main(int argc, char *argv[]) { int filedone; RADIUS_PACKET *req,*req2; VALUE_PAIR *vp, *vpkey, *vpextra; extern unsigned int sha1_data_problems; req = NULL; req2 = NULL; filedone = 0; if(argc>1) { sha1_data_problems = 1; } if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) { librad_perror("radclient"); return 1; } if ((req = rad_alloc(1)) == NULL) { librad_perror("radclient"); exit(1); } if ((req2 = rad_alloc(1)) == NULL) { librad_perror("radclient"); exit(1); } while(!filedone) { if(req->vps) pairfree(&req->vps); if(req2->vps) pairfree(&req2->vps); if ((req->vps = readvp2(stdin, &filedone, "eapsimlib:")) == NULL) { break; } printf("\nRead:\n"); vp_printlist(stdout, req->vps); map_eapsim_types(req); map_eap_types(req); printf("Mapped to:\n"); vp_printlist(stdout, req->vps); /* find the EAP-Message, copy it to req2 */ vp = paircopy2(req->vps, PW_EAP_MESSAGE); if(vp == NULL) continue; pairadd(&req2->vps, vp); /* only call unmap for sim types here */ unmap_eap_types(req2); unmap_eapsim_types(req2); printf("Unmapped to:\n"); vp_printlist(stdout, req2->vps); vp = pairfind(req2->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC); vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY); vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA); if(vp != NULL && vpkey != NULL && vpextra!=NULL) { uint8_t calcmac[16]; /* find the EAP-Message, copy it to req2 */ memset(calcmac, 0, sizeof(calcmac)); printf("Confirming MAC..."); if(eapsim_checkmac(req2->vps, vpkey->strvalue, vpextra->strvalue, vpextra->length, calcmac)) { printf("succeed\n"); } else { int i, j; printf("calculated MAC ("); for (i = 0; i < 20; i++) { if(j==4) { printf("_"); j=0; } j++; printf("%02x", calcmac[i]); } printf(" did not match\n"); } } fflush(stdout); } }
static int sm_parse_file(FILE*fp,const char* fname) { LRAD_TOKEN tok; VALUE_PAIR *vp = NULL; sm_parse_state_t parse_state = SMP_USER; unsigned long lino = 0; char *p; char buff[MAX_BUFF_SIZE]; char username[256]; while( parse_state != SMP_INVALID && fgets(buff, sizeof(buff), fp) != NULL ) { lino ++; st_lines++; if ( strchr(buff, '\n') == NULL) { fprintf(stderr,"%s: %s[%lu]:Warning: line too long or not closed by \\n character. Skiped\n",progname,fname,lino); st_warns++; st_skiped++; /* _LINE_ skiped */ continue; } DOUT2("Parseline: %s",buff); for ( p = buff; isspace((int) *p); p++); if ( *p == '#' || *p == 0 ) continue; /* userparse hack */ if ( *p == ';' ) *p = '\n'; p = buff; /* try to decide is this line new user or new pattern */ if ( parse_state == SMP_PATTERN_OR_USER ) { if ( isspace((int) buff[0]) ) parse_state = SMP_PATTERN; else { parse_state = SMP_USER; storecontent(username); st_users++; } } if ( parse_state == SMP_USER ) { tok = getuname(&p,username,sizeof(username)); /* check: is it include. not implemented */ if ( tok ) { fprintf(stderr ,"%s: %s[%lu]: error while expecting user name\n",progname,fname,lino); parse_state = SMP_INVALID; st_errors++; } else { parse_state = SMP_PATTERN; DOUT1("Found user: %s\n",username); } } if ( parse_state == SMP_PATTERN || parse_state == SMP_ACTION ) { /* check for empty line */ while( *p && isspace((int) *p) ) p++; if ( *p && ( *p != ';' ) ) tok = userparse(p,&vp); else tok = T_EOL; /* ';' - signs empty line */ switch(tok) { case T_EOL: /* add to content */ addlinetocontent(vp); pairfree(&vp); if ( parse_state == SMP_PATTERN ) parse_state = SMP_ACTION; else parse_state = SMP_PATTERN_OR_USER; case T_COMMA: break; /* parse next line */ default: /* error: we do not expect anything else */ fprintf(stderr ,"%s: %s[%lu]: sintax error\n",progname,fname,lino); librad_perror("Error"); parse_state = SMP_INVALID; st_errors++; } } } if ( feof(fp) ) switch (parse_state ) { case SMP_USER: /* file is empty, last line is comment */ break; case SMP_PATTERN: /* only username ?*/ fprintf(stderr ,"%s: %s[%lu]: EOF while pattern line are expecting\n",progname,fname,lino); st_errors++; parse_state = SMP_INVALID; break; case SMP_ACTION: /* looking for reply line */ fprintf(stderr ,"%s: %s[%lu]: EOF while reply line are expecting\n",progname,fname,lino); st_errors++; parse_state = SMP_INVALID; break; case SMP_PATTERN_OR_USER: storecontent(username); st_users++; break; default:break; } else if ( parse_state != SMP_INVALID ) { /* file read error */ fprintf(stderr ,"%s: error file reading from file\n",progname); } pairfree(&vp); return (parse_state == SMP_INVALID)?-1:0; }
int main(int n,char **argv) { const char *fname = NULL; const char *ofile = NULL; FILE *fp; int print_stat = 1; int ch; const char *sm_radius_dir = NULL; progname = argv[0]; librad_debug = 0; while ((ch = getopt(n, argv, "d:i:xo:qvc")) != -1) switch (ch) { case 'd': sm_radius_dir = optarg; break; case 'i': fname = optarg; break; case 'x': librad_debug++; case 'o': ofile = optarg; break; case 'q': print_stat = 0; break; case 'v': printf("%s: $Id: rlm_dbm_parser.c,v 1.9 2004/02/26 19:04:28 aland Exp $ \n",progname); exit(0); case 'c': oflags = O_CREAT | O_TRUNC | O_RDWR; break; default: sm_usage();exit(1); } if ( sm_radius_dir == NULL ) sm_radius_dir = RADDBDIR; DOUT1("Use dictionary in: %s\n",sm_radius_dir); if (dict_init(sm_radius_dir, RADIUS_DICTIONARY) < 0 ) { librad_perror("parser: init dictionary:"); exit(1); } if ( fname == NULL || fname[0] == '-') { fp = stdin; fname = "STDIN"; } else if ( ( fp = fopen(fname, "r") ) == NULL ) { fprintf( stderr,"%s: Couldn't open source file\n", progname); exit(1); } if ( ofile == NULL ) ofile = "sandy_db" ; if ( open_storage(ofile) ) { exit (1); } sm_parse_file(fp,fname); close_storage(); if ( print_stat ) fprintf(stderr,"\nRecord loaded: %lu\nLines parsed: %lu\nRecord skiped: %lu\nWarnings: %lu\nErrors: %lu\n" ,st_loaded,st_lines,st_skiped,st_warns,st_errors); return 0; }
static int do_packet(int allports, uint32_t nasaddr, const struct radutmp *u) { int i, retries=5, timeout=3; struct timeval tv; RADIUS_PACKET *req, *rep = NULL; VALUE_PAIR *vp; const char *secret; if ((req = rad_alloc(1)) == NULL) { librad_perror("radzap"); exit(1); } req->id = getpid() & 0xFF; req->code = PW_ACCOUNTING_REQUEST; req->dst_port = acct_port; if(req->dst_port == 0) req->dst_port = getport("radacct"); if(req->dst_port == 0) req->dst_port = PW_ACCT_UDP_PORT; if (radiusip == INADDR_NONE) { req->dst_ipaddr = ip_getaddr("localhost"); } else { req->dst_ipaddr = radiusip; } if(!req->dst_ipaddr) req->dst_ipaddr = 0x7f000001; req->vps = NULL; secret = getsecret(req->dst_ipaddr); if(allports != 0) { INTPAIR(PW_ACCT_STATUS_TYPE, PW_STATUS_ACCOUNTING_OFF); IPPAIR(PW_NAS_IP_ADDRESS, nasaddr); INTPAIR(PW_ACCT_DELAY_TIME, 0); } else { char login[sizeof u->login+1]; char session_id[sizeof u->session_id+1]; strNcpy(login, u->login, sizeof login); strNcpy(session_id, u->session_id, sizeof session_id); INTPAIR(PW_ACCT_STATUS_TYPE, PW_STATUS_STOP); IPPAIR(PW_NAS_IP_ADDRESS, u->nas_address); INTPAIR(PW_ACCT_DELAY_TIME, 0); STRINGPAIR(PW_USER_NAME, login); INTPAIR(PW_NAS_PORT, u->nas_port); STRINGPAIR(PW_ACCT_SESSION_ID, session_id); if(u->proto=='P') { INTPAIR(PW_SERVICE_TYPE, PW_FRAMED_USER); INTPAIR(PW_FRAMED_PROTOCOL, PW_PPP); } else if(u->proto=='S') { INTPAIR(PW_SERVICE_TYPE, PW_FRAMED_USER); INTPAIR(PW_FRAMED_PROTOCOL, PW_SLIP); } else { INTPAIR(PW_SERVICE_TYPE, PW_LOGIN_USER); /* A guess, really */ } IPPAIR(PW_FRAMED_IP_ADDRESS, u->framed_address); INTPAIR(PW_ACCT_SESSION_TIME, 0); INTPAIR(PW_ACCT_INPUT_OCTETS, 0); INTPAIR(PW_ACCT_OUTPUT_OCTETS, 0); INTPAIR(PW_ACCT_INPUT_PACKETS, 0); INTPAIR(PW_ACCT_OUTPUT_PACKETS, 0); } if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("radzap: socket: "); exit(1); } for (i = 0; i < retries; i++) { fd_set rdfdesc; rad_send(req, NULL, secret); /* And wait for reply, timing out as necessary */ FD_ZERO(&rdfdesc); FD_SET(req->sockfd, &rdfdesc); tv.tv_sec = (int)timeout; tv.tv_usec = 1000000 * (timeout - (int)timeout); /* Something's wrong if we don't get exactly one fd. */ if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) { continue; } rep = rad_recv(req->sockfd); if (rep != NULL) { break; } else { /* NULL: couldn't receive the packet */ librad_perror("radzap:"); exit(1); } } /* No response or no data read (?) */ if (i == retries) { fprintf(stderr, "%s: no response from server\n", progname); exit(1); } if (rad_decode(rep, req, secret) != 0) { librad_perror("rad_decode"); exit(1); } vp_printlist(stdout, rep->vps); return 0; }
int radius_auth(char *username, char *password, char *radius_server_ip_address, unsigned short int radius_server_port, char * radius_server_secret) { /* printf("radius server = %s, port = %d\n", radius_server_ip_address, radius_server_port); printf("radius secret = %s\n", radius_server_secret); */ const char *radius_dir = RADDBDIR; int persec = 0; int parallel = 1; radclient_t *this; librad_debug = 0; if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) { librad_perror("radclient"); return 1; } /* * Strip port from hostname if needed. */ server_port = radius_server_port; packet_code = PW_AUTHENTICATION_REQUEST; /* * Grab the socket. */ if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("radclient: socket: "); exit(1); } memset(radius_id, 0, sizeof(radius_id)); /* * Resolve hostname. */ server_ipaddr = ip_getaddr(radius_server_ip_address); /* * Add the secret. */ secret = radius_server_secret; /* * If no '-f' is specified, we're reading from stdin. */ if (last_used_id < 0) last_used_id = getpid() & 0xff; /* * Walk over the packets to send, until * we're all done. * * FIXME: This currently busy-loops until it receives * all of the packets. It should really have some sort of * send packet, get time to wait, select for time, etc. * loop. */ int n = parallel; const char *filename = NULL; done = 1; sleep_time = -1; /* * Walk over the packets, sending them. */ /* Send username and password to radius server */ char auth_context[128]; memset( auth_context, 0x00, sizeof(auth_context) ); sprintf(auth_context,"User-Name = %s, User-Password = %s", username, password); /* Send username and password to radius server */ this = radclient_init(auth_context); if (radclient_sane(this) != 0) { exit(1); } /* * If there's a packet to receive, * receive it, but don't wait for a * packet. */ recv_one_packet(0); /* * This packet is done. Delete it. */ /* * Packets from multiple '-f' are sent * in parallel. * * Packets from one file are sent in * series, unless '-p' is specified, in * which case N packets from each file * are sent in parallel. */ if (this->filename != filename) { filename = this->filename; n = parallel; } if (n > 0) { n--; /* * Send the current packet. */ send_one_packet(this); /* * Wait a little before sending * the next packet, if told to. */ if (persec) { struct timeval tv; /* * Don't sleep elsewhere. */ sleep_time = 0; if (persec == 1) { tv.tv_sec = 1; tv.tv_usec = 0; } else { tv.tv_sec = 0; tv.tv_usec = 1000000/persec; } /* * Sleep for milliseconds, * portably. * * If we get an error or * a signal, treat it like * a normal timeout. */ select(0, NULL, NULL, NULL, &tv); } /* * If we haven't sent this packet * often enough, we're not done, * and we shouldn't sleep. */ if (this->resend < resend_count) { done = 0; sleep_time = 0; } } else /* haven't sent this packet, we're not done */ { assert(this->done == 0); assert(this->reply == NULL); done = 0; } /* * Still have outstanding requests. */ if (rbtree_num_elements(request_tree) > 0) { done = 0; } else { sleep_time = 0; } /* * Nothing to do until we receive a request, so * sleep until then. Once we receive one packet, * we go back, and walk through the whole list again, * sending more packets (if necessary), and updating * the sleep time. */ int ret = recv_one_packet(3); rbtree_free(filename_tree); rbtree_free(request_tree); return ret; }
/* * Receive one packet, maybe. */ static int recv_one_packet(int wait_time) { fd_set set; struct timeval tv; radclient_t myclient, radclient; RADIUS_PACKET myrequest, *reply; /* And wait for reply, timing out as necessary */ FD_ZERO(&set); FD_SET(sockfd, &set); if (wait_time <= 0) { tv.tv_sec = 0; } else { tv.tv_sec = wait_time; } tv.tv_usec = 0; /* * No packet was received. */ if (select(sockfd + 1, &set, NULL, NULL, &tv) != 1) { return 0; } /* * Look for the packet. */ reply = rad_recv(sockfd); if (!reply) { fprintf(stderr, "radclient: received bad packet: %s\n", librad_errstr); return -1; /* bad packet */ } myclient.request = &myrequest; myrequest.id = reply->id; myrequest.dst_ipaddr = reply->src_ipaddr; myrequest.dst_port = reply->src_port; radclient.reply = reply; /* * FIXME: Do stuff to process the reply. */ #if 0 if (rad_verify(reply, radclient->request, secret) != 0) { printf("rad_verify\n"); librad_perror("rad_verify"); totallost++; goto packet_done; /* shared secret is incorrect */ } #endif if (rad_decode(reply, radclient.request, secret) != 0) { librad_perror("rad_decode"); totallost++; goto packet_done; /* shared secret is incorrect */ } /* libradius debug already prints out the value pairs for us */ if (reply->code != PW_AUTHENTICATION_REJECT) { totalapp++; } else { totaldeny++; } packet_done: /* * Once we've sent the packet as many times as requested, * mark it done. */ return reply->code; }
int main(int argc, char **argv) { RADIUS_PACKET *req; char *p; int c; int port = 0; char *filename = NULL; FILE *fp; int count = 1; int id; id = ((int)getpid() & 0xff); librad_debug = 0; radlog_dest = RADLOG_STDERR; while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF) { switch(c) { case 'c': if (!isdigit((int) *optarg)) usage(); count = atoi(optarg); break; case 'd': radius_dir = optarg; break; case 'f': filename = optarg; break; case 'q': do_output = 0; break; case 'x': debug_flag++; librad_debug++; break; case 'X': #if 0 sha1_data_problems = 1; /* for debugging only */ #endif break; case 'r': if (!isdigit((int) *optarg)) usage(); retries = atoi(optarg); break; case 'i': if (!isdigit((int) *optarg)) usage(); id = atoi(optarg); if ((id < 0) || (id > 255)) { usage(); } break; case 's': do_summary = 1; break; case 't': if (!isdigit((int) *optarg)) usage(); timeout = atof(optarg); break; case 'v': printf("radclient: $Id: radeapclient.c,v 1.7.4.5 2006/05/19 14:22:23 nbk Exp $ built on " __DATE__ " at " __TIME__ "\n"); exit(0); break; case 'S': fp = fopen(optarg, "r"); if (!fp) { fprintf(stderr, "radclient: Error opening %s: %s\n", optarg, strerror(errno)); exit(1); } if (fgets(filesecret, sizeof(filesecret), fp) == NULL) { fprintf(stderr, "radclient: Error reading %s: %s\n", optarg, strerror(errno)); exit(1); } fclose(fp); /* truncate newline */ p = filesecret + strlen(filesecret) - 1; while ((p >= filesecret) && (*p < ' ')) { *p = '\0'; --p; } if (strlen(filesecret) < 2) { fprintf(stderr, "radclient: Secret in %s is too short\n", optarg); exit(1); } secret = filesecret; break; case 'h': default: usage(); break; } } argc -= (optind - 1); argv += (optind - 1); if ((argc < 3) || ((secret == NULL) && (argc < 4))) { usage(); } if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) { librad_perror("radclient"); return 1; } if ((req = rad_alloc(1)) == NULL) { librad_perror("radclient"); exit(1); } #if 0 { FILE *randinit; if((randinit = fopen("/dev/urandom", "r")) == NULL) { perror("/dev/urandom"); } else { fread(randctx.randrsl, 256, 1, randinit); fclose(randinit); } } lrad_randinit(&randctx, 1); #endif req->id = id; /* * Strip port from hostname if needed. */ if ((p = strchr(argv[1], ':')) != NULL) { *p++ = 0; port = atoi(p); } /* * See what kind of request we want to send. */ if (strcmp(argv[2], "auth") == 0) { if (port == 0) port = getport("radius"); if (port == 0) port = PW_AUTH_UDP_PORT; req->code = PW_AUTHENTICATION_REQUEST; } else if (strcmp(argv[2], "acct") == 0) { if (port == 0) port = getport("radacct"); if (port == 0) port = PW_ACCT_UDP_PORT; req->code = PW_ACCOUNTING_REQUEST; do_summary = 0; } else if (strcmp(argv[2], "status") == 0) { if (port == 0) port = getport("radius"); if (port == 0) port = PW_AUTH_UDP_PORT; req->code = PW_STATUS_SERVER; } else if (strcmp(argv[2], "disconnect") == 0) { if (port == 0) port = PW_POD_UDP_PORT; req->code = PW_DISCONNECT_REQUEST; } else if (isdigit((int) argv[2][0])) { if (port == 0) port = getport("radius"); if (port == 0) port = PW_AUTH_UDP_PORT; req->code = atoi(argv[2]); } else { usage(); } /* * Ensure that the configuration is initialized. */ memset(&mainconfig, 0, sizeof(mainconfig)); /* * Resolve hostname. */ req->dst_port = port; req->dst_ipaddr = ip_getaddr(argv[1]); if (req->dst_ipaddr == INADDR_NONE) { fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]); exit(1); } /* * Add the secret. */ if (argv[3]) secret = argv[3]; /* * Read valuepairs. * Maybe read them, from stdin, if there's no * filename, or if the filename is '-'. */ if (filename && (strcmp(filename, "-") != 0)) { fp = fopen(filename, "r"); if (!fp) { fprintf(stderr, "radclient: Error opening %s: %s\n", filename, strerror(errno)); exit(1); } } else { fp = stdin; } /* * Send request. */ if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("radclient: socket: "); exit(1); } while(!filedone) { if(req->vps) pairfree(&req->vps); if ((req->vps = readvp2(fp, &filedone, "radeapclient:")) == NULL) { break; } sendrecv_eap(req); } if(do_summary) { printf("\n\t Total approved auths: %d\n", totalapp); printf("\t Total denied auths: %d\n", totaldeny); } return 0; }
static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep) { int i; struct timeval tv; for (i = 0; i < retries; i++) { fd_set rdfdesc; rad_send(req, NULL, secret); /* And wait for reply, timing out as necessary */ FD_ZERO(&rdfdesc); FD_SET(req->sockfd, &rdfdesc); tv.tv_sec = (int)timeout; tv.tv_usec = 1000000 * (timeout - (int) timeout); /* Something's wrong if we don't get exactly one fd. */ if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) { continue; } *rep = rad_recv(req->sockfd); if (*rep != NULL) { /* * If we get a response from a machine * which we did NOT send a request to, * then complain. */ if (((*rep)->src_ipaddr != req->dst_ipaddr) || ((*rep)->src_port != req->dst_port)) { char src[64], dst[64]; ip_ntoa(src, (*rep)->src_ipaddr); ip_ntoa(dst, req->dst_ipaddr); fprintf(stderr, "radclient: ERROR: Sent request to host %s port %d, got response from host %s port %d\n!", dst, req->dst_port, src, (*rep)->src_port); exit(1); } break; } else { /* NULL: couldn't receive the packet */ librad_perror("radclient:"); exit(1); } } /* No response or no data read (?) */ if (i == retries) { fprintf(stderr, "radclient: no response from server\n"); exit(1); } /* * FIXME: Discard the packet & listen for another. * * Hmm... we should really be using eapol_test, which does * a lot more than radeapclient. */ if (rad_verify(*rep, req, secret) != 0) { librad_perror("rad_verify"); exit(1); } if (rad_decode(*rep, req, secret) != 0) { librad_perror("rad_decode"); exit(1); } /* libradius debug already prints out the value pairs for us */ if (!librad_debug && do_output) { printf("Received response ID %d, code %d, length = %d\n", (*rep)->id, (*rep)->code, (*rep)->data_len); vp_printlist(stdout, (*rep)->vps); } if((*rep)->code == PW_AUTHENTICATION_ACK) { totalapp++; } else { totaldeny++; } return 0; }