New module as supplied by Siemens

[freeradius.git] / src / modules / rlm_smsotp / rlm_smsotp.c

/*\r
 * rlm_smsotp.c\r
 *\r
 * Version:     $Id: rlm_smsotp.c,v 0.2 2009/02/03 08:06:44 wofflger Exp $\r
 *\r
 *   This program is free software; you can redistribute it and/or modify\r
 *   it under the terms of the GNU General Public License as published by\r
 *   the Free Software Foundation; either version 2 of the License, or\r
 *   (at your option) any later version.\r
 *\r
 *   This program is distributed in the hope that it will be useful,\r
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of\r
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\r
 *   GNU General Public License for more details.\r
 *\r
 *   You should have received a copy of the GNU General Public License\r
 *   along with this program; if not, write to the Free Software\r
 *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA\r
 *\r
 * Copyright 2000,2006  The FreeRADIUS server project\r
 * Copyright 2009  Siemens AG, Holger Wolff holger.wolff@siemens.com\r
 */\r
\r
#include <freeradius-devel/ident.h>\r
RCSID("$Id: rlm_smsotp.c,v 0.2 2009/02/03 08:06:44 wofflger Exp $")\r
\r
#include <freeradius-devel/radiusd.h>\r
#include <freeradius-devel/modules.h>\r
#include <sys/un.h>\r
\r
#include "rlm_smsotp.h"\r
\r
/*\r
 *      A mapping of configuration file names to internal variables.\r
 *\r
 *      Note that the string is dynamically allocated, so it MUST\r
 *      be freed.  When the configuration file parse re-reads the string,\r
 *      it free's the old one, and strdup's the new one, placing the pointer\r
 *      to the strdup'd string into 'config.string'.  This gets around\r
 *      buffer over-flows.\r
 */\r
\r
static const CONF_PARSER module_config[] = {\r
  { "smsotp_socket", PW_TYPE_STRING_PTR, offsetof(rlm_smsotp_t, smsotp_socket), NULL, SMSOTP_SOCKET },\r
  { "smsotp_challengemessage", PW_TYPE_STRING_PTR, offsetof(rlm_smsotp_t, smsotp_challengemessage), NULL, SMSOTP_CHALLENGEMESSAGE },\r
  { "smsotp_authtype", PW_TYPE_STRING_PTR, offsetof(rlm_smsotp_t, smsotp_authtype), NULL, SMSOTP_AUTHTYPE },\r
\r
  { NULL, -1, 0, NULL, NULL }           /* end the list */\r
};\r
\r
\r
/* socket forward declarations begin */\r
static int smsotp_connect(const char *path);\r
static smsotp_fd_t * smsotp_getfd(const rlm_smsotp_t *opt);\r
static void smsotp_putfd(smsotp_fd_t *fdp, int disconnect);\r
static int smsotp_read(smsotp_fd_t *fdp, char *buf, size_t len);\r
static int smsotp_write(smsotp_fd_t *fdp, const char *buf, size_t len);\r
/* socket forward declarations end */\r
\r
\r
/*\r
 *      Do any per-module initialization that is separate to each\r
 *      configured instance of the module.  e.g. set up connections\r
 *      to external databases, read configuration files, set up\r
 *      dictionary entries, etc.\r
 *\r
 *      If configuration information is given in the config section\r
 *      that must be referenced in later calls, store a handle to it\r
 *      in *instance otherwise put a null pointer there.\r
 */\r
static int smsotp_instantiate(CONF_SECTION *conf, void **instance)\r
{\r
        rlm_smsotp_t *data;\r
\r
        /*\r
         *      Set up a storage area for instance data\r
         */\r
        data = rad_malloc(sizeof(*data));\r
        if (!data) {\r
                return -1;\r
        }\r
        memset(data, 0, sizeof(*data));\r
\r
        /*\r
         *      If the configuration parameters can't be parsed, then\r
         *      fail.\r
         */\r
        if (cf_section_parse(conf, data, module_config) < 0) {\r
                free(data);\r
                return -1;\r
        }\r
\r
        *instance = data;\r
\r
        return 0;\r
}\r
\r
/*\r
 *      Authenticate the user with the given password.\r
 */\r
static int smsotp_authenticate(void *instance, REQUEST *request)\r
{\r
        VALUE_PAIR *state;\r
        VALUE_PAIR *reply;\r
        rlm_smsotp_t *opt = instance;\r
        char SocketReply[1000];\r
        int SocketReplyLen;\r
\r
        /* quiet the compiler */\r
        instance = instance;\r
        request = request;\r
\r
  smsotp_fd_t *fdp;\r
\r
  fdp = smsotp_getfd(instance);\r
  if (!fdp || fdp->fd == -1)\r
    return RLM_MODULE_FAIL;\r
\r
        /* Get greeting */\r
        SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
\r
        /*\r
         *  Look for the 'state' attribute.\r
         */\r
        state = pairfind(request->packet->vps, PW_STATE);\r
        if (state != NULL) {\r
                DEBUG("rlm_smsotp: Found reply to access challenge");\r
                \r
                /* set username */\r
                smsotp_write(fdp, "check otp for ", 14);\r
                smsotp_write(fdp, (const char *) request->username->vp_strvalue, sizeof(request->username->vp_strvalue));\r
                smsotp_write(fdp, "\n", 1);\r
                SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
                \r
                /* set otp password */\r
                smsotp_write(fdp, "user otp is ", 12);\r
                smsotp_write(fdp, (const char *) request->password->vp_strvalue, sizeof(request->password->vp_strvalue));\r
                smsotp_write(fdp, "\n", 1);\r
                SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
                \r
                /* set uuid */\r
                smsotp_write(fdp, "otp id is ", 10);\r
                smsotp_write(fdp, (const char *) state->vp_strvalue, 36); /* smsotp_write(fdp, (const char *) state->vp_strvalue, sizeof(state->vp_strvalue)); */\r
                smsotp_write(fdp, "\n", 1);\r
                SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
                \r
                /* now check the otp */\r
                smsotp_write(fdp, "get check result\n", 17);\r
                SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
                \r
                /* end the sesssion */\r
                smsotp_write(fdp, "quit\n", 5);\r
                smsotp_putfd(fdp, 1);\r
                \r
                (void) radlog(L_AUTH, "rlm_smsotp: SocketReply is %s ",SocketReply);\r
                \r
                if (strcmp(SocketReply,"OK") == 0)\r
                        return RLM_MODULE_OK;\r
                return RLM_MODULE_FAIL;\r
        }\r
\r
        DEBUG("rlm_smsotp: Generate OTP");\r
  \r
        /* set username */\r
  smsotp_write(fdp, "generate otp for ", 17);\r
  smsotp_write(fdp, (const char *) request->username->vp_strvalue, sizeof(request->username->vp_strvalue));\r
  smsotp_write(fdp, "\n", 1);\r
        SocketReplyLen = smsotp_read(fdp, (char *) SocketReply, sizeof(SocketReply));\r
\r
        /* end the sesssion */\r
  smsotp_write(fdp, "quit\n", 5);\r
        smsotp_putfd(fdp, 1);\r
\r
        (void) radlog(L_AUTH, "rlm_smsotp: Uniq id is %s ",SocketReply);\r
\r
        /* check the return string */\r
        if (strcmp(SocketReply,"FAILED") == 0) { /* smsotp script returns a error */\r
                return RLM_MODULE_FAIL;\r
        } else {\r
                /*\r
                 *  Create the challenge, and add it to the reply.\r
                 */\r
                \r
                reply = pairmake("Reply-Message", opt->smsotp_challengemessage, T_OP_EQ);\r
                pairadd(&request->reply->vps, reply);\r
                state = pairmake("State", SocketReply, T_OP_EQ);\r
                pairadd(&request->reply->vps, state);\r
        \r
                /*\r
                 *  Mark the packet as an Access-Challenge packet.\r
                 *\r
                 *  The server will take care of sending it to the user.\r
                 */\r
                request->reply->code = PW_ACCESS_CHALLENGE;\r
                DEBUG("rlm_smsotp: Sending Access-Challenge.");\r
        \r
                return RLM_MODULE_HANDLED;\r
        }\r
}\r
\r
/*\r
 *      Find the named user in this modules database.  Create the set\r
 *      of attribute-value pairs to check and reply with for this user\r
 *      from the database. The authentication code only needs to check\r
 *      the password, the rest is done here.\r
 */\r
static int smsotp_authorize(void *instance, REQUEST *request)\r
{\r
        VALUE_PAIR *state;\r
        rlm_smsotp_t *opt = instance;\r
\r
        /* quiet the compiler */\r
        instance = instance;\r
        request = request;\r
\r
        /*\r
         *  Look for the 'state' attribute.\r
         */\r
        state = pairfind(request->packet->vps, PW_STATE);\r
        if (state != NULL) {\r
                DEBUG("rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type '%s'",opt->smsotp_authtype);\r
                \r
                pairdelete(&request->config_items, PW_AUTH_TYPE); /* delete old auth-type */\r
                pairadd(&request->config_items, pairmake("Auth-Type", opt->smsotp_authtype, T_OP_SET));\r
        }\r
\r
        return RLM_MODULE_OK;\r
}\r
\r
/*\r
 *      Only free memory we allocated.  The strings allocated via\r
 *      cf_section_parse() do not need to be freed.\r
 */\r
static int smsotp_detach(void *instance)\r
{\r
        free(instance);\r
        return 0;\r
}\r
\r
/* forward declarations */\r
static smsotp_fd_t *smsotp_fd_head;\r
static pthread_mutex_t smsotp_fd_head_mutex = PTHREAD_MUTEX_INITIALIZER;\r
/* forward declarations end */\r
\r
/* socket functions begin */\r
/* connect to socket and return fd */\r
static int smsotp_connect(const char *path)\r
{\r
  int fd;\r
  struct sockaddr_un sa;\r
  size_t sp_len;                /* sun_path length (strlen) */\r
\r
  /* setup for unix domain socket */\r
  sp_len = strlen(path);\r
  if (sp_len > sizeof(sa.sun_path) - 1) {\r
    (void) radlog(L_ERR, "rlm_smsotp: %s: socket name too long", __func__);\r
    return -1;\r
  }\r
  sa.sun_family = AF_UNIX;\r
  (void) strcpy(sa.sun_path, path);\r
\r
  /* connect to socket */\r
  if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) {\r
    (void) radlog(L_ERR, "rlm_smsotp: %s: socket: %s", __func__, strerror(errno));\r
    return -1;\r
  }\r
  if (connect(fd, (struct sockaddr *) &sa, sizeof(sa.sun_family) + sp_len) == -1) {\r
    (void) radlog(L_ERR, "rlm_smsotp: %s: connect(%s): %s", __func__, path, strerror(errno));\r
    (void) close(fd);\r
    return -1;\r
  }\r
  return fd;\r
}\r
\r
/*\r
 * Retrieve an fd (from pool) to use for socket connection.\r
 * It'd be simpler to use TLS but FR can have lots of threads\r
 * and we don't want to waste fd's that way.\r
 * We can't have a global fd because we'd then be pipelining\r
 * requests to otpd and we have no way to demultiplex\r
 * the responses.\r
 */\r
static smsotp_fd_t * smsotp_getfd(const rlm_smsotp_t *opt)\r
{\r
  int rc;\r
  smsotp_fd_t *fdp;\r
\r
  /* walk the connection pool looking for an available fd */\r
  for (fdp = smsotp_fd_head; fdp; fdp = fdp->next) {\r
    rc = smsotp_pthread_mutex_trylock(&fdp->mutex);\r
    if (!rc)\r
      if (!strcmp(fdp->path, opt->smsotp_socket))       /* could just use == */\r
        break;\r
  }\r
\r
  if (!fdp) {\r
    /* no fd was available, add a new one */\r
    fdp = rad_malloc(sizeof(*fdp));\r
    smsotp_pthread_mutex_init(&fdp->mutex, NULL);\r
    smsotp_pthread_mutex_lock(&fdp->mutex);\r
    /* insert new fd at head */\r
    smsotp_pthread_mutex_lock(&smsotp_fd_head_mutex);\r
    fdp->next = smsotp_fd_head;\r
    smsotp_fd_head = fdp;\r
    smsotp_pthread_mutex_unlock(&smsotp_fd_head_mutex);\r
    /* initialize */\r
    fdp->path = opt->smsotp_socket;\r
    fdp->fd = -1;\r
  }\r
\r
  /* establish connection */\r
  if (fdp->fd == -1)\r
    fdp->fd = smsotp_connect(fdp->path);\r
\r
  return fdp;\r
}\r
\r
/* release fd, and optionally disconnect from otpd */\r
static void smsotp_putfd(smsotp_fd_t *fdp, int disconnect)\r
{\r
  if (disconnect) {\r
    (void) close(fdp->fd);\r
    fdp->fd = -1;\r
  }\r
\r
  /* make connection available to another thread */\r
  smsotp_pthread_mutex_unlock(&fdp->mutex);\r
}\r
\r
/*\r
 * Full read with logging, and close on failure.\r
 * Returns nread on success, 0 on EOF, -1 on other failures.\r
 */\r
static int smsotp_read(smsotp_fd_t *fdp, char *buf, size_t len)\r
{\r
  ssize_t n;\r
  size_t nread = 0;     /* bytes read into buf */\r
  \r
  fd_set rfds;\r
  struct timeval tv;\r
  int retval;\r
  FD_ZERO(&rfds);\r
  FD_SET(fdp->fd, &rfds);\r
  tv.tv_sec = 0;\r
  tv.tv_usec = 0;\r
\r
  while (nread < len) {\r
    if ((n = read(fdp->fd, &buf[nread], len - nread)) == -1) {\r
      if (errno == EINTR) {\r
        continue;\r
      } else {\r
        (void) radlog(L_ERR, "rlm_smsotp: %s: read from socket: %s", __func__, strerror(errno));\r
        smsotp_putfd(fdp, 1);\r
        return -1;\r
      }\r
    }\r
    if (!n) {\r
      (void) radlog(L_ERR, "rlm_smsotp: %s: socket disconnect", __func__);\r
      smsotp_putfd(fdp, 1);\r
      return 0;\r
    }\r
    nread += n;\r
//    DEBUG("smsotp_read ... read more ?");\r
    \r
    // check if more data is avalible\r
                retval = select(1, &rfds, NULL, NULL, &tv);\r
                if (!retval) {\r
                        buf[nread]= '\0';\r
                        break;\r
                }\r
//    DEBUG("smsotp_read ... read more ! YES !");\r
\r
  } /*while (more to read) */\r
\r
  return nread;\r
}\r
\r
/*\r
 * Full write with logging, and close on failure.\r
 * Returns 0 on success, errno on failure.\r
 */\r
static int smsotp_write(smsotp_fd_t *fdp, const char *buf, size_t len)\r
{\r
  size_t nleft = len;\r
  ssize_t nwrote;\r
\r
  while (nleft) {\r
    if ((nwrote = write(fdp->fd, &buf[len - nleft], nleft)) == -1) {\r
      if (errno == EINTR || errno == EPIPE) {\r
        continue;\r
      } else {\r
        (void) radlog(L_ERR, "rlm_smsotp: %s: write to socket: %s", __func__, strerror(errno));\r
        smsotp_putfd(fdp, 1);\r
        return errno;\r
      }\r
    }\r
    nleft -= nwrote;\r
  }\r
\r
  return 0;\r
}\r
/* socket functions end */\r
\r
\r
/* mutex functions begin*/\r
/* guaranteed initialization */\r
void _smsotp_pthread_mutex_init(pthread_mutex_t *mutexp, const pthread_mutexattr_t *attr, const char *caller)\r
{\r
  int rc;\r
\r
  if ((rc = pthread_mutex_init(mutexp, attr))) {\r
    (void) radlog(L_ERR|L_CONS, "rlm_smsotp: %s: pthread_mutex_init: %s", caller, strerror(rc));\r
    exit(1);\r
  }\r
}\r
\r
/* guaranteed lock */\r
void _smsotp_pthread_mutex_lock(pthread_mutex_t *mutexp, const char *caller)\r
{\r
  int rc;\r
\r
  if ((rc = pthread_mutex_lock(mutexp))) {\r
    (void) radlog(L_ERR|L_CONS, "rlm_smsotp: %s: pthread_mutex_lock: %s", caller, strerror(rc));\r
    exit(1);\r
  }\r
}\r
\r
/* guaranteed trylock */\r
int _smsotp_pthread_mutex_trylock(pthread_mutex_t *mutexp, const char *caller)\r
{\r
  int rc;\r
\r
  rc = pthread_mutex_trylock(mutexp);\r
  if (rc && rc != EBUSY) {\r
    (void) radlog(L_ERR|L_CONS, "rlm_smsotp: %s: pthread_mutex_trylock: %s", caller, strerror(rc));\r
    exit(1);\r
  }\r
\r
  return rc;\r
}\r
\r
/* guaranteed unlock */\r
void _smsotp_pthread_mutex_unlock(pthread_mutex_t *mutexp, const char *caller)\r
{\r
  int rc;\r
\r
  if ((rc = pthread_mutex_unlock(mutexp))) {\r
    (void) radlog(L_ERR|L_CONS, "rlm_smsotp: %s: pthread_mutex_unlock: %s", caller, strerror(rc));\r
    exit(1);\r
  }\r
}\r
/* mutex functions end */\r
\r
\r
/*\r
 *      The module name should be the only globally exported symbol.\r
 *      That is, everything else should be 'static'.\r
 *\r
 *      If the module needs to temporarily modify it's instantiation\r
 *      data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.\r
 *      The server will then take care of ensuring that the module\r
 *      is single-threaded.\r
 */\r
module_t rlm_smsotp = {\r
        RLM_MODULE_INIT,\r
        "smsotp",\r
        RLM_TYPE_THREAD_SAFE,           /* type */\r
        smsotp_instantiate,             /* instantiation */\r
        smsotp_detach,                  /* detach */\r
        {\r
                smsotp_authenticate,    /* authentication */\r
                smsotp_authorize,       /* authorization */\r
                NULL,   /* preaccounting */\r
                NULL,   /* accounting */\r
                NULL,   /* checksimul */\r
                NULL,                   /* pre-proxy */\r
                NULL,                   /* post-proxy */\r
                NULL                    /* post-auth */\r
        },\r
};\r