rlm__eap__md5_8c_source.html

/*

 * rlm_eap_md5.c    Handles that are called from eap

 *

 * Version:     $Id: 8aff65ee19d9605cdc242fc709bdf934bfb61dc9 $

 *

 *   This program is free software; you can redistribute it and/or modify

 *   it under the terms of the GNU General Public License as published by

 *   the Free Software Foundation; either version 2 of the License, or

 *   (at your option) any later version.

 *

 *   This program is distributed in the hope that it will be useful,

 *   but WITHOUT ANY WARRANTY; without even the implied warranty of

 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *   GNU General Public License for more details.

 *

 *   You should have received a copy of the GNU General Public License

 *   along with this program; if not, write to the Free Software

 *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA

 *

 * @copyright 2000,2001,2006 The FreeRADIUS server project

 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)

 */


RCSID("$Id: 8aff65ee19d9605cdc242fc709bdf934bfb61dc9 $")


#include <freeradius-devel/server/password.h>

#include <freeradius-devel/util/debug.h>

#include <freeradius-devel/util/md5.h>

#include <freeradius-devel/util/rand.h>


#include "eap_md5.h"


static fr_dict_t const *dict_freeradius;


extern fr_dict_autoload_t rlm_eap_md5_dict[];


fr_dict_autoload_t rlm_eap_md5_dict[] = {

        { .out = &dict_freeradius, .proto = "freeradius" },

        { NULL }

};


static fr_dict_attr_t const *attr_cleartext_password;


extern fr_dict_attr_autoload_t rlm_eap_md5_dict_attr[];


fr_dict_attr_autoload_t rlm_eap_md5_dict_attr[] = {

        { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },

        { NULL }

};


/*

 *      Authenticate a previously sent challenge.

 */


static unlang_action_t mod_process(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)

{

        eap_session_t           *eap_session = eap_session_get(request->parent);

        MD5_PACKET              *packet;

        MD5_PACKET              *reply;

        fr_pair_t               *known_good;

        fr_dict_attr_t  const   *allowed_passwords[] = { attr_cleartext_password };

        bool                    ephemeral;


        /*

         *      Get the Password.Cleartext for this user.

         */

        fr_assert(eap_session->request != NULL);


        known_good = password_find(&ephemeral, request, request->parent,

                                   allowed_passwords, NUM_ELEMENTS(allowed_passwords),

                                   false);

        if (!known_good) {

                REDEBUG("No \"known good\" password found for user");

                RETURN_MODULE_FAIL;

        }


        /*

         *      Extract the EAP-MD5 packet.

         */

        packet = eap_md5_extract(request, eap_session->this_round);

        if (!packet) {

                if (ephemeral) TALLOC_FREE(known_good);

                RETURN_MODULE_INVALID;

        }


        /*

         *      Create a reply, and initialize it.

         */

        MEM(reply = talloc(packet, MD5_PACKET));

        reply->id = eap_session->this_round->request->id;

        reply->length = 0;


        /*

         *      Verify the received packet against the previous packet

         *      (i.e. challenge) which we sent out.

         */

        if (eap_md5_verify(request, packet, known_good, eap_session->opaque)) {

                reply->code = FR_MD5_SUCCESS;

        } else {

                reply->code = FR_MD5_FAILURE;

        }


        /*

         *      Compose the EAP-MD5 packet out of the data structure,

         *      and free it.

         */

        eap_md5_compose(eap_session->this_round, reply);

        talloc_free(packet);


        if (ephemeral) TALLOC_FREE(known_good);


        RETURN_MODULE_OK;

}


/*

 *      Initiate the EAP-MD5 session by sending a challenge to the peer.

 */


static unlang_action_t mod_session_init(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)

{

        eap_session_t   *eap_session = eap_session_get(request->parent);

        MD5_PACKET      *reply;

        int             i;


        fr_assert(eap_session != NULL);


        /*

         *      Allocate an EAP-MD5 packet.

         */

        MEM(reply = talloc(eap_session, MD5_PACKET));


        /*

         *      Fill it with data.

         */

        reply->code = FR_MD5_CHALLENGE;

        reply->length = 1 + MD5_CHALLENGE_LEN; /* one byte of value size */

        reply->value_size = MD5_CHALLENGE_LEN;


        /*

         *      Allocate user data.

         */

        MEM(reply->value = talloc_array(reply, uint8_t, reply->value_size));

        /*

         *      Get a random challenge.

         */

        for (i = 0; i < reply->value_size; i++) reply->value[i] = fr_rand();

        RDEBUG2("Issuing MD5 Challenge");


        /*

         *      Keep track of the challenge.

         */

        MEM(eap_session->opaque = talloc_array(eap_session, uint8_t, reply->value_size));

        memcpy(eap_session->opaque, reply->value, reply->value_size);


        /*

         *      Compose the EAP-MD5 packet out of the data structure,

         *      and free it.

         */

        eap_md5_compose(eap_session->this_round, reply);


        /*

         *      We don't need to authorize the user at this point.

         *

         *      We also don't need to keep the challenge, as it's

         *      stored in 'eap_session->this_round', which will be given back

         *      to us...

         */

        eap_session->process = mod_process;


        RETURN_MODULE_HANDLED;

}


/*

 *      The module name should be the only globally exported symbol.

 *      That is, everything else should be 'static'.

 */

extern rlm_eap_submodule_t rlm_eap_md5;


rlm_eap_submodule_t rlm_eap_md5 = {

        .common = {

                .magic          = MODULE_MAGIC_INIT,

                .name           = "eap_md5"

        },

        .provides       = { FR_EAP_METHOD_MD5 },

        .session_init   = mod_session_init,     /* Initialise a new EAP session */

};


unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35

RCSID
#define RCSID(id)
Definition build.h:483

UNUSED
#define UNUSED
Definition build.h:315

NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:337

eap_packet_t::id
uint8_t id
Definition compose.h:37

eap_round_t::request
eap_packet_t * request
Packet we will send to the peer.
Definition compose.h:50

MEM
#define MEM(x)
Definition debug.h:36

fr_dict_attr_autoload_t::out
fr_dict_attr_t const  ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:268

fr_dict_autoload_t::out
fr_dict_t const  ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:281

fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:267

fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:280

MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63

FR_EAP_METHOD_MD5
@ FR_EAP_METHOD_MD5
Definition types.h:49

eap_md5_verify
int eap_md5_verify(request_t *request, MD5_PACKET *packet, fr_pair_t *password, uint8_t *challenge)
Definition eap_md5.c:129

eap_md5_compose
int eap_md5_compose(eap_round_t *eap_round, MD5_PACKET *reply)
Definition eap_md5.c:179

eap_md5_extract
MD5_PACKET * eap_md5_extract(request_t *request, eap_round_t *eap_round)
Definition eap_md5.c:49

eap_md5.h

FR_MD5_FAILURE
#define FR_MD5_FAILURE
Definition eap_md5.h:9

MD5_PACKET::id
unsigned char id
Definition eap_md5.h:38

MD5_CHALLENGE_LEN
#define MD5_CHALLENGE_LEN
Definition eap_md5.h:13

MD5_PACKET::length
unsigned short length
Definition eap_md5.h:39

MD5_PACKET::code
unsigned char code
Definition eap_md5.h:37

MD5_PACKET::value
unsigned char * value
Definition eap_md5.h:41

MD5_PACKET::value_size
unsigned char value_size
Definition eap_md5.h:40

FR_MD5_SUCCESS
#define FR_MD5_SUCCESS
Definition eap_md5.h:8

FR_MD5_CHALLENGE
#define FR_MD5_CHALLENGE
Definition eap_md5.h:6

MD5_PACKET
Definition eap_md5.h:36

eap_session_get
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:82

eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition session.h:62

eap_session_s::process
module_method_t process
Callback that should be used to process the next round.
Definition session.h:64

eap_session_s::request
request_t * request
Current request.
Definition session.h:51

eap_session_s::this_round
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:59

eap_session_s
Tracks the progress of a single session of any EAP method.
Definition session.h:40

talloc_free
talloc_free(reap)

FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83

uint8_t
unsigned char uint8_t
Definition merged_model.c:30

fr_dict_attr_t
Definition merged_model.c:133

fr_dict_t
Definition merged_model.c:198

request_t
Definition merged_model.c:210

module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41

password_find
fr_pair_t * password_find(bool *ephemeral, TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify)
Find a "known good" password in the control list of a request.
Definition password.c:954

fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38

REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52

RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54

fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105

RETURN_MODULE_HANDLED
#define RETURN_MODULE_HANDLED
Definition rcode.h:58

RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition rcode.h:59

RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition rcode.h:57

RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:56

rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40

rlm_eap_md5_dict
fr_dict_autoload_t rlm_eap_md5_dict[]
Definition rlm_eap_md5.c:36

dict_freeradius
static fr_dict_t const  * dict_freeradius
Definition rlm_eap_md5.c:33

mod_session_init
static unlang_action_t mod_session_init(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_md5.c:115

rlm_eap_md5
rlm_eap_submodule_t rlm_eap_md5
Definition rlm_eap_md5.c:174

attr_cleartext_password
static fr_dict_attr_t const  * attr_cleartext_password
Definition rlm_eap_md5.c:41

rlm_eap_md5_dict_attr
fr_dict_attr_autoload_t rlm_eap_md5_dict_attr[]
Definition rlm_eap_md5.c:44

mod_process
static unlang_action_t mod_process(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_md5.c:52

value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68

rlm_eap_submodule_t::common
module_t common
Common fields provided by all modules.
Definition submodule.h:50

rlm_eap_submodule_t
Interface exported by EAP submodules.
Definition submodule.h:49