src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c

   1 /*
   2  * rlm_eap_peap.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  * Copyright 2006 The FreeRADIUS server project
  22  */
  23
  24 #include <freeradius-devel/ident.h>
  25 RCSID("$Id$")
  26
  27 #include <freeradius-devel/autoconf.h>
  28 #include "eap_peap.h"
  29
  30 typedef struct rlm_eap_peap_t {
  31         /*
  32          *      Default tunneled EAP type
  33          */
  34         char    *default_eap_type_name;
  35         int     default_eap_type;
  36
  37         /*
  38          *      Use the reply attributes from the tunneled session in
  39          *      the non-tunneled reply to the client.
  40          */
  41         int     use_tunneled_reply;
  42
  43         /*
  44          *      Use SOME of the request attributes from outside of the
  45          *      tunneled session in the tunneled request
  46          */
  47         int     copy_request_to_tunnel;
  48
  49         /*
  50          *      Proxy tunneled session as EAP, or as de-capsulated
  51          *      protocol.
  52          */
  53         int     proxy_tunneled_request_as_eap;
  54
  55         /*
  56          *      Virtual server for inner tunnel session.
  57          */
  58         char    *virtual_server;
  59 } rlm_eap_peap_t;
  60
  61
  62 static CONF_PARSER module_config[] = {
  63         { "default_eap_type", PW_TYPE_STRING_PTR,
  64           offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
  65
  66         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  67           offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
  68
  69         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  70           offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
  71
  72         { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
  73           offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
  74
  75         { "virtual_server", PW_TYPE_STRING_PTR,
  76           offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL },
  77
  78         { NULL, -1, 0, NULL, NULL }           /* end the list */
  79 };
  80
  81 /*
  82  *      Detach the module.
  83  */
  84 static int eappeap_detach(void *arg)
  85 {
  86         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
  87
  88
  89         free(inst);
  90
  91         return 0;
  92 }
  93
  94 /*
  95  *      Attach the module.
  96  */
  97 static int eappeap_attach(CONF_SECTION *cs, void **instance)
  98 {
  99         rlm_eap_peap_t *inst;
 100
 101         inst = malloc(sizeof(*inst));
 102         if (!inst) {
 103                 radlog(L_ERR, "rlm_eap_peap: out of memory");
 104                 return -1;
 105         }
 106         memset(inst, 0, sizeof(*inst));
 107
 108         /*
 109          *      Parse the configuration attributes.
 110          */
 111         if (cf_section_parse(cs, inst, module_config) < 0) {
 112                 eappeap_detach(inst);
 113                 return -1;
 114         }
 115
 116         /*
 117          *      Convert the name to an integer, to make it easier to
 118          *      handle.
 119          */
 120         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 121         if (inst->default_eap_type < 0) {
 122                 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
 123                        inst->default_eap_type_name);
 124                 eappeap_detach(inst);
 125                 return -1;
 126         }
 127
 128         *instance = inst;
 129
 130         return 0;
 131 }
 132
 133 /*
 134  *      Free the PEAP per-session data
 135  */
 136 static void peap_free(void *p)
 137 {
 138         peap_tunnel_t *t = (peap_tunnel_t *) p;
 139
 140         if (!t) return;
 141
 142         pairfree(&t->username);
 143         pairfree(&t->state);
 144         pairfree(&t->accept_vps);
 145
 146         free(t);
 147 }
 148
 149
 150 /*
 151  *      Free the PEAP per-session data
 152  */
 153 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
 154 {
 155         peap_tunnel_t *t;
 156
 157         t = rad_malloc(sizeof(*t));
 158         memset(t, 0, sizeof(*t));
 159
 160         t->default_eap_type = inst->default_eap_type;
 161         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 162         t->use_tunneled_reply = inst->use_tunneled_reply;
 163         t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 164         t->virtual_server = inst->virtual_server;
 165
 166         return t;
 167 }
 168
 169 /*
 170  *      Do authentication, by letting EAP-TLS do most of the work.
 171  */
 172 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 173 {
 174         int rcode;
 175         eaptls_status_t status;
 176         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 177         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 178         peap_tunnel_t *peap = NULL;
 179
 180         DEBUG2("  rlm_eap_peap: Authenticate");
 181
 182         status = eaptls_process(handler);
 183         tls_session->clean_out.used = 0;
 184         DEBUG2("  eaptls_process returned %d\n", status);
 185         switch (status) {
 186                 /*
 187                  *      EAP-TLS handshake was successful, tell the
 188                  *      client to keep talking.
 189                  *
 190                  *      If this was EAP-TLS, we would just return
 191                  *      an EAP-TLS-Success packet here.
 192                  */
 193         case EAPTLS_SUCCESS:
 194                 {
 195                         eap_packet_t eap_packet;
 196
 197                         eap_packet.code = PW_EAP_REQUEST;
 198                         eap_packet.id = handler->eap_ds->response->id + 1;
 199                         eap_packet.length[0] = 0;
 200                         eap_packet.length[1] = EAP_HEADER_LEN + 1;
 201                         eap_packet.data[0] = PW_EAP_IDENTITY;
 202
 203                         (tls_session->record_plus)(&tls_session->clean_in,
 204                                                   &eap_packet, sizeof(eap_packet));
 205
 206                         tls_handshake_send(tls_session);
 207                         (tls_session->record_init)(&tls_session->clean_in);
 208                 }
 209                 eaptls_request(handler->eap_ds, tls_session);
 210                 DEBUG2("  rlm_eap_peap: EAPTLS_SUCCESS");
 211                 return 1;
 212
 213                 /*
 214                  *      The TLS code is still working on the TLS
 215                  *      exchange, and it's a valid TLS request.
 216                  *      do nothing.
 217                  */
 218         case EAPTLS_HANDLED:
 219           /*
 220            *    FIXME: If the SSL session is established, grab the state
 221            *    and EAP id from the inner tunnel, and update it with
 222            *    the expected EAP id!
 223            */
 224                 DEBUG2("  rlm_eap_peap: EAPTLS_HANDLED");
 225                 return 1;
 226
 227                 /*
 228                  *      Handshake is done, proceed with decoding tunneled
 229                  *      data.
 230                  */
 231         case EAPTLS_OK:
 232                 DEBUG2("  rlm_eap_peap: EAPTLS_OK");
 233                 break;
 234
 235                 /*
 236                  *      Anything else: fail.
 237                  */
 238         default:
 239                 DEBUG2("  rlm_eap_peap: EAPTLS_OTHERS");
 240                 return 0;
 241         }
 242
 243         /*
 244          *      Session is established, proceed with decoding
 245          *      tunneled data.
 246          */
 247         DEBUG2("  rlm_eap_peap: Session established.  Decoding tunneled attributes.");
 248
 249         /*
 250          *      We may need PEAP data associated with the session, so
 251          *      allocate it here, if it wasn't already alloacted.
 252          */
 253         if (!tls_session->opaque) {
 254                 tls_session->opaque = peap_alloc(inst);
 255                 tls_session->free_opaque = peap_free;
 256         }
 257
 258         /*
 259          *      Process the PEAP portion of the request.
 260          */
 261         rcode = eappeap_process(handler, tls_session);
 262         switch (rcode) {
 263         case RLM_MODULE_REJECT:
 264                 eaptls_fail(handler->eap_ds, 0);
 265                 return 0;
 266
 267         case RLM_MODULE_HANDLED:
 268                 eaptls_request(handler->eap_ds, tls_session);
 269                 return 1;
 270
 271         case RLM_MODULE_OK:
 272                 eaptls_success(handler->eap_ds, 0);
 273
 274                 /*
 275                  *      Move the saved VP's from the Access-Accept to
 276                  *      our Access-Accept.
 277                  */
 278                 peap = tls_session->opaque;
 279                 if (peap->accept_vps) {
 280                         DEBUG2("  Using saved attributes from the original Access-Accept");
 281                 }
 282                 pairmove(&handler->request->reply->vps, &peap->accept_vps);
 283                 pairfree(&peap->accept_vps);
 284
 285                 eaptls_gen_mppe_keys(&handler->request->reply->vps,
 286                                      tls_session->ssl,
 287                                      "client EAP encryption");
 288
 289                 return 1;
 290
 291                 /*
 292                  *      No response packet, MUST be proxying it.
 293                  *      The main EAP module will take care of discovering
 294                  *      that the request now has a "proxy" packet, and
 295                  *      will proxy it, rather than returning an EAP packet.
 296                  */
 297         case RLM_MODULE_UPDATED:
 298                 rad_assert(handler->request->proxy != NULL);
 299                 return 1;
 300                 break;
 301
 302         default:
 303                 break;
 304         }
 305
 306         eaptls_fail(handler->eap_ds, 0);
 307         return 0;
 308 }
 309
 310
 311 /*
 312  *      The module name should be the only globally exported symbol.
 313  *      That is, everything else should be 'static'.
 314  */
 315 EAP_TYPE rlm_eap_peap = {
 316         "eap_peap",
 317         eappeap_attach,                 /* attach */
 318         /*
 319          *      Note! There is NO eappeap_initate() function, as the
 320          *      main EAP module takes care of calling
 321          *      eaptls_initiate().
 322          *
 323          *      This is because PEAP is a protocol on top of TLS, so
 324          *      before we need to do PEAP, we've got to initiate a TLS
 325          *      session.
 326          */
 327         NULL,                           /* Start the initial request */
 328         NULL,                           /* authorization */
 329         eappeap_authenticate,           /* authentication */
 330         eappeap_detach                  /* detach */
 331 };