/*
* Find the named user in this modules database. Create the set
* of attribute-value pairs to check and reply with for this user
* from the database. The authentication code only needs to check
* the password, the rest is done here.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(UNUSED void *instance,
REQUEST *request)
{
VALUE_PAIR *passwd_item, *chap;
uint8_t pass_str[MAX_STRING_LEN];
if (!request->username) {
RWDEBUG("Attribute 'User-Name' is required for authentication.\n");
return RLM_MODULE_INVALID;
}
chap = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
if (!chap) {
REDEBUG("You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!");
return RLM_MODULE_INVALID;
}
if (chap->length == 0) {
REDEBUG("CHAP-Password is empty");
return RLM_MODULE_INVALID;
}
if (chap->length != CHAP_VALUE_LENGTH + 1) {
REDEBUG("CHAP-Password has invalid length");
return RLM_MODULE_INVALID;
}
/*
* Don't print out the CHAP password here. It's binary crap.
*/
RDEBUG("Login attempt by \"%s\" with CHAP password",
request->username->vp_strvalue);
if ((passwd_item = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL){
if (pairfind(request->config_items, PW_USER_PASSWORD, 0, TAG_ANY) != NULL){
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
REDEBUG("!!! Please update your configuration so that the \"known !!!");
REDEBUG("!!! good\" cleartext password is in Cleartext-Password, !!!");
REDEBUG("!!! and NOT in User-Password. !!!");
REDEBUG("!!! !!!");
REDEBUG("!!! Authentication will fail because of this. !!!");
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
}
REDEBUG("Cleartext password is required for authentication");
return RLM_MODULE_INVALID;
}
rad_chap_encode(request->packet, pass_str,
chap->vp_octets[0], passwd_item);
if (RDEBUG_ENABLED3) {
uint8_t const *p;
size_t length;
VALUE_PAIR *vp;
char buffer[CHAP_VALUE_LENGTH * 2 + 1];
RDEBUG3("Comparing with \"known good\" Cleartext-Password \"%s\"", passwd_item->vp_strvalue);
vp = pairfind(request->packet->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY);
if (vp) {
p = vp->vp_octets;
length = vp->length;
} else {
p = request->packet->vector;
length = sizeof(request->packet->vector);
}
fr_bin2hex(buffer, p, length);
RINDENT();
RDEBUG3("CHAP challenge : %s", buffer);
fr_bin2hex(buffer, chap->vp_octets + 1, CHAP_VALUE_LENGTH);
RDEBUG3("Client sent : %s", buffer);
fr_bin2hex(buffer, pass_str + 1, CHAP_VALUE_LENGTH);
RDEBUG3("We calculated : %s", buffer);
REXDENT();
} else {
RDEBUG2("Comparing with \"known good\" Cleartext-Password");
}
if (rad_digest_cmp(pass_str + 1, chap->vp_octets + 1,
CHAP_VALUE_LENGTH) != 0) {
REDEBUG("Password is comparison failed: password is incorrect");
return RLM_MODULE_REJECT;
}
RDEBUG("CHAP user \"%s\" authenticated successfully",
request->username->vp_strvalue);
return RLM_MODULE_OK;
}
/*
* Send one packet.
*/
static int send_one_packet(rc_request_t *request)
{
assert(request->done == false);
/*
* Remember when we have to wake up, to re-send the
* request, of we didn't receive a reply.
*/
if ((sleep_time == -1) || (sleep_time > (int) timeout)) sleep_time = (int) timeout;
/*
* Haven't sent the packet yet. Initialize it.
*/
if (request->packet->id == -1) {
int i;
bool rcode;
assert(request->reply == NULL);
/*
* Didn't find a free packet ID, we're not done,
* we don't sleep, and we stop trying to process
* this packet.
*/
retry:
request->packet->src_ipaddr.af = server_ipaddr.af;
rcode = fr_packet_list_id_alloc(pl, ipproto, &request->packet, NULL);
if (!rcode) {
int mysockfd;
#ifdef WITH_TCP
if (proto) {
mysockfd = fr_socket_client_tcp(NULL,
&request->packet->dst_ipaddr,
request->packet->dst_port, false);
} else
#endif
mysockfd = fr_socket(&client_ipaddr, 0);
if (mysockfd < 0) {
ERROR("Failed opening socket");
exit(1);
}
if (!fr_packet_list_socket_add(pl, mysockfd, ipproto,
&request->packet->dst_ipaddr,
request->packet->dst_port, NULL)) {
ERROR("Can't add new socket");
exit(1);
}
goto retry;
}
assert(request->packet->id != -1);
assert(request->packet->data == NULL);
for (i = 0; i < 4; i++) {
((uint32_t *) request->packet->vector)[i] = fr_rand();
}
/*
* Update the password, so it can be encrypted with the
* new authentication vector.
*/
if (request->password) {
VALUE_PAIR *vp;
if ((vp = fr_pair_find_by_num(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
fr_pair_value_strcpy(vp, request->password->vp_strvalue);
} else if ((vp = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
uint8_t buffer[17];
rad_chap_encode(request->packet, buffer, fr_rand() & 0xff, request->password);
fr_pair_value_memcpy(vp, buffer, 17);
} else if (fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_PASSWORD, 0, TAG_ANY) != NULL) {
mschapv1_encode(request->packet, &request->packet->vps, request->password->vp_strvalue);
} else {
DEBUG("WARNING: No password in the request");
}
}
request->timestamp = time(NULL);
request->tries = 1;
request->resend++;
} else { /* request->packet->id >= 0 */
time_t now = time(NULL);
/*
* FIXME: Accounting packets are never retried!
* The Acct-Delay-Time attribute is updated to
* reflect the delay, and the packet is re-sent
* from scratch!
*/
/*
* Not time for a retry, do so.
*/
if ((now - request->timestamp) < timeout) {
/*
* When we walk over the tree sending
* packets, we update the minimum time
* required to sleep.
*/
if ((sleep_time == -1) ||
(sleep_time > (now - request->timestamp))) {
sleep_time = now - request->timestamp;
}
return 0;
}
/*
* We're not trying later, maybe the packet is done.
*/
if (request->tries == retries) {
assert(request->packet->id >= 0);
/*
* Delete the request from the tree of
* outstanding requests.
*/
fr_packet_list_yank(pl, request->packet);
REDEBUG("No reply from server for ID %d socket %d",
request->packet->id, request->packet->sockfd);
deallocate_id(request);
/*
* Normally we mark it "done" when we've received
* the reply, but this is a special case.
*/
if (request->resend == resend_count) {
request->done = true;
}
stats.lost++;
return -1;
}
/*
* We are trying later.
*/
request->timestamp = now;
request->tries++;
}
/*
* Send the packet.
*/
if (rad_send(request->packet, NULL, secret) < 0) {
REDEBUG("Failed to send packet for ID %d", request->packet->id);
deallocate_id(request);
request->done = true;
return -1;
}
fr_packet_header_print(fr_log_fp, request->packet, false);
if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->packet->vps);
return 0;
}
static REQUEST *request_setup(FILE *fp)
{
VALUE_PAIR *vp;
REQUEST *request;
vp_cursor_t cursor;
/*
* Create and initialize the new request.
*/
request = request_alloc(NULL);
request->packet = rad_alloc(request, false);
if (!request->packet) {
ERROR("No memory");
talloc_free(request);
return NULL;
}
request->reply = rad_alloc(request, false);
if (!request->reply) {
ERROR("No memory");
talloc_free(request);
return NULL;
}
request->listener = listen_alloc(request);
request->client = client_alloc(request);
request->number = 0;
request->master_state = REQUEST_ACTIVE;
request->child_state = REQUEST_RUNNING;
request->handle = NULL;
request->server = talloc_typed_strdup(request, "default");
request->root = &main_config;
/*
* Read packet from fp
*/
if (readvp2(request->packet, &request->packet->vps, fp, &filedone) < 0) {
fr_perror("unittest");
talloc_free(request);
return NULL;
}
/*
* Set the defaults for IPs, etc.
*/
request->packet->code = PW_CODE_ACCESS_REQUEST;
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->src_port = 18120;
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->dst_port = 1812;
/*
* Copied from radclient
*/
#if 1
/*
* Fix up Digest-Attributes issues
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that here.
*/
if (vp->type == VT_XLAT) {
vp->vp_strvalue = vp->value.xlat;
vp->value.xlat = NULL;
vp->type = VT_DATA;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_CHAP_PASSWORD: {
int i, already_hex = 0;
/*
* If it's 17 octets, it *might* be already encoded.
* Or, it might just be a 17-character password (maybe UTF-8)
* Check it for non-printable characters. The odds of ALL
* of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
* or 1/(2^51), which is pretty much zero.
*/
if (vp->length == 17) {
for (i = 0; i < 17; i++) {
if (vp->vp_octets[i] < 32) {
already_hex = 1;
break;
}
}
}
/*
* Allow the user to specify ASCII or hex CHAP-Password
*/
if (!already_hex) {
uint8_t *p;
size_t len, len2;
len = len2 = vp->length;
if (len2 < 17) len2 = 17;
p = talloc_zero_array(vp, uint8_t, len2);
memcpy(p, vp->vp_strvalue, len);
rad_chap_encode(request->packet,
p,
fr_rand() & 0xff, vp);
vp->vp_octets = p;
vp->length = 17;
}
}
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->length + 2);
memcpy(p + 2, vp->vp_octets, vp->length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->length += 2;
p[1] = vp->length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
rad_assert(da != NULL);
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
}
} /* loop over the VP's we read in */
#endif
if (debug_flag) {
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Take this opportunity to verify all the VALUE_PAIRs are still valid.
*/
if (!talloc_get_type(vp, VALUE_PAIR)) {
ERROR("Expected VALUE_PAIR pointer got \"%s\"", talloc_get_name(vp));
fr_log_talloc_report(vp);
rad_assert(0);
}
vp_print(fr_log_fp, vp);
}
fflush(fr_log_fp);
}
/*
* FIXME: set IPs, etc.
*/
request->packet->code = PW_CODE_ACCESS_REQUEST;
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->src_port = 18120;
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->dst_port = 1812;
/*
* Build the reply template from the request.
*/
request->reply->sockfd = request->packet->sockfd;
request->reply->dst_ipaddr = request->packet->src_ipaddr;
request->reply->src_ipaddr = request->packet->dst_ipaddr;
request->reply->dst_port = request->packet->src_port;
request->reply->src_port = request->packet->dst_port;
request->reply->id = request->packet->id;
request->reply->code = 0; /* UNKNOWN code */
memcpy(request->reply->vector, request->packet->vector,
sizeof(request->reply->vector));
request->reply->vps = NULL;
request->reply->data = NULL;
request->reply->data_len = 0;
/*
* Debugging
*/
request->log.lvl = debug_flag;
request->log.func = vradlog_request;
request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
return request;
}
/*
* Check password.
*
* Returns: 0 OK
* -1 Password fail
* -2 Rejected (Auth-Type = Reject, send Port-Message back)
* 1 End check & return, don't reply
*
* NOTE: NOT the same as the RLM_ values !
*/
static int rad_check_password(REQUEST *request)
{
VALUE_PAIR *auth_type_pair;
VALUE_PAIR *cur_config_item;
VALUE_PAIR *password_pair;
VALUE_PAIR *auth_item;
uint8_t my_chap[MAX_STRING_LEN];
int auth_type = -1;
int result;
int auth_type_count = 0;
result = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
cur_config_item = request->config_items;
while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
auth_type = auth_type_pair->vp_integer;
auth_type_count++;
RDEBUG2("Found Auth-Type = %s",
dict_valnamebyattr(PW_AUTH_TYPE,
auth_type_pair->vp_integer));
cur_config_item = auth_type_pair->next;
if (auth_type == PW_AUTHTYPE_REJECT) {
RDEBUG2("Auth-Type = Reject, rejecting user");
return -2;
}
}
if (( auth_type_count > 1) && (debug_flag)) {
radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->vp_strvalue);
}
/*
* This means we have a proxy reply or an accept
* and it wasn't rejected in the above loop. So
* that means it is accepted and we do no further
* authentication
*/
if ((auth_type == PW_AUTHTYPE_ACCEPT)
#ifdef WITH_PROXY
|| (request->proxy)
#endif
) {
RDEBUG2("Auth-Type = Accept, accepting the user");
return 0;
}
password_pair = pairfind(request->config_items, PW_USER_PASSWORD);
if (password_pair &&
pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) {
pairdelete(&request->config_items, PW_USER_PASSWORD);
password_pair = NULL;
}
if (password_pair) {
DICT_ATTR *da;
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
RDEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
RDEBUG("!!! Please update your configuration so that the \"known good\" !!!");
RDEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
password_pair->attribute = PW_CLEARTEXT_PASSWORD;
da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD);
if (!da) {
radlog_request(L_ERR, 0, request, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
_exit(1);
}
password_pair->name = da->name;
}
/*
* Find the "known good" password.
*
* FIXME: We should get rid of these hacks, and replace
* them with a module.
*/
if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
/*
* Re-write Auth-Type, but ONLY if it isn't already
* set.
*/
if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
} else {
password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
}
if (auth_type < 0) {
if (password_pair) {
auth_type = PW_AUTHTYPE_LOCAL;
} else {
/*
* The admin hasn't told us how to
* authenticate the user, so we reject them!
*
* This is fail-safe.
*/
RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user");
return -2;
}
}
switch(auth_type) {
case PW_AUTHTYPE_CRYPT:
RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'");
RDEBUG2("WARNING: Use the PAP module instead.");
/*
* Find the password sent by the user. It
* SHOULD be there, if it's not
* authentication fails.
*/
auth_item = request->password;
if (auth_item == NULL) {
RDEBUG2("No User-Password or CHAP-Password attribute in the request");
return -1;
}
if (password_pair == NULL) {
RDEBUG2("No Crypt-Password configured for the user");
rad_authlog("Login incorrect "
"(No Crypt-Password configured for the user)", request, 0);
return -1;
}
switch (fr_crypt_check((char *)auth_item->vp_strvalue,
(char *)password_pair->vp_strvalue)) {
case -1:
rad_authlog("Login incorrect "
"(system failed to supply an encrypted password for comparison)", request, 0);
/* FALL-THROUGH */
case 1:
return -1;
}
break;
case PW_AUTHTYPE_LOCAL:
RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'");
RDEBUG2("WARNING: Use the PAP or CHAP modules instead.");
/*
* Find the password sent by the user. It
* SHOULD be there, if it's not
* authentication fails.
*/
auth_item = request->password;
if (!auth_item)
auth_item = pairfind(request->packet->vps,
PW_CHAP_PASSWORD);
if (!auth_item) {
RDEBUG2("No User-Password or CHAP-Password attribute in the request.");
RDEBUG2("Cannot perform authentication.");
return -1;
}
/*
* Plain text password.
*/
if (password_pair == NULL) {
RDEBUG2("No \"known good\" password was configured for the user.");
RDEBUG2("As a result, we cannot authenticate the user.");
rad_authlog("Login incorrect "
"(No password configured for the user)", request, 0);
return -1;
}
/*
* Local password is just plain text.
*/
if (auth_item->attribute == PW_USER_PASSWORD) {
if (strcmp((char *)password_pair->vp_strvalue,
(char *)auth_item->vp_strvalue) != 0) {
RDEBUG2("User-Password in the request does NOT match \"known good\" password.");
return -1;
}
RDEBUG2("User-Password in the request is correct.");
break;
} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
RDEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
rad_authlog("Login incorrect "
"(no User-Password or CHAP-Password attribute)", request, 0);
return -1;
}
rad_chap_encode(request->packet, my_chap,
auth_item->vp_octets[0], password_pair);
/*
* Compare them
*/
if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1,
CHAP_VALUE_LENGTH) != 0) {
RDEBUG2("CHAP-Password is incorrect.");
return -1;
}
RDEBUG2("CHAP-Password is correct.");
break;
default:
/*
* See if there is a module that handles
* this type, and turn the RLM_ return
* status into the values as defined at
* the top of this function.
*/
result = module_authenticate(auth_type, request);
switch (result) {
/*
* An authentication module FAIL
* return code, or any return code that
* is not expected from authentication,
* is the same as an explicit REJECT!
*/
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_REJECT:
case RLM_MODULE_UPDATED:
case RLM_MODULE_USERLOCK:
default:
result = -1;
break;
case RLM_MODULE_OK:
result = 0;
break;
case RLM_MODULE_HANDLED:
result = 1;
break;
}
break;
}
return result;
}
/*
* Send one packet.
*/
static int send_one_packet(radclient_t *radclient)
{
assert(radclient->done == 0);
/*
* Remember when we have to wake up, to re-send the
* request, of we didn't receive a response.
*/
if ((sleep_time == -1) ||
(sleep_time > (int) timeout)) {
sleep_time = (int) timeout;
}
/*
* Haven't sent the packet yet. Initialize it.
*/
if (radclient->request->id == -1) {
int i, rcode;
assert(radclient->reply == NULL);
/*
* Didn't find a free packet ID, we're not done,
* we don't sleep, and we stop trying to process
* this packet.
*/
retry:
radclient->request->src_ipaddr.af = server_ipaddr.af;
rcode = fr_packet_list_id_alloc(pl, ipproto,
radclient->request, NULL);
if (rcode < 0) {
int mysockfd;
#ifdef WITH_TCP
if (proto) {
mysockfd = fr_tcp_client_socket(NULL,
&server_ipaddr,
server_port);
} else
#endif
mysockfd = fr_socket(&client_ipaddr, 0);
if (!mysockfd) {
fprintf(stderr, "radclient: Can't open new socket\n");
exit(1);
}
if (!fr_packet_list_socket_add(pl, mysockfd, ipproto,
&server_ipaddr,
server_port, NULL)) {
fprintf(stderr, "radclient: Can't add new socket\n");
exit(1);
}
goto retry;
}
if (rcode == 0) {
done = 0;
sleep_time = 0;
return 0;
}
assert(radclient->request->id != -1);
assert(radclient->request->data == NULL);
for (i = 0; i < 4; i++) {
((uint32_t *) radclient->request->vector)[i] = fr_rand();
}
/*
* Update the password, so it can be encrypted with the
* new authentication vector.
*/
if (radclient->password[0] != '\0') {
VALUE_PAIR *vp;
if ((vp = pairfind(radclient->request->vps, PW_USER_PASSWORD, 0)) != NULL) {
strlcpy(vp->vp_strvalue, radclient->password,
sizeof(vp->vp_strvalue));
vp->length = strlen(vp->vp_strvalue);
} else if ((vp = pairfind(radclient->request->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
int already_hex = 0;
/*
* If it's 17 octets, it *might* be already encoded.
* Or, it might just be a 17-character password (maybe UTF-8)
* Check it for non-printable characters. The odds of ALL
* of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
* or 1/(2^51), which is pretty much zero.
*/
if (vp->length == 17) {
for (i = 0; i < 17; i++) {
if (vp->vp_octets[i] < 32) {
already_hex = 1;
break;
}
}
}
/*
* Allow the user to specify ASCII or hex CHAP-Password
*/
if (!already_hex) {
strlcpy(vp->vp_strvalue, radclient->password,
sizeof(vp->vp_strvalue));
vp->length = strlen(vp->vp_strvalue);
rad_chap_encode(radclient->request,
vp->vp_octets,
fr_rand() & 0xff, vp);
vp->length = 17;
}
} else if (pairfind(radclient->request->vps, PW_MSCHAP_PASSWORD, 0) != NULL) {
mschapv1_encode(&radclient->request->vps,
radclient->password);
} else if (fr_debug_flag) {
printf("WARNING: No password in the request\n");
}
}
radclient->timestamp = time(NULL);
radclient->tries = 1;
radclient->resend++;
/*
* Duplicate found. Serious error!
*/
if (!fr_packet_list_insert(pl, &radclient->request)) {
assert(0 == 1);
}
#ifdef WITH_TCP
/*
* WTF?
*/
if (client_port == 0) {
client_ipaddr = radclient->request->src_ipaddr;
client_port = radclient->request->src_port;
}
#endif
} else { /* radclient->request->id >= 0 */
time_t now = time(NULL);
/*
* FIXME: Accounting packets are never retried!
* The Acct-Delay-Time attribute is updated to
* reflect the delay, and the packet is re-sent
* from scratch!
*/
/*
* Not time for a retry, do so.
*/
if ((now - radclient->timestamp) < timeout) {
/*
* When we walk over the tree sending
* packets, we update the minimum time
* required to sleep.
*/
if ((sleep_time == -1) ||
(sleep_time > (now - radclient->timestamp))) {
sleep_time = now - radclient->timestamp;
}
return 0;
}
/*
* We're not trying later, maybe the packet is done.
*/
if (radclient->tries == retries) {
assert(radclient->request->id >= 0);
/*
* Delete the request from the tree of
* outstanding requests.
*/
fr_packet_list_yank(pl, radclient->request);
fprintf(stderr, "radclient: no response from server for ID %d socket %d\n", radclient->request->id, radclient->request->sockfd);
deallocate_id(radclient);
/*
* Normally we mark it "done" when we've received
* the response, but this is a special case.
*/
if (radclient->resend == resend_count) {
radclient->done = 1;
}
totallost++;
return -1;
}
/*
* We are trying later.
*/
radclient->timestamp = now;
radclient->tries++;
}
/*
* Send the packet.
*/
if (rad_send(radclient->request, NULL, secret) < 0) {
fprintf(stderr, "radclient: Failed to send packet for ID %d: %s\n",
radclient->request->id, fr_strerror());
}
if (fr_debug_flag > 2) print_hex(radclient->request);
return 0;
}
static int sendrecv_eap(RADIUS_PACKET *rep)
{
RADIUS_PACKET *req = NULL;
VALUE_PAIR *vp, *vpnext;
int tried_eap_md5 = 0;
if (!rep) return -1;
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, vp->vp_strvalue, sizeof(password));
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, vp->vp_strvalue, sizeof(password));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, vp->vp_strvalue, sizeof(password));
} else {
*password = '******';
}
again:
rep->id++;
/*
* if there are EAP types, encode them into an EAP-Message
*
*/
map_eap_methods(rep);
/*
* Fix up Digest-Attributes issues
*/
for (vp = rep->vps; vp != NULL; vp = vp->next) {
switch (vp->da->attr) {
default:
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->length + 2);
memcpy(p + 2, vp->vp_octets, vp->length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->length += 2;
p[1] = vp->length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
}
}
/*
* If we've already sent a packet, free up the old
* one, and ensure that the next packet has a unique
* ID and authentication vector.
*/
if (rep->data) {
talloc_free(rep->data);
rep->data = NULL;
}
fr_md5_calc(rep->vector, rep->vector,
sizeof(rep->vector));
if (*password != '\0') {
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
uint8_t *p;
p = talloc_zero_array(vp, uint8_t, 17);
rad_chap_encode(rep, p, rep->id, vp);
pairmemsteal(vp, p);
}
} /* there WAS a password */
/* send the response, wait for the next request */
send_packet(rep, &req);
if (!req) return -1;
/* okay got back the packet, go and decode the EAP-Message. */
unmap_eap_methods(req);
debug_packet(req, R_RECV);
/* now look for the code type. */
for (vp = req->vps; vp != NULL; vp = vpnext) {
vpnext = vp->next;
switch (vp->da->attr) {
default:
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
{
tried_eap_md5++;
goto again;
}
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
if(respond_eap_sim(req, rep))
{
goto again;
}
break;
}
}
return 1;
}
/*
* Find the named user in this modules database. Create the set
* of attribute-value pairs to check and reply with for this user
* from the database. The authentication code only needs to check
* the password, the rest is done here.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(UNUSED void *instance, REQUEST *request)
{
VALUE_PAIR *password, *chap;
uint8_t pass_str[MAX_STRING_LEN];
if (!request->username) {
REDEBUG("&request:User-Name attribute is required for authentication");
return RLM_MODULE_INVALID;
}
chap = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
if (!chap) {
REDEBUG("You set '&control:Auth-Type = CHAP' for a request that "
"does not contain a CHAP-Password attribute!");
return RLM_MODULE_INVALID;
}
if (chap->vp_length == 0) {
REDEBUG("&request:CHAP-Password is empty");
return RLM_MODULE_INVALID;
}
if (chap->vp_length != CHAP_VALUE_LENGTH + 1) {
REDEBUG("&request:CHAP-Password has invalid length");
return RLM_MODULE_INVALID;
}
password = fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
if (password == NULL) {
if (fr_pair_find_by_num(request->config, PW_USER_PASSWORD, 0, TAG_ANY) != NULL){
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
REDEBUG("!!! Please update your configuration so that the \"known !!!");
REDEBUG("!!! good\" cleartext password is in Cleartext-Password, !!!");
REDEBUG("!!! and NOT in User-Password. !!!");
REDEBUG("!!! !!!");
REDEBUG("!!! Authentication will fail because of this. !!!");
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
}
REDEBUG("&control:Cleartext-Password is required for authentication");
return RLM_MODULE_FAIL;
}
rad_chap_encode(request->packet, pass_str, chap->vp_octets[0], password);
if (RDEBUG_ENABLED3) {
uint8_t const *p;
size_t length;
VALUE_PAIR *vp;
char buffer[MAX_STRING_LEN * 2 + 1];
RDEBUG3("Comparing with \"known good\" &control:Cleartext-Password value \"%s\"",
password->vp_strvalue);
vp = fr_pair_find_by_num(request->packet->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY);
if (vp) {
RDEBUG2("Using challenge from &request:CHAP-Challenge");
p = vp->vp_octets;
length = vp->vp_length;
} else {
RDEBUG2("Using challenge from authenticator field");
p = request->packet->vector;
length = sizeof(request->packet->vector);
}
fr_bin2hex(buffer, p, length);
RINDENT();
RDEBUG3("CHAP challenge : %s", buffer);
fr_bin2hex(buffer, chap->vp_octets + 1, CHAP_VALUE_LENGTH);
RDEBUG3("Client sent : %s", buffer);
fr_bin2hex(buffer, pass_str + 1, CHAP_VALUE_LENGTH);
RDEBUG3("We calculated : %s", buffer);
REXDENT();
} else {
RDEBUG2("Comparing with \"known good\" Cleartext-Password");
}
if (rad_digest_cmp(pass_str + 1, chap->vp_octets + 1, CHAP_VALUE_LENGTH) != 0) {
REDEBUG("Password comparison failed: password is incorrect");
return RLM_MODULE_REJECT;
}
RDEBUG("CHAP user \"%s\" authenticated successfully", request->username->vp_strvalue);
return RLM_MODULE_OK;
}
/*
* Send one packet.
*/
static int send_one_packet(rc_request_t *request)
{
assert(request->done == false);
/*
* Remember when we have to wake up, to re-send the
* request, of we didn't receive a reply.
*/
if ((sleep_time == -1) || (sleep_time > (int) timeout)) {
sleep_time = (int) timeout;
}
/*
* Haven't sent the packet yet. Initialize it.
*/
if (request->packet->id == -1) {
int i;
bool rcode;
assert(request->reply == NULL);
/*
* Didn't find a free packet ID, we're not done,
* we don't sleep, and we stop trying to process
* this packet.
*/
retry:
request->packet->src_ipaddr.af = server_ipaddr.af;
rcode = fr_packet_list_id_alloc(pl, ipproto,
&request->packet, NULL);
if (!rcode) {
int mysockfd;
#ifdef WITH_TCP
if (proto) {
mysockfd = fr_tcp_client_socket(NULL,
&server_ipaddr,
server_port);
} else
#endif
mysockfd = fr_socket(&client_ipaddr, 0);
if (mysockfd < 0) {
ERROR("Can't open new socket: %s", strerror(errno));
exit(1);
}
if (!fr_packet_list_socket_add(pl, mysockfd, ipproto,
&server_ipaddr,
server_port, NULL)) {
ERROR("Can't add new socket");
exit(1);
}
goto retry;
}
assert(request->packet->id != -1);
assert(request->packet->data == NULL);
for (i = 0; i < 4; i++) {
((uint32_t *) request->packet->vector)[i] = fr_rand();
}
/*
* Update the password, so it can be encrypted with the
* new authentication vector.
*/
if (request->password[0] != '\0') {
VALUE_PAIR *vp;
if ((vp = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, request->password);
} else if ((vp = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
bool already_hex = false;
/*
* If it's 17 octets, it *might* be already encoded.
* Or, it might just be a 17-character password (maybe UTF-8)
* Check it for non-printable characters. The odds of ALL
* of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
* or 1/(2^51), which is pretty much zero.
*/
if (vp->length == 17) {
for (i = 0; i < 17; i++) {
if (vp->vp_octets[i] < 32) {
already_hex = true;
break;
}
}
}
/*
* Allow the user to specify ASCII or hex CHAP-Password
*/
if (!already_hex) {
uint8_t *p;
size_t len, len2;
len = len2 = strlen(request->password);
if (len2 < 17) len2 = 17;
p = talloc_zero_array(vp, uint8_t, len2);
memcpy(p, request->password, len);
rad_chap_encode(request->packet,
p,
fr_rand() & 0xff, vp);
vp->vp_octets = p;
vp->length = 17;
}
} else if (pairfind(request->packet->vps, PW_MSCHAP_PASSWORD, 0, TAG_ANY) != NULL) {
mschapv1_encode(request->packet,
&request->packet->vps,
request->password);
} else {
DEBUG("WARNING: No password in the request");
}
}
request->timestamp = time(NULL);
request->tries = 1;
request->resend++;
#ifdef WITH_TCP
/*
* WTF?
*/
if (client_port == 0) {
client_ipaddr = request->packet->src_ipaddr;
client_port = request->packet->src_port;
}
#endif
} else { /* request->packet->id >= 0 */
time_t now = time(NULL);
/*
* FIXME: Accounting packets are never retried!
* The Acct-Delay-Time attribute is updated to
* reflect the delay, and the packet is re-sent
* from scratch!
*/
/*
* Not time for a retry, do so.
*/
if ((now - request->timestamp) < timeout) {
/*
* When we walk over the tree sending
* packets, we update the minimum time
* required to sleep.
*/
if ((sleep_time == -1) ||
(sleep_time > (now - request->timestamp))) {
sleep_time = now - request->timestamp;
}
return 0;
}
/*
* We're not trying later, maybe the packet is done.
*/
if (request->tries == retries) {
assert(request->packet->id >= 0);
/*
* Delete the request from the tree of
* outstanding requests.
*/
fr_packet_list_yank(pl, request->packet);
REDEBUG("No reply from server for ID %d socket %d",
request->packet->id, request->packet->sockfd);
deallocate_id(request);
/*
* Normally we mark it "done" when we've received
* the reply, but this is a special case.
*/
if (request->resend == resend_count) {
request->done = true;
}
stats.lost++;
return -1;
}
/*
* We are trying later.
*/
request->timestamp = now;
request->tries++;
}
/*
* Send the packet.
*/
if (rad_send(request->packet, NULL, secret) < 0) {
REDEBUG("Failed to send packet for ID %d", request->packet->id);
}
return 0;
}
/*
* Find the named user in this modules database. Create the set
* of attribute-value pairs to check and reply with for this user
* from the database. The authentication code only needs to check
* the password, the rest is done here.
*/
static rlm_rcode_t mod_authenticate(UNUSED void *instance,
UNUSED REQUEST *request)
{
VALUE_PAIR *passwd_item, *chap;
uint8_t pass_str[MAX_STRING_LEN];
if (!request->username) {
RWDEBUG("Attribute 'User-Name' is required for authentication.\n");
return RLM_MODULE_INVALID;
}
chap = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
if (!chap) {
REDEBUG("You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!");
return RLM_MODULE_INVALID;
}
if (chap->length == 0) {
REDEBUG("CHAP-Password is empty");
return RLM_MODULE_INVALID;
}
if (chap->length != CHAP_VALUE_LENGTH + 1) {
REDEBUG("CHAP-Password has invalid length");
return RLM_MODULE_INVALID;
}
/*
* Don't print out the CHAP password here. It's binary crap.
*/
RDEBUG("Login attempt by \"%s\" with CHAP password",
request->username->vp_strvalue);
if ((passwd_item = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL){
if (pairfind(request->config_items, PW_USER_PASSWORD, 0, TAG_ANY) != NULL){
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
REDEBUG("!!! Please update your configuration so that the \"known !!!");
REDEBUG("!!! good\" clear text password is in Cleartext-Password, !!!");
REDEBUG("!!! and NOT in User-Password. !!!");
REDEBUG("!!! !!!");
REDEBUG("!!! Authentication will fail because of this. !!!");
REDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
}
REDEBUG("Clear-Text password is required for authentication");
return RLM_MODULE_INVALID;
}
RDEBUG("Using Clear-Text password \"%s\" for user %s authentication.",
passwd_item->vp_strvalue, request->username->vp_strvalue);
rad_chap_encode(request->packet,pass_str,
chap->vp_octets[0],passwd_item);
if (rad_digest_cmp(pass_str + 1, chap->vp_octets + 1,
CHAP_VALUE_LENGTH) != 0) {
REDEBUG("Password is comparison failed: password is incorrect");
return RLM_MODULE_REJECT;
}
RDEBUG("CHAP user \"%s\" authenticated successfully",
request->username->vp_strvalue);
return RLM_MODULE_OK;
}
static int sendrecv_eap(RADIUS_PACKET *rep)
{
RADIUS_PACKET *req = NULL;
VALUE_PAIR *vp, *vpnext;
int tried_eap_md5 = 0;
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
} else {
*password = '******';
}
again:
rep->id++;
/*
* if there are EAP types, encode them into an EAP-Message
*
*/
map_eap_methods(rep);
/*
* Fix up Digest-Attributes issues
*/
for (vp = rep->vps; vp != NULL; vp = vp->next) {
switch (vp->da->attribute) {
default:
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
vp->vp_octets[0] = vp->da->attribute - PW_DIGEST_REALM + 1;
vp->length += 2;
vp->vp_octets[1] = vp->length;
vp->da->attribute = PW_DIGEST_ATTRIBUTES;
break;
}
}
/*
* If we've already sent a packet, free up the old
* one, and ensure that the next packet has a unique
* ID and authentication vector.
*/
if (rep->data) {
talloc_free(rep->data);
rep->data = NULL;
}
fr_md5_calc(rep->vector, rep->vector,
sizeof(rep->vector));
if (*password != '\0') {
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
pairstrcpy(vp, password);
rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
vp->length = 17;
}
} /* there WAS a password */
/* send the response, wait for the next request */
send_packet(rep, &req);
/* okay got back the packet, go and decode the EAP-Message. */
unmap_eap_methods(req);
debug_packet(req, R_RECV);
/* now look for the code type. */
for (vp = req->vps; vp != NULL; vp = vpnext) {
vpnext = vp->next;
switch (vp->da->attribute) {
default:
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
{
tried_eap_md5++;
goto again;
}
break;
case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
if(respond_eap_sim(req, rep))
{
goto again;
}
break;
}
}
return 1;
}
/*
* Find the named user in this modules database. Create the set
* of attribute-value pairs to check and reply with for this user
* from the database. The authentication code only needs to check
* the password, the rest is done here.
*/
static int chap_authenticate(void *instance, REQUEST *request)
{
VALUE_PAIR *passwd_item, *chap;
uint8_t pass_str[MAX_STRING_LEN];
VALUE_PAIR *module_fmsg_vp;
char module_fmsg[MAX_STRING_LEN];
/* quiet the compiler */
instance = instance;
request = request;
if (!request->username) {
radlog_request(L_AUTH, 0, request, "rlm_chap: Attribute \"User-Name\" is required for authentication.\n");
return RLM_MODULE_INVALID;
}
chap = pairfind(request->packet->vps, PW_CHAP_PASSWORD);
if (!chap) {
RDEBUG("ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!");
return RLM_MODULE_INVALID;
}
if (chap->length == 0) {
RDEBUG("ERROR: CHAP-Password is empty");
return RLM_MODULE_INVALID;
}
if (chap->length != CHAP_VALUE_LENGTH + 1) {
RDEBUG("ERROR: CHAP-Password has invalid length");
return RLM_MODULE_INVALID;
}
/*
* Don't print out the CHAP password here. It's binary crap.
*/
RDEBUG("login attempt by \"%s\" with CHAP password",
request->username->vp_strvalue);
if ((passwd_item = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) == NULL){
RDEBUG("Cleartext-Password is required for authentication");
snprintf(module_fmsg, sizeof(module_fmsg),
"rlm_chap: Clear text password not available");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_INVALID;
}
RDEBUG("Using clear text password \"%s\" for user %s authentication.",
passwd_item->vp_strvalue, request->username->vp_strvalue);
rad_chap_encode(request->packet,pass_str,
chap->vp_octets[0],passwd_item);
if (rad_digest_cmp(pass_str + 1, chap->vp_octets + 1,
CHAP_VALUE_LENGTH) != 0) {
RDEBUG("Password check failed");
snprintf(module_fmsg, sizeof(module_fmsg),
"rlm_chap: Wrong user password");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_REJECT;
}
RDEBUG("chap user %s authenticated succesfully",
request->username->vp_strvalue);
return RLM_MODULE_OK;
}
/*
* Compare two RADIUS_PACKET data structures, based on a number
* of criteria.
*/
static int send_one_packet(radclient_t *radclient)
{
int i;
assert(radclient->done == 0);
/*
* Remember when we have to wake up, to re-send the
* request, of we didn't receive a response.
*/
if ((sleep_time == -1) ||
(sleep_time > (int) timeout))
{
sleep_time = (int) timeout;
}
/*
* Haven't sent the packet yet. Initialize it.
*/
if (radclient->request->id == -1)
{
int found = 0;
assert(radclient->reply == NULL);
/*
* Find a free packet Id
*/
for (i = 0; i < 256; i++)
{
if (radius_id[(last_used_id + i) & 0xff] == 0)
{
last_used_id = (last_used_id + i) & 0xff;
radius_id[last_used_id] = 1;
radclient->request->id = last_used_id++;
found = 1;
break;
}
}
/*
* Didn't find a free packet ID, we're not done,
* we don't sleep, and we stop trying to process
* this packet.
*/
if (!found)
{
done = 0;
sleep_time = 0;
return 0;
}
assert(radclient->request->id != -1);
assert(radclient->request->data == NULL);
librad_md5_calc(radclient->request->vector, radclient->request->vector,
sizeof(radclient->request->vector));
/*
* Update the password, so it can be encrypted with the
* new authentication vector.
*/
if (radclient->password[0] != '\0')
{
VALUE_PAIR *vp;
if ((vp = pairfind(radclient->request->vps, PW_PASSWORD)) != NULL)
{
strNcpy((char *)vp->strvalue, radclient->password, sizeof(vp->strvalue));
vp->length = strlen(vp->strvalue);
}
else if ((vp = pairfind(radclient->request->vps, PW_CHAP_PASSWORD)) != NULL)
{
strNcpy((char *)vp->strvalue, radclient->password, sizeof(vp->strvalue));
vp->length = strlen(vp->strvalue);
rad_chap_encode(radclient->request, (char *) vp->strvalue, radclient->request->id, vp);
vp->length = 17;
}
}
radclient->timestamp = time(NULL);
radclient->tries = 1;
radclient->resend++;
/*
* Duplicate found. Serious error!
*/
}
else /* radclient->request->id >= 0 */
{
time_t now = time(NULL);
/*
* FIXME: Accounting packets are never retried!
* The Acct-Delay-Time attribute is updated to
* reflect the delay, and the packet is re-sent
* from scratch!
*/
/*
* Not time for a retry, do so.
*/
if ((now - radclient->timestamp) < timeout)
{
/*
* When we walk over the tree sending
* packets, we update the minimum time
* required to sleep.
*/
if ((sleep_time == -1) ||
(sleep_time > (now - radclient->timestamp)))
{
sleep_time = now - radclient->timestamp;
}
return 0;
}
/*
* We're not trying later, maybe the packet is done.
*/
if (radclient->tries == retries)
{
assert(radclient->request->id >= 0);
/*
* Delete the request from the tree of
* outstanding requests.
*/
fprintf(stderr, "radclient: no response from server for ID %d\n", radclient->request->id);
/*
* Normally we mark it "done" when we've received
* the response, but this is a special case.
*/
if (radclient->resend == resend_count)
{
radclient->done = 1;
}
totallost++;
return -1;
}
/*
* We are trying later.
*/
radclient->timestamp = now;
radclient->tries++;
}
/*
* Send the packet.
*/
if (rad_send(radclient->request, NULL, secret) < 0)
{
fprintf(stderr, "radclient: Failed to send packet for ID %d: %s\n",
radclient->request->id, librad_errstr);
}
return 0;
}
/*Note:
* We just support EAP proxy.
* rad_send_eap_response
* send a EAP response to radius server
*/
int
rad_send_eap_response(RADIUS_PACKET* rep,const char* secret,const char* pwd)
{
VALUE_PAIR* vp;
int rc;
int old_debug_flag;
vp = NULL;
rc = 0;
old_debug_flag = 0;
/*
* if there are EAP types, encode them into an EAP-Message
*
*/
map_eap_types(rep);
/*
* Fix up Digest-Attributes issues
*/
for (vp = rep->vps; vp != NULL; vp = vp->next) {
switch (vp->attribute) {
default:
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1;
vp->length += 2;
vp->vp_octets[1] = vp->length;
vp->attribute = PW_DIGEST_ATTRIBUTES;
break;
}
}
fr_md5_calc(rep->vector, rep->vector,
sizeof(rep->vector));
if ((pwd != NULL) && (*pwd != '\0')) {
if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
} else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
} else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD)) != NULL) {
strncpy((char *)vp->vp_strvalue, pwd, sizeof(vp->vp_strvalue) - 1);
vp->length = strlen(pwd);
rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
vp->length = 17;
}
} /* there WAS a password */
/* send the response*/
if(fr_debug_flag) {
debug_packet(rep,R_SENT);
old_debug_flag = fr_debug_flag;
fr_debug_flag = 0; /*just turn off the debug-flag to avoid rad_send debug out agin*/
}
if(rad_send(rep,NULL,secret) < 0)
rc = -1;
else
rc = 0;
if(old_debug_flag)
fr_debug_flag = old_debug_flag;
return rc;
}
/*
* Check password.
*
* Returns: 0 OK
* -1 Password fail
* -2 Rejected (Auth-Type = Reject, send Port-Message back)
* 1 End check & return, don't reply
*
* NOTE: NOT the same as the RLM_ values !
*/
static int rad_check_password(REQUEST *request)
{
VALUE_PAIR *auth_type_pair;
VALUE_PAIR *cur_config_item;
VALUE_PAIR *password_pair;
VALUE_PAIR *auth_item;
DICT_VALUE *da;
char string[MAX_STRING_LEN];
int auth_type = -1;
int result;
int auth_type_count = 0;
result = 0;
/*
* Look for matching check items. We skip the whole lot
* if the authentication type is PW_AUTHTYPE_ACCEPT or
* PW_AUTHTYPE_REJECT.
*/
cur_config_item = request->config_items;
while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
auth_type = auth_type_pair->lvalue;
auth_type_count++;
DEBUG2(" rad_check_password: Found Auth-Type %s",
auth_type_pair->strvalue);
cur_config_item = auth_type_pair->next;
if (auth_type == PW_AUTHTYPE_REJECT) {
DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
return -2;
}
}
if (( auth_type_count > 1) && (debug_flag)) {
radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
auth_type_count, request->username->strvalue);
}
/*
* This means we have a proxy reply or an accept
* and it wasn't rejected in the above loop. So
* that means it is accepted and we do no further
* authentication
*/
if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
return 0;
}
/*
* Find the password from the users file.
*/
if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
/*
* Re-write Auth-Type, but ONLY if it isn't already
* set.
*/
if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
} else {
password_pair = pairfind(request->config_items, PW_PASSWORD);
}
if (auth_type < 0) {
if (password_pair) {
auth_type = PW_AUTHTYPE_LOCAL;
} else {
/*
* The admin hasn't told us how to
* authenticate the user, so we reject them!
*
* This is fail-safe.
*/
DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
return -2;
}
}
switch(auth_type) {
case PW_AUTHTYPE_CRYPT:
/*
* Find the password sent by the user. It
* SHOULD be there, if it's not
* authentication fails.
*/
auth_item = request->password;
if (auth_item == NULL) {
DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
return -1;
}
DEBUG2("auth: type Crypt");
if (password_pair == NULL) {
DEBUG2("No Crypt-Password configured for the user");
rad_authlog("Login incorrect "
"(No Crypt-Password configured for the user)", request, 0);
return -1;
}
switch (lrad_crypt_check((char *)auth_item->strvalue,
(char *)password_pair->strvalue)) {
case -1:
rad_authlog("Login incorrect "
"(system failed to supply an encrypted password for comparison)", request, 0);
case 1:
return -1;
}
break;
case PW_AUTHTYPE_LOCAL:
DEBUG2("auth: type Local");
/*
* Find the password sent by the user. It
* SHOULD be there, if it's not
* authentication fails.
*/
auth_item = request->password;
if (auth_item == NULL) {
DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
return -1;
}
/*
* Plain text password.
*/
if (password_pair == NULL) {
DEBUG2("auth: No password configured for the user");
rad_authlog("Login incorrect "
"(No password configured for the user)", request, 0);
return -1;
}
/*
* Local password is just plain text.
*/
if (auth_item->attribute == PW_PASSWORD) {
if (strcmp((char *)password_pair->strvalue,
(char *)auth_item->strvalue) != 0) {
DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
return -1;
}
DEBUG2("auth: user supplied User-Password matches local User-Password");
break;
} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
rad_authlog("Login incorrect "
"(no User-Password or CHAP-Password attribute)", request, 0);
return -1;
}
rad_chap_encode(request->packet, string,
auth_item->strvalue[0], password_pair);
/*
* Compare them
*/
if (memcmp(string + 1, auth_item->strvalue + 1,
CHAP_VALUE_LENGTH) != 0) {
DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
return -1;
}
DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
break;
default:
da = dict_valbyattr(PW_AUTH_TYPE, auth_type);
DEBUG2("auth: type \"%s\"", da->name);
/*
* See if there is a module that handles
* this type, and turn the RLM_ return
* status into the values as defined at
* the top of this function.
*/
result = module_authenticate(auth_type, request);
switch (result) {
/*
* An authentication module FAIL
* return code, or any return code that
* is not expected from authentication,
* is the same as an explicit REJECT!
*/
case RLM_MODULE_FAIL:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
case RLM_MODULE_INVALID:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_NOOP:
case RLM_MODULE_UPDATED:
result = -1;
break;
case RLM_MODULE_OK:
result = 0;
break;
case RLM_MODULE_HANDLED:
result = 1;
break;
}
break;
}
return result;
}
