24 RCSID(
"$Id: 887d0d10918dbd4e261f67120d541a88e872f0f8 $")
99 ERROR(
"rlm_eap_peap: Unknown EAP type %s",
111 ERROR(
"rlm_eap_peap: Failed initializing SSL context");
117 cf_log_err_cs(cs,
"Failed to find 'Auth-Type EAP' section. Cannot authenticate users.");
155 tls_session_t *tls_session;
162 eap_session->tls =
true;
174 client_cert = vp->vp_integer ?
true :
false;
180 if (!tls_session)
return 0;
182 eap_session->opaque = ((
void *)tls_session);
187 tls_session->prf_label =
"client EAP encryption";
198 tls_session->base_flags = 0x00;
205 tls_session->length_flag =
false;
212 talloc_free(tls_session);
227 fr_tls_status_t status;
229 tls_session_t *tls_session = (tls_session_t *) eap_session->
opaque;
237 if (!tls_session->opaque) peap = tls_session->opaque =
peap_alloc(tls_session, inst);
240 if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
241 REDEBUG(
"[eap-tls process] = %s",
fr_int2str(fr_tls_status_table, status,
"<INVALID>"));
243 RDEBUG2(
"[eap-tls process] = %s",
fr_int2str(fr_tls_status_table, status,
"<INVALID>"));
275 case FR_TLS_RECORD_COMPLETE:
289 RDEBUG2(
"Session established. Decoding tunneled attributes");
295 if (!tls_session->opaque) {
296 tls_session->opaque =
peap_alloc(tls_session, inst);
317 peap = tls_session->opaque;
318 if (peap->soh_reply_vps) {
319 RDEBUG2(
"Using saved attributes from the SoH reply");
322 &peap->soh_reply_vps, 0, 0,
TAG_ANY);
324 if (peap->accept_vps) {
325 RDEBUG2(
"Using saved attributes from the original Access-Accept");
328 &peap->accept_vps, 0, 0,
TAG_ANY);
329 }
else if (peap->use_tunneled_reply) {
330 RDEBUG2(
"No saved attributes in the original Access-Accept");
2nd highest priority debug messages (-xx | -X).
bool proxy_tunneled_request_as_eap
static CONF_PARSER module_config[]
The module is OK, continue.
void fr_pair_list_mcopy_by_num(TALLOC_CTX *ctx, VALUE_PAIR **to, VALUE_PAIR **from, unsigned int vendor, unsigned int attr, int8_t tag)
Copy / delete matching pairs between VALUE_PAIR lists.
eap_type_t eap_name2type(char const *name)
Return an EAP-Type for a particular name.
char const * soh_virtual_server
bool copy_request_to_tunnel
VALUE_PAIR * vps
Result of decoding the packet into VALUE_PAIRs.
#define CONF_PARSER_TERMINATOR
static int mod_process(void *arg, eap_session_t *eap_session)
void * opaque
Opaque data used by EAP methods.
bool use_tunneled_reply
Use the reply attributes from the tunneled session in the non-tunneled reply to the client...
Defines a CONF_PAIR to C data type mapping.
fr_dict_enum_t * fr_dict_enum_by_name(fr_dict_t *dict, fr_dict_attr_t const *da, char const *val)
REQUEST * request
Request that contains the response we're processing.
static int mod_session_init(void *instance, eap_session_t *eap_session)
RADIUS_PACKET * proxy
Outgoing request to proxy server.
char const * virtual_server
Virtual server for inner tunnel session.
char const * default_method_name
Default tunneled EAP type.
peap_resumption session_resumption_state
static int mod_instantiate(CONF_SECTION *cs, void **instance)
char const * virtual_server
int eap_tls_success(eap_session_t *eap_session)
Send an EAP-TLS success.
Tracks the progress of a single session of any EAP method.
int cf_section_parse(CONF_SECTION *, void *base, CONF_PARSER const *variables)
Parse a configuration section into user-supplied variables.
bool copy_request_to_tunnel
Use SOME of the request attributes from outside of the tunneled session in the tunneled request...
Immediately reject the request.
bool proxy_tunneled_request_as_eap
Proxy tunneled session as EAP, or as de-capsulated protocol.
Stores an attribute, a value and various bits of other data.
RADIUS_PACKET * reply
Outgoing response.
void cf_log_err_cs(CONF_SECTION const *cs, char const *fmt,...) CC_HINT(format(printf
fr_tls_status_t eap_tls_process(eap_session_t *eap_session)
Process an EAP TLS request.
char const * name
The name of the sub-module (without rlm_ prefix).
char const * tls_conf_name
TLS configuration.
void rdebug_pair_list(log_lvl_t level, REQUEST *, VALUE_PAIR *, char const *)
Print a list of VALUE_PAIRs.
rlm_rcode_t eap_peap_process(eap_session_t *eap_session, tls_session_t *tls_session, int auth_type_eap) CC_HINT(nonnull)
tls_session_t * eap_tls_session_init(eap_session_t *eap_session, fr_tls_server_conf_t *tls_conf, bool client_cert)
Create a new tls_session_t associated with an eap_session_t.
Interface to call EAP sub-modules.
char const * soh_virtual_server
#define FR_CONF_OFFSET(_n, _t, _s, _f)
struct rlm_eap_peap_t rlm_eap_peap_t
fr_tls_server_conf_t * tls_conf
VALUE_PAIR * fr_pair_find_by_num(VALUE_PAIR *head, unsigned int vendor, unsigned int attr, int8_t tag)
Find the pair with the matching attribute.
int eap_tls_fail(eap_session_t *eap_session)
Send an EAP-TLS failure.
char const * fr_int2str(FR_NAME_NUMBER const *table, int number, char const *def)
fr_tls_server_conf_t * eap_tls_conf_parse(CONF_SECTION *cs, char const *attr)
Parse TLS configuration.
fr_dict_attr_t const * fr_dict_attr_by_num(fr_dict_t *dict, unsigned int vendor, unsigned int attr)
Lookup a fr_dict_attr_t by its vendor and attribute numbers.
String of printable characters.
bool soh
Do we perform an SoH request?
int eap_tls_request(eap_session_t *eap_session)
Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.
bool req_client_cert
Do we require a client cert?
int eap_tls_start(eap_session_t *eap_session)
Send an initial EAP-TLS request to the peer.
The module handled the request, so stop.
rlm_eap_module_t rlm_eap_peap
Value of an enumerated attribute.
static int CC_HINT(nonnull)
static peap_tunnel_t * peap_alloc(TALLOC_CTX *ctx, rlm_eap_peap_t *inst)