*/
int copy_request_to_tunnel;
+#ifdef WITH_PROXY
/*
* Proxy tunneled session as EAP, or as de-capsulated
* protocol.
*/
int proxy_tunneled_request_as_eap;
+#endif
/*
* Virtual server for inner tunnel session.
*/
char *virtual_server;
+
+ /*
+ * Do we do SoH request?
+ */
+ int soh;
+ char *soh_virtual_server;
} rlm_eap_peap_t;
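Review bot: The new `soh_virtual_server` member is the only field in this struct without a comment; the block above `soh` documents only the boolean, and every neighbouring member (`copy_request_to_tunnel`, `virtual_server`) has its own. I'd add `/* Virtual server that processes the tunneled SoH exchange; NULL when not configured */` directly above `char *soh_virtual_server;`, hedging the "processes" wording against the SoH code path, which is not in this hunk. The struct's opening brace is outside the hunk.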
{ "use_tunneled_reply", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_peap_t, use_tunneled_reply), NULL, "no" },
+#ifdef WITH_PROXY
{ "proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_peap_t, proxy_tunneled_request_as_eap), NULL, "yes" },
+#endif
{ "virtual_server", PW_TYPE_STRING_PTR,
offsetof(rlm_eap_peap_t, virtual_server), NULL, NULL },
+ { "soh", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_peap_t, soh), NULL, "no" },
+
+ { "soh_virtual_server", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_peap_t, soh_virtual_server), NULL, NULL },
+
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
pairfree(&t->username);
pairfree(&t->state);
pairfree(&t->accept_vps);
+ pairfree(&t->soh_reply_vps);
free(t);
}
t->default_eap_type = inst->default_eap_type;
t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
t->use_tunneled_reply = inst->use_tunneled_reply;
+#ifdef WITH_PROXY
t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
+#endif
t->virtual_server = inst->virtual_server;
+ t->soh = inst->soh;
+ t->soh_virtual_server = inst->soh_virtual_server;
+ t->session_resumption_state = PEAP_RESUMPTION_MAYBE;
return t;
}
eaptls_status_t status;
rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
- peap_tunnel_t *peap = NULL;
+ peap_tunnel_t *peap = tls_session->opaque;
+ REQUEST *request = handler->request;
- DEBUG2(" rlm_eap_peap: Authenticate");
+ /*
+ * Session resumption requires the storage of data, so
+ * allocate it if it doesn't already exist.
+ */
+ if (!tls_session->opaque) {
+ peap = tls_session->opaque = peap_alloc(inst);
+ tls_session->free_opaque = peap_free;
+ }
status = eaptls_process(handler);
- DEBUG2(" eaptls_process returned %d\n", status);
+ RDEBUG2("eaptls_process returned %d\n", status);
switch (status) {
/*
* EAP-TLS handshake was successful, tell the
* an EAP-TLS-Success packet here.
*/
case EAPTLS_SUCCESS:
- {
- eap_packet_t eap_packet;
-
- eap_packet.code = PW_EAP_REQUEST;
- eap_packet.id = handler->eap_ds->response->id + 1;
- eap_packet.length[0] = 0;
- eap_packet.length[1] = EAP_HEADER_LEN + 1;
- eap_packet.data[0] = PW_EAP_IDENTITY;
-
- (tls_session->record_plus)(&tls_session->clean_in,
- &eap_packet, sizeof(eap_packet));
-
- tls_handshake_send(tls_session);
- (tls_session->record_init)(&tls_session->clean_in);
- }
- eaptls_request(handler->eap_ds, tls_session);
- DEBUG2(" rlm_eap_peap: EAPTLS_SUCCESS");
- return 1;
+ RDEBUG2("EAPTLS_SUCCESS");
+ peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
+ break;
/*
* The TLS code is still working on the TLS
* and EAP id from the inner tunnel, and update it with
* the expected EAP id!
*/
- DEBUG2(" rlm_eap_peap: EAPTLS_HANDLED");
+ RDEBUG2("EAPTLS_HANDLED");
return 1;
/*
* data.
*/
case EAPTLS_OK:
- DEBUG2(" rlm_eap_peap: EAPTLS_OK");
+ RDEBUG2("EAPTLS_OK");
break;
/*
* Anything else: fail.
*/
default:
- DEBUG2(" rlm_eap_peap: EAPTLS_OTHERS");
+ RDEBUG2("EAPTLS_OTHERS");
return 0;
}
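Review bot: The pointer returned by `peap_alloc(inst)` on the `!tls_session->opaque` branch is stored without a NULL check and then dereferenced at `peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED` on the EAPTLS_SUCCESS path; `peap_alloc()`'s body is outside this hunk, so if it can return NULL rather than aborting on allocation failure, a one-line guard after the assignment, `if (!peap) return 0;`, closes the hole. Separately, `RDEBUG2("eaptls_process returned %d\n", status);` keeps a trailing `\n` that none of the other RDEBUG2 conversions in this function have, which prints a blank line after that log entry; it should read `RDEBUG2("eaptls_process returned %d", status);`. The enclosing authenticate function's signature is outside the hunk.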
* Session is established, proceed with decoding
* tunneled data.
*/
- DEBUG2(" rlm_eap_peap: Session established. Decoding tunneled attributes.");
+ RDEBUG2("Session established. Decoding tunneled attributes.");
/*
* We may need PEAP data associated with the session, so
rcode = eappeap_process(handler, tls_session);
switch (rcode) {
case RLM_MODULE_REJECT:
- eaptls_fail(handler->eap_ds, 0);
+ eaptls_fail(handler, 0);
return 0;
case RLM_MODULE_HANDLED:
return 1;
case RLM_MODULE_OK:
- eaptls_success(handler->eap_ds, 0);
-
/*
* Move the saved VP's from the Access-Accept to
* our Access-Accept.
*/
peap = tls_session->opaque;
+ if (peap->soh_reply_vps) {
+ RDEBUG2("Using saved attributes from the SoH reply");
+ debug_pair_list(peap->soh_reply_vps);
+ pairadd(&handler->request->reply->vps, peap->soh_reply_vps);
+ peap->soh_reply_vps = NULL;
+ }
if (peap->accept_vps) {
- DEBUG2(" Using saved attributes from the original Access-Accept");
+ RDEBUG2("Using saved attributes from the original Access-Accept");
+ debug_pair_list(peap->accept_vps);
+ pairadd(&handler->request->reply->vps, peap->accept_vps);
+ peap->accept_vps = NULL;
}
- pairmove(&handler->request->reply->vps, &peap->accept_vps);
- pairfree(&peap->accept_vps);
-
- eaptls_gen_mppe_keys(&handler->request->reply->vps,
- tls_session->ssl,
- "client EAP encryption");
- return 1;
+ /*
+ * Success: Automatically return MPPE keys.
+ */
+ return eaptls_success(handler, 0);
/*
* No response packet, MUST be proxying it.
* will proxy it, rather than returning an EAP packet.
*/
case RLM_MODULE_UPDATED:
+#ifdef WITH_PROXY
rad_assert(handler->request->proxy != NULL);
+#endif
return 1;
break;
break;
}
- eaptls_fail(handler->eap_ds, 0);
+ eaptls_fail(handler, 0);
return 0;
}
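Review bot: `peap = tls_session->opaque;` just before the new SoH block is now redundant: the declaration `peap_tunnel_t *peap = tls_session->opaque;` and the allocation branch at the top of the function already establish the same value, so unless `eaptls_process()` or `eappeap_process()` replaces `tls_session->opaque` (neither body is in this hunk), the reassignment can be dropped. The two "Using saved attributes" blocks for `soh_reply_vps` and `accept_vps` are identical apart from the list and the message; a small `static` helper taking the list pointer and the message string, which does the RDEBUG2, `debug_pair_list()`, `pairadd()` and the NULL-out, would keep the ownership transfer in one place. The function's signature is outside the hunk.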