*/
#include <freeradius-devel/ident.h>
+#include <freeradius-devel/modpriv.h>
RCSID("$Id$")
#include "rlm_eap.h"
char buffer[64];
char namebuf[64];
const char *eaptype_name;
- lt_dlhandle handle;
EAP_TYPES *node;
eaptype_name = eaptype_type2name(eap_type, namebuf, sizeof(namebuf));
snprintf(buffer, sizeof(buffer), "rlm_eap_%s", eaptype_name);
- /* Link the loaded EAP-Type */
- handle = lt_dlopenext(buffer);
- if (handle == NULL) {
- radlog(L_ERR, "rlm_eap: Failed to link EAP-Type/%s: %s",
- eaptype_name, lt_dlerror());
- return -1;
- }
-
/* Make room for the EAP-Type */
node = (EAP_TYPES *)malloc(sizeof(EAP_TYPES));
if (node == NULL) {
memset(node, 0, sizeof(*node));
/* fill in the structure */
- node->handle = handle;
node->cs = cs;
/*
node->typename = eaptype_name;
node->type_data = NULL;
+#ifdef WITHOUT_LIBLTDL
+#ifdef WITH_DLOPEN
+#include <dlfcn.h>
+
+#ifdef RTLD_SELF
+ node->type = (EAP_TYPE *)lt_dlsym(RTLD_SELF, buffer);
+ if (node->type) goto open_self;
+#endif
+#endif
+#endif
+
+ /* Link the loaded EAP-Type */
+ node->handle = lt_dlopenext(buffer);
+ if (node->handle == NULL) {
+ free(node);
+ radlog(L_ERR, "rlm_eap: Failed to link EAP-Type/%s: %s",
+ eaptype_name, lt_dlerror());
+ return -1;
+ }
+
node->type = (EAP_TYPE *)lt_dlsym(node->handle, buffer);
if (!node->type) {
radlog(L_ERR, "rlm_eap: Failed linking to %s structure in %s: %s",
free(node);
return -1;
}
+
+#if defined(WITHOUT_LIBLTDL) && defined (WITH_DLOPEN) && defined(RTLD_SELF)
+open_self:
+#endif
+ cf_log_module(cs, "Linked to sub-module %s", buffer);
+
+ cf_log_module(cs, "Instantiating eap-%s", eaptype_name);
+
if ((node->type->attach) &&
((node->type->attach)(node->cs, &(node->type_data)) < 0)) {
return -1;
}
- DEBUG("rlm_eap: Loaded and initialized type %s", eaptype_name);
*type = node;
return 0;
}
static int eaptype_call(EAP_TYPES *atype, EAP_HANDLER *handler)
{
int rcode = 1;
+ REQUEST *request = handler->request;
+ const char *module = request->module;
- DEBUG2(" rlm_eap: processing type %s", atype->typename);
+ RDEBUG2("processing type %s", atype->typename);
+ request->module = atype->typename;
rad_assert(atype != NULL);
default:
/* Should never enter here */
- radlog(L_DBG, "rlm_eap: Invalid operation on eap_type");
+ RDEBUG("Internal sanity check failed on eap_type");
rcode = 0;
break;
}
+ request->module = module;
return rcode;
}
*/
int eaptype_select(rlm_eap_t *inst, EAP_HANDLER *handler)
{
+ size_t i;
unsigned int default_eap_type = inst->default_eap_type;
eaptype_t *eaptype;
VALUE_PAIR *vp;
char namebuf[64];
const char *eaptype_name;
+ REQUEST *request = handler->request;
eaptype = &handler->eap_ds->response->type;
*/
if ((eaptype->type == 0) ||
(eaptype->type > PW_EAP_MAX_TYPES)) {
- DEBUG2(" rlm_eap: Asked to select bad type");
+ RDEBUG2("Asked to select bad type");
+ return EAP_INVALID;
+ }
+
+ /*
+ * Multiple levels of nesting are invalid.
+ */
+ if (handler->request->parent && handler->request->parent->parent) {
+ RDEBUG2("Multiple levels of TLS nesting is invalid.");
return EAP_INVALID;
}
*/
switch(eaptype->type) {
case PW_EAP_IDENTITY:
- DEBUG2(" rlm_eap: EAP Identity");
+ RDEBUG2("EAP Identity");
/*
* Allow per-user configuration of EAP types.
*/
vp = pairfind(handler->request->config_items,
- PW_EAP_TYPE);
- if (vp) default_eap_type = vp->lvalue;
+ PW_EAP_TYPE, 0);
+ if (vp) default_eap_type = vp->vp_integer;
do_initiate:
/*
if ((default_eap_type < PW_EAP_MD5) ||
(default_eap_type > PW_EAP_MAX_TYPES) ||
(inst->types[default_eap_type] == NULL)) {
- DEBUG2(" rlm_eap: No such EAP type %s",
+ RDEBUG2("No such EAP type %s",
eaptype_type2name(default_eap_type,
namebuf, sizeof(namebuf)));
return EAP_INVALID;
default_eap_type = PW_EAP_TLS;
}
-
- /*
- * We don't do TLS inside of TLS, as it's a bad
- * idea...
- */
- if (((handler->request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) != 0) &&
- (default_eap_type == PW_EAP_TLS)) {
- DEBUG2(" rlm_eap: Unable to tunnel TLS inside of TLS");
+ if ((default_eap_type == PW_EAP_TNC) &&
+ !handler->request->parent) {
+ RDEBUG2("ERROR: EAP-TNC must be run inside of a TLS method.");
return EAP_INVALID;
}
if (eaptype_call(inst->types[default_eap_type],
handler) == 0) {
- DEBUG2(" rlm_eap: Default EAP type %s failed in initiate",
+ RDEBUG2("Default EAP type %s failed in initiate",
eaptype_type2name(default_eap_type,
namebuf, sizeof(namebuf)));
return EAP_INVALID;
* alternative types, one per octet, or to use
* 0 for no alternative.
*/
- DEBUG2(" rlm_eap: EAP NAK");
+ RDEBUG2("EAP NAK");
/*
* Delete old data, if necessary.
handler->opaque = NULL;
}
- /*
- * It is invalid to request identity,
- * notification & nak in nak
- */
if (eaptype->data == NULL) {
- DEBUG2(" rlm_eap: Empty NAK packet, cannot decide what EAP type the client wants.");
+ RDEBUG2("Empty NAK packet, cannot decide what EAP type the client wants.");
return EAP_INVALID;
}
/*
- * FIXME: Pick one type out of the one they asked
- * for, as they may have asked for many.
+ * Pick one type out of the one they asked for,
+ * as they may have asked for many.
*/
- if ((eaptype->data[0] < PW_EAP_MD5) ||
- (eaptype->data[0] > PW_EAP_MAX_TYPES)) {
- DEBUG2(" rlm_eap: NAK asked for bad type %d",
- eaptype->data[0]);
- return EAP_INVALID;
- }
+ default_eap_type = 0;
+ vp = pairfind(handler->request->config_items,
+ PW_EAP_TYPE, 0);
+ for (i = 0; i < eaptype->length; i++) {
+ /*
+ * It is invalid to request identity,
+ * notification & nak in nak.
+ *
+ * Type 0 is valid, and means there are no
+ * common choices.
+ */
+ if (eaptype->data[i] < PW_EAP_MD5) {
+ RDEBUG2("NAK asked for bad type %d",
+ eaptype->data[i]);
+ return EAP_INVALID;
+ }
- default_eap_type = eaptype->data[0];
- eaptype_name = eaptype_type2name(default_eap_type,
- namebuf, sizeof(namebuf));
- DEBUG2(" rlm_eap: EAP-NAK asked for EAP-Type/%s",
- eaptype_name);
+ if ((eaptype->data[i] > PW_EAP_MAX_TYPES) ||
+ !inst->types[eaptype->data[i]]) {
+ DICT_VALUE *dv;
+
+ dv = dict_valbyattr(PW_EAP_TYPE, 0, eaptype->data[i]);
+ if (dv) {
+ RDEBUG2("NAK asked for unsupported type %s",
+ dv->name);
+ } else {
+ RDEBUG2("NAK asked for unsupported type %d",
+ eaptype->data[i]);
+ }
+ continue;
+ }
- /*
- * Prevent a firestorm if the client is confused.
- */
- if (handler->eap_type == default_eap_type) {
- DEBUG2(" rlm_eap: ERROR! Our request for %s was NAK'd with a request for %s, what is the client thinking?",
- eaptype_name, eaptype_name);
- return EAP_INVALID;
+ eaptype_name = eaptype_type2name(eaptype->data[i],
+ namebuf,
+ sizeof(namebuf));
+
+ /*
+ * Prevent a firestorm if the client is confused.
+ */
+ if (handler->eap_type == eaptype->data[i]) {
+ RDEBUG2("ERROR! Our request for %s was NAK'd with a request for %s. Skipping the requested type.",
+ eaptype_name, eaptype_name);
+ continue;
+ }
+
+ /*
+ * Enforce per-user configuration of EAP
+ * types.
+ */
+ if (vp && (vp->vp_integer != eaptype->data[i])) {
+ char mynamebuf[64];
+ RDEBUG2("Client wants %s, while we require %s. Skipping the requested type.",
+ eaptype_name,
+ eaptype_type2name(vp->vp_integer,
+ mynamebuf,
+ sizeof(mynamebuf)));
+ continue;
+ }
+
+ default_eap_type = eaptype->data[i];
+ break;
}
/*
- * Enforce per-user configuration of EAP types.
+ * We probably want to return 'fail' here...
*/
- vp = pairfind(handler->request->config_items,
- PW_EAP_TYPE);
- if (vp && (vp->lvalue != default_eap_type)) {
- char mynamebuf[64];
- DEBUG2(" rlm_eap: Client wants %s, while we require %s, rejecting the user.",
- eaptype_name,
- eaptype_type2name(vp->lvalue,
- mynamebuf,
- sizeof(mynamebuf)));
+ if (!default_eap_type) {
+ RDEBUG2("No common EAP types found.");
return EAP_INVALID;
}
+ eaptype_name = eaptype_type2name(default_eap_type,
+ namebuf, sizeof(namebuf));
+ RDEBUG2("EAP-NAK asked for EAP-Type/%s",
+ eaptype_name);
+
goto do_initiate;
break;
eaptype_name = eaptype_type2name(eaptype->type,
namebuf,
sizeof(namebuf));
- DEBUG2(" rlm_eap: EAP/%s", eaptype_name);
+ RDEBUG2("EAP/%s", eaptype_name);
/*
* We haven't configured it, it doesn't exit.
*/
if (!inst->types[eaptype->type]) {
- DEBUG2(" rlm_eap: EAP type %d is unsupported",
+ RDEBUG2("EAP type %d is unsupported",
eaptype->type);
return EAP_INVALID;
}
handler->eap_type = eaptype->type;
if (eaptype_call(inst->types[eaptype->type],
handler) == 0) {
- DEBUG2(" rlm_eap: Handler failed in EAP/%s",
+ RDEBUG2("Handler failed in EAP/%s",
eaptype_name);
return EAP_INVALID;
}
/*
- * EAP packet format to be sent over the wire
- *
- * i.e. code+id+length+data where data = null/type+typedata
- * based on code.
- */
-static int eap_wireformat(EAP_PACKET *reply)
-{
- eap_packet_t *hdr;
- uint16_t total_length = 0;
-
- if (reply == NULL) return EAP_INVALID;
-
- total_length = EAP_HEADER_LEN;
- if (reply->code < 3) {
- total_length += 1/*EAPtype*/;
- if (reply->type.data && reply->type.length > 0) {
- total_length += reply->type.length;
- }
- }
-
- reply->packet = (unsigned char *)malloc(total_length);
- hdr = (eap_packet_t *)reply->packet;
- if (!hdr) {
- radlog(L_ERR, "rlm_eap: out of memory");
- return EAP_INVALID;
- }
-
- hdr->code = (reply->code & 0xFF);
- hdr->id = (reply->id & 0xFF);
- total_length = htons(total_length);
- memcpy(hdr->length, &total_length, sizeof(uint16_t));
-
- /*
- * Request and Response packets are special.
- */
- if ((reply->code == PW_EAP_REQUEST) ||
- (reply->code == PW_EAP_RESPONSE)) {
- hdr->data[0] = (reply->type.type & 0xFF);
-
- /*
- * Here since we cannot know the typedata format and length
- *
- * Type_data is expected to be wired by each EAP-Type
- *
- * Zero length/No typedata is supported as long as
- * type is defined
- */
- if (reply->type.data && reply->type.length > 0) {
- memcpy(&hdr->data[1], reply->type.data, reply->type.length);
- free(reply->type.data);
- reply->type.data = reply->packet + EAP_HEADER_LEN + 1/*EAPtype*/;
- }
- }
-
- return EAP_VALID;
-}
-
-/*
* compose EAP reply packet in EAP-Message attr of RADIUS. If
* EAP exceeds 253, frame it in multiple EAP-Message attrs.
*
*/
int eap_compose(EAP_HANDLER *handler)
{
- uint16_t eap_len, len;
- VALUE_PAIR *eap_msg;
VALUE_PAIR *vp;
eap_packet_t *eap_packet;
- unsigned char *ptr;
REQUEST *request = handler->request;
EAP_DS *eap_ds = handler->eap_ds;
EAP_PACKET *reply = eap_ds->request;
++reply->id;
}
} else {
- DEBUG2(" rlm_eap: Underlying EAP-Type set EAP ID to %d",
+ RDEBUG2("Underlying EAP-Type set EAP ID to %d",
reply->id);
}
eap_ds->request->type.type = handler->eap_type;
}
-
+ /*
+ * FIXME: We malloc memory for the eap packet, and then
+ * immediately copy that data into VALUE_PAIRs. This
+ * could be done more efficiently...
+ */
if (eap_wireformat(reply) == EAP_INVALID) {
return RLM_MODULE_INVALID;
}
eap_packet = (eap_packet_t *)reply->packet;
- memcpy(&eap_len, &(eap_packet->length), sizeof(uint16_t));
- len = eap_len = ntohs(eap_len);
- ptr = (unsigned char *)eap_packet;
-
- do {
- if (eap_len > 253) {
- len = 253;
- eap_len -= 253;
- } else {
- len = eap_len;
- eap_len = 0;
- }
-
- /*
- * create a value pair & append it to the request reply list
- * This memory gets freed up when request is freed up
- */
- eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
- memcpy(eap_msg->vp_octets, ptr, len);
- eap_msg->length = len;
- pairadd(&(request->reply->vps), eap_msg);
- ptr += len;
- eap_msg = NULL;
- } while (eap_len);
+ vp = eap_packet2vp(eap_packet);
+ if (!vp) return RLM_MODULE_INVALID;
+ pairadd(&(request->reply->vps), vp);
/*
* EAP-Message is always associated with
* Don't add a Message-Authenticator if it's already
* there.
*/
- vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR);
+ vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR, 0);
if (!vp) {
- vp = paircreate(PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS);
+ vp = paircreate(PW_MESSAGE_AUTHENTICATOR, 0, PW_TYPE_OCTETS);
memset(vp->vp_octets, 0, AUTH_VECTOR_LEN);
vp->length = AUTH_VECTOR_LEN;
pairadd(&(request->reply->vps), vp);
VALUE_PAIR *vp, *proxy;
VALUE_PAIR *eap_msg;
- eap_msg = pairfind(request->packet->vps, PW_EAP_MESSAGE);
+ eap_msg = pairfind(request->packet->vps, PW_EAP_MESSAGE, 0);
if (eap_msg == NULL) {
- DEBUG2(" rlm_eap: No EAP-Message, not doing EAP");
+ RDEBUG2("No EAP-Message, not doing EAP");
return EAP_NOOP;
}
* Look for EAP-Type = None (FreeRADIUS specific attribute)
* this allows you to NOT do EAP for some users.
*/
- vp = pairfind(request->packet->vps, PW_EAP_TYPE);
- if (vp && vp->lvalue == 0) {
- DEBUG2(" rlm_eap: Found EAP-Message, but EAP-Type = None, so we're not doing EAP.");
+ vp = pairfind(request->packet->vps, PW_EAP_TYPE, 0);
+ if (vp && vp->vp_integer == 0) {
+ RDEBUG2("Found EAP-Message, but EAP-Type = None, so we're not doing EAP.");
return EAP_NOOP;
}
* Check for a Proxy-To-Realm. Don't get excited over LOCAL
* realms (sigh).
*/
- proxy = pairfind(request->config_items, PW_PROXY_TO_REALM);
+ proxy = pairfind(request->config_items, PW_PROXY_TO_REALM, 0);
if (proxy) {
REALM *realm;
* If it's a LOCAL realm, then we're not proxying
* to it.
*/
- realm = realm_find(proxy->vp_strvalue, 0);
- rad_assert(realm->ipaddr.af == AF_INET);
- if (realm && (realm->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE))) {
+ realm = realm_find(proxy->vp_strvalue);
+ if (!realm || (realm && (realm->auth_pool == NULL))) {
proxy = NULL;
}
}
*/
if (proxy) {
do_proxy:
- DEBUG2(" rlm_eap: Request is supposed to be proxied to Realm %s. Not doing EAP.", proxy->vp_strvalue);
+ RDEBUG2("Request is supposed to be proxied to Realm %s. Not doing EAP.", proxy->vp_strvalue);
return EAP_NOOP;
}
-
- DEBUG2(" rlm_eap: Got EAP_START message");
+
+ RDEBUG2("Got EAP_START message");
if ((eap_ds = eap_ds_alloc()) == NULL) {
- DEBUG2(" rlm_eap: EAP Start failed in allocation");
+ RDEBUG2("EAP Start failed in allocation");
return EAP_FAIL;
}
-
+
/*
* It's an EAP-Start packet. Tell them to stop wasting
* our time, and give us an EAP-Identity packet.
*/
eap_ds->request->code = PW_EAP_REQUEST;
eap_ds->request->type.type = PW_EAP_IDENTITY;
-
+
/*
* We don't have a handler, but eap_compose needs one,
* (for various reasons), so we fake it out here.
memset(&handler, 0, sizeof(handler));
handler.request = request;
handler.eap_ds = eap_ds;
-
+
eap_compose(&handler);
-
+
eap_ds_free(&eap_ds);
return EAP_FOUND;
} /* end of handling EAP-Start */
if (eap_msg->length < (EAP_HEADER_LEN + 1)) {
if (proxy) goto do_proxy;
- DEBUG2(" rlm_eap: Ignoring EAP-Message which is too short to be meaningful.");
+ RDEBUG2("Ignoring EAP-Message which is too short to be meaningful.");
return EAP_FAIL;
}
* Create an EAP-Type containing the EAP-type
* from the packet.
*/
- vp = paircreate(PW_EAP_TYPE, PW_TYPE_INTEGER);
+ vp = paircreate(PW_EAP_TYPE, 0, PW_TYPE_INTEGER);
if (vp) {
- vp->lvalue = eap_msg->vp_octets[4];
+ vp->vp_integer = eap_msg->vp_octets[4];
pairadd(&(request->packet->vps), vp);
}
*/
if ((eap_msg->vp_octets[0] == 0) ||
(eap_msg->vp_octets[0] > PW_EAP_MAX_CODES)) {
- DEBUG2(" rlm_eap: Unknown EAP packet");
+ RDEBUG2("Unknown EAP packet");
} else {
- DEBUG2(" rlm_eap: EAP packet type %s id %d length %d",
+ RDEBUG2("EAP packet type %s id %d length %d",
eap_codes[eap_msg->vp_octets[0]],
eap_msg->vp_octets[1],
eap_msg->length);
*/
if ((eap_msg->vp_octets[0] != PW_EAP_REQUEST) &&
(eap_msg->vp_octets[0] != PW_EAP_RESPONSE)) {
- DEBUG2(" rlm_eap: Ignoring EAP packet which we don't know how to handle.");
+ RDEBUG2("Ignoring EAP packet which we don't know how to handle.");
return EAP_FAIL;
}
((eap_msg->vp_octets[4] == 0) ||
(eap_msg->vp_octets[4] > PW_EAP_MAX_TYPES) ||
(inst->types[eap_msg->vp_octets[4]] == NULL))) {
- DEBUG2(" rlm_eap: Ignoring Unknown EAP type");
+ RDEBUG2(" Ignoring Unknown EAP type");
return EAP_NOOP;
}
-
+
/*
* They're NAKing the EAP type we wanted to use, and
* asking for one which we don't support.
((eap_msg->vp_octets[5] == 0) ||
(eap_msg->vp_octets[5] > PW_EAP_MAX_TYPES) ||
(inst->types[eap_msg->vp_octets[5]] == NULL))) {
- DEBUG2(" rlm_eap: Ignoring NAK with request for unknown EAP type");
+ RDEBUG2("Ignoring NAK with request for unknown EAP type");
return EAP_NOOP;
}
+ if ((eap_msg->vp_octets[4] == PW_EAP_TTLS) ||
+ (eap_msg->vp_octets[4] == PW_EAP_PEAP)) {
+ RDEBUG2("Continuing tunnel setup.");
+ return EAP_OK;
+ }
+
/*
* Later EAP messages are longer than the 'start'
* message, so if everything is OK, this function returns
* use the State attribute to match this EAP-Message to
* an ongoing conversation.
*/
- DEBUG2(" rlm_eap: No EAP Start, assuming it's an on-going EAP conversation");
+ RDEBUG2("No EAP Start, assuming it's an on-going EAP conversation");
return EAP_NOTFOUND;
}
*/
void eap_fail(EAP_HANDLER *handler)
{
+ /*
+ * Delete any previous replies.
+ */
+ pairdelete(&handler->request->reply->vps, PW_EAP_MESSAGE, 0);
+ pairdelete(&handler->request->reply->vps, PW_STATE, 0);
+
+ eap_packet_free(&handler->eap_ds->request);
+ handler->eap_ds->request = eap_packet_alloc();
+
handler->eap_ds->request->code = PW_EAP_FAILURE;
eap_compose(handler);
}
/*
* Basic EAP packet verfications & validations
*/
-static int eap_validation(eap_packet_t *eap_packet)
+static int eap_validation(REQUEST *request, eap_packet_t *eap_packet)
{
uint16_t len;
(eap_packet->data[0] <= 0) ||
(eap_packet->data[0] > PW_EAP_MAX_TYPES)) {
- radlog(L_AUTH, "rlm_eap: Incorrect EAP Message, "
- "Ignoring the packet");
+ radlog_request(L_AUTH, 0, request,
+ "Badly formatted EAP Message: Ignoring the packet");
return EAP_INVALID;
}
/* we don't expect notification, but we send it */
if (eap_packet->data[0] == PW_EAP_NOTIFICATION) {
- radlog(L_AUTH, "rlm_eap: Got NOTIFICATION, "
- "Ignoring the packet");
+ radlog_request(L_AUTH, 0, request, "Got NOTIFICATION, "
+ "Ignoring the packet");
return EAP_INVALID;
}
/*
* Get the user Identity only from EAP-Identity packets
*/
-static char *eap_identity(eap_packet_t *eap_packet)
+static char *eap_identity(REQUEST *request, eap_packet_t *eap_packet)
{
int size;
uint16_t len;
len = ntohs(len);
if ((len <= 5) || (eap_packet->data[1] == 0x00)) {
- radlog(L_ERR, "rlm_eap: UserIdentity Unknown ");
+ RDEBUG("UserIdentity Unknown ");
return NULL;
}
size = len - 5;
- identity = (char *)malloc(size + 1);
- if (identity == NULL) {
- radlog(L_ERR, "rlm_eap: out of memory");
- return NULL;
- }
+ identity = rad_malloc(size + 1);
memcpy(identity, &eap_packet->data[1], size);
identity[size] = '\0';
/*
* Ensure it's a valid EAP-Request, or EAP-Response.
*/
- if (eap_validation(eap_packet) == EAP_INVALID) {
+ if (eap_validation(request, eap_packet) == EAP_INVALID) {
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
handler = eaplist_find(inst, request, eap_packet);
if (handler == NULL) {
/* Either send EAP_Identity or EAP-Fail */
- radlog(L_ERR, "rlm_eap: Either EAP-request timed out OR"
- " EAP-response to an unknown EAP-request");
+ RDEBUG("Either EAP-request timed out OR"
+ " EAP-response to an unknown EAP-request");
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
*/
if ((eap_packet->data[0] != PW_EAP_NAK) &&
(eap_packet->data[0] != handler->eap_type)) {
- radlog(L_ERR, "rlm_eap: Response appears to match, but EAP type is wrong.");
+ RDEBUG("Response appears to match, but EAP type is wrong.");
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
}
- vp = pairfind(request->packet->vps, PW_USER_NAME);
+ vp = pairfind(request->packet->vps, PW_USER_NAME, 0);
if (!vp) {
/*
* NAS did not set the User-Name
* request vps so that autz's work
* correctly
*/
- radlog(L_INFO, "rlm_eap: Broken NAS did not set User-Name, setting from EAP Identity");
+ RDEBUG2("Broken NAS did not set User-Name, setting from EAP Identity");
vp = pairmake("User-Name", handler->identity, T_OP_EQ);
if (vp == NULL) {
- radlog(L_ERR, "rlm_eap: out of memory");
+ RDEBUG("Out of memory");
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
*/
if (strncmp(handler->identity, vp->vp_strvalue,
MAX_STRING_LEN) != 0) {
- radlog(L_ERR, "rlm_eap: Identity does not match User-Name. Authentication failed.");
+ RDEBUG("Identity does not match User-Name. Authentication failed.");
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
}
}
} else { /* packet was EAP identity */
- handler = eap_handler_alloc();
+ handler = eap_handler_alloc(inst);
if (handler == NULL) {
- radlog(L_ERR, "rlm_eap: out of memory");
+ RDEBUG("Out of memory.");
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
/*
* All fields in the handler are set to zero.
*/
- handler->identity = eap_identity(eap_packet);
+ handler->identity = eap_identity(request, eap_packet);
if (handler->identity == NULL) {
- radlog(L_ERR, "rlm_eap: Identity Unknown, authentication failed");
+ RDEBUG("Identity Unknown, authentication failed");
free(*eap_packet_p);
*eap_packet_p = NULL;
- eap_handler_free(handler);
+ eap_handler_free(inst, handler);
return NULL;
}
- vp = pairfind(request->packet->vps, PW_USER_NAME);
+ vp = pairfind(request->packet->vps, PW_USER_NAME, 0);
if (!vp) {
/*
* NAS did not set the User-Name
* request vps so that autz's work
* correctly
*/
- radlog(L_INFO, "rlm_eap: WARNING NAS did not set User-Name. Setting it locally from EAP Identity");
+ RDEBUG2("WARNING NAS did not set User-Name. Setting it locally from EAP Identity");
vp = pairmake("User-Name", handler->identity, T_OP_EQ);
if (vp == NULL) {
- radlog(L_ERR, "rlm_eap: out of memory");
+ RDEBUG("Out of memory");
free(*eap_packet_p);
*eap_packet_p = NULL;
+ eap_handler_free(inst, handler);
return NULL;
}
vp->next = request->packet->vps;
*/
if (strncmp(handler->identity, vp->vp_strvalue,
MAX_STRING_LEN) != 0) {
- radlog(L_ERR, "rlm_eap: Identity does not match User-Name, setting from EAP Identity.");
+ RDEBUG("Identity does not match User-Name, setting from EAP Identity.");
free(*eap_packet_p);
*eap_packet_p = NULL;
- eap_handler_free(handler);
+ eap_handler_free(inst, handler);
return NULL;
}
}
if (handler->eap_ds == NULL) {
free(*eap_packet_p);
*eap_packet_p = NULL;
- eap_handler_free(handler);
+ eap_handler_free(inst, handler);
return NULL;
}