2 * rlm_eap_peap.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
30 typedef struct rlm_eap_peap_t {
32 * Default tunneled EAP type
34 char *default_eap_type_name;
38 * Use the reply attributes from the tunneled session in
39 * the non-tunneled reply to the client.
41 int use_tunneled_reply;
44 * Use SOME of the request attributes from outside of the
45 * tunneled session in the tunneled request
47 int copy_request_to_tunnel;
51 * Proxy tunneled session as EAP, or as de-capsulated
54 int proxy_tunneled_request_as_eap;
58 * Virtual server for inner tunnel session.
64 static CONF_PARSER module_config[] = {
65 { "default_eap_type", PW_TYPE_STRING_PTR,
66 offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
68 { "copy_request_to_tunnel", PW_TYPE_BOOLEAN,
69 offsetof(rlm_eap_peap_t, copy_request_to_tunnel), NULL, "no" },
71 { "use_tunneled_reply", PW_TYPE_BOOLEAN,
72 offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
75 { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
76 offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
79 { "virtual_server", PW_TYPE_STRING_PTR,
80 offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL },
82 { NULL, -1, 0, NULL, NULL } /* end the list */
88 static int eappeap_detach(void *arg)
90 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
101 static int eappeap_attach(CONF_SECTION *cs, void **instance)
103 rlm_eap_peap_t *inst;
105 inst = malloc(sizeof(*inst));
107 radlog(L_ERR, "rlm_eap_peap: out of memory");
110 memset(inst, 0, sizeof(*inst));
113 * Parse the configuration attributes.
115 if (cf_section_parse(cs, inst, module_config) < 0) {
116 eappeap_detach(inst);
121 * Convert the name to an integer, to make it easier to
124 inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
125 if (inst->default_eap_type < 0) {
126 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
127 inst->default_eap_type_name);
128 eappeap_detach(inst);
138 * Free the PEAP per-session data
140 static void peap_free(void *p)
142 peap_tunnel_t *t = (peap_tunnel_t *) p;
146 pairfree(&t->username);
148 pairfree(&t->accept_vps);
155 * Free the PEAP per-session data
157 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
161 t = rad_malloc(sizeof(*t));
162 memset(t, 0, sizeof(*t));
164 t->default_eap_type = inst->default_eap_type;
165 t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
166 t->use_tunneled_reply = inst->use_tunneled_reply;
168 t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
170 t->virtual_server = inst->virtual_server;
171 t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
177 * Do authentication, by letting EAP-TLS do most of the work.
179 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
182 eaptls_status_t status;
183 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
184 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
185 peap_tunnel_t *peap = tls_session->opaque;
186 REQUEST *request = handler->request;
189 * Session resumption requires the storage of data, so
190 * allocate it if it doesn't already exist.
192 if (!tls_session->opaque) {
193 peap = tls_session->opaque = peap_alloc(inst);
194 tls_session->free_opaque = peap_free;
197 status = eaptls_process(handler);
198 RDEBUG2("eaptls_process returned %d\n", status);
201 * EAP-TLS handshake was successful, tell the
202 * client to keep talking.
204 * If this was EAP-TLS, we would just return
205 * an EAP-TLS-Success packet here.
208 if (SSL_session_reused(tls_session->ssl)) {
209 uint8_t tlv_packet[11];
211 RDEBUG2("Skipping Phase2 because of session resumption.");
212 peap->session_resumption_state = PEAP_RESUMPTION_YES;
214 tlv_packet[0] = PW_EAP_REQUEST;
215 tlv_packet[1] = handler->eap_ds->response->id +1;
217 tlv_packet[3] = 11; /* length of this packet */
218 tlv_packet[4] = PW_EAP_TLV;
219 tlv_packet[5] = 0x80;
220 tlv_packet[6] = EAP_TLV_ACK_RESULT;
222 tlv_packet[8] = 2; /* length of the data portion */
224 tlv_packet[10] = EAP_TLV_SUCCESS;
226 peap->status = PEAP_STATUS_SENT_TLV_SUCCESS;
228 (tls_session->record_plus)(&tls_session->clean_in, tlv_packet, 11);
229 tls_handshake_send(tls_session);
230 (tls_session->record_init)(&tls_session->clean_in);
233 eap_packet_t eap_packet;
235 eap_packet.code = PW_EAP_REQUEST;
236 eap_packet.id = handler->eap_ds->response->id + 1;
237 eap_packet.length[0] = 0;
238 eap_packet.length[1] = EAP_HEADER_LEN + 1;
239 eap_packet.data[0] = PW_EAP_IDENTITY;
241 (tls_session->record_plus)(&tls_session->clean_in,
242 &eap_packet, sizeof(eap_packet));
244 tls_handshake_send(tls_session);
245 (tls_session->record_init)(&tls_session->clean_in);
248 eaptls_request(handler->eap_ds, tls_session);
249 RDEBUG2("EAPTLS_SUCCESS");
253 * The TLS code is still working on the TLS
254 * exchange, and it's a valid TLS request.
259 * FIXME: If the SSL session is established, grab the state
260 * and EAP id from the inner tunnel, and update it with
261 * the expected EAP id!
263 RDEBUG2("EAPTLS_HANDLED");
267 * Handshake is done, proceed with decoding tunneled
271 RDEBUG2("EAPTLS_OK");
275 * Anything else: fail.
278 RDEBUG2("EAPTLS_OTHERS");
283 * Session is established, proceed with decoding
286 RDEBUG2("Session established. Decoding tunneled attributes.");
289 * We may need PEAP data associated with the session, so
290 * allocate it here, if it wasn't already alloacted.
292 if (!tls_session->opaque) {
293 tls_session->opaque = peap_alloc(inst);
294 tls_session->free_opaque = peap_free;
298 * Process the PEAP portion of the request.
300 rcode = eappeap_process(handler, tls_session);
302 case RLM_MODULE_REJECT:
303 eaptls_fail(handler, 0);
306 case RLM_MODULE_HANDLED:
307 eaptls_request(handler->eap_ds, tls_session);
312 * Move the saved VP's from the Access-Accept to
315 peap = tls_session->opaque;
316 if (peap->accept_vps) {
317 RDEBUG2("Using saved attributes from the original Access-Accept");
318 pairadd(&handler->request->reply->vps, &peap->accept_vps);
319 pairfree(&peap->accept_vps);
323 * Success: Automatically return MPPE keys.
325 return eaptls_success(handler, 0);
328 * No response packet, MUST be proxying it.
329 * The main EAP module will take care of discovering
330 * that the request now has a "proxy" packet, and
331 * will proxy it, rather than returning an EAP packet.
333 case RLM_MODULE_UPDATED:
335 rad_assert(handler->request->proxy != NULL);
344 eaptls_fail(handler, 0);
350 * The module name should be the only globally exported symbol.
351 * That is, everything else should be 'static'.
353 EAP_TYPE rlm_eap_peap = {
355 eappeap_attach, /* attach */
357 * Note! There is NO eappeap_initate() function, as the
358 * main EAP module takes care of calling
361 * This is because PEAP is a protocol on top of TLS, so
362 * before we need to do PEAP, we've got to initiate a TLS
365 NULL, /* Start the initial request */
366 NULL, /* authorization */
367 eappeap_authenticate, /* authentication */
368 eappeap_detach /* detach */