From 13ed1e0b63bc4813f94cbced368ba1b0c65ea4ca Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Tue, 24 Jun 2014 14:42:30 -0400 Subject: [PATCH] Channel binding encode/decoder and process functions --- raddb/sites-available/channel_bindings | 40 +++++ src/modules/rlm_eap/libeap/all.mk | 2 +- src/modules/rlm_eap/libeap/eap_chbind.c | 288 ++++++++++++++++++++++++++++++++ src/modules/rlm_eap/libeap/eap_chbind.h | 64 +++++++ src/modules/rlm_eap/libeap/eapcommon.c | 1 + 5 files changed, 394 insertions(+), 1 deletion(-) create mode 100644 raddb/sites-available/channel_bindings create mode 100644 src/modules/rlm_eap/libeap/eap_chbind.c create mode 100644 src/modules/rlm_eap/libeap/eap_chbind.h diff --git a/raddb/sites-available/channel_bindings b/raddb/sites-available/channel_bindings new file mode 100644 index 0000000..1252230 --- /dev/null +++ b/raddb/sites-available/channel_bindings @@ -0,0 +1,40 @@ +# +# A virtual server which is used to validate channel-bindings. +# +# $Id$ +# +# +# +server channel_bindings { +# +# Only the "authorize" section is needed. +# +authorize { + if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name)) { + reject + } + + if (GSS-Acceptor-Service-Name || GSS-Acceptor-Realm-Name || GSS-Acceptor-Host-Name) { + update control { + Chbind-Response-Code := success + } + + # + # ACK the attributes in the request. + # + # If any one of these attributes don't exist in the request, + # then they won't be copied to the reply. + # + update reply { + GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name + GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name + GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name + } + } + + # + # Return "handled" so that the "authenticate" section isn't used. + # + handled +} +} diff --git a/src/modules/rlm_eap/libeap/all.mk b/src/modules/rlm_eap/libeap/all.mk index 31e8a30..6a32129 100644 --- a/src/modules/rlm_eap/libeap/all.mk +++ b/src/modules/rlm_eap/libeap/all.mk @@ -1,6 +1,6 @@ TARGET := libfreeradius-eap.a -SOURCES := eapcommon.c eapcrypto.c eapsimlib.c fips186prf.c comp128.c +SOURCES := eapcommon.c eapcrypto.c eap_chbind.c eapsimlib.c fips186prf.c comp128.c ifneq (${OPENSSL_LIBS},) SOURCES += eap_tls.c mppe_keys.c endif diff --git a/src/modules/rlm_eap/libeap/eap_chbind.c b/src/modules/rlm_eap/libeap/eap_chbind.c new file mode 100644 index 0000000..2304554 --- /dev/null +++ b/src/modules/rlm_eap/libeap/eap_chbind.c @@ -0,0 +1,288 @@ +/* + * eap_chbind.c + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2014 Network RADIUS SARL + * Copyright 2014 The FreeRADIUS server project + */ + + +RCSID("$Id$") + +#include "eap_chbind.h" + +#define MAX_PACKET_LEN 4096 + +static bool chbind_build_response(REQUEST *request, CHBIND_REQ *chbind) +{ + size_t length, total; + uint8_t *ptr, *end; + VALUE_PAIR const *vp; + vp_cursor_t cursor; + + total = 0; + for (vp = fr_cursor_init(&cursor, &request->reply->vps); + vp != NULL; + vp = fr_cursor_next(&cursor)) { + /* + * Skip things which shouldn't be in channel bindings. + */ + if (vp->da->flags.encrypt != FLAG_ENCRYPT_NONE) continue; + if (!vp->da->vendor && (vp->da->attr == PW_MESSAGE_AUTHENTICATOR)) continue; + + total = 2 + vp->length; + } + + /* + * No attributes: just send a 1-byte response code. + */ + if (!total) { + ptr = talloc_zero_array(chbind, uint8_t, 1); + } else { + ptr = talloc_zero_array(chbind, uint8_t, total + 4); + } + if (!ptr) return false; + chbind->response = (chbind_packet_t *) ptr; + + /* + * Set the response code. Default to "fail" if none was + * specified. + */ + vp = pairfind(request->config_items, PW_CHBIND_RESPONSE_CODE, 0, TAG_ANY); + if (vp) { + ptr[0] = vp->vp_integer; + } else { + ptr[0] = CHBIND_CODE_FAILURE; + } + + if (!total) return true; /* nothing to encode */ + + /* Write the length field into the header */ + ptr[1] = (total >> 8) & 0xff; + ptr[2] = total & 0xff; + ptr[3] = CHBIND_NSID_RADIUS; + + if ((debug_flag > 0) && fr_log_fp) { + RDEBUG("Sending chbind response: code %i", (int )(ptr[0])); + debug_pair_list(request->reply->vps); + } + + /* Encode the chbind attributes into the response */ + ptr += 4; + end = ptr + total; + for (vp = fr_cursor_init(&cursor, &request->reply->vps); + vp != NULL; + vp = fr_cursor_next(&cursor)) { + length = rad_vp2attr(NULL, NULL, NULL, &vp, ptr, end - ptr); + ptr += length; + } + + return true; +} + + +/* + * Parse channel binding packet to obtain data for a specific + * NSID. + * + * See: + * http://tools.ietf.org/html/draft-ietf-emu-chbind-13#section-5.3.2 + */ +static size_t chbind_get_data(chbind_packet_t const *packet, + int desired_nsid, + uint8_t const **data) +{ + uint8_t const *ptr; + uint8_t const *end; + + if (packet->code != CHBIND_CODE_REQUEST) { + return 0; + } + + ptr = (uint8_t const *) packet; + end = ptr + talloc_array_length(packet); + + ptr++; /* skip the code at the start of the packet */ + while (ptr < end) { + uint8_t nsid; + size_t length; + + /* + * Need room for length(2) + NSID + data. + */ + if ((end - ptr) < 4) return 0; + + length = (ptr[0] << 8) | ptr[1]; + if (length == 0) return 0; + + if ((ptr + length + 3) > end) return 0; + + nsid = ptr[2]; + if (nsid == desired_nsid) { + ptr += 3; + *data = ptr; + return length; + } + + ptr += 3 + length; + } + + return 0; +} + + +PW_CODE chbind_process(REQUEST *request, CHBIND_REQ *chbind) +{ + PW_CODE rcode; + REQUEST *fake = NULL; + VALUE_PAIR *vp = NULL; + uint8_t const *attr_data; + size_t data_len = 0; + + /* check input parameters */ + rad_assert((request != NULL) && + (chbind != NULL) && + (chbind->request != NULL) && + (chbind->response == NULL)); + + /* Set-up the fake request */ + fake = request_alloc_fake(request); + pairmake_packet("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); + + /* Add the username to the fake request */ + if (chbind->username) { + vp = paircopyvp(fake->packet, chbind->username); + pairadd(&fake->packet->vps, vp); + fake->username = vp; + } + + /* + * Maybe copy the State over, too? + */ + + /* Add the channel binding attributes to the fake packet */ + data_len = chbind_get_data(chbind->request, CHBIND_NSID_RADIUS, &attr_data); + if (data_len) { + while (data_len > 0) { + int attr_len = rad_attr2vp(fake->packet, NULL, NULL, NULL, attr_data, data_len, &vp); + if (attr_len <= 0) { + /* If radaddr2vp fails, return NULL string for + channel binding response */ + talloc_free(fake); + return PW_CODE_ACCESS_ACCEPT; + } + if (vp) { + pairadd(&fake->packet->vps, vp); + } + attr_data += attr_len; + data_len -= attr_len; + } + } + + /* + * Set virtual server based on configuration for channel + * bindings, this is hard-coded for now. + */ + fake->server = "channel_bindings"; + fake->packet->code = PW_CODE_ACCESS_REQUEST; + + rcode = rad_virtual_server(fake); + + switch (rcode) { + /* If rad_authenticate succeeded, build a reply */ + case RLM_MODULE_OK: + case RLM_MODULE_HANDLED: + if (chbind_build_response(fake, chbind)) { + rcode = PW_CODE_ACCESS_ACCEPT; + break; + } + /* FALL-THROUGH */ + + /* If we got any other response from rad_authenticate, it maps to a reject */ + default: + rcode = PW_CODE_ACCESS_REJECT; + break; + } + + talloc_free(fake); + + return rcode; +} + +/* + * Handles multiple EAP-channel-binding Message attrs + * ie concatenates all to get the complete EAP-channel-binding packet. + */ +chbind_packet_t *eap_chbind_vp2packet(TALLOC_CTX *ctx, VALUE_PAIR *vps) +{ + size_t length; + uint8_t *ptr; + VALUE_PAIR *first, *vp; + chbind_packet_t *packet; + vp_cursor_t cursor; + + first = pairfind(vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY); + if (!first) return NULL; + + /* + * Compute the total length of the channel binding data. + */ + length = 0; + for (vp =fr_cursor_init(&cursor, first); + vp != NULL; + vp = fr_cursor_next_by_num(&cursor, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY)) { + length += vp->length; + } + + if (length < 4) { + DEBUG("Invalid length %u for channel binding data", (unsigned int) length); + return NULL; + } + + /* + * Now that we know the length, allocate memory for the packet. + */ + ptr = talloc_zero_array(ctx, uint8_t, length); + if (!ptr) return NULL; + + /* + * Copy the data over to our packet. + */ + packet = (chbind_packet_t *) ptr; + for (vp = fr_cursor_init(&cursor, first); + vp != NULL; + vp = fr_cursor_next_by_num(&cursor, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY)) { + memcpy(ptr, vp->vp_octets, vp->length); + ptr += vp->length; + } + + return packet; +} + +VALUE_PAIR *eap_chbind_packet2vp(REQUEST *request, const chbind_packet_t *packet) +{ + VALUE_PAIR *vp; + + if (!packet) return NULL; /* don't produce garbage */ + + vp = paircreate(request->packet, PW_UKERNA_CHBIND, VENDORPEC_UKERNA); + if (!vp) return NULL; + pairmemcpy(vp, (const uint8_t *) packet, talloc_array_length(packet)); + + return vp; +} diff --git a/src/modules/rlm_eap/libeap/eap_chbind.h b/src/modules/rlm_eap/libeap/eap_chbind.h new file mode 100644 index 0000000..af21d5c --- /dev/null +++ b/src/modules/rlm_eap/libeap/eap_chbind.h @@ -0,0 +1,64 @@ +/* + * eap_chbind.c + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2014 Network RADIUS SARL + * Copyright 2014 The FreeRADIUS server project + */ + +#ifndef _EAP_CHBIND_H +#define _EAP_CHBIND_H + +RCSIDH(eap_chbind_h, "$Id$") + +#include +#include +#include +#include + +#include + +#include "eap.h" + +/* Structure to represent eap channel binding packet format */ +typedef struct chbind_packet_t { + uint8_t code; + uint8_t data[1]; +} chbind_packet_t; + +/* Structure to hold channel bindings req/resp information */ +typedef struct CHBIND_REQ { + VALUE_PAIR *username; /* the username */ + chbind_packet_t *request; /* channel binding request buffer */ + chbind_packet_t *response; /* channel binding response buffer */ +} CHBIND_REQ; + +/* Protocol constants */ +#define CHBIND_NSID_RADIUS 1 + +#define CHBIND_CODE_REQUEST 1 +#define CHBIND_CODE_SUCCESS 2 +#define CHBIND_CODE_FAILURE 3 + +/* Channel binding function prototypes */ +PW_CODE chbind_process(REQUEST *request, CHBIND_REQ *chbind_req); + +extern VALUE_PAIR *eap_chbind_packet2vp(REQUEST *request, const chbind_packet_t *packet); +extern chbind_packet_t *eap_chbind_vp2packet(TALLOC_CTX *ctx, VALUE_PAIR *vps); + +#endif /*_EAP_CHBIND_H*/ diff --git a/src/modules/rlm_eap/libeap/eapcommon.c b/src/modules/rlm_eap/libeap/eapcommon.c index 0c30431..6ae0ad3 100644 --- a/src/modules/rlm_eap/libeap/eapcommon.c +++ b/src/modules/rlm_eap/libeap/eapcommon.c @@ -60,6 +60,7 @@ RCSID("$Id$") #include +#include #include "eap_types.h" const FR_NAME_NUMBER eap_rcode_table[] = { -- 2.1.4