The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
decrypt.c
Go to the documentation of this file.
1 /**
2  * $Id: 3fd970ccc54d884a5eba35dd6c1ef33eed663d40 $
3  * @file decrypt.c
4  * @brief Authentication for yubikey OTP tokens using the yubikey library.
5  *
6  * @author Arran Cudbard-Bell (a.cudbardb@networkradius.com)
7  * @copyright 2013 The FreeRADIUS server project
8  * @copyright 2013 Network RADIUS (legal@networkradius.com)
9  */
10 #include "rlm_yubikey.h"
11 
12 #ifdef HAVE_YUBIKEY
13 
14 /** Decrypt a Yubikey OTP AES block
15  *
16  * @param[out] p_result The result of attempt to decrypt the token.
17  * @param[in] mctx call data.
18  * @param[in] request The current request.
19  * @param[in] passcode string to decrypt.
20  */
21 unlang_action_t rlm_yubikey_decrypt(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request, char const *passcode)
22 {
23  rlm_yubikey_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_yubikey_t);
24  uint32_t counter, timestamp;
25  yubikey_token_st token;
26 
27  fr_pair_t *key, *vp;
28 
29  key = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_yubikey_key);
30  if (!key) {
31  REDEBUG("Yubikey-Key attribute not found in control list, can't decrypt OTP data");
32  RETURN_MODULE_INVALID;
33  }
34 
35  if (key->vp_length != YUBIKEY_KEY_SIZE) {
36  REDEBUG("Yubikey-Key length incorrect, expected %u got %zu", YUBIKEY_KEY_SIZE, key->vp_length);
37  RETURN_MODULE_INVALID;
38  }
39 
40  yubikey_parse((uint8_t const *) passcode + inst->id_len, key->vp_octets, &token);
41 
42  /*
43  * Apparently this just uses byte offsets...
44  */
45  if (!yubikey_crc_ok_p((uint8_t *) &token)) {
46  REDEBUG("Decrypting OTP token data failed, rejecting");
47  RETURN_MODULE_REJECT;
48  }
49 
50  RDEBUG2("Token data decrypted successfully");
51 
52  counter = (yubikey_counter(token.ctr) << 8) | token.use;
53  timestamp = (token.tstph << 16) | token.tstpl;
54 
55  RDEBUG2("Private ID : %pH", fr_box_octets(token.uid, YUBIKEY_UID_SIZE));
56  RDEBUG2("Session counter : %u", counter);
57 
58  RDEBUG2("Token timestamp : %u", timestamp);
59 
60  RDEBUG2("Random data : %u", token.rnd);
61  RDEBUG2("CRC data : 0x%x", token.crc);
62 
63  /*
64  * Private ID used for validation purposes
65  */
66  MEM(pair_update_request(&vp, attr_yubikey_private_id) >= 0);
67  fr_pair_value_memdup(vp, token.uid, YUBIKEY_UID_SIZE, true);
68 
69  /*
70  * Token timestamp
71  */
72  MEM(pair_update_request(&vp, attr_yubikey_timestamp) >= 0);
73  vp->vp_uint32 = timestamp;
74 
75  /*
76  * Token random
77  */
78  MEM(pair_update_request(&vp, attr_yubikey_random) >= 0);
79  vp->vp_uint32 = token.rnd;
80 
81  /*
82  * Combine the two counter fields together so we can do
83  * replay attack checks.
84  */
85  MEM(pair_update_request(&vp, attr_yubikey_counter) >= 0);
86  vp->vp_uint32 = counter;
87 
88  /*
89  * Now we check for replay attacks
90  */
91  vp = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_yubikey_counter);
92  if (!vp) {
93  RWDEBUG("Yubikey-Counter not found in control list, skipping replay attack checks");
94  RETURN_MODULE_OK;
95  }
96 
97  if (counter <= vp->vp_uint32) {
98  REDEBUG("Replay attack detected! Counter value %u, is lt or eq to last known counter value %u",
99  counter, vp->vp_uint32);
100  RETURN_MODULE_REJECT;
101  }
102 
103  RETURN_MODULE_OK;
104 }
105 #endif
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
RWDEBUG
#define RWDEBUG(fmt,...)
Definition: log.h:361
uint32_t
unsigned int uint32_t
Definition: merged_model.c:33
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
request_t
Definition: merged_model.c:210
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition: module_ctx.h:42
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition: module_ctx.h:41
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition: pair.c:2981
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition: pair.c:770
pair_update_request
#define pair_update_request(_attr, _da)
Definition: radclient-ng.c:60
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54
RETURN_MODULE_REJECT
#define RETURN_MODULE_REJECT
Definition: rcode.h:55
RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition: rcode.h:59
RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition: rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
attr_yubikey_random
fr_dict_attr_t const * attr_yubikey_random
Definition: rlm_yubikey.c:68
attr_yubikey_counter
fr_dict_attr_t const * attr_yubikey_counter
Definition: rlm_yubikey.c:66
attr_yubikey_key
fr_dict_attr_t const * attr_yubikey_key
Definition: rlm_yubikey.c:63
attr_yubikey_timestamp
fr_dict_attr_t const * attr_yubikey_timestamp
Definition: rlm_yubikey.c:67
attr_yubikey_private_id
fr_dict_attr_t const * attr_yubikey_private_id
Definition: rlm_yubikey.c:65
rlm_yubikey.h
rlm_yubikey_decrypt
unlang_action_t rlm_yubikey_decrypt(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request, char const *passcode)
rlm_yubikey_t
Definition: rlm_yubikey.h:40
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
vp
fr_pair_t * vp
Definition: state_machine.c:2262
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
vp_uint32
#define vp_uint32
Definition: pair.h:123
fr_box_octets
#define fr_box_octets(_val, _len)
Definition: value.h:288
Generated by   doxygen 1.9.1