2 * radeapclient.c EAP specific radius packet debug tool.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
27 #include <freeradius-devel/libradius.h>
35 #include <freeradius-devel/conf.h>
36 #include <freeradius-devel/radpaths.h>
37 #include <freeradius-devel/md5.h>
39 #include "eap_types.h"
42 extern int sha1_data_problems;
44 static int retries = 10;
45 static float timeout = 3;
46 static char const *secret = NULL;
47 static int do_output = 1;
48 static int do_summary = 0;
49 static bool filedone = false;
50 static int totalapp = 0;
51 static int totaldeny = 0;
52 static char filesecret[256];
53 char const *radius_dir = NULL;
54 char const *dict_dir = NULL;
55 char const *progname = "radeapclient";
56 /* fr_randctx randctx; */
58 struct main_config_t mainconfig;
59 char const *radiusd_version = "";
62 #include <freeradius-devel/tls.h>
65 log_dst_t radlog_dest = L_DST_STDERR;
66 char const *radlog_dir = NULL;
67 log_debug_t debug_flag = 0;
70 struct eapsim_keys eapsim_mk;
72 static void map_eap_methods(RADIUS_PACKET *req);
73 static void unmap_eap_methods(RADIUS_PACKET *rep);
74 static int map_eapsim_types(RADIUS_PACKET *r);
75 static int unmap_eapsim_types(RADIUS_PACKET *r);
77 void debug_pair_list(UNUSED VALUE_PAIR *vp)
82 static void NEVER_RETURNS usage(void)
84 fprintf(stderr, "Usage: radeapclient [options] server[:port] <command> [<secret>]\n");
86 fprintf(stderr, " <command> One of auth, acct, status, or disconnect.\n");
87 fprintf(stderr, " -d raddb Set dictionary directory.\n");
88 fprintf(stderr, " -f file Read packets from file, not stdin.\n");
89 fprintf(stderr, " -r retries If timeout, retry sending the packet 'retries' times.\n");
90 fprintf(stderr, " -t timeout Wait 'timeout' seconds before retrying (may be a floating point number).\n");
91 fprintf(stderr, " -h Print usage help information.\n");
92 fprintf(stderr, " -i id Set request id to 'id'. Values may be 0..255\n");
93 fprintf(stderr, " -S file read secret from file, not command line.\n");
94 fprintf(stderr, " -q Do not print anything out.\n");
95 fprintf(stderr, " -s Print out summary information of auth results.\n");
96 fprintf(stderr, " -v Show program version information.\n");
97 fprintf(stderr, " -x Debugging mode.\n");
98 fprintf(stderr, " -4 Use IPv4 address of server\n");
99 fprintf(stderr, " -6 Use IPv6 address of server.\n");
104 int radlog(log_type_t lvl, char const *fmt, ...)
109 r = lvl; /* shut up compiler */
112 r = vfprintf(stderr, fmt, ap);
119 void vradlog_request(UNUSED log_type_t lvl, UNUSED log_debug_t priority,
120 UNUSED REQUEST *request, char const *msg, va_list ap)
122 vfprintf(stderr, msg, ap);
126 static int getport(char const *name)
130 svp = getservbyname (name, "udp");
135 return ntohs(svp->s_port);
140 static void debug_packet(RADIUS_PACKET *packet, int direction)
144 char const *received, *from;
145 fr_ipaddr_t const *ip;
150 if (direction == 0) {
151 received = "Received";
152 from = "from"; /* what else? */
153 ip = &packet->src_ipaddr;
154 port = packet->src_port;
157 received = "Sending";
158 from = "to"; /* hah! */
159 ip = &packet->dst_ipaddr;
160 port = packet->dst_port;
164 * Client-specific debugging re-prints the input
165 * packet into the client log.
167 * This really belongs in a utility library
169 if (is_radius_code(packet->code)) {
170 printf("%s %s packet %s host %s port %d, id=%d, length=%d\n",
171 received, fr_packet_codes[packet->code], from,
172 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
173 port, packet->id, (int) packet->data_len);
175 printf("%s packet %s host %s port %d code=%d, id=%d, length=%d\n",
177 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
179 packet->code, packet->id, (int) packet->data_len);
182 for (vp = packet->vps; vp != NULL; vp = vp->next) {
183 vp_prints(buffer, sizeof(buffer), vp);
184 printf("\t%s\n", buffer);
190 static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
195 for (i = 0; i < retries; i++) {
198 debug_packet(req, R_SENT);
200 rad_send(req, NULL, secret);
202 /* And wait for reply, timing out as necessary */
204 FD_SET(req->sockfd, &rdfdesc);
206 tv.tv_sec = (int)timeout;
207 tv.tv_usec = 1000000 * (timeout - (int) timeout);
209 /* Something's wrong if we don't get exactly one fd. */
210 if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
214 *rep = rad_recv(req->sockfd, 0);
217 * If we get a response from a machine
218 * which we did NOT send a request to,
221 if (((*rep)->src_ipaddr.af != req->dst_ipaddr.af) ||
222 (memcmp(&(*rep)->src_ipaddr.ipaddr,
223 &req->dst_ipaddr.ipaddr,
224 ((req->dst_ipaddr.af == AF_INET ? /* AF_INET6? */
225 sizeof(req->dst_ipaddr.ipaddr.ip4addr) : /* FIXME: AF_INET6 */
226 sizeof(req->dst_ipaddr.ipaddr.ip6addr)))) != 0) ||
227 ((*rep)->src_port != req->dst_port)) {
228 char src[128], dst[128];
230 ip_ntoh(&(*rep)->src_ipaddr, src, sizeof(src));
231 ip_ntoh(&req->dst_ipaddr, dst, sizeof(dst));
232 fprintf(stderr, "radclient: ERROR: Sent request to host %s port %d, got response from host %s port %d\n!",
234 src, (*rep)->src_port);
238 } else { /* NULL: couldn't receive the packet */
239 fr_perror("radclient:");
244 /* No response or no data read (?) */
246 fprintf(stderr, "radclient: no response from server\n");
251 * FIXME: Discard the packet & listen for another.
253 * Hmm... we should really be using eapol_test, which does
254 * a lot more than radeapclient.
256 if (rad_verify(*rep, req, secret) != 0) {
257 fr_perror("rad_verify");
261 if (rad_decode(*rep, req, secret) != 0) {
262 fr_perror("rad_decode");
266 /* libradius debug already prints out the value pairs for us */
267 if (!fr_debug_flag && do_output) {
268 debug_packet(*rep, R_RECV);
270 if((*rep)->code == PW_CODE_AUTHENTICATION_ACK) {
272 } else if ((*rep)->code == PW_CODE_AUTHENTICATION_REJECT) {
279 static void cleanresp(RADIUS_PACKET *resp)
281 VALUE_PAIR *vpnext, *vp, **last;
285 * maybe should just copy things we care about, or keep
286 * a copy of the original input and start from there again?
288 pairdelete(&resp->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
289 pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY, 0, TAG_ANY);
292 for(vp = *last; vp != NULL; vp = vpnext)
296 if((vp->da->attr > ATTRIBUTE_EAP_BASE &&
297 vp->da->attr <= ATTRIBUTE_EAP_BASE+256) ||
298 (vp->da->attr > ATTRIBUTE_EAP_SIM_BASE &&
299 vp->da->attr <= ATTRIBUTE_EAP_SIM_BASE+256))
310 * we got an EAP-Request/Sim/Start message in a legal state.
312 * pick a supported version, put it into the reply, and insert a nonce.
314 static int process_eap_start(RADIUS_PACKET *req,
317 VALUE_PAIR *vp, *newvp;
318 VALUE_PAIR *anyidreq_vp, *fullauthidreq_vp, *permanentidreq_vp;
319 uint16_t const *versions;
320 uint16_t selectedversion;
321 unsigned int i,versioncount;
323 /* form new response clear of any EAP stuff */
326 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_VERSION_LIST, 0, TAG_ANY)) == NULL) {
327 fprintf(stderr, "illegal start message has no VERSION_LIST\n");
331 versions = (uint16_t const *) vp->vp_strvalue;
333 /* verify that the attribute length is big enough for a length field */
336 fprintf(stderr, "start message has illegal VERSION_LIST. Too short: %u\n", (unsigned int) vp->length);
340 versioncount = ntohs(versions[0])/2;
341 /* verify that the attribute length is big enough for the given number
342 * of versions present.
344 if((unsigned)vp->length <= (versioncount*2 + 2))
346 fprintf(stderr, "start message is too short. Claimed %d versions does not fit in %u bytes\n", versioncount, (unsigned int) vp->length);
351 * record the versionlist for the MK calculation.
353 eapsim_mk.versionlistlen = versioncount*2;
354 memcpy(eapsim_mk.versionlist, (unsigned char const *)(versions+1),
355 eapsim_mk.versionlistlen);
357 /* walk the version list, and pick the one we support, which
358 * at present, is 1, EAP_SIM_VERSION.
361 for(i=0; i < versioncount; i++)
363 if(ntohs(versions[i+1]) == EAP_SIM_VERSION)
365 selectedversion=EAP_SIM_VERSION;
369 if(selectedversion == 0)
371 fprintf(stderr, "eap-sim start message. No compatible version found. We need %d\n", EAP_SIM_VERSION);
372 for(i=0; i < versioncount; i++)
374 fprintf(stderr, "\tfound version %d\n",
375 ntohs(versions[i+1]));
380 * now make sure that we have only FULLAUTH_ID_REQ.
381 * I think that it actually might not matter - we can answer in
382 * anyway we like, but it is illegal to have more than one
385 anyidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_ANY_ID_REQ, 0, TAG_ANY);
386 fullauthidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_FULLAUTH_ID_REQ, 0, TAG_ANY);
387 permanentidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_PERMANENT_ID_REQ, 0, TAG_ANY);
389 if(!fullauthidreq_vp ||
390 anyidreq_vp != NULL ||
391 permanentidreq_vp != NULL) {
392 fprintf(stderr, "start message has %sanyidreq, %sfullauthid and %spermanentid. Illegal combination.\n",
393 (anyidreq_vp != NULL ? "a " : "no "),
394 (fullauthidreq_vp != NULL ? "a " : "no "),
395 (permanentidreq_vp != NULL ? "a " : "no "));
399 /* okay, we have just any_id_req there, so fill in response */
401 /* mark the subtype as being EAP-SIM/Response/Start */
402 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_SUBTYPE, 0);
403 newvp->vp_integer = eapsim_start;
404 pairreplace(&(rep->vps), newvp);
406 /* insert selected version into response. */
408 uint16_t no_versions;
410 no_versions = htons(selectedversion);
412 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_SELECTED_VERSION, 0);
413 pairmemcpy(newvp, (uint8_t *) &no_versions, 2);
414 pairreplace(&(rep->vps), newvp);
416 /* record the selected version */
417 memcpy(eapsim_mk.versionselect, &no_versions, 2);
426 * insert a nonce_mt that we make up.
433 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_NONCE_MT, 0);
435 p = talloc_zero_array(newvp, uint8_t, 18); /* 18 = 16 bytes of nonce + padding */
436 memcpy(&p[2], nonce, 16);
437 pairmemsteal(newvp, p);
439 pairreplace(&(rep->vps), newvp);
441 /* also keep a copy of the nonce! */
442 memcpy(eapsim_mk.nonce_mt, nonce, 16);
451 * insert the identity here.
453 vp = pairfind(rep->vps, PW_USER_NAME, 0, TAG_ANY);
456 fprintf(stderr, "eap-sim: We need to have a User-Name attribute!\n");
459 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_IDENTITY, 0);
461 idlen = strlen(vp->vp_strvalue);
462 p = talloc_zero_array(newvp, uint8_t, idlen + 2);
463 no_idlen = htons(idlen);
464 memcpy(p, &no_idlen, 2);
465 memcpy(p + 2, vp->vp_strvalue, idlen);
466 pairmemsteal(newvp, p);
468 pairreplace(&(rep->vps), newvp);
471 memcpy(eapsim_mk.identity, vp->vp_strvalue, idlen);
472 eapsim_mk.identitylen = idlen;
479 * we got an EAP-Request/Sim/Challenge message in a legal state.
481 * use the RAND challenge to produce the SRES result, and then
482 * use that to generate a new MAC.
484 * for the moment, we ignore the RANDs, then just plug in the SRES
488 static int process_eap_challenge(RADIUS_PACKET *req,
492 VALUE_PAIR *mac, *randvp;
493 VALUE_PAIR *sres1,*sres2,*sres3;
494 VALUE_PAIR *Kc1, *Kc2, *Kc3;
497 /* look for the AT_MAC and the challenge data */
498 mac = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
499 randvp= pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_RAND, 0, TAG_ANY);
500 if(!mac || !randvp) {
501 fprintf(stderr, "radeapclient: challenge message needs to contain RAND and MAC\n");
506 * compare RAND with randX, to verify this is the right response
510 VALUE_PAIR *randcfgvp[3];
511 uint8_t const *randcfg[3];
513 randcfg[0] = &randvp->vp_octets[2];
514 randcfg[1] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE];
515 randcfg[2] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE*2];
517 randcfgvp[0] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND1, 0, TAG_ANY);
518 randcfgvp[1] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND2, 0, TAG_ANY);
519 randcfgvp[2] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND3, 0, TAG_ANY);
524 fprintf(stderr, "radeapclient: needs to have rand1, 2 and 3 set.\n");
528 if(memcmp(randcfg[0], randcfgvp[0]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
529 memcmp(randcfg[1], randcfgvp[1]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
530 memcmp(randcfg[2], randcfgvp[2]->vp_octets, EAPSIM_RAND_SIZE)!=0) {
533 fprintf(stderr, "radeapclient: one of rand 1,2,3 didn't match\n");
534 for(rnum = 0; rnum < 3; rnum++) {
535 fprintf(stderr, "received rand %d: ", rnum);
537 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
544 fprintf(stderr, "%02x", randcfg[rnum][i]);
546 fprintf(stderr, "\nconfigured rand %d: ", rnum);
548 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
555 fprintf(stderr, "%02x", randcfgvp[rnum]->vp_octets[i]);
557 fprintf(stderr, "\n");
564 * now dig up the sres values from the response packet,
565 * which were put there when we read things in.
567 * Really, they should be calculated from the RAND!
570 sres1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES1, 0, TAG_ANY);
571 sres2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES2, 0, TAG_ANY);
572 sres3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES3, 0, TAG_ANY);
577 fprintf(stderr, "radeapclient: needs to have sres1, 2 and 3 set.\n");
580 memcpy(eapsim_mk.sres[0], sres1->vp_strvalue, sizeof(eapsim_mk.sres[0]));
581 memcpy(eapsim_mk.sres[1], sres2->vp_strvalue, sizeof(eapsim_mk.sres[1]));
582 memcpy(eapsim_mk.sres[2], sres3->vp_strvalue, sizeof(eapsim_mk.sres[2]));
584 Kc1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC1, 0, TAG_ANY);
585 Kc2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC2, 0, TAG_ANY);
586 Kc3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC3, 0, TAG_ANY);
591 fprintf(stderr, "radeapclient: needs to have Kc1, 2 and 3 set.\n");
594 memcpy(eapsim_mk.Kc[0], Kc1->vp_strvalue, sizeof(eapsim_mk.Kc[0]));
595 memcpy(eapsim_mk.Kc[1], Kc2->vp_strvalue, sizeof(eapsim_mk.Kc[1]));
596 memcpy(eapsim_mk.Kc[2], Kc3->vp_strvalue, sizeof(eapsim_mk.Kc[2]));
598 /* all set, calculate keys */
599 eapsim_calculate_keys(&eapsim_mk);
602 eapsim_dump_mk(&eapsim_mk);
605 /* verify the MAC, now that we have all the keys. */
606 if(eapsim_checkmac(NULL, req->vps, eapsim_mk.K_aut,
607 eapsim_mk.nonce_mt, sizeof(eapsim_mk.nonce_mt),
609 printf("MAC check succeed\n");
613 printf("calculated MAC (");
614 for (i = 0; i < 20; i++) {
621 printf("%02x", calcmac[i]);
623 printf(" did not match\n");
627 /* form new response clear of any EAP stuff */
630 /* mark the subtype as being EAP-SIM/Response/Start */
631 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_SUBTYPE, 0);
632 newvp->vp_integer = eapsim_challenge;
633 pairreplace(&(rep->vps), newvp);
638 * fill the SIM_MAC with a field that will in fact get appended
639 * to the packet before the MAC is calculated
641 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0);
643 p = talloc_zero_array(newvp, uint8_t, EAPSIM_SRES_SIZE*3);
644 memcpy(p+EAPSIM_SRES_SIZE * 0, sres1->vp_strvalue, EAPSIM_SRES_SIZE);
645 memcpy(p+EAPSIM_SRES_SIZE * 1, sres2->vp_strvalue, EAPSIM_SRES_SIZE);
646 memcpy(p+EAPSIM_SRES_SIZE * 2, sres3->vp_strvalue, EAPSIM_SRES_SIZE);
647 pairmemsteal(newvp, p);
649 pairreplace(&(rep->vps), newvp);
652 newvp = paircreate(rep, ATTRIBUTE_EAP_SIM_KEY, 0);
653 pairmemcpy(newvp, eapsim_mk.K_aut, EAPSIM_AUTH_SIZE);
655 pairreplace(&(rep->vps), newvp);
661 * this code runs the EAP-SIM client state machine.
662 * the *request* is from the server.
663 * the *reponse* is to the server.
666 static int respond_eap_sim(RADIUS_PACKET *req,
669 enum eapsim_clientstates state, newstate;
670 enum eapsim_subtype subtype;
671 VALUE_PAIR *vp, *statevp, *radstate, *eapid;
672 char statenamebuf[32], subtypenamebuf[32];
674 if ((radstate = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
679 if ((eapid = paircopy2(NULL, req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY)) == NULL)
684 /* first, dig up the state from the request packet, setting
685 * outselves to be in EAP-SIM-Start state if there is none.
688 if((statevp = pairfind(resp->vps, ATTRIBUTE_EAP_SIM_STATE, 0, TAG_ANY)) == NULL)
690 /* must be initial request */
691 statevp = paircreate(resp, ATTRIBUTE_EAP_SIM_STATE, 0);
692 statevp->vp_integer = eapsim_client_init;
693 pairreplace(&(resp->vps), statevp);
695 state = statevp->vp_integer;
698 * map the attributes, and authenticate them.
700 unmap_eapsim_types(req);
702 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_SUBTYPE, 0, TAG_ANY)) == NULL)
706 subtype = vp->vp_integer;
709 * look for the appropriate state, and process incoming message
712 case eapsim_client_init:
715 newstate = process_eap_start(req, resp);
718 case eapsim_challenge:
719 case eapsim_notification:
722 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
723 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
724 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
725 /* invalid state, drop message */
730 case eapsim_client_start:
733 /* NOT SURE ABOUT THIS ONE, retransmit, I guess */
734 newstate = process_eap_start(req, resp);
737 case eapsim_challenge:
738 newstate = process_eap_challenge(req, resp);
742 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
743 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
744 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
745 /* invalid state, drop message */
752 fprintf(stderr, "radeapclient: sim in illegal state %s\n",
753 sim_state2name(state, statenamebuf, sizeof(statenamebuf)));
757 /* copy the eap state object in */
758 pairreplace(&(resp->vps), eapid);
760 /* update stete info, and send new packet */
761 map_eapsim_types(resp);
763 /* copy the radius state object in */
764 pairreplace(&(resp->vps), radstate);
766 statevp->vp_integer = newstate;
770 static int respond_eap_md5(RADIUS_PACKET *req,
773 VALUE_PAIR *vp, *id, *state;
776 uint8_t const *value;
778 uint8_t response[16];
782 if ((state = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
784 fprintf(stderr, "radeapclient: no state attribute found\n");
788 if ((id = paircopy2(NULL, req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY)) == NULL)
790 fprintf(stderr, "radeapclient: no EAP-ID attribute found\n");
793 identifier = id->vp_integer;
795 if ((vp = pairfind(req->vps, ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0, TAG_ANY)) == NULL)
797 fprintf(stderr, "radeapclient: no EAP-MD5 attribute found\n");
801 /* got the details of the MD5 challenge */
802 valuesize = vp->vp_octets[0];
803 value = &vp->vp_octets[1];
806 if(valuesize > vp->length)
808 fprintf(stderr, "radeapclient: md5 valuesize if too big (%u > %u)\n",
809 (unsigned int) valuesize, (unsigned int) vp->length);
813 /* now do the CHAP operation ourself, rather than build the
814 * buffer. We could also call rad_chap_encode, but it wants
815 * a CHAP-Challenge, which we don't want to bother with.
817 fr_MD5Init(&context);
818 fr_MD5Update(&context, &identifier, 1);
819 fr_MD5Update(&context, (uint8_t *) password, strlen(password));
820 fr_MD5Update(&context, value, valuesize);
821 fr_MD5Final(response, &context);
827 vp = paircreate(rep, ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0);
829 p = talloc_zero_array(vp, uint8_t, 17);
831 memcpy(p, &lg_response, 1);
832 memcpy(p + 1, response, 16);
835 pairreplace(&(rep->vps), vp);
837 pairreplace(&(rep->vps), id);
839 /* copy the state object in */
840 pairreplace(&(rep->vps), state);
847 static int sendrecv_eap(RADIUS_PACKET *rep)
849 RADIUS_PACKET *req = NULL;
850 VALUE_PAIR *vp, *vpnext;
851 int tried_eap_md5 = 0;
854 * Keep a copy of the the User-Password attribute.
856 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
857 strlcpy(password, vp->vp_strvalue, sizeof(password));
859 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
860 strlcpy(password, vp->vp_strvalue, sizeof(password));
862 * Otherwise keep a copy of the CHAP-Password attribute.
864 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
865 strlcpy(password, vp->vp_strvalue, sizeof(password));
874 * if there are EAP types, encode them into an EAP-Message
877 map_eap_methods(rep);
880 * Fix up Digest-Attributes issues
882 for (vp = rep->vps; vp != NULL; vp = vp->next) {
883 switch (vp->da->attr) {
887 case PW_DIGEST_REALM:
888 case PW_DIGEST_NONCE:
889 case PW_DIGEST_METHOD:
892 case PW_DIGEST_ALGORITHM:
893 case PW_DIGEST_BODY_DIGEST:
894 case PW_DIGEST_CNONCE:
895 case PW_DIGEST_NONCE_COUNT:
896 case PW_DIGEST_USER_NAME:
902 p = talloc_array(vp, uint8_t, vp->length + 2);
904 memcpy(p + 2, vp->vp_octets, vp->length);
905 p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
909 da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
913 * Re-do pairmemsteal ourselves,
914 * because we play games with
915 * vp->da, and pairmemsteal goes
916 * to GREAT lengths to sanitize
917 * and fix and change and
918 * double-check the various
921 memcpy(&q, &vp->vp_octets, sizeof(q));
924 vp->vp_octets = talloc_steal(vp, p);
934 * If we've already sent a packet, free up the old
935 * one, and ensure that the next packet has a unique
936 * ID and authentication vector.
939 talloc_free(rep->data);
943 fr_md5_calc(rep->vector, rep->vector,
944 sizeof(rep->vector));
946 if (*password != '\0') {
947 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
948 pairstrcpy(vp, password);
950 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
951 pairstrcpy(vp, password);
953 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
954 pairstrcpy(vp, password);
957 p = talloc_zero_array(vp, uint8_t, 17);
958 rad_chap_encode(rep, p, rep->id, vp);
961 } /* there WAS a password */
963 /* send the response, wait for the next request */
964 send_packet(rep, &req);
966 /* okay got back the packet, go and decode the EAP-Message. */
967 unmap_eap_methods(req);
969 debug_packet(req, R_RECV);
971 /* now look for the code type. */
972 for (vp = req->vps; vp != NULL; vp = vpnext) {
975 switch (vp->da->attr) {
979 case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
980 if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
987 case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
988 if(respond_eap_sim(req, rep))
1000 void set_radius_dir(TALLOC_CTX *ctx, char const *path)
1005 memcpy(&p, &radius_dir, sizeof(p));
1009 if (path) radius_dir = talloc_strdup(ctx, path);
1013 int main(int argc, char **argv)
1019 char *filename = NULL;
1022 int force_af = AF_UNSPEC;
1025 * We probably don't want to free the talloc autofree context
1026 * directly, so we'll allocate a new context beneath it, and
1027 * free that before any leak reports.
1029 TALLOC_CTX *autofree = talloc_init("main");
1031 id = ((int)getpid() & 0xff);
1034 radlog_dest = L_DST_STDERR;
1036 set_radius_dir(autofree, RADIUS_DIR);
1038 while ((c = getopt(argc, argv, "46c:d:D:f:hi:qst:r:S:xXv")) != EOF)
1045 force_af = AF_INET6;
1048 set_radius_dir(autofree, optarg);
1051 mainconfig.dictionary_dir = talloc_typed_strdup(NULL, optarg);
1066 sha1_data_problems = 1; /* for debugging only */
1073 if (!isdigit((int) *optarg))
1075 retries = atoi(optarg);
1078 if (!isdigit((int) *optarg))
1081 if ((id < 0) || (id > 255)) {
1089 if (!isdigit((int) *optarg))
1091 timeout = atof(optarg);
1094 printf("radeapclient: $Id$ built on " __DATE__ " at " __TIME__ "\n");
1098 fp = fopen(optarg, "r");
1100 fprintf(stderr, "radclient: Error opening %s: %s\n",
1101 optarg, fr_syserror(errno));
1104 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1105 fprintf(stderr, "radclient: Error reading %s: %s\n",
1106 optarg, fr_syserror(errno));
1111 /* truncate newline */
1112 p = filesecret + strlen(filesecret) - 1;
1113 while ((p >= filesecret) &&
1119 if (strlen(filesecret) < 2) {
1120 fprintf(stderr, "radclient: Secret in %s is too short\n", optarg);
1123 secret = filesecret;
1131 argc -= (optind - 1);
1132 argv += (optind - 1);
1135 ((!secret) && (argc < 4))) {
1139 if (!mainconfig.dictionary_dir) {
1140 mainconfig.dictionary_dir = DICTDIR;
1144 * Read the distribution dictionaries first, then
1145 * the ones in raddb.
1147 DEBUG2("including dictionary file %s/%s", mainconfig.dictionary_dir, RADIUS_DICTIONARY);
1148 if (dict_init(mainconfig.dictionary_dir, RADIUS_DICTIONARY) != 0) {
1149 ERROR("Errors reading dictionary: %s",
1155 * It's OK if this one doesn't exist.
1157 int rcode = dict_read(radius_dir, RADIUS_DICTIONARY);
1159 ERROR("Errors reading %s/%s: %s", radius_dir, RADIUS_DICTIONARY,
1165 * We print this after reading it. That way if
1166 * it doesn't exist, it's OK, and we don't print
1170 DEBUG2("including dictionary file %s/%s", radius_dir, RADIUS_DICTIONARY);
1173 req = rad_alloc(NULL, 1);
1175 fr_perror("radclient");
1183 if((randinit = fopen("/dev/urandom", "r")) == NULL)
1185 perror("/dev/urandom");
1187 fread(randctx.randrsl, 256, 1, randinit);
1191 fr_randinit(&randctx, 1);
1199 if (force_af == AF_UNSPEC) force_af = AF_INET;
1200 req->dst_ipaddr.af = force_af;
1201 if (strcmp(argv[1], "-") != 0) {
1202 char const *hostname = argv[1];
1203 char const *portname = argv[1];
1206 if (*argv[1] == '[') { /* IPv6 URL encoded */
1207 p = strchr(argv[1], ']');
1208 if ((size_t) (p - argv[1]) >= sizeof(buffer)) {
1212 memcpy(buffer, argv[1] + 1, p - argv[1] - 1);
1213 buffer[p - argv[1] - 1] = '\0';
1219 p = strchr(portname, ':');
1220 if (p && (strchr(p + 1, ':') == NULL)) {
1227 if (ip_hton(hostname, force_af, &req->dst_ipaddr) < 0) {
1228 fprintf(stderr, "radclient: Failed to find IP address for host %s: %s\n", hostname, fr_syserror(errno));
1233 * Strip port from hostname if needed.
1235 if (portname) port = atoi(portname);
1239 * See what kind of request we want to send.
1241 if (strcmp(argv[2], "auth") == 0) {
1242 if (port == 0) port = getport("radius");
1243 if (port == 0) port = PW_AUTH_UDP_PORT;
1244 req->code = PW_CODE_AUTHENTICATION_REQUEST;
1246 } else if (strcmp(argv[2], "acct") == 0) {
1247 if (port == 0) port = getport("radacct");
1248 if (port == 0) port = PW_ACCT_UDP_PORT;
1249 req->code = PW_CODE_ACCOUNTING_REQUEST;
1252 } else if (strcmp(argv[2], "status") == 0) {
1253 if (port == 0) port = getport("radius");
1254 if (port == 0) port = PW_AUTH_UDP_PORT;
1255 req->code = PW_CODE_STATUS_SERVER;
1257 } else if (strcmp(argv[2], "disconnect") == 0) {
1258 if (port == 0) port = PW_POD_UDP_PORT;
1259 req->code = PW_CODE_DISCONNECT_REQUEST;
1261 } else if (isdigit((int) argv[2][0])) {
1262 if (port == 0) port = getport("radius");
1263 if (port == 0) port = PW_AUTH_UDP_PORT;
1264 req->code = atoi(argv[2]);
1268 req->dst_port = port;
1273 if (argv[3]) secret = argv[3];
1277 * Maybe read them, from stdin, if there's no
1278 * filename, or if the filename is '-'.
1280 if (filename && (strcmp(filename, "-") != 0)) {
1281 fp = fopen(filename, "r");
1283 fprintf(stderr, "radclient: Error opening %s: %s\n",
1284 filename, fr_syserror(errno));
1294 if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
1295 perror("radclient: socket: ");
1300 if(req->vps) pairfree(&req->vps);
1302 if ((req->vps = readvp2(NULL, fp, &filedone, "radeapclient:")) == NULL) {
1310 printf("\n\t Total approved auths: %d\n", totalapp);
1311 printf("\t Total denied auths: %d\n", totaldeny);
1314 talloc_free(autofree);
1320 * given a radius request with some attributes in the EAP range, build
1321 * them all into a single EAP-Message body.
1323 * Note that this function will build multiple EAP-Message bodies
1324 * if there are multiple eligible EAP-types. This is incorrect, as the
1325 * recipient will in fact concatenate them.
1327 * XXX - we could break the loop once we process one type. Maybe this
1328 * just deserves an assert?
1331 static void map_eap_methods(RADIUS_PACKET *req)
1333 VALUE_PAIR *vp, *vpnext;
1337 eap_packet_t *pt_ep = talloc_zero(req, eap_packet_t);
1339 vp = pairfind(req->vps, ATTRIBUTE_EAP_ID, 0, TAG_ANY);
1341 id = ((int)getpid() & 0xff);
1343 id = vp->vp_integer;
1346 vp = pairfind(req->vps, ATTRIBUTE_EAP_CODE, 0, TAG_ANY);
1348 eapcode = PW_EAP_REQUEST;
1350 eapcode = vp->vp_integer;
1353 for(vp = req->vps; vp != NULL; vp = vpnext) {
1354 /* save it in case it changes! */
1357 if(vp->da->attr >= ATTRIBUTE_EAP_BASE &&
1358 vp->da->attr < ATTRIBUTE_EAP_BASE+256) {
1367 eap_method = vp->da->attr - ATTRIBUTE_EAP_BASE;
1369 switch(eap_method) {
1370 case PW_EAP_IDENTITY:
1371 case PW_EAP_NOTIFICATION:
1382 * no known special handling, it is just encoded as an
1383 * EAP-message with the given type.
1386 /* nuke any existing EAP-Messages */
1387 pairdelete(&req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1389 pt_ep->code = eapcode;
1391 pt_ep->type.num = eap_method;
1392 pt_ep->type.length = vp->length;
1394 pt_ep->type.data = talloc_memdup(vp, vp->vp_octets, vp->length);
1395 talloc_set_type(pt_ep->type.data, uint8_t);
1397 eap_basic_compose(req, pt_ep);
1402 * given a radius request with an EAP-Message body, decode it specific
1405 static void unmap_eap_methods(RADIUS_PACKET *rep)
1408 eap_packet_raw_t *e;
1412 /* find eap message */
1413 e = eap_vp2packet(NULL, rep->vps);
1415 /* nothing to do! */
1418 /* create EAP-ID and EAP-CODE attributes to start */
1419 eap1 = paircreate(rep, ATTRIBUTE_EAP_ID, 0);
1420 eap1->vp_integer = e->id;
1421 pairadd(&(rep->vps), eap1);
1423 eap1 = paircreate(rep, ATTRIBUTE_EAP_CODE, 0);
1424 eap1->vp_integer = e->code;
1425 pairadd(&(rep->vps), eap1);
1429 case PW_EAP_SUCCESS:
1430 case PW_EAP_FAILURE:
1434 case PW_EAP_REQUEST:
1435 case PW_EAP_RESPONSE:
1436 /* there is a type field, which we use to create
1437 * a new attribute */
1439 /* the length was decode already into the attribute
1440 * length, and was checked already. Network byte
1441 * order, just pull it out using math.
1443 len = e->length[0]*256 + e->length[1];
1445 /* verify the length is big enough to hold type */
1454 type += ATTRIBUTE_EAP_BASE;
1457 if (len > MAX_STRING_LEN) {
1458 len = MAX_STRING_LEN;
1461 eap1 = paircreate(rep, type, 0);
1462 pairmemcpy(eap1, e->data + 1, len);
1464 pairadd(&(rep->vps), eap1);
1472 static int map_eapsim_types(RADIUS_PACKET *r)
1476 eap_packet_t *pt_ep = talloc_zero(r, eap_packet_t);
1478 ret = map_eapsim_basictypes(r, pt_ep);
1484 eap_basic_compose(r, pt_ep);
1489 static int unmap_eapsim_types(RADIUS_PACKET *r)
1495 esvp = pairfind(r->vps, ATTRIBUTE_EAP_BASE+PW_EAP_SIM, 0, TAG_ANY);
1497 ERROR("eap: EAP-Sim attribute not found");
1501 eap_data = talloc_memdup(esvp, esvp->vp_octets, esvp->length);
1502 talloc_set_type(eap_data, uint8_t);
1504 rcode_unmap = unmap_eapsim_basictypes(r, eap_data, esvp->length);
1506 talloc_free(eap_data);
1514 char const *radius_dir = RADDBDIR;
1516 int radlog(int lvl, char const *msg, ...)
1522 r = vfprintf(stderr, msg, ap);
1524 fputc('\n', stderr);
1529 main(int argc, char *argv[])
1532 RADIUS_PACKET *req,*req2;
1533 VALUE_PAIR *vp, *vpkey, *vpextra;
1534 extern unsigned int sha1_data_problems;
1541 sha1_data_problems = 1;
1544 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1545 fr_perror("radclient");
1549 req = rad_alloc(NULL, 1)
1551 fr_perror("radclient");
1555 req2 = rad_alloc(NULL, 1);
1557 fr_perror("radclient");
1562 if(req->vps) pairfree(&req->vps);
1563 if(req2->vps) pairfree(&req2->vps);
1565 if ((req->vps = readvp2(NULL, stdin, &filedone, "eapsimlib:")) == NULL) {
1569 if (fr_debug_flag > 1) {
1570 printf("\nRead:\n");
1571 vp_printlist(stdout, req->vps);
1574 map_eapsim_types(req);
1575 map_eap_methods(req);
1577 if (fr_debug_flag > 1) {
1578 printf("Mapped to:\n");
1579 vp_printlist(stdout, req->vps);
1582 /* find the EAP-Message, copy it to req2 */
1583 vp = paircopy2(NULL, req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1587 pairadd(&req2->vps, vp);
1589 /* only call unmap for sim types here */
1590 unmap_eap_methods(req2);
1591 unmap_eapsim_types(req2);
1593 if (fr_debug_flag > 1) {
1594 printf("Unmapped to:\n");
1595 vp_printlist(stdout, req2->vps);
1598 vp = pairfind(req2->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
1599 vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY, 0, TAG_ANY);
1600 vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA, 0, TAG_ANY);
1602 if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
1603 uint8_t calcmac[16];
1605 /* find the EAP-Message, copy it to req2 */
1607 memset(calcmac, 0, sizeof(calcmac));
1608 printf("Confirming MAC...");
1609 if(eapsim_checkmac(req2->vps, vpkey->vp_strvalue,
1610 vpextra->vp_strvalue, vpextra->length,
1612 printf("succeed\n");
1616 printf("calculated MAC (");
1617 for (i = 0; i < 20; i++) {
1624 printf("%02x", calcmac[i]);
1626 printf(" did not match\n");