Use pairadd() properly.
[freeradius.git] / src / modules / rlm_eap / types / rlm_eap_ttls / rlm_eap_ttls.c
index c785320..4a48887 100644 (file)
@@ -48,6 +48,17 @@ typedef struct rlm_eap_ttls_t {
        int     copy_request_to_tunnel;
 
        /*
+        *      RFC 5281 (TTLS) says that the length field MUST NOT be
+        *      in fragments after the first one.  However, we've done
+        *      it that way for years, and no one has complained.
+        *
+        *      In the interests of allowing the server to follow the
+        *      RFC, we add the option here.  If set to "no", it sends
+        *      the length field in ONLY the first fragment.
+        */
+       int     include_length;
+
+       /*
         *      Virtual server for inner tunnel session.
         */
        char    *virtual_server;
@@ -67,6 +78,9 @@ static CONF_PARSER module_config[] = {
        { "virtual_server", PW_TYPE_STRING_PTR,
          offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
 
+       { "include_length", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 
@@ -117,21 +131,6 @@ static int eapttls_attach(CONF_SECTION *cs, void **instance)
                return -1;
        }
 
-       /*
-        *      Can't tunnel TLS inside of TLS, we don't like it.
-        *
-        *      More realistically, we haven't tested it, so we don't
-        *      claim it works.
-        */
-       if ((inst->default_eap_type == PW_EAP_TLS) ||
-           (inst->default_eap_type == PW_EAP_TTLS) ||
-           (inst->default_eap_type == PW_EAP_PEAP)) {
-               radlog(L_ERR, "rlm_eap_ttls: Cannot tunnel EAP-Type/%s inside of TTLS",
-                      inst->default_eap_type_name);
-               eapttls_detach(inst);
-               return -1;
-       }
-
        *instance = inst;
        return 0;
 }
@@ -147,13 +146,13 @@ static void ttls_free(void *p)
        if (!t) return;
 
        if (t->username) {
-               DEBUG2("  TTLS: Freeing handler for user %s",
+               DEBUG2("rlm_eap_ttls: Freeing handler for user %s",
                       t->username->vp_strvalue);
        }
 
        pairfree(&t->username);
        pairfree(&t->state);
-       pairfree(&t->reply);
+       pairfree(&t->accept_vps);
        free(t);
 }
 
@@ -186,14 +185,17 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
        rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
        tls_session_t *tls_session = (tls_session_t *) handler->opaque;
        ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
+       REQUEST *request = handler->request;
 
-       DEBUG2("  rlm_eap_ttls: Authenticate");
+       RDEBUG2("Authenticate");
+
+       tls_session->length_flag = inst->include_length;
 
        /*
         *      Process TLS layer until done.
         */
        status = eaptls_process(handler);
-       DEBUG2("  eaptls_process returned %d\n", status);
+       RDEBUG2("eaptls_process returned %d\n", status);
        switch (status) {
                /*
                 *      EAP-TLS handshake was successful, tell the
@@ -203,16 +205,22 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
                 *      an EAP-TLS-Success packet here.
                 */
        case EAPTLS_SUCCESS:
-               if (t->authenticated) {
-                       if (t->reply) {
-                               pairmove(&handler->request->reply->vps,
-                                        &t->reply);
-                               pairfree(&t->reply);
+               if (SSL_session_reused(tls_session->ssl)) {
+                       RDEBUG("Skipping Phase2 due to session resumption");
+                       goto do_keys;
+               }
+
+               if (t && t->authenticated) {
+                       if (t->accept_vps) {
+                               pairadd(&handler->request->reply->vps,
+                                       t->accept_vps);
+                               t->accept_vps = NULL;
                        }
-                       eaptls_success(handler->eap_ds, 0);
-                       eaptls_gen_mppe_keys(&handler->request->reply->vps,
-                                            tls_session->ssl,
-                                            "ttls keying material");
+               do_keys:
+                       /*
+                        *      Success: Automatically return MPPE keys.
+                        */
+                       return eaptls_success(handler, 0);
                } else {
                        eaptls_request(handler->eap_ds, tls_session);
                }
@@ -244,7 +252,7 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
         *      Session is established, proceed with decoding
         *      tunneled data.
         */
-       DEBUG2("  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.");
+       RDEBUG2("Session established.  Proceeding to decode tunneled attributes.");
 
        /*
         *      We may need TTLS data associated with the session, so
@@ -261,7 +269,7 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
        rcode = eapttls_process(handler, tls_session);
        switch (rcode) {
        case PW_AUTHENTICATION_REJECT:
-               eaptls_fail(handler->eap_ds, 0);
+               eaptls_fail(handler, 0);
                return 0;
 
                /*
@@ -272,14 +280,10 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
                return 1;
 
                /*
-                *      Success: Return MPPE keys.
+                *      Success: Automatically return MPPE keys.
                 */
        case PW_AUTHENTICATION_ACK:
-               eaptls_success(handler->eap_ds, 0);
-               eaptls_gen_mppe_keys(&handler->request->reply->vps,
-                                    tls_session->ssl,
-                                    "ttls keying material");
-               return 1;
+               return eaptls_success(handler, 0);
 
                /*
                 *      No response packet, MUST be proxying it.
@@ -288,7 +292,9 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
                 *      will proxy it, rather than returning an EAP packet.
                 */
        case PW_STATUS_CLIENT:
+#ifdef WITH_PROXY
                rad_assert(handler->request->proxy != NULL);
+#endif
                return 1;
                break;
 
@@ -299,7 +305,7 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
        /*
         *      Something we don't understand: Reject it.
         */
-       eaptls_fail(handler->eap_ds, 0);
+       eaptls_fail(handler, 0);
        return 0;
 }