static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, UNUSED void *thread, REQUEST *request) { rlm_chap_t *inst = instance; VALUE_PAIR *vp; if (!fr_pair_find_by_da(request->packet->vps, attr_chap_password, TAG_ANY)) return RLM_MODULE_NOOP; /* * Create the CHAP-Challenge if it wasn't already in the packet. * * This is so that the rest of the code does not need to * understand CHAP. */ vp = fr_pair_find_by_da(request->packet->vps, attr_chap_challenge, TAG_ANY); if (!vp) { RDEBUG2("Creating CHAP-Challenge from the request authenticator"); MEM(vp = fr_pair_afrom_da(request->packet, attr_chap_challenge)); fr_pair_value_memcpy(vp, request->packet->vector, sizeof(request->packet->vector)); fr_pair_add(&request->packet->vps, vp); } if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP; return RLM_MODULE_OK; }
static int arp_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request) { int i; uint8_t const *p = request->packet->data, *end = p + request->packet->data_len; fr_cursor_t cursor; fr_cursor_init(&cursor, &request->packet->vps); for (i = 0; header_names[i].name != NULL; i++) { ssize_t ret; size_t len; fr_dict_attr_t const *da; VALUE_PAIR *vp = NULL; len = header_names[i].len; if (!fr_cond_assert((size_t)(end - p) < len)) return -1; /* Should have been detected in socket_recv */ da = fr_dict_attr_by_name(dict_arp, header_names[i].name); if (!da) return 0; MEM(vp = fr_pair_afrom_da(request->packet, da)); ret = fr_value_box_from_network(vp, &vp->data, da->type, da, p, len, true); if (ret <= 0) { fr_pair_to_unknown(vp); fr_pair_value_memcpy(vp, p, len); } DEBUG2("&%pP", vp); fr_cursor_insert(&cursor, vp); } return 0; }
/** Do any RADIUS-layer fixups for proxying. * */ static void radius_fixups(rlm_radius_t *inst, REQUEST *request) { VALUE_PAIR *vp; /* * Check for proxy loops. */ if (RDEBUG_ENABLED) { fr_cursor_t cursor; for (vp = fr_cursor_iter_by_da_init(&cursor, &request->packet->vps, attr_proxy_state); vp; vp = fr_cursor_next(&cursor)) { if (vp->vp_length != 4) continue; if (memcmp(&inst->proxy_state, vp->vp_octets, 4) == 0) { RWARN("Possible proxy loop - please check server configuration."); break; } } } if (request->packet->code != FR_CODE_ACCESS_REQUEST) return; if (fr_pair_find_by_da(request->packet->vps, attr_chap_password, TAG_ANY) && !fr_pair_find_by_da(request->packet->vps, attr_chap_challenge, TAG_ANY)) { MEM(pair_add_request(&vp, attr_chap_challenge) >= 0); fr_pair_value_memcpy(vp, request->packet->vector, sizeof(request->packet->vector)); } }
/* * Add raw hex data to the reply. */ void eap_add_reply(REQUEST *request, char const *name, uint8_t const *value, int len) { VALUE_PAIR *vp; vp = pair_make_reply(name, NULL, T_OP_EQ); if (!vp) { REDEBUG("Did not create attribute %s: %s\n", name, fr_strerror()); return; } fr_pair_value_memcpy(vp, value, len); }
/** Process an entry modification operation * * @note This is a callback for the sync_demux function. * * @param[in] conn the sync belongs to. * @param[in] config of the sync that received an entry. * @param[in] sync_id of the sync that received an entry. * @param[in] phase Refresh phase the sync is currently in. * @param[in] uuid of the entry. * @param[in] msg containing the entry. * @param[in] state The type of modification we need to perform to our * representation of the entry. * @param[in] user_ctx The listener. * @return * - 0 on success. * - -1 on failure. */ static int _proto_ldap_entry(fr_ldap_connection_t *conn, sync_config_t const *config, int sync_id, UNUSED sync_phases_t phase, uint8_t const uuid[SYNC_UUID_LENGTH], LDAPMessage *msg, sync_states_t state, void *user_ctx) { rad_listen_t *listen = talloc_get_type_abort(user_ctx, rad_listen_t); proto_ldap_inst_t *inst = talloc_get_type_abort(listen->data, proto_ldap_inst_t); fr_ldap_map_exp_t expanded; REQUEST *request; request = proto_ldap_request_setup(listen, inst, sync_id); if (!request) return -1; proto_ldap_attributes_add(request, config); request->packet->code = state; /* * Add the entry DN and attributes */ if (msg) { char *entry_dn; VALUE_PAIR *vp; entry_dn = ldap_get_dn(conn->handle, msg); MEM(pair_update_request(&vp, attr_ldap_sync_entry_dn) >= 0); ldap_memfree(entry_dn); MEM(pair_update_request(&vp, attr_ldap_sync_entry_uuid) >= 0); fr_pair_value_memcpy(vp, uuid, SYNC_UUID_LENGTH); } /* * Apply the attribute map */ if (fr_ldap_map_expand(&expanded, request, config->entry_map) < 0) { error: talloc_free(request); return -1; } if (fr_ldap_map_do(request, conn, NULL, &expanded, msg) < 0) goto error; // request_enqueue(request); return 0; }
/** * * FIXME do something with mandatory */ ssize_t eap_fast_decode_pair(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *parent, uint8_t const *data, size_t data_len, void *decoder_ctx) { fr_dict_attr_t const *da; uint8_t const *p = data, *end = p + data_len; /* * Decode the TLVs */ while (p < end) { ssize_t ret; uint16_t attr; uint16_t len; VALUE_PAIR *vp; attr = fr_ntoh16_bin(p) & EAP_FAST_TLV_TYPE; p += 2; len = fr_ntoh16_bin(p); p += 2; da = fr_dict_attr_child_by_num(parent, attr); if (!da) { MEM(vp = fr_pair_afrom_child_num(ctx, parent, attr)); } else if (da->type == FR_TYPE_TLV) { p += (size_t) eap_fast_decode_pair(ctx, cursor, parent, p, len, decoder_ctx); continue; } else { MEM(vp = fr_pair_afrom_da(ctx, da)); } ret = fr_value_box_from_network(vp, &vp->data, vp->vp_type, vp->da, p, len, true); if (ret != len) { fr_pair_to_unknown(vp); fr_pair_value_memcpy(vp, p, len, true); } fr_cursor_append(cursor, vp); p += len; } return p - data; }
/* * Access-Requests can have the CHAP-Challenge implicitly taken * from the request authenticator. If the NAS has done that, * then we need to copy the data to a real CHAP-Challenge * attribute when proxying. Otherwise when we proxy the request, * the new authenticator is different, and the CHAP calculations * will fail. */ static rlm_rcode_t CC_HINT(nonnull) mod_pre_proxy(UNUSED void *instance, REQUEST *request) { VALUE_PAIR *vp; /* * For Access-Requests, which have CHAP-Password, * and no CHAP-Challenge, copy it over from the request. */ if (request->packet->code != PW_CODE_ACCESS_REQUEST) return RLM_MODULE_NOOP; if (!fr_pair_find_by_num(request->proxy->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) return RLM_MODULE_NOOP; vp = radius_pair_create(request, &request->proxy->vps, PW_CHAP_CHALLENGE, 0); if (!vp) return RLM_MODULE_FAIL; fr_pair_value_memcpy(vp, request->packet->vector, sizeof(request->packet->vector)); return RLM_MODULE_OK; }
/** Enque a new cookie store request * * Create a new request containing the cookie we received from the LDAP server. This allows * the administrator to store the cookie and provide it on a future call to * #proto_ldap_cookie_load. * * @note This is a callback for the sync_demux function. * * @param[in] conn the cookie was received on. * @param[in] config of the LDAP sync. * @param[in] sync_id sync number (msgid) of the sync within the context of the connection. * @param[in] cookie received from the LDAP server. * @param[in] user_ctx listener. * @return * - 0 on success. * - -1 on failure */ static int _proto_ldap_cookie_store(UNUSED fr_ldap_connection_t *conn, sync_config_t const *config, int sync_id, uint8_t const *cookie, void *user_ctx) { rad_listen_t *listen = talloc_get_type_abort(user_ctx, rad_listen_t); proto_ldap_inst_t *inst = talloc_get_type_abort(listen->data, proto_ldap_inst_t); REQUEST *request; VALUE_PAIR *vp; request = proto_ldap_request_setup(listen, inst, sync_id); if (!request) return -1; proto_ldap_attributes_add(request, config); MEM(pair_update_request(&vp, attr_ldap_sync_cookie) >= 0); fr_pair_value_memcpy(vp, cookie, talloc_array_length(cookie)); request->packet->code = LDAP_SYNC_CODE_COOKIE_STORE; // request_enqueue(request); return 0; }
/* * * Verify that a Perl SV is a string and save it in FreeRadius * Value Pair Format * */ static int pairadd_sv(TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR **vps, char *key, SV *sv, FR_TOKEN op, const char *hash_name, const char *list_name) { char *val; VALUE_PAIR *vp; STRLEN len; if (!SvOK(sv)) return -1; val = SvPV(sv, len); vp = fr_pair_make(ctx, request->dict, vps, key, NULL, op); if (!vp) { fail: REDEBUG("Failed to create pair %s:%s %s %s", list_name, key, fr_int2str(fr_tokens_table, op, "<INVALID>"), val); return -1; } switch (vp->vp_type) { case FR_TYPE_STRING: fr_pair_value_bstrncpy(vp, val, len); break; case FR_TYPE_OCTETS: fr_pair_value_memcpy(vp, (uint8_t const *)val, len); break; default: if (fr_pair_value_from_str(vp, val, len, '\0', false) < 0) goto fail; } VP_VERIFY(vp); RDEBUG2("&%s:%s %s $%s{'%s'} -> '%s'", list_name, key, fr_int2str(fr_tokens_table, op, "<INVALID>"), hash_name, key, val); return 0; }
VALUE_PAIR *eap_packet2vp(RADIUS_PACKET *packet, eap_packet_raw_t const *eap) { int total, size; uint8_t const *ptr; VALUE_PAIR *head = NULL; VALUE_PAIR *vp; vp_cursor_t out; total = eap->length[0] * 256 + eap->length[1]; if (total == 0) { DEBUG("Asked to encode empty EAP-Message!"); return NULL; } ptr = (uint8_t const *) eap; fr_cursor_init(&out, &head); do { size = total; if (size > 253) size = 253; vp = fr_pair_afrom_num(packet, 0, PW_EAP_MESSAGE); if (!vp) { fr_pair_list_free(&head); return NULL; } fr_pair_value_memcpy(vp, ptr, size); fr_cursor_insert(&out, vp); ptr += size; total -= size; } while (total > 0); return head; }
static int radsnmp_send_recv(radsnmp_conf_t *conf, int fd) { fr_strerror(); #define NEXT_LINE(_line, _buffer) \ { \ size_t _len; \ if (stop) return 0; \ errno = 0;\ _line = fgets(_buffer, sizeof(_buffer), stdin); \ if (_line) { \ _len = strlen(_line); \ if ((_len > 0) && (_line[_len - 1] == '\n')) _line[_len - 1] = '\0'; \ DEBUG2("read: %s", _line); \ } \ } /* * Read commands from pass_persist */ while (!stop) { radsnmp_command_t command; char buffer[256]; char *line; ssize_t slen; fr_cursor_t cursor; VALUE_PAIR *vp; RADIUS_PACKET *request; /* * Alloc a new request so we can start adding * new pairs to it. */ request = radsnmp_alloc(conf, fd); if (!request) { ERROR("Failed allocating request"); return EXIT_FAILURE; } fr_cursor_init(&cursor, &request->vps); NEXT_LINE(line, buffer); /* * Determine the type of SNMP operation */ command = fr_str2int(radsnmp_command_str, line, RADSNMP_UNKNOWN); switch (command) { case RADSNMP_EXIT: DEBUG("Empty command, exiting"); return 0; case RADSNMP_PING: RESPOND_STATIC("PONG"); continue; case RADSNMP_SET: { char value_buff[254]; /* RADIUS attribute length + 1 */ char *value; char type_str[64]; char *p; fr_dict_enum_t *type; NEXT_LINE(line, buffer); /* Should be the OID */ NEXT_LINE(value, value_buff); /* Should be the value */ p = strchr(value, ' '); if (!p) { ERROR("No SNMP type specified (or type/value string was malformed)"); RESPOND_STATIC("NONE"); continue; } if ((size_t)(p - value) >= sizeof(type_str)) { ERROR("SNMP Type string too long"); RESPOND_STATIC("NONE"); continue; } strlcpy(type_str, value, (p - value) + 1); type = fr_dict_enum_by_alias(attr_freeradius_snmp_type, type_str, -1); if (!type) { ERROR("Unknown type \"%s\"", type_str); RESPOND_STATIC("NONE"); continue; } slen = radsnmp_pair_from_oid(conf, conf, &cursor, line, type->value->vb_uint32, p + 1); } break; case RADSNMP_GET: case RADSNMP_GETNEXT: NEXT_LINE(line, buffer); /* Should be the OID */ slen = radsnmp_pair_from_oid(conf, conf, &cursor, line, 0, NULL); break; default: ERROR("Unknown command \"%s\"", line); RESPOND_STATIC("NONE"); talloc_free(request); continue; } /* * Deal with any errors from the GET/GETNEXT/SET command */ if (slen <= 0) { char *spaces, *text; fr_canonicalize_error(conf, &spaces, &text, slen, line); ERROR("Failed evaluating OID:"); ERROR("%s", text); ERROR("%s^ %s", spaces, fr_strerror()); talloc_free(spaces); talloc_free(text); talloc_free(request); RESPOND_STATIC("NONE"); continue; } /* * Now add an attribute indicating what the * SNMP operation was */ vp = fr_pair_afrom_da(request, attr_freeradius_snmp_operation); if (!vp) { ERROR("Failed allocating SNMP operation attribute"); return EXIT_FAILURE; } vp->vp_uint32 = (unsigned int)command; /* Commands must match dictionary */ fr_cursor_append(&cursor, vp); /* * Add message authenticator or the stats * request will be rejected. */ MEM(vp = fr_pair_afrom_da(request, attr_message_authenticator)); fr_pair_value_memcpy(vp, (uint8_t const *)"\0", 1, true); fr_cursor_append(&cursor, vp); /* * Send the packet */ { RADIUS_PACKET *reply = NULL; ssize_t rcode; fd_set set; unsigned int ret; unsigned int i; if (fr_radius_packet_encode(request, NULL, conf->secret) < 0) { ERROR("Failed encoding request: %s", fr_strerror()); return EXIT_FAILURE; } if (fr_radius_packet_sign(request, NULL, conf->secret) < 0) { ERROR("Failed signing request: %s", fr_strerror()); return EXIT_FAILURE; } /* * Print the attributes we're about to send */ if (fr_log_fp) fr_packet_header_print(fr_log_fp, request, false); if (fr_debug_lvl > 0) fr_pair_list_fprint(fr_log_fp, request->vps); #ifndef NDEBUG if (fr_log_fp && (fr_debug_lvl > 3)) fr_radius_packet_print_hex(request); #endif FD_ZERO(&set); /* clear the set */ FD_SET(fd, &set); /* * Any connection issues cause us to exit, so * the connection can be re-initialised on the * next call. */ for (i = 0; i < conf->retries; i++) { rcode = write(request->sockfd, request->data, request->data_len); if (rcode < 0) { ERROR("Failed sending: %s", fr_syserror(errno)); return EXIT_FAILURE; } rcode = select(fd + 1, &set, NULL, NULL, &conf->timeout); switch (rcode) { case -1: ERROR("Select failed: %s", fr_syserror(errno)); return EXIT_FAILURE; case 0: DEBUG("Response timeout. Retrying %d/%u...", i + 1, conf->retries); continue; /* Timeout */ case 1: reply = fr_radius_packet_recv(request, request->sockfd, UDP_FLAGS_NONE, RADIUS_MAX_ATTRIBUTES, false); if (!reply) { ERROR("Failed receiving reply: %s", fr_strerror()); recv_error: RESPOND_STATIC("NONE"); talloc_free(request); continue; } if (fr_radius_packet_decode(reply, request, RADIUS_MAX_ATTRIBUTES, false, conf->secret) < 0) { ERROR("Failed decoding reply: %s", fr_strerror()); goto recv_error; } break; default: DEBUG("Invalid select() return value %zd", rcode); return EXIT_FAILURE; } break; } if (!reply) { ERROR("Server didn't respond"); return EXIT_FAILURE; } /* * Print the attributes we received in response */ if (fr_log_fp) fr_packet_header_print(fr_log_fp, reply, true); if (fr_debug_lvl > 0) fr_pair_list_fprint(fr_log_fp, reply->vps); #ifndef NDEBUG if (fr_log_fp && (fr_debug_lvl > 3)) fr_radius_packet_print_hex(reply); #endif switch (command) { case RADSNMP_GET: case RADSNMP_GETNEXT: ret = radsnmp_get_response(STDOUT_FILENO, conf->snmp_oid_root, attr_freeradius_snmp_type, reply->vps); switch (ret) { case -1: ERROR("Failed converting pairs to varbind response: %s", fr_strerror()); return EXIT_FAILURE; case 0: DEBUG("Empty response"); break; default: DEBUG("Returned %u varbind responses", ret); break; } break; case RADSNMP_SET: if (radsnmp_set_response(STDOUT_FILENO, attr_freeradius_snmp_failure, reply->vps) < 0) { ERROR("Failed writing SET response: %s", fr_strerror()); return EXIT_FAILURE; } break; default: assert(0); return EXIT_FAILURE; } talloc_free(request); } } return EXIT_SUCCESS; }
/** Builds attribute representing OID string and adds 'index' attributes where required * * Will convert an OID string in the format @verbatim .1.2.3.4.5.0 @endverbatim * into a pair with a #fr_dict_attr_t of the dictionary attribute matching the OID * string, as evaluated from the specified parent. * * If an OID component does not match a child of a previous OID component, but a child * with attribute number 0 exists, and a child with attribute number 1 also exists, * the child with attribute number 0 will be used as an 'index' pair, and will be * created with the value of the non matching OID component. * * Parsing will then resume using the child with attribute number 1. * * This allows traversals of SNMP tables to be represented by the sequence of pairs * and allows the full range of entry indexes which would not be possible if we represented * table index numbers as TLV attributes. * * @param[in] ctx to allocate new pairs in. * @param[in] conf radsnmp config. * @param[in] cursor to add pairs to. * @param[in] oid string to evaluate. * @param[in] type SNMP value type. * @param[in] value to assign to OID attribute (SET operations only). * @return * - >0 on success (how much of the OID string we parsed). * - <=0 on failure (where format error occurred). */ static ssize_t radsnmp_pair_from_oid(TALLOC_CTX *ctx, radsnmp_conf_t *conf, fr_cursor_t *cursor, char const *oid, int type, char const *value) { ssize_t slen; char const *p = oid; unsigned int attr; fr_dict_attr_t const *index_attr, *da; fr_dict_attr_t const *parent = conf->snmp_root; VALUE_PAIR *vp; int ret; if (!oid) return 0; fr_cursor_tail(cursor); /* * Trim first. */ if (p[0] == '.') p++; /* * Support for indexes. If we can't find an attribute * matching a child at a given level in the OID tree, * look for attribute 0 (type integer) at that level. * We use this to represent the index instead. */ for (;;) { unsigned int num = 0; slen = fr_dict_attr_by_oid(conf->dict, &parent, &attr, p); if (slen > 0) break; p += -(slen); if (fr_dict_oid_component(&num, &p) < 0) break; /* Just advances the pointer */ assert(attr == num); p++; /* * Check for an index attribute */ index_attr = fr_dict_attr_child_by_num(parent, 0); if (!index_attr) { fr_strerror_printf("Unknown OID component: No index attribute at this level"); break; } if (index_attr->type != FR_TYPE_UINT32) { fr_strerror_printf("Index is not a \"integer\""); break; } /* * By convention SNMP entries are at .1 */ parent = fr_dict_attr_child_by_num(parent, 1); if (!parent) { fr_strerror_printf("Unknown OID component: No entry attribute at this level"); break; } /* * Entry must be a TLV type */ if (parent->type != FR_TYPE_TLV) { fr_strerror_printf("Entry is not \"tlv\""); break; } /* * We've skipped over the index attribute, and * the index number should be available in attr. */ MEM(vp = fr_pair_afrom_da(ctx, index_attr)); vp->vp_uint32 = attr; fr_cursor_append(cursor, vp); } /* * We errored out processing the OID. */ if (slen <= 0) { error: fr_cursor_free_list(cursor); return slen; } fr_strerror(); /* Clear pending errors */ /* * SNMP requests the leaf under the OID with .0. */ if (attr != 0) { da = fr_dict_attr_child_by_num(parent, attr); if (!da) { fr_strerror_printf("Unknown leaf attribute %i", attr); return -(slen); } } else { da = parent; } vp = fr_pair_afrom_da(ctx, da); if (!vp) { fr_strerror_printf("Failed allocating OID attribute"); return -(slen); } /* * VALUE_PAIRs with no value need a 1 byte value buffer. */ if (!value) { switch (da->type) { /* * We can blame the authors of RFC 6929 for * this hack. Apparently the presence or absence * of an attribute isn't considered a useful means * of conveying information, so empty TLVs are * disallowed. */ case FR_TYPE_TLV: fr_pair_to_unknown(vp); /* FALL-THROUGH */ case FR_TYPE_OCTETS: fr_pair_value_memcpy(vp, (uint8_t const *)"\0", 1, true); break; case FR_TYPE_STRING: fr_pair_value_bstrncpy(vp, "\0", 1); break; /* * Fine to leave other values zeroed out. */ default: break; } fr_cursor_append(cursor, vp); return slen; } if (da->type == FR_TYPE_TLV) { fr_strerror_printf("TLVs cannot hold values"); return -(slen); } ret = fr_pair_value_from_str(vp, value, strlen(value), '\0', true); if (ret < 0) { slen = -(slen); goto error; } vp = fr_pair_afrom_da(ctx, attr_freeradius_snmp_type); if (!vp) { slen = -(slen); goto error; } vp->vp_uint32 = type; fr_cursor_append(cursor, vp); return slen; }
/** Send the challenge itself * * Challenges will come from one of three places eventually: * * 1 from attributes like FR_EAP_AKA_RANDx * (these might be retrieved from a database) * * 2 from internally implemented SIM authenticators * (a simple one based upon XOR will be provided) * * 3 from some kind of SS7 interface. * * For now, they only come from attributes. * It might be that the best way to do 2/3 will be with a different * module to generate/calculate things. */ static int eap_aka_send_challenge(eap_session_t *eap_session) { REQUEST *request = eap_session->request; eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t); VALUE_PAIR **to_peer, *vp; RADIUS_PACKET *packet; fr_sim_vector_src_t src = SIM_VECTOR_SRC_AUTO; rad_assert(request); rad_assert(request->reply); /* * to_peer is the data to the client */ packet = eap_session->request->reply; to_peer = &packet->vps; RDEBUG2("Acquiring UMTS vector(s)"); /* * Toggle the AMF high bit to indicate we're doing AKA' */ if (eap_aka_session->type == FR_EAP_AKA_PRIME) { uint8_t amf_buff[2] = { 0x80, 0x00 }; /* Set the AMF separation bit high */ MEM(pair_update_control(&vp, attr_sim_amf) >= 0); fr_pair_value_memcpy(vp, amf_buff, sizeof(amf_buff)); } /* * Get vectors from attribute or generate * them using COMP128-* or Milenage. */ if (fr_sim_vector_umts_from_attrs(eap_session, request->control, &eap_aka_session->keys, &src) != 0) { REDEBUG("Failed retrieving UMTS vectors"); return RLM_MODULE_FAIL; } /* * Don't leave the AMF hanging around */ if (eap_aka_session->type == FR_EAP_AKA_PRIME) pair_delete_control(attr_sim_amf); /* * All set, calculate keys! */ switch (eap_aka_session->kdf) { case FR_EAP_AKA_KDF_VALUE_EAP_AKA_PRIME_WITH_CK_PRIME_IK_PRIME: fr_sim_crypto_kdf_1_umts(&eap_aka_session->keys); break; default: fr_sim_crypto_kdf_0_umts(&eap_aka_session->keys); break; } if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_aka_session->keys); RDEBUG2("Sending AKA-Challenge"); eap_session->this_round->request->code = FR_EAP_CODE_REQUEST; /* * Set the subtype to challenge */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_subtype)); vp->vp_uint16 = FR_EAP_AKA_SUBTYPE_VALUE_AKA_CHALLENGE; fr_pair_replace(to_peer, vp); /* * Indicate we'd like to use protected success messages */ if (eap_aka_session->send_result_ind) { MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_result_ind)); vp->vp_bool = true; fr_pair_replace(to_peer, vp); } /* * We support EAP-AKA' and the peer should use that * if it's able to... */ if (eap_aka_session->send_at_bidding) { MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_bidding)); vp->vp_uint16 = FR_EAP_AKA_BIDDING_VALUE_PREFER_AKA_PRIME; fr_pair_replace(to_peer, vp); } /* * Send the network name and KDF to the peer */ if (eap_aka_session->type == FR_EAP_AKA_PRIME) { if (!eap_aka_session->keys.network_len) { REDEBUG2("No network name available, can't set EAP-AKA-KDF-Input"); failure: fr_pair_list_free(&packet->vps); return -1; } MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_kdf_input)); fr_pair_value_bstrncpy(vp, eap_aka_session->keys.network, eap_aka_session->keys.network_len); fr_pair_replace(to_peer, vp); MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_kdf)); vp->vp_uint16 = eap_aka_session->kdf; fr_pair_replace(to_peer, vp); } /* * Okay, we got the challenge! Put it into an attribute. */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_rand)); fr_pair_value_memcpy(vp, eap_aka_session->keys.umts.vector.rand, SIM_VECTOR_UMTS_RAND_SIZE); fr_pair_replace(to_peer, vp); /* * Send the AUTN value to the client, so it can authenticate * whoever has knowledge of the Ki. */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_autn)); fr_pair_value_memcpy(vp, eap_aka_session->keys.umts.vector.autn, SIM_VECTOR_UMTS_AUTN_SIZE); fr_pair_replace(to_peer, vp); /* * need to include an AT_MAC attribute so that it will get * calculated. */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_mac)); fr_pair_replace(to_peer, vp); /* * If we have checkcode data, send that to the peer * for validation. */ if (eap_aka_session->checkcode_state) { ssize_t slen; slen = fr_sim_crypto_finalise_checkcode(eap_aka_session->checkcode, &eap_aka_session->checkcode_state); if (slen < 0) { RPEDEBUG("Failed calculating checkcode"); goto failure; } eap_aka_session->checkcode_len = slen; MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_checkcode)); fr_pair_value_memcpy(vp, eap_aka_session->checkcode, slen); /* * If we don't have checkcode data, then we exchanged * no identity packets, so checkcode is zero. */ } else { MEM(vp = fr_pair_afrom_da(packet, attr_eap_aka_checkcode)); eap_aka_session->checkcode_len = 0; } fr_pair_replace(to_peer, vp); /* * We've sent the challenge so the peer should now be able * to accept encrypted attributes. */ eap_aka_session->allow_encrypted = true; /* * Encode the packet */ if (eap_aka_compose(eap_session) < 0) goto failure; return 0; }
/* * Decode ONE value into a VP */ static ssize_t decode_value_internal(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *da, uint8_t const *data, size_t data_len) { VALUE_PAIR *vp; uint8_t const *p = data; FR_PROTO_TRACE("%s called to parse %zu bytes", __FUNCTION__, data_len); FR_PROTO_HEX_DUMP(data, data_len, NULL); vp = fr_pair_afrom_da(ctx, da); if (!vp) return -1; /* * Unknown attributes always get converted to * octet types, so there's no way there could * be multiple attributes, so its safe to * steal the unknown attribute into the context * of the pair. */ if (da->flags.is_unknown) talloc_steal(vp, da); if (vp->da->type == FR_TYPE_STRING) { uint8_t const *q, *end; q = end = data + data_len; /* * Not allowed to be an array, copy the whole value */ if (!vp->da->flags.array) { fr_pair_value_bstrncpy(vp, (char const *)p, end - p); p = end; goto finish; } for (;;) { q = memchr(p, '\0', q - p); /* Malformed but recoverable */ if (!q) q = end; fr_pair_value_bstrncpy(vp, (char const *)p, q - p); p = q + 1; vp->vp_tainted = true; /* Need another VP for the next round */ if (p < end) { fr_cursor_append(cursor, vp); vp = fr_pair_afrom_da(ctx, da); if (!vp) return -1; continue; } break; } goto finish; } switch (vp->da->type) { /* * Doesn't include scope, whereas the generic format can */ case FR_TYPE_IPV6_ADDR: memcpy(&vp->vp_ipv6addr, p, sizeof(vp->vp_ipv6addr)); vp->vp_ip.af = AF_INET6; vp->vp_ip.scope_id = 0; vp->vp_ip.prefix = 128; vp->vp_tainted = true; p += sizeof(vp->vp_ipv6addr); break; case FR_TYPE_IPV6_PREFIX: memcpy(&vp->vp_ipv6addr, p + 1, sizeof(vp->vp_ipv6addr)); vp->vp_ip.af = AF_INET6; vp->vp_ip.scope_id = 0; vp->vp_ip.prefix = p[0]; vp->vp_tainted = true; p += sizeof(vp->vp_ipv6addr) + 1; break; default: { ssize_t ret; ret = fr_value_box_from_network(vp, &vp->data, vp->da->type, da, p, data_len, true); if (ret < 0) { FR_PROTO_TRACE("decoding as unknown type"); if (fr_pair_to_unknown(vp) < 0) return -1; fr_pair_value_memcpy(vp, p, data_len); ret = data_len; } p += (size_t) ret; } } finish: FR_PROTO_TRACE("decoding value complete, adding new pair and returning %zu byte(s)", p - data); fr_cursor_append(cursor, vp); return p - data; }
/** Send the challenge itself * * Challenges will come from one of three places eventually: * * 1 from attributes like FR_EAP_SIM_RANDx * (these might be retrieved from a database) * * 2 from internally implemented SIM authenticators * (a simple one based upon XOR will be provided) * * 3 from some kind of SS7 interface. * * For now, they only come from attributes. * It might be that the best way to do 2/3 will be with a different * module to generate/calculate things. */ static int eap_sim_send_challenge(eap_session_t *eap_session) { REQUEST *request = eap_session->request; eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t); VALUE_PAIR **to_peer, *vp; RADIUS_PACKET *packet; fr_sim_vector_src_t src = SIM_VECTOR_SRC_AUTO; rad_assert(eap_session->request != NULL); rad_assert(eap_session->request->reply); RDEBUG2("Acquiring GSM vector(s)"); if ((fr_sim_vector_gsm_from_attrs(eap_session, request->control, 0, &eap_sim_session->keys, &src) != 0) || (fr_sim_vector_gsm_from_attrs(eap_session, request->control, 1, &eap_sim_session->keys, &src) != 0) || (fr_sim_vector_gsm_from_attrs(eap_session, request->control, 2, &eap_sim_session->keys, &src) != 0)) { REDEBUG("Failed retrieving SIM vectors"); return RLM_MODULE_FAIL; } /* * All set, calculate keys! */ fr_sim_crypto_kdf_0_gsm(&eap_sim_session->keys); if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_sim_session->keys); RDEBUG2("Sending SIM-Challenge"); eap_session->this_round->request->code = FR_EAP_CODE_REQUEST; /* * to_peer is the data to the client */ packet = eap_session->request->reply; to_peer = &packet->vps; /* * Okay, we got the challenges! Put them into attributes. */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand)); fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[0].rand, SIM_VECTOR_GSM_RAND_SIZE); fr_pair_add(to_peer, vp); MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand)); fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[1].rand, SIM_VECTOR_GSM_RAND_SIZE); fr_pair_add(to_peer, vp); MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_rand)); fr_pair_value_memcpy(vp, eap_sim_session->keys.gsm.vector[2].rand, SIM_VECTOR_GSM_RAND_SIZE); fr_pair_add(to_peer, vp); /* * Set subtype to challenge. */ vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype); vp->vp_uint16 = EAP_SIM_CHALLENGE; fr_pair_replace(to_peer, vp); /* * Indicate we'd like to use protected success messages */ if (eap_sim_session->send_result_ind) { MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_result_ind)); vp->vp_bool = true; fr_pair_replace(to_peer, vp); } /* * Need to include an AT_MAC attribute so that it will get * calculated. */ vp = fr_pair_afrom_da(packet, attr_eap_sim_mac); fr_pair_replace(to_peer, vp); /* * We've sent the challenge so the peer should now be able * to accept encrypted attributes. */ eap_sim_session->allow_encrypted = true; /* * Encode the packet */ if (eap_sim_compose(eap_session, eap_sim_session->keys.gsm.nonce_mt, sizeof(eap_sim_session->keys.gsm.nonce_mt)) < 0) { fr_pair_list_free(&packet->vps); return -1; } return 0; }
/** Parses the MS-SOH type/value (note: NOT type/length/value) data and update the sohvp list * * See section 2.2.4 of MS-SOH. Because there's no "length" field we CANNOT just skip * unknown types; we need to know their length ahead of time. Therefore, we abort * if we find an unknown type. Note that sohvp may still have been modified in the * failure case. * * @param request Current request * @param p binary blob * @param data_len length of blob * @return * - 0 on success. * - -1 on failure. */ static int eapsoh_mstlv(REQUEST *request, uint8_t const *p, unsigned int data_len) { VALUE_PAIR *vp; uint8_t c; int t; char *q; while (data_len > 0) { c = *p++; data_len--; switch (c) { case 1: /* MS-Machine-Inventory-Packet * MS-SOH section 2.2.4.1 */ if (data_len < 18) { RDEBUG("insufficient data for MS-Machine-Inventory-Packet"); return 0; } data_len -= 18; vp = pair_make_request("SoH-MS-Machine-OS-vendor", "Microsoft", T_OP_EQ); if (!vp) return 0; vp = pair_make_request("SoH-MS-Machine-OS-version", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; vp = pair_make_request("SoH-MS-Machine-OS-release", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; vp = pair_make_request("SoH-MS-Machine-OS-build", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; vp = pair_make_request("SoH-MS-Machine-SP-version", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; vp = pair_make_request("SoH-MS-Machine-SP-release", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; vp = pair_make_request("SoH-MS-Machine-Processor", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; break; case 2: /* MS-Quarantine-State - FIXME: currently unhandled * MS-SOH 2.2.4.1 * * 1 byte reserved * 1 byte flags * 8 bytes NT Time field (100-nanosec since 1 Jan 1601) * 2 byte urilen * N bytes uri */ p += 10; t = soh_pull_be_16(p); /* t == uri len */ p += 2; p += t; data_len -= 12 + t; break; case 3: /* MS-Packet-Info * MS-SOH 2.2.4.3 */ RDEBUG3("SoH MS-Packet-Info %s vers=%i", *p & 0x10 ? "request" : "response", *p & 0xf); p++; data_len--; break; case 4: /* MS-SystemGenerated-Ids - FIXME: currently unhandled * MS-SOH 2.2.4.4 * * 2 byte length * N bytes (3 bytes IANA enterprise# + 1 byte component id#) */ t = soh_pull_be_16(p); p += 2; p += t; data_len -= 2 + t; break; case 5: /* MS-MachineName * MS-SOH 2.2.4.5 * * 1 byte namelen * N bytes name */ t = soh_pull_be_16(p); p += 2; vp = pair_make_request("SoH-MS-Machine-Name", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_strvalue = q = talloc_array(vp, char, t); vp->type = VT_DATA; memcpy(q, p, t); q[t] = 0; p += t; data_len -= 2 + t; break; case 6: /* MS-CorrelationId * MS-SOH 2.2.4.6 * * 24 bytes opaque binary which we might, in future, have * to echo back to the client in a final SoHR */ vp = pair_make_request("SoH-MS-Correlation-Id", NULL, T_OP_EQ); if (!vp) return 0; fr_pair_value_memcpy(vp, p, 24); p += 24; data_len -= 24; break; case 7: /* MS-Installed-Shvs - FIXME: currently unhandled * MS-SOH 2.2.4.7 * * 2 bytes length * N bytes (3 bytes IANA enterprise# + 1 byte component id#) */ t = soh_pull_be_16(p); p += 2; p += t; data_len -= 2 + t; break; case 8: /* MS-Machine-Inventory-Ex * MS-SOH 2.2.4.8 * * 4 bytes reserved * 1 byte product type (client=1 domain_controller=2 server=3) */ p += 4; vp = pair_make_request("SoH-MS-Machine-Role", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = *p; p++; data_len -= 5; break; default: RDEBUG("SoH Unknown MS TV %i stopping", c); return 0; } } return 1; }
/** Create any kind of VP from the attribute contents * * @param[in] ctx to allocate new attributes in. * @param[in] cursor to addd new attributes to. * @param[in] parent the current attribute we're processing. * @param[in] data to parse. Points to the data field of the attribute. * @param[in] attr_len length of the attribute being parsed. * @param[in] data_len length of the remaining data in the packet. * @param[in] decoder_ctx IVs, keys etc... * @return * - Length on success. * - -1 on failure. */ static ssize_t sim_decode_pair_value(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *parent, uint8_t const *data, size_t const attr_len, size_t const data_len, void *decoder_ctx) { VALUE_PAIR *vp; uint8_t const *p = data; size_t prefix = 0; fr_sim_decode_ctx_t *packet_ctx = decoder_ctx; if (!fr_cond_assert(attr_len <= data_len)) return -1; if (!fr_cond_assert(parent)) return -1; FR_PROTO_TRACE("Parent %s len %zu", parent->name, attr_len); FR_PROTO_HEX_DUMP(data, attr_len, __FUNCTION__ ); FR_PROTO_TRACE("Type \"%s\" (%u)", fr_int2str(fr_value_box_type_table, parent->type, "?Unknown?"), parent->type); /* * Special cases, attributes that either have odd formats, or need * have information we need to decode the packet. */ switch (parent->attr) { /* * We need to record packet_ctx so we can decrypt AT_ENCR attributes. * * If we don't find it before, then that's fine, we'll try and * find it in the rest of the packet after the encrypted * attribute. * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_IV | Length = 5 | Reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | | * | Initialization Vector | * | | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ case FR_SIM_IV: if (sim_iv_extract(&packet_ctx->iv[0], data, attr_len) < 0) return -1; packet_ctx->have_iv = true; break; /* Now create the attribute */ /* * AT_RES - Special case (RES length is in bits) * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_RES | Length | RES Length | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| * | | * | RES | * | | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ case FR_EAP_AKA_RES: { uint16_t res_len; if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */ res_len = (p[0] << 8) | p[1]; if (res_len % 8) { fr_strerror_printf("%s: RES Length (%hu) is not a multiple of 8", __FUNCTION__, res_len); return -1; } res_len /= 8; if (res_len > (attr_len - 2)) { fr_strerror_printf("%s: RES Length field value (%u bits) > attribute value length (%zu bits)", __FUNCTION__, res_len * 8, (attr_len - 2) * 8); return -1; } if ((res_len < 4) || (res_len > 16)) { fr_strerror_printf("%s: RES Length field value must be between 32-128 bits, got %u bits", __FUNCTION__, (res_len * 8)); return -1; } vp = fr_pair_afrom_da(ctx, parent); if (!vp) return -1; fr_pair_value_memcpy(vp, p + 2, res_len, true); } goto done; /* * AT_CHECKCODE - Special case (Variable length with no length field) * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_CHECKCODE | Length | Reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | | * | Checkcode (0 or 20 bytes) | * | | * | | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ case FR_EAP_AKA_CHECKCODE: if (attr_len < 2) goto raw; /* Need at least two bytes for reserved field */ vp = fr_pair_afrom_da(ctx, parent); if (!vp) return -1; fr_pair_value_memcpy(vp, p + 2, attr_len - 2, true); goto done; default: break; } switch (parent->type) { case FR_TYPE_STRING: if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */ if (parent->flags.length && (attr_len != parent->flags.length)) { wrong_len: fr_strerror_printf("%s: Attribute \"%s\" needs a value of exactly %zu bytes, " "but value was %zu bytes", __FUNCTION__, parent->name, (size_t)parent->flags.length, attr_len); goto raw; } break; case FR_TYPE_OCTETS: /* * Get the number of bytes we expect before the value */ prefix = fr_sim_octets_prefix_len(parent); if (attr_len < prefix) goto raw; if (parent->flags.length && (attr_len != (parent->flags.length + prefix))) goto wrong_len; break; case FR_TYPE_BOOL: case FR_TYPE_UINT8: case FR_TYPE_UINT16: case FR_TYPE_UINT32: case FR_TYPE_UINT64: if (attr_len != fr_sim_attr_sizes[parent->type][0]) goto raw; break; case FR_TYPE_TLV: if (attr_len < 2) goto raw; /* * We presume that the TLVs all fit into one * attribute, OR they've already been grouped * into a contiguous memory buffer. */ return sim_decode_tlv(ctx, cursor, parent, p, attr_len, data_len, decoder_ctx); default: raw: /* * We can't create unknowns for non-skippable attributes * as we're prohibited from continuing by the SIM RFCs. */ if (parent->attr <= SIM_SKIPPABLE_MAX) { fr_strerror_printf_push("%s: Failed parsing non-skippable attribute '%s'", __FUNCTION__, parent->name); return -1; } #ifdef __clang_analyzer__ if (!parent->parent) return -1; /* stupid static analyzers */ #endif rad_assert(parent->parent); /* * Re-write the attribute to be "raw". It is * therefore of type "octets", and will be * handled below. */ parent = fr_dict_unknown_afrom_fields(ctx, parent->parent, fr_dict_vendor_num_by_da(parent), parent->attr); if (!parent) { fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__); return -1; } } vp = fr_pair_afrom_da(ctx, parent); if (!vp) return -1; /* * For unknown attributes copy the entire value, not skipping * any reserved bytes. */ if (parent->flags.is_unknown || parent->flags.is_raw) { fr_pair_value_memcpy(vp, p, attr_len, true); vp->vp_length = attr_len; goto done; } switch (parent->type) { /* * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_<STRING> | Length | Actual <STRING> Length | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | | * . String . * . . * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ case FR_TYPE_STRING: { uint16_t actual_len = (p[0] << 8) | p[1]; if (actual_len > (attr_len - 2)) { fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)", __FUNCTION__, actual_len, attr_len - 2); return -1; } fr_pair_value_bstrncpy(vp, p + 2, actual_len); } break; case FR_TYPE_OCTETS: /* * Variable length octets buffer */ if (!parent->flags.length) { uint16_t actual_len = (p[0] << 8) | p[1]; if (actual_len > (attr_len - prefix)) { fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)", __FUNCTION__, actual_len, attr_len - 2); return -1; } fr_pair_value_memcpy(vp, p + prefix, actual_len, true); /* * Fixed length octets buffer */ } else { fr_pair_value_memcpy(vp, p + prefix, attr_len - prefix, true); } break; /* * Not proper bool. We Use packet_ctx to represent * flag attributes like AT_FULLAUTH_ID_REQ * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_<BOOL> | Length = 1 | Reserved | * +---------------+---------------+-------------------------------+ */ case FR_TYPE_BOOL: vp->vp_bool = true; break; /* * Numbers are network byte order. * * In the base RFCs only short (16bit) unsigned integers are used. * We add support for more, just for completeness. * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | AT_<SHORT> | Length = 1 | Short 1 | Short 2 | * +---------------+---------------+-------------------------------+ */ case FR_TYPE_UINT8: vp->vp_uint8 = p[0]; break; case FR_TYPE_UINT16: memcpy(&vp->vp_uint16, p, sizeof(vp->vp_uint16)); vp->vp_uint16 = ntohs(vp->vp_uint32); break; case FR_TYPE_UINT32: memcpy(&vp->vp_uint32, p, sizeof(vp->vp_uint32)); vp->vp_uint32 = ntohl(vp->vp_uint32); break; case FR_TYPE_UINT64: memcpy(&vp->vp_uint64, p, sizeof(vp->vp_uint64)); vp->vp_uint64 = ntohll(vp->vp_uint64); break; default: fr_pair_list_free(&vp); fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__); return -1; } done: vp->type = VT_DATA; fr_cursor_append(cursor, vp); return attr_len; }
/* * Preprocess a request. */ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request) { int r; rlm_preprocess_t *inst = instance; VALUE_PAIR *vp; /* * Mangle the username, to get rid of stupid implementation * bugs. */ rad_mangle(inst, request); if (inst->with_ascend_hack) { /* * If we're using Ascend systems, hack the NAS-Port-Id * in place, to go from Ascend's weird values to something * approaching rationality. */ ascend_nasport_hack(fr_pair_find_by_num(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY), inst->ascend_channels_per_line); } if (inst->with_cisco_vsa_hack) { /* * We need to run this hack because the h323-conf-id * attribute should be used. */ cisco_vsa_hack(request); } if (inst->with_alvarion_vsa_hack) { /* * We need to run this hack because the Alvarion * people are crazy. */ alvarion_vsa_hack(request->packet->vps); } if (inst->with_cablelabs_vsa_hack) { /* * We need to run this hack because the Cablelabs * people are crazy. */ cablelabs_vsa_hack(&request->packet->vps); } /* * Add an event timestamp. Means Event-Timestamp can be used * consistently instead of one letter expansions. */ vp = fr_pair_find_by_num(request->packet->vps, PW_EVENT_TIMESTAMP, 0, TAG_ANY); if (!vp) { vp = radius_pair_create(request->packet, &request->packet->vps, PW_EVENT_TIMESTAMP, 0); vp->vp_date = request->packet->timestamp.tv_sec; } /* * Note that we add the Request-Src-IP-Address to the request * structure BEFORE checking huntgroup access. This allows * the Request-Src-IP-Address to be used for huntgroup * comparisons. */ if (add_nas_attr(request) < 0) { return RLM_MODULE_FAIL; } hints_setup(inst->hints, request); /* * If there is a PW_CHAP_PASSWORD attribute but there * is PW_CHAP_CHALLENGE we need to add it so that other * modules can use it as a normal attribute. */ if (fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY) && fr_pair_find_by_num(request->packet->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY) == NULL) { vp = radius_pair_create(request->packet, &request->packet->vps, PW_CHAP_CHALLENGE, 0); fr_pair_value_memcpy(vp, request->packet->vector, AUTH_VECTOR_LEN); } if ((r = huntgroup_access(request, inst->huntgroups)) != RLM_MODULE_OK) { char buf[1024]; RIDEBUG("No huntgroup access: [%s] (%s)", request->username ? request->username->vp_strvalue : "<NO User-Name>", auth_name(buf, sizeof(buf), request, 1)); return r; } return RLM_MODULE_OK; /* Meaning: try next authorization module */ }
/** Send NONCE_S and re-key * */ static int eap_sim_send_reauthentication(eap_session_t *eap_session) { REQUEST *request = eap_session->request; eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t); VALUE_PAIR **to_peer, *vp, *mk, *counter; RADIUS_PACKET *packet; rad_assert(eap_session->request != NULL); rad_assert(eap_session->request->reply); /* * to_peer is the data to the client */ packet = eap_session->request->reply; to_peer = &packet->vps; /* * If any of the session resumption inputs (on our side) * are missing or malformed, return an error code * and the state machine will jump to the start state. */ mk = fr_pair_find_by_da(request->control, attr_eap_sim_mk, TAG_ANY); if (!mk) { RWDEBUG2("Missing &control:EAP-SIM-MK, skipping session resumption"); return -1; } if (mk->vp_length != SIM_MK_SIZE) { RWDEBUG("&control:EAP-SIM-MK has incorrect length, expected %u bytes got %zu bytes", SIM_MK_SIZE, mk->vp_length); return -1; } counter = fr_pair_find_by_da(request->control, attr_eap_sim_counter, TAG_ANY); if (!counter) { RWDEBUG2("Missing &control:EAP-SIM-Counter, skipping session resumption"); return -1; } /* * All set, calculate keys! */ fr_sim_crypto_keys_init_kdf_0_reauth(&eap_sim_session->keys, mk->vp_octets, counter->vp_uint16); fr_sim_crypto_kdf_0_reauth(&eap_sim_session->keys); if (RDEBUG_ENABLED3) fr_sim_crypto_keys_log(request, &eap_sim_session->keys); RDEBUG2("Sending SIM-Reauthentication"); eap_session->this_round->request->code = FR_EAP_CODE_REQUEST; /* * Set subtype to challenge. */ vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype); vp->vp_uint16 = EAP_SIM_REAUTH; fr_pair_replace(to_peer, vp); /* * Add nonce_s */ MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_nonce_s)); fr_pair_value_memcpy(vp, eap_sim_session->keys.reauth.nonce_s, sizeof(eap_sim_session->keys.reauth.nonce_s)); fr_pair_replace(to_peer, vp); /* * Indicate we'd like to use protected success messages */ if (eap_sim_session->send_result_ind) { MEM(vp = fr_pair_afrom_da(packet, attr_eap_sim_result_ind)); vp->vp_bool = true; fr_pair_replace(to_peer, vp); } /* * Need to include an AT_MAC attribute so that it will get * calculated. */ vp = fr_pair_afrom_da(packet, attr_eap_sim_mac); fr_pair_replace(to_peer, vp); /* * We've sent the challenge so the peer should now be able * to accept encrypted attributes. */ eap_sim_session->allow_encrypted = true; /* * Encode the packet */ if (eap_sim_compose(eap_session, NULL, 0) < 0) { fr_pair_list_free(&packet->vps); return -1; } return 0; }
/* * Send one packet. */ static int send_one_packet(rc_request_t *request) { assert(request->done == false); /* * Remember when we have to wake up, to re-send the * request, of we didn't receive a reply. */ if ((sleep_time == -1) || (sleep_time > (int) timeout)) sleep_time = (int) timeout; /* * Haven't sent the packet yet. Initialize it. */ if (request->packet->id == -1) { int i; bool rcode; assert(request->reply == NULL); /* * Didn't find a free packet ID, we're not done, * we don't sleep, and we stop trying to process * this packet. */ retry: request->packet->src_ipaddr.af = server_ipaddr.af; rcode = fr_packet_list_id_alloc(pl, ipproto, &request->packet, NULL); if (!rcode) { int mysockfd; #ifdef WITH_TCP if (proto) { mysockfd = fr_socket_client_tcp(NULL, &request->packet->dst_ipaddr, request->packet->dst_port, false); } else #endif mysockfd = fr_socket(&client_ipaddr, 0); if (mysockfd < 0) { ERROR("Failed opening socket"); exit(1); } if (!fr_packet_list_socket_add(pl, mysockfd, ipproto, &request->packet->dst_ipaddr, request->packet->dst_port, NULL)) { ERROR("Can't add new socket"); exit(1); } goto retry; } assert(request->packet->id != -1); assert(request->packet->data == NULL); for (i = 0; i < 4; i++) { ((uint32_t *) request->packet->vector)[i] = fr_rand(); } /* * Update the password, so it can be encrypted with the * new authentication vector. */ if (request->password) { VALUE_PAIR *vp; if ((vp = fr_pair_find_by_num(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) { fr_pair_value_strcpy(vp, request->password->vp_strvalue); } else if ((vp = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) { uint8_t buffer[17]; rad_chap_encode(request->packet, buffer, fr_rand() & 0xff, request->password); fr_pair_value_memcpy(vp, buffer, 17); } else if (fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_PASSWORD, 0, TAG_ANY) != NULL) { mschapv1_encode(request->packet, &request->packet->vps, request->password->vp_strvalue); } else { DEBUG("WARNING: No password in the request"); } } request->timestamp = time(NULL); request->tries = 1; request->resend++; } else { /* request->packet->id >= 0 */ time_t now = time(NULL); /* * FIXME: Accounting packets are never retried! * The Acct-Delay-Time attribute is updated to * reflect the delay, and the packet is re-sent * from scratch! */ /* * Not time for a retry, do so. */ if ((now - request->timestamp) < timeout) { /* * When we walk over the tree sending * packets, we update the minimum time * required to sleep. */ if ((sleep_time == -1) || (sleep_time > (now - request->timestamp))) { sleep_time = now - request->timestamp; } return 0; } /* * We're not trying later, maybe the packet is done. */ if (request->tries == retries) { assert(request->packet->id >= 0); /* * Delete the request from the tree of * outstanding requests. */ fr_packet_list_yank(pl, request->packet); REDEBUG("No reply from server for ID %d socket %d", request->packet->id, request->packet->sockfd); deallocate_id(request); /* * Normally we mark it "done" when we've received * the reply, but this is a special case. */ if (request->resend == resend_count) { request->done = true; } stats.lost++; return -1; } /* * We are trying later. */ request->timestamp = now; request->tries++; } /* * Send the packet. */ if (rad_send(request->packet, NULL, secret) < 0) { REDEBUG("Failed to send packet for ID %d", request->packet->id); deallocate_id(request); request->done = true; return -1; } fr_packet_header_print(fr_log_fp, request->packet, false); if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->packet->vps); return 0; }
/* * Convert diameter attributes to our VALUE_PAIR's */ static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl, uint8_t const *data, size_t data_len) { uint32_t attr; uint32_t vendor; uint32_t length; size_t offset; size_t size; size_t data_left = data_len; VALUE_PAIR *first = NULL; VALUE_PAIR *vp; RADIUS_PACKET *packet = fake->packet; /* FIXME: api issues */ vp_cursor_t out; fr_cursor_init(&out, &first); while (data_left > 0) { rad_assert(data_left <= data_len); memcpy(&attr, data, sizeof(attr)); data += 4; attr = ntohl(attr); vendor = 0; memcpy(&length, data, sizeof(length)); data += 4; length = ntohl(length); /* * A "vendor" flag, with a vendor ID of zero, * is equivalent to no vendor. This is stupid. */ offset = 8; if ((length & ((uint32_t)1 << 31)) != 0) { memcpy(&vendor, data, sizeof(vendor)); vendor = ntohl(vendor); data += 4; /* skip the vendor field, it's zero */ offset += 4; /* offset to value field */ if (attr > 65535) goto next_attr; if (vendor > FR_MAX_VENDOR) goto next_attr; } /* * FIXME: Handle the M bit. For now, we assume that * some other module takes care of any attribute * with the M bit set. */ /* * Get the length. */ length &= 0x00ffffff; /* * Get the size of the value portion of the * attribute. */ size = length - offset; /* * Vendor attributes can be larger than 255. * Normal attributes cannot be. */ if ((attr > 255) && (vendor == 0)) { RWDEBUG2("Skipping Diameter attribute %u", attr); goto next_attr; } /* * EAP-Message AVPs can be larger than 253 octets. * * For now, we rely on the main decoder in * src/lib/radius to decode data into VPs. This * means putting the data into a RADIUS attribute * format. It also means that we can't handle * "extended" attributes in the Diameter space. Oh well... */ if ((size > 253) && !((vendor == 0) && (attr == PW_EAP_MESSAGE))) { RWDEBUG2("diameter2vp skipping long attribute %u", attr); goto next_attr; } /* * RADIUS VSAs are handled as Diameter attributes * with Vendor-Id == 0, and the VSA data packed * into the "String" field as per normal. * * EXCEPT for the MS-CHAP attributes. */ if ((vendor == 0) && (attr == PW_VENDOR_SPECIFIC)) { ssize_t decoded; uint8_t buffer[256]; buffer[0] = PW_VENDOR_SPECIFIC; buffer[1] = size + 2; memcpy(buffer + 2, data, size); vp = NULL; decoded = rad_attr2vp(packet, NULL, NULL, NULL, buffer, size + 2, &vp); if (decoded < 0) { REDEBUG2("diameter2vp failed decoding attr: %s", fr_strerror()); goto do_octets; } if ((size_t) decoded != size + 2) { REDEBUG2("diameter2vp failed to entirely decode VSA"); fr_pair_list_free(&vp); goto do_octets; } fr_cursor_merge(&out, vp); goto next_attr; } /* * Create it. If this fails, it's because we're OOM. */ do_octets: vp = fr_pair_afrom_num(packet, attr, vendor); if (!vp) { RDEBUG2("Failure in creating VP"); fr_pair_list_free(&first); return NULL; } /* * If it's a type from our dictionary, then * we need to put the data in a relevant place. * * @todo: Export the lib/radius.c decoder, and use it here! */ switch (vp->da->type) { case PW_TYPE_INTEGER: case PW_TYPE_DATE: if (size != vp->vp_length) { DICT_ATTR const *da; /* * Bad format. Create a "raw" * attribute. */ raw: if (vp) fr_pair_list_free(&vp); da = dict_unknown_afrom_fields(packet, attr, vendor); if (!da) return NULL; vp = fr_pair_afrom_da(packet, da); if (!vp) return NULL; fr_pair_value_memcpy(vp, data, size); break; } memcpy(&vp->vp_integer, data, vp->vp_length); /* * Stored in host byte order: change it. */ vp->vp_integer = ntohl(vp->vp_integer); break; case PW_TYPE_INTEGER64: if (size != vp->vp_length) goto raw; memcpy(&vp->vp_integer64, data, vp->vp_length); /* * Stored in host byte order: change it. */ vp->vp_integer64 = ntohll(vp->vp_integer64); break; case PW_TYPE_IPV4_ADDR: if (size != vp->vp_length) { RDEBUG2("Invalid length attribute %d", attr); fr_pair_list_free(&first); fr_pair_list_free(&vp); return NULL; } memcpy(&vp->vp_ipaddr, data, vp->vp_length); /* * Stored in network byte order: don't change it. */ break; case PW_TYPE_BYTE: if (size != vp->vp_length) goto raw; vp->vp_byte = data[0]; break; case PW_TYPE_SHORT: if (size != vp->vp_length) goto raw; vp->vp_short = (data[0] * 256) + data[1]; break; case PW_TYPE_SIGNED: if (size != vp->vp_length) goto raw; memcpy(&vp->vp_signed, data, vp->vp_length); vp->vp_signed = ntohl(vp->vp_signed); break; case PW_TYPE_IPV6_ADDR: if (size != vp->vp_length) goto raw; memcpy(&vp->vp_ipv6addr, data, vp->vp_length); break; case PW_TYPE_IPV6_PREFIX: if (size != vp->vp_length) goto raw; memcpy(vp->vp_ipv6prefix, data, vp->vp_length); break; case PW_TYPE_STRING: fr_pair_value_bstrncpy(vp, data, size); vp->vp_length = strlen(vp->vp_strvalue); /* embedded zeros are NOT allowed */ break; /* * Copy it over verbatim. */ case PW_TYPE_OCTETS: default: fr_pair_value_memcpy(vp, data, size); break; } /* * Ensure that the client is using the * correct challenge. This weirdness is * to protect against against replay * attacks, where anyone observing the * CHAP exchange could pose as that user, * by simply choosing to use the same * challenge. * * By using a challenge based on * information from the current session, * we can guarantee that the client is * not *choosing* a challenge. * * We're a little forgiving in that we * have loose checks on the length, and * we do NOT check the Id (first octet of * the response to the challenge) * * But if the client gets the challenge correct, * we're not too worried about the Id. */ if (((vp->da->vendor == 0) && (vp->da->attr == PW_CHAP_CHALLENGE)) || ((vp->da->vendor == VENDORPEC_MICROSOFT) && (vp->da->attr == PW_MSCHAP_CHALLENGE))) { uint8_t challenge[16]; if ((vp->vp_length < 8) || (vp->vp_length > 16)) { RDEBUG("Tunneled challenge has invalid length"); fr_pair_list_free(&first); fr_pair_list_free(&vp); return NULL; } eapttls_gen_challenge(ssl, challenge, sizeof(challenge)); if (memcmp(challenge, vp->vp_octets, vp->vp_length) != 0) { RDEBUG("Tunneled challenge is incorrect"); fr_pair_list_free(&first); fr_pair_list_free(&vp); return NULL; } } /* * Update the list. */ fr_cursor_insert(&out, vp); next_attr: /* * Catch non-aligned attributes. */ if (data_left == length) break; /* * The length does NOT include the padding, so * we've got to account for it here by rounding up * to the nearest 4-byte boundary. */ length += 0x03; length &= ~0x03; rad_assert(data_left >= length); data_left -= length; data += length - offset; /* already updated */ } /* * We got this far. It looks OK. */ return first; }
/* * Generate a challenge to be presented to the user. */ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request) { rlm_otp_t *inst = (rlm_otp_t *) instance; char challenge[OTP_MAX_CHALLENGE_LEN + 1]; /* +1 for '\0' terminator */ int auth_type_found; /* Early exit if Auth-Type != inst->name */ { VALUE_PAIR *vp; auth_type_found = 0; vp = fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY); if (vp) { auth_type_found = 1; if (strcmp(vp->vp_strvalue, inst->name)) { return RLM_MODULE_NOOP; } } } /* The State attribute will be present if this is a response. */ if (fr_pair_find_by_num(request->packet->vps, PW_STATE, 0, TAG_ANY) != NULL) { DEBUG("rlm_otp: autz: Found response to Access-Challenge"); return RLM_MODULE_OK; } /* User-Name attribute required. */ if (!request->username) { RWDEBUG("Attribute \"User-Name\" " "required for authentication"); return RLM_MODULE_INVALID; } if (otp_pwe_present(request) == 0) { RWDEBUG("Attribute " "\"User-Password\" or equivalent required " "for authentication"); return RLM_MODULE_INVALID; } /* * We used to check for special "challenge" and "resync" passcodes * here, but these are complicated to explain and application is * limited. More importantly, since we've removed all actual OTP * code (now we ask otpd), it's awkward for us to support them. * Should the need arise to reinstate these options, the most * likely choice is to duplicate some otpd code here. */ if (inst->allow_sync && !inst->allow_async) { /* This is the token sync response. */ if (!auth_type_found) { pair_make_config("Auth-Type", inst->name, T_OP_EQ); } return RLM_MODULE_OK; } /* * Generate a random challenge. */ otp_async_challenge(challenge, inst->challenge_len); /* * Create the State attribute, which will be returned to * us along with the response. * * We will need this to verify the response. * * It must be hmac protected to prevent insertion of arbitrary * State by an inside attacker. * * If we won't actually use the State (server config doesn't * allow async), we just use a trivial State. * * We always create at least a trivial State, so mod_authorize() * can quickly pass on to mod_authenticate(). */ { int32_t now = htonl(time(NULL)); //!< Low-order 32 bits on LP64. char gen_state[OTP_MAX_RADSTATE_LEN]; size_t len; VALUE_PAIR *vp; len = otp_gen_state(gen_state, challenge, inst->challenge_len, 0, now, inst->hmac_key); vp = fr_pair_afrom_num(request->reply, PW_STATE, 0); if (!vp) { return RLM_MODULE_FAIL; } fr_pair_value_memcpy(vp, (uint8_t const *) gen_state, len); fr_pair_add(&request->reply->vps, vp); } /* * Add the challenge to the reply. */ { VALUE_PAIR *vp; char *expanded = NULL; ssize_t len; /* * First add the internal OTP challenge attribute to * the reply list. */ vp = fr_pair_afrom_num(request->reply, PW_OTP_CHALLENGE, 0); if (!vp) { return RLM_MODULE_FAIL; } fr_pair_value_strcpy(vp, challenge); vp->op = T_OP_SET; fr_pair_add(&request->reply->vps, vp); /* * Then add the message to the user to they known * what the challenge value is. */ len = radius_axlat(&expanded, request, inst->chal_prompt, NULL, NULL); if (len < 0) { return RLM_MODULE_FAIL; } vp = fr_pair_afrom_num(request->reply, PW_REPLY_MESSAGE, 0); if (!vp) { talloc_free(expanded); return RLM_MODULE_FAIL; } (void) talloc_steal(vp, expanded); vp->vp_strvalue = expanded; vp->vp_length = len; vp->op = T_OP_SET; vp->type = VT_DATA; fr_pair_add(&request->reply->vps, vp); } /* * Mark the packet as an Access-Challenge packet. * The server will take care of sending it to the user. */ request->reply->code = PW_CODE_ACCESS_CHALLENGE; DEBUG("rlm_otp: Sending Access-Challenge"); if (!auth_type_found) { pair_make_config("Auth-Type", inst->name, T_OP_EQ); } return RLM_MODULE_HANDLED; }
static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session, tls_session_t *tls_session, VALUE_PAIR *tlv_eap_payload) { FR_CODE code = FR_CODE_ACCESS_REJECT; rlm_rcode_t rcode; VALUE_PAIR *vp; eap_fast_tunnel_t *t; REQUEST *fake; RDEBUG2("Processing received EAP Payload"); /* * Allocate a fake REQUEST structure. */ fake = request_alloc_fake(request, NULL); rad_assert(!fake->packet->vps); t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t); /* * Add the tunneled attributes to the fake request. */ fake->packet->vps = fr_pair_afrom_da(fake->packet, attr_eap_message); fr_pair_value_memcpy(fake->packet->vps, tlv_eap_payload->vp_octets, tlv_eap_payload->vp_length, false); RDEBUG2("Got tunneled request"); log_request_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL); /* * Tell the request that it's a fake one. */ MEM(fr_pair_add_by_da(fake->packet, &vp, &fake->packet->vps, attr_freeradius_proxied_to) >= 0); fr_pair_value_from_str(vp, "127.0.0.1", sizeof("127.0.0.1"), '\0', false); /* * Update other items in the REQUEST data structure. */ fake->username = fr_pair_find_by_da(fake->packet->vps, attr_user_name, TAG_ANY); fake->password = fr_pair_find_by_da(fake->packet->vps, attr_user_password, TAG_ANY); /* * No User-Name, try to create one from stored data. */ if (!fake->username) { /* * No User-Name in the stored data, look for * an EAP-Identity, and pull it out of there. */ if (!t->username) { vp = fr_pair_find_by_da(fake->packet->vps, attr_eap_message, TAG_ANY); if (vp && (vp->vp_length >= EAP_HEADER_LEN + 2) && (vp->vp_strvalue[0] == FR_EAP_CODE_RESPONSE) && (vp->vp_strvalue[EAP_HEADER_LEN] == FR_EAP_METHOD_IDENTITY) && (vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { /* * Create & remember a User-Name */ MEM(t->username = fr_pair_afrom_da(t, attr_user_name)); t->username->vp_tainted = true; fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5); RDEBUG2("Got tunneled identity of %pV", &t->username->data); } else { /* * Don't reject the request outright, * as it's permitted to do EAP without * user-name. */ RWDEBUG2("No EAP-Identity found to start EAP conversation"); } } /* else there WAS a t->username */ if (t->username) { vp = fr_pair_copy(fake->packet, t->username); fr_pair_add(&fake->packet->vps, vp); fake->username = vp; } } /* else the request ALREADY had a User-Name */ if (t->stage == EAP_FAST_AUTHENTICATION) { /* FIXME do this only for MSCHAPv2 */ VALUE_PAIR *tvp; tvp = fr_pair_afrom_da(fake, attr_eap_type); tvp->vp_uint32 = t->default_provisioning_method; fr_pair_add(&fake->control, tvp); /* * RFC 5422 section 3.2.3 - Authenticating Using EAP-FAST-MSCHAPv2 */ if (t->mode == EAP_FAST_PROVISIONING_ANON) { tvp = fr_pair_afrom_da(fake, attr_ms_chap_challenge); fr_pair_value_memcpy(tvp, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false); fr_pair_add(&fake->control, tvp); RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 auth_challenge"); tvp = fr_pair_afrom_da(fake, attr_ms_chap_peer_challenge); fr_pair_value_memcpy(tvp, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false); fr_pair_add(&fake->control, tvp); RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 peer_challenge"); } } /* * Call authentication recursively, which will * do PAP, CHAP, MS-CHAP, etc. */ eap_virtual_server(request, fake, eap_session, t->virtual_server); /* * Decide what to do with the reply. */ switch (fake->reply->code) { case 0: /* No reply code, must be proxied... */ #ifdef WITH_PROXY vp = fr_pair_find_by_da(fake->control, attr_proxy_to_realm, TAG_ANY); if (vp) { int ret; eap_tunnel_data_t *tunnel; RDEBUG2("Tunneled authentication will be proxied to %pV", &vp->data); /* * Tell the original request that it's going to be proxied. */ fr_pair_list_copy_by_da(request, &request->control, fake->control, attr_proxy_to_realm); /* * Seed the proxy packet with the tunneled request. */ rad_assert(!request->proxy); /* * FIXME: Actually proxy stuff */ request->proxy = request_alloc_fake(request, NULL); request->proxy->packet = talloc_steal(request->proxy, fake->packet); memset(&request->proxy->packet->src_ipaddr, 0, sizeof(request->proxy->packet->src_ipaddr)); memset(&request->proxy->packet->src_ipaddr, 0, sizeof(request->proxy->packet->src_ipaddr)); request->proxy->packet->src_port = 0; request->proxy->packet->dst_port = 0; fake->packet = NULL; fr_radius_packet_free(&fake->reply); fake->reply = NULL; /* * Set up the callbacks for the tunnel */ tunnel = talloc_zero(request, eap_tunnel_data_t); tunnel->tls_session = tls_session; /* * Associate the callback with the request. */ ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK, tunnel, false, false, false); fr_cond_assert(ret == 0); /* * rlm_eap.c has taken care of associating the eap_session * with the fake request. * * So we associate the fake request with this request. */ ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK, fake, true, false, false); fr_cond_assert(ret == 0); fake = NULL; /* * Didn't authenticate the packet, but we're proxying it. */ code = FR_CODE_STATUS_CLIENT; } else #endif /* WITH_PROXY */ { REDEBUG("No tunneled reply was found, and the request was not proxied: rejecting the user"); code = FR_CODE_ACCESS_REJECT; } break; default: /* * Returns RLM_MODULE_FOO, and we want to return FR_FOO */ rcode = process_reply(eap_session, tls_session, request, fake->reply); switch (rcode) { case RLM_MODULE_REJECT: code = FR_CODE_ACCESS_REJECT; break; case RLM_MODULE_HANDLED: code = FR_CODE_ACCESS_CHALLENGE; break; case RLM_MODULE_OK: code = FR_CODE_ACCESS_ACCEPT; break; default: code = FR_CODE_ACCESS_REJECT; break; } break; } talloc_free(fake); return code; }
/* * given a radius request with an EAP-SIM body, decode it into TLV pairs * * return value is true if it succeeded, false if there was something * wrong and the packet should be discarded. * */ int unmap_eapsim_basictypes(RADIUS_PACKET *r, uint8_t *attr, unsigned int attrlen) { VALUE_PAIR *newvp; int eapsim_attribute; unsigned int eapsim_len; int es_attribute_count; es_attribute_count = 0; /* big enough to have even a single attribute */ if (attrlen < 5) { ERROR("eap: EAP-Sim attribute too short: %d < 5", attrlen); return 0; } newvp = fr_pair_afrom_num(r, 0, PW_EAP_SIM_SUBTYPE); if (!newvp) { return 0; } newvp->vp_integer = attr[0]; newvp->vp_length = 1; fr_pair_add(&(r->vps), newvp); attr += 3; attrlen -= 3; /* now, loop processing each attribute that we find */ while (attrlen > 0) { if (attrlen < 2) { ERROR("eap: EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen); return 0; } eapsim_attribute = attr[0]; eapsim_len = attr[1] * 4; if (eapsim_len > attrlen) { ERROR("eap: EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)", eapsim_attribute, es_attribute_count, eapsim_len, attrlen); return 0; } if (eapsim_len > MAX_STRING_LEN) { eapsim_len = MAX_STRING_LEN; } if (eapsim_len < 2) { ERROR("eap: EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute, es_attribute_count); return 0; } newvp = fr_pair_afrom_num(r, 0, eapsim_attribute + PW_EAP_SIM_BASE); fr_pair_value_memcpy(newvp, &attr[2], eapsim_len - 2); fr_pair_add(&(r->vps), newvp); newvp = NULL; /* advance pointers, decrement length */ attr += eapsim_len; attrlen -= eapsim_len; es_attribute_count++; } return 1; }