X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Frlm_eap%2Ftypes%2Frlm_eap_peap%2Fpeap.c;h=52db99775b896b9d559b2682dd4069a7e164986c;hb=e4bd07a28ea12db9a4633df981ace7bafd3a5445;hp=fbd0e126d9d9bf4e58295187ac079d79be498f4c;hpb=73e197cdd04d0a69da8d173aa3be7b295baa113b;p=freeradius.git diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index fbd0e12..52db997 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -1,5 +1,5 @@ /* - * peap.c contains the interfaces that are called from eap + * peap.c contains the interfaces that are called from eap * * Version: $Id$ * @@ -18,9 +18,16 @@ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2003 Alan DeKok + * Copyright 2006 The FreeRADIUS server project */ + +#include +RCSID("$Id$") + #include "eap_peap.h" +static int setup_fake_request(REQUEST *request, REQUEST *fake, peap_tunnel_t *t); + /* * Send protected EAP-Failure * @@ -29,8 +36,9 @@ static int eappeap_failure(EAP_HANDLER *handler, tls_session_t *tls_session) { uint8_t tlv_packet[11]; + REQUEST *request = handler->request; - DEBUG2(" rlm_eap_peap: FAILURE"); + RDEBUG2("FAILURE"); tlv_packet[0] = PW_EAP_REQUEST; tlv_packet[1] = handler->eap_ds->response->id +1; @@ -49,8 +57,8 @@ static int eappeap_failure(EAP_HANDLER *handler, tls_session_t *tls_session) /* * FIXME: Check the return code. */ - tls_handshake_send(tls_session); - + tls_handshake_send(request, tls_session); + return 1; } @@ -63,8 +71,9 @@ static int eappeap_failure(EAP_HANDLER *handler, tls_session_t *tls_session) static int eappeap_success(EAP_HANDLER *handler, tls_session_t *tls_session) { uint8_t tlv_packet[11]; + REQUEST *request = handler->request; - DEBUG2(" rlm_eap_peap: SUCCESS"); + RDEBUG2("SUCCESS"); tlv_packet[0] = PW_EAP_REQUEST; tlv_packet[1] = handler->eap_ds->response->id +1; @@ -83,31 +92,145 @@ static int eappeap_success(EAP_HANDLER *handler, tls_session_t *tls_session) /* * FIXME: Check the return code. */ - tls_handshake_send(tls_session); + tls_handshake_send(request, tls_session); return 1; } +static int eappeap_identity(EAP_HANDLER *handler, tls_session_t *tls_session) +{ + eap_packet_t eap_packet; + + eap_packet.code = PW_EAP_REQUEST; + eap_packet.id = handler->eap_ds->response->id + 1; + eap_packet.length[0] = 0; + eap_packet.length[1] = EAP_HEADER_LEN + 1; + eap_packet.data[0] = PW_EAP_IDENTITY; + + (tls_session->record_plus)(&tls_session->clean_in, + &eap_packet, sizeof(eap_packet)); + + tls_handshake_send(handler->request, tls_session); + (tls_session->record_init)(&tls_session->clean_in); + + return 1; +} + +/* + * Send an MS SoH request + */ +static int eappeap_soh(EAP_HANDLER *handler, tls_session_t *tls_session) +{ + uint8_t tlv_packet[20]; + + tlv_packet[0] = 254; /* extended type */ + + tlv_packet[1] = 0; + tlv_packet[2] = 0x01; /* ms vendor */ + tlv_packet[3] = 0x37; + + tlv_packet[4] = 0; /* ms soh eap */ + tlv_packet[5] = 0; + tlv_packet[6] = 0; + tlv_packet[7] = 0x21; + + tlv_packet[8] = 0; /* vendor-spec tlv */ + tlv_packet[9] = 7; + + tlv_packet[10] = 0; + tlv_packet[11] = 8; /* payload len */ + + tlv_packet[12] = 0; /* ms vendor */ + tlv_packet[13] = 0; + tlv_packet[14] = 0x01; + tlv_packet[15] = 0x37; + + tlv_packet[16] = 0; + tlv_packet[17] = 2; + tlv_packet[18] = 0; + tlv_packet[19] = 0; + + (tls_session->record_plus)(&tls_session->clean_in, tlv_packet, 20); + tls_handshake_send(handler->request, tls_session); + return 1; +} + +static VALUE_PAIR* eapsoh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len) { + + VALUE_PAIR *vp; + uint8_t eap_type_base; + uint32_t eap_vendor; + uint32_t eap_type; + int rv; + + vp = pairmake("SoH-Supported", "no", T_OP_EQ); + if (data && data[0] == PW_EAP_NAK) { + RDEBUG("SoH - client NAKed"); + goto done; + } + + if (!data || data_len < 8) { + RDEBUG("SoH - eap payload too short"); + goto done; + } + + eap_type_base = *data++; + if (eap_type_base != 254) { + RDEBUG("SoH - response is not extended EAP: %i", eap_type_base); + goto done; + } + + eap_vendor = soh_pull_be_24(data); data += 3; + if (eap_vendor != 0x137) { + RDEBUG("SoH - extended eap vendor %08x is not Microsoft", eap_vendor); + goto done; + } + + eap_type = soh_pull_be_32(data); data += 4; + if (eap_type != 0x21) { + RDEBUG("SoH - response eap type %08x is not EAP-SoH", eap_type); + goto done; + } + + + rv = soh_verify(vp, data, data_len - 8); + if (rv<0) { + RDEBUG("SoH - error decoding payload: %s", fr_strerror()); + } else { + vp->vp_integer = 1; + } +done: + return vp; +} + /* * Verify the tunneled EAP message. */ -static int eapmessage_verify(const uint8_t *data, unsigned int data_len) +static int eapmessage_verify(REQUEST *request, + const uint8_t *data, unsigned int data_len) { const eap_packet_t *eap_packet = (const eap_packet_t *) data; uint8_t eap_type; - char identity[256]; + char buffer[256]; - if (!data || (data_len <= 1)) { + /* + * No data, OR only 1 byte of EAP type. + */ + if (!data || (data_len == 0) || + ((data_len <= 1) && (data[0] != PW_EAP_IDENTITY))) { return 0; } eap_type = *data; switch (eap_type) { case PW_EAP_IDENTITY: - memcpy(identity, data + 1, data_len - 1); - identity[data_len - 1] = '\0'; - DEBUG2(" rlm_eap_peap: Identity - %s", identity); + if (data_len == 1) { + RDEBUG2("Identity - "); + return 1; + } + RDEBUG2("Identity - %*s", + data_len - 1, data + 1); return 1; break; @@ -118,10 +241,10 @@ static int eapmessage_verify(const uint8_t *data, unsigned int data_len) */ case PW_EAP_RESPONSE: if (eap_packet->data[0] == PW_EAP_TLV) { - DEBUG2(" rlm_eap_peap: Received EAP-TLV response."); + RDEBUG2("Received EAP-TLV response."); return 1; } - DEBUG2(" rlm_eap_peap: Got something weird."); + RDEBUG2("Got something weird."); break; @@ -131,9 +254,9 @@ static int eapmessage_verify(const uint8_t *data, unsigned int data_len) */ case PW_EAP_MSCHAPV2: default: - DEBUG2(" rlm_eap_peap: EAP type %s", + RDEBUG2("EAP type %s", eaptype_type2name(eap_type, - identity, sizeof(identity))); + buffer, sizeof(buffer))); return 1; break; } @@ -144,37 +267,58 @@ static int eapmessage_verify(const uint8_t *data, unsigned int data_len) /* * Convert a pseudo-EAP packet to a list of VALUE_PAIR's. */ -static VALUE_PAIR *eap2vp(EAP_DS *eap_ds, - const uint8_t *data, unsigned int data_len) +static VALUE_PAIR *eap2vp(REQUEST *request, EAP_DS *eap_ds, + const uint8_t *data, size_t data_len) { - VALUE_PAIR *vp = NULL; + size_t total; + VALUE_PAIR *vp = NULL, *head, **tail; - /* - * Sanity check this... - */ - if (data_len + EAP_HEADER_LEN > MAX_STRING_LEN) { - radlog(L_ERR, "rlm_eap_peap: EAP Response packet is too large. Code must be fixed to handle this."); - return NULL; - } + if (data_len > 65535) return NULL; /* paranoia */ - vp = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS); + vp = paircreate(PW_EAP_MESSAGE, 0, PW_TYPE_OCTETS); if (!vp) { - DEBUG2(" rlm_eap_peap: Failure in creating VP"); + RDEBUG2("Failure in creating VP"); return NULL; } + total = data_len; + if (total > 249) total = 249; + /* * Hand-build an EAP packet from the crap in PEAP version 0. */ - vp->vp_strvalue[0] = PW_EAP_RESPONSE; - vp->vp_strvalue[1] = eap_ds->response->id; - vp->vp_strvalue[2] = 0; - vp->vp_strvalue[3] = EAP_HEADER_LEN + data_len; + vp->vp_octets[0] = PW_EAP_RESPONSE; + vp->vp_octets[1] = eap_ds->response->id; + vp->vp_octets[2] = (data_len + EAP_HEADER_LEN) >> 8; + vp->vp_octets[3] = (data_len + EAP_HEADER_LEN) & 0xff; - memcpy(vp->vp_strvalue + EAP_HEADER_LEN, data, data_len); - vp->length = EAP_HEADER_LEN + data_len; + memcpy(vp->vp_octets + EAP_HEADER_LEN, data, total); + vp->length = EAP_HEADER_LEN + total; - return vp; + head = vp; + tail = &(vp->next); + while (total < data_len) { + int vp_len; + + + vp = paircreate(PW_EAP_MESSAGE, 0, PW_TYPE_OCTETS); + if (!vp) { + RDEBUG2("Failure in creating VP"); + pairfree(&head); + return NULL; + } + vp_len = (data_len - total); + if (vp_len > 253) vp_len = 253; + + memcpy(vp->vp_octets, data + total, vp_len); + vp->length = vp_len; + + total += vp_len; + *tail = vp; + tail = &(vp->next); + } + + return head; } @@ -182,43 +326,55 @@ static VALUE_PAIR *eap2vp(EAP_DS *eap_ds, * Convert a list of VALUE_PAIR's to an EAP packet, through the * simple expedient of dumping the EAP message */ -static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp) +static int vp2eap(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR *vp) { - if (vp->next != NULL) { - radlog(L_ERR, "rlm_eap_peap: EAP Request packet is too large. Code must be fixed to handle this."); - return 0; - } + rad_assert(vp != NULL); /* * Skip the id, code, and length. Just write the EAP * type & data to the client. */ #ifndef NDEBUG - if (debug_flag > 2) { - int i; - int total = vp->length - 4; + if ((debug_flag > 2) && fr_log_fp) { + size_t i, total; + VALUE_PAIR *this; + + total = 0; - if (debug_flag > 0) for (i = 0; i < total; i++) { - if ((i & 0x0f) == 0) printf(" PEAP tunnel data out %04x: ", i); + for (this = vp; this != NULL; this = this->next) { + int start = 0; - printf("%02x ", vp->vp_strvalue[i + 4]); + if (this == vp) start = EAP_HEADER_LEN; + + for (i = start; i < vp->length; i++) { + if ((total & 0x0f) == 0) fprintf(fr_log_fp, " PEAP tunnel data out %04x: ", (int) total); - if ((i & 0x0f) == 0x0f) printf("\n"); + fprintf(fr_log_fp, "%02x ", vp->vp_octets[i]); + + if ((total & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n"); + total++; + } } - if ((total & 0x0f) != 0) printf("\n"); + if ((total & 0x0f) != 0) fprintf(fr_log_fp, "\n"); } #endif /* * Send the EAP data, WITHOUT the header. */ -#if 1 - (tls_session->record_plus)(&tls_session->clean_in, vp->vp_strvalue + EAP_HEADER_LEN, - vp->length - EAP_HEADER_LEN); -#else - (tls_session->record_plus)(&tls_session->clean_in, vp->vp_strvalue, vp->length); -#endif - tls_handshake_send(tls_session); + (tls_session->record_plus)(&tls_session->clean_in, + vp->vp_octets + EAP_HEADER_LEN, + vp->length - EAP_HEADER_LEN); + + /* + * Send the rest of the EAP data. + */ + for (vp = vp->next; vp != NULL; vp = vp->next) { + (tls_session->record_plus)(&tls_session->clean_in, + vp->vp_octets, vp->length); + } + + tls_handshake_send(request, tls_session); return 1; } @@ -227,7 +383,7 @@ static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp) /* * See if there's a TLV in the response. */ -static int eappeap_check_tlv(const uint8_t *data) +static int eappeap_check_tlv(REQUEST *request, const uint8_t *data) { const eap_packet_t *eap_packet = (const eap_packet_t *) data; @@ -241,7 +397,7 @@ static int eappeap_check_tlv(const uint8_t *data) } if (data[10] == EAP_TLV_FAILURE) { - DEBUG2(" rlm_eap_peap: Client rejected our response. The password is probably incorrect."); + RDEBUG2("Client rejected our response. The password is probably incorrect."); return 0; } } @@ -254,26 +410,22 @@ static int eappeap_check_tlv(const uint8_t *data) * Use a reply packet to determine what to do. */ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, - UNUSED REQUEST *request, RADIUS_PACKET *reply) + REQUEST *request, RADIUS_PACKET *reply) { int rcode = RLM_MODULE_REJECT; VALUE_PAIR *vp; peap_tunnel_t *t = tls_session->opaque; -#ifndef NDEBUG - if (debug_flag > 0) { - printf(" PEAP: Processing from tunneled session code %p %d\n", - reply, reply->code); - - for (vp = reply->vps; vp != NULL; vp = vp->next) { - putchar('\t');vp_print(stdout, vp);putchar('\n'); - } + if ((debug_flag > 0) && fr_log_fp) { + RDEBUG("Got tunneled reply RADIUS code %d", + reply->code); + + debug_pair_list(reply->vps); } -#endif switch (reply->code) { case PW_AUTHENTICATION_ACK: - DEBUG2(" PEAP: Tunneled authentication was successful."); + RDEBUG2("Tunneled authentication was successful."); t->status = PEAP_STATUS_SENT_TLV_SUCCESS; eappeap_success(handler, tls_session); rcode = RLM_MODULE_HANDLED; @@ -286,14 +438,23 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, * tunneled user! */ if (t->use_tunneled_reply) { - DEBUG2(" Saving tunneled attributes for later"); + RDEBUG2("Saving tunneled attributes for later"); /* * Clean up the tunneled reply. */ - pairdelete(&reply->vps, PW_PROXY_STATE); - pairdelete(&reply->vps, PW_EAP_MESSAGE); - pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR); + pairdelete(&reply->vps, PW_PROXY_STATE, 0); + pairdelete(&reply->vps, PW_EAP_MESSAGE, 0); + pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0); + + /* + * Delete MPPE keys & encryption policy. We don't + * want these here. + */ + pairdelete(&reply->vps, 7, VENDORPEC_MICROSOFT); + pairdelete(&reply->vps, 8, VENDORPEC_MICROSOFT); + pairdelete(&reply->vps, 16, VENDORPEC_MICROSOFT); + pairdelete(&reply->vps, 17, VENDORPEC_MICROSOFT); t->accept_vps = reply->vps; reply->vps = NULL; @@ -301,14 +462,14 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, break; case PW_AUTHENTICATION_REJECT: - DEBUG2(" PEAP: Tunneled authentication was rejected."); + RDEBUG2("Tunneled authentication was rejected."); t->status = PEAP_STATUS_SENT_TLV_FAILURE; eappeap_failure(handler, tls_session); rcode = RLM_MODULE_HANDLED; break; case PW_ACCESS_CHALLENGE: - DEBUG2(" PEAP: Got tunneled Access-Challenge"); + RDEBUG2("Got tunneled Access-Challenge"); /* * Keep the State attribute, if necessary. @@ -316,7 +477,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, * Get rid of the old State, too. */ pairfree(&t->state); - pairmove2(&t->state, &(reply->vps), PW_STATE); + pairmove2(&t->state, &(reply->vps), PW_STATE, 0); /* * PEAP takes only EAP-Message attributes inside @@ -324,7 +485,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, * Access-Challenge is ignored. */ vp = NULL; - pairmove2(&vp, &(reply->vps), PW_EAP_MESSAGE); + pairmove2(&vp, &(reply->vps), PW_EAP_MESSAGE, 0); /* * Handle EAP-MSCHAP-V2, where Access-Accept's @@ -334,14 +495,14 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, * an "ack" packet. */ if (t->home_access_accept && t->use_tunneled_reply) { - DEBUG2(" Saving tunneled attributes for later"); + RDEBUG2("Saving tunneled attributes for later"); /* * Clean up the tunneled reply. */ - pairdelete(&reply->vps, PW_PROXY_STATE); - pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR); - + pairdelete(&reply->vps, PW_PROXY_STATE, 0); + pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0); + t->accept_vps = reply->vps; reply->vps = NULL; } @@ -351,7 +512,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, * VP's back to the client. */ if (vp) { - vp2eap(tls_session, vp); + vp2eap(request, tls_session, vp); pairfree(&vp); } @@ -359,7 +520,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, break; default: - DEBUG2(" PEAP: Unknown RADIUS packet type %d: rejecting tunneled user", reply->code); + RDEBUG2("Unknown RADIUS packet type %d: rejecting tunneled user", reply->code); rcode = RLM_MODULE_REJECT; break; } @@ -367,7 +528,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, return rcode; } - +#ifdef WITH_PROXY /* * Do post-proxy processing, */ @@ -375,9 +536,10 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) { int rcode; tls_session_t *tls_session = (tls_session_t *) data; - REQUEST *fake; + REQUEST *fake, *request = handler->request; - DEBUG2(" PEAP: Passing reply from proxy back into the tunnel."); + rad_assert(request != NULL); + RDEBUG2("Passing reply from proxy back into the tunnel."); /* * If there was a fake request associated with the proxied @@ -386,13 +548,11 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) fake = (REQUEST *) request_data_get(handler->request, handler->request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK); - + /* * Do the callback, if it exists, and if it was a success. */ if (fake && (handler->request->proxy_reply->code == PW_AUTHENTICATION_ACK)) { - VALUE_PAIR *vp; - REQUEST *request = handler->request; peap_tunnel_t *t = tls_session->opaque; t->home_access_accept = TRUE; @@ -402,39 +562,39 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) */ rad_assert(fake->packet == NULL); fake->packet = request->proxy; + fake->packet->src_ipaddr = request->packet->src_ipaddr; request->proxy = NULL; rad_assert(fake->reply == NULL); fake->reply = request->proxy_reply; request->proxy_reply = NULL; + if ((debug_flag > 0) && fr_log_fp) { + fprintf(fr_log_fp, "server %s {\n", fake->server); + } + /* * Perform a post-auth stage, which will get the EAP * handler, too... */ fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; - DEBUG2(" PEAP: Passing reply back for EAP-MS-CHAP-V2 %p %d", - fake, fake->reply->code); - rcode = module_post_proxy(0, fake); + RDEBUG2("Passing reply back for EAP-MS-CHAP-V2"); + module_post_proxy(0, fake); /* * FIXME: If rcode returns fail, do something * intelligent... */ - DEBUG2(" POST-PROXY %d", rcode); rcode = rad_postauth(fake); - DEBUG2(" POST-AUTH %d", rcode); -#ifndef NDEBUG - if (debug_flag > 0) { - printf(" PEAP: Final reply from tunneled session code %d\n", - fake->reply->code); + if ((debug_flag > 0) && fr_log_fp) { + fprintf(fr_log_fp, "} # server %s\n", fake->server); - for (vp = fake->reply->vps; vp != NULL; vp = vp->next) { - putchar('\t');vp_print(stdout, vp);putchar('\n'); - } + RDEBUG("Final reply from tunneled session code %d", + fake->reply->code); + + debug_pair_list(fake->reply->vps); } -#endif /* * Terrible hacks. @@ -451,15 +611,14 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) switch (rcode) { case RLM_MODULE_FAIL: request_free(&fake); - eaptls_fail(handler->eap_ds, 0); + eaptls_fail(handler, 0); return 0; break; - + default: /* Don't Do Anything */ - DEBUG2(" PEAP: Got reply %d", - request->proxy_reply->code); + RDEBUG2("Got reply %d", request->proxy_reply->code); break; - } + } } request_free(&fake); /* robust if fake == NULL */ @@ -485,29 +644,29 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) switch (rcode) { case RLM_MODULE_REJECT: - DEBUG2(" PEAP: Reply was rejected"); - eaptls_fail(handler->eap_ds, 0); + RDEBUG2("Reply was rejected"); + eaptls_fail(handler, 0); return 0; case RLM_MODULE_HANDLED: - DEBUG2(" PEAP: Reply was handled"); + RDEBUG2("Reply was handled"); eaptls_request(handler->eap_ds, tls_session); return 1; case RLM_MODULE_OK: - DEBUG2(" PEAP: Reply was OK"); - eaptls_success(handler->eap_ds, 0); - eaptls_gen_mppe_keys(&handler->request->reply->vps, - tls_session->ssl, - "client EAP encryption"); - return 1; + RDEBUG2("Reply was OK"); + + /* + * Success: Automatically return MPPE keys. + */ + return eaptls_success(handler, 0); default: - DEBUG2(" PEAP: Reply was unknown."); + RDEBUG2("Reply was unknown."); break; } - eaptls_fail(handler->eap_ds, 0); + eaptls_fail(handler, 0); return 0; } @@ -520,6 +679,47 @@ static void my_request_free(void *data) request_free(&request); } +#endif + + +static const char *peap_state(peap_tunnel_t *t) +{ + switch (t->status) { + case PEAP_STATUS_TUNNEL_ESTABLISHED: + return "TUNNEL ESTABLISHED"; + case PEAP_STATUS_WAIT_FOR_SOH_RESPONSE: + return "WAITING FOR SOH RESPONSE"; + case PEAP_STATUS_INNER_IDENTITY_REQ_SENT: + return "WAITING FOR INNER IDENTITY"; + case PEAP_STATUS_SENT_TLV_SUCCESS: + return "send tlv success"; + case PEAP_STATUS_SENT_TLV_FAILURE: + return "send tlv failure"; + case PEAP_STATUS_PHASE2_INIT: + return "phase2_init"; + case PEAP_STATUS_PHASE2: + return "phase2"; + default: + break; + } + return "?"; +} + +static void print_tunneled_data(const uint8_t *data, size_t data_len) +{ + size_t i; + + if ((debug_flag > 2) && fr_log_fp) { + for (i = 0; i < data_len; i++) { + if ((i & 0x0f) == 0) fprintf(fr_log_fp, " PEAP tunnel data in %02x: ", (int) i); + + fprintf(fr_log_fp, "%02x ", data[i]); + + if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n"); + } + if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n"); + } +} /* @@ -527,135 +727,244 @@ static void my_request_free(void *data) */ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) { - int err; peap_tunnel_t *t = tls_session->opaque; REQUEST *fake; VALUE_PAIR *vp; int rcode = RLM_MODULE_REJECT; - const uint8_t *data; + const uint8_t *data; unsigned int data_len; - unsigned char buffer[1024]; -#ifndef NDEBUG - int i; -#endif REQUEST *request = handler->request; EAP_DS *eap_ds = handler->eap_ds; - /* - * Grab the dirty data, and copy it to our buffer. - * - * I *really* don't like these 'record_t' things... - */ - data_len = (tls_session->record_minus)(&tls_session->dirty_in, buffer, sizeof(buffer)); - data = buffer; + rad_assert(request != NULL); /* - * Write the data from the dirty buffer (i.e. packet - * data) into the buffer which we will give to SSL for - * decoding. - * - * Some of this code COULD technically go into the TLS - * module, in eaptls_process(), where it returns EAPTLS_OK. - * - * Similarly, the writing of data to the SSL context could - * go there, too... + * Just look at the buffer directly, without doing + * record_minus. This lets us avoid another data copy. */ - BIO_write(tls_session->into_ssl, buffer, data_len); - (tls_session->record_init)(&tls_session->clean_out); + data_len = tls_session->clean_out.used; + tls_session->clean_out.used = 0; + data = tls_session->clean_out.data; - /* - * Read (and decrypt) the tunneled data from the SSL session, - * and put it into the decrypted data buffer. - */ - err = SSL_read(tls_session->ssl, tls_session->clean_out.data, - sizeof(tls_session->clean_out.data)); - if (err < 0) { - /* - * FIXME: Call SSL_get_error() to see what went - * wrong. - */ - radlog(L_INFO, "rlm_eap_peap: SSL_read Error"); + RDEBUG2("Peap state %s", peap_state(t)); + + if ((t->status != PEAP_STATUS_TUNNEL_ESTABLISHED) && + !eapmessage_verify(request, data, data_len)) { + RDEBUG2("FAILED processing PEAP: Tunneled data is invalid."); + if (debug_flag > 2) print_tunneled_data(data, data_len); return RLM_MODULE_REJECT; } - /* - * If there's no data, maybe this is an ACK to an - * MS-CHAP2-Success. - */ - if (err == 0) { + switch (t->status) { + case PEAP_STATUS_TUNNEL_ESTABLISHED: + /* FIXME: should be no data in the buffer here, check & assert? */ + + if (SSL_session_reused(tls_session->ssl)) { + RDEBUG2("Skipping Phase2 because of session resumption"); + t->session_resumption_state = PEAP_RESUMPTION_YES; + if (t->soh) { + t->status = PEAP_STATUS_WAIT_FOR_SOH_RESPONSE; + RDEBUG2("Requesting SoH from client"); + eappeap_soh(handler, tls_session); + return RLM_MODULE_HANDLED; + } + /* we're good, send success TLV */ + t->status = PEAP_STATUS_SENT_TLV_SUCCESS; + eappeap_success(handler, tls_session); + + } else { + /* send an identity request */ + t->session_resumption_state = PEAP_RESUMPTION_NO; + t->status = PEAP_STATUS_INNER_IDENTITY_REQ_SENT; + eappeap_identity(handler, tls_session); + } + return RLM_MODULE_HANDLED; + + case PEAP_STATUS_INNER_IDENTITY_REQ_SENT: + /* we're expecting an identity response */ + if (data[0] != PW_EAP_IDENTITY) { + RDEBUG("Expected EAP-Identity, got something else."); + return RLM_MODULE_REJECT; + } + + if (data_len >= sizeof(t->username->vp_strvalue)) { + RDEBUG("EAP-Identity is too long"); + return RLM_MODULE_REJECT; + } + /* - * FIXME: Call SSL_get_error() to see what went - * wrong. + * Save it for later. */ - radlog(L_INFO, "rlm_eap_peap: No data inside of the tunnel."); - return RLM_MODULE_REJECT; - } + t->username = pairmake("User-Name", "", T_OP_EQ); + rad_assert(t->username != NULL); + + memcpy(t->username->vp_strvalue, data + 1, data_len - 1); + t->username->length = data_len - 1; + t->username->vp_strvalue[t->username->length] = 0; + RDEBUG("Got inner identity '%s'", t->username->vp_strvalue); + if (t->soh) { + t->status = PEAP_STATUS_WAIT_FOR_SOH_RESPONSE; + RDEBUG2("Requesting SoH from client"); + eappeap_soh(handler, tls_session); + return RLM_MODULE_HANDLED; + } + t->status = PEAP_STATUS_PHASE2_INIT; + break; - data_len = tls_session->clean_out.used = err; - data = tls_session->clean_out.data; + case PEAP_STATUS_WAIT_FOR_SOH_RESPONSE: + fake = request_alloc_fake(request); + rad_assert(fake->packet->vps == NULL); + fake->packet->vps = eapsoh_verify(request, data, data_len); + setup_fake_request(request, fake, t); -#ifndef NDEBUG - if (debug_flag > 2) { - for (i = 0; i < data_len; i++) { - if ((i & 0x0f) == 0) printf(" PEAP tunnel data in %04x: ", i); + if (t->soh_virtual_server) { + fake->server = t->soh_virtual_server; + } + RDEBUG("Sending SoH request to server %s", fake->server ? fake->server : "NULL"); + debug_pair_list(fake->packet->vps); + rad_authenticate(fake); + RDEBUG("Got SoH reply"); + debug_pair_list(fake->reply->vps); + + if (fake->reply->code != PW_AUTHENTICATION_ACK) { + RDEBUG2("SoH was rejected"); + request_free(&fake); + t->status = PEAP_STATUS_SENT_TLV_FAILURE; + eappeap_failure(handler, tls_session); + return RLM_MODULE_HANDLED; + } - printf("%02x ", data[i]); + /* save the SoH VPs */ + t->soh_reply_vps = fake->reply->vps; + fake->reply->vps = NULL; + request_free(&fake); - if ((i & 0x0f) == 0x0f) printf("\n"); + if (t->session_resumption_state == PEAP_RESUMPTION_YES) { + /* we're good, send success TLV */ + t->status = PEAP_STATUS_SENT_TLV_SUCCESS; + eappeap_success(handler, tls_session); + return RLM_MODULE_HANDLED; } - if ((data_len & 0x0f) != 0) printf("\n"); - } -#endif - if (!eapmessage_verify(data, data_len)) { - return RLM_MODULE_REJECT; - } + t->status = PEAP_STATUS_PHASE2_INIT; + break; - DEBUG2(" rlm_eap_peap: Tunneled data is valid."); /* * If we authenticated the user, then it's OK. */ - if (t->status == PEAP_STATUS_SENT_TLV_SUCCESS) { - if (eappeap_check_tlv(data)) { - DEBUG2(" rlm_eap_peap: Success"); + case PEAP_STATUS_SENT_TLV_SUCCESS: + if (eappeap_check_tlv(request, data)) { + RDEBUG2("Success"); return RLM_MODULE_OK; } + /* + * Otherwise, the client rejected the session + * resumption. If the session is being re-used, + * we need to do a full authentication. + * + * We do this by sending an EAP-Identity request + * inside of the PEAP tunnel. + */ + if (t->session_resumption_state == PEAP_RESUMPTION_YES) { + RDEBUG2("Client rejected session resumption. Re-starting full authentication"); + + /* + * Mark session resumption status. + */ + t->status = PEAP_STATUS_INNER_IDENTITY_REQ_SENT; + t->session_resumption_state = PEAP_RESUMPTION_NO; + + eappeap_identity(handler, tls_session); + return RLM_MODULE_HANDLED; + } + + RDEBUG2("We sent a success, but received something weird in return."); return RLM_MODULE_REJECT; - } else if (t->status == PEAP_STATUS_SENT_TLV_FAILURE) { - DEBUG2(" rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session."); + /* + * Damned if I know why the clients continue sending EAP + * packets after we told them to f*ck off. + */ + case PEAP_STATUS_SENT_TLV_FAILURE: + RDEBUG(" The users session was previously rejected: returning reject (again.)"); + RDEBUG(" *** This means you need to read the PREVIOUS messages in the debug output"); + RDEBUG(" *** to find out the reason why the user was rejected."); + RDEBUG(" *** Look for \"reject\" or \"fail\". Those earlier messages will tell you."); + RDEBUG(" *** what went wrong, and how to fix the problem."); return RLM_MODULE_REJECT; + + case PEAP_STATUS_PHASE2_INIT: + RDEBUG("In state machine in phase2 init?"); + + case PEAP_STATUS_PHASE2: + break; + + default: + RDEBUG2("Unhandled state in peap"); + return RLM_MODULE_REJECT; } fake = request_alloc_fake(request); rad_assert(fake->packet->vps == NULL); - fake->packet->vps = eap2vp(eap_ds, data, data_len); - if (!fake->packet->vps) { - DEBUG2(" rlm_eap_peap: Unable to convert tunneled EAP packet to internal server data structures"); - return PW_AUTHENTICATION_REJECT; - } + switch (t->status) { + /* + * If we're in PHASE2_INIT, the phase2 method hasn't been + * sent an Identity packet yet; do so from the stored + * username and this will kick off the phase2 eap method + */ + + case PEAP_STATUS_PHASE2_INIT: { + int len = t->username->length + EAP_HEADER_LEN + 1; -#ifndef NDEBUG - if (debug_flag > 0) { - printf(" PEAP: Got tunneled EAP-Message\n"); + t->status = PEAP_STATUS_PHASE2; - for (vp = fake->packet->vps; vp != NULL; vp = vp->next) { - putchar('\t');vp_print(stdout, vp);putchar('\n'); - } - } -#endif + vp = paircreate(PW_EAP_MESSAGE, 0, PW_TYPE_OCTETS); + + vp->vp_octets[0] = PW_EAP_RESPONSE; + vp->vp_octets[1] = eap_ds->response->id; + vp->vp_octets[2] = (len >> 8) & 0xff; + vp->vp_octets[3] = len & 0xff; + vp->vp_octets[4] = PW_EAP_IDENTITY; + + memcpy(vp->vp_octets + EAP_HEADER_LEN + 1, t->username->vp_strvalue, t->username->length); + vp->length = len; - /* - * Tell the request that it's a fake one. - */ - vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); - if (vp) { pairadd(&fake->packet->vps, vp); + + if (t->default_eap_type != 0) { + RDEBUG2("Setting default EAP type for tunneled EAP session."); + vp = pairmake("EAP-Type", "0", T_OP_EQ); + vp->vp_integer = t->default_eap_type; + pairadd(&fake->config_items, vp); + } + break; } + + case PEAP_STATUS_PHASE2: + fake->packet->vps = eap2vp(request, eap_ds, data, data_len); + if (!fake->packet->vps) { + request_free(&fake); + RDEBUG2("Unable to convert tunneled EAP packet to internal server data structures"); + return PW_AUTHENTICATION_REJECT; + } + break; + + default: + RDEBUG("Invalid state change in PEAP."); + return PW_AUTHENTICATION_REJECT; + } + + if ((debug_flag > 0) && fr_log_fp) { + RDEBUG("Got tunneled request"); + + debug_pair_list(fake->packet->vps); + + fprintf(fr_log_fp, "server %s {\n", + (fake->server == NULL) ? "" : fake->server); } /* @@ -683,110 +992,30 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) if (t->default_eap_type != 0) { DEBUG2(" PEAP: Setting default EAP type for tunneled EAP session."); vp = pairmake("EAP-Type", "0", T_OP_EQ); - vp->lvalue = t->default_eap_type; + vp->vp_integer = t->default_eap_type; pairadd(&fake->config_items, vp); } } } /* else there WAS a t->username */ - if (t->username) { - vp = paircopy(t->username); - pairadd(&fake->packet->vps, vp); - fake->username = pairfind(fake->packet->vps, PW_USER_NAME); - DEBUG2(" PEAP: Setting User-Name to %s", - fake->username->vp_strvalue); - } + setup_fake_request(request, fake, t); - /* - * Add the State attribute, too, if it exists. - */ - if (t->state) { - DEBUG2(" PEAP: Adding old state with %02x %02x", - t->state->vp_strvalue[0], t->state->vp_strvalue[1]); - vp = paircopy(t->state); - if (vp) pairadd(&fake->packet->vps, vp); - } + if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0)) != NULL) { + fake->server = vp->vp_strvalue; - /* - * If this is set, we copy SOME of the request attributes - * from outside of the tunnel to inside of the tunnel. - * - * We copy ONLY those attributes which do NOT already - * exist in the tunneled request. - * - * This code is copied from ../rlm_eap_ttls/ttls.c - */ - if (t->copy_request_to_tunnel) { - VALUE_PAIR *copy; + } else if (t->virtual_server) { + fake->server = t->virtual_server; - for (vp = request->packet->vps; vp != NULL; vp = vp->next) { - /* - * The attribute is a server-side thingy, - * don't copy it. - */ - if ((vp->attribute > 255) && - (((vp->attribute >> 16) & 0xffff) == 0)) { - continue; - } + } /* else fake->server == request->server */ - /* - * The outside attribute is already in the - * tunnel, don't copy it. - * - * This works for BOTH attributes which - * are originally in the tunneled request, - * AND attributes which are copied there - * from below. - */ - if (pairfind(fake->packet->vps, vp->attribute)) { - continue; - } - - /* - * Some attributes are handled specially. - */ - switch (vp->attribute) { - /* - * NEVER copy Message-Authenticator, - * EAP-Message, or State. They're - * only for outside of the tunnel. - */ - case PW_USER_NAME: - case PW_USER_PASSWORD: - case PW_CHAP_PASSWORD: - case PW_CHAP_CHALLENGE: - case PW_PROXY_STATE: - case PW_MESSAGE_AUTHENTICATOR: - case PW_EAP_MESSAGE: - case PW_STATE: - continue; - break; - - /* - * By default, copy it over. - */ - default: - break; - } - - /* - * Don't copy from the head, we've already - * checked it. - */ - copy = paircopy2(vp, vp->attribute); - pairadd(&fake->packet->vps, copy); - } - } + if ((debug_flag > 0) && fr_log_fp) { + fprintf(fr_log_fp, "Sending tunneled request\n"); -#ifndef NDEBUG - if (debug_flag > 0) { - printf(" PEAP: Sending tunneled request\n"); + debug_pair_list(fake->packet->vps); - for (vp = fake->packet->vps; vp != NULL; vp = vp->next) { - putchar('\t');vp_print(stdout, vp);putchar('\n'); - } + fprintf(fr_log_fp, "server %s {\n", + (fake->server == NULL) ? "" : fake->server); } -#endif /* * Call authentication recursively, which will @@ -798,23 +1027,22 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) * Note that we don't do *anything* with the reply * attributes. */ -#ifndef NDEBUG - if (debug_flag > 0) { - printf(" PEAP: Got tunneled reply RADIUS code %d\n", - fake->reply->code); + if ((debug_flag > 0) && fr_log_fp) { + fprintf(fr_log_fp, "} # server %s\n", + (fake->server == NULL) ? "" : fake->server); - for (vp = fake->reply->vps; vp != NULL; vp = vp->next) { - putchar('\t');vp_print(stdout, vp);putchar('\n'); - } + RDEBUG("Got tunneled reply code %d", fake->reply->code); + + debug_pair_list(fake->reply->vps); } -#endif /* * Decide what to do with the reply. */ switch (fake->reply->code) { case 0: /* No reply code, must be proxied... */ - vp = pairfind(fake->config_items, PW_PROXY_TO_REALM); +#ifdef WITH_PROXY + vp = pairfind(fake->config_items, PW_PROXY_TO_REALM, 0); if (vp) { eap_tunnel_data_t *tunnel; @@ -877,7 +1105,7 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) * of attributes. */ pairdelete(&fake->packet->vps, - PW_EAP_MESSAGE); + PW_EAP_MESSAGE, 0); } DEBUG2(" PEAP: Tunneled authentication will be proxied to %s", vp->vp_strvalue); @@ -888,7 +1116,7 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) */ pairmove2(&(request->config_items), &(fake->config_items), - PW_PROXY_TO_REALM); + PW_PROXY_TO_REALM, 0); /* * Seed the proxy packet with the @@ -896,6 +1124,12 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) */ rad_assert(request->proxy == NULL); request->proxy = fake->packet; + memset(&request->proxy->src_ipaddr, 0, + sizeof(request->proxy->src_ipaddr)); + memset(&request->proxy->src_ipaddr, 0, + sizeof(request->proxy->src_ipaddr)); + request->proxy->src_port = 0; + request->proxy->dst_port = 0; fake->packet = NULL; rad_free(&fake->reply); fake->reply = NULL; @@ -937,7 +1171,7 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK, fake, my_request_free); rad_assert(rcode == 0); - + /* * Do NOT free the fake request! */ @@ -950,10 +1184,12 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) */ rcode = RLM_MODULE_UPDATED; - } else { + } else +#endif /* WITH_PROXY */ + { DEBUG2(" PEAP: Unknown RADIUS packet type %d: rejecting tunneled user", fake->reply->code); rcode = RLM_MODULE_REJECT; - } + } break; default: @@ -968,3 +1204,106 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session) return rcode; } + +static int setup_fake_request(REQUEST *request, REQUEST *fake, peap_tunnel_t *t) { + + VALUE_PAIR *vp; + /* + * Tell the request that it's a fake one. + */ + vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); + if (vp) { + pairadd(&fake->packet->vps, vp); + } + + if (t->username) { + vp = paircopy(t->username); + pairadd(&fake->packet->vps, vp); + fake->username = pairfind(fake->packet->vps, PW_USER_NAME, 0); + RDEBUG2("Setting User-Name to %s", fake->username->vp_strvalue); + } else { + RDEBUG2("No tunnel username (SSL resumption?)"); + } + + + /* + * Add the State attribute, too, if it exists. + */ + if (t->state) { + vp = paircopy(t->state); + if (vp) pairadd(&fake->packet->vps, vp); + } + + /* + * If this is set, we copy SOME of the request attributes + * from outside of the tunnel to inside of the tunnel. + * + * We copy ONLY those attributes which do NOT already + * exist in the tunneled request. + * + * This code is copied from ../rlm_eap_ttls/ttls.c + */ + if (t->copy_request_to_tunnel) { + VALUE_PAIR *copy; + + for (vp = request->packet->vps; vp != NULL; vp = vp->next) { + /* + * The attribute is a server-side thingy, + * don't copy it. + */ + if ((vp->attribute > 255) && + (((vp->attribute >> 16) & 0xffff) == 0)) { + continue; + } + + /* + * The outside attribute is already in the + * tunnel, don't copy it. + * + * This works for BOTH attributes which + * are originally in the tunneled request, + * AND attributes which are copied there + * from below. + */ + if (pairfind(fake->packet->vps, vp->attribute, vp->vendor)) { + continue; + } + + /* + * Some attributes are handled specially. + */ + switch (vp->attribute) { + /* + * NEVER copy Message-Authenticator, + * EAP-Message, or State. They're + * only for outside of the tunnel. + */ + case PW_USER_NAME: + case PW_USER_PASSWORD: + case PW_CHAP_PASSWORD: + case PW_CHAP_CHALLENGE: + case PW_PROXY_STATE: + case PW_MESSAGE_AUTHENTICATOR: + case PW_EAP_MESSAGE: + case PW_STATE: + continue; + break; + + /* + * By default, copy it over. + */ + default: + break; + } + + /* + * Don't copy from the head, we've already + * checked it. + */ + copy = paircopy2(vp, vp->attribute, vp->vendor); + pairadd(&fake->packet->vps, copy); + } + } + + return 0; +}