main(int argc, char *argv[])
{
int filedone;
RADIUS_PACKET *req,*req2;
VALUE_PAIR *vp, *vpkey, *vpextra;
extern unsigned int sha1_data_problems;
req = NULL;
req2 = NULL;
filedone = 0;
if(argc>1) {
sha1_data_problems = 1;
}
if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
librad_perror("radclient");
return 1;
}
if ((req = rad_alloc(1)) == NULL) {
librad_perror("radclient");
exit(1);
}
if ((req2 = rad_alloc(1)) == NULL) {
librad_perror("radclient");
exit(1);
}
while(!filedone) {
if(req->vps) pairfree(&req->vps);
if(req2->vps) pairfree(&req2->vps);
if ((req->vps = readvp2(stdin, &filedone, "eapsimlib:")) == NULL) {
break;
}
printf("\nRead:\n");
vp_printlist(stdout, req->vps);
map_eapsim_types(req);
map_eap_types(req);
printf("Mapped to:\n");
vp_printlist(stdout, req->vps);
/* find the EAP-Message, copy it to req2 */
vp = paircopy2(req->vps, PW_EAP_MESSAGE);
if(vp == NULL) continue;
pairadd(&req2->vps, vp);
/* only call unmap for sim types here */
unmap_eap_types(req2);
unmap_eapsim_types(req2);
printf("Unmapped to:\n");
vp_printlist(stdout, req2->vps);
vp = pairfind(req2->vps,
ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC);
vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY);
vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA);
if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
uint8_t calcmac[16];
/* find the EAP-Message, copy it to req2 */
memset(calcmac, 0, sizeof(calcmac));
printf("Confirming MAC...");
if(eapsim_checkmac(req2->vps, vpkey->strvalue,
vpextra->strvalue, vpextra->length,
calcmac)) {
printf("succeed\n");
} else {
int i, j;
printf("calculated MAC (");
for (i = 0; i < 20; i++) {
if(j==4) {
printf("_");
j=0;
}
j++;
printf("%02x", calcmac[i]);
}
printf(" did not match\n");
}
}
fflush(stdout);
}
}
static int sm_parse_file(FILE*fp,const char* fname) {
LRAD_TOKEN tok;
VALUE_PAIR *vp = NULL;
sm_parse_state_t parse_state = SMP_USER;
unsigned long lino = 0;
char *p;
char buff[MAX_BUFF_SIZE];
char username[256];
while( parse_state != SMP_INVALID && fgets(buff, sizeof(buff), fp) != NULL ) {
lino ++;
st_lines++;
if ( strchr(buff, '\n') == NULL) {
fprintf(stderr,"%s: %s[%lu]:Warning: line too long or not closed by \\n character. Skiped\n",progname,fname,lino);
st_warns++;
st_skiped++; /* _LINE_ skiped */
continue;
}
DOUT2("Parseline: %s",buff);
for ( p = buff; isspace((int) *p); p++);
if ( *p == '#' || *p == 0 ) continue;
/* userparse hack */
if ( *p == ';' ) *p = '\n';
p = buff;
/* try to decide is this line new user or new pattern */
if ( parse_state == SMP_PATTERN_OR_USER ) {
if ( isspace((int) buff[0]) ) parse_state = SMP_PATTERN;
else {
parse_state = SMP_USER;
storecontent(username);
st_users++;
}
}
if ( parse_state == SMP_USER ) {
tok = getuname(&p,username,sizeof(username));
/* check: is it include. not implemented */
if ( tok ) {
fprintf(stderr ,"%s: %s[%lu]: error while expecting user name\n",progname,fname,lino);
parse_state = SMP_INVALID;
st_errors++;
} else {
parse_state = SMP_PATTERN;
DOUT1("Found user: %s\n",username);
}
}
if ( parse_state == SMP_PATTERN || parse_state == SMP_ACTION ) {
/* check for empty line */
while( *p && isspace((int) *p) ) p++;
if ( *p && ( *p != ';' ) ) tok = userparse(p,&vp);
else tok = T_EOL; /* ';' - signs empty line */
switch(tok) {
case T_EOL: /* add to content */
addlinetocontent(vp);
pairfree(&vp);
if ( parse_state == SMP_PATTERN )
parse_state = SMP_ACTION;
else parse_state = SMP_PATTERN_OR_USER;
case T_COMMA: break; /* parse next line */
default: /* error: we do not expect anything else */
fprintf(stderr ,"%s: %s[%lu]: sintax error\n",progname,fname,lino);
librad_perror("Error");
parse_state = SMP_INVALID;
st_errors++;
}
}
}
if ( feof(fp) ) switch (parse_state ) {
case SMP_USER: /* file is empty, last line is comment */
break;
case SMP_PATTERN: /* only username ?*/
fprintf(stderr ,"%s: %s[%lu]: EOF while pattern line are expecting\n",progname,fname,lino);
st_errors++;
parse_state = SMP_INVALID;
break;
case SMP_ACTION: /* looking for reply line */
fprintf(stderr ,"%s: %s[%lu]: EOF while reply line are expecting\n",progname,fname,lino);
st_errors++;
parse_state = SMP_INVALID;
break;
case SMP_PATTERN_OR_USER:
storecontent(username);
st_users++;
break;
default:break;
} else if ( parse_state != SMP_INVALID ) { /* file read error */
fprintf(stderr ,"%s: error file reading from file\n",progname);
}
pairfree(&vp);
return (parse_state == SMP_INVALID)?-1:0;
}
int main(int n,char **argv) {
const char *fname = NULL;
const char *ofile = NULL;
FILE *fp;
int print_stat = 1;
int ch;
const char *sm_radius_dir = NULL;
progname = argv[0];
librad_debug = 0;
while ((ch = getopt(n, argv, "d:i:xo:qvc")) != -1)
switch (ch) {
case 'd':
sm_radius_dir = optarg;
break;
case 'i':
fname = optarg;
break;
case 'x':
librad_debug++;
case 'o':
ofile = optarg;
break;
case 'q':
print_stat = 0;
break;
case 'v':
printf("%s: $Id: rlm_dbm_parser.c,v 1.9 2004/02/26 19:04:28 aland Exp $ \n",progname);
exit(0);
case 'c':
oflags = O_CREAT | O_TRUNC | O_RDWR;
break;
default: sm_usage();exit(1);
}
if ( sm_radius_dir == NULL ) sm_radius_dir = RADDBDIR;
DOUT1("Use dictionary in: %s\n",sm_radius_dir);
if (dict_init(sm_radius_dir, RADIUS_DICTIONARY) < 0 ) {
librad_perror("parser: init dictionary:");
exit(1);
}
if ( fname == NULL || fname[0] == '-') {
fp = stdin;
fname = "STDIN";
} else if ( ( fp = fopen(fname, "r") ) == NULL ) {
fprintf( stderr,"%s: Couldn't open source file\n", progname);
exit(1);
}
if ( ofile == NULL ) ofile = "sandy_db" ;
if ( open_storage(ofile) ) {
exit (1);
}
sm_parse_file(fp,fname);
close_storage();
if ( print_stat )
fprintf(stderr,"\nRecord loaded: %lu\nLines parsed: %lu\nRecord skiped: %lu\nWarnings: %lu\nErrors: %lu\n"
,st_loaded,st_lines,st_skiped,st_warns,st_errors);
return 0;
}
static int do_packet(int allports, uint32_t nasaddr, const struct radutmp *u)
{
int i, retries=5, timeout=3;
struct timeval tv;
RADIUS_PACKET *req, *rep = NULL;
VALUE_PAIR *vp;
const char *secret;
if ((req = rad_alloc(1)) == NULL) {
librad_perror("radzap");
exit(1);
}
req->id = getpid() & 0xFF;
req->code = PW_ACCOUNTING_REQUEST;
req->dst_port = acct_port;
if(req->dst_port == 0)
req->dst_port = getport("radacct");
if(req->dst_port == 0)
req->dst_port = PW_ACCT_UDP_PORT;
if (radiusip == INADDR_NONE) {
req->dst_ipaddr = ip_getaddr("localhost");
}
else {
req->dst_ipaddr = radiusip;
}
if(!req->dst_ipaddr)
req->dst_ipaddr = 0x7f000001;
req->vps = NULL;
secret = getsecret(req->dst_ipaddr);
if(allports != 0) {
INTPAIR(PW_ACCT_STATUS_TYPE, PW_STATUS_ACCOUNTING_OFF);
IPPAIR(PW_NAS_IP_ADDRESS, nasaddr);
INTPAIR(PW_ACCT_DELAY_TIME, 0);
} else {
char login[sizeof u->login+1];
char session_id[sizeof u->session_id+1];
strNcpy(login, u->login, sizeof login);
strNcpy(session_id, u->session_id, sizeof session_id);
INTPAIR(PW_ACCT_STATUS_TYPE, PW_STATUS_STOP);
IPPAIR(PW_NAS_IP_ADDRESS, u->nas_address);
INTPAIR(PW_ACCT_DELAY_TIME, 0);
STRINGPAIR(PW_USER_NAME, login);
INTPAIR(PW_NAS_PORT, u->nas_port);
STRINGPAIR(PW_ACCT_SESSION_ID, session_id);
if(u->proto=='P') {
INTPAIR(PW_SERVICE_TYPE, PW_FRAMED_USER);
INTPAIR(PW_FRAMED_PROTOCOL, PW_PPP);
} else if(u->proto=='S') {
INTPAIR(PW_SERVICE_TYPE, PW_FRAMED_USER);
INTPAIR(PW_FRAMED_PROTOCOL, PW_SLIP);
} else {
INTPAIR(PW_SERVICE_TYPE, PW_LOGIN_USER); /* A guess, really */
}
IPPAIR(PW_FRAMED_IP_ADDRESS, u->framed_address);
INTPAIR(PW_ACCT_SESSION_TIME, 0);
INTPAIR(PW_ACCT_INPUT_OCTETS, 0);
INTPAIR(PW_ACCT_OUTPUT_OCTETS, 0);
INTPAIR(PW_ACCT_INPUT_PACKETS, 0);
INTPAIR(PW_ACCT_OUTPUT_PACKETS, 0);
}
if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
perror("radzap: socket: ");
exit(1);
}
for (i = 0; i < retries; i++) {
fd_set rdfdesc;
rad_send(req, NULL, secret);
/* And wait for reply, timing out as necessary */
FD_ZERO(&rdfdesc);
FD_SET(req->sockfd, &rdfdesc);
tv.tv_sec = (int)timeout;
tv.tv_usec = 1000000 * (timeout - (int)timeout);
/* Something's wrong if we don't get exactly one fd. */
if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
continue;
}
rep = rad_recv(req->sockfd);
if (rep != NULL) {
break;
} else { /* NULL: couldn't receive the packet */
librad_perror("radzap:");
exit(1);
}
}
/* No response or no data read (?) */
if (i == retries) {
fprintf(stderr, "%s: no response from server\n", progname);
exit(1);
}
if (rad_decode(rep, req, secret) != 0) {
librad_perror("rad_decode");
exit(1);
}
vp_printlist(stdout, rep->vps);
return 0;
}
int radius_auth(char *username, char *password, char *radius_server_ip_address, unsigned short int radius_server_port, char * radius_server_secret)
{
/*
printf("radius server = %s, port = %d\n", radius_server_ip_address, radius_server_port);
printf("radius secret = %s\n", radius_server_secret);
*/
const char *radius_dir = RADDBDIR;
int persec = 0;
int parallel = 1;
radclient_t *this;
librad_debug = 0;
if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0)
{
librad_perror("radclient");
return 1;
}
/*
* Strip port from hostname if needed.
*/
server_port = radius_server_port;
packet_code = PW_AUTHENTICATION_REQUEST;
/*
* Grab the socket.
*/
if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("radclient: socket: ");
exit(1);
}
memset(radius_id, 0, sizeof(radius_id));
/*
* Resolve hostname.
*/
server_ipaddr = ip_getaddr(radius_server_ip_address);
/*
* Add the secret.
*/
secret = radius_server_secret;
/*
* If no '-f' is specified, we're reading from stdin.
*/
if (last_used_id < 0) last_used_id = getpid() & 0xff;
/*
* Walk over the packets to send, until
* we're all done.
*
* FIXME: This currently busy-loops until it receives
* all of the packets. It should really have some sort of
* send packet, get time to wait, select for time, etc.
* loop.
*/
int n = parallel;
const char *filename = NULL;
done = 1;
sleep_time = -1;
/*
* Walk over the packets, sending them.
*/
/* Send username and password to radius server */
char auth_context[128];
memset( auth_context, 0x00, sizeof(auth_context) );
sprintf(auth_context,"User-Name = %s, User-Password = %s", username, password);
/* Send username and password to radius server */
this = radclient_init(auth_context);
if (radclient_sane(this) != 0)
{
exit(1);
}
/*
* If there's a packet to receive,
* receive it, but don't wait for a
* packet.
*/
recv_one_packet(0);
/*
* This packet is done. Delete it.
*/
/*
* Packets from multiple '-f' are sent
* in parallel.
*
* Packets from one file are sent in
* series, unless '-p' is specified, in
* which case N packets from each file
* are sent in parallel.
*/
if (this->filename != filename)
{
filename = this->filename;
n = parallel;
}
if (n > 0)
{
n--;
/*
* Send the current packet.
*/
send_one_packet(this);
/*
* Wait a little before sending
* the next packet, if told to.
*/
if (persec)
{
struct timeval tv;
/*
* Don't sleep elsewhere.
*/
sleep_time = 0;
if (persec == 1)
{
tv.tv_sec = 1;
tv.tv_usec = 0;
}
else
{
tv.tv_sec = 0;
tv.tv_usec = 1000000/persec;
}
/*
* Sleep for milliseconds,
* portably.
*
* If we get an error or
* a signal, treat it like
* a normal timeout.
*/
select(0, NULL, NULL, NULL, &tv);
}
/*
* If we haven't sent this packet
* often enough, we're not done,
* and we shouldn't sleep.
*/
if (this->resend < resend_count)
{
done = 0;
sleep_time = 0;
}
}
else /* haven't sent this packet, we're not done */
{
assert(this->done == 0);
assert(this->reply == NULL);
done = 0;
}
/*
* Still have outstanding requests.
*/
if (rbtree_num_elements(request_tree) > 0)
{
done = 0;
}
else
{
sleep_time = 0;
}
/*
* Nothing to do until we receive a request, so
* sleep until then. Once we receive one packet,
* we go back, and walk through the whole list again,
* sending more packets (if necessary), and updating
* the sleep time.
*/
int ret = recv_one_packet(3);
rbtree_free(filename_tree);
rbtree_free(request_tree);
return ret;
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
radclient_t myclient, radclient;
RADIUS_PACKET myrequest, *reply;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
FD_SET(sockfd, &set);
if (wait_time <= 0)
{
tv.tv_sec = 0;
}
else
{
tv.tv_sec = wait_time;
}
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(sockfd + 1, &set, NULL, NULL, &tv) != 1)
{
return 0;
}
/*
* Look for the packet.
*/
reply = rad_recv(sockfd);
if (!reply)
{
fprintf(stderr, "radclient: received bad packet: %s\n",
librad_errstr);
return -1; /* bad packet */
}
myclient.request = &myrequest;
myrequest.id = reply->id;
myrequest.dst_ipaddr = reply->src_ipaddr;
myrequest.dst_port = reply->src_port;
radclient.reply = reply;
/*
* FIXME: Do stuff to process the reply.
*/
#if 0
if (rad_verify(reply, radclient->request, secret) != 0)
{
printf("rad_verify\n");
librad_perror("rad_verify");
totallost++;
goto packet_done; /* shared secret is incorrect */
}
#endif
if (rad_decode(reply, radclient.request, secret) != 0)
{
librad_perror("rad_decode");
totallost++;
goto packet_done; /* shared secret is incorrect */
}
/* libradius debug already prints out the value pairs for us */
if (reply->code != PW_AUTHENTICATION_REJECT)
{
totalapp++;
}
else
{
totaldeny++;
}
packet_done:
/*
* Once we've sent the packet as many times as requested,
* mark it done.
*/
return reply->code;
}
int main(int argc, char **argv)
{
RADIUS_PACKET *req;
char *p;
int c;
int port = 0;
char *filename = NULL;
FILE *fp;
int count = 1;
int id;
id = ((int)getpid() & 0xff);
librad_debug = 0;
radlog_dest = RADLOG_STDERR;
while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF)
{
switch(c) {
case 'c':
if (!isdigit((int) *optarg))
usage();
count = atoi(optarg);
break;
case 'd':
radius_dir = optarg;
break;
case 'f':
filename = optarg;
break;
case 'q':
do_output = 0;
break;
case 'x':
debug_flag++;
librad_debug++;
break;
case 'X':
#if 0
sha1_data_problems = 1; /* for debugging only */
#endif
break;
case 'r':
if (!isdigit((int) *optarg))
usage();
retries = atoi(optarg);
break;
case 'i':
if (!isdigit((int) *optarg))
usage();
id = atoi(optarg);
if ((id < 0) || (id > 255)) {
usage();
}
break;
case 's':
do_summary = 1;
break;
case 't':
if (!isdigit((int) *optarg))
usage();
timeout = atof(optarg);
break;
case 'v':
printf("radclient: $Id: radeapclient.c,v 1.7.4.5 2006/05/19 14:22:23 nbk Exp $ built on " __DATE__ " at " __TIME__ "\n");
exit(0);
break;
case 'S':
fp = fopen(optarg, "r");
if (!fp) {
fprintf(stderr, "radclient: Error opening %s: %s\n",
optarg, strerror(errno));
exit(1);
}
if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
fprintf(stderr, "radclient: Error reading %s: %s\n",
optarg, strerror(errno));
exit(1);
}
fclose(fp);
/* truncate newline */
p = filesecret + strlen(filesecret) - 1;
while ((p >= filesecret) &&
(*p < ' ')) {
*p = '\0';
--p;
}
if (strlen(filesecret) < 2) {
fprintf(stderr, "radclient: Secret in %s is too short\n", optarg);
exit(1);
}
secret = filesecret;
break;
case 'h':
default:
usage();
break;
}
}
argc -= (optind - 1);
argv += (optind - 1);
if ((argc < 3) ||
((secret == NULL) && (argc < 4))) {
usage();
}
if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
librad_perror("radclient");
return 1;
}
if ((req = rad_alloc(1)) == NULL) {
librad_perror("radclient");
exit(1);
}
#if 0
{
FILE *randinit;
if((randinit = fopen("/dev/urandom", "r")) == NULL)
{
perror("/dev/urandom");
} else {
fread(randctx.randrsl, 256, 1, randinit);
fclose(randinit);
}
}
lrad_randinit(&randctx, 1);
#endif
req->id = id;
/*
* Strip port from hostname if needed.
*/
if ((p = strchr(argv[1], ':')) != NULL) {
*p++ = 0;
port = atoi(p);
}
/*
* See what kind of request we want to send.
*/
if (strcmp(argv[2], "auth") == 0) {
if (port == 0) port = getport("radius");
if (port == 0) port = PW_AUTH_UDP_PORT;
req->code = PW_AUTHENTICATION_REQUEST;
} else if (strcmp(argv[2], "acct") == 0) {
if (port == 0) port = getport("radacct");
if (port == 0) port = PW_ACCT_UDP_PORT;
req->code = PW_ACCOUNTING_REQUEST;
do_summary = 0;
} else if (strcmp(argv[2], "status") == 0) {
if (port == 0) port = getport("radius");
if (port == 0) port = PW_AUTH_UDP_PORT;
req->code = PW_STATUS_SERVER;
} else if (strcmp(argv[2], "disconnect") == 0) {
if (port == 0) port = PW_POD_UDP_PORT;
req->code = PW_DISCONNECT_REQUEST;
} else if (isdigit((int) argv[2][0])) {
if (port == 0) port = getport("radius");
if (port == 0) port = PW_AUTH_UDP_PORT;
req->code = atoi(argv[2]);
} else {
usage();
}
/*
* Ensure that the configuration is initialized.
*/
memset(&mainconfig, 0, sizeof(mainconfig));
/*
* Resolve hostname.
*/
req->dst_port = port;
req->dst_ipaddr = ip_getaddr(argv[1]);
if (req->dst_ipaddr == INADDR_NONE) {
fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]);
exit(1);
}
/*
* Add the secret.
*/
if (argv[3]) secret = argv[3];
/*
* Read valuepairs.
* Maybe read them, from stdin, if there's no
* filename, or if the filename is '-'.
*/
if (filename && (strcmp(filename, "-") != 0)) {
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "radclient: Error opening %s: %s\n",
filename, strerror(errno));
exit(1);
}
} else {
fp = stdin;
}
/*
* Send request.
*/
if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
perror("radclient: socket: ");
exit(1);
}
while(!filedone) {
if(req->vps) pairfree(&req->vps);
if ((req->vps = readvp2(fp, &filedone, "radeapclient:"))
== NULL) {
break;
}
sendrecv_eap(req);
}
if(do_summary) {
printf("\n\t Total approved auths: %d\n", totalapp);
printf("\t Total denied auths: %d\n", totaldeny);
}
return 0;
}
static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
{
int i;
struct timeval tv;
for (i = 0; i < retries; i++) {
fd_set rdfdesc;
rad_send(req, NULL, secret);
/* And wait for reply, timing out as necessary */
FD_ZERO(&rdfdesc);
FD_SET(req->sockfd, &rdfdesc);
tv.tv_sec = (int)timeout;
tv.tv_usec = 1000000 * (timeout - (int) timeout);
/* Something's wrong if we don't get exactly one fd. */
if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
continue;
}
*rep = rad_recv(req->sockfd);
if (*rep != NULL) {
/*
* If we get a response from a machine
* which we did NOT send a request to,
* then complain.
*/
if (((*rep)->src_ipaddr != req->dst_ipaddr) ||
((*rep)->src_port != req->dst_port)) {
char src[64], dst[64];
ip_ntoa(src, (*rep)->src_ipaddr);
ip_ntoa(dst, req->dst_ipaddr);
fprintf(stderr, "radclient: ERROR: Sent request to host %s port %d, got response from host %s port %d\n!",
dst, req->dst_port,
src, (*rep)->src_port);
exit(1);
}
break;
} else { /* NULL: couldn't receive the packet */
librad_perror("radclient:");
exit(1);
}
}
/* No response or no data read (?) */
if (i == retries) {
fprintf(stderr, "radclient: no response from server\n");
exit(1);
}
/*
* FIXME: Discard the packet & listen for another.
*
* Hmm... we should really be using eapol_test, which does
* a lot more than radeapclient.
*/
if (rad_verify(*rep, req, secret) != 0) {
librad_perror("rad_verify");
exit(1);
}
if (rad_decode(*rep, req, secret) != 0) {
librad_perror("rad_decode");
exit(1);
}
/* libradius debug already prints out the value pairs for us */
if (!librad_debug && do_output) {
printf("Received response ID %d, code %d, length = %d\n",
(*rep)->id, (*rep)->code, (*rep)->data_len);
vp_printlist(stdout, (*rep)->vps);
}
if((*rep)->code == PW_AUTHENTICATION_ACK) {
totalapp++;
} else {
totaldeny++;
}
return 0;
}
