src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c

   1 /*
   2  * rlm_eap_peap.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_peap.h"
  29
  30 typedef struct rlm_eap_peap_t {
  31         /*
  32          *      Default tunneled EAP type
  33          */
  34         char    *default_eap_type_name;
  35         int     default_eap_type;
  36
  37         /*
  38          *      Use the reply attributes from the tunneled session in
  39          *      the non-tunneled reply to the client.
  40          */
  41         int     use_tunneled_reply;
  42
  43         /*
  44          *      Use SOME of the request attributes from outside of the
  45          *      tunneled session in the tunneled request
  46          */
  47         int     copy_request_to_tunnel;
  48
  49 #ifdef WITH_PROXY
  50         /*
  51          *      Proxy tunneled session as EAP, or as de-capsulated
  52          *      protocol.
  53          */
  54         int     proxy_tunneled_request_as_eap;
  55 #endif
  56
  57         /*
  58          *      Virtual server for inner tunnel session.
  59          */
  60         char    *virtual_server;
  61
  62         /*
  63          *      Do we do SoH request?
  64          */
  65         int     soh;
  66         char    *soh_virtual_server;
  67 } rlm_eap_peap_t;
  68
  69
  70 static CONF_PARSER module_config[] = {
  71         { "default_eap_type", PW_TYPE_STRING_PTR,
  72           offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
  73
  74         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  75           offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
  76
  77         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  78           offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
  79
  80 #ifdef WITH_PROXY
  81         { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
  82           offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
  83 #endif
  84
  85         { "virtual_server", PW_TYPE_STRING_PTR,
  86           offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL },
  87
  88         { "soh", PW_TYPE_BOOLEAN,
  89           offsetof(rlm_eap_peap_t, soh), NULL, "no" },
  90
  91         { "soh_virtual_server", PW_TYPE_STRING_PTR,
  92           offsetof(rlm_eap_peap_t, soh_virtual_server), NULL, NULL },
  93
  94         { NULL, -1, 0, NULL, NULL }           /* end the list */
  95 };
  96
  97 /*
  98  *      Detach the module.
  99  */
 100 static int eappeap_detach(void *arg)
 101 {
 102         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 103
 104
 105         free(inst);
 106
 107         return 0;
 108 }
 109
 110 /*
 111  *      Attach the module.
 112  */
 113 static int eappeap_attach(CONF_SECTION *cs, void **instance)
 114 {
 115         rlm_eap_peap_t *inst;
 116
 117         inst = malloc(sizeof(*inst));
 118         if (!inst) {
 119                 radlog(L_ERR, "rlm_eap_peap: out of memory");
 120                 return -1;
 121         }
 122         memset(inst, 0, sizeof(*inst));
 123
 124         /*
 125          *      Parse the configuration attributes.
 126          */
 127         if (cf_section_parse(cs, inst, module_config) < 0) {
 128                 eappeap_detach(inst);
 129                 return -1;
 130         }
 131
 132         /*
 133          *      Convert the name to an integer, to make it easier to
 134          *      handle.
 135          */
 136         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 137         if (inst->default_eap_type < 0) {
 138                 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
 139                        inst->default_eap_type_name);
 140                 eappeap_detach(inst);
 141                 return -1;
 142         }
 143
 144         *instance = inst;
 145
 146         return 0;
 147 }
 148
 149 /*
 150  *      Free the PEAP per-session data
 151  */
 152 static void peap_free(void *p)
 153 {
 154         peap_tunnel_t *t = (peap_tunnel_t *) p;
 155
 156         if (!t) return;
 157
 158         pairfree(&t->username);
 159         pairfree(&t->state);
 160         pairfree(&t->accept_vps);
 161         pairfree(&t->soh_reply_vps);
 162
 163         free(t);
 164 }
 165
 166
 167 /*
 168  *      Free the PEAP per-session data
 169  */
 170 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
 171 {
 172         peap_tunnel_t *t;
 173
 174         t = rad_malloc(sizeof(*t));
 175         memset(t, 0, sizeof(*t));
 176
 177         t->default_eap_type = inst->default_eap_type;
 178         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 179         t->use_tunneled_reply = inst->use_tunneled_reply;
 180 #ifdef WITH_PROXY
 181         t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 182 #endif
 183         t->virtual_server = inst->virtual_server;
 184         t->soh = inst->soh;
 185         t->soh_virtual_server = inst->soh_virtual_server;
 186         t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
 187
 188         return t;
 189 }
 190
 191 /*
 192  *      Do authentication, by letting EAP-TLS do most of the work.
 193  */
 194 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 195 {
 196         int rcode;
 197         eaptls_status_t status;
 198         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 199         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 200         peap_tunnel_t *peap = tls_session->opaque;
 201         REQUEST *request = handler->request;
 202
 203         /*
 204          *      Session resumption requires the storage of data, so
 205          *      allocate it if it doesn't already exist.
 206          */
 207         if (!tls_session->opaque) {
 208                 peap = tls_session->opaque = peap_alloc(inst);
 209                 tls_session->free_opaque = peap_free;
 210         }
 211
 212         status = eaptls_process(handler);
 213         RDEBUG2("eaptls_process returned %d\n", status);
 214         switch (status) {
 215                 /*
 216                  *      EAP-TLS handshake was successful, tell the
 217                  *      client to keep talking.
 218                  *
 219                  *      If this was EAP-TLS, we would just return
 220                  *      an EAP-TLS-Success packet here.
 221                  */
 222         case EAPTLS_SUCCESS:
 223                 RDEBUG2("EAPTLS_SUCCESS");
 224                 peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
 225                 break;
 226
 227                 /*
 228                  *      The TLS code is still working on the TLS
 229                  *      exchange, and it's a valid TLS request.
 230                  *      do nothing.
 231                  */
 232         case EAPTLS_HANDLED:
 233           /*
 234            *    FIXME: If the SSL session is established, grab the state
 235            *    and EAP id from the inner tunnel, and update it with
 236            *    the expected EAP id!
 237            */
 238                 RDEBUG2("EAPTLS_HANDLED");
 239                 return 1;
 240
 241                 /*
 242                  *      Handshake is done, proceed with decoding tunneled
 243                  *      data.
 244                  */
 245         case EAPTLS_OK:
 246                 RDEBUG2("EAPTLS_OK");
 247                 break;
 248
 249                 /*
 250                  *      Anything else: fail.
 251                  */
 252         default:
 253                 RDEBUG2("EAPTLS_OTHERS");
 254                 return 0;
 255         }
 256
 257         /*
 258          *      Session is established, proceed with decoding
 259          *      tunneled data.
 260          */
 261         RDEBUG2("Session established.  Decoding tunneled attributes.");
 262
 263         /*
 264          *      We may need PEAP data associated with the session, so
 265          *      allocate it here, if it wasn't already alloacted.
 266          */
 267         if (!tls_session->opaque) {
 268                 tls_session->opaque = peap_alloc(inst);
 269                 tls_session->free_opaque = peap_free;
 270         }
 271
 272         /*
 273          *      Process the PEAP portion of the request.
 274          */
 275         rcode = eappeap_process(handler, tls_session);
 276         switch (rcode) {
 277         case RLM_MODULE_REJECT:
 278                 eaptls_fail(handler, 0);
 279                 return 0;
 280
 281         case RLM_MODULE_HANDLED:
 282                 eaptls_request(handler->eap_ds, tls_session);
 283                 return 1;
 284
 285         case RLM_MODULE_OK:
 286                 /*
 287                  *      Move the saved VP's from the Access-Accept to
 288                  *      our Access-Accept.
 289                  */
 290                 peap = tls_session->opaque;
 291                 if (peap->soh_reply_vps) {
 292                         RDEBUG2("Using saved attributes from the SoH reply");
 293                         debug_pair_list(peap->soh_reply_vps);
 294                         pairadd(&handler->request->reply->vps, peap->soh_reply_vps);
 295                         peap->soh_reply_vps = NULL;
 296                 }
 297                 if (peap->accept_vps) {
 298                         RDEBUG2("Using saved attributes from the original Access-Accept");
 299                         debug_pair_list(peap->accept_vps);
 300                         pairadd(&handler->request->reply->vps, peap->accept_vps);
 301                         peap->accept_vps = NULL;
 302                 }
 303
 304                 /*
 305                  *      Success: Automatically return MPPE keys.
 306                  */
 307                 return eaptls_success(handler, 0);
 308
 309                 /*
 310                  *      No response packet, MUST be proxying it.
 311                  *      The main EAP module will take care of discovering
 312                  *      that the request now has a "proxy" packet, and
 313                  *      will proxy it, rather than returning an EAP packet.
 314                  */
 315         case RLM_MODULE_UPDATED:
 316 #ifdef WITH_PROXY
 317                 rad_assert(handler->request->proxy != NULL);
 318 #endif
 319                 return 1;
 320                 break;
 321
 322         default:
 323                 break;
 324         }
 325
 326         eaptls_fail(handler, 0);
 327         return 0;
 328 }
 329
 330
 331 /*
 332  *      The module name should be the only globally exported symbol.
 333  *      That is, everything else should be 'static'.
 334  */
 335 EAP_TYPE rlm_eap_peap = {
 336         "eap_peap",
 337         eappeap_attach,                 /* attach */
 338         /*
 339          *      Note! There is NO eappeap_initate() function, as the
 340          *      main EAP module takes care of calling
 341          *      eaptls_initiate().
 342          *
 343          *      This is because PEAP is a protocol on top of TLS, so
 344          *      before we need to do PEAP, we've got to initiate a TLS
 345          *      session.
 346          */
 347         NULL,                           /* Start the initial request */
 348         NULL,                           /* authorization */
 349         eappeap_authenticate,           /* authentication */
 350         eappeap_detach                  /* detach */
 351 };