2 * rlm_eap_ttls.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
27 typedef struct rlm_eap_ttls_t {
29 * Use the reply attributes from the tunneled session in
30 * the non-tunneled reply to the client.
32 int use_tunneled_reply;
35 * Default tunneled EAP type
37 char *default_eap_type_name;
42 static CONF_PARSER module_config[] = {
43 { "use_tunneled_reply", PW_TYPE_BOOLEAN,
44 offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
46 { "default_eap_type", PW_TYPE_STRING_PTR,
47 offsetof(rlm_eap_ttls_t, default_eap_type_name), NULL, "md5" },
49 { NULL, -1, 0, NULL, NULL } /* end the list */
55 static int eapttls_detach(void *arg)
57 rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
59 if (inst->default_eap_type_name) free(inst->default_eap_type_name);
69 static int eapttls_attach(CONF_SECTION *cs, void **instance)
73 inst = malloc(sizeof(*inst));
75 radlog(L_ERR, "rlm_eap_ttls: out of memory");
78 memset(inst, 0, sizeof(*inst));
81 * Parse the configuration attributes.
83 if (cf_section_parse(cs, inst, module_config) < 0) {
89 * Convert the name to an integer, to make it easier to
92 inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
93 if (inst->default_eap_type < 0) {
94 radlog(L_ERR, "rlm_eap_ttls: Unknown EAP type %s",
95 inst->default_eap_type_name);
101 * Can't tunnel TLS inside of TLS, we don't like it.
103 * More realistically, we haven't tested it, so we don't
106 if ((inst->default_eap_type == PW_EAP_TLS) ||
107 (inst->default_eap_type == PW_EAP_TTLS) ||
108 (inst->default_eap_type == PW_EAP_PEAP)) {
109 radlog(L_ERR, "rlm_eap_ttls: Cannot tunnel EAP-Type/%s inside of TTLS",
110 inst->default_eap_type_name);
111 eapttls_detach(inst);
121 * Free the TTLS per-session data
123 static void ttls_free(void *p)
125 ttls_tunnel_t *t = (ttls_tunnel_t *) p;
130 DEBUG2(" TTLS: Freeing handler for user %s",
131 t->username->strvalue);
134 pairfree(&t->username);
141 * Free the TTLS per-session data
143 static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
147 t = rad_malloc(sizeof(*t));
148 memset(t, 0, sizeof(*t));
150 t->use_tunneled_reply = inst->use_tunneled_reply;
151 t->default_eap_type = inst->default_eap_type;
157 * Do authentication, by letting EAP-TLS do most of the work.
159 static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
162 eaptls_status_t status;
163 rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
164 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
166 DEBUG2(" rlm_eap_ttls: Authenticate");
169 * Process TLS layer until done.
171 status = eaptls_process(handler);
172 DEBUG2(" eaptls_process returned %d\n", status);
175 * EAP-TLS handshake was successful, tell the
176 * client to keep talking.
178 * If this was EAP-TLS, we would just return
179 * an EAP-TLS-Success packet here.
182 eaptls_request(handler->eap_ds, tls_session);
186 * The TLS code is still working on the TLS
187 * exchange, and it's a valid TLS request.
194 * Handshake is done, proceed with decoding tunneled
201 * Anything else: fail.
208 * Session is established, proceed with decoding
211 DEBUG2(" rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.");
214 * We may need TTLS data associated with the session, so
215 * allocate it here, if it wasn't already alloacted.
217 if (!tls_session->opaque) {
218 tls_session->opaque = ttls_alloc(inst);
219 tls_session->free_opaque = ttls_free;
223 * Process the TTLS portion of the request.
225 rcode = eapttls_process(handler->request, tls_session);
226 if (rcode == PW_AUTHENTICATION_REJECT) {
227 eaptls_fail(handler->eap_ds, 0);
232 * Access-Challenge, continue tunneled conversation.
234 if (rcode == PW_ACCESS_CHALLENGE) {
235 eaptls_request(handler->eap_ds, tls_session);
240 * Success: Return MPPE keys.
242 if (rcode == PW_AUTHENTICATION_ACK) {
243 eaptls_success(handler->eap_ds, 0);
244 eaptls_gen_mppe_keys(&handler->request->reply->vps,
246 "ttls keying material");
251 * Something we don't understand: Reject it.
253 eaptls_fail(handler->eap_ds, 0);
258 * The module name should be the only globally exported symbol.
259 * That is, everything else should be 'static'.
261 EAP_TYPE rlm_eap_ttls = {
263 eapttls_attach, /* attach */
265 * Note! There is NO eapttls_initate() function, as the
266 * main EAP module takes care of calling
269 * This is because TTLS is a protocol on top of TLS, so
270 * before we need to do TTLS, we've got to initiate a TLS
273 NULL, /* Start the initial request */
274 NULL, /* authorization */
275 eapttls_authenticate, /* authentication */
276 eapttls_detach /* detach */