rlm_rcode_t indexed_modcall(int comp, int idx, REQUEST *request)
{
rlm_rcode_t rcode;
modcallable *list = NULL;
virtual_server_t *server;
/*
* Hack to find the correct virtual server.
*/
server = virtual_server_find(request->server);
if (!server) {
RDEBUG("No such virtual server \"%s\"", request->server);
return RLM_MODULE_FAIL;
}
if (idx == 0) {
list = server->mc[comp];
if (!list) RWDEBUG2("Empty %s section. Using default return values.", section_type_value[comp].section);
} else {
indexed_modcallable *this;
this = lookup_by_index(server->components, comp, idx);
if (this) {
list = this->modulelist;
} else {
RWDEBUG2("Unknown value specified for %s. Cannot perform requested action.",
section_type_value[comp].typename);
}
}
if (server->subcs[comp]) {
if (idx == 0) {
RDEBUG("# Executing section %s from file %s",
section_type_value[comp].section,
cf_section_filename(server->subcs[comp]));
} else {
RDEBUG("# Executing group from file %s",
cf_section_filename(server->subcs[comp]));
}
}
request->component = section_type_value[comp].section;
rcode = modcall(comp, list, request);
request->module = "";
request->component = "<core>";
return rcode;
}
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(UNUSED void *instance, REQUEST *request)
{
if (!pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
return RLM_MODULE_NOOP;
}
if (pairfind(request->config_items, PW_AUTHTYPE, 0, TAG_ANY) != NULL) {
RWDEBUG2("Auth-Type already set. Not setting to CHAP");
return RLM_MODULE_NOOP;
}
RDEBUG("Setting 'Auth-Type := CHAP'");
pairmake_config("Auth-Type", "CHAP", T_OP_EQ);
return RLM_MODULE_OK;
}
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(UNUSED void *instance, REQUEST *request)
{
if (!fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
return RLM_MODULE_NOOP;
}
if (fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY) != NULL) {
RWDEBUG2("&control:Auth-Type already set. Not setting to CHAP");
return RLM_MODULE_NOOP;
}
RINDENT();
RDEBUG("&control:Auth-Type := CHAP");
REXDENT();
pair_make_config("Auth-Type", "CHAP", T_OP_EQ);
return RLM_MODULE_OK;
}
/*
* Do detail, compatible with old accounting
*/
static rlm_rcode_t CC_HINT(nonnull) detail_do(void *instance, REQUEST *request, RADIUS_PACKET *packet, bool compat)
{
int outfd;
char buffer[DIRLEN];
FILE *outfp;
#ifdef HAVE_GRP_H
gid_t gid;
struct group *grp;
char *endptr;
#endif
detail_instance_t *inst = instance;
/*
* Generate the path for the detail file. Use the same
* format, but truncate at the last /. Then feed it
* through radius_xlat() to expand the variables.
*/
if (radius_xlat(buffer, sizeof(buffer), request, inst->filename, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
RDEBUG2("%s expands to %s", inst->filename, buffer);
#ifdef WITH_ACCOUNTING
#if defined(HAVE_FNMATCH_H) && defined(FNM_FILE_NAME)
/*
* If we read it from a detail file, and we're about to
* write it back to the SAME detail file directory, then
* suppress the write. This check prevents an infinite
* loop.
*/
if ((request->listener->type == RAD_LISTEN_DETAIL) &&
(fnmatch(((listen_detail_t *)request->listener->data)->filename,
buffer, FNM_FILE_NAME | FNM_PERIOD ) == 0)) {
RWDEBUG2("Suppressing infinite loop");
return RLM_MODULE_NOOP;
}
#endif
#endif
outfd = fr_logfile_open(inst->lf, buffer, inst->perm);
if (outfd < 0) {
RERROR("Couldn't open file %s: %s", buffer, fr_strerror());
return RLM_MODULE_FAIL;
}
#ifdef HAVE_GRP_H
if (inst->group != NULL) {
gid = strtol(inst->group, &endptr, 10);
if (*endptr != '\0') {
grp = rad_getgrnam(inst->group);
if (!grp) {
RDEBUG2("Unable to find system group '%s'", inst->group);
goto skip_group;
}
gid = grp->gr_gid;
}
if (chown(buffer, -1, gid) == -1) {
RDEBUG2("Unable to change system group of '%s'", buffer);
}
}
skip_group:
#endif
/*
* Open the output fp for buffering.
*/
if ((outfp = fdopen(outfd, "a")) == NULL) {
RERROR("Couldn't open file %s: %s", buffer, fr_syserror(errno));
fail:
if (outfp) fclose(outfp);
fr_logfile_unlock(inst->lf, outfd);
return RLM_MODULE_FAIL;
}
if (detail_write(outfp, inst, request, packet, compat) < 0) goto fail;
/*
* Flush everything
*/
fclose(outfp);
fr_logfile_unlock(inst->lf, outfd); /* do NOT close outfp */
/*
* And everything is fine.
*/
return RLM_MODULE_OK;
}
/*
* Process and reply to an authentication request
*
* The return value of this function isn't actually used right now, so
* it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_authenticate(REQUEST *request)
{
#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
#endif
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
char autz_retry = 0;
int autz_type = 0;
#ifdef WITH_PROXY
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
*
* request->proxy gets set only AFTER authorization, so
* it's safe to check it here. If it exists, it means
* we're doing a second pass through rad_authenticate().
*/
if (request->proxy) {
int code = 0;
if (request->proxy_reply) code = request->proxy_reply->code;
switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
case PW_CODE_ACCESS_ACCEPT:
tmp = radius_paircreate(request,
&request->config,
PW_AUTH_TYPE, 0);
if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
goto authenticate;
/*
* Challenges are punted back to the NAS without any
* further processing.
*/
case PW_CODE_ACCESS_CHALLENGE:
request->reply->code = PW_CODE_ACCESS_CHALLENGE;
fr_state_put_vps(request, request->packet, request->reply);
return RLM_MODULE_OK;
/*
* ALL other replies mean reject. (this is fail-safe)
*
* Do NOT do any authorization or authentication. They
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
request->reply->code = PW_CODE_ACCESS_REJECT;
fr_state_discard(request, request->packet);
return RLM_MODULE_REJECT;
default:
rad_authlog("Login incorrect (Home Server failed to respond)",
request, 0);
fr_state_discard(request, request->packet);
return RLM_MODULE_REJECT;
}
}
#endif
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
if (!request->password) {
request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
/*
* Grab the VPS associated with the State attribute.
*/
fr_state_get_vps(request, request->packet);
/*
* Get the user's authorization information from the database
*/
autz_redo:
result = process_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
case RLM_MODULE_HANDLED:
return result;
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
char msg[MAX_STRING_LEN + 16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->vp_strvalue);
rad_authlog(msg,request,0);
} else {
rad_authlog("Invalid user", request, 0);
}
request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
tmp = pairfind(request->config, PW_AUTZ_TYPE, 0, TAG_ANY);
if (tmp) {
autz_type = tmp->vp_integer;
RDEBUG2("Using Autz-Type %s",
dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
autz_retry = 1;
goto autz_redo;
}
}
/*
* If we haven't already proxied the packet, then check
* to see if we should. Maybe one of the authorize
* modules has decided that a proxy should be used. If
* so, get out of here and send the packet.
*/
if (
#ifdef WITH_PROXY
(request->proxy == NULL) &&
#endif
((tmp = pairfind(request->config, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
REALM *realm;
realm = realm_find2(tmp->vp_strvalue);
/*
* Don't authenticate, as the request is going to
* be proxied.
*/
if (realm && realm->auth_pool) {
return RLM_MODULE_OK;
}
/*
* Catch users who set Proxy-To-Realm to a LOCAL
* realm (sigh). But don't complain if it is
* *the* LOCAL realm.
*/
if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
}
if (!realm) {
RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
}
}
#ifdef WITH_PROXY
authenticate:
#endif
/*
* Validate the user
*/
do {
result = rad_check_password(request);
if (result > 0) {
return RLM_MODULE_HANDLED;
}
} while(0);
/*
* Failed to validate the user.
*
* We PRESUME that the code which failed will clean up
* request->reply->vps, to be ONLY the reply items it
* wants to send back.
*/
if (result < 0) {
RDEBUG2("Failed to authenticate the user");
request->reply->code = PW_CODE_ACCESS_REJECT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
snprintf(msg, sizeof(msg), "Login incorrect (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 0);
} else {
rad_authlog("Login incorrect", request, 0);
}
if (request->password) {
VERIFY_VP(request->password);
/* double check: maybe the secret is wrong? */
if ((debug_flag > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
uint8_t const *p;
p = (uint8_t const *) request->password->vp_strvalue;
while (*p) {
int size;
size = fr_utf8_char(p);
if (!size) {
RWDEBUG("Unprintable characters in the password. Double-check the "
"shared secret on the server and the NAS!");
break;
}
p += size;
}
}
}
}
#ifdef WITH_SESSION_MGMT
if (result >= 0 &&
(check_item = pairfind(request->config, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
int r, session_type = 0;
char logstr[1024];
char umsg[MAX_STRING_LEN + 1];
tmp = pairfind(request->config, PW_SESSION_TYPE, 0, TAG_ANY);
if (tmp) {
session_type = tmp->vp_integer;
RDEBUG2("Using Session-Type %s",
dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
}
/*
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
if (request->username &&
(r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
if (r == 2){
/* Multilink attempt. Check if port-limit > simultaneous-use */
VALUE_PAIR *port_limit;
if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
port_limit->vp_integer > check_item->vp_integer){
RDEBUG2("MPP is OK");
mpp_ok = 1;
}
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
snprintf(umsg, sizeof(umsg), "%s (%u)", main_config.denied_msg,
check_item->vp_integer);
} else {
strlcpy(umsg, main_config.denied_msg, sizeof(umsg));
}
request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
pairmake_reply("Reply-Message", umsg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
r == 2 ? "[MPP attempt]" : "");
rad_authlog(logstr, request, 1);
result = -1;
}
}
}
#endif
/*
* Result should be >= 0 here - if not, it means the user
* is rejected, so we just process post-auth and return.
*/
if (result < 0) {
return RLM_MODULE_REJECT;
}
/*
* Set the reply to Access-Accept, if it hasn't already
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
request->reply->code = PW_CODE_ACCESS_ACCEPT;
if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
snprintf(msg, sizeof(msg), "Login OK (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 1);
} else {
rad_authlog("Login OK", request, 1);
}
return result;
}
/*
* Check password.
*
* Returns: 0 OK
* -1 Password fail
* -2 Rejected (Auth-Type = Reject, send Port-Message back)
* 1 End check & return, don't reply
*
* NOTE: NOT the same as the RLM_ values !
*/
static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
{
vp_cursor_t cursor;
VALUE_PAIR *auth_type_pair;
int auth_type = -1;
int result;
int auth_type_count = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
fr_cursor_init(&cursor, &request->config);
while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
auth_type = auth_type_pair->vp_integer;
auth_type_count++;
RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
if (auth_type == PW_AUTHTYPE_REJECT) {
RDEBUG2("Auth-Type = Reject, rejecting user");
return -2;
}
}
/*
* Warn if more than one Auth-Type was found, because only the last
* one found will actually be used.
*/
if ((auth_type_count > 1) && (debug_flag)) {
RERROR("Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->vp_strvalue);
}
/*
* This means we have a proxy reply or an accept and it wasn't
* rejected in the above loop. So that means it is accepted and we
* do no further authentication.
*/
if ((auth_type == PW_AUTHTYPE_ACCEPT)
#ifdef WITH_PROXY
|| (request->proxy)
#endif
) {
RDEBUG2("Auth-Type = Accept, accepting the user");
return 0;
}
/*
* Check that Auth-Type has been set, and reject if not.
*
* Do quick checks to see if Cleartext-Password or Crypt-Password have
* been set, and complain if so.
*/
if (auth_type < 0) {
if (pairfind(request->config, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
RWDEBUG2("Use the PAP module instead");
}
else if (pairfind(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
RWDEBUG2("Use the PAP or CHAP modules instead");
}
/*
* The admin hasn't told us how to
* authenticate the user, so we reject them!
*
* This is fail-safe.
*/
REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
return -2;
}
/*
* See if there is a module that handles
* this Auth-Type, and turn the RLM_ return
* status into the values as defined at
* the top of this function.
*/
result = process_authenticate(auth_type, request);
switch (result) {
/*
* An authentication module FAIL
* return code, or any return code that
* is not expected from authentication,
* is the same as an explicit REJECT!
*/
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_REJECT:
case RLM_MODULE_UPDATED:
case RLM_MODULE_USERLOCK:
default:
result = -1;
break;
case RLM_MODULE_OK:
result = 0;
break;
case RLM_MODULE_HANDLED:
result = 1;
break;
}
return result;
}
/** Copy packet to multiple servers
*
* Create a duplicate of the packet and send it to a list of realms
* defined by the presence of the Replicate-To-Realm VP in the control
* list of the current request.
*
* This is pretty hacky and is 100% fire and forget. If you're looking
* to forward authentication requests to multiple realms and process
* the responses, this function will not allow you to do that.
*
* @param[in] instance of this module.
* @param[in] request The current request.
* @param[in] list of attributes to copy to the duplicate packet.
* @param[in] code to write into the code field of the duplicate packet.
* @return RCODE fail on error, invalid if list does not exist, noop if no replications succeeded, else ok.
*/
static rlm_rcode_t replicate_packet(UNUSED void *instance, REQUEST *request, pair_lists_t list, PW_CODE code)
{
int rcode = RLM_MODULE_NOOP;
bool pass1 = true;
vp_cursor_t cursor;
VALUE_PAIR *vp;
RADIUS_PACKET *packet = NULL;
rcode = rlm_replicate_alloc(&packet, request, list, code);
if (rcode != RLM_MODULE_OK) {
return rcode;
}
/*
* Send as many packets as necessary to different destinations.
*/
fr_cursor_init(&cursor, &request->config_items);
while ((vp = fr_cursor_next_by_num(&cursor, PW_REPLICATE_TO_REALM, 0, TAG_ANY))) {
home_server_t *home;
REALM *realm;
home_pool_t *pool;
realm = realm_find2(vp->vp_strvalue);
if (!realm) {
REDEBUG2("Cannot Replicate to unknown realm \"%s\"", vp->vp_strvalue);
continue;
}
/*
* We shouldn't really do this on every loop.
*/
switch (request->packet->code) {
default:
REDEBUG2("Cannot replicate unknown packet code %d", request->packet->code);
rcode = RLM_MODULE_FAIL;
goto done;
case PW_CODE_ACCESS_REQUEST:
pool = realm->auth_pool;
break;
#ifdef WITH_ACCOUNTING
case PW_CODE_ACCOUNTING_REQUEST:
pool = realm->acct_pool;
break;
#endif
#ifdef WITH_COA
case PW_CODE_COA_REQUEST:
case PW_CODE_DISCONNECT_REQUEST:
pool = realm->acct_pool;
break;
#endif
}
if (!pool) {
RWDEBUG2("Cancelling replication to Realm %s, as the realm is local", realm->name);
continue;
}
home = home_server_ldb(realm->name, pool, request);
if (!home) {
REDEBUG2("Failed to find live home server for realm %s", realm->name);
continue;
}
/*
* For replication to multiple servers we re-use the packet
* we built here.
*/
if (pass1) {
packet->id = fr_rand() & 0xff;
packet->sockfd = fr_socket(&home->src_ipaddr, 0);
if (packet->sockfd < 0) {
REDEBUG("Failed opening socket: %s", fr_strerror());
rcode = RLM_MODULE_FAIL;
goto done;
}
pass1 = false;
} else {
size_t i;
for (i = 0; i < sizeof(packet->vector); i++) {
packet->vector[i] = fr_rand() & 0xff;
}
packet->id++;
TALLOC_FREE(packet->data);
packet->data_len = 0;
}
/*
* (Re)-Write these.
*/
packet->dst_ipaddr = home->ipaddr;
packet->dst_port = home->port;
memset(&packet->src_ipaddr, 0, sizeof(packet->src_ipaddr));
packet->src_port = 0;
/*
* Encode, sign and then send the packet.
*/
RDEBUG("Replicating list '%s' to Realm '%s'", fr_int2str(pair_lists, list, "<INVALID>"), realm->name);
if (rad_send(packet, NULL, home->secret) < 0) {
REDEBUG("Failed replicating packet: %s", fr_strerror());
rcode = RLM_MODULE_FAIL;
goto done;
}
/*
* We've sent it to at least one destination.
*/
rcode = RLM_MODULE_OK;
}
done:
talloc_free(packet);
return rcode;
}
/*
* Find the named user in this modules database. Create the set
* of attribute-value pairs to check and reply with for this user
* from the database. The authentication code only needs to check
* the password, the rest is done here.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request)
{
rlm_sqlcounter_t *inst = instance;
int rcode = RLM_MODULE_NOOP;
uint64_t counter, res;
DICT_ATTR const *da;
VALUE_PAIR *key_vp, *limit;
VALUE_PAIR *reply_item;
char msg[128];
char query[MAX_QUERY_LEN], subst[MAX_QUERY_LEN];
char *expanded = NULL;
size_t len;
/*
* Before doing anything else, see if we have to reset
* the counters.
*/
if (inst->reset_time && (inst->reset_time <= request->timestamp)) {
/*
* Re-set the next time and prev_time for this counters range
*/
inst->last_reset = inst->reset_time;
find_next_reset(inst,request->timestamp);
}
/*
* Look for the key. User-Name is special. It means
* The REAL username, after stripping.
*/
if ((inst->key_attr->vendor == 0) && (inst->key_attr->attr == PW_USER_NAME)) {
key_vp = request->username;
} else {
key_vp = pairfind(request->packet->vps, inst->key_attr->attr, inst->key_attr->vendor, TAG_ANY);
}
if (!key_vp) {
RWDEBUG2("Couldn't find key attribute 'request:%s'", inst->key_attr->name);
return rcode;
}
/*
* Look for the check item
*/
if ((da = dict_attrbyname(inst->limit_name)) == NULL) {
return rcode;
}
limit = pairfind(request->config_items, da->attr, da->vendor, TAG_ANY);
if (limit == NULL) {
RWDEBUG2("Couldn't find control attribute 'control:%s'", inst->limit_name);
return rcode;
}
/* First, expand %k, %b and %e in query */
if (sqlcounter_expand(subst, sizeof(subst), inst->query, inst) <= 0) {
REDEBUG("Insufficient query buffer space");
return RLM_MODULE_FAIL;
}
/* Then combine that with the name of the module were using to do the query */
len = snprintf(query, sizeof(query), "%%{%s:%s}", inst->sqlmod_inst, subst);
if (len >= (sizeof(query) - 1)) {
REDEBUG("Insufficient query buffer space");
return RLM_MODULE_FAIL;
}
/* Finally, xlat resulting SQL query */
if (radius_axlat(&expanded, request, query, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
talloc_free(expanded);
if (sscanf(expanded, "%" PRIu64, &counter) != 1) {
RDEBUG2("No integer found in result string \"%s\". May be first session, setting counter to 0",
expanded);
counter = 0;
}
/*
* Check if check item > counter
*/
if (limit->vp_integer64 <= counter) {
/* User is denied access, send back a reply message */
snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", inst->reset);
pairmake_reply("Reply-Message", msg, T_OP_EQ);
REDEBUG2("Maximum %s usage time reached", inst->reset);
REDEBUG2("Rejecting user, control:%s value (%" PRIu64 ") is less than counter value (%" PRIu64 ")",
inst->limit_name, limit->vp_integer64, counter);
return RLM_MODULE_REJECT;
}
res = limit->vp_integer64 - counter;
RDEBUG2("Allowing user, control:%s value (%" PRIu64 ") is greater than counter value (%" PRIu64 ")",
inst->limit_name, limit->vp_integer64, counter);
/*
* We are assuming that simultaneous-use=1. But
* even if that does not happen then our user
* could login at max for 2*max-usage-time Is
* that acceptable?
*/
/*
* If we are near a reset then add the next
* limit, so that the user will not need to login
* again. Do this only for Session-Timeout.
*/
if (((inst->reply_attr->vendor == 0) && (inst->reply_attr->attr == PW_SESSION_TIMEOUT)) &&
inst->reset_time && ((int) res >= (inst->reset_time - request->timestamp))) {
res = (inst->reset_time - request->timestamp);
res += limit->vp_integer;
}
/*
* Limit the reply attribute to the minimum of the existing value, or this new one.
*/
reply_item = pairfind(request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor, TAG_ANY);
if (reply_item) {
if (reply_item->vp_integer64 <= res) {
RDEBUG2("Leaving existing reply:%s value of %" PRIu64, inst->reply_attr->name,
reply_item->vp_integer64);
return RLM_MODULE_OK;
}
} else {
reply_item = radius_paircreate(request->reply, &request->reply->vps, inst->reply_attr->attr,
inst->reply_attr->vendor);
}
reply_item->vp_integer64 = res;
RDEBUG2("Setting reply:%s value to %" PRIu64, inst->reply_name, reply_item->vp_integer64);
return RLM_MODULE_OK;
}
/** Copy packet to multiple servers
*
* Create a duplicate of the packet and send it to a list of realms
* defined by the presence of the Replicate-To-Realm VP in the control
* list of the current request.
*
* This is pretty hacky and is 100% fire and forget. If you're looking
* to forward authentication requests to multiple realms and process
* the responses, this function will not allow you to do that.
*
* @param[in] instance of this module.
* @param[in] request The current request.
* @param[in] list of attributes to copy to the duplicate packet.
* @param[in] code to write into the code field of the duplicate packet.
* @return RCODE fail on error, invalid if list does not exist, noop if no replications succeeded, else ok.
*/
static int replicate_packet(UNUSED void *instance, REQUEST *request, pair_lists_t list, unsigned int code)
{
int rcode = RLM_MODULE_NOOP;
VALUE_PAIR *vp, **vps;
vp_cursor_t cursor;
home_server_t *home;
REALM *realm;
home_pool_t *pool;
RADIUS_PACKET *packet = NULL;
/*
* Send as many packets as necessary to different
* destinations.
*/
fr_cursor_init(&cursor, &request->config);
while ((vp = fr_cursor_next_by_num(&cursor, PW_REPLICATE_TO_REALM, 0, TAG_ANY))) {
realm = realm_find2(vp->vp_strvalue);
if (!realm) {
REDEBUG2("Cannot Replicate to unknown realm \"%s\"", vp->vp_strvalue);
continue;
}
/*
* We shouldn't really do this on every loop.
*/
switch (request->packet->code) {
default:
REDEBUG2("Cannot replicate unknown packet code %d", request->packet->code);
cleanup(packet);
return RLM_MODULE_FAIL;
case PW_CODE_ACCESS_REQUEST:
pool = realm->auth_pool;
break;
#ifdef WITH_ACCOUNTING
case PW_CODE_ACCOUNTING_REQUEST:
pool = realm->acct_pool;
break;
#endif
#ifdef WITH_COA
case PW_CODE_COA_REQUEST:
case PW_CODE_DISCONNECT_REQUEST:
pool = realm->coa_pool;
break;
#endif
}
if (!pool) {
RWDEBUG2("Cancelling replication to Realm %s, as the realm is local", realm->name);
continue;
}
home = home_server_ldb(realm->name, pool, request);
if (!home) {
REDEBUG2("Failed to find live home server for realm %s", realm->name);
continue;
}
/*
* For replication to multiple servers we re-use the packet
* we built here.
*/
if (!packet) {
packet = rad_alloc(request, true);
if (!packet) {
return RLM_MODULE_FAIL;
}
packet->code = code;
packet->id = fr_rand() & 0xff;
packet->sockfd = fr_socket(&home->src_ipaddr, 0);
if (packet->sockfd < 0) {
REDEBUG("Failed opening socket: %s", fr_strerror());
rcode = RLM_MODULE_FAIL;
goto done;
}
vps = radius_list(request, list);
if (!vps) {
RWDEBUG("List '%s' doesn't exist for this packet",
fr_int2str(pair_lists, list, "<INVALID>"));
rcode = RLM_MODULE_INVALID;
goto done;
}
/*
* Don't assume the list actually contains any
* attributes.
*/
if (*vps) {
packet->vps = fr_pair_list_copy(packet, *vps);
if (!packet->vps) {
rcode = RLM_MODULE_FAIL;
goto done;
}
}
/*
* For CHAP, create the CHAP-Challenge if
* it doesn't exist.
*/
if ((code == PW_CODE_ACCESS_REQUEST) &&
(fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY) != NULL) &&
(fr_pair_find_by_num(request->packet->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY) == NULL)) {
uint8_t *p;
vp = radius_pair_create(packet, &packet->vps, PW_CHAP_CHALLENGE, 0);
vp->length = AUTH_VECTOR_LEN;
vp->vp_octets = p = talloc_array(vp, uint8_t, vp->length);
memcpy(p, request->packet->vector, AUTH_VECTOR_LEN);
}
} else {
size_t i;
for (i = 0; i < sizeof(packet->vector); i++) {
packet->vector[i] = fr_rand() & 0xff;
}
packet->id++;
TALLOC_FREE(packet->data);
packet->data_len = 0;
}
/*
* (Re)-Write these.
*/
packet->dst_ipaddr = home->ipaddr;
packet->dst_port = home->port;
memset(&packet->src_ipaddr, 0, sizeof(packet->src_ipaddr));
packet->src_port = 0;
/*
* Encode, sign and then send the packet.
*/
RDEBUG("Replicating list '%s' to Realm '%s'", fr_int2str(pair_lists, list, "<INVALID>"),
realm->name);
if (rad_send(packet, NULL, home->secret) < 0) {
REDEBUG("Failed replicating packet: %s", fr_strerror());
rcode = RLM_MODULE_FAIL;
goto done;
}
/*
* We've sent it to at least one destination.
*/
rcode = RLM_MODULE_OK;
}
done:
cleanup(packet);
return rcode;
}
/*
* Process the "diameter" contents of the tunneled data.
*/
PW_CODE eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
PW_CODE code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
uint8_t const *data;
size_t data_len;
REQUEST *request = handler->request;
chbind_packet_t *chbind;
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = (ttls_tunnel_t *) tls_session->opaque;
/*
* If there's no data, maybe this is an ACK to an
* MS-CHAP2-Success.
*/
if (data_len == 0) {
if (t->authenticated) {
RDEBUG("Got ACK, and the user was already authenticated");
return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* FIXME: Call SSL_get_error() to see what went
* wrong.
*/
RDEBUG2("SSL_read Error");
return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
if ((rad_debug_lvl > 2) && fr_log_fp) {
size_t i;
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i);
fprintf(fr_log_fp, "%02x ", data[i]);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
}
if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n");
}
#endif
if (!diameter_verify(request, data, data_len)) {
return PW_CODE_ACCESS_REJECT;
}
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request);
rad_assert(!fake->packet->vps);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
talloc_free(fake);
return PW_CODE_ACCESS_REJECT;
}
/*
* Tell the request that it's a fake one.
*/
pair_make_request("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
RDEBUG("Got tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
fake->password = fr_pair_find_by_num(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ);
rad_assert(t->username != NULL);
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
/*
* If there's a default EAP type,
* set it here.
*/
if (t->default_method != 0) {
RDEBUG("Setting default EAP type for tunneled EAP session");
vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
fr_pair_add(&fake->config, vp);
}
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_list_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
}
} /* else the request ALREADY had a User-Name */
/*
* Add the State attribute, too, if it exists.
*/
if (t->state) {
vp = fr_pair_list_copy(fake->packet, t->state);
if (vp) fr_pair_add(&fake->packet->vps, vp);
}
/*
* If this is set, we copy SOME of the request attributes
* from outside of the tunnel to inside of the tunnel.
*
* We copy ONLY those attributes which do NOT already
* exist in the tunneled request.
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
vp_cursor_t cursor;
for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
*/
if ((vp->da->attr > 255) &&
(vp->da->vendor == 0)) {
continue;
}
/*
* The outside attribute is already in the
* tunnel, don't copy it.
*
* This works for BOTH attributes which
* are originally in the tunneled request,
* AND attributes which are copied there
* from below.
*/
if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) {
continue;
}
/*
* Some attributes are handled specially.
*/
switch (vp->da->attr) {
/*
* NEVER copy Message-Authenticator,
* EAP-Message, or State. They're
* only for outside of the tunnel.
*/
case PW_USER_NAME:
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_CHAP_CHALLENGE:
case PW_PROXY_STATE:
case PW_MESSAGE_AUTHENTICATOR:
case PW_EAP_MESSAGE:
case PW_STATE:
continue;
/*
* By default, copy it over.
*/
default:
break;
}
/*
* Don't copy from the head, we've already
* checked it.
*/
copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY);
fr_pair_add(&fake->packet->vps, copy);
}
}
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (t->virtual_server) {
fake->server = t->virtual_server;
} /* else fake->server == request->server */
if ((rad_debug_lvl > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
}
/*
* Process channel binding.
*/
chbind = eap_chbind_vp2packet(fake, fake->packet->vps);
if (chbind) {
PW_CODE chbind_code;
CHBIND_REQ *req = talloc_zero(fake, CHBIND_REQ);
RDEBUG("received chbind request");
req->request = chbind;
if (fake->username) {
req->username = fake->username;
} else {
req->username = NULL;
}
chbind_code = chbind_process(request, req);
/* encapsulate response here */
if (req->response) {
RDEBUG("sending chbind response");
fr_pair_add(&fake->reply->vps,
eap_chbind_packet2vp(fake, req->response));
} else {
RDEBUG("no chbind response");
}
/* clean up chbind req */
talloc_free(req);
if (chbind_code != PW_CODE_ACCESS_ACCEPT) {
return chbind_code;
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
rad_virtual_server(fake);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_num(fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY);
if (vp) {
eap_tunnel_data_t *tunnel;
RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue);
/*
* Tell the original request that it's going
* to be proxied.
*/
fr_pair_list_move_by_num(request, &request->config,
&fake->config,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* Seed the proxy packet with the
* tunneled request.
*/
rad_assert(!request->proxy);
request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
request->proxy->src_port = 0;
request->proxy->dst_port = 0;
fake->packet = NULL;
rad_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
tunnel->callback = eapttls_postproxy;
/*
* Associate the callback with the request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false);
rad_assert(code == 0);
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
*
* So we associate the fake request with
* this request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
code = PW_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return PW_FOO
*/
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = PW_CODE_ACCESS_ACCEPT;
break;
default:
code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
/*
* Convert diameter attributes to our VALUE_PAIR's
*/
static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl,
uint8_t const *data, size_t data_len)
{
uint32_t attr;
uint32_t vendor;
uint32_t length;
size_t offset;
size_t size;
size_t data_left = data_len;
VALUE_PAIR *first = NULL;
VALUE_PAIR *vp;
RADIUS_PACKET *packet = fake->packet; /* FIXME: api issues */
vp_cursor_t out;
fr_cursor_init(&out, &first);
while (data_left > 0) {
rad_assert(data_left <= data_len);
memcpy(&attr, data, sizeof(attr));
data += 4;
attr = ntohl(attr);
vendor = 0;
memcpy(&length, data, sizeof(length));
data += 4;
length = ntohl(length);
/*
* A "vendor" flag, with a vendor ID of zero,
* is equivalent to no vendor. This is stupid.
*/
offset = 8;
if ((length & ((uint32_t)1 << 31)) != 0) {
memcpy(&vendor, data, sizeof(vendor));
vendor = ntohl(vendor);
data += 4; /* skip the vendor field, it's zero */
offset += 4; /* offset to value field */
if (attr > 65535) goto next_attr;
if (vendor > FR_MAX_VENDOR) goto next_attr;
}
/*
* FIXME: Handle the M bit. For now, we assume that
* some other module takes care of any attribute
* with the M bit set.
*/
/*
* Get the length.
*/
length &= 0x00ffffff;
/*
* Get the size of the value portion of the
* attribute.
*/
size = length - offset;
/*
* Vendor attributes can be larger than 255.
* Normal attributes cannot be.
*/
if ((attr > 255) && (vendor == 0)) {
RWDEBUG2("Skipping Diameter attribute %u", attr);
goto next_attr;
}
/*
* EAP-Message AVPs can be larger than 253 octets.
*
* For now, we rely on the main decoder in
* src/lib/radius to decode data into VPs. This
* means putting the data into a RADIUS attribute
* format. It also means that we can't handle
* "extended" attributes in the Diameter space. Oh well...
*/
if ((size > 253) && !((vendor == 0) && (attr == PW_EAP_MESSAGE))) {
RWDEBUG2("diameter2vp skipping long attribute %u", attr);
goto next_attr;
}
/*
* RADIUS VSAs are handled as Diameter attributes
* with Vendor-Id == 0, and the VSA data packed
* into the "String" field as per normal.
*
* EXCEPT for the MS-CHAP attributes.
*/
if ((vendor == 0) && (attr == PW_VENDOR_SPECIFIC)) {
ssize_t decoded;
uint8_t buffer[256];
buffer[0] = PW_VENDOR_SPECIFIC;
buffer[1] = size + 2;
memcpy(buffer + 2, data, size);
vp = NULL;
decoded = rad_attr2vp(packet, NULL, NULL, NULL,
buffer, size + 2, &vp);
if (decoded < 0) {
REDEBUG2("diameter2vp failed decoding attr: %s",
fr_strerror());
goto do_octets;
}
if ((size_t) decoded != size + 2) {
REDEBUG2("diameter2vp failed to entirely decode VSA");
fr_pair_list_free(&vp);
goto do_octets;
}
fr_cursor_merge(&out, vp);
goto next_attr;
}
/*
* Create it. If this fails, it's because we're OOM.
*/
do_octets:
vp = fr_pair_afrom_num(packet, attr, vendor);
if (!vp) {
RDEBUG2("Failure in creating VP");
fr_pair_list_free(&first);
return NULL;
}
/*
* If it's a type from our dictionary, then
* we need to put the data in a relevant place.
*
* @todo: Export the lib/radius.c decoder, and use it here!
*/
switch (vp->da->type) {
case PW_TYPE_INTEGER:
case PW_TYPE_DATE:
if (size != vp->vp_length) {
DICT_ATTR const *da;
/*
* Bad format. Create a "raw"
* attribute.
*/
raw:
if (vp) fr_pair_list_free(&vp);
da = dict_unknown_afrom_fields(packet, attr, vendor);
if (!da) return NULL;
vp = fr_pair_afrom_da(packet, da);
if (!vp) return NULL;
fr_pair_value_memcpy(vp, data, size);
break;
}
memcpy(&vp->vp_integer, data, vp->vp_length);
/*
* Stored in host byte order: change it.
*/
vp->vp_integer = ntohl(vp->vp_integer);
break;
case PW_TYPE_INTEGER64:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_integer64, data, vp->vp_length);
/*
* Stored in host byte order: change it.
*/
vp->vp_integer64 = ntohll(vp->vp_integer64);
break;
case PW_TYPE_IPV4_ADDR:
if (size != vp->vp_length) {
RDEBUG2("Invalid length attribute %d",
attr);
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
memcpy(&vp->vp_ipaddr, data, vp->vp_length);
/*
* Stored in network byte order: don't change it.
*/
break;
case PW_TYPE_BYTE:
if (size != vp->vp_length) goto raw;
vp->vp_byte = data[0];
break;
case PW_TYPE_SHORT:
if (size != vp->vp_length) goto raw;
vp->vp_short = (data[0] * 256) + data[1];
break;
case PW_TYPE_SIGNED:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_signed, data, vp->vp_length);
vp->vp_signed = ntohl(vp->vp_signed);
break;
case PW_TYPE_IPV6_ADDR:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_ipv6addr, data, vp->vp_length);
break;
case PW_TYPE_IPV6_PREFIX:
if (size != vp->vp_length) goto raw;
memcpy(vp->vp_ipv6prefix, data, vp->vp_length);
break;
case PW_TYPE_STRING:
fr_pair_value_bstrncpy(vp, data, size);
vp->vp_length = strlen(vp->vp_strvalue); /* embedded zeros are NOT allowed */
break;
/*
* Copy it over verbatim.
*/
case PW_TYPE_OCTETS:
default:
fr_pair_value_memcpy(vp, data, size);
break;
}
/*
* Ensure that the client is using the
* correct challenge. This weirdness is
* to protect against against replay
* attacks, where anyone observing the
* CHAP exchange could pose as that user,
* by simply choosing to use the same
* challenge.
*
* By using a challenge based on
* information from the current session,
* we can guarantee that the client is
* not *choosing* a challenge.
*
* We're a little forgiving in that we
* have loose checks on the length, and
* we do NOT check the Id (first octet of
* the response to the challenge)
*
* But if the client gets the challenge correct,
* we're not too worried about the Id.
*/
if (((vp->da->vendor == 0) && (vp->da->attr == PW_CHAP_CHALLENGE)) ||
((vp->da->vendor == VENDORPEC_MICROSOFT) && (vp->da->attr == PW_MSCHAP_CHALLENGE))) {
uint8_t challenge[16];
if ((vp->vp_length < 8) ||
(vp->vp_length > 16)) {
RDEBUG("Tunneled challenge has invalid length");
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
eapttls_gen_challenge(ssl, challenge,
sizeof(challenge));
if (memcmp(challenge, vp->vp_octets,
vp->vp_length) != 0) {
RDEBUG("Tunneled challenge is incorrect");
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
}
/*
* Update the list.
*/
fr_cursor_insert(&out, vp);
next_attr:
/*
* Catch non-aligned attributes.
*/
if (data_left == length) break;
/*
* The length does NOT include the padding, so
* we've got to account for it here by rounding up
* to the nearest 4-byte boundary.
*/
length += 0x03;
length &= ~0x03;
rad_assert(data_left >= length);
data_left -= length;
data += length - offset; /* already updated */
}
/*
* We got this far. It looks OK.
*/
return first;
}
/** Send NONCE_S and re-key
*
*/
static int eap_sim_send_reauthentication(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
VALUE_PAIR **to_peer, *vp, *mk, *counter;
RADIUS_PACKET *packet;
rad_assert(eap_session->request != NULL);
rad_assert(eap_session->request->reply);
/*
* to_peer is the data to the client
*/
packet = eap_session->request->reply;
to_peer = &packet->vps;
/*
* If any of the session resumption inputs (on our side)
* are missing or malformed, return an error code
* and the state machine will jump to the start state.
*/
mk = fr_pair_find_by_da(request->control, attr_eap_sim_mk, TAG_ANY);
if (!mk) {
RWDEBUG2("Missing &control:EAP-SIM-MK, skipping session resumption");
return -1;
}
if (mk->vp_length != SIM_MK_SIZE) {
RWDEBUG("&control:EAP-SIM-MK has incorrect length, expected %u bytes got %zu bytes",
SIM_MK_SIZE, mk->vp_length);
return -1;
}
counter = fr_pair_find_by_da(request->control, attr_eap_sim_counter, TAG_ANY);
if (!counter) {
RWDEBUG2("Missing &control:EAP-SIM-Counter, skipping session resumption");
return -1;
}
/*
* All set, calculate keys!
*/
fr_sim_crypto_keys_init_kdf_0_reauth(&eap_sim_session->keys, mk->vp_octets, counter->vp_uint16);
fr_sim_crypto_kdf_0_reauth(&eap_sim_session->keys);
if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_sim_session->keys);
RDEBUG2("Sending SIM-Reauthentication");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
/*
* Set subtype to challenge.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = EAP_SIM_REAUTH;
fr_pair_replace(to_peer, vp);
/*
* Add nonce_s
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_nonce_s));
fr_pair_value_memcpy(vp, eap_sim_session->keys.reauth.nonce_s, sizeof(eap_sim_session->keys.reauth.nonce_s));
fr_pair_replace(to_peer, vp);
/*
* Indicate we'd like to use protected success messages
*/
if (eap_sim_session->send_result_ind) {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_result_ind));
vp->vp_bool = true;
fr_pair_replace(to_peer, vp);
}
/*
* Need to include an AT_MAC attribute so that it will get
* calculated.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_mac);
fr_pair_replace(to_peer, vp);
/*
* We've sent the challenge so the peer should now be able
* to accept encrypted attributes.
*/
eap_sim_session->allow_encrypted = true;
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
static rlm_rcode_t CC_HINT(nonnull) mod_do_linelog(void *instance, REQUEST *request)
{
int fd = -1;
rlm_linelog_t *inst = (rlm_linelog_t*) instance;
char const *value = inst->line;
#ifdef HAVE_GRP_H
gid_t gid;
char *endptr;
#endif
char path[2048];
char line[4096];
line[0] = '\0';
if (inst->reference) {
CONF_ITEM *ci;
CONF_PAIR *cp;
if (radius_xlat(line + 1, sizeof(line) - 1, request, inst->reference, linelog_escape_func, NULL) < 0) {
return RLM_MODULE_FAIL;
}
line[0] = '.'; /* force to be in current section */
/*
* Don't allow it to go back up
*/
if (line[1] == '.') goto do_log;
ci = cf_reference_item(NULL, inst->cs, line);
if (!ci) {
RDEBUG2("No such entry \"%s\"", line);
return RLM_MODULE_NOOP;
}
if (!cf_item_is_pair(ci)) {
RDEBUG2("Entry \"%s\" is not a variable assignment ", line);
goto do_log;
}
cp = cf_item_to_pair(ci);
value = cf_pair_value(cp);
if (!value) {
RWDEBUG2("Entry \"%s\" has no value", line);
return RLM_MODULE_OK;
}
/*
* Value exists, but is empty. Don't log anything.
*/
if (!*value) return RLM_MODULE_OK;
}
do_log:
/*
* FIXME: Check length.
*/
if (radius_xlat(line, sizeof(line) - 1, request, value, linelog_escape_func, NULL) < 0) {
return RLM_MODULE_FAIL;
}
#ifdef HAVE_SYSLOG_H
if (strcmp(inst->filename, "syslog") == 0) {
syslog(inst->syslog_priority, "%s", line);
return RLM_MODULE_OK;
}
#endif
/*
* We're using a real filename now.
*/
if (radius_xlat(path, sizeof(path), request, inst->filename, inst->escape_func, NULL) < 0) {
return RLM_MODULE_FAIL;
}
fd = exfile_open(inst->ef, path, inst->permissions, true);
if (fd < 0) {
ERROR("rlm_linelog: Failed to open %s: %s", path, fr_syserror(errno));
return RLM_MODULE_FAIL;
}
if (inst->group != NULL) {
gid = strtol(inst->group, &endptr, 10);
if (*endptr != '\0') {
if (rad_getgid(request, &gid, inst->group) < 0) {
RDEBUG2("Unable to find system group \"%s\"", inst->group);
goto skip_group;
}
}
if (chown(path, -1, gid) == -1) {
RDEBUG2("Unable to change system group of \"%s\"", path);
}
}
skip_group:
strcat(line, "\n");
if (write(fd, line, strlen(line)) < 0) {
exfile_close(inst->ef, fd);
ERROR("rlm_linelog: Failed writing: %s", fr_syserror(errno));
return RLM_MODULE_FAIL;
}
exfile_close(inst->ef, fd);
return RLM_MODULE_OK;
}
/*
* Check NTLM authentication direct to winbind via
* Samba's libwbclient library
*
* Returns:
* 0 success
* -1 auth failure
* -648 password expired
*/
int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request,
uint8_t const *challenge, uint8_t const *response,
uint8_t nthashhash[NT_DIGEST_LENGTH])
{
int rcode = -1;
struct wbcContext *wb_ctx;
struct wbcAuthUserParams authparams;
wbcErr err;
int len;
struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *error = NULL;
char user_name_buf[500];
char domain_name_buf[500];
uint8_t resp[NT_LENGTH];
/*
* Clear the auth parameters - this is important, as
* there are options that will cause wbcAuthenticateUserEx
* to bomb out if not zero.
*/
memset(&authparams, 0, sizeof(authparams));
/*
* wb_username must be set for this function to be called
*/
rad_assert(inst->wb_username);
/*
* Get the username and domain from the configuration
*/
len = tmpl_expand(&authparams.account_name, user_name_buf, sizeof(user_name_buf),
request, inst->wb_username, NULL, NULL);
if (len < 0) {
REDEBUG2("Unable to expand winbind_username");
goto done;
}
if (inst->wb_domain) {
len = tmpl_expand(&authparams.domain_name, domain_name_buf, sizeof(domain_name_buf),
request, inst->wb_domain, NULL, NULL);
if (len < 0) {
REDEBUG2("Unable to expand winbind_domain");
goto done;
}
} else {
RWDEBUG2("No domain specified; authentication may fail because of this");
}
/*
* Build the wbcAuthUserParams structure with what we know
*/
authparams.level = WBC_AUTH_USER_LEVEL_RESPONSE;
authparams.password.response.nt_length = NT_LENGTH;
memcpy(resp, response, NT_LENGTH);
authparams.password.response.nt_data = resp;
memcpy(authparams.password.response.challenge, challenge,
sizeof(authparams.password.response.challenge));
/*
* Send auth request across to winbind
*/
wb_ctx = fr_connection_get(inst->wb_pool);
if (wb_ctx == NULL) {
RERROR("Unable to get winbind connection from pool");
goto done;
}
RDEBUG2("sending authentication request user='******' domain='%s'", authparams.account_name,
authparams.domain_name);
err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error);
fr_connection_release(inst->wb_pool, wb_ctx);
/*
* Try and give some useful feedback on what happened. There are only
* a few errors that can actually be returned from wbcCtxAuthenticateUserEx.
*/
switch (err) {
case WBC_ERR_SUCCESS:
rcode = 0;
RDEBUG2("Authenticated successfully");
/* Grab the nthashhash from the result */
memcpy(nthashhash, info->user_session_key, NT_DIGEST_LENGTH);
break;
case WBC_ERR_WINBIND_NOT_AVAILABLE:
RERROR("Unable to contact winbind!");
RDEBUG2("Check that winbind is running and that FreeRADIUS has");
RDEBUG2("permission to connect to the winbind privileged socket.");
break;
case WBC_ERR_DOMAIN_NOT_FOUND:
REDEBUG2("Domain not found");
break;
case WBC_ERR_AUTH_ERROR:
if (!error) {
REDEBUG2("Authentication failed");
break;
}
/*
* The password needs to be changed, so set rcode appropriately.
*/
if (error->nt_status & NT_STATUS_PASSWORD_EXPIRED ||
error->nt_status & NT_STATUS_PASSWORD_MUST_CHANGE) {
rcode = -648;
}
/*
* Return the NT_STATUS human readable error string, if there is one.
*/
if (error->display_string) {
REDEBUG2("%s [0x%X]", error->display_string, error->nt_status);
} else {
REDEBUG2("Authentication failed [0x%X]", error->nt_status);
}
break;
default:
/*
* Only errors left are
* WBC_ERR_INVALID_PARAM
* WBC_ERR_NO_MEMORY
* neither of which are particularly likely.
*/
if (error && error->display_string) {
REDEBUG2("libwbclient error: wbcErr %d (%s)", err, error->display_string);
} else {
REDEBUG2("libwbclient error: wbcErr %d", err);
}
break;
}
done:
if (info) wbcFreeMemory(info);
if (error) wbcFreeMemory(error);
return rcode;
}
static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session,
tls_session_t *tls_session, VALUE_PAIR *tlv_eap_payload)
{
FR_CODE code = FR_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
VALUE_PAIR *vp;
eap_fast_tunnel_t *t;
REQUEST *fake;
RDEBUG2("Processing received EAP Payload");
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request, NULL);
rad_assert(!fake->packet->vps);
t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = fr_pair_afrom_da(fake->packet, attr_eap_message);
fr_pair_value_memcpy(fake->packet->vps, tlv_eap_payload->vp_octets, tlv_eap_payload->vp_length, false);
RDEBUG2("Got tunneled request");
log_request_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Tell the request that it's a fake one.
*/
MEM(fr_pair_add_by_da(fake->packet, &vp, &fake->packet->vps, attr_freeradius_proxied_to) >= 0);
fr_pair_value_from_str(vp, "127.0.0.1", sizeof("127.0.0.1"), '\0', false);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_da(fake->packet->vps, attr_user_name, TAG_ANY);
fake->password = fr_pair_find_by_da(fake->packet->vps, attr_user_password, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_da(fake->packet->vps, attr_eap_message, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == FR_EAP_CODE_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == FR_EAP_METHOD_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
MEM(t->username = fr_pair_afrom_da(t, attr_user_name));
t->username->vp_tainted = true;
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG2("Got tunneled identity of %pV", &t->username->data);
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = vp;
}
} /* else the request ALREADY had a User-Name */
if (t->stage == EAP_FAST_AUTHENTICATION) { /* FIXME do this only for MSCHAPv2 */
VALUE_PAIR *tvp;
tvp = fr_pair_afrom_da(fake, attr_eap_type);
tvp->vp_uint32 = t->default_provisioning_method;
fr_pair_add(&fake->control, tvp);
/*
* RFC 5422 section 3.2.3 - Authenticating Using EAP-FAST-MSCHAPv2
*/
if (t->mode == EAP_FAST_PROVISIONING_ANON) {
tvp = fr_pair_afrom_da(fake, attr_ms_chap_challenge);
fr_pair_value_memcpy(tvp, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false);
fr_pair_add(&fake->control, tvp);
RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 auth_challenge");
tvp = fr_pair_afrom_da(fake, attr_ms_chap_peer_challenge);
fr_pair_value_memcpy(tvp, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false);
fr_pair_add(&fake->control, tvp);
RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 peer_challenge");
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
eap_virtual_server(request, fake, eap_session, t->virtual_server);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_da(fake->control, attr_proxy_to_realm, TAG_ANY);
if (vp) {
int ret;
eap_tunnel_data_t *tunnel;
RDEBUG2("Tunneled authentication will be proxied to %pV", &vp->data);
/*
* Tell the original request that it's going to be proxied.
*/
fr_pair_list_copy_by_da(request, &request->control, fake->control, attr_proxy_to_realm);
/*
* Seed the proxy packet with the tunneled request.
*/
rad_assert(!request->proxy);
/*
* FIXME: Actually proxy stuff
*/
request->proxy = request_alloc_fake(request, NULL);
request->proxy->packet = talloc_steal(request->proxy, fake->packet);
memset(&request->proxy->packet->src_ipaddr, 0,
sizeof(request->proxy->packet->src_ipaddr));
memset(&request->proxy->packet->src_ipaddr, 0,
sizeof(request->proxy->packet->src_ipaddr));
request->proxy->packet->src_port = 0;
request->proxy->packet->dst_port = 0;
fake->packet = NULL;
fr_radius_packet_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
/*
* Associate the callback with the request.
*/
ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false, false, false);
fr_cond_assert(ret == 0);
/*
* rlm_eap.c has taken care of associating the eap_session
* with the fake request.
*
* So we associate the fake request with this request.
*/
ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true, false, false);
fr_cond_assert(ret == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but we're proxying it.
*/
code = FR_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
REDEBUG("No tunneled reply was found, and the request was not proxied: rejecting the user");
code = FR_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return FR_FOO
*/
rcode = process_reply(eap_session, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = FR_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = FR_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = FR_CODE_ACCESS_ACCEPT;
break;
default:
code = FR_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
/*
* Store logins in the RADIUS utmp file.
*/
static rlm_rcode_t mod_accounting(void *instance, REQUEST *request)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
struct radutmp ut, u;
vp_cursor_t cursor;
VALUE_PAIR *vp;
int status = -1;
int protocol = -1;
time_t t;
int fd = -1;
int port_seen = 0;
int off;
rlm_radutmp_t *inst = instance;
char ip_name[32]; /* 255.255.255.255 */
char const *nas;
NAS_PORT *cache;
int r;
char *filename = NULL;
char *expanded = NULL;
if (request->packet->src_ipaddr.af != AF_INET) {
DEBUG("rlm_radutmp: IPv6 not supported!");
return RLM_MODULE_NOOP;
}
/*
* Which type is this.
*/
if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE, 0, TAG_ANY)) == NULL) {
RDEBUG("No Accounting-Status-Type record.");
return RLM_MODULE_NOOP;
}
status = vp->vp_integer;
/*
* Look for weird reboot packets.
*
* ComOS (up to and including 3.5.1b20) does not send
* standard PW_STATUS_ACCOUNTING_XXX messages.
*
* Check for: o no Acct-Session-Time, or time of 0
* o Acct-Session-Id of "00000000".
*
* We could also check for NAS-Port, that attribute
* should NOT be present (but we don't right now).
*/
if ((status != PW_STATUS_ACCOUNTING_ON) &&
(status != PW_STATUS_ACCOUNTING_OFF)) do {
int check1 = 0;
int check2 = 0;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME, 0, TAG_ANY))
== NULL || vp->vp_date == 0)
check1 = 1;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_ID, 0, TAG_ANY))
!= NULL && vp->length == 8 &&
memcmp(vp->vp_strvalue, "00000000", 8) == 0)
check2 = 1;
if (check1 == 0 || check2 == 0) {
break;
}
INFO("rlm_radutmp: converting reboot records.");
if (status == PW_STATUS_STOP)
status = PW_STATUS_ACCOUNTING_OFF;
if (status == PW_STATUS_START)
status = PW_STATUS_ACCOUNTING_ON;
} while(0);
time(&t);
memset(&ut, 0, sizeof(ut));
ut.porttype = 'A';
ut.nas_address = htonl(INADDR_NONE);
/*
* First, find the interesting attributes.
*/
for (vp = paircursor(&cursor, &request->packet->vps);
vp;
vp = pairnext(&cursor)) {
if (!vp->da->vendor) switch (vp->da->attr) {
case PW_LOGIN_IP_HOST:
case PW_FRAMED_IP_ADDRESS:
ut.framed_address = vp->vp_ipaddr;
break;
case PW_FRAMED_PROTOCOL:
protocol = vp->vp_integer;
break;
case PW_NAS_IP_ADDRESS:
ut.nas_address = vp->vp_ipaddr;
break;
case PW_NAS_PORT:
ut.nas_port = vp->vp_integer;
port_seen = 1;
break;
case PW_ACCT_DELAY_TIME:
ut.delay = vp->vp_integer;
break;
case PW_ACCT_SESSION_ID:
/*
* If length > 8, only store the
* last 8 bytes.
*/
off = vp->length - sizeof(ut.session_id);
/*
* Ascend is br0ken - it adds a \0
* to the end of any string.
* Compensate.
*/
if (vp->length > 0 &&
vp->vp_strvalue[vp->length - 1] == 0)
off--;
if (off < 0) off = 0;
memcpy(ut.session_id, vp->vp_strvalue + off,
sizeof(ut.session_id));
break;
case PW_NAS_PORT_TYPE:
if (vp->vp_integer <= 4)
ut.porttype = porttypes[vp->vp_integer];
break;
case PW_CALLING_STATION_ID:
if(inst->caller_id_ok)
strlcpy(ut.caller_id,
vp->vp_strvalue,
sizeof(ut.caller_id));
break;
}
}
/*
* If we didn't find out the NAS address, use the
* originator's IP address.
*/
if (ut.nas_address == htonl(INADDR_NONE)) {
ut.nas_address = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
nas = request->client->shortname;
} else if (request->packet->src_ipaddr.ipaddr.ip4addr.s_addr == ut.nas_address) { /* might be a client, might not be. */
nas = request->client->shortname;
} else {
/*
* The NAS isn't a client, it's behind
* a proxy server. In that case, just
* get the IP address.
*/
nas = ip_ntoa(ip_name, ut.nas_address);
}
/*
* Set the protocol field.
*/
if (protocol == PW_PPP) {
ut.proto = 'P';
} else if (protocol == PW_SLIP) {
ut.proto = 'S';
} else {
ut.proto = 'T';
}
ut.time = t - ut.delay;
/*
* Get the utmp filename, via xlat.
*/
filename = NULL;
if (radius_axlat(&filename, request, inst->filename, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* See if this was a reboot.
*
* Hmm... we may not want to zap all of the users when the NAS comes up, because of issues with receiving
* UDP packets out of order.
*/
if (status == PW_STATUS_ACCOUNTING_ON && (ut.nas_address != htonl(INADDR_NONE))) {
RIDEBUG("NAS %s restarted (Accounting-On packet seen)", nas);
rcode = radutmp_zap(request, filename, ut.nas_address, ut.time);
goto finish;
}
if (status == PW_STATUS_ACCOUNTING_OFF && (ut.nas_address != htonl(INADDR_NONE))) {
RIDEBUG("NAS %s rebooted (Accounting-Off packet seen)", nas);
rcode = radutmp_zap(request, filename, ut.nas_address, ut.time);
goto finish;
}
/*
* If we don't know this type of entry pretend we succeeded.
*/
if (status != PW_STATUS_START && status != PW_STATUS_STOP && status != PW_STATUS_ALIVE) {
REDEBUG("NAS %s port %u unknown packet type %d)", nas, ut.nas_port, status);
rcode = RLM_MODULE_NOOP;
goto finish;
}
/*
* Translate the User-Name attribute, or whatever else they told us to use.
*/
if (radius_axlat(&expanded, request, inst->username, NULL, NULL) < 0) {
rcode = RLM_MODULE_FAIL;
goto finish;
}
strlcpy(ut.login, expanded, RUT_NAMESIZE);
TALLOC_FREE(expanded);
/*
* Perhaps we don't want to store this record into
* radutmp. We skip records:
*
* - without a NAS-Port (telnet / tcp access)
* - with the username "!root" (console admin login)
*/
if (!port_seen) {
RWDEBUG2("No NAS-Port seen. Cannot do anything. Checkrad will probably not work!");
rcode = RLM_MODULE_NOOP;
goto finish;
}
if (strncmp(ut.login, "!root", RUT_NAMESIZE) == 0) {
RDEBUG2("Not recording administrative user");
rcode = RLM_MODULE_NOOP;
goto finish;
}
/*
* Enter into the radutmp file.
*/
fd = open(filename, O_RDWR|O_CREAT, inst->permission);
if (fd < 0) {
REDEBUG("Error accessing file %s: %s", filename, strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* Lock the utmp file, prefer lockf() over flock().
*/
rad_lockfd(fd, LOCK_LEN);
/*
* Find the entry for this NAS / portno combination.
*/
if ((cache = nas_port_find(inst->nas_port_list, ut.nas_address, ut.nas_port)) != NULL) {
lseek(fd, (off_t)cache->offset, SEEK_SET);
}
r = 0;
off = 0;
while (read(fd, &u, sizeof(u)) == sizeof(u)) {
off += sizeof(u);
if ((u.nas_address != ut.nas_address) || (u.nas_port != ut.nas_port)) {
continue;
}
/*
* Don't compare stop records to unused entries.
*/
if (status == PW_STATUS_STOP && u.type == P_IDLE) {
continue;
}
if ((status == PW_STATUS_STOP) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) != 0) {
/*
* Don't complain if this is not a
* login record (some clients can
* send _only_ logout records).
*/
if (u.type == P_LOGIN) {
RWDEBUG("Logout entry for NAS %s port %u has wrong ID", nas, u.nas_port);
}
r = -1;
break;
}
if ((status == PW_STATUS_START) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 &&
u.time >= ut.time) {
if (u.type == P_LOGIN) {
INFO("rlm_radutmp: Login entry for NAS %s port %u duplicate",
nas, u.nas_port);
r = -1;
break;
}
RWDEBUG("Login entry for NAS %s port %u wrong order", nas, u.nas_port);
r = -1;
break;
}
/*
* FIXME: the ALIVE record could need some more checking, but anyway I'd
* rather rewrite this mess -- miquels.
*/
if ((status == PW_STATUS_ALIVE) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 &&
u.type == P_LOGIN) {
/*
* Keep the original login time.
*/
ut.time = u.time;
}
if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) {
RWDEBUG("negative lseek!");
lseek(fd, (off_t)0, SEEK_SET);
off = 0;
} else {
off -= sizeof(u);
}
r = 1;
break;
} /* read the file until we find a match */
/*
* Found the entry, do start/update it with
* the information from the packet.
*/
if ((r >= 0) && (status == PW_STATUS_START || status == PW_STATUS_ALIVE)) {
/*
* Remember where the entry was, because it's
* easier than searching through the entire file.
*/
if (!cache) {
cache = talloc_zero(inst, NAS_PORT);
if (cache) {
cache->nasaddr = ut.nas_address;
cache->port = ut.nas_port;
cache->offset = off;
cache->next = inst->nas_port_list;
inst->nas_port_list = cache;
}
}
ut.type = P_LOGIN;
if (write(fd, &ut, sizeof(u)) < 0) {
REDEBUG("Failed writing: %s", strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
}
/*
* The user has logged off, delete the entry by
* re-writing it in place.
*/
if (status == PW_STATUS_STOP) {
if (r > 0) {
u.type = P_IDLE;
u.time = ut.time;
u.delay = ut.delay;
if (write(fd, &u, sizeof(u)) < 0) {
REDEBUG("Failed writing: %s", strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
} else if (r == 0) {
RWDEBUG("Logout for NAS %s port %u, but no Login record", nas, ut.nas_port);
}
}
finish:
talloc_free(filename);
if (fd > -1) {
close(fd); /* and implicitely release the locks */
}
return rcode;
}
/*
* EAP authorization DEPENDS on other rlm authorizations,
* to check for user existance & get their configured values.
* It Handles EAP-START Messages, User-Name initilization.
*/
static rlm_rcode_t mod_authorize(void *instance, REQUEST *request)
{
rlm_eap_t *inst;
int status;
VALUE_PAIR *vp;
inst = (rlm_eap_t *)instance;
#ifdef WITH_PROXY
/*
* We don't do authorization again, once we've seen the
* proxy reply (or the proxied packet)
*/
if (request->proxy != NULL)
return RLM_MODULE_NOOP;
#endif
/*
* For EAP_START, send Access-Challenge with EAP Identity
* request. even when we have to proxy this request
*
* RFC 2869, Section 2.3.1 notes that the "domain" of the
* user, (i.e. where to proxy him) comes from the EAP-Identity,
* so we CANNOT proxy the user, until we know his identity.
*
* We therefore send an EAP Identity request.
*/
status = eap_start(inst, request);
switch(status) {
case EAP_NOOP:
return RLM_MODULE_NOOP;
case EAP_FAIL:
return RLM_MODULE_FAIL;
case EAP_FOUND:
return RLM_MODULE_HANDLED;
case EAP_OK:
case EAP_NOTFOUND:
default:
break;
}
/*
* RFC 2869, Section 2.3.1. If a NAS sends an EAP-Identity,
* it MUST copy the identity into the User-Name attribute.
*
* But we don't worry about that too much. We depend on
* each EAP sub-module to look for handler->request->username,
* and to get excited if it doesn't appear.
*/
vp = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
if ((!vp) || (vp->vp_integer != PW_AUTHTYPE_REJECT)) {
vp = pairmake_config("Auth-Type", inst->xlat_name, T_OP_EQ);
if (!vp) {
RDEBUG2("Failed to create Auth-Type %s: %s\n",
inst->xlat_name, fr_strerror());
return RLM_MODULE_FAIL;
}
} else {
RWDEBUG2("Auth-Type already set. Not setting to EAP");
}
if (status == EAP_OK) return RLM_MODULE_OK;
return RLM_MODULE_UPDATED;
}
