* Copyright 2006 The FreeRADIUS server project
*/
-#include <freeradius-devel/ident.h>
RCSID("$Id$")
#include "eap_ttls.h"
/*
- * 0 1 2 3
+ * 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | AVP Code |
+ * | AVP Code |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |V M r r r r r r| AVP Length |
+ * |V M r r r r r r| AVP Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Vendor-ID (opt) |
+ * | Vendor-ID (opt) |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Data ...
* +-+-+-+-+-+-+-+-+
/*
* Verify that the diameter packet is valid.
*/
-static int diameter_verify(REQUEST *request,
- const uint8_t *data, unsigned int data_len)
+static int diameter_verify(REQUEST *request, uint8_t const *data, unsigned int data_len)
{
uint32_t attr;
uint32_t length;
hdr_len = 12;
if (remaining < hdr_len) {
- RDEBUG2(" Diameter attribute is too small (%u) to contain a Diameter header", remaining);
+ RDEBUG2("Diameter attribute is too small (%u) to contain a Diameter header", remaining);
return 0;
}
if ((data[4] & 0x80) != 0) {
if (remaining < 16) {
- RDEBUG2(" Diameter attribute is too small to contain a Diameter header with Vendor-Id");
+ RDEBUG2("Diameter attribute is too small to contain a Diameter header with Vendor-Id");
return 0;
}
* Too short or too long is bad.
*/
if (length <= (hdr_len - 4)) {
- RDEBUG2("Tunneled attribute %u is too short (%u < %u) to contain anything useful.", attr, length, hdr_len);
+ RDEBUG2("Tunneled attribute %u is too short (%u < %u) to contain anything useful.", attr,
+ length, hdr_len);
return 0;
}
if (length > remaining) {
- RDEBUG2("Tunneled attribute %u is longer than room remaining in the packet (%u > %u).", attr, length, remaining);
+ RDEBUG2("Tunneled attribute %u is longer than room remaining in the packet (%u > %u).", attr,
+ length, remaining);
return 0;
}
* of the packet, die.
*/
if (remaining < length) {
- RDEBUG2E("Diameter attribute overflows packet!");
+ REDEBUG2("Diameter attribute overflows packet!");
return 0;
}
* Convert diameter attributes to our VALUE_PAIR's
*/
static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl,
- const uint8_t *data, size_t data_len)
+ uint8_t const *data, size_t data_len)
{
uint32_t attr;
uint32_t vendor;
size_t offset;
size_t size;
size_t data_left = data_len;
+ char *p;
VALUE_PAIR *first = NULL;
- VALUE_PAIR **last = &first;
VALUE_PAIR *vp;
RADIUS_PACKET *packet = fake->packet; /* FIXME: api issues */
+ vp_cursor_t out;
+
+ fr_cursor_init(&out, &first);
while (data_left > 0) {
rad_assert(data_left <= data_len);
* some other module takes care of any attribute
* with the M bit set.
*/
-
+
/*
* Get the length.
*/
* Normal attributes cannot be.
*/
if ((attr > 255) && (vendor == 0)) {
- RDEBUG2W("Skipping Diameter attribute %u",
- attr);
+ RWDEBUG2("Skipping Diameter attribute %u", attr);
goto next_attr;
}
/*
- * EAP-Message AVPs can be larger than 253 octets.
+ * EAP-Message AVPs can be larger than 253 octets.
+ *
+ * For now, we rely on the main decoder in
+ * src/lib/radius to decode data into VPs. This
+ * means putting the data into a RADIUS attribute
+ * format. It also means that we can't handle
+ * "extended" attributes in the Diameter space. Oh well...
*/
if ((size > 253) && !((vendor == 0) && (attr == PW_EAP_MESSAGE))) {
- RDEBUG2W("diameter2vp skipping long attribute %u", attr);
+ RWDEBUG2("diameter2vp skipping long attribute %u", attr);
goto next_attr;
}
memcpy(buffer + 2, data, size);
vp = NULL;
- decoded = rad_attr2vp(NULL, NULL, NULL,
+ decoded = rad_attr2vp(packet, NULL, NULL, NULL,
buffer, size + 2, &vp);
if (decoded < 0) {
- RDEBUG2E("diameter2vp failed decoding attr: %s",
+ REDEBUG2("diameter2vp failed decoding attr: %s",
fr_strerror());
goto do_octets;
}
if ((size_t) decoded != size + 2) {
- RDEBUG2E("diameter2vp failed to entirely decode VSA");
+ REDEBUG2("diameter2vp failed to entirely decode VSA");
pairfree(&vp);
goto do_octets;
}
- *last = vp;
- do {
- last = &(vp->next);
- vp = vp->next;
- } while (vp != NULL);
+ fr_cursor_insert(&out, vp);
goto next_attr;
}
/*
* If it's a type from our dictionary, then
* we need to put the data in a relevant place.
+ *
+ * @todo: Export the lib/radius.c decoder, and use it here!
*/
switch (vp->da->type) {
case PW_TYPE_INTEGER:
case PW_TYPE_DATE:
if (size != vp->length) {
- const DICT_ATTR *da;
+ DICT_ATTR const *da;
/*
* Bad format. Create a "raw"
*/
raw:
if (vp) pairfree(&vp);
- da = dict_attrunknown(attr, vendor, TRUE);
+ da = dict_attrunknown(attr, vendor, true);
if (!da) return NULL;
- vp = pairalloc(NULL, da);
- if (size >= 253) size = 253;
- vp->length = size;
- memcpy(vp->vp_octets, data, vp->length);
+ vp = pairalloc(packet, da);
+ if (!vp) return NULL;
+ pairmemcpy(vp, data, size);
break;
}
memcpy(&vp->vp_integer, data, vp->length);
vp->vp_integer64 = ntohll(vp->vp_integer64);
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
if (size != vp->length) {
RDEBUG2("Invalid length attribute %d",
attr);
vp->vp_signed = ntohl(vp->vp_signed);
break;
- case PW_TYPE_IPV6ADDR:
+ case PW_TYPE_IPV6_ADDR:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6addr, data, vp->length);
break;
- case PW_TYPE_IPV6PREFIX:
+ case PW_TYPE_IPV6_PREFIX:
if (size != vp->length) goto raw;
memcpy(&vp->vp_ipv6prefix, data, vp->length);
break;
/*
- * String, octet, etc. Copy the data from the
- * value field over verbatim.
+ * Ensure it's NUL terminated.
*/
- case PW_TYPE_OCTETS:
- if (attr == PW_EAP_MESSAGE) {
- const uint8_t *eap_message = data;
-
- /*
- * vp exists the first time around.
- */
- while (1) {
- vp->length = size;
- if (vp->length > 253) vp->length = 253;
- memcpy(vp->vp_octets, eap_message,
- vp->length);
-
- size -= vp->length;
- eap_message += vp->length;
-
- *last = vp;
- last = &(vp->next);
-
- if (size == 0) break;
-
- vp = paircreate(packet, attr, vendor);
- if (!vp) {
- RDEBUG2("Failure in creating VP");
- pairfree(&first);
- return NULL;
- }
- }
-
- goto next_attr;
- } /* else it's another kind of attribute */
- /* FALL-THROUGH */
-
- default:
- if (size >= 253) size = 253;
- vp->length = size;
- memcpy(vp->vp_strvalue, data, vp->length);
+ case PW_TYPE_STRING:
+ vp->vp_strvalue = p = talloc_array(vp, char, size + 1);
+ vp->type = VT_DATA;
+ memcpy(p, data, size);
+ p[size] = '\0';
+ vp->length = strlen(p);
break;
- }
- /*
- * User-Password is NUL padded to a multiple
- * of 16 bytes. Let's chop it to something
- * more reasonable.
- *
- * NOTE: This means that the User-Password
- * attribute CANNOT EVER have embedded zeros in it!
- */
- if ((vp->da->vendor == 0) && (vp->da->attr == PW_USER_PASSWORD)) {
/*
- * If the password is exactly 16 octets,
- * it won't be zero-terminated.
+ * Copy it over verbatim.
*/
- vp->vp_strvalue[vp->length] = '\0';
- vp->length = strlen(vp->vp_strvalue);
+ case PW_TYPE_OCTETS:
+ default:
+ pairmemcpy(vp, data, size);
+ break;
}
/*
eapttls_gen_challenge(ssl, challenge,
sizeof(challenge));
-
+
if (memcmp(challenge, vp->vp_octets,
vp->length) != 0) {
RDEBUG("Tunneled challenge is incorrect");
/*
* Update the list.
*/
- *last = vp;
- last = &(vp->next);
+ fr_cursor_insert(&out, vp);
next_attr:
/*
size_t total;
uint64_t attr64;
VALUE_PAIR *vp;
+ vp_cursor_t cursor;
p = buffer;
total = 0;
- for (vp = first; vp != NULL; vp = vp->next) {
+ for (vp = fr_cursor_init(&cursor, &first); vp; vp = fr_cursor_next(&cursor)) {
/*
* Too much data: die.
*/
* together. Maybe we should...
*/
- /*
- * Length is no more than 253, due to RADIUS
- * issues.
- */
length = vp->length;
vendor = vp->da->vendor;
if (vendor != 0) {
length = 8;
break;
- case PW_TYPE_IPADDR:
+ case PW_TYPE_IPV4_ADDR:
memcpy(p, &vp->vp_ipaddr, 4); /* network order */
length = 4;
break;
/*
* Use a reply packet to determine what to do.
*/
-static int process_reply(eap_handler_t *handler, tls_session_t *tls_session,
- REQUEST *request, RADIUS_PACKET *reply)
+static rlm_rcode_t CC_HINT(nonnull) process_reply(UNUSED eap_handler_t *handler, tls_session_t *tls_session,
+ REQUEST *request, RADIUS_PACKET *reply)
{
- int rcode = RLM_MODULE_REJECT;
+ rlm_rcode_t rcode = RLM_MODULE_REJECT;
VALUE_PAIR *vp;
ttls_tunnel_t *t = tls_session->opaque;
- handler = handler; /* -Wunused */
- rad_assert(request != NULL);
rad_assert(handler->request == request);
/*
* NOT 'eap start', so we should check for that....
*/
switch (reply->code) {
- case PW_AUTHENTICATION_ACK:
+ case PW_CODE_ACCESS_ACCEPT:
RDEBUG("Got tunneled Access-Accept");
rcode = RLM_MODULE_OK;
vp = NULL;
pairfilter(tls_session, &vp, &reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
if (vp) {
- RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
+ RDEBUG("Got MS-CHAP2-Success, tunneling it to the client in a challenge");
rcode = RLM_MODULE_HANDLED;
- t->authenticated = TRUE;
+ t->authenticated = true;
/*
* Delete MPPE keys & encryption policy. We don't
break;
- case PW_AUTHENTICATION_REJECT:
+ case PW_CODE_ACCESS_REJECT:
RDEBUG("Got tunneled Access-Reject");
rcode = RLM_MODULE_REJECT;
break;
* an Access-Challenge means that we MUST tunnel
* a Reply-Message to the client.
*/
- case PW_ACCESS_CHALLENGE:
+ case PW_CODE_ACCESS_CHALLENGE:
RDEBUG("Got tunneled Access-Challenge");
/*
/*
* Do post-proxy processing,
*/
-static int eapttls_postproxy(eap_handler_t *handler, void *data)
+static int CC_HINT(nonnull) eapttls_postproxy(eap_handler_t *handler, void *data)
{
int rcode;
tls_session_t *tls_session = (tls_session_t *) data;
REQUEST *fake, *request = handler->request;
- rad_assert(request != NULL);
- RDEBUG("Passing reply from proxy back into the tunnel.");
+ RDEBUG("Passing reply from proxy back into the tunnel");
/*
* If there was a fake request associated with the proxied
/*
* Do the callback, if it exists, and if it was a success.
*/
- if (fake &&
- handler->request->proxy_reply &&
- (handler->request->proxy_reply->code == PW_AUTHENTICATION_ACK)) {
+ if (fake && (handler->request->proxy_reply->code == PW_CODE_ACCESS_ACCEPT)) {
/*
* Terrible hacks.
*/
rad_assert(!fake->packet);
- fake->packet = request->proxy;
+ fake->packet = talloc_steal(fake, request->proxy);
fake->packet->src_ipaddr = request->packet->src_ipaddr;
request->proxy = NULL;
rad_assert(!fake->reply);
- fake->reply = request->proxy_reply;
+ fake->reply = talloc_steal(fake, request->proxy_reply);
request->proxy_reply = NULL;
if ((debug_flag > 0) && fr_log_fp) {
* Perform a post-auth stage for the tunneled
* session.
*/
- fake->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ fake->log.lvl &= ~RAD_REQUEST_OPTION_PROXY_EAP;
rcode = rad_postauth(fake);
RDEBUG2("post-auth returns %d", rcode);
if ((debug_flag > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(!fake->server) ? "" : fake->server);
-
+
RDEBUG("Final reply from tunneled session code %d",
fake->reply->code);
debug_pair_list(fake->reply->vps);
/*
* Terrible hacks.
*/
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
fake->packet = NULL;
- request->proxy_reply = fake->reply;
+ request->proxy_reply = talloc_steal(request, fake->reply);
fake->reply = NULL;
/*
switch (rcode) {
case RLM_MODULE_FAIL:
- request_free(&fake);
+ talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
- break;
default: /* Don't Do Anything */
RDEBUG2("Got reply %d",
break;
}
}
- request_free(&fake); /* robust if !fake */
+ talloc_free(fake); /* robust if !fake */
/*
* Process the reply from the home server.
*/
- rcode = process_reply(handler, tls_session, handler->request,
- handler->request->proxy_reply);
+ rcode = process_reply(handler, tls_session, handler->request, handler->request->proxy_reply);
/*
* The proxy code uses the reply from the home server as
case RLM_MODULE_HANDLED:
RDEBUG("Reply was handled");
eaptls_request(handler->eap_ds, tls_session);
+ request->proxy_reply->code = PW_CODE_ACCESS_CHALLENGE;
return 1;
case RLM_MODULE_OK:
return eaptls_success(handler, 0);
default:
- RDEBUG("Reply was unknown.");
+ RDEBUG("Reply was unknown");
break;
}
return 0;
}
-
-/*
- * Free a request.
- */
-static void my_request_free(void *data)
-{
- REQUEST *request = (REQUEST *)data;
-
- request_free(&request);
-}
#endif /* WITH_PROXY */
/*
*/
int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
- int rcode = PW_AUTHENTICATION_REJECT;
+ int code = PW_CODE_ACCESS_REJECT;
+ rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
- const uint8_t *data;
+ uint8_t const *data;
size_t data_len;
REQUEST *request = handler->request;
- rad_assert(request != NULL);
-
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
if (data_len == 0) {
if (t->authenticated) {
- RDEBUG("Got ACK, and the user was already authenticated.");
- return PW_AUTHENTICATION_ACK;
+ RDEBUG("Got ACK, and the user was already authenticated");
+ return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* wrong.
*/
RDEBUG2("SSL_read Error");
- return PW_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
#endif
if (!diameter_verify(request, data, data_len)) {
- return PW_AUTHENTICATION_REJECT;
+ return PW_CODE_ACCESS_REJECT;
}
/*
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
- request_free(&fake);
- return PW_AUTHENTICATION_REJECT;
+ talloc_free(fake);
+ return PW_CODE_ACCESS_REJECT;
}
/*
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
+ char *p;
+
/*
* Create & remember a User-Name
*/
- t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ);
+ t->username = pairmake(t, NULL, "User-Name", NULL, T_OP_EQ);
rad_assert(t->username != NULL);
-
- memcpy(t->username->vp_strvalue, vp->vp_strvalue + 5,
- vp->length - 5);
t->username->length = vp->length - 5;
- t->username->vp_strvalue[t->username->length] = 0;
+
+ t->username->vp_strvalue = p = talloc_array(t->username, char,
+ t->username->length + 1);
+ memcpy(p, vp->vp_octets + 5, t->username->length);
+ p[t->username->length] = 0;
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
* set it here.
*/
if (t->default_method != 0) {
- RDEBUG("Setting default EAP type for tunneled EAP session.");
+ RDEBUG("Setting default EAP type for tunneled EAP session");
vp = paircreate(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
* as it's permitted to do EAP without
* user-name.
*/
- RDEBUG2W("No EAP-Identity found to start EAP conversation.");
+ RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
+ vp_cursor_t cursor;
- for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
+ for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
-
- debug_pair_list(fake->packet->vps);
-
- fprintf(fr_log_fp, "server %s {\n",
- (!fake->server) ? "" : fake->server);
}
/*
rad_virtual_server(fake);
/*
- * Note that we don't do *anything* with the reply
- * attributes.
- */
- if ((debug_flag > 0) && fr_log_fp) {
- fprintf(fr_log_fp, "} # server %s\n",
- (!fake->server) ? "" : fake->server);
-
- RDEBUG("Got tunneled reply code %d", fake->reply->code);
-
- debug_pair_list(fake->reply->vps);
- }
-
- /*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
* Tell the original request that it's going
* to be proxied.
*/
- pairfilter(request, &(request->config_items),
- &(fake->config_items),
+ pairfilter(request, &request->config_items,
+ &fake->config_items,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* tunneled request.
*/
rad_assert(!request->proxy);
- request->proxy = fake->packet;
+ request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
/*
* Associate the callback with the request.
*/
- rcode = request_data_add(request,
- request->proxy,
- REQUEST_DATA_EAP_TUNNEL_CALLBACK,
- tunnel, NULL);
- rad_assert(rcode == 0);
+ code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
+ tunnel, false);
+ rad_assert(code == 0);
/*
* rlm_eap.c has taken care of associating
* So we associate the fake request with
* this request.
*/
- rcode = request_data_add(request,
- request->proxy,
- REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
- fake, my_request_free);
- rad_assert(rcode == 0);
+ code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
+ fake, true);
+ rad_assert(code == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
- rcode = PW_STATUS_CLIENT;
+ code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
- rcode = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
}
break;
default:
/*
- * Returns RLM_MODULE_FOO, and we want to return
- * PW_FOO
+ * Returns RLM_MODULE_FOO, and we want to return PW_FOO
*/
- rcode = process_reply(handler, tls_session, request,
- fake->reply);
+ rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
- rcode = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
- rcode = PW_ACCESS_CHALLENGE;
+ code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
- rcode = PW_AUTHENTICATION_ACK;
+ code = PW_CODE_ACCESS_ACCEPT;
break;
default:
- rcode = PW_AUTHENTICATION_REJECT;
+ code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
- request_free(&fake);
+ talloc_free(fake);
- return rcode;
+ return code;
}
projects / freeradius.git / blobdiff