2 * rlm_eap_peap.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
23 #include <freeradius-devel/autoconf.h>
26 typedef struct rlm_eap_peap_t {
28 * Default tunneled EAP type
30 char *default_eap_type_name;
34 * Use the reply attributes from the tunneled session in
35 * the non-tunneled reply to the client.
37 int use_tunneled_reply;
40 * Use SOME of the request attributes from outside of the
41 * tunneled session in the tunneled request
43 int copy_request_to_tunnel;
46 * Proxy tunneled session as EAP, or as de-capsulated
49 int proxy_tunneled_request_as_eap;
53 static CONF_PARSER module_config[] = {
54 { "default_eap_type", PW_TYPE_STRING_PTR,
55 offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
57 { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
58 offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
60 { "use_tunneled_reply", PW_TYPE_BOOLEAN,
61 offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
63 { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
64 offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
66 { NULL, -1, 0, NULL, NULL } /* end the list */
72 static int eappeap_detach(void *arg)
74 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
76 if (inst->default_eap_type_name) free(inst->default_eap_type_name);
86 static int eappeap_attach(CONF_SECTION *cs, void **instance)
90 inst = malloc(sizeof(*inst));
92 radlog(L_ERR, "rlm_eap_peap: out of memory");
95 memset(inst, 0, sizeof(*inst));
98 * Parse the configuration attributes.
100 if (cf_section_parse(cs, inst, module_config) < 0) {
101 eappeap_detach(inst);
106 * Convert the name to an integer, to make it easier to
109 inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
110 if (inst->default_eap_type < 0) {
111 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
112 inst->default_eap_type_name);
113 eappeap_detach(inst);
123 * Free the PEAP per-session data
125 static void peap_free(void *p)
127 peap_tunnel_t *t = (peap_tunnel_t *) p;
131 pairfree(&t->username);
133 pairfree(&t->accept_vps);
140 * Free the PEAP per-session data
142 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
146 t = rad_malloc(sizeof(*t));
147 memset(t, 0, sizeof(*t));
149 t->default_eap_type = inst->default_eap_type;
150 t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
151 t->use_tunneled_reply = inst->use_tunneled_reply;
152 t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
158 * Do authentication, by letting EAP-TLS do most of the work.
160 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
163 eaptls_status_t status;
164 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
165 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
167 DEBUG2(" rlm_eap_peap: Authenticate");
169 status = eaptls_process(handler);
170 DEBUG2(" eaptls_process returned %d\n", status);
173 * EAP-TLS handshake was successful, tell the
174 * client to keep talking.
176 * If this was EAP-TLS, we would just return
177 * an EAP-TLS-Success packet here.
181 eap_packet_t eap_packet;
183 eap_packet.code = PW_EAP_REQUEST;
184 eap_packet.id = handler->eap_ds->response->id + 1;
185 eap_packet.length[0] = 0;
186 eap_packet.length[1] = EAP_HEADER_LEN + 1;
187 eap_packet.data[0] = PW_EAP_IDENTITY;
189 (tls_session->record_plus)(&tls_session->clean_in,
190 &eap_packet, sizeof(eap_packet));
192 tls_handshake_send(tls_session);
193 (tls_session->record_init)(&tls_session->clean_in);
195 eaptls_request(handler->eap_ds, tls_session);
196 DEBUG2(" rlm_eap_peap: EAPTLS_SUCCESS");
200 * The TLS code is still working on the TLS
201 * exchange, and it's a valid TLS request.
205 DEBUG2(" rlm_eap_peap: EAPTLS_HANDLED");
209 * Handshake is done, proceed with decoding tunneled
213 DEBUG2(" rlm_eap_peap: EAPTLS_OK");
217 * Anything else: fail.
220 DEBUG2(" rlm_eap_peap: EAPTLS_OTHERS");
225 * Session is established, proceed with decoding
228 DEBUG2(" rlm_eap_peap: Session established. Decoding tunneled attributes.");
231 * We may need PEAP data associated with the session, so
232 * allocate it here, if it wasn't already alloacted.
234 if (!tls_session->opaque) {
235 tls_session->opaque = peap_alloc(inst);
236 tls_session->free_opaque = peap_free;
240 * Process the PEAP portion of the request.
242 rcode = eappeap_process(handler, tls_session);
244 case RLM_MODULE_REJECT:
245 eaptls_fail(handler->eap_ds, 0);
248 case RLM_MODULE_HANDLED:
249 eaptls_request(handler->eap_ds, tls_session);
253 eaptls_success(handler->eap_ds, 0);
256 * Move the saved VP's from the Access-Accept to
259 if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) {
260 DEBUG2(" Using saved attributes from the original Access-Accept");
262 pairadd(&handler->request->reply->vps,
263 ((peap_tunnel_t *) tls_session->opaque)->accept_vps);
264 ((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL;
266 eaptls_gen_mppe_keys(&handler->request->reply->vps,
268 "client EAP encryption");
273 * No response packet, MUST be proxying it.
274 * The main EAP module will take care of discovering
275 * that the request now has a "proxy" packet, and
276 * will proxy it, rather than returning an EAP packet.
278 case RLM_MODULE_UPDATED:
279 rad_assert(handler->request->proxy != NULL);
287 eaptls_fail(handler->eap_ds, 0);
293 * The module name should be the only globally exported symbol.
294 * That is, everything else should be 'static'.
296 EAP_TYPE rlm_eap_peap = {
298 eappeap_attach, /* attach */
300 * Note! There is NO eappeap_initate() function, as the
301 * main EAP module takes care of calling
304 * This is because PEAP is a protocol on top of TLS, so
305 * before we need to do PEAP, we've got to initiate a TLS
308 NULL, /* Start the initial request */
309 NULL, /* authorization */
310 eappeap_authenticate, /* authentication */
311 eappeap_detach /* detach */