The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_eap_mschapv2.c
Go to the documentation of this file.
1/*
2 * rlm_eap_mschapv2.c Handles that are called from eap
3 *
4 * Version: $Id: 1865195f881921157c4ea5cacab02db27ce2fa9d $
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 * @copyright 2003,2006 The FreeRADIUS server project
21 */
22
23RCSID("$Id: 1865195f881921157c4ea5cacab02db27ce2fa9d $")
24
25#include <freeradius-devel/server/dependency.h>
26#include <freeradius-devel/server/pair.h>
27#include <freeradius-devel/server/virtual_servers.h>
28#include <freeradius-devel/unlang/call.h>
29#include <freeradius-devel/util/base16.h>
30#include <freeradius-devel/util/debug.h>
31#include <freeradius-devel/util/rand.h>
32
33#include "eap_mschapv2.h"
34
35static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent,
36 CONF_ITEM *ci, UNUSED conf_parser_t const *rule);
37
44
48
49static conf_parser_t submodule_config[] = {
50 { FR_CONF_OFFSET("with_ntdomain_hack", rlm_eap_mschapv2_t, with_ntdomain_hack), .dflt = "no" },
51
52 { FR_CONF_OFFSET_TYPE_FLAGS("auth_type", FR_TYPE_VOID, 0, rlm_eap_mschapv2_t, auth_type), .func = auth_type_parse, .dflt = "mschap" },
53 { FR_CONF_OFFSET("send_error", rlm_eap_mschapv2_t, send_error), .dflt = "no" },
54 { FR_CONF_OFFSET("identity", rlm_eap_mschapv2_t, identity) },
55 CONF_PARSER_TERMINATOR
56};
57
58static fr_dict_t const *dict_freeradius;
59static fr_dict_t const *dict_radius;
60
61extern fr_dict_autoload_t rlm_eap_mschapv2_dict[];
62fr_dict_autoload_t rlm_eap_mschapv2_dict[] = {
63 { .out = &dict_freeradius, .proto = "freeradius" },
64 { .out = &dict_radius, .proto = "radius" },
65 DICT_AUTOLOAD_TERMINATOR
66};
67
68static fr_dict_attr_t const *attr_auth_type;
69static fr_dict_attr_t const *attr_ms_chap_peer_challenge;
70static fr_dict_attr_t const *attr_ms_chap_user_name;
71
72static fr_dict_attr_t const *attr_microsoft;
73
74static fr_dict_attr_t const *attr_ms_chap_challenge;
75static fr_dict_attr_t const *attr_ms_chap_error;
76static fr_dict_attr_t const *attr_ms_chap_nt_enc_pw;
77static fr_dict_attr_t const *attr_ms_chap2_cpw;
78static fr_dict_attr_t const *attr_ms_chap2_response;
79static fr_dict_attr_t const *attr_ms_chap2_success;
80static fr_dict_attr_t const *attr_ms_mppe_encryption_policy;
81static fr_dict_attr_t const *attr_ms_mppe_encryption_type;
82static fr_dict_attr_t const *attr_ms_mppe_send_key;
83static fr_dict_attr_t const *attr_ms_mppe_recv_key;
84static fr_dict_attr_t const *attr_user_name;
85
86extern fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[];
87fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[] = {
88 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
89 { .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
90 { .out = &attr_ms_chap_user_name, .name = "MS-CHAP-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
91
92 { .out = &attr_microsoft, .name = "Vendor-Specific.Microsoft", .type = FR_TYPE_VENDOR, .dict = &dict_radius },
93
94 { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
95 { .out = &attr_ms_chap_error, .name = "Vendor-Specific.Microsoft.CHAP-Error", .type = FR_TYPE_STRING, .dict = &dict_radius },
96 { .out = &attr_ms_chap_nt_enc_pw, .name = "Vendor-Specific.Microsoft.CHAP-NT-Enc-PW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
97 { .out = &attr_ms_chap2_cpw, .name = "Vendor-Specific.Microsoft.CHAP2-CPW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
98 { .out = &attr_ms_chap2_response, .name = "Vendor-Specific.Microsoft.CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
99 { .out = &attr_ms_chap2_success, .name = "Vendor-Specific.Microsoft.CHAP2-Success", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
100 { .out = &attr_ms_mppe_encryption_policy, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Policy", .type = FR_TYPE_UINT32, .dict = &dict_radius },
101 { .out = &attr_ms_mppe_encryption_type, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
102 { .out = &attr_ms_mppe_send_key, .name = "Vendor-Specific.Microsoft.MPPE-Send-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
103 { .out = &attr_ms_mppe_recv_key, .name = "Vendor-Specific.Microsoft.MPPE-Recv-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
104 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
105 DICT_AUTOLOAD_TERMINATOR
106};
107
108static void mppe_keys_store(request_t *request, mschapv2_opaque_t *data)
109{
110 fr_pair_t *parent;
111
112 RDEBUG2("Storing attributes for final response");
113
114 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
115 if (!parent) parent = request->reply_ctx;
116
117 RINDENT();
118 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
119 attr_ms_mppe_encryption_policy, 0) > 0) {
120 RDEBUG2("%s", attr_ms_mppe_encryption_policy->name);
121 }
122 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
123 attr_ms_mppe_encryption_type, 0) > 0) {
124 RDEBUG2("%s", attr_ms_mppe_encryption_type->name);
125 }
126 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
127 attr_ms_mppe_recv_key, 0) > 0) {
128 RDEBUG2("%s", attr_ms_mppe_recv_key->name);
129 }
130 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
131 attr_ms_mppe_send_key, 0) > 0) {
132 RDEBUG2("%s", attr_ms_mppe_send_key->name);
133 }
134 REXDENT();
135}
136
137/** Translate a string auth_type into an enumeration value
138 *
139 * @param[in] ctx to allocate data.
140 * @param[out] out Where to write the auth_type we created or resolved.
141 * @param[in] parent Base structure address.
142 * @param[in] ci #CONF_PAIR specifying the name of the auth_type.
143 * @param[in] rule unused.
144 * @return
145 * - 0 on success.
146 * - -1 on failure.
147 */
148static int auth_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
149 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
150{
151 char const *auth_type = cf_pair_value(cf_item_to_pair(ci));
152
153 if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), auth_type) < 0) {
154 cf_log_err(ci, "Failed adding %s alias", attr_auth_type->name);
155 return -1;
156 }
157 *((fr_dict_enum_value_t **)out) = UNCONST(fr_dict_enum_value_t *, fr_dict_enum_by_name(attr_auth_type, auth_type, -1));
158
159 return 0;
160}
161
162/*
163 * Compose the response.
164 */
165static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
166 fr_pair_t *reply) CC_HINT(nonnull);
167static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
168 fr_pair_t *reply)
169{
170 uint8_t *ptr;
171 int16_t length;
172 mschapv2_header_t *hdr;
173 eap_round_t *eap_round = eap_session->this_round;
174
175 eap_round->request->code = FR_EAP_CODE_REQUEST;
176 eap_round->request->type.num = FR_EAP_METHOD_MSCHAPV2;
177
178 /*
179 * Always called with vendor Microsoft
180 */
181 if (reply->da == attr_ms_chap_challenge) {
182 /*
183 * 0 1 2 3
184 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
185 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
186 * | Code | Identifier | Length |
187 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
188 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
189 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
190 * | MS-Length | Value-Size | Challenge...
191 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
192 * | Challenge...
193 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
194 * | Server Name...
195 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
196 */
197 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + (talloc_strlen(inst->identity));
198 MEM(eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length));
199
200 /*
201 * Allocate room for the EAP-MS-CHAPv2 data.
202 */
203 eap_round->request->type.length = length;
204
205 ptr = eap_round->request->type.data;
206 hdr = (mschapv2_header_t *) ptr;
207
208 hdr->opcode = FR_EAP_MSCHAPV2_CHALLENGE;
209 hdr->mschapv2_id = eap_round->response->id + 1;
210 length = htons(length);
211 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
212 hdr->value_size = MSCHAPV2_CHALLENGE_LEN;
213
214 ptr += MSCHAPV2_HEADER_LEN;
215
216 /*
217 * Copy the Challenge, success, or error over.
218 */
219 memcpy(ptr, reply->vp_octets, reply->vp_length);
220 memcpy((ptr + reply->vp_length), inst->identity, (talloc_strlen(inst->identity)));
221 } else if (reply->da == attr_ms_chap2_success) {
222 /*
223 * 0 1 2 3
224 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
225 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
226 * | Code | Identifier | Length |
227 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
228 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
229 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
230 * | MS-Length | Message...
231 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
232 */
233 RDEBUG2("MS-CHAPv2 Success");
234 length = 46;
235 MEM(eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length));
236
237 /*
238 * Allocate room for the EAP-MS-CHAPv2 data.
239 */
240 memset(eap_round->request->type.data, 0, length);
241 eap_round->request->type.length = length;
242
243 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_SUCCESS;
244 eap_round->request->type.data[1] = eap_round->response->id;
245 length = htons(length);
246 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
247 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, 42);
248 } else if (reply->da == attr_ms_chap_error) {
249 REDEBUG("MS-CHAPv2 Failure");
250 length = 4 + reply->vp_length - 1;
251 eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
252
253 /*
254 * Allocate room for the EAP-MS-CHAPv2 data.
255 */
256 if (!eap_round->request->type.data) return 0;
257 memset(eap_round->request->type.data, 0, length);
258 eap_round->request->type.length = length;
259
260 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_FAILURE;
261 eap_round->request->type.data[1] = eap_round->response->id;
262 length = htons(length);
263 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
264 /*
265 * Copy the entire failure message.
266 */
267 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, reply->vp_length - 1);
268 } else {
269 RERROR("%s: Internal sanity check failed", __FUNCTION__);
270 return -1;
271 }
272
273 return 0;
274}
275
276
277static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request);
278
279static unlang_action_t mschap_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
280{
281 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
282 eap_session_t *eap_session = eap_session_get(request->parent);
283 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
284 eap_round_t *eap_round = eap_session->this_round;
285 fr_pair_list_t response;
286 rlm_eap_mschapv2_t const *inst = mctx->mi->data;
287 rlm_rcode_t rcode = rctx->section_result.rcode;
288 fr_pair_t *parent;
289
290 fr_pair_list_init(&response);
291
292 /*
293 * Delete MPPE keys & encryption policy. We don't
294 * want these here.
295 */
296 mppe_keys_store(request, data);
297
298 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
299 if (!parent) parent = request->reply_ctx;
300
301 /*
302 * Take the response from the mschap module, and
303 * return success or failure, depending on the result.
304 */
305 if (rcode == RLM_MODULE_OK) {
306 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap2_success, 0) < 0) {
307 RPERROR("Failed copying %s", attr_ms_chap2_success->name);
308 RETURN_UNLANG_FAIL;
309 }
310
311 data->code = FR_EAP_MSCHAPV2_SUCCESS;
312 } else if (inst->send_error) {
313 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap_error, 0) < 0) {
314 RPERROR("Failed copying %s", attr_ms_chap_error->name);
315 RETURN_UNLANG_FAIL;
316 }
317 if (!fr_pair_list_empty(&response)) {
318 int n, err, retry;
319 char buf[34];
320 fr_pair_t *vp = fr_pair_list_head(&response);
321
322 PAIR_VERIFY(vp);
323
324 RDEBUG2("MSCHAP-Error: %pV", &vp->data);
325
326 /*
327 * Parse the new challenge out of the
328 * MS-CHAP-Error, so that if the client
329 * issues a re-try, we will know which
330 * challenge value that they used.
331 */
332 n = sscanf(vp->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
333 if (n == 3) {
334 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
335 err, retry, buf);
336 fr_base16_decode(NULL, &FR_DBUFF_TMP(data->auth_challenge, 16),
337 &FR_SBUFF_IN_STR(buf), false);
338 } else {
339 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
340 }
341 }
342 data->code = FR_EAP_MSCHAPV2_FAILURE;
343 } else {
344 eap_round->request->code = FR_EAP_CODE_FAILURE;
345 RETURN_UNLANG_REJECT;
346 }
347
348 /*
349 * No response, die.
350 */
351 if (fr_pair_list_empty(&response)) {
352 REDEBUG("No %s or %s attributes were found", attr_ms_chap2_success->name, attr_ms_chap_error->name);
353 RETURN_UNLANG_INVALID;
354 }
355
356 /*
357 * Compose the response (whatever it is),
358 * and return it to the over-lying EAP module.
359 */
360 eap_mschapv2_compose(eap_session->inst, request, eap_session, fr_pair_list_head(&response));
361 fr_pair_list_free(&response);
362
363 RETURN_UNLANG_OK;
364}
365
366/*
367 * Authenticate a previously sent challenge.
368 */
369static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
370{
371 rlm_eap_mschapv2_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
372 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
373 request_t *parent = request->parent;
374 eap_session_t *eap_session = eap_session_get(parent);
375 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
376 eap_round_t *eap_round = eap_session->this_round;
377 fr_pair_t *auth_challenge, *response, *name;
378
379 CONF_SECTION *unlang;
380 int ccode;
381 uint8_t *p;
382 size_t length;
383
384 if (!fr_cond_assert(eap_session->inst)) RETURN_UNLANG_FAIL;
385
386 /*
387 * Sanity check the response.
388 */
389 if (eap_round->response->length < 6) {
390 REDEBUG("Response too short, expected at least 6 bytes, got %zu bytes",
391 eap_round->response->length);
392 RETURN_UNLANG_INVALID;
393 }
394
395 ccode = eap_round->response->type.data[0];
396
397 switch (data->code) {
398 case FR_EAP_MSCHAPV2_FAILURE:
399 if (ccode == FR_EAP_MSCHAPV2_RESPONSE) {
400 RDEBUG2("Authentication re-try from client after we sent a failure");
401 break;
402 }
403
404 /*
405 * if we sent error 648 (password expired) to the client
406 * we might get an MSCHAP-CPW packet here; turn it into a
407 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
408 * (or proxy it, I guess)
409 */
410 if (ccode == FR_EAP_MSCHAPV2_CHGPASSWD) {
411 fr_pair_t *cpw;
412 int mschap_id;
413 int copied = 0;
414 int seq = 1;
415 fr_pair_t *ms;
416
417
418 if (eap_round->response->type.length < 544) {
419 RDEBUG2("Password change has invalid length %zu < 544",
420 eap_round->response->type.length);
421 RETURN_UNLANG_INVALID;
422 }
423
424 RDEBUG2("Password change packet received");
425
426 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
427 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
428
429 mschap_id = eap_round->response->type.data[1];
430
431 MEM(pair_update_request(&cpw, attr_ms_chap2_cpw) >= 0);
432 MEM(fr_pair_value_mem_alloc(cpw, &p, 68, false) == 0);
433 p[0] = 7;
434 p[1] = mschap_id;
435 memcpy(p + 2, eap_round->response->type.data + 520, 66);
436
437 ms = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_microsoft);
438 if (!ms) ms = request->request_ctx;
439
440 /*
441 * break the encoded password into VPs (3 of them)
442 */
443 while (copied < 516) {
444 fr_pair_t *nt_enc;
445
446 int to_copy = 516 - copied;
447 if (to_copy > 243) to_copy = 243;
448
449 MEM(nt_enc = fr_pair_afrom_da(ms, attr_ms_chap_nt_enc_pw));
450 MEM(fr_pair_value_mem_alloc(nt_enc, &p, 4 + to_copy, false) == 0);
451 MEM(fr_pair_append(&ms->vp_group, nt_enc) == 0);
452 p[0] = 6;
453 p[1] = mschap_id;
454 p[2] = 0;
455 p[3] = seq++;
456 memcpy(p + 4, eap_round->response->type.data + 4 + copied, to_copy);
457
458 copied += to_copy;
459 }
460
461 RDEBUG2("Built change password packet");
462 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->request_pairs, NULL);
463
464 /*
465 * jump to "authentication"
466 */
467 goto packet_ready;
468 }
469
470 /*
471 * we sent a failure and are expecting a failure back
472 */
473 if (ccode != FR_EAP_MSCHAPV2_FAILURE) {
474 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
475 RETURN_UNLANG_INVALID;
476 }
477
478failure:
479 eap_round->request->code = FR_EAP_CODE_FAILURE;
480 RETURN_UNLANG_REJECT;
481
482 case FR_EAP_MSCHAPV2_SUCCESS:
483 /*
484 * we sent a success to the client; some clients send a
485 * success back as-per the RFC, some send an ACK. Permit
486 * both, I guess...
487 */
488
489 switch (ccode) {
490 case FR_EAP_MSCHAPV2_SUCCESS:
491 eap_round->request->code = FR_EAP_CODE_SUCCESS;
492
493 if (!fr_pair_list_empty(&data->mppe_keys)) {
494 fr_pair_t *ms;
495
496 ms = fr_pair_find_by_da_nested(&parent->reply_pairs, NULL, attr_microsoft);
497 if (!ms) {
498 MEM(ms = fr_pair_afrom_da_nested(parent->reply_ctx, &parent->reply_pairs, attr_microsoft));
499 }
500
501 RDEBUG2("Adding stored attributes to parent");
502 log_request_pair_list(L_DBG_LVL_2, request, NULL, &data->mppe_keys, "parent.reply.");
503 MEM(fr_pair_list_copy(ms, &ms->vp_group, &data->mppe_keys) >= 0);
504 } else {
505 RDEBUG2("No stored attributes to copy to parent");
506 }
507
508 FALL_THROUGH;
509
510 case FR_EAP_MSCHAPV2_ACK:
511 MEM(fr_pair_list_copy(parent->reply_ctx, &parent->reply_pairs, &data->reply) >= 0);
512 RETURN_UNLANG_OK;
513 }
514 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
515 RETURN_UNLANG_INVALID;
516
517 case FR_EAP_MSCHAPV2_CHALLENGE:
518 if (ccode == FR_EAP_MSCHAPV2_FAILURE) goto failure;
519
520 /*
521 * we sent a challenge, expecting a response
522 */
523 if (ccode != FR_EAP_MSCHAPV2_RESPONSE) {
524 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
525 RETURN_UNLANG_INVALID;
526 }
527 /* authentication happens below */
528 break;
529
530 default:
531 /* should never happen */
532 REDEBUG("Unknown state %d", data->code);
533 RETURN_UNLANG_FAIL;
534 }
535
536
537 /*
538 * Ensure that we have at least enough data
539 * to do the following checks.
540 *
541 * EAP header (4), EAP type, MS-CHAP opcode,
542 * MS-CHAP ident, MS-CHAP data length (2),
543 * MS-CHAP value length.
544 */
545 if (eap_round->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
546 REDEBUG("Response is too short");
547 RETURN_UNLANG_INVALID;
548 }
549
550 /*
551 * The 'value_size' is the size of the response,
552 * which is supposed to be the response (48
553 * bytes) plus 1 byte of flags at the end.
554 *
555 * NOTE: When using Cisco NEAT with EAP-MSCHAPv2, the
556 * switch supplicant will send MSCHAPv2 data (EAP type = 26)
557 * but will always set a value_size of 16 and NULL out the
558 * peer challenge.
559 *
560 */
561 if ((eap_round->response->type.data[4] != 49) &&
562 (eap_round->response->type.data[4] != 16)) {
563 REDEBUG("Response is of incorrect length %d", eap_round->response->type.data[4]);
564 RETURN_UNLANG_INVALID;
565 }
566
567 /*
568 * The MS-Length field is 5 + value_size + length
569 * of name, which is put after the response.
570 */
571 if (eap_round->response->type.length < (5 + MSCHAPV2_RESPONSE_LEN + 1)) {
572 REDEBUG("MS-CHAPv2 response packet is too short %zu < %d",
573 eap_round->response->type.length, 5 + MSCHAPV2_RESPONSE_LEN + 1);
574 RETURN_UNLANG_INVALID;
575 }
576
577 length = fr_nbo_to_uint16(eap_round->response->type.data + 2);
578 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
579 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
580 RETURN_UNLANG_INVALID;
581 }
582
583 /*
584 * We now know that the user has sent us a response
585 * to the challenge. Let's try to authenticate it.
586 *
587 * We do this by taking the challenge from 'data',
588 * the response from the EAP packet, and creating fr_pair_t's
589 * to pass to the 'mschap' module. This is a little wonky,
590 * but it works.
591 */
592 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
593 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
594
595 MEM(pair_update_request(&response, attr_ms_chap2_response) >= 0);
596 MEM(fr_pair_value_mem_alloc(response, &p, MSCHAPV2_RESPONSE_LEN, false) == 0);
597 p[0] = eap_round->response->type.data[1];
598 p[1] = eap_round->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
599 memcpy(p + 2, &eap_round->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
600
601 /*
602 * If we're forcing a peer challenge, use it instead of
603 * the challenge sent by the client.
604 */
605 if (data->has_peer_challenge) memcpy(p + 2, data->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
606
607 /*
608 * MS-Length - MS-Value - 5.
609 */
610 MEM(pair_update_request(&name, attr_ms_chap_user_name) >= 0);
611 MEM(fr_pair_value_bstrndup(name, (char const *)&eap_round->response->type.data[4 + MSCHAPV2_RESPONSE_LEN],
612 length - 49 - 5, true) == 0);
613packet_ready:
614
615 /*
616 * Look for "authenticate foo" in the current virtual
617 * server. If not there, then in the parent one.
618 */
619 RDEBUG("Looking for authenticate %s { ... }", inst->auth_type->name);
620 unlang = cf_section_find(unlang_call_current(parent), "authenticate", inst->auth_type->name);
621 if (!unlang) unlang = cf_section_find(unlang_call_current(request->parent), "authenticate", inst->auth_type->name);
622 if (!unlang) {
623 RDEBUG2("authenticate %s { ... } sub-section not found.",
624 inst->auth_type->name);
625 RETURN_UNLANG_FAIL;
626 }
627
628 return unlang_module_yield_to_section(&rctx->section_result, request, unlang, RLM_MODULE_FAIL, mschap_resume, NULL, 0, rctx);
629}
630
631/*
632 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
633 */
634static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
635{
636 request_t *parent = request->parent;
637 eap_session_t *eap_session = eap_session_get(parent);
638 fr_pair_t *auth_challenge;
639 fr_pair_t *peer_challenge;
640 mschapv2_opaque_t *data;
641
642 uint8_t *p;
643 int i;
644 bool created_auth_challenge;
645
646 if (!fr_cond_assert(mctx->mi->data)) RETURN_UNLANG_FAIL;
647
648 /*
649 * We're looking for attributes that should come
650 * from the EAP-TTLS submodule.
651 */
652 if (!fr_cond_assert(parent)) RETURN_UNLANG_FAIL;
653
654 /*
655 * Keep track of the challenge and the state we are in.
656 */
657 MEM(data = talloc_zero(eap_session, mschapv2_opaque_t));
658 data->code = FR_EAP_MSCHAPV2_CHALLENGE;
659 fr_pair_list_init(&data->mppe_keys);
660 fr_pair_list_init(&data->reply);
661
662 /*
663 * Allow the administrator to set the CHAP-Challenge and Peer-Challenge attributes.
664 */
665 auth_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_challenge);
666 if (auth_challenge && (auth_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
667 RWDEBUG("parent.control.MS-CHAP-Challenge is incorrect length. Ignoring it");
668 auth_challenge = NULL;
669 }
670
671 peer_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_peer_challenge);
672 if (peer_challenge && (peer_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
673 RWDEBUG("parent.control.MS-CHAP-Peer-Challenge is incorrect length. Ignoring it");
674 peer_challenge = NULL;
675 }
676
677 created_auth_challenge = (auth_challenge == NULL);
678
679 /*
680 * if the administrator didn't set a challenge, then create one ourselves.
681 */
682 if (!auth_challenge) {
683 MEM(auth_challenge = fr_pair_afrom_da(eap_session, attr_ms_chap_challenge));
684 MEM(fr_pair_value_mem_alloc(auth_challenge, &p, MSCHAPV2_CHALLENGE_LEN, false) == 0);
685 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) p[i] = fr_rand();
686 }
687 RDEBUG2("Issuing Challenge");
688
689 /*
690 * We're at the stage where we're challenging the user.
691 */
692 memcpy(data->auth_challenge, auth_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
693
694 if (peer_challenge) {
695 data->has_peer_challenge = true;
696 memcpy(data->peer_challenge, peer_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
697 }
698
699 eap_session->opaque = data;
700
701 /*
702 * Compose the EAP-MSCHAPV2 packet out of the data structure,
703 * and free it.
704 */
705 eap_mschapv2_compose(mctx->mi->data, request, eap_session, auth_challenge);
706 if (created_auth_challenge) TALLOC_FREE(auth_challenge);
707
708 /*
709 * We don't need to authorize the user at this point.
710 *
711 * We also don't need to keep the challenge, as it's
712 * stored in 'eap_session->this_round', which will be given back
713 * to us...
714 */
715 eap_session->process = mod_process;
716
717 RETURN_UNLANG_HANDLED;
718}
719
720/*
721 * Attach the module.
722 */
723static int mod_instantiate(module_inst_ctx_t const *mctx)
724{
725 rlm_eap_mschapv2_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
726
727 if (inst->identity && (strlen(inst->identity) > 255)) {
728 cf_log_err(mctx->mi->conf, "identity is too long");
729 return -1;
730 }
731
732 if (!inst->identity) inst->identity = talloc_typed_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
733
734 return 0;
735}
736
737/*
738 * The module name should be the only globally exported symbol.
739 * That is, everything else should be 'static'.
740 */
741extern rlm_eap_submodule_t rlm_eap_mschapv2;
742rlm_eap_submodule_t rlm_eap_mschapv2 = {
743 .common = {
744 .name = "eap_mschapv2",
745 .magic = MODULE_MAGIC_INIT,
746 MODULE_INST(rlm_eap_mschapv2_t),
747 MODULE_RCTX(rlm_eap_mschapv2_rctx_t),
748 .config = submodule_config,
749 .instantiate = mod_instantiate, /* Create new submodule instance */
750 },
751 .provides = { FR_EAP_METHOD_MSCHAPV2 },
752 .session_init = mod_session_init, /* Initialise a new EAP session */
753 .clone_parent_lists = false /* HACK */
754};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
n
int n
Definition acutest.h:577
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:92
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:186
RCSID
#define RCSID(id)
Definition build.h:506
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:343
UNUSED
#define UNUSED
Definition build.h:336
unlang_call_current
CONF_SECTION * unlang_call_current(request_t *request)
Return the last virtual server that was called.
Definition call.c:214
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:657
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:611
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:280
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:238
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:594
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1574
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:285
eap_packet_t::type
eap_type_data_t type
Definition compose.h:38
eap_packet_t::length
size_t length
Definition compose.h:37
eap_round_t::response
eap_packet_t * response
Packet we received from the peer.
Definition compose.h:48
eap_packet_t::code
eap_code_t code
Definition compose.h:35
eap_packet_t::id
uint8_t id
Definition compose.h:36
eap_round_t::request
eap_packet_t * request
Packet we will send to the peer.
Definition compose.h:49
eap_round_t
Contains a pair of request and response packets.
Definition compose.h:47
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:522
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:141
MEM
#define MEM(x)
Definition debug.h:46
RADIUSD_VERSION_STRING
#define RADIUSD_VERSION_STRING
Definition dependency.h:39
err
static fr_slen_t err
Definition dict.h:882
fr_dict_attr_unconst
fr_dict_attr_t * fr_dict_attr_unconst(fr_dict_attr_t const *da)
Coerce to non-const.
Definition dict_util.c:4915
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:292
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:305
fr_dict_enum_add_name_next
int fr_dict_enum_add_name_next(fr_dict_attr_t *da, char const *name)
Add an name to an integer attribute hashing the name for the integer value.
Definition dict_util.c:2229
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
fr_dict_enum_by_name
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3701
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:291
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:304
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:253
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
FR_EAP_CODE_FAILURE
@ FR_EAP_CODE_FAILURE
Definition types.h:40
FR_EAP_CODE_REQUEST
@ FR_EAP_CODE_REQUEST
Definition types.h:37
FR_EAP_CODE_SUCCESS
@ FR_EAP_CODE_SUCCESS
Definition types.h:39
eap_type_data_t::num
eap_type_t num
Definition types.h:110
eap_type_data_t::length
size_t length
Definition types.h:111
eap_type_data_t::data
uint8_t * data
Definition types.h:112
FR_EAP_METHOD_MSCHAPV2
@ FR_EAP_METHOD_MSCHAPV2
Definition types.h:71
eap_mschapv2.h
mschapv2_header_t::opcode
uint8_t opcode
Definition eap_mschapv2.h:36
MSCHAPV2_CHALLENGE_LEN
#define MSCHAPV2_CHALLENGE_LEN
Definition eap_mschapv2.h:32
mschapv2_header_t::ms_length
uint8_t ms_length[2]
Definition eap_mschapv2.h:38
MSCHAPV2_HEADER_LEN
#define MSCHAPV2_HEADER_LEN
Definition eap_mschapv2.h:31
mschapv2_header_t::mschapv2_id
uint8_t mschapv2_id
Definition eap_mschapv2.h:37
MSCHAPV2_RESPONSE_LEN
#define MSCHAPV2_RESPONSE_LEN
Definition eap_mschapv2.h:33
mschapv2_header_t::value_size
uint8_t value_size
Definition eap_mschapv2.h:39
FR_EAP_MSCHAPV2_FAILURE
#define FR_EAP_MSCHAPV2_FAILURE
Definition eap_mschapv2.h:27
FR_EAP_MSCHAPV2_CHALLENGE
#define FR_EAP_MSCHAPV2_CHALLENGE
Definition eap_mschapv2.h:24
FR_EAP_MSCHAPV2_SUCCESS
#define FR_EAP_MSCHAPV2_SUCCESS
Definition eap_mschapv2.h:26
FR_EAP_MSCHAPV2_RESPONSE
#define FR_EAP_MSCHAPV2_RESPONSE
Definition eap_mschapv2.h:25
FR_EAP_MSCHAPV2_ACK
#define FR_EAP_MSCHAPV2_ACK
Definition eap_mschapv2.h:23
FR_EAP_MSCHAPV2_CHGPASSWD
#define FR_EAP_MSCHAPV2_CHGPASSWD
Definition eap_mschapv2.h:28
mschapv2_header_t
Definition eap_mschapv2.h:35
mschapv2_opaque_t
Definition eap_mschapv2.h:42
unlang_result_t::rcode
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
unlang_result_t
Definition interpret.h:133
eap_session_get
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:85
eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition session.h:63
eap_session_s::process
module_method_t process
Callback that should be used to process the next round.
Definition session.h:65
eap_session_s::inst
void const * inst
Instance of the eap module this session was created by.
Definition session.h:49
eap_session_s::this_round
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:60
eap_session_s
Tracks the progress of a single session of any EAP method.
Definition session.h:41
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:831
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RERROR
#define RERROR(fmt,...)
Definition log.h:310
RPERROR
#define RPERROR(fmt,...)
Definition log.h:314
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:68
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_VENDOR
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
Definition merged_model.c:122
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
fr_pair_list_copy_by_da
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
Definition pair.c:2416
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2326
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2962
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1352
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2812
fr_pair_value_mem_alloc
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
Definition pair.c:2911
fr_pair_afrom_da_nested
fr_pair_t * fr_pair_afrom_da_nested(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *da)
Create a pair (and all intermediate parents), and append it to the list.
Definition pair.c:480
pair_update_request
#define pair_update_request(_attr, _da)
Definition radclient-ng.c:59
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:104
RETURN_UNLANG_HANDLED
#define RETURN_UNLANG_HANDLED
Definition rcode.h:65
RETURN_UNLANG_INVALID
#define RETURN_UNLANG_INVALID
Definition rcode.h:66
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
RETURN_UNLANG_REJECT
#define RETURN_UNLANG_REJECT
Definition rcode.h:62
RETURN_UNLANG_OK
#define RETURN_UNLANG_OK
Definition rcode.h:64
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
attr_microsoft
static fr_dict_attr_t const * attr_microsoft
Definition rlm_eap_mschapv2.c:72
mschap_resume
static unlang_action_t mschap_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:279
eap_mschapv2_compose
static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session, fr_pair_t *reply)
Definition rlm_eap_mschapv2.c:167
mppe_keys_store
static void mppe_keys_store(request_t *request, mschapv2_opaque_t *data)
Definition rlm_eap_mschapv2.c:108
attr_ms_mppe_encryption_type
static fr_dict_attr_t const * attr_ms_mppe_encryption_type
Definition rlm_eap_mschapv2.c:81
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition rlm_eap_mschapv2.c:58
auth_type_parse
static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
rlm_eap_mschapv2_t::auth_type
fr_dict_enum_value_t * auth_type
Definition rlm_eap_mschapv2.c:42
attr_ms_chap2_success
static fr_dict_attr_t const * attr_ms_chap2_success
Definition rlm_eap_mschapv2.c:79
mod_process
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:369
dict_radius
static fr_dict_t const * dict_radius
Definition rlm_eap_mschapv2.c:59
attr_ms_chap_challenge
static fr_dict_attr_t const * attr_ms_chap_challenge
Definition rlm_eap_mschapv2.c:74
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition rlm_eap_mschapv2.c:68
attr_ms_chap_user_name
static fr_dict_attr_t const * attr_ms_chap_user_name
Definition rlm_eap_mschapv2.c:70
attr_ms_chap_error
static fr_dict_attr_t const * attr_ms_chap_error
Definition rlm_eap_mschapv2.c:75
attr_ms_mppe_send_key
static fr_dict_attr_t const * attr_ms_mppe_send_key
Definition rlm_eap_mschapv2.c:82
rlm_eap_mschapv2_rctx_t::section_result
unlang_result_t section_result
Definition rlm_eap_mschapv2.c:46
rlm_eap_mschapv2_t::with_ntdomain_hack
bool with_ntdomain_hack
Definition rlm_eap_mschapv2.c:39
attr_ms_chap2_response
static fr_dict_attr_t const * attr_ms_chap2_response
Definition rlm_eap_mschapv2.c:78
rlm_eap_mschapv2_dict
fr_dict_autoload_t rlm_eap_mschapv2_dict[]
Definition rlm_eap_mschapv2.c:62
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition rlm_eap_mschapv2.c:84
rlm_eap_mschapv2_dict_attr
fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[]
Definition rlm_eap_mschapv2.c:87
attr_ms_mppe_recv_key
static fr_dict_attr_t const * attr_ms_mppe_recv_key
Definition rlm_eap_mschapv2.c:83
submodule_config
static conf_parser_t submodule_config[]
Definition rlm_eap_mschapv2.c:49
rlm_eap_mschapv2_t::identity
char const * identity
Definition rlm_eap_mschapv2.c:41
attr_ms_chap_nt_enc_pw
static fr_dict_attr_t const * attr_ms_chap_nt_enc_pw
Definition rlm_eap_mschapv2.c:76
rlm_eap_mschapv2
rlm_eap_submodule_t rlm_eap_mschapv2
Definition rlm_eap_mschapv2.c:742
attr_ms_chap_peer_challenge
static fr_dict_attr_t const * attr_ms_chap_peer_challenge
Definition rlm_eap_mschapv2.c:69
mod_session_init
static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:634
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_eap_mschapv2.c:723
rlm_eap_mschapv2_t::send_error
bool send_error
Definition rlm_eap_mschapv2.c:40
attr_ms_chap2_cpw
static fr_dict_attr_t const * attr_ms_chap2_cpw
Definition rlm_eap_mschapv2.c:77
attr_ms_mppe_encryption_policy
static fr_dict_attr_t const * attr_ms_mppe_encryption_policy
Definition rlm_eap_mschapv2.c:80
rlm_eap_mschapv2_rctx_t
Definition rlm_eap_mschapv2.c:45
rlm_eap_mschapv2_t
Definition rlm_eap_mschapv2.c:38
name
static char const * name
Definition rlm_redis_ippool_tool.c:156
FR_SBUFF_IN_STR
#define FR_SBUFF_IN_STR(_start)
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:351
module_instance_s::data
void * data
Module's instance data.
Definition module.h:293
MODULE_RCTX
#define MODULE_RCTX(_ctype)
Definition module.h:259
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:257
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3645
vp
fr_pair_t * vp
Definition state_machine.c:2287
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
rlm_eap_submodule_t::common
module_t common
Common fields provided by all modules.
Definition submodule.h:50
rlm_eap_submodule_t
Interface exported by EAP submodules.
Definition submodule.h:49
talloc_typed_asprintf
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
Definition talloc.c:545
talloc_strlen
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
Definition talloc.h:136
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:124
PAIR_VERIFY
#define PAIR_VERIFY(_x)
Definition pair.h:204
fr_pair_list_free
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
Definition pair_inline.c:112
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
parent
static fr_slen_t parent
Definition pair.h:858
data
static fr_slen_t data
Definition value.h:1340
nonnull
int nonnull(2, 5))
out
static size_t char ** out
Definition value.h:1030
Generated by   doxygen 1.9.8