/*
* Authenticate a previously sent challenge.
*/
static int mod_process(UNUSED void *arg, eap_handler_t *handler)
{
MD5_PACKET *packet;
MD5_PACKET *reply;
VALUE_PAIR *password;
REQUEST *request = handler->request;
/*
* Get the Cleartext-Password for this user.
*/
rad_assert(handler->request != NULL);
rad_assert(handler->stage == PROCESS);
password = fr_pair_find_by_num(handler->request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
if (!password) {
REDEBUG2("Cleartext-Password is required for EAP-MD5 authentication");
return 0;
}
/*
* Extract the EAP-MD5 packet.
*/
if (!(packet = eapmd5_extract(handler->eap_ds)))
return 0;
/*
* Create a reply, and initialize it.
*/
reply = talloc(packet, MD5_PACKET);
if (!reply) {
talloc_free(packet);
return 0;
}
reply->id = handler->eap_ds->request->id;
reply->length = 0;
/*
* Verify the received packet against the previous packet
* (i.e. challenge) which we sent out.
*/
if (eapmd5_verify(packet, password, handler->opaque)) {
reply->code = PW_MD5_SUCCESS;
} else {
reply->code = PW_MD5_FAILURE;
}
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
talloc_free(packet);
return 1;
}
/*
* Authenticate a previously sent challenge.
*/
static int md5_authenticate(UNUSED void *arg, EAP_HANDLER *handler)
{
MD5_PACKET *packet;
MD5_PACKET *reply;
VALUE_PAIR *password;
/*
* Get the Cleartext-Password for this user.
*/
rad_assert(handler->request != NULL);
rad_assert(handler->stage == AUTHENTICATE);
password = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD);
if (password == NULL) {
DEBUG2("rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication");
return 0;
}
/*
* Extract the EAP-MD5 packet.
*/
if (!(packet = eapmd5_extract(handler->eap_ds)))
return 0;
/*
* Create a reply, and initialize it.
*/
reply = eapmd5_alloc();
if (!reply) {
eapmd5_free(&packet);
return 0;
}
reply->id = handler->eap_ds->request->id;
reply->length = 0;
/*
* Verify the received packet against the previous packet
* (i.e. challenge) which we sent out.
*/
if (eapmd5_verify(packet, password, handler->opaque)) {
reply->code = PW_MD5_SUCCESS;
} else {
reply->code = PW_MD5_FAILURE;
}
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
eapmd5_free(&packet);
return 1;
}
/*
* Initiate the EAP-MD5 session by sending a challenge to the peer.
*/
static int mod_session_init(UNUSED void *instance, eap_handler_t *handler)
{
int i;
MD5_PACKET *reply;
REQUEST *request = handler->request;
/*
* Allocate an EAP-MD5 packet.
*/
reply = talloc(handler, MD5_PACKET);
if (!reply) {
return 0;
}
/*
* Fill it with data.
*/
reply->code = PW_MD5_CHALLENGE;
reply->length = 1 + MD5_CHALLENGE_LEN; /* one byte of value size */
reply->value_size = MD5_CHALLENGE_LEN;
/*
* Allocate user data.
*/
reply->value = talloc_array(reply, uint8_t, reply->value_size);
if (!reply->value) {
talloc_free(reply);
return 0;
}
/*
* Get a random challenge.
*/
for (i = 0; i < reply->value_size; i++) {
reply->value[i] = fr_rand();
}
RDEBUG2("Issuing MD5 Challenge");
/*
* Keep track of the challenge.
*/
handler->opaque = talloc_array(handler, uint8_t, reply->value_size);
rad_assert(handler->opaque != NULL);
memcpy(handler->opaque, reply->value, reply->value_size);
handler->free_opaque = NULL;
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
/*
* We don't need to authorize the user at this point.
*
* We also don't need to keep the challenge, as it's
* stored in 'handler->eap_ds', which will be given back
* to us...
*/
handler->stage = PROCESS;
return 1;
}
/*
* Initiate the EAP-MD5 session by sending a challenge to the peer.
*/
static int md5_initiate(void *type_data, EAP_HANDLER *handler)
{
int i;
MD5_PACKET *reply;
type_data = type_data; /* -Wunused */
/*
* Allocate an EAP-MD5 packet.
*/
reply = eapmd5_alloc();
if (reply == NULL) {
radlog(L_ERR, "rlm_eap_md5: out of memory");
return 0;
}
/*
* Fill it with data.
*/
reply->code = PW_MD5_CHALLENGE;
reply->length = 1 + MD5_CHALLENGE_LEN; /* one byte of value size */
reply->value_size = MD5_CHALLENGE_LEN;
/*
* Allocate user data.
*/
reply->value = malloc(reply->value_size);
if (reply->value == NULL) {
radlog(L_ERR, "rlm_eap_md5: out of memory");
eapmd5_free(&reply);
return 0;
}
/*
* Get a random challenge.
*/
for (i = 0; i < reply->value_size; i++) {
reply->value[i] = fr_rand();
}
DEBUG2("rlm_eap_md5: Issuing Challenge");
/*
* Keep track of the challenge.
*/
handler->opaque = malloc(reply->value_size);
rad_assert(handler->opaque != NULL);
memcpy(handler->opaque, reply->value, reply->value_size);
handler->free_opaque = free;
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
/*
* We don't need to authorize the user at this point.
*
* We also don't need to keep the challenge, as it's
* stored in 'handler->eap_ds', which will be given back
* to us...
*/
handler->stage = AUTHENTICATE;
return 1;
}
