src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c

   1 /*
   2  * rlm_eap_peap.c  contains the interfaces that are called from eap
   3  *
   4  * Version:     $Id$
   5  *
   6  *   This program is free software; you can redistribute it and/or modify
   7  *   it under the terms of the GNU General Public License as published by
   8  *   the Free Software Foundation; either version 2 of the License, or
   9  *   (at your option) any later version.
  10  *
  11  *   This program is distributed in the hope that it will be useful,
  12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *   GNU General Public License for more details.
  15  *
  16  *   You should have received a copy of the GNU General Public License
  17  *   along with this program; if not, write to the Free Software
  18  *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  19  *
  20  * Copyright 2003 Alan DeKok <aland@freeradius.org>
  21  */
  22
  23 #include "autoconf.h"
  24 #include "eap_peap.h"
  25
  26 typedef struct rlm_eap_peap_t {
  27         /*
  28          *      Default tunneled EAP type
  29          */
  30         char    *default_eap_type_name;
  31         int     default_eap_type;
  32
  33         /*
  34          *      Use the reply attributes from the tunneled session in
  35          *      the non-tunneled reply to the client.
  36          */
  37         int     use_tunneled_reply;
  38
  39         /*
  40          *      Use SOME of the request attributes from outside of the
  41          *      tunneled session in the tunneled request
  42          */
  43         int     copy_request_to_tunnel;
  44
  45         /*
  46          *      Proxy tunneled session as EAP, or as de-capsulated
  47          *      protocol.
  48          */
  49         int     proxy_tunneled_request_as_eap;
  50 } rlm_eap_peap_t;
  51
  52
  53 static CONF_PARSER module_config[] = {
  54         { "default_eap_type", PW_TYPE_STRING_PTR,
  55           offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
  56
  57         { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
  58           offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
  59
  60         { "use_tunneled_reply", PW_TYPE_BOOLEAN,
  61           offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
  62
  63         { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
  64           offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
  65
  66         { NULL, -1, 0, NULL, NULL }           /* end the list */
  67 };
  68
  69 /*
  70  *      Detach the module.
  71  */
  72 static int eappeap_detach(void *arg)
  73 {
  74         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
  75
  76         if (inst->default_eap_type_name) free(inst->default_eap_type_name);
  77
  78         free(inst);
  79
  80         return 0;
  81 }
  82
  83 /*
  84  *      Attach the module.
  85  */
  86 static int eappeap_attach(CONF_SECTION *cs, void **instance)
  87 {
  88         rlm_eap_peap_t *inst;
  89
  90         inst = malloc(sizeof(*inst));
  91         if (!inst) {
  92                 radlog(L_ERR, "rlm_eap_peap: out of memory");
  93                 return -1;
  94         }
  95         memset(inst, 0, sizeof(*inst));
  96
  97         /*
  98          *      Parse the configuration attributes.
  99          */
 100         if (cf_section_parse(cs, inst, module_config) < 0) {
 101                 eappeap_detach(inst);
 102                 return -1;
 103         }
 104
 105         /*
 106          *      Convert the name to an integer, to make it easier to
 107          *      handle.
 108          */
 109         inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
 110         if (inst->default_eap_type < 0) {
 111                 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
 112                        inst->default_eap_type_name);
 113                 eappeap_detach(inst);
 114                 return -1;
 115         }
 116
 117         *instance = inst;
 118
 119         return 0;
 120 }
 121
 122 /*
 123  *      Free the PEAP per-session data
 124  */
 125 static void peap_free(void *p)
 126 {
 127         peap_tunnel_t *t = (peap_tunnel_t *) p;
 128
 129         if (!t) return;
 130
 131         pairfree(&t->username);
 132         pairfree(&t->state);
 133         pairfree(&t->accept_vps);
 134
 135         free(t);
 136 }
 137
 138
 139 /*
 140  *      Free the PEAP per-session data
 141  */
 142 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
 143 {
 144         peap_tunnel_t *t;
 145
 146         t = rad_malloc(sizeof(*t));
 147         memset(t, 0, sizeof(*t));
 148
 149         t->default_eap_type = inst->default_eap_type;
 150         t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
 151         t->use_tunneled_reply = inst->use_tunneled_reply;
 152         t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 153
 154         return t;
 155 }
 156
 157 /*
 158  *      Do authentication, by letting EAP-TLS do most of the work.
 159  */
 160 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 161 {
 162         int rcode;
 163         eaptls_status_t status;
 164         rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
 165         tls_session_t *tls_session = (tls_session_t *) handler->opaque;
 166
 167         DEBUG2("  rlm_eap_peap: Authenticate");
 168
 169         status = eaptls_process(handler);
 170         DEBUG2("  eaptls_process returned %d\n", status);
 171         switch (status) {
 172                 /*
 173                  *      EAP-TLS handshake was successful, tell the
 174                  *      client to keep talking.
 175                  *
 176                  *      If this was EAP-TLS, we would just return
 177                  *      an EAP-TLS-Success packet here.
 178                  */
 179         case EAPTLS_SUCCESS:
 180                 {
 181                         eap_packet_t eap_packet;
 182
 183                         eap_packet.code = PW_EAP_REQUEST;
 184                         eap_packet.id = handler->eap_ds->response->id + 1;
 185                         eap_packet.length[0] = 0;
 186                         eap_packet.length[1] = EAP_HEADER_LEN + 1;
 187                         eap_packet.data[0] = PW_EAP_IDENTITY;
 188
 189                         (tls_session->record_plus)(&tls_session->clean_in,
 190                                                   &eap_packet, sizeof(eap_packet));
 191
 192                         tls_handshake_send(tls_session);
 193                         (tls_session->record_init)(&tls_session->clean_in);
 194                 }
 195                 eaptls_request(handler->eap_ds, tls_session);
 196                 DEBUG2("  rlm_eap_peap: EAPTLS_SUCCESS");
 197                 return 1;
 198
 199                 /*
 200                  *      The TLS code is still working on the TLS
 201                  *      exchange, and it's a valid TLS request.
 202                  *      do nothing.
 203                  */
 204         case EAPTLS_HANDLED:
 205                 DEBUG2("  rlm_eap_peap: EAPTLS_HANDLED");
 206                 return 1;
 207
 208                 /*
 209                  *      Handshake is done, proceed with decoding tunneled
 210                  *      data.
 211                  */
 212         case EAPTLS_OK:
 213                 DEBUG2("  rlm_eap_peap: EAPTLS_OK");
 214                 break;
 215
 216                 /*
 217                  *      Anything else: fail.
 218                  */
 219         default:
 220                 DEBUG2("  rlm_eap_peap: EAPTLS_OTHERS");
 221                 return 0;
 222         }
 223
 224         /*
 225          *      Session is established, proceed with decoding
 226          *      tunneled data.
 227          */
 228         DEBUG2("  rlm_eap_peap: Session established.  Decoding tunneled attributes.");
 229
 230         /*
 231          *      We may need PEAP data associated with the session, so
 232          *      allocate it here, if it wasn't already alloacted.
 233          */
 234         if (!tls_session->opaque) {
 235                 tls_session->opaque = peap_alloc(inst);
 236                 tls_session->free_opaque = peap_free;
 237         }
 238
 239         /*
 240          *      Process the PEAP portion of the request.
 241          */
 242         rcode = eappeap_process(handler, tls_session);
 243         switch (rcode) {
 244         case RLM_MODULE_REJECT:
 245                 eaptls_fail(handler->eap_ds, 0);
 246                 return 0;
 247
 248         case RLM_MODULE_HANDLED:
 249                 eaptls_request(handler->eap_ds, tls_session);
 250                 return 1;
 251
 252         case RLM_MODULE_OK:
 253                 eaptls_success(handler->eap_ds, 0);
 254
 255                 /*
 256                  *      Move the saved VP's from the Access-Accept to
 257                  *      our Access-Accept.
 258                  */
 259                 if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) {
 260                         DEBUG2("  Using saved attributes from the original Access-Accept");
 261                 }
 262                 pairadd(&handler->request->reply->vps,
 263                         ((peap_tunnel_t *) tls_session->opaque)->accept_vps);
 264                 ((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL;
 265
 266                 eaptls_gen_mppe_keys(&handler->request->reply->vps,
 267                                      tls_session->ssl,
 268                                      "client EAP encryption");
 269
 270                 return 1;
 271
 272                 /*
 273                  *      No response packet, MUST be proxying it.
 274                  *      The main EAP module will take care of discovering
 275                  *      that the request now has a "proxy" packet, and
 276                  *      will proxy it, rather than returning an EAP packet.
 277                  */
 278         case RLM_MODULE_UPDATED:
 279                 rad_assert(handler->request->proxy != NULL);
 280                 return 1;
 281                 break;
 282
 283         default:
 284                 break;
 285         }
 286
 287         eaptls_fail(handler->eap_ds, 0);
 288         return 0;
 289 }
 290
 291
 292 /*
 293  *      The module name should be the only globally exported symbol.
 294  *      That is, everything else should be 'static'.
 295  */
 296 EAP_TYPE rlm_eap_peap = {
 297         "eap_peap",
 298         eappeap_attach,                 /* attach */
 299         /*
 300          *      Note! There is NO eappeap_initate() function, as the
 301          *      main EAP module takes care of calling
 302          *      eaptls_initiate().
 303          *
 304          *      This is because PEAP is a protocol on top of TLS, so
 305          *      before we need to do PEAP, we've got to initiate a TLS
 306          *      session.
 307          */
 308         NULL,                           /* Start the initial request */
 309         NULL,                           /* authorization */
 310         eappeap_authenticate,           /* authentication */
 311         eappeap_detach                  /* detach */
 312 };