From: aland Date: Fri, 16 Feb 2007 09:49:23 +0000 (+0000) Subject: Port "use_tunneled_reply" fix for MS-CHAP from branch_1_1 X-Git-Tag: release_2_0_0_pre1~257 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=52b9428533c5bfced6dbea240a8c442b1f25965d;hp=-c;p=freeradius.git Port "use_tunneled_reply" fix for MS-CHAP from branch_1_1 --- 52b9428533c5bfced6dbea240a8c442b1f25965d diff --combined src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h index a771c43,e255037..30ebf85 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h @@@ -15,22 -15,19 +15,23 @@@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2003 Alan DeKok + * Copyright 2006 The FreeRADIUS server project */ #ifndef _EAP_TTLS_H #define _EAP_TTLS_H +#include +RCSIDH(eap_ttls_h, "$Id$") + #include "eap_tls.h" typedef struct ttls_tunnel_t { VALUE_PAIR *username; VALUE_PAIR *state; + VALUE_PAIR *reply; int authenticated; int default_eap_type; int copy_request_to_tunnel; diff --combined src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c index b320937,7cd8eb7..8b08930 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c @@@ -15,16 -15,12 +15,16 @@@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2003 Alan DeKok + * Copyright 2006 The FreeRADIUS server project */ -#include "autoconf.h" +#include +RCSID("$Id$") + +#include #include "eap_ttls.h" @@@ -69,6 -65,7 +69,6 @@@ static 
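Review bot: The new `VALUE_PAIR *reply;` member of `ttls_tunnel_t` has no comment, yet it carries ownership of an attribute list across EAP rounds: the other hunks in this commit free it in ttls_free and hand it to the outer reply with pairadd in eapttls_authenticate, so the contract belongs at the declaration. Suggested: `VALUE_PAIR *reply;	/* inner (tunneled) reply attributes held until EAP-Success; owned by the tunnel and freed in ttls_free unless moved to the outer reply */`. The struct definition continues past the end of the hunk.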
int eapttls_detach(void *arg { rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg; - if (inst->default_eap_type_name) free(inst->default_eap_type_name); free(inst); @@@ -140,17 -137,18 +140,18 @@@ static void ttls_free(void *p if (t->username) { DEBUG2(" TTLS: Freeing handler for user %s", - t->username->strvalue); + t->username->vp_strvalue); } pairfree(&t->username); pairfree(&t->state); + pairfree(&t->reply); free(t); } /* - * Free the TTLS per-session data + * Allocate the TTLS per-session data */ static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst) { @@@ -194,12 -192,16 +195,16 @@@ static int eapttls_authenticate(void *a */ case EAPTLS_SUCCESS: if (t->authenticated) { + if (t->reply) { + pairadd(&handler->request->reply->vps, t->reply); + t->reply = NULL; + } eaptls_success(handler->eap_ds, 0); eaptls_gen_mppe_keys(&handler->request->reply->vps, tls_session->ssl, "ttls keying material"); } else { - eaptls_request(handler->eap_ds, tls_session); + eaptls_request(handler->eap_ds, tls_session); } return 1; diff --combined src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c index 8320d61,d31d73c..bd5d270 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c @@@ -15,15 -15,10 +15,15 @@@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2003 Alan DeKok + * Copyright 2006 The FreeRADIUS server project */ + +#include +RCSID("$Id$") + #include "eap_ttls.h" /* @@@ -297,7 -292,7 +297,7 @@@ static VALUE_PAIR *diameter2vp(SSL *ssl */ default: vp->length = size; - memcpy(vp->strvalue, data, vp->length); + memcpy(vp->vp_strvalue, data, vp->length); break; } @@@ -317,8 -312,8 +317,8 @@@ * If the password is exactly 16 octets, * it won't be zero-terminated. 
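Review bot: In the EAPTLS_SUCCESS branch of eapttls_authenticate, `pairadd(&handler->request->reply->vps, t->reply)` merges the stored inner reply into the outer reply verbatim, immediately before eaptls_gen_mppe_keys appends the TLS-derived keys; the only filtering is the four vendor attributes removed where the list is stashed in process_reply, which is not visible from this hunk. A maintainer who later stores t->reply from another path could end up forwarding inner key material or duplicate attributes to the NAS, so the assumption should be stated here: `/* t->reply was stripped of MS-MPPE keys/policy when stored; everything else the inner server returned is sent to the NAS as-is */`. The function starts and ends outside the hunk.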
*/ - vp->strvalue[vp->length] = '\0'; - vp->length = strlen(vp->strvalue); + vp->vp_strvalue[vp->length] = '\0'; + vp->length = strlen(vp->vp_strvalue); break; /* @@@ -359,7 -354,7 +359,7 @@@ sizeof(challenge)); for (i = 0; i < vp->length; i++) { - if (challenge[i] != vp->strvalue[i]) { + if (challenge[i] != vp->vp_strvalue[i]) { DEBUG2(" TTLS: Tunneled challenge is incorrect"); pairfree(&first); return NULL; @@@ -504,7 -499,7 +504,7 @@@ static int vp2diameter(tls_session_t *t case PW_TYPE_STRING: case PW_TYPE_OCTETS: default: - memcpy(p, vp->strvalue, vp->length); + memcpy(p, vp->vp_strvalue, vp->length); length = vp->length; break; } @@@ -616,6 -611,24 +616,24 @@@ static int process_reply(EAP_HANDLER *h DEBUG2(" TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge."); rcode = RLM_MODULE_HANDLED; t->authenticated = TRUE; + + /* + * Delete MPPE keys & encryption policy. We don't + * want these here. + */ + pairdelete(&reply->vps, ((311 << 16) | 7)); + pairdelete(&reply->vps, ((311 << 16) | 8)); + pairdelete(&reply->vps, ((311 << 16) | 16)); + pairdelete(&reply->vps, ((311 << 16) | 17)); + + /* + * Use the tunneled reply, but not now. + */ + if (t->use_tunneled_reply) { + t->reply = reply->vps; + reply->vps = NULL; + } + } else { /* no MS-CHAP2-Success */ /* * Can only have EAP-Message if there's @@@ -983,7 -996,7 +1001,7 @@@ int eapttls_process(EAP_HANDLER *handle * Update other items in the REQUEST data structure. */ fake->username = pairfind(fake->packet->vps, PW_USER_NAME); - fake->password = pairfind(fake->packet->vps, PW_PASSWORD); + fake->password = pairfind(fake->packet->vps, PW_USER_PASSWORD); /* * No User-Name, try to create one from stored data. 
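Review bot: In process_reply, `t->reply = reply->vps; reply->vps = NULL;` overwrites t->reply without releasing any list already stored there; whether this branch can run a second time on the same tunnel is not determinable from the hunk, but if it can, the earlier list is leaked, and `pairfree(&t->reply);` before the assignment is cheap insurance (the existing ttls_free in this commit already frees whatever is left). The four `pairdelete(&reply->vps, ((311 << 16) | N))` calls are written as magic numbers; the comment should name them so the security intent survives: `/* Strip Microsoft (vendor 311) MS-MPPE-Encryption-Policy (7), MS-MPPE-Encryption-Types (8), MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17): the outer reply gets keys derived from the TLS session instead */`. process_reply starts and ends outside the hunk, so any earlier removal of MS-CHAP2-Success from reply->vps is assumed rather than seen here.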
@@@ -997,22 -1010,22 +1015,22 @@@ vp = pairfind(fake->packet->vps, PW_EAP_MESSAGE); if (vp && (vp->length >= EAP_HEADER_LEN + 2) && - (vp->strvalue[0] == PW_EAP_RESPONSE) && - (vp->strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && - (vp->strvalue[EAP_HEADER_LEN + 1] != 0)) { + (vp->vp_strvalue[0] == PW_EAP_RESPONSE) && + (vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && + (vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { /* * Create & remember a User-Name */ t->username = pairmake("User-Name", "", T_OP_EQ); rad_assert(t->username != NULL); - memcpy(t->username->strvalue, vp->strvalue + 5, + memcpy(t->username->vp_strvalue, vp->vp_strvalue + 5, vp->length - 5); t->username->length = vp->length - 5; - t->username->strvalue[t->username->length] = 0; + t->username->vp_strvalue[t->username->length] = 0; DEBUG2(" TTLS: Got tunneled identity of %s", - t->username->strvalue); + t->username->vp_strvalue); /* * If there's a default EAP type, @@@ -1049,7 -1062,7 +1067,7 @@@ */ if (t->state) { DEBUG2(" TTLS: Adding old state with %02x %02x", - t->state->strvalue[0], t->state->strvalue[1]); + t->state->vp_strvalue[0], t->state->vp_strvalue[1]); vp = paircopy(t->state); if (vp) pairadd(&fake->packet->vps, vp); } @@@ -1162,7 -1175,7 +1180,7 @@@ vp = pairfind(fake->config_items, PW_PROXY_TO_REALM); if (vp) { eap_tunnel_data_t *tunnel; - DEBUG2(" TTLS: Tunneled authentication will be proxied to %s", vp->strvalue); + DEBUG2(" TTLS: Tunneled authentication will be proxied to %s", vp->vp_strvalue); /* * Tell the original request that it's going
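Review bot: The copy into `t->username->vp_strvalue` is bounded only from below: the guard checks `vp->length >= EAP_HEADER_LEN + 2`, but nothing visible caps `vp->length - 5`, and the following `t->username->vp_strvalue[t->username->length] = 0` writes one past the copied bytes; the size of vp_strvalue is not shown in this hunk, so if it is a fixed array (as the earlier "exactly 16 octets" comment in diameter2vp suggests for similar fields) an upper bound belongs in the same condition, e.g. `(vp->length - 5 < sizeof(t->username->vp_strvalue)) &&`. As a point of style, the condition uses `EAP_HEADER_LEN + 1` while the copy uses the literal `5`; writing `vp->vp_strvalue + EAP_HEADER_LEN + 1` and `vp->length - (EAP_HEADER_LEN + 1)` keeps the two in step. eapttls_process continues outside the hunk on both sides.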