/*Note:
* We just support EAP proxy.
* rad_send_eap_response
* send a EAP response to radius server
*/
int
rad_send_eap_response(RADIUS_PACKET* rep,const char* secret,const char* pwd)
{
VALUE_PAIR* vp;
int rc;
int old_debug_flag;
vp = NULL;
rc = 0;
old_debug_flag = 0;
/*
* if there are EAP types, encode them into an EAP-Message
*
*/
map_eap_types(rep);
/*
* Fix up Digest-Attributes issues
*/
for (vp = rep->vps; vp != NULL; vp = vp->next) {
switch (vp->attribute) {
default:
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1;
vp->length += 2;
vp->vp_octets[1] = vp->length;
vp->attribute = PW_DIGEST_ATTRIBUTES;
break;
}
}
fr_md5_calc(rep->vector, rep->vector,
sizeof(rep->vector));
if ((pwd != NULL) && (*pwd != '\0')) {
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
vp->length = 17;
}
} /* there WAS a password */
/* send the response*/
if(fr_debug_flag) {
debug_packet(rep,R_SENT);
old_debug_flag = fr_debug_flag;
fr_debug_flag = 0; /*just turn off the debug-flag to avoid rad_send debug out agin*/
}
if(rad_send(rep,NULL,secret) < 0)
rc = -1;
else
rc = 0;
if(old_debug_flag)
fr_debug_flag = old_debug_flag;
return rc;
}
main(int argc, char *argv[])
{
int filedone;
RADIUS_PACKET *req,*req2;
VALUE_PAIR *vp, *vpkey, *vpextra;
extern unsigned int sha1_data_problems;
req = NULL;
req2 = NULL;
filedone = 0;
if(argc>1) {
sha1_data_problems = 1;
}
if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
librad_perror("radclient");
return 1;
}
if ((req = rad_alloc(1)) == NULL) {
librad_perror("radclient");
exit(1);
}
if ((req2 = rad_alloc(1)) == NULL) {
librad_perror("radclient");
exit(1);
}
while(!filedone) {
if(req->vps) pairfree(&req->vps);
if(req2->vps) pairfree(&req2->vps);
if ((req->vps = readvp2(stdin, &filedone, "eapsimlib:")) == NULL) {
break;
}
printf("\nRead:\n");
vp_printlist(stdout, req->vps);
map_eapsim_types(req);
map_eap_types(req);
printf("Mapped to:\n");
vp_printlist(stdout, req->vps);
/* find the EAP-Message, copy it to req2 */
vp = paircopy2(req->vps, PW_EAP_MESSAGE);
if(vp == NULL) continue;
pairadd(&req2->vps, vp);
/* only call unmap for sim types here */
unmap_eap_types(req2);
unmap_eapsim_types(req2);
printf("Unmapped to:\n");
vp_printlist(stdout, req2->vps);
vp = pairfind(req2->vps,
ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC);
vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY);
vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA);
if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
uint8_t calcmac[16];
/* find the EAP-Message, copy it to req2 */
memset(calcmac, 0, sizeof(calcmac));
printf("Confirming MAC...");
if(eapsim_checkmac(req2->vps, vpkey->strvalue,
vpextra->strvalue, vpextra->length,
calcmac)) {
printf("succeed\n");
} else {
int i, j;
printf("calculated MAC (");
for (i = 0; i < 20; i++) {
if(j==4) {
printf("_");
j=0;
}
j++;
printf("%02x", calcmac[i]);
}
printf(" did not match\n");
}
}
fflush(stdout);
}
}
static int sendrecv_eap(RADIUS_PACKET *rep)
{
RADIUS_PACKET *req = NULL;
VALUE_PAIR *vp, *vpnext;
int tried_eap_md5 = 0;
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
} else {
*password = '******';
}
again:
rep->id++;
/*
* if there are EAP types, encode them into an EAP-Message
*
*/
map_eap_types(rep);
/*
* Fix up Digest-Attributes issues
*/
for (vp = rep->vps; vp != NULL; vp = vp->next) {
switch (vp->attribute) {
default:
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1;
vp->length += 2;
vp->vp_octets[1] = vp->length;
vp->attribute = PW_DIGEST_ATTRIBUTES;
break;
}
}
/*
* If we've already sent a packet, free up the old
* one, and ensure that the next packet has a unique
* ID and authentication vector.
*/
if (rep->data) {
free(rep->data);
rep->data = NULL;
}
fr_md5_calc(rep->vector, rep->vector,
sizeof(rep->vector));
if (*password != '\0') {
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0)) != NULL) {
strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
vp->length = strlen(password);
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0)) != NULL) {
strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
vp->length = strlen(password);
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
vp->length = strlen(password);
rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
vp->length = 17;
}
} /* there WAS a password */
/* send the response, wait for the next request */
send_packet(rep, &req);
/* okay got back the packet, go and decode the EAP-Message. */
unmap_eap_types(req);
debug_packet(req, R_RECV);
/* now look for the code type. */
for (vp = req->vps; vp != NULL; vp = vpnext) {
vpnext = vp->next;
switch (vp->attribute) {
default:
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
{
tried_eap_md5++;
goto again;
}
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
if(respond_eap_sim(req, rep))
{
goto again;
}
break;
}
}
return 1;
}
