/*
* Generic comparisons, via xlat.
*/
static int generic_cmp(UNUSED void *instance,
REQUEST *request,
VALUE_PAIR *req,
VALUE_PAIR *check,
UNUSED VALUE_PAIR *check_list,
UNUSED VALUE_PAIR **reply_list)
{
VP_VERIFY(check);
if ((check->op != T_OP_REG_EQ) && (check->op != T_OP_REG_NE)) {
int rcode;
char name[1024];
char value[1024];
VALUE_PAIR *vp;
snprintf(name, sizeof(name), "%%{%s}", check->da->name);
if (xlat_eval(value, sizeof(value), request, name, NULL, NULL) < 0) return 0;
vp = fr_pair_afrom_da(req, check->da);
vp->op = check->op;
fr_pair_value_from_str(vp, value, -1, '"', false);
/*
* Paircmp returns 0 for failed comparison, 1 for succeeded -1 for error.
*/
rcode = fr_pair_cmp(check, vp);
/*
* We're being called from paircmp_func,
* which wants 0 for success, and 1 for fail (sigh)
*
* We should really fix the API so that it is
* consistent. i.e. the comparison callbacks should
* return ONLY the resut of comparing A to B.
* The radius_callback_cmp function should then
* take care of using the operator to see if the
* condition (A OP B) is true or not.
*
* This would also allow "<", etc. to work in the
* callback functions...
*
* See rlm_ldap, ...groupcmp() for something that
* returns 0 for matched, and 1 for didn't match.
*/
rcode = !rcode;
fr_pair_list_free(&vp);
return rcode;
}
/*
* Will do the xlat for us
*/
return paircmp_pairs(request, check, NULL);
}
/*
* Common code called by everything below.
*/
static rlm_rcode_t file_common(rlm_files_t const *inst, REQUEST *request, char const *filename, rbtree_t *tree,
RADIUS_PACKET *request_packet, RADIUS_PACKET *reply_packet)
{
char const *name;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
PAIR_LIST const *user_pl, *default_pl;
bool found = false;
PAIR_LIST my_pl;
char buffer[256];
if (!inst->key) {
VALUE_PAIR *namepair;
namepair = request->username;
name = namepair ? namepair->vp_strvalue : "NONE";
} else {
int len;
len = xlat_eval(buffer, sizeof(buffer), request, inst->key, NULL, NULL);
if (len < 0) {
return RLM_MODULE_FAIL;
}
name = len ? buffer : "NONE";
}
if (!tree) return RLM_MODULE_NOOP;
my_pl.name = name;
user_pl = rbtree_finddata(tree, &my_pl);
my_pl.name = "DEFAULT";
default_pl = rbtree_finddata(tree, &my_pl);
/*
* Find the entry for the user.
*/
while (user_pl || default_pl) {
fr_cursor_t cursor;
VALUE_PAIR *vp;
PAIR_LIST const *pl;
/*
* Figure out which entry to match on.
*/
if (!default_pl && user_pl) {
pl = user_pl;
user_pl = user_pl->next;
} else if (!user_pl && default_pl) {
pl = default_pl;
default_pl = default_pl->next;
} else if (user_pl->order < default_pl->order) {
pl = user_pl;
user_pl = user_pl->next;
} else {
pl = default_pl;
default_pl = default_pl->next;
}
MEM(fr_pair_list_copy(request, &check_tmp, pl->check) >= 0);
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (xlat_eval_pair(request, vp) < 0) {
RWARN("Failed parsing expanded value for check item, skipping entry: %s", fr_strerror());
fr_pair_list_free(&check_tmp);
continue;
}
}
if (paircmp(request, request_packet->vps, check_tmp, &reply_packet->vps) == 0) {
RDEBUG2("Found match \"%s\" one line %d of %s", pl->name, pl->lineno, filename);
found = true;
/* ctx may be reply or proxy */
MEM(fr_pair_list_copy(reply_packet, &reply_tmp, pl->reply) >= 0);
radius_pairmove(request, &reply_packet->vps, reply_tmp, true);
fr_pair_list_move(&request->control, &check_tmp);
reply_tmp = NULL; /* radius_pairmove() frees input attributes */
fr_pair_list_free(&check_tmp);
/*
* Fallthrough?
*/
if (!fall_through(pl->reply)) break;
}
}
/*
* Remove server internal parameters.
*/
fr_pair_delete_by_da(&reply_packet->vps, attr_fall_through);
/*
* See if we succeeded.
*/
if (!found)
return RLM_MODULE_NOOP; /* on to the next module */
return RLM_MODULE_OK;
}
/** Determine the PSK to use for an incoming connection
*
* @param[in] ssl session.
* @param[in] identity The identity of the PSK to search for.
* @param[out] psk Where to write the PSK we found (if any).
* @param[in] max_psk_len The length of the buffer provided for PSK.
* @return
* - 0 if no PSK matching identity was found.
* - >0 if a PSK matching identity was found (the length of bytes written to psk).
*/
unsigned int tls_session_psk_server_cb(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len)
{
unsigned int psk_len = 0;
fr_tls_conf_t *conf;
REQUEST *request;
conf = (fr_tls_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
if (!conf) return 0;
request = (REQUEST *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
if (request && conf->psk_query) {
size_t hex_len;
VALUE_PAIR *vp;
char buffer[2 * PSK_MAX_PSK_LEN + 4]; /* allow for too-long keys */
/*
* The passed identity is weird. Deny it.
*/
if (!session_psk_identity_is_safe(identity)) {
RWDEBUG("Invalid characters in PSK identity %s", identity);
return 0;
}
MEM(pair_update_request(&vp, attr_tls_psk_identity) >= 0);
if (fr_pair_value_from_str(vp, identity, -1, '\0', true) < 0) {
RPWDEBUG2("Failed parsing TLS PSK Identity");
talloc_free(vp);
return 0;
}
hex_len = xlat_eval(buffer, sizeof(buffer), request, conf->psk_query, NULL, NULL);
if (!hex_len) {
RWDEBUG("PSK expansion returned an empty string.");
return 0;
}
/*
* The returned key is truncated at MORE than
* OpenSSL can handle. That way we can detect
* the truncation, and complain about it.
*/
if (hex_len > (2 * max_psk_len)) {
RWDEBUG("Returned PSK is too long (%u > %u)", (unsigned int) hex_len, 2 * max_psk_len);
return 0;
}
/*
* Leave the TLS-PSK-Identity in the request, and
* convert the expansion from printable string
* back to hex.
*/
return fr_hex2bin(psk, max_psk_len, buffer, hex_len);
}
if (!conf->psk_identity) {
DEBUG("No static PSK identity set. Rejecting the user");
return 0;
}
/*
* No REQUEST, or no dynamic query. Just look for a
* static identity.
*/
if (strcmp(identity, conf->psk_identity) != 0) {
ERROR("Supplied PSK identity %s does not match configuration. Rejecting.",
identity);
return 0;
}
psk_len = strlen(conf->psk_password);
if (psk_len > (2 * max_psk_len)) return 0;
return fr_hex2bin(psk, max_psk_len, conf->psk_password, psk_len);
}
