int eaptls_fail(eap_handler_t *handler, int peap_flag)
{
EAPTLS_PACKET reply;
tls_session_t *tls_session = handler->opaque;
handler->finished = true;
reply.code = FR_TLS_FAIL;
reply.length = TLS_HEADER_LEN;
reply.flags = peap_flag;
reply.data = NULL;
reply.dlen = 0;
tls_fail(tls_session);
eaptls_compose(handler->eap_ds, &reply);
return 1;
}
/*
* To process the TLS,
* INCOMING DATA:
* 1. EAP-TLS should get the compelete TLS data from the peer.
* 2. Store that data in a data structure with any other required info
* 3. Handle that data structure to the TLS module.
* 4. TLS module will perform its operations on the data and
* handle back to EAP-TLS
*
* OUTGOING DATA:
* 1. EAP-TLS if necessary will fragment it and send it to the
* destination.
*
* During EAP-TLS initialization, TLS Context object will be
* initialized and stored. For every new authentication
* requests, TLS will open a new session object and that session
* object should be maintained even after the session is
* completed for session resumption. (Probably later as a feature
* as we donot know who maintains these session objects ie,
* SSL_CTX (internally) or TLS module(explicitly). If TLS module,
* then how to let SSL API know about these sessions.)
*/
static fr_tls_status_t eaptls_operation(fr_tls_status_t status, eap_handler_t *handler)
{
REQUEST *request = handler->request;
tls_session_t *tls_session = handler->opaque;
if ((status == FR_TLS_MORE_FRAGMENTS) ||
(status == FR_TLS_FIRST_FRAGMENT)) {
/*
* Send the ACK.
*/
eaptls_send_ack(handler, tls_session->peap_flag);
return FR_TLS_HANDLED;
}
/*
* We have the complete TLS-data or TLS-message.
*
* Clean the dirty message.
*
* Authenticate the user and send
* Success/Failure.
*
* If more info
* is required then send another request.
*/
if (!tls_handshake_recv(handler->request, tls_session)) {
REDEBUG("TLS receive handshake failed during operation");
tls_fail(tls_session);
return FR_TLS_FAIL;
}
/*
* FIXME: return success/fail.
*
* TLS proper can decide what to do, then.
*/
if (tls_session->dirty_out.used > 0) {
eaptls_request(handler->eap_ds, tls_session);
return FR_TLS_HANDLED;
}
/*
* If there is no data to send i.e
* dirty_out.used <=0 and if the SSL
* handshake is finished, then return a
* EPTLS_SUCCESS
*/
if (SSL_is_init_finished(tls_session->ssl)) {
/*
* Init is finished. The rest is
* application data.
*/
tls_session->info.content_type = application_data;
return FR_TLS_SUCCESS;
}
/*
* Who knows what happened...
*/
REDEBUG("TLS failed during operation");
return FR_TLS_FAIL;
}
/*
* Do authentication, by letting EAP-TLS do most of the work.
*/
static int CC_HINT(nonnull) mod_authenticate(void *type_arg, eap_handler_t *handler)
{
fr_tls_status_t status;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
REQUEST *request = handler->request;
rlm_eap_tls_t *inst;
inst = type_arg;
RDEBUG2("Authenticate");
status = eaptls_process(handler);
RDEBUG2("eaptls_process returned %d\n", status);
switch (status) {
/*
* EAP-TLS handshake was successful, return an
* EAP-TLS-Success packet here.
*
* If a virtual server was configured, check that
* it accepts the certificates, too.
*/
case FR_TLS_SUCCESS:
if (inst->virtual_server) {
VALUE_PAIR *vp;
REQUEST *fake;
/* create a fake request */
fake = request_alloc_fake(request);
rad_assert(!fake->packet->vps);
fake->packet->vps = paircopy(fake->packet, request->packet->vps);
/* set the virtual server to use */
if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else {
fake->server = inst->virtual_server;
}
RDEBUG("Processing EAP-TLS Certificate check:");
debug_pair_list(fake->packet->vps);
RDEBUG("server %s {", fake->server);
rad_virtual_server(fake);
RDEBUG("} # server %s", fake->server);
/* copy the reply vps back to our reply */
pairfilter(request->reply, &request->reply->vps,
&fake->reply->vps, 0, 0, TAG_ANY);
/* reject if virtual server didn't return accept */
if (fake->reply->code != PW_CODE_AUTHENTICATION_ACK) {
RDEBUG2("Certificates were rejected by the virtual server");
request_free(&fake);
eaptls_fail(handler, 0);
return 0;
}
request_free(&fake);
/* success */
}
break;
/*
* The TLS code is still working on the TLS
* exchange, and it's a valid TLS request.
* do nothing.
*/
case FR_TLS_HANDLED:
return 1;
/*
* Handshake is done, proceed with decoding tunneled
* data.
*/
case FR_TLS_OK:
RDEBUG2("Received unexpected tunneled data after successful handshake");
#ifndef NDEBUG
if ((debug_flag > 2) && fr_log_fp) {
unsigned int i;
unsigned int data_len;
unsigned char buffer[1024];
data_len = (tls_session->record_minus)(&tls_session->dirty_in,
buffer, sizeof(buffer));
DEBUG(" Tunneled data (%u bytes)", data_len);
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, " %x: ", i);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
fprintf(fr_log_fp, "%02x ", buffer[i]);
}
fprintf(fr_log_fp, "\n");
}
#endif
eaptls_fail(handler, 0);
return 0;
break;
/*
* Anything else: fail.
*
* Also, remove the session from the cache so that
* the client can't re-use it.
*/
default:
tls_fail(tls_session);
return 0;
}
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
}
