/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eapttls_initiate(void *type_arg, EAP_HANDLER *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_ttls_t *inst;
VALUE_PAIR *vp;
int client_cert = FALSE;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = TRUE;
handler->finished = FALSE;
/*
* Check if we need a client certificate.
*/
client_cert = inst->req_client_cert;
/*
* EAP-TLS-Require-Client-Cert attribute will override
* the require_client_cert configuration option.
*/
vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
if (vp) {
client_cert = vp->vp_integer;
}
ssn = eaptls_session(inst->tls_conf, handler, client_cert);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
/*
* Set up type-specific information.
*/
ssn->prf_label = "ttls keying material";
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eaptls_initiate(void *type_arg, eap_handler_t *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_tls_t *inst;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = true;
handler->finished = false;
/*
* EAP-TLS always requires a client certificate.
*/
ssn = eaptls_session(inst->tls_conf, handler, true);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
/*
* Set up type-specific information.
*/
ssn->prf_label = "client EAP encryption";
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eappeap_initiate(void *type_arg, eap_handler_t *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_peap_t *inst;
VALUE_PAIR *vp;
bool client_cert;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = true;
handler->finished = false;
/*
* Check if we need a client certificate.
*/
/*
* EAP-TLS-Require-Client-Cert attribute will override
* the require_client_cert configuration option.
*/
vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
if (vp) {
client_cert = vp->vp_integer ? true : false;
} else {
client_cert = inst->req_client_cert;
}
ssn = eaptls_session(handler, inst->tls_conf, client_cert);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
/*
* Set up type-specific information.
*/
ssn->prf_label = "client EAP encryption";
/*
* As it is a poorly designed protocol, PEAP uses
* bits in the TLS header to indicate PEAP
* version numbers. For now, we only support
* PEAP version 0, so it doesn't matter too much.
* However, if we support later versions of PEAP,
* we will need this flag to indicate which
* version we're currently dealing with.
*/
ssn->peap_flag = 0x00;
/*
* PEAP version 0 requires 'include_length = no',
* so rather than hoping the user figures it out,
* we force it here.
*/
ssn->length_flag = 0;
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer.
*
* Frame eap reply packet.
* len = header + type + tls_typedata
* tls_typedata = flags(Start (S) bit set, and no data)
*
* Once having received the peer's Identity, the EAP server MUST
* respond with an EAP-TLS/Start packet, which is an
* EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit
* set, and no data. The EAP-TLS conversation will then begin,
* with the peer sending an EAP-Response packet with
* EAP-Type = EAP-TLS. The data field of that packet will
* be the TLS data.
*
* Fragment length is Framed-MTU - 4.
*
* http://mail.frascone.com/pipermail/public/eap/2003-July/001426.html
*/
static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
{
int status;
tls_session_t *ssn;
eap_tls_t *inst;
VALUE_PAIR *vp;
int client_cert = TRUE;
int verify_mode = 0;
REQUEST *request = handler->request;
inst = (eap_tls_t *)type_arg;
handler->tls = TRUE;
handler->finished = FALSE;
/*
* Manually flush the sessions every so often. If HALF
* of the session lifetime has passed since we last
* flushed, then flush it again.
*
* FIXME: Also do it every N sessions?
*/
if (inst->conf->session_cache_enable &&
((inst->conf->session_last_flushed + (inst->conf->session_timeout * 1800)) <= request->timestamp)) {
RDEBUG2("Flushing SSL sessions (of #%ld)",
SSL_CTX_sess_number(inst->ctx));
SSL_CTX_flush_sessions(inst->ctx, request->timestamp);
inst->conf->session_last_flushed = request->timestamp;
}
/*
* If we're TTLS or PEAP, then do NOT require a client
* certificate.
*
* FIXME: This should be more configurable.
*/
if (handler->eap_type != PW_EAP_TLS) {
vp = pairfind(handler->request->config_items,
PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0);
if (!vp) {
client_cert = FALSE;
} else {
client_cert = vp->vp_integer;
}
}
/*
* Every new session is started only from EAP-TLS-START.
* Before Sending EAP-TLS-START, open a new SSL session.
* Create all the required data structures & store them
* in Opaque. So that we can use these data structures
* when we get the response
*/
ssn = eaptls_new_session(inst->ctx, client_cert);
if (!ssn) {
return 0;
}
/*
* Verify the peer certificate, if asked.
*/
if (client_cert) {
RDEBUG2("Requiring client certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
}
SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
/*
* Create a structure for all the items required to be
* verified for each client and set that as opaque data
* structure.
*
* NOTE: If we want to set each item sepearately then
* this index should be global.
*/
SSL_set_ex_data(ssn->ssl, 0, (void *)handler);
SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf);
#ifdef HAVE_OPENSSL_OCSP_H
SSL_set_ex_data(ssn->ssl, 2, (void *)inst->store);
#endif
ssn->length_flag = inst->conf->include_length;
/*
* We use default fragment size, unless the Framed-MTU
* tells us it's too big. Note that we do NOT account
* for the EAP-TLS headers if conf->fragment_size is
* large, because that config item looks to be confusing.
*
* i.e. it should REALLY be called MTU, and the code here
* should figure out what that means for TLS fragment size.
* asking the administrator to know the internal details
* of EAP-TLS in order to calculate fragment sizes is
* just too much.
*/
ssn->offset = inst->conf->fragment_size;
vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU, 0);
if (vp && ((vp->vp_integer - 14) < ssn->offset)) {
/*
* Discount the Framed-MTU by:
* 4 : EAPOL header
* 4 : EAP header (code + id + length)
* 1 : EAP type == EAP-TLS
* 1 : EAP-TLS Flags
* 4 : EAP-TLS Message length
* (even if conf->include_length == 0,
* just to be lazy).
* ---
* 14
*/
ssn->offset = vp->vp_integer - 14;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
RDEBUG2("Initiate");
/*
* Set up type-specific information.
*/
switch (handler->eap_type) {
case PW_EAP_TLS:
default:
ssn->prf_label = "client EAP encryption";
break;
case PW_EAP_TTLS:
ssn->prf_label = "ttls keying material";
break;
/*
* PEAP-specific breakage.
*/
case PW_EAP_PEAP:
/*
* As it is a poorly designed protocol, PEAP uses
* bits in the TLS header to indicate PEAP
* version numbers. For now, we only support
* PEAP version 0, so it doesn't matter too much.
* However, if we support later versions of PEAP,
* we will need this flag to indicate which
* version we're currently dealing with.
*/
ssn->peap_flag = 0x00;
/*
* PEAP version 0 requires 'include_length = no',
* so rather than hoping the user figures it out,
* we force it here.
*/
ssn->length_flag = 0;
ssn->prf_label = "client EAP encryption";
break;
}
if (inst->conf->session_cache_enable) {
ssn->allow_session_resumption = 1; /* otherwise it's zero */
}
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0)
return 0;
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer.
*
* Frame eap reply packet.
* len = header + type + tls_typedata
* tls_typedata = flags(Start (S) bit set, and no data)
*
* Once having received the peer's Identity, the EAP server MUST
* respond with an EAP-TLS/Start packet, which is an
* EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit
* set, and no data. The EAP-TLS conversation will then begin,
* with the peer sending an EAP-Response packet with
* EAP-Type = EAP-TLS. The data field of that packet will
* be the TLS data.
*
* Fragment length is Framed-MTU - 4.
*
* http://mail.frascone.com/pipermail/public/eap/2003-July/001426.html
*/
static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
{
int status;
tls_session_t *ssn;
eap_tls_t *inst;
VALUE_PAIR *vp;
int client_cert = TRUE;
int verify_mode = SSL_VERIFY_NONE;
inst = (eap_tls_t *)type_arg;
/*
* If we're TTLS or PEAP, then do NOT require a client
* certificate.
*
* FIXME: This should be more configurable.
*/
if (handler->eap_type != PW_EAP_TLS) {
vp = pairfind(handler->request->config_items,
PW_EAP_TLS_REQUIRE_CLIENT_CERT);
if (!vp) {
client_cert = FALSE;
} else {
client_cert = vp->lvalue;
}
}
/*
* Every new session is started only from EAP-TLS-START.
* Before Sending EAP-TLS-START, open a new SSL session.
* Create all the required data structures & store them
* in Opaque. So that we can use these data structures
* when we get the response
*/
ssn = eaptls_new_session(inst->ctx, client_cert);
if (!ssn) {
return 0;
}
/*
* Verify the peer certificate, if asked.
*/
if (client_cert) {
DEBUG2(" rlm_eap_tls: Requiring client certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
}
SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
/*
* Create a structure for all the items required to be
* verified for each client and set that as opaque data
* structure.
*
* NOTE: If we want to set each item sepearately then
* this index should be global.
*/
SSL_set_ex_data(ssn->ssl, 0, (void *)handler);
SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf);
ssn->length_flag = inst->conf->include_length;
/*
* We use default fragment size, unless the Framed-MTU
* tells us it's too big. Note that we do NOT account
* for the EAP-TLS headers if conf->fragment_size is
* large, because that config item looks to be confusing.
*
* i.e. it should REALLY be called MTU, and the code here
* should figure out what that means for TLS fragment size.
* asking the administrator to know the internal details
* of EAP-TLS in order to calculate fragment sizes is
* just too much.
*/
ssn->offset = inst->conf->fragment_size;
vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU);
if (vp && ((vp->lvalue - 14) < ssn->offset)) {
/*
* Discount the Framed-MTU by:
* 4 : EAPOL header
* 4 : EAP header (code + id + length)
* 1 : EAP type == EAP-TLS
* 1 : EAP-TLS Flags
* 4 : EAP-TLS Message length
* (even if conf->include_length == 0,
* just to be lazy).
* ---
* 14
*/
ssn->offset = vp->lvalue - 14;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
DEBUG2(" rlm_eap_tls: Initiate");
/*
* PEAP-specific breakage.
*/
if (handler->eap_type == PW_EAP_PEAP) {
/*
* As it is a poorly designed protocol, PEAP uses
* bits in the TLS header to indicate PEAP
* version numbers. For now, we only support
* PEAP version 0, so it doesn't matter too much.
* However, if we support later versions of PEAP,
* we will need this flag to indicate which
* version we're currently dealing with.
*/
ssn->peap_flag = 0x00;
/*
* PEAP version 0 requires 'include_length = no',
* so rather than hoping the user figures it out,
* we force it here.
*/
ssn->length_flag = 0;
}
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
DEBUG2(" rlm_eap_tls: Start returned %d", status);
if (status == 0)
return 0;
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
