*
*/
-#include <freeradius-devel/ident.h>
RCSID("$Id$")
+USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#ifdef HAVE_OPENSSL_RAND_H
#include <openssl/rand.h>
#endif
#include "rlm_eap_tls.h"
-#include "config.h"
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
-/*
- * Detach the EAP-TLS module.
- */
-static int eaptls_detach(void *arg)
-{
- rlm_eap_tls_t *inst = (rlm_eap_tls_t *) arg;
+static CONF_PARSER module_config[] = {
+ { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_tls_t, tls_conf_name), NULL },
- free(inst);
+ { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_tls_t, virtual_server), NULL },
- return 0;
-}
+ { NULL, -1, 0, NULL, NULL } /* end the list */
+};
/*
/*
* Parse the config file & get all the configured values
*/
- inst = rad_malloc(sizeof(*inst));
- if (!inst) {
- radlog(L_ERR, "rlm_eap_tls: out of memory");
- return -1;
- }
- memset(inst, 0, sizeof(*inst));
+ *instance = inst = talloc_zero(cs, rlm_eap_tls_t);
+ if (!inst) return -1;
if (cf_section_parse(cs, inst, module_config) < 0) {
- eaptls_detach(inst);
return -1;
}
inst->tls_conf = eaptls_conf_parse(cs, "tls");
if (!inst->tls_conf) {
- radlog(L_ERR, "rlm_eap_tls: Failed initializing SSL context");
- eaptls_detach(inst);
+ ERROR("rlm_eap_tls: Failed initializing SSL context");
return -1;
}
- *instance = inst;
-
return 0;
}
/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
-static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
+static int eaptls_initiate(void *type_arg, eap_handler_t *handler)
{
int status;
tls_session_t *ssn;
inst = type_arg;
- handler->tls = TRUE;
- handler->finished = FALSE;
+ handler->tls = true;
+ handler->finished = false;
/*
* EAP-TLS always requires a client certificate.
*/
- ssn = eaptls_session(inst->tls_conf, handler, TRUE);
+ ssn = eaptls_session(handler, inst->tls_conf, true);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
- handler->free_opaque = session_free;
/*
* Set up type-specific information.
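Review bot: `*instance = inst = talloc_zero(cs, rlm_eap_tls_t);` at L38 publishes the instance to the caller before cf_section_parse() and eaptls_conf_parse() have succeeded, whereas the removed code assigned `*instance` only on the success path; after either `return -1` the caller is now left holding a non-NULL pointer to a partially initialised instance. Unless the caller is known to discard `*instance` on failure, split it into `inst = talloc_zero(cs, rlm_eap_tls_t); if (!inst) return -1;` and keep `*instance = inst;` just before the `return 0;` at L53. The removal of `handler->free_opaque = session_free;` at L77 presumably relies on the session now being talloc-parented to the handler; a one-line comment at the `handler->opaque = ((void *)ssn);` assignment saying so would stop a reader from looking for the missing release. The function whose config parsing is shown (L32–L54) begins before this hunk, and eaptls_initiate continues past its end.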
/*
* Do authentication, by letting EAP-TLS do most of the work.
*/
-static int eaptls_authenticate(void *type_arg, EAP_HANDLER *handler)
+static int CC_HINT(nonnull) mod_authenticate(void *type_arg, eap_handler_t *handler)
{
fr_tls_status_t status;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
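Review bot: `CC_HINT(nonnull)` on the new mod_authenticate signature tells the compiler both type_arg and handler are never NULL, so it is entitled to delete any `if (!handler)` or `if (!type_arg)` test later in the body; those checks now have to live in the callers. The body continues past the hunk, so confirm no such test remains there before it is silently optimised away. The cast in `tls_session_t *tls_session = (tls_session_t *) handler->opaque;` is redundant in C (void * converts implicitly) and only hides a future type mismatch; `tls_session_t *tls_session = handler->opaque;` is the plainer form.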
/* create a fake request */
fake = request_alloc_fake(request);
- rad_assert(fake->packet->vps == NULL);
+ rad_assert(!fake->packet->vps);
- fake->packet->vps = paircopy(request->packet->vps);
+ fake->packet->vps = paircopy(fake->packet, request->packet->vps);
/* set the virtual server to use */
- if ((vp = pairfind(request->config_items,
- PW_VIRTUAL_SERVER, 0)) != NULL) {
+ if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else {
fake->server = inst->virtual_server;
}
RDEBUG("Processing EAP-TLS Certificate check:");
- debug_pair_list(fake->packet->vps);
-
- RDEBUG("server %s {", fake->server);
-
rad_virtual_server(fake);
- RDEBUG("} # server %s", fake->server);
-
/* copy the reply vps back to our reply */
- pairadd(&request->reply->vps, fake->reply->vps);
- fake->reply->vps = NULL;
+ pairfilter(request->reply, &request->reply->vps,
+ &fake->reply->vps, 0, 0, TAG_ANY);
/* reject if virtual server didn't return accept */
- if (fake->reply->code != PW_AUTHENTICATION_ACK) {
- RDEBUG2("Certifictes were rejected by the virtual server");
- request_free(&fake);
+ if (fake->reply->code != PW_CODE_ACCESS_ACCEPT) {
+ RDEBUG2("Certificates were rejected by the virtual server");
+ talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
}
- request_free(&fake);
+ talloc_free(fake);
/* success */
}
break;
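Review bot: With `debug_pair_list(fake->packet->vps)` and the `server %s {` / `} # server %s` lines removed, the `RDEBUG("Processing EAP-TLS Certificate check:")` kept at L102 now ends in a colon with nothing following it, and the debug log no longer records which virtual server the certificate check was delegated to; suggest `RDEBUG("Processing EAP-TLS Certificate check in virtual server %s", fake->server);` in its place. The new `rad_assert(!fake->packet->vps)` and `paircopy(fake->packet, ...)` at L91–L93 dereference `fake` straight after `request_alloc_fake(request)` with no NULL check, which is fine only if that allocator aborts on failure; otherwise an early-return guard on `!fake` belongs before them. The enclosing mod_authenticate body starts before this hunk and the switch around `break;` at L129 continues after it.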
* data.
*/
case FR_TLS_OK:
- RDEBUG2("Received unexpected tunneled data after successful handshake.");
+ RDEBUG2("Received unexpected tunneled data after successful handshake");
#ifndef NDEBUG
if ((debug_flag > 2) && fr_log_fp) {
unsigned int i;
data_len = (tls_session->record_minus)(&tls_session->dirty_in,
buffer, sizeof(buffer));
- log_debug(" Tunneled data (%u bytes)\n", data_len);
+ DEBUG(" Tunneled data (%u bytes)", data_len);
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, " %x: ", i);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
* The module name should be the only globally exported symbol.
* That is, everything else should be 'static'.
*/
-EAP_TYPE rlm_eap_tls = {
+rlm_eap_module_t rlm_eap_tls = {
"eap_tls",
eaptls_attach, /* attach */
eaptls_initiate, /* Start the initial request */
NULL, /* authorization */
- eaptls_authenticate, /* authentication */
- eaptls_detach /* detach */
+ mod_authenticate, /* authentication */
+ NULL /* detach */
};
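Review bot: The rlm_eap_tls table now mixes naming schemes: the authenticate slot becomes `mod_authenticate` while the attach and initiate slots remain `eaptls_attach` and `eaptls_initiate`; renaming those two in the same spirit, or leaving all three alone, would keep the table consistent. The detach slot set to NULL at L157 deserves a word on why no cleanup is needed, since the instance is now allocated with `talloc_zero(cs, ...)` at L38 and so is released with its config section: `NULL /* detach: instance is talloc'd under cs and freed with it */`. Positional initialisation of a struct whose type just changed from `EAP_TYPE` to `rlm_eap_module_t` is fragile; designated initialisers would turn any field reordering into a compile error instead of a silent mis-binding of callbacks.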