/** Remove item from parent and fixup trees
*
* @param[in] parent to remove child from.
* @param[in] child to remove.
* @return
* - The item removed.
* - NULL if the item wasn't set.
*/
CONF_ITEM *cf_remove(CONF_ITEM *parent, CONF_ITEM *child)
{
CONF_ITEM *found;
bool in_ident1, in_ident2;
if (!parent || !parent->child) return NULL;
if (parent != child->parent) return NULL;
for (found = fr_cursor_head(&parent->cursor);
found && (child != found);
found = fr_cursor_next(&parent->cursor));
if (!found) return NULL;
/*
* Fixup the linked list
*/
found = fr_cursor_remove(&parent->cursor);
if (!fr_cond_assert(found == child)) return NULL;
in_ident1 = (rbtree_finddata(parent->ident1, child) == child);
if (in_ident1 && (!rbtree_deletebydata(parent->ident1, child))) {
rad_assert(0);
return NULL;
}
in_ident2 = (rbtree_finddata(parent->ident2, child) == child);
if (in_ident2 && (!rbtree_deletebydata(parent->ident2, child))) {
rad_assert(0);
return NULL;
}
/*
* Look for twins
*/
for (found = fr_cursor_head(&parent->cursor);
found && (in_ident1 || in_ident2);
found = fr_cursor_next(&parent->cursor)) {
if (in_ident1 && (_cf_ident1_cmp(found, child) == 0)) {
rbtree_insert(parent->ident1, child);
in_ident1 = false;
}
if (in_ident2 && (_cf_ident2_cmp(found, child) == 0)) {
rbtree_insert(parent->ident2, child);
in_ident2 = false;
}
}
return child;
}
/*
* Do caching checks. Since we can update ANY VP list, we do
* exactly the same thing for all sections (autz / auth / etc.)
*
* If you want to cache something different in different sections,
* configure another cache module.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_cache_it(void *instance, REQUEST *request)
{
rlm_cache_entry_t *c;
rlm_cache_t *inst = instance;
rlm_cache_handle_t *handle;
vp_cursor_t cursor;
VALUE_PAIR *vp;
char buffer[1024];
rlm_rcode_t rcode;
int ttl = inst->ttl;
if (radius_xlat(buffer, sizeof(buffer), request, inst->key, NULL, NULL) < 0) return RLM_MODULE_FAIL;
if (buffer[0] == '\0') {
REDEBUG("Zero length key string is invalid");
return RLM_MODULE_INVALID;
}
if (cache_acquire(&handle, inst, request) < 0) return RLM_MODULE_FAIL;
rcode = cache_find(&c, inst, request, &handle, buffer);
if (rcode == RLM_MODULE_FAIL) goto finish;
rad_assert(handle);
/*
* If Cache-Status-Only == yes, only return whether we found a
* valid cache entry
*/
vp = pairfind(request->config_items, PW_CACHE_STATUS_ONLY, 0, TAG_ANY);
if (vp && vp->vp_integer) {
rcode = c ? RLM_MODULE_OK:
RLM_MODULE_NOTFOUND;
goto finish;
}
/*
* Update the expiry time based on the TTL.
* A TTL of 0 means "delete from the cache".
* A TTL < 0 means "delete from the cache and recreate the entry".
*/
vp = pairfind(request->config_items, PW_CACHE_TTL, 0, TAG_ANY);
if (vp) ttl = vp->vp_signed;
/*
* If there's no existing cache entry, go and create a new one.
*/
if (!c) {
if (ttl <= 0) ttl = inst->ttl;
goto insert;
}
/*
* Expire the entry if requested to do so
*/
if (vp) {
if (ttl == 0) {
cache_expire(inst, request, &handle, &c);
RDEBUG("Forcing expiry of entry");
rcode = RLM_MODULE_OK;
goto finish;
}
if (ttl < 0) {
RDEBUG("Forcing expiry of existing entry");
cache_expire(inst, request, &handle, &c);
ttl *= -1;
goto insert;
}
c->expires = request->timestamp + ttl;
RDEBUG("Setting TTL to %d", ttl);
}
/*
* Cache entry was still valid, so we merge it into the request
* and return. No need to add a new entry.
*/
cache_merge(inst, request, c);
rcode = RLM_MODULE_UPDATED;
goto finish;
insert:
/*
* If Cache-Read-Only == yes, then we only allow already cached entries
* to be merged into the request
*/
vp = pairfind(request->config_items, PW_CACHE_READ_ONLY, 0, TAG_ANY);
if (vp && vp->vp_integer) {
rcode = RLM_MODULE_NOTFOUND;
goto finish;
}
/*
* Create a new entry.
*/
rcode = cache_insert(inst, request, &handle, buffer, ttl);
rad_assert(handle);
finish:
cache_free(inst, &c);
cache_release(inst, request, &handle);
/*
* Clear control attributes
*/
for (vp = fr_cursor_init(&cursor, &request->config_items);
vp;
vp = fr_cursor_next(&cursor)) {
if (vp->da->vendor == 0) switch (vp->da->attr) {
case PW_CACHE_TTL:
case PW_CACHE_STATUS_ONLY:
case PW_CACHE_READ_ONLY:
case PW_CACHE_MERGE:
vp = fr_cursor_remove(&cursor);
talloc_free(vp);
break;
}
}
return rcode;
}
/*
* Initialize a radclient data structure and add it to
* the global linked list.
*/
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
{
FILE *packets, *filters = NULL;
vp_cursor_t cursor;
VALUE_PAIR *vp;
rc_request_t *request;
bool packets_done = false;
uint64_t num = 0;
assert(files->packets != NULL);
/*
* Determine where to read the VP's from.
*/
if (strcmp(files->packets, "-") != 0) {
packets = fopen(files->packets, "r");
if (!packets) {
ERROR("Error opening %s: %s", files->packets, strerror(errno));
return 0;
}
/*
* Read in the pairs representing the expected response.
*/
if (files->filters) {
filters = fopen(files->filters, "r");
if (!filters) {
ERROR("Error opening %s: %s", files->filters, strerror(errno));
fclose(packets);
return 0;
}
}
} else {
packets = stdin;
}
/*
* Loop until the file is done.
*/
do {
/*
* Allocate it.
*/
request = talloc_zero(ctx, rc_request_t);
if (!request) {
ERROR("Out of memory");
goto error;
}
request->packet = rad_alloc(request, true);
if (!request->packet) {
ERROR("Out of memory");
goto error;
}
#ifdef WITH_TCP
request->packet->src_ipaddr = client_ipaddr;
request->packet->src_port = client_port;
request->packet->dst_ipaddr = server_ipaddr;
request->packet->dst_port = server_port;
request->packet->proto = ipproto;
#endif
request->files = files;
request->packet->id = -1; /* allocate when sending */
request->num = num++;
/*
* Read the request VP's.
*/
if (fr_pair_list_afrom_file(request->packet, &request->packet->vps, packets, &packets_done) < 0) {
char const *input;
if ((files->packets[0] == '-') && (files->packets[1] == '\0')) {
input = "stdin";
} else {
input = files->packets;
}
REDEBUG("Error parsing \"%s\"", input);
goto error;
}
/*
* Skip empty entries
*/
if (!request->packet->vps) {
talloc_free(request);
continue;
}
/*
* Read in filter VP's.
*/
if (filters) {
bool filters_done;
if (fr_pair_list_afrom_file(request, &request->filter, filters, &filters_done) < 0) {
REDEBUG("Error parsing \"%s\"", files->filters);
goto error;
}
if (filters_done && !packets_done) {
REDEBUG("Differing number of packets/filters in %s:%s "
"(too many requests))", files->packets, files->filters);
goto error;
}
if (!filters_done && packets_done) {
REDEBUG("Differing number of packets/filters in %s:%s "
"(too many filters))", files->packets, files->filters);
goto error;
}
/*
* xlat expansions aren't supported here
*/
for (vp = fr_cursor_init(&cursor, &request->filter);
vp;
vp = fr_cursor_next(&cursor)) {
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->xlat;
vp->vp_length = talloc_array_length(vp->vp_strvalue) - 1;
}
if (vp->da->vendor == 0 ) switch (vp->da->attr) {
case PW_RESPONSE_PACKET_TYPE:
case PW_PACKET_TYPE:
fr_cursor_remove(&cursor); /* so we don't break the filter */
request->filter_code = vp->vp_integer;
talloc_free(vp);
default:
break;
}
}
/*
* This allows efficient list comparisons later
*/
fr_pair_list_sort(&request->filter, fr_pair_cmp_by_da_tag);
}
/*
* Process special attributes
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that in request.
*/
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->xlat;
vp->vp_length = talloc_array_length(vp->vp_strvalue) - 1;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_RESPONSE_PACKET_TYPE:
request->filter_code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->packet->dst_ipaddr.prefix = 32;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->packet->dst_ipaddr.prefix = 128;
break;
case PW_PACKET_SRC_PORT:
if ((vp->vp_integer < 1024) ||
(vp->vp_integer > 65535)) {
ERROR("Invalid value '%u' for Packet-Src-Port", vp->vp_integer);
goto error;
}
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->packet->src_ipaddr.prefix = 32;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->packet->src_ipaddr.prefix = 128;
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->vp_length + 2);
memcpy(p + 2, vp->vp_octets, vp->vp_length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->vp_length += 2;
p[1] = vp->vp_length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
if (!da) {
ERROR("Out of memory");
goto error;
}
vp->da = da;
/*
* Re-do fr_pair_value_memsteal ourselves,
* because we play games with
* vp->da, and fr_pair_value_memsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
/*
* Cache this for later.
*/
case PW_CLEARTEXT_PASSWORD:
request->password = vp;
break;
/*
* Keep a copy of the the password attribute.
*/
case PW_CHAP_PASSWORD:
/*
* If it's already hex, do nothing.
*/
if ((vp->vp_length == 17) &&
(already_hex(vp))) break;
/*
* CHAP-Password is octets, so it may not be zero terminated.
*/
request->password = fr_pair_make(request->packet, &request->packet->vps, "Cleartext-Password",
"", T_OP_EQ);
fr_pair_value_bstrncpy(request->password, vp->vp_strvalue, vp->vp_length);
break;
case PW_USER_PASSWORD:
case PW_MS_CHAP_PASSWORD:
request->password = fr_pair_make(request->packet, &request->packet->vps, "Cleartext-Password",
vp->vp_strvalue, T_OP_EQ);
break;
case PW_RADCLIENT_TEST_NAME:
request->name = vp->vp_strvalue;
break;
}
} /* loop over the VP's we read in */
/*
* Use the default set on the command line
*/
if (request->packet->code == PW_CODE_UNDEFINED) request->packet->code = packet_code;
/*
* Default to the filename
*/
if (!request->name) request->name = request->files->packets;
/*
* Automatically set the response code from the request code
* (if one wasn't already set).
*/
if (request->filter_code == PW_CODE_UNDEFINED) {
switch (request->packet->code) {
case PW_CODE_ACCESS_REQUEST:
request->filter_code = PW_CODE_ACCESS_ACCEPT;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
case PW_CODE_COA_REQUEST:
request->filter_code = PW_CODE_COA_ACK;
break;
case PW_CODE_DISCONNECT_REQUEST:
request->filter_code = PW_CODE_DISCONNECT_ACK;
break;
case PW_CODE_STATUS_SERVER:
switch (radclient_get_code(request->packet->dst_port)) {
case PW_CODE_ACCESS_REQUEST:
request->filter_code = PW_CODE_ACCESS_ACCEPT;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
default:
REDEBUG("Can't determine expected response to Status-Server request, specify "
"a well known RADIUS port, or add a Response-Packet-Type attribute "
"to the request of filter");
goto error;
}
break;
case PW_CODE_UNDEFINED:
REDEBUG("Both Packet-Type and Response-Packet-Type undefined, specify at least one, "
"or a well known RADIUS port");
goto error;
default:
REDEBUG("Can't determine expected Response-Packet-Type for Packet-Type %i",
request->packet->code);
goto error;
}
/*
* Automatically set the request code from the response code
* (if one wasn't already set).
*/
} else if (request->packet->code == PW_CODE_UNDEFINED) {
switch (request->filter_code) {
case PW_CODE_ACCESS_ACCEPT:
case PW_CODE_ACCESS_REJECT:
request->packet->code = PW_CODE_ACCESS_REQUEST;
break;
case PW_CODE_ACCOUNTING_RESPONSE:
request->packet->code = PW_CODE_ACCOUNTING_REQUEST;
break;
case PW_CODE_DISCONNECT_ACK:
case PW_CODE_DISCONNECT_NAK:
request->packet->code = PW_CODE_DISCONNECT_REQUEST;
break;
case PW_CODE_COA_ACK:
case PW_CODE_COA_NAK:
request->packet->code = PW_CODE_COA_REQUEST;
break;
default:
REDEBUG("Can't determine expected Packet-Type for Response-Packet-Type %i",
request->filter_code);
goto error;
}
}
/*
* Automatically set the dst port (if one wasn't already set).
*/
if (request->packet->dst_port == 0) {
radclient_get_port(request->packet->code, &request->packet->dst_port);
if (request->packet->dst_port == 0) {
REDEBUG("Can't determine destination port");
goto error;
}
}
/*
* Add it to the tail of the list.
*/
if (!request_head) {
assert(rc_request_tail == NULL);
request_head = request;
request->prev = NULL;
} else {
assert(rc_request_tail->next == NULL);
rc_request_tail->next = request;
request->prev = rc_request_tail;
}
rc_request_tail = request;
request->next = NULL;
/*
* Set the destructor so it removes itself from the
* request list when freed. We don't set this until
* the packet is actually in the list, else we trigger
* the asserts in the free callback.
*/
talloc_set_destructor(request, _rc_request_free);
} while (!packets_done); /* loop until the file is done. */
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
/*
* And we're done.
*/
return 1;
error:
talloc_free(request);
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
return 0;
}
static rlm_rcode_t mod_cache_it(void *instance, UNUSED void *thread, REQUEST *request)
{
rlm_cache_entry_t *c = NULL;
rlm_cache_t const *inst = instance;
rlm_cache_handle_t *handle;
fr_cursor_t cursor;
VALUE_PAIR *vp;
bool merge = true, insert = true, expire = false, set_ttl = false;
int exists = -1;
uint8_t buffer[1024];
uint8_t const *key;
ssize_t key_len;
rlm_rcode_t rcode = RLM_MODULE_NOOP;
int ttl = inst->config.ttl;
key_len = tmpl_expand((char const **)&key, (char *)buffer, sizeof(buffer),
request, inst->config.key, NULL, NULL);
if (key_len < 0) return RLM_MODULE_FAIL;
if (key_len == 0) {
REDEBUG("Zero length key string is invalid");
return RLM_MODULE_INVALID;
}
/*
* If Cache-Status-Only == yes, only return whether we found a
* valid cache entry
*/
vp = fr_pair_find_by_da(request->control, attr_cache_status_only, TAG_ANY);
if (vp && vp->vp_bool) {
RINDENT();
RDEBUG3("status-only: yes");
REXDENT();
if (cache_acquire(&handle, inst, request) < 0) return RLM_MODULE_FAIL;
rcode = cache_find(&c, inst, request, &handle, key, key_len);
if (rcode == RLM_MODULE_FAIL) goto finish;
rad_assert(!inst->driver->acquire || handle);
rcode = c ? RLM_MODULE_OK:
RLM_MODULE_NOTFOUND;
goto finish;
}
/*
* Figure out what operation we're doing
*/
vp = fr_pair_find_by_da(request->control, attr_cache_allow_merge, TAG_ANY);
if (vp) merge = vp->vp_bool;
vp = fr_pair_find_by_da(request->control, attr_cache_allow_insert, TAG_ANY);
if (vp) insert = vp->vp_bool;
vp = fr_pair_find_by_da(request->control, attr_cache_ttl, TAG_ANY);
if (vp) {
if (vp->vp_int32 == 0) {
expire = true;
} else if (vp->vp_int32 < 0) {
expire = true;
ttl = -(vp->vp_int32);
/* Updating the TTL */
} else {
set_ttl = true;
ttl = vp->vp_int32;
}
}
RINDENT();
RDEBUG3("merge : %s", merge ? "yes" : "no");
RDEBUG3("insert : %s", insert ? "yes" : "no");
RDEBUG3("expire : %s", expire ? "yes" : "no");
RDEBUG3("ttl : %i", ttl);
REXDENT();
if (cache_acquire(&handle, inst, request) < 0) return RLM_MODULE_FAIL;
/*
* Retrieve the cache entry and merge it with the current request
* recording whether the entry existed.
*/
if (merge) {
rcode = cache_find(&c, inst, request, &handle, key, key_len);
switch (rcode) {
case RLM_MODULE_FAIL:
goto finish;
case RLM_MODULE_OK:
rcode = cache_merge(inst, request, c);
exists = 1;
break;
case RLM_MODULE_NOTFOUND:
rcode = RLM_MODULE_NOTFOUND;
exists = 0;
break;
default:
rad_assert(0);
}
rad_assert(!inst->driver->acquire || handle);
}
/*
* Expire the entry if told to, and we either don't know whether
* it exists, or we know it does.
*
* We only expire if we're not inserting, as driver insert methods
* should perform upserts.
*/
if (expire && ((exists == -1) || (exists == 1))) {
if (!insert) {
rad_assert(!set_ttl);
switch (cache_expire(inst, request, &handle, key, key_len)) {
case RLM_MODULE_FAIL:
rcode = RLM_MODULE_FAIL;
goto finish;
case RLM_MODULE_OK:
if (rcode == RLM_MODULE_NOOP) rcode = RLM_MODULE_OK;
break;
case RLM_MODULE_NOTFOUND:
if (rcode == RLM_MODULE_NOOP) rcode = RLM_MODULE_NOTFOUND;
break;
default:
rad_assert(0);
break;
}
/* If it previously existed, it doesn't now */
}
/* Otherwise use insert to overwrite */
exists = 0;
}
/*
* If we still don't know whether it exists or not
* and we need to do an insert or set_ttl operation
* determine that now.
*/
if ((exists < 0) && (insert || set_ttl)) {
switch (cache_find(&c, inst, request, &handle, key, key_len)) {
case RLM_MODULE_FAIL:
rcode = RLM_MODULE_FAIL;
goto finish;
case RLM_MODULE_OK:
exists = 1;
if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK;
break;
case RLM_MODULE_NOTFOUND:
exists = 0;
break;
default:
rad_assert(0);
}
rad_assert(!inst->driver->acquire || handle);
}
/*
* We can only alter the TTL on an entry if it exists.
*/
if (set_ttl && (exists == 1)) {
rad_assert(c);
c->expires = request->packet->timestamp.tv_sec + ttl;
switch (cache_set_ttl(inst, request, &handle, c)) {
case RLM_MODULE_FAIL:
rcode = RLM_MODULE_FAIL;
goto finish;
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK;
goto finish;
default:
rad_assert(0);
}
}
/*
* Inserts are upserts, so we don't care about the
* entry state, just that we're not meant to be
* setting the TTL, which precludes performing an
* insert.
*/
if (insert && (exists == 0)) {
switch (cache_insert(inst, request, &handle, key, key_len, ttl)) {
case RLM_MODULE_FAIL:
rcode = RLM_MODULE_FAIL;
goto finish;
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) rcode = RLM_MODULE_OK;
break;
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
break;
default:
rad_assert(0);
}
rad_assert(!inst->driver->acquire || handle);
goto finish;
}
finish:
cache_free(inst, &c);
cache_release(inst, request, &handle);
/*
* Clear control attributes
*/
for (vp = fr_cursor_init(&cursor, &request->control);
vp;
vp = fr_cursor_next(&cursor)) {
again:
if (!fr_dict_attr_is_top_level(vp->da)) continue;
switch (vp->da->attr) {
case FR_CACHE_TTL:
case FR_CACHE_STATUS_ONLY:
case FR_CACHE_ALLOW_MERGE:
case FR_CACHE_ALLOW_INSERT:
case FR_CACHE_MERGE_NEW:
RDEBUG2("Removing &control:%s", vp->da->name);
vp = fr_cursor_remove(&cursor);
talloc_free(vp);
vp = fr_cursor_current(&cursor);
if (!vp) break;
goto again;
}
}
return rcode;
}
/*
* Initialize a radclient data structure and add it to
* the global linked list.
*/
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
{
FILE *packets, *filters = NULL;
vp_cursor_t cursor;
VALUE_PAIR *vp;
rc_request_t *request;
bool packets_done = false;
uint64_t num = 0;
assert(files->packets != NULL);
/*
* Determine where to read the VP's from.
*/
if (strcmp(files->packets, "-") != 0) {
packets = fopen(files->packets, "r");
if (!packets) {
ERROR("Error opening %s: %s", files->packets, strerror(errno));
return 0;
}
/*
* Read in the pairs representing the expected response.
*/
if (files->filters) {
filters = fopen(files->filters, "r");
if (!filters) {
ERROR("Error opening %s: %s", files->filters, strerror(errno));
fclose(packets);
return 0;
}
}
} else {
packets = stdin;
}
/*
* Loop until the file is done.
*/
do {
/*
* Allocate it.
*/
request = talloc_zero(ctx, rc_request_t);
if (!request) {
ERROR("Out of memory");
goto error;
}
talloc_set_destructor(request, _rc_request_free);
request->packet = rad_alloc(request, 1);
if (!request->packet) {
ERROR("Out of memory");
goto error;
}
#ifdef WITH_TCP
request->packet->src_ipaddr = client_ipaddr;
request->packet->src_port = client_port;
request->packet->dst_ipaddr = server_ipaddr;
request->packet->dst_port = server_port;
request->packet->proto = ipproto;
#endif
request->files = files;
request->packet->id = -1; /* allocate when sending */
request->num = num++;
/*
* Read the request VP's.
*/
if (readvp2(&request->packet->vps, request->packet, packets, &packets_done) < 0) {
ERROR("Error parsing \"%s\"", files->packets);
goto error;
}
fr_cursor_init(&cursor, &request->filter);
vp = fr_cursor_next_by_num(&cursor, PW_PACKET_TYPE, 0, TAG_ANY);
if (vp) {
fr_cursor_remove(&cursor);
request->packet_code = vp->vp_integer;
talloc_free(vp);
} else {
request->packet_code = packet_code; /* Use the default set on the command line */
}
/*
* Read in filter VP's.
*/
if (filters) {
bool filters_done;
if (readvp2(&request->filter, request, filters, &filters_done) < 0) {
ERROR("Error parsing \"%s\"", files->filters);
goto error;
}
if (!request->filter) {
goto error;
}
if (filters_done && !packets_done) {
ERROR("Differing number of packets/filters in %s:%s "
"(too many requests))", files->packets, files->filters);
goto error;
}
if (!filters_done && packets_done) {
ERROR("Differing number of packets/filters in %s:%s "
"(too many filters))", files->packets, files->filters);
goto error;
}
fr_cursor_init(&cursor, &request->filter);
vp = fr_cursor_next_by_num(&cursor, PW_PACKET_TYPE, 0, TAG_ANY);
if (vp) {
fr_cursor_remove(&cursor);
request->filter_code = vp->vp_integer;
talloc_free(vp);
}
/*
* xlat expansions aren't supported here
*/
for (vp = fr_cursor_init(&cursor, &request->filter);
vp;
vp = fr_cursor_next(&cursor)) {
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->value.xlat;
}
}
/*
* This allows efficient list comparisons later
*/
pairsort(&request->filter, attrtagcmp);
}
/*
* Determine the response code from the request (if not already set)
*/
if (!request->filter_code) {
switch (request->packet_code) {
case PW_CODE_AUTHENTICATION_REQUEST:
request->filter_code = PW_CODE_AUTHENTICATION_ACK;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
case PW_CODE_COA_REQUEST:
request->filter_code = PW_CODE_COA_ACK;
break;
case PW_CODE_DISCONNECT_REQUEST:
request->filter_code = PW_CODE_DISCONNECT_ACK;
break;
default:
break;
}
}
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
} else if ((vp = pairfind(request->packet->vps, PW_MSCHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
} else {
request->password[0] = '\0';
}
/*
* Fix up Digest-Attributes issues
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that in request.
*/
if (vp->type == VT_XLAT) {
vp->vp_strvalue = vp->value.xlat;
vp->value.xlat = NULL;
vp->type = VT_DATA;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->length + 2);
memcpy(p + 2, vp->vp_octets, vp->length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->length += 2;
p[1] = vp->length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
if (!da) {
ERROR("Out of memory");
goto error;
}
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
}
} /* loop over the VP's we read in */
/*
* Automatically set the port if we don't have a global
* or packet specific one.
*/
if ((server_port == 0) && (request->packet->dst_port == 0)) {
radclient_get_port(request->packet->code, &request->packet->dst_port);
}
/*
* Add it to the tail of the list.
*/
if (!request_head) {
assert(rc_request_tail == NULL);
request_head = request;
request->prev = NULL;
} else {
assert(rc_request_tail->next == NULL);
rc_request_tail->next = request;
request->prev = rc_request_tail;
}
rc_request_tail = request;
request->next = NULL;
} while (!packets_done); /* loop until the file is done. */
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
/*
* And we're done.
*/
return 1;
error:
talloc_free(request);
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
return 0;
}
/** Logging callback to write log messages to a destination
*
* This allows the logging destination to be customised on a per request basis.
*
* @note Function does not write log output immediately
*
* @param[in] type What type of message this is (error, warn, info, debug).
* @param[in] lvl At what logging level this message should be output.
* @param[in] request The current request.
* @param[in] file src file the log message was generated in.
* @param[in] line number the log message was generated on.
* @param[in] fmt sprintf style fmt string.
* @param[in] ap Arguments for the fmt string.
* @param[in] uctx Context data for the log function.
*/
static void logtee_it(fr_log_type_t type, fr_log_lvl_t lvl, REQUEST *request,
UNUSED char const *file, UNUSED int line,
char const *fmt, va_list ap, void *uctx)
{
rlm_logtee_thread_t *t = talloc_get_type_abort(uctx, rlm_logtee_thread_t);
rlm_logtee_t const *inst = t->inst;
char *msg, *exp;
fr_cursor_t cursor;
VALUE_PAIR *vp;
log_dst_t *dst;
rad_assert(t->msg->vp_length == 0); /* Should have been cleared before returning */
/*
* None of this should involve mallocs unless msg > 1k
*/
msg = talloc_typed_vasprintf(t->msg, fmt, ap);
fr_value_box_strdup_buffer_shallow(NULL, &t->msg->data, attr_log_message, msg, true);
t->type->vp_uint32 = (uint32_t) type;
t->lvl->vp_uint32 = (uint32_t) lvl;
fr_cursor_init(&cursor, &request->packet->vps);
fr_cursor_prepend(&cursor, t->msg);
fr_cursor_prepend(&cursor, t->type);
fr_cursor_prepend(&cursor, t->lvl);
fr_cursor_head(&cursor);
/*
* Now expand our fmt string to encapsulate the
* message and any metadata
*
* Fixme: Would be better to call tmpl_expand
* into a variable length ring buffer.
*/
dst = request->log.dst;
request->log.dst = NULL;
if (tmpl_aexpand(t, &exp, request, inst->log_fmt, NULL, NULL) < 0) goto finish;
request->log.dst = dst;
fr_fring_overwrite(t->fring, exp); /* Insert it into the buffer */
if (!t->pending) {
t->pending = true;
logtee_fd_active(t); /* Listen for when the fd is writable */
}
finish:
/*
* Don't free, we re-use the VALUE_PAIRs for the next message
*/
vp = fr_cursor_remove(&cursor);
if (!fr_cond_assert(vp == t->lvl)) fr_cursor_append(&cursor, vp);
vp = fr_cursor_remove(&cursor);
if (!fr_cond_assert(vp == t->type)) fr_cursor_append(&cursor, vp);
vp = fr_cursor_remove(&cursor);
if (!fr_cond_assert(vp == t->msg)) fr_cursor_append(&cursor, vp);
fr_value_box_clear(&t->msg->data); /* Clear message data */
}
/*
* build a reply to be sent.
*/
static int eap_sim_compose(eap_session_t *eap_session, uint8_t const *hmac_extra, size_t hmac_extra_len)
{
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
fr_cursor_t cursor;
fr_cursor_t to_encode;
VALUE_PAIR *head = NULL, *vp;
REQUEST *request = eap_session->request;
fr_sim_encode_ctx_t encoder_ctx = {
.root = fr_dict_root(dict_eap_sim),
.keys = &eap_sim_session->keys,
.iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
.iv_included = false,
.hmac_md = EVP_sha1(),
.eap_packet = eap_session->this_round->request,
.hmac_extra = hmac_extra,
.hmac_extra_len = hmac_extra_len
};
ssize_t ret;
/* we will set the ID on requests, since we have to HMAC it */
eap_session->this_round->set_request_id = true;
fr_cursor_init(&cursor, &eap_session->request->reply->vps);
fr_cursor_init(&to_encode, &head);
while ((vp = fr_cursor_current(&cursor))) {
if (!fr_dict_parent_common(fr_dict_root(dict_eap_sim), vp->da, true)) {
fr_cursor_next(&cursor);
continue;
}
vp = fr_cursor_remove(&cursor);
/*
* Silently discard encrypted attributes until
* the peer should have k_encr. These can be
* added by policy, and seem to cause
* wpa_supplicant to fail if sent before the challenge.
*/
if (!eap_sim_session->allow_encrypted && fr_dict_parent_common(attr_eap_sim_encr_data, vp->da, true)) {
RWDEBUG("Silently discarding &reply:%s: Encrypted attributes not allowed in this round",
vp->da->name);
talloc_free(vp);
continue;
}
fr_cursor_append(&to_encode, vp);
}
RDEBUG2("Encoding EAP-SIM attributes");
log_request_pair_list(L_DBG_LVL_2, request, head, NULL);
eap_session->this_round->request->type.num = FR_EAP_SIM;
eap_session->this_round->request->id = eap_sim_session->sim_id++ & 0xff;
eap_session->this_round->set_request_id = true;
ret = fr_sim_encode(eap_session->request, head, &encoder_ctx);
fr_cursor_head(&to_encode);
fr_cursor_free_list(&to_encode);
if (ret < 0) {
RPEDEBUG("Failed encoding EAP-SIM data");
return -1;
}
return 0;
}
static int eap_sim_send_start(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
VALUE_PAIR **vps, *vp;
uint16_t version;
eap_sim_session_t *eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
RADIUS_PACKET *packet;
rad_assert(eap_session->request != NULL);
rad_assert(eap_session->request->reply);
RDEBUG2("Sending SIM-State");
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
eap_sim_session->allow_encrypted = false; /* In case this is after failed fast-resumption */
/* these are the outgoing attributes */
packet = eap_session->request->reply;
vps = &packet->vps;
rad_assert(vps != NULL);
/*
* Add appropriate TLVs for the EAP things we wish to send.
*/
vp = fr_pair_afrom_da(packet, attr_eap_sim_version_list);
vp->vp_uint16 = EAP_SIM_VERSION;
fr_pair_add(vps, vp);
/* record it in the ess */
version = htons(EAP_SIM_VERSION);
memcpy(eap_sim_session->keys.gsm.version_list, &version, sizeof(version));
eap_sim_session->keys.gsm.version_list_len = 2;
/*
* Select the right type of identity request attribute
*/
switch (eap_sim_session->id_req) {
case SIM_ANY_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_any_id_req);
break;
case SIM_PERMANENT_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_permanent_id_req);
break;
case SIM_FULLAUTH_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_sim_fullauth_id_req);
break;
default:
rad_assert(0);
}
vp->vp_bool = true;
fr_pair_replace(vps, vp);
/* the SUBTYPE, set to start. */
vp = fr_pair_afrom_da(packet, attr_eap_sim_subtype);
vp->vp_uint16 = EAP_SIM_START;
fr_pair_replace(vps, vp);
/*
* Encode the packet
*/
if (eap_sim_compose(eap_session, NULL, 0) < 0) {
fr_pair_list_free(&packet->vps);
return -1;
}
return 0;
}
/** Convert value_pair_map_t to VALUE_PAIR(s) and add them to a REQUEST.
*
* Takes a single value_pair_map_t, resolves request and list identifiers
* to pointers in the current request, then attempts to retrieve module
* specific value(s) using callback, and adds the resulting values to the
* correct request/list.
*
* @param request The current request.
* @param map specifying destination attribute and location and src identifier.
* @param func to retrieve module specific values and convert them to
* VALUE_PAIRS.
* @param ctx to be passed to func.
* @param src name to be used in debugging if different from map value.
* @return -1 if the operation failed, -2 in the source attribute wasn't valid, 0 on success.
*/
int radius_map2request(REQUEST *request, value_pair_map_t const *map,
UNUSED char const *src, radius_tmpl_getvalue_t func, void *ctx)
{
int rcode, num;
VALUE_PAIR **list, *vp, *head = NULL;
REQUEST *context;
TALLOC_CTX *parent;
vp_cursor_t cursor;
/*
* Sanity check inputs. We can have a list or attribute
* as a destination.
*/
if ((map->dst->type != VPT_TYPE_LIST) &&
(map->dst->type != VPT_TYPE_ATTR)) {
REDEBUG("Invalid mapping destination");
return -2;
}
context = request;
if (radius_request(&context, map->dst->request) < 0) {
REDEBUG("Mapping \"%s\" -> \"%s\" invalid in this context", map->src->name, map->dst->name);
return -2;
}
/*
* If there's no CoA packet and we're updating it,
* auto-allocate it.
*/
if (((map->dst->list == PAIR_LIST_COA) ||
(map->dst->list == PAIR_LIST_DM)) &&
!request->coa) {
request_alloc_coa(context);
if (map->dst->list == PAIR_LIST_COA) {
context->coa->proxy->code = PW_CODE_COA_REQUEST;
} else {
context->coa->proxy->code = PW_CODE_DISCONNECT_REQUEST;
}
}
list = radius_list(context, map->dst->list);
if (!list) {
REDEBUG("Mapping \"%s\" -> \"%s\" invalid in this context", map->src->name, map->dst->name);
return -2;
}
parent = radius_list_ctx(context, map->dst->list);
/*
* The callback should either return -1 to signify operations error, -2 when it can't find the
* attribute or list being referenced, or 0 to signify success.
* It may return "sucess", but still have no VPs to work with.
*/
rcode = func(&head, request, map, ctx);
if (rcode < 0) {
rad_assert(!head);
return rcode;
}
if (!head) return 0;
/*
* Reparent the VP
*/
for (vp = fr_cursor_init(&cursor, &head); vp; vp = fr_cursor_next(&cursor)) {
VERIFY_VP(vp);
if (debug_flag) debug_map(request, map, vp);
(void) talloc_steal(parent, vp);
}
/*
* List to list copies.
*/
if (map->dst->type == VPT_TYPE_LIST) {
switch (map->op) {
case T_OP_CMP_FALSE:
rad_assert(head == NULL);
pairfree(list);
if (map->dst->list == PAIR_LIST_REQUEST) {
context->username = NULL;
context->password = NULL;
}
break;
case T_OP_SET:
if (map->src->type == VPT_TYPE_LIST) {
pairfree(list);
*list = head;
} else {
case T_OP_EQ:
rad_assert(map->src->type == VPT_TYPE_EXEC);
pairmove(parent, list, &head);
pairfree(&head);
}
if (map->dst->list == PAIR_LIST_REQUEST) {
context->username = pairfind(head, PW_USER_NAME, 0, TAG_ANY);
context->password = pairfind(head, PW_USER_PASSWORD, 0, TAG_ANY);
}
break;
case T_OP_ADD:
pairadd(list, head);
break;
default:
pairfree(&head);
return -1;
}
return 0;
}
/*
* We now should have only one destination attribute, and
* only one source attribute.
*/
rad_assert(head->next == NULL);
/*
* Find the destination attribute. We leave with either
* the cursor and vp pointing to the attribute, or vp is
* NULL.
*/
num = map->dst->num;
for (vp = fr_cursor_init(&cursor, list);
vp != NULL;
vp = fr_cursor_next(&cursor)) {
VERIFY_VP(vp);
if ((vp->da == map->dst->da) && (!vp->da->flags.has_tag || (map->dst->tag == TAG_ANY) || (vp->tag == map->dst->tag))) {
if (num == 0) break;
num--;
}
}
/*
* Figure out what to do with the source attribute.
*/
switch (map->op) {
case T_OP_CMP_FALSE: /* remove matching attributes */
pairfree(&head);
if (!vp) return 0;
/*
* Wildcard: delete all of the matching ones,
* based on tag.
*/
if (!map->dst->num) {
pairdelete(list, map->dst->da->attr, map->dst->da->vendor,
map->dst->tag);
vp = NULL;
} else {
/*
* We've found the Nth one. Delete it, and only
* it.
*/
vp = fr_cursor_remove(&cursor);
}
/*
* Check that the User-Name and User-Password
* caches point to the correct attribute.
*/
fixup:
if (map->dst->list == PAIR_LIST_REQUEST) {
context->username = pairfind(*list, PW_USER_NAME, 0, TAG_ANY);
context->password = pairfind(*list, PW_USER_PASSWORD, 0, TAG_ANY);
}
pairfree(&vp);
return 0;
case T_OP_EQ: /* set only if not already set */
if (vp) {
pairfree(&head);
return 0;
}
fr_cursor_insert(&cursor, head);
goto fixup;
case T_OP_SET: /* over-write if existing, or else add */
if (vp) vp = fr_cursor_remove(&cursor);
fr_cursor_insert(&cursor, head);
goto fixup;
case T_OP_ADD: /* append no matter what */
vp = NULL;
pairadd(list, head);
goto fixup;
case T_OP_SUB: /* delete if it matches */
head->op = T_OP_CMP_EQ;
rcode = radius_compare_vps(NULL, head, vp);
pairfree(&head);
if (rcode == 0) {
vp = fr_cursor_remove(&cursor);
goto fixup;
}
return 0;
default: /* filtering operators */
/*
* If the VP doesn't exist, the filters will add
* it with the given value.
*/
if (!vp) {
fr_cursor_insert(&cursor, head);
goto fixup;
}
break;
}
/*
* The LHS exists. We need to limit it's value based on
* the operator, and the value of the RHS.
*/
head->op = map->op;
rcode = radius_compare_vps(NULL, head, vp);
head->op = T_OP_SET;
switch (map->op) {
case T_OP_CMP_EQ:
if (rcode == 0) {
leave:
pairfree(&head);
break;
}
replace:
vp = fr_cursor_remove(&cursor);
fr_cursor_insert(&cursor, head);
goto fixup;
case T_OP_LE:
if (rcode <= 0) goto leave;
goto replace;
case T_OP_GE:
if (rcode >= 0) goto leave;
goto replace;
default:
pairfree(&head);
return -1;
}
return 0;
}
static int eap_aka_compose(eap_session_t *eap_session)
{
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
fr_cursor_t cursor;
fr_cursor_t to_encode;
VALUE_PAIR *head = NULL, *vp;
REQUEST *request = eap_session->request;
ssize_t ret;
fr_sim_encode_ctx_t encoder_ctx = {
.root = fr_dict_root(dict_eap_aka),
.keys = &eap_aka_session->keys,
.iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
.iv_included = false,
.hmac_md = eap_aka_session->mac_md,
.eap_packet = eap_session->this_round->request,
.hmac_extra = NULL,
.hmac_extra_len = 0
};
fr_cursor_init(&cursor, &eap_session->request->reply->vps);
fr_cursor_init(&to_encode, &head);
while ((vp = fr_cursor_current(&cursor))) {
if (!fr_dict_parent_common(encoder_ctx.root, vp->da, true)) {
fr_cursor_next(&cursor);
continue;
}
vp = fr_cursor_remove(&cursor);
/*
* Silently discard encrypted attributes until
* the peer should have k_encr. These can be
* added by policy, and seem to cause
* wpa_supplicant to fail if sent before the challenge.
*/
if (!eap_aka_session->allow_encrypted && fr_dict_parent_common(attr_eap_aka_encr_data, vp->da, true)) {
RWDEBUG("Silently discarding &reply:%s: Encrypted attributes not allowed in this round",
vp->da->name);
talloc_free(vp);
continue;
}
fr_cursor_append(&to_encode, vp);
}
RDEBUG2("Encoding EAP-AKA attributes");
log_request_pair_list(L_DBG_LVL_2, request, head, NULL);
eap_session->this_round->request->type.num = eap_aka_session->type;
eap_session->this_round->request->id = eap_aka_session->aka_id++ & 0xff;
eap_session->this_round->set_request_id = true;
ret = fr_sim_encode(eap_session->request, head, &encoder_ctx);
fr_cursor_head(&to_encode);
fr_cursor_free_list(&to_encode);
if (ret < 0) {
RPEDEBUG("Failed encoding EAP-AKA data");
return -1;
}
return 0;
}
/** Send an EAP-AKA identity request to the supplicant
*
* There are three types of user identities that can be implemented
* - Permanent identities such as [email protected]
* Permanent identities can be identified by the leading zero followed by
* by 15 digits (the IMSI number).
* - Ephemeral identities (pseudonyms). These are identities assigned for
* identity privacy so the user can't be tracked. These can identities
* can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses'
* document section 14, where a set of up to 16 encryption keys are used
* to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely
* randomised and stored in a datastore.
* - A fast resumption ID which resolves to data used for fast resumption.
*
* In order to perform full authentication the original IMSI is required for
* forwarding to the HLR. In the case where we can't match/decrypt the pseudonym,
* or can't perform fast resumption, we need to request the full identity from
* the supplicant.
*
* @param[in] eap_session to continue.
* @return
* - 0 on success.
* - <0 on failure.
*/
static int eap_aka_send_identity_request(eap_session_t *eap_session)
{
REQUEST *request = eap_session->request;
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
VALUE_PAIR *vp;
RADIUS_PACKET *packet;
fr_cursor_t cursor;
RDEBUG2("Sending AKA-Identity (%s)", fr_int2str(sim_id_request_table, eap_aka_session->id_req, "<INVALID>"));
eap_session->this_round->request->code = FR_EAP_CODE_REQUEST;
eap_aka_session->allow_encrypted = false; /* In case this is after failed fast-resumption */
packet = request->reply;
fr_cursor_init(&cursor, &packet->vps);
/*
* Set the subtype to identity request
*/
vp = fr_pair_afrom_da(packet, attr_eap_aka_subtype);
vp->vp_uint16 = FR_EAP_AKA_SUBTYPE_VALUE_AKA_IDENTITY;
fr_cursor_append(&cursor, vp);
/*
* Select the right type of identity request attribute
*/
switch (eap_aka_session->id_req) {
case SIM_ANY_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_any_id_req);
break;
case SIM_PERMANENT_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_permanent_id_req);
break;
case SIM_FULLAUTH_ID_REQ:
vp = fr_pair_afrom_da(packet, attr_eap_aka_fullauth_id_req);
break;
default:
rad_assert(0);
}
vp->vp_bool = true;
fr_cursor_append(&cursor, vp);
/*
* Encode the packet
*/
if (eap_aka_compose(eap_session) < 0) {
failure:
fr_pair_list_free(&packet->vps);
return -1;
}
/*
* Digest the packet contents, updating our checkcode.
*/
if (!eap_aka_session->checkcode_state &&
fr_sim_crypto_init_checkcode(eap_aka_session, &eap_aka_session->checkcode_state,
eap_aka_session->checkcode_md) < 0) {
RPEDEBUG("Failed initialising checkcode");
goto failure;
}
if (fr_sim_crypto_update_checkcode(eap_aka_session->checkcode_state, eap_session->this_round->request) < 0) {
RPEDEBUG("Failed updating checkcode");
goto failure;
}
return 0;
}