2 * rlm_eap_leap.c Handles that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
36 * send an initial eap-leap request
37 * ie access challenge to the user/peer.
39 * Frame eap reply packet.
40 * len = header + type + leap_typedata
41 * leap_typedata = value_size + value
43 static int leap_initiate(UNUSED void *instance, EAP_HANDLER *handler)
45 leap_session_t *session;
48 DEBUG2(" rlm_eap_leap: Stage 2");
51 * LEAP requires a User-Name attribute
53 if (!handler->request->username) {
54 DEBUG2(" rlm_eap_leap: User-Name is required for EAP-LEAP authentication.");
58 reply = eapleap_initiate(handler->eap_ds, handler->request->username);
62 eapleap_compose(handler->eap_ds, reply);
64 handler->opaque = malloc(sizeof(leap_session_t));
65 if (!handler->opaque) {
66 radlog(L_ERR, "rlm_eap_leap: Out of memory");
72 * Remember which stage we're in, and which challenge
73 * we sent to the AP. The later stages will take care
74 * of filling in the peer response.
76 session = (leap_session_t *) handler->opaque;
77 handler->free_opaque = free; /* just malloc'd memory */
79 session->stage = 4; /* the next stage we're in */
80 memcpy(session->peer_challenge, reply->challenge, reply->count);
82 DEBUG2(" rlm_eap_leap: Successfully initiated");
85 * The next stage to process the packet.
87 handler->stage = AUTHENTICATE;
93 static int leap_authenticate(UNUSED void *instance, EAP_HANDLER *handler)
96 leap_session_t *session;
100 VALUE_PAIR *password;
102 if (!handler->opaque) {
103 radlog(L_ERR, "rlm_eap_leap: Cannot authenticate without LEAP history");
106 session = (leap_session_t *) handler->opaque;
110 * Extract the LEAP packet.
112 if (!(packet = eapleap_extract(handler->eap_ds)))
115 username = (char *)handler->request->username->vp_strvalue;
118 * The password is never sent over the wire.
119 * Always get the configured password, for each user.
121 password = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD);
122 if (!password) password = pairfind(handler->request->config_items, PW_NT_PASSWORD);
124 radlog(L_INFO, "rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user");
125 eapleap_free(&packet);
130 * We've already sent the AP challenge. This packet
131 * should contain the NtChallengeResponse
133 switch (session->stage) {
134 case 4: /* Verify NtChallengeResponse */
135 DEBUG2(" rlm_eap_leap: Stage 4");
136 rcode = eapleap_stage4(packet, password, session);
140 * We send EAP-Success or EAP-Fail, and not
141 * any LEAP packet. So we return here.
144 handler->eap_ds->request->code = PW_EAP_FAILURE;
145 eapleap_free(&packet);
149 handler->eap_ds->request->code = PW_EAP_SUCCESS;
152 * Do this only for Success.
154 handler->eap_ds->request->id = handler->eap_ds->response->id + 1;
155 handler->eap_ds->set_request_id = 1;
158 * LEAP requires a challenge in stage 4, not
159 * an Access-Accept, which is normally returned
160 * by eap_compose() in eap.c, when the EAP reply code
163 handler->request->reply->code = PW_ACCESS_CHALLENGE;
167 case 6: /* Issue session key */
168 DEBUG2(" rlm_eap_leap: Stage 6");
169 reply = eapleap_stage6(packet, handler->request,
170 handler->request->username, password,
171 session, &handler->request->reply->vps);
175 * Stages 1, 3, and 5 are requests from the AP.
176 * Stage 2 is handled by initiate()
179 radlog(L_ERR, " rlm_eap_leap: Internal sanity check failed on stage");
183 eapleap_free(&packet);
186 * Process the packet. We don't care about any previous
193 eapleap_compose(handler->eap_ds, reply);
195 eapleap_free(&reply);
200 * The module name should be the only globally exported symbol.
201 * That is, everything else should be 'static'.
203 EAP_TYPE rlm_eap_leap = {
206 leap_initiate, /* Start the initial request, after Identity */
207 NULL, /* authorization */
208 leap_authenticate, /* authentication */