The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
base.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 7877f99027ebc57445dd9502f6aca2ddca0ac4d7 $
19  * @file src/process/eap_aka_prime/base.c
20  * @brief EAP-AKA' process module
21  *
22  * The state machine for EAP-SIM, EAP-AKA and EAP-AKA' is common to all methods
23  * and is in src/lib/eap_aka_sim/state_machine.c
24  *
25  * The process modules for the different EAP methods just define the sections
26  * for that EAP method, and parse different config items.
27  *
28  * @copyright 2021 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
29  */
30 
31 #include <freeradius-devel/eap_aka_sim/base.h>
32 #include <freeradius-devel/eap_aka_sim/attrs.h>
33 #include <freeradius-devel/eap_aka_sim/state_machine.h>
34 #include <freeradius-devel/server/virtual_servers.h>
35 #include <freeradius-devel/server/process.h>
36 
37 static conf_parser_t submodule_config[] = {
38  { FR_CONF_OFFSET("network_name", eap_aka_sim_process_conf_t, network_name ) },
39  { FR_CONF_OFFSET("request_identity", eap_aka_sim_process_conf_t, request_identity ),
40  .func = cf_table_parse_int,
41  .uctx = &(cf_table_parse_ctx_t){ .table = fr_aka_sim_id_request_table, .len = &fr_aka_sim_id_request_table_len }},
42  { FR_CONF_OFFSET("strip_permanent_identity_hint", eap_aka_sim_process_conf_t,
43  strip_permanent_identity_hint ), .dflt = "yes" },
44  { FR_CONF_OFFSET_TYPE_FLAGS("ephemeral_id_length", FR_TYPE_SIZE, 0, eap_aka_sim_process_conf_t, ephemeral_id_length ), .dflt = "14" }, /* 14 for compatibility */
45  { FR_CONF_OFFSET("protected_success", eap_aka_sim_process_conf_t, protected_success ), .dflt = "no" },
46 
47  CONF_PARSER_TERMINATOR
48 };
49 
50 static virtual_server_compile_t const compile_list[] = {
51  /*
52  * Identity negotiation
53  * The initial identity here is the EAP-Identity.
54  * We can then choose to request additional
55  * identities.
56  */
57  {
58  .name = "recv",
59  .name2 = "Identity-Response",
60  .component = MOD_AUTHORIZE,
61  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_identity_response)
62  },
63  {
64  .name = "send",
65  .name2 = "Identity-Request",
66  .component = MOD_AUTHORIZE,
67  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_identity_request)
68  },
69 
70  /*
71  * Optional override sections if the user *really*
72  * wants to apply special policies for subsequent
73  * request/response rounds.
74  */
75  {
76  .name = "send",
77  .name2 = "AKA-Identity-Request",
78  .component = MOD_AUTHORIZE,
79  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_identity_request)
80  },
81  {
82  .name = "recv",
83  .name2 = "AKA-Identity-Response",
84  .component = MOD_AUTHORIZE,
85  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_identity_response)
86  },
87 
88  /*
89  * Full-Authentication
90  */
91  {
92  .name = "send",
93  .name2 = "Challenge-Request",
94  .component = MOD_AUTHORIZE,
95  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_challenge_request)
96  },
97  {
98  .name = "recv",
99  .name2 = "Challenge-Response",
100  .component = MOD_AUTHORIZE,
101  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_challenge_response)
102  },
103 
104  /*
105  * Fast-Re-Authentication
106  */
107  {
108  .name = "send",
109  .name2 = "Reauthentication-Request",
110  .component = MOD_AUTHORIZE,
111  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_reauthentication_request)
112  },
113  {
114  .name = "recv",
115  .name2 = "Reauthentication-Response",
116  .component = MOD_AUTHORIZE,
117  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_reauthentication_response)
118  },
119 
120  /*
121  * Failures originating from the supplicant
122  */
123  {
124  .name = "recv",
125  .name2 = "Client-Error",
126  .component = MOD_AUTHORIZE,
127  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_client_error)
128  },
129  {
130  .name = "recv",
131  .name2 = "Authentication-Reject",
132  .component = MOD_AUTHORIZE,
133  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_authentication_reject)
134  },
135  {
136  .name = "recv",
137  .name2 = "Synchronization-Failure",
138  .component = MOD_AUTHORIZE,
139  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_synchronization_failure)
140  },
141 
142  /*
143  * Failure originating from the server
144  */
145  {
146  .name = "send",
147  .name2 = "Failure-Notification",
148  .component = MOD_AUTHORIZE,
149  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_failure_notification)
150  },
151  {
152  .name = "recv",
153  .name2 = "Failure-Notification-ACK",
154  .component = MOD_AUTHORIZE,
155  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_failure_notification_ack)
156  },
157 
158  /*
159  * Protected success indication
160  */
161  {
162  .name = "send",
163  .name2 = "Success-Notification",
164  .component = MOD_AUTHORIZE,
165  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_success_notification)
166  },
167  {
168  .name = "recv",
169  .name2 = "Success-Notification-ACK",
170  .component = MOD_AUTHORIZE,
171  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_success_notification_ack)
172  },
173 
174  /*
175  * Final EAP-Success and EAP-Failure messages
176  */
177  {
178  .name = "send",
179  .name2 = "EAP-Success",
180  .component = MOD_AUTHORIZE,
181  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_success)
182  },
183  {
184  .name = "send",
185  .name2 = "EAP-Failure",
186  .component = MOD_AUTHORIZE,
187  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_failure)
188  },
189 
190  /*
191  * Fast-Reauth vectors
192  */
193  {
194  .name = "store",
195  .name2 = "session",
196  .component = MOD_AUTHORIZE,
197  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_session)
198  },
199  {
200  .name = "load",
201  .name2 = "session",
202  .component = MOD_AUTHORIZE,
203  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_session)
204  },
205  {
206  .name = "clear",
207  .name2 = "session",
208  .component = MOD_AUTHORIZE,
209  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_session)
210  },
211 
212  /*
213  * Pseudonym processing
214  */
215  {
216  .name = "store",
217  .name2 = "pseudonym",
218  .component = MOD_AUTHORIZE,
219  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_pseudonym)
220  },
221  {
222  .name = "load",
223  .name2 = "pseudonym",
224  .component = MOD_AUTHORIZE,
225  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_pseudonym)
226  },
227  {
228  .name = "clear",
229  .name2 = "pseudonym",
230  .component = MOD_AUTHORIZE,
231  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_pseudonym)
232  },
233 
234  COMPILE_TERMINATOR
235 };
236 
237 static int mod_instantiate(module_inst_ctx_t const *mctx)
238 {
239  eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->inst->data, eap_aka_sim_process_conf_t);
240 
241  inst->type = FR_EAP_METHOD_AKA_PRIME;
242 
243  /*
244  * This isn't allowed, so just munge
245  * it to no id request.
246  */
247  if (inst->request_identity == AKA_SIM_INIT_ID_REQ) inst->request_identity = AKA_SIM_NO_ID_REQ;
248 
249  return 0;
250 }
251 
252 static int mod_load(void)
253 {
254  if (unlikely(fr_aka_sim_init() < 0)) return -1;
255 
256  fr_aka_sim_xlat_func_register();
257 
258  return 0;
259 }
260 
261 static void mod_unload(void)
262 {
263  fr_aka_sim_xlat_func_unregister();
264 
265  fr_aka_sim_free();
266 }
267 
268 extern fr_process_module_t process_eap_aka_prime;
269 fr_process_module_t process_eap_aka_prime = {
270  .common = {
271  .magic = MODULE_MAGIC_INIT,
272  .name = "eap_aka_prime",
273  .onload = mod_load,
274  .unload = mod_unload,
275  .config = submodule_config,
276  .instantiate = mod_instantiate,
277  .inst_size = sizeof(eap_aka_sim_process_conf_t),
278  .inst_type = "eap_aka_sim_process_conf_t"
279  },
280  .process = eap_aka_sim_state_machine_process,
281  .compile_list = compile_list,
282  .dict = &dict_eap_aka_sim,
283 };
unlikely
#define unlikely(_x)
Definition: build.h:378
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition: cf_parse.c:1474
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:626
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
cf_table_parse_ctx_t
Definition: cf_parse.h:621
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:563
MOD_AUTHORIZE
@ MOD_AUTHORIZE
1 methods index for authorize section.
Definition: components.h:34
dl_module_instance_s::data
void *_CONST data
Module instance's parsed configuration.
Definition: dl_module.h:165
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:65
FR_EAP_METHOD_AKA_PRIME
@ FR_EAP_METHOD_AKA_PRIME
Definition: types.h:96
fr_aka_sim_xlat_func_register
int fr_aka_sim_xlat_func_register(void)
Definition: xlat.c:497
fr_aka_sim_xlat_func_unregister
void fr_aka_sim_xlat_func_unregister(void)
Definition: xlat.c:521
fr_aka_sim_free
void fr_aka_sim_free(void)
Definition: base.c:285
fr_aka_sim_init
int fr_aka_sim_init(void)
Definition: base.c:254
dict_eap_aka_sim
fr_dict_t const * dict_eap_aka_sim
Definition: base.c:48
fr_aka_sim_id_request_table
fr_table_num_sorted_t const fr_aka_sim_id_request_table[]
Definition: id.c:33
fr_aka_sim_id_request_table_len
size_t fr_aka_sim_id_request_table_len
Definition: id.c:41
AKA_SIM_INIT_ID_REQ
@ AKA_SIM_INIT_ID_REQ
We've requested no ID. This is used for last_id_req.
Definition: id.h:78
AKA_SIM_NO_ID_REQ
@ AKA_SIM_NO_ID_REQ
We're not requesting any ID.
Definition: id.h:79
FR_TYPE_SIZE
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
Definition: merged_model.c:115
module_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:52
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:51
mod_load
static int mod_load(void)
Definition: base.c:252
compile_list
static virtual_server_compile_t const compile_list[]
Definition: base.c:50
process_eap_aka_prime
fr_process_module_t process_eap_aka_prime
Definition: base.c:269
mod_unload
static void mod_unload(void)
Definition: base.c:261
submodule_config
static conf_parser_t submodule_config[]
Definition: base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: base.c:237
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition: process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition: process.h:54
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition: state_machine.c:3690
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition: state_machine.h:188
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition: state_machine.h:192
eap_aka_sim_process_conf_t
Definition: state_machine.h:187
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition: virtual_servers.h:92
virtual_server_compile_t::name
char const * name
Name of the processing section, such as "recv" or "send".
Definition: virtual_servers.h:82
virtual_server_compile_t
Processing sections which are allowed in this virtual server.
Definition: virtual_servers.h:81
Generated by   doxygen 1.9.1