
📄 eaptls.c

📁 Can be used on Linux to pass 802.1x authentication
💻 C
```c
/**
 * A client-side 802.1x implementation supporting EAP/TLS
 *
 * This code is released under both the GPL version 2 and BSD licenses.
 * Either license may be used.  The respective licenses are found below.
 *
 * Copyright (C) 2002 Bryan D. Payne & Nick L. Petroni Jr.
 * All Rights Reserved
 *
 * --- GPL Version 2 License ---
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 *
 * --- BSD License ---
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *  - Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *  - Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *  - All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *       This product includes software developed by the University of
 *       Maryland at College Park and its contributors.
 *  - Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*******************************************************************
 * EAPTLS Function implementations
 *
 * File: eaptls.c
 *
 * Authors: bdpayne@cs.umd.edu, npetroni@cs.umd.edu
 *
 * $Id: eaptls.c,v 1.13 2003/03/11 19:30:56 chessing Exp $
 * $Date: 2003/03/11 19:30:56 $
 * $Log: eaptls.c,v $
 * Revision 1.13  2003/03/11 19:30:56  chessing
 * Various code cleanups
 *
 * Revision 1.12  2003/03/11 18:06:32  chessing
 * TLS should now work with IAS and Radiator
 *
 * Revision 1.11  2003/03/10 23:35:45  chessing
 * Patches to try to get TLS working with RADIUS servers other than FreeRADIUS.
 *
 * Revision 1.10  2003/01/24 20:48:23  chessing
 * Cleaned up framing code, TLS no longer sends a malformed frame.
 *
 * Revision 1.9  2003/01/23 22:45:01  chessing
 * Added some global functions to handle packet fragments, and more TLS cleanups.
 *
 * Revision 1.8  2003/01/14 23:52:07  chessing
 * More work on the TLS code.  It should be mostly stable now.  There is a
 * problem if get_pass("") in eaptls_auth_challenge is called twice.
 *
 * Revision 1.7  2003/01/14 19:12:50  chessing
 * TLS code now uses OpenSSL!  Cleaned out some of the no longer needed stuff
 * from the TLS code.  Still needs more work on error checking.
 *
 * Revision 1.6  2003/01/10 22:09:08  galimorerpg
 * SSL_DEBUG define fix for gcc 3.2
 *
 * Revision 1.5  2003/01/09 20:17:29  galimorerpg
 * Logging Updates
 *
 * Revision 1.4  2003/01/09 18:38:01  galimorerpg
 * Makefile fixes
 *
 * Revision 1.3  2003/01/06 22:31:08  chessing
 * Debugging code cleanups....
 *
 * Revision 1.2  2003/01/03 22:25:36  chessing
 * Turned off debugging code, (use the configure options to turn on the
 * debugging) and added -w option to get around some problems with the Intel
 * iANS drivers, and some wired/wireless issues with the MacOS-X wireless code.
 *
 * Revision 1.1  2003/01/02 19:35:47  chessing
 * Add some files that were missed in the last import..
 *
 *******************************************************************/

/***
 *** Specifics for EAPTLS can be found in
 *** IETF RFC 2716
 ***/

#ifndef SSL_DEBUG
#define SSL_DEBUG 0  /* turn debug info on  deprecated- Use --with-tls-debug */
#endif

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <arpa/inet.h>   /* ntohl() */

#include "eaptls.h"
#include "eapcrypt.h"
#include "../../userconf.h"
#include "logging.h"
#include "auth_methods/auth_tools.h"

/** GLOBAL VARS **/
char *eaptls_netid;
char *eaptls_config;
//char *root_cert = NULL;
int root_cert_loaded = 0;
int user_cert_loaded = 0;

// The number of bytes that make up our certificate.
uint32_t cert_size = 0;

/** FUNCTION DEFINITIONS **/

/**
 * Initialization function for EAPTLS.  This initializes the
 * data needed for the protocol and initializes variables needed to
 * start the eaptls handshake.
 * CHANGED by npetroni to only do those things which happen *once*
 * at TLS startup.  Added function eaptls_reset() to prepare TLS
 * for a new handshake
 *
 * (IN)  file name to the config file
 * (OUT) success = 0, failure = -1
 */
int init_eaptls (char *config, char *netid)
{
  eaptls_netid = netid;
  eaptls_config = config;
#if SSL_DEBUG
  xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Changed state to 0\n");
#endif
  return eapcrypt_tls_init();
}

// Shutdown and cleanup anything we need to.
int eaptls_shutdown(void)
{
  // Don't free one_x_globals here.  That will be handled by shutdown_eap.
#if SSL_DEBUG
  xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Cleaning up.\n");
#endif
  return eapcrypt_tls_shutdown();
}

/**
 * Decodes a packet and creates the data needed for a new packet.
 * This function is called by the eap layer with new packets as
 * they are received.  The input buffer points to the beginning
 * of the EAPTLS portion of the packet (the flags).  The reply
 * packet should be placed in the output buffer.
 *
 * The memory for the output buffer is created here, but will be
 * freed by the eap layer when it is done using it.
 *
 * (IN)  input and output packet buffers, with lengths
 * (OUT) success = 0, failure = -1
 */
int eaptls_decode_packet (u_char *in, int in_size, u_char *out, int *out_size)
{
  int rtnVal = 0;
  u_char *p = NULL;
  uint8_t *tptr = NULL;
  uint32_t len_long;
  int tcnt;
  long temp_size;

  *out_size = 0;

  // since we are acting as the supplicant, we can safely assume
  // that the request bit is set on all packets that we receive

  // see what type of packet this is
  switch(in[0]){
    case (EAPTLS_START):
#if SSL_DEBUG
      xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Received eap-tls start packet\n");
#endif //SSL_DEBUG
      /* prepare to start a new handshake */
      eapcrypt_tls_reset();  //This will reset the TLS.
#if SSL_DEBUG
      xlogf(DEBUG_AUTHTYPES, "Changed state to INIT\n");
#endif
      rtnVal = eapcrypt_tls_parse_data(NULL, 0);
      if (rtnVal < 0)
        {
          xlogf(DEBUG_NORMAL, "(EAPTLS) Parse data failed!\n");
          return rtnVal;
        }
      rtnVal = eapcrypt_tls_return_data(out, out_size);
      break;
//---------------------------------------------------------------------------
    case (EAPTLS_LENGTH_MORE):
    case (EAPTLS_MORE_FRAGS):
    case (EAPTLS_LENGTH_INCL):
      /* This is a fragment of data we care about.  So, stash it away.  If
         it is the final fragment, start returning data, instead of ACKs. */
      p = in + 1;

      // If we have a Length Included tag, then there are four extra bytes
      // (the big-endian TLS Message Length, RFC 2716 section 4.2).
      // Note the size convention used throughout this function: in_size as
      // handed over by the eap layer is 4 less than the number of bytes that
      // follow the flags byte, hence the -1 / +3 adjustments here and the +3
      // in the 0x00 case below.
      if ((in[0] == EAPTLS_LENGTH_MORE) || (in[0] == EAPTLS_LENGTH_INCL))
        {
          memcpy(&len_long, &in[1], 4);
          temp_size = ntohl(len_long);
          cert_size = temp_size;
          p = &in[5];  // Skip our length bytes.
          in_size -= 1;  // And skip them.
        } else {
          in_size += 3;
        }

      /* sanity check on the given packet length */
      if (in_size == 0) {
        xlogf(DEBUG_NORMAL, "(EAPTLS) Packet has 0 length! (We should *NEVER* get here!\n");
        rtnVal = eapcrypt_tls_return_data(out, out_size);
        return rtnVal;
      }

      if (save_data_fragment(p, in_size) != 0)
        {
          xlogf(DEBUG_NORMAL, "(EAPTLS) Couldn't store packet fragment!\n");
          return -1;
        } else {
          xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Saved packet fragment.\n");
        }
#if SSL_DEBUG
      xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Saved packet fragment\n");
#endif //SSL_DEBUG
      if (in[0] != EAPTLS_LENGTH_INCL)
        {
          // we should also return an ack when we are done
          rtnVal = eaptls_build_ack(out, out_size);
        } else {
          rtnVal = eapcrypt_tls_parse_data((char *)get_data_fragment(), get_data_frag_size());
          destroy_data_frags();
          if (rtnVal < 0)
            {
              xlogf(DEBUG_NORMAL, "(EAPTLS) Parse data failed!\n");
              return rtnVal;
            }
          rtnVal = eapcrypt_tls_return_data(out, out_size);
        }
      break;
//---------------------------------------------------------------------------
    case (0x00):
      // We have a 0x00 signal, which could be an ACK, if there isn't
      // any data.  Otherwise, we need to pass some data in.
      if (in_size > 1)
        {
          p = in + 1;
          if (save_data_fragment(p, in_size + 3) != 0)
            {
              xlogf(DEBUG_NORMAL, "(TLS) Couldn't save final data fragment!\n");
              return -1;
            } else {
              xlogf(DEBUG_AUTHTYPES, "(TLS) Saved final data fragment!\n");
            }
          tptr = get_data_fragment();
          tcnt = get_data_frag_size();
          // Make sure we have enough data in the cert!  cert_size is only
          // set when a Length Included fragment was seen, so this is a
          // diagnostic rather than a hard failure.
          if (tcnt != (int)cert_size)
            {
              xlogf(DEBUG_NORMAL, "(TLS) Not enough data to form the certificate!!!!\n");
            }
          rtnVal = eapcrypt_tls_parse_data((char *)tptr, tcnt);
          destroy_data_frags();
          if (rtnVal < 0)
            {
              xlogf(DEBUG_NORMAL, "(TLS) Parse data failed!\n");
              return rtnVal;
            }
        }
      // We got an ACK, so return some of our data.
      rtnVal = eapcrypt_tls_return_data(out, out_size);
      break;
//---------------------------------------------------------------------------
    default:
      // we should never get here, return an error and do
      // absolutely nothing...this packet has funky flags
#if SSL_DEBUG
      xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Received packet with incorrect flags!\n");
#endif //SSL_DEBUG
      rtnVal = -1;
      break;
  }

  return rtnVal;
}

/**
 * Builds a simple "ACK" packet.  These packets are just sent to
 * indicate the receipt of a fragmented packet and such.  The
 * packet has only one byte whose value is 0x00.
 *
 * (IN)  output buffer and length
 * (OUT) success = 0, failure = -1
 */
int eaptls_build_ack (u_char *out, int *out_size)
{
  *out_size = 1;
  out[0] = 0x00;   // write the flags byte, not the pointer itself
#if SSL_DEBUG
  xlogf(DEBUG_AUTHTYPES, "(EAPTLS) Sending an ack\n");
#endif //SSL_DEBUG
  return 0;
}

int eaptls_auth_challenge(void)
{
  char *client_cert = NULL;
  char *client_key = NULL;
  char *temp_password = NULL;
  char *temp_username = NULL;
  char *root_cert = NULL;

  temp_username = get_username();

  if (root_cert_loaded == 0)
    {
      // load CA cert.
      root_cert = get_root_cert();   //Get the filename/path for the root cert.
      if (eapcrypt_tls_load_root_cert(root_cert) < 0)
        {
          if (root_cert != NULL) free(root_cert);
          if (temp_username != NULL) free(temp_username);
          return -1;
        }
      if (root_cert != NULL) free(root_cert);
      root_cert_loaded = 1;  // We now have the root cert loaded.
    }

  if (user_cert_loaded == 0)
    {
      // First, get the password for the private key.
      temp_password = get_password();  //See if we have one in the file.
      if (temp_password == NULL)
        {
          xlogf(DEBUG_NORMAL, "(TLS Authentication) %s's Password : ", temp_username);
          temp_password = getpass("");   //This is obsolete! Fix it! (It also causes problems with incorrect passwords.)
        }
      if (temp_password == NULL)    // This should be impossible at this point!
        {
          if (temp_username != NULL) free(temp_username);
          return -1;
        }

      // Clean up after ourselves..
      if (temp_username != NULL) free(temp_username);

      client_cert = get_client_cert();
      client_key = get_key_file();
      if (eapcrypt_tls_load_user_cert(client_cert, client_key, temp_password) < 0)
        {
          xlogf(DEBUG_NORMAL, "Couldn't load certificate! (May be an incorrect password!)\n");
          if (client_cert) free(client_cert);
          if (client_key) free(client_key);
          return -1;
        }
      // The file names are no longer needed once the cert and key are loaded.
      if (client_cert) free(client_cert);
      if (client_key) free(client_key);

      set_password(temp_password);
      user_cert_loaded = 1;
      return 0;
    }

  if (temp_username != NULL) free(temp_username);
  return 0;
}
/*** EOF ***/
```
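The fragment handling in eaptls_decode_packet above trusts the peer's announced length: cert_size is recorded from the L-flagged fragment, but a mismatch with the bytes actually collected is only logged, and nothing stops a peer from delivering more data than it announced. The following is an added example, not code from eaptls.c or from its authors, of a small RFC 2716 fragment reassembler that enforces those checks. It defines the L/M/S flag bits itself from RFC 2716 section 4.2 (the file above takes its EAPTLS_* names from eaptls.h, which is not shown), the TLS_MAX_MESSAGE cap is an assumed value, and all function and type names are this example's own. The three demo functions feed constructed fragments: a normal three-fragment message, a final fragment that leaves the message short, and a fragment that overruns the announced total.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* EAP-TLS flag bits per RFC 2716 section 4.2 (defined here for this example). */
#define TLS_FLAG_L 0x80   /* Length included: 4-byte TLS Message Length follows */
#define TLS_FLAG_M 0x40   /* More fragments follow */
#define TLS_FLAG_S 0x20   /* EAP-TLS Start */

/* Assumed upper bound on a reassembled TLS message; tune to your deployment. */
#define TLS_MAX_MESSAGE 65536

enum reasm_result { REASM_ERROR = -1, REASM_ACK = 0, REASM_COMPLETE = 1, REASM_START = 2 };

typedef struct {
  uint8_t *buf;      /* reassembled TLS data */
  size_t len;        /* bytes received so far */
  size_t expected;   /* total announced by the L flag, 0 if not announced */
  int in_progress;   /* a message is currently being collected */
} tls_reasm;

static void reasm_reset(tls_reasm *r)
{
  free(r->buf);
  r->buf = NULL;
  r->len = 0;
  r->expected = 0;
  r->in_progress = 0;
}

/* Feed one EAP-TLS payload (in points at the flags byte).  On REASM_COMPLETE
 * the caller reads r->buf / r->len and then calls reasm_reset(). */
static int reasm_feed(tls_reasm *r, const uint8_t *in, size_t in_len)
{
  if (in_len == 0) return REASM_ERROR;
  uint8_t flags = in[0];
  const uint8_t *data = in + 1;
  size_t data_len = in_len - 1;

  if (flags & 0x1F) return REASM_ERROR;             /* reserved bits must be zero */
  if (flags & TLS_FLAG_S) { reasm_reset(r); return REASM_START; }

  /* A bare 0x00 with no data is an ACK; it makes no sense mid-reassembly. */
  if (flags == 0 && data_len == 0) return r->in_progress ? REASM_ERROR : REASM_ACK;

  if (flags & TLS_FLAG_L) {
    /* L is only valid on the first fragment and needs the 4 length bytes. */
    if (r->in_progress || data_len < 4) return REASM_ERROR;
    uint32_t total = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                     ((uint32_t)data[2] << 8) | (uint32_t)data[3];
    if (total == 0 || total > TLS_MAX_MESSAGE) return REASM_ERROR;
    data += 4;
    data_len -= 4;
    r->expected = total;
  }
  r->in_progress = 1;

  /* Never accept more than the announced total (or the hard cap). */
  size_t limit = r->expected ? r->expected : TLS_MAX_MESSAGE;
  if (data_len > limit - r->len) return REASM_ERROR;

  if (data_len > 0) {
    uint8_t *nb = realloc(r->buf, r->len + data_len);
    if (nb == NULL) return REASM_ERROR;
    r->buf = nb;
    memcpy(r->buf + r->len, data, data_len);
    r->len += data_len;
  }

  if (flags & TLS_FLAG_M) return REASM_ACK;         /* reply with a 0x00 ACK */

  /* Final fragment: the announced total must be met exactly. */
  if (r->expected && r->len != r->expected) return REASM_ERROR;
  return REASM_COMPLETE;
}

/* Constructed sample: a 6-byte payload sent as three fragments.
 * Returns the reassembled length if the bytes came out intact. */
static int demo_reassemble(void)
{
  tls_reasm r = {0};
  const uint8_t want[6] = { 0x16, 0x03, 0x01, 0x00, 0x00, 0x02 };
  const uint8_t frag1[] = { TLS_FLAG_L | TLS_FLAG_M, 0, 0, 0, 6, 0x16, 0x03 };
  const uint8_t frag2[] = { TLS_FLAG_M, 0x01, 0x00 };
  const uint8_t frag3[] = { 0x00, 0x00, 0x02 };
  int rc = -1;
  if (reasm_feed(&r, frag1, sizeof frag1) == REASM_ACK &&
      reasm_feed(&r, frag2, sizeof frag2) == REASM_ACK &&
      reasm_feed(&r, frag3, sizeof frag3) == REASM_COMPLETE &&
      r.len == sizeof want && memcmp(r.buf, want, sizeof want) == 0)
    rc = (int)r.len;
  reasm_reset(&r);
  return rc;
}

/* Constructed sample: announces 6 bytes, but the "last" fragment only reaches 4. */
static int demo_short_final(void)
{
  tls_reasm r = {0};
  const uint8_t frag1[] = { TLS_FLAG_L | TLS_FLAG_M, 0, 0, 0, 6, 0x16, 0x03 };
  const uint8_t frag2[] = { 0x00, 0x01, 0x00 };
  reasm_feed(&r, frag1, sizeof frag1);
  int rc = reasm_feed(&r, frag2, sizeof frag2);
  reasm_reset(&r);
  return rc;
}

/* Constructed sample: announces 4 bytes, then tries to deliver 5 in total. */
static int demo_overrun(void)
{
  tls_reasm r = {0};
  const uint8_t frag1[] = { TLS_FLAG_L | TLS_FLAG_M, 0, 0, 0, 4, 0x16, 0x03 };
  const uint8_t frag2[] = { 0x00, 0x01, 0x02, 0x03 };
  reasm_feed(&r, frag1, sizeof frag1);
  int rc = reasm_feed(&r, frag2, sizeof frag2);
  reasm_reset(&r);
  return rc;
}
```

demo_reassemble() returns 6 and both malformed sequences return REASM_ERROR, where the file above would have logged a mismatch and handed the partial or oversized buffer to the TLS layer anyway. Keeping the announced length, the running count and the hard cap together in one state struct (rather than in file-scope globals like cert_size) also means a stale value from an earlier message cannot leak into the next handshake.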
