The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
base.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: f6bcf01a3ac2175b90b20bda6d9a53164a11d5a2 $
19  * @file src/process/eap_aka/base.c
20  * @brief EAP-AKA process module
21  *
22  * The state machine for EAP-SIM, EAP-AKA and EAP-AKA' is common to all methods
23  * and is in src/lib/eap_aka_sim/state_machine.c
24  *
25  * The process modules for the different EAP methods just define the sections
26  * for that EAP method, and parse different config items.
27  *
28  * @copyright 2021 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
29  */
30 
31 #include <freeradius-devel/eap_aka_sim/base.h>
32 #include <freeradius-devel/eap_aka_sim/attrs.h>
33 #include <freeradius-devel/eap_aka_sim/state_machine.h>
34 #include <freeradius-devel/server/virtual_servers.h>
35 #include <freeradius-devel/server/process.h>
36 
37 static conf_parser_t submodule_config[] = {
38  { FR_CONF_OFFSET("request_identity", eap_aka_sim_process_conf_t, request_identity ),
39  .func = cf_table_parse_int,
40  .uctx = &(cf_table_parse_ctx_t){ .table = fr_aka_sim_id_request_table, .len = &fr_aka_sim_id_request_table_len }},
41  { FR_CONF_OFFSET("strip_permanent_identity_hint", eap_aka_sim_process_conf_t,
42  strip_permanent_identity_hint ), .dflt = "yes" },
43  { FR_CONF_OFFSET_TYPE_FLAGS("ephemeral_id_length", FR_TYPE_SIZE, 0, eap_aka_sim_process_conf_t, ephemeral_id_length ), .dflt = "14" }, /* 14 for compatibility */
44  { FR_CONF_OFFSET("protected_success", eap_aka_sim_process_conf_t, protected_success ), .dflt = "no" },
45 
46  CONF_PARSER_TERMINATOR
47 };
48 
49 static virtual_server_compile_t const compile_list[] = {
50  /*
51  * Identity negotiation
52  * The initial identity here is the EAP-Identity.
53  * We can then choose to request additional
54  * identities.
55  */
56  {
57  .section = SECTION_NAME("recv", "Identity-Response"),
58  .actions = &mod_actions_authorize,
59  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_identity_response)
60  },
61  {
62  .section = SECTION_NAME("send", "Identity-Request"),
63  .actions = &mod_actions_authorize,
64  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_identity_request)
65  },
66 
67  /*
68  * Optional override sections if the user *really*
69  * wants to apply special policies for subsequent
70  * request/response rounds.
71  */
72  {
73  .section = SECTION_NAME("send", "AKA-Identity-Request"),
74  .actions = &mod_actions_authorize,
75  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_identity_request)
76  },
77  {
78  .section = SECTION_NAME("recv", "AKA-Identity-Response"),
79  .actions = &mod_actions_authorize,
80  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_identity_response)
81  },
82 
83  /*
84  * Full-Authentication
85  */
86  {
87  .section = SECTION_NAME("send", "Challenge-Request"),
88  .actions = &mod_actions_authorize,
89  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_challenge_request)
90  },
91  {
92  .section = SECTION_NAME("recv", "Challenge-Response"),
93  .actions = &mod_actions_authorize,
94  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_challenge_response)
95  },
96 
97  /*
98  * Fast-Re-Authentication
99  */
100  {
101  .section = SECTION_NAME("send", "Reauthentication-Request"),
102  .actions = &mod_actions_authorize,
103  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_reauthentication_request)
104  },
105  {
106  .section = SECTION_NAME("recv", "Reauthentication-Response"),
107  .actions = &mod_actions_authorize,
108  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_reauthentication_response)
109  },
110 
111  /*
112  * Failures originating from the supplicant
113  */
114  {
115  .section = SECTION_NAME("recv", "Client-Error"),
116  .actions = &mod_actions_authorize,
117  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_client_error)
118  },
119  {
120  .section = SECTION_NAME("recv", "Authentication-Reject"),
121  .actions = &mod_actions_authorize,
122  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_authentication_reject)
123  },
124  {
125  .section = SECTION_NAME("recv", "Synchronization-Failure"),
126  .actions = &mod_actions_authorize,
127  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_synchronization_failure)
128  },
129 
130  /*
131  * Failure originating from the server
132  */
133  {
134  .section = SECTION_NAME("send", "Failure-Notification"),
135  .actions = &mod_actions_authorize,
136  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_failure_notification)
137  },
138  {
139  .section = SECTION_NAME("recv", "Failure-Notification-ACK"),
140  .actions = &mod_actions_authorize,
141  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_failure_notification_ack)
142  },
143 
144  /*
145  * Protected success indication
146  */
147  {
148  .section = SECTION_NAME("send", "Success-Notification"),
149  .actions = &mod_actions_authorize,
150  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_success_notification)
151  },
152  {
153  .section = SECTION_NAME("recv", "Success-Notification-ACK"),
154  .actions = &mod_actions_authorize,
155  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_success_notification_ack)
156  },
157 
158  /*
159  * Final EAP-Success and EAP-Failure messages
160  */
161  {
162  .section = SECTION_NAME("send", "EAP-Success"),
163  .actions = &mod_actions_authorize,
164  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_success)
165  },
166  {
167  .section = SECTION_NAME("send", "EAP-Failure"),
168  .actions = &mod_actions_authorize,
169  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_failure)
170  },
171 
172  /*
173  * Fast-Reauth vectors
174  */
175  {
176  .section = SECTION_NAME("store", "session"),
177  .actions = &mod_actions_authorize,
178  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_session)
179  },
180  {
181  .section = SECTION_NAME("load", "session"),
182  .actions = &mod_actions_authorize,
183  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_session)
184  },
185  {
186  .section = SECTION_NAME("clear", "session"),
187  .actions = &mod_actions_authorize,
188  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_session)
189  },
190 
191  /*
192  * Pseudonym processing
193  */
194  {
195  .section = SECTION_NAME("store", "pseudonym"),
196  .actions = &mod_actions_authorize,
197  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_pseudonym)
198  },
199  {
200  .section = SECTION_NAME("load", "pseudonym"),
201  .actions = &mod_actions_authorize,
202  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_pseudonym)
203  },
204  {
205  .section = SECTION_NAME("clear", "pseudonym"),
206  .actions = &mod_actions_authorize,
207  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_pseudonym)
208  },
209 
210  COMPILE_TERMINATOR
211 };
212 
213 static int mod_instantiate(module_inst_ctx_t const *mctx)
214 {
215  eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t);
216 
217  inst->type = FR_EAP_METHOD_AKA;
218 
219  /*
220  * This isn't allowed, so just munge
221  * it to no id request.
222  */
223  if (inst->request_identity == AKA_SIM_INIT_ID_REQ) inst->request_identity = AKA_SIM_NO_ID_REQ;
224 
225  return 0;
226 }
227 
228 static int mod_load(void)
229 {
230  if (unlikely(fr_aka_sim_init() < 0)) return -1;
231 
232  fr_aka_sim_xlat_func_register();
233 
234  return 0;
235 }
236 
237 static void mod_unload(void)
238 {
239  fr_aka_sim_xlat_func_unregister();
240 
241  fr_aka_sim_free();
242 }
243 
244 extern fr_process_module_t process_eap_aka;
245 fr_process_module_t process_eap_aka = {
246  .common = {
247  .magic = MODULE_MAGIC_INIT,
248  .name = "eap_aka",
249  .onload = mod_load,
250  .unload = mod_unload,
251  .config = submodule_config,
252  .instantiate = mod_instantiate,
253  .inst_size = sizeof(eap_aka_sim_process_conf_t),
254  .inst_type = "eap_aka_sim_process_conf_t"
255  },
256  .process = eap_aka_sim_state_machine_process,
257  .compile_list = compile_list,
258  .dict = &dict_eap_aka_sim,
259 };
unlikely
#define unlikely(_x)
Definition: build.h:379
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition: cf_parse.c:1474
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:627
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
cf_table_parse_ctx_t
Definition: cf_parse.h:622
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:564
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
FR_EAP_METHOD_AKA
@ FR_EAP_METHOD_AKA
Definition: types.h:68
fr_aka_sim_xlat_func_register
int fr_aka_sim_xlat_func_register(void)
Definition: xlat.c:497
fr_aka_sim_xlat_func_unregister
void fr_aka_sim_xlat_func_unregister(void)
Definition: xlat.c:521
fr_aka_sim_free
void fr_aka_sim_free(void)
Definition: base.c:315
fr_aka_sim_init
int fr_aka_sim_init(void)
Definition: base.c:284
dict_eap_aka_sim
fr_dict_t const * dict_eap_aka_sim
Definition: base.c:48
fr_aka_sim_id_request_table
fr_table_num_sorted_t const fr_aka_sim_id_request_table[]
Definition: id.c:33
fr_aka_sim_id_request_table_len
size_t fr_aka_sim_id_request_table_len
Definition: id.c:41
AKA_SIM_INIT_ID_REQ
@ AKA_SIM_INIT_ID_REQ
We've requested no ID. This is used for last_id_req.
Definition: id.h:78
AKA_SIM_NO_ID_REQ
@ AKA_SIM_NO_ID_REQ
We're not requesting any ID.
Definition: id.h:79
FR_TYPE_SIZE
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
Definition: merged_model.c:115
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition: mod_action.c:44
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
mod_load
static int mod_load(void)
Definition: base.c:228
compile_list
static virtual_server_compile_t const compile_list[]
Definition: base.c:49
process_eap_aka
fr_process_module_t process_eap_aka
Definition: base.c:245
mod_unload
static void mod_unload(void)
Definition: base.c:237
submodule_config
static conf_parser_t submodule_config[]
Definition: base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: base.c:213
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition: process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition: process.h:54
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition: section.h:40
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition: state_machine.c:3677
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition: state_machine.h:188
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition: state_machine.h:192
eap_aka_sim_process_conf_t
Definition: state_machine.h:187
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition: virtual_servers.h:111
virtual_server_compile_t::section
section_name_t const * section
Identifier for the section.
Definition: virtual_servers.h:101
virtual_server_compile_t
Processing sections which are allowed in this virtual server.
Definition: virtual_servers.h:100
Generated by   doxygen 1.9.1