/* * Generic comparisons, via xlat. */ static int generic_cmp(UNUSED void *instance, REQUEST *request, VALUE_PAIR *req, VALUE_PAIR *check, UNUSED VALUE_PAIR *check_list, UNUSED VALUE_PAIR **reply_list) { VP_VERIFY(check); if ((check->op != T_OP_REG_EQ) && (check->op != T_OP_REG_NE)) { int rcode; char name[1024]; char value[1024]; VALUE_PAIR *vp; snprintf(name, sizeof(name), "%%{%s}", check->da->name); if (xlat_eval(value, sizeof(value), request, name, NULL, NULL) < 0) return 0; vp = fr_pair_afrom_da(req, check->da); vp->op = check->op; fr_pair_value_from_str(vp, value, -1, '"', false); /* * Paircmp returns 0 for failed comparison, 1 for succeeded -1 for error. */ rcode = fr_pair_cmp(check, vp); /* * We're being called from paircmp_func, * which wants 0 for success, and 1 for fail (sigh) * * We should really fix the API so that it is * consistent. i.e. the comparison callbacks should * return ONLY the resut of comparing A to B. * The radius_callback_cmp function should then * take care of using the operator to see if the * condition (A OP B) is true or not. * * This would also allow "<", etc. to work in the * callback functions... * * See rlm_ldap, ...groupcmp() for something that * returns 0 for matched, and 1 for didn't match. */ rcode = !rcode; fr_pair_list_free(&vp); return rcode; } /* * Will do the xlat for us */ return paircmp_pairs(request, check, NULL); }
/* * Common code called by everything below. */ static rlm_rcode_t file_common(rlm_files_t const *inst, REQUEST *request, char const *filename, rbtree_t *tree, RADIUS_PACKET *request_packet, RADIUS_PACKET *reply_packet) { char const *name; VALUE_PAIR *check_tmp = NULL; VALUE_PAIR *reply_tmp = NULL; PAIR_LIST const *user_pl, *default_pl; bool found = false; PAIR_LIST my_pl; char buffer[256]; if (!inst->key) { VALUE_PAIR *namepair; namepair = request->username; name = namepair ? namepair->vp_strvalue : "NONE"; } else { int len; len = xlat_eval(buffer, sizeof(buffer), request, inst->key, NULL, NULL); if (len < 0) { return RLM_MODULE_FAIL; } name = len ? buffer : "NONE"; } if (!tree) return RLM_MODULE_NOOP; my_pl.name = name; user_pl = rbtree_finddata(tree, &my_pl); my_pl.name = "DEFAULT"; default_pl = rbtree_finddata(tree, &my_pl); /* * Find the entry for the user. */ while (user_pl || default_pl) { fr_cursor_t cursor; VALUE_PAIR *vp; PAIR_LIST const *pl; /* * Figure out which entry to match on. */ if (!default_pl && user_pl) { pl = user_pl; user_pl = user_pl->next; } else if (!user_pl && default_pl) { pl = default_pl; default_pl = default_pl->next; } else if (user_pl->order < default_pl->order) { pl = user_pl; user_pl = user_pl->next; } else { pl = default_pl; default_pl = default_pl->next; } MEM(fr_pair_list_copy(request, &check_tmp, pl->check) >= 0); for (vp = fr_cursor_init(&cursor, &check_tmp); vp; vp = fr_cursor_next(&cursor)) { if (xlat_eval_pair(request, vp) < 0) { RWARN("Failed parsing expanded value for check item, skipping entry: %s", fr_strerror()); fr_pair_list_free(&check_tmp); continue; } } if (paircmp(request, request_packet->vps, check_tmp, &reply_packet->vps) == 0) { RDEBUG2("Found match \"%s\" one line %d of %s", pl->name, pl->lineno, filename); found = true; /* ctx may be reply or proxy */ MEM(fr_pair_list_copy(reply_packet, &reply_tmp, pl->reply) >= 0); radius_pairmove(request, &reply_packet->vps, reply_tmp, true); fr_pair_list_move(&request->control, &check_tmp); reply_tmp = NULL; /* radius_pairmove() frees input attributes */ fr_pair_list_free(&check_tmp); /* * Fallthrough? */ if (!fall_through(pl->reply)) break; } } /* * Remove server internal parameters. */ fr_pair_delete_by_da(&reply_packet->vps, attr_fall_through); /* * See if we succeeded. */ if (!found) return RLM_MODULE_NOOP; /* on to the next module */ return RLM_MODULE_OK; }
/** Determine the PSK to use for an incoming connection * * @param[in] ssl session. * @param[in] identity The identity of the PSK to search for. * @param[out] psk Where to write the PSK we found (if any). * @param[in] max_psk_len The length of the buffer provided for PSK. * @return * - 0 if no PSK matching identity was found. * - >0 if a PSK matching identity was found (the length of bytes written to psk). */ unsigned int tls_session_psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { unsigned int psk_len = 0; fr_tls_conf_t *conf; REQUEST *request; conf = (fr_tls_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF); if (!conf) return 0; request = (REQUEST *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST); if (request && conf->psk_query) { size_t hex_len; VALUE_PAIR *vp; char buffer[2 * PSK_MAX_PSK_LEN + 4]; /* allow for too-long keys */ /* * The passed identity is weird. Deny it. */ if (!session_psk_identity_is_safe(identity)) { RWDEBUG("Invalid characters in PSK identity %s", identity); return 0; } MEM(pair_update_request(&vp, attr_tls_psk_identity) >= 0); if (fr_pair_value_from_str(vp, identity, -1, '\0', true) < 0) { RPWDEBUG2("Failed parsing TLS PSK Identity"); talloc_free(vp); return 0; } hex_len = xlat_eval(buffer, sizeof(buffer), request, conf->psk_query, NULL, NULL); if (!hex_len) { RWDEBUG("PSK expansion returned an empty string."); return 0; } /* * The returned key is truncated at MORE than * OpenSSL can handle. That way we can detect * the truncation, and complain about it. */ if (hex_len > (2 * max_psk_len)) { RWDEBUG("Returned PSK is too long (%u > %u)", (unsigned int) hex_len, 2 * max_psk_len); return 0; } /* * Leave the TLS-PSK-Identity in the request, and * convert the expansion from printable string * back to hex. */ return fr_hex2bin(psk, max_psk_len, buffer, hex_len); } if (!conf->psk_identity) { DEBUG("No static PSK identity set. Rejecting the user"); return 0; } /* * No REQUEST, or no dynamic query. Just look for a * static identity. */ if (strcmp(identity, conf->psk_identity) != 0) { ERROR("Supplied PSK identity %s does not match configuration. Rejecting.", identity); return 0; } psk_len = strlen(conf->psk_password); if (psk_len > (2 * max_psk_len)) return 0; return fr_hex2bin(psk, max_psk_len, conf->psk_password, psk_len); }