/*
* Attach the module.
*/
static int eappeap_attach(CONF_SECTION *cs, void **instance)
{
rlm_eap_peap_t *inst;
*instance = inst = talloc_zero(cs, rlm_eap_peap_t);
if (!inst) return -1;
/*
* Parse the configuration attributes.
*/
if (cf_section_parse(cs, inst, module_config) < 0) {
return -1;
}
/*
* Convert the name to an integer, to make it easier to
* handle.
*/
inst->default_method = eap_name2type(inst->default_method_name);
if (inst->default_method < 0) {
ERROR("rlm_eap_peap: Unknown EAP type %s",
inst->default_method_name);
return -1;
}
/*
* Read tls configuration, either from group given by 'tls'
* option, or from the eap-tls configuration.
*/
inst->tls_conf = eaptls_conf_parse(cs, "tls");
if (!inst->tls_conf) {
ERROR("rlm_eap_peap: Failed initializing SSL context");
return -1;
}
return 0;
}
/*
* Attach the module.
*/
static int mod_instantiate(CONF_SECTION *cs, void **instance)
{
rlm_eap_fast_t *inst;
*instance = inst = talloc_zero(cs, rlm_eap_fast_t);
if (!inst) return -1;
/*
* Parse the configuration attributes.
*/
if (cf_section_parse(cs, inst, module_config) < 0) {
return -1;
}
if (!cf_section_sub_find_name2(main_config.config, "server", inst->virtual_server)) {
ERROR("rlm_eap_fast.virtual_server: Unknown virtual server '%s'", inst->virtual_server);
return -1;
}
inst->default_method = eap_name2type(inst->default_method_name);
if (!inst->default_method) {
ERROR("rlm_eap_fast.default_provisioning_eap_type: "
"Unknown EAP type %s",
inst->default_method_name);
return -1;
}
/*
* Read tls configuration, either from group given by 'tls'
* option, or from the eap-tls configuration.
*/
inst->tls_conf = eaptls_conf_parse(cs, "tls");
if (!inst->tls_conf) {
ERROR("rlm_eap_fast.tls: Failed initializing SSL context");
return -1;
}
if (talloc_array_length(inst->pac_opaque_key) - 1 != 32) {
ERROR("rlm_eap_fast.pac_opaque_key: Must be 32 bytes long");
return -1;
}
// FIXME TLSv1.2 uses a different PRF and SSL_export_keying_material("key expansion") is forbidden
if (!inst->tls_conf->disable_tlsv1_2) {
ERROR("rlm_eap_fast.disable_tlsv1_2: require disable_tlsv1_2=yes");
return -1;
}
if (!inst->pac_lifetime) {
ERROR("rlm_eap_fast.pac_lifetime: must be non-zero");
return -1;
}
rad_assert(PAC_A_ID_LENGTH == MD5_DIGEST_LENGTH);
FR_MD5_CTX ctx;
fr_md5_init(&ctx);
fr_md5_update(&ctx, inst->authority_identity, talloc_array_length(inst->authority_identity) - 1);
fr_md5_final(inst->a_id, &ctx);
return 0;
}
/*
* read the config section and load all the eap authentication types present.
*/
static int mod_instantiate(CONF_SECTION *cs, void *instance)
{
int i, ret;
eap_type_t method;
int num_methods;
CONF_SECTION *scs;
rlm_eap_t *inst = instance;
/*
* Create our own random pool.
*/
for (i = 0; i < 256; i++) {
inst->rand_pool.randrsl[i] = fr_rand();
}
fr_randinit(&inst->rand_pool, 1);
inst->rand_pool.randcnt = 0;
inst->xlat_name = cf_section_name2(cs);
if (!inst->xlat_name) inst->xlat_name = "EAP";
/* Load all the configured EAP-Types */
num_methods = 0;
for(scs = cf_subsection_find_next(cs, NULL, NULL);
scs != NULL;
scs = cf_subsection_find_next(cs, scs, NULL)) {
const char *name;
name = cf_section_name1(scs);
if (!name) continue;
if (!strcmp(name, TLS_CONFIG_SECTION)) continue;
method = eap_name2type(name);
if (method == PW_EAP_INVALID) {
cf_log_err_cs(cs, "Unknown EAP method %s", name);
return -1;
}
if ((method < PW_EAP_MD5) || (method >= PW_EAP_MAX_TYPES)) {
cf_log_err_cs(cs, "Invalid EAP method %s (unsupported)", name);
return -1;
}
#if !defined(HAVE_OPENSSL_SSL_H) || !defined(HAVE_LIBSSL)
/*
* This allows the default configuration to be
* shipped with EAP-TLS, etc. enabled. If the
* system doesn't have OpenSSL, they will be
* ignored.
*
* If the system does have OpenSSL, then this
* code will not be used. The administrator will
* then have to delete the tls,
* etc. configurations from eap.conf in order to
* have EAP without the TLS types.
*/
if ((method == PW_EAP_TLS) ||
(method == PW_EAP_TTLS) ||
(method == PW_EAP_PEAP)) {
DEBUG2("rlm_eap (%s): Ignoring EAP method %s because we do not have OpenSSL support",
inst->xlat_name, name);
continue;
}
#endif
/*
* Load the type.
*/
ret = eap_module_load(inst, &inst->methods[method], method, scs);
(void) talloc_get_type_abort(inst->methods[method], eap_module_t);
if (ret < 0) {
(void) talloc_steal(inst, inst->methods[method]);
return -1;
}
(void) talloc_steal(inst, inst->methods[method]);
num_methods++; /* successfully loaded one more methods */
}
if (num_methods == 0) {
cf_log_err_cs(cs, "No EAP method configured, module cannot do anything");
return -1;
}
/*
* Ensure that the default EAP type is loaded.
*/
method = eap_name2type(inst->default_method_name);
if (method == PW_EAP_INVALID) {
cf_log_err_cs(cs, "Unknown default EAP method '%s'",
inst->default_method_name);
return -1;
}
if (!inst->methods[method]) {
cf_log_err_cs(cs, "No such sub-type for default EAP method %s",
inst->default_method_name);
return -1;
}
inst->default_method = method; /* save the numerical method */
/*
* List of sessions are set to NULL by the memset
* of 'inst', above.
*/
/*
* Lookup sessions in the tree. We don't free them in
* the tree, as that's taken care of elsewhere...
*/
inst->session_tree = rbtree_create(eap_handler_cmp, NULL, 0);
if (!inst->session_tree) {
radlog(L_ERR, "rlm_eap (%s): Cannot initialize tree", inst->xlat_name);
return -1;
}
if (fr_debug_flag) {
inst->handler_tree = rbtree_create(eap_handler_ptr_cmp, NULL, 0);
if (!inst->handler_tree) {
radlog(L_ERR, "rlm_eap (%s): Cannot initialize tree", inst->xlat_name);
return -1;
}
#ifdef HAVE_PTHREAD_H
if (pthread_mutex_init(&(inst->handler_mutex), NULL) < 0) {
radlog(L_ERR, "rlm_eap (%s): Failed initializing mutex: %s", inst->xlat_name, strerror(errno));
return -1;
}
#endif
}
#ifdef HAVE_PTHREAD_H
if (pthread_mutex_init(&(inst->session_mutex), NULL) < 0) {
radlog(L_ERR, "rlm_eap (%s): Failed initializing mutex: %s", inst->xlat_name, strerror(errno));
return -1;
}
#endif
return 0;
}
