/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eapttls_initiate(void *type_arg, EAP_HANDLER *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_ttls_t *inst;
VALUE_PAIR *vp;
int client_cert = FALSE;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = TRUE;
handler->finished = FALSE;
/*
* Check if we need a client certificate.
*/
client_cert = inst->req_client_cert;
/*
* EAP-TLS-Require-Client-Cert attribute will override
* the require_client_cert configuration option.
*/
vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
if (vp) {
client_cert = vp->vp_integer;
}
ssn = eaptls_session(inst->tls_conf, handler, client_cert);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
/*
* Set up type-specific information.
*/
ssn->prf_label = "ttls keying material";
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eaptls_initiate(void *type_arg, eap_handler_t *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_tls_t *inst;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = true;
handler->finished = false;
/*
* EAP-TLS always requires a client certificate.
*/
ssn = eaptls_session(inst->tls_conf, handler, true);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
/*
* Set up type-specific information.
*/
ssn->prf_label = "client EAP encryption";
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
/*
* Send an initial eap-tls request to the peer, using the libeap functions.
*/
static int eappeap_initiate(void *type_arg, eap_handler_t *handler)
{
int status;
tls_session_t *ssn;
rlm_eap_peap_t *inst;
VALUE_PAIR *vp;
bool client_cert;
REQUEST *request = handler->request;
inst = type_arg;
handler->tls = true;
handler->finished = false;
/*
* Check if we need a client certificate.
*/
/*
* EAP-TLS-Require-Client-Cert attribute will override
* the require_client_cert configuration option.
*/
vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
if (vp) {
client_cert = vp->vp_integer ? true : false;
} else {
client_cert = inst->req_client_cert;
}
ssn = eaptls_session(handler, inst->tls_conf, client_cert);
if (!ssn) {
return 0;
}
handler->opaque = ((void *)ssn);
/*
* Set up type-specific information.
*/
ssn->prf_label = "client EAP encryption";
/*
* As it is a poorly designed protocol, PEAP uses
* bits in the TLS header to indicate PEAP
* version numbers. For now, we only support
* PEAP version 0, so it doesn't matter too much.
* However, if we support later versions of PEAP,
* we will need this flag to indicate which
* version we're currently dealing with.
*/
ssn->peap_flag = 0x00;
/*
* PEAP version 0 requires 'include_length = no',
* so rather than hoping the user figures it out,
* we force it here.
*/
ssn->length_flag = 0;
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0) {
return 0;
}
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
