6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
22 * Copyright 2006 The FreeRADIUS server project
27 * TLS Packet Format in EAP
28 * --- ------ ------ -- ---
30 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
31 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
32 * | Code | Identifier | Length |
33 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
34 * | Type | Flags | TLS Message Length
35 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 * | TLS Message Length | TLS Data...
37 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 #include <freeradius-devel/ident.h>
44 #include <freeradius-devel/autoconf.h>
49 * Allocate a new TLS_PACKET
51 EAPTLS_PACKET *eaptls_alloc(void)
55 if ((rp = malloc(sizeof(EAPTLS_PACKET))) == NULL) {
56 radlog(L_ERR, "rlm_eap_tls: out of memory");
59 memset(rp, 0, sizeof(EAPTLS_PACKET));
66 void eaptls_free(EAPTLS_PACKET **eaptls_packet_ptr)
68 EAPTLS_PACKET *eaptls_packet;
70 if (!eaptls_packet_ptr) return;
71 eaptls_packet = *eaptls_packet_ptr;
72 if (eaptls_packet == NULL) return;
74 if (eaptls_packet->data) {
75 free(eaptls_packet->data);
76 eaptls_packet->data = NULL;
80 *eaptls_packet_ptr = NULL;
84 The S flag is set only within the EAP-TLS start message
85 sent from the EAP server to the peer.
87 int eaptls_start(EAP_DS *eap_ds, int peap_flag)
91 reply.code = EAPTLS_START;
92 reply.length = TLS_HEADER_LEN + 1/*flags*/;
94 reply.flags = peap_flag;
95 reply.flags = SET_START(reply.flags);
100 eaptls_compose(eap_ds, &reply);
105 int eaptls_success(EAP_HANDLER *handler, int peap_flag)
108 VALUE_PAIR *vp, *vps = NULL;
109 REQUEST *request = handler->request;
110 tls_session_t *tls_session = handler->opaque;
112 handler->finished = TRUE;
113 reply.code = EAPTLS_SUCCESS;
114 reply.length = TLS_HEADER_LEN;
115 reply.flags = peap_flag;
120 * If there's no session resumption, delete the entry
121 * from the cache. This means either it's disabled
122 * globally for this SSL context, OR we were told to
123 * disable it for this user.
125 * This also means you can't turn it on just for one
128 if ((!tls_session->allow_session_resumption) ||
129 (((vp = pairfind(request->config_items, 1127, 0)) != NULL) &&
130 (vp->vp_integer == 0))) {
131 SSL_CTX_remove_session(tls_session->ctx,
132 tls_session->ssl->session);
133 tls_session->allow_session_resumption = 0;
136 * If we're in a resumed session and it's
139 if (SSL_session_reused(tls_session->ssl)) {
140 RDEBUG("FAIL: Forcibly stopping session resumption as it is not allowed.");
141 return eaptls_fail(handler, peap_flag);
145 * Else resumption IS allowed, so we store the
146 * user data in the cache.
148 } else if (!SSL_session_reused(tls_session->ssl)) {
149 RDEBUG2("Saving response in the cache");
151 vp = paircopy2(request->reply->vps, PW_USER_NAME, 0);
152 if (vp) pairadd(&vps, vp);
154 vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME, 0);
155 if (vp) pairadd(&vps, vp);
157 vp = paircopy2(request->reply->vps, PW_CACHED_SESSION_POLICY, 0);
158 if (vp) pairadd(&vps, vp);
161 SSL_SESSION_set_ex_data(tls_session->ssl->session,
162 eaptls_session_idx, vps);
164 RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
165 SSL_CTX_remove_session(tls_session->ctx,
166 tls_session->ssl->session);
170 * Else the session WAS allowed. Copy the cached
175 vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
178 RDEBUG("WARNING: No information in cached session!");
179 return eaptls_fail(handler, peap_flag);
181 RDEBUG("Adding cached attributes to the reply:");
183 pairadd(&request->reply->vps, paircopy(vp));
186 * Mark the request as resumed.
188 vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
189 if (vp) pairadd(&request->packet->vps, vp);
194 * Call compose AFTER checking for cached data.
196 eaptls_compose(handler->eap_ds, &reply);
199 * Automatically generate MPPE keying material.
201 if (tls_session->prf_label) {
202 eaptls_gen_mppe_keys(&handler->request->reply->vps,
203 tls_session->ssl, tls_session->prf_label);
205 RDEBUG("WARNING: Not adding MPPE keys because there is no PRF label");
211 int eaptls_fail(EAP_HANDLER *handler, int peap_flag)
214 tls_session_t *tls_session = handler->opaque;
216 handler->finished = TRUE;
217 reply.code = EAPTLS_FAIL;
218 reply.length = TLS_HEADER_LEN;
219 reply.flags = peap_flag;
224 * Force the session to NOT be cached.
226 SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session);
228 eaptls_compose(handler->eap_ds, &reply);
234 A single TLS record may be up to 16384 octets in length, but a TLS
235 message may span multiple TLS records, and a TLS certificate message
236 may in principle be as long as 16MB.
240 * Frame the Dirty data that needs to be send to the client in an
241 * EAP-Request. We always embed the TLS-length in all EAP-TLS
242 * packets that we send, for easy reference purpose. Handle
243 * fragmentation and sending the next fragment etc.
245 int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn)
250 unsigned int lbit = 0;
252 /* This value determines whether we set (L)ength flag for
253 EVERY packet we send and add corresponding
254 "TLS Message Length" field.
257 This means we include L flag and "TLS Msg Len" in EVERY
261 This means we include L flag and "TLS Msg Len" **ONLY**
262 in First packet of a fragment series. We do not use
265 Having L flag in every packet is prefered.
268 if (ssn->length_flag) {
271 if (ssn->fragment == 0) {
272 ssn->tls_msg_len = ssn->dirty_out.used;
275 reply.code = EAPTLS_REQUEST;
276 reply.flags = ssn->peap_flag;
278 /* Send data, NOT more than the FRAGMENT size */
279 if (ssn->dirty_out.used > ssn->offset) {
281 reply.flags = SET_MORE_FRAGMENTS(reply.flags);
282 /* Length MUST be included if it is the First Fragment */
283 if (ssn->fragment == 0) {
288 size = ssn->dirty_out.used;
292 reply.dlen = lbit + size;
293 reply.length = TLS_HEADER_LEN + 1/*flags*/ + reply.dlen;
295 reply.data = malloc(reply.dlen);
297 nlen = htonl(ssn->tls_msg_len);
298 memcpy(reply.data, &nlen, lbit);
299 reply.flags = SET_LENGTH_INCLUDED(reply.flags);
301 (ssn->record_minus)(&ssn->dirty_out, reply.data + lbit, size);
303 eaptls_compose(eap_ds, &reply);
311 * Acknowledge received is for one of the following messages sent earlier
312 * 1. Handshake completed Message, so now send, EAP-Success
313 * 2. Alert Message, now send, EAP-Failure
314 * 3. Fragment Message, now send, next Fragment
316 static eaptls_status_t eaptls_ack_handler(EAP_HANDLER *handler)
318 tls_session_t *tls_session;
319 REQUEST *request = handler->request;
321 tls_session = (tls_session_t *)handler->opaque;
322 if (tls_session == NULL){
323 radlog_request(L_ERR, 0, request, "FAIL: Unexpected ACK received. Could not obtain session information.");
326 if (tls_session->info.initialized == 0) {
327 RDEBUG("No SSL info available. Waiting for more SSL data.");
328 return EAPTLS_REQUEST;
330 if ((tls_session->info.content_type == handshake) &&
331 (tls_session->info.origin == 0)) {
332 radlog_request(L_ERR, 0, request, "FAIL: ACK without earlier message.");
336 switch (tls_session->info.content_type) {
338 RDEBUG2("ACK alert");
339 eaptls_fail(handler, tls_session->peap_flag);
343 if ((tls_session->info.handshake_type == finished) &&
344 (tls_session->dirty_out.used == 0)) {
345 RDEBUG2("ACK handshake is finished");
348 * From now on all the content is
349 * application data set it here as nobody else
352 tls_session->info.content_type = application_data;
353 return EAPTLS_SUCCESS;
354 } /* else more data to send */
356 RDEBUG2("ACK handshake fragment handler");
357 /* Fragmentation handler, send next fragment */
358 return EAPTLS_REQUEST;
360 case application_data:
361 RDEBUG2("ACK handshake fragment handler in application data");
362 return EAPTLS_REQUEST;
365 * For the rest of the conditions, switch over
366 * to the default section below.
369 RDEBUG2("ACK default");
370 radlog_request(L_ERR, 0, request, "Invalid ACK received: %d",
371 tls_session->info.content_type);
377 * Similarly, when the EAP server receives an EAP-Response with
378 * the M bit set, it MUST respond with an EAP-Request with
379 * EAP-Type=EAP-TLS and no data. This serves as a fragment ACK.
381 * In order to prevent errors in the processing of fragments, the
382 * EAP server MUST use increment the Identifier value for each
383 * fragment ACK contained within an EAP-Request, and the peer
384 * MUST include this Identifier value in the subsequent fragment
385 * contained within an EAP- Reponse.
387 * EAP server sends an ACK when it determines there are More
388 * fragments to receive to make the complete
389 * TLS-record/TLS-Message
391 static int eaptls_send_ack(EAP_DS *eap_ds, int peap_flag)
395 reply.code = EAPTLS_ACK;
396 reply.length = TLS_HEADER_LEN + 1/*flags*/;
397 reply.flags = peap_flag;
401 eaptls_compose(eap_ds, &reply);
407 * The S flag is set only within the EAP-TLS start message sent
408 * from the EAP server to the peer.
410 * Similarly, when the EAP server receives an EAP-Response with
411 * the M bit set, it MUST respond with an EAP-Request with
412 * EAP-Type=EAP-TLS and no data. This serves as a fragment
413 * ACK. The EAP peer MUST wait.
415 static eaptls_status_t eaptls_verify(EAP_HANDLER *handler)
417 EAP_DS *eap_ds = handler->eap_ds;
418 EAP_DS *prev_eap_ds = handler->prev_eapds;
419 eaptls_packet_t *eaptls_packet, *eaptls_prev = NULL;
420 REQUEST *request = handler->request;
423 * We don't check ANY of the input parameters. It's all
424 * code which works together, so if something is wrong,
425 * we SHOULD core dump.
427 * e.g. if eap_ds is NULL, of if eap_ds->response is
428 * NULL, of if it's NOT an EAP-Response, or if the packet
429 * is too short. See eap_validation()., in ../../eap.c
431 * Also, eaptype_select() takes care of selecting the
432 * appropriate type, so we don't need to check
433 * eap_ds->response->type.type == PW_EAP_TLS, or anything
436 eaptls_packet = (eaptls_packet_t *)eap_ds->response->type.data;
437 if (prev_eap_ds && prev_eap_ds->response)
438 eaptls_prev = (eaptls_packet_t *)prev_eap_ds->response->type.data;
443 * If there's no TLS data, or there's 1 byte of TLS data,
444 * with the flags set to zero, then it's an ACK.
446 * Find if this is a reply to the previous request sent
448 if ((eaptls_packet == NULL) ||
449 ((eap_ds->response->length == EAP_HEADER_LEN + 2) &&
450 ((eaptls_packet->flags & 0xc0) == 0x00))) {
454 * Un-comment this for TLS inside of TTLS/PEAP
456 RDEBUG2("Received EAP-TLS ACK message");
457 return eaptls_ack_handler(handler);
460 (prev_eap_ds->request->id == eap_ds->response->id)) {
462 * Run the ACK handler directly from here.
464 RDEBUG2("Received TLS ACK");
465 return eaptls_ack_handler(handler);
467 radlog_request(L_ERR, 0, request, "Received Invalid TLS ACK");
468 return EAPTLS_INVALID;
474 * We send TLS_START, but do not receive it.
476 if (TLS_START(eaptls_packet->flags)) {
477 RDEBUG("Received unexpected EAP-TLS Start message");
478 return EAPTLS_INVALID;
482 * The L bit (length included) is set to indicate the
483 * presence of the four octet TLS Message Length field,
484 * and MUST be set for the first fragment of a fragmented
485 * TLS message or set of messages.
487 * The M bit (more fragments) is set on all but the last
490 * The S bit (EAP-TLS start) is set in an EAP-TLS Start
491 * message. This differentiates the EAP-TLS Start message
492 * from a fragment acknowledgement.
494 if (TLS_LENGTH_INCLUDED(eaptls_packet->flags)) {
495 DEBUG2(" TLS Length %d",
496 eaptls_packet->data[2] * 256 | eaptls_packet->data[3]);
497 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
499 * FIRST_FRAGMENT is identified
500 * 1. If there is no previous EAP-response received.
501 * 2. If EAP-response received, then its M bit not set.
502 * (It is because Last fragment will not have M bit set)
505 (prev_eap_ds->response == NULL) ||
506 (eaptls_prev == NULL) ||
507 !TLS_MORE_FRAGMENTS(eaptls_prev->flags)) {
509 RDEBUG2("Received EAP-TLS First Fragment of the message");
510 return EAPTLS_FIRST_FRAGMENT;
513 RDEBUG2("More Fragments with length included");
514 return EAPTLS_MORE_FRAGMENTS_WITH_LENGTH;
517 RDEBUG2("Length Included");
518 return EAPTLS_LENGTH_INCLUDED;
522 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
523 RDEBUG2("More fragments to follow");
524 return EAPTLS_MORE_FRAGMENTS;
528 * None of the flags are set, but it's still a valid
538 * length = code + id + length + flags + tlsdata
539 * = 1 + 1 + 2 + 1 + X
540 * length = EAP-length - 1(EAP-Type = 1 octet)
541 * flags = EAP-typedata[0] (1 octet)
542 * dlen = EAP-typedata[1-4] (4 octets), if L flag set
543 * = length - 5(code+id+length+flags), otherwise
544 * data = EAP-typedata[5-n], if L flag set
545 * = EAP-typedata[1-n], otherwise
546 * packet = EAP-typedata (complete typedata)
548 * Points to consider during EAP-TLS data extraction
549 * 1. In the received packet, No data will be present incase of ACK-NAK
550 * 2. Incase if more fragments need to be received then ACK after retreiving this fragment.
552 * RFC 2716 Section 4.2. PPP EAP TLS Request Packet
555 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
556 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
557 * | Code | Identifier | Length |
558 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
559 * | Type | Flags | TLS Message Length
560 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
561 * | TLS Message Length | TLS Data...
562 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
564 * The Length field is two octets and indicates the length of the EAP
565 * packet including the Code, Identifir, Length, Type, and TLS data
568 static EAPTLS_PACKET *eaptls_extract(REQUEST *request, EAP_DS *eap_ds, eaptls_status_t status)
570 EAPTLS_PACKET *tlspacket;
571 uint32_t data_len = 0;
573 uint8_t *data = NULL;
575 if (status == EAPTLS_INVALID)
579 * The main EAP code & eaptls_verify() take care of
580 * ensuring that the packet is OK, and that we can
581 * extract the various fields we want.
583 * e.g. a TLS packet with zero data is allowed as an ACK,
584 * but we will never see it here, as we will simply
585 * send another fragment, instead of trying to extract
588 * MUST have TLS type octet, followed by flags, followed
591 assert(eap_ds->response->length > 2);
593 tlspacket = eaptls_alloc();
594 if (tlspacket == NULL) return NULL;
597 * Code & id for EAPTLS & EAP are same
598 * but eaptls_length = eap_length - 1(EAP-Type = 1 octet)
600 * length = code + id + length + type + tlsdata
601 * = 1 + 1 + 2 + 1 + X
603 tlspacket->code = eap_ds->response->code;
604 tlspacket->id = eap_ds->response->id;
605 tlspacket->length = eap_ds->response->length - 1; /* EAP type */
606 tlspacket->flags = eap_ds->response->type.data[0];
609 * A quick sanity check of the flags. If we've been told
610 * that there's a length, and there isn't one, then stop.
612 if (TLS_LENGTH_INCLUDED(tlspacket->flags) &&
613 (tlspacket->length < 5)) { /* flags + TLS message length */
614 RDEBUG("Invalid EAP-TLS packet received. (Length bit is set, but no length was found.)");
615 eaptls_free(&tlspacket);
620 * If the final TLS packet is larger than we can handle, die
623 * Likewise, if the EAP packet says N bytes, and the TLS
624 * packet says there's fewer bytes, it's a problem.
626 * FIXME: Try to ensure that the claimed length is
627 * consistent across multiple TLS fragments.
629 if (TLS_LENGTH_INCLUDED(tlspacket->flags)) {
630 memcpy(&data_len, &eap_ds->response->type.data[1], 4);
631 data_len = ntohl(data_len);
632 if (data_len > MAX_RECORD_SIZE) {
633 RDEBUG("The EAP-TLS packet will contain more data than we can process.");
634 eaptls_free(&tlspacket);
639 DEBUG2(" TLS: %d %d\n", data_len, tlspacket->length);
641 if (data_len < tlspacket->length) {
642 RDEBUG("EAP-TLS packet claims to be smaller than the encapsulating EAP packet.");
643 eaptls_free(&tlspacket);
651 * The TLS Message Length field is four octets, and
652 * provides the total length of the TLS message or set of
653 * messages that is being fragmented; this simplifies
656 * Dynamic allocation of buffers as & when we know the
657 * length should solve the problem.
659 case EAPTLS_FIRST_FRAGMENT:
660 case EAPTLS_LENGTH_INCLUDED:
661 case EAPTLS_MORE_FRAGMENTS_WITH_LENGTH:
662 if (tlspacket->length < 5) { /* flags + TLS message length */
663 RDEBUG("Invalid EAP-TLS packet received. (Expected length, got none.)");
664 eaptls_free(&tlspacket);
669 * Extract all the TLS fragments from the
670 * previous eap_ds Start appending this
671 * fragment to the above ds
673 memcpy(&data_len, &eap_ds->response->type.data[1], sizeof(uint32_t));
674 data_len = ntohl(data_len);
675 data = (eap_ds->response->type.data + 5/*flags+TLS-Length*/);
676 len = eap_ds->response->type.length - 5/*flags+TLS-Length*/;
679 * Hmm... this should be an error, too.
681 if (data_len > len) {
687 * Data length is implicit, from the EAP header.
689 case EAPTLS_MORE_FRAGMENTS:
691 data_len = eap_ds->response->type.length - 1/*flags*/;
692 data = eap_ds->response->type.data + 1/*flags*/;
696 RDEBUG("Invalid EAP-TLS packet received");
697 eaptls_free(&tlspacket);
701 tlspacket->dlen = data_len;
703 tlspacket->data = (unsigned char *)malloc(data_len);
704 if (tlspacket->data == NULL) {
705 RDEBUG("out of memory");
706 eaptls_free(&tlspacket);
709 memcpy(tlspacket->data, data, data_len);
718 * To process the TLS,
720 * 1. EAP-TLS should get the compelete TLS data from the peer.
721 * 2. Store that data in a data structure with any other required info
722 * 3. Handle that data structure to the TLS module.
723 * 4. TLS module will perform its operations on the data and
724 * handle back to EAP-TLS
727 * 1. EAP-TLS if necessary will fragment it and send it to the
730 * During EAP-TLS initialization, TLS Context object will be
731 * initialized and stored. For every new authentication
732 * requests, TLS will open a new session object and that session
733 * object should be maintained even after the session is
734 * completed for session resumption. (Probably later as a feature
735 * as we donot know who maintains these session objects ie,
736 * SSL_CTX (internally) or TLS module(explicitly). If TLS module,
737 * then how to let SSL API know about these sessions.)
739 static eaptls_status_t eaptls_operation(eaptls_status_t status,
740 EAP_HANDLER *handler)
742 tls_session_t *tls_session;
744 tls_session = (tls_session_t *)handler->opaque;
746 if ((status == EAPTLS_MORE_FRAGMENTS) ||
747 (status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) ||
748 (status == EAPTLS_FIRST_FRAGMENT)) {
752 eaptls_send_ack(handler->eap_ds, tls_session->peap_flag);
753 return EAPTLS_HANDLED;
758 * We have the complete TLS-data or TLS-message.
760 * Clean the dirty message.
762 * Authenticate the user and send
766 * is required then send another request.
768 if (!tls_handshake_recv(handler->request, tls_session)) {
769 DEBUG2("TLS receive handshake failed during operation");
770 eaptls_fail(handler, tls_session->peap_flag);
775 * FIXME: return success/fail.
777 * TLS proper can decide what to do, then.
779 if (tls_session->dirty_out.used > 0) {
780 eaptls_request(handler->eap_ds, tls_session);
781 return EAPTLS_HANDLED;
785 * If there is no data to send i.e
786 * dirty_out.used <=0 and if the SSL
787 * handshake is finished, then return a
791 if (SSL_is_init_finished(tls_session->ssl)) {
793 * Init is finished. The rest is
796 tls_session->info.content_type = application_data;
797 return EAPTLS_SUCCESS;
801 * Who knows what happened...
803 DEBUG2("TLS failed during operation");
809 * In the actual authentication first verify the packet and then create the data structure
812 * To process the TLS,
814 * 1. EAP-TLS should get the compelete TLS data from the peer.
815 * 2. Store that data in a data structure with any other required info
816 * 3. Hand this data structure to the TLS module.
817 * 4. TLS module will perform its operations on the data and hands back to EAP-TLS
819 * 1. EAP-TLS if necessary will fragment it and send it to the destination.
821 * During EAP-TLS initialization, TLS Context object will be
822 * initialized and stored. For every new authentication
823 * requests, TLS will open a new session object and that
824 * session object SHOULD be maintained even after the session
825 * is completed, for session resumption. (Probably later as a
826 * feature, as we do not know who maintains these session
827 * objects ie, SSL_CTX (internally) or TLS module (explicitly). If
828 * TLS module, then how to let SSL API know about these
833 * Process an EAP request
835 eaptls_status_t eaptls_process(EAP_HANDLER *handler)
837 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
838 EAPTLS_PACKET *tlspacket;
839 eaptls_status_t status;
840 REQUEST *request = handler->request;
842 rad_assert(request != NULL);
844 RDEBUG2("processing EAP-TLS");
845 if (handler->certs) pairadd(&request->packet->vps,
846 paircopy(handler->certs));
848 /* This case is when SSL generates Alert then we
849 * send that alert to the client and then send the EAP-Failure
851 status = eaptls_verify(handler);
852 RDEBUG2("eaptls_verify returned %d\n", status);
860 * Success means that we're done the initial
861 * handshake. For TTLS, this means send stuff
862 * back to the client, and the client sends us
863 * more tunneled data.
870 * Normal TLS request, continue with the "get rest
871 * of fragments" phase.
874 eaptls_request(handler->eap_ds, tls_session);
875 return EAPTLS_HANDLED;
879 * The handshake is done, and we're in the "tunnel
883 RDEBUG2("Done initial handshake");
886 * Get the rest of the fragments.
888 case EAPTLS_FIRST_FRAGMENT:
889 case EAPTLS_MORE_FRAGMENTS:
890 case EAPTLS_LENGTH_INCLUDED:
891 case EAPTLS_MORE_FRAGMENTS_WITH_LENGTH:
896 * Extract the TLS packet from the buffer.
898 if ((tlspacket = eaptls_extract(request, handler->eap_ds, status)) == NULL)
902 * Get the session struct from the handler
904 * update the dirty_in buffer
906 * NOTE: This buffer will contain partial data when M bit is set.
908 * CAUTION while reinitializing this buffer, it should be
909 * reinitialized only when this M bit is NOT set.
911 if (tlspacket->dlen !=
912 (tls_session->record_plus)(&tls_session->dirty_in, tlspacket->data, tlspacket->dlen)) {
913 eaptls_free(&tlspacket);
914 RDEBUG("Exceeded maximum record size");
921 eaptls_free(&tlspacket);
924 * SSL initalization is done. Return.
926 * The TLS data will be in the tls_session structure.
928 if (SSL_is_init_finished(tls_session->ssl)) {
932 * The initialization may be finished, but if
933 * there more fragments coming, then send ACK,
934 * and get the caller to continue the
937 if ((status == EAPTLS_MORE_FRAGMENTS) ||
938 (status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) ||
939 (status == EAPTLS_FIRST_FRAGMENT)) {
943 eaptls_send_ack(handler->eap_ds,
944 tls_session->peap_flag);
945 RDEBUG2("Init is done, but tunneled data is fragmented");
946 return EAPTLS_HANDLED;
950 * Decrypt the complete record.
952 BIO_write(tls_session->into_ssl, tls_session->dirty_in.data,
953 tls_session->dirty_in.used);
956 * Clear the dirty buffer now that we are done with it
957 * and init the clean_out buffer to store decrypted data
959 (tls_session->record_init)(&tls_session->dirty_in);
960 (tls_session->record_init)(&tls_session->clean_out);
963 * Read (and decrypt) the tunneled data from the
964 * SSL session, and put it into the decrypted
967 err = SSL_read(tls_session->ssl, tls_session->clean_out.data,
968 sizeof(tls_session->clean_out.data));
971 RDEBUG("SSL_read Error");
973 switch (SSL_get_error(tls_session->ssl, err)) {
974 case SSL_ERROR_WANT_READ:
975 case SSL_ERROR_WANT_WRITE:
976 RDEBUG("Error in fragmentation logic");
980 * FIXME: Call int_ssl_check?
988 RDEBUG("WARNING: No data inside of the tunnel.");
992 * Passed all checks, successfully decrypted data
994 tls_session->clean_out.used = err;
1000 * Continue the handshake.
1002 return eaptls_operation(status, handler);
1007 * compose the TLS reply packet in the EAP reply typedata
1009 int eaptls_compose(EAP_DS *eap_ds, EAPTLS_PACKET *reply)
1014 * Don't set eap_ds->request->type.type, as the main EAP
1015 * handler will do that for us. This allows the TLS
1016 * module to be called from TTLS & PEAP.
1020 * When the EAP server receives an EAP-Response with the
1021 * M bit set, it MUST respond with an EAP-Request with
1022 * EAP-Type=EAP-TLS and no data. This serves as a
1023 * fragment ACK. The EAP peer MUST wait until it receives
1024 * the EAP-Request before sending another fragment.
1026 * In order to prevent errors in the processing of
1027 * fragments, the EAP server MUST use increment the
1028 * Identifier value for each fragment ACK contained
1029 * within an EAP-Request, and the peer MUST include this
1030 * Identifier value in the subsequent fragment contained
1031 * within an EAP- Reponse.
1033 eap_ds->request->type.data = malloc(reply->length - TLS_HEADER_LEN + 1);
1034 if (eap_ds->request->type.data == NULL) {
1035 radlog(L_ERR, "out of memory");
1039 /* EAPTLS Header length is excluded while computing EAP typelen */
1040 eap_ds->request->type.length = reply->length - TLS_HEADER_LEN;
1042 ptr = eap_ds->request->type.data;
1043 *ptr++ = (uint8_t)(reply->flags & 0xFF);
1045 if (reply->dlen) memcpy(ptr, reply->data, reply->dlen);
1047 switch (reply->code) {
1050 case EAPTLS_REQUEST:
1051 eap_ds->request->code = PW_EAP_REQUEST;
1053 case EAPTLS_SUCCESS:
1054 eap_ds->request->code = PW_EAP_SUCCESS;
1057 eap_ds->request->code = PW_EAP_FAILURE;
1060 /* Should never enter here */
1061 eap_ds->request->code = PW_EAP_FAILURE;