The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
base.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 32385ac29a96a31bff23d5b7e5d31cf7543fca2b $
19  * @file src/process/eap_aka_prime/base.c
20  * @brief EAP-AKA' process module
21  *
22  * The state machine for EAP-SIM, EAP-AKA and EAP-AKA' is common to all methods
23  * and is in src/lib/eap_aka_sim/state_machine.c
24  *
25  * The process modules for the different EAP methods just define the sections
26  * for that EAP method, and parse different config items.
27  *
28  * @copyright 2021 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
29  */
30 
31 #include <freeradius-devel/eap_aka_sim/base.h>
32 #include <freeradius-devel/eap_aka_sim/attrs.h>
33 #include <freeradius-devel/eap_aka_sim/state_machine.h>
34 #include <freeradius-devel/server/virtual_servers.h>
35 #include <freeradius-devel/server/process.h>
36 
37 static conf_parser_t submodule_config[] = {
38  { FR_CONF_OFFSET("network_name", eap_aka_sim_process_conf_t, network_name ) },
39  { FR_CONF_OFFSET("request_identity", eap_aka_sim_process_conf_t, request_identity ),
40  .func = cf_table_parse_int,
41  .uctx = &(cf_table_parse_ctx_t){ .table = fr_aka_sim_id_request_table, .len = &fr_aka_sim_id_request_table_len }},
42  { FR_CONF_OFFSET("strip_permanent_identity_hint", eap_aka_sim_process_conf_t,
43  strip_permanent_identity_hint ), .dflt = "yes" },
44  { FR_CONF_OFFSET_TYPE_FLAGS("ephemeral_id_length", FR_TYPE_SIZE, 0, eap_aka_sim_process_conf_t, ephemeral_id_length ), .dflt = "14" }, /* 14 for compatibility */
45  { FR_CONF_OFFSET("protected_success", eap_aka_sim_process_conf_t, protected_success ), .dflt = "no" },
46 
47  CONF_PARSER_TERMINATOR
48 };
49 
50 static virtual_server_compile_t const compile_list[] = {
51  /*
52  * Identity negotiation
53  * The initial identity here is the EAP-Identity.
54  * We can then choose to request additional
55  * identities.
56  */
57  {
58  .section = SECTION_NAME("recv", "Identity-Response"),
59  .actions = &mod_actions_authorize,
60  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_identity_response)
61  },
62  {
63  .section = SECTION_NAME("send", "Identity-Request"),
64  .actions = &mod_actions_authorize,
65  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_identity_request)
66  },
67 
68  /*
69  * Optional override sections if the user *really*
70  * wants to apply special policies for subsequent
71  * request/response rounds.
72  */
73  {
74  .section = SECTION_NAME("send", "AKA-Identity-Request"),
75  .actions = &mod_actions_authorize,
76  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_identity_request)
77  },
78  {
79  .section = SECTION_NAME("recv", "AKA-Identity-Response"),
80  .actions = &mod_actions_authorize,
81  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_identity_response)
82  },
83 
84  /*
85  * Full-Authentication
86  */
87  {
88  .section = SECTION_NAME("send", "Challenge-Request"),
89  .actions = &mod_actions_authorize,
90  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_aka_challenge_request)
91  },
92  {
93  .section = SECTION_NAME("recv", "Challenge-Response"),
94  .actions = &mod_actions_authorize,
95  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_challenge_response)
96  },
97 
98  /*
99  * Fast-Re-Authentication
100  */
101  {
102  .section = SECTION_NAME("send", "Reauthentication-Request"),
103  .actions = &mod_actions_authorize,
104  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_reauthentication_request)
105  },
106  {
107  .section = SECTION_NAME("recv", "Reauthentication-Response"),
108  .actions = &mod_actions_authorize,
109  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_reauthentication_response)
110  },
111 
112  /*
113  * Failures originating from the supplicant
114  */
115  {
116  .section = SECTION_NAME("recv", "Client-Error"),
117  .actions = &mod_actions_authorize,
118  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_client_error)
119  },
120  {
121  .section = SECTION_NAME("recv", "Authentication-Reject"),
122  .actions = &mod_actions_authorize,
123  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_authentication_reject)
124  },
125  {
126  .section = SECTION_NAME("recv", "Synchronization-Failure"),
127  .actions = &mod_actions_authorize,
128  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_aka_synchronization_failure)
129  },
130 
131  /*
132  * Failure originating from the server
133  */
134  {
135  .section = SECTION_NAME("send", "Failure-Notification"),
136  .actions = &mod_actions_authorize,
137  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_failure_notification)
138  },
139  {
140  .section = SECTION_NAME("recv", "Failure-Notification-ACK"),
141  .actions = &mod_actions_authorize,
142  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_failure_notification_ack)
143  },
144 
145  /*
146  * Protected success indication
147  */
148  {
149  .section = SECTION_NAME("send", "Success-Notification"),
150  .actions = &mod_actions_authorize,
151  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_common_success_notification)
152  },
153  {
154  .section = SECTION_NAME("recv", "Success-Notification-ACK"),
155  .actions = &mod_actions_authorize,
156  .offset = offsetof(eap_aka_sim_process_conf_t, actions.recv_common_success_notification_ack)
157  },
158 
159  /*
160  * Final EAP-Success and EAP-Failure messages
161  */
162  {
163  .section = SECTION_NAME("send", "EAP-Success"),
164  .actions = &mod_actions_authorize,
165  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_success)
166  },
167  {
168  .section = SECTION_NAME("send", "EAP-Failure"),
169  .actions = &mod_actions_authorize,
170  .offset = offsetof(eap_aka_sim_process_conf_t, actions.send_eap_failure)
171  },
172 
173  /*
174  * Fast-Reauth vectors
175  */
176  {
177  .section = SECTION_NAME("store", "session"),
178  .actions = &mod_actions_authorize,
179  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_session)
180  },
181  {
182  .section = SECTION_NAME("load", "session"),
183  .actions = &mod_actions_authorize,
184  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_session)
185  },
186  {
187  .section = SECTION_NAME("clear", "session"),
188  .actions = &mod_actions_authorize,
189  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_session)
190  },
191 
192  /*
193  * Pseudonym processing
194  */
195  {
196  .section = SECTION_NAME("store", "pseudonym"),
197  .actions = &mod_actions_authorize,
198  .offset = offsetof(eap_aka_sim_process_conf_t, actions.store_pseudonym)
199  },
200  {
201  .section = SECTION_NAME("load", "pseudonym"),
202  .actions = &mod_actions_authorize,
203  .offset = offsetof(eap_aka_sim_process_conf_t, actions.load_pseudonym)
204  },
205  {
206  .section = SECTION_NAME("clear", "pseudonym"),
207  .actions = &mod_actions_authorize,
208  .offset = offsetof(eap_aka_sim_process_conf_t, actions.clear_pseudonym)
209  },
210 
211  COMPILE_TERMINATOR
212 };
213 
214 static int mod_instantiate(module_inst_ctx_t const *mctx)
215 {
216  eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t);
217 
218  inst->type = FR_EAP_METHOD_AKA_PRIME;
219 
220  /*
221  * This isn't allowed, so just munge
222  * it to no id request.
223  */
224  if (inst->request_identity == AKA_SIM_INIT_ID_REQ) inst->request_identity = AKA_SIM_NO_ID_REQ;
225 
226  return 0;
227 }
228 
229 static int mod_load(void)
230 {
231  if (unlikely(fr_aka_sim_init() < 0)) return -1;
232 
233  fr_aka_sim_xlat_func_register();
234 
235  return 0;
236 }
237 
238 static void mod_unload(void)
239 {
240  fr_aka_sim_xlat_func_unregister();
241 
242  fr_aka_sim_free();
243 }
244 
245 extern fr_process_module_t process_eap_aka_prime;
246 fr_process_module_t process_eap_aka_prime = {
247  .common = {
248  .magic = MODULE_MAGIC_INIT,
249  .name = "eap_aka_prime",
250  .onload = mod_load,
251  .unload = mod_unload,
252  .config = submodule_config,
253  .instantiate = mod_instantiate,
254  .inst_size = sizeof(eap_aka_sim_process_conf_t),
255  .inst_type = "eap_aka_sim_process_conf_t"
256  },
257  .process = eap_aka_sim_state_machine_process,
258  .compile_list = compile_list,
259  .dict = &dict_eap_aka_sim,
260 };
unlikely
#define unlikely(_x)
Definition: build.h:379
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition: cf_parse.c:1474
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:627
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
cf_table_parse_ctx_t
Definition: cf_parse.h:622
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:564
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
FR_EAP_METHOD_AKA_PRIME
@ FR_EAP_METHOD_AKA_PRIME
Definition: types.h:96
fr_aka_sim_xlat_func_register
int fr_aka_sim_xlat_func_register(void)
Definition: xlat.c:497
fr_aka_sim_xlat_func_unregister
void fr_aka_sim_xlat_func_unregister(void)
Definition: xlat.c:521
fr_aka_sim_free
void fr_aka_sim_free(void)
Definition: base.c:315
fr_aka_sim_init
int fr_aka_sim_init(void)
Definition: base.c:284
dict_eap_aka_sim
fr_dict_t const * dict_eap_aka_sim
Definition: base.c:48
fr_aka_sim_id_request_table
fr_table_num_sorted_t const fr_aka_sim_id_request_table[]
Definition: id.c:33
fr_aka_sim_id_request_table_len
size_t fr_aka_sim_id_request_table_len
Definition: id.c:41
AKA_SIM_INIT_ID_REQ
@ AKA_SIM_INIT_ID_REQ
We've requested no ID. This is used for last_id_req.
Definition: id.h:78
AKA_SIM_NO_ID_REQ
@ AKA_SIM_NO_ID_REQ
We're not requesting any ID.
Definition: id.h:79
FR_TYPE_SIZE
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
Definition: merged_model.c:115
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition: mod_action.c:44
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
mod_load
static int mod_load(void)
Definition: base.c:229
compile_list
static virtual_server_compile_t const compile_list[]
Definition: base.c:50
process_eap_aka_prime
fr_process_module_t process_eap_aka_prime
Definition: base.c:246
mod_unload
static void mod_unload(void)
Definition: base.c:238
submodule_config
static conf_parser_t submodule_config[]
Definition: base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: base.c:214
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition: process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition: process.h:54
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition: section.h:40
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition: state_machine.c:3677
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition: state_machine.h:188
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition: state_machine.h:192
eap_aka_sim_process_conf_t
Definition: state_machine.h:187
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition: virtual_servers.h:111
virtual_server_compile_t::section
section_name_t const * section
Identifier for the section.
Definition: virtual_servers.h:101
virtual_server_compile_t
Processing sections which are allowed in this virtual server.
Definition: virtual_servers.h:100
Generated by   doxygen 1.9.1