static int _map_proc_client_get_vp(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request,
vp_map_t const *map, void *uctx)
{
client_get_vp_ctx_t *client = uctx;
VALUE_PAIR *head = NULL, *vp;
fr_cursor_t cursor;
fr_dict_attr_t const *da;
CONF_PAIR const *cp;
rad_assert(ctx != NULL);
fr_cursor_init(&cursor, &head);
/*
* FIXME: allow multiple entries.
*/
if (map->lhs->type == TMPL_TYPE_ATTR) {
da = map->lhs->tmpl_da;
} else {
char *attr;
if (tmpl_aexpand(ctx, &attr, request, map->lhs, NULL, NULL) <= 0) {
RWDEBUG("Failed expanding string");
return -1;
}
da = fr_dict_attr_by_name(request->dict, attr);
if (!da) {
RWDEBUG("No such attribute '%s'", attr);
return -1;
}
talloc_free(attr);
}
for (cp = client->cp;
cp;
cp = cf_pair_find_next(client->cs, cp, client->field)) {
char const *value = cf_pair_value(cp);
MEM(vp = fr_pair_afrom_da(ctx, da));
if (fr_pair_value_from_str(vp, value, talloc_array_length(value) - 1, '\0', false) < 0) {
RWDEBUG("Failed parsing value \"%pV\" for attribute %s: %s", fr_box_strvalue(value),
map->lhs->tmpl_da->name, fr_strerror());
fr_pair_list_free(&head);
talloc_free(vp);
return -1;
}
vp->op = map->op;
fr_cursor_append(&cursor, vp);
if (map->op != T_OP_ADD) break; /* Create multiple attribute for multiple CONF_PAIRs */
}
*out = head;
return 0;
}
/** Send a failure message
*
*/
static int eap_sim_send_eap_failure_notification(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
RADIUS_PACKET *packet = eap_session->request->reply;
fr_cursor_t cursor;
VALUE_PAIR *vp;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
fr_cursor_init(&cursor, &packet->vps);
vp = fr_pair_find_by_da(packet->vps, attr_eap_sim_notification, TAG_ANY);
if (!vp) {
vp = fr_pair_afrom_da(packet, attr_eap_sim_notification);
vp->vp_uint16 = FR_EAP_SIM_NOTIFICATION_VALUE_GENERAL_FAILURE;
fr_cursor_append(&cursor, vp);
}
/*
* Change the failure notification depending where
* we are in the state machine.
*/
if (eap_sim_session->challenge_success) {
vp->vp_uint16 &= ~0x4000; /* Unset phase bit */
} else {
vp->vp_uint16 |= 0x4000; /* Set phase bit */
}
vp->vp_uint16 &= ~0x8000; /* In both cases success bit should be low */
RDEBUG2("Sending SIM-Notification (%pV)", &vp->data);
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
/*
* Set the subtype to notification
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = FR_EAP_SIM_SUBTYPE_VALUE_SIM_NOTIFICATION;
fr_cursor_append(&cursor, vp);
/*
* If we're after the challenge phase
* then we need to include a MAC to
* protect notifications.
*/
if (eap_sim_session->challenge_success) {
vp = fr_pair_afrom_da(packet, attr_eap_sim_mac);
fr_pair_replace(&packet->vps, vp);
}
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
/*
* Allow single attribute values to be retrieved from the dhcp.
*/
static ssize_t dhcp_options_xlat(UNUSED void *instance, REQUEST *request,
char const *fmt, char **out, size_t freespace)
{
vp_cursor_t cursor, src_cursor;
vp_tmpl_t src;
VALUE_PAIR *vp, *head = NULL;
int decoded = 0;
ssize_t slen;
while (isspace((int) *fmt)) fmt++;
slen = tmpl_from_attr_str(&src, fmt, REQUEST_CURRENT, PAIR_LIST_REQUEST, false, false);
if (slen <= 0) {
REMARKER(fmt, slen, fr_strerror());
error:
return -1;
}
if (src.type != TMPL_TYPE_ATTR) {
REDEBUG("dhcp_options cannot operate on a %s", fr_int2str(tmpl_names, src.type, "<INVALID>"));
goto error;
}
if (src.tmpl_da->type != PW_TYPE_OCTETS) {
REDEBUG("dhcp_options got a %s attribute needed octets",
fr_int2str(dict_attr_types, src.tmpl_da->type, "<INVALID>"));
goto error;
}
for (vp = tmpl_cursor_init(NULL, &src_cursor, request, &src);
vp;
vp = tmpl_cursor_next(&src_cursor, &src)) {
/*
* @fixme: we should pass in a cursor, then decoding multiple
* source attributes can be made atomic.
*/
if ((fr_dhcp_decode_options(request->packet, &head, vp->vp_octets, vp->vp_length) < 0) || (!head)) {
RWDEBUG("DHCP option decoding failed: %s", fr_strerror());
goto error;
}
for (vp = fr_cursor_init(&cursor, &head);
vp;
vp = fr_cursor_next(&cursor)) {
rdebug_pair(L_DBG_LVL_2, request, vp, "dhcp_options: ");
decoded++;
}
fr_pair_list_move(request->packet, &(request->packet->vps), &head);
/* Free any unmoved pairs */
fr_pair_list_free(&head);
}
snprintf(*out, freespace, "%i", decoded);
return strlen(*out);
}
/*
* Generic comparisons, via xlat.
*/
static int generic_cmp(UNUSED void *instance,
REQUEST *request,
VALUE_PAIR *req,
VALUE_PAIR *check,
UNUSED VALUE_PAIR *check_list,
UNUSED VALUE_PAIR **reply_list)
{
VP_VERIFY(check);
if ((check->op != T_OP_REG_EQ) && (check->op != T_OP_REG_NE)) {
int rcode;
char name[1024];
char value[1024];
VALUE_PAIR *vp;
snprintf(name, sizeof(name), "%%{%s}", check->da->name);
if (xlat_eval(value, sizeof(value), request, name, NULL, NULL) < 0) return 0;
vp = fr_pair_afrom_da(req, check->da);
vp->op = check->op;
fr_pair_value_from_str(vp, value, -1, '"', false);
/*
* Paircmp returns 0 for failed comparison, 1 for succeeded -1 for error.
*/
rcode = fr_pair_cmp(check, vp);
/*
* We're being called from paircmp_func,
* which wants 0 for success, and 1 for fail (sigh)
*
* We should really fix the API so that it is
* consistent. i.e. the comparison callbacks should
* return ONLY the resut of comparing A to B.
* The radius_callback_cmp function should then
* take care of using the operator to see if the
* condition (A OP B) is true or not.
*
* This would also allow "<", etc. to work in the
* callback functions...
*
* See rlm_ldap, ...groupcmp() for something that
* returns 0 for matched, and 1 for didn't match.
*/
rcode = !rcode;
fr_pair_list_free(&vp);
return rcode;
}
/*
* Will do the xlat for us
*/
return paircmp_pairs(request, check, NULL);
}
/** Free a RADIUS_PACKET
*
*/
void fr_radius_packet_free(RADIUS_PACKET **radius_packet_ptr)
{
RADIUS_PACKET *radius_packet;
if (!radius_packet_ptr || !*radius_packet_ptr) return;
radius_packet = *radius_packet_ptr;
PACKET_VERIFY(radius_packet);
fr_pair_list_free(&radius_packet->vps);
talloc_free(radius_packet);
*radius_packet_ptr = NULL;
}
/** Send a success notification
*
*/
static int eap_sim_send_eap_success_notification(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
RADIUS_PACKET *packet = eap_session->request->reply;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
fr_cursor_t cursor;
VALUE_PAIR *vp;
RDEBUG2("Sending SIM-Notification (Success)");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
if (!fr_cond_assert(eap_sim_session->challenge_success)) return -1;
fr_cursor_init(&cursor, &packet->vps);
/*
* Set the subtype to notification
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = FR_EAP_SIM_SUBTYPE_VALUE_SIM_NOTIFICATION;
fr_cursor_append(&cursor, vp);
vp = fr_pair_afrom_da(packet, attr_eap_sim_notification);
vp->vp_uint16 = FR_EAP_SIM_NOTIFICATION_VALUE_SUCCESS;
fr_cursor_append(&cursor, vp);
/*
* Need to include an AT_MAC attribute so that it will get
* calculated.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_mac);
fr_pair_replace(&packet->vps, vp);
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
/*
* Compare the request with the "reply" part in the
* huntgroup, which normally only contains username or group.
* At least one of the "reply" items has to match.
*/
static int hunt_paircmp(REQUEST *req, VALUE_PAIR *request, VALUE_PAIR *check)
{
vp_cursor_t cursor;
VALUE_PAIR *check_item;
VALUE_PAIR *tmp;
int result = -1;
if (!check) return 0;
for (check_item = fr_cursor_init(&cursor, &check);
check_item && (result != 0);
check_item = fr_cursor_next(&cursor)) {
/* FIXME: fr_pair_list_copy should be removed once VALUE_PAIRs are no longer in linked lists */
tmp = fr_pair_copy(request, check_item);
tmp->op = check_item->op;
result = paircompare(req, request, check_item, NULL);
fr_pair_list_free(&tmp);
}
return result;
}
VALUE_PAIR *eap_packet2vp(RADIUS_PACKET *packet, eap_packet_raw_t const *eap)
{
int total, size;
uint8_t const *ptr;
VALUE_PAIR *head = NULL;
VALUE_PAIR *vp;
vp_cursor_t out;
total = eap->length[0] * 256 + eap->length[1];
if (total == 0) {
DEBUG("Asked to encode empty EAP-Message!");
return NULL;
}
ptr = (uint8_t const *) eap;
fr_cursor_init(&out, &head);
do {
size = total;
if (size > 253) size = 253;
vp = fr_pair_afrom_num(packet, 0, PW_EAP_MESSAGE);
if (!vp) {
fr_pair_list_free(&head);
return NULL;
}
fr_pair_value_memcpy(vp, ptr, size);
fr_cursor_insert(&out, vp);
ptr += size;
total -= size;
} while (total > 0);
return head;
}
/*
* Common code called by everything below.
*/
static rlm_rcode_t file_common(rlm_files_t const *inst, REQUEST *request, char const *filename, rbtree_t *tree,
RADIUS_PACKET *request_packet, RADIUS_PACKET *reply_packet)
{
char const *name;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
PAIR_LIST const *user_pl, *default_pl;
bool found = false;
PAIR_LIST my_pl;
char buffer[256];
if (!inst->key) {
VALUE_PAIR *namepair;
namepair = request->username;
name = namepair ? namepair->vp_strvalue : "NONE";
} else {
int len;
len = xlat_eval(buffer, sizeof(buffer), request, inst->key, NULL, NULL);
if (len < 0) {
return RLM_MODULE_FAIL;
}
name = len ? buffer : "NONE";
}
if (!tree) return RLM_MODULE_NOOP;
my_pl.name = name;
user_pl = rbtree_finddata(tree, &my_pl);
my_pl.name = "DEFAULT";
default_pl = rbtree_finddata(tree, &my_pl);
/*
* Find the entry for the user.
*/
while (user_pl || default_pl) {
fr_cursor_t cursor;
VALUE_PAIR *vp;
PAIR_LIST const *pl;
/*
* Figure out which entry to match on.
*/
if (!default_pl && user_pl) {
pl = user_pl;
user_pl = user_pl->next;
} else if (!user_pl && default_pl) {
pl = default_pl;
default_pl = default_pl->next;
} else if (user_pl->order < default_pl->order) {
pl = user_pl;
user_pl = user_pl->next;
} else {
pl = default_pl;
default_pl = default_pl->next;
}
MEM(fr_pair_list_copy(request, &check_tmp, pl->check) >= 0);
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (xlat_eval_pair(request, vp) < 0) {
RWARN("Failed parsing expanded value for check item, skipping entry: %s", fr_strerror());
fr_pair_list_free(&check_tmp);
continue;
}
}
if (paircmp(request, request_packet->vps, check_tmp, &reply_packet->vps) == 0) {
RDEBUG2("Found match \"%s\" one line %d of %s", pl->name, pl->lineno, filename);
found = true;
/* ctx may be reply or proxy */
MEM(fr_pair_list_copy(reply_packet, &reply_tmp, pl->reply) >= 0);
radius_pairmove(request, &reply_packet->vps, reply_tmp, true);
fr_pair_list_move(&request->control, &check_tmp);
reply_tmp = NULL; /* radius_pairmove() frees input attributes */
fr_pair_list_free(&check_tmp);
/*
* Fallthrough?
*/
if (!fall_through(pl->reply)) break;
}
}
/*
* Remove server internal parameters.
*/
fr_pair_delete_by_da(&reply_packet->vps, attr_fall_through);
/*
* See if we succeeded.
*/
if (!found)
return RLM_MODULE_NOOP; /* on to the next module */
return RLM_MODULE_OK;
}
static unlang_action_t unlang_foreach(REQUEST *request,
rlm_rcode_t *presult, int *priority)
{
VALUE_PAIR *vp;
unlang_stack_t *stack = request->stack;
unlang_stack_frame_t *frame = &stack->frame[stack->depth];
unlang_t *instruction = frame->instruction;
unlang_frame_state_foreach_t *foreach = NULL;
unlang_group_t *g;
g = unlang_generic_to_group(instruction);
if (!frame->repeat) {
int i, foreach_depth = -1;
VALUE_PAIR *vps;
if (stack->depth >= UNLANG_STACK_MAX) {
ERROR("Internal sanity check failed: module stack is too deep");
fr_exit(EXIT_FAILURE);
}
/*
* Figure out how deep we are in nesting by looking at request_data
* stored previously.
*
* FIXME: figure this out by walking up the modcall stack instead.
*/
for (i = 0; i < 8; i++) {
if (!request_data_reference(request, (void *)xlat_fmt_get_vp, i)) {
foreach_depth = i;
break;
}
}
if (foreach_depth < 0) {
REDEBUG("foreach Nesting too deep!");
*presult = RLM_MODULE_FAIL;
*priority = 0;
return UNLANG_ACTION_CALCULATE_RESULT;
}
/*
* Copy the VPs from the original request, this ensures deterministic
* behaviour if someone decides to add or remove VPs in the set we're
* iterating over.
*/
if (tmpl_copy_vps(stack, &vps, request, g->vpt) < 0) { /* nothing to loop over */
*presult = RLM_MODULE_NOOP;
*priority = instruction->actions[RLM_MODULE_NOOP];
return UNLANG_ACTION_CALCULATE_RESULT;
}
MEM(frame->state = foreach = talloc_zero(stack, unlang_frame_state_foreach_t));
rad_assert(vps != NULL);
foreach->depth = foreach_depth;
foreach->vps = vps;
fr_cursor_talloc_init(&foreach->cursor, &foreach->vps, VALUE_PAIR);
#ifndef NDEBUG
foreach->indent = request->log.unlang_indent;
#endif
vp = fr_cursor_head(&foreach->cursor);
} else {
foreach = talloc_get_type_abort(frame->state, unlang_frame_state_foreach_t);
vp = fr_cursor_next(&foreach->cursor);
/*
* We've been asked to unwind to the
* enclosing "foreach". We're here, so
* we can stop unwinding.
*/
if (frame->unwind == UNLANG_TYPE_BREAK) {
frame->unwind = UNLANG_TYPE_NULL;
vp = NULL;
}
/*
* Unwind all the way.
*/
if (frame->unwind == UNLANG_TYPE_RETURN) {
vp = NULL;
}
if (!vp) {
/*
* Free the copied vps and the request data
* If we don't remove the request data, something could call
* the xlat outside of a foreach loop and trigger a segv.
*/
fr_pair_list_free(&foreach->vps);
request_data_get(request, (void *)xlat_fmt_get_vp, foreach->depth);
*presult = frame->result;
if (*presult != RLM_MODULE_UNKNOWN) *priority = instruction->actions[*presult];
#ifndef NDEBUG
rad_assert(foreach->indent == request->log.unlang_indent);
#endif
return UNLANG_ACTION_CALCULATE_RESULT;
}
}
#ifndef NDEBUG
RDEBUG2("");
RDEBUG2("# looping with: Foreach-Variable-%d = %pV", foreach->depth, &vp->data);
#endif
rad_assert(vp);
/*
* Add the vp to the request, so that
* xlat.c, xlat_foreach() can find it.
*/
foreach->variable = vp;
request_data_add(request, (void *)xlat_fmt_get_vp, foreach->depth, &foreach->variable,
false, false, false);
/*
* Push the child, and yield for a later return.
*/
unlang_push(stack, g->children, frame->result, UNLANG_NEXT_SIBLING, UNLANG_SUB_FRAME);
frame->repeat = true;
return UNLANG_ACTION_PUSHED_CHILD;
}
/*
* Process and reply to an authentication request
*
* The return value of this function isn't actually used right now, so
* it's not entirely clear if it is returning the right things. --Pac.
*/
int rad_authenticate(REQUEST *request)
{
#ifdef WITH_SESSION_MGMT
VALUE_PAIR *check_item;
#endif
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
int result;
char autz_retry = 0;
int autz_type = 0;
#ifdef WITH_PROXY
/*
* If this request got proxied to another server, we need
* to check whether it authenticated the request or not.
*
* request->proxy gets set only AFTER authorization, so
* it's safe to check it here. If it exists, it means
* we're doing a second pass through rad_authenticate().
*/
if (request->proxy) {
int code = 0;
if (request->proxy_reply) code = request->proxy_reply->code;
switch (code) {
/*
* Reply of ACCEPT means accept, thus set Auth-Type
* accordingly.
*/
case PW_CODE_ACCESS_ACCEPT:
tmp = radius_pair_create(request,
&request->config,
PW_AUTH_TYPE, 0);
if (tmp) tmp->vp_integer = PW_AUTH_TYPE_ACCEPT;
goto authenticate;
/*
* Challenges are punted back to the NAS without any
* further processing.
*/
case PW_CODE_ACCESS_CHALLENGE:
request->reply->code = PW_CODE_ACCESS_CHALLENGE;
fr_state_put_vps(request, request->packet, request->reply);
return RLM_MODULE_OK;
/*
* ALL other replies mean reject. (this is fail-safe)
*
* Do NOT do any authorization or authentication. They
* are being rejected, so we minimize the amount of work
* done by the server, by rejecting them here.
*/
case PW_CODE_ACCESS_REJECT:
rad_authlog("Login incorrect (Home Server says so)",
request, 0);
request->reply->code = PW_CODE_ACCESS_REJECT;
fr_state_discard(request, request->packet);
return RLM_MODULE_REJECT;
default:
rad_authlog("Login incorrect (Home Server failed to respond)",
request, 0);
fr_state_discard(request, request->packet);
return RLM_MODULE_REJECT;
}
}
#endif
/*
* Look for, and cache, passwords.
*/
if (!request->password) {
request->password = fr_pair_find_by_num(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
if (!request->password) {
request->password = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
/*
* Grab the VPS associated with the State attribute.
*/
fr_state_get_vps(request, request->packet);
/*
* Get the user's authorization information from the database
*/
autz_redo:
result = process_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
case RLM_MODULE_HANDLED:
return result;
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
if ((module_msg = fr_pair_find_by_num(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
char msg[MAX_STRING_LEN + 16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->vp_strvalue);
rad_authlog(msg,request,0);
} else {
rad_authlog("Invalid user", request, 0);
}
request->reply->code = PW_CODE_ACCESS_REJECT;
return result;
}
if (!autz_retry) {
tmp = fr_pair_find_by_num(request->config, PW_AUTZ_TYPE, 0, TAG_ANY);
if (tmp) {
autz_type = tmp->vp_integer;
RDEBUG2("Using Autz-Type %s",
dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
autz_retry = 1;
goto autz_redo;
}
}
/*
* If we haven't already proxied the packet, then check
* to see if we should. Maybe one of the authorize
* modules has decided that a proxy should be used. If
* so, get out of here and send the packet.
*/
if (
#ifdef WITH_PROXY
(request->proxy == NULL) &&
#endif
((tmp = fr_pair_find_by_num(request->config, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
REALM *realm;
realm = realm_find2(tmp->vp_strvalue);
/*
* Don't authenticate, as the request is going to
* be proxied.
*/
if (realm && realm->auth_pool) {
return RLM_MODULE_OK;
}
/*
* Catch users who set Proxy-To-Realm to a LOCAL
* realm (sigh). But don't complain if it is
* *the* LOCAL realm.
*/
if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
}
if (!realm) {
RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
}
}
#ifdef WITH_PROXY
authenticate:
#endif
/*
* Validate the user
*/
do {
result = rad_check_password(request);
if (result > 0) {
return RLM_MODULE_HANDLED;
}
} while(0);
/*
* Failed to validate the user.
*
* We PRESUME that the code which failed will clean up
* request->reply->vps, to be ONLY the reply items it
* wants to send back.
*/
if (result < 0) {
RDEBUG2("Failed to authenticate the user");
request->reply->code = PW_CODE_ACCESS_REJECT;
if ((module_msg = fr_pair_find_by_num(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+19];
snprintf(msg, sizeof(msg), "Login incorrect (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 0);
} else {
rad_authlog("Login incorrect", request, 0);
}
if (request->password) {
VERIFY_VP(request->password);
/* double check: maybe the secret is wrong? */
if ((rad_debug_lvl > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
uint8_t const *p;
p = (uint8_t const *) request->password->vp_strvalue;
while (*p) {
int size;
size = fr_utf8_char(p, -1);
if (!size) {
RWDEBUG("Unprintable characters in the password. Double-check the "
"shared secret on the server and the NAS!");
break;
}
p += size;
}
}
}
}
#ifdef WITH_SESSION_MGMT
if (result >= 0 &&
(check_item = fr_pair_find_by_num(request->config, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
int r, session_type = 0;
char logstr[1024];
char umsg[MAX_STRING_LEN + 1];
tmp = fr_pair_find_by_num(request->config, PW_SESSION_TYPE, 0, TAG_ANY);
if (tmp) {
session_type = tmp->vp_integer;
RDEBUG2("Using Session-Type %s",
dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
}
/*
* User authenticated O.K. Now we have to check
* for the Simultaneous-Use parameter.
*/
if (request->username &&
(r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
char mpp_ok = 0;
if (r == 2){
/* Multilink attempt. Check if port-limit > simultaneous-use */
VALUE_PAIR *port_limit;
if ((port_limit = fr_pair_find_by_num(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
port_limit->vp_integer > check_item->vp_integer){
RDEBUG2("MPP is OK");
mpp_ok = 1;
}
}
if (!mpp_ok){
if (check_item->vp_integer > 1) {
snprintf(umsg, sizeof(umsg), "%s (%u)", main_config.denied_msg,
check_item->vp_integer);
} else {
strlcpy(umsg, main_config.denied_msg, sizeof(umsg));
}
request->reply->code = PW_CODE_ACCESS_REJECT;
/*
* They're trying to log in too many times.
* Remove ALL reply attributes.
*/
fr_pair_list_free(&request->reply->vps);
pair_make_reply("Reply-Message", umsg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
r == 2 ? "[MPP attempt]" : "");
rad_authlog(logstr, request, 1);
result = -1;
}
}
}
#endif
/*
* Result should be >= 0 here - if not, it means the user
* is rejected, so we just process post-auth and return.
*/
if (result < 0) {
return RLM_MODULE_REJECT;
}
/*
* Set the reply to Access-Accept, if it hasn't already
* been set to something. (i.e. Access-Challenge)
*/
if (request->reply->code == 0)
request->reply->code = PW_CODE_ACCESS_ACCEPT;
if ((module_msg = fr_pair_find_by_num(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
char msg[MAX_STRING_LEN+12];
snprintf(msg, sizeof(msg), "Login OK (%s)",
module_msg->vp_strvalue);
rad_authlog(msg, request, 1);
} else {
rad_authlog("Login OK", request, 1);
}
return result;
}
/** Break apart a TLV attribute into individual attributes
*
* @param[in] ctx to allocate new attributes in.
* @param[in] cursor to addd new attributes to.
* @param[in] parent the current attribute TLV attribute we're processing.
* @param[in] data to parse. Points to the data field of the attribute.
* @param[in] attr_len length of the TLV attribute.
* @param[in] data_len remaining data in the packet.
* @param[in] decoder_ctx IVs, keys etc...
* @return
* - Length on success.
* - < 0 on malformed attribute.
*/
static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_cursor_t *cursor,
fr_dict_attr_t const *parent,
uint8_t const *data, size_t const attr_len, size_t data_len,
void *decoder_ctx)
{
uint8_t const *p = data, *end = p + attr_len;
uint8_t *decr = NULL;
ssize_t decr_len;
fr_dict_attr_t const *child;
VALUE_PAIR *head = NULL;
fr_cursor_t tlv_cursor;
ssize_t rcode;
if (data_len < 2) {
fr_strerror_printf("%s: Insufficient data", __FUNCTION__);
return -1; /* minimum attr size */
}
/*
* We have an AES-128-CBC encrypted attribute
*
* IV is from AT_IV, key is from k_encr.
*
* unfortunately the ordering of these two attributes
* aren't specified, so we may have to hunt for the IV.
*/
if (parent->flags.encrypt) {
FR_PROTO_TRACE("found encrypted attribute '%s'", parent->name);
decr_len = sim_value_decrypt(ctx, &decr, p + 2,
attr_len - 2, data_len - 2, decoder_ctx); /* Skip reserved */
if (decr_len < 0) return -1;
p = decr;
end = p + decr_len;
} else {
p += 2; /* Skip the reserved bytes */
}
FR_PROTO_HEX_DUMP(p, end - p, "tlvs");
/*
* Record where we were in the list when packet_ctx function was called
*/
fr_cursor_init(&tlv_cursor, &head);
while ((size_t)(end - p) >= sizeof(uint32_t)) {
uint8_t sim_at = p[0];
size_t sim_at_len = ((size_t)p[1]) << 2;
if ((p + sim_at_len) > end) {
fr_strerror_printf("%s: Malformed nested attribute %d: Length field (%zu bytes) value "
"longer than remaining data in parent (%zu bytes)",
__FUNCTION__, sim_at, sim_at_len, end - p);
error:
talloc_free(decr);
fr_pair_list_free(&head);
return -1;
}
if (sim_at_len == 0) {
fr_strerror_printf("%s: Malformed nested attribute %d: Length field 0", __FUNCTION__, sim_at);
goto error;
}
/*
* Padding attributes are cleartext inside of
* encrypted TLVs to pad out the value to the
* correct length for the block cipher
* (16 in the case of AES-128-CBC).
*/
if (sim_at == FR_SIM_PADDING) {
uint8_t zero = 0;
uint8_t i;
if (!parent->flags.encrypt) {
fr_strerror_printf("%s: Found padding attribute outside of an encrypted TLV",
__FUNCTION__);
goto error;
}
if (!fr_cond_assert(data_len % 4)) goto error;
if (sim_at_len > 12) {
fr_strerror_printf("%s: Expected padding attribute length <= 12 bytes, got %zu bytes",
__FUNCTION__, sim_at_len);
goto error;
}
/*
* RFC says we MUST verify that FR_SIM_PADDING
* data is zeroed out.
*/
for (i = 2; i < sim_at_len; i++) zero |= p[i];
if (zero) {
fr_strerror_printf("%s: Padding attribute value not zeroed 0x%pH", __FUNCTION__,
fr_box_octets(p + 2, sim_at_len - 2));
goto error;
}
p += sim_at_len;
continue;
}
child = fr_dict_attr_child_by_num(parent, p[0]);
if (!child) {
fr_dict_attr_t const *unknown_child;
FR_PROTO_TRACE("Failed to find child %u of TLV %s", p[0], parent->name);
/*
* Encountered none skippable attribute
*
* RFC says we need to die on these if we don't
* understand them. non-skippables are < 128.
*/
if (sim_at <= SIM_SKIPPABLE_MAX) {
fr_strerror_printf("%s: Unknown (non-skippable) attribute %i",
__FUNCTION__, sim_at);
goto error;
}
/*
* Build an unknown attr
*/
unknown_child = fr_dict_unknown_afrom_fields(ctx, parent,
fr_dict_vendor_num_by_da(parent), p[0]);
if (!unknown_child) goto error;
child = unknown_child;
}
FR_PROTO_TRACE("decode context changed %s -> %s", parent->name, child->name);
rcode = sim_decode_pair_value(ctx, &tlv_cursor, child, p + 2, sim_at_len - 2, (end - p) - 2,
decoder_ctx);
if (rcode < 0) goto error;
p += sim_at_len;
}
fr_cursor_head(&tlv_cursor);
fr_cursor_tail(cursor);
fr_cursor_merge(cursor, &tlv_cursor); /* Wind to the end of the new pairs */
talloc_free(decr);
return attr_len;
}
/*
* Do post-proxy processing,
*/
static int CC_HINT(nonnull) eapttls_postproxy(eap_handler_t *handler, void *data)
{
int rcode;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
* request, do more processing of it.
*/
fake = (REQUEST *) request_data_get(handler->request,
handler->request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK);
/*
* Do the callback, if it exists, and if it was a success.
*/
if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "server %s {\n",
(!fake->server) ? "" : fake->server);
}
/*
* Perform a post-auth stage for the tunneled
* session.
*/
fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(!fake->server) ? "" : fake->server);
RDEBUG("Final reply from tunneled session code %d", fake->reply->code);
rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
}
/*
* Terrible hacks.
*/
request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
* And we're done with this request.
*/
switch (rcode) {
case RLM_MODULE_FAIL:
talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
request->proxy_reply->code);
break;
}
}
talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
*/
rcode = process_reply(handler, tls_session, handler->request, handler->request->proxy_reply);
/*
* The proxy code uses the reply from the home server as
* the basis for the reply to the NAS. We don't want that,
* so we toss it, after we've had our way with it.
*/
fr_pair_list_free(&handler->request->proxy_reply->vps);
switch (rcode) {
case RLM_MODULE_REJECT:
RDEBUG("Reply was rejected");
break;
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
RDEBUG("Reply was OK");
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
default:
RDEBUG("Reply was unknown");
break;
}
eaptls_fail(handler, 0);
return 0;
}
/*
* Convert diameter attributes to our VALUE_PAIR's
*/
static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl,
uint8_t const *data, size_t data_len)
{
uint32_t attr;
uint32_t vendor;
uint32_t length;
size_t offset;
size_t size;
size_t data_left = data_len;
VALUE_PAIR *first = NULL;
VALUE_PAIR *vp;
RADIUS_PACKET *packet = fake->packet; /* FIXME: api issues */
vp_cursor_t out;
fr_cursor_init(&out, &first);
while (data_left > 0) {
rad_assert(data_left <= data_len);
memcpy(&attr, data, sizeof(attr));
data += 4;
attr = ntohl(attr);
vendor = 0;
memcpy(&length, data, sizeof(length));
data += 4;
length = ntohl(length);
/*
* A "vendor" flag, with a vendor ID of zero,
* is equivalent to no vendor. This is stupid.
*/
offset = 8;
if ((length & ((uint32_t)1 << 31)) != 0) {
memcpy(&vendor, data, sizeof(vendor));
vendor = ntohl(vendor);
data += 4; /* skip the vendor field, it's zero */
offset += 4; /* offset to value field */
if (attr > 65535) goto next_attr;
if (vendor > FR_MAX_VENDOR) goto next_attr;
}
/*
* FIXME: Handle the M bit. For now, we assume that
* some other module takes care of any attribute
* with the M bit set.
*/
/*
* Get the length.
*/
length &= 0x00ffffff;
/*
* Get the size of the value portion of the
* attribute.
*/
size = length - offset;
/*
* Vendor attributes can be larger than 255.
* Normal attributes cannot be.
*/
if ((attr > 255) && (vendor == 0)) {
RWDEBUG2("Skipping Diameter attribute %u", attr);
goto next_attr;
}
/*
* EAP-Message AVPs can be larger than 253 octets.
*
* For now, we rely on the main decoder in
* src/lib/radius to decode data into VPs. This
* means putting the data into a RADIUS attribute
* format. It also means that we can't handle
* "extended" attributes in the Diameter space. Oh well...
*/
if ((size > 253) && !((vendor == 0) && (attr == PW_EAP_MESSAGE))) {
RWDEBUG2("diameter2vp skipping long attribute %u", attr);
goto next_attr;
}
/*
* RADIUS VSAs are handled as Diameter attributes
* with Vendor-Id == 0, and the VSA data packed
* into the "String" field as per normal.
*
* EXCEPT for the MS-CHAP attributes.
*/
if ((vendor == 0) && (attr == PW_VENDOR_SPECIFIC)) {
ssize_t decoded;
uint8_t buffer[256];
buffer[0] = PW_VENDOR_SPECIFIC;
buffer[1] = size + 2;
memcpy(buffer + 2, data, size);
vp = NULL;
decoded = rad_attr2vp(packet, NULL, NULL, NULL,
buffer, size + 2, &vp);
if (decoded < 0) {
REDEBUG2("diameter2vp failed decoding attr: %s",
fr_strerror());
goto do_octets;
}
if ((size_t) decoded != size + 2) {
REDEBUG2("diameter2vp failed to entirely decode VSA");
fr_pair_list_free(&vp);
goto do_octets;
}
fr_cursor_merge(&out, vp);
goto next_attr;
}
/*
* Create it. If this fails, it's because we're OOM.
*/
do_octets:
vp = fr_pair_afrom_num(packet, attr, vendor);
if (!vp) {
RDEBUG2("Failure in creating VP");
fr_pair_list_free(&first);
return NULL;
}
/*
* If it's a type from our dictionary, then
* we need to put the data in a relevant place.
*
* @todo: Export the lib/radius.c decoder, and use it here!
*/
switch (vp->da->type) {
case PW_TYPE_INTEGER:
case PW_TYPE_DATE:
if (size != vp->vp_length) {
DICT_ATTR const *da;
/*
* Bad format. Create a "raw"
* attribute.
*/
raw:
if (vp) fr_pair_list_free(&vp);
da = dict_unknown_afrom_fields(packet, attr, vendor);
if (!da) return NULL;
vp = fr_pair_afrom_da(packet, da);
if (!vp) return NULL;
fr_pair_value_memcpy(vp, data, size);
break;
}
memcpy(&vp->vp_integer, data, vp->vp_length);
/*
* Stored in host byte order: change it.
*/
vp->vp_integer = ntohl(vp->vp_integer);
break;
case PW_TYPE_INTEGER64:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_integer64, data, vp->vp_length);
/*
* Stored in host byte order: change it.
*/
vp->vp_integer64 = ntohll(vp->vp_integer64);
break;
case PW_TYPE_IPV4_ADDR:
if (size != vp->vp_length) {
RDEBUG2("Invalid length attribute %d",
attr);
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
memcpy(&vp->vp_ipaddr, data, vp->vp_length);
/*
* Stored in network byte order: don't change it.
*/
break;
case PW_TYPE_BYTE:
if (size != vp->vp_length) goto raw;
vp->vp_byte = data[0];
break;
case PW_TYPE_SHORT:
if (size != vp->vp_length) goto raw;
vp->vp_short = (data[0] * 256) + data[1];
break;
case PW_TYPE_SIGNED:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_signed, data, vp->vp_length);
vp->vp_signed = ntohl(vp->vp_signed);
break;
case PW_TYPE_IPV6_ADDR:
if (size != vp->vp_length) goto raw;
memcpy(&vp->vp_ipv6addr, data, vp->vp_length);
break;
case PW_TYPE_IPV6_PREFIX:
if (size != vp->vp_length) goto raw;
memcpy(vp->vp_ipv6prefix, data, vp->vp_length);
break;
case PW_TYPE_STRING:
fr_pair_value_bstrncpy(vp, data, size);
vp->vp_length = strlen(vp->vp_strvalue); /* embedded zeros are NOT allowed */
break;
/*
* Copy it over verbatim.
*/
case PW_TYPE_OCTETS:
default:
fr_pair_value_memcpy(vp, data, size);
break;
}
/*
* Ensure that the client is using the
* correct challenge. This weirdness is
* to protect against against replay
* attacks, where anyone observing the
* CHAP exchange could pose as that user,
* by simply choosing to use the same
* challenge.
*
* By using a challenge based on
* information from the current session,
* we can guarantee that the client is
* not *choosing* a challenge.
*
* We're a little forgiving in that we
* have loose checks on the length, and
* we do NOT check the Id (first octet of
* the response to the challenge)
*
* But if the client gets the challenge correct,
* we're not too worried about the Id.
*/
if (((vp->da->vendor == 0) && (vp->da->attr == PW_CHAP_CHALLENGE)) ||
((vp->da->vendor == VENDORPEC_MICROSOFT) && (vp->da->attr == PW_MSCHAP_CHALLENGE))) {
uint8_t challenge[16];
if ((vp->vp_length < 8) ||
(vp->vp_length > 16)) {
RDEBUG("Tunneled challenge has invalid length");
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
eapttls_gen_challenge(ssl, challenge,
sizeof(challenge));
if (memcmp(challenge, vp->vp_octets,
vp->vp_length) != 0) {
RDEBUG("Tunneled challenge is incorrect");
fr_pair_list_free(&first);
fr_pair_list_free(&vp);
return NULL;
}
}
/*
* Update the list.
*/
fr_cursor_insert(&out, vp);
next_attr:
/*
* Catch non-aligned attributes.
*/
if (data_left == length) break;
/*
* The length does NOT include the padding, so
* we've got to account for it here by rounding up
* to the nearest 4-byte boundary.
*/
length += 0x03;
length &= ~0x03;
rad_assert(data_left >= length);
data_left -= length;
data += length - offset; /* already updated */
}
/*
* We got this far. It looks OK.
*/
return first;
}
static rlm_rcode_t mod_authorize(void *instance, REQUEST *request)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
rlm_sql_t *inst = instance;
rlm_sql_handle_t *handle;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
bool user_found = false;
sql_fall_through_t do_fall_through = FALL_THROUGH_DEFAULT;
int rows;
char *expanded = NULL;
rad_assert(request->packet != NULL);
rad_assert(request->reply != NULL);
if (!inst->config->authorize_check_query && !inst->config->authorize_reply_query &&
!inst->config->read_groups && !inst->config->read_profiles) {
RWDEBUG("No authorization checks configured, returning noop");
return RLM_MODULE_NOOP;
}
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* Reserve a socket
*
* After this point use goto error or goto release to cleanup socket temporary pairlists and
* temporary attributes.
*/
handle = fr_connection_get(inst->pool);
if (!handle) {
rcode = RLM_MODULE_FAIL;
goto error;
}
/*
* Query the check table to find any conditions associated with this user/realm/whatever...
*/
if (inst->config->authorize_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
if (radius_axlat(&expanded, request, inst->config->authorize_check_query,
inst->sql_escape_func, handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request, inst, request, &handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error getting check attributes");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply; /* Don't need to free VPs we don't have */
/*
* Only do this if *some* check pairs were returned
*/
RDEBUG2("User found in radcheck table");
user_found = true;
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0) {
fr_pair_list_free(&check_tmp);
check_tmp = NULL;
goto skipreply;
}
RDEBUG2("Conditional check items matched, merging assignment check items");
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(2, request, vp, NULL);
}
REXDENT();
radius_pairmove(request, &request->config, check_tmp, true);
rcode = RLM_MODULE_OK;
check_tmp = NULL;
}
if (inst->config->authorize_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_reply_query,
inst->sql_escape_func, handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request->reply, inst, request, &handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error getting reply attributes");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply;
do_fall_through = fall_through(reply_tmp);
RDEBUG2("User found in radreply table, merging reply items");
user_found = true;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp, NULL);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
rcode = RLM_MODULE_OK;
reply_tmp = NULL;
}
/*
* Neither group checks or profiles will work without
* a group membership query.
*/
if (!inst->config->groupmemb_query) goto release;
skipreply:
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_groups && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
RDEBUG3("... falling-through to group processing");
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* Repeat the above process with the default profile or User-Profile
*/
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
/*
* Check for a default_profile or for a User-Profile.
*/
RDEBUG3("... falling-through to profile processing");
user_profile = fr_pair_find_by_num(request->config, 0, PW_USER_PROFILE, TAG_ANY);
char const *profile = user_profile ?
user_profile->vp_strvalue :
inst->config->default_profile;
if (!profile || !*profile) {
goto release;
}
RDEBUG2("Checking profile %s", profile);
if (sql_set_user(inst, request, profile) < 0) {
REDEBUG("Error setting profile");
rcode = RLM_MODULE_FAIL;
goto error;
}
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* At this point the key (user) hasn't be found in the check table, the reply table
* or the group mapping table, and there was no matching profile.
*/
release:
if (!user_found) {
rcode = RLM_MODULE_NOTFOUND;
}
fr_connection_release(inst->pool, handle);
sql_unset_user(inst, request);
return rcode;
error:
fr_pair_list_free(&check_tmp);
fr_pair_list_free(&reply_tmp);
sql_unset_user(inst, request);
fr_connection_release(inst->pool, handle);
return rcode;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search.
* @param[in] attr membership attribute to look for in the entry.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn,
LDAPMessage *entry, char const *attr)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
struct berval **values;
char *group_name[LDAP_MAX_CACHEABLE + 1];
char **name_p = group_name;
char *group_dn[LDAP_MAX_CACHEABLE + 1];
char **dn_p;
char *name;
VALUE_PAIR *vp, **list, *groups = NULL;
TALLOC_CTX *list_ctx, *value_ctx;
vp_cursor_t list_cursor, groups_cursor;
int is_dn, i, count;
rad_assert(entry);
rad_assert(attr);
/*
* Parse the membership information we got in the initial user query.
*/
values = ldap_get_values_len((*pconn)->handle, entry, attr);
if (!values) {
RDEBUG2("No cacheable group memberships found in user object");
return RLM_MODULE_OK;
}
count = ldap_count_values_len(values);
list = radius_list(request, PAIR_LIST_CONTROL);
list_ctx = radius_list_ctx(request, PAIR_LIST_CONTROL);
/*
* Simplifies freeing temporary values
*/
value_ctx = talloc_new(request);
/*
* Temporary list to hold new group VPs, will be merged
* once all group info has been gathered/resolved
* successfully.
*/
fr_cursor_init(&groups_cursor, &groups);
for (i = 0; (i < LDAP_MAX_CACHEABLE) && (i < count); i++) {
is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len);
if (inst->cacheable_group_dn) {
/*
* The easy case, we're caching DNs and we got a DN.
*/
if (is_dn) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&groups_cursor, vp);
/*
* We were told to cache DNs but we got a name, we now need to resolve
* this to a DN. Store all the group names in an array so we can do one query.
*/
} else {
*name_p++ = rlm_ldap_berval_to_string(value_ctx, values[i]);
}
}
if (inst->cacheable_group_name) {
/*
* The easy case, we're caching names and we got a name.
*/
if (!is_dn) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&groups_cursor, vp);
/*
* We were told to cache names but we got a DN, we now need to resolve
* this to a name.
* Only Active Directory supports filtering on DN, so we have to search
* for each individual group.
*/
} else {
char *dn;
dn = rlm_ldap_berval_to_string(value_ctx, values[i]);
rcode = rlm_ldap_group_dn2name(inst, request, pconn, dn, &name);
talloc_free(dn);
if (rcode != RLM_MODULE_OK) {
ldap_value_free_len(values);
talloc_free(value_ctx);
fr_pair_list_free(&groups);
return rcode;
}
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, name, talloc_array_length(name) - 1);
fr_cursor_insert(&groups_cursor, vp);
talloc_free(name);
}
}
}
*name_p = NULL;
rcode = rlm_ldap_group_name2dn(inst, request, pconn, group_name, group_dn, sizeof(group_dn));
ldap_value_free_len(values);
talloc_free(value_ctx);
if (rcode != RLM_MODULE_OK) return rcode;
fr_cursor_init(&list_cursor, list);
RDEBUG("Adding cacheable user object memberships");
RINDENT();
if (RDEBUG_ENABLED) {
for (vp = fr_cursor_first(&groups_cursor);
vp;
vp = fr_cursor_next(&groups_cursor)) {
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue);
}
}
fr_cursor_merge(&list_cursor, groups);
for (dn_p = group_dn; *dn_p; dn_p++) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_strcpy(vp, *dn_p);
fr_cursor_insert(&list_cursor, vp);
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue);
ldap_memfree(*dn_p);
}
REXDENT();
return rcode;
}
static rlm_rcode_t rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t **handle,
sql_fall_through_t *do_fall_through)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
VALUE_PAIR *check_tmp = NULL, *reply_tmp = NULL, *sql_group = NULL;
rlm_sql_grouplist_t *head = NULL, *entry = NULL;
char *expanded = NULL;
int rows;
rad_assert(request->packet != NULL);
if (!inst->config->groupmemb_query) {
RWARN("Cannot do check groups when group_membership_query is not set");
do_nothing:
*do_fall_through = FALL_THROUGH_DEFAULT;
/*
* Didn't add group attributes or allocate
* memory, so don't do anything else.
*/
return RLM_MODULE_NOTFOUND;
}
/*
* Get the list of groups this user is a member of
*/
rows = sql_get_grouplist(inst, handle, request, &head);
if (rows < 0) {
REDEBUG("Error retrieving group list");
return RLM_MODULE_FAIL;
}
if (rows == 0) {
RDEBUG2("User not found in any groups");
goto do_nothing;
}
rad_assert(head);
RDEBUG2("User found in the group table");
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pair_make_request(inst->group_da->name, NULL, T_OP_EQ);
if (!sql_group) {
REDEBUG("Error creating %s attribute", inst->group_da->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry = head;
do {
next:
rad_assert(entry != NULL);
fr_pair_value_strcpy(sql_group, entry->name);
if (inst->config->authorize_group_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
/*
* Expand the group query
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_check_query,
inst->sql_escape_func, *handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request, inst, request, handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving check pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* If we got check rows we need to process them before we decide to
* process the reply rows
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0)) {
fr_pair_list_free(&check_tmp);
entry = entry->next;
if (!entry) break;
goto next; /* != continue */
}
RDEBUG2("Group \"%s\": Conditional check items matched", entry->name);
rcode = RLM_MODULE_OK;
RDEBUG2("Group \"%s\": Merging assignment check items", entry->name);
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
}
REXDENT();
radius_pairmove(request, &request->config, check_tmp, true);
check_tmp = NULL;
}
if (inst->config->authorize_group_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_reply_query,
inst->sql_escape_func, *handle) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request->reply, inst, request, handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving reply pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
*do_fall_through = fall_through(reply_tmp);
RDEBUG2("Group \"%s\": Merging reply items", entry->name);
rcode = RLM_MODULE_OK;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp, NULL);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
reply_tmp = NULL;
/*
* If there's no reply query configured, then we assume
* FALL_THROUGH_NO, which is the same as the users file if you
* had no reply attributes.
*/
} else {
*do_fall_through = FALL_THROUGH_DEFAULT;
}
entry = entry->next;
} while (entry != NULL && (*do_fall_through == FALL_THROUGH_YES));
finish:
talloc_free(head);
fr_pair_delete_by_num(&request->packet->vps, 0, inst->group_da->attr, TAG_ANY);
return rcode;
}
/*
* Use a reply packet to determine what to do.
*/
static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *handler, tls_session_t *tls_session,
REQUEST *request, RADIUS_PACKET *reply)
{
rlm_rcode_t rcode = RLM_MODULE_REJECT;
VALUE_PAIR *vp;
ttls_tunnel_t *t = tls_session->opaque;
rad_assert(handler->request == request);
/*
* If the response packet was Access-Accept, then
* we're OK. If not, die horribly.
*
* FIXME: Take MS-CHAP2-Success attribute, and
* tunnel it back to the client, to authenticate
* ourselves to the client.
*
* FIXME: If we have an Access-Challenge, then
* the Reply-Message is tunneled back to the client.
*
* FIXME: If we have an EAP-Message, then that message
* must be tunneled back to the client.
*
* FIXME: If we have an Access-Challenge with a State
* attribute, then do we tunnel that to the client, or
* keep track of it ourselves?
*
* FIXME: EAP-Messages can only start with 'identity',
* NOT 'eap start', so we should check for that....
*/
switch (reply->code) {
case PW_CODE_ACCESS_ACCEPT:
RDEBUG("Got tunneled Access-Accept");
rcode = RLM_MODULE_OK;
/*
* MS-CHAP2-Success means that we do NOT return
* an Access-Accept, but instead tunnel that
* attribute to the client, and keep going with
* the TTLS session. Once the client accepts
* our identity, it will respond with an empty
* packet, and we will send EAP-Success.
*/
vp = NULL;
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
if (vp) {
RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge");
rcode = RLM_MODULE_HANDLED;
t->authenticated = true;
/*
* Delete MPPE keys & encryption policy. We don't
* want these here.
*/
fr_pair_delete_by_num(&reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
fr_pair_delete_by_num(&reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
/*
* Use the tunneled reply, but not now.
*/
if (t->use_tunneled_reply) {
rad_assert(!t->accept_vps);
fr_pair_list_move_by_num(t, &t->accept_vps, &reply->vps,
0, 0, TAG_ANY);
rad_assert(!reply->vps);
}
} else { /* no MS-CHAP2-Success */
/*
* Can only have EAP-Message if there's
* no MS-CHAP2-Success. (FIXME: EAP-MSCHAP?)
*
* We also do NOT tunnel the EAP-Success
* attribute back to the client, as the client
* can figure it out, from the non-tunneled
* EAP-Success packet.
*/
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
fr_pair_list_free(&vp);
}
/* move channel binding responses; we need to send them */
fr_pair_list_move_by_num(tls_session, &vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
if (fr_pair_find_by_num(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
t->authenticated = true;
/*
* Use the tunneled reply, but not now.
*/
if (t->use_tunneled_reply) {
rad_assert(!t->accept_vps);
fr_pair_list_move_by_num(t, &t->accept_vps, &reply->vps,
0, 0, TAG_ANY);
rad_assert(!reply->vps);
}
rcode = RLM_MODULE_HANDLED;
}
/*
* Handle the ACK, by tunneling any necessary reply
* VP's back to the client.
*/
if (vp) {
RDEBUG("Sending tunneled reply attributes");
rdebug_pair_list(L_DBG_LVL_1, request, vp, NULL);
vp2diameter(request, tls_session, vp);
fr_pair_list_free(&vp);
}
/*
* If we've been told to use the attributes from
* the reply, then do so.
*
* WARNING: This may leak information about the
* tunneled user!
*/
if (t->use_tunneled_reply) {
fr_pair_delete_by_num(&reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
fr_pair_list_move_by_num(request->reply, &request->reply->vps,
&reply->vps, 0, 0, TAG_ANY);
}
break;
case PW_CODE_ACCESS_REJECT:
RDEBUG("Got tunneled Access-Reject");
rcode = RLM_MODULE_REJECT;
break;
/*
* Handle Access-Challenge, but only if we
* send tunneled reply data. This is because
* an Access-Challenge means that we MUST tunnel
* a Reply-Message to the client.
*/
case PW_CODE_ACCESS_CHALLENGE:
RDEBUG("Got tunneled Access-Challenge");
/*
* Keep the State attribute, if necessary.
*
* Get rid of the old State, too.
*/
fr_pair_list_free(&t->state);
fr_pair_list_move_by_num(t, &t->state, &reply->vps, PW_STATE, 0, TAG_ANY);
/*
* We should really be a bit smarter about this,
* and move over only those attributes which
* are relevant to the authentication request,
* but that's a lot more work, and this "dumb"
* method works in 99.9% of the situations.
*/
vp = NULL;
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
/*
* There MUST be a Reply-Message in the challenge,
* which we tunnel back to the client.
*
* If there isn't one in the reply VP's, then
* we MUST create one, with an empty string as
* it's value.
*/
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_REPLY_MESSAGE, 0, TAG_ANY);
/* also move chbind messages, if any */
fr_pair_list_move_by_num(t, &vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA,
TAG_ANY);
/*
* Handle the ACK, by tunneling any necessary reply
* VP's back to the client.
*/
if (vp) {
vp2diameter(request, tls_session, vp);
fr_pair_list_free(&vp);
}
rcode = RLM_MODULE_HANDLED;
break;
default:
RDEBUG("Unknown RADIUS packet type %d: rejecting tunneled user", reply->code);
rcode = RLM_MODULE_INVALID;
break;
}
return rcode;
}
static int eap_aka_compose(eap_session_t *eap_session)
{
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
fr_cursor_t cursor;
fr_cursor_t to_encode;
VALUE_PAIR *head = NULL, *vp;
REQUEST *request = eap_session->request;
ssize_t ret;
fr_sim_encode_ctx_t encoder_ctx = {
.root = fr_dict_root(dict_eap_aka),
.keys = &eap_aka_session->keys,
.iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
.iv_included = false,
.hmac_md = eap_aka_session->mac_md,
.eap_packet = eap_session->this_round->request,
.hmac_extra = NULL,
.hmac_extra_len = 0
};
fr_cursor_init(&cursor, &eap_session->request->reply->vps);
fr_cursor_init(&to_encode, &head);
while ((vp = fr_cursor_current(&cursor))) {
if (!fr_dict_parent_common(encoder_ctx.root, vp->da, true)) {
fr_cursor_next(&cursor);
continue;
}
vp = fr_cursor_remove(&cursor);
/*
* Silently discard encrypted attributes until
* the peer should have k_encr. These can be
* added by policy, and seem to cause
* wpa_supplicant to fail if sent before the challenge.
*/
if (!eap_aka_session->allow_encrypted && fr_dict_parent_common(attr_eap_aka_encr_data, vp->da, true)) {
RWDEBUG("Silently discarding &reply:%s: Encrypted attributes not allowed in this round",
vp->da->name);
talloc_free(vp);
continue;
}
fr_cursor_append(&to_encode, vp);
}
RDEBUG2("Encoding EAP-AKA attributes");
log_request_pair_list(L_DBG_LVL_2, request, head, NULL);
eap_session->this_round->request->type.num = eap_aka_session->type;
eap_session->this_round->request->id = eap_aka_session->aka_id++ & 0xff;
eap_session->this_round->set_request_id = true;
ret = fr_sim_encode(eap_session->request, head, &encoder_ctx);
fr_cursor_head(&to_encode);
fr_cursor_free_list(&to_encode);
if (ret < 0) {
RPEDEBUG("Failed encoding EAP-AKA data");
return -1;
}
return 0;
}
/** Send an EAP-AKA identity request to the supplicant
*
* There are three types of user identities that can be implemented
* - Permanent identities such as [email protected]
* Permanent identities can be identified by the leading zero followed by
* by 15 digits (the IMSI number).
* - Ephemeral identities (pseudonyms). These are identities assigned for
* identity privacy so the user can't be tracked. These can identities
* can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses'
* document section 14, where a set of up to 16 encryption keys are used
* to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely
* randomised and stored in a datastore.
* - A fast resumption ID which resolves to data used for fast resumption.
*
* In order to perform full authentication the original IMSI is required for
* forwarding to the HLR. In the case where we can't match/decrypt the pseudonym,
* or can't perform fast resumption, we need to request the full identity from
* the supplicant.
*
* @param[in] eap_session to continue.
* @return
* - 0 on success.
* - <0 on failure.
*/
static int eap_aka_send_identity_request(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
VALUE_PAIR *vp;
RADIUS_PACKET *packet;
fr_cursor_t cursor;
RDEBUG2("Sending AKA-Identity (%s)", fr_int2str(sim_id_request_table, eap_aka_session->id_req, "<INVALID>"));
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
eap_aka_session->allow_encrypted = false; /* In case this is after failed fast-resumption */
packet = request->reply;
fr_cursor_init(&cursor, &packet->vps);
/*
* Set the subtype to identity request
*/
vp = fr_pair_afrom_da(packet, attr_eap_aka_subtype);
vp->vp_uint16 = FR_EAP_AKA_SUBTYPE_VALUE_AKA_IDENTITY;
fr_cursor_append(&cursor, vp);
/*
* Select the right type of identity request attribute
*/
switch (eap_aka_session->id_req) {
case SIM_ANY_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_any_id_req);
break;
case SIM_PERMANENT_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_permanent_id_req);
break;
case SIM_FULLAUTH_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_fullauth_id_req);
break;
default:
rad_assert(0);
}
vp->vp_bool = true;
fr_cursor_append(&cursor, vp);
/*
* Encode the packet
*/
if (eap_aka_compose(eap_session) < 0) {
failure:
fr_pair_list_free(&packet->vps);
return -1;
}
/*
* Digest the packet contents, updating our checkcode.
*/
if (!eap_aka_session->checkcode_state &&
fr_sim_crypto_init_checkcode(eap_aka_session, &eap_aka_session->checkcode_state,
eap_aka_session->checkcode_md) < 0) {
RPEDEBUG("Failed initialising checkcode");
goto failure;
}
if (fr_sim_crypto_update_checkcode(eap_aka_session->checkcode_state, eap_session->this_round->request) < 0) {
RPEDEBUG("Failed updating checkcode");
goto failure;
}
return 0;
}
/*
* Process the inner tunnel data
*/
FR_CODE eap_fast_process(eap_session_t *eap_session, tls_session_t *tls_session)
{
FR_CODE code;
VALUE_PAIR *fast_vps = NULL;
fr_cursor_t cursor;
uint8_t const *data;
size_t data_len;
eap_fast_tunnel_t *t;
REQUEST *request = eap_session->request;
/*
* Just look at the buffer directly, without doing
* record_to_buff.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t);
/*
* See if the tunneled data is well formed.
*/
if (!eap_fast_verify(request, tls_session, data, data_len)) return FR_CODE_ACCESS_REJECT;
if (t->stage == EAP_FAST_TLS_SESSION_HANDSHAKE) {
rad_assert(t->mode == EAP_FAST_UNKNOWN);
char buf[256];
if (strstr(SSL_CIPHER_description(SSL_get_current_cipher(tls_session->ssl),
buf, sizeof(buf)), "Au=None")) {
/* FIXME enforce MSCHAPv2 - RFC 5422 section 3.2.2 */
RDEBUG2("Using anonymous provisioning");
t->mode = EAP_FAST_PROVISIONING_ANON;
t->pac.send = true;
} else {
if (SSL_session_reused(tls_session->ssl)) {
RDEBUG2("Session Resumed from PAC");
t->mode = EAP_FAST_NORMAL_AUTH;
} else {
RDEBUG2("Using authenticated provisioning");
t->mode = EAP_FAST_PROVISIONING_AUTH;
}
if (!t->pac.expires || t->pac.expired || t->pac.expires - time(NULL) < t->pac_lifetime * 0.6) {
t->pac.send = true;
}
}
eap_fast_init_keys(request, tls_session);
eap_fast_send_identity_request(request, tls_session, eap_session);
t->stage = EAP_FAST_AUTHENTICATION;
return FR_CODE_ACCESS_CHALLENGE;
}
fr_cursor_init(&cursor, &fast_vps);
if (eap_fast_decode_pair(request, &cursor, attr_eap_fast_tlv,
data, data_len, NULL) < 0) return FR_CODE_ACCESS_REJECT;
RDEBUG2("Got Tunneled FAST TLVs");
log_request_pair_list(L_DBG_LVL_1, request, fast_vps, NULL);
code = eap_fast_process_tlvs(request, eap_session, tls_session, fast_vps);
fr_pair_list_free(&fast_vps);
if (code == FR_CODE_ACCESS_REJECT) return FR_CODE_ACCESS_REJECT;
switch (t->stage) {
case EAP_FAST_AUTHENTICATION:
code = FR_CODE_ACCESS_CHALLENGE;
break;
case EAP_FAST_CRYPTOBIND_CHECK:
{
if (t->mode != EAP_FAST_PROVISIONING_ANON && !t->pac.send)
t->result_final = true;
eap_fast_append_result(tls_session, code);
eap_fast_update_icmk(request, tls_session, (uint8_t *)&t->isk);
eap_fast_append_crypto_binding(request, tls_session);
code = FR_CODE_ACCESS_CHALLENGE;
break;
}
case EAP_FAST_PROVISIONING:
t->result_final = true;
eap_fast_append_result(tls_session, code);
if (t->pac.send) {
RDEBUG2("Peer requires new PAC");
eap_fast_send_pac_tunnel(request, tls_session);
code = FR_CODE_ACCESS_CHALLENGE;
break;
}
t->stage = EAP_FAST_COMPLETE;
/* fallthrough */
case EAP_FAST_COMPLETE:
/*
* RFC 5422 section 3.5 - Network Access after EAP-FAST Provisioning
*/
if (t->pac.type && t->pac.expired) {
REDEBUG("Rejecting expired PAC.");
code = FR_CODE_ACCESS_REJECT;
break;
}
if (t->mode == EAP_FAST_PROVISIONING_ANON) {
REDEBUG("Rejecting unauthenticated provisioning");
code = FR_CODE_ACCESS_REJECT;
break;
}
/*
* eap_crypto_mppe_keys() is unsuitable for EAP-FAST as Cisco decided
* it would be a great idea to flip the recv/send keys around
*/
#define EAPTLS_MPPE_KEY_LEN 32
eap_add_reply(request, attr_ms_mppe_recv_key, t->msk, EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, attr_ms_mppe_send_key, &t->msk[EAPTLS_MPPE_KEY_LEN], EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, attr_eap_msk, t->msk, EAP_FAST_KEY_LEN);
eap_add_reply(request, attr_eap_emsk, t->emsk, EAP_EMSK_LEN);
break;
default:
RERROR("Internal sanity check failed in EAP-FAST at %d", t->stage);
code = FR_CODE_ACCESS_REJECT;
}
return code;
}
/** Send the challenge itself
*
* Challenges will come from one of three places eventually:
*
* 1 from attributes like FR_EAP_AKA_RANDx
* (these might be retrieved from a database)
*
* 2 from internally implemented SIM authenticators
* (a simple one based upon XOR will be provided)
*
* 3 from some kind of SS7 interface.
*
* For now, they only come from attributes.
* It might be that the best way to do 2/3 will be with a different
* module to generate/calculate things.
*/
static int eap_aka_send_challenge(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
VALUE_PAIR **to_peer, *vp;
RADIUS_PACKET *packet;
fr_sim_vector_src_t src = SIM_VECTOR_SRC_AUTO;
rad_assert(request);
rad_assert(request->reply);
/*
* to_peer is the data to the client
*/
packet = eap_session->request->reply;
to_peer = &packet->vps;
RDEBUG2("Acquiring UMTS vector(s)");
/*
* Toggle the AMF high bit to indicate we're doing AKA'
*/
if (eap_aka_session->type == FR_EAP_AKA_PRIME) {
uint8_t amf_buff[2] = { 0x80, 0x00 }; /* Set the AMF separation bit high */
MEM(pair_update_control(&vp, attr_sim_amf) >= 0);
fr_pair_value_memcpy(vp, amf_buff, sizeof(amf_buff));
}
/*
* Get vectors from attribute or generate
* them using COMP128-* or Milenage.
*/
if (fr_sim_vector_umts_from_attrs(eap_session, request->control, &eap_aka_session->keys, &src) != 0) {
REDEBUG("Failed retrieving UMTS vectors");
return RLM_MODULE_FAIL;
}
/*
* Don't leave the AMF hanging around
*/
if (eap_aka_session->type == FR_EAP_AKA_PRIME) pair_delete_control(attr_sim_amf);
/*
* All set, calculate keys!
*/
switch (eap_aka_session->kdf) {
case FR_EAP_AKA_KDF_VALUE_EAP_AKA_PRIME_WITH_CK_PRIME_IK_PRIME:
fr_sim_crypto_kdf_1_umts(&eap_aka_session->keys);
break;
default:
fr_sim_crypto_kdf_0_umts(&eap_aka_session->keys);
break;
}
if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_aka_session->keys);
RDEBUG2("Sending AKA-Challenge");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
/*
* Set the subtype to challenge
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_subtype));
vp->vp_uint16 = FR_EAP_AKA_SUBTYPE_VALUE_AKA_CHALLENGE;
fr_pair_replace(to_peer, vp);
/*
* Indicate we'd like to use protected success messages
*/
if (eap_aka_session->send_result_ind) {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_result_ind));
vp->vp_bool = true;
fr_pair_replace(to_peer, vp);
}
/*
* We support EAP-AKA' and the peer should use that
* if it's able to...
*/
if (eap_aka_session->send_at_bidding) {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_bidding));
vp->vp_uint16 = FR_EAP_AKA_BIDDING_VALUE_PREFER_AKA_PRIME;
fr_pair_replace(to_peer, vp);
}
/*
* Send the network name and KDF to the peer
*/
if (eap_aka_session->type == FR_EAP_AKA_PRIME) {
if (!eap_aka_session->keys.network_len) {
REDEBUG2("No network name available, can't set EAP-AKA-KDF-Input");
failure:
fr_pair_list_free(&packet->vps);
return -1;
}
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_kdf_input));
fr_pair_value_bstrncpy(vp, eap_aka_session->keys.network, eap_aka_session->keys.network_len);
fr_pair_replace(to_peer, vp);
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_kdf));
vp->vp_uint16 = eap_aka_session->kdf;
fr_pair_replace(to_peer, vp);
}
/*
* Okay, we got the challenge! Put it into an attribute.
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_rand));
fr_pair_value_memcpy(vp, eap_aka_session->keys.umts.vector.rand, SIM_VECTOR_UMTS_RAND_SIZE);
fr_pair_replace(to_peer, vp);
/*
* Send the AUTN value to the client, so it can authenticate
* whoever has knowledge of the Ki.
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_autn));
fr_pair_value_memcpy(vp, eap_aka_session->keys.umts.vector.autn, SIM_VECTOR_UMTS_AUTN_SIZE);
fr_pair_replace(to_peer, vp);
/*
* need to include an AT_MAC attribute so that it will get
* calculated.
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_mac));
fr_pair_replace(to_peer, vp);
/*
* If we have checkcode data, send that to the peer
* for validation.
*/
if (eap_aka_session->checkcode_state) {
ssize_t slen;
slen = fr_sim_crypto_finalise_checkcode(eap_aka_session->checkcode, &eap_aka_session->checkcode_state);
if (slen < 0) {
RPEDEBUG("Failed calculating checkcode");
goto failure;
}
eap_aka_session->checkcode_len = slen;
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_checkcode));
fr_pair_value_memcpy(vp, eap_aka_session->checkcode, slen);
/*
* If we don't have checkcode data, then we exchanged
* no identity packets, so checkcode is zero.
*/
} else {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_checkcode));
eap_aka_session->checkcode_len = 0;
}
fr_pair_replace(to_peer, vp);
/*
* We've sent the challenge so the peer should now be able
* to accept encrypted attributes.
*/
eap_aka_session->allow_encrypted = true;
/*
* Encode the packet
*/
if (eap_aka_compose(eap_session) < 0) goto failure;
return 0;
}
/*
* Call the function_name inside the module
* Store all vps in hashes %RAD_CHECK %RAD_REPLY %RAD_REQUEST
*
*/
static int do_perl(void *instance, REQUEST *request, char const *function_name)
{
rlm_perl_t *inst = instance;
VALUE_PAIR *vp;
int exitstatus=0, count;
STRLEN n_a;
HV *rad_reply_hv;
HV *rad_check_hv;
HV *rad_config_hv;
HV *rad_request_hv;
HV *rad_state_hv;
#ifdef WITH_PROXY
HV *rad_request_proxy_hv;
HV *rad_request_proxy_reply_hv;
#endif
SV *rad_requestp_sv;
/*
* Radius has told us to call this function, but none
* is defined.
*/
if (!function_name) return RLM_MODULE_FAIL;
#ifdef USE_ITHREADS
pthread_mutex_lock(&inst->clone_mutex);
PerlInterpreter *interp;
interp = rlm_perl_clone(inst->perl,inst->thread_key);
{
dTHXa(interp);
PERL_SET_CONTEXT(interp);
}
pthread_mutex_unlock(&inst->clone_mutex);
#else
PERL_SET_CONTEXT(inst->perl);
#endif
{
dSP;
ENTER;
SAVETMPS;
rad_reply_hv = get_hv("RAD_REPLY", 1);
rad_check_hv = get_hv("RAD_CHECK", 1);
rad_config_hv = get_hv("RAD_CONFIG", 1);
rad_request_hv = get_hv("RAD_REQUEST", 1);
rad_state_hv = get_hv("RAD_STATE", 1);
rad_requestp_sv = get_sv("RAD___REQUESTP", 1);
perl_store_vps(request->packet, request, &request->packet->vps, rad_request_hv, "RAD_REQUEST", "request");
perl_store_vps(request->reply, request, &request->reply->vps, rad_reply_hv, "RAD_REPLY", "reply");
perl_store_vps(request, request, &request->config, rad_check_hv, "RAD_CHECK", "control");
perl_store_vps(request, request, &request->config, rad_config_hv, "RAD_CONFIG", "control");
perl_store_vps(request->state_ctx, request, &request->state, rad_state_hv, "RAD_STATE", "session-state");
#ifdef WITH_PROXY
rad_request_proxy_hv = get_hv("RAD_REQUEST_PROXY",1);
rad_request_proxy_reply_hv = get_hv("RAD_REQUEST_PROXY_REPLY",1);
if (request->proxy != NULL) {
perl_store_vps(request->proxy, request, &request->proxy->vps, rad_request_proxy_hv,
"RAD_REQUEST_PROXY", "proxy-request");
} else {
hv_undef(rad_request_proxy_hv);
}
if (request->proxy_reply != NULL) {
perl_store_vps(request->proxy_reply, request, &request->proxy_reply->vps,
rad_request_proxy_reply_hv, "RAD_REQUEST_PROXY_REPLY", "proxy-reply");
} else {
hv_undef(rad_request_proxy_reply_hv);
}
#endif
/*
* Store pointer to request structure globally so xlat works
* We mark it read-only for interpreter so end users will not be
* in posession to change it and crash radiusd with bogus pointer
*/
SvREADONLY_off(rad_requestp_sv);
sv_setiv(rad_requestp_sv, PTR2IV(request));
SvREADONLY_on(rad_requestp_sv);
PUSHMARK(SP);
/*
* This way %RAD_xx can be pushed onto stack as sub parameters.
* XPUSHs( newRV_noinc((SV *)rad_request_hv) );
* XPUSHs( newRV_noinc((SV *)rad_reply_hv) );
* XPUSHs( newRV_noinc((SV *)rad_check_hv) );
* PUTBACK;
*/
count = call_pv(function_name, G_SCALAR | G_EVAL | G_NOARGS);
SPAGAIN;
if (SvTRUE(ERRSV)) {
RDEBUG("perl_embed:: module = %s , func = %s exit status= %s\n",
inst->module, function_name, SvPV(ERRSV,n_a));
(void)POPs;
count = 0;
exitstatus = RLM_MODULE_FAIL;
}
if (count == 1) {
exitstatus = POPi;
if (exitstatus >= 100 || exitstatus < 0) {
exitstatus = RLM_MODULE_FAIL;
}
}
PUTBACK;
FREETMPS;
LEAVE;
vp = NULL;
get_hv_content(request->packet, request, rad_request_hv, &vp, "RAD_REQUEST", "request");
if (vp) {
fr_pair_list_free(&request->packet->vps);
request->packet->vps = vp;
vp = NULL;
/*
* Update cached copies
*/
request->username = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
request->password = fr_pair_find_by_num(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
if (!request->password)
request->password = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
get_hv_content(request->reply, request, rad_reply_hv, &vp, "RAD_REPLY", "reply");
if (vp) {
fr_pair_list_free(&request->reply->vps);
request->reply->vps = vp;
vp = NULL;
}
get_hv_content(request, request, rad_check_hv, &vp, "RAD_CHECK", "control");
if (vp) {
fr_pair_list_free(&request->config);
request->config = vp;
vp = NULL;
}
get_hv_content(request->state_ctx, request, rad_state_hv, &vp, "RAD_STATE", "session-state");
if (vp) {
fr_pair_list_free(&request->state);
request->state = vp;
vp = NULL;
}
#ifdef WITH_PROXY
if (request->proxy) {
get_hv_content(request->proxy, request, rad_request_proxy_hv, &vp,
"RAD_REQUEST_PROXY", "proxy-request");
if (vp) {
fr_pair_list_free(&request->proxy->vps);
request->proxy->vps = vp;
vp = NULL;
}
}
if (request->proxy_reply) {
get_hv_content(request->proxy_reply, request, rad_request_proxy_reply_hv, &vp,
"RAD_REQUEST_PROXY_REPLY", "proxy-reply");
if (vp) {
fr_pair_list_free(&request->proxy_reply->vps);
request->proxy_reply->vps = vp;
vp = NULL;
}
}
#endif
}
return exitstatus;
}
/*
* build a reply to be sent.
*/
static int eap_sim_compose(eap_session_t *eap_session, uint8_t const *hmac_extra, size_t hmac_extra_len)
{
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
fr_cursor_t cursor;
fr_cursor_t to_encode;
VALUE_PAIR *head = NULL, *vp;
REQUEST *request = eap_session->request;
fr_sim_encode_ctx_t encoder_ctx = {
.root = fr_dict_root(dict_eap_sim),
.keys = &eap_sim_session->keys,
.iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
.iv_included = false,
.hmac_md = EVP_sha1(),
.eap_packet = eap_session->this_round->request,
.hmac_extra = hmac_extra,
.hmac_extra_len = hmac_extra_len
};
ssize_t ret;
/* we will set the ID on requests, since we have to HMAC it */
eap_session->this_round->set_request_id = true;
fr_cursor_init(&cursor, &eap_session->request->reply->vps);
fr_cursor_init(&to_encode, &head);
while ((vp = fr_cursor_current(&cursor))) {
if (!fr_dict_parent_common(fr_dict_root(dict_eap_sim), vp->da, true)) {
fr_cursor_next(&cursor);
continue;
}
vp = fr_cursor_remove(&cursor);
/*
* Silently discard encrypted attributes until
* the peer should have k_encr. These can be
* added by policy, and seem to cause
* wpa_supplicant to fail if sent before the challenge.
*/
if (!eap_sim_session->allow_encrypted && fr_dict_parent_common(attr_eap_sim_encr_data, vp->da, true)) {
RWDEBUG("Silently discarding &reply:%s: Encrypted attributes not allowed in this round",
vp->da->name);
talloc_free(vp);
continue;
}
fr_cursor_append(&to_encode, vp);
}
RDEBUG2("Encoding EAP-SIM attributes");
log_request_pair_list(L_DBG_LVL_2, request, head, NULL);
eap_session->this_round->request->type.num = FR_EAP_SIM;
eap_session->this_round->request->id = eap_sim_session->sim_id++ & 0xff;
eap_session->this_round->set_request_id = true;
ret = fr_sim_encode(eap_session->request, head, &encoder_ctx);
fr_cursor_head(&to_encode);
fr_cursor_free_list(&to_encode);
if (ret < 0) {
RPEDEBUG("Failed encoding EAP-SIM data");
return -1;
}
return 0;
}
static int eap_sim_send_start(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
VALUE_PAIR **vps, *vp;
uint16_t version;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
RADIUS_PACKET *packet;
rad_assert(eap_session->request != NULL);
rad_assert(eap_session->request->reply);
RDEBUG2("Sending SIM-State");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
eap_sim_session->allow_encrypted = false; /* In case this is after failed fast-resumption */
/* these are the outgoing attributes */
packet = eap_session->request->reply;
vps = &packet->vps;
rad_assert(vps != NULL);
/*
* Add appropriate TLVs for the EAP things we wish to send.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_version_list);
vp->vp_uint16 = EAP_SIM_VERSION;
fr_pair_add(vps, vp);
/* record it in the ess */
version = htons(EAP_SIM_VERSION);
memcpy(eap_sim_session->keys.gsm.version_list, &version, sizeof(version));
eap_sim_session->keys.gsm.version_list_len = 2;
/*
* Select the right type of identity request attribute
*/
switch (eap_sim_session->id_req) {
case SIM_ANY_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_any_id_req);
break;
case SIM_PERMANENT_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_permanent_id_req);
break;
case SIM_FULLAUTH_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_fullauth_id_req);
break;
default:
rad_assert(0);
}
vp->vp_bool = true;
fr_pair_replace(vps, vp);
/* the SUBTYPE, set to start. */
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = EAP_SIM_START;
fr_pair_replace(vps, vp);
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
/** Create any kind of VP from the attribute contents
*
* @param[in] ctx to allocate new attributes in.
* @param[in] cursor to addd new attributes to.
* @param[in] parent the current attribute we're processing.
* @param[in] data to parse. Points to the data field of the attribute.
* @param[in] attr_len length of the attribute being parsed.
* @param[in] data_len length of the remaining data in the packet.
* @param[in] decoder_ctx IVs, keys etc...
* @return
* - Length on success.
* - -1 on failure.
*/
static ssize_t sim_decode_pair_value(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *parent,
uint8_t const *data, size_t const attr_len, size_t const data_len,
void *decoder_ctx)
{
VALUE_PAIR *vp;
uint8_t const *p = data;
size_t prefix = 0;
fr_sim_decode_ctx_t *packet_ctx = decoder_ctx;
if (!fr_cond_assert(attr_len <= data_len)) return -1;
if (!fr_cond_assert(parent)) return -1;
FR_PROTO_TRACE("Parent %s len %zu", parent->name, attr_len);
FR_PROTO_HEX_DUMP(data, attr_len, __FUNCTION__ );
FR_PROTO_TRACE("Type \"%s\" (%u)", fr_int2str(fr_value_box_type_table, parent->type, "?Unknown?"), parent->type);
/*
* Special cases, attributes that either have odd formats, or need
* have information we need to decode the packet.
*/
switch (parent->attr) {
/*
* We need to record packet_ctx so we can decrypt AT_ENCR attributes.
*
* If we don't find it before, then that's fine, we'll try and
* find it in the rest of the packet after the encrypted
* attribute.
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_IV | Length = 5 | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* | Initialization Vector |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_SIM_IV:
if (sim_iv_extract(&packet_ctx->iv[0], data, attr_len) < 0) return -1;
packet_ctx->have_iv = true;
break; /* Now create the attribute */
/*
* AT_RES - Special case (RES length is in bits)
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_RES | Length | RES Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
* | |
* | RES |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_EAP_AKA_RES:
{
uint16_t res_len;
if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */
res_len = (p[0] << 8) | p[1];
if (res_len % 8) {
fr_strerror_printf("%s: RES Length (%hu) is not a multiple of 8",
__FUNCTION__, res_len);
return -1;
}
res_len /= 8;
if (res_len > (attr_len - 2)) {
fr_strerror_printf("%s: RES Length field value (%u bits) > attribute value length (%zu bits)",
__FUNCTION__, res_len * 8, (attr_len - 2) * 8);
return -1;
}
if ((res_len < 4) || (res_len > 16)) {
fr_strerror_printf("%s: RES Length field value must be between 32-128 bits, got %u bits",
__FUNCTION__, (res_len * 8));
return -1;
}
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
fr_pair_value_memcpy(vp, p + 2, res_len, true);
}
goto done;
/*
* AT_CHECKCODE - Special case (Variable length with no length field)
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_CHECKCODE | Length | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* | Checkcode (0 or 20 bytes) |
* | |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_EAP_AKA_CHECKCODE:
if (attr_len < 2) goto raw; /* Need at least two bytes for reserved field */
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
fr_pair_value_memcpy(vp, p + 2, attr_len - 2, true);
goto done;
default:
break;
}
switch (parent->type) {
case FR_TYPE_STRING:
if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */
if (parent->flags.length && (attr_len != parent->flags.length)) {
wrong_len:
fr_strerror_printf("%s: Attribute \"%s\" needs a value of exactly %zu bytes, "
"but value was %zu bytes", __FUNCTION__,
parent->name, (size_t)parent->flags.length, attr_len);
goto raw;
}
break;
case FR_TYPE_OCTETS:
/*
* Get the number of bytes we expect before the value
*/
prefix = fr_sim_octets_prefix_len(parent);
if (attr_len < prefix) goto raw;
if (parent->flags.length && (attr_len != (parent->flags.length + prefix))) goto wrong_len;
break;
case FR_TYPE_BOOL:
case FR_TYPE_UINT8:
case FR_TYPE_UINT16:
case FR_TYPE_UINT32:
case FR_TYPE_UINT64:
if (attr_len != fr_sim_attr_sizes[parent->type][0]) goto raw;
break;
case FR_TYPE_TLV:
if (attr_len < 2) goto raw;
/*
* We presume that the TLVs all fit into one
* attribute, OR they've already been grouped
* into a contiguous memory buffer.
*/
return sim_decode_tlv(ctx, cursor, parent, p, attr_len, data_len, decoder_ctx);
default:
raw:
/*
* We can't create unknowns for non-skippable attributes
* as we're prohibited from continuing by the SIM RFCs.
*/
if (parent->attr <= SIM_SKIPPABLE_MAX) {
fr_strerror_printf_push("%s: Failed parsing non-skippable attribute '%s'",
__FUNCTION__, parent->name);
return -1;
}
#ifdef __clang_analyzer__
if (!parent->parent) return -1; /* stupid static analyzers */
#endif
rad_assert(parent->parent);
/*
* Re-write the attribute to be "raw". It is
* therefore of type "octets", and will be
* handled below.
*/
parent = fr_dict_unknown_afrom_fields(ctx, parent->parent,
fr_dict_vendor_num_by_da(parent), parent->attr);
if (!parent) {
fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__);
return -1;
}
}
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
/*
* For unknown attributes copy the entire value, not skipping
* any reserved bytes.
*/
if (parent->flags.is_unknown || parent->flags.is_raw) {
fr_pair_value_memcpy(vp, p, attr_len, true);
vp->vp_length = attr_len;
goto done;
}
switch (parent->type) {
/*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<STRING> | Length | Actual <STRING> Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* . String .
* . .
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_TYPE_STRING:
{
uint16_t actual_len = (p[0] << 8) | p[1];
if (actual_len > (attr_len - 2)) {
fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)",
__FUNCTION__, actual_len, attr_len - 2);
return -1;
}
fr_pair_value_bstrncpy(vp, p + 2, actual_len);
}
break;
case FR_TYPE_OCTETS:
/*
* Variable length octets buffer
*/
if (!parent->flags.length) {
uint16_t actual_len = (p[0] << 8) | p[1];
if (actual_len > (attr_len - prefix)) {
fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)",
__FUNCTION__, actual_len, attr_len - 2);
return -1;
}
fr_pair_value_memcpy(vp, p + prefix, actual_len, true);
/*
* Fixed length octets buffer
*/
} else {
fr_pair_value_memcpy(vp, p + prefix, attr_len - prefix, true);
}
break;
/*
* Not proper bool. We Use packet_ctx to represent
* flag attributes like AT_FULLAUTH_ID_REQ
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<BOOL> | Length = 1 | Reserved |
* +---------------+---------------+-------------------------------+
*/
case FR_TYPE_BOOL:
vp->vp_bool = true;
break;
/*
* Numbers are network byte order.
*
* In the base RFCs only short (16bit) unsigned integers are used.
* We add support for more, just for completeness.
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<SHORT> | Length = 1 | Short 1 | Short 2 |
* +---------------+---------------+-------------------------------+
*/
case FR_TYPE_UINT8:
vp->vp_uint8 = p[0];
break;
case FR_TYPE_UINT16:
memcpy(&vp->vp_uint16, p, sizeof(vp->vp_uint16));
vp->vp_uint16 = ntohs(vp->vp_uint32);
break;
case FR_TYPE_UINT32:
memcpy(&vp->vp_uint32, p, sizeof(vp->vp_uint32));
vp->vp_uint32 = ntohl(vp->vp_uint32);
break;
case FR_TYPE_UINT64:
memcpy(&vp->vp_uint64, p, sizeof(vp->vp_uint64));
vp->vp_uint64 = ntohll(vp->vp_uint64);
break;
default:
fr_pair_list_free(&vp);
fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__);
return -1;
}
done:
vp->type = VT_DATA;
fr_cursor_append(cursor, vp);
return attr_len;
}
/** Send the challenge itself
*
* Challenges will come from one of three places eventually:
*
* 1 from attributes like FR_EAP_SIM_RANDx
* (these might be retrieved from a database)
*
* 2 from internally implemented SIM authenticators
* (a simple one based upon XOR will be provided)
*
* 3 from some kind of SS7 interface.
*
* For now, they only come from attributes.
* It might be that the best way to do 2/3 will be with a different
* module to generate/calculate things.
*/
static int eap_sim_send_challenge(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
VALUE_PAIR **to_peer, *vp;
RADIUS_PACKET *packet;
fr_sim_vector_src_t src = SIM_VECTOR_SRC_AUTO;
rad_assert(eap_session->request != NULL);
rad_assert(eap_session->request->reply);
RDEBUG2("Acquiring GSM vector(s)");
if ((fr_sim_vector_gsm_from_attrs(eap_session, request->control, 0, &eap_sim_session->keys, &src) != 0) ||
(fr_sim_vector_gsm_from_attrs(eap_session, request->control, 1, &eap_sim_session->keys, &src) != 0) ||
(fr_sim_vector_gsm_from_attrs(eap_session, request->control, 2, &eap_sim_session->keys, &src) != 0)) {
REDEBUG("Failed retrieving SIM vectors");
return RLM_MODULE_FAIL;
}
/*
* All set, calculate keys!
*/
fr_sim_crypto_kdf_0_gsm(&eap_sim_session->keys);
if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_sim_session->keys);
RDEBUG2("Sending SIM-Challenge");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
/*
* to_peer is the data to the client
*/
packet = eap_session->request->reply;
to_peer = &packet->vps;
/*
* Okay, we got the challenges! Put them into attributes.
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand));
fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[0].rand, SIM_VECTOR_GSM_RAND_SIZE);
fr_pair_add(to_peer, vp);
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand));
fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[1].rand, SIM_VECTOR_GSM_RAND_SIZE);
fr_pair_add(to_peer, vp);
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand));
fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[2].rand, SIM_VECTOR_GSM_RAND_SIZE);
fr_pair_add(to_peer, vp);
/*
* Set subtype to challenge.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = EAP_SIM_CHALLENGE;
fr_pair_replace(to_peer, vp);
/*
* Indicate we'd like to use protected success messages
*/
if (eap_sim_session->send_result_ind) {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_result_ind));
vp->vp_bool = true;
fr_pair_replace(to_peer, vp);
}
/*
* Need to include an AT_MAC attribute so that it will get
* calculated.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_mac);
fr_pair_replace(to_peer, vp);
/*
* We've sent the challenge so the peer should now be able
* to accept encrypted attributes.
*/
eap_sim_session->allow_encrypted = true;
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session,
eap_sim_session->keys.gsm.nonce_mt, sizeof(eap_sim_session->keys.gsm.nonce_mt)) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
/*
* Call the function_name inside the module
* Store all vps in hashes %RAD_CONFIG %RAD_REPLY %RAD_REQUEST
*
*/
static int do_perl(void *instance, REQUEST *request, char const *function_name)
{
rlm_perl_t *inst = instance;
VALUE_PAIR *vp;
int exitstatus=0, count;
STRLEN n_a;
HV *rad_reply_hv;
HV *rad_config_hv;
HV *rad_request_hv;
HV *rad_state_hv;
#ifdef WITH_PROXY
HV *rad_request_proxy_hv;
HV *rad_request_proxy_reply_hv;
#endif
/*
* Radius has told us to call this function, but none
* is defined.
*/
if (!function_name) return RLM_MODULE_FAIL;
#ifdef USE_ITHREADS
pthread_mutex_lock(&inst->clone_mutex);
PerlInterpreter *interp;
interp = rlm_perl_clone(inst->perl,inst->thread_key);
{
dTHXa(interp);
PERL_SET_CONTEXT(interp);
}
pthread_mutex_unlock(&inst->clone_mutex);
#else
PERL_SET_CONTEXT(inst->perl);
#endif
{
dSP;
ENTER;
SAVETMPS;
rad_reply_hv = get_hv("RAD_REPLY", 1);
rad_config_hv = get_hv("RAD_CONFIG", 1);
rad_request_hv = get_hv("RAD_REQUEST", 1);
rad_state_hv = get_hv("RAD_STATE", 1);
perl_store_vps(request->packet, request, &request->packet->vps, rad_request_hv, "RAD_REQUEST", "request");
perl_store_vps(request->reply, request, &request->reply->vps, rad_reply_hv, "RAD_REPLY", "reply");
perl_store_vps(request, request, &request->control, rad_config_hv, "RAD_CONFIG", "control");
perl_store_vps(request->state_ctx, request, &request->state, rad_state_hv, "RAD_STATE", "session-state");
#ifdef WITH_PROXY
rad_request_proxy_hv = get_hv("RAD_REQUEST_PROXY",1);
rad_request_proxy_reply_hv = get_hv("RAD_REQUEST_PROXY_REPLY",1);
if (request->proxy) {
perl_store_vps(request->proxy->packet, request, &request->proxy->packet->vps, rad_request_proxy_hv,
"RAD_REQUEST_PROXY", "proxy-request");
} else {
hv_undef(rad_request_proxy_hv);
}
if (request->proxy && request->proxy->reply != NULL) {
perl_store_vps(request->proxy->reply, request, &request->proxy->reply->vps,
rad_request_proxy_reply_hv, "RAD_REQUEST_PROXY_REPLY", "proxy-reply");
} else {
hv_undef(rad_request_proxy_reply_hv);
}
#endif
/*
* Store pointer to request structure globally so radiusd::xlat works
*/
rlm_perl_request = request;
PUSHMARK(SP);
/*
* This way %RAD_xx can be pushed onto stack as sub parameters.
* XPUSHs( newRV_noinc((SV *)rad_request_hv) );
* XPUSHs( newRV_noinc((SV *)rad_reply_hv) );
* XPUSHs( newRV_noinc((SV *)rad_config_hv) );
* PUTBACK;
*/
count = call_pv(function_name, G_SCALAR | G_EVAL | G_NOARGS);
SPAGAIN;
if (SvTRUE(ERRSV)) {
REDEBUG("perl_embed:: module = %s , func = %s exit status= %s\n",
inst->module, function_name, SvPV(ERRSV,n_a));
(void)POPs;
exitstatus = RLM_MODULE_FAIL;
} else if (count == 1) {
exitstatus = POPi;
if (exitstatus >= 100 || exitstatus < 0) {
exitstatus = RLM_MODULE_FAIL;
}
}
PUTBACK;
FREETMPS;
LEAVE;
vp = NULL;
if ((get_hv_content(request->packet, request, rad_request_hv, &vp, "RAD_REQUEST", "request")) == 0) {
fr_pair_list_free(&request->packet->vps);
request->packet->vps = vp;
vp = NULL;
/*
* Update cached copies
*/
request->username = fr_pair_find_by_da(request->packet->vps, attr_user_name, TAG_ANY);
request->password = fr_pair_find_by_da(request->packet->vps, attr_user_password, TAG_ANY);
if (!request->password) request->password = fr_pair_find_by_da(request->packet->vps,
attr_chap_password,
TAG_ANY);
}
if ((get_hv_content(request->reply, request, rad_reply_hv, &vp, "RAD_REPLY", "reply")) == 0) {
fr_pair_list_free(&request->reply->vps);
request->reply->vps = vp;
vp = NULL;
}
if ((get_hv_content(request, request, rad_config_hv, &vp, "RAD_CONFIG", "control")) == 0) {
fr_pair_list_free(&request->control);
request->control = vp;
vp = NULL;
}
if ((get_hv_content(request->state_ctx, request, rad_state_hv, &vp, "RAD_STATE", "session-state")) == 0) {
fr_pair_list_free(&request->state);
request->state = vp;
vp = NULL;
}
#ifdef WITH_PROXY
if (request->proxy &&
(get_hv_content(request->proxy->packet, request, rad_request_proxy_hv, &vp,
"RAD_REQUEST_PROXY", "proxy-request") == 0)) {
fr_pair_list_free(&request->proxy->packet->vps);
request->proxy->packet->vps = vp;
vp = NULL;
}
if (request->proxy && request->proxy->reply &&
(get_hv_content(request->proxy->reply, request, rad_request_proxy_reply_hv, &vp,
"RAD_REQUEST_PROXY_REPLY", "proxy-reply") == 0)) {
fr_pair_list_free(&request->proxy->reply->vps);
request->proxy->reply->vps = vp;
vp = NULL;
}
#endif
}
return exitstatus;
}
/** Send NONCE_S and re-key
*
*/
static int eap_sim_send_reauthentication(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
VALUE_PAIR **to_peer, *vp, *mk, *counter;
RADIUS_PACKET *packet;
rad_assert(eap_session->request != NULL);
rad_assert(eap_session->request->reply);
/*
* to_peer is the data to the client
*/
packet = eap_session->request->reply;
to_peer = &packet->vps;
/*
* If any of the session resumption inputs (on our side)
* are missing or malformed, return an error code
* and the state machine will jump to the start state.
*/
mk = fr_pair_find_by_da(request->control, attr_eap_sim_mk, TAG_ANY);
if (!mk) {
RWDEBUG2("Missing &control:EAP-SIM-MK, skipping session resumption");
return -1;
}
if (mk->vp_length != SIM_MK_SIZE) {
RWDEBUG("&control:EAP-SIM-MK has incorrect length, expected %u bytes got %zu bytes",
SIM_MK_SIZE, mk->vp_length);
return -1;
}
counter = fr_pair_find_by_da(request->control, attr_eap_sim_counter, TAG_ANY);
if (!counter) {
RWDEBUG2("Missing &control:EAP-SIM-Counter, skipping session resumption");
return -1;
}
/*
* All set, calculate keys!
*/
fr_sim_crypto_keys_init_kdf_0_reauth(&eap_sim_session->keys, mk->vp_octets, counter->vp_uint16);
fr_sim_crypto_kdf_0_reauth(&eap_sim_session->keys);
if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_sim_session->keys);
RDEBUG2("Sending SIM-Reauthentication");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
/*
* Set subtype to challenge.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = EAP_SIM_REAUTH;
fr_pair_replace(to_peer, vp);
/*
* Add nonce_s
*/
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_nonce_s));
fr_pair_value_memcpy(vp, eap_sim_session->keys.reauth.nonce_s, sizeof(eap_sim_session->keys.reauth.nonce_s));
fr_pair_replace(to_peer, vp);
/*
* Indicate we'd like to use protected success messages
*/
if (eap_sim_session->send_result_ind) {
MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_result_ind));
vp->vp_bool = true;
fr_pair_replace(to_peer, vp);
}
/*
* Need to include an AT_MAC attribute so that it will get
* calculated.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_mac);
fr_pair_replace(to_peer, vp);
/*
* We've sent the challenge so the peer should now be able
* to accept encrypted attributes.
*/
eap_sim_session->allow_encrypted = true;
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
