From: Alan T. DeKok
Date: Wed, 2 Dec 2015 18:21:17 +0000 (-0500)
Subject: Dynamically check Auth-Type values
X-Git-Tag: release_3_0_11~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9a2b4723d7814c8f8d4dffaca39afd1574abcde;p=thirdparty%2Ffreeradius-server.git

Dynamically check Auth-Type values
---
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index c31660d2878..09a824b903a 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -595,15 +595,12 @@ ATTRIBUTE Radclient-Test-Name 2200 string
 VALUE Auth-Type Local 1
 VALUE Auth-Type Reject 4
-VALUE Auth-Type EAP 6
 #
 # FreeRADIUS extensions (most originally from Cistron)
 #
 VALUE Auth-Type Accept 254
-VALUE Auth-Type MS-CHAP 1028
-
 #
 # Authorization type, too.
 #
diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 8cf90948e57..ec54d9f422e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -33,6 +33,7 @@ typedef struct rlm_eap_mschapv2_t {
 bool with_ntdomain_hack;
 bool send_error;
 char const *identity;
+ int auth_type_mschap;
 } rlm_eap_mschapv2_t;
 static CONF_PARSER module_config[] = {
@@ -58,6 +59,7 @@ static void fix_mppe_keys(eap_handler_t *handler, mschapv2_opaque_t *data)
 static int mod_instantiate(CONF_SECTION *cs, void **instance)
 {
 rlm_eap_mschapv2_t *inst;
+ DICT_VALUE const *dv;
 *instance = inst = talloc_zero(cs, rlm_eap_mschapv2_t);
 if (!inst) return -1;
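Review bot: The new `int auth_type_mschap;` field in `rlm_eap_mschapv2_t` has no comment saying what it holds or where it is set. The same is true of `int auth_type_eap;` added to `rlm_eap_peap_t` in rlm_eap_peap.c, whose neighbouring fields use `//!<` comments. Because the value is later passed to `process_authenticate()` in place of a compile-time constant, I would document it, e.g. `int auth_type_mschap; //!< Auth-Type value looked up from the dictionary in mod_instantiate.`, and likewise for `auth_type_eap`.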
@@ -78,6 +80,14 @@ static int mod_instantiate(CONF_SECTION *cs, void **instance)
 inst->identity = talloc_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
 }
+ dv = dict_valbyname(PW_AUTH_TYPE, 0, "MSCHAP");
+ if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, 0, "MS-CHAP");
+ if (!dv) {
+ cf_log_err_cs(cs, "Failed to find 'Auth-Type MS-CHAP' section. Cannot authenticate users.");
+ return -1;
+ }
+ inst->auth_type_mschap = dv->value;
+
 return 0;
 }
@@ -662,7 +672,7 @@ packet_ready:
 /*
 * This is a wild & crazy hack.
 */
- rcode = process_authenticate(PW_AUTH_TYPE_MS_CHAP, request);
+ rcode = process_authenticate(inst->auth_type_mschap, request);
 /*
 * Delete MPPE keys & encryption policy. We don't
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h b/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
index b456befa55f..7b803f8c610 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
@@ -72,5 +72,5 @@ typedef struct peap_tunnel_t {
 /*
 * Process the PEAP portion of an EAP-PEAP request.
 */
-rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) CC_HINT(nonnull);
+rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session, int auth_type_eap) CC_HINT(nonnull);
 #endif /* _EAP_PEAP_H */
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 79c30d11ab1..06677cd8827 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -722,7 +722,7 @@ static void print_tunneled_data(uint8_t const *data, size_t data_len)
 /*
 * Process the pseudo-EAP contents of the tunneled data.
 */
-rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session)
+rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session, int auth_type_eap)
 {
 peap_tunnel_t *t = tls_session->opaque;
 REQUEST *fake;
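Review bot: In the rlm_eap_mschapv2.c `mod_instantiate` hunk the lookup accepts either `MSCHAP` or `MS-CHAP`, but the start-up error names only 'Auth-Type MS-CHAP', so the log does not tell an administrator that both spellings are tried. Something like `cf_log_err_cs(cs, "Failed to find 'Auth-Type MSCHAP' or 'Auth-Type MS-CHAP' section. Cannot authenticate users.");` would match the code. Refusing to instantiate is the right fail-closed choice, since `inst` comes from `talloc_zero()` and a zero `auth_type_mschap` would otherwise be handed to `process_authenticate()`. The lookup presumably relies on the Auth-Type value being registered in the dictionary before this function runs, now that the static `VALUE` lines are removed. That ordering is not visible here and deserves a one-line comment above the `dict_valbyname()` calls. The function begins outside the hunk.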
@@ -1051,7 +1051,7 @@ rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session)
 * Run the EAP authentication.
 */
 RDEBUG2("Calling authenticate in order to initiate tunneled EAP session");
- rcode = process_authenticate(PW_AUTH_TYPE_EAP, fake);
+ rcode = process_authenticate(auth_type_eap, fake);
 if (rcode == RLM_MODULE_OK) {
 /*
 * Authentication succeeded! Rah!
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
index 15ea8128dfe..98c4ac5fd10 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
@@ -30,6 +30,8 @@ typedef struct rlm_eap_peap_t {
 fr_tls_server_conf_t *tls_conf;
 char const *default_method_name; //!< Default tunneled EAP type.
 int default_method;
+
+ int auth_type_eap;
 bool use_tunneled_reply; //!< Use the reply attributes from the tunneled session in
 //!< the non-tunneled reply to the client.
@@ -67,6 +69,7 @@ static CONF_PARSER module_config[] = {
 { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, req_client_cert), "no" },
 { "soh_virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, soh_virtual_server), NULL },
+
 CONF_PARSER_TERMINATOR
 };
@@ -77,6 +80,7 @@ static CONF_PARSER module_config[] = {
 static int mod_instantiate(CONF_SECTION *cs, void **instance)
 {
 rlm_eap_peap_t *inst;
+ DICT_VALUE const *dv;
 *instance = inst = talloc_zero(cs, rlm_eap_peap_t);
 if (!inst) return -1;
@@ -110,6 +114,12 @@ static int mod_instantiate(CONF_SECTION *cs, void **instance)
 return -1;
 }
+ dv = dict_valbyname(PW_AUTH_TYPE, 0, "eap");
+ if (!dv) {
+ cf_log_err_cs(cs, "Failed to find 'Auth-Type mschap' section. Cannot authenticate users.");
+ return -1;
+ }
+ inst->auth_type_eap = dv->value;
 return 0;
 }
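Review bot: The error message in the rlm_eap_peap.c `mod_instantiate` hunk names the wrong section: the code looks up `"eap"` but logs "Failed to find 'Auth-Type mschap' section". An operator debugging a PEAP start-up failure would be sent to the wrong part of the configuration. It should read `cf_log_err_cs(cs, "Failed to find 'Auth-Type eap' section. Cannot authenticate users.");`. The new block also runs straight into `return 0;` without the blank line that the equivalent code in rlm_eap_mschapv2.c adds. The function begins outside the hunk.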
@@ -300,7 +310,7 @@ static int mod_process(void *arg, eap_handler_t *handler)
 /*
 * Process the PEAP portion of the request.
 */
- rcode = eappeap_process(handler, tls_session);
+ rcode = eappeap_process(handler, tls_session, inst->auth_type_eap);
 switch (rcode) {
 case RLM_MODULE_REJECT:
 eaptls_fail(handler, 0);