2 * rlm_eap_peap.c contains the interfaces that are called from eap
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2003 Alan DeKok <aland@freeradius.org>
27 typedef struct rlm_eap_peap_t {
29 * Default tunneled EAP type
31 char *default_eap_type_name;
36 static CONF_PARSER module_config[] = {
37 { "default_eap_type", PW_TYPE_STRING_PTR,
38 offsetof(rlm_eap_peap_t, default_eap_type_name), NULL, "mschapv2" },
40 { NULL, -1, 0, NULL, NULL } /* end the list */
46 static int eappeap_detach(void *arg)
48 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
50 if (inst->default_eap_type_name) free(inst->default_eap_type_name);
60 static int eappeap_attach(CONF_SECTION *cs, void **instance)
64 inst = malloc(sizeof(*inst));
66 radlog(L_ERR, "rlm_eap_peap: out of memory");
69 memset(inst, 0, sizeof(*inst));
72 * Parse the configuration attributes.
74 if (cf_section_parse(cs, inst, module_config) < 0) {
80 * Convert the name to an integer, to make it easier to
83 inst->default_eap_type = eaptype_name2type(inst->default_eap_type_name);
84 if (inst->default_eap_type < 0) {
85 radlog(L_ERR, "rlm_eap_peap: Unknown EAP type %s",
86 inst->default_eap_type_name);
97 * Free the PEAP per-session data
99 static void peap_free(void *p)
101 peap_tunnel_t *t = (peap_tunnel_t *) p;
105 pairfree(&t->username);
113 * Free the PEAP per-session data
115 static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst)
119 t = rad_malloc(sizeof(*t));
120 memset(t, 0, sizeof(*t));
122 t->default_eap_type = inst->default_eap_type;
128 * Do authentication, by letting EAP-TLS do most of the work.
130 static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
133 eaptls_status_t status;
134 rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
135 tls_session_t *tls_session = (tls_session_t *) handler->opaque;
137 DEBUG2(" rlm_eap_peap: Authenticate");
139 status = eaptls_process(handler);
140 DEBUG2(" eaptls_process returned %d\n", status);
143 * EAP-TLS handshake was successful, tell the
144 * client to keep talking.
146 * If this was EAP-TLS, we would just return
147 * an EAP-TLS-Success packet here.
151 eap_packet_t eap_packet;
153 eap_packet.code = PW_EAP_REQUEST;
154 eap_packet.id = handler->eap_ds->response->id + 1;
155 eap_packet.length[0] = 0;
156 eap_packet.length[1] = EAP_HEADER_LEN + 1;
157 eap_packet.data[0] = PW_EAP_IDENTITY;
159 record_plus(&tls_session->clean_in,
160 &eap_packet, sizeof(eap_packet));
162 tls_handshake_send(tls_session);
163 record_init(&tls_session->clean_in);
165 eaptls_request(handler->eap_ds, tls_session);
166 DEBUG2(" rlm_eap_peap: EAPTLS_SUCCESS");
170 * The TLS code is still working on the TLS
171 * exchange, and it's a valid TLS request.
175 DEBUG2(" rlm_eap_peap: EAPTLS_HANDLED");
179 * Handshake is done, proceed with decoding tunneled
183 DEBUG2(" rlm_eap_peap: EAPTLS_OK");
187 * Anything else: fail.
190 DEBUG2(" rlm_eap_peap: EAPTLS_OTHERS");
195 * Session is established, proceed with decoding
198 DEBUG2(" rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.");
201 * We may need PEAP data associated with the session, so
202 * allocate it here, if it wasn't already alloacted.
204 if (!tls_session->opaque) {
205 tls_session->opaque = peap_alloc(inst);
206 tls_session->free_opaque = peap_free;
210 * Process the PEAP portion of the request.
212 rcode = eappeap_process(handler, tls_session);
214 case RLM_MODULE_REJECT:
215 eaptls_fail(handler->eap_ds, 0);
218 case RLM_MODULE_HANDLED:
219 eaptls_request(handler->eap_ds, tls_session);
223 eaptls_success(handler->eap_ds, 0);
224 eaptls_gen_mppe_keys(&handler->request->reply->vps,
226 "client EAP encryption");
233 eaptls_fail(handler->eap_ds, 0);
238 * The module name should be the only globally exported symbol.
239 * That is, everything else should be 'static'.
241 EAP_TYPE rlm_eap_peap = {
243 eappeap_attach, /* attach */
245 * Note! There is NO eappeap_initate() function, as the
246 * main EAP module takes care of calling
249 * This is because PEAP is a protocol on top of TLS, so
250 * before we need to do PEAP, we've got to initiate a TLS
253 NULL, /* Start the initial request */
254 NULL, /* authorization */
255 eappeap_authenticate, /* authentication */
256 eappeap_detach /* detach */