The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
peap.c
Go to the documentation of this file.
1/*
2 * peap.c contains the interfaces that are called from eap
3 *
4 * Version: $Id: e5f6ed03242fd2239a4e62d98e7226757f98b3c3 $
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 * @copyright 2003 Alan DeKok (aland@freeradius.org)
21 * @copyright 2006 The FreeRADIUS server project
22 */
23
24RCSID("$Id: e5f6ed03242fd2239a4e62d98e7226757f98b3c3 $")
25USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
26
27#include <freeradius-devel/radius/radius.h>
28#include <freeradius-devel/radius/defs.h>
29
30#include "eap_peap.h"
31
32/*
33 * Send protected EAP-Failure
34 *
35 * Result-TLV = Failure
36 */
37static int eap_peap_failure(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
38{
39 uint8_t tlv_packet[11];
40
41 RDEBUG2("FAILURE");
42
43 tlv_packet[0] = FR_EAP_CODE_REQUEST;
44 tlv_packet[1] = eap_session->this_round->response->id +1;
45 tlv_packet[2] = 0;
46 tlv_packet[3] = 11; /* length of this packet */
47 tlv_packet[4] = FR_PEAP_EXTENSIONS_TYPE;
48 tlv_packet[5] = 0x80;
49 tlv_packet[6] = EAP_TLV_ACK_RESULT;
50 tlv_packet[7] = 0;
51 tlv_packet[8] = 2; /* length of the data portion */
52 tlv_packet[9] = 0;
53 tlv_packet[10] = EAP_TLV_FAILURE;
54
55 (tls_session->record_from_buff)(&tls_session->clean_in, tlv_packet, 11);
56
57 /*
58 * FIXME: Check the return code.
59 */
60 fr_tls_session_send(request, tls_session);
61
62 return 1;
63}
64
65
66/*
67 * Send protected EAP-Success
68 *
69 * Result-TLV = Success
70 */
71static int eap_peap_success(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
72{
73 uint8_t tlv_packet[11];
74
75 RDEBUG2("SUCCESS");
76
77 tlv_packet[0] = FR_EAP_CODE_REQUEST;
78 tlv_packet[1] = eap_session->this_round->response->id +1;
79 tlv_packet[2] = 0;
80 tlv_packet[3] = 11; /* length of this packet */
81 tlv_packet[4] = FR_PEAP_EXTENSIONS_TYPE;
82 tlv_packet[5] = 0x80; /* mandatory AVP */
83 tlv_packet[6] = EAP_TLV_ACK_RESULT;
84 tlv_packet[7] = 0;
85 tlv_packet[8] = 2; /* length of the data portion */
86 tlv_packet[9] = 0;
87 tlv_packet[10] = EAP_TLV_SUCCESS;
88
89 (tls_session->record_from_buff)(&tls_session->clean_in, tlv_packet, 11);
90
91 /*
92 * FIXME: Check the return code.
93 */
94 fr_tls_session_send(request, tls_session);
95
96 return 1;
97}
98
99
100static int eap_peap_identity(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
101{
102 eap_packet_raw_t eap_packet;
103
104 eap_packet.code = FR_EAP_CODE_REQUEST;
105 eap_packet.id = eap_session->this_round->response->id + 1;
106 eap_packet.length[0] = 0;
107 eap_packet.length[1] = EAP_HEADER_LEN + 1;
108 eap_packet.data[0] = FR_EAP_METHOD_IDENTITY;
109
110 (tls_session->record_from_buff)(&tls_session->clean_in, &eap_packet, sizeof(eap_packet));
111 fr_tls_session_send(request, tls_session);
112 (tls_session->record_init)(&tls_session->clean_in);
113
114 return 1;
115}
116
117/*
118 * Verify the tunneled EAP message.
119 */
120static int eap_peap_verify(request_t *request, peap_tunnel_t *peap_tunnel,
121 uint8_t const *data, size_t data_len)
122{
123 eap_packet_raw_t const *eap_packet = (eap_packet_raw_t const *) data;
124 eap_type_t eap_method;
125
126 /*
127 * No data, OR only 1 byte of EAP type.
128 */
129 if (!data || (data_len == 0) || ((data_len <= 1) && (data[0] != FR_EAP_METHOD_IDENTITY))) return 0;
130
131 /*
132 * Since the full EAP header is sent for the EAP Extensions type (Type 33),
133 * but not for other Types, it is difficult for the implementation to distinguish
134 * an Extensions Request (Code 1) from an EAP Type 1 (Identity) Request packet.
135 *
136 * i.e. The only way to validate PEAP inner method packets properly is to know
137 * we just send a protected success/failure.
138 */
139 switch (peap_tunnel->status) {
140 case PEAP_STATUS_SENT_TLV_SUCCESS:
141 case PEAP_STATUS_SENT_TLV_FAILURE:
142 if (eap_packet->data[0] != FR_PEAP_EXTENSIONS_TYPE) {
143 REDEBUG("Invalid inner tunnel data, expected method (%u), got (%u)",
144 FR_PEAP_EXTENSIONS_TYPE, eap_packet->data[0]);
145 return -1;
146 }
147 return 0;
148
149 default:
150 break;
151 }
152
153 eap_method = data[0]; /* Inner EAP header misses off code and identifier */
154 switch (eap_method) {
155 case FR_EAP_METHOD_IDENTITY:
156 RDEBUG2("Received EAP-Identity-Response");
157 return 0;
158
159 /*
160 * We normally do Microsoft MS-CHAPv2 (26), versus
161 * Cisco MS-CHAPv2 (29).
162 */
163 case FR_EAP_METHOD_MSCHAPV2:
164 default:
165 RDEBUG2("EAP method %s (%d)", eap_type2name(eap_method), eap_method);
166 return 0;
167 }
168
169}
170
171/*
172 * Convert a pseudo-EAP packet to a list of fr_pair_t's.
173 */
174static void eap_peap_inner_to_pairs(TALLOC_CTX *ctx, fr_pair_list_t *pairs,
175 eap_round_t *eap_round,
176 uint8_t const *data, size_t data_len)
177{
178 size_t total;
179 uint8_t *p;
180 fr_pair_t *vp = NULL;
181
182 if (data_len > 65535) return; /* paranoia */
183
184 MEM(vp = fr_pair_afrom_da(ctx, attr_eap_message));
185 total = data_len;
186 if (total > 249) total = 249;
187
188 /*
189 * Hand-build an EAP packet from the crap in PEAP version 0.
190 */
191 MEM(fr_pair_value_mem_alloc(vp, &p, EAP_HEADER_LEN + total, false) == 0);
192 p[0] = FR_EAP_CODE_RESPONSE;
193 p[1] = eap_round->response->id;
194 p[2] = (data_len + EAP_HEADER_LEN) >> 8;
195 p[3] = (data_len + EAP_HEADER_LEN) & 0xff;
196 memcpy(p + EAP_HEADER_LEN, data, total);
197
198 fr_pair_append(pairs, vp);
199 while (total < data_len) {
200 MEM(vp = fr_pair_afrom_da(ctx, attr_eap_message));
201 fr_pair_value_memdup(vp, data + total, (data_len - total), false);
202
203 total += vp->vp_length;
204
205 fr_pair_append(pairs, vp);
206 }
207}
208
209
210/*
211 * Convert a list of fr_pair_t's to an EAP packet, through the
212 * simple expedient of dumping the EAP message
213 */
214static int eap_peap_inner_from_pairs(request_t *request, fr_tls_session_t *tls_session, fr_pair_list_t *vps)
215{
216 fr_pair_t *this;
217
218 fr_assert(!fr_pair_list_empty(vps));
219
220 /*
221 * Send the EAP data in the first attribute, WITHOUT the
222 * header.
223 */
224 this = fr_pair_list_head(vps);
225 (tls_session->record_from_buff)(&tls_session->clean_in, this->vp_octets + EAP_HEADER_LEN,
226 this->vp_length - EAP_HEADER_LEN);
227
228 /*
229 * Send the rest of the EAP data, but skipping the first VP.
230 */
231 for (this = fr_pair_list_next(vps, this);
232 this;
233 this = fr_pair_list_next(vps, this)) {
234 (tls_session->record_from_buff)(&tls_session->clean_in, this->vp_octets, this->vp_length);
235 }
236
237 fr_tls_session_send(request, tls_session);
238
239 return 1;
240}
241
242
243/*
244 * See if there's a TLV in the response.
245 */
246static int eap_peap_check_tlv(request_t *request, uint8_t const *data, size_t data_len)
247{
248 eap_packet_raw_t const *eap_packet = (eap_packet_raw_t const *) data;
249
250 if (data_len < 11) return 0;
251
252 /*
253 * Look for success or failure.
254 */
255 if ((eap_packet->code == FR_EAP_CODE_RESPONSE) &&
256 (eap_packet->data[0] == FR_PEAP_EXTENSIONS_TYPE)) {
257 if (data[10] == EAP_TLV_SUCCESS) {
258 return 1;
259 }
260
261 if (data[10] == EAP_TLV_FAILURE) {
262 RDEBUG2("Client rejected our response. The password is probably incorrect");
263 return 0;
264 }
265 }
266
267 RDEBUG2("Unknown TLV %02x", data[10]);
268
269 return 0;
270}
271
272
273/*
274 * Use a reply packet to determine what to do.
275 */
276static unlang_action_t process_reply(rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx)
277{
278 eap_session_t *eap_session = talloc_get_type_abort(uctx, eap_session_t);
279 eap_tls_session_t *eap_tls_session = talloc_get_type_abort(eap_session->opaque, eap_tls_session_t);
280 fr_tls_session_t *tls_session = eap_tls_session->tls_session;
281 fr_pair_list_t vps;
282 peap_tunnel_t *t = tls_session->opaque;
283 request_t *parent = request->parent;
284 fr_packet_t *reply = request->reply;
285
286 if (RDEBUG_ENABLED2) {
287
288 /*
289 * Note that we don't do *anything* with the reply
290 * attributes.
291 */
292 if (FR_RADIUS_PACKET_CODE_VALID(reply->code)) {
293 RDEBUG2("Got tunneled reply %s", fr_radius_packet_name[reply->code]);
294 } else {
295 RDEBUG2("Got tunneled reply code %i", reply->code);
296 }
297 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->reply_pairs, NULL);
298 }
299
300 switch (reply->code) {
301 case FR_RADIUS_CODE_ACCESS_ACCEPT:
302 RDEBUG2("Tunneled authentication was successful");
303 t->status = PEAP_STATUS_SENT_TLV_SUCCESS;
304 eap_peap_success(request, eap_session, tls_session);
305 RETURN_MODULE_HANDLED;
306
307 case FR_RADIUS_CODE_ACCESS_REJECT:
308 RDEBUG2("Tunneled authentication was rejected");
309 t->status = PEAP_STATUS_SENT_TLV_FAILURE;
310 eap_peap_failure(request, eap_session, tls_session);
311 RETURN_MODULE_HANDLED;
312
313 case FR_RADIUS_CODE_ACCESS_CHALLENGE:
314 RDEBUG2("Got tunneled Access-Challenge");
315
316 /*
317 * PEAP takes only EAP-Message attributes inside
318 * of the tunnel. Any Reply-Message in the
319 * Access-Challenge is ignored.
320 */
321 fr_pair_list_init(&vps);
322 MEM(fr_pair_list_copy_by_da(t, &vps, &request->reply_pairs, attr_eap_message, 0) >= 0);
323
324 /*
325 * Handle the ACK, by tunneling any necessary reply
326 * VP's back to the client.
327 */
328 if (!fr_pair_list_empty(&vps)) {
329 eap_peap_inner_from_pairs(parent, tls_session, &vps);
330 fr_pair_list_free(&vps);
331 }
332
333 RETURN_MODULE_HANDLED;
334
335 default:
336 RDEBUG2("Unknown RADIUS packet type %d: rejecting tunneled user", reply->code);
337 RETURN_MODULE_REJECT;
338 }
339}
340
341
342static char const *peap_state(peap_tunnel_t *t)
343{
344 switch (t->status) {
345 case PEAP_STATUS_TUNNEL_ESTABLISHED:
346 return "TUNNEL ESTABLISHED";
347
348 case PEAP_STATUS_INNER_IDENTITY_REQ_SENT:
349 return "WAITING FOR INNER IDENTITY";
350
351 case PEAP_STATUS_SENT_TLV_SUCCESS:
352 return "send tlv success";
353
354 case PEAP_STATUS_SENT_TLV_FAILURE:
355 return "send tlv failure";
356
357 case PEAP_STATUS_PHASE2_INIT:
358 return "phase2_init";
359
360 case PEAP_STATUS_PHASE2:
361 return "phase2";
362
363 default:
364 break;
365 }
366 return "?";
367}
368
369/*
370 * Process the pseudo-EAP contents of the tunneled data.
371 */
372unlang_action_t eap_peap_process(rlm_rcode_t *p_result, request_t *request,
373 eap_session_t *eap_session, fr_tls_session_t *tls_session)
374{
375 peap_tunnel_t *t = tls_session->opaque;
376 request_t *child = NULL;
377 fr_pair_t *vp;
378 rlm_rcode_t rcode = RLM_MODULE_REJECT;
379 uint8_t const *data;
380 size_t data_len;
381 eap_round_t *eap_round = eap_session->this_round;
382
383 /*
384 * Just look at the buffer directly, without doing
385 * record_to_buff. This lets us avoid another data copy.
386 */
387 data_len = tls_session->clean_out.used;
388 tls_session->clean_out.used = 0;
389 data = tls_session->clean_out.data;
390
391 RDEBUG2("PEAP state %s", peap_state(t));
392
393 if ((t->status != PEAP_STATUS_TUNNEL_ESTABLISHED) && (eap_peap_verify(request, t, data, data_len) < 0)) {
394 REDEBUG("Tunneled data is invalid");
395 RETURN_MODULE_REJECT;
396 }
397
398 switch (t->status) {
399 case PEAP_STATUS_TUNNEL_ESTABLISHED:
400 /* FIXME: should be no data in the buffer here, check & assert? */
401
402 if (SSL_session_reused(tls_session->ssl)) {
403 RDEBUG2("Skipping Phase2 because of session resumption");
404 t->session_resumption_state = PEAP_RESUMPTION_YES;
405 /* we're good, send success TLV */
406 t->status = PEAP_STATUS_SENT_TLV_SUCCESS;
407 eap_peap_success(request, eap_session, tls_session);
408
409 } else {
410 /* send an identity request */
411 t->session_resumption_state = PEAP_RESUMPTION_NO;
412 t->status = PEAP_STATUS_INNER_IDENTITY_REQ_SENT;
413 eap_peap_identity(request, eap_session, tls_session);
414 }
415 rcode = RLM_MODULE_HANDLED;
416 goto finish;
417
418 case PEAP_STATUS_INNER_IDENTITY_REQ_SENT:
419 /* we're expecting an identity response */
420 if (data[0] != FR_EAP_METHOD_IDENTITY) {
421 REDEBUG("Expected EAP-Identity, got something else");
422 rcode = RLM_MODULE_REJECT;
423 goto finish;
424 }
425
426 /*
427 * Save it for later.
428 */
429 MEM(t->username = fr_pair_afrom_da(t, attr_user_name));
430 t->username->vp_tainted = true;
431
432 fr_pair_value_bstrndup(t->username, (char const *)data + 1, data_len - 1, true);
433
434 RDEBUG2("Got inner identity \"%pV\"", &t->username->data);
435 t->status = PEAP_STATUS_PHASE2_INIT;
436 break;
437
438 /*
439 * If we authenticated the user, then it's OK.
440 */
441 case PEAP_STATUS_SENT_TLV_SUCCESS:
442 if (eap_peap_check_tlv(request, data, data_len)) {
443 RDEBUG2("Success");
444 rcode = RLM_MODULE_OK;
445 goto finish;
446 }
447
448 /*
449 * Otherwise, the client rejected the session
450 * resumption. If the session is being re-used,
451 * we need to do a full authentication.
452 *
453 * We do this by sending an EAP-Identity request
454 * inside of the PEAP tunnel.
455 */
456 if (t->session_resumption_state == PEAP_RESUMPTION_YES) {
457 RDEBUG2("Client rejected session resumption. Re-starting full authentication");
458
459 /*
460 * Mark session resumption status.
461 */
462 t->status = PEAP_STATUS_INNER_IDENTITY_REQ_SENT;
463 t->session_resumption_state = PEAP_RESUMPTION_NO;
464
465 eap_peap_identity(request, eap_session, tls_session);
466 rcode = RLM_MODULE_HANDLED;
467 goto finish;
468 }
469
470 REDEBUG("Sent a success, but received something weird in return");
471 rcode = RLM_MODULE_REJECT;
472 goto finish;
473
474 /*
475 * Supplicant ACKs our failure.
476 */
477 case PEAP_STATUS_SENT_TLV_FAILURE:
478 RINDENT();
479 REDEBUG("The users session was previously rejected: returning reject (again.)");
480 RIDEBUG("This means you need to read the PREVIOUS messages in the debug output");
481 RIDEBUG("to find out the reason why the user was rejected");
482 RIDEBUG("Look for \"reject\" or \"fail\". Those earlier messages will tell you");
483 RIDEBUG("what went wrong, and how to fix the problem");
484 REXDENT();
485
486 RETURN_MODULE_REJECT;
487
488 case PEAP_STATUS_PHASE2_INIT:
489 RDEBUG2("In state machine in phase2 init?");
490 break;
491
492 case PEAP_STATUS_PHASE2:
493 break;
494
495 default:
496 REDEBUG("Unhandled state in peap");
497 rcode = RLM_MODULE_REJECT;
498 goto finish;
499 }
500
501 MEM(child = unlang_subrequest_alloc(request, request->dict));
502 fr_assert(fr_pair_list_empty(&child->request_pairs));
503
504 switch (t->status) {
505 /*
506 * If we're in PHASE2_INIT, the phase2 method hasn't been
507 * sent an Identity packet yet; do so from the stored
508 * username and this will kick off the phase2 eap method
509 */
510 case PEAP_STATUS_PHASE2_INIT:
511 {
512 size_t len;
513 uint8_t *q;
514
515 fr_assert(t->username);
516
517 len = t->username->vp_length + EAP_HEADER_LEN + 1;
518 t->status = PEAP_STATUS_PHASE2;
519
520 MEM(vp = fr_pair_afrom_da(child->request_ctx, attr_eap_message));
521 MEM(fr_pair_value_mem_alloc(vp, &q, len, false) == 0);
522 q[0] = FR_EAP_CODE_RESPONSE;
523 q[1] = eap_round->response->id;
524 q[2] = (len >> 8) & 0xff;
525 q[3] = len & 0xff;
526 q[4] = FR_EAP_METHOD_IDENTITY;
527 memcpy(q + EAP_HEADER_LEN + 1,
528 t->username->vp_strvalue, t->username->vp_length);
529 fr_pair_append(&child->request_pairs, vp);
530 }
531 break;
532
533 case PEAP_STATUS_PHASE2:
534 eap_peap_inner_to_pairs(child->request_ctx, &child->request_pairs,
535 eap_round, data, data_len);
536 if (fr_pair_list_empty(&child->request_pairs)) {
537 talloc_free(child);
538 RDEBUG2("Unable to convert tunneled EAP packet to internal server data structures");
539 rcode = RLM_MODULE_REJECT;
540 goto finish;
541 }
542 break;
543
544 default:
545 REDEBUG("Invalid state change in PEAP");
546 rcode = RLM_MODULE_REJECT;
547 goto finish;
548 }
549
550 RDEBUG2("Got tunneled request");
551 log_request_pair_list(L_DBG_LVL_2, request, NULL, &child->request_pairs, NULL);
552
553 /*
554 * Update other items in the request_t data structure.
555 */
556 if (!t->username) {
557 /*
558 * There's no User-Name in the tunneled session,
559 * so we add one here, by pulling it out of the
560 * EAP-Identity packet.
561 */
562 if ((data[0] == FR_EAP_METHOD_IDENTITY) && (data_len > 1)) {
563 MEM(t->username = fr_pair_afrom_da(t, attr_user_name));
564 fr_assert(t->username != NULL);
565 t->username->vp_tainted = true;
566
567 fr_pair_value_bstrndup(t->username, (char const *)data + 1, data_len - 1, true);
568
569 RDEBUG2("Got tunneled identity of %pV", &t->username->data);
570 }
571 } /* else there WAS a t->username */
572
573 if (t->username) {
574 vp = fr_pair_copy(child->request_ctx, t->username);
575 fr_pair_append(&child->request_pairs, vp);
576 RDEBUG2("Setting &request.User-Name from tunneled (inner) identity \"%s\"",
577 vp->vp_strvalue);
578 } else {
579 RDEBUG2("No tunnel username (SSL resumption?)");
580 }
581
582 if (unlang_subrequest_child_push(&eap_session->submodule_rcode, child,
583 &(unlang_subrequest_session_t){ .enable = true, .unique_ptr = child },
584 false, UNLANG_SUB_FRAME) < 0) goto finish;
585 if (unlang_function_push(child, NULL, process_reply, NULL, 0,
586 UNLANG_SUB_FRAME, eap_session) != UNLANG_ACTION_PUSHED_CHILD) goto finish;
587
588 /*
589 * Call authentication recursively, which will
590 * do PAP, CHAP, MS-CHAP, etc.
591 */
592 return eap_virtual_server(child, eap_session, t->server_cs);
593
594finish:
595 if (child) request_detach(child);
596
597 RETURN_MODULE_RCODE(rcode);
598}
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_PUSHED_CHILD
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition action.h:39
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:470
RCSID
#define RCSID(id)
Definition build.h:483
UNUSED
#define UNUSED
Definition build.h:315
eap_round_t::response
eap_packet_t * response
Packet we received from the peer.
Definition compose.h:49
eap_packet_t::id
uint8_t id
Definition compose.h:37
eap_round_t
Contains a pair of request and response packets.
Definition compose.h:48
MEM
#define MEM(x)
Definition debug.h:36
FR_RADIUS_CODE_ACCESS_CHALLENGE
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
FR_RADIUS_CODE_ACCESS_ACCEPT
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
FR_RADIUS_CODE_ACCESS_REJECT
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
eap_type2name
char const * eap_type2name(eap_type_t method)
Return an EAP-name for a particular type.
Definition types.c:54
FR_EAP_CODE_RESPONSE
@ FR_EAP_CODE_RESPONSE
Definition types.h:38
FR_EAP_CODE_REQUEST
@ FR_EAP_CODE_REQUEST
Definition types.h:37
eap_packet_raw_t::data
uint8_t data[1]
Definition types.h:125
eap_type_t
enum eap_type eap_type_t
eap_packet_raw_t::code
uint8_t code
Definition types.h:122
EAP_HEADER_LEN
#define EAP_HEADER_LEN
Definition types.h:34
eap_packet_raw_t::length
uint8_t length[2]
Definition types.h:124
eap_packet_raw_t::id
uint8_t id
Definition types.h:123
FR_EAP_METHOD_MSCHAPV2
@ FR_EAP_METHOD_MSCHAPV2
Definition types.h:71
FR_EAP_METHOD_IDENTITY
@ FR_EAP_METHOD_IDENTITY
Definition types.h:46
eap_packet_raw_t
Structure to represent packet format of eap on wire
Definition types.h:121
eap_peap.h
EAP_TLV_FAILURE
#define EAP_TLV_FAILURE
Definition eap_peap.h:61
PEAP_STATUS_PHASE2_INIT
@ PEAP_STATUS_PHASE2_INIT
Definition eap_peap.h:34
PEAP_STATUS_TUNNEL_ESTABLISHED
@ PEAP_STATUS_TUNNEL_ESTABLISHED
Definition eap_peap.h:32
PEAP_STATUS_PHASE2
@ PEAP_STATUS_PHASE2
Definition eap_peap.h:35
PEAP_STATUS_INNER_IDENTITY_REQ_SENT
@ PEAP_STATUS_INNER_IDENTITY_REQ_SENT
Definition eap_peap.h:33
PEAP_STATUS_SENT_TLV_SUCCESS
@ PEAP_STATUS_SENT_TLV_SUCCESS
Definition eap_peap.h:30
PEAP_STATUS_SENT_TLV_FAILURE
@ PEAP_STATUS_SENT_TLV_FAILURE
Definition eap_peap.h:31
PEAP_RESUMPTION_YES
@ PEAP_RESUMPTION_YES
Definition eap_peap.h:40
PEAP_RESUMPTION_NO
@ PEAP_RESUMPTION_NO
Definition eap_peap.h:39
FR_PEAP_EXTENSIONS_TYPE
#define FR_PEAP_EXTENSIONS_TYPE
Definition eap_peap.h:64
peap_tunnel_t::status
peap_status status
Definition eap_peap.h:46
peap_tunnel_t::session_resumption_state
peap_resumption session_resumption_state
Definition eap_peap.h:50
EAP_TLV_SUCCESS
#define EAP_TLV_SUCCESS
Definition eap_peap.h:60
peap_tunnel_t::server_cs
CONF_SECTION * server_cs
Definition eap_peap.h:49
peap_tunnel_t::username
fr_pair_t * username
Definition eap_peap.h:45
EAP_TLV_ACK_RESULT
#define EAP_TLV_ACK_RESULT
Definition eap_peap.h:62
peap_tunnel_t
Definition eap_peap.h:44
unlang_function_push
#define unlang_function_push(_request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack.
Definition function.h:111
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition interpret.h:36
attr_eap_message
HIDDEN fr_dict_attr_t const * attr_eap_message
Definition base.c:96
eap_virtual_server
unlang_action_t eap_virtual_server(request_t *request, eap_session_t *eap_session, CONF_SECTION *server_cs)
Run a subrequest through a virtual server.
Definition base.c:427
eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition session.h:62
eap_session_s::submodule_rcode
rlm_rcode_t submodule_rcode
Result of last submodule call.
Definition session.h:46
eap_session_s::this_round
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:59
eap_session_s
Tracks the progress of a single session of any EAP method.
Definition session.h:40
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:830
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
talloc_free
talloc_free(reap)
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
request_t
Definition merged_model.c:210
fr_pair_list_copy_by_da
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
Definition pair.c:2406
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2981
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1345
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:283
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2784
fr_pair_copy
fr_pair_t * fr_pair_copy(TALLOC_CTX *ctx, fr_pair_t const *vp)
Copy a single valuepair.
Definition pair.c:489
fr_pair_value_mem_alloc
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
Definition pair.c:2930
eap_peap_failure
static USES_APPLE_DEPRECATED_API int eap_peap_failure(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
Definition peap.c:37
process_reply
static unlang_action_t process_reply(rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx)
Definition peap.c:276
eap_peap_success
static int eap_peap_success(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
Definition peap.c:71
eap_peap_identity
static int eap_peap_identity(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
Definition peap.c:100
eap_peap_check_tlv
static int eap_peap_check_tlv(request_t *request, uint8_t const *data, size_t data_len)
Definition peap.c:246
eap_peap_inner_to_pairs
static void eap_peap_inner_to_pairs(TALLOC_CTX *ctx, fr_pair_list_t *pairs, eap_round_t *eap_round, uint8_t const *data, size_t data_len)
Definition peap.c:174
eap_peap_inner_from_pairs
static int eap_peap_inner_from_pairs(request_t *request, fr_tls_session_t *tls_session, fr_pair_list_t *vps)
Definition peap.c:214
peap_state
static char const * peap_state(peap_tunnel_t *t)
Definition peap.c:342
eap_peap_process
unlang_action_t eap_peap_process(rlm_rcode_t *p_result, request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
Definition peap.c:372
eap_peap_verify
static int eap_peap_verify(request_t *request, peap_tunnel_t *peap_tunnel, uint8_t const *data, size_t data_len)
Definition peap.c:120
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:112
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition radclient-ng.c:128
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition radclient.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
FR_RADIUS_PACKET_CODE_VALID
#define FR_RADIUS_PACKET_CODE_VALID(_x)
Definition radius.h:52
RIDEBUG
#define RIDEBUG(fmt,...)
Definition radsniff.h:65
RETURN_MODULE_REJECT
#define RETURN_MODULE_REJECT
Definition rcode.h:55
RETURN_MODULE_RCODE
#define RETURN_MODULE_RCODE(_rcode)
Definition rcode.h:64
RETURN_MODULE_HANDLED
#define RETURN_MODULE_HANDLED
Definition rcode.h:58
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:44
request_detach
int request_detach(request_t *child)
Unlink a subrequest from its parent.
Definition request.c:668
vp
fr_pair_t * vp
Definition state_machine.c:2262
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
unlang_subrequest_alloc
request_t * unlang_subrequest_alloc(request_t *parent, fr_dict_t const *namespace)
Allocate a subrequest to run through a virtual server at some point in the future.
Definition subrequest.c:287
unlang_subrequest_child_push
int unlang_subrequest_child_push(rlm_rcode_t *out, request_t *child, unlang_subrequest_session_t const *session, bool free_child, bool top_frame)
Push a pre-existing child back onto the stack as a subrequest.
Definition subrequest_child.c:329
unlang_subrequest_session_t
Definition subrequest.h:34
eap_tls_session_t::tls_session
fr_tls_session_t * tls_session
TLS session used to authenticate peer or tunnel sensitive data.
Definition tls.h:129
eap_tls_session_t
Tracks the state of an EAP-TLS session.
Definition tls.h:126
fr_packet_t::code
unsigned int code
Packet code (type).
Definition packet.h:61
fr_packet_t
Definition packet.h:56
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:125
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:70
fr_pair_list_free
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
Definition pair_inline.c:113
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:43
parent
static fr_slen_t parent
Definition pair.h:851
data
static fr_slen_t data
Definition value.h:1265
Generated by   doxygen 1.9.8