26RCSID(
"$Id: 526ab5bef536226580e240a54f25ee2394286653 $")
29#include <freeradius-devel/server/base.h>
30#include <freeradius-devel/server/module_rlm.h>
31#include <freeradius-devel/server/password.h>
32#include <freeradius-devel/tls/base.h>
33#include <freeradius-devel/tls/log.h>
35#include <freeradius-devel/util/base64.h>
36#include <freeradius-devel/util/debug.h>
37#include <freeradius-devel/util/base16.h>
38#include <freeradius-devel/util/md5.h>
39#include <freeradius-devel/util/sha1.h>
41#include <freeradius-devel/unlang/call_env.h>
43#include <freeradius-devel/protocol/freeradius/freeradius.internal.password.h>
52#ifdef HAVE_OPENSSL_EVP_H
53# include <freeradius-devel/tls/openssl_user_macros.h>
54# include <openssl/evp.h>
92 .inst_type =
"pap_call_env_t",
118#ifdef HAVE_OPENSSL_EVP_H
120 {
L(
"HMACSHA1"), FR_SSHA1 },
121 {
L(
"HMACSHA2+224"), FR_SSHA2_224 },
122 {
L(
"HMACSHA2+256"), FR_SSHA2_256 },
123 {
L(
"HMACSHA2+384"), FR_SSHA2_384 },
124 {
L(
"HMACSHA2+512"), FR_SSHA2_512 },
125 {
L(
"HMACSHA3+224"), FR_SSHA3_224 },
126 {
L(
"HMACSHA3+256"), FR_SSHA3_256 },
127 {
L(
"HMACSHA3+384"), FR_SSHA3_384 },
128 {
L(
"HMACSHA3+512"), FR_SSHA3_512 },
130static size_t pbkdf2_crypt_names_len =
NUM_ELEMENTS(pbkdf2_crypt_names);
133 {
L(
"sha1"), FR_SSHA1 },
134 {
L(
"sha256"), FR_SSHA2_256 },
135 {
L(
"sha512"), FR_SSHA2_512 }
137static size_t pbkdf2_passlib_names_len =
NUM_ELEMENTS(pbkdf2_passlib_names);
154 RDEBUG3(
"Auth-Type is already set. Not setting 'Auth-Type := %s'", mctx->
mi->
name);
163 if (!
inst->auth_type) {
164 WARN(
"No 'authenticate %s {...}' section or 'Auth-Type = %s' set. Cannot setup PAP authentication.",
182 if ((known_good->vp_length != password->vb_length) ||
183 (
fr_digest_cmp(known_good->vp_octets, password->vb_octets, known_good->vp_length) != 0)) {
184 REDEBUG(
"Cleartext password does not match \"known good\" password");
185 REDEBUG3(
"Password : %pV", password);
186 REDEBUG3(
"Expected : %pV", &known_good->data);
201 struct crypt_data crypt_data = { .initialized = 0 };
203 crypt_out = crypt_r(password->vb_strvalue, known_good->vp_strvalue, &crypt_data);
204 if (crypt_out) cmp = strcmp(known_good->vp_strvalue, crypt_out);
210 crypt_out = crypt(password->vb_strvalue, known_good->vp_strvalue);
217 if (crypt_out) cmp = strcmp(known_good->vp_strvalue, crypt_out);
224 if (!crypt_out || (cmp != 0)) {
225 REDEBUG(
"Crypt digest does not match \"known good\" digest");
240 REDEBUG(
"\"known-good\" MD5 password has incorrect length, expected 16 got %zu", known_good->vp_length);
244 fr_md5_calc(digest, password->vb_octets, password->vb_length);
246 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
247 REDEBUG(
"MD5 digest does not match \"known good\" digest");
248 REDEBUG3(
"Password : %pV", password);
266 REDEBUG(
"\"known-good\" Password.SMD5 has incorrect length, expected 16 got %zu", known_good->vp_length);
271 fr_md5_update(md5_ctx, password->vb_octets, password->vb_length);
280 REDEBUG(
"SMD5 digest does not match \"known good\" digest");
281 REDEBUG3(
"Password : %pV", password);
298 REDEBUG(
"\"known-good\" Password.SHA1 has incorrect length, expected 20 got %zu", known_good->vp_length);
303 fr_sha1_update(&sha1_context, password->vb_octets, password->vb_length);
306 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
307 REDEBUG(
"SHA1 digest does not match \"known good\" digest");
308 REDEBUG3(
"Password : %pV", password);
325 REDEBUG(
"\"known-good\" Password.SSHA has incorrect length, expected > 20 got %zu", known_good->vp_length);
330 fr_sha1_update(&sha1_context, password->vb_octets, password->vb_length);
336 REDEBUG(
"SSHA digest does not match \"known good\" digest");
337 REDEBUG3(
"Password : %pV", password);
348#ifdef HAVE_OPENSSL_EVP_H
352 char const *
name, EVP_MD
const *md)
355 uint8_t digest[EVP_MAX_MD_SIZE];
356 unsigned int digest_len;
358 ctx = EVP_MD_CTX_create();
359 EVP_DigestInit_ex(ctx, md, NULL);
360 EVP_DigestUpdate(ctx, password->vb_octets, password->vb_length);
361 EVP_DigestFinal_ex(ctx, digest, &digest_len);
362 EVP_MD_CTX_destroy(ctx);
364 fr_assert((
size_t) digest_len == known_good->vp_length);
366 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
367 REDEBUG(
"%s digest does not match \"known good\" digest",
name);
368 REDEBUG3(
"Password : %pV", password);
370 REDEBUG3(
"Expected : %pH", &known_good->data);
380 char const *
name, EVP_MD
const *md)
383 uint8_t digest[EVP_MAX_MD_SIZE];
384 unsigned int digest_len, min_len;
386 min_len = EVP_MD_size(md);
387 ctx = EVP_MD_CTX_create();
388 EVP_DigestInit_ex(ctx, md, NULL);
389 EVP_DigestUpdate(ctx, password->vb_octets, password->vb_length);
390 EVP_DigestUpdate(ctx, known_good->vp_octets + min_len, known_good->vp_length - min_len);
391 EVP_DigestFinal_ex(ctx, digest, &digest_len);
392 EVP_MD_CTX_destroy(ctx);
394 fr_assert((
size_t) digest_len == min_len);
399 if (
fr_digest_cmp(digest, known_good->vp_octets, (
size_t)digest_len) != 0) {
400 REDEBUG(
"%s digest does not match \"known good\" digest",
name);
401 REDEBUG3(
"Password : %pV", password);
403 fr_box_octets(known_good->vp_octets + digest_len, known_good->vp_length - digest_len));
415#define PAP_AUTH_EVP_MD(_func, _new_func, _name, _md) \
416static unlang_action_t CC_HINT(nonnull) _new_func(rlm_rcode_t *p_result, \
417 rlm_pap_t const *inst, request_t *request, \
418 fr_pair_t const *known_good, fr_value_box_t const *password) \
420 return _func(p_result, inst, request, known_good, password, _name, _md); \
423PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_224,
"SHA2-224", EVP_sha224())
424PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_256, "SHA2-256", EVP_sha256())
425PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_384, "SHA2-384", EVP_sha384())
426PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha2_512, "SHA2-512", EVP_sha512())
427PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_224, "SSHA2-224", EVP_sha224())
428PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_256, "SSHA2-256", EVP_sha256())
429PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_384, "SSHA2-384", EVP_sha384())
430PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_512, "SSHA2-512", EVP_sha512())
432PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_224, "SHA3-224", EVP_sha3_224())
433PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_256, "SHA3-256", EVP_sha3_256())
434PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_384, "SHA3-384", EVP_sha3_384())
435PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_512, "SHA3-512", EVP_sha3_512())
436PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_224, "SSHA3-224", EVP_sha3_224())
437PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_256, "SSHA3-256", EVP_sha3_256())
438PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_384, "SSHA3-384", EVP_sha3_384())
439PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_512, "SSHA3-512", EVP_sha3_512())
458 int digest_type,
char iter_sep,
char salt_sep,
466 EVP_MD
const *evp_md;
474 uint8_t digest[EVP_MAX_MD_SIZE];
482 switch (digest_type) {
489 evp_md = EVP_sha224();
490 digest_len = SHA224_DIGEST_LENGTH;
494 evp_md = EVP_sha256();
495 digest_len = SHA256_DIGEST_LENGTH;
499 evp_md = EVP_sha384();
500 digest_len = SHA384_DIGEST_LENGTH;
504 evp_md = EVP_sha512();
505 digest_len = SHA512_DIGEST_LENGTH;
509 evp_md = EVP_sha3_224();
510 digest_len = SHA224_DIGEST_LENGTH;
514 evp_md = EVP_sha3_256();
515 digest_len = SHA256_DIGEST_LENGTH;
519 evp_md = EVP_sha3_384();
520 digest_len = SHA384_DIGEST_LENGTH;
524 evp_md = EVP_sha3_512();
525 digest_len = SHA512_DIGEST_LENGTH;
529 REDEBUG(
"Unknown PBKDF2 digest type \"%d\"", digest_type);
533 if (((end - p) < 1) || !(q = memchr(p, iter_sep, end - p))) {
534 REDEBUG(
"Password.PBKDF2 missing iterations component");
539 REDEBUG(
"Password.PBKDF2 iterations component too short");
546 if (!iter_is_base64) {
547 char iterations_buff[
sizeof(
"4294967295") + 1];
553 if ((
size_t) (q - p) >=
sizeof(iterations_buff)) {
555 "Password.PBKDF2 iterations field is too large");
560 strlcpy(iterations_buff, (
char const *)p, (q - p) + 1);
562 iterations = strtoul(iterations_buff, &qq, 10);
564 REMARKER(iterations_buff, qq - iterations_buff,
565 "Password.PBKDF2 iterations field contains an invalid character");
576 &
FR_SBUFF_IN((
char const *)p, (
char const *)q),
false,
false);
578 RPEDEBUG(
"Failed decoding Password.PBKDF2 iterations component (%.*s)", (
int)(q - p), p);
581 if (slen !=
sizeof(iterations)) {
582 REDEBUG(
"Decoded Password.PBKDF2 iterations component is wrong size");
585 iterations = ntohl(iterations);
593 if (iterations == 0) iterations = 1;
595 if (((end - p) < 1) || !(q = memchr(p, salt_sep, end - p))) {
596 REDEBUG(
"Password.PBKDF2 missing salt component");
601 REDEBUG(
"Password.PBKDF2 salt component too short");
607 &
FR_SBUFF_IN((
char const *) p, (
char const *)q),
false,
false);
609 RPEDEBUG(
"Failed decoding Password.PBKDF2 salt component");
617 REDEBUG(
"Password.PBKDF2 hash component too short");
622 &
FR_SBUFF_IN((
char const *)p, (
char const *)end),
false,
false);
624 RPEDEBUG(
"Failed decoding Password.PBKDF2 hash component");
628 if ((
size_t)slen != digest_len) {
629 REDEBUG(
"Password.PBKDF2 hash component length is incorrect for hash type, expected %zu, got %zd",
637 RDEBUG2(
"PBKDF2 %s: Iterations %u, salt length %zu, hash length %zd",
639 iterations, salt_len, slen);
644 if (PKCS5_PBKDF2_HMAC((
char const *)password->vb_octets, (
int)password->vb_length,
645 (
unsigned char const *)salt, (
int)salt_len,
648 (
int)digest_len, (
unsigned char *)digest) == 0) {
649 fr_tls_log(request,
"PBKDF2 digest failure");
654 REDEBUG(
"PBKDF2 digest does not match \"known good\" digest");
689 char scheme_sep,
char iter_sep,
char salt_sep,
697 RDEBUG2(
"Comparing with \"known-good\" Password.PBKDF2");
700 REDEBUG(
"Password.PBKDF2 is too short");
710 q = memchr(p, scheme_sep, end - p);
712 REDEBUG(
"Password.PBKDF2 has no component separators");
720 return pap_auth_pbkdf2_parse_digest(p_result, request, p, end - p, digest_type, iter_sep, salt_sep, iter_is_base64, password);
731 uint8_t const *p = known_good->vp_octets, *q, *end = p + known_good->vp_length;
734 REDEBUG(
"Password.PBKDF2 too short");
749 if ((
size_t)(end - p) >=
sizeof(
"{PBKDF2-") && (memcmp(p,
"{PBKDF2-",
sizeof(
"{PBKDF2-") - 1) == 0)) {
750 p +=
sizeof(
"{PBKDF2-") - 1;
751 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
752 pbkdf2_passlib_names, pbkdf2_passlib_names_len,
753 '}',
'$',
'$',
false, password);
759 q = memchr(p,
'}', end - p);
762 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
763 pbkdf2_crypt_names, pbkdf2_crypt_names_len,
764 ':',
':',
':',
true, password);
773 if ((
size_t)(end - p) >=
sizeof(
"$PBKDF2$") && (memcmp(p,
"$PBKDF2$",
sizeof(
"$PBKDF2$") - 1) == 0)) {
774 p +=
sizeof(
"$PBKDF2$") - 1;
775 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
776 pbkdf2_crypt_names, pbkdf2_crypt_names_len,
777 ':',
':',
'$',
false, password);
787 if ((
size_t)(end - p) >=
sizeof(
"$pbkdf2-") && (memcmp(p,
"$pbkdf2-",
sizeof(
"$pbkdf2-") - 1) == 0)) {
788 p +=
sizeof(
"$pbkdf2-") - 1;
789 return pap_auth_pbkdf2_parse(p_result, request, p, end - p,
790 pbkdf2_passlib_names, pbkdf2_passlib_names_len,
791 '$',
'$',
'$',
false, password);
794 REDEBUG(
"Can't determine format of Password.PBKDF2");
809 uint8_t const *p = known_good->vp_octets, *end = p + known_good->vp_length;
812 REDEBUG(
"Password.With-Header {PBKDF2-SHA1} too short");
816 return pap_auth_pbkdf2_parse_digest(p_result, request, p, end - p, FR_SSHA1,
'$',
'$',
false, password);
824 uint8_t const *p = known_good->vp_octets, *end = p + known_good->vp_length;
827 REDEBUG(
"Password.With-Header {PBKDF2-SHA256} too short");
831 return pap_auth_pbkdf2_parse_digest(p_result, request, p, end - p, FR_SSHA2_256,
'$',
'$',
false, password);
839 uint8_t const *p = known_good->vp_octets, *end = p + known_good->vp_length;
842 REDEBUG(
"Password.With-Header {PBKDF2-SHA512} too short");
846 return pap_auth_pbkdf2_parse_digest(p_result, request, p, end - p, FR_SSHA2_512,
'$',
'$',
false, password);
865#define PBKDF2_SHA256_LEGACY_SALT_LENGTH 64
866#define PBKDF2_SHA256_LEGACY_ITERATIONS_LENGTH 4
867#define PBKDF2_SHA256_LEGACY_HASH_LENGTH 256
868#define PBKDF2_SHA256_LEGACY_TOTAL_LENGTH (PBKDF2_SHA256_LEGACY_ITERATIONS_LENGTH + PBKDF2_SHA256_LEGACY_SALT_LENGTH + PBKDF2_SHA256_LEGACY_HASH_LENGTH)
869#define PBKDF2_SHA256_LEGACY_ITERATIONS 8192
870#define PBKDF2_SHA256_LEGACY_B64_LENGTH (PBKDF2_SHA256_LEGACY_TOTAL_LENGTH * 4 / 3)
874 uint8_t salt[PBKDF2_SHA256_LEGACY_SALT_LENGTH];
877 struct pbkdf2_bufs pbkdf2_buf = { .iterations = PBKDF2_SHA256_LEGACY_ITERATIONS };
880 uint8_t const *p = known_good->vp_octets, *end = p + known_good->vp_length;
882 EVP_MD
const *evp_md = EVP_sha256();
883 size_t digest_len = SHA256_DIGEST_LENGTH;
884 uint8_t digest[SHA256_DIGEST_LENGTH];
886 if ((end - p) != PBKDF2_SHA256_LEGACY_B64_LENGTH) {
887 REDEBUG(
"Password.With-Header {PBKDF2_SHA256} has incorrect size %zd instead of %d.", known_good->vp_length, PBKDF2_SHA256_LEGACY_B64_LENGTH);
892 &
FR_SBUFF_IN((
char const *) p, (
char const *)end),
false,
false);
895 RPEDEBUG(
"Failed decoding Password.With-Header {PBKDF2_SHA256}: \"%.*s\"", (
int)(end -p), p);
899 if (slen != PBKDF2_SHA256_LEGACY_TOTAL_LENGTH) {
900 REDEBUG(
"Password.With-Header {PBKDF2_SHA256} has incorrect decoded size %zd instead of %d.", slen, PBKDF2_SHA256_LEGACY_TOTAL_LENGTH);
904 pbkdf2_buf.iterations = ntohl(pbkdf2_buf.iterations);
906 if (pbkdf2_buf.iterations != PBKDF2_SHA256_LEGACY_ITERATIONS) {
907 REDEBUG(
"Password.With-Header {PBKDF2_SHA256} has unexpected number of iterations %d instead of %d.", pbkdf2_buf.iterations, PBKDF2_SHA256_LEGACY_ITERATIONS);
911 if (PKCS5_PBKDF2_HMAC((
char const *)password->vb_octets, (
int)password->vb_length,
912 (
unsigned char const *)pbkdf2_buf.salt, (
int)PBKDF2_SHA256_LEGACY_SALT_LENGTH,
913 (
int)pbkdf2_buf.iterations,
915 (
int)digest_len, (
unsigned char *)digest) == 0) {
916 fr_tls_log(request,
"PBKDF2_SHA256 digest failure");
920 if (
fr_digest_cmp(digest, pbkdf2_buf.hash, (
size_t)digest_len) != 0) {
921 REDEBUG(
"PBKDF2_SHA256 digest does not match \"known good\" digest");
940 RDEBUG2(
"Comparing with \"known-good\" Password.NT");
943 REDEBUG(
"\"known good\" Password.NT has incorrect length, expected 16 got %zu", known_good->vp_length);
948 password->vb_strvalue, password->vb_length);
950 REDEBUG(
"User-Password is not in UCS2 format");
956 if (
fr_digest_cmp(digest, known_good->vp_octets, known_good->vp_length) != 0) {
957 REDEBUG(
"NT digest does not match \"known good\" digest");
959 REDEBUG3(
"Expected : %pH", &known_good->data);
975 RDEBUG2(
"Using Password.NT-MTA-MD5");
977 if (known_good->vp_length != 64) {
978 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 has incorrect length, expected 64 got %zu",
979 known_good->vp_length);
987 &
FR_SBUFF_IN(known_good->vp_strvalue, known_good->vp_length),
false) != 16) {
988 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 has invalid value");
997 if (password->vb_length >= (
sizeof(
buff) - 2 - 2 * 32)) {
998 REDEBUG(
"\"known good\" Password.NS-MTA-MD5 is too long");
1008 memcpy(p, &known_good->vp_octets[32], 32);
1011 memcpy(p, password->vb_strvalue, password->vb_length);
1012 p += password->vb_length;
1014 memcpy(p, &known_good->vp_octets[32], 32);
1021 REDEBUG(
"NS-MTA-MD5 digest does not match \"known good\" digest");
1047 [FR_CRYPT] = pap_auth_crypt,
1055#ifdef HAVE_OPENSSL_EVP_H
1056 [FR_PBKDF2] = pap_auth_pbkdf2,
1057 [FR_PBKDF2_SHA1] = pap_auth_pbkdf2_sha1,
1058 [FR_PBKDF2_SHA256] = pap_auth_pbkdf2_sha256,
1059 [FR_PBKDF2_SHA512] = pap_auth_pbkdf2_sha512,
1060 [FR_PBKDF2_SHA256_LEGACY] = pap_auth_pbkdf2_sha256_legacy,
1062 [FR_SHA2_224] = pap_auth_sha2_224,
1063 [FR_SHA2_256] = pap_auth_sha2_256,
1064 [FR_SHA2_384] = pap_auth_sha2_384,
1065 [FR_SHA2_512] = pap_auth_sha2_512,
1066 [FR_SSHA2_224] = pap_auth_ssha2_224,
1067 [FR_SSHA2_256] = pap_auth_ssha2_256,
1068 [FR_SSHA2_384] = pap_auth_ssha2_384,
1069 [FR_SSHA2_512] = pap_auth_ssha2_512,
1071 [FR_SHA3_224] = pap_auth_sha3_224,
1072 [FR_SHA3_256] = pap_auth_sha3_256,
1073 [FR_SHA3_384] = pap_auth_sha3_384,
1074 [FR_SHA3_512] = pap_auth_sha3_512,
1075 [FR_SSHA3_224] = pap_auth_ssha3_224,
1076 [FR_SSHA3_256] = pap_auth_ssha3_256,
1077 [FR_SSHA3_384] = pap_auth_ssha3_384,
1078 [FR_SSHA3_512] = pap_auth_ssha3_512,
1095 REDEBUG(
"You set 'Auth-Type = PAP' for a request that does not contain a %s attribute!",
1103 if (env_data->
password.vb_length == 0) {
1104 REDEBUG(
"Password must not be empty");
1112 RDEBUG2(
"Login attempt with password");
1125 REDEBUG(
"No \"known good\" password found for user");
1135 RDEBUG3(
"Comparing with \"known good\" %pP (%zu)", known_good, known_good->vp_length);
1137 RDEBUG2(
"Comparing with \"known-good\" %s (%zu)", known_good->
da->name, known_good->vp_length);
1143 auth_func(&rcode,
inst, request, known_good, &env_data->
password);
1144 if (ephemeral) TALLOC_FREE(known_good);
1147 REDEBUG(
"Password incorrect");
1151 RDEBUG2(
"User authenticated successfully");
1166 if (!
inst->auth_type) {
1167 WARN(
"Failed to find 'authenticate %s {...}' section. PAP will likely not work",
1183 PERROR(
"%s", __FUNCTION__);
1187 PERROR(
"%s", __FUNCTION__);
1213 ERROR(
"Could not resolve password attribute %zu", i);
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
#define fr_base16_decode(_err, _out, _in, _no_trailing)
#define fr_base64_decode(_out, _in, _expect_padding, _no_trailing)
#define FR_BASE64_DEC_LENGTH(_inlen)
#define USES_APPLE_DEPRECATED_API
#define L(_str)
Helper for initialising arrays of string literals.
#define CALL_ENV_TERMINATOR
#define FR_CALL_ENV_PARSE_OFFSET(_name, _cast_type, _flags, _struct, _field, _parse_field)
Specify a call_env_parser_t which writes out runtime results and the result of the parsing phase to t...
size_t inst_size
Size of per call env.
@ CALL_ENV_FLAG_ATTRIBUTE
Tmpl MUST contain an attribute reference.
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
@ CALL_ENV_FLAG_NULLABLE
Tmpl expansions are allowed to produce no output.
#define CONF_PARSER_TERMINATOR
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
#define fr_dict_autofree(_to_free)
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autoload(_to_load)
fr_dict_attr_t const * fr_dict_attr_child_by_num(fr_dict_attr_t const *parent, unsigned int attr)
Check if a child attribute exists in a parent using an attribute number.
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
Value of an enumerated attribute.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
#define REDEBUG3(fmt,...)
#define REMARKER(_str, _marker_idx, _marker,...)
Output string with error marker, showing where format error occurred.
#define RPEDEBUG(fmt,...)
#define RHEXDUMP2(_data, _len, _fmt,...)
void fr_md4_calc(uint8_t out[static MD4_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Calculate the MD4 hash of the contents of a buffer.
#define MD4_DIGEST_LENGTH
fr_md5_update_t fr_md5_update
fr_md5_final_t fr_md5_final
void fr_md5_ctx_free_from_list(fr_md5_ctx_t **ctx)
fr_md5_ctx_t * fr_md5_ctx_alloc_from_list(void)
#define MD5_DIGEST_LENGTH
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
ssize_t fr_utf8_to_ucs2(uint8_t *out, size_t outlen, char const *in, size_t inlen)
Convert UTF8 string to UCS2 encoding.
int fr_digest_cmp(uint8_t const *a, uint8_t const *b, size_t length)
Do a comparison of two authentication digests by comparing the FULL data.
void * env_data
Per call environment data.
module_instance_t const * mi
Instance of the module being instantiated.
module_instance_t * mi
Instance of the module being instantiated.
Temporary structure to hold arguments for module calls.
Temporary structure to hold arguments for instantiation calls.
bool module_rlm_section_type_set(request_t *request, fr_dict_attr_t const *type_da, fr_dict_enum_value_t const *enumv)
Set the next section type if it's not already set.
module_t common
Common fields presented by all modules.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
static ssize_t normify(normalise_t *action, uint8_t *buffer, size_t bufflen, char const *known_good, size_t len, size_t min_len)
fr_pair_t * password_find(bool *ephemeral, TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify)
Find a "known good" password in the control list of a request.
static const conf_parser_t config[]
#define RETURN_MODULE_REJECT
#define RETURN_MODULE_NOOP
#define RETURN_MODULE_RCODE(_rcode)
#define RETURN_MODULE_INVALID
#define RETURN_MODULE_FAIL
#define RETURN_MODULE_UPDATED
rlm_rcode_t
Return codes indicating the result of the module call.
@ RLM_MODULE_INVALID
The module considers the request invalid.
@ RLM_MODULE_OK
The module is OK, continue.
@ RLM_MODULE_REJECT
Immediately reject the request.
static const pap_auth_func_t auth_func_table[]
Table of password types we can process.
static unlang_action_t pap_auth_dummy(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, UNUSED request_t *request, UNUSED fr_pair_t const *known_good, UNUSED fr_value_box_t const *password)
Auth func for password types that should have been normalised away.
static int mod_load(void)
static fr_dict_attr_autoload_t rlm_pap_dict_attr[]
static unlang_action_t pap_auth_md5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t pap_auth_clear(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t pap_auth_smd5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static fr_dict_t const * dict_freeradius
static const call_env_method_t pap_method_env
fr_dict_enum_value_t const * auth_type
static unlang_action_t pap_auth_nt(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static fr_dict_autoload_t rlm_pap_dict[]
static unlang_action_t pap_auth_ns_mta_md5(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_auth_type
static unlang_action_t pap_auth_sha1(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static void mod_unload(void)
static unlang_action_t pap_auth_ssha1(rlm_rcode_t *p_result, UNUSED rlm_pap_t const *inst, request_t *request, fr_pair_t const *known_good, fr_value_box_t const *password)
static unlang_action_t mod_authorize(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_root
static fr_dict_attr_t const ** pap_alloweds
static USES_APPLE_DEPRECATED_API pthread_mutex_t fr_crypt_mutex
static const conf_parser_t module_config[]
unlang_action_t(* pap_auth_func_t)(rlm_rcode_t *p_result, rlm_pap_t const *inst, request_t *request, fr_pair_t const *, fr_value_box_t const *)
static int mod_instantiate(module_inst_ctx_t const *mctx)
static unsigned int hash(char const *username, unsigned int tablesize)
static int instantiate(module_inst_ctx_t const *mctx)
#define FR_SBUFF_IN(_start, _len_or_end)
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
char const * name
Instance name e.g. user_database.
size_t inst_size
Size of the module's instance data.
void * data
Module's instance data.
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Named methods exported by a module.
void fr_sha1_init(fr_sha1_ctx *context)
void fr_sha1_final(uint8_t digest[static SHA1_DIGEST_LENGTH], fr_sha1_ctx *context)
void fr_sha1_update(fr_sha1_ctx *context, uint8_t const *in, size_t len)
#define SHA1_DIGEST_LENGTH
static char buff[sizeof("18446744073709551615")+3]
eap_aka_sim_process_conf_t * inst
size_t strlcpy(char *dst, char const *src, size_t siz)
Stores an attribute, a value and various bits of other data.
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
#define fr_table_value_by_substr(_table, _name, _name_len, _def)
Convert a partial string to a value using an ordered or sorted table.
An element in a lexicographically sorted array of name to num mappings.
#define talloc_get_type_abort_const
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
#define FR_MAX_STRING_LEN
#define fr_box_octets(_val, _len)
1.9.8