static int
process_hashpw(ETERM *pid, ETERM *data)
{
int retval = 0;
ETERM *pattern, *pwd, *slt;
char *password, *salt;
char *ret = NULL;
pattern = erl_format("{Pass, Salt}");
if (erl_match(pattern, data)) {
pwd = erl_var_content(pattern, "Pass");
password = erl_iolist_to_string(pwd);
slt = erl_var_content(pattern, "Salt");
salt = erl_iolist_to_string(slt);
if (NULL == (ret = bcrypt(password, salt)) ||
0 == strcmp(ret, ":")) {
retval = process_reply(pid, CMD_HASHPW, "Invalid salt");
} else {
retval = process_reply(pid, CMD_HASHPW, ret);
}
erl_free_term(pwd);
erl_free_term(slt);
erl_free(password);
erl_free(salt);
};
erl_free_term(pattern);
return retval;
}
static int
process_encode_salt(ETERM *pid, ETERM *data)
{
int retval = 0;
ETERM *pattern, *cslt, *lr;
byte *csalt = NULL;
long log_rounds = -1;
int csaltlen = -1;
char ret[64];
pattern = erl_format("{Csalt, LogRounds}");
if (erl_match(pattern, data)) {
cslt = erl_var_content(pattern, "Csalt");
csaltlen = ERL_BIN_SIZE(cslt);
csalt = ERL_BIN_PTR(cslt);
lr = erl_var_content(pattern, "LogRounds");
log_rounds = ERL_INT_UVALUE(lr);
if (16 != csaltlen) {
retval = process_reply(pid, CMD_SALT, "Invalid salt length");
} else if (log_rounds < 4 || log_rounds > 31) {
retval = process_reply(pid, CMD_SALT, "Invalid number of rounds");
} else {
encode_salt(ret, (u_int8_t*)csalt, csaltlen, log_rounds);
retval = process_reply(pid, CMD_SALT, ret);
}
erl_free_term(cslt);
erl_free_term(lr);
};
erl_free_term(pattern);
return retval;
}
static int process_auth(ETERM *pid, ETERM *data)
{
int retval = 0;
ETERM *pattern, *srv, *user, *pass;
char *service, *username, *password;
pattern = erl_format("{Srv, User, Pass}");
if (erl_match(pattern, data))
{
srv = erl_var_content(pattern, "Srv");
service = erl_iolist_to_string(srv);
user = erl_var_content(pattern, "User");
username = erl_iolist_to_string(user);
pass = erl_var_content(pattern, "Pass");
password = erl_iolist_to_string(pass);
retval = process_reply(pid, CMD_AUTH, auth(service, username, password));
erl_free_term(srv);
erl_free_term(user);
erl_free_term(pass);
erl_free(service);
erl_free(username);
erl_free(password);
};
erl_free_term(pattern);
return retval;
}
t_OTF_RESULT miniAudicle::handle_reply( t_CKUINT docid, string & out )
{
last_result[docid].result = OTF_UNDEFINED;
otf_docids.push( docid );
int sleep_count = 0;
// process
while( last_result[docid].result == OTF_UNDEFINED )
{
if( !process_reply() )
{
if( sleep_count < vm_sleep_max )
{
usleep( vm_sleep_time );
sleep_count++;
}
else
{
return OTF_VM_TIMEOUT;
}
}
}
out += last_result[docid].output;
return last_result[docid].result;
}
static int q_exec(struct txn *t) {
unsigned data[MAXWORDS];
unsigned seq;
int r;
u32 id;
if (t->magic != 0x12345678) {
fprintf(stderr,"FATAL: bogus txn magic\n");
exit(1);
}
t->magic = 0;
/* If we are a multiple of 64, and not exactly 4K,
* add padding to ensure the target can detect the end of txn
*/
if (((t->txc % 16) == 0) && (t->txc != swd_maxwords))
t->tx[t->txc++] = RSWD_MSG(CMD_NULL, 0, 0);
pthread_mutex_lock(&swd_lock);
seq = sequence++;
id = RSWD_TXN_START(seq);
t->tx[0] = id;
if (swd_online != 1) {
if (swd_online == -1) {
// ack disconnect
usb_close(usb);
usb = NULL;
swd_online = 0;
pthread_cond_broadcast(&swd_event);
}
r = -1;
} else {
r = usb_write(usb, t->tx, t->txc * sizeof(u32));
if (r == (t->txc * sizeof(u32))) {
swd_txn_id = id;
swd_txn_data = data;
swd_txn_status = TXN_STATUS_WAIT;
do {
pthread_cond_wait(&swd_event, &swd_lock);
} while (swd_txn_status == TXN_STATUS_WAIT);
if (swd_txn_status == TXN_STATUS_FAIL) {
r = -1;
} else {
r = swd_txn_status;
}
swd_txn_data = NULL;
} else {
r = -1;
}
}
pthread_mutex_unlock(&swd_lock);
if (r > 0) {
return process_reply(t, data + 1, (r / 4) - 1);
} else {
return -1;
}
}
static int
process_hashpw(ETERM *pid, ETERM *data)
{
int retval = 0;
ETERM *pattern, *pwd, *slt, *pwd_bin, *slt_bin;
char password[1024];
char salt[1024];
char encrypted[1024] = { 0 };
(void)memset(&password, '\0', sizeof(password));
(void)memset(&salt, '\0', sizeof(salt));
pattern = erl_format("{Pass, Salt}");
if (erl_match(pattern, data)) {
pwd = erl_var_content(pattern, "Pass");
pwd_bin = erl_iolist_to_binary(pwd);
slt = erl_var_content(pattern, "Salt");
slt_bin = erl_iolist_to_binary(slt);
if (ERL_BIN_SIZE(pwd_bin) > sizeof(password)) {
retval = process_reply(pid, CMD_HASHPW, "Password too long");
} else if (ERL_BIN_SIZE(slt_bin) > sizeof(salt)) {
retval = process_reply(pid, CMD_HASHPW, "Salt too long");
} else {
memcpy(password, ERL_BIN_PTR(pwd_bin), ERL_BIN_SIZE(pwd_bin));
memcpy(salt, ERL_BIN_PTR(slt_bin), ERL_BIN_SIZE(slt_bin));
if (bcrypt(encrypted, password, salt)) {
retval = process_reply(pid, CMD_HASHPW, "Invalid salt");
} else {
retval = process_reply(pid, CMD_HASHPW, encrypted);
}
}
erl_free_term(pwd);
erl_free_term(slt);
erl_free_term(pwd_bin);
erl_free_term(slt_bin);
};
erl_free_term(pattern);
return retval;
}
//-----------------------------------------------------------------------------
// name: status()
// desc: ...
//-----------------------------------------------------------------------------
t_OTF_RESULT miniAudicle::status( Chuck_VM_Status * status )
{
if( vm_on != TRUE || vm == NULL )
return OTF_MINI_ERROR;
t_CKBOOL do_copy_status = TRUE;
while( process_reply() == TRUE )
;
if( do_copy_status && status_bufs[status_bufs_read] &&
status_bufs[status_bufs_read]->now_system >= status->now_system )
{
status->clear();
Chuck_VM_Status_copy( *status, *( status_bufs[status_bufs_read] ) );
do_copy_status = FALSE;
}
for( size_t i = 0; i < num_status_bufs; i++ )
{
if( i != status_bufs_read && status_bufs[i] )
{
if( do_copy_status )
{
status->clear();
Chuck_VM_Status_copy( *status, *( status_bufs[i] ) );
}
Chuck_Msg * msg = new Chuck_Msg;
msg->type = MSG_STATUS;
msg->reply = ( ck_msg_func )1;
msg->user = status_bufs[i];
status_bufs[i] = NULL;
vm->queue_msg( msg, 1 );
return OTF_SUCCESS;
}
}
//EM_log( CK_LOG_SEVERE, "(miniAudicle): insufficient buffers for status query" );
return OTF_MINI_ERROR;
}
/* Main loop of a slave thread.
* Send the current command to the slave machine and wait for a reply.
* Resend command history if the slave machine is out of sync.
* Returns when the connection with the slave machine is cut.
* slave_lock is held on both entry and exit of this function. */
static void
slave_loop(FILE *f, char *reply_buf, struct slave_state *sstate, bool resend)
{
char *to_send;
int last_cmd_count = 0;
int last_reply_id = -1;
int reply_slot = -1;
for (;;) {
if (resend) {
/* Resend complete or partial history */
to_send = next_command(last_reply_id);
} else {
/* Wait for a new command. */
while (last_cmd_count == cmd_count)
pthread_cond_wait(&cmd_cond, &slave_lock);
to_send = gtp_cmd;
}
/* Command available, send it to slave machine.
* If slave was out of sync, send the history.
* But first get binary arguments if necessary. */
int bin_size = 0;
void *bin_buf = get_binary_arg(sstate, gtp_cmd,
gtp_cmds + CMDS_SIZE - gtp_cmd,
&bin_size);
/* Check that the command is still valid. */
resend = true;
if (!bin_buf) continue;
/* Send the command and get the reply, which always ends with \n\n
* The slave machine sends "=id reply" or "?id reply"
* with id == cmd_id if it is in sync. */
last_cmd_count = cmd_count;
char buf[CMDS_SIZE];
int reply_id = send_command(to_send, bin_buf, &bin_size, f,
sstate, buf);
if (reply_id == -1) return;
resend = process_reply(reply_id, buf, reply_buf, bin_buf, bin_size,
&last_reply_id, &reply_slot, sstate);
}
}
static int process_acct(ETERM *pid, ETERM *data)
{
int retval = 0;
ETERM *pattern, *srv, *user;
char *service, *username;
pattern = erl_format("{Srv, User}");
if (erl_match(pattern, data))
{
srv = erl_var_content(pattern, "Srv");
service = erl_iolist_to_string(srv);
user = erl_var_content(pattern, "User");
username = erl_iolist_to_string(user);
retval = process_reply(pid, CMD_ACCT, acct_mgmt(service, username));
erl_free_term(srv);
erl_free_term(user);
erl_free(service);
erl_free(username);
}
erl_free_term(pattern);
return retval;
}
static int process_requests(int sock)
{
int flags;
int size = 0;
int retval = 0;
uint64_t offset;
ProxyHeader header;
int mode, uid, gid;
V9fsString name, value;
struct timespec spec[2];
V9fsString oldpath, path;
struct iovec in_iovec, out_iovec;
in_iovec.iov_base = g_malloc(PROXY_MAX_IO_SZ + PROXY_HDR_SZ);
in_iovec.iov_len = PROXY_MAX_IO_SZ + PROXY_HDR_SZ;
out_iovec.iov_base = g_malloc(PROXY_MAX_IO_SZ + PROXY_HDR_SZ);
out_iovec.iov_len = PROXY_MAX_IO_SZ + PROXY_HDR_SZ;
while (1) {
/*
* initialize the header type, so that we send
* response to proper request type.
*/
header.type = 0;
retval = read_request(sock, &in_iovec, &header);
if (retval < 0) {
goto err_out;
}
switch (header.type) {
case T_OPEN:
retval = do_open(&in_iovec);
break;
case T_CREATE:
retval = do_create(&in_iovec);
break;
case T_MKNOD:
case T_MKDIR:
case T_SYMLINK:
retval = do_create_others(header.type, &in_iovec);
break;
case T_LINK:
v9fs_string_init(&path);
v9fs_string_init(&oldpath);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ,
"ss", &oldpath, &path);
if (retval > 0) {
retval = link(oldpath.data, path.data);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&oldpath);
v9fs_string_free(&path);
break;
case T_LSTAT:
case T_STATFS:
retval = do_stat(header.type, &in_iovec, &out_iovec);
break;
case T_READLINK:
retval = do_readlink(&in_iovec, &out_iovec);
break;
case T_CHMOD:
v9fs_string_init(&path);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ,
"sd", &path, &mode);
if (retval > 0) {
retval = chmod(path.data, mode);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
break;
case T_CHOWN:
v9fs_string_init(&path);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ, "sdd", &path,
&uid, &gid);
if (retval > 0) {
retval = lchown(path.data, uid, gid);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
break;
case T_TRUNCATE:
v9fs_string_init(&path);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ, "sq",
&path, &offset);
if (retval > 0) {
retval = truncate(path.data, offset);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
break;
case T_UTIME:
v9fs_string_init(&path);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ, "sqqqq", &path,
&spec[0].tv_sec, &spec[0].tv_nsec,
&spec[1].tv_sec, &spec[1].tv_nsec);
if (retval > 0) {
retval = utimensat(AT_FDCWD, path.data, spec,
AT_SYMLINK_NOFOLLOW);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
break;
case T_RENAME:
v9fs_string_init(&path);
v9fs_string_init(&oldpath);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ,
"ss", &oldpath, &path);
if (retval > 0) {
retval = rename(oldpath.data, path.data);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&oldpath);
v9fs_string_free(&path);
break;
case T_REMOVE:
v9fs_string_init(&path);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ, "s", &path);
if (retval > 0) {
retval = remove(path.data);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
break;
case T_LGETXATTR:
case T_LLISTXATTR:
retval = do_getxattr(header.type, &in_iovec, &out_iovec);
break;
case T_LSETXATTR:
v9fs_string_init(&path);
v9fs_string_init(&name);
v9fs_string_init(&value);
retval = proxy_unmarshal(&in_iovec, PROXY_HDR_SZ, "sssdd", &path,
&name, &value, &size, &flags);
if (retval > 0) {
retval = lsetxattr(path.data,
name.data, value.data, size, flags);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
v9fs_string_free(&name);
v9fs_string_free(&value);
break;
case T_LREMOVEXATTR:
v9fs_string_init(&path);
v9fs_string_init(&name);
retval = proxy_unmarshal(&in_iovec,
PROXY_HDR_SZ, "ss", &path, &name);
if (retval > 0) {
retval = lremovexattr(path.data, name.data);
if (retval < 0) {
retval = -errno;
}
}
v9fs_string_free(&path);
v9fs_string_free(&name);
break;
case T_GETVERSION:
retval = do_getversion(&in_iovec, &out_iovec);
break;
default:
goto err_out;
break;
}
if (process_reply(sock, header.type, &out_iovec, retval) < 0) {
goto err_out;
}
}
err_out:
g_free(in_iovec.iov_base);
g_free(out_iovec.iov_base);
return -1;
}
// check for replies from sensor, returns true if at least one message was processed
bool AP_Proximity_LightWareSF40C::check_for_reply()
{
if (uart == nullptr) {
return false;
}
// read any available lines from the lidar
// if CR (i.e. \r), LF (\n) it means we have received a full packet so send for processing
// lines starting with # are ignored because this is the echo of a set-motor request which has no reply
// lines starting with ? are the echo back of our distance request followed by the sensed distance
// distance data appears after a <space>
// distance data is comma separated so we put into separate elements (i.e. <space>angle,distance)
uint16_t count = 0;
int16_t nbytes = uart->available();
while (nbytes-- > 0) {
char c = uart->read();
// check for end of packet
if (c == '\r' || c == '\n') {
if ((element_len[0] > 0)) {
if (process_reply()) {
count++;
}
}
// clear buffers after processing
clear_buffers();
ignore_reply = false;
wait_for_space = false;
// if message starts with # ignore it
} else if (c == '#' || ignore_reply) {
ignore_reply = true;
// if waiting for <space>
} else if (c == '?') {
wait_for_space = true;
} else if (wait_for_space) {
if (c == ' ') {
wait_for_space = false;
}
// if comma, move onto filling in 2nd element
} else if (c == ',') {
if ((element_num == 0) && (element_len[0] > 0)) {
element_num++;
} else {
// don't support 3rd element so clear buffers
clear_buffers();
ignore_reply = true;
}
// if part of a number, add to element buffer
} else if (isdigit(c) || c == '.' || c == '-') {
element_buf[element_num][element_len[element_num]] = c;
element_len[element_num]++;
if (element_len[element_num] >= sizeof(element_buf[element_num])-1) {
// too long, discard the line
clear_buffers();
ignore_reply = true;
}
}
}
return (count > 0);
}
/*
* Process the "diameter" contents of the tunneled data.
*/
PW_CODE eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
PW_CODE code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
uint8_t const *data;
size_t data_len;
REQUEST *request = handler->request;
chbind_packet_t *chbind;
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = (ttls_tunnel_t *) tls_session->opaque;
/*
* If there's no data, maybe this is an ACK to an
* MS-CHAP2-Success.
*/
if (data_len == 0) {
if (t->authenticated) {
RDEBUG("Got ACK, and the user was already authenticated");
return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* FIXME: Call SSL_get_error() to see what went
* wrong.
*/
RDEBUG2("SSL_read Error");
return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
if ((rad_debug_lvl > 2) && fr_log_fp) {
size_t i;
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i);
fprintf(fr_log_fp, "%02x ", data[i]);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
}
if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n");
}
#endif
if (!diameter_verify(request, data, data_len)) {
return PW_CODE_ACCESS_REJECT;
}
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request);
rad_assert(!fake->packet->vps);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
talloc_free(fake);
return PW_CODE_ACCESS_REJECT;
}
/*
* Tell the request that it's a fake one.
*/
pair_make_request("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
RDEBUG("Got tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
fake->password = fr_pair_find_by_num(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ);
rad_assert(t->username != NULL);
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
/*
* If there's a default EAP type,
* set it here.
*/
if (t->default_method != 0) {
RDEBUG("Setting default EAP type for tunneled EAP session");
vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
fr_pair_add(&fake->config, vp);
}
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_list_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
}
} /* else the request ALREADY had a User-Name */
/*
* Add the State attribute, too, if it exists.
*/
if (t->state) {
vp = fr_pair_list_copy(fake->packet, t->state);
if (vp) fr_pair_add(&fake->packet->vps, vp);
}
/*
* If this is set, we copy SOME of the request attributes
* from outside of the tunnel to inside of the tunnel.
*
* We copy ONLY those attributes which do NOT already
* exist in the tunneled request.
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
vp_cursor_t cursor;
for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
*/
if ((vp->da->attr > 255) &&
(vp->da->vendor == 0)) {
continue;
}
/*
* The outside attribute is already in the
* tunnel, don't copy it.
*
* This works for BOTH attributes which
* are originally in the tunneled request,
* AND attributes which are copied there
* from below.
*/
if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) {
continue;
}
/*
* Some attributes are handled specially.
*/
switch (vp->da->attr) {
/*
* NEVER copy Message-Authenticator,
* EAP-Message, or State. They're
* only for outside of the tunnel.
*/
case PW_USER_NAME:
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_CHAP_CHALLENGE:
case PW_PROXY_STATE:
case PW_MESSAGE_AUTHENTICATOR:
case PW_EAP_MESSAGE:
case PW_STATE:
continue;
/*
* By default, copy it over.
*/
default:
break;
}
/*
* Don't copy from the head, we've already
* checked it.
*/
copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY);
fr_pair_add(&fake->packet->vps, copy);
}
}
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (t->virtual_server) {
fake->server = t->virtual_server;
} /* else fake->server == request->server */
if ((rad_debug_lvl > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
}
/*
* Process channel binding.
*/
chbind = eap_chbind_vp2packet(fake, fake->packet->vps);
if (chbind) {
PW_CODE chbind_code;
CHBIND_REQ *req = talloc_zero(fake, CHBIND_REQ);
RDEBUG("received chbind request");
req->request = chbind;
if (fake->username) {
req->username = fake->username;
} else {
req->username = NULL;
}
chbind_code = chbind_process(request, req);
/* encapsulate response here */
if (req->response) {
RDEBUG("sending chbind response");
fr_pair_add(&fake->reply->vps,
eap_chbind_packet2vp(fake, req->response));
} else {
RDEBUG("no chbind response");
}
/* clean up chbind req */
talloc_free(req);
if (chbind_code != PW_CODE_ACCESS_ACCEPT) {
return chbind_code;
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
rad_virtual_server(fake);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_num(fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY);
if (vp) {
eap_tunnel_data_t *tunnel;
RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue);
/*
* Tell the original request that it's going
* to be proxied.
*/
fr_pair_list_move_by_num(request, &request->config,
&fake->config,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* Seed the proxy packet with the
* tunneled request.
*/
rad_assert(!request->proxy);
request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
request->proxy->src_port = 0;
request->proxy->dst_port = 0;
fake->packet = NULL;
rad_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
tunnel->callback = eapttls_postproxy;
/*
* Associate the callback with the request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false);
rad_assert(code == 0);
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
*
* So we associate the fake request with
* this request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
code = PW_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return PW_FOO
*/
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = PW_CODE_ACCESS_ACCEPT;
break;
default:
code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
/*
* Do post-proxy processing,
*/
static int CC_HINT(nonnull) eapttls_postproxy(eap_handler_t *handler, void *data)
{
int rcode;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
* request, do more processing of it.
*/
fake = (REQUEST *) request_data_get(handler->request,
handler->request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK);
/*
* Do the callback, if it exists, and if it was a success.
*/
if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "server %s {\n",
(!fake->server) ? "" : fake->server);
}
/*
* Perform a post-auth stage for the tunneled
* session.
*/
fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
if ((rad_debug_lvl > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(!fake->server) ? "" : fake->server);
RDEBUG("Final reply from tunneled session code %d", fake->reply->code);
rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
}
/*
* Terrible hacks.
*/
request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
* And we're done with this request.
*/
switch (rcode) {
case RLM_MODULE_FAIL:
talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
request->proxy_reply->code);
break;
}
}
talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
*/
rcode = process_reply(handler, tls_session, handler->request, handler->request->proxy_reply);
/*
* The proxy code uses the reply from the home server as
* the basis for the reply to the NAS. We don't want that,
* so we toss it, after we've had our way with it.
*/
fr_pair_list_free(&handler->request->proxy_reply->vps);
switch (rcode) {
case RLM_MODULE_REJECT:
RDEBUG("Reply was rejected");
break;
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
RDEBUG("Reply was OK");
/*
* Success: Automatically return MPPE keys.
*/
return eaptls_success(handler, 0);
default:
RDEBUG("Reply was unknown");
break;
}
eaptls_fail(handler, 0);
return 0;
}
int main(int argc, char** argv)
{
Options_t opts;
int rc;
pn_message_t *response_msg = pn_message();
check( response_msg, "Failed to allocate a Message");
pn_message_t *request_msg = pn_message();
check( request_msg, "Failed to allocate a Message");
pn_messenger_t *messenger = pn_messenger( 0 );
check( messenger, "Failed to allocate a Messenger");
parse_options( argc, argv, &opts );
// no need to track outstanding messages
pn_messenger_set_outgoing_window( messenger, 0 );
pn_messenger_set_incoming_window( messenger, 0 );
pn_messenger_set_timeout( messenger, opts.timeout );
if (opts.gateway_addr) {
LOG( "routing all messages via %s\n", opts.gateway_addr );
rc = pn_messenger_route( messenger,
"*", opts.gateway_addr );
check( rc == 0, "pn_messenger_route() failed" );
}
pn_messenger_start(messenger);
char *reply_to = NULL;
if (opts.reply_to) {
LOG("subscribing to %s for replies\n", opts.reply_to);
pn_messenger_subscribe(messenger, opts.reply_to);
reply_to = _strdup(opts.reply_to);
check( reply_to, "Out of memory" );
#if 1
// need to 'fix' the reply-to for use in the message itself:
// no '~' is allowed in that case
char *tilde = strstr( reply_to, "://~" );
if (tilde) {
tilde += 3; // overwrite '~'
memmove( tilde, tilde + 1, strlen( tilde + 1 ) + 1 );
}
#endif
}
// Create a request message
//
const char *command = opts.new_fortune ? "set" : "get";
build_request_message( request_msg,
opts.send_bad_msg ? "bad-command" : command,
opts.address, reply_to,
opts.new_fortune, opts.ttl );
// set a unique identifier for this message, so remote can
// de-duplicate when we re-transmit
uuid_t uuid;
uuid_generate(uuid);
char uuid_str[37];
uuid_unparse_upper(uuid, uuid_str);
pn_data_put_string( pn_message_id( request_msg ),
pn_bytes( sizeof(uuid_str), uuid_str ));
// set the correlation id so we can ensure the response matches
// our request. (re-use uuid just 'cause it's easy!)
pn_data_put_string( pn_message_correlation_id( request_msg ),
pn_bytes( sizeof(uuid_str), uuid_str ));
int send_count = 0;
bool done = false;
// keep re-transmitting until something arrives
do {
LOG("sending request message...\n");
rc = pn_messenger_put( messenger, request_msg );
check(rc == 0, "pn_messenger_put() failed");
send_count++;
if (opts.retry) opts.retry--;
LOG("waiting for response...\n");
rc = pn_messenger_recv( messenger, -1 );
if (rc == PN_TIMEOUT) {
LOG( "Timed-out waiting for a response, retransmitting...\n" );
pn_message_set_delivery_count( request_msg, send_count );
} else {
check(rc == 0, "pn_messenger_recv() failed\n");
while (pn_messenger_incoming( messenger ) > 0) {
rc = pn_messenger_get( messenger, response_msg );
check(rc == 0, "pn_messenger_get() failed");
LOG("response received!\n");
// validate the correlation id
pn_bytes_t cid = pn_data_get_string( pn_message_correlation_id( response_msg ) );
if (cid.size == 0 || strncmp( uuid_str, cid.start, cid.size )) {
LOG( "Correlation Id mismatch! Ignoring this response!\n" );
} else {
process_reply( messenger, response_msg );
done = true;
}
}
}
} while (!done && opts.retry);
if (!done) {
fprintf( stderr, "Retries exhausted, no response received from server!\n" );
}
rc = pn_messenger_stop(messenger);
check(rc == 0, "pn_messenger_stop() failed");
pn_messenger_free(messenger);
pn_message_free( response_msg );
pn_message_free( request_msg );
if (reply_to) free(reply_to);
return 0;
}
/*
* Process the "diameter" contents of the tunneled data.
*/
int eapttls_process(EAP_HANDLER *handler, tls_session_t *tls_session)
{
int rcode = PW_AUTHENTICATION_REJECT;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
const uint8_t *data;
size_t data_len;
REQUEST *request = handler->request;
rad_assert(request != NULL);
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = (ttls_tunnel_t *) tls_session->opaque;
/*
* If there's no data, maybe this is an ACK to an
* MS-CHAP2-Success.
*/
if (data_len == 0) {
if (t->authenticated) {
RDEBUG("Got ACK, and the user was already authenticated.");
return PW_AUTHENTICATION_ACK;
} /* else no session, no data, die. */
/*
* FIXME: Call SSL_get_error() to see what went
* wrong.
*/
RDEBUG2("SSL_read Error");
return PW_AUTHENTICATION_REJECT;
}
#ifndef NDEBUG
if ((debug_flag > 2) && fr_log_fp) {
size_t i;
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i);
fprintf(fr_log_fp, "%02x ", data[i]);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
}
if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n");
}
#endif
if (!diameter_verify(request, data, data_len)) {
return PW_AUTHENTICATION_REJECT;
}
/*
* Allocate a fake REQUEST structe.
*/
fake = request_alloc_fake(request);
rad_assert(fake->packet->vps == NULL);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = diameter2vp(request, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
request_free(&fake);
return PW_AUTHENTICATION_REJECT;
}
/*
* Tell the request that it's a fake one.
*/
vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
if (vp) {
pairadd(&fake->packet->vps, vp);
}
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Got tunneled request");
debug_pair_list(fake->packet->vps);
}
/*
* Update other items in the REQUEST data structure.
*/
fake->username = pairfind(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
fake->password = pairfind(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = pairfind(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp &&
(vp->length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
t->username = pairmake("User-Name", "", T_OP_EQ);
rad_assert(t->username != NULL);
memcpy(t->username->vp_strvalue, vp->vp_strvalue + 5,
vp->length - 5);
t->username->length = vp->length - 5;
t->username->vp_strvalue[t->username->length] = 0;
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
/*
* If there's a default EAP type,
* set it here.
*/
if (t->default_eap_type != 0) {
RDEBUG("Setting default EAP type for tunneled EAP session.");
vp = paircreate(PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_eap_type;
pairadd(&fake->config_items, vp);
}
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RDEBUG2W("No EAP-Identity found to start EAP conversation.");
}
} /* else there WAS a t->username */
if (t->username) {
vp = paircopy(t->username);
pairadd(&fake->packet->vps, vp);
fake->username = pairfind(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
}
} /* else the request ALREADY had a User-Name */
/*
* Add the State attribute, too, if it exists.
*/
if (t->state) {
vp = paircopy(t->state);
if (vp) pairadd(&fake->packet->vps, vp);
}
/*
* If this is set, we copy SOME of the request attributes
* from outside of the tunnel to inside of the tunnel.
*
* We copy ONLY those attributes which do NOT already
* exist in the tunneled request.
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
/*
* The attribute is a server-side thingy,
* don't copy it.
*/
if ((vp->da->attr > 255) &&
(vp->da->vendor == 0)) {
continue;
}
/*
* The outside attribute is already in the
* tunnel, don't copy it.
*
* This works for BOTH attributes which
* are originally in the tunneled request,
* AND attributes which are copied there
* from below.
*/
if (pairfind(fake->packet->vps, vp->da->attr, vp->da->vendor, TAG_ANY)) {
continue;
}
/*
* Some attributes are handled specially.
*/
switch (vp->da->attr) {
/*
* NEVER copy Message-Authenticator,
* EAP-Message, or State. They're
* only for outside of the tunnel.
*/
case PW_USER_NAME:
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_CHAP_CHALLENGE:
case PW_PROXY_STATE:
case PW_MESSAGE_AUTHENTICATOR:
case PW_EAP_MESSAGE:
case PW_STATE:
continue;
break;
/*
* By default, copy it over.
*/
default:
break;
}
/*
* Don't copy from the head, we've already
* checked it.
*/
copy = paircopy2(vp, vp->da->attr, vp->da->vendor, TAG_ANY);
pairadd(&fake->packet->vps, copy);
}
}
if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (t->virtual_server) {
fake->server = t->virtual_server;
} /* else fake->server == request->server */
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
debug_pair_list(fake->packet->vps);
fprintf(fr_log_fp, "server %s {\n",
(fake->server == NULL) ? "" : fake->server);
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
rad_virtual_server(fake);
/*
* Note that we don't do *anything* with the reply
* attributes.
*/
if ((debug_flag > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(fake->server == NULL) ? "" : fake->server);
RDEBUG("Got tunneled reply code %d", fake->reply->code);
debug_pair_list(fake->reply->vps);
}
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = pairfind(fake->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY);
if (vp) {
eap_tunnel_data_t *tunnel;
RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue);
/*
* Tell the original request that it's going
* to be proxied.
*/
pairmove2(&(request->config_items),
&(fake->config_items),
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* Seed the proxy packet with the
* tunneled request.
*/
rad_assert(request->proxy == NULL);
request->proxy = fake->packet;
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
request->proxy->src_port = 0;
request->proxy->dst_port = 0;
fake->packet = NULL;
rad_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = rad_malloc(sizeof(*tunnel));
memset(tunnel, 0, sizeof(*tunnel));
tunnel->tls_session = tls_session;
tunnel->callback = eapttls_postproxy;
/*
* Associate the callback with the request.
*/
rcode = request_data_add(request,
request->proxy,
REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, free);
rad_assert(rcode == 0);
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
*
* So we associate the fake request with
* this request.
*/
rcode = request_data_add(request,
request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, my_request_free);
rad_assert(rcode == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
rcode = PW_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
rcode = PW_AUTHENTICATION_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return
* PW_FOO
*/
rcode = process_reply(handler, tls_session, request,
fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
rcode = PW_AUTHENTICATION_REJECT;
break;
case RLM_MODULE_HANDLED:
rcode = PW_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
rcode = PW_AUTHENTICATION_ACK;
break;
default:
rcode = PW_AUTHENTICATION_REJECT;
break;
}
break;
}
request_free(&fake);
return rcode;
}
/* sets new last_server */
void reply_query(int fd, int family, time_t now)
{
/* packet from peer server, extract data for cache, and send to
original requester */
HEADER *header;
union mysockaddr serveraddr;
struct frec *forward;
socklen_t addrlen = sizeof(serveraddr);
ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
size_t nn;
struct server *server;
/* packet buffer overwritten */
daemon->srv_save = NULL;
/* Determine the address of the server replying so that we can mark that as good */
serveraddr.sa.sa_family = family;
#ifdef HAVE_IPV6
if (serveraddr.sa.sa_family == AF_INET6)
serveraddr.in6.sin6_flowinfo = 0;
#endif
/* spoof check: answer must come from known server, */
for (server = daemon->servers; server; server = server->next)
if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
sockaddr_isequal(&server->addr, &serveraddr))
break;
header = (HEADER *)daemon->packet;
if (!server ||
n < (int)sizeof(HEADER) || !header->qr ||
!(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
return;
server = forward->sentto;
if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
!(daemon->options & OPT_ORDER) &&
forward->forwardall == 0)
/* for broken servers, attempt to send to another one. */
{
unsigned char *pheader;
size_t plen;
int is_sign;
/* recreate query from reply */
pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
if (!is_sign)
{
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
{
header->qr = 0;
header->tc = 0;
forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
return;
}
}
}
if ((forward->sentto->flags & SERV_TYPE) == 0)
{
if (header->rcode == SERVFAIL || header->rcode == REFUSED)
server = NULL;
else
{
struct server *last_server;
/* find good server by address if possible, otherwise assume the last one we sent to */
for (last_server = daemon->servers; last_server; last_server = last_server->next)
if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
sockaddr_isequal(&last_server->addr, &serveraddr))
{
server = last_server;
break;
}
}
if (!(daemon->options & OPT_ALL_SERVERS))
daemon->last_server = server;
}
/* If the answer is an error, keep the forward record in place in case
we get a good reply from another server. Kill it when we've
had replies from all to avoid filling the forwarding table when
everything is broken */
if (forward->forwardall == 0 || --forward->forwardall == 1 ||
(header->rcode != REFUSED && header->rcode != SERVFAIL))
{
if ((nn = process_reply(header, now, server, (size_t)n)))
{
header->id = htons(forward->orig_id);
header->ra = 1; /* recursion if available */
send_from(forward->fd, daemon->options & OPT_NOWILD, daemon->packet, nn,
&forward->source, &forward->dest, forward->iface);
}
free_frec(forward); /* cancel */
}
}
/* The daemon forks before calling this: it should deal with one connection,
blocking as neccessary, and then return. Note, need to be a bit careful
about resources for debug mode, when the fork is suppressed: that's
done by the caller. */
unsigned char *tcp_request(int confd, time_t now,
struct in_addr local_addr, struct in_addr netmask)
{
int size = 0;
size_t m;
unsigned short qtype, gotname;
unsigned char c1, c2;
/* Max TCP packet + slop */
unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
HEADER *header;
struct server *last_server;
while (1)
{
if (!packet ||
!read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
!(size = c1 << 8 | c2) ||
!read_write(confd, packet, size, 1))
return packet;
if (size < (int)sizeof(HEADER))
continue;
header = (HEADER *)packet;
if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
{
union mysockaddr peer_addr;
socklen_t peer_len = sizeof(union mysockaddr);
if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) != -1)
{
char types[20];
querystr(types, qtype);
if (peer_addr.sa.sa_family == AF_INET)
log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
(struct all_addr *)&peer_addr.in.sin_addr, types);
#ifdef HAVE_IPV6
else
log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
(struct all_addr *)&peer_addr.in6.sin6_addr, types);
#endif
}
}
/* m > 0 if answered from cache */
m = answer_request(header, ((char *) header) + 65536, (unsigned int)size,
local_addr, netmask, now);
/* Do this by steam now we're not in the select() loop */
check_log_writer(NULL);
if (m == 0)
{
unsigned short flags = 0;
struct all_addr *addrp = NULL;
int type = 0;
char *domain = NULL;
if (gotname)
flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain);
if (type != 0 || (daemon->options & OPT_ORDER) || !daemon->last_server)
last_server = daemon->servers;
else
last_server = daemon->last_server;
if (!flags && last_server)
{
struct server *firstsendto = NULL;
unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
/* Loop round available servers until we succeed in connecting to one.
Note that this code subtley ensures that consecutive queries on this connection
which can go to the same server, do so. */
while (1)
{
if (!firstsendto)
firstsendto = last_server;
else
{
if (!(last_server = last_server->next))
last_server = daemon->servers;
if (last_server == firstsendto)
break;
}
/* server for wrong domain */
if (type != (last_server->flags & SERV_TYPE) ||
(type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
continue;
if ((last_server->tcpfd == -1) &&
(last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) != -1 &&
(!local_bind(last_server->tcpfd, &last_server->source_addr,
last_server->interface, last_server->mark, 1) ||
connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
{
close(last_server->tcpfd);
last_server->tcpfd = -1;
}
if (last_server->tcpfd == -1)
continue;
c1 = size >> 8;
c2 = size;
if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
!read_write(last_server->tcpfd, &c2, 1, 0) ||
!read_write(last_server->tcpfd, packet, size, 0) ||
!read_write(last_server->tcpfd, &c1, 1, 1) ||
!read_write(last_server->tcpfd, &c2, 1, 1))
{
close(last_server->tcpfd);
last_server->tcpfd = -1;
continue;
}
m = (c1 << 8) | c2;
if (!read_write(last_server->tcpfd, packet, m, 1))
return packet;
if (!gotname)
strcpy(daemon->namebuff, "query");
if (last_server->addr.sa.sa_family == AF_INET)
log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
(struct all_addr *)&last_server->addr.in.sin_addr, NULL);
#ifdef HAVE_IPV6
else
log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
(struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
#endif
/* There's no point in updating the cache, since this process will exit and
lose the information after a few queries. We make this call for the alias and
bogus-nxdomain side-effects. */
/* If the crc of the question section doesn't match the crc we sent, then
someone might be attempting to insert bogus values into the cache by
sending replies containing questions and bogus answers. */
if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
m = process_reply(header, now, last_server, (unsigned int)m);
break;
}
}
/* In case of local answer or no connections made. */
if (m == 0)
m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
}
check_log_writer(NULL);
c1 = m>>8;
c2 = m;
if (!read_write(confd, &c1, 1, 0) ||
!read_write(confd, &c2, 1, 0) ||
!read_write(confd, packet, m, 0))
return packet;
}
static FR_CODE eap_fast_eap_payload(REQUEST *request, eap_session_t *eap_session,
tls_session_t *tls_session, VALUE_PAIR *tlv_eap_payload)
{
FR_CODE code = FR_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
VALUE_PAIR *vp;
eap_fast_tunnel_t *t;
REQUEST *fake;
RDEBUG2("Processing received EAP Payload");
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request, NULL);
rad_assert(!fake->packet->vps);
t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = fr_pair_afrom_da(fake->packet, attr_eap_message);
fr_pair_value_memcpy(fake->packet->vps, tlv_eap_payload->vp_octets, tlv_eap_payload->vp_length, false);
RDEBUG2("Got tunneled request");
log_request_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Tell the request that it's a fake one.
*/
MEM(fr_pair_add_by_da(fake->packet, &vp, &fake->packet->vps, attr_freeradius_proxied_to) >= 0);
fr_pair_value_from_str(vp, "127.0.0.1", sizeof("127.0.0.1"), '\0', false);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_da(fake->packet->vps, attr_user_name, TAG_ANY);
fake->password = fr_pair_find_by_da(fake->packet->vps, attr_user_password, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_da(fake->packet->vps, attr_eap_message, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == FR_EAP_CODE_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == FR_EAP_METHOD_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
MEM(t->username = fr_pair_afrom_da(t, attr_user_name));
t->username->vp_tainted = true;
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG2("Got tunneled identity of %pV", &t->username->data);
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = vp;
}
} /* else the request ALREADY had a User-Name */
if (t->stage == EAP_FAST_AUTHENTICATION) { /* FIXME do this only for MSCHAPv2 */
VALUE_PAIR *tvp;
tvp = fr_pair_afrom_da(fake, attr_eap_type);
tvp->vp_uint32 = t->default_provisioning_method;
fr_pair_add(&fake->control, tvp);
/*
* RFC 5422 section 3.2.3 - Authenticating Using EAP-FAST-MSCHAPv2
*/
if (t->mode == EAP_FAST_PROVISIONING_ANON) {
tvp = fr_pair_afrom_da(fake, attr_ms_chap_challenge);
fr_pair_value_memcpy(tvp, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false);
fr_pair_add(&fake->control, tvp);
RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->server_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 auth_challenge");
tvp = fr_pair_afrom_da(fake, attr_ms_chap_peer_challenge);
fr_pair_value_memcpy(tvp, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, false);
fr_pair_add(&fake->control, tvp);
RHEXDUMP(L_DBG_LVL_MAX, t->keyblock->client_challenge, RADIUS_CHAP_CHALLENGE_LENGTH, "MSCHAPv2 peer_challenge");
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
eap_virtual_server(request, fake, eap_session, t->virtual_server);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_da(fake->control, attr_proxy_to_realm, TAG_ANY);
if (vp) {
int ret;
eap_tunnel_data_t *tunnel;
RDEBUG2("Tunneled authentication will be proxied to %pV", &vp->data);
/*
* Tell the original request that it's going to be proxied.
*/
fr_pair_list_copy_by_da(request, &request->control, fake->control, attr_proxy_to_realm);
/*
* Seed the proxy packet with the tunneled request.
*/
rad_assert(!request->proxy);
/*
* FIXME: Actually proxy stuff
*/
request->proxy = request_alloc_fake(request, NULL);
request->proxy->packet = talloc_steal(request->proxy, fake->packet);
memset(&request->proxy->packet->src_ipaddr, 0,
sizeof(request->proxy->packet->src_ipaddr));
memset(&request->proxy->packet->src_ipaddr, 0,
sizeof(request->proxy->packet->src_ipaddr));
request->proxy->packet->src_port = 0;
request->proxy->packet->dst_port = 0;
fake->packet = NULL;
fr_radius_packet_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
/*
* Associate the callback with the request.
*/
ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false, false, false);
fr_cond_assert(ret == 0);
/*
* rlm_eap.c has taken care of associating the eap_session
* with the fake request.
*
* So we associate the fake request with this request.
*/
ret = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true, false, false);
fr_cond_assert(ret == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but we're proxying it.
*/
code = FR_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
REDEBUG("No tunneled reply was found, and the request was not proxied: rejecting the user");
code = FR_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return FR_FOO
*/
rcode = process_reply(eap_session, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = FR_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = FR_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = FR_CODE_ACCESS_ACCEPT;
break;
default:
code = FR_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
