src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c

   1 /*
   2  * rlm_eap_leap.c    Handles that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  */
  22
  23 #include <freeradius-devel/autoconf.h>
  24
  25 #include <stdio.h>
  26 #include <stdlib.h>
  27
  28 #include "eap_leap.h"
  29
  30
  31 /*
  32  * send an initial eap-leap request
  33  * ie access challenge to the user/peer.
  34
  35  * Frame eap reply packet.
  36  * len = header + type + leap_typedata
  37  * leap_typedata = value_size + value
  38  */
  39 static int leap_initiate(UNUSED void *instance, EAP_HANDLER *handler)
  40 {
  41         leap_session_t  *session;
  42         LEAP_PACKET     *reply;
  43
  44         DEBUG2("  rlm_eap_leap: Stage 2");
  45
  46         /*
  47          *      LEAP requires a User-Name attribute
  48          */
  49         if (!handler->request->username) {
  50                 DEBUG2("  rlm_eap_leap: User-Name is required for EAP-LEAP authentication.");
  51                 return 0;
  52         }
  53
  54         reply = eapleap_initiate(handler->eap_ds, handler->request->username);
  55         if (reply == NULL)
  56                 return 0;
  57
  58         eapleap_compose(handler->eap_ds, reply);
  59
  60         handler->opaque = malloc(sizeof(leap_session_t));
  61         if (!handler->opaque) {
  62           radlog(L_ERR, "rlm_eap_leap: Out of memory");
  63           eapleap_free(&reply);
  64           return 0;
  65         }
  66
  67         /*
  68          *      Remember which stage we're in, and which challenge
  69          *      we sent to the AP.  The later stages will take care
  70          *      of filling in the peer response.
  71          */
  72         session = (leap_session_t *) handler->opaque;
  73         handler->free_opaque = free; /* just malloc'd memory */
  74
  75         session->stage = 4;     /* the next stage we're in */
  76         memcpy(session->peer_challenge, reply->challenge, reply->count);
  77
  78         DEBUG2("  rlm_eap_leap: Successfully initiated");
  79
  80         /*
  81          *      The next stage to process the packet.
  82          */
  83         handler->stage = AUTHENTICATE;
  84
  85         eapleap_free(&reply);
  86         return 1;
  87 }
  88
  89 static int leap_authenticate(UNUSED void *instance, EAP_HANDLER *handler)
  90 {
  91         int             rcode;
  92         leap_session_t  *session;
  93         LEAP_PACKET     *packet;
  94         LEAP_PACKET     *reply;
  95         char*           username;
  96         VALUE_PAIR      *password;
  97
  98         if (!handler->opaque) {
  99                 radlog(L_ERR, "rlm_eap_leap: Cannot authenticate without LEAP history");
 100                 return 0;
 101         }
 102         session = (leap_session_t *) handler->opaque;
 103         reply = NULL;
 104
 105         /*
 106          *      Extract the LEAP packet.
 107          */
 108         if (!(packet = eapleap_extract(handler->eap_ds)))
 109                 return 0;
 110
 111         username = (char *)handler->request->username->vp_strvalue;
 112
 113         /*
 114          *      The password is never sent over the wire.
 115          *      Always get the configured password, for each user.
 116          */
 117         password = pairfind(handler->request->config_items, PW_PASSWORD);
 118         if (!password) password = pairfind(handler->request->config_items, PW_NT_PASSWORD);
 119         if (!password) {
 120                 radlog(L_INFO, "rlm_eap_leap: No User-Password or NT-Password configured for this user");
 121                 eapleap_free(&packet);
 122                 return 0;
 123         }
 124
 125         /*
 126          *      We've already sent the AP challenge.  This packet
 127          *      should contain the NtChallengeResponse
 128          */
 129         switch (session->stage) {
 130         case 4:                 /* Verify NtChallengeResponse */
 131                 DEBUG2("  rlm_eap_leap: Stage 4");
 132                 rcode = eapleap_stage4(packet, password, session);
 133                 session->stage = 6;
 134
 135                 /*
 136                  *      We send EAP-Success or EAP-Fail, and not
 137                  *      any LEAP packet.  So we return here.
 138                  */
 139                 if (!rcode) {
 140                         handler->eap_ds->request->code = PW_EAP_FAILURE;
 141                         eapleap_free(&packet);
 142                         return 0;
 143                 }
 144
 145                 handler->eap_ds->request->code = PW_EAP_SUCCESS;
 146
 147                 /*
 148                  *      Do this only for Success.
 149                  */
 150                 handler->eap_ds->request->id = handler->eap_ds->response->id + 1;
 151                 handler->eap_ds->set_request_id = 1;
 152
 153                 /*
 154                  *      LEAP requires a challenge in stage 4, not
 155                  *      an Access-Accept, which is normally returned
 156                  *      by eap_compose() in eap.c, when the EAP reply code
 157                  *      is EAP_SUCCESS.
 158                  */
 159                 handler->request->reply->code = PW_ACCESS_CHALLENGE;
 160                 return 1;
 161                 break;
 162
 163         case 6:                 /* Issue session key */
 164                 DEBUG2("  rlm_eap_leap: Stage 6");
 165                 reply = eapleap_stage6(packet, handler->request,
 166                                        handler->request->username, password,
 167                                        session, &handler->request->reply->vps);
 168                 break;
 169
 170                 /*
 171                  *      Stages 1, 3, and 5 are requests from the AP.
 172                  *      Stage 2 is handled by initiate()
 173                  */
 174         default:
 175                 radlog(L_ERR, "  rlm_eap_leap: Internal sanity check failed on stage");
 176                 break;
 177         }
 178
 179         eapleap_free(&packet);
 180
 181         /*
 182          *      Process the packet.  We don't care about any previous
 183          *      EAP packets, as
 184          */
 185         if (!reply) {
 186                 return 0;
 187         }
 188
 189         eapleap_compose(handler->eap_ds, reply);
 190
 191         eapleap_free(&reply);
 192         return 1;
 193 }
 194
 195 /*
 196  *      The module name should be the only globally exported symbol.
 197  *      That is, everything else should be 'static'.
 198  */
 199 EAP_TYPE rlm_eap_leap = {
 200         "eap_leap",
 201         NULL,                   /* attach */
 202         leap_initiate,          /* Start the initial request, after Identity */
 203         NULL,                   /* authorization */
 204         leap_authenticate,      /* authentication */
 205         NULL,                   /* detach */
 206 };