The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: f6bcf01a3ac2175b90b20bda6d9a53164a11d5a2 $
19 * @file src/process/eap_aka/base.c
20 * @brief EAP-AKA process module
21 *
22 * The state machine for EAP-SIM, EAP-AKA and EAP-AKA' is common to all methods
23 * and is in src/lib/eap_aka_sim/state_machine.c
24 *
25 * The process modules for the different EAP methods just define the sections
26 * for that EAP method, and parse different config items.
27 *
28 * @copyright 2021 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
29 */
30
31#include <freeradius-devel/eap_aka_sim/base.h>
32#include <freeradius-devel/eap_aka_sim/attrs.h>
33#include <freeradius-devel/eap_aka_sim/state_machine.h>
34#include <freeradius-devel/server/virtual_servers.h>
35#include <freeradius-devel/server/process.h>
36
37static conf_parser_t submodule_config[] = {
38 { FR_CONF_OFFSET("request_identity", eap_aka_sim_process_conf_t, request_identity ),
39 .func = cf_table_parse_int,
40 .uctx = &(cf_table_parse_ctx_t){ .table = fr_aka_sim_id_request_table, .len = &fr_aka_sim_id_request_table_len }},
41 { FR_CONF_OFFSET("strip_permanent_identity_hint", eap_aka_sim_process_conf_t,
42 strip_permanent_identity_hint ), .dflt = "yes" },
43 { FR_CONF_OFFSET_TYPE_FLAGS("ephemeral_id_length", FR_TYPE_SIZE, 0, eap_aka_sim_process_conf_t, ephemeral_id_length ), .dflt = "14" }, /* 14 for compatibility */
44 { FR_CONF_OFFSET("protected_success", eap_aka_sim_process_conf_t, protected_success ), .dflt = "no" },
45
46 CONF_PARSER_TERMINATOR
47};
48
49static virtual_server_compile_t const compile_list[] = {
50 /*
51 * Identity negotiation
52 * The initial identity here is the EAP-Identity.
53 * We can then choose to request additional
54 * identities.
55 */
56 {
57 .section = SECTION_NAME("recv", "Identity-Response"),
58 .actions = &mod_actions_authorize,
59 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_identity_response)
60 },
61 {
62 .section = SECTION_NAME("send", "Identity-Request"),
63 .actions = &mod_actions_authorize,
64 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_identity_request)
65 },
66
67 /*
68 * Optional override sections if the user *really*
69 * wants to apply special policies for subsequent
70 * request/response rounds.
71 */
72 {
73 .section = SECTION_NAME("send", "AKA-Identity-Request"),
74 .actions = &mod_actions_authorize,
75 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_identity_request)
76 },
77 {
78 .section = SECTION_NAME("recv", "AKA-Identity-Response"),
79 .actions = &mod_actions_authorize,
80 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_identity_response)
81 },
82
83 /*
84 * Full-Authentication
85 */
86 {
87 .section = SECTION_NAME("send", "Challenge-Request"),
88 .actions = &mod_actions_authorize,
89 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_challenge_request)
90 },
91 {
92 .section = SECTION_NAME("recv", "Challenge-Response"),
93 .actions = &mod_actions_authorize,
94 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_challenge_response)
95 },
96
97 /*
98 * Fast-Re-Authentication
99 */
100 {
101 .section = SECTION_NAME("send", "Reauthentication-Request"),
102 .actions = &mod_actions_authorize,
103 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_reauthentication_request)
104 },
105 {
106 .section = SECTION_NAME("recv", "Reauthentication-Response"),
107 .actions = &mod_actions_authorize,
108 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_reauthentication_response)
109 },
110
111 /*
112 * Failures originating from the supplicant
113 */
114 {
115 .section = SECTION_NAME("recv", "Client-Error"),
116 .actions = &mod_actions_authorize,
117 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_client_error)
118 },
119 {
120 .section = SECTION_NAME("recv", "Authentication-Reject"),
121 .actions = &mod_actions_authorize,
122 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_authentication_reject)
123 },
124 {
125 .section = SECTION_NAME("recv", "Synchronization-Failure"),
126 .actions = &mod_actions_authorize,
127 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_synchronization_failure)
128 },
129
130 /*
131 * Failure originating from the server
132 */
133 {
134 .section = SECTION_NAME("send", "Failure-Notification"),
135 .actions = &mod_actions_authorize,
136 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_failure_notification)
137 },
138 {
139 .section = SECTION_NAME("recv", "Failure-Notification-ACK"),
140 .actions = &mod_actions_authorize,
141 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_failure_notification_ack)
142 },
143
144 /*
145 * Protected success indication
146 */
147 {
148 .section = SECTION_NAME("send", "Success-Notification"),
149 .actions = &mod_actions_authorize,
150 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_success_notification)
151 },
152 {
153 .section = SECTION_NAME("recv", "Success-Notification-ACK"),
154 .actions = &mod_actions_authorize,
155 .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_success_notification_ack)
156 },
157
158 /*
159 * Final EAP-Success and EAP-Failure messages
160 */
161 {
162 .section = SECTION_NAME("send", "EAP-Success"),
163 .actions = &mod_actions_authorize,
164 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_success)
165 },
166 {
167 .section = SECTION_NAME("send", "EAP-Failure"),
168 .actions = &mod_actions_authorize,
169 .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_failure)
170 },
171
172 /*
173 * Fast-Reauth vectors
174 */
175 {
176 .section = SECTION_NAME("store", "session"),
177 .actions = &mod_actions_authorize,
178 .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_session)
179 },
180 {
181 .section = SECTION_NAME("load", "session"),
182 .actions = &mod_actions_authorize,
183 .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_session)
184 },
185 {
186 .section = SECTION_NAME("clear", "session"),
187 .actions = &mod_actions_authorize,
188 .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_session)
189 },
190
191 /*
192 * Pseudonym processing
193 */
194 {
195 .section = SECTION_NAME("store", "pseudonym"),
196 .actions = &mod_actions_authorize,
197 .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_pseudonym)
198 },
199 {
200 .section = SECTION_NAME("load", "pseudonym"),
201 .actions = &mod_actions_authorize,
202 .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_pseudonym)
203 },
204 {
205 .section = SECTION_NAME("clear", "pseudonym"),
206 .actions = &mod_actions_authorize,
207 .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_pseudonym)
208 },
209
210 COMPILE_TERMINATOR
211};
212
213static int mod_instantiate(module_inst_ctx_t const *mctx)
214{
215 eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t);
216
217 inst->type = FR_EAP_METHOD_AKA;
218
219 /*
220 * This isn't allowed, so just munge
221 * it to no id request.
222 */
223 if (inst->request_identity == AKA_SIM_INIT_ID_REQ) inst->request_identity = AKA_SIM_NO_ID_REQ;
224
225 return 0;
226}
227
228static int mod_load(void)
229{
230 if (unlikely(fr_aka_sim_init() < 0)) return -1;
231
232 fr_aka_sim_xlat_func_register();
233
234 return 0;
235}
236
237static void mod_unload(void)
238{
239 fr_aka_sim_xlat_func_unregister();
240
241 fr_aka_sim_free();
242}
243
244extern fr_process_module_t process_eap_aka;
245fr_process_module_t process_eap_aka = {
246 .common = {
247 .magic = MODULE_MAGIC_INIT,
248 .name = "eap_aka",
249 .onload = mod_load,
250 .unload = mod_unload,
251 .config = submodule_config,
252 .instantiate = mod_instantiate,
253 .inst_size = sizeof(eap_aka_sim_process_conf_t),
254 .inst_type = "eap_aka_sim_process_conf_t"
255 },
256 .process = eap_aka_sim_state_machine_process,
257 .compile_list = compile_list,
258 .dict = &dict_eap_aka_sim,
259};
unlikely
#define unlikely(_x)
Definition build.h:381
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1550
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:642
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:596
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
cf_table_parse_ctx_t
Definition cf_parse.h:637
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:579
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
FR_EAP_METHOD_AKA
@ FR_EAP_METHOD_AKA
Definition types.h:68
fr_aka_sim_xlat_func_register
int fr_aka_sim_xlat_func_register(void)
Definition xlat.c:497
fr_aka_sim_xlat_func_unregister
void fr_aka_sim_xlat_func_unregister(void)
Definition xlat.c:521
fr_aka_sim_free
void fr_aka_sim_free(void)
Definition base.c:315
fr_aka_sim_init
int fr_aka_sim_init(void)
Definition base.c:284
dict_eap_aka_sim
fr_dict_t const * dict_eap_aka_sim
Definition base.c:48
fr_aka_sim_id_request_table
fr_table_num_sorted_t const fr_aka_sim_id_request_table[]
Definition id.c:33
fr_aka_sim_id_request_table_len
size_t fr_aka_sim_id_request_table_len
Definition id.c:41
AKA_SIM_INIT_ID_REQ
@ AKA_SIM_INIT_ID_REQ
We've requested no ID. This is used for last_id_req.
Definition id.h:78
AKA_SIM_NO_ID_REQ
@ AKA_SIM_NO_ID_REQ
We're not requesting any ID.
Definition id.h:79
FR_TYPE_SIZE
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
Definition merged_model.c:115
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:44
unlang_mod_actions_t::actions
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:62
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
compile_list
static const virtual_server_compile_t compile_list[]
Definition base.c:205
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:745
mod_load
static int mod_load(void)
Definition base.c:228
process_eap_aka
fr_process_module_t process_eap_aka
Definition base.c:245
mod_unload
static void mod_unload(void)
Definition base.c:237
submodule_config
static conf_parser_t submodule_config[]
Definition base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:213
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition process.h:54
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
module_instance_s::data
void * data
Module's instance data.
Definition module.h:271
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:198
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition state_machine.c:3677
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition state_machine.h:188
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition state_machine.h:192
eap_aka_sim_process_conf_t
Definition state_machine.h:187
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition virtual_servers.h:111
virtual_server_compile_t::section
section_name_t const * section
Identifier for the section.
Definition virtual_servers.h:101
virtual_server_compile_t
Processing sections which are allowed in this virtual server.
Definition virtual_servers.h:100
Generated by   doxygen 1.9.8