X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Frlm_eap%2Ftypes%2Frlm_eap_peap%2Frlm_eap_peap.c;h=cb460ac829952f6cfc46095836a1181c08426261;hb=2023c9f3d4df8c7160485b36dcfd23faf7cfca80;hp=59d8b2ccb0b1e6dd9e3611b8d3ca2fb19905541d;hpb=d45d39763fa0afd5e4985d0056bbd65583e26af5;p=freeradius.git diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c index 59d8b2c..cb460ac 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c @@ -15,12 +15,16 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2003 Alan DeKok + * Copyright 2006 The FreeRADIUS server project */ -#include "autoconf.h" +#include +RCSID("$Id$") + +#include #include "eap_peap.h" typedef struct rlm_eap_peap_t { @@ -42,11 +46,24 @@ typedef struct rlm_eap_peap_t { */ int copy_request_to_tunnel; +#ifdef WITH_PROXY /* * Proxy tunneled session as EAP, or as de-capsulated * protocol. */ int proxy_tunneled_request_as_eap; +#endif + + /* + * Virtual server for inner tunnel session. + */ + char *virtual_server; + + /* + * Do we do SoH request? + */ + int soh; + char *soh_virtual_server; } rlm_eap_peap_t; @@ -60,8 +77,19 @@ static CONF_PARSER module_config[] = { { "use_tunneled_reply", PW_TYPE_BOOLEAN, offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" }, +#ifdef WITH_PROXY { "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN, offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" }, +#endif + + { "virtual_server", PW_TYPE_STRING_PTR, + offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL }, + + { "soh", PW_TYPE_BOOLEAN, + offsetof(rlm_eap_peap_t, soh), NULL, "no" }, + + { "soh_virtual_server", PW_TYPE_STRING_PTR, + offsetof(rlm_eap_peap_t, soh_virtual_server), NULL, NULL }, { NULL, -1, 0, NULL, NULL } /* end the list */ }; @@ -73,7 +101,6 @@ static int eappeap_detach(void *arg) { rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg; - if (inst->default_eap_type_name) free(inst->default_eap_type_name); free(inst); @@ -131,6 +158,7 @@ static void peap_free(void *p) pairfree(&t->username); pairfree(&t->state); pairfree(&t->accept_vps); + pairfree(&t->soh_reply_vps); free(t); } @@ -149,7 +177,13 @@ static peap_tunnel_t *peap_alloc(rlm_eap_peap_t *inst) t->default_eap_type = inst->default_eap_type; t->copy_request_to_tunnel = inst->copy_request_to_tunnel; t->use_tunneled_reply = inst->use_tunneled_reply; +#ifdef WITH_PROXY t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap; +#endif + t->virtual_server = inst->virtual_server; + t->soh = inst->soh; + t->soh_virtual_server = inst->soh_virtual_server; + t->session_resumption_state = PEAP_RESUMPTION_MAYBE; return t; } @@ -163,11 +197,20 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) eaptls_status_t status; rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg; tls_session_t *tls_session = (tls_session_t *) handler->opaque; + peap_tunnel_t *peap = tls_session->opaque; + REQUEST *request = handler->request; - DEBUG2(" rlm_eap_peap: Authenticate"); + /* + * Session resumption requires the storage of data, so + * allocate it if it doesn't already exist. + */ + if (!tls_session->opaque) { + peap = tls_session->opaque = peap_alloc(inst); + tls_session->free_opaque = peap_free; + } status = eaptls_process(handler); - DEBUG2(" eaptls_process returned %d\n", status); + RDEBUG2("eaptls_process returned %d\n", status); switch (status) { /* * EAP-TLS handshake was successful, tell the @@ -177,24 +220,9 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) * an EAP-TLS-Success packet here. */ case EAPTLS_SUCCESS: - { - eap_packet_t eap_packet; - - eap_packet.code = PW_EAP_REQUEST; - eap_packet.id = handler->eap_ds->response->id + 1; - eap_packet.length[0] = 0; - eap_packet.length[1] = EAP_HEADER_LEN + 1; - eap_packet.data[0] = PW_EAP_IDENTITY; - - (tls_session->record_plus)(&tls_session->clean_in, - &eap_packet, sizeof(eap_packet)); - - tls_handshake_send(tls_session); - (tls_session->record_init)(&tls_session->clean_in); - } - eaptls_request(handler->eap_ds, tls_session); - DEBUG2(" rlm_eap_peap: EAPTLS_SUCCESS"); - return 1; + RDEBUG2("EAPTLS_SUCCESS"); + peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED; + break; /* * The TLS code is still working on the TLS @@ -202,7 +230,12 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) * do nothing. */ case EAPTLS_HANDLED: - DEBUG2(" rlm_eap_peap: EAPTLS_HANDLED"); + /* + * FIXME: If the SSL session is established, grab the state + * and EAP id from the inner tunnel, and update it with + * the expected EAP id! + */ + RDEBUG2("EAPTLS_HANDLED"); return 1; /* @@ -210,14 +243,14 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) * data. */ case EAPTLS_OK: - DEBUG2(" rlm_eap_peap: EAPTLS_OK"); + RDEBUG2("EAPTLS_OK"); break; /* * Anything else: fail. */ default: - DEBUG2(" rlm_eap_peap: EAPTLS_OTHERS"); + RDEBUG2("EAPTLS_OTHERS"); return 0; } @@ -225,7 +258,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) * Session is established, proceed with decoding * tunneled data. */ - DEBUG2(" rlm_eap_peap: Session established. Decoding tunneled attributes."); + RDEBUG2("Session established. Decoding tunneled attributes."); /* * We may need PEAP data associated with the session, so @@ -242,7 +275,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) rcode = eappeap_process(handler, tls_session); switch (rcode) { case RLM_MODULE_REJECT: - eaptls_fail(handler->eap_ds, 0); + eaptls_fail(handler, 0); return 0; case RLM_MODULE_HANDLED: @@ -250,24 +283,28 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) return 1; case RLM_MODULE_OK: - eaptls_success(handler->eap_ds, 0); - /* * Move the saved VP's from the Access-Accept to * our Access-Accept. */ - if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) { - DEBUG2(" Using saved attributes from the original Access-Accept"); + peap = tls_session->opaque; + if (peap->soh_reply_vps) { + RDEBUG2("Using saved attributes from the SoH reply"); + debug_pair_list(peap->soh_reply_vps); + pairadd(&handler->request->reply->vps, peap->soh_reply_vps); + peap->soh_reply_vps = NULL; + } + if (peap->accept_vps) { + RDEBUG2("Using saved attributes from the original Access-Accept"); + debug_pair_list(peap->accept_vps); + pairadd(&handler->request->reply->vps, peap->accept_vps); + peap->accept_vps = NULL; } - pairadd(&handler->request->reply->vps, - ((peap_tunnel_t *) tls_session->opaque)->accept_vps); - ((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL; - - eaptls_gen_mppe_keys(&handler->request->reply->vps, - tls_session->ssl, - "client EAP encryption"); - return 1; + /* + * Success: Automatically return MPPE keys. + */ + return eaptls_success(handler, 0); /* * No response packet, MUST be proxying it. @@ -276,7 +313,9 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) * will proxy it, rather than returning an EAP packet. */ case RLM_MODULE_UPDATED: +#ifdef WITH_PROXY rad_assert(handler->request->proxy != NULL); +#endif return 1; break; @@ -284,7 +323,7 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler) break; } - eaptls_fail(handler->eap_ds, 0); + eaptls_fail(handler, 0); return 0; }