24 RCSID(
"$Id: 02eecbca33fd5b9d307addcecbeb5b1d5be2b00f $")
27 #include <freeradius-devel/radius/radius.h>
28 #include <freeradius-devel/radius/defs.h>
57 (tls_session->record_from_buff)(&tls_session->clean_in, tlv_packet, 11);
62 fr_tls_session_send(request, tls_session);
91 (tls_session->record_from_buff)(&tls_session->clean_in, tlv_packet, 11);
96 fr_tls_session_send(request, tls_session);
112 (tls_session->record_from_buff)(&tls_session->clean_in, &eap_packet,
sizeof(eap_packet));
113 fr_tls_session_send(request, tls_session);
114 (tls_session->record_init)(&tls_session->clean_in);
141 switch (peap_tunnel->
status) {
145 REDEBUG(
"Invalid inner tunnel data, expected method (%u), got (%u)",
155 eap_method =
data[0];
156 switch (eap_method) {
158 RDEBUG2(
"Received EAP-Identity-Response");
184 if (data_len > 65535)
return;
188 if (total > 249) total = 249;
201 while (total < data_len) {
205 total +=
vp->vp_length;
227 (tls_session->record_from_buff)(&tls_session->clean_in, this->vp_octets +
EAP_HEADER_LEN,
236 (tls_session->record_from_buff)(&tls_session->clean_in, this->vp_octets, this->vp_length);
239 fr_tls_session_send(request, tls_session);
252 if (data_len < 11)
return 0;
264 RDEBUG2(
"Client rejected our response. The password is probably incorrect");
295 RDEBUG2(
"Got tunneled reply code %i", reply->
code);
300 switch (reply->
code) {
302 RDEBUG2(
"Tunneled authentication was successful");
309 RDEBUG2(
"Tunneled authentication was rejected");
316 RDEBUG2(
"Got tunneled Access-Challenge");
339 RDEBUG2(
"Unknown RADIUS packet type %d: rejecting tunneled user", reply->
code);
352 return "TUNNEL ESTABLISHED";
355 return "WAITING FOR INNER IDENTITY";
358 return "send tlv success";
361 return "send tlv failure";
364 return "phase2_init";
393 data_len = tls_session->clean_out.used;
394 tls_session->clean_out.used = 0;
395 data = tls_session->clean_out.data;
400 REDEBUG(
"Tunneled data is invalid");
408 if (SSL_session_reused(tls_session->ssl)) {
409 RDEBUG2(
"Skipping Phase2 because of session resumption");
427 REDEBUG(
"Expected EAP-Identity, got something else");
463 RDEBUG2(
"Client rejected session resumption. Re-starting full authentication");
476 REDEBUG(
"Sent a success, but received something weird in return");
485 REDEBUG(
"The users session was previously rejected: returning reject (again.)");
486 RIDEBUG(
"This means you need to read the PREVIOUS messages in the debug output");
487 RIDEBUG(
"to find out the reason why the user was rejected");
488 RIDEBUG(
"Look for \"reject\" or \"fail\". Those earlier messages will tell you");
489 RIDEBUG(
"what went wrong, and how to fix the problem");
495 RDEBUG2(
"In state machine in phase2 init?");
502 REDEBUG(
"Unhandled state in peap");
530 q[2] = (len >> 8) & 0xff;
541 eap_round,
data, data_len);
544 RDEBUG2(
"Unable to convert tunneled EAP packet to internal server data structures");
551 REDEBUG(
"Invalid state change in PEAP");
556 RDEBUG2(
"Got tunneled request");
590 if (!
fake->reply->code) {
591 REDEBUG(
"Unknown RADIUS packet type %d: rejecting tunneled user",
fake->reply->code);
616 RDEBUG2(
"Setting &request.User-Name from tunneled (inner) identity \"%s\"",
619 RDEBUG2(
"No tunnel username (SSL resumption?)");
unlang_action_t
Returned by unlang_op_t calls; determines the next action of the interpreter.
#define USES_APPLE_DEPRECATED_API
eap_packet_t * response
Packet we received from the peer.
Contains a pair of request and response packets.
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
char const * eap_type2name(eap_type_t method)
Return an EAP-name for a particular type.
Structure representing the on-wire packet format of EAP.
@ PEAP_STATUS_PHASE2_INIT
@ PEAP_STATUS_TUNNEL_ESTABLISHED
@ PEAP_STATUS_INNER_IDENTITY_REQ_SENT
@ PEAP_STATUS_SENT_TLV_SUCCESS
@ PEAP_STATUS_SENT_TLV_FAILURE
char const * virtual_server
#define FR_PEAP_EXTENSIONS_TYPE
peap_resumption session_resumption_state
#define EAP_TLV_ACK_RESULT
HIDDEN fr_dict_attr_t const * attr_freeradius_proxied_to
HIDDEN fr_dict_attr_t const * attr_eap_message
rlm_rcode_t eap_virtual_server(UNUSED request_t *request, UNUSED eap_session_t *eap_session, UNUSED char const *virtual_server)
Run a subrequest through a virtual server, managing the eap_session_t of the child.
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Tracks the progress of a single session of any EAP method.
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
#define REXDENT()
Exdent (unindent) R* messages by one level.
#define RINDENT()
Indent R* messages by one level.
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
fr_pair_t * fr_pair_copy(TALLOC_CTX *ctx, fr_pair_t const *vp)
Copy a single valuepair.
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
int fr_pair_value_from_str(fr_pair_t *vp, char const *value, size_t inlen, fr_sbuff_unescape_rules_t const *uerules, bool tainted)
Convert string value to native attribute value.
int fr_pair_prepend_by_da(TALLOC_CTX *ctx, fr_pair_t **out, fr_pair_list_t *list, fr_dict_attr_t const *da)
Allocate a new fr_pair_t and prepend it to the list.
static USES_APPLE_DEPRECATED_API int setup_fake_request(request_t *request, request_t *fake, peap_tunnel_t *t)
static int eap_peap_success(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
static int eap_peap_identity(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
static int eap_peap_check_tlv(request_t *request, uint8_t const *data, size_t data_len)
static void eap_peap_inner_to_pairs(TALLOC_CTX *ctx, fr_pair_list_t *pairs, eap_round_t *eap_round, uint8_t const *data, size_t data_len)
static int eap_peap_inner_from_pairs(request_t *request, fr_tls_session_t *tls_session, fr_pair_list_t *vps)
unlang_action_t eap_peap_process(rlm_rcode_t *p_result, request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
static int eap_peap_failure(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
static char const * peap_state(peap_tunnel_t *t)
static int eap_peap_verify(request_t *request, peap_tunnel_t *peap_tunnel, uint8_t const *data, size_t data_len)
static rlm_rcode_t process_reply(eap_session_t *eap_session, fr_tls_session_t *tls_session, request_t *request, fr_packet_t *reply, fr_pair_list_t *reply_list)
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
static fr_dict_attr_t const * attr_user_name
#define RDEBUG_ENABLED2()
#define FR_RADIUS_PACKET_CODE_VALID(_x)
#define RETURN_MODULE_REJECT
#define RETURN_MODULE_RCODE(_rcode)
rlm_rcode_t
Return codes indicating the result of the module call.
@ RLM_MODULE_OK
The module is OK, continue.
@ RLM_MODULE_REJECT
Immediately reject the request.
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
#define request_alloc_internal(_ctx, _args)
Allocate a new internal request.
Optional arguments for initialising requests.
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
Stores an attribute, a value and various bits of other data.
unsigned int code
Packet code (type).
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
bool fr_pair_list_empty(fr_pair_list_t const *list)
Check whether a valuepair list is empty.
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.