From: James Rouzier
Date: Wed, 7 Sep 2016 18:23:56 +0000 (-0400)
Subject: Manually copy PW_STATE, PW_EAP_MESSAGE, and PW_REPLY_MESSAGE when a challage happens
X-Git-Tag: release_3_0_12~74^2~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98fb788de11ed49453ecb432cd8d9ed740219911;p=thirdparty%2Ffreeradius-server.git
Manually copy PW_STATE, PW_EAP_MESSAGE, and PW_REPLY_MESSAGE when a challage happens
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index 2bad4ee82ba..76cb6b5f953 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -671,32 +671,34 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply( eap_handler_t *eap_session, case PW_CODE_ACCESS_CHALLENGE: RDEBUG("Got tunneled Access-Challenge"); - fr_cursor_init(&to_tunnel, &tunnel_vps); - /* - * Copy what we need into the TTLS tunnel and leave - * the rest to be cleaned up. + * Keep the State attribute, if necessary. + * + * Get rid of the old State, too. */ - for (vp = fr_cursor_init(&cursor, &reply->vps); - vp; - vp = fr_cursor_next(&cursor)) { - switch (vp->da->vendor) { - case 0: - switch (vp->da->attr) { - case PW_EAP_MESSAGE: - case PW_REPLY_MESSAGE: - fr_cursor_prepend(&to_tunnel, fr_pair_copy(tls_session, vp)); - break; + fr_pair_list_free(&t->state); + fr_pair_list_mcopy_by_num(t, &t->state, &reply->vps, PW_STATE, 0, TAG_ANY); - default: - break; + /* + * We should really be a bit smarter about this, + * and move over only those attributes which + * are relevant to the authentication request, + * but that's a lot more work, and this "dumb" + * method works in 99.9% of the situations. + */ + vp = NULL; + fr_pair_list_mcopy_by_num(t, &vp, &reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY); - } + /* + * There MUST be a Reply-Message in the challenge, + * which we tunnel back to the client. + * + * If there isn't one in the reply VP's, then + * we MUST create one, with an empty string as + * it's value. + */ + fr_pair_list_mcopy_by_num(t, &vp, &reply->vps, PW_REPLY_MESSAGE, 0, TAG_ANY); - default: - continue; - } - } rcode = RLM_MODULE_HANDLED; break; @@ -1090,7 +1092,7 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) /* * See if the tunneled data is well formed. */ - if (!eap_fast_verify(request, tls_session, data, data_len)) return PW_CODE_ACCESS_REJECT; + if (!eap_fast_verify(request, tls_session, data, data_len)) return RLM_MODULE_REJECT; if (t->stage == TLS_SESSION_HANDSHAKE) { rad_assert(t->mode == EAP_FAST_UNKNOWN); 
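Review bot: The EAP-Message and Reply-Message copies built in `vp` by the two `fr_pair_list_mcopy_by_num(t, &vp, ...)` calls are never delivered to the tunnel or freed: the hunk goes straight to `rcode = RLM_MODULE_HANDLED; break;`, where the removed loop used to prepend the copies to `tunnel_vps` through the `to_tunnel` cursor. Unless something outside the hunk still consumes `vp`, the inner method's challenge is silently dropped and the copies, being parented on `t`, linger for the life of the session rather than one round. If `tunnel_vps` is still what gets encoded after the switch, something like `fr_cursor_init(&to_tunnel, &tunnel_vps); fr_cursor_merge(&to_tunnel, vp);` restores the hand-off; otherwise `vp` needs at least `fr_pair_list_free(&vp);` before `break`. The new comment also promises that a missing Reply-Message "MUST" be created with an empty value, yet no code does so — add that fallback or drop the sentence so the comment matches what the copy call actually does. process_reply's body begins before this hunk.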
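Review bot: `return RLM_MODULE_REJECT;` after the failed `eap_fast_verify()` check returns an rlm_rcode_t constant through a function the hunk header declares as `PW_CODE eap_fast_process(...)`, mixing two unrelated enums. A caller that tests the result against `PW_CODE_ACCESS_REJECT` will only see this reject if the two numeric values happen to coincide, and since this is the malformed-tunneled-data path a missed reject fails open. Nothing in this diff touches the declaration (it lies outside every hunk and only eap_fast.c is changed), so either keep `return PW_CODE_ACCESS_REJECT;` here or retype the function and all of its callers in the same change. The rest of eap_fast_process lies outside this hunk.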
@@ -1132,7 +1134,7 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) fr_pair_list_free(&fast_vps); - if (code == PW_CODE_ACCESS_REJECT) return PW_CODE_ACCESS_REJECT; + if (code == RLM_MODULE_REJECT) return RLM_MODULE_REJECT; switch (t->stage) { case AUTHENTICATION: @@ -1156,7 +1158,7 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) eap_fast_append_result(tls_session, code); - if (code == PW_CODE_ACCESS_REJECT) + if (code == RLM_MODULE_REJECT) break; if (t->pac.send) { @@ -1174,7 +1176,7 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) */ if ((t->pac.type && t->pac.expired) || t->mode == EAP_FAST_PROVISIONING_ANON) { RDEBUG("Rejecting expired PAC or unauthenticated provisioning"); - code = PW_CODE_ACCESS_REJECT; + code = RLM_MODULE_REJECT; break; } @@ -1191,7 +1193,7 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) break; default: RERROR("no idea! %d", t->stage); - code = PW_CODE_ACCESS_REJECT; + code = RLM_MODULE_REJECT; } return code;
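Review bot: `code = RLM_MODULE_REJECT;` on the expired-PAC / anonymous-provisioning path stores an rlm_rcode_t in a variable that eap_fast_process returns as `PW_CODE` (per the hunk header) and hands to `eap_fast_append_result(tls_session, code)` in the `@@ -1156` hunk. If `eap_fast_append_result` and the caller of eap_fast_process still expect PW_CODE values (their definitions are not in this diff), the Result TLV sent to the peer and the final verdict for this security-critical reject may be mis-encoded; the same concern applies to the `default:` "no idea!" branch and to the `if (code == RLM_MODULE_REJECT)` comparisons in the `@@ -1132` and `@@ -1156` hunks, which will never match a `code` that was produced as a PW_CODE. Keep `code = PW_CODE_ACCESS_REJECT;` and the matching `PW_CODE_ACCESS_REJECT` comparisons until the return type and every consumer of `code` are changed together. The body of eap_fast_process begins before the first hunk on this line.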