#include "eap_ttls.h"
/*
- * 0 1 2 3
+ * 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | AVP Code |
+ * | AVP Code |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |V M r r r r r r| AVP Length |
+ * |V M r r r r r r| AVP Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Vendor-ID (opt) |
+ * | Vendor-ID (opt) |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Data ...
* +-+-+-+-+-+-+-+-+
hdr_len = 12;
if (remaining < hdr_len) {
- RDEBUG2(" Diameter attribute is too small (%u) to contain a Diameter header", remaining);
+ RDEBUG2("Diameter attribute is too small (%u) to contain a Diameter header", remaining);
return 0;
}
if ((data[4] & 0x80) != 0) {
if (remaining < 16) {
- RDEBUG2(" Diameter attribute is too small to contain a Diameter header with Vendor-Id");
+ RDEBUG2("Diameter attribute is too small to contain a Diameter header with Vendor-Id");
return 0;
}
RADIUS_PACKET *packet = fake->packet; /* FIXME: api issues */
vp_cursor_t out;
- paircursor(&out, &first);
+ fr_cursor_init(&out, &first);
while (data_left > 0) {
rad_assert(data_left <= data_len);
memcpy(buffer + 2, data, size);
vp = NULL;
- decoded = rad_attr2vp(NULL, NULL, NULL,
+ decoded = rad_attr2vp(packet, NULL, NULL, NULL,
buffer, size + 2, &vp);
if (decoded < 0) {
REDEBUG2("diameter2vp failed decoding attr: %s",
goto do_octets;
}
- pairinsert(&out, vp);
+ fr_cursor_insert(&out, vp);
goto next_attr;
}
if (vp) pairfree(&vp);
da = dict_attrunknown(attr, vendor, true);
if (!da) return NULL;
- vp = pairalloc(NULL, da);
+ vp = pairalloc(packet, da);
if (!vp) return NULL;
pairmemcpy(vp, data, size);
break;
vp->vp_integer64 = ntohll(vp->vp_integer64);
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
if (size != vp->length) {
RDEBUG2("Invalid length attribute %d",
attr);
vp->vp_signed = ntohl(vp->vp_signed);
break;
- case PW_TYPE_IPV6ADDR:
+ case PW_TYPE_IPV6_ADDR:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6addr, data, vp->length);
break;
- case PW_TYPE_IPV6PREFIX:
+ case PW_TYPE_IPV6_PREFIX:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6prefix, data, vp->length);
break;
/*
* Update the list.
*/
- pairinsert(&out, vp);
+ fr_cursor_insert(&out, vp);
next_attr:
/*
p = buffer;
total = 0;
- for (vp = paircursor(&cursor, &first); vp; vp = pairnext(&cursor)) {
+ for (vp = fr_cursor_init(&cursor, &first); vp; vp = fr_cursor_next(&cursor)) {
/*
* Too much data: die.
*/
length = 8;
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
memcpy(p, &vp->vp_ipaddr, 4); /* network order */
length = 4;
break;
/*
* Use a reply packet to determine what to do.
*/
-static rlm_rcode_t process_reply(UNUSED eap_handler_t *handler, tls_session_t *tls_session,
- REQUEST *request, RADIUS_PACKET *reply)
+static rlm_rcode_t CC_HINT(nonnull) process_reply(UNUSED eap_handler_t *handler, tls_session_t *tls_session,
+ REQUEST *request, RADIUS_PACKET *reply)
{
rlm_rcode_t rcode = RLM_MODULE_REJECT;
VALUE_PAIR *vp;
ttls_tunnel_t *t = tls_session->opaque;
- rad_assert(request != NULL);
rad_assert(handler->request == request);
/*
* NOT 'eap start', so we should check for that....
*/
switch (reply->code) {
- case PW_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
RDEBUG("Got tunneled Access-Accept");
rcode = RLM_MODULE_OK;
vp = NULL;
pairfilter(tls_session, &vp, &reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
if (vp) {
- RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
+ RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge");
rcode = RLM_MODULE_HANDLED;
t->authenticated = true;
break;
- case PW_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
RDEBUG("Got tunneled Access-Reject");
rcode = RLM_MODULE_REJECT;
break;
* an Access-Challenge means that we MUST tunnel
* a Reply-Message to the client.
*/
- case PW_ACCESS_CHALLENGE:
+ case PW_CODE_ACCESS_CHALLENGE:
RDEBUG("Got tunneled Access-Challenge");
/*
/*
* Do post-proxy processing,
*/
-static int eapttls_postproxy(eap_handler_t *handler, void *data)
+static int CC_HINT(nonnull) eapttls_postproxy(eap_handler_t *handler, void *data)
{
int rcode;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
- rad_assert(request != NULL);
- RDEBUG("Passing reply from proxy back into the tunnel.");
+ RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
/*
* Do the callback, if it exists, and if it was a success.
*/
- if (fake &&
- handler->request->proxy_reply &&
- (handler->request->proxy_reply->code == PW_AUTHENTICATION_ACK)) {
+ if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
- fake->packet = request->proxy;
+ fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
- fake->reply = request->proxy_reply;
+ fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((debug_flag > 0) && fr_log_fp) {
* Perform a post-auth stage for the tunneled
* session.
*/
- fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ fake->log.lvl &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
/*
* Terrible hacks.
*/
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
- request->proxy_reply = fake->reply;
+ request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
switch (rcode) {
case RLM_MODULE_FAIL:
- request_free(&fake);
+ talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
- break;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
break;
}
}
- request_free(&fake); /* robust if !fake */
+ talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
*/
- rcode = process_reply(handler, tls_session, handler->request,
- handler->request->proxy_reply);
+ rcode = process_reply(handler, tls_session, handler->request, handler->request->proxy_reply);
/*
* The proxy code uses the reply from the home server as
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
+ request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
return eaptls_success(handler, 0);
default:
- RDEBUG("Reply was unknown.");
+ RDEBUG("Reply was unknown");
break;
}
*/
int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
- int code = PW_AUTHENTICATION_REJECT;
+ int code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
size_t data_len;
REQUEST *request = handler->request;
- rad_assert(request != NULL);
-
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
if (data_len == 0) {
if (t->authenticated) {
- RDEBUG("Got ACK, and the user was already authenticated.");
- return PW_AUTHENTICATION_ACK;
+ RDEBUG("Got ACK, and the user was already authenticated");
+ return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* wrong.
*/
RDEBUG2("SSL_read Error");
- return PW_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
#endif
if (!diameter_verify(request, data, data_len)) {
- return PW_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
/*
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
- request_free(&fake);
- return PW_AUTHENTICATION_REJECT;
+ talloc_free(fake);
+ return PW_CODE_ACCESS_REJECT;
}
/*
* set it here.
*/
if (t->default_method != 0) {
- RDEBUG("Setting default EAP type for tunneled EAP session.");
+ RDEBUG("Setting default EAP type for tunneled EAP session");
vp = paircreate(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
* as it's permitted to do EAP without
* user-name.
*/
- RWDEBUG2("No EAP-Identity found to start EAP conversation.");
+ RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
VALUE_PAIR *copy;
vp_cursor_t cursor;
- for (vp = paircursor(&cursor, &request->packet->vps); vp; vp = pairnext(&cursor)) {
+ for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
-
- debug_pair_list(fake->packet->vps);
-
- fprintf(fr_log_fp, "server %s {\n",
- (!fake->server) ? "" : fake->server);
}
/*
rad_virtual_server(fake);
/*
- * Note that we don't do *anything* with the reply
- * attributes.
- */
- if ((debug_flag > 0) && fr_log_fp) {
- fprintf(fr_log_fp, "} # server %s\n",
- (!fake->server) ? "" : fake->server);
-
- RDEBUG("Got tunneled reply code %d", fake->reply->code);
-
- debug_pair_list(fake->reply->vps);
- }
-
- /*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
* Tell the original request that it's going
* to be proxied.
*/
- pairfilter(request, &(request->config_items),
- &(fake->config_items),
+ pairfilter(request, &request->config_items,
+ &fake->config_items,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* tunneled request.
*/
rad_assert(!request->proxy);
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
* So we associate the fake request with
* this request.
*/
- talloc_set_destructor(fake, request_opaque_free);
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
* Didn't authenticate the packet, but
* we're proxying it.
*/
- code = PW_STATUS_CLIENT;
+ code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
- code = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
}
break;
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
- code = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
- code = PW_ACCESS_CHALLENGE;
+ code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
- code = PW_AUTHENTICATION_ACK;
+ code = PW_CODE_ACCESS_ACCEPT;
break;
default:
- code = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
- request_free(&fake);
+ talloc_free(fake);
return code;
}