The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_eap_mschapv2.c
Go to the documentation of this file.
1/*
2 * rlm_eap_mschapv2.c Handles that are called from eap
3 *
4 * Version: $Id: 8c66dd224285af923d9dbd09483948f5146524b2 $
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 * @copyright 2003,2006 The FreeRADIUS server project
21 */
22
23RCSID("$Id: 8c66dd224285af923d9dbd09483948f5146524b2 $")
24
25#include <freeradius-devel/server/dependency.h>
26#include <freeradius-devel/server/pair.h>
27#include <freeradius-devel/server/virtual_servers.h>
28#include <freeradius-devel/unlang/call.h>
29#include <freeradius-devel/unlang/interpret.h>
30#include <freeradius-devel/util/base16.h>
31#include <freeradius-devel/util/debug.h>
32#include <freeradius-devel/util/rand.h>
33
34#include "eap_mschapv2.h"
35
36static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent,
37 CONF_ITEM *ci, UNUSED conf_parser_t const *rule);
38
45
49
50static conf_parser_t submodule_config[] = {
51 { FR_CONF_OFFSET("with_ntdomain_hack", rlm_eap_mschapv2_t, with_ntdomain_hack), .dflt = "no" },
52
53 { FR_CONF_OFFSET_TYPE_FLAGS("auth_type", FR_TYPE_VOID, 0, rlm_eap_mschapv2_t, auth_type), .func = auth_type_parse, .dflt = "mschap" },
54 { FR_CONF_OFFSET("send_error", rlm_eap_mschapv2_t, send_error), .dflt = "no" },
55 { FR_CONF_OFFSET("identity", rlm_eap_mschapv2_t, identity) },
56 CONF_PARSER_TERMINATOR
57};
58
59static fr_dict_t const *dict_freeradius;
60static fr_dict_t const *dict_radius;
61
62extern fr_dict_autoload_t rlm_eap_mschapv2_dict[];
63fr_dict_autoload_t rlm_eap_mschapv2_dict[] = {
64 { .out = &dict_freeradius, .proto = "freeradius" },
65 { .out = &dict_radius, .proto = "radius" },
66 DICT_AUTOLOAD_TERMINATOR
67};
68
69static fr_dict_attr_t const *attr_auth_type;
70static fr_dict_attr_t const *attr_ms_chap_peer_challenge;
71static fr_dict_attr_t const *attr_ms_chap_user_name;
72
73static fr_dict_attr_t const *attr_microsoft;
74
75static fr_dict_attr_t const *attr_ms_chap_challenge;
76static fr_dict_attr_t const *attr_ms_chap_error;
77static fr_dict_attr_t const *attr_ms_chap_nt_enc_pw;
78static fr_dict_attr_t const *attr_ms_chap2_cpw;
79static fr_dict_attr_t const *attr_ms_chap2_response;
80static fr_dict_attr_t const *attr_ms_chap2_success;
81static fr_dict_attr_t const *attr_ms_mppe_encryption_policy;
82static fr_dict_attr_t const *attr_ms_mppe_encryption_type;
83static fr_dict_attr_t const *attr_ms_mppe_send_key;
84static fr_dict_attr_t const *attr_ms_mppe_recv_key;
85static fr_dict_attr_t const *attr_user_name;
86
87extern fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[];
88fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[] = {
89 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
90 { .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
91 { .out = &attr_ms_chap_user_name, .name = "MS-CHAP-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
92
93 { .out = &attr_microsoft, .name = "Vendor-Specific.Microsoft", .type = FR_TYPE_VENDOR, .dict = &dict_radius },
94
95 { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
96 { .out = &attr_ms_chap_error, .name = "Vendor-Specific.Microsoft.CHAP-Error", .type = FR_TYPE_STRING, .dict = &dict_radius },
97 { .out = &attr_ms_chap_nt_enc_pw, .name = "Vendor-Specific.Microsoft.CHAP-NT-Enc-PW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
98 { .out = &attr_ms_chap2_cpw, .name = "Vendor-Specific.Microsoft.CHAP2-CPW", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
99 { .out = &attr_ms_chap2_response, .name = "Vendor-Specific.Microsoft.CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
100 { .out = &attr_ms_chap2_success, .name = "Vendor-Specific.Microsoft.CHAP2-Success", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
101 { .out = &attr_ms_mppe_encryption_policy, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Policy", .type = FR_TYPE_UINT32, .dict = &dict_radius },
102 { .out = &attr_ms_mppe_encryption_type, .name = "Vendor-Specific.Microsoft.MPPE-Encryption-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
103 { .out = &attr_ms_mppe_send_key, .name = "Vendor-Specific.Microsoft.MPPE-Send-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
104 { .out = &attr_ms_mppe_recv_key, .name = "Vendor-Specific.Microsoft.MPPE-Recv-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
105 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
106 DICT_AUTOLOAD_TERMINATOR
107};
108
109static void mppe_keys_store(request_t *request, mschapv2_opaque_t *data)
110{
111 fr_pair_t *parent;
112
113 RDEBUG2("Storing attributes for final response");
114
115 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
116 if (!parent) parent = request->reply_ctx;
117
118 RINDENT();
119 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
120 attr_ms_mppe_encryption_policy, 0) > 0) {
121 RDEBUG2("%s", attr_ms_mppe_encryption_policy->name);
122 }
123 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
124 attr_ms_mppe_encryption_type, 0) > 0) {
125 RDEBUG2("%s", attr_ms_mppe_encryption_type->name);
126 }
127 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
128 attr_ms_mppe_recv_key, 0) > 0) {
129 RDEBUG2("%s", attr_ms_mppe_recv_key->name);
130 }
131 if (fr_pair_list_copy_by_da(data, &data->mppe_keys, &parent->vp_group,
132 attr_ms_mppe_send_key, 0) > 0) {
133 RDEBUG2("%s", attr_ms_mppe_send_key->name);
134 }
135 REXDENT();
136}
137
138/** Translate a string auth_type into an enumeration value
139 *
140 * @param[in] ctx to allocate data.
141 * @param[out] out Where to write the auth_type we created or resolved.
142 * @param[in] parent Base structure address.
143 * @param[in] ci #CONF_PAIR specifying the name of the auth_type.
144 * @param[in] rule unused.
145 * @return
146 * - 0 on success.
147 * - -1 on failure.
148 */
149static int auth_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
150 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
151{
152 char const *auth_type = cf_pair_value(cf_item_to_pair(ci));
153
154 if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), auth_type) < 0) {
155 cf_log_err(ci, "Failed adding %s alias", attr_auth_type->name);
156 return -1;
157 }
158 *((fr_dict_enum_value_t **)out) = UNCONST(fr_dict_enum_value_t *, fr_dict_enum_by_name(attr_auth_type, auth_type, -1));
159
160 return 0;
161}
162
163/*
164 * Compose the response.
165 */
166static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
167 fr_pair_t *reply) CC_HINT(nonnull);
168static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session,
169 fr_pair_t *reply)
170{
171 uint8_t *ptr;
172 int16_t length;
173 mschapv2_header_t *hdr;
174 eap_round_t *eap_round = eap_session->this_round;
175
176 eap_round->request->code = FR_EAP_CODE_REQUEST;
177 eap_round->request->type.num = FR_EAP_METHOD_MSCHAPV2;
178
179 /*
180 * Always called with vendor Microsoft
181 */
182 if (reply->da == attr_ms_chap_challenge) {
183 /*
184 * 0 1 2 3
185 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
186 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
187 * | Code | Identifier | Length |
188 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
189 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
190 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
191 * | MS-Length | Value-Size | Challenge...
192 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
193 * | Challenge...
194 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195 * | Server Name...
196 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
197 */
198 length = MSCHAPV2_HEADER_LEN + MSCHAPV2_CHALLENGE_LEN + (talloc_strlen(inst->identity));
199 MEM(eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length));
200
201 /*
202 * Allocate room for the EAP-MS-CHAPv2 data.
203 */
204 eap_round->request->type.length = length;
205
206 ptr = eap_round->request->type.data;
207 hdr = (mschapv2_header_t *) ptr;
208
209 hdr->opcode = FR_EAP_MSCHAPV2_CHALLENGE;
210 hdr->mschapv2_id = eap_round->response->id + 1;
211 length = htons(length);
212 memcpy(hdr->ms_length, &length, sizeof(uint16_t));
213 hdr->value_size = MSCHAPV2_CHALLENGE_LEN;
214
215 ptr += MSCHAPV2_HEADER_LEN;
216
217 /*
218 * Copy the Challenge, success, or error over.
219 */
220 memcpy(ptr, reply->vp_octets, reply->vp_length);
221 memcpy((ptr + reply->vp_length), inst->identity, (talloc_strlen(inst->identity)));
222 } else if (reply->da == attr_ms_chap2_success) {
223 /*
224 * 0 1 2 3
225 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
226 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
227 * | Code | Identifier | Length |
228 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
229 * | Type | OpCode | MS-CHAPv2-ID | MS-Length...
230 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
231 * | MS-Length | Message...
232 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233 */
234 RDEBUG2("MS-CHAPv2 Success");
235 length = 46;
236 MEM(eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length));
237
238 /*
239 * Allocate room for the EAP-MS-CHAPv2 data.
240 */
241 memset(eap_round->request->type.data, 0, length);
242 eap_round->request->type.length = length;
243
244 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_SUCCESS;
245 eap_round->request->type.data[1] = eap_round->response->id;
246 length = htons(length);
247 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
248 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, 42);
249 } else if (reply->da == attr_ms_chap_error) {
250 REDEBUG("MS-CHAPv2 Failure");
251 length = 4 + reply->vp_length - 1;
252 eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
253
254 /*
255 * Allocate room for the EAP-MS-CHAPv2 data.
256 */
257 if (!eap_round->request->type.data) return 0;
258 memset(eap_round->request->type.data, 0, length);
259 eap_round->request->type.length = length;
260
261 eap_round->request->type.data[0] = FR_EAP_MSCHAPV2_FAILURE;
262 eap_round->request->type.data[1] = eap_round->response->id;
263 length = htons(length);
264 memcpy((eap_round->request->type.data + 2), &length, sizeof(uint16_t));
265 /*
266 * Copy the entire failure message.
267 */
268 memcpy((eap_round->request->type.data + 4), reply->vp_strvalue + 1, reply->vp_length - 1);
269 } else {
270 RERROR("%s: Internal sanity check failed", __FUNCTION__);
271 return -1;
272 }
273
274 return 0;
275}
276
277
278static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request);
279
280static unlang_action_t mschap_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
281{
282 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
283 eap_session_t *eap_session = eap_session_get(request->parent);
284 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
285 eap_round_t *eap_round = eap_session->this_round;
286 fr_pair_list_t response;
287 rlm_eap_mschapv2_t const *inst = mctx->mi->data;
288 rlm_rcode_t rcode = rctx->section_result.rcode;
289 fr_pair_t *parent;
290
291 fr_pair_list_init(&response);
292
293 /*
294 * Delete MPPE keys & encryption policy. We don't
295 * want these here.
296 */
297 mppe_keys_store(request, data);
298
299 parent = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_microsoft);
300 if (!parent) parent = request->reply_ctx;
301
302 /*
303 * Take the response from the mschap module, and
304 * return success or failure, depending on the result.
305 */
306 if (rcode == RLM_MODULE_OK) {
307 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap2_success, 0) < 0) {
308 RPERROR("Failed copying %s", attr_ms_chap2_success->name);
309 RETURN_UNLANG_FAIL;
310 }
311
312 data->code = FR_EAP_MSCHAPV2_SUCCESS;
313 } else if (inst->send_error) {
314 if (fr_pair_list_copy_by_da(data, &response, &parent->vp_group, attr_ms_chap_error, 0) < 0) {
315 RPERROR("Failed copying %s", attr_ms_chap_error->name);
316 RETURN_UNLANG_FAIL;
317 }
318 if (!fr_pair_list_empty(&response)) {
319 int n, err, retry;
320 char buf[34];
321 fr_pair_t *vp = fr_pair_list_head(&response);
322
323 PAIR_VERIFY(vp);
324
325 RDEBUG2("MSCHAP-Error: %pV", &vp->data);
326
327 /*
328 * Parse the new challenge out of the
329 * MS-CHAP-Error, so that if the client
330 * issues a re-try, we will know which
331 * challenge value that they used.
332 */
333 n = sscanf(vp->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf[0]);
334 if (n == 3) {
335 RDEBUG2("Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s",
336 err, retry, buf);
337 fr_base16_decode(NULL, &FR_DBUFF_TMP(data->auth_challenge, 16),
338 &FR_SBUFF_IN_STR(buf), false);
339 } else {
340 RDEBUG2("Could not parse new challenge from MS-CHAP-Error: %d", n);
341 }
342 }
343 data->code = FR_EAP_MSCHAPV2_FAILURE;
344 } else {
345 eap_round->request->code = FR_EAP_CODE_FAILURE;
346 RETURN_UNLANG_REJECT;
347 }
348
349 /*
350 * No response, die.
351 */
352 if (fr_pair_list_empty(&response)) {
353 REDEBUG("No %s or %s attributes were found", attr_ms_chap2_success->name, attr_ms_chap_error->name);
354 RETURN_UNLANG_INVALID;
355 }
356
357 /*
358 * Compose the response (whatever it is),
359 * and return it to the over-lying EAP module.
360 */
361 eap_mschapv2_compose(eap_session->inst, request, eap_session, fr_pair_list_head(&response));
362 fr_pair_list_free(&response);
363
364 RETURN_UNLANG_OK;
365}
366
367/*
368 * Authenticate a previously sent challenge.
369 */
370static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
371{
372 rlm_eap_mschapv2_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
373 rlm_eap_mschapv2_rctx_t *rctx = talloc_get_type_abort(mctx->rctx, rlm_eap_mschapv2_rctx_t);
374 request_t *parent = request->parent;
375 eap_session_t *eap_session = eap_session_get(parent);
376 mschapv2_opaque_t *data = talloc_get_type_abort(eap_session->opaque, mschapv2_opaque_t);
377 eap_round_t *eap_round = eap_session->this_round;
378 fr_pair_t *auth_challenge, *response, *name;
379
380 CONF_SECTION *unlang;
381 int ccode;
382 uint8_t *p;
383 size_t length;
384
385 if (!fr_cond_assert(eap_session->inst)) RETURN_UNLANG_FAIL;
386
387 /*
388 * Sanity check the response.
389 */
390 if (eap_round->response->length < 6) {
391 REDEBUG("Response too short, expected at least 6 bytes, got %zu bytes",
392 eap_round->response->length);
393 RETURN_UNLANG_INVALID;
394 }
395
396 ccode = eap_round->response->type.data[0];
397
398 switch (data->code) {
399 case FR_EAP_MSCHAPV2_FAILURE:
400 if (ccode == FR_EAP_MSCHAPV2_RESPONSE) {
401 RDEBUG2("Authentication re-try from client after we sent a failure");
402 break;
403 }
404
405 /*
406 * if we sent error 648 (password expired) to the client
407 * we might get an MSCHAP-CPW packet here; turn it into a
408 * regular MS-CHAP2-CPW packet and pass it to rlm_mschap
409 * (or proxy it, I guess)
410 */
411 if (ccode == FR_EAP_MSCHAPV2_CHGPASSWD) {
412 fr_pair_t *cpw;
413 int mschap_id;
414 int copied = 0;
415 int seq = 1;
416 fr_pair_t *ms;
417
418
419 if (eap_round->response->type.length < 544) {
420 RDEBUG2("Password change has invalid length %zu < 544",
421 eap_round->response->type.length);
422 RETURN_UNLANG_INVALID;
423 }
424
425 RDEBUG2("Password change packet received");
426
427 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
428 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
429
430 mschap_id = eap_round->response->type.data[1];
431
432 MEM(pair_update_request(&cpw, attr_ms_chap2_cpw) >= 0);
433 MEM(fr_pair_value_mem_alloc(cpw, &p, 68, false) == 0);
434 p[0] = 7;
435 p[1] = mschap_id;
436 memcpy(p + 2, eap_round->response->type.data + 520, 66);
437
438 ms = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_microsoft);
439 if (!ms) ms = request->request_ctx;
440
441 /*
442 * break the encoded password into VPs (3 of them)
443 */
444 while (copied < 516) {
445 fr_pair_t *nt_enc;
446
447 int to_copy = 516 - copied;
448 if (to_copy > 243) to_copy = 243;
449
450 MEM(nt_enc = fr_pair_afrom_da(ms, attr_ms_chap_nt_enc_pw));
451 MEM(fr_pair_value_mem_alloc(nt_enc, &p, 4 + to_copy, false) == 0);
452 MEM(fr_pair_append(&ms->vp_group, nt_enc) == 0);
453 p[0] = 6;
454 p[1] = mschap_id;
455 p[2] = 0;
456 p[3] = seq++;
457 memcpy(p + 4, eap_round->response->type.data + 4 + copied, to_copy);
458
459 copied += to_copy;
460 }
461
462 RDEBUG2("Built change password packet");
463 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->request_pairs, NULL);
464
465 /*
466 * jump to "authentication"
467 */
468 goto packet_ready;
469 }
470
471 /*
472 * we sent a failure and are expecting a failure back
473 */
474 if (ccode != FR_EAP_MSCHAPV2_FAILURE) {
475 REDEBUG("Sent FAILURE expecting FAILURE but got %d", ccode);
476 RETURN_UNLANG_INVALID;
477 }
478
479failure:
480 eap_round->request->code = FR_EAP_CODE_FAILURE;
481 RETURN_UNLANG_REJECT;
482
483 case FR_EAP_MSCHAPV2_SUCCESS:
484 /*
485 * we sent a success to the client; some clients send a
486 * success back as-per the RFC, some send an ACK. Permit
487 * both, I guess...
488 */
489
490 switch (ccode) {
491 case FR_EAP_MSCHAPV2_SUCCESS:
492 eap_round->request->code = FR_EAP_CODE_SUCCESS;
493
494 if (!fr_pair_list_empty(&data->mppe_keys)) {
495 fr_pair_t *ms;
496
497 ms = fr_pair_find_by_da_nested(&parent->reply_pairs, NULL, attr_microsoft);
498 if (!ms) {
499 MEM(ms = fr_pair_afrom_da_nested(parent->reply_ctx, &parent->reply_pairs, attr_microsoft));
500 }
501
502 RDEBUG2("Adding stored attributes to parent");
503 log_request_pair_list(L_DBG_LVL_2, request, NULL, &data->mppe_keys, "parent.reply.");
504 MEM(fr_pair_list_copy(ms, &ms->vp_group, &data->mppe_keys) >= 0);
505 } else {
506 RDEBUG2("No stored attributes to copy to parent");
507 }
508
509 FALL_THROUGH;
510
511 case FR_EAP_MSCHAPV2_ACK:
512 MEM(fr_pair_list_copy(parent->reply_ctx, &parent->reply_pairs, &data->reply) >= 0);
513 RETURN_UNLANG_OK;
514 }
515 REDEBUG("Sent SUCCESS expecting SUCCESS (or ACK) but got %d", ccode);
516 RETURN_UNLANG_INVALID;
517
518 case FR_EAP_MSCHAPV2_CHALLENGE:
519 if (ccode == FR_EAP_MSCHAPV2_FAILURE) goto failure;
520
521 /*
522 * we sent a challenge, expecting a response
523 */
524 if (ccode != FR_EAP_MSCHAPV2_RESPONSE) {
525 REDEBUG("Sent CHALLENGE expecting RESPONSE but got %d", ccode);
526 RETURN_UNLANG_INVALID;
527 }
528 /* authentication happens below */
529 break;
530
531 default:
532 /* should never happen */
533 REDEBUG("Unknown state %d", data->code);
534 RETURN_UNLANG_FAIL;
535 }
536
537
538 /*
539 * Ensure that we have at least enough data
540 * to do the following checks.
541 *
542 * EAP header (4), EAP type, MS-CHAP opcode,
543 * MS-CHAP ident, MS-CHAP data length (2),
544 * MS-CHAP value length.
545 */
546 if (eap_round->response->length < (4 + 1 + 1 + 1 + 2 + 1)) {
547 REDEBUG("Response is too short");
548 RETURN_UNLANG_INVALID;
549 }
550
551 /*
552 * The 'value_size' is the size of the response,
553 * which is supposed to be the response (48
554 * bytes) plus 1 byte of flags at the end.
555 *
556 * NOTE: When using Cisco NEAT with EAP-MSCHAPv2, the
557 * switch supplicant will send MSCHAPv2 data (EAP type = 26)
558 * but will always set a value_size of 16 and NULL out the
559 * peer challenge.
560 *
561 */
562 if ((eap_round->response->type.data[4] != 49) &&
563 (eap_round->response->type.data[4] != 16)) {
564 REDEBUG("Response is of incorrect length %d", eap_round->response->type.data[4]);
565 RETURN_UNLANG_INVALID;
566 }
567
568 /*
569 * The MS-Length field is 5 + value_size + length
570 * of name, which is put after the response.
571 */
572 if (eap_round->response->type.length < (5 + MSCHAPV2_RESPONSE_LEN + 1)) {
573 REDEBUG("MS-CHAPv2 response packet is too short %zu < %d",
574 eap_round->response->type.length, 5 + MSCHAPV2_RESPONSE_LEN + 1);
575 RETURN_UNLANG_INVALID;
576 }
577
578 length = fr_nbo_to_uint16(eap_round->response->type.data + 2);
579 if ((length < (5 + 49)) || (length > (256 + 5 + 49))) {
580 REDEBUG("Response contains contradictory length %zu %d", length, 5 + 49);
581 RETURN_UNLANG_INVALID;
582 }
583
584 /*
585 * We now know that the user has sent us a response
586 * to the challenge. Let's try to authenticate it.
587 *
588 * We do this by taking the challenge from 'data',
589 * the response from the EAP packet, and creating fr_pair_t's
590 * to pass to the 'mschap' module. This is a little wonky,
591 * but it works.
592 */
593 MEM(pair_update_request(&auth_challenge, attr_ms_chap_challenge) >= 0);
594 fr_pair_value_memdup(auth_challenge, data->auth_challenge, MSCHAPV2_CHALLENGE_LEN, false);
595
596 MEM(pair_update_request(&response, attr_ms_chap2_response) >= 0);
597 MEM(fr_pair_value_mem_alloc(response, &p, MSCHAPV2_RESPONSE_LEN, false) == 0);
598 p[0] = eap_round->response->type.data[1];
599 p[1] = eap_round->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
600 memcpy(p + 2, &eap_round->response->type.data[5], MSCHAPV2_RESPONSE_LEN - 2);
601
602 /*
603 * If we're forcing a peer challenge, use it instead of
604 * the challenge sent by the client.
605 */
606 if (data->has_peer_challenge) memcpy(p + 2, data->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
607
608 /*
609 * MS-Length - MS-Value - 5.
610 */
611 MEM(pair_update_request(&name, attr_ms_chap_user_name) >= 0);
612 MEM(fr_pair_value_bstrndup(name, (char const *)&eap_round->response->type.data[4 + MSCHAPV2_RESPONSE_LEN],
613 length - 49 - 5, true) == 0);
614packet_ready:
615
616 /*
617 * Look for "authenticate foo" in the current virtual
618 * server. If not there, then in the parent one.
619 */
620 RDEBUG("Looking for authenticate %s { ... }", inst->auth_type->name);
621 unlang = cf_section_find(unlang_call_current(parent), "authenticate", inst->auth_type->name);
622 if (!unlang) unlang = cf_section_find(unlang_call_current(request->parent), "authenticate", inst->auth_type->name);
623 if (!unlang) {
624 RDEBUG2("authenticate %s { ... } sub-section not found.",
625 inst->auth_type->name);
626 RETURN_UNLANG_FAIL;
627 }
628
629 return unlang_module_yield_to_section(&rctx->section_result, request, unlang, RLM_MODULE_FAIL, mschap_resume, NULL, 0, rctx);
630}
631
632/*
633 * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
634 */
635static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
636{
637 request_t *parent = request->parent;
638 eap_session_t *eap_session = eap_session_get(parent);
639 fr_pair_t *auth_challenge;
640 fr_pair_t *peer_challenge;
641 mschapv2_opaque_t *data;
642
643 uint8_t *p;
644 int i;
645 bool created_auth_challenge;
646
647 if (!fr_cond_assert(mctx->mi->data)) RETURN_UNLANG_FAIL;
648
649 /*
650 * We're looking for attributes that should come
651 * from the EAP-TTLS submodule.
652 */
653 if (!fr_cond_assert(parent)) RETURN_UNLANG_FAIL;
654
655 /*
656 * Keep track of the challenge and the state we are in.
657 */
658 MEM(data = talloc_zero(eap_session, mschapv2_opaque_t));
659 data->code = FR_EAP_MSCHAPV2_CHALLENGE;
660 fr_pair_list_init(&data->mppe_keys);
661 fr_pair_list_init(&data->reply);
662
663 /*
664 * Allow the administrator to set the CHAP-Challenge and Peer-Challenge attributes.
665 */
666 auth_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_challenge);
667 if (auth_challenge && (auth_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
668 RWDEBUG("parent.control.MS-CHAP-Challenge is incorrect length. Ignoring it");
669 auth_challenge = NULL;
670 }
671
672 peer_challenge = fr_pair_find_by_da_nested(&parent->control_pairs, NULL, attr_ms_chap_peer_challenge);
673 if (peer_challenge && (peer_challenge->vp_length != MSCHAPV2_CHALLENGE_LEN)) {
674 RWDEBUG("parent.control.MS-CHAP-Peer-Challenge is incorrect length. Ignoring it");
675 peer_challenge = NULL;
676 }
677
678 created_auth_challenge = (auth_challenge == NULL);
679
680 /*
681 * if the administrator didn't set a challenge, then create one ourselves.
682 */
683 if (!auth_challenge) {
684 MEM(auth_challenge = fr_pair_afrom_da(eap_session, attr_ms_chap_challenge));
685 MEM(fr_pair_value_mem_alloc(auth_challenge, &p, MSCHAPV2_CHALLENGE_LEN, false) == 0);
686 for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) p[i] = fr_rand();
687 }
688 RDEBUG2("Issuing Challenge");
689
690 /*
691 * We're at the stage where we're challenging the user.
692 */
693 memcpy(data->auth_challenge, auth_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
694
695 if (peer_challenge) {
696 data->has_peer_challenge = true;
697 memcpy(data->peer_challenge, peer_challenge->vp_octets, MSCHAPV2_CHALLENGE_LEN);
698 }
699
700 eap_session->opaque = data;
701
702 /*
703 * Compose the EAP-MSCHAPV2 packet out of the data structure,
704 * and free it.
705 */
706 eap_mschapv2_compose(mctx->mi->data, request, eap_session, auth_challenge);
707 if (created_auth_challenge) TALLOC_FREE(auth_challenge);
708
709 /*
710 * We don't need to authorize the user at this point.
711 *
712 * We also don't need to keep the challenge, as it's
713 * stored in 'eap_session->this_round', which will be given back
714 * to us...
715 */
716 eap_session->process = mod_process;
717
718 RETURN_UNLANG_HANDLED;
719}
720
721/*
722 * Attach the module.
723 */
724static int mod_instantiate(module_inst_ctx_t const *mctx)
725{
726 rlm_eap_mschapv2_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_eap_mschapv2_t);
727
728 if (inst->identity && (strlen(inst->identity) > 255)) {
729 cf_log_err(mctx->mi->conf, "identity is too long");
730 return -1;
731 }
732
733 if (!inst->identity) inst->identity = talloc_typed_asprintf(inst, "freeradius-%s", RADIUSD_VERSION_STRING);
734
735 return 0;
736}
737
738/*
739 * The module name should be the only globally exported symbol.
740 * That is, everything else should be 'static'.
741 */
742extern rlm_eap_submodule_t rlm_eap_mschapv2;
743rlm_eap_submodule_t rlm_eap_mschapv2 = {
744 .common = {
745 .name = "eap_mschapv2",
746 .magic = MODULE_MAGIC_INIT,
747 MODULE_INST(rlm_eap_mschapv2_t),
748 MODULE_RCTX(rlm_eap_mschapv2_rctx_t),
749 .config = submodule_config,
750 .instantiate = mod_instantiate, /* Create new submodule instance */
751 },
752 .provides = { FR_EAP_METHOD_MSCHAPV2 },
753 .session_init = mod_session_init, /* Initialise a new EAP session */
754 .clone_parent_lists = false /* HACK */
755};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
n
int n
Definition acutest.h:579
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:95
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
RCSID
#define RCSID(id)
Definition build.h:487
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
UNUSED
#define UNUSED
Definition build.h:317
unlang_call_current
CONF_SECTION * unlang_call_current(request_t *request)
Return the last virtual server that was called.
Definition call.c:214
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:614
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1574
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:288
eap_packet_t::type
eap_type_data_t type
Definition compose.h:39
eap_packet_t::length
size_t length
Definition compose.h:38
eap_round_t::response
eap_packet_t * response
Packet we received from the peer.
Definition compose.h:49
eap_packet_t::code
eap_code_t code
Definition compose.h:36
eap_packet_t::id
uint8_t id
Definition compose.h:37
eap_round_t::request
eap_packet_t * request
Packet we will send to the peer.
Definition compose.h:50
eap_round_t
Contains a pair of request and response packets.
Definition compose.h:48
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:524
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:131
MEM
#define MEM(x)
Definition debug.h:36
RADIUSD_VERSION_STRING
#define RADIUSD_VERSION_STRING
Definition dependency.h:39
err
static fr_slen_t err
Definition dict.h:884
fr_dict_attr_unconst
fr_dict_attr_t * fr_dict_attr_unconst(fr_dict_attr_t const *da)
Coerce to non-const.
Definition dict_util.c:4916
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:294
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:307
fr_dict_enum_add_name_next
int fr_dict_enum_add_name_next(fr_dict_attr_t *da, char const *name)
Add an name to an integer attribute hashing the name for the integer value.
Definition dict_util.c:2230
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:313
fr_dict_enum_by_name
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3702
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:293
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:306
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:255
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
FR_EAP_CODE_FAILURE
@ FR_EAP_CODE_FAILURE
Definition types.h:40
FR_EAP_CODE_REQUEST
@ FR_EAP_CODE_REQUEST
Definition types.h:37
FR_EAP_CODE_SUCCESS
@ FR_EAP_CODE_SUCCESS
Definition types.h:39
eap_type_data_t::num
eap_type_t num
Definition types.h:110
eap_type_data_t::length
size_t length
Definition types.h:111
eap_type_data_t::data
uint8_t * data
Definition types.h:112
FR_EAP_METHOD_MSCHAPV2
@ FR_EAP_METHOD_MSCHAPV2
Definition types.h:71
eap_mschapv2.h
mschapv2_header_t::opcode
uint8_t opcode
Definition eap_mschapv2.h:36
MSCHAPV2_CHALLENGE_LEN
#define MSCHAPV2_CHALLENGE_LEN
Definition eap_mschapv2.h:32
mschapv2_header_t::ms_length
uint8_t ms_length[2]
Definition eap_mschapv2.h:38
MSCHAPV2_HEADER_LEN
#define MSCHAPV2_HEADER_LEN
Definition eap_mschapv2.h:31
mschapv2_header_t::mschapv2_id
uint8_t mschapv2_id
Definition eap_mschapv2.h:37
MSCHAPV2_RESPONSE_LEN
#define MSCHAPV2_RESPONSE_LEN
Definition eap_mschapv2.h:33
mschapv2_header_t::value_size
uint8_t value_size
Definition eap_mschapv2.h:39
FR_EAP_MSCHAPV2_FAILURE
#define FR_EAP_MSCHAPV2_FAILURE
Definition eap_mschapv2.h:27
FR_EAP_MSCHAPV2_CHALLENGE
#define FR_EAP_MSCHAPV2_CHALLENGE
Definition eap_mschapv2.h:24
FR_EAP_MSCHAPV2_SUCCESS
#define FR_EAP_MSCHAPV2_SUCCESS
Definition eap_mschapv2.h:26
FR_EAP_MSCHAPV2_RESPONSE
#define FR_EAP_MSCHAPV2_RESPONSE
Definition eap_mschapv2.h:25
FR_EAP_MSCHAPV2_ACK
#define FR_EAP_MSCHAPV2_ACK
Definition eap_mschapv2.h:23
FR_EAP_MSCHAPV2_CHGPASSWD
#define FR_EAP_MSCHAPV2_CHGPASSWD
Definition eap_mschapv2.h:28
mschapv2_header_t
Definition eap_mschapv2.h:35
mschapv2_opaque_t
Definition eap_mschapv2.h:42
unlang_result_t::rcode
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
unlang_result_t
Definition interpret.h:133
eap_session_get
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:85
eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition session.h:63
eap_session_s::process
module_method_t process
Callback that should be used to process the next round.
Definition session.h:65
eap_session_s::inst
void const * inst
Instance of the eap module this session was created by.
Definition session.h:49
eap_session_s::this_round
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:60
eap_session_s
Tracks the progress of a single session of any EAP method.
Definition session.h:41
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:820
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RERROR
#define RERROR(fmt,...)
Definition log.h:310
RPERROR
#define RPERROR(fmt,...)
Definition log.h:314
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_VENDOR
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
Definition merged_model.c:122
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
fr_pair_list_copy_by_da
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
Definition pair.c:2419
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2329
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2947
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:783
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1351
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2797
fr_pair_value_mem_alloc
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
Definition pair.c:2896
fr_pair_afrom_da_nested
fr_pair_t * fr_pair_afrom_da_nested(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *da)
Create a pair (and all intermediate parents), and append it to the list.
Definition pair.c:477
pair_update_request
#define pair_update_request(_attr, _da)
Definition radclient-ng.c:62
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
RETURN_UNLANG_HANDLED
#define RETURN_UNLANG_HANDLED
Definition rcode.h:65
RETURN_UNLANG_INVALID
#define RETURN_UNLANG_INVALID
Definition rcode.h:66
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
RETURN_UNLANG_REJECT
#define RETURN_UNLANG_REJECT
Definition rcode.h:62
RETURN_UNLANG_OK
#define RETURN_UNLANG_OK
Definition rcode.h:64
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
attr_microsoft
static fr_dict_attr_t const * attr_microsoft
Definition rlm_eap_mschapv2.c:73
mschap_resume
static unlang_action_t mschap_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:280
eap_mschapv2_compose
static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *request, eap_session_t *eap_session, fr_pair_t *reply)
Definition rlm_eap_mschapv2.c:168
mppe_keys_store
static void mppe_keys_store(request_t *request, mschapv2_opaque_t *data)
Definition rlm_eap_mschapv2.c:109
attr_ms_mppe_encryption_type
static fr_dict_attr_t const * attr_ms_mppe_encryption_type
Definition rlm_eap_mschapv2.c:82
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition rlm_eap_mschapv2.c:59
auth_type_parse
static int auth_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
rlm_eap_mschapv2_t::auth_type
fr_dict_enum_value_t * auth_type
Definition rlm_eap_mschapv2.c:43
attr_ms_chap2_success
static fr_dict_attr_t const * attr_ms_chap2_success
Definition rlm_eap_mschapv2.c:80
mod_process
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:370
dict_radius
static fr_dict_t const * dict_radius
Definition rlm_eap_mschapv2.c:60
attr_ms_chap_challenge
static fr_dict_attr_t const * attr_ms_chap_challenge
Definition rlm_eap_mschapv2.c:75
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition rlm_eap_mschapv2.c:69
attr_ms_chap_user_name
static fr_dict_attr_t const * attr_ms_chap_user_name
Definition rlm_eap_mschapv2.c:71
attr_ms_chap_error
static fr_dict_attr_t const * attr_ms_chap_error
Definition rlm_eap_mschapv2.c:76
attr_ms_mppe_send_key
static fr_dict_attr_t const * attr_ms_mppe_send_key
Definition rlm_eap_mschapv2.c:83
rlm_eap_mschapv2_rctx_t::section_result
unlang_result_t section_result
Definition rlm_eap_mschapv2.c:47
rlm_eap_mschapv2_t::with_ntdomain_hack
bool with_ntdomain_hack
Definition rlm_eap_mschapv2.c:40
attr_ms_chap2_response
static fr_dict_attr_t const * attr_ms_chap2_response
Definition rlm_eap_mschapv2.c:79
rlm_eap_mschapv2_dict
fr_dict_autoload_t rlm_eap_mschapv2_dict[]
Definition rlm_eap_mschapv2.c:63
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition rlm_eap_mschapv2.c:85
rlm_eap_mschapv2_dict_attr
fr_dict_attr_autoload_t rlm_eap_mschapv2_dict_attr[]
Definition rlm_eap_mschapv2.c:88
attr_ms_mppe_recv_key
static fr_dict_attr_t const * attr_ms_mppe_recv_key
Definition rlm_eap_mschapv2.c:84
submodule_config
static conf_parser_t submodule_config[]
Definition rlm_eap_mschapv2.c:50
rlm_eap_mschapv2_t::identity
char const * identity
Definition rlm_eap_mschapv2.c:42
attr_ms_chap_nt_enc_pw
static fr_dict_attr_t const * attr_ms_chap_nt_enc_pw
Definition rlm_eap_mschapv2.c:77
rlm_eap_mschapv2
rlm_eap_submodule_t rlm_eap_mschapv2
Definition rlm_eap_mschapv2.c:743
attr_ms_chap_peer_challenge
static fr_dict_attr_t const * attr_ms_chap_peer_challenge
Definition rlm_eap_mschapv2.c:70
mod_session_init
static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_mschapv2.c:635
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_eap_mschapv2.c:724
rlm_eap_mschapv2_t::send_error
bool send_error
Definition rlm_eap_mschapv2.c:41
attr_ms_chap2_cpw
static fr_dict_attr_t const * attr_ms_chap2_cpw
Definition rlm_eap_mschapv2.c:78
attr_ms_mppe_encryption_policy
static fr_dict_attr_t const * attr_ms_mppe_encryption_policy
Definition rlm_eap_mschapv2.c:81
rlm_eap_mschapv2_rctx_t
Definition rlm_eap_mschapv2.c:46
rlm_eap_mschapv2_t
Definition rlm_eap_mschapv2.c:39
name
static char const * name
Definition rlm_redis_ippool_tool.c:156
FR_SBUFF_IN_STR
#define FR_SBUFF_IN_STR(_start)
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
module_instance_s::data
void * data
Module's instance data.
Definition module.h:291
MODULE_RCTX
#define MODULE_RCTX(_ctype)
Definition module.h:257
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:255
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3653
vp
fr_pair_t * vp
Definition state_machine.c:2295
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
rlm_eap_submodule_t::common
module_t common
Common fields provided by all modules.
Definition submodule.h:50
rlm_eap_submodule_t
Interface exported by EAP submodules.
Definition submodule.h:49
talloc_typed_asprintf
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
Definition talloc.c:545
talloc_strlen
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
Definition talloc.h:139
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:124
PAIR_VERIFY
#define PAIR_VERIFY(_x)
Definition pair.h:204
fr_pair_list_free
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
Definition pair_inline.c:112
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
parent
static fr_slen_t parent
Definition pair.h:858
data
static fr_slen_t data
Definition value.h:1334
nonnull
int nonnull(2, 5))
out
static size_t char ** out
Definition value.h:1024
Generated by   doxygen 1.9.8