/*
* Merge a cached entry into a REQUEST.
*/
static void cache_merge(rlm_cache_t *inst, REQUEST *request,
rlm_cache_entry_t *c)
{
VALUE_PAIR *vp;
rad_assert(request != NULL);
rad_assert(c != NULL);
vp = pairfind(request->config_items,
inst->cache_merge->attr,
inst->cache_merge->vendor,
TAG_ANY);
if (vp && (vp->vp_integer == 0)) {
RDEBUG2("Told not to merge entry into request");
return;
}
if (c->control) {
RDEBUG2("Merging cached control list:");
rdebug_pair_list(2, request, c->control);
vp = paircopy(c->control);
pairmove(&request->config_items, &vp);
pairfree(&vp);
}
if (c->request && request->packet) {
RDEBUG2("Merging cached request list:");
rdebug_pair_list(2, request, c->request);
vp = paircopy(c->request);
pairmove(&request->packet->vps, &vp);
pairfree(&vp);
}
if (c->reply && request->reply) {
RDEBUG2("Merging cached reply list:");
rdebug_pair_list(2, request, c->reply);
vp = paircopy(c->reply);
pairmove(&request->reply->vps, &vp);
pairfree(&vp);
}
if (inst->stats) {
vp = pairalloc(inst->cache_entry_hits);
rad_assert(vp != NULL);
vp->vp_integer = c->hits;
pairadd(&request->packet->vps, vp);
}
}
/*
* Merge a cached entry into a REQUEST.
*/
static void cache_merge(rlm_cache_t *inst, REQUEST *request,
rlm_cache_entry_t *c)
{
VALUE_PAIR *vp;
rad_assert(request != NULL);
rad_assert(c != NULL);
vp = pairfind(request->config_items, PW_CACHE_MERGE, 0, TAG_ANY);
if (vp && (vp->vp_integer == 0)) {
RDEBUG2("Told not to merge entry into request");
return;
}
if (c->control) {
RDEBUG2("Merging cached control list:");
rdebug_pair_list(2, request, c->control);
pairadd(&request->config_items, paircopy(request, c->control));
}
if (c->packet && request->packet) {
RDEBUG2("Merging cached request list:");
rdebug_pair_list(2, request, c->packet);
pairadd(&request->packet->vps,
paircopy(request->packet, c->packet));
}
if (c->reply && request->reply) {
RDEBUG2("Merging cached reply list:");
rdebug_pair_list(2, request, c->reply);
pairadd(&request->reply->vps,
paircopy(request->reply, c->reply));
}
if (inst->stats) {
vp = paircreate(request->packet, PW_CACHE_ENTRY_HITS, 0);
rad_assert(vp != NULL);
vp->vp_integer = c->hits;
pairadd(&request->packet->vps, vp);
}
}
/*
* Merge a cached entry into a REQUEST.
*/
static void CC_HINT(nonnull) cache_merge(rlm_cache_t *inst, REQUEST *request, rlm_cache_entry_t *c)
{
VALUE_PAIR *vp;
vp = pairfind(request->config_items, PW_CACHE_MERGE, 0, TAG_ANY);
if (vp && (vp->vp_integer == 0)) {
RDEBUG2("Told not to merge entry into request");
return;
}
RDEBUG2("Merging cache entry into request");
if (c->control) {
rdebug_pair_list(L_DBG_LVL_2, request, c->control, "&control:");
radius_pairmove(request, &request->config_items, paircopy(request, c->control), false);
}
if (c->packet && request->packet) {
rdebug_pair_list(L_DBG_LVL_2, request, c->packet, "&request:");
radius_pairmove(request, &request->packet->vps, paircopy(request->packet, c->packet), false);
}
if (c->reply && request->reply) {
rdebug_pair_list(L_DBG_LVL_2, request, c->reply, "&reply:");
radius_pairmove(request, &request->reply->vps, paircopy(request->reply, c->reply), false);
}
if (inst->stats) {
rad_assert(request->packet != NULL);
vp = pairfind(request->packet->vps, PW_CACHE_ENTRY_HITS, 0, TAG_ANY);
if (!vp) {
vp = paircreate(request->packet, PW_CACHE_ENTRY_HITS, 0);
rad_assert(vp != NULL);
pairadd(&request->packet->vps, vp);
}
vp->vp_integer = c->hits;
}
}
/*
* Run a virtual server auth and postauth
*
*/
int rad_virtual_server(REQUEST *request)
{
VALUE_PAIR *vp;
int result;
RDEBUG("Virtual server %s received request", request->server);
rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, NULL);
RDEBUG("server %s {", request->server);
RINDENT();
/*
* We currently only handle AUTH packets here.
* This could be expanded to handle other packets as well if required.
*/
rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
result = rad_authenticate(request);
if (request->reply->code == PW_CODE_ACCESS_REJECT) {
pairdelete(&request->config, PW_POST_AUTH_TYPE, 0, TAG_ANY);
vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
if (vp) rad_postauth(request);
}
if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
rad_postauth(request);
}
REXDENT();
RDEBUG("} # server %s", request->server);
RDEBUG("Virtual server sending reply");
rdebug_pair_list(L_DBG_LVL_1, request, request->reply->vps, NULL);
return result;
}
/** Send the challenge itself
*
* Challenges will come from one of three places eventually:
*
* 1 from attributes like PW_EAP_SIM_RANDx
* (these might be retrived from a database)
*
* 2 from internally implemented SIM authenticators
* (a simple one based upon XOR will be provided)
*
* 3 from some kind of SS7 interface.
*
* For now, they only come from attributes.
* It might be that the best way to do 2/3 will be with a different
* module to generate/calculate things.
*
*/
static int eap_sim_sendchallenge(eap_handler_t *handler)
{
REQUEST *request = handler->request;
eap_sim_state_t *ess;
VALUE_PAIR **invps, **outvps, *newvp;
RADIUS_PACKET *packet;
uint8_t *p;
ess = (eap_sim_state_t *)handler->opaque;
rad_assert(handler->request != NULL);
rad_assert(handler->request->reply);
/*
* Invps is the data from the client but this is for non-protocol data here.
* We should already have consumed any client originated data.
*/
invps = &handler->request->packet->vps;
/*
* Outvps is the data to the client
*/
packet = handler->request->reply;
outvps = &packet->vps;
if (RDEBUG_ENABLED2) {
RDEBUG2("EAP-SIM decoded packet");
rdebug_pair_list(L_DBG_LVL_2, request, *invps, NULL);
}
/*
* Okay, we got the challenges! Put them into an attribute.
*/
newvp = paircreate(packet, PW_EAP_SIM_RAND, 0);
newvp->length = 2 + (EAPSIM_RAND_SIZE * 3);
newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->length);
memset(p, 0, 2); /* clear reserved bytes */
p += 2;
memcpy(p, ess->keys.rand[0], EAPSIM_RAND_SIZE);
p += EAPSIM_RAND_SIZE;
memcpy(p, ess->keys.rand[1], EAPSIM_RAND_SIZE);
p += EAPSIM_RAND_SIZE;
memcpy(p, ess->keys.rand[2], EAPSIM_RAND_SIZE);
pairadd(outvps, newvp);
/*
* Set the EAP_ID - new value
*/
newvp = paircreate(packet, PW_EAP_ID, 0);
newvp->vp_integer = ess->sim_id++;
pairreplace(outvps, newvp);
/*
* Make a copy of the identity
*/
ess->keys.identitylen = strlen(handler->identity);
memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
/*
* Use the SIM identity, if available
*/
newvp = pairfind(*invps, PW_EAP_SIM_IDENTITY, 0, TAG_ANY);
if (newvp && newvp->length > 2) {
uint16_t len;
memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
len = ntohs(len);
if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
ess->keys.identitylen = len;
memcpy(ess->keys.identity, newvp->vp_octets + 2, ess->keys.identitylen);
}
}
/*
* All set, calculate keys!
*/
eapsim_calculate_keys(&ess->keys);
#ifdef EAP_SIM_DEBUG_PRF
eapsim_dump_mk(&ess->keys);
#endif
/*
* Need to include an AT_MAC attribute so that it will get
* calculated. The NONCE_MT and the MAC are both 16 bytes, so
* We store the NONCE_MT in the MAC for the encoder, which
* will pull it out before it does the operation.
*/
newvp = paircreate(packet, PW_EAP_SIM_MAC, 0);
pairmemcpy(newvp, ess->keys.nonce_mt, 16);
pairreplace(outvps, newvp);
newvp = paircreate(packet, PW_EAP_SIM_KEY, 0);
pairmemcpy(newvp, ess->keys.K_aut, 16);
pairreplace(outvps, newvp);
/* the SUBTYPE, set to challenge. */
newvp = paircreate(packet, PW_EAP_SIM_SUBTYPE, 0);
newvp->vp_integer = EAPSIM_CHALLENGE;
pairreplace(outvps, newvp);
return 1;
}
static int mod_process(void *arg, eap_handler_t *handler)
{
pwd_session_t *session;
pwd_hdr *hdr;
pwd_id_packet_t *packet;
eap_packet_t *response;
REQUEST *request, *fake;
VALUE_PAIR *pw, *vp;
EAP_DS *eap_ds;
size_t in_len;
int ret = 0;
eap_pwd_t *inst = (eap_pwd_t *)arg;
uint16_t offset;
uint8_t exch, *in, *ptr, msk[MSK_EMSK_LEN], emsk[MSK_EMSK_LEN];
uint8_t peer_confirm[SHA256_DIGEST_LENGTH];
if (((eap_ds = handler->eap_ds) == NULL) || !inst) return 0;
session = (pwd_session_t *)handler->opaque;
request = handler->request;
response = handler->eap_ds->response;
hdr = (pwd_hdr *)response->type.data;
/*
* The header must be at least one byte.
*/
if (!hdr || (response->type.length < sizeof(pwd_hdr))) {
RDEBUG("Packet with insufficient data");
return 0;
}
in = hdr->data;
in_len = response->type.length - sizeof(pwd_hdr);
/*
* see if we're fragmenting, if so continue until we're done
*/
if (session->out_pos) {
if (in_len) RDEBUG2("pwd got something more than an ACK for a fragment");
return send_pwd_request(session, eap_ds);
}
/*
* the first fragment will have a total length, make a
* buffer to hold all the fragments
*/
if (EAP_PWD_GET_LENGTH_BIT(hdr)) {
if (session->in) {
RDEBUG2("pwd already alloced buffer for fragments");
return 0;
}
if (in_len < 2) {
RDEBUG("Invalid packet: length bit set, but no length field");
return 0;
}
session->in_len = ntohs(in[0] * 256 | in[1]);
if ((session->in = talloc_zero_array(session, uint8_t, session->in_len)) == NULL) {
RDEBUG2("pwd cannot allocate %zd buffer to hold fragments",
session->in_len);
return 0;
}
memset(session->in, 0, session->in_len);
session->in_pos = 0;
in += sizeof(uint16_t);
in_len -= sizeof(uint16_t);
}
/*
* all fragments, including the 1st will have the M(ore) bit set,
* buffer those fragments!
*/
if (EAP_PWD_GET_MORE_BIT(hdr)) {
rad_assert(session->in != NULL);
if ((session->in_pos + in_len) > session->in_len) {
RDEBUG2("Fragment overflows packet.");
return 0;
}
memcpy(session->in + session->in_pos, in, in_len);
session->in_pos += in_len;
/*
* send back an ACK for this fragment
*/
exch = EAP_PWD_GET_EXCHANGE(hdr);
eap_ds->request->code = PW_EAP_REQUEST;
eap_ds->request->type.num = PW_EAP_PWD;
eap_ds->request->type.length = sizeof(pwd_hdr);
if ((eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, sizeof(pwd_hdr))) == NULL) {
return 0;
}
hdr = (pwd_hdr *)eap_ds->request->type.data;
EAP_PWD_SET_EXCHANGE(hdr, exch);
return 1;
}
if (session->in) {
/*
* the last fragment...
*/
if ((session->in_pos + in_len) > session->in_len) {
RDEBUG2("pwd will not overflow a fragment buffer. Nope, not prudent");
return 0;
}
memcpy(session->in + session->in_pos, in, in_len);
in = session->in;
in_len = session->in_len;
}
switch (session->state) {
case PWD_STATE_ID_REQ:
{
BIGNUM *x = NULL, *y = NULL;
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_ID) {
RDEBUG2("pwd exchange is incorrect: not ID");
return 0;
}
packet = (pwd_id_packet_t *) in;
if (in_len < sizeof(*packet)) {
RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(*packet));
return 0;
}
if ((packet->prf != EAP_PWD_DEF_PRF) ||
(packet->random_function != EAP_PWD_DEF_RAND_FUN) ||
(packet->prep != EAP_PWD_PREP_NONE) ||
(CRYPTO_memcmp(packet->token, &session->token, 4)) ||
(packet->group_num != ntohs(session->group_num))) {
RDEBUG2("pwd id response is invalid");
return 0;
}
/*
* we've agreed on the ciphersuite, record it...
*/
ptr = (uint8_t *)&session->ciphersuite;
memcpy(ptr, (char *)&packet->group_num, sizeof(uint16_t));
ptr += sizeof(uint16_t);
*ptr = EAP_PWD_DEF_RAND_FUN;
ptr += sizeof(uint8_t);
*ptr = EAP_PWD_DEF_PRF;
session->peer_id_len = in_len - sizeof(pwd_id_packet_t);
if (session->peer_id_len >= sizeof(session->peer_id)) {
RDEBUG2("pwd id response is malformed");
return 0;
}
memcpy(session->peer_id, packet->identity, session->peer_id_len);
session->peer_id[session->peer_id_len] = '\0';
/*
* make fake request to get the password for the usable ID
*/
if ((fake = request_alloc_fake(handler->request)) == NULL) {
RDEBUG("pwd unable to create fake request!");
return 0;
}
fake->username = fr_pair_afrom_num(fake->packet, PW_USER_NAME, 0);
if (!fake->username) {
RDEBUG("Failed creating pair for peer id");
talloc_free(fake);
return 0;
}
fr_pair_value_bstrncpy(fake->username, session->peer_id, session->peer_id_len);
fr_pair_add(&fake->packet->vps, fake->username);
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (inst->virtual_server) {
fake->server = inst->virtual_server;
} /* else fake->server == request->server */
RDEBUG("Sending tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
if (fake->server) {
RDEBUG("server %s {", fake->server);
} else {
RDEBUG("server {");
}
/*
* Call authorization recursively, which will
* get the password.
*/
RINDENT();
process_authorize(0, fake);
REXDENT();
/*
* Note that we don't do *anything* with the reply
* attributes.
*/
if (fake->server) {
RDEBUG("} # server %s", fake->server);
} else {
RDEBUG("}");
}
RDEBUG("Got tunneled reply code %d", fake->reply->code);
rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
if ((pw = fr_pair_find_by_num(fake->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL) {
DEBUG2("failed to find password for %s to do pwd authentication",
session->peer_id);
talloc_free(fake);
return 0;
}
if (compute_password_element(session, session->group_num,
pw->data.strvalue, strlen(pw->data.strvalue),
inst->server_id, strlen(inst->server_id),
session->peer_id, strlen(session->peer_id),
&session->token)) {
DEBUG2("failed to obtain password element");
talloc_free(fake);
return 0;
}
TALLOC_FREE(fake);
/*
* compute our scalar and element
*/
if (compute_scalar_element(session, inst->bnctx)) {
DEBUG2("failed to compute server's scalar and element");
return 0;
}
MEM(x = BN_new());
MEM(y = BN_new());
/*
* element is a point, get both coordinates: x and y
*/
if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y,
inst->bnctx)) {
DEBUG2("server point assignment failed");
BN_clear_free(x);
BN_clear_free(y);
return 0;
}
/*
* construct request
*/
session->out_len = BN_num_bytes(session->order) + (2 * BN_num_bytes(session->prime));
if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
return 0;
}
memset(session->out, 0, session->out_len);
ptr = session->out;
offset = BN_num_bytes(session->prime) - BN_num_bytes(x);
BN_bn2bin(x, ptr + offset);
BN_clear_free(x);
ptr += BN_num_bytes(session->prime);
offset = BN_num_bytes(session->prime) - BN_num_bytes(y);
BN_bn2bin(y, ptr + offset);
BN_clear_free(y);
ptr += BN_num_bytes(session->prime);
offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar);
BN_bn2bin(session->my_scalar, ptr + offset);
session->state = PWD_STATE_COMMIT;
ret = send_pwd_request(session, eap_ds);
}
break;
case PWD_STATE_COMMIT:
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_COMMIT) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
/*
* process the peer's commit and generate the shared key, k
*/
if (process_peer_commit(session, in, in_len, inst->bnctx)) {
RDEBUG2("failed to process peer's commit");
return 0;
}
/*
* compute our confirm blob
*/
if (compute_server_confirm(session, session->my_confirm, inst->bnctx)) {
ERROR("rlm_eap_pwd: failed to compute confirm!");
return 0;
}
/*
* construct a response...which is just our confirm blob
*/
session->out_len = SHA256_DIGEST_LENGTH;
if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
return 0;
}
memset(session->out, 0, session->out_len);
memcpy(session->out, session->my_confirm, SHA256_DIGEST_LENGTH);
session->state = PWD_STATE_CONFIRM;
ret = send_pwd_request(session, eap_ds);
break;
case PWD_STATE_CONFIRM:
if (in_len < SHA256_DIGEST_LENGTH) {
RDEBUG("Peer confirm is too short (%zd < %d)",
in_len, SHA256_DIGEST_LENGTH);
return 0;
}
if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_CONFIRM) {
RDEBUG2("pwd exchange is incorrect: not commit!");
return 0;
}
if (compute_peer_confirm(session, peer_confirm, inst->bnctx)) {
RDEBUG2("pwd exchange cannot compute peer's confirm");
return 0;
}
if (CRYPTO_memcmp(peer_confirm, in, SHA256_DIGEST_LENGTH)) {
RDEBUG2("pwd exchange fails: peer confirm is incorrect!");
return 0;
}
if (compute_keys(session, peer_confirm, msk, emsk)) {
RDEBUG2("pwd exchange cannot generate (E)MSK!");
return 0;
}
eap_ds->request->code = PW_EAP_SUCCESS;
/*
* return the MSK (in halves)
*/
eap_add_reply(handler->request, "MS-MPPE-Recv-Key", msk, MPPE_KEY_LEN);
eap_add_reply(handler->request, "MS-MPPE-Send-Key", msk + MPPE_KEY_LEN, MPPE_KEY_LEN);
ret = 1;
break;
default:
RDEBUG2("unknown PWD state");
return 0;
}
/*
* we processed the buffered fragments, get rid of them
*/
if (session->in) {
talloc_free(session->in);
session->in = NULL;
}
return ret;
}
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
rlm_sql_t *inst = instance;
rlm_sql_handle_t *handle;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
bool user_found = false;
sql_fall_through_t do_fall_through = FALL_THROUGH_DEFAULT;
int rows;
char *expanded = NULL;
rad_assert(request->packet != NULL);
rad_assert(request->reply != NULL);
if (!inst->config->authorize_check_query && !inst->config->authorize_reply_query &&
!inst->config->read_groups && !inst->config->read_profiles) {
RWDEBUG("No authorization checks configured, returning noop");
return RLM_MODULE_NOOP;
}
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* Reserve a socket
*
* After this point use goto error or goto release to cleanup socket temporary pairlists and
* temporary attributes.
*/
handle = sql_get_socket(inst);
if (!handle) {
rcode = RLM_MODULE_FAIL;
goto error;
}
/*
* Query the check table to find any conditions associated with this user/realm/whatever...
*/
if (inst->config->authorize_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
if (radius_axlat(&expanded, request, inst->config->authorize_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request, inst, &handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply; /* Don't need to free VPs we don't have */
/*
* Only do this if *some* check pairs were returned
*/
RDEBUG2("User found in radcheck table");
user_found = true;
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0) {
pairfree(&check_tmp);
check_tmp = NULL;
goto skipreply;
}
RDEBUG2("Conditional check items matched, merging assignment check items");
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(2, request, vp);
}
REXDENT();
radius_pairmove(request, &request->config_items, check_tmp, true);
rcode = RLM_MODULE_OK;
check_tmp = NULL;
}
if (inst->config->authorize_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request->reply, inst, &handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply;
do_fall_through = fall_through(reply_tmp);
RDEBUG2("User found in radreply table, merging reply items");
user_found = true;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
rcode = RLM_MODULE_OK;
reply_tmp = NULL;
}
skipreply:
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_groups && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
RDEBUG3("... falling-through to group processing");
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* Repeat the above process with the default profile or User-Profile
*/
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
/*
* Check for a default_profile or for a User-Profile.
*/
RDEBUG3("... falling-through to profile processing");
user_profile = pairfind(request->config_items, PW_USER_PROFILE, 0, TAG_ANY);
char const *profile = user_profile ?
user_profile->vp_strvalue :
inst->config->default_profile;
if (!profile || !*profile) {
goto release;
}
RDEBUG2("Checking profile %s", profile);
if (sql_set_user(inst, request, profile) < 0) {
REDEBUG("Error setting profile");
rcode = RLM_MODULE_FAIL;
goto error;
}
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* At this point the key (user) hasn't be found in the check table, the reply table
* or the group mapping table, and there was no matching profile.
*/
release:
if (!user_found) {
rcode = RLM_MODULE_NOTFOUND;
}
sql_release_socket(inst, handle);
sql_unset_user(inst, request);
return rcode;
error:
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_unset_user(inst, request);
sql_release_socket(inst, handle);
return rcode;
}
static rlm_rcode_t rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t **handle,
sql_fall_through_t *do_fall_through)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
VALUE_PAIR *check_tmp = NULL, *reply_tmp = NULL, *sql_group = NULL;
rlm_sql_grouplist_t *head = NULL, *entry = NULL;
char *expanded = NULL;
int rows;
rad_assert(request->packet != NULL);
/*
* Get the list of groups this user is a member of
*/
rows = sql_get_grouplist(inst, handle, request, &head);
if (rows < 0) {
REDEBUG("Error retrieving group list");
return RLM_MODULE_FAIL;
}
if (rows == 0) {
RDEBUG2("User not found in any groups");
rcode = RLM_MODULE_NOTFOUND;
goto finish;
}
rad_assert(head);
RDEBUG2("User found in the group table");
entry = head;
do {
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pairmake_packet("Sql-Group", entry->name, T_OP_EQ);
if (!sql_group) {
REDEBUG("Error creating Sql-Group attribute");
rcode = RLM_MODULE_FAIL;
goto finish;
}
if (inst->config->authorize_group_check_query && (*inst->config->authorize_group_check_query != '\0')) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
/*
* Expand the group query
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request, inst, handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving check pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* If we got check rows we need to process them before we decide to process the reply rows
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0)) {
pairfree(&check_tmp);
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
continue;
}
RDEBUG2("Group \"%s\": Conditional check items matched", entry->name);
rcode = RLM_MODULE_OK;
RDEBUG2("Group \"%s\": Merging assignment check items", entry->name);
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(2, request, vp);
}
REXDENT();
radius_pairmove(request, &request->config_items, check_tmp, true);
check_tmp = NULL;
}
if (inst->config->authorize_group_reply_query && (*inst->config->authorize_group_reply_query != '\0')) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request->reply, inst, handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving reply pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
*do_fall_through = fall_through(reply_tmp);
RDEBUG2("Group \"%s\": Merging reply items", entry->name);
rcode = RLM_MODULE_OK;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
reply_tmp = NULL;
}
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
entry = entry->next;
} while (entry != NULL && (*do_fall_through == FALL_THROUGH_YES));
finish:
talloc_free(head);
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
return rcode;
}
/*
* Do authentication, by letting EAP-TLS do most of the work.
*/
static int mod_process(void *arg, eap_handler_t *handler)
{
int rcode;
fr_tls_status_t status;
rlm_eap_peap_t *inst = (rlm_eap_peap_t *) arg;
tls_session_t *tls_session = (tls_session_t *) handler->opaque;
peap_tunnel_t *peap = tls_session->opaque;
REQUEST *request = handler->request;
/*
* Session resumption requires the storage of data, so
* allocate it if it doesn't already exist.
*/
if (!tls_session->opaque) {
peap = tls_session->opaque = peap_alloc(tls_session, inst);
}
status = eaptls_process(handler);
RDEBUG2("eaptls_process returned %d\n", status);
switch (status) {
/*
* EAP-TLS handshake was successful, tell the
* client to keep talking.
*
* If this was EAP-TLS, we would just return
* an EAP-TLS-Success packet here.
*/
case FR_TLS_SUCCESS:
RDEBUG2("FR_TLS_SUCCESS");
peap->status = PEAP_STATUS_TUNNEL_ESTABLISHED;
break;
/*
* The TLS code is still working on the TLS
* exchange, and it's a valid TLS request.
* do nothing.
*/
case FR_TLS_HANDLED:
/*
* FIXME: If the SSL session is established, grab the state
* and EAP id from the inner tunnel, and update it with
* the expected EAP id!
*/
RDEBUG2("FR_TLS_HANDLED");
return 1;
/*
* Handshake is done, proceed with decoding tunneled
* data.
*/
case FR_TLS_OK:
RDEBUG2("FR_TLS_OK");
break;
/*
* Anything else: fail.
*/
default:
RDEBUG2("FR_TLS_OTHERS");
return 0;
}
/*
* Session is established, proceed with decoding
* tunneled data.
*/
RDEBUG2("Session established. Decoding tunneled attributes");
/*
* We may need PEAP data associated with the session, so
* allocate it here, if it wasn't already alloacted.
*/
if (!tls_session->opaque) {
tls_session->opaque = peap_alloc(tls_session, inst);
}
/*
* Process the PEAP portion of the request.
*/
rcode = eappeap_process(handler, tls_session);
switch (rcode) {
case RLM_MODULE_REJECT:
eaptls_fail(handler, 0);
return 0;
case RLM_MODULE_HANDLED:
eaptls_request(handler->eap_ds, tls_session);
return 1;
case RLM_MODULE_OK:
/*
* Move the saved VP's from the Access-Accept to
* our Access-Accept.
*/
peap = tls_session->opaque;
if (peap->soh_reply_vps) {
RDEBUG2("Using saved attributes from the SoH reply");
rdebug_pair_list(L_DBG_LVL_2, request, peap->soh_reply_vps, NULL);
pairfilter(handler->request->reply,
&handler->request->reply->vps,
&peap->soh_reply_vps, 0, 0, TAG_ANY);
}
if (peap->accept_vps) {
RDEBUG2("Using saved attributes from the original Access-Accept");
rdebug_pair_list(L_DBG_LVL_2, request, peap->accept_vps, NULL);
pairfilter(handler->request->reply,
&handler->request->reply->vps,
&peap->accept_vps, 0, 0, TAG_ANY);
} else if (peap->use_tunneled_reply) {
RDEBUG2("No saved attributes in the original Access-Accept");
}
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
/*
* No response packet, MUST be proxying it.
* The main EAP module will take care of discovering
* that the request now has a "proxy" packet, and
* will proxy it, rather than returning an EAP packet.
*/
case RLM_MODULE_UPDATED:
#ifdef WITH_PROXY
rad_assert(handler->request->proxy != NULL);
#endif
return 1;
default:
break;
}
eaptls_fail(handler, 0);
return 0;
}
/*
* Process the "diameter" contents of the tunneled data.
*/
PW_CODE eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
PW_CODE code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
uint8_t const *data;
size_t data_len;
REQUEST *request = handler->request;
chbind_packet_t *chbind;
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = (ttls_tunnel_t *) tls_session->opaque;
/*
* If there's no data, maybe this is an ACK to an
* MS-CHAP2-Success.
*/
if (data_len == 0) {
if (t->authenticated) {
RDEBUG("Got ACK, and the user was already authenticated");
return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* FIXME: Call SSL_get_error() to see what went
* wrong.
*/
RDEBUG2("SSL_read Error");
return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
if ((rad_debug_lvl > 2) && fr_log_fp) {
size_t i;
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i);
fprintf(fr_log_fp, "%02x ", data[i]);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
}
if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n");
}
#endif
if (!diameter_verify(request, data, data_len)) {
return PW_CODE_ACCESS_REJECT;
}
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request);
rad_assert(!fake->packet->vps);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
talloc_free(fake);
return PW_CODE_ACCESS_REJECT;
}
/*
* Tell the request that it's a fake one.
*/
pair_make_request("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
RDEBUG("Got tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
fake->password = fr_pair_find_by_num(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ);
rad_assert(t->username != NULL);
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
/*
* If there's a default EAP type,
* set it here.
*/
if (t->default_method != 0) {
RDEBUG("Setting default EAP type for tunneled EAP session");
vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
fr_pair_add(&fake->config, vp);
}
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_list_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
}
} /* else the request ALREADY had a User-Name */
/*
* Add the State attribute, too, if it exists.
*/
if (t->state) {
vp = fr_pair_list_copy(fake->packet, t->state);
if (vp) fr_pair_add(&fake->packet->vps, vp);
}
/*
* If this is set, we copy SOME of the request attributes
* from outside of the tunnel to inside of the tunnel.
*
* We copy ONLY those attributes which do NOT already
* exist in the tunneled request.
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
vp_cursor_t cursor;
for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
*/
if ((vp->da->attr > 255) &&
(vp->da->vendor == 0)) {
continue;
}
/*
* The outside attribute is already in the
* tunnel, don't copy it.
*
* This works for BOTH attributes which
* are originally in the tunneled request,
* AND attributes which are copied there
* from below.
*/
if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) {
continue;
}
/*
* Some attributes are handled specially.
*/
switch (vp->da->attr) {
/*
* NEVER copy Message-Authenticator,
* EAP-Message, or State. They're
* only for outside of the tunnel.
*/
case PW_USER_NAME:
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_CHAP_CHALLENGE:
case PW_PROXY_STATE:
case PW_MESSAGE_AUTHENTICATOR:
case PW_EAP_MESSAGE:
case PW_STATE:
continue;
/*
* By default, copy it over.
*/
default:
break;
}
/*
* Don't copy from the head, we've already
* checked it.
*/
copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY);
fr_pair_add(&fake->packet->vps, copy);
}
}
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (t->virtual_server) {
fake->server = t->virtual_server;
} /* else fake->server == request->server */
if ((rad_debug_lvl > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
}
/*
* Process channel binding.
*/
chbind = eap_chbind_vp2packet(fake, fake->packet->vps);
if (chbind) {
PW_CODE chbind_code;
CHBIND_REQ *req = talloc_zero(fake, CHBIND_REQ);
RDEBUG("received chbind request");
req->request = chbind;
if (fake->username) {
req->username = fake->username;
} else {
req->username = NULL;
}
chbind_code = chbind_process(request, req);
/* encapsulate response here */
if (req->response) {
RDEBUG("sending chbind response");
fr_pair_add(&fake->reply->vps,
eap_chbind_packet2vp(fake, req->response));
} else {
RDEBUG("no chbind response");
}
/* clean up chbind req */
talloc_free(req);
if (chbind_code != PW_CODE_ACCESS_ACCEPT) {
return chbind_code;
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
rad_virtual_server(fake);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_num(fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY);
if (vp) {
eap_tunnel_data_t *tunnel;
RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue);
/*
* Tell the original request that it's going
* to be proxied.
*/
fr_pair_list_move_by_num(request, &request->config,
&fake->config,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* Seed the proxy packet with the
* tunneled request.
*/
rad_assert(!request->proxy);
request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
request->proxy->src_port = 0;
request->proxy->dst_port = 0;
fake->packet = NULL;
rad_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
tunnel->callback = eapttls_postproxy;
/*
* Associate the callback with the request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false);
rad_assert(code == 0);
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
*
* So we associate the fake request with
* this request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
code = PW_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return PW_FOO
*/
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = PW_CODE_ACCESS_ACCEPT;
break;
default:
code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
/*
* Do post-proxy processing,
*/
static int CC_HINT(nonnull) eapttls_postproxy(eap_handler_t *handler, void *data)
{
int rcode;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
* request, do more processing of it.
*/
fake = (REQUEST *) request_data_get(handler->request,
handler->request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK);
/*
* Do the callback, if it exists, and if it was a success.
*/
if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "server %s {\n",
(!fake->server) ? "" : fake->server);
}
/*
* Perform a post-auth stage for the tunneled
* session.
*/
fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(!fake->server) ? "" : fake->server);
RDEBUG("Final reply from tunneled session code %d", fake->reply->code);
rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
}
/*
* Terrible hacks.
*/
request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
* And we're done with this request.
*/
switch (rcode) {
case RLM_MODULE_FAIL:
talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
request->proxy_reply->code);
break;
}
}
talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
*/
rcode = process_reply(handler, tls_session, handler->request, handler->request->proxy_reply);
/*
* The proxy code uses the reply from the home server as
* the basis for the reply to the NAS. We don't want that,
* so we toss it, after we've had our way with it.
*/
fr_pair_list_free(&handler->request->proxy_reply->vps);
switch (rcode) {
case RLM_MODULE_REJECT:
RDEBUG("Reply was rejected");
break;
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
RDEBUG("Reply was OK");
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
default:
RDEBUG("Reply was unknown");
break;
}
eaptls_fail(handler, 0);
return 0;
}
/*
* Use a reply packet to determine what to do.
*/
static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *handler, tls_session_t *tls_session,
REQUEST *request, RADIUS_PACKET *reply)
{
rlm_rcode_t rcode = RLM_MODULE_REJECT;
VALUE_PAIR *vp;
ttls_tunnel_t *t = tls_session->opaque;
rad_assert(handler->request == request);
/*
* If the response packet was Access-Accept, then
* we're OK. If not, die horribly.
*
* FIXME: Take MS-CHAP2-Success attribute, and
* tunnel it back to the client, to authenticate
* ourselves to the client.
*
* FIXME: If we have an Access-Challenge, then
* the Reply-Message is tunneled back to the client.
*
* FIXME: If we have an EAP-Message, then that message
* must be tunneled back to the client.
*
* FIXME: If we have an Access-Challenge with a State
* attribute, then do we tunnel that to the client, or
* keep track of it ourselves?
*
* FIXME: EAP-Messages can only start with 'identity',
* NOT 'eap start', so we should check for that....
*/
switch (reply->code) {
case PW_CODE_ACCESS_ACCEPT:
RDEBUG("Got tunneled Access-Accept");
rcode = RLM_MODULE_OK;
/*
* MS-CHAP2-Success means that we do NOT return
* an Access-Accept, but instead tunnel that
* attribute to the client, and keep going with
* the TTLS session. Once the client accepts
* our identity, it will respond with an empty
* packet, and we will send EAP-Success.
*/
vp = NULL;
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
if (vp) {
RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge");
rcode = RLM_MODULE_HANDLED;
t->authenticated = true;
/*
* Delete MPPE keys & encryption policy. We don't
* want these here.
*/
fr_pair_delete_by_num(&reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
/*
* Use the tunneled reply, but not now.
*/
if (t->use_tunneled_reply) {
rad_assert(!t->accept_vps);
fr_pair_list_move_by_num(t, &t->accept_vps, &reply->vps,
0, 0, TAG_ANY);
rad_assert(!reply->vps);
}
} else { /* no MS-CHAP2-Success */
/*
* Can only have EAP-Message if there's
* no MS-CHAP2-Success. (FIXME: EAP-MSCHAP?)
*
* We also do NOT tunnel the EAP-Success
* attribute back to the client, as the client
* can figure it out, from the non-tunneled
* EAP-Success packet.
*/
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
fr_pair_list_free(&vp);
}
/* move channel binding responses; we need to send them */
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
if (fr_pair_find_by_num(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
t->authenticated = true;
/*
* Use the tunneled reply, but not now.
*/
if (t->use_tunneled_reply) {
rad_assert(!t->accept_vps);
fr_pair_list_move_by_num(t, &t->accept_vps, &reply->vps,
0, 0, TAG_ANY);
rad_assert(!reply->vps);
}
rcode = RLM_MODULE_HANDLED;
}
/*
* Handle the ACK, by tunneling any necessary reply
* VP's back to the client.
*/
if (vp) {
RDEBUG("Sending tunneled reply attributes");
rdebug_pair_list(L_DBG_LVL_1, request, vp, NULL);
vp2diameter(request, tls_session, vp);
fr_pair_list_free(&vp);
}
/*
* If we've been told to use the attributes from
* the reply, then do so.
*
* WARNING: This may leak information about the
* tunneled user!
*/
if (t->use_tunneled_reply) {
fr_pair_delete_by_num(&reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
fr_pair_list_move_by_num(request->reply, &request->reply->vps,
&reply->vps, 0, 0, TAG_ANY);
}
break;
case PW_CODE_ACCESS_REJECT:
RDEBUG("Got tunneled Access-Reject");
rcode = RLM_MODULE_REJECT;
break;
/*
* Handle Access-Challenge, but only if we
* send tunneled reply data. This is because
* an Access-Challenge means that we MUST tunnel
* a Reply-Message to the client.
*/
case PW_CODE_ACCESS_CHALLENGE:
RDEBUG("Got tunneled Access-Challenge");
/*
* Keep the State attribute, if necessary.
*
* Get rid of the old State, too.
*/
fr_pair_list_free(&t->state);
fr_pair_list_move_by_num(t, &t->state, &reply->vps, PW_STATE, 0, TAG_ANY);
/*
* We should really be a bit smarter about this,
* and move over only those attributes which
* are relevant to the authentication request,
* but that's a lot more work, and this "dumb"
* method works in 99.9% of the situations.
*/
vp = NULL;
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
/*
* There MUST be a Reply-Message in the challenge,
* which we tunnel back to the client.
*
* If there isn't one in the reply VP's, then
* we MUST create one, with an empty string as
* it's value.
*/
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_REPLY_MESSAGE, 0, TAG_ANY);
/* also move chbind messages, if any */
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA,
TAG_ANY);
/*
* Handle the ACK, by tunneling any necessary reply
* VP's back to the client.
*/
if (vp) {
vp2diameter(request, tls_session, vp);
fr_pair_list_free(&vp);
}
rcode = RLM_MODULE_HANDLED;
break;
default:
RDEBUG("Unknown RADIUS packet type %d: rejecting tunneled user", reply->code);
rcode = RLM_MODULE_INVALID;
break;
}
return rcode;
}
static rlm_rcode_t rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t **handle,
sql_fall_through_t *do_fall_through)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
VALUE_PAIR *check_tmp = NULL, *reply_tmp = NULL, *sql_group = NULL;
rlm_sql_grouplist_t *head = NULL, *entry = NULL;
char *expanded = NULL;
int rows;
rad_assert(request->packet != NULL);
if (!inst->config->groupmemb_query) {
RWARN("Cannot do check groups when group_membership_query is not set");
do_nothing:
*do_fall_through = FALL_THROUGH_DEFAULT;
/*
* Didn't add group attributes or allocate
* memory, so don't do anything else.
*/
return RLM_MODULE_NOTFOUND;
}
/*
* Get the list of groups this user is a member of
*/
rows = sql_get_grouplist(inst, handle, request, &head);
if (rows < 0) {
REDEBUG("Error retrieving group list");
return RLM_MODULE_FAIL;
}
if (rows == 0) {
RDEBUG2("User not found in any groups");
goto do_nothing;
}
rad_assert(head);
RDEBUG2("User found in the group table");
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pair_make_request(inst->group_da->name, NULL, T_OP_EQ);
if (!sql_group) {
REDEBUG("Error creating %s attribute", inst->group_da->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry = head;
do {
next:
rad_assert(entry != NULL);
fr_pair_value_strcpy(sql_group, entry->name);
if (inst->config->authorize_group_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
/*
* Expand the group query
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_check_query,
inst->sql_escape_func, *handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request, inst, request, handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving check pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* If we got check rows we need to process them before we decide to
* process the reply rows
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0)) {
fr_pair_list_free(&check_tmp);
entry = entry->next;
if (!entry) break;
goto next; /* != continue */
}
RDEBUG2("Group \"%s\": Conditional check items matched", entry->name);
rcode = RLM_MODULE_OK;
RDEBUG2("Group \"%s\": Merging assignment check items", entry->name);
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
}
REXDENT();
radius_pairmove(request, &request->config, check_tmp, true);
check_tmp = NULL;
}
if (inst->config->authorize_group_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_reply_query,
inst->sql_escape_func, *handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request->reply, inst, request, handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving reply pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
*do_fall_through = fall_through(reply_tmp);
RDEBUG2("Group \"%s\": Merging reply items", entry->name);
rcode = RLM_MODULE_OK;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp, NULL);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
reply_tmp = NULL;
/*
* If there's no reply query configured, then we assume
* FALL_THROUGH_NO, which is the same as the users file if you
* had no reply attributes.
*/
} else {
*do_fall_through = FALL_THROUGH_DEFAULT;
}
entry = entry->next;
} while (entry != NULL && (*do_fall_through == FALL_THROUGH_YES));
finish:
talloc_free(head);
fr_pair_delete_by_num(&request->packet->vps, 0, inst->group_da->attr, TAG_ANY);
return rcode;
}
