Пример #1
0
/** Set the filename of a #CONF_ITEM
 *
 * @param[in] ci	to set filename on.
 * @param[in] filename	to set.
 */
void _cf_filename_set(CONF_ITEM *ci, char const *filename)
{
	talloc_const_free(ci->filename);

	ci->filename = talloc_typed_strdup(ci, filename);
}
Пример #2
0
/** Process an EAP-Sim/Response/Start
 *
 * Verify that client chose a version, and provided a NONCE_MT,
 * and if so, then change states to challenge, and send the new
 * challenge, else, resend the Request/Start.
 */
static int process_eap_sim_start(eap_session_t *eap_session, VALUE_PAIR *vps)
{
	REQUEST			*request = eap_session->request;
	VALUE_PAIR		*nonce_vp, *selected_version_vp;
	eap_sim_session_t	*eap_sim_session;
	uint16_t		eap_sim_version;
	VALUE_PAIR		*id;
	fr_sim_id_type_t	type = SIM_ID_TYPE_UNKNOWN;
	fr_sim_method_hint_t	method = SIM_METHOD_HINT_UNKNOWN;

	eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);

	/*
	 *	For fullauth We require both the NONCE_MT
	 *	and SELECTED_VERSION from the peer, else
	 *	the packet is invalid.
	 */
	nonce_vp = fr_pair_find_by_da(vps, attr_eap_sim_nonce_mt, TAG_ANY);
	selected_version_vp = fr_pair_find_by_da(vps, attr_eap_sim_selected_version, TAG_ANY);
	if (!nonce_vp || !selected_version_vp) {
		REDEBUG2("Client did not select a version and send a NONCE");
		return -1;
	}

	eap_sim_version = selected_version_vp->vp_uint16;
	if (eap_sim_version != EAP_SIM_VERSION) {
		REDEBUG2("EAP-SIM-Version %i is unknown", eap_sim_version);
		return -1;
	}

	/*
	 *	Record it for later keying
	 */
	eap_sim_version = htons(eap_sim_version);
	memcpy(eap_sim_session->keys.gsm.version_select,
	       &eap_sim_version, sizeof(eap_sim_session->keys.gsm.version_select));

	/*
	 *	Double check the nonce size.
	 */
	if (nonce_vp->vp_length != 16) {
		REDEBUG("EAP-SIM nonce_mt must be 16 bytes, not %zu bytes", nonce_vp->vp_length);
		return -1;
	}
	memcpy(eap_sim_session->keys.gsm.nonce_mt, nonce_vp->vp_octets, 16);

	/*
	 *	See if we got an AT_IDENTITY
	 */
	id = fr_pair_find_by_da(vps, attr_eap_sim_identity, TAG_ANY);
	if (id) {
	 	if (fr_sim_id_type(&type, &method,
				   eap_session->identity, talloc_array_length(eap_session->identity) - 1) < 0) {
			RPWDEBUG2("Failed parsing identity");
		}

		/*
		 *	Update cryptographic identity
		 */
		talloc_const_free(eap_sim_session->keys.identity);
		eap_sim_session->keys.identity_len = id->vp_length;
		MEM(eap_sim_session->keys.identity = talloc_memdup(eap_sim_session, id->vp_strvalue, id->vp_length));
	}

	/*
	 *	@TODO Run a virtual server to see if we can use the
	 *	identity we just acquired, or whether we need to
	 *	negotiate the next permissive ID.
	 */

	/*
	 *	Negotiate the next permissive form
	 *	if identity, or fail.
	 */
	switch (eap_sim_session->id_req) {
	case SIM_ANY_ID_REQ:
		eap_sim_session->id_req = SIM_FULLAUTH_ID_REQ;
		eap_sim_state_enter(eap_session, EAP_SIM_SERVER_START);
		break;

	case SIM_FULLAUTH_ID_REQ:
		eap_sim_session->id_req = SIM_PERMANENT_ID_REQ;
		eap_sim_state_enter(eap_session, EAP_SIM_SERVER_START);
		break;

	case SIM_NO_ID_REQ:
	case SIM_PERMANENT_ID_REQ:
		eap_sim_state_enter(eap_session, EAP_SIM_SERVER_CHALLENGE);
//		REDEBUG2("Failed to negotiate a usable identity");
//		eap_sim_state_enter(eap_session, eap_sim_session, EAP_SIM_SERVER_FAILURE_NOTIFICATION);
		break;
	}

	return 0;
}
Пример #3
0
static int process_eap_aka_identity(eap_session_t *eap_session, VALUE_PAIR *vps)
{
	REQUEST			*request = eap_session->request;
	eap_aka_session_t	*eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
	VALUE_PAIR		*id;
	fr_sim_id_type_t	type = SIM_ID_TYPE_UNKNOWN;
	fr_sim_method_hint_t	method = SIM_METHOD_HINT_UNKNOWN;

	/*
	 *	Digest the identity response
	 */
	if (fr_sim_crypto_update_checkcode(eap_aka_session->checkcode_state, eap_session->this_round->response) < 0) {
		RPEDEBUG("Failed updating checkcode");
		return -1;
	}

	/*
	 *	See if we got an AT_IDENTITY
	 */
	id = fr_pair_find_by_da(vps, attr_eap_aka_identity, TAG_ANY);
	if (id) {
	 	if (fr_sim_id_type(&type, &method,
				   eap_session->identity, talloc_array_length(eap_session->identity) - 1) < 0) {
			RPWDEBUG2("Failed parsing identity");
		}
		/*
		 *	Update cryptographic identity
		 */
		talloc_const_free(eap_aka_session->keys.identity);
		eap_aka_session->keys.identity_len = id->vp_length;
		MEM(eap_aka_session->keys.identity = talloc_memdup(eap_aka_session, id->vp_strvalue, id->vp_length));
	}

	/*
	 *	@TODO Run a virtual server to see if we can use the
	 *	identity we just acquired, or whether we need to
	 *	negotiate the next permissive ID.
	 */

	/*
	 *	Negotiate the next permissive form
	 *	if identity, or fail.
	 */
	switch (eap_aka_session->id_req) {
	case SIM_ANY_ID_REQ:
		eap_aka_session->id_req = SIM_FULLAUTH_ID_REQ;
		eap_aka_state_enter(eap_session, EAP_AKA_SERVER_IDENTITY);
		break;

	case SIM_FULLAUTH_ID_REQ:
		eap_aka_session->id_req = SIM_PERMANENT_ID_REQ;
		eap_aka_state_enter(eap_session, EAP_AKA_SERVER_IDENTITY);
		break;

	case SIM_PERMANENT_ID_REQ:
		eap_aka_state_enter(eap_session, EAP_AKA_SERVER_CHALLENGE);
//		REDEBUG2("Failed to negotiate a usable identity");
//		eap_aka_state_enter(eap_session, eap_aka_session, EAP_AKA_SERVER_FAILURE_NOTIFICATION);
		break;

	case SIM_NO_ID_REQ:
		rad_assert(0);
		return -1;
	}

	return 0;
}