2 * rlm_eap_ttls.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
31 typedef struct rlm_eap_ttls_t {
33 * Default tunneled EAP type
35 char *default_eap_type_name;
39 * Use the reply attributes from the tunneled session in
40 * the non-tunneled reply to the client.
42 int use_tunneled_reply;
45 * Use SOME of the request attributes from outside of the
46 * tunneled session in the tunneled request
48 int copy_request_to_tunnel;
51 * RFC 5281 (TTLS) says that the length field MUST NOT be
52 * in fragments after the first one. However, we've done
53 * it that way for years, and no one has complained.
55 * In the interests of allowing the server to follow the
56 * RFC, we add the option here. If set to "no", it sends
57 * the length field in ONLY the first fragment.
62 * Virtual server for inner tunnel session.
68 static CONF_PARSER module_config[] = {
69 { "default_eap_type", PW_TYPE_STRING_PTR,
70 offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
72 { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
73 offsetof(rlm_eap_ttls_t, copy_request_to_tunnel), NULL, "no" },
75 { "use_tunneled_reply", PW_TYPE_BOOLEAN,
76 offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
78 { "virtual_server", PW_TYPE_STRING_PTR,
79 offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
81 { "include_length", PW_TYPE_BOOLEAN,
82 offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
84 { NULL, -1, 0, NULL, NULL } /* end the list */
90 static int eapttls_detach(void *arg)
92 rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
103 static int eapttls_attach(CONF_SECTION *cs, void **instance)
105 rlm_eap_ttls_t *inst;
107 inst = malloc(sizeof(*inst));
109 radlog(L_ERR, "rlm_eap_ttls: out of memory");
112 memset(inst, 0, sizeof(*inst));
115 * Parse the configuration attributes.
117 if (cf_section_parse(cs, inst, module_config) < 0) {
118 eapttls_detach(inst);
123 * Convert the name to an integer, to make it easier to
126 inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
127 if (inst->default_eap_type < 0) {
128 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
129 inst->default_eap_type_name);
130 eapttls_detach(inst);
140 * Free the TTLS per-session data
142 static void ttls_free(void *p)
144 ttls_tunnel_t *t = (ttls_tunnel_t *) p;
149 DEBUG2("rlm_eap_ttls: Freeing handler for user %s",
150 t->username->vp_strvalue);
153 pairfree(&t->username);
155 pairfree(&t->accept_vps);
161 * Allocate the TTLS per-session data
163 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
167 t = rad_malloc(sizeof(*t));
168 memset(t, 0, sizeof(*t));
170 t->default_eap_type = inst->default_eap_type;
171 t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
172 t->use_tunneled_reply = inst->use_tunneled_reply;
173 t->virtual_server = inst->virtual_server;
179 * Do authentication, by letting EAP-TLS do most of the work.
181 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
184 eaptls_status_t status;
185 rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
186 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
187 ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
188 REQUEST *request = handler->request;
190 RDEBUG2("Authenticate");
192 tls_session->length_flag = inst->include_length;
195 * Process TLS layer until done.
197 status = eaptls_process(handler);
198 RDEBUG2("eaptls_process returned %d\n", status);
201 * EAP-TLS handshake was successful, tell the
202 * client to keep talking.
204 * If this was EAP-TLS, we would just return
205 * an EAP-TLS-Success packet here.
208 if (SSL_session_reused(tls_session->ssl)) {
209 RDEBUG("Skipping Phase2 due to session resumption");
213 if (t && t->authenticated) {
215 pairadd(&handler->request->reply->vps,
217 t->accept_vps = NULL;
221 * Success: Automatically return MPPE keys.
223 return eaptls_success(handler, 0);
225 eaptls_request(handler->eap_ds, tls_session);
230 * The TLS code is still working on the TLS
231 * exchange, and it's a valid TLS request.
238 * Handshake is done, proceed with decoding tunneled
245 * Anything else: fail.
252 * Session is established, proceed with decoding
255 RDEBUG2("Session established. Proceeding to decode tunneled attributes.");
258 * We may need TTLS data associated with the session, so
259 * allocate it here, if it wasn't already alloacted.
261 if (!tls_session->opaque) {
262 tls_session->opaque = ttls_alloc(inst);
263 tls_session->free_opaque = ttls_free;
267 * Process the TTLS portion of the request.
269 rcode = eapttls_process(handler, tls_session);
271 case PW_AUTHENTICATION_REJECT:
272 eaptls_fail(handler, 0);
276 * Access-Challenge, continue tunneled conversation.
278 case PW_ACCESS_CHALLENGE:
279 eaptls_request(handler->eap_ds, tls_session);
283 * Success: Automatically return MPPE keys.
285 case PW_AUTHENTICATION_ACK:
286 return eaptls_success(handler, 0);
289 * No response packet, MUST be proxying it.
290 * The main EAP module will take care of discovering
291 * that the request now has a "proxy" packet, and
292 * will proxy it, rather than returning an EAP packet.
294 case PW_STATUS_CLIENT:
296 rad_assert(handler->request->proxy != NULL);
306 * Something we don't understand: Reject it.
308 eaptls_fail(handler, 0);
313 * The module name should be the only globally exported symbol.
314 * That is, everything else should be 'static'.
316 EAP_TYPE rlm_eap_ttls = {
318 eapttls_attach, /* attach */
320 * Note! There is NO eapttls_initate() function, as the
321 * main EAP module takes care of calling
324 * This is because TTLS is a protocol on top of TLS, so
325 * before we need to do TTLS, we've got to initiate a TLS
328 NULL, /* Start the initial request */
329 NULL, /* authorization */
330 eapttls_authenticate, /* authentication */
331 eapttls_detach /* detach */