* Copyright 2006 The FreeRADIUS server project
*/
-#include <freeradius-devel/ident.h>
RCSID("$Id$")
-#include <freeradius-devel/autoconf.h>
#include "eap_peap.h"
typedef struct rlm_eap_peap_t {
- /*
- * Default tunneled EAP type
- */
- char *default_eap_type_name;
- int default_eap_type;
+ char const *tls_conf_name; //!< TLS configuration.
+ fr_tls_server_conf_t *tls_conf;
+ char const *default_method_name; //!< Default tunneled EAP type.
+ int default_method;
+
+ char const *inner_eap_module; //!< module name for inner EAP
+ int auth_type_eap;
+ bool use_tunneled_reply; //!< Use the reply attributes from the tunneled session in
+ //!< the non-tunneled reply to the client.
+
+ bool copy_request_to_tunnel; //!< Use SOME of the request attributes from outside of the
+ //!< tunneled session in the tunneled request.
+#ifdef WITH_PROXY
+ bool proxy_tunneled_request_as_eap; //!< Proxy tunneled session as EAP, or as de-capsulated
+ //!< protocol.
+#endif
+ char const *virtual_server; //!< Virtual server for inner tunnel session.
+
+ bool soh; //!< Do we do SoH request?
+ char const *soh_virtual_server;
+ bool req_client_cert; //!< Do we do require a client cert?
+} rlm_eap_peap_t;
- /*
- * Use the reply attributes from the tunneled session in
- * the non-tunneled reply to the client.
- */
- int use_tunneled_reply;
- /*
- * Use SOME of the request attributes from outside of the
- * tunneled session in the tunneled request
- */
- int copy_request_to_tunnel;
+static CONF_PARSER module_config[] = {
+ { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, tls_conf_name), NULL },
- /*
- * Proxy tunneled session as EAP, or as de-capsulated
- * protocol.
- */
- int proxy_tunneled_request_as_eap;
-} rlm_eap_peap_t;
+ { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, default_method_name), "mschapv2" },
+ { "inner_eap_module", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, inner_eap_module), NULL },
-static CONF_PARSER module_config[] = {
- { "default_eap_type", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
+ { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, copy_request_to_tunnel), "no" },
- { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
+ { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, use_tunneled_reply), "no" },
- { "use_tunneled_reply", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
+#ifdef WITH_PROXY
+ { "proxy_tunneled_request_as_eap", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, proxy_tunneled_request_as_eap), "yes" },
+#endif
- { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
+ { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, virtual_server), NULL },
- { NULL, -1, 0, NULL, NULL } /* end the list */
-};
+ { "soh", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, soh), "no" },
-/*
- * Detach the module.
- */
-static int eappeap_detach(void *arg)
-{
- rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
+ { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, req_client_cert), "no" },
+ { "soh_virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, soh_virtual_server), NULL },
- free(inst);
+ CONF_PARSER_TERMINATOR
+};
- return 0;
-}
/*
* Attach the module.
*/
-static int eappeap_attach(CONF_SECTION *cs, void **instance)
+static int mod_instantiate(CONF_SECTION *cs, void **instance)
{
- rlm_eap_peap_t *inst;
+ rlm_eap_peap_t *inst;
+ DICT_VALUE const *dv;
- inst = malloc(sizeof(*inst));
- if (!inst) {
- radlog(L_ERR, "rlm_eap_peap: out of memory");
- return -1;
- }
- memset(inst, 0, sizeof(*inst));
+ *instance = inst = talloc_zero(cs, rlm_eap_peap_t);
+ if (!inst) return -1;
/*
* Parse the configuration attributes.
*/
if (cf_section_parse(cs, inst, module_config) < 0) {
- eappeap_detach(inst);
+ return -1;
+ }
+
+ if (!inst->virtual_server) {
+ ERROR("rlm_eap_peap: A 'virtual_server' MUST be defined for security");
return -1;
}
* Convert the name to an integer, to make it easier to
* handle.
*/
- inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
- if (inst->default_eap_type < 0) {
- radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
- inst->default_eap_type_name);
- eappeap_detach(inst);
+ inst->default_method = eap_name2type(inst->default_method_name);
+ if (inst->default_method < 0) {
+ ERROR("rlm_eap_peap: Unknown EAP type %s",
+ inst->default_method_name);
+ return -1;
+ }
+
+ /*
+ * Read tls configuration, either from group given by 'tls'
+ * option, or from the eap-tls configuration.
+ */
+ inst->tls_conf = eaptls_conf_parse(cs, "tls");
+
+ if (!inst->tls_conf) {
+ ERROR("rlm_eap_peap: Failed initializing SSL context");
return -1;
}
- *instance = inst;
+ /*
+ * Don't expose this if we don't need it.
+ */
+ if (!inst->inner_eap_module) inst->inner_eap_module = "eap";
+
+ dv = dict_valbyname(PW_AUTH_TYPE, 0, inst->inner_eap_module);
+ if (!dv) {
+ WARN("Failed to find 'Auth-Type %s' section in virtual server %s. The server cannot proxy inner-tunnel EAP packets.",
+ inst->inner_eap_module, inst->virtual_server);
+ } else {
+ inst->auth_type_eap = dv->value;
+ }
return 0;
}
/*
- * Free the PEAP per-session data
+ * Allocate the PEAP per-session data
*/
-static void peap_free(void *p)
+static peap_tunnel_t *peap_alloc(TALLOC_CTX *ctx, rlm_eap_peap_t *inst)
{
- peap_tunnel_t *t = (peap_tunnel_t *) p;
+ peap_tunnel_t *t;
- if (!t) return;
+ t = talloc_zero(ctx, peap_tunnel_t);
- pairfree(&t->username);
- pairfree(&t->state);
- pairfree(&t->accept_vps);
+ t->default_method = inst->default_method;
+ t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
+ t->use_tunneled_reply = inst->use_tunneled_reply;
+#ifdef WITH_PROXY
+ t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
+#endif
+ t->virtual_server = inst->virtual_server;
+ t->soh = inst->soh;
+ t->soh_virtual_server = inst->soh_virtual_server;
+ t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
- free(t);
+ return t;
}
-
/*
- * Free the PEAP per-session data
+ * Send an initial eap-tls request to the peer, using the libeap functions.
*/
-static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
+static int mod_session_init(void *type_arg, eap_handler_t *handler)
{
- peap_tunnel_t *t;
+ int status;
+ tls_session_t *ssn;
+ rlm_eap_peap_t *inst;
+ VALUE_PAIR *vp;
+ bool client_cert;
+ REQUEST *request = handler->request;
- t = rad_malloc(sizeof(*t));
- memset(t, 0, sizeof(*t));
+ inst = type_arg;
- t->default_eap_type = inst->default_eap_type;
- t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
- t->use_tunneled_reply = inst->use_tunneled_reply;
- t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
+ handler->tls = true;
- return t;
+ /*
+ * Check if we need a client certificate.
+ */
+
+ /*
+ * EAP-TLS-Require-Client-Cert attribute will override
+ * the require_client_cert configuration option.
+ */
+ vp = fr_pair_find_by_num(handler->request->config, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
+ if (vp) {
+ client_cert = vp->vp_integer ? true : false;
+ } else {
+ client_cert = inst->req_client_cert;
+ }
+
+ ssn = eaptls_session(handler, inst->tls_conf, client_cert);
+ if (!ssn) {
+ return 0;
+ }
+
+ handler->opaque = ((void *)ssn);
+
+ /*
+ * Set up type-specific information.
+ */
+ ssn->prf_label = "client EAP encryption";
+
+ /*
+ * As it is a poorly designed protocol, PEAP uses
+ * bits in the TLS header to indicate PEAP
+ * version numbers. For now, we only support
+ * PEAP version 0, so it doesn't matter too much.
+ * However, if we support later versions of PEAP,
+ * we will need this flag to indicate which
+ * version we're currently dealing with.
+ */
+ ssn->peap_flag = 0x00;
+
+ /*
+ * PEAP version 0 requires 'include_length = no',
+ * so rather than hoping the user figures it out,
+ * we force it here.
+ */
+ ssn->length_flag = false;
+
+ /*
+ * TLS session initialization is over. Now handle TLS
+ * related handshaking or application data.
+ */
+ status = eaptls_start(handler->eap_ds, ssn->peap_flag);
+ if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
+ REDEBUG("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
+ } else {
+ RDEBUG2("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
+ }
+ if (status == 0) return 0;
+
+ /*
+ * The next stage to process the packet.
+ */
+ handler->stage = PROCESS;
+
+ return 1;
}
/*
* Do authentication, by letting EAP-TLS do most of the work.
*/
-static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
+static int mod_process(void *arg, eap_handler_t *handler)
{
int rcode;
- eaptls_status_t status;
+ fr_tls_status_t status;
rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
+ peap_tunnel_t *peap = tls_session->opaque;
+ REQUEST *request = handler->request;
- DEBUG2(" rlm_eap_peap: Authenticate");
+ /*
+ * Session resumption requires the storage of data, so
+ * allocate it if it doesn't already exist.
+ */
+ if (!tls_session->opaque) {
+ peap = tls_session->opaque = peap_alloc(tls_session, inst);
+ }
+
+ /*
+ * Negotiate PEAP versions down.
+ */
+ if ((handler->eap_ds->response->type.data[0] & 0x03) < tls_session->peap_flag) {
+ tls_session->peap_flag = handler->eap_ds->response->type.data[0] & 0x03;
+ }
status = eaptls_process(handler);
- DEBUG2(" eaptls_process returned %d\n", status);
+ if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
+ REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
+ } else {
+ RDEBUG2("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
+ }
+
switch (status) {
- /*
- * EAP-TLS handshake was successful, tell the
- * client to keep talking.
- *
- * If this was EAP-TLS, we would just return
- * an EAP-TLS-Success packet here.
- */
- case EAPTLS_SUCCESS:
- {
- eap_packet_t eap_packet;
-
- eap_packet.code = PW_EAP_REQUEST;
- eap_packet.id = handler->eap_ds->response->id + 1;
- eap_packet.length[0] = 0;
- eap_packet.length[1] = EAP_HEADER_LEN + 1;
- eap_packet.data[0] = PW_EAP_IDENTITY;
-
- (tls_session->record_plus)(&tls_session->clean_in,
- &eap_packet, sizeof(eap_packet));
-
- tls_handshake_send(tls_session);
- (tls_session->record_init)(&tls_session->clean_in);
- }
- eaptls_request(handler->eap_ds, tls_session);
- DEBUG2(" rlm_eap_peap: EAPTLS_SUCCESS");
- return 1;
+ /*
+ * EAP-TLS handshake was successful, tell the
+ * client to keep talking.
+ *
+ * If this was EAP-TLS, we would just return
+ * an EAP-TLS-Success packet here.
+ */
+ case FR_TLS_SUCCESS:
+ peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
+ break;
+ /*
+ * The TLS code is still working on the TLS
+ * exchange, and it's a valid TLS request.
+ * do nothing.
+ */
+ case FR_TLS_HANDLED:
/*
- * The TLS code is still working on the TLS
- * exchange, and it's a valid TLS request.
- * do nothing.
+ * FIXME: If the SSL session is established, grab the state
+ * and EAP id from the inner tunnel, and update it with
+ * the expected EAP id!
*/
- case EAPTLS_HANDLED:
- DEBUG2(" rlm_eap_peap: EAPTLS_HANDLED");
return 1;
- /*
- * Handshake is done, proceed with decoding tunneled
- * data.
- */
- case EAPTLS_OK:
- DEBUG2(" rlm_eap_peap: EAPTLS_OK");
+ /*
+ * Handshake is done, proceed with decoding tunneled
+ * data.
+ */
+ case FR_TLS_OK:
break;
/*
* Anything else: fail.
*/
default:
- DEBUG2(" rlm_eap_peap: EAPTLS_OTHERS");
return 0;
}
* Session is established, proceed with decoding
* tunneled data.
*/
- DEBUG2(" rlm_eap_peap: Session established. Decoding tunneled attributes.");
+ RDEBUG2("Session established. Decoding tunneled attributes");
/*
* We may need PEAP data associated with the session, so
* allocate it here, if it wasn't already alloacted.
*/
if (!tls_session->opaque) {
- tls_session->opaque = peap_alloc(inst);
- tls_session->free_opaque = peap_free;
+ tls_session->opaque = peap_alloc(tls_session, inst);
}
/*
* Process the PEAP portion of the request.
*/
- rcode = eappeap_process(handler, tls_session);
+ rcode = eappeap_process(handler, tls_session, inst->auth_type_eap);
switch (rcode) {
case RLM_MODULE_REJECT:
- eaptls_fail(handler->eap_ds, 0);
+ eaptls_fail(handler, 0);
return 0;
case RLM_MODULE_HANDLED:
return 1;
case RLM_MODULE_OK:
- eaptls_success(handler->eap_ds, 0);
-
/*
* Move the saved VP's from the Access-Accept to
* our Access-Accept.
*/
- if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) {
- DEBUG2(" Using saved attributes from the original Access-Accept");
+ peap = tls_session->opaque;
+ if (peap->soh_reply_vps) {
+ RDEBUG2("Using saved attributes from the SoH reply");
+ rdebug_pair_list(L_DBG_LVL_2, request, peap->soh_reply_vps, NULL);
+ fr_pair_list_mcopy_by_num(handler->request->reply,
+ &handler->request->reply->vps,
+ &peap->soh_reply_vps, 0, 0, TAG_ANY);
+ }
+ if (peap->accept_vps) {
+ RDEBUG2("Using saved attributes from the original Access-Accept");
+ rdebug_pair_list(L_DBG_LVL_2, request, peap->accept_vps, NULL);
+ fr_pair_list_mcopy_by_num(handler->request->reply,
+ &handler->request->reply->vps,
+ &peap->accept_vps, 0, 0, TAG_ANY);
+ } else if (peap->use_tunneled_reply) {
+ RDEBUG2("No saved attributes in the original Access-Accept");
}
- pairadd(&handler->request->reply->vps,
- ((peap_tunnel_t *) tls_session->opaque)->accept_vps);
- ((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL;
-
- eaptls_gen_mppe_keys(&handler->request->reply->vps,
- tls_session->ssl,
- "client EAP encryption");
- return 1;
+ /*
+ * Success: Automatically return MPPE keys.
+ */
+ return eaptls_success(handler, 0);
/*
* No response packet, MUST be proxying it.
* will proxy it, rather than returning an EAP packet.
*/
case RLM_MODULE_UPDATED:
+#ifdef WITH_PROXY
rad_assert(handler->request->proxy != NULL);
+#endif
return 1;
- break;
default:
break;
}
- eaptls_fail(handler->eap_ds, 0);
+ eaptls_fail(handler, 0);
return 0;
}
* The module name should be the only globally exported symbol.
* That is, everything else should be 'static'.
*/
-EAP_TYPE rlm_eap_peap = {
- "eap_peap",
- eappeap_attach, /* attach */
- /*
- * Note! There is NO eappeap_initate() function, as the
- * main EAP module takes care of calling
- * eaptls_initiate().
- *
- * This is because PEAP is a protocol on top of TLS, so
- * before we need to do PEAP, we've got to initiate a TLS
- * session.
- */
- NULL, /* Start the initial request */
- NULL, /* authorization */
- eappeap_authenticate, /* authentication */
- eappeap_detach /* detach */
+extern rlm_eap_module_t rlm_eap_peap;
+rlm_eap_module_t rlm_eap_peap = {
+ .name = "eap_peap",
+ .instantiate = mod_instantiate, /* Create new submodule instance */
+ .session_init = mod_session_init, /* Initialise a new EAP session */
+ .process = mod_process /* Process next round of EAP method */
};
projects / freeradius.git / blobdiff