2 * radeapclient.c EAP specific radius packet debug tool.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
27 #include <freeradius-devel/libradius.h>
35 #include <freeradius-devel/conf.h>
36 #include <freeradius-devel/radpaths.h>
37 #include <freeradius-devel/md5.h>
39 #include "eap_types.h"
42 extern int sha1_data_problems;
44 static int retries = 10;
45 static float timeout = 3;
46 static char const *secret = NULL;
47 static int do_output = 1;
48 static int do_summary = 0;
49 static int filedone = 0;
50 static int totalapp = 0;
51 static int totaldeny = 0;
52 static char filesecret[256];
53 char *radius_dir = NULL;
54 char const *progname = "radeapclient";
55 /* fr_randctx randctx; */
58 #include <freeradius-devel/tls.h>
61 log_dst_t radlog_dest = RADLOG_STDERR;
62 char const *radlog_dir = NULL;
66 struct eapsim_keys eapsim_mk;
68 static void map_eap_methods(RADIUS_PACKET *req);
69 static void unmap_eap_methods(RADIUS_PACKET *rep);
70 static int map_eapsim_types(RADIUS_PACKET *r);
71 static int unmap_eapsim_types(RADIUS_PACKET *r);
73 void debug_pair_list(UNUSED VALUE_PAIR *vp)
78 static void NEVER_RETURNS usage(void)
80 fprintf(stderr, "Usage: radeapclient [options] server[:port] <command> [<secret>]\n");
82 fprintf(stderr, " <command> One of auth, acct, status, or disconnect.\n");
83 fprintf(stderr, " -c count Send each packet 'count' times.\n");
84 fprintf(stderr, " -d raddb Set dictionary directory.\n");
85 fprintf(stderr, " -f file Read packets from file, not stdin.\n");
86 fprintf(stderr, " -r retries If timeout, retry sending the packet 'retries' times.\n");
87 fprintf(stderr, " -t timeout Wait 'timeout' seconds before retrying (may be a floating point number).\n");
88 fprintf(stderr, " -h Print usage help information.\n");
89 fprintf(stderr, " -i id Set request id to 'id'. Values may be 0..255\n");
90 fprintf(stderr, " -S file read secret from file, not command line.\n");
91 fprintf(stderr, " -q Do not print anything out.\n");
92 fprintf(stderr, " -s Print out summary information of auth results.\n");
93 fprintf(stderr, " -v Show program version information.\n");
94 fprintf(stderr, " -x Debugging mode.\n");
95 fprintf(stderr, " -4 Use IPv4 address of server\n");
96 fprintf(stderr, " -6 Use IPv6 address of server.\n");
101 int radlog(int lvl, char const *msg, ...)
106 r = lvl; /* shut up compiler */
109 r = vfprintf(stderr, msg, ap);
116 int log_debug(char const *msg, ...)
122 r = vfprintf(stderr, msg, ap);
129 void radlog_request(UNUSED int lvl, UNUSED int priority,
130 UNUSED REQUEST *request, char const *msg, ...)
135 vfprintf(stderr, msg, ap);
140 static int getport(char const *name)
144 svp = getservbyname (name, "udp");
149 return ntohs(svp->s_port);
154 static void debug_packet(RADIUS_PACKET *packet, int direction)
158 char const *received, *from;
159 const fr_ipaddr_t *ip;
164 if (direction == 0) {
165 received = "Received";
166 from = "from"; /* what else? */
167 ip = &packet->src_ipaddr;
168 port = packet->src_port;
171 received = "Sending";
172 from = "to"; /* hah! */
173 ip = &packet->dst_ipaddr;
174 port = packet->dst_port;
178 * Client-specific debugging re-prints the input
179 * packet into the client log.
181 * This really belongs in a utility library
183 if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
184 printf("%s %s packet %s host %s port %d, id=%d, length=%d\n",
185 received, fr_packet_codes[packet->code], from,
186 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
187 port, packet->id, (int) packet->data_len);
189 printf("%s packet %s host %s port %d code=%d, id=%d, length=%d\n",
191 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
193 packet->code, packet->id, (int) packet->data_len);
196 for (vp = packet->vps; vp != NULL; vp = vp->next) {
197 vp_prints(buffer, sizeof(buffer), vp);
198 printf("\t%s\n", buffer);
204 static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
209 for (i = 0; i < retries; i++) {
212 debug_packet(req, R_SENT);
214 rad_send(req, NULL, secret);
216 /* And wait for reply, timing out as necessary */
218 FD_SET(req->sockfd, &rdfdesc);
220 tv.tv_sec = (int)timeout;
221 tv.tv_usec = 1000000 * (timeout - (int) timeout);
223 /* Something's wrong if we don't get exactly one fd. */
224 if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
228 *rep = rad_recv(req->sockfd, 0);
231 * If we get a response from a machine
232 * which we did NOT send a request to,
235 if (((*rep)->src_ipaddr.af != req->dst_ipaddr.af) ||
236 (memcmp(&(*rep)->src_ipaddr.ipaddr,
237 &req->dst_ipaddr.ipaddr,
238 ((req->dst_ipaddr.af == AF_INET ? /* AF_INET6? */
239 sizeof(req->dst_ipaddr.ipaddr.ip4addr) : /* FIXME: AF_INET6 */
240 sizeof(req->dst_ipaddr.ipaddr.ip6addr)))) != 0) ||
241 ((*rep)->src_port != req->dst_port)) {
242 char src[128], dst[128];
244 ip_ntoh(&(*rep)->src_ipaddr, src, sizeof(src));
245 ip_ntoh(&req->dst_ipaddr, dst, sizeof(dst));
246 fprintf(stderr, "radclient: ERROR: Sent request to host %s port %d, got response from host %s port %d\n!",
248 src, (*rep)->src_port);
252 } else { /* NULL: couldn't receive the packet */
253 fr_perror("radclient:");
258 /* No response or no data read (?) */
260 fprintf(stderr, "radclient: no response from server\n");
265 * FIXME: Discard the packet & listen for another.
267 * Hmm... we should really be using eapol_test, which does
268 * a lot more than radeapclient.
270 if (rad_verify(*rep, req, secret) != 0) {
271 fr_perror("rad_verify");
275 if (rad_decode(*rep, req, secret) != 0) {
276 fr_perror("rad_decode");
280 /* libradius debug already prints out the value pairs for us */
281 if (!fr_debug_flag && do_output) {
282 debug_packet(*rep, R_RECV);
284 if((*rep)->code == PW_AUTHENTICATION_ACK) {
286 } else if ((*rep)->code == PW_AUTHENTICATION_REJECT) {
293 static void cleanresp(RADIUS_PACKET *resp)
295 VALUE_PAIR *vpnext, *vp, **last;
299 * maybe should just copy things we care about, or keep
300 * a copy of the original input and start from there again?
302 pairdelete(&resp->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
303 pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY, 0, TAG_ANY);
306 for(vp = *last; vp != NULL; vp = vpnext)
310 if((vp->da->attribute > ATTRIBUTE_EAP_BASE &&
311 vp->da->attribute <= ATTRIBUTE_EAP_BASE+256) ||
312 (vp->da->attribute > ATTRIBUTE_EAP_SIM_BASE &&
313 vp->da->attribute <= ATTRIBUTE_EAP_SIM_BASE+256))
324 * we got an EAP-Request/Sim/Start message in a legal state.
326 * pick a supported version, put it into the reply, and insert a nonce.
328 static int process_eap_start(RADIUS_PACKET *req,
331 VALUE_PAIR *vp, *newvp;
332 VALUE_PAIR *anyidreq_vp, *fullauthidreq_vp, *permanentidreq_vp;
333 uint16_t *versions, selectedversion;
334 unsigned int i,versioncount;
336 /* form new response clear of any EAP stuff */
339 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_VERSION_LIST, 0, TAG_ANY)) == NULL) {
340 fprintf(stderr, "illegal start message has no VERSION_LIST\n");
344 versions = (uint16_t *)vp->vp_strvalue;
346 /* verify that the attribute length is big enough for a length field */
349 fprintf(stderr, "start message has illegal VERSION_LIST. Too short: %u\n", (unsigned int) vp->length);
353 versioncount = ntohs(versions[0])/2;
354 /* verify that the attribute length is big enough for the given number
355 * of versions present.
357 if((unsigned)vp->length <= (versioncount*2 + 2))
359 fprintf(stderr, "start message is too short. Claimed %d versions does not fit in %u bytes\n", versioncount, (unsigned int) vp->length);
364 * record the versionlist for the MK calculation.
366 eapsim_mk.versionlistlen = versioncount*2;
367 memcpy(eapsim_mk.versionlist, (unsigned char *)(versions+1),
368 eapsim_mk.versionlistlen);
370 /* walk the version list, and pick the one we support, which
371 * at present, is 1, EAP_SIM_VERSION.
374 for(i=0; i < versioncount; i++)
376 if(ntohs(versions[i+1]) == EAP_SIM_VERSION)
378 selectedversion=EAP_SIM_VERSION;
382 if(selectedversion == 0)
384 fprintf(stderr, "eap-sim start message. No compatible version found. We need %d\n", EAP_SIM_VERSION);
385 for(i=0; i < versioncount; i++)
387 fprintf(stderr, "\tfound version %d\n",
388 ntohs(versions[i+1]));
393 * now make sure that we have only FULLAUTH_ID_REQ.
394 * I think that it actually might not matter - we can answer in
395 * anyway we like, but it is illegal to have more than one
398 anyidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_ANY_ID_REQ, 0, TAG_ANY);
399 fullauthidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_FULLAUTH_ID_REQ, 0, TAG_ANY);
400 permanentidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_PERMANENT_ID_REQ, 0, TAG_ANY);
402 if(!fullauthidreq_vp ||
403 anyidreq_vp != NULL ||
404 permanentidreq_vp != NULL) {
405 fprintf(stderr, "start message has %sanyidreq, %sfullauthid and %spermanentid. Illegal combination.\n",
406 (anyidreq_vp != NULL ? "a " : "no "),
407 (fullauthidreq_vp != NULL ? "a " : "no "),
408 (permanentidreq_vp != NULL ? "a " : "no "));
412 /* okay, we have just any_id_req there, so fill in response */
414 /* mark the subtype as being EAP-SIM/Response/Start */
415 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, 0, PW_TYPE_INTEGER);
416 newvp->vp_integer = eapsim_start;
417 pairreplace(&(rep->vps), newvp);
419 /* insert selected version into response. */
420 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_SELECTED_VERSION,
422 versions = (uint16_t *)newvp->vp_strvalue;
423 versions[0] = htons(selectedversion);
425 pairreplace(&(rep->vps), newvp);
427 /* record the selected version */
428 memcpy(eapsim_mk.versionselect, (unsigned char *)versions, 2);
435 * insert a nonce_mt that we make up.
437 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_NONCE_MT,
439 newvp->vp_octets[0]=0;
440 newvp->vp_octets[1]=0;
441 newvp->length = 18; /* 16 bytes of nonce + padding */
447 memcpy(&newvp->vp_octets[2], nonce, 16);
448 pairreplace(&(rep->vps), newvp);
450 /* also keep a copy of the nonce! */
451 memcpy(eapsim_mk.nonce_mt, nonce, 16);
455 uint16_t *pidlen, idlen;
458 * insert the identity here.
460 vp = pairfind(rep->vps, PW_USER_NAME, 0, TAG_ANY);
463 fprintf(stderr, "eap-sim: We need to have a User-Name attribute!\n");
466 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_IDENTITY,
468 idlen = strlen(vp->vp_strvalue);
469 pidlen = (uint16_t *)newvp->vp_strvalue;
470 *pidlen = htons(idlen);
471 newvp->length = idlen + 2;
473 memcpy(&newvp->vp_strvalue[2], vp->vp_strvalue, idlen);
474 pairreplace(&(rep->vps), newvp);
477 memcpy(eapsim_mk.identity, vp->vp_strvalue, idlen);
478 eapsim_mk.identitylen = idlen;
485 * we got an EAP-Request/Sim/Challenge message in a legal state.
487 * use the RAND challenge to produce the SRES result, and then
488 * use that to generate a new MAC.
490 * for the moment, we ignore the RANDs, then just plug in the SRES
494 static int process_eap_challenge(RADIUS_PACKET *req,
498 VALUE_PAIR *mac, *randvp;
499 VALUE_PAIR *sres1,*sres2,*sres3;
500 VALUE_PAIR *Kc1, *Kc2, *Kc3;
503 /* look for the AT_MAC and the challenge data */
504 mac = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
505 randvp= pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_RAND, 0, TAG_ANY);
506 if(!mac || !randvp) {
507 fprintf(stderr, "radeapclient: challenge message needs to contain RAND and MAC\n");
512 * compare RAND with randX, to verify this is the right response
516 VALUE_PAIR *randcfgvp[3];
519 randcfg[0] = &randvp->vp_octets[2];
520 randcfg[1] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE];
521 randcfg[2] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE*2];
523 randcfgvp[0] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND1, 0, TAG_ANY);
524 randcfgvp[1] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND2, 0, TAG_ANY);
525 randcfgvp[2] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND3, 0, TAG_ANY);
530 fprintf(stderr, "radeapclient: needs to have rand1, 2 and 3 set.\n");
534 if(memcmp(randcfg[0], randcfgvp[0]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
535 memcmp(randcfg[1], randcfgvp[1]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
536 memcmp(randcfg[2], randcfgvp[2]->vp_octets, EAPSIM_RAND_SIZE)!=0) {
539 fprintf(stderr, "radeapclient: one of rand 1,2,3 didn't match\n");
540 for(rnum = 0; rnum < 3; rnum++) {
541 fprintf(stderr, "received rand %d: ", rnum);
543 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
550 fprintf(stderr, "%02x", randcfg[rnum][i]);
552 fprintf(stderr, "\nconfigured rand %d: ", rnum);
554 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
561 fprintf(stderr, "%02x", randcfgvp[rnum]->vp_octets[i]);
563 fprintf(stderr, "\n");
570 * now dig up the sres values from the response packet,
571 * which were put there when we read things in.
573 * Really, they should be calculated from the RAND!
576 sres1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES1, 0, TAG_ANY);
577 sres2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES2, 0, TAG_ANY);
578 sres3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES3, 0, TAG_ANY);
583 fprintf(stderr, "radeapclient: needs to have sres1, 2 and 3 set.\n");
586 memcpy(eapsim_mk.sres[0], sres1->vp_strvalue, sizeof(eapsim_mk.sres[0]));
587 memcpy(eapsim_mk.sres[1], sres2->vp_strvalue, sizeof(eapsim_mk.sres[1]));
588 memcpy(eapsim_mk.sres[2], sres3->vp_strvalue, sizeof(eapsim_mk.sres[2]));
590 Kc1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC1, 0, TAG_ANY);
591 Kc2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC2, 0, TAG_ANY);
592 Kc3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC3, 0, TAG_ANY);
597 fprintf(stderr, "radeapclient: needs to have Kc1, 2 and 3 set.\n");
600 memcpy(eapsim_mk.Kc[0], Kc1->vp_strvalue, sizeof(eapsim_mk.Kc[0]));
601 memcpy(eapsim_mk.Kc[1], Kc2->vp_strvalue, sizeof(eapsim_mk.Kc[1]));
602 memcpy(eapsim_mk.Kc[2], Kc3->vp_strvalue, sizeof(eapsim_mk.Kc[2]));
604 /* all set, calculate keys */
605 eapsim_calculate_keys(&eapsim_mk);
608 eapsim_dump_mk(&eapsim_mk);
611 /* verify the MAC, now that we have all the keys. */
612 if(eapsim_checkmac(NULL, req->vps, eapsim_mk.K_aut,
613 eapsim_mk.nonce_mt, sizeof(eapsim_mk.nonce_mt),
615 printf("MAC check succeed\n");
619 printf("calculated MAC (");
620 for (i = 0; i < 20; i++) {
627 printf("%02x", calcmac[i]);
629 printf(" did not match\n");
633 /* form new response clear of any EAP stuff */
636 /* mark the subtype as being EAP-SIM/Response/Start */
637 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, 0, PW_TYPE_INTEGER);
638 newvp->vp_integer = eapsim_challenge;
639 pairreplace(&(rep->vps), newvp);
642 * fill the SIM_MAC with a field that will in fact get appended
643 * to the packet before the MAC is calculated
645 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0,
647 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*0, sres1->vp_strvalue, EAPSIM_SRES_SIZE);
648 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*1, sres2->vp_strvalue, EAPSIM_SRES_SIZE);
649 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*2, sres3->vp_strvalue, EAPSIM_SRES_SIZE);
650 newvp->length = EAPSIM_SRES_SIZE*3;
651 pairreplace(&(rep->vps), newvp);
653 newvp = paircreate(ATTRIBUTE_EAP_SIM_KEY, 0, PW_TYPE_OCTETS);
654 memcpy(newvp->vp_strvalue, eapsim_mk.K_aut, EAPSIM_AUTH_SIZE);
655 newvp->length = EAPSIM_AUTH_SIZE;
656 pairreplace(&(rep->vps), newvp);
662 * this code runs the EAP-SIM client state machine.
663 * the *request* is from the server.
664 * the *reponse* is to the server.
667 static int respond_eap_sim(RADIUS_PACKET *req,
670 enum eapsim_clientstates state, newstate;
671 enum eapsim_subtype subtype;
672 VALUE_PAIR *vp, *statevp, *radstate, *eapid;
673 char statenamebuf[32], subtypenamebuf[32];
675 if ((radstate = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
680 if ((eapid = paircopy2(NULL, req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY)) == NULL)
685 /* first, dig up the state from the request packet, setting
686 * outselves to be in EAP-SIM-Start state if there is none.
689 if((statevp = pairfind(resp->vps, ATTRIBUTE_EAP_SIM_STATE, 0, TAG_ANY)) == NULL)
691 /* must be initial request */
692 statevp = paircreate(ATTRIBUTE_EAP_SIM_STATE, 0, PW_TYPE_INTEGER);
693 statevp->vp_integer = eapsim_client_init;
694 pairreplace(&(resp->vps), statevp);
696 state = statevp->vp_integer;
699 * map the attributes, and authenticate them.
701 unmap_eapsim_types(req);
703 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_SUBTYPE, 0, TAG_ANY)) == NULL)
707 subtype = vp->vp_integer;
710 * look for the appropriate state, and process incoming message
713 case eapsim_client_init:
716 newstate = process_eap_start(req, resp);
719 case eapsim_challenge:
720 case eapsim_notification:
723 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
724 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
725 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
726 /* invalid state, drop message */
731 case eapsim_client_start:
734 /* NOT SURE ABOUT THIS ONE, retransmit, I guess */
735 newstate = process_eap_start(req, resp);
738 case eapsim_challenge:
739 newstate = process_eap_challenge(req, resp);
743 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
744 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
745 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
746 /* invalid state, drop message */
753 fprintf(stderr, "radeapclient: sim in illegal state %s\n",
754 sim_state2name(state, statenamebuf, sizeof(statenamebuf)));
758 /* copy the eap state object in */
759 pairreplace(&(resp->vps), eapid);
761 /* update stete info, and send new packet */
762 map_eapsim_types(resp);
764 /* copy the radius state object in */
765 pairreplace(&(resp->vps), radstate);
767 statevp->vp_integer = newstate;
771 static int respond_eap_md5(RADIUS_PACKET *req,
774 VALUE_PAIR *vp, *id, *state;
775 size_t valuesize, namesize;
780 uint8_t response[16];
784 if ((state = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
786 fprintf(stderr, "radeapclient: no state attribute found\n");
790 if ((id = paircopy2(NULL, req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY)) == NULL)
792 fprintf(stderr, "radeapclient: no EAP-ID attribute found\n");
795 identifier = id->vp_integer;
797 if ((vp = pairfind(req->vps, ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0, TAG_ANY)) == NULL)
799 fprintf(stderr, "radeapclient: no EAP-MD5 attribute found\n");
803 /* got the details of the MD5 challenge */
804 valuesize = vp->vp_octets[0];
805 value = &vp->vp_octets[1];
806 name = &vp->vp_octets[valuesize+1];
807 namesize = vp->length - (valuesize + 1);
810 if(valuesize > vp->length)
812 fprintf(stderr, "radeapclient: md5 valuesize if too big (%u > %u)\n",
813 (unsigned int) valuesize, (unsigned int) vp->length);
817 /* now do the CHAP operation ourself, rather than build the
818 * buffer. We could also call rad_chap_encode, but it wants
819 * a CHAP-Challenge, which we don't want to bother with.
821 fr_MD5Init(&context);
822 fr_MD5Update(&context, &identifier, 1);
823 fr_MD5Update(&context, (uint8_t *) password, strlen(password));
824 fr_MD5Update(&context, value, valuesize);
825 fr_MD5Final(response, &context);
827 vp = paircreate(ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0, PW_TYPE_OCTETS);
829 memcpy(&vp->vp_strvalue[1], response, 16);
832 pairreplace(&(rep->vps), vp);
834 pairreplace(&(rep->vps), id);
836 /* copy the state object in */
837 pairreplace(&(rep->vps), state);
844 static int sendrecv_eap(RADIUS_PACKET *rep)
846 RADIUS_PACKET *req = NULL;
847 VALUE_PAIR *vp, *vpnext;
848 int tried_eap_md5 = 0;
851 * Keep a copy of the the User-Password attribute.
853 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
854 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
856 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
857 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
859 * Otherwise keep a copy of the CHAP-Password attribute.
861 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
862 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
871 * if there are EAP types, encode them into an EAP-Message
874 map_eap_methods(rep);
877 * Fix up Digest-Attributes issues
879 for (vp = rep->vps; vp != NULL; vp = vp->next) {
880 switch (vp->da->attribute) {
884 case PW_DIGEST_REALM:
885 case PW_DIGEST_NONCE:
886 case PW_DIGEST_METHOD:
889 case PW_DIGEST_ALGORITHM:
890 case PW_DIGEST_BODY_DIGEST:
891 case PW_DIGEST_CNONCE:
892 case PW_DIGEST_NONCE_COUNT:
893 case PW_DIGEST_USER_NAME:
895 memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
896 vp->vp_octets[0] = vp->da->attribute - PW_DIGEST_REALM + 1;
898 vp->vp_octets[1] = vp->length;
899 vp->da->attribute = PW_DIGEST_ATTRIBUTES;
905 * If we've already sent a packet, free up the old
906 * one, and ensure that the next packet has a unique
907 * ID and authentication vector.
910 talloc_free(rep->data);
914 fr_md5_calc(rep->vector, rep->vector,
915 sizeof(rep->vector));
917 if (*password != '\0') {
918 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
919 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
920 vp->length = strlen(password);
922 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
923 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
924 vp->length = strlen(password);
926 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
927 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
928 vp->length = strlen(password);
930 rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
933 } /* there WAS a password */
935 /* send the response, wait for the next request */
936 send_packet(rep, &req);
938 /* okay got back the packet, go and decode the EAP-Message. */
939 unmap_eap_methods(req);
941 debug_packet(req, R_RECV);
943 /* now look for the code type. */
944 for (vp = req->vps; vp != NULL; vp = vpnext) {
947 switch (vp->da->attribute) {
951 case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
952 if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
959 case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
960 if(respond_eap_sim(req, rep))
972 int main(int argc, char **argv)
978 char *filename = NULL;
982 int force_af = AF_UNSPEC;
984 id = ((int)getpid() & 0xff);
987 radlog_dest = RADLOG_STDERR;
989 while ((c = getopt(argc, argv, "46c:d:f:hi:qst:r:S:xXv")) != EOF)
999 if (!isdigit((int) *optarg))
1001 count = atoi(optarg);
1004 radius_dir = strdup(optarg);
1019 sha1_data_problems = 1; /* for debugging only */
1026 if (!isdigit((int) *optarg))
1028 retries = atoi(optarg);
1031 if (!isdigit((int) *optarg))
1034 if ((id < 0) || (id > 255)) {
1042 if (!isdigit((int) *optarg))
1044 timeout = atof(optarg);
1047 printf("radclient: $Id$ built on " __DATE__ " at " __TIME__ "\n");
1051 fp = fopen(optarg, "r");
1053 fprintf(stderr, "radclient: Error opening %s: %s\n",
1054 optarg, strerror(errno));
1057 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1058 fprintf(stderr, "radclient: Error reading %s: %s\n",
1059 optarg, strerror(errno));
1064 /* truncate newline */
1065 p = filesecret + strlen(filesecret) - 1;
1066 while ((p >= filesecret) &&
1072 if (strlen(filesecret) < 2) {
1073 fprintf(stderr, "radclient: Secret in %s is too short\n", optarg);
1076 secret = filesecret;
1084 argc -= (optind - 1);
1085 argv += (optind - 1);
1088 ((!secret) && (argc < 4))) {
1092 if (!radius_dir) radius_dir = strdup(RADDBDIR);
1094 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1095 fr_perror("radclient");
1099 req = rad_alloc(NULL, 1);
1101 fr_perror("radclient");
1109 if((randinit = fopen("/dev/urandom", "r")) == NULL)
1111 perror("/dev/urandom");
1113 fread(randctx.randrsl, 256, 1, randinit);
1117 fr_randinit(&randctx, 1);
1125 if (force_af == AF_UNSPEC) force_af = AF_INET;
1126 req->dst_ipaddr.af = force_af;
1127 if (strcmp(argv[1], "-") != 0) {
1128 char const *hostname = argv[1];
1129 char const *portname = argv[1];
1132 if (*argv[1] == '[') { /* IPv6 URL encoded */
1133 p = strchr(argv[1], ']');
1134 if ((size_t) (p - argv[1]) >= sizeof(buffer)) {
1138 memcpy(buffer, argv[1] + 1, p - argv[1] - 1);
1139 buffer[p - argv[1] - 1] = '\0';
1145 p = strchr(portname, ':');
1146 if (p && (strchr(p + 1, ':') == NULL)) {
1153 if (ip_hton(hostname, force_af, &req->dst_ipaddr) < 0) {
1154 fprintf(stderr, "radclient: Failed to find IP address for host %s: %s\n", hostname, strerror(errno));
1159 * Strip port from hostname if needed.
1161 if (portname) port = atoi(portname);
1165 * See what kind of request we want to send.
1167 if (strcmp(argv[2], "auth") == 0) {
1168 if (port == 0) port = getport("radius");
1169 if (port == 0) port = PW_AUTH_UDP_PORT;
1170 req->code = PW_AUTHENTICATION_REQUEST;
1172 } else if (strcmp(argv[2], "acct") == 0) {
1173 if (port == 0) port = getport("radacct");
1174 if (port == 0) port = PW_ACCT_UDP_PORT;
1175 req->code = PW_ACCOUNTING_REQUEST;
1178 } else if (strcmp(argv[2], "status") == 0) {
1179 if (port == 0) port = getport("radius");
1180 if (port == 0) port = PW_AUTH_UDP_PORT;
1181 req->code = PW_STATUS_SERVER;
1183 } else if (strcmp(argv[2], "disconnect") == 0) {
1184 if (port == 0) port = PW_POD_UDP_PORT;
1185 req->code = PW_DISCONNECT_REQUEST;
1187 } else if (isdigit((int) argv[2][0])) {
1188 if (port == 0) port = getport("radius");
1189 if (port == 0) port = PW_AUTH_UDP_PORT;
1190 req->code = atoi(argv[2]);
1194 req->dst_port = port;
1199 if (argv[3]) secret = argv[3];
1203 * Maybe read them, from stdin, if there's no
1204 * filename, or if the filename is '-'.
1206 if (filename && (strcmp(filename, "-") != 0)) {
1207 fp = fopen(filename, "r");
1209 fprintf(stderr, "radclient: Error opening %s: %s\n",
1210 filename, strerror(errno));
1220 if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
1221 perror("radclient: socket: ");
1226 if(req->vps) pairfree(&req->vps);
1228 if ((req->vps = readvp2(fp, &filedone, "radeapclient:"))
1238 printf("\n\t Total approved auths: %d\n", totalapp);
1239 printf("\t Total denied auths: %d\n", totaldeny);
1245 * given a radius request with some attributes in the EAP range, build
1246 * them all into a single EAP-Message body.
1248 * Note that this function will build multiple EAP-Message bodies
1249 * if there are multiple eligible EAP-types. This is incorrect, as the
1250 * recipient will in fact concatenate them.
1252 * XXX - we could break the loop once we process one type. Maybe this
1253 * just deserves an assert?
1256 static void map_eap_methods(RADIUS_PACKET *req)
1258 VALUE_PAIR *vp, *vpnext;
1263 vp = pairfind(req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY);
1265 id = ((int)getpid() & 0xff);
1267 id = vp->vp_integer;
1270 vp = pairfind(req->vps, ATTRIBUTE_EAP_CODE, 0, TAG_ANY);
1272 eapcode = PW_EAP_REQUEST;
1274 eapcode = vp->vp_integer;
1278 for(vp = req->vps; vp != NULL; vp = vpnext) {
1279 /* save it in case it changes! */
1282 if(vp->da->attribute >= ATTRIBUTE_EAP_BASE &&
1283 vp->da->attribute < ATTRIBUTE_EAP_BASE+256) {
1292 eap_method = vp->da->attribute - ATTRIBUTE_EAP_BASE;
1294 switch(eap_method) {
1295 case PW_EAP_IDENTITY:
1296 case PW_EAP_NOTIFICATION:
1307 * no known special handling, it is just encoded as an
1308 * EAP-message with the given type.
1311 /* nuke any existing EAP-Messages */
1312 pairdelete(&req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1314 memset(&ep, 0, sizeof(ep));
1317 ep.type.num = eap_method;
1318 ep.type.length = vp->length;
1319 ep.type.data = vp->vp_octets; /* no need for copy */
1320 eap_basic_compose(req, &ep);
1325 * given a radius request with an EAP-Message body, decode it specific
1328 static void unmap_eap_methods(RADIUS_PACKET *rep)
1331 eap_packet_raw_t *e;
1335 /* find eap message */
1336 e = eap_vp2packet(NULL, rep->vps);
1338 /* nothing to do! */
1341 /* create EAP-ID and EAP-CODE attributes to start */
1342 eap1 = paircreate(rep, ATTRIBUTE_EAP_ID, 0, PW_TYPE_INTEGER);
1343 eap1->vp_integer = e->id;
1344 pairadd(&(rep->vps), eap1);
1346 eap1 = paircreate(rep, ATTRIBUTE_EAP_CODE, 0, PW_TYPE_INTEGER);
1347 eap1->vp_integer = e->code;
1348 pairadd(&(rep->vps), eap1);
1353 case PW_EAP_SUCCESS:
1354 case PW_EAP_FAILURE:
1358 case PW_EAP_REQUEST:
1359 case PW_EAP_RESPONSE:
1360 /* there is a type field, which we use to create
1361 * a new attribute */
1363 /* the length was decode already into the attribute
1364 * length, and was checked already. Network byte
1365 * order, just pull it out using math.
1367 len = e->length[0]*256 + e->length[1];
1369 /* verify the length is big enough to hold type */
1378 type += ATTRIBUTE_EAP_BASE;
1381 if(len > MAX_STRING_LEN) {
1382 len = MAX_STRING_LEN;
1385 eap1 = paircreate(rep, type, 0);
1386 memcpy(eap1->vp_strvalue, &e->data[1], len);
1388 pairadd(&(rep->vps), eap1);
1396 static int map_eapsim_types(RADIUS_PACKET *r)
1401 memset(&ep, 0, sizeof(ep));
1402 ret = map_eapsim_basictypes(r, &ep);
1406 eap_basic_compose(r, &ep);
1411 static int unmap_eapsim_types(RADIUS_PACKET *r)
1415 esvp = pairfind(r->vps, ATTRIBUTE_EAP_BASE+PW_EAP_SIM, 0, TAG_ANY);
1417 ERROR("eap: EAP-Sim attribute not found");
1421 return unmap_eapsim_basictypes(r, esvp->vp_octets, esvp->length);
1428 char const *radius_dir = RADDBDIR;
1430 int radlog(int lvl, char const *msg, ...)
1436 r = vfprintf(stderr, msg, ap);
1438 fputc('\n', stderr);
1443 main(int argc, char *argv[])
1446 RADIUS_PACKET *req,*req2;
1447 VALUE_PAIR *vp, *vpkey, *vpextra;
1448 extern unsigned int sha1_data_problems;
1455 sha1_data_problems = 1;
1458 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1459 fr_perror("radclient");
1463 req = rad_alloc(NULL, 1)
1465 fr_perror("radclient");
1469 req2 = rad_alloc(NULL, 1);
1471 fr_perror("radclient");
1476 if(req->vps) pairfree(&req->vps);
1477 if(req2->vps) pairfree(&req2->vps);
1479 if ((req->vps = readvp2(stdin, &filedone, "eapsimlib:")) == NULL) {
1483 if (fr_debug_flag > 1) {
1484 printf("\nRead:\n");
1485 vp_printlist(stdout, req->vps);
1488 map_eapsim_types(req);
1489 map_eap_methods(req);
1491 if (fr_debug_flag > 1) {
1492 printf("Mapped to:\n");
1493 vp_printlist(stdout, req->vps);
1496 /* find the EAP-Message, copy it to req2 */
1497 vp = paircopy2(NULL, req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1501 pairadd(&req2->vps, vp);
1503 /* only call unmap for sim types here */
1504 unmap_eap_methods(req2);
1505 unmap_eapsim_types(req2);
1507 if (fr_debug_flag > 1) {
1508 printf("Unmapped to:\n");
1509 vp_printlist(stdout, req2->vps);
1512 vp = pairfind(req2->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
1513 vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY, 0, TAG_ANY);
1514 vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA, 0, TAG_ANY);
1516 if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
1517 uint8_t calcmac[16];
1519 /* find the EAP-Message, copy it to req2 */
1521 memset(calcmac, 0, sizeof(calcmac));
1522 printf("Confirming MAC...");
1523 if(eapsim_checkmac(req2->vps, vpkey->vp_strvalue,
1524 vpextra->vp_strvalue, vpextra->length,
1526 printf("succeed\n");
1530 printf("calculated MAC (");
1531 for (i = 0; i < 20; i++) {
1538 printf("%02x", calcmac[i]);
1540 printf(" did not match\n");