6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
26 * TLS Packet Format in EAP
27 * --- ------ ------ -- ---
29 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
30 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
31 * | Code | Identifier | Length |
32 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
33 * | Type | Flags | TLS Message Length
34 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
35 * | TLS Message Length | TLS Data...
36 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43 * Allocate a new TLS_PACKET
45 EAPTLS_PACKET *eaptls_alloc(void)
49 if ((rp = malloc(sizeof(EAPTLS_PACKET))) == NULL) {
50 radlog(L_ERR, "rlm_eap_tls: out of memory");
53 memset(rp, 0, sizeof(EAPTLS_PACKET));
60 void eaptls_free(EAPTLS_PACKET **eaptls_packet_ptr)
62 EAPTLS_PACKET *eaptls_packet;
64 if (!eaptls_packet_ptr) return;
65 eaptls_packet = *eaptls_packet_ptr;
66 if (eaptls_packet == NULL) return;
68 if (eaptls_packet->data) {
69 free(eaptls_packet->data);
70 eaptls_packet->data = NULL;
74 *eaptls_packet_ptr = NULL;
78 The S flag is set only within the EAP-TLS start message
79 sent from the EAP server to the peer.
81 int eaptls_start(EAP_DS *eap_ds, int peap_flag)
85 reply.code = EAPTLS_START;
86 reply.length = TLS_HEADER_LEN + 1/*flags*/;
88 reply.flags = peap_flag;
89 reply.flags = SET_START(reply.flags);
94 eaptls_compose(eap_ds, &reply);
99 int eaptls_success(EAP_DS *eap_ds, int peap_flag)
103 reply.code = EAPTLS_SUCCESS;
104 reply.length = TLS_HEADER_LEN;
105 reply.flags = peap_flag;
109 eaptls_compose(eap_ds, &reply);
114 int eaptls_fail(EAP_DS *eap_ds, int peap_flag)
118 reply.code = EAPTLS_FAIL;
119 reply.length = TLS_HEADER_LEN;
120 reply.flags = peap_flag;
124 eaptls_compose(eap_ds, &reply);
130 A single TLS record may be up to 16384 octets in length, but a TLS
131 message may span multiple TLS records, and a TLS certificate message
132 may in principle be as long as 16MB.
136 * Frame the Dirty data that needs to be send to the client in an
137 * EAP-Request. We always embed the TLS-length in all EAP-TLS
138 * packets that we send, for easy reference purpose. Handle
139 * fragmentation and sending the next fragment etc.
141 int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn)
146 unsigned int lbit = 0;
148 /* This value determines whether we set (L)ength flag for
149 EVERY packet we send and add corresponding
150 "TLS Message Length" field.
153 This means we include L flag and "TLS Msg Len" in EVERY
157 This means we include L flag and "TLS Msg Len" **ONLY**
158 in First packet of a fragment series. We do not use
161 Having L flag in every packet is prefered.
164 if (ssn->length_flag) {
167 if (ssn->fragment == 0) {
168 ssn->tls_msg_len = ssn->dirty_out.used;
171 reply.code = EAPTLS_REQUEST;
172 reply.flags = ssn->peap_flag;
174 /* Send data, NOT more than the FRAGMENT size */
175 if (ssn->dirty_out.used > ssn->offset) {
177 reply.flags = SET_MORE_FRAGMENTS(reply.flags);
178 /* Length MUST be included if it is the First Fragment */
179 if (ssn->fragment == 0) {
184 size = ssn->dirty_out.used;
188 reply.dlen = lbit + size;
189 reply.length = TLS_HEADER_LEN + 1/*flags*/ + reply.dlen;
191 reply.data = malloc(reply.dlen);
193 nlen = htonl(ssn->tls_msg_len);
194 memcpy(reply.data, &nlen, lbit);
195 reply.flags = SET_LENGTH_INCLUDED(reply.flags);
197 record_minus(&ssn->dirty_out, reply.data + lbit, size);
199 eaptls_compose(eap_ds, &reply);
207 * Acknowledge received is for one of the following messages sent earlier
208 * 1. Handshake completed Message, so now send, EAP-Success
209 * 2. Alert Message, now send, EAP-Failure
210 * 3. Fragment Message, now send, next Fragment
212 static eaptls_status_t eaptls_ack_handler(EAP_HANDLER *handler)
214 tls_session_t *tls_session;
216 tls_session = (tls_session_t *)handler->opaque;
217 if (tls_session == NULL){
218 radlog(L_ERR, "rlm_eap_tls: Unexpected ACK received");
221 if (tls_session->info.initialized == 0) {
222 DEBUG(" rlm_eap_tls: No SSL info available. Waiting for more SSL data.");
223 return EAPTLS_REQUEST;
225 if (tls_session->info.origin == 0) {
226 radlog(L_ERR, "rlm_eap_tls: Unexpected ACK received");
230 switch (tls_session->info.content_type) {
232 DEBUG2(" rlm_eap_tls: ack alert");
233 eaptls_fail(handler->eap_ds, tls_session->peap_flag);
237 if (tls_session->info.handshake_type == finished) {
238 DEBUG2(" rlm_eap_tls: ack handshake is finished");
239 return EAPTLS_SUCCESS;
240 } else if (tls_session->fragment > 0) {
241 DEBUG2(" rlm_eap_tls: ack handshake fragment handler");
242 /* Fragmentation handler, send next fragment */
243 return EAPTLS_REQUEST;
247 * We're done sending fragments.
249 return EAPTLS_SUCCESS;
252 * For the rest of the conditions, switch over
253 * to the default section below.
256 DEBUG2(" rlm_eap_tls: ack default");
257 radlog(L_ERR, "rlm_eap_tls: Invalid ACK received: %d",
258 tls_session->info.content_type);
264 * Similarly, when the EAP server receives an EAP-Response with
265 * the M bit set, it MUST respond with an EAP-Request with
266 * EAP-Type=EAP-TLS and no data. This serves as a fragment ACK.
268 * In order to prevent errors in the processing of fragments, the
269 * EAP server MUST use increment the Identifier value for each
270 * fragment ACK contained within an EAP-Request, and the peer
271 * MUST include this Identifier value in the subsequent fragment
272 * contained within an EAP- Reponse.
274 * EAP server sends an ACK when it determines there are More
275 * fragments to receive to make the complete
276 * TLS-record/TLS-Message
278 static int eaptls_send_ack(EAP_DS *eap_ds, int peap_flag)
282 reply.code = EAPTLS_ACK;
283 reply.length = TLS_HEADER_LEN + 1/*flags*/;
284 reply.flags = peap_flag;
288 eaptls_compose(eap_ds, &reply);
294 * The S flag is set only within the EAP-TLS start message sent
295 * from the EAP server to the peer.
297 * Similarly, when the EAP server receives an EAP-Response with
298 * the M bit set, it MUST respond with an EAP-Request with
299 * EAP-Type=EAP-TLS and no data. This serves as a fragment
300 * ACK. The EAP peer MUST wait.
302 static eaptls_status_t eaptls_verify(EAP_HANDLER *handler)
304 EAP_DS *eap_ds = handler->eap_ds;
305 EAP_DS *prev_eap_ds = handler->prev_eapds;
306 eaptls_packet_t *eaptls_packet, *eaptls_prev = NULL;
309 * We don't check ANY of the input parameters. It's all
310 * code which works together, so if something is wrong,
311 * we SHOULD core dump.
313 * e.g. if eap_ds is NULL, of if eap_ds->response is
314 * NULL, of if it's NOT an EAP-Response, or if the packet
315 * is too short. See eap_validation()., in ../../eap.c
317 * Also, eaptype_select() takes care of selecting the
318 * appropriate type, so we don't need to check
319 * eap_ds->response->type.type == PW_EAP_TLS, or anything
322 eaptls_packet = (eaptls_packet_t *)eap_ds->response->type.data;
323 if (prev_eap_ds && prev_eap_ds->response)
324 eaptls_prev = (eaptls_packet_t *)prev_eap_ds->response->type.data;
329 * If there's no TLS data, or there's 1 byte of TLS data,
330 * with the flags set to zero, then it's an ACK.
332 * Find if this is a reply to the previous request sent
334 if ((eaptls_packet == NULL) ||
335 ((eap_ds->response->length == EAP_HEADER_LEN + 2) &&
336 ((eaptls_packet->flags & 0xc0) == 0x00))) {
338 if (prev_eap_ds->request->id == eap_ds->response->id) {
340 * Run the ACK handler directly from here.
342 radlog(L_INFO, "rlm_eap_tls: Received EAP-TLS ACK message");
343 return eaptls_ack_handler(handler);
345 radlog(L_ERR, "rlm_eap_tls: Received Invalid EAP-TLS ACK message");
346 return EAPTLS_INVALID;
351 * We send TLS_START, but do not receive it.
353 if (TLS_START(eaptls_packet->flags)) {
354 radlog(L_ERR, "rlm_eap_tls: Received unexpected EAP-TLS Start message");
355 return EAPTLS_INVALID;
359 * The L bit (length included) is set to indicate the
360 * presence of the four octet TLS Message Length field,
361 * and MUST be set for the first fragment of a fragmented
362 * TLS message or set of messages.
364 * The M bit (more fragments) is set on all but the last
367 * The S bit (EAP-TLS start) is set in an EAP-TLS Start
368 * message. This differentiates the EAP-TLS Start message
369 * from a fragment acknowledgement.
371 if (TLS_LENGTH_INCLUDED(eaptls_packet->flags)) {
372 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
374 * FIRST_FRAGMENT is identified
375 * 1. If there is no previous EAP-response received.
376 * 2. If EAP-response received, then its M bit not set.
377 * (It is because Last fragment will not have M bit set)
379 if ((prev_eap_ds->response == NULL) ||
380 (eaptls_prev == NULL) ||
381 !TLS_MORE_FRAGMENTS(eaptls_prev->flags)) {
383 radlog(L_INFO, "rlm_eap_tls: Received EAP-TLS First Fragment of the message");
384 return EAPTLS_FIRST_FRAGMENT;
387 radlog(L_INFO, "rlm_eap_tls: More Fragments with length included");
388 return EAPTLS_MORE_FRAGMENTS_WITH_LENGTH;
392 radlog(L_INFO, "rlm_eap_tls: Length Included");
393 return EAPTLS_LENGTH_INCLUDED;
397 if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
398 radlog(L_INFO, "rlm_eap_tls: More fragments to follow");
399 return EAPTLS_MORE_FRAGMENTS;
403 * None of the flags are set, but it's still a valid
413 * length = code + id + length + flags + tlsdata
414 * = 1 + 1 + 2 + 1 + X
415 * length = EAP-length - 1(EAP-Type = 1 octet)
416 * flags = EAP-typedata[0] (1 octet)
417 * dlen = EAP-typedata[1-4] (4 octets), if L flag set
418 * = length - 5(code+id+length+flags), otherwise
419 * data = EAP-typedata[5-n], if L flag set
420 * = EAP-typedata[1-n], otherwise
421 * packet = EAP-typedata (complete typedata)
423 * Points to consider during EAP-TLS data extraction
424 * 1. In the received packet, No data will be present incase of ACK-NAK
425 * 2. Incase if more fragments need to be received then ACK after retreiving this fragment.
427 * RFC 2716 Section 4.2. PPP EAP TLS Request Packet
430 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
431 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
432 * | Code | Identifier | Length |
433 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
434 * | Type | Flags | TLS Message Length
435 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
436 * | TLS Message Length | TLS Data...
437 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
439 * The Length field is two octets and indicates the length of the EAP
440 * packet including the Code, Identifir, Length, Type, and TLS data
443 static EAPTLS_PACKET *eaptls_extract(EAP_DS *eap_ds, eaptls_status_t status)
445 EAPTLS_PACKET *tlspacket;
446 uint32_t data_len = 0;
448 uint8_t *data = NULL;
450 if (status == EAPTLS_INVALID)
454 * The main EAP code & eaptls_verify() take care of
455 * ensuring that the packet is OK, and that we can
456 * extract the various fields we want.
458 * e.g. a TLS packet with zero data is allowed as an ACK,
459 * but we will never see it here, as we will simply
460 * send another fragment, instead of trying to extract
463 * MUST have TLS type octet, followed by flags, followed
466 rad_assert(eap_ds->response->length > 2);
468 tlspacket = eaptls_alloc();
469 if (tlspacket == NULL) return NULL;
472 * Code & id for EAPTLS & EAP are same
473 * but eaptls_length = eap_length - 1(EAP-Type = 1 octet)
475 * length = code + id + length + type + tlsdata
476 * = 1 + 1 + 2 + 1 + X
478 tlspacket->code = eap_ds->response->code;
479 tlspacket->id = eap_ds->response->id;
480 tlspacket->length = eap_ds->response->length - 1; /* EAP type */
481 tlspacket->flags = eap_ds->response->type.data[0];
484 * A quick sanity check of the flags. If we've been told
485 * that there's a length, and there isn't one, then stop.
487 if (TLS_LENGTH_INCLUDED(tlspacket->flags) &&
488 (tlspacket->length < 5)) { /* flags + TLS message length */
489 radlog(L_ERR, "rlm_eap_tls: Invalid EAP-TLS packet received. (Length bit is set, but no length was found.)");
490 eaptls_free(&tlspacket);
495 * If the final TLS packet is larger than we can handle, die
498 * Likewise, if the EAP packet says N bytes, and the TLS
499 * packet says there's fewer bytes, it's a problem.
501 * FIXME: Try to ensure that the claimed length is
502 * consistent across multiple TLS fragments.
504 if (TLS_LENGTH_INCLUDED(tlspacket->flags)) {
505 memcpy(&data_len, &eap_ds->response->type.data[1], 4);
506 data_len = ntohl(data_len);
507 if (data_len > MAX_RECORD_SIZE) {
508 radlog(L_ERR, "rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.");
509 eaptls_free(&tlspacket);
514 DEBUG2(" TLS: %d %d\n", data_len, tlspacket->length);
516 if (data_len < tlspacket->length) {
517 radlog(L_ERR, "rlm_eap_tls: EAP-TLS packet claims to be smaller than the encapsulating EAP packet.");
518 eaptls_free(&tlspacket);
526 * The TLS Message Length field is four octets, and
527 * provides the total length of the TLS message or set of
528 * messages that is being fragmented; this simplifies
531 * Dynamic allocation of buffers as & when we know the
532 * length should solve the problem.
534 case EAPTLS_FIRST_FRAGMENT:
535 case EAPTLS_LENGTH_INCLUDED:
536 case EAPTLS_MORE_FRAGMENTS_WITH_LENGTH:
537 if (tlspacket->length < 5) { /* flags + TLS message length */
538 radlog(L_ERR, "rlm_eap_tls: Invalid EAP-TLS packet received. (Expected length, got none.)");
539 eaptls_free(&tlspacket);
544 * Extract all the TLS fragments from the
545 * previous eap_ds Start appending this
546 * fragment to the above ds
548 memcpy(&data_len, &eap_ds->response->type.data[1], sizeof(uint32_t));
549 data_len = ntohl(data_len);
550 data = (eap_ds->response->type.data + 5/*flags+TLS-Length*/);
551 len = eap_ds->response->type.length - 5/*flags+TLS-Length*/;
554 * Hmm... this should be an error, too.
556 if (data_len > len) {
562 * Data length is implicit, from the EAP header.
564 case EAPTLS_MORE_FRAGMENTS:
566 data_len = eap_ds->response->type.length - 1/*flags*/;
567 data = eap_ds->response->type.data + 1/*flags*/;
571 radlog(L_ERR, "rlm_eap_tls: Invalid EAP-TLS packet received");
572 eaptls_free(&tlspacket);
576 tlspacket->dlen = data_len;
578 tlspacket->data = (unsigned char *)malloc(data_len);
579 if (tlspacket->data == NULL) {
580 radlog(L_ERR, "rlm_eap_tls: out of memory");
581 eaptls_free(&tlspacket);
584 memcpy(tlspacket->data, data, data_len);
593 * To process the TLS,
595 * 1. EAP-TLS should get the compelete TLS data from the peer.
596 * 2. Store that data in a data structure with any other required info
597 * 3. Handle that data structure to the TLS module.
598 * 4. TLS module will perform its operations on the data and
599 * handle back to EAP-TLS
602 * 1. EAP-TLS if necessary will fragment it and send it to the
605 * During EAP-TLS initialization, TLS Context object will be
606 * initialized and stored. For every new authentication
607 * requests, TLS will open a new session object and that session
608 * object should be maintained even after the session is
609 * completed for session resumption. (Probably later as a feature
610 * as we donot know who maintains these session objects ie,
611 * SSL_CTX (internally) or TLS module(explicitly). If TLS module,
612 * then how to let SSL API know about these sessions.)
614 static void eaptls_operation(EAPTLS_PACKET *eaptls_packet UNUSED,
615 eaptls_status_t status, EAP_HANDLER *handler)
617 tls_session_t *tls_session;
619 tls_session = (tls_session_t *)handler->opaque;
621 if ((status == EAPTLS_MORE_FRAGMENTS) ||
622 (status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) ||
623 (status == EAPTLS_FIRST_FRAGMENT)) {
627 eaptls_send_ack(handler->eap_ds, tls_session->peap_flag);
630 * We have the complete TLS-data or TLS-message.
632 * Clean the dirty message.
634 * Authenticate the user and send
638 * is required then send another request. */
639 if (tls_handshake_recv(tls_session)) {
641 * FIXME: return success/fail.
643 * TLS proper can decide what to do, then.
645 eaptls_request(handler->eap_ds, tls_session);
647 eaptls_fail(handler->eap_ds, tls_session->peap_flag);
655 * In the actual authentication first verify the packet and then create the data structure
658 * To process the TLS,
660 * 1. EAP-TLS should get the compelete TLS data from the peer.
661 * 2. Store that data in a data structure with any other required info
662 * 3. Hand this data structure to the TLS module.
663 * 4. TLS module will perform its operations on the data and hands back to EAP-TLS
665 * 1. EAP-TLS if necessary will fragment it and send it to the destination.
667 * During EAP-TLS initialization, TLS Context object will be
668 * initialized and stored. For every new authentication
669 * requests, TLS will open a new session object and that
670 * session object SHOULD be maintained even after the session
671 * is completed, for session resumption. (Probably later as a
672 * feature, as we do not know who maintains these session
673 * objects ie, SSL_CTX (internally) or TLS module (explicitly). If
674 * TLS module, then how to let SSL API know about these
679 * Process an EAP request
681 eaptls_status_t eaptls_process(EAP_HANDLER *handler)
683 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
684 EAPTLS_PACKET *tlspacket;
685 eaptls_status_t status;
687 DEBUG2(" rlm_eap_tls: processing TLS");
689 /* This case is when SSL generates Alert then we
690 * send that alert to the client and then send the EAP-Failure
692 status = eaptls_verify(handler);
693 DEBUG2(" eaptls_verify returned %d\n", status);
701 * Success means that we're done the initial
702 * handshake. For TTLS, this means send stuff
703 * back to the client, and the client sends us
704 * more tunneled data.
711 * Normal TLS request, continue with the "get rest
712 * of fragments" phase.
715 eaptls_request(handler->eap_ds, tls_session);
716 return EAPTLS_HANDLED;
720 * The handshake is done, and we're in the "tunnel
724 DEBUG2(" rlm_eap_tls: Done initial handshake");
727 * Get the rest of the fragments.
729 case EAPTLS_FIRST_FRAGMENT:
730 case EAPTLS_MORE_FRAGMENTS:
731 case EAPTLS_LENGTH_INCLUDED:
732 case EAPTLS_MORE_FRAGMENTS_WITH_LENGTH:
737 * Extract the TLS packet from the buffer.
739 if ((tlspacket = eaptls_extract(handler->eap_ds, status)) == NULL)
743 * Get the session struct from the handler
745 * update the dirty_in buffer
747 * NOTE: This buffer will contain partial data when M bit is set.
749 * CAUTION while reinitializing this buffer, it should be
750 * reinitialized only when this M bit is NOT set.
752 if (tlspacket->dlen !=
753 record_plus(&tls_session->dirty_in, tlspacket->data, tlspacket->dlen)) {
754 eaptls_free(&tlspacket);
755 radlog(L_ERR, "rlm_eap_tls: Exceeded maximum record size");
760 * SSL initalization is done. Return.
762 * The TLS data will be in the tls_session structure.
764 if (SSL_is_init_finished(tls_session->ssl)) {
765 eaptls_free(&tlspacket);
770 * Continue the handshake.
772 eaptls_operation(tlspacket, status, handler);
774 eaptls_free(&tlspacket);
775 return EAPTLS_HANDLED;
780 * compose the TLS reply packet in the EAP reply typedata
782 int eaptls_compose(EAP_DS *eap_ds, EAPTLS_PACKET *reply)
787 * Don't set eap_ds->request->type.type, as the main EAP
788 * handler will do that for us. This allows the TLS
789 * module to be called from TTLS & PEAP.
793 * When the EAP server receives an EAP-Response with the
794 * M bit set, it MUST respond with an EAP-Request with
795 * EAP-Type=EAP-TLS and no data. This serves as a
796 * fragment ACK. The EAP peer MUST wait until it receives
797 * the EAP-Request before sending another fragment.
799 * In order to prevent errors in the processing of
800 * fragments, the EAP server MUST use increment the
801 * Identifier value for each fragment ACK contained
802 * within an EAP-Request, and the peer MUST include this
803 * Identifier value in the subsequent fragment contained
804 * within an EAP- Reponse.
806 eap_ds->request->type.data = malloc(reply->length - TLS_HEADER_LEN + 1);
807 if (eap_ds->request->type.data == NULL) {
808 radlog(L_ERR, "rlm_eap_tls: out of memory");
812 /* EAPTLS Header length is excluded while computing EAP typelen */
813 eap_ds->request->type.length = reply->length - TLS_HEADER_LEN;
815 ptr = eap_ds->request->type.data;
816 *ptr++ = (uint8_t)(reply->flags & 0xFF);
818 if (reply->dlen) memcpy(ptr, reply->data, reply->dlen);
820 switch (reply->code) {
824 eap_ds->request->code = PW_EAP_REQUEST;
827 eap_ds->request->code = PW_EAP_SUCCESS;
830 eap_ds->request->code = PW_EAP_FAILURE;
833 /* Should never enter here */
834 eap_ds->request->code = PW_EAP_FAILURE;