hdr_len = 12;
if (remaining < hdr_len) {
- RDEBUG2(" Diameter attribute is too small (%u) to contain a Diameter header", remaining);
+ RDEBUG2("Diameter attribute is too small (%u) to contain a Diameter header", remaining);
return 0;
}
if ((data[4] & 0x80) != 0) {
if (remaining < 16) {
- RDEBUG2(" Diameter attribute is too small to contain a Diameter header with Vendor-Id");
+ RDEBUG2("Diameter attribute is too small to contain a Diameter header with Vendor-Id");
return 0;
}
memcpy(buffer + 2, data, size);
vp = NULL;
- decoded = rad_attr2vp(NULL, NULL, NULL,
+ decoded = rad_attr2vp(packet, NULL, NULL, NULL,
buffer, size + 2, &vp);
if (decoded < 0) {
REDEBUG2("diameter2vp failed decoding attr: %s",
vp->vp_integer64 = ntohll(vp->vp_integer64);
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
if (size != vp->length) {
RDEBUG2("Invalid length attribute %d",
attr);
vp->vp_signed = ntohl(vp->vp_signed);
break;
- case PW_TYPE_IPV6ADDR:
+ case PW_TYPE_IPV6_ADDR:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6addr, data, vp->length);
break;
- case PW_TYPE_IPV6PREFIX:
+ case PW_TYPE_IPV6_PREFIX:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6prefix, data, vp->length);
break;
length = 8;
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
memcpy(p, &vp->vp_ipaddr, 4); /* network order */
length = 4;
break;
* NOT 'eap start', so we should check for that....
*/
switch (reply->code) {
- case PW_CODE_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
RDEBUG("Got tunneled Access-Accept");
rcode = RLM_MODULE_OK;
vp = NULL;
pairfilter(tls_session, &vp, &reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
if (vp) {
- RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
+ RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge");
rcode = RLM_MODULE_HANDLED;
t->authenticated = true;
break;
- case PW_CODE_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
RDEBUG("Got tunneled Access-Reject");
rcode = RLM_MODULE_REJECT;
break;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
- RDEBUG("Passing reply from proxy back into the tunnel.");
+ RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
/*
* Do the callback, if it exists, and if it was a success.
*/
- if (fake && (handler->request->proxy_reply->code == PW_CODE_AUTHENTICATION_ACK)) {
+ if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
- fake->packet = request->proxy;
+ fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
- fake->reply = request->proxy_reply;
+ fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((debug_flag > 0) && fr_log_fp) {
* Perform a post-auth stage for the tunneled
* session.
*/
- fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ fake->log.lvl &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
/*
* Terrible hacks.
*/
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
- request->proxy_reply = fake->reply;
+ request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
switch (rcode) {
case RLM_MODULE_FAIL:
- request_free(&fake);
+ talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
- break;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
break;
}
}
- request_free(&fake); /* robust if !fake */
+ talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
+ request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
return eaptls_success(handler, 0);
default:
- RDEBUG("Reply was unknown.");
+ RDEBUG("Reply was unknown");
break;
}
*/
int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
- int code = PW_CODE_AUTHENTICATION_REJECT;
+ int code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
*/
if (data_len == 0) {
if (t->authenticated) {
- RDEBUG("Got ACK, and the user was already authenticated.");
- return PW_CODE_AUTHENTICATION_ACK;
+ RDEBUG("Got ACK, and the user was already authenticated");
+ return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* wrong.
*/
RDEBUG2("SSL_read Error");
- return PW_CODE_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
#endif
if (!diameter_verify(request, data, data_len)) {
- return PW_CODE_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
/*
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
- request_free(&fake);
- return PW_CODE_AUTHENTICATION_REJECT;
+ talloc_free(fake);
+ return PW_CODE_ACCESS_REJECT;
}
/*
* set it here.
*/
if (t->default_method != 0) {
- RDEBUG("Setting default EAP type for tunneled EAP session.");
+ RDEBUG("Setting default EAP type for tunneled EAP session");
vp = paircreate(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
* as it's permitted to do EAP without
* user-name.
*/
- RWDEBUG2("No EAP-Identity found to start EAP conversation.");
+ RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
-
- debug_pair_list(fake->packet->vps);
-
- fprintf(fr_log_fp, "server %s {\n",
- (!fake->server) ? "" : fake->server);
}
/*
rad_virtual_server(fake);
/*
- * Note that we don't do *anything* with the reply
- * attributes.
- */
- if ((debug_flag > 0) && fr_log_fp) {
- fprintf(fr_log_fp, "} # server %s\n",
- (!fake->server) ? "" : fake->server);
-
- RDEBUG("Got tunneled reply code %d", fake->reply->code);
-
- debug_pair_list(fake->reply->vps);
- }
-
- /*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
* Tell the original request that it's going
* to be proxied.
*/
- pairfilter(request, &(request->config_items),
- &(fake->config_items),
+ pairfilter(request, &request->config_items,
+ &fake->config_items,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* tunneled request.
*/
rad_assert(!request->proxy);
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
* So we associate the fake request with
* this request.
*/
- talloc_set_destructor(fake, request_opaque_free);
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
- code = PW_CODE_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
}
break;
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
- code = PW_CODE_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
break;
case RLM_MODULE_OK:
- code = PW_CODE_AUTHENTICATION_ACK;
+ code = PW_CODE_ACCESS_ACCEPT;
break;
default:
- code = PW_CODE_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
- request_free(&fake);
+ talloc_free(fake);
return code;
}