
Viewing changes to src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

  • Committer: Bazaar Package Importer
  • Author(s): Josip Rodin
  • Date: 2009-11-23 03:57:37 UTC
  • mfrom: (1.2.1 upstream)
  • mto: This revision was merged to the branch mainline in revision 28.
  • Revision ID: james.westby@ubuntu.com-20091123035737-zsgtzhfych8hir68
Tags: 2.1.7+dfsg-1
* Adopting the package, closes: #536623.
* New upstream version, closes: #513484.
  + Fixes the blooper in unlang evaluation logic, closes: #526175.
* Used quilt (and added README.source), and moved upstream file patching
  into debian/patches/. The source is no longer in collab-maint git
  (to make it simpler for me to finally get this out the door), but
  kept the .gitignore should we need that again.
* Dropped the dialup_admin/bin/backup_radacct patch (integrated upstream).
* Dropped the raddb/Makefile patch (problem no longer exists upstream).
* Dropped the lib/packet.c lib/radius.c main/listen.c patches (was from
  upstream 2.0.5 anyway).
* Dropped references to otp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Dropped references to snmp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Ship /etc/freeradius/modules/* in the freeradius package.
* Stop shipping sites-enabled symlinks in the package and instead create
  them only on initial install, thanks to Matej Vela, closes: #533396.
* Add export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" to the init script
  at the request of John Morrissey, closes: #550143.
* Stop installing /var/run/freeradius in the package to silence Lintian.
  The init script already recreates it at will.
* Remove executable bit from example.pl to silence Lintian.

1
1
/*
2
2
 * rlm_eap_ttls.c  contains the interfaces that are called from eap
3
3
 *
4
 
 * Version:     $Id: rlm_eap_ttls.c,v 1.16 2007/11/27 16:01:53 aland Exp $
 
4
 * Version:     $Id$
5
5
 *
6
6
 *   This program is free software; you can redistribute it and/or modify
7
7
 *   it under the terms of the GNU General Public License as published by
22
22
 */
23
23
 
24
24
#include <freeradius-devel/ident.h>
25
 
RCSID("$Id: rlm_eap_ttls.c,v 1.16 2007/11/27 16:01:53 aland Exp $")
 
25
RCSID("$Id$")
26
26
 
27
27
#include <freeradius-devel/autoconf.h>
28
28
#include "eap_ttls.h"
48
48
        int     copy_request_to_tunnel;
49
49
 
50
50
        /*
 
51
         *      RFC 5281 (TTLS) says that the length field MUST NOT be
 
52
         *      in fragments after the first one.  However, we've done
 
53
         *      it that way for years, and no one has complained.
 
54
         *
 
55
         *      In the interests of allowing the server to follow the
 
56
         *      RFC, we add the option here.  If set to "no", it sends
 
57
         *      the length field in ONLY the first fragment.
 
58
         */
 
59
        int     include_length;
 
60
 
 
61
        /*
51
62
         *      Virtual server for inner tunnel session.
52
63
         */
53
64
        char    *virtual_server;
67
78
        { "virtual_server", PW_TYPE_STRING_PTR,
68
79
          offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
69
80
 
 
81
        { "include_length", PW_TYPE_BOOLEAN,
 
82
          offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
 
83
 
70
84
        { NULL, -1, 0, NULL, NULL }           /* end the list */
71
85
};
72
86
 
132
146
        if (!t) return;
133
147
 
134
148
        if (t->username) {
135
 
                DEBUG2("  TTLS: Freeing handler for user %s",
 
149
                DEBUG2("rlm_eap_ttls: Freeing handler for user %s",
136
150
                       t->username->vp_strvalue);
137
151
        }
138
152
 
171
185
        rlm_eap_ttls_t *inst = (rlm_eap_ttls_t *) arg;
172
186
        tls_session_t *tls_session = (tls_session_t *) handler->opaque;
173
187
        ttls_tunnel_t *t = (ttls_tunnel_t *) tls_session->opaque;
174
 
 
175
 
        DEBUG2("  rlm_eap_ttls: Authenticate");
 
188
        REQUEST *request = handler->request;
 
189
 
 
190
        RDEBUG2("Authenticate");
 
191
 
 
192
        tls_session->length_flag = inst->include_length;
176
193
 
177
194
        /*
178
195
         *      Process TLS layer until done.
179
196
         */
180
197
        status = eaptls_process(handler);
181
 
        DEBUG2("  eaptls_process returned %d\n", status);
 
198
        RDEBUG2("eaptls_process returned %d\n", status);
182
199
        switch (status) {
183
200
                /*
184
201
                 *      EAP-TLS handshake was successful, tell the
188
205
                 *      an EAP-TLS-Success packet here.
189
206
                 */
190
207
        case EAPTLS_SUCCESS:
 
208
                if (SSL_session_reused(tls_session->ssl)) {
 
209
                        RDEBUG("Skipping Phase2 due to session resumption");
 
210
                        goto do_keys;
 
211
                }
 
212
 
191
213
                if (t && t->authenticated) {
192
214
                        if (t->reply) {
193
215
                                pairmove(&handler->request->reply->vps,
194
216
                                         &t->reply);
195
217
                                pairfree(&t->reply);
196
218
                        }
197
 
                        eaptls_success(handler->eap_ds, 0);
198
 
                        eaptls_gen_mppe_keys(&handler->request->reply->vps,
199
 
                                             tls_session->ssl,
200
 
                                             "ttls keying material");
 
219
                do_keys:
 
220
                        /*
 
221
                         *      Success: Automatically return MPPE keys.
 
222
                         */
 
223
                        return eaptls_success(handler, 0);
201
224
                } else {
202
225
                        eaptls_request(handler->eap_ds, tls_session);
203
226
                }
229
252
         *      Session is established, proceed with decoding
230
253
         *      tunneled data.
231
254
         */
232
 
        DEBUG2("  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.");
 
255
        RDEBUG2("Session established.  Proceeding to decode tunneled attributes.");
233
256
 
234
257
        /*
235
258
         *      We may need TTLS data associated with the session, so
246
269
        rcode = eapttls_process(handler, tls_session);
247
270
        switch (rcode) {
248
271
        case PW_AUTHENTICATION_REJECT:
249
 
                eaptls_fail(handler->eap_ds, 0);
 
272
                eaptls_fail(handler, 0);
250
273
                return 0;
251
274
 
252
275
                /*
257
280
                return 1;
258
281
 
259
282
                /*
260
 
                 *      Success: Return MPPE keys.
 
283
                 *      Success: Automatically return MPPE keys.
261
284
                 */
262
285
        case PW_AUTHENTICATION_ACK:
263
 
                eaptls_success(handler->eap_ds, 0);
264
 
                eaptls_gen_mppe_keys(&handler->request->reply->vps,
265
 
                                     tls_session->ssl,
266
 
                                     "ttls keying material");
267
 
                return 1;
 
286
                return eaptls_success(handler, 0);
268
287
 
269
288
                /*
270
289
                 *      No response packet, MUST be proxying it.
284
303
        /*
285
304
         *      Something we don't understand: Reject it.
286
305
         */
287
 
        eaptls_fail(handler->eap_ds, 0);
 
306
        eaptls_fail(handler, 0);
288
307
        return 0;
289
308
}
290
309
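Review bot: The new `SSL_session_reused()` shortcut in the `EAPTLS_SUCCESS` case jumps to `do_keys` past the `t && t->authenticated` check, so a resumed TLS session is answered with success and MPPE keys without any inner (Phase2) authentication; that is only safe if the session cache never holds a session whose Phase2 did not reach `PW_AUTHENTICATION_ACK`, and nothing in this hunk establishes that. If sessions are stored when the TLS handshake completes rather than when the inner authentication succeeds, a peer that finishes the handshake and then fails or abandons Phase2 could resume later and bypass it entirely — this needs confirming against the cache code in the shared EAP-TLS layer, which is outside this file. I would gate the shortcut on a per-session marker that is set only on the `PW_AUTHENTICATION_ACK` path further down, reject a resumption lacking it with `eaptls_fail(handler, 0); return 0;`, and add above the goto: `/* Resumption skips Phase2: the cache MUST only hold sessions whose inner auth produced an Access-Accept. */`. The enclosing authenticate function starts before and ends after this hunk.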