2 * radeapclient.c EAP specific radius packet debug tool.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
27 #include <freeradius-devel/libradius.h>
35 #include <freeradius-devel/conf.h>
36 #include <freeradius-devel/radpaths.h>
37 #include <freeradius-devel/md5.h>
39 #include "eap_types.h"
42 extern int sha1_data_problems;
44 static int retries = 10;
45 static float timeout = 3;
46 static char const *secret = NULL;
47 static int do_output = 1;
48 static int do_summary = 0;
49 static bool filedone = false;
50 static int totalapp = 0;
51 static int totaldeny = 0;
52 static char filesecret[256];
53 char const *radius_dir = NULL;
54 char const *dict_dir = NULL;
55 char const *progname = "radeapclient";
56 /* fr_randctx randctx; */
58 struct main_config_t main_config;
59 char const *radiusd_version = "";
62 #include <freeradius-devel/tls.h>
65 log_debug_t debug_flag = 0;
68 struct eapsim_keys eapsim_mk;
70 static void map_eap_methods(RADIUS_PACKET *req);
71 static void unmap_eap_methods(RADIUS_PACKET *rep);
72 static int map_eapsim_types(RADIUS_PACKET *r);
73 static int unmap_eapsim_types(RADIUS_PACKET *r);
75 static void NEVER_RETURNS usage(void)
77 fprintf(stdout, "Usage: radeapclient [options] server[:port] <command> [<secret>]");
79 fprintf(stdout, " <command> One of auth, acct, status, or disconnect.");
80 fprintf(stdout, " -d raddb Set dictionary directory.");
81 fprintf(stdout, " -f file Read packets from file, not stdin.");
82 fprintf(stdout, " -r retries If timeout, retry sending the packet 'retries' times.");
83 fprintf(stdout, " -t timeout Wait 'timeout' seconds before retrying (may be a floating point number).");
84 fprintf(stdout, " -h Print usage help information.");
85 fprintf(stdout, " -i id Set request id to 'id'. Values may be 0..255");
86 fprintf(stdout, " -S file read secret from file, not command line.");
87 fprintf(stdout, " -q Do not print anything out.");
88 fprintf(stdout, " -s Print out summary information of auth results.");
89 fprintf(stdout, " -v Show program version information.");
90 fprintf(stdout, " -x Debugging mode.");
91 fprintf(stdout, " -4 Use IPv4 address of server");
92 fprintf(stdout, " -6 Use IPv6 address of server.");
96 int rad_virtual_server(REQUEST UNUSED *request)
98 /*We're not the server so we cannot do this*/
102 static uint16_t getport(char const *name)
106 svp = getservbyname (name, "udp");
111 return ntohs(svp->s_port);
116 static void debug_packet(RADIUS_PACKET *packet, int direction)
120 char const *received, *from;
121 fr_ipaddr_t const *ip;
126 if (direction == 0) {
127 received = "Received";
128 from = "from"; /* what else? */
129 ip = &packet->src_ipaddr;
130 port = packet->src_port;
133 received = "Sending";
134 from = "to"; /* hah! */
135 ip = &packet->dst_ipaddr;
136 port = packet->dst_port;
140 * Client-specific debugging re-prints the input
141 * packet into the client log.
143 * This really belongs in a utility library
145 if (is_radius_code(packet->code)) {
146 DEBUG("%s %s packet %s host %s port %d, id=%d, length=%d",
147 received, fr_packet_codes[packet->code], from,
148 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
149 port, packet->id, (int) packet->data_len);
151 DEBUG("%s packet %s host %s port %d code=%d, id=%d, length=%d",
153 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
155 packet->code, packet->id, (int) packet->data_len);
158 for (vp = packet->vps; vp != NULL; vp = vp->next) {
159 vp_prints(buffer, sizeof(buffer), vp);
160 DEBUG("\t%s", buffer);
166 static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
171 if (!req || !rep || !*rep) return -1;
173 for (i = 0; i < retries; i++) {
176 debug_packet(req, R_SENT);
178 if (rad_send(req, NULL, secret) < 0) {
179 ERROR("%s", fr_strerror());
183 /* And wait for reply, timing out as necessary */
185 FD_SET(req->sockfd, &rdfdesc);
187 tv.tv_sec = (int)timeout;
188 tv.tv_usec = 1000000 * (timeout - (int) timeout);
190 /* Something's wrong if we don't get exactly one fd. */
191 if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
195 *rep = rad_recv(req->sockfd, 0);
198 * If we get a response from a machine
199 * which we did NOT send a request to,
202 if (((*rep)->src_ipaddr.af != req->dst_ipaddr.af) ||
203 (memcmp(&(*rep)->src_ipaddr.ipaddr,
204 &req->dst_ipaddr.ipaddr,
205 ((req->dst_ipaddr.af == AF_INET ? /* AF_INET6? */
206 sizeof(req->dst_ipaddr.ipaddr.ip4addr) : /* FIXME: AF_INET6 */
207 sizeof(req->dst_ipaddr.ipaddr.ip6addr)))) != 0) ||
208 ((*rep)->src_port != req->dst_port)) {
209 char src[128], dst[128];
211 ip_ntoh(&(*rep)->src_ipaddr, src, sizeof(src));
212 ip_ntoh(&req->dst_ipaddr, dst, sizeof(dst));
213 ERROR("ERROR: Sent request to host %s port %d, got response from host %s port %d!",
215 src, (*rep)->src_port);
219 } else { /* NULL: couldn't receive the packet */
220 ERROR("%s", fr_strerror());
225 /* No response or no data read (?) */
227 ERROR("rad_client: no response from server");
232 * FIXME: Discard the packet & listen for another.
234 * Hmm... we should really be using eapol_test, which does
235 * a lot more than radeapclient.
237 if (rad_verify(*rep, req, secret) != 0) {
238 ERROR("rad_verify: %s", fr_strerror());
242 if (rad_decode(*rep, req, secret) != 0) {
243 ERROR("rad_decode: %s", fr_strerror());
247 /* libradius debug already prints out the value pairs for us */
248 if (!fr_debug_flag && do_output) {
249 debug_packet(*rep, R_RECV);
251 if((*rep)->code == PW_CODE_ACCESS_ACCEPT) {
253 } else if ((*rep)->code == PW_CODE_ACCESS_REJECT) {
260 static void cleanresp(RADIUS_PACKET *resp)
262 VALUE_PAIR *vpnext, *vp, **last;
266 * maybe should just copy things we care about, or keep
267 * a copy of the original input and start from there again?
269 pairdelete(&resp->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
270 pairdelete(&resp->vps, PW_EAP_TYPE_BASE+PW_EAP_IDENTITY, 0, TAG_ANY);
273 for(vp = *last; vp != NULL; vp = vpnext)
277 if((vp->da->attr > PW_EAP_TYPE_BASE &&
278 vp->da->attr <= PW_EAP_TYPE_BASE+256) ||
279 (vp->da->attr > PW_EAP_SIM_BASE &&
280 vp->da->attr <= PW_EAP_SIM_BASE+256))
291 * we got an EAP-Request/Sim/Start message in a legal state.
293 * pick a supported version, put it into the reply, and insert a nonce.
295 static int process_eap_start(RADIUS_PACKET *req,
298 VALUE_PAIR *vp, *newvp;
299 VALUE_PAIR *anyidreq_vp, *fullauthidreq_vp, *permanentidreq_vp;
300 uint16_t const *versions;
301 uint16_t selectedversion;
302 unsigned int i,versioncount;
304 /* form new response clear of any EAP stuff */
307 if((vp = pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_VERSION_LIST, 0, TAG_ANY)) == NULL) {
308 ERROR("illegal start message has no VERSION_LIST");
312 versions = (uint16_t const *) vp->vp_strvalue;
314 /* verify that the attribute length is big enough for a length field */
317 ERROR("start message has illegal VERSION_LIST. Too short: %u", (unsigned int) vp->length);
321 versioncount = ntohs(versions[0])/2;
322 /* verify that the attribute length is big enough for the given number
323 * of versions present.
325 if((unsigned)vp->length <= (versioncount*2 + 2))
327 ERROR("start message is too short. Claimed %d versions does not fit in %u bytes", versioncount, (unsigned int) vp->length);
332 * record the versionlist for the MK calculation.
334 eapsim_mk.versionlistlen = versioncount*2;
335 memcpy(eapsim_mk.versionlist, (unsigned char const *)(versions+1),
336 eapsim_mk.versionlistlen);
338 /* walk the version list, and pick the one we support, which
339 * at present, is 1, EAP_SIM_VERSION.
342 for(i=0; i < versioncount; i++)
344 if(ntohs(versions[i+1]) == EAP_SIM_VERSION)
346 selectedversion=EAP_SIM_VERSION;
350 if(selectedversion == 0)
352 ERROR("eap-sim start message. No compatible version found. We need %d", EAP_SIM_VERSION);
353 for(i=0; i < versioncount; i++)
355 ERROR("\tfound version %d",
356 ntohs(versions[i+1]));
361 * now make sure that we have only FULLAUTH_ID_REQ.
362 * I think that it actually might not matter - we can answer in
363 * anyway we like, but it is illegal to have more than one
366 anyidreq_vp = pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_ANY_ID_REQ, 0, TAG_ANY);
367 fullauthidreq_vp = pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_FULLAUTH_ID_REQ, 0, TAG_ANY);
368 permanentidreq_vp = pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_PERMANENT_ID_REQ, 0, TAG_ANY);
370 if(!fullauthidreq_vp ||
371 anyidreq_vp != NULL ||
372 permanentidreq_vp != NULL) {
373 ERROR("start message has %sanyidreq, %sfullauthid and %spermanentid. Illegal combination.",
374 (anyidreq_vp != NULL ? "a ": "no "),
375 (fullauthidreq_vp != NULL ? "a ": "no "),
376 (permanentidreq_vp != NULL ? "a ": "no "));
380 /* okay, we have just any_id_req there, so fill in response */
382 /* mark the subtype as being EAP-SIM/Response/Start */
383 newvp = paircreate(rep, PW_EAP_SIM_SUBTYPE, 0);
384 newvp->vp_integer = eapsim_start;
385 pairreplace(&(rep->vps), newvp);
387 /* insert selected version into response. */
389 uint16_t no_versions;
391 no_versions = htons(selectedversion);
393 newvp = paircreate(rep, PW_EAP_SIM_BASE + PW_EAP_SIM_SELECTED_VERSION, 0);
394 pairmemcpy(newvp, (uint8_t *) &no_versions, 2);
395 pairreplace(&(rep->vps), newvp);
397 /* record the selected version */
398 memcpy(eapsim_mk.versionselect, &no_versions, 2);
407 * insert a nonce_mt that we make up.
414 newvp = paircreate(rep, PW_EAP_SIM_BASE+PW_EAP_SIM_NONCE_MT, 0);
416 p = talloc_zero_array(newvp, uint8_t, 18); /* 18 = 16 bytes of nonce + padding */
417 memcpy(&p[2], nonce, 16);
418 pairmemsteal(newvp, p);
420 pairreplace(&(rep->vps), newvp);
422 /* also keep a copy of the nonce! */
423 memcpy(eapsim_mk.nonce_mt, nonce, 16);
432 * insert the identity here.
434 vp = pairfind(rep->vps, PW_USER_NAME, 0, TAG_ANY);
437 ERROR("eap-sim: We need to have a User-Name attribute!");
440 newvp = paircreate(rep, PW_EAP_SIM_BASE+PW_EAP_SIM_IDENTITY, 0);
442 idlen = strlen(vp->vp_strvalue);
443 p = talloc_zero_array(newvp, uint8_t, idlen + 2);
444 no_idlen = htons(idlen);
445 memcpy(p, &no_idlen, 2);
446 memcpy(p + 2, vp->vp_strvalue, idlen);
447 pairmemsteal(newvp, p);
449 pairreplace(&(rep->vps), newvp);
452 memcpy(eapsim_mk.identity, vp->vp_strvalue, idlen);
453 eapsim_mk.identitylen = idlen;
460 * we got an EAP-Request/Sim/Challenge message in a legal state.
462 * use the RAND challenge to produce the SRES result, and then
463 * use that to generate a new MAC.
465 * for the moment, we ignore the RANDs, then just plug in the SRES
469 static int process_eap_challenge(RADIUS_PACKET *req, RADIUS_PACKET *rep)
472 VALUE_PAIR *mac, *randvp;
473 VALUE_PAIR *sres1,*sres2,*sres3;
474 VALUE_PAIR *Kc1, *Kc2, *Kc3;
477 /* look for the AT_MAC and the challenge data */
478 mac = pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
479 randvp= pairfind(req->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_RAND, 0, TAG_ANY);
480 if(!mac || !randvp) {
481 ERROR("challenge message needs to contain RAND and MAC");
486 * compare RAND with randX, to verify this is the right response
490 VALUE_PAIR *randcfgvp[3];
491 uint8_t const *randcfg[3];
493 randcfg[0] = &randvp->vp_octets[2];
494 randcfg[1] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE];
495 randcfg[2] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE*2];
497 randcfgvp[0] = pairfind(rep->vps, PW_EAP_SIM_RAND1, 0, TAG_ANY);
498 randcfgvp[1] = pairfind(rep->vps, PW_EAP_SIM_RAND2, 0, TAG_ANY);
499 randcfgvp[2] = pairfind(rep->vps, PW_EAP_SIM_RAND3, 0, TAG_ANY);
504 ERROR("needs to have rand1, 2 and 3 set.");
508 if(memcmp(randcfg[0], randcfgvp[0]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
509 memcmp(randcfg[1], randcfgvp[1]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
510 memcmp(randcfg[2], randcfgvp[2]->vp_octets, EAPSIM_RAND_SIZE)!=0) {
513 ERROR("one of rand 1,2,3 didn't match");
514 for(rnum = 0; rnum < 3; rnum++) {
515 ERROR("received rand %d: ", rnum);
517 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
524 ERROR("%02x", randcfg[rnum][i]);
526 ERROR("configured rand %d: ", rnum);
528 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
535 ERROR("%02x", randcfgvp[rnum]->vp_octets[i]);
543 * now dig up the sres values from the response packet,
544 * which were put there when we read things in.
546 * Really, they should be calculated from the RAND!
549 sres1 = pairfind(rep->vps, PW_EAP_SIM_SRES1, 0, TAG_ANY);
550 sres2 = pairfind(rep->vps, PW_EAP_SIM_SRES2, 0, TAG_ANY);
551 sres3 = pairfind(rep->vps, PW_EAP_SIM_SRES3, 0, TAG_ANY);
556 ERROR("needs to have sres1, 2 and 3 set.");
559 memcpy(eapsim_mk.sres[0], sres1->vp_strvalue, sizeof(eapsim_mk.sres[0]));
560 memcpy(eapsim_mk.sres[1], sres2->vp_strvalue, sizeof(eapsim_mk.sres[1]));
561 memcpy(eapsim_mk.sres[2], sres3->vp_strvalue, sizeof(eapsim_mk.sres[2]));
563 Kc1 = pairfind(rep->vps, PW_EAP_SIM_KC1, 0, TAG_ANY);
564 Kc2 = pairfind(rep->vps, PW_EAP_SIM_KC2, 0, TAG_ANY);
565 Kc3 = pairfind(rep->vps, PW_EAP_SIM_KC3, 0, TAG_ANY);
570 ERROR("needs to have Kc1, 2 and 3 set.");
573 memcpy(eapsim_mk.Kc[0], Kc1->vp_strvalue, sizeof(eapsim_mk.Kc[0]));
574 memcpy(eapsim_mk.Kc[1], Kc2->vp_strvalue, sizeof(eapsim_mk.Kc[1]));
575 memcpy(eapsim_mk.Kc[2], Kc3->vp_strvalue, sizeof(eapsim_mk.Kc[2]));
577 /* all set, calculate keys */
578 eapsim_calculate_keys(&eapsim_mk);
581 eapsim_dump_mk(&eapsim_mk);
584 /* verify the MAC, now that we have all the keys. */
585 if(eapsim_checkmac(NULL, req->vps, eapsim_mk.K_aut,
586 eapsim_mk.nonce_mt, sizeof(eapsim_mk.nonce_mt),
588 DEBUG("MAC check succeed");
592 DEBUG("calculated MAC (");
593 for (i = 0; i < 20; i++) {
600 DEBUG("%02x", calcmac[i]);
602 DEBUG("did not match");
606 /* form new response clear of any EAP stuff */
609 /* mark the subtype as being EAP-SIM/Response/Start */
610 newvp = paircreate(rep, PW_EAP_SIM_SUBTYPE, 0);
611 newvp->vp_integer = eapsim_challenge;
612 pairreplace(&(rep->vps), newvp);
617 * fill the SIM_MAC with a field that will in fact get appended
618 * to the packet before the MAC is calculated
620 newvp = paircreate(rep, PW_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0);
622 p = talloc_zero_array(newvp, uint8_t, EAPSIM_SRES_SIZE*3);
623 memcpy(p+EAPSIM_SRES_SIZE * 0, sres1->vp_strvalue, EAPSIM_SRES_SIZE);
624 memcpy(p+EAPSIM_SRES_SIZE * 1, sres2->vp_strvalue, EAPSIM_SRES_SIZE);
625 memcpy(p+EAPSIM_SRES_SIZE * 2, sres3->vp_strvalue, EAPSIM_SRES_SIZE);
626 pairmemsteal(newvp, p);
628 pairreplace(&(rep->vps), newvp);
631 newvp = paircreate(rep, PW_EAP_SIM_KEY, 0);
632 pairmemcpy(newvp, eapsim_mk.K_aut, EAPSIM_AUTH_SIZE);
634 pairreplace(&(rep->vps), newvp);
640 * this code runs the EAP-SIM client state machine.
641 * the *request* is from the server.
642 * the *reponse* is to the server.
645 static int respond_eap_sim(RADIUS_PACKET *req, RADIUS_PACKET *resp)
647 enum eapsim_clientstates state, newstate;
648 enum eapsim_subtype subtype;
649 VALUE_PAIR *vp, *statevp, *radstate, *eapid;
650 char statenamebuf[32], subtypenamebuf[32];
652 if ((radstate = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
657 if ((eapid = paircopy2(NULL, req->vps, PW_EAP_ID, 0, TAG_ANY)) == NULL)
662 /* first, dig up the state from the request packet, setting
663 * outselves to be in EAP-SIM-Start state if there is none.
666 if((statevp = pairfind(resp->vps, PW_EAP_SIM_STATE, 0, TAG_ANY)) == NULL)
668 /* must be initial request */
669 statevp = paircreate(resp, PW_EAP_SIM_STATE, 0);
670 statevp->vp_integer = eapsim_client_init;
671 pairreplace(&(resp->vps), statevp);
673 state = statevp->vp_integer;
676 * map the attributes, and authenticate them.
678 unmap_eapsim_types(req);
680 if((vp = pairfind(req->vps, PW_EAP_SIM_SUBTYPE, 0, TAG_ANY)) == NULL)
684 subtype = vp->vp_integer;
687 * look for the appropriate state, and process incoming message
690 case eapsim_client_init:
693 newstate = process_eap_start(req, resp);
696 case eapsim_challenge:
697 case eapsim_notification:
700 ERROR("sim in state %s message %s is illegal. Reply dropped.",
701 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
702 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
703 /* invalid state, drop message */
708 case eapsim_client_start:
711 /* NOT SURE ABOUT THIS ONE, retransmit, I guess */
712 newstate = process_eap_start(req, resp);
715 case eapsim_challenge:
716 newstate = process_eap_challenge(req, resp);
720 ERROR("sim in state %s message %s is illegal. Reply dropped.",
721 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
722 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
723 /* invalid state, drop message */
730 ERROR("sim in illegal state %s",
731 sim_state2name(state, statenamebuf, sizeof(statenamebuf)));
735 /* copy the eap state object in */
736 pairreplace(&(resp->vps), eapid);
738 /* update stete info, and send new packet */
739 map_eapsim_types(resp);
741 /* copy the radius state object in */
742 pairreplace(&(resp->vps), radstate);
744 statevp->vp_integer = newstate;
748 static int respond_eap_md5(RADIUS_PACKET *req,
751 VALUE_PAIR *vp, *id, *state;
754 uint8_t const *value;
756 uint8_t response[16];
760 if ((state = paircopy2(NULL, req->vps, PW_STATE, 0, TAG_ANY)) == NULL)
762 ERROR("no state attribute found");
766 if ((id = paircopy2(NULL, req->vps, PW_EAP_ID, 0, TAG_ANY)) == NULL)
768 ERROR("no EAP-ID attribute found");
771 identifier = id->vp_integer;
773 if ((vp = pairfind(req->vps, PW_EAP_TYPE_BASE+PW_EAP_MD5, 0, TAG_ANY)) == NULL)
775 ERROR("no EAP-MD5 attribute found");
779 /* got the details of the MD5 challenge */
780 valuesize = vp->vp_octets[0];
781 value = &vp->vp_octets[1];
784 if(valuesize > vp->length)
786 ERROR("md5 valuesize if too big (%u > %u)",
787 (unsigned int) valuesize, (unsigned int) vp->length);
791 /* now do the CHAP operation ourself, rather than build the
792 * buffer. We could also call rad_chap_encode, but it wants
793 * a CHAP-Challenge, which we don't want to bother with.
795 fr_md5_init(&context);
796 fr_md5_update(&context, &identifier, 1);
797 fr_md5_update(&context, (uint8_t *) password, strlen(password));
798 fr_md5_update(&context, value, valuesize);
799 fr_md5_final(response, &context);
805 vp = paircreate(rep, PW_EAP_TYPE_BASE+PW_EAP_MD5, 0);
808 p = talloc_zero_array(vp, uint8_t, 17);
810 memcpy(p, &lg_response, 1);
811 memcpy(p + 1, response, 16);
814 pairreplace(&(rep->vps), vp);
816 pairreplace(&(rep->vps), id);
818 /* copy the state object in */
819 pairreplace(&(rep->vps), state);
826 static int sendrecv_eap(RADIUS_PACKET *rep)
828 RADIUS_PACKET *req = NULL;
829 VALUE_PAIR *vp, *vpnext;
830 int tried_eap_md5 = 0;
835 * Keep a copy of the the User-Password attribute.
837 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
838 strlcpy(password, vp->vp_strvalue, sizeof(password));
840 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
841 strlcpy(password, vp->vp_strvalue, sizeof(password));
843 * Otherwise keep a copy of the CHAP-Password attribute.
845 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
846 strlcpy(password, vp->vp_strvalue, sizeof(password));
855 * if there are EAP types, encode them into an EAP-Message
858 map_eap_methods(rep);
861 * Fix up Digest-Attributes issues
863 for (vp = rep->vps; vp != NULL; vp = vp->next) {
864 switch (vp->da->attr) {
868 case PW_DIGEST_REALM:
869 case PW_DIGEST_NONCE:
870 case PW_DIGEST_METHOD:
873 case PW_DIGEST_ALGORITHM:
874 case PW_DIGEST_BODY_DIGEST:
875 case PW_DIGEST_CNONCE:
876 case PW_DIGEST_NONCE_COUNT:
877 case PW_DIGEST_USER_NAME:
883 p = talloc_array(vp, uint8_t, vp->length + 2);
885 memcpy(p + 2, vp->vp_octets, vp->length);
886 p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
890 da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
894 * Re-do pairmemsteal ourselves,
895 * because we play games with
896 * vp->da, and pairmemsteal goes
897 * to GREAT lengths to sanitize
898 * and fix and change and
899 * double-check the various
902 memcpy(&q, &vp->vp_octets, sizeof(q));
905 vp->vp_octets = talloc_steal(vp, p);
915 * If we've already sent a packet, free up the old
916 * one, and ensure that the next packet has a unique
917 * ID and authentication vector.
920 talloc_free(rep->data);
924 fr_md5_calc(rep->vector, rep->vector, sizeof(rep->vector));
926 if (*password != '\0') {
927 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) != NULL) {
928 pairstrcpy(vp, password);
930 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
931 pairstrcpy(vp, password);
933 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
934 pairstrcpy(vp, password);
937 p = talloc_zero_array(vp, uint8_t, 17);
938 rad_chap_encode(rep, p, rep->id, vp);
941 } /* there WAS a password */
943 /* send the response, wait for the next request */
944 send_packet(req, &rep);
946 ERROR("Failed getting response");
950 /* okay got back the packet, go and decode the EAP-Message. */
951 unmap_eap_methods(req);
953 debug_packet(req, R_RECV);
955 /* now look for the code type. */
956 for (vp = req->vps; vp != NULL; vp = vpnext) {
959 switch (vp->da->attr) {
963 case PW_EAP_TYPE_BASE + PW_EAP_MD5:
964 if (respond_eap_md5(req, rep) && tried_eap_md5 < 3) {
970 case PW_EAP_TYPE_BASE + PW_EAP_SIM:
971 if (respond_eap_sim(req, rep)) {
982 void set_radius_dir(TALLOC_CTX *ctx, char const *path)
987 memcpy(&p, &radius_dir, sizeof(p));
991 if (path) radius_dir = talloc_strdup(ctx, path);
995 int main(int argc, char **argv)
1001 char *filename = NULL;
1004 int force_af = AF_UNSPEC;
1006 static fr_log_t radclient_log = {
1008 .fd = STDOUT_FILENO,
1009 .dst = L_DST_STDOUT,
1014 radlog_init(&radclient_log, false);
1017 * We probably don't want to free the talloc autofree context
1018 * directly, so we'll allocate a new context beneath it, and
1019 * free that before any leak reports.
1021 TALLOC_CTX *autofree = talloc_init("main");
1023 id = ((int)getpid() & 0xff);
1026 set_radius_dir(autofree, RADIUS_DIR);
1028 while ((c = getopt(argc, argv, "46c:d:D:f:hi:qst:r:S:xXv")) != EOF)
1035 force_af = AF_INET6;
1038 set_radius_dir(autofree, optarg);
1041 main_config.dictionary_dir = talloc_typed_strdup(NULL, optarg);
1056 sha1_data_problems = 1; /* for debugging only */
1063 if (!isdigit((int) *optarg))
1065 retries = atoi(optarg);
1068 if (!isdigit((int) *optarg))
1071 if ((id < 0) || (id > 255)) {
1079 if (!isdigit((int) *optarg))
1081 timeout = atof(optarg);
1084 printf("$Id$ built on "__DATE__ "at "__TIME__ "");
1088 fp = fopen(optarg, "r");
1090 ERROR("Error opening %s: %s",
1091 optarg, fr_syserror(errno));
1094 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1095 ERROR("Error reading %s: %s",
1096 optarg, fr_syserror(errno));
1101 /* truncate newline */
1102 p = filesecret + strlen(filesecret) - 1;
1103 while ((p >= filesecret) &&
1109 if (strlen(filesecret) < 2) {
1110 ERROR("Secret in %s is too short", optarg);
1113 secret = filesecret;
1121 argc -= (optind - 1);
1122 argv += (optind - 1);
1125 ((!secret) && (argc < 4))) {
1130 if (!main_config.dictionary_dir) {
1131 main_config.dictionary_dir = DICTDIR;
1135 * Read the distribution dictionaries first, then
1136 * the ones in raddb.
1138 DEBUG2("including dictionary file %s/%s", main_config.dictionary_dir, RADIUS_DICTIONARY);
1139 if (dict_init(main_config.dictionary_dir, RADIUS_DICTIONARY) != 0) {
1140 ERROR("Errors reading dictionary: %s", fr_strerror());
1145 * It's OK if this one doesn't exist.
1147 int rcode = dict_read(radius_dir, RADIUS_DICTIONARY);
1149 ERROR("Errors reading %s/%s: %s", radius_dir, RADIUS_DICTIONARY, fr_strerror());
1154 * We print this after reading it. That way if
1155 * it doesn't exist, it's OK, and we don't print
1159 DEBUG2("Including dictionary file %s/%s", radius_dir, RADIUS_DICTIONARY);
1162 req = rad_alloc(NULL, true);
1164 ERROR("%s", fr_strerror());
1172 if (force_af == AF_UNSPEC) force_af = AF_INET;
1173 req->dst_ipaddr.af = force_af;
1174 if (strcmp(argv[1], "-") != 0) {
1175 char const *hostname = argv[1];
1176 char const *portname = argv[1];
1179 if (*argv[1] == '[') { /* IPv6 URL encoded */
1180 p = strchr(argv[1], ']');
1181 if ((size_t) (p - argv[1]) >= sizeof(buffer)) {
1185 memcpy(buffer, argv[1] + 1, p - argv[1] - 1);
1186 buffer[p - argv[1] - 1] = '\0';
1192 p = strchr(portname, ':');
1193 if (p && (strchr(p + 1, ':') == NULL)) {
1200 if (ip_hton(&req->dst_ipaddr, force_af, hostname, false) < 0) {
1201 ERROR("Failed to find IP address for host %s: %s", hostname, fr_syserror(errno));
1206 * Strip port from hostname if needed.
1208 if (portname) port = atoi(portname);
1212 * See what kind of request we want to send.
1214 if (strcmp(argv[2], "auth") == 0) {
1215 if (port == 0) port = getport("radius");
1216 if (port == 0) port = PW_AUTH_UDP_PORT;
1217 req->code = PW_CODE_ACCESS_REQUEST;
1219 } else if (strcmp(argv[2], "acct") == 0) {
1220 if (port == 0) port = getport("radacct");
1221 if (port == 0) port = PW_ACCT_UDP_PORT;
1222 req->code = PW_CODE_ACCOUNTING_REQUEST;
1225 } else if (strcmp(argv[2], "status") == 0) {
1226 if (port == 0) port = getport("radius");
1227 if (port == 0) port = PW_AUTH_UDP_PORT;
1228 req->code = PW_CODE_STATUS_SERVER;
1230 } else if (strcmp(argv[2], "disconnect") == 0) {
1231 if (port == 0) port = PW_POD_UDP_PORT;
1232 req->code = PW_CODE_DISCONNECT_REQUEST;
1234 } else if (isdigit((int) argv[2][0])) {
1235 if (port == 0) port = getport("radius");
1236 if (port == 0) port = PW_AUTH_UDP_PORT;
1237 req->code = atoi(argv[2]);
1241 req->dst_port = port;
1246 if (argv[3]) secret = argv[3];
1250 * Maybe read them, from stdin, if there's no
1251 * filename, or if the filename is '-'.
1253 if (filename && (strcmp(filename, "-") != 0)) {
1254 fp = fopen(filename, "r");
1256 ERROR("Error opening %s: %s", filename, fr_syserror(errno));
1266 if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
1267 ERROR("socket: %s", fr_syserror(errno));
1272 if (req->vps) pairfree(&req->vps);
1273 if (readvp2(&req->vps, NULL, fp, &filedone) < 0) {
1274 ERROR("%s", fr_strerror());
1282 INFO("\n\t Total approved auths: %d", totalapp);
1283 INFO("\t Total denied auths: %d", totaldeny);
1286 talloc_free(autofree);
1292 * given a radius request with some attributes in the EAP range, build
1293 * them all into a single EAP-Message body.
1295 * Note that this function will build multiple EAP-Message bodies
1296 * if there are multiple eligible EAP-types. This is incorrect, as the
1297 * recipient will in fact concatenate them.
1299 * XXX - we could break the loop once we process one type. Maybe this
1300 * just deserves an assert?
1303 static void map_eap_methods(RADIUS_PACKET *req)
1305 VALUE_PAIR *vp, *vpnext;
1309 eap_packet_t *pt_ep = talloc_zero(req, eap_packet_t);
1311 vp = pairfind(req->vps, PW_EAP_ID, 0, TAG_ANY);
1313 id = ((int)getpid() & 0xff);
1315 id = vp->vp_integer;
1318 vp = pairfind(req->vps, PW_EAP_CODE, 0, TAG_ANY);
1320 eapcode = PW_EAP_REQUEST;
1322 eapcode = vp->vp_integer;
1325 for(vp = req->vps; vp != NULL; vp = vpnext) {
1326 /* save it in case it changes! */
1329 if(vp->da->attr >= PW_EAP_TYPE_BASE &&
1330 vp->da->attr < PW_EAP_TYPE_BASE+256) {
1339 eap_method = vp->da->attr - PW_EAP_TYPE_BASE;
1341 switch(eap_method) {
1342 case PW_EAP_IDENTITY:
1343 case PW_EAP_NOTIFICATION:
1354 * no known special handling, it is just encoded as an
1355 * EAP-message with the given type.
1358 /* nuke any existing EAP-Messages */
1359 pairdelete(&req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1361 pt_ep->code = eapcode;
1363 pt_ep->type.num = eap_method;
1364 pt_ep->type.length = vp->length;
1366 pt_ep->type.data = talloc_memdup(vp, vp->vp_octets, vp->length);
1367 talloc_set_type(pt_ep->type.data, uint8_t);
1369 eap_basic_compose(req, pt_ep);
1374 * given a radius request with an EAP-Message body, decode it specific
1377 static void unmap_eap_methods(RADIUS_PACKET *rep)
1380 eap_packet_raw_t *e;
1386 /* find eap message */
1387 e = eap_vp2packet(NULL, rep->vps);
1389 /* nothing to do! */
1392 /* create EAP-ID and EAP-CODE attributes to start */
1393 eap1 = paircreate(rep, PW_EAP_ID, 0);
1394 eap1->vp_integer = e->id;
1395 pairadd(&(rep->vps), eap1);
1397 eap1 = paircreate(rep, PW_EAP_CODE, 0);
1398 eap1->vp_integer = e->code;
1399 pairadd(&(rep->vps), eap1);
1403 case PW_EAP_SUCCESS:
1404 case PW_EAP_FAILURE:
1408 case PW_EAP_REQUEST:
1409 case PW_EAP_RESPONSE:
1410 /* there is a type field, which we use to create
1411 * a new attribute */
1413 /* the length was decode already into the attribute
1414 * length, and was checked already. Network byte
1415 * order, just pull it out using math.
1417 len = e->length[0]*256 + e->length[1];
1419 /* verify the length is big enough to hold type */
1428 type += PW_EAP_TYPE_BASE;
1431 if (len > MAX_STRING_LEN) {
1432 len = MAX_STRING_LEN;
1435 eap1 = paircreate(rep, type, 0);
1436 pairmemcpy(eap1, e->data + 1, len);
1438 pairadd(&(rep->vps), eap1);
1446 static int map_eapsim_types(RADIUS_PACKET *r)
1450 eap_packet_t *pt_ep = talloc_zero(r, eap_packet_t);
1452 ret = map_eapsim_basictypes(r, pt_ep);
1458 eap_basic_compose(r, pt_ep);
1463 static int unmap_eapsim_types(RADIUS_PACKET *r)
1469 esvp = pairfind(r->vps, PW_EAP_TYPE_BASE+PW_EAP_SIM, 0, TAG_ANY);
1471 ERROR("eap: EAP-Sim attribute not found");
1475 eap_data = talloc_memdup(esvp, esvp->vp_octets, esvp->length);
1476 talloc_set_type(eap_data, uint8_t);
1478 rcode_unmap = unmap_eapsim_basictypes(r, eap_data, esvp->length);
1480 talloc_free(eap_data);
1488 char const *radius_dir = RADDBDIR;
1490 main(int argc, char *argv[])
1493 RADIUS_PACKET *req,*req2;
1494 VALUE_PAIR *vp, *vpkey, *vpextra;
1495 extern unsigned int sha1_data_problems;
1502 sha1_data_problems = 1;
1505 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1506 ERROR("%s", fr_strerror());
1510 req = rad_alloc(NULL, true)
1512 ERROR("%s", fr_strerror());
1516 req2 = rad_alloc(NULL, true);
1518 ERROR("%s", fr_strerror());
1523 if (req->vps) pairfree(&req->vps);
1524 if (req2->vps) pairfree(&req2->vps);
1526 if (readvp2(&req->vps, NULL, stdin, &filedone) < 0) {
1527 ERROR("%s", fr_strerror());
1531 if (fr_debug_flag > 1) {
1533 vp_printlist(stdout, req->vps);
1536 map_eapsim_types(req);
1537 map_eap_methods(req);
1539 if (fr_debug_flag > 1) {
1540 DEBUG("Mapped to:");
1541 vp_printlist(stdout, req->vps);
1544 /* find the EAP-Message, copy it to req2 */
1545 vp = paircopy2(NULL, req->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
1549 pairadd(&req2->vps, vp);
1551 /* only call unmap for sim types here */
1552 unmap_eap_methods(req2);
1553 unmap_eapsim_types(req2);
1555 if (fr_debug_flag > 1) {
1556 DEBUG("Unmapped to:");
1557 vp_printlist(stdout, req2->vps);
1560 vp = pairfind(req2->vps, PW_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0, TAG_ANY);
1561 vpkey = pairfind(req->vps, PW_EAP_SIM_KEY, 0, TAG_ANY);
1562 vpextra = pairfind(req->vps, PW_EAP_SIM_EXTRA, 0, TAG_ANY);
1564 if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
1565 uint8_t calcmac[16];
1567 /* find the EAP-Message, copy it to req2 */
1569 memset(calcmac, 0, sizeof(calcmac));
1570 DEBUG("Confirming MAC...");
1571 if(eapsim_checkmac(req2->vps, vpkey->vp_strvalue,
1572 vpextra->vp_strvalue, vpextra->length,
1578 DEBUG("calculated MAC (");
1579 for (i = 0; i < 20; i++) {
1586 DEBUG("%02x", calcmac[i]);
1588 DEBUG("did not match");