Remove support for use_tunneled_reply and copy_request_to_tunnel

It's time for them to die as their functionality can be emulated with unlang.
FreeRADIUS · May 26, 2016 · 5d4d38d · 5d4d38d
1 parent 66283fb
commit 5d4d38d
Show file tree

Hide file tree

Showing 9 changed files with 103 additions and 489 deletions.
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
@@ -741,32 +741,33 @@ eap {
 		tls = tls-common
 
 		#
-		#  The tunneled authentication request does not usually contain
-		#  useful attributes like 'Calling-Station-Id', etc.  These
-		#  attributes are outside of the tunnel, and normally
-		#  unavailable to the tunneled authentication request.
+		#  copy_request_to_tunnel has been removed in 3.2.0
 		#
-		#  By setting this configuration entry to 'yes', any attribute
-		#  which is NOT in the tunneled authentication request, but
-		#  which IS available outside of the tunnel, is copied to the
-		#  tunneled request.
+		#  Attributes from the outer request may be accessed with:
 		#
-		#  allowed values: {no, yes}
+		#	&outer:request:<attribute>
 		#
-		copy_request_to_tunnel = no
-
+		#  The old behaviour may be emulated by adding the following
+		#  to the top of the authorize section of the inner tunnel.
 		#
-		#  As of version 3.0.5, this configuration item
-		#  is deprecated.  Instead, you should use copy any required
-		#  authorizational attributes to outer.session-state.
+		#	update {
+		#		&request: += &reply:[*]
+		#	}
+		#
+
+		#  
+		#  use_tunneled_reply has been removed in 3.2.0	
+		# 
+		#  Attributes that should be provided in the reply should
+		#  be copied to the outer.session-state list.
 		#
 		# 	update outer.session-state {
 		#		...
 		#
 		#	}
 		#
-		#  In the post-auth section of the outer server, attributes can
-		#  then be copied to the reply list.
+		#  In the post-auth section of the outer server, these attributes
+		#  can then be copied to the reply list.
 		#
 		#  If you want to copy the entire session-state list to the reply
 		#  the following statement may be used:
@@ -775,16 +776,6 @@ eap {
 		#		&reply: += &session-state:[*]
 		#	}
 		#
-		#  The reply attributes sent to the NAS are usually based on the
-		#  name of the user 'outside' of the tunnel (usually
-		#  'anonymous').  If you want to send the reply attributes based
-		#  on the user name inside of the tunnel, then set this
-		#  configuration entry to 'yes', and the reply to the NAS will
-		#  be taken from the reply to the tunneled request.
-		#
-		#  allowed values: {no, yes}
-		#
-		use_tunneled_reply = no
 
 		#
 		#  The inner tunneled request can be sent through a virtual
@@ -887,24 +878,17 @@ eap {
 		default_eap_type = mschapv2
 
 		#
-		#  The PEAP module also has these configuration items, which are
-		#  the same as for TTLS.
+		#  copy_request_to_tunnel has been removed in 3.2.0
 		#
-		copy_request_to_tunnel = no
-
-		#
-		#  As of version 3.0.5, this configuration item is deprecated.
-		#  Instead, you should use
+		#  See notes in the ttls section about emulating this behaviour.
 		#
-		# 	update outer.session-state {
-		#		...
+
 		#
-		#	}
+		#  use_tunneled_reply has been removed in 3.2.0
 		#
-		#  This will cache attributes for the final Access-Accept.
+		#  See notes in the ttls section about emulating this behaviour.
 		#
-		use_tunneled_reply = no
-
+
 		#
 		#  When the tunneled session is proxied, the home server may not
 		#  understand EAP-MSCHAP-V2. Set this entry to "no" to proxy the

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h b/src/modules/rlm_eap/types/rlm_eap_peap/eap_peap.h
@@ -47,13 +47,9 @@ typedef enum {
 
 typedef struct peap_tunnel_t {
 	VALUE_PAIR	*username;
-	VALUE_PAIR	*state;
-	VALUE_PAIR	*accept_vps;
 	peap_status	status;
 	bool		home_access_accept;
 	int		default_method;
-	bool		copy_request_to_tunnel;
-	bool		use_tunneled_reply;
 	bool		proxy_tunneled_request_as_eap;
 	char const	*virtual_server;
 	bool		soh;

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -397,41 +397,6 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_session_t *eap_session, tl
 		t->status = PEAP_STATUS_SENT_TLV_SUCCESS;
 		eap_peap_success(eap_session, tls_session);
 		rcode = RLM_MODULE_HANDLED;
-
-		/*
-		 *	If we've been told to use the attributes from
-		 *	the reply, then do so.
-		 *
-		 *	WARNING: This may leak information about the
-		 *	tunneled user!
-		 */
-		if (t->use_tunneled_reply) {
-			RDEBUG2("Saving tunneled attributes for later");
-
-			/*
-			 *	Clean up the tunneled reply.
-			 */
-			fr_pair_delete_by_num(&reply->vps, 0, PW_PROXY_STATE, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 0, PW_EAP_MESSAGE, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 0, PW_MESSAGE_AUTHENTICATOR, TAG_ANY);
-
-			/*
-			 *	Delete MPPE keys & encryption policy.  We don't
-			 *	want these here.
-			 */
-			fr_pair_delete_by_num(&reply->vps, VENDORPEC_MICROSOFT,
-					      PW_MSCHAP_MPPE_ENCRYPTION_POLICY, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, VENDORPEC_MICROSOFT,
-					      PW_MSCHAP_MPPE_ENCRYPTION_TYPES, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, VENDORPEC_MICROSOFT,
-					      PW_MSCHAP_MPPE_SEND_KEY, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, VENDORPEC_MICROSOFT,
-					      PW_MSCHAP_MPPE_RECV_KEY, TAG_ANY);
-
-			fr_pair_list_free(&t->accept_vps); /* for proxying MS-CHAP2 */
-			fr_pair_list_mcopy_by_num(t, &t->accept_vps, &reply->vps, 0, 0, TAG_ANY);
-			rad_assert(!reply->vps);
-		}
 		break;
 
 	case PW_CODE_ACCESS_REJECT:
@@ -444,14 +409,6 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_session_t *eap_session, tl
 	case PW_CODE_ACCESS_CHALLENGE:
 		RDEBUG2("Got tunneled Access-Challenge");
 
-		/*
-		 *	Keep the State attribute, if necessary.
-		 *
-		 *	Get rid of the old State, too.
-		 */
-		fr_pair_list_free(&t->state);
-		fr_pair_list_mcopy_by_num(t, &t->state, &reply->vps, 0, PW_STATE, TAG_ANY);
-
 		/*
 		 *	PEAP takes only EAP-Message attributes inside
 		 *	of the tunnel.  Any Reply-Message in the
@@ -460,27 +417,6 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_session_t *eap_session, tl
 		vp = NULL;
 		fr_pair_list_mcopy_by_num(t, &vp, &reply->vps, 0, PW_EAP_MESSAGE, TAG_ANY);
 
-		/*
-		 *	Handle EAP-MSCHAP-V2, where Access-Accept's
-		 *	from the home server may contain MS-CHAP2-Success,
-		 *	which the module turns into challenges, so that
-		 *	the client may respond to the challenge with
-		 *	an "ack" packet.
-		 */
-		if (t->home_access_accept && t->use_tunneled_reply) {
-			RDEBUG2("Saving tunneled attributes for later");
-
-			/*
-			 *	Clean up the tunneled reply.
-			 */
-			fr_pair_delete_by_num(&reply->vps, 0, PW_PROXY_STATE, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 0, PW_MESSAGE_AUTHENTICATOR, TAG_ANY);
-
-			rad_assert(!t->accept_vps);
-			fr_pair_list_mcopy_by_num(t, &t->accept_vps, &reply->vps, 0, 0, TAG_ANY);
-			rad_assert(!reply->vps);
-		}
-
 		/*
 		 *	Handle the ACK, by tunneling any necessary reply
 		 *	VP's back to the client.
@@ -1135,84 +1071,5 @@ static int CC_HINT(nonnull) setup_fake_request(REQUEST *request, REQUEST *fake,
 		RDEBUG2("No tunnel username (SSL resumption?)");
 	}
 
-
-	/*
-	 *	Add the State attribute, too, if it exists.
-	 */
-	if (t->state) {
-		vp = fr_pair_list_copy(fake->packet, t->state);
-		if (vp) fr_pair_add(&fake->packet->vps, vp);
-	}
-
-	/*
-	 *	If this is set, we copy SOME of the request attributes
-	 *	from outside of the tunnel to inside of the tunnel.
-	 *
-	 *	We copy ONLY those attributes which do NOT already
-	 *	exist in the tunneled request.
-	 *
-	 *	This code is copied from ../rlm_eap_ttls/ttls.c
-	 */
-	if (t->copy_request_to_tunnel) {
-		VALUE_PAIR *copy;
-		vp_cursor_t cursor;
-
-		for (vp = fr_cursor_init(&cursor, &request->packet->vps);
-		     vp;
-		     vp = fr_cursor_next(&cursor)) {
-			/*
-			 *	The attribute is a server-side thingy,
-			 *	don't copy it.
-			 */
-			if ((vp->da->attr > 255) && (((vp->da->attr >> 16) & 0xffff) == 0)) {
-				continue;
-			}
-
-			/*
-			 *	The outside attribute is already in the
-			 *	tunnel, don't copy it.
-			 *
-			 *	This works for BOTH attributes which
-			 *	are originally in the tunneled request,
-			 *	AND attributes which are copied there
-			 *	from below.
-			 */
-			if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) continue;
-
-			/*
-			 *	Some attributes are handled specially.
-			 */
-			if (!vp->da->vendor) switch (vp->da->attr) {
-				/*
-				 *	NEVER copy Message-Authenticator,
-				 *	EAP-Message, or State.  They're
-				 *	only for outside of the tunnel.
-				 */
-			case PW_USER_NAME:
-			case PW_USER_PASSWORD:
-			case PW_CHAP_PASSWORD:
-			case PW_CHAP_CHALLENGE:
-			case PW_PROXY_STATE:
-			case PW_MESSAGE_AUTHENTICATOR:
-			case PW_EAP_MESSAGE:
-			case PW_STATE:
-				continue;
-
-				/*
-				 *	By default, copy it over.
-				 */
-			default:
-				break;
-			}
-
-			/*
-			 *	Don't copy from the head, we've already
-			 *	checked it.
-			 */
-			copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->vendor, vp->da->attr, TAG_ANY);
-			fr_pair_add(&fake->packet->vps, copy);
-		}
-	}
-
 	return 0;
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
@@ -54,9 +54,9 @@ static CONF_PARSER module_config[] = {
 
 	{ FR_CONF_OFFSET("inner_eap_module", PW_TYPE_STRING, rlm_eap_peap_t, inner_eap_module), },
 
-	{ FR_CONF_OFFSET("copy_request_to_tunnel", PW_TYPE_BOOLEAN, rlm_eap_peap_t, copy_request_to_tunnel), .dflt = "no" },
+	{ FR_CONF_DEPRECATED("copy_request_to_tunnel", PW_TYPE_BOOLEAN, rlm_eap_peap_t, NULL), .dflt = "no" },
 
-	{ FR_CONF_OFFSET("use_tunneled_reply", PW_TYPE_BOOLEAN, rlm_eap_peap_t, use_tunneled_reply), .dflt = "no" },
+	{ FR_CONF_DEPRECATED("use_tunneled_reply", PW_TYPE_BOOLEAN, rlm_eap_peap_t, NULL), .dflt = "no" },
 
 #ifdef WITH_PROXY
 	{ FR_CONF_OFFSET("proxy_tunneled_request_as_eap", PW_TYPE_BOOLEAN, rlm_eap_peap_t, proxy_tunneled_request_as_eap), .dflt = "yes" },
@@ -137,8 +137,6 @@ static peap_tunnel_t *peap_alloc(TALLOC_CTX *ctx, rlm_eap_peap_t *inst)
 
 	t = talloc_zero(ctx, peap_tunnel_t);
 
-	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
-	t->use_tunneled_reply = inst->use_tunneled_reply;
 #ifdef WITH_PROXY
 	t->proxy_tunneled_request_as_eap = inst->proxy_tunneled_request_as_eap;
 #endif
@@ -316,20 +314,6 @@ static int mod_process(void *arg, eap_session_t *eap_session)
 		 *	our Access-Accept.
 		 */
 		peap = tls_session->opaque;
-		if (peap->soh_reply_vps) {
-			RDEBUG2("Using saved attributes from the SoH reply");
-			rdebug_pair_list(L_DBG_LVL_2, request, peap->soh_reply_vps, NULL);
-			fr_pair_list_mcopy_by_num(eap_session->request->reply, &eap_session->request->reply->vps,
-						  &peap->soh_reply_vps, 0, 0, TAG_ANY);
-		}
-		if (peap->accept_vps) {
-			RDEBUG2("Using saved attributes from the original Access-Accept");
-			rdebug_pair_list(L_DBG_LVL_2, request, peap->accept_vps, NULL);
-			fr_pair_list_mcopy_by_num(eap_session->request->reply, &eap_session->request->reply->vps,
-						  &peap->accept_vps, 0, 0, TAG_ANY);
-		} else if (peap->use_tunneled_reply) {
-			RDEBUG2("No saved attributes in the original Access-Accept");
-		}
 
 		/*
 		 *	Success: Automatically return MPPE keys.

diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h b/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
@@ -29,11 +29,7 @@ RCSIDH(eap_ttls_h, "$Id$")
 
 typedef struct ttls_tunnel_t {
 	VALUE_PAIR	*username;
-	VALUE_PAIR	*state;
-	VALUE_PAIR	*accept_vps;
 	bool		authenticated;
-	bool		copy_request_to_tunnel;
-	bool		use_tunneled_reply;
 	char const	*virtual_server;
 } ttls_tunnel_t;
 

diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
@@ -35,18 +35,6 @@ typedef struct rlm_eap_ttls_t {
 	char const	*tls_conf_name;
 	fr_tls_conf_t	*tls_conf;
 
-	/*
-	 *	Use the reply attributes from the tunneled session in
-	 *	the non-tunneled reply to the client.
-	 */
-	bool		use_tunneled_reply;
-
-	/*
-	 *	Use SOME of the request attributes from outside of the
-	 *	tunneled session in the tunneled request
-	 */
-	bool		copy_request_to_tunnel;
-
 	/*
 	 *	RFC 5281 (TTLS) says that the length field MUST NOT be
 	 *	in fragments after the first one.  However, we've done
@@ -72,8 +60,8 @@ typedef struct rlm_eap_ttls_t {
 
 static CONF_PARSER module_config[] = {
 	{ FR_CONF_OFFSET("tls", PW_TYPE_STRING, rlm_eap_ttls_t, tls_conf_name) },
-	{ FR_CONF_OFFSET("copy_request_to_tunnel", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, copy_request_to_tunnel), .dflt = "no" },
-	{ FR_CONF_OFFSET("use_tunneled_reply", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, use_tunneled_reply), .dflt = "no" },
+	{ FR_CONF_DEPRECATED("copy_request_to_tunnel", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, NULL), .dflt = "no" },
+	{ FR_CONF_DEPRECATED("use_tunneled_reply", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, NULL), .dflt = "no" },
 	{ FR_CONF_OFFSET("virtual_server", PW_TYPE_STRING | PW_TYPE_REQUIRED | PW_TYPE_NOT_EMPTY, rlm_eap_ttls_t, virtual_server) },
 	{ FR_CONF_OFFSET("include_length", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, include_length), .dflt = "yes" },
 	{ FR_CONF_OFFSET("require_client_cert", PW_TYPE_BOOLEAN, rlm_eap_ttls_t, req_client_cert), .dflt = "no" },
@@ -124,8 +112,6 @@ static ttls_tunnel_t *ttls_alloc(TALLOC_CTX *ctx, rlm_eap_ttls_t *inst)
 	ttls_tunnel_t *t;
 
 	t = talloc_zero(ctx, ttls_tunnel_t);
-	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
-	t->use_tunneled_reply = inst->use_tunneled_reply;
 	t->virtual_server = inst->virtual_server;
 
 	return t;
@@ -221,16 +207,6 @@ static int mod_process(void *arg, eap_session_t *eap_session)
 		}
 
 		if (tunnel && tunnel->authenticated) {
-			if (tunnel->accept_vps) {
-				RDEBUG2("Using saved attributes from the original Access-Accept");
-				rdebug_pair_list(L_DBG_LVL_2, request, tunnel->accept_vps, NULL);
-				fr_pair_list_mcopy_by_num(eap_session->request->reply,
-							  &eap_session->request->reply->vps, &tunnel->accept_vps, 0, 0,
-							  TAG_ANY);
-			} else if (tunnel->use_tunneled_reply) {
-				RDEBUG2("No saved attributes in the original Access-Accept");
-			}
-
 		do_keys:
 			/*
 			 *	Success: Automatically return MPPE keys.