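/*
 *	Compose an EAP-TLS failure reply for this handler and mark the
 *	EAP conversation as finished.
 *
 *	@param handler   EAP handler; its opaque data is the tls_session_t.
 *	@param peap_flag Value stored in the reply's flags field (the
 *	                 callers in this file pass 0).
 *	@return 1 in all cases.
 */
int eaptls_fail(eap_handler_t *handler, int peap_flag)
{
	tls_session_t *tls_session = handler->opaque;

	/*
	 *	Designated initialiser: any EAPTLS_PACKET member not listed
	 *	here is zeroed instead of being left indeterminate on the
	 *	stack, so eaptls_compose() never reads an uninitialised field.
	 */
	EAPTLS_PACKET reply = {
		.code = FR_TLS_FAIL,
		.length = TLS_HEADER_LEN,
		.flags = peap_flag,
		.data = NULL,
		.dlen = 0,
	};

	handler->finished = true;

	/* Tear down the TLS session state before the reply goes out. */
	tls_fail(tls_session);

	eaptls_compose(handler->eap_ds, &reply);

	return 1;
}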
/*
 *	Drive one step of the TLS exchange carried inside EAP-TLS.
 *
 *	Incoming direction: EAP-TLS collects the complete TLS data from
 *	the peer (ACKing each fragment until the last one arrives), keeps
 *	it in the session structure together with the other required
 *	state, and hands that structure to the TLS module.  The TLS module
 *	processes the data and hands back whatever must go to the peer.
 *
 *	Outgoing direction: anything the TLS module produced is queued as
 *	the next EAP request, fragmented by EAP-TLS if necessary.
 *
 *	The TLS context object is created once at EAP-TLS initialisation;
 *	each new authentication opens its own session object.  Keeping
 *	those session objects alive after completion, for session
 *	resumption, is an open design question left by the original
 *	author: it is not settled whether SSL_CTX (internally) or the TLS
 *	module (explicitly) owns them, nor how the SSL API would be told
 *	about them if the TLS module did.
 *
 *	@param status  Result of the EAP-TLS reassembly step for this packet.
 *	@param handler EAP handler; its opaque data is the tls_session_t.
 *	@return FR_TLS_HANDLED when an ACK or request has been queued,
 *		FR_TLS_SUCCESS when the handshake has completed with nothing
 *		left to send, FR_TLS_FAIL otherwise.
 */
static fr_tls_status_t eaptls_operation(fr_tls_status_t status, eap_handler_t *handler)
{
	REQUEST *request = handler->request;	/* REDEBUG() refers to this */
	tls_session_t *ssn = handler->opaque;

	switch (status) {
	case FR_TLS_FIRST_FRAGMENT:
	case FR_TLS_MORE_FRAGMENTS:
		/* Not a whole record yet: ACK it and wait for the next fragment. */
		eaptls_send_ack(handler, ssn->peap_flag);
		return FR_TLS_HANDLED;

	default:
		break;
	}

	/*
	 *	The TLS data or message is complete; let the TLS module
	 *	consume it.  A receive failure tears the session down.
	 */
	if (!tls_handshake_recv(request, ssn)) {
		REDEBUG("TLS receive handshake failed during operation");
		tls_fail(ssn);
		return FR_TLS_FAIL;
	}

	/*
	 *	FIXME (original author): return success/fail and let TLS
	 *	proper decide.  For now, any pending output becomes the
	 *	next request to the peer.
	 */
	if (ssn->dirty_out.used > 0) {
		eaptls_request(handler->eap_ds, ssn);
		return FR_TLS_HANDLED;
	}

	/*
	 *	Nothing left to send and the handshake is finished: whatever
	 *	follows is application data, so report success.
	 */
	if (SSL_is_init_finished(ssn->ssl)) {
		ssn->info.content_type = application_data;
		return FR_TLS_SUCCESS;
	}

	/* No output and the handshake is not finished: treat as a failure. */
	REDEBUG("TLS failed during operation");
	return FR_TLS_FAIL;
}
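/*
 *	Run the configured certificate-check virtual server against a
 *	fake request cloned from the real one, and report whether it
 *	accepted the certificates.
 *
 *	Fails closed: only an explicit Access-Accept from the virtual
 *	server counts as acceptance; any other reply code is a rejection.
 *
 *	@param inst    Module instance; inst->virtual_server is the server
 *	               used unless the request carries its own
 *	               Virtual-Server config item.
 *	@param request Real request.  Its packet VPs are copied into the
 *	               fake request, and the fake reply's VPs are moved
 *	               into request->reply whatever the outcome.
 *	@return true if the virtual server returned Access-Accept,
 *		false otherwise.  The fake request is freed either way.
 */
static bool eaptls_check_virtual_server(rlm_eap_tls_t *inst, REQUEST *request)
{
	VALUE_PAIR *vp;
	REQUEST *fake;
	bool accepted;

	/* create a fake request carrying a copy of the real request's VPs */
	fake = request_alloc_fake(request);
	rad_assert(!fake->packet->vps);
	fake->packet->vps = paircopy(fake->packet, request->packet->vps);

	/* A per-request Virtual-Server config item overrides the module setting. */
	vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY);
	fake->server = vp ? vp->vp_strvalue : inst->virtual_server;

	RDEBUG("Processing EAP-TLS Certificate check:");
	debug_pair_list(fake->packet->vps);
	RDEBUG("server %s {", fake->server);
	rad_virtual_server(fake);
	RDEBUG("} # server %s", fake->server);

	/* copy the reply vps back to our reply, accepted or not */
	pairfilter(request->reply, &request->reply->vps, &fake->reply->vps, 0, 0, TAG_ANY);

	accepted = (fake->reply->code == PW_CODE_AUTHENTICATION_ACK);
	if (!accepted) RDEBUG2("Certificates were rejected by the virtual server");

	request_free(&fake);
	return accepted;
}

#ifndef NDEBUG
/*
 *	Diagnostic hex dump of tunneled data the peer sent after the
 *	handshake, 16 bytes per line, emitted only when debug_flag > 2
 *	and a log file is open.  Note this consumes the data from
 *	tls_session->dirty_in via record_minus().
 *
 *	@param tls_session Session whose dirty_in buffer is drained.
 */
static void eaptls_dump_tunneled_data(tls_session_t *tls_session)
{
	unsigned char buffer[1024];
	unsigned int data_len;
	unsigned int i;

	if ((debug_flag <= 2) || !fr_log_fp) return;

	data_len = (tls_session->record_minus)(&tls_session->dirty_in, buffer, sizeof(buffer));
	DEBUG(" Tunneled data (%u bytes)", data_len);

	for (i = 0; i < data_len; i++) {
		if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, " %x: ", i);
		fprintf(fr_log_fp, "%02x ", buffer[i]);
		/*
		 *	End the line after the 16th byte, not before it;
		 *	the previous ordering put every 16th byte alone at
		 *	the start of the next line.
		 */
		if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
	}
	/* Terminate a partial last line (a full line already ended itself). */
	if (data_len & 0x0f) fprintf(fr_log_fp, "\n");
}
#endif

/*
 *	Do authentication, by letting EAP-TLS do most of the work.
 *
 *	@param type_arg Module instance (rlm_eap_tls_t *).
 *	@param handler  EAP handler for this conversation; its opaque data
 *	                is the tls_session_t.
 *	@return 1 when the TLS exchange is still in progress (reply already
 *		queued), 0 when the handler has failed or been rejected,
 *		otherwise the result of eaptls_success().
 */
static int CC_HINT(nonnull) mod_authenticate(void *type_arg, eap_handler_t *handler)
{
	rlm_eap_tls_t *inst = type_arg;
	tls_session_t *tls_session = (tls_session_t *) handler->opaque;
	REQUEST *request = handler->request;
	fr_tls_status_t status;

	RDEBUG2("Authenticate");

	status = eaptls_process(handler);
	RDEBUG2("eaptls_process returned %d\n", status);

	switch (status) {
	/*
	 *	EAP-TLS handshake was successful.  If a virtual server was
	 *	configured, it must accept the certificates before we send
	 *	an EAP-TLS-Success packet.
	 */
	case FR_TLS_SUCCESS:
		if (inst->virtual_server && !eaptls_check_virtual_server(inst, request)) {
			eaptls_fail(handler, 0);
			return 0;
		}
		break;

	/*
	 *	The TLS code is still working on the TLS exchange, and
	 *	it's a valid TLS request.  Do nothing.
	 */
	case FR_TLS_HANDLED:
		return 1;

	/*
	 *	Handshake is done, but plain EAP-TLS does not expect
	 *	tunneled data afterwards: dump it when debugging, then fail.
	 */
	case FR_TLS_OK:
		RDEBUG2("Received unexpected tunneled data after successful handshake");
#ifndef NDEBUG
		eaptls_dump_tunneled_data(tls_session);
#endif
		eaptls_fail(handler, 0);
		return 0;

	/*
	 *	Anything else: fail.
	 *
	 *	Also, remove the session from the cache so that the
	 *	client can't re-use it.
	 */
	default:
		tls_fail(tls_session);
		return 0;
	}

	/*
	 *	Success: Automatically return MPPE keys.
	 */
	return eaptls_success(handler, 0);
}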