2 * radeapclient.c EAP specific radius packet debug tool.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/libradius.h>
36 #include <freeradius-devel/conf.h>
37 #include <freeradius-devel/radpaths.h>
38 #include <freeradius-devel/md5.h>
40 #include "eap_types.h"
43 extern int sha1_data_problems;
45 static int retries = 10;
46 static float timeout = 3;
47 static const char *secret = NULL;
48 static int do_output = 1;
49 static int do_summary = 0;
50 static int filedone = 0;
51 static int totalapp = 0;
52 static int totaldeny = 0;
53 static char filesecret[256];
54 const char *radius_dir = RADDBDIR;
55 const char *progname = "radeapclient";
56 /* fr_randctx randctx; */
59 radlog_dest_t radlog_dest = RADLOG_STDERR;
60 const char *radlog_dir = NULL;
64 struct eapsim_keys eapsim_mk;
66 static void map_eap_types(RADIUS_PACKET *req);
67 static void unmap_eap_types(RADIUS_PACKET *rep);
68 static int map_eapsim_types(RADIUS_PACKET *r);
69 static int unmap_eapsim_types(RADIUS_PACKET *r);
71 void debug_pair_list(UNUSED VALUE_PAIR *vp)
76 static void NEVER_RETURNS usage(void)
78 fprintf(stderr, "Usage: radeapclient [options] server[:port] <command> [<secret>]\n");
80 fprintf(stderr, " <command> One of auth, acct, status, or disconnect.\n");
81 fprintf(stderr, " -c count Send each packet 'count' times.\n");
82 fprintf(stderr, " -d raddb Set dictionary directory.\n");
83 fprintf(stderr, " -f file Read packets from file, not stdin.\n");
84 fprintf(stderr, " -r retries If timeout, retry sending the packet 'retries' times.\n");
85 fprintf(stderr, " -t timeout Wait 'timeout' seconds before retrying (may be a floating point number).\n");
86 fprintf(stderr, " -i id Set request id to 'id'. Values may be 0..255\n");
87 fprintf(stderr, " -S file read secret from file, not command line.\n");
88 fprintf(stderr, " -q Do not print anything out.\n");
89 fprintf(stderr, " -s Print out summary information of auth results.\n");
90 fprintf(stderr, " -v Show program version information.\n");
91 fprintf(stderr, " -x Debugging mode.\n");
96 int radlog(int lvl, const char *msg, ...)
101 r = lvl; /* shut up compiler */
104 r = vfprintf(stderr, msg, ap);
111 int log_debug(const char *msg, ...)
117 r = vfprintf(stderr, msg, ap);
124 void radlog_request(UNUSED int lvl, UNUSED int priority,
125 UNUSED REQUEST *request, const char *msg, ...)
130 vfprintf(stderr, msg, ap);
135 static int getport(const char *name)
139 svp = getservbyname (name, "udp");
144 return ntohs(svp->s_port);
147 static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
152 for (i = 0; i < retries; i++) {
155 rad_send(req, NULL, secret);
157 /* And wait for reply, timing out as necessary */
159 FD_SET(req->sockfd, &rdfdesc);
161 tv.tv_sec = (int)timeout;
162 tv.tv_usec = 1000000 * (timeout - (int) timeout);
164 /* Something's wrong if we don't get exactly one fd. */
165 if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
169 *rep = rad_recv(req->sockfd, 0);
172 * If we get a response from a machine
173 * which we did NOT send a request to,
176 if (((*rep)->src_ipaddr.af != req->dst_ipaddr.af) ||
177 (memcmp(&(*rep)->src_ipaddr.ipaddr,
178 &req->dst_ipaddr.ipaddr,
179 ((req->dst_ipaddr.af == AF_INET ? /* AF_INET6? */
180 sizeof(req->dst_ipaddr.ipaddr.ip4addr) : /* FIXME: AF_INET6 */
181 sizeof(req->dst_ipaddr.ipaddr.ip6addr)))) != 0) ||
182 ((*rep)->src_port != req->dst_port)) {
183 char src[128], dst[128];
185 ip_ntoh(&(*rep)->src_ipaddr, src, sizeof(src));
186 ip_ntoh(&req->dst_ipaddr, dst, sizeof(dst));
187 fprintf(stderr, "radclient: ERROR: Sent request to host %s port %d, got response from host %s port %d\n!",
189 src, (*rep)->src_port);
193 } else { /* NULL: couldn't receive the packet */
194 fr_perror("radclient:");
199 /* No response or no data read (?) */
201 fprintf(stderr, "radclient: no response from server\n");
206 * FIXME: Discard the packet & listen for another.
208 * Hmm... we should really be using eapol_test, which does
209 * a lot more than radeapclient.
211 if (rad_verify(*rep, req, secret) != 0) {
212 fr_perror("rad_verify");
216 if (rad_decode(*rep, req, secret) != 0) {
217 fr_perror("rad_decode");
221 /* libradius debug already prints out the value pairs for us */
222 if (!fr_debug_flag && do_output) {
223 printf("Received response ID %d, code %d, length = %d\n",
224 (*rep)->id, (*rep)->code, (int) (*rep)->data_len);
225 vp_printlist(stdout, (*rep)->vps);
227 if((*rep)->code == PW_AUTHENTICATION_ACK) {
236 static void cleanresp(RADIUS_PACKET *resp)
238 VALUE_PAIR *vpnext, *vp, **last;
242 * maybe should just copy things we care about, or keep
243 * a copy of the original input and start from there again?
245 pairdelete(&resp->vps, PW_EAP_MESSAGE, 0);
246 pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY, 0);
249 for(vp = *last; vp != NULL; vp = vpnext)
253 if((vp->attribute > ATTRIBUTE_EAP_BASE &&
254 vp->attribute <= ATTRIBUTE_EAP_BASE+256) ||
255 (vp->attribute > ATTRIBUTE_EAP_SIM_BASE &&
256 vp->attribute <= ATTRIBUTE_EAP_SIM_BASE+256))
267 * we got an EAP-Request/Sim/Start message in a legal state.
269 * pick a supported version, put it into the reply, and insert a nonce.
271 static int process_eap_start(RADIUS_PACKET *req,
274 VALUE_PAIR *vp, *newvp;
275 VALUE_PAIR *anyidreq_vp, *fullauthidreq_vp, *permanentidreq_vp;
276 uint16_t *versions, selectedversion;
277 unsigned int i,versioncount;
279 /* form new response clear of any EAP stuff */
282 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_VERSION_LIST, 0)) == NULL) {
283 fprintf(stderr, "illegal start message has no VERSION_LIST\n");
287 versions = (uint16_t *)vp->vp_strvalue;
289 /* verify that the attribute length is big enough for a length field */
292 fprintf(stderr, "start message has illegal VERSION_LIST. Too short: %u\n", (unsigned int) vp->length);
296 versioncount = ntohs(versions[0])/2;
297 /* verify that the attribute length is big enough for the given number
298 * of versions present.
300 if((unsigned)vp->length <= (versioncount*2 + 2))
302 fprintf(stderr, "start message is too short. Claimed %d versions does not fit in %u bytes\n", versioncount, (unsigned int) vp->length);
307 * record the versionlist for the MK calculation.
309 eapsim_mk.versionlistlen = versioncount*2;
310 memcpy(eapsim_mk.versionlist, (unsigned char *)(versions+1),
311 eapsim_mk.versionlistlen);
313 /* walk the version list, and pick the one we support, which
314 * at present, is 1, EAP_SIM_VERSION.
317 for(i=0; i < versioncount; i++)
319 if(ntohs(versions[i+1]) == EAP_SIM_VERSION)
321 selectedversion=EAP_SIM_VERSION;
325 if(selectedversion == 0)
327 fprintf(stderr, "eap-sim start message. No compatible version found. We need %d\n", EAP_SIM_VERSION);
328 for(i=0; i < versioncount; i++)
330 fprintf(stderr, "\tfound version %d\n",
331 ntohs(versions[i+1]));
336 * now make sure that we have only FULLAUTH_ID_REQ.
337 * I think that it actually might not matter - we can answer in
338 * anyway we like, but it is illegal to have more than one
341 anyidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_ANY_ID_REQ, 0);
342 fullauthidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_FULLAUTH_ID_REQ, 0);
343 permanentidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_PERMANENT_ID_REQ, 0);
345 if(fullauthidreq_vp == NULL ||
346 anyidreq_vp != NULL ||
347 permanentidreq_vp != NULL) {
348 fprintf(stderr, "start message has %sanyidreq, %sfullauthid and %spermanentid. Illegal combination.\n",
349 (anyidreq_vp != NULL ? "a " : "no "),
350 (fullauthidreq_vp != NULL ? "a " : "no "),
351 (permanentidreq_vp != NULL ? "a " : "no "));
355 /* okay, we have just any_id_req there, so fill in response */
357 /* mark the subtype as being EAP-SIM/Response/Start */
358 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, 0, PW_TYPE_INTEGER);
359 newvp->vp_integer = eapsim_start;
360 pairreplace(&(rep->vps), newvp);
362 /* insert selected version into response. */
363 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_SELECTED_VERSION,
365 versions = (uint16_t *)newvp->vp_strvalue;
366 versions[0] = htons(selectedversion);
368 pairreplace(&(rep->vps), newvp);
370 /* record the selected version */
371 memcpy(eapsim_mk.versionselect, (unsigned char *)versions, 2);
378 * insert a nonce_mt that we make up.
380 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_NONCE_MT,
382 newvp->vp_octets[0]=0;
383 newvp->vp_octets[1]=0;
384 newvp->length = 18; /* 16 bytes of nonce + padding */
390 memcpy(&newvp->vp_octets[2], nonce, 16);
391 pairreplace(&(rep->vps), newvp);
393 /* also keep a copy of the nonce! */
394 memcpy(eapsim_mk.nonce_mt, nonce, 16);
398 uint16_t *pidlen, idlen;
401 * insert the identity here.
403 vp = pairfind(rep->vps, PW_USER_NAME, 0);
406 fprintf(stderr, "eap-sim: We need to have a User-Name attribute!\n");
409 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_IDENTITY,
411 idlen = strlen(vp->vp_strvalue);
412 pidlen = (uint16_t *)newvp->vp_strvalue;
413 *pidlen = htons(idlen);
414 newvp->length = idlen + 2;
416 memcpy(&newvp->vp_strvalue[2], vp->vp_strvalue, idlen);
417 pairreplace(&(rep->vps), newvp);
420 memcpy(eapsim_mk.identity, vp->vp_strvalue, idlen);
421 eapsim_mk.identitylen = idlen;
428 * we got an EAP-Request/Sim/Challenge message in a legal state.
430 * use the RAND challenge to produce the SRES result, and then
431 * use that to generate a new MAC.
433 * for the moment, we ignore the RANDs, then just plug in the SRES
437 static int process_eap_challenge(RADIUS_PACKET *req,
441 VALUE_PAIR *mac, *randvp;
442 VALUE_PAIR *sres1,*sres2,*sres3;
443 VALUE_PAIR *Kc1, *Kc2, *Kc3;
446 /* look for the AT_MAC and the challenge data */
447 mac = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0);
448 randvp= pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_RAND, 0);
449 if(mac == NULL || randvp == NULL) {
450 fprintf(stderr, "radeapclient: challenge message needs to contain RAND and MAC\n");
455 * compare RAND with randX, to verify this is the right response
459 VALUE_PAIR *randcfgvp[3];
462 randcfg[0] = &randvp->vp_octets[2];
463 randcfg[1] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE];
464 randcfg[2] = &randvp->vp_octets[2+EAPSIM_RAND_SIZE*2];
466 randcfgvp[0] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND1, 0);
467 randcfgvp[1] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND2, 0);
468 randcfgvp[2] = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_RAND3, 0);
470 if(randcfgvp[0] == NULL ||
471 randcfgvp[1] == NULL ||
472 randcfgvp[2] == NULL) {
473 fprintf(stderr, "radeapclient: needs to have rand1, 2 and 3 set.\n");
477 if(memcmp(randcfg[0], randcfgvp[0]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
478 memcmp(randcfg[1], randcfgvp[1]->vp_octets, EAPSIM_RAND_SIZE)!=0 ||
479 memcmp(randcfg[2], randcfgvp[2]->vp_octets, EAPSIM_RAND_SIZE)!=0) {
482 fprintf(stderr, "radeapclient: one of rand 1,2,3 didn't match\n");
483 for(rnum = 0; rnum < 3; rnum++) {
484 fprintf(stderr, "received rand %d: ", rnum);
486 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
493 fprintf(stderr, "%02x", randcfg[rnum][i]);
495 fprintf(stderr, "\nconfigured rand %d: ", rnum);
497 for (i = 0; i < EAPSIM_RAND_SIZE; i++) {
504 fprintf(stderr, "%02x", randcfgvp[rnum]->vp_octets[i]);
506 fprintf(stderr, "\n");
513 * now dig up the sres values from the response packet,
514 * which were put there when we read things in.
516 * Really, they should be calculated from the RAND!
519 sres1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES1, 0);
520 sres2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES2, 0);
521 sres3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES3, 0);
526 fprintf(stderr, "radeapclient: needs to have sres1, 2 and 3 set.\n");
529 memcpy(eapsim_mk.sres[0], sres1->vp_strvalue, sizeof(eapsim_mk.sres[0]));
530 memcpy(eapsim_mk.sres[1], sres2->vp_strvalue, sizeof(eapsim_mk.sres[1]));
531 memcpy(eapsim_mk.sres[2], sres3->vp_strvalue, sizeof(eapsim_mk.sres[2]));
533 Kc1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC1, 0);
534 Kc2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC2, 0);
535 Kc3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC3, 0);
540 fprintf(stderr, "radeapclient: needs to have Kc1, 2 and 3 set.\n");
543 memcpy(eapsim_mk.Kc[0], Kc1->vp_strvalue, sizeof(eapsim_mk.Kc[0]));
544 memcpy(eapsim_mk.Kc[1], Kc2->vp_strvalue, sizeof(eapsim_mk.Kc[1]));
545 memcpy(eapsim_mk.Kc[2], Kc3->vp_strvalue, sizeof(eapsim_mk.Kc[2]));
547 /* all set, calculate keys */
548 eapsim_calculate_keys(&eapsim_mk);
551 eapsim_dump_mk(&eapsim_mk);
554 /* verify the MAC, now that we have all the keys. */
555 if(eapsim_checkmac(req->vps, eapsim_mk.K_aut,
556 eapsim_mk.nonce_mt, sizeof(eapsim_mk.nonce_mt),
558 printf("MAC check succeed\n");
562 printf("calculated MAC (");
563 for (i = 0; i < 20; i++) {
570 printf("%02x", calcmac[i]);
572 printf(" did not match\n");
576 /* form new response clear of any EAP stuff */
579 /* mark the subtype as being EAP-SIM/Response/Start */
580 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, 0, PW_TYPE_INTEGER);
581 newvp->vp_integer = eapsim_challenge;
582 pairreplace(&(rep->vps), newvp);
585 * fill the SIM_MAC with a field that will in fact get appended
586 * to the packet before the MAC is calculated
588 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC, 0,
590 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*0, sres1->vp_strvalue, EAPSIM_SRES_SIZE);
591 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*1, sres2->vp_strvalue, EAPSIM_SRES_SIZE);
592 memcpy(newvp->vp_strvalue+EAPSIM_SRES_SIZE*2, sres3->vp_strvalue, EAPSIM_SRES_SIZE);
593 newvp->length = EAPSIM_SRES_SIZE*3;
594 pairreplace(&(rep->vps), newvp);
596 newvp = paircreate(ATTRIBUTE_EAP_SIM_KEY, 0, PW_TYPE_OCTETS);
597 memcpy(newvp->vp_strvalue, eapsim_mk.K_aut, EAPSIM_AUTH_SIZE);
598 newvp->length = EAPSIM_AUTH_SIZE;
599 pairreplace(&(rep->vps), newvp);
605 * this code runs the EAP-SIM client state machine.
606 * the *request* is from the server.
607 * the *reponse* is to the server.
610 static int respond_eap_sim(RADIUS_PACKET *req,
613 enum eapsim_clientstates state, newstate;
614 enum eapsim_subtype subtype;
615 VALUE_PAIR *vp, *statevp, *radstate, *eapid;
616 char statenamebuf[32], subtypenamebuf[32];
618 if ((radstate = paircopy2(req->vps, PW_STATE, 0)) == NULL)
623 if ((eapid = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0)) == NULL)
628 /* first, dig up the state from the request packet, setting
629 * outselves to be in EAP-SIM-Start state if there is none.
632 if((statevp = pairfind(resp->vps, ATTRIBUTE_EAP_SIM_STATE, 0)) == NULL)
634 /* must be initial request */
635 statevp = paircreate(ATTRIBUTE_EAP_SIM_STATE, 0, PW_TYPE_INTEGER);
636 statevp->vp_integer = eapsim_client_init;
637 pairreplace(&(resp->vps), statevp);
639 state = statevp->vp_integer;
642 * map the attributes, and authenticate them.
644 unmap_eapsim_types(req);
646 printf("<+++ EAP-sim decoded packet:\n");
647 vp_printlist(stdout, req->vps);
649 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_SUBTYPE, 0)) == NULL)
653 subtype = vp->vp_integer;
656 * look for the appropriate state, and process incoming message
659 case eapsim_client_init:
662 newstate = process_eap_start(req, resp);
665 case eapsim_challenge:
666 case eapsim_notification:
669 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
670 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
671 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
672 /* invalid state, drop message */
677 case eapsim_client_start:
680 /* NOT SURE ABOUT THIS ONE, retransmit, I guess */
681 newstate = process_eap_start(req, resp);
684 case eapsim_challenge:
685 newstate = process_eap_challenge(req, resp);
689 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
690 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
691 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
692 /* invalid state, drop message */
699 fprintf(stderr, "radeapclient: sim in illegal state %s\n",
700 sim_state2name(state, statenamebuf, sizeof(statenamebuf)));
704 /* copy the eap state object in */
705 pairreplace(&(resp->vps), eapid);
707 /* update stete info, and send new packet */
708 map_eapsim_types(resp);
710 /* copy the radius state object in */
711 pairreplace(&(resp->vps), radstate);
713 statevp->vp_integer = newstate;
717 static int respond_eap_md5(RADIUS_PACKET *req,
720 VALUE_PAIR *vp, *id, *state;
721 size_t valuesize, namesize;
726 uint8_t response[16];
730 if ((state = paircopy2(req->vps, PW_STATE, 0)) == NULL)
732 fprintf(stderr, "radeapclient: no state attribute found\n");
736 if ((id = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0)) == NULL)
738 fprintf(stderr, "radeapclient: no EAP-ID attribute found\n");
741 identifier = id->vp_integer;
743 if ((vp = pairfind(req->vps, ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0)) == NULL)
745 fprintf(stderr, "radeapclient: no EAP-MD5 attribute found\n");
749 /* got the details of the MD5 challenge */
750 valuesize = vp->vp_octets[0];
751 value = &vp->vp_octets[1];
752 name = &vp->vp_octets[valuesize+1];
753 namesize = vp->length - (valuesize + 1);
756 if(valuesize > vp->length)
758 fprintf(stderr, "radeapclient: md5 valuesize if too big (%u > %u)\n",
759 (unsigned int) valuesize, (unsigned int) vp->length);
763 /* now do the CHAP operation ourself, rather than build the
764 * buffer. We could also call rad_chap_encode, but it wants
765 * a CHAP-Challenge, which we don't want to bother with.
767 fr_MD5Init(&context);
768 fr_MD5Update(&context, &identifier, 1);
769 fr_MD5Update(&context, (uint8_t *) password, strlen(password));
770 fr_MD5Update(&context, value, valuesize);
771 fr_MD5Final(response, &context);
773 vp = paircreate(ATTRIBUTE_EAP_BASE+PW_EAP_MD5, 0, PW_TYPE_OCTETS);
775 memcpy(&vp->vp_strvalue[1], response, 16);
778 pairreplace(&(rep->vps), vp);
780 pairreplace(&(rep->vps), id);
782 /* copy the state object in */
783 pairreplace(&(rep->vps), state);
790 static int sendrecv_eap(RADIUS_PACKET *rep)
792 RADIUS_PACKET *req = NULL;
793 VALUE_PAIR *vp, *vpnext;
794 int tried_eap_md5 = 0;
797 * Keep a copy of the the User-Password attribute.
799 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0)) != NULL) {
800 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
802 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0)) != NULL) {
803 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
805 * Otherwise keep a copy of the CHAP-Password attribute.
807 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
808 strlcpy(password, (char *)vp->vp_strvalue, sizeof(vp->vp_strvalue));
816 printf("\n+++> About to send encoded packet:\n");
817 vp_printlist(stdout, rep->vps);
820 * if there are EAP types, encode them into an EAP-Message
826 * Fix up Digest-Attributes issues
828 for (vp = rep->vps; vp != NULL; vp = vp->next) {
829 switch (vp->attribute) {
833 case PW_DIGEST_REALM:
834 case PW_DIGEST_NONCE:
835 case PW_DIGEST_METHOD:
838 case PW_DIGEST_ALGORITHM:
839 case PW_DIGEST_BODY_DIGEST:
840 case PW_DIGEST_CNONCE:
841 case PW_DIGEST_NONCE_COUNT:
842 case PW_DIGEST_USER_NAME:
844 memmove(&vp->vp_strvalue[2], &vp->vp_octets[0], vp->length);
845 vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1;
847 vp->vp_octets[1] = vp->length;
848 vp->attribute = PW_DIGEST_ATTRIBUTES;
854 * If we've already sent a packet, free up the old
855 * one, and ensure that the next packet has a unique
856 * ID and authentication vector.
863 fr_md5_calc(rep->vector, rep->vector,
864 sizeof(rep->vector));
866 if (*password != '\0') {
867 if ((vp = pairfind(rep->vps, PW_CLEARTEXT_PASSWORD, 0)) != NULL) {
868 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
869 vp->length = strlen(password);
871 } else if ((vp = pairfind(rep->vps, PW_USER_PASSWORD, 0)) != NULL) {
872 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
873 vp->length = strlen(password);
875 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
876 strlcpy((char *)vp->vp_strvalue, password, sizeof(vp->vp_strvalue));
877 vp->length = strlen(password);
879 rad_chap_encode(rep, vp->vp_octets, rep->id, vp);
882 } /* there WAS a password */
884 /* send the response, wait for the next request */
885 send_packet(rep, &req);
887 /* okay got back the packet, go and decode the EAP-Message. */
888 unmap_eap_types(req);
890 printf("<+++ EAP decoded packet:\n");
891 vp_printlist(stdout, req->vps);
893 /* now look for the code type. */
894 for (vp = req->vps; vp != NULL; vp = vpnext) {
897 switch (vp->attribute) {
901 case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
902 if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
909 case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
910 if(respond_eap_sim(req, rep))
922 int main(int argc, char **argv)
928 char *filename = NULL;
933 id = ((int)getpid() & 0xff);
936 radlog_dest = RADLOG_STDERR;
938 while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF)
942 if (!isdigit((int) *optarg))
944 count = atoi(optarg);
962 sha1_data_problems = 1; /* for debugging only */
969 if (!isdigit((int) *optarg))
971 retries = atoi(optarg);
974 if (!isdigit((int) *optarg))
977 if ((id < 0) || (id > 255)) {
985 if (!isdigit((int) *optarg))
987 timeout = atof(optarg);
990 printf("radclient: $Id$ built on " __DATE__ " at " __TIME__ "\n");
994 fp = fopen(optarg, "r");
996 fprintf(stderr, "radclient: Error opening %s: %s\n",
997 optarg, strerror(errno));
1000 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1001 fprintf(stderr, "radclient: Error reading %s: %s\n",
1002 optarg, strerror(errno));
1007 /* truncate newline */
1008 p = filesecret + strlen(filesecret) - 1;
1009 while ((p >= filesecret) &&
1015 if (strlen(filesecret) < 2) {
1016 fprintf(stderr, "radclient: Secret in %s is too short\n", optarg);
1019 secret = filesecret;
1027 argc -= (optind - 1);
1028 argv += (optind - 1);
1031 ((secret == NULL) && (argc < 4))) {
1035 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1036 fr_perror("radclient");
1040 if ((req = rad_alloc(1)) == NULL) {
1041 fr_perror("radclient");
1049 if((randinit = fopen("/dev/urandom", "r")) == NULL)
1051 perror("/dev/urandom");
1053 fread(randctx.randrsl, 256, 1, randinit);
1057 fr_randinit(&randctx, 1);
1063 * Strip port from hostname if needed.
1065 if ((p = strchr(argv[1], ':')) != NULL) {
1071 * See what kind of request we want to send.
1073 if (strcmp(argv[2], "auth") == 0) {
1074 if (port == 0) port = getport("radius");
1075 if (port == 0) port = PW_AUTH_UDP_PORT;
1076 req->code = PW_AUTHENTICATION_REQUEST;
1078 } else if (strcmp(argv[2], "acct") == 0) {
1079 if (port == 0) port = getport("radacct");
1080 if (port == 0) port = PW_ACCT_UDP_PORT;
1081 req->code = PW_ACCOUNTING_REQUEST;
1084 } else if (strcmp(argv[2], "status") == 0) {
1085 if (port == 0) port = getport("radius");
1086 if (port == 0) port = PW_AUTH_UDP_PORT;
1087 req->code = PW_STATUS_SERVER;
1089 } else if (strcmp(argv[2], "disconnect") == 0) {
1090 if (port == 0) port = PW_POD_UDP_PORT;
1091 req->code = PW_DISCONNECT_REQUEST;
1093 } else if (isdigit((int) argv[2][0])) {
1094 if (port == 0) port = getport("radius");
1095 if (port == 0) port = PW_AUTH_UDP_PORT;
1096 req->code = atoi(argv[2]);
1104 req->dst_port = port;
1105 if (ip_hton(argv[1], AF_INET, &req->dst_ipaddr) < 0) {
1106 fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]);
1113 if (argv[3]) secret = argv[3];
1117 * Maybe read them, from stdin, if there's no
1118 * filename, or if the filename is '-'.
1120 if (filename && (strcmp(filename, "-") != 0)) {
1121 fp = fopen(filename, "r");
1123 fprintf(stderr, "radclient: Error opening %s: %s\n",
1124 filename, strerror(errno));
1134 if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
1135 perror("radclient: socket: ");
1140 if(req->vps) pairfree(&req->vps);
1142 if ((req->vps = readvp2(fp, &filedone, "radeapclient:"))
1151 printf("\n\t Total approved auths: %d\n", totalapp);
1152 printf("\t Total denied auths: %d\n", totaldeny);
1158 * given a radius request with some attributes in the EAP range, build
1159 * them all into a single EAP-Message body.
1161 * Note that this function will build multiple EAP-Message bodies
1162 * if there are multiple eligible EAP-types. This is incorrect, as the
1163 * recipient will in fact concatenate them.
1165 * XXX - we could break the loop once we process one type. Maybe this
1166 * just deserves an assert?
1169 static void map_eap_types(RADIUS_PACKET *req)
1171 VALUE_PAIR *vp, *vpnext;
1176 vp = pairfind(req->vps, ATTRIBUTE_EAP_ID, 0);
1178 id = ((int)getpid() & 0xff);
1180 id = vp->vp_integer;
1183 vp = pairfind(req->vps, ATTRIBUTE_EAP_CODE, 0);
1185 eapcode = PW_EAP_REQUEST;
1187 eapcode = vp->vp_integer;
1191 for(vp = req->vps; vp != NULL; vp = vpnext) {
1192 /* save it in case it changes! */
1195 if(vp->attribute >= ATTRIBUTE_EAP_BASE &&
1196 vp->attribute < ATTRIBUTE_EAP_BASE+256) {
1205 eap_type = vp->attribute - ATTRIBUTE_EAP_BASE;
1208 case PW_EAP_IDENTITY:
1209 case PW_EAP_NOTIFICATION:
1220 * no known special handling, it is just encoded as an
1221 * EAP-message with the given type.
1224 /* nuke any existing EAP-Messages */
1225 pairdelete(&req->vps, PW_EAP_MESSAGE, 0);
1227 memset(&ep, 0, sizeof(ep));
1230 ep.type.type = eap_type;
1231 ep.type.length = vp->length;
1232 ep.type.data = malloc(vp->length);
1233 memcpy(ep.type.data,vp->vp_octets, vp->length);
1234 eap_basic_compose(req, &ep);
1239 * given a radius request with an EAP-Message body, decode it specific
1242 static void unmap_eap_types(RADIUS_PACKET *rep)
1249 /* find eap message */
1250 e = eap_vp2packet(rep->vps);
1252 /* nothing to do! */
1253 if(e == NULL) return;
1255 /* create EAP-ID and EAP-CODE attributes to start */
1256 eap1 = paircreate(ATTRIBUTE_EAP_ID, 0, PW_TYPE_INTEGER);
1257 eap1->vp_integer = e->id;
1258 pairadd(&(rep->vps), eap1);
1260 eap1 = paircreate(ATTRIBUTE_EAP_CODE, 0, PW_TYPE_INTEGER);
1261 eap1->vp_integer = e->code;
1262 pairadd(&(rep->vps), eap1);
1267 case PW_EAP_SUCCESS:
1268 case PW_EAP_FAILURE:
1272 case PW_EAP_REQUEST:
1273 case PW_EAP_RESPONSE:
1274 /* there is a type field, which we use to create
1275 * a new attribute */
1277 /* the length was decode already into the attribute
1278 * length, and was checked already. Network byte
1279 * order, just pull it out using math.
1281 len = e->length[0]*256 + e->length[1];
1283 /* verify the length is big enough to hold type */
1292 type += ATTRIBUTE_EAP_BASE;
1295 if(len > MAX_STRING_LEN) {
1296 len = MAX_STRING_LEN;
1299 eap1 = paircreate(type, 0, PW_TYPE_OCTETS);
1300 memcpy(eap1->vp_strvalue, &e->data[1], len);
1302 pairadd(&(rep->vps), eap1);
1310 static int map_eapsim_types(RADIUS_PACKET *r)
1315 memset(&ep, 0, sizeof(ep));
1316 ret = map_eapsim_basictypes(r, &ep);
1320 eap_basic_compose(r, &ep);
1325 static int unmap_eapsim_types(RADIUS_PACKET *r)
1329 esvp = pairfind(r->vps, ATTRIBUTE_EAP_BASE+PW_EAP_SIM, 0);
1331 radlog(L_ERR, "eap: EAP-Sim attribute not found");
1335 return unmap_eapsim_basictypes(r, esvp->vp_octets, esvp->length);
1342 const char *radius_dir = RADDBDIR;
1344 int radlog(int lvl, const char *msg, ...)
1350 r = vfprintf(stderr, msg, ap);
1352 fputc('\n', stderr);
1357 main(int argc, char *argv[])
1360 RADIUS_PACKET *req,*req2;
1361 VALUE_PAIR *vp, *vpkey, *vpextra;
1362 extern unsigned int sha1_data_problems;
1369 sha1_data_problems = 1;
1372 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
1373 fr_perror("radclient");
1377 if ((req = rad_alloc(1)) == NULL) {
1378 fr_perror("radclient");
1382 if ((req2 = rad_alloc(1)) == NULL) {
1383 fr_perror("radclient");
1388 if(req->vps) pairfree(&req->vps);
1389 if(req2->vps) pairfree(&req2->vps);
1391 if ((req->vps = readvp2(stdin, &filedone, "eapsimlib:")) == NULL) {
1395 printf("\nRead:\n");
1396 vp_printlist(stdout, req->vps);
1398 map_eapsim_types(req);
1400 printf("Mapped to:\n");
1401 vp_printlist(stdout, req->vps);
1403 /* find the EAP-Message, copy it to req2 */
1404 vp = paircopy2(req->vps, PW_EAP_MESSAGE);
1406 if(vp == NULL) continue;
1408 pairadd(&req2->vps, vp);
1410 /* only call unmap for sim types here */
1411 unmap_eap_types(req2);
1412 unmap_eapsim_types(req2);
1414 printf("Unmapped to:\n");
1415 vp_printlist(stdout, req2->vps);
1417 vp = pairfind(req2->vps,
1418 ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC);
1419 vpkey = pairfind(req->vps, ATTRIBUTE_EAP_SIM_KEY);
1420 vpextra = pairfind(req->vps, ATTRIBUTE_EAP_SIM_EXTRA);
1422 if(vp != NULL && vpkey != NULL && vpextra!=NULL) {
1423 uint8_t calcmac[16];
1425 /* find the EAP-Message, copy it to req2 */
1427 memset(calcmac, 0, sizeof(calcmac));
1428 printf("Confirming MAC...");
1429 if(eapsim_checkmac(req2->vps, vpkey->vp_strvalue,
1430 vpextra->vp_strvalue, vpextra->length,
1432 printf("succeed\n");
1436 printf("calculated MAC (");
1437 for (i = 0; i < 20; i++) {
1444 printf("%02x", calcmac[i]);
1446 printf(" did not match\n");