/*
 *	Send an initial eap-tls request to the peer, using the libeap functions.
 */
static int eapttls_initiate(void *type_arg, EAP_HANDLER *handler)
{
	int		status;
	tls_session_t	*ssn;
	rlm_eap_ttls_t	*inst;
	VALUE_PAIR	*vp;
	int		client_cert = FALSE;
	REQUEST		*request = handler->request;

	inst = type_arg;

	handler->tls = TRUE;
	handler->finished = FALSE;

	/*
	 *	Check if we need a client certificate.
	 */
	client_cert = inst->req_client_cert;

	/*
	 * EAP-TLS-Require-Client-Cert attribute will override
	 * the require_client_cert configuration option.
	 */
	vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
	if (vp) {
		client_cert = vp->vp_integer;
	}

	ssn = eaptls_session(inst->tls_conf, handler, client_cert);
	if (!ssn) {
		return 0;
	}

	handler->opaque = ((void *)ssn);
	handler->free_opaque = session_free;

	/*
	 *	Set up type-specific information.
	 */
	ssn->prf_label = "ttls keying material";

	/*
	 *	TLS session initialization is over.  Now handle TLS
	 *	related handshaking or application data.
	 */
	status = eaptls_start(handler->eap_ds, ssn->peap_flag);
	RDEBUG2("Start returned %d", status);
	if (status == 0) {
		return 0;
	}

	/*
	 *	The next stage to process the packet.
	 */
	handler->stage = AUTHENTICATE;

	return 1;
}
Exemplo n.º 2
0
/*
 *	Send an initial eap-tls request to the peer, using the libeap functions.
 */
static int eaptls_initiate(void *type_arg, eap_handler_t *handler)
{
	int		status;
	tls_session_t	*ssn;
	rlm_eap_tls_t	*inst;
	REQUEST		*request = handler->request;

	inst = type_arg;

	handler->tls = true;
	handler->finished = false;

	/*
	 *	EAP-TLS always requires a client certificate.
	 */
	ssn = eaptls_session(inst->tls_conf, handler, true);
	if (!ssn) {
		return 0;
	}

	handler->opaque = ((void *)ssn);
	handler->free_opaque = session_free;

	/*
	 *	Set up type-specific information.
	 */
	ssn->prf_label = "client EAP encryption";

	/*
	 *	TLS session initialization is over.  Now handle TLS
	 *	related handshaking or application data.
	 */
	status = eaptls_start(handler->eap_ds, ssn->peap_flag);
	RDEBUG2("Start returned %d", status);
	if (status == 0) {
		return 0;
	}

	/*
	 *	The next stage to process the packet.
	 */
	handler->stage = AUTHENTICATE;

	return 1;
}
/*
 *	Send an initial eap-tls request to the peer, using the libeap functions.
 */
static int eappeap_initiate(void *type_arg, eap_handler_t *handler)
{
    int		status;
    tls_session_t	*ssn;
    rlm_eap_peap_t	*inst;
    VALUE_PAIR	*vp;
    bool		client_cert;
    REQUEST		*request = handler->request;

    inst = type_arg;

    handler->tls = true;
    handler->finished = false;

    /*
     *	Check if we need a client certificate.
     */

    /*
     * EAP-TLS-Require-Client-Cert attribute will override
     * the require_client_cert configuration option.
     */
    vp = pairfind(handler->request->config_items, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY);
    if (vp) {
        client_cert = vp->vp_integer ? true : false;
    } else {
        client_cert = inst->req_client_cert;
    }

    ssn = eaptls_session(handler, inst->tls_conf, client_cert);
    if (!ssn) {
        return 0;
    }

    handler->opaque = ((void *)ssn);

    /*
     *	Set up type-specific information.
     */
    ssn->prf_label = "client EAP encryption";

    /*
     *	As it is a poorly designed protocol, PEAP uses
     *	bits in the TLS header to indicate PEAP
     *	version numbers.  For now, we only support
     *	PEAP version 0, so it doesn't matter too much.
     *	However, if we support later versions of PEAP,
     *	we will need this flag to indicate which
     *	version we're currently dealing with.
     */
    ssn->peap_flag = 0x00;

    /*
     *	PEAP version 0 requires 'include_length = no',
     *	so rather than hoping the user figures it out,
     *	we force it here.
     */
    ssn->length_flag = 0;

    /*
     *	TLS session initialization is over.  Now handle TLS
     *	related handshaking or application data.
     */
    status = eaptls_start(handler->eap_ds, ssn->peap_flag);
    RDEBUG2("Start returned %d", status);
    if (status == 0) {
        return 0;
    }

    /*
     *	The next stage to process the packet.
     */
    handler->stage = AUTHENTICATE;

    return 1;
}