#include "rlm_eap.h"
+#include <sys/stat.h>
+
static const CONF_PARSER module_config[] = {
{ "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_t, default_method_name), "md5" },
{ "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, timer_limit), "60" },
{ "ignore_unknown_eap_types", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_t, ignore_unknown_types), "no" },
{ "cisco_accounting_username_bug", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_t, mod_accounting_username_bug), "no" },
{ "max_sessions", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, max_sessions), "2048" },
-
- { NULL, -1, 0, NULL, NULL } /* end the list */
+ CONF_PARSER_TERMINATOR
};
/*
inst->xlat_name = cf_section_name2(cs);
if (!inst->xlat_name) inst->xlat_name = "EAP";
+ if (!dict_valbyname(PW_AUTH_TYPE, 0, inst->xlat_name)) {
+ cf_log_err_cs(cs, "Failed to find 'Auth-Type %s' section. Cannot authenticate users.",
+ inst->xlat_name);
+ return -1;
+ }
+
/* Load all the configured EAP-Types */
num_methods = 0;
for(scs = cf_subsection_find_next(cs, NULL, NULL);
* etc. configurations from eap.conf in order to
* have EAP without the TLS types.
*/
- if ((method == PW_EAP_TLS) ||
- (method == PW_EAP_TTLS) ||
- (method == PW_EAP_PEAP)) {
- DEBUG2("rlm_eap (%s): Ignoring EAP method %s because we do not have OpenSSL support",
- inst->xlat_name, name);
+ switch (method) {
+ case PW_EAP_TLS:
+ case PW_EAP_TTLS:
+ case PW_EAP_PEAP:
+ case PW_EAP_PWD:
+ WARN("rlm_eap (%s): Ignoring EAP method %s because we don't have OpenSSL support",
+ inst->xlat_name, name);
continue;
+
+ default:
+ break;
}
#endif
inst = (rlm_eap_t *) instance;
if (!fr_pair_find_by_num(request->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY)) {
- REDEBUG("You set 'Auth-Type = EAP' for a request that does "
- "not contain an EAP-Message attribute!");
+ REDEBUG("You set 'Auth-Type = %s' for a request that does "
+ "not contain an EAP-Message attribute!", inst->xlat_name);
return RLM_MODULE_INVALID;
}
*/
fr_pair_delete_by_num(&request->proxy->vps, PW_FREERADIUS_PROXIED_TO, VENDORPEC_FREERADIUS, TAG_ANY);
- RDEBUG2("Tunneled session will be proxied. Not doing EAP");
+ RWDEBUG2("Tunneled session will be proxied. Not doing EAP");
return RLM_MODULE_HANDLED;
}
#endif
}
} else {
+ /*
+ * Enable the cached entry on success.
+ */
+ if (handler->eap_ds->request->code == PW_EAP_SUCCESS) {
+ VALUE_PAIR *vp;
+
+ vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+ if (vp) (void) chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR);
+ }
+
+ /*
+ * Disable the cached entry on failure.
+ */
+ if (handler->eap_ds->request->code == PW_EAP_FAILURE) {
+ VALUE_PAIR *vp;
+
+ vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+ if (vp) (void) unlink(vp->vp_strvalue);
+ }
+
RDEBUG2("Freeing handler");
/* handler is not required any more, free it now */
talloc_free(handler);
/*
* Cisco AP1230 has a bug and needs a zero
- * terminated string in Access-Accept.
+ * terminated string in Access-Accept. This
+ * means it requires 2 trailing zeros. One to
+ * send in the RADIUS packet, and the other to
+ * convince the rest of the server that
+ * vp->vp_strvalue is still a NUL-terminated C
+ * string.
*/
if (inst->mod_accounting_username_bug) {
char const *old = vp->vp_strvalue;
- char *new = talloc_zero_array(vp, char, vp->vp_length + 1);
+ char *new;
+
+ vp->vp_length++; /* account for an additional zero */
+
+ new = talloc_array(vp, char, vp->vp_length + 1);
memcpy(new, old, vp->vp_length);
+ new[vp->length] = '\0';
+ new[vp->length + 1] = '\0';
vp->vp_strvalue = new;
- vp->vp_length++;
rad_const_free(old);
+ VERIFY_VP(vp);
}
}
{
size_t i;
size_t len;
+ ssize_t ret;
char *p;
VALUE_PAIR *vp;
eap_handler_t *handler;
i = 34;
p = talloc_memdup(vp, vp->vp_strvalue, vp->vp_length + 1);
talloc_set_type(p, uint8_t);
- len = rad_tunnel_pwdecode((uint8_t *)p + 17, &i, request->home_server->secret, request->proxy->vector);
+ ret = rad_tunnel_pwdecode((uint8_t *)p + 17, &i, request->home_server->secret, request->proxy->vector);
+ if (ret < 0) {
+ REDEBUG("Decoding leap:session-key failed");
+ talloc_free(p);
+ return RLM_MODULE_FAIL;
+ }
+ len = i;
- /*
- * FIXME: Assert that i == 16.
- */
+ if (i != 16) {
+ REDEBUG("Decoded key length is incorrect, must be 16 bytes");
+ talloc_free(p);
+ return RLM_MODULE_FAIL;
+ }
/*
* Encrypt the session key again, using the request data.
*/
- rad_tunnel_pwencode(p + 17, &len,
- request->client->secret,
- request->packet->vector);
+ ret = rad_tunnel_pwencode(p + 17, &len, request->client->secret, request->packet->vector);
+ if (ret < 0) {
+ REDEBUG("Decoding leap:session-key failed");
+ talloc_free(p);
+ return RLM_MODULE_FAIL;
+ }
+
fr_pair_value_strsteal(vp, p);
return RLM_MODULE_UPDATED;