From 04342173ef13996aabd984a9f9cb07ab48c52067 Mon Sep 17 00:00:00 2001
From: aland
Date: Sun, 21 Nov 2004 14:32:14 +0000
Subject: [PATCH] Make "use_tunneled_reply" work properly for PEAP, where the Access-Accept from the home server results in the local server sending more Access-Challenges. The VP's from the Access-Accept have to be stored somewhere until the local server sends an Access-Accept
---
src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h | 2 ++
src/modules/rlm_eap/types/rlm_eap_peap/peap.c | 28 +++++++++++++++++++++-
.../rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c | 14 +++++++++++
3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h b/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
index ec99738..2319c41 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
@@ -27,7 +27,9 @@ typedef struct peap_tunnel_t {
VALUE_PAIR *username;
VALUE_PAIR *state;
+ VALUE_PAIR *accept_vps;
int status;
+ int home_access_accept;
int default_eap_type;
int copy_request_to_tunnel;
int use_tunneled_reply;
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 2ad0514..183943e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -290,13 +290,16 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
* tunneled user!
*/
if (t->use_tunneled_reply) {
+ DEBUG2(" Saving tunneled attributes for later");
+
/*
* Clean up the tunneled reply.
*/
pairdelete(&reply->vps, PW_PROXY_STATE);
pairdelete(&reply->vps, PW_EAP_MESSAGE);
+ pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR);
- pairadd(&request->reply->vps, reply->vps);
+ t->accept_vps = reply->vps;
reply->vps = NULL;
}
break;
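Review bot: The two new fields `accept_vps` and `home_access_accept` are only ever written on the proxied Access-Accept path, yet `process_reply` reads `t->home_access_accept` and `peap_free` passes `&t->accept_vps` to `pairfree` on every session, so both must start out zeroed. If the allocator of `peap_tunnel_t` (not in this diff) zeroes the whole struct that is fine; if it assigns fields one by one, add `t->accept_vps = NULL; t->home_access_accept = FALSE;` there, otherwise a session that never proxies frees an uninitialized pointer on teardown. A one-line comment on the pointer would also help the next reader: `/* reply VPs from the inner Access-Accept, held until the outer Access-Accept is sent */`.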
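Review bot: `t->accept_vps = reply->vps;` overwrites whatever is already stored without freeing it, and this same diff adds a second site further down in `process_reply` (the `home_access_accept` challenge path) that stores into the same field, so when the challenge path runs first the earlier list is leaked and its attributes silently dropped. Appending with `pairadd(&t->accept_vps, reply->vps);` keeps both lists and needs no special case for an empty field. Stripping Message-Authenticator from the saved list is the right call, since the outer reply has to carry one computed over its own packet. `process_reply` begins and ends outside this hunk.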
@@ -328,6 +331,26 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
pairmove2(&vp, &(reply->vps), PW_EAP_MESSAGE);
/*
+ * Handle EAP-MSCHAP-V2, where Access-Accept's
+ * from the home server may contain MS-CHAP-Success,
+ * which the module turns into challenges, so that
+ * the client may respond to the challenge with
+ * an "ack" packet.
+ */
+ if (t->home_access_accept && t->use_tunneled_reply) {
+ DEBUG2(" Saving tunneled attributes for later");
+
+ /*
+ * Clean up the tunneled reply.
+ */
+ pairdelete(&reply->vps, PW_PROXY_STATE);
+ pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR);
+
+ t->accept_vps = reply->vps;
+ reply->vps = NULL;
+ }
+
+ /*
* Handle the ACK, by tunneling any necessary reply
* VP's back to the client.
*/
@@ -374,6 +397,9 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data)
if (fake && (handler->request->proxy_reply->code == PW_AUTHENTICATION_ACK)) {
VALUE_PAIR *vp;
REQUEST *request = handler->request;
+ peap_tunnel_t *t = tls_session->opaque;
+
+ t->home_access_accept = TRUE;
/*
* Terrible hacks.
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
index 51617ac..90474a3 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
@@ -131,6 +131,7 @@ static void peap_free(void *p)
pairfree(&t->username);
pairfree(&t->state);
+ pairfree(&t->accept_vps);
free(t);
}
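Review bot: The strip-and-save block in the new `home_access_accept` branch is a near-verbatim copy of the one in the Access-Accept case earlier in `process_reply`, and both finish with a plain `t->accept_vps = reply->vps;` that discards any list already parked there, so the two sites can clobber each other within one session. Pulling the sequence into a single static helper that appends with `pairadd` keeps the two sites in step and puts the list of stripped hop-by-hop attributes (Proxy-State, EAP-Message, Message-Authenticator) in one place; deleting EAP-Message is harmless on this path because the `pairmove2` just above has already moved it out. The helper below uses only the types and functions visible in this diff. `process_reply` begins and ends outside this hunk.
```c
/*
 *	Strip the hop-by-hop attributes from a tunneled reply and park
 *	the rest on the tunnel until the outer Access-Accept is built.
 *	Appends, so a challenge followed by an Access-Accept keeps both.
 */
static void peap_save_tunneled_reply(peap_tunnel_t *t, VALUE_PAIR **vps)
{
	pairdelete(vps, PW_PROXY_STATE);
	pairdelete(vps, PW_EAP_MESSAGE);
	pairdelete(vps, PW_MESSAGE_AUTHENTICATOR);

	pairadd(&t->accept_vps, *vps);
	*vps = NULL;
}

/* … unchanged: pairmove2 of EAP-Message out of the reply … */
		if (t->home_access_accept && t->use_tunneled_reply) {
			DEBUG2(" Saving tunneled attributes for later");
			peap_save_tunneled_reply(t, &reply->vps);
		}
```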
@@ -251,9 +252,22 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
case RLM_MODULE_OK:
eaptls_success(handler->eap_ds, 0);
+
+ /*
+ * Move the saved VP's from the Access-Accept to
+ * our Access-Accept.
+ */
+ if (((peap_tunnel_t *) tls_session->opaque)->accept_vps) {
+ DEBUG2(" Using saved attributes from the original Access-Accept");
+ }
+ pairadd(&handler->request->reply->vps,
+ ((peap_tunnel_t *) tls_session->opaque)->accept_vps);
+ ((peap_tunnel_t *) tls_session->opaque)->accept_vps = NULL;
+
eaptls_gen_mppe_keys(&handler->request->reply->vps, tls_session->ssl, "client EAP encryption");
+
return 1;
/*
--
2.1.4
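Review bot: The saved inner-reply attributes are appended to the outer reply unfiltered, immediately before `eaptls_gen_mppe_keys` adds the keys derived from the TLS session. If the home server's Access-Accept carried MS-MPPE-Send-Key/MS-MPPE-Recv-Key (usual for an MS-CHAPv2 inner method, though not visible in this diff), the outer Access-Accept will now hold two sets with the inner-method keys first, and a NAS that honours the first instance would key the link with material that was never bound to the TLS tunnel. Strip the Microsoft MPPE key and encryption-policy/types vendor attributes from `accept_vps` before the `pairadd`, in the same way Proxy-State and Message-Authenticator are stripped at the save sites. On style, the three `((peap_tunnel_t *) tls_session->opaque)` casts would read better through a local `peap_tunnel_t *t = tls_session->opaque;` as `eappeap_postproxy` already does. `eappeap_authenticate` begins and ends outside this hunk.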