/*
* Authenticate a previously sent challenge.
*/
static int mod_process(UNUSED void *arg, eap_handler_t *handler)
{
MD5_PACKET *packet;
MD5_PACKET *reply;
VALUE_PAIR *password;
REQUEST *request = handler->request;
/*
* Get the Cleartext-Password for this user.
*/
rad_assert(handler->request != NULL);
rad_assert(handler->stage == PROCESS);
password = fr_pair_find_by_num(handler->request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
if (!password) {
REDEBUG2("Cleartext-Password is required for EAP-MD5 authentication");
return 0;
}
/*
* Extract the EAP-MD5 packet.
*/
if (!(packet = eapmd5_extract(handler->eap_ds)))
return 0;
/*
* Create a reply, and initialize it.
*/
reply = talloc(packet, MD5_PACKET);
if (!reply) {
talloc_free(packet);
return 0;
}
reply->id = handler->eap_ds->request->id;
reply->length = 0;
/*
* Verify the received packet against the previous packet
* (i.e. challenge) which we sent out.
*/
if (eapmd5_verify(packet, password, handler->opaque)) {
reply->code = PW_MD5_SUCCESS;
} else {
reply->code = PW_MD5_FAILURE;
}
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
talloc_free(packet);
return 1;
}
/*
* Authenticate a previously sent challenge.
*/
static int md5_authenticate(UNUSED void *arg, EAP_HANDLER *handler)
{
MD5_PACKET *packet;
MD5_PACKET *reply;
VALUE_PAIR *password;
/*
* Get the Cleartext-Password for this user.
*/
rad_assert(handler->request != NULL);
rad_assert(handler->stage == AUTHENTICATE);
password = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD);
if (password == NULL) {
DEBUG2("rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication");
return 0;
}
/*
* Extract the EAP-MD5 packet.
*/
if (!(packet = eapmd5_extract(handler->eap_ds)))
return 0;
/*
* Create a reply, and initialize it.
*/
reply = eapmd5_alloc();
if (!reply) {
eapmd5_free(&packet);
return 0;
}
reply->id = handler->eap_ds->request->id;
reply->length = 0;
/*
* Verify the received packet against the previous packet
* (i.e. challenge) which we sent out.
*/
if (eapmd5_verify(packet, password, handler->opaque)) {
reply->code = PW_MD5_SUCCESS;
} else {
reply->code = PW_MD5_FAILURE;
}
/*
* Compose the EAP-MD5 packet out of the data structure,
* and free it.
*/
eapmd5_compose(handler->eap_ds, reply);
eapmd5_free(&packet);
return 1;
}
/*
* Identify whether the response that you got is either the
* response to the challenge that we sent or a new one.
* If it is a response to the request then issue success/failure
* else issue a challenge
*/
MD5_PACKET *eapmd5_process(MD5_PACKET *packet, int id,
VALUE_PAIR *username, VALUE_PAIR* password, md5_packet_t *request)
{
unsigned char output[MAX_STRING_LEN];
MD5_PACKET *reply;
if (!username || !password || !packet)
return NULL;
reply = eapmd5_alloc();
if (!reply) return NULL;
memset(output, 0, MAX_STRING_LEN);
reply->id = id;
if (request) {
/* verify and issue Success/failure */
if (eapmd5_verify(packet, password, request) == 0) {
radlog(L_INFO, "rlm_eap_md5: Challenge failed");
reply->code = PW_MD5_FAILURE;
}
else {
reply->code = PW_MD5_SUCCESS;
}
} else {
/*
* Previous request not found.
* Probably it is timed out.
* So send another challenge.
* TODO: Later Send these challenges for the configurable
* number of times for each user & stop.
*/
/*
* Ensure that the challenge is always of the correct
* length. i.e. Don't take value size from data
* supplied by the client.
*/
if (reply->value_size != MD5_LEN) {
free(reply->value);
reply->value_size = MD5_LEN;
reply->value = malloc(reply->value_size);
}
eapmd5_challenge(reply->value, reply->value_size);
reply->code = PW_MD5_CHALLENGE;
radlog(L_INFO, "rlm_eap_md5: Previous request not found");
radlog(L_INFO, "rlm_eap_md5: Issuing Challenge to the user - %s",
(char *)username->strvalue);
}
/* fill reply packet */
if (reply->code == PW_MD5_CHALLENGE) {
reply->value_size = packet->value_size;
reply->value = malloc(reply->value_size);
if (reply->value == NULL) {
radlog(L_ERR, "rlm_eap_md5: out of memory");
eapmd5_free(&reply);
return NULL;
}
memcpy(reply->value, output, reply->value_size);
reply->length = packet->length;
} else {
reply->length = MD5_HEADER_LEN;
}
return reply;
}
