 202                 } else {
 203                         eaptls_request(handler->eap_ds, tls_session);
 204                 }
 205                 return 1;
 206
 207                 /*
 208                  *      The TLS code is still working on the TLS
 209                  *      exchange, and it's a valid TLS request.
 210                  *      do nothing.
 211                  */
 212         case EAPTLS_HANDLED:
 213                 return 1;
 214
 215                 /*
 216                  *      Handshake is done, proceed with decoding tunneled
 217                  *      data.
 218                  */
 219         case EAPTLS_OK:
 220                 break;
 221
 222                 /*
 223                  *      Anything else: fail.
 224                  */
 225         default:
 226                 return 0;
 227         }
 228
 229         /*
 230          *      Session is established, proceed with decoding
 231          *      tunneled data.
 232          */
 233         RDEBUG2("Session established.  Proceeding to decode tunneled attributes.");
 234
 235         /*
 236          *      We may need TTLS data associated with the session, so
 237          *      allocate it here, if it wasn't already alloacted.
 238          */
 239         if (!tls_session->opaque) {
 240                 tls_session->opaque = ttls_alloc(inst);
 241                 tls_session->free_opaque = ttls_free;
 242         }
 243
 244         /*
 245          *      Process the TTLS portion of the request.
 246          */
 247         rcode = eapttls_process(handler, tls_session);
 248         switch (rcode) {
 249         case PW_AUTHENTICATION_REJECT:
 250                 eaptls_fail(handler->eap_ds, 0);
 251                 return 0;
 252
 253                 /*
 254                  *      Access-Challenge, continue tunneled conversation.
 255                  */
 256         case PW_ACCESS_CHALLENGE:
 257                 eaptls_request(handler->eap_ds, tls_session);
 258                 return 1;
 259
 260                 /*
 261                  *      Success: Return MPPE keys.
 262                  */
 263         case PW_AUTHENTICATION_ACK:
 264                 eaptls_success(handler->eap_ds, 0);
 265                 eaptls_gen_mppe_keys(&handler->request->reply->vps,
 266                                      tls_session->ssl,
 267                                      "ttls keying material");
 268                 return 1;
 269
 270                 /*
 271                  *      No response packet, MUST be proxying it.
 272                  *      The main EAP module will take care of discovering
 273                  *      that the request now has a "proxy" packet, and
 274                  *      will proxy it, rather than returning an EAP packet.
 275                  */
 276         case PW_STATUS_CLIENT:
 277                 rad_assert(handler->request->proxy != NULL);
 278                 return 1;
 279                 break;
 280
 281         default:
 282                 break;
 283         }
 284
 285         /*
 286          *      Something we don't understand: Reject it.
 287          */
 288         eaptls_fail(handler->eap_ds, 0);
 289         return 0;
 290 }
 291
 292 /*
 293  *      The module name should be the only globally exported symbol.
 294  *      That is, everything else should be 'static'.
 295  */
 296 EAP_TYPE rlm_eap_ttls = {
 297         "eap_ttls",
 298         eapttls_attach,                 /* attach */
 299         /*
 300          *      Note! There is NO eapttls_initate() function, as the
 301          *      main EAP module takes care of calling
 302          *      eaptls_initiate().
 303          *
 304          *      This is because TTLS is a protocol on top of TLS, so
 305          *      before we need to do TTLS, we've got to initiate a TLS
 306          *      session.
 307          */
 308         NULL,                           /* Start the initial request */
 309         NULL,                           /* authorization */
 310         eapttls_authenticate,           /* authentication */
 311         eapttls_detach                  /* detach */
 312 };