2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License, version 2 if the
4 * License as published by the Free Software Foundation.
6 * This program is distributed in the hope that it will be useful,
7 * but WITHOUT ANY WARRANTY; without even the implied warranty of
8 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 * GNU General Public License for more details.
11 * You should have received a copy of the GNU General Public License
12 * along with this program; if not, write to the Free Software
13 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * @brief Supports auth against SecurID servers using OTP h/w tokens.
21 * Supports "next-token code" and "new-pin" modes.
23 * @copyright 2012 The FreeRADIUS server project
24 * @copyright 2012 Alan DeKok <aland@networkradius.com>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
30 #include "rlm_securid.h"
33 RC_SECURID_AUTH_SUCCESS = 0,
34 RC_SECURID_AUTH_FAILURE = -3,
35 RC_SECURID_AUTH_ACCESS_DENIED_FAILURE = -4,
36 RC_SECURID_AUTH_INVALID_SERVER_FAILURE = -5,
37 RC_SECURID_AUTH_CHALLENGE = -17
41 static const CONF_PARSER module_config[] = {
42 { "timer_expire", PW_TYPE_INTEGER,
43 offsetof(rlm_securid_t, timer_limit), NULL, "600"},
44 { "max_sessions", PW_TYPE_INTEGER,
45 offsetof(rlm_securid_t, max_sessions), NULL, "2048"},
46 { "max_trips_per_session", PW_TYPE_INTEGER,
47 offsetof(rlm_securid_t, max_trips_per_session), NULL, NULL},
48 { "max_round_trips", PW_TYPE_INTEGER,
49 offsetof(rlm_securid_t, max_trips_per_session), NULL, "6"},
50 { NULL, -1, 0, NULL, NULL } /* end the list */
54 static SD_CHAR empty_pin[] = "";
56 /* comparison function to find session in the tree */
57 static int securid_session_cmp(void const *a, void const *b)
60 SECURID_SESSION const *one = a;
61 SECURID_SESSION const *two = b;
63 rad_assert(one != NULL);
64 rad_assert(two != NULL);
66 rcode = fr_ipaddr_cmp(&one->src_ipaddr, &two->src_ipaddr);
67 if (rcode != 0) return rcode;
69 return memcmp(one->state, two->state, sizeof(one->state));
73 static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
76 char *replyMsgBuffer, size_t replyMsgBufferSize)
78 rlm_securid_t *inst = (rlm_securid_t *) instance;
83 SECURID_SESSION *securid_session = NULL;
86 SD_CHAR *securid_user, *securid_pass;
89 ERROR("SecurID username is NULL");
90 return RC_SECURID_AUTH_FAILURE;
94 ERROR("SecurID passcode is NULL for %s user", username);
95 return RC_SECURID_AUTH_FAILURE;
98 memcpy(&securid_user, &username, sizeof(securid_user));
99 memcpy(&securid_pass, &passcode, sizeof(securid_pass));
101 *replyMsgBuffer = '\0';
103 securid_session = securid_sessionlist_find(inst, request);
104 if (!securid_session) {
105 /* securid session not found */
106 SDI_HANDLE sdiHandle = SDI_HANDLE_NONE;
108 acm_ret = SD_Init(&sdiHandle);
109 if (acm_ret != ACM_OK) {
110 ERROR("Cannot communicate with the ACE/Server");
114 acm_ret = SD_Lock(sdiHandle, securid_user);
115 if (acm_ret != ACM_OK) {
116 ERROR("SecurID: Access denied. Name [%s] lock failed", username);
120 acm_ret = SD_Check(sdiHandle, securid_pass, securid_user);
124 RDEBUG("SecurID authentication successful for %s", username);
127 return RC_SECURID_AUTH_SUCCESS;
129 case ACM_ACCESS_DENIED:
131 RDEBUG("SecurID Access denied for %s", username);
133 return RC_SECURID_AUTH_ACCESS_DENIED_FAILURE;
135 case ACM_INVALID_SERVER:
136 ERROR("SecurID: Invalid ACE server");
137 return RC_SECURID_AUTH_INVALID_SERVER_FAILURE;
139 case ACM_NEW_PIN_REQUIRED:
140 RDEBUG2("SecurID new pin required for %s", username);
142 /* create a new session */
143 securid_session = securid_session_alloc();
144 securid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
145 securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
146 securid_session->identity = strdup(username);
148 /* Get PIN requirements */
149 acm_ret = AceGetPinParams(sdiHandle, &pin_params);
151 /* If a system-generated PIN is required */
152 if (pin_params.Selectable == CANNOT_CHOOSE_PIN) {
153 /* Prompt user to accept a system generated PIN */
154 snprintf(replyMsgBuffer, replyMsgBufferSize,
155 "\r\nAre you prepared to accept a new system-generated PIN [y/n]?");
156 securid_session->securidSessionState = NEW_PIN_SYSTEM_ACCEPT_STATE;
158 } else if (pin_params.Selectable == USER_SELECTABLE) { //may be returned by AM 6.x servers.
159 snprintf(replyMsgBuffer, replyMsgBufferSize,
160 "\r\nPress 'y' to generate a new PIN\r\nOR\r\n'n'to enter a new PIN yourself [y/n]");
161 securid_session->securidSessionState = NEW_PIN_USER_SELECT_STATE;
164 if (pin_params.Alphanumeric) {
165 strcpy(format, "alphanumeric characters");
167 strcpy(format, "digits");
169 snprintf(replyMsgBuffer, replyMsgBufferSize,
170 " \r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
171 pin_params.Min, pin_params.Max, format);
174 /* insert new session in the session list */
175 securid_sessionlist_add(inst, request, securid_session);
177 return RC_SECURID_AUTH_CHALLENGE;
179 case ACM_NEXT_CODE_REQUIRED:
180 RDEBUG2("Next securid token code required for %s",
183 /* create a new session */
184 securid_session = securid_session_alloc();
185 securid_session->sdiHandle = sdiHandle;
186 securid_session->securidSessionState = NEXT_CODE_REQUIRED_STATE;
187 securid_session->identity = strdup(username);
189 /* insert new session in the session list */
190 securid_sessionlist_add(inst, request, securid_session);
192 strlcpy(replyMsgBuffer, "\r\nPlease Enter the Next Code from Your Token:", replyMsgBufferSize);
193 return RC_SECURID_AUTH_CHALLENGE;
196 ERROR("SecurID: Unexpected error from ACE/Agent API acm_ret=%d", acm_ret);
197 securid_session_free(inst, request, securid_session);
198 return RC_SECURID_AUTH_FAILURE;
203 /* existing session found */
204 RDEBUG("Continuing previous session found for user [%s]", username);
206 /* continue previous session */
207 switch (securid_session->securidSessionState) {
208 case NEXT_CODE_REQUIRED_STATE:
209 DEBUG2("Securid NEXT_CODE_REQUIRED_STATE: User [%s]", username);
210 /* next token code mode */
212 acm_ret = SD_Next(securid_session->sdiHandle, securid_pass);
213 if (acm_ret == ACM_OK) {
214 INFO("Next SecurID token accepted for [%s].", securid_session->identity);
215 rc = RC_SECURID_AUTH_SUCCESS;
218 INFO("SecurID: Next token rejected for [%s].", securid_session->identity);
219 rc = RC_SECURID_AUTH_FAILURE;
222 /* deallocate session */
223 securid_session_free(inst, request, securid_session);
226 case NEW_PIN_REQUIRED_STATE:
227 RDEBUG2("SecurID NEW_PIN_REQUIRED_STATE for %s",
230 /* save the previous pin */
231 if (securid_session->pin) {
232 free(securid_session->pin);
233 securid_session->pin = NULL;
235 securid_session->pin = strdup(passcode);
237 strlcpy(replyMsgBuffer, "\r\n Please re-enter new PIN:", replyMsgBufferSize);
240 securid_session->securidSessionState = NEW_PIN_USER_CONFIRM_STATE;
242 /* insert the updated session in the session list */
243 securid_sessionlist_add(inst, request, securid_session);
244 return RC_SECURID_AUTH_CHALLENGE;
246 case NEW_PIN_USER_CONFIRM_STATE:
247 RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]", username);
248 /* compare previous pin and current pin */
249 if (!securid_session->pin || strcmp(securid_session->pin, passcode)) {
250 RDEBUG2("Pin confirmation failed. Pins do not match [%s] and [%s]",
251 SAFE_STR(securid_session->pin), securid_pass);
252 /* pins do not match */
254 /* challenge the user again */
255 AceGetPinParams(securid_session->sdiHandle, &pin_params);
256 if (pin_params.Alphanumeric) {
257 strcpy(format, "alphanumeric characters");
259 strcpy(format, "digits");
261 snprintf(replyMsgBuffer, replyMsgBufferSize,
262 " \r\n Pins do not match--Please try again.\r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
263 pin_params.Min, pin_params.Max, format);
265 securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
267 /* insert the updated session in the session list */
268 securid_sessionlist_add(inst, request, securid_session);
269 rc = RC_SECURID_AUTH_CHALLENGE;
273 RDEBUG2("Pin confirmation succeeded. Pins match");
274 acm_ret = SD_Pin(securid_session->sdiHandle, securid_pass);
275 if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
276 RDEBUG("New SecurID pin accepted for %s.", securid_session->identity);
278 securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
280 /* insert the updated session in the session list */
281 securid_sessionlist_add(inst, request, securid_session);
283 rc = RC_SECURID_AUTH_CHALLENGE;
284 strlcpy(replyMsgBuffer, " \r\n\r\nWait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
286 RDEBUG("SecurID: New SecurID pin rejected for %s.", securid_session->identity);
287 SD_Pin(securid_session->sdiHandle, &empty_pin[0]); /* cancel PIN */
290 rc = RC_SECURID_AUTH_FAILURE;
292 /* deallocate session */
293 securid_session_free(inst, request, securid_session);
297 case NEW_PIN_AUTH_VALIDATE_STATE:
298 acm_ret = SD_Check(securid_session->sdiHandle, securid_pass, securid_user);
299 if (acm_ret == ACM_OK) {
300 RDEBUG("New SecurID passcode accepted for %s.",
301 securid_session->identity);
302 rc = RC_SECURID_AUTH_SUCCESS;
305 INFO("SecurID: New passcode rejected for [%s].", securid_session->identity);
306 rc = RC_SECURID_AUTH_FAILURE;
309 /* deallocate session */
310 securid_session_free(inst, request, securid_session);
313 case NEW_PIN_SYSTEM_ACCEPT_STATE:
314 if (!strcmp(passcode, "y")) {
315 AceGetSystemPin(securid_session->sdiHandle, new_pin);
317 /* Save the PIN for the next session
319 if (securid_session->pin) {
320 free(securid_session->pin);
321 securid_session->pin = NULL;
323 securid_session->pin = strdup(new_pin);
325 snprintf(replyMsgBuffer, replyMsgBufferSize,
326 "\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
328 securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
330 /* insert the updated session in the
332 securid_sessionlist_add(inst, request, securid_session);
334 rc = RC_SECURID_AUTH_CHALLENGE;
337 SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
339 /* deallocate session */
340 securid_session_free(inst, request,
343 rc = RC_SECURID_AUTH_FAILURE;
348 case NEW_PIN_SYSTEM_CONFIRM_STATE:
349 acm_ret = SD_Pin(securid_session->sdiHandle, (SD_CHAR*)securid_session->pin);
350 if (acm_ret == ACM_NEW_PIN_ACCEPTED) {
351 strlcpy(replyMsgBuffer, " \r\n\r\nPin Accepted. Wait for the code on your card to change, then enter new PIN and TokenCode\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
352 securid_session->securidSessionState = NEW_PIN_AUTH_VALIDATE_STATE;
353 /* insert the updated session in the session list */
354 securid_sessionlist_add(inst, request, securid_session);
355 rc = RC_SECURID_AUTH_CHALLENGE;
358 SD_Pin(securid_session->sdiHandle, &empty_pin[0]); //Cancel new PIN
359 strlcpy(replyMsgBuffer, " \r\n\r\nPin Rejected. Wait for the code on your card to change, then try again.\r\n\r\nEnter PASSCODE:", replyMsgBufferSize);
360 /* deallocate session */
361 securid_session_free(inst, request,
363 rc = RC_SECURID_AUTH_FAILURE;
368 /* USER_SELECTABLE state should be implemented to preserve compatibility with AM 6.x servers, which can return this state */
369 case NEW_PIN_USER_SELECT_STATE:
370 if (!strcmp(passcode, "y")) {
371 /* User has opted for a system-generated PIN */
372 AceGetSystemPin(securid_session->sdiHandle, new_pin);
373 snprintf(replyMsgBuffer, replyMsgBufferSize,
374 "\r\nYour new PIN is: %s\r\nDo you accept this [y/n]?",
376 securid_session->securidSessionState = NEW_PIN_SYSTEM_CONFIRM_STATE;
378 /* insert the updated session in the session list */
379 securid_sessionlist_add(inst, request,
381 rc = RC_SECURID_AUTH_CHALLENGE;
384 /* User has opted for a user-defined PIN */
385 AceGetPinParams(securid_session->sdiHandle,
387 if (pin_params.Alphanumeric) {
388 strcpy(format, "alphanumeric characters");
390 strcpy(format, "digits");
393 snprintf(replyMsgBuffer, replyMsgBufferSize,
394 " \r\n Enter your new PIN of %d to %d %s, \r\n or\r\n <Ctrl-D> to cancel the New PIN procedure:",
395 pin_params.Min, pin_params.Max, format);
396 securid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
398 /* insert the updated session in the session list */
399 securid_sessionlist_add(inst, request,
401 rc = RC_SECURID_AUTH_CHALLENGE;
407 ERROR("rlm_securid: Invalid session state %d for user [%s]",
408 securid_session->securidSessionState,
418 /******************************************/
419 static int mod_detach(void *instance)
421 rlm_securid_t *inst = (rlm_securid_t *) instance;
423 /* delete session tree */
424 if (inst->session_tree) {
425 rbtree_free(inst->session_tree);
426 inst->session_tree = NULL;
429 pthread_mutex_destroy(&(inst->session_mutex));
435 static int mod_instantiate(UNUSED CONF_SECTION *conf, void *instance)
437 rlm_securid_t *inst = instance;
440 * Lookup sessions in the tree. We don't free them in
441 * the tree, as that's taken care of elsewhere...
443 inst->session_tree = rbtree_create(securid_session_cmp, NULL, 0);
444 if (!inst->session_tree) {
445 ERROR("rlm_securid: Cannot initialize session tree.");
449 pthread_mutex_init(&(inst->session_mutex), NULL);
455 * Authenticate the user via one of any well-known password.
457 static rlm_rcode_t mod_authenticate(void *instance, REQUEST *request)
460 rlm_securid_t *inst = instance;
461 char buffer[MAX_STRING_LEN]="";
462 char const *username=NULL, *password=NULL;
466 * We can only authenticate user requests which HAVE
467 * a User-Name attribute.
469 if (!request->username) {
470 AUTH("rlm_securid: Attribute \"User-Name\" is required for authentication.");
471 return RLM_MODULE_INVALID;
474 if (!request->password) {
475 RAUTH("Attribute \"Password\" is required for authentication.");
476 return RLM_MODULE_INVALID;
480 * Clear-text passwords are the only ones we support.
482 if (request->password->da->attr != PW_USER_PASSWORD) {
483 RAUTH("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
484 return RLM_MODULE_INVALID;
488 * The user MUST supply a non-zero-length password.
490 if (request->password->length == 0) {
491 REDEBUG("Password should not be empty");
492 return RLM_MODULE_INVALID;
498 username = request->username->vp_strvalue;
499 password = request->password->vp_strvalue;
501 if (RDEBUG_ENABLED3) {
502 RDEBUG3("Login attempt with password \"%s\"", password);
504 RDEBUG("Login attempt with password");
507 rcode = securidAuth(inst, request, username, password,
508 buffer, sizeof(buffer));
511 case RC_SECURID_AUTH_SUCCESS:
512 rcode = RLM_MODULE_OK;
515 case RC_SECURID_AUTH_CHALLENGE:
516 /* reply with Access-challenge message code (11) */
518 /* Generate Prompt attribute */
519 vp = paircreate(request->reply, PW_PROMPT, 0);
521 rad_assert(vp != NULL);
522 vp->vp_integer = 0; /* no echo */
523 pairadd(&request->reply->vps, vp);
525 /* Mark the packet as a Acceess-Challenge Packet */
526 request->reply->code = PW_ACCESS_CHALLENGE;
527 RDEBUG("Sending Access-Challenge.");
528 rcode = RLM_MODULE_HANDLED;
531 case RC_SECURID_AUTH_FAILURE:
532 case RC_SECURID_AUTH_ACCESS_DENIED_FAILURE:
533 case RC_SECURID_AUTH_INVALID_SERVER_FAILURE:
535 rcode = RLM_MODULE_REJECT;
539 if (*buffer) pairmake_reply("Reply-Message", buffer, T_OP_EQ);
546 * The module name should be the only globally exported symbol.
547 * That is, everything else should be 'static'.
549 * If the module needs to temporarily modify it's instantiation
550 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
551 * The server will then take care of ensuring that the module
552 * is single-threaded.
554 module_t rlm_securid = {
557 RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE, /* type */
558 sizeof(rlm_securid_t),
560 mod_instantiate, /* instantiation */
561 mod_detach, /* detach */
563 mod_authenticate, /* authentication */
564 NULL, /* authorization */
565 NULL, /* preaccounting */
566 NULL, /* accounting */
567 NULL, /* checksimul */
568 NULL, /* pre-proxy */
569 NULL, /* post-proxy */
projects / freeradius.git / blob