The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
module.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * @file src/lib/eap_aka_sim/module.c
19 * @brief Common encode/decode functions for EAP subtype modules
20 *
21 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
22 *
23 * @copyright 2021 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
24 */
25RCSID("$Id: 3b74edf1580637235c8b1fa97d40ee0e8350873d $")
26
27#include <freeradius-devel/eap/types.h>
28#include <freeradius-devel/server/module.h>
29#include <freeradius-devel/server/pair.h>
30#include <freeradius-devel/server/virtual_servers.h>
31#include <freeradius-devel/unlang/interpret.h>
32#include <freeradius-devel/unlang/module.h>
33#include <freeradius-devel/util/rand.h>
34
35#include "attrs.h"
36#include "base.h"
37#include "module.h"
38
39/** Encode EAP session data from attributes
40 *
41 */
42static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
43{
44 eap_aka_sim_module_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_module_conf_t);
45 eap_session_t *eap_session = eap_session_get(request->parent);
46 eap_aka_sim_mod_session_t *mod_session = talloc_get_type_abort(eap_session->opaque,
47 eap_aka_sim_mod_session_t);
48 fr_pair_t *subtype_vp;
49
50 static eap_code_t rcode_to_eap_code[RLM_MODULE_NUMCODES] = {
51 [RLM_MODULE_REJECT] = FR_EAP_CODE_FAILURE,
52 [RLM_MODULE_FAIL] = FR_EAP_CODE_FAILURE,
53 [RLM_MODULE_OK] = FR_EAP_CODE_SUCCESS,
54 [RLM_MODULE_HANDLED] = FR_EAP_CODE_REQUEST,
55 [RLM_MODULE_INVALID] = FR_EAP_CODE_FAILURE,
56 [RLM_MODULE_DISALLOW] = FR_EAP_CODE_FAILURE,
57 [RLM_MODULE_NOTFOUND] = FR_EAP_CODE_FAILURE,
58 [RLM_MODULE_NOOP] = FR_EAP_CODE_FAILURE,
59 [RLM_MODULE_UPDATED] = FR_EAP_CODE_FAILURE
60 };
61 eap_code_t code;
62 rlm_rcode_t rcode = unlang_interpret_stack_result(request);
63 fr_aka_sim_ctx_t encode_ctx;
64 uint8_t const *request_hmac_extra = NULL;
65 size_t request_hmac_extra_len = 0;
66 fr_pair_t *vp;
67
68 /*
69 * If there's no subtype vp, we look at the rcode
70 * from the virtual server to determine what kind
71 * of EAP response to send.
72 */
73 subtype_vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_eap_aka_sim_subtype);
74 if (!subtype_vp) {
75 eap_session->this_round->request->code = (rcode == RLM_MODULE_OK) ?
76 FR_EAP_CODE_SUCCESS : FR_EAP_CODE_FAILURE;
77 /*
78 * RFC 3748 requires the request and response
79 * IDs to be identical for EAP-SUCCESS and
80 * EAP-FAILURE.
81 *
82 * The EAP common code will do the right thing
83 * here if we just tell it we haven't se the
84 * request ID.
85 */
86 eap_session->this_round->set_request_id = false;
87 eap_session->finished = true;
88 TALLOC_FREE(eap_session->opaque);
89
90 return UNLANG_ACTION_CALCULATE_RESULT;
91 }
92
93 fr_assert(rcode < RLM_MODULE_NUMCODES);
94
95 /*
96 * If there is a subtype vp, verify the return
97 * code allows us send EAP-SIM/AKA/AKA' data back.
98 */
99 code = rcode_to_eap_code[rcode];
100 if (code != FR_EAP_CODE_REQUEST) {
101 eap_session->this_round->request->code = code;
102 eap_session->this_round->set_request_id = false;
103 eap_session->finished = true;
104 TALLOC_FREE(eap_session->opaque);
105
106 return UNLANG_ACTION_CALCULATE_RESULT;
107 }
108
109 /*
110 * It's not an EAP-Success or an EAP-Failure
111 * it's a real EAP-SIM/AKA/AKA' response.
112 */
113 eap_session->this_round->request->type.num = inst->type;
114 eap_session->this_round->request->code = code;
115 eap_session->this_round->set_request_id = true;
116
117 /*
118 * RFC 3748 says this ID need only be different to
119 * the previous ID.
120 *
121 * We need to set the type, code, id here as the
122 * HMAC operates on the complete packet we're
123 * returning including the EAP headers, so the packet
124 * fields must be filled in before we call encode.
125 */
126 eap_session->this_round->request->id = mod_session->id++;
127
128 /*
129 * Perform different actions depending on the type
130 * of request we're sending.
131 */
132 switch (subtype_vp->vp_uint16) {
133 case FR_SUBTYPE_VALUE_AKA_IDENTITY:
134 case FR_SUBTYPE_VALUE_SIM_START:
135 if (RDEBUG_ENABLED2) break;
136
137 /*
138 * Figure out if the state machine is
139 * requesting an ID.
140 */
141 if ((vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_eap_aka_sim_any_id_req)) ||
142 (vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_eap_aka_sim_fullauth_id_req)) ||
143 (vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_eap_aka_sim_permanent_id_req))) {
144 RDEBUG2("Sending EAP-Request/%pV (%s)", &subtype_vp->data, vp->da->name);
145 } else {
146 RDEBUG2("Sending EAP-Request/%pV", &subtype_vp->data);
147 }
148 break;
149
150 /*
151 * Deal with sending bidding VP
152 *
153 * This can either come from policy or be set by the default
154 * virtual server.
155 *
156 * We send AT_BIDDING in our EAP-Request/AKA-Challenge message
157 * to tell the supplicant that if it has AKA' available/enabled
158 * it should have used that.
159 */
160 case FR_SUBTYPE_VALUE_AKA_CHALLENGE:
161 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_eap_aka_sim_bidding);
162
163 /*
164 * Explicit NO
165 */
166 if (inst->aka.send_at_bidding_prefer_prime_is_set &&
167 !inst->aka.send_at_bidding_prefer_prime) {
168 if (vp) pair_delete_reply(attr_eap_aka_sim_bidding);
169 /*
170 * Implicit or explicit YES
171 */
172 } else if (inst->aka.send_at_bidding_prefer_prime) {
173 MEM(pair_append_reply(&vp, attr_eap_aka_sim_bidding) >= 0);
174 vp->vp_uint16 = FR_BIDDING_VALUE_PREFER_AKA_PRIME;
175 }
176 FALL_THROUGH;
177
178 case FR_SUBTYPE_VALUE_SIM_CHALLENGE:
179 case FR_SUBTYPE_VALUE_AKA_SIM_REAUTHENTICATION:
180 /*
181 * Include our copy of the checkcode if we've been
182 * calculating it.
183 */
184 if (mod_session->checkcode_state) {
185 uint8_t *checkcode;
186
187 MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
188 if (fr_aka_sim_crypto_finalise_checkcode(vp, &checkcode, mod_session->checkcode_state) < 0) {
189 RPWDEBUG("Failed calculating checkcode");
190 pair_delete_reply(vp);
191 }
192 fr_pair_value_memdup_buffer_shallow(vp, checkcode, false); /* Buffer already in the correct ctx */
193 }
194
195 /*
196 * Extra data to append to the packet when signing.
197 */
198 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_eap_aka_sim_hmac_extra_request);
199 if (vp) {
200 request_hmac_extra = vp->vp_octets;
201 request_hmac_extra_len = vp->vp_length;
202 }
203
204 /*
205 * Extra data to append to the response packet when
206 * validating the signature.
207 */
208 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_eap_aka_sim_hmac_extra_response);
209 if (vp) {
210 /*
211 * We may attempt to challenge the supplicant
212 * twice when performing a resynchronisation.
213 *
214 * We previously asserted that the following were NULL:
215 *
216 * mod_session->response_hmac_extra
217 * mod_session->ctx.k_encr
218 * mod_session->ctx.k_aut
219 *
220 * but that is incorrect, as these fields need to be
221 * updated if new vectors are available.
222 */
223 talloc_free(mod_session->response_hmac_extra);
224 MEM(mod_session->response_hmac_extra = talloc_memdup(mod_session,
225 vp->vp_octets, vp->vp_length));
226 mod_session->response_hmac_extra_len = vp->vp_length;
227 }
228 /*
229 * Key we use for encrypting and decrypting attributes.
230 */
231 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_eap_aka_sim_k_encr);
232 if (vp) {
233 talloc_const_free(mod_session->ctx.k_encr);
234 MEM(mod_session->ctx.k_encr = talloc_memdup(mod_session, vp->vp_octets, vp->vp_length));
235 }
236
237 /*
238 * Key we use for signing and validating mac values.
239 */
240 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_eap_aka_sim_k_aut);
241 if (vp) {
242 talloc_const_free(mod_session->ctx.k_aut);
243 MEM(mod_session->ctx.k_aut = talloc_memdup(mod_session, vp->vp_octets, vp->vp_length));
244 mod_session->ctx.k_aut_len = vp->vp_length;
245 }
246
247 fr_assert(mod_session->ctx.k_encr && mod_session->ctx.k_aut);
248 FALL_THROUGH;
249
250 default:
251 RDEBUG2("Sending EAP-Request/%pV", &subtype_vp->data);
252 break;
253 }
254
255 encode_ctx = mod_session->ctx;
256 encode_ctx.eap_packet = eap_session->this_round->request;
257 encode_ctx.hmac_extra = request_hmac_extra;
258 encode_ctx.hmac_extra_len = request_hmac_extra_len;
259
260 RDEBUG2("Encoding attributes");
261 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->reply_pairs, NULL);
262 if (fr_aka_sim_encode(request, &request->reply_pairs, &encode_ctx) <= 0) RETURN_MODULE_FAIL;
263
264 switch (subtype_vp->vp_uint16) {
265 case FR_SUBTYPE_VALUE_AKA_IDENTITY:
266 /*
267 * Ingest the identity message into the checkcode
268 */
269 if (mod_session->ctx.checkcode_md) {
270 RDEBUG2("Updating checkcode");
271 if (!mod_session->checkcode_state &&
272 (fr_aka_sim_crypto_init_checkcode(mod_session, &mod_session->checkcode_state,
273 mod_session->ctx.checkcode_md) < 0)) {
274 RPWDEBUG("Failed initialising checkcode");
275 break;
276 }
277
278 if (fr_aka_sim_crypto_update_checkcode(mod_session->checkcode_state,
279 eap_session->this_round->request) < 0) {
280 RPWDEBUG("Failed updating checkcode");
281 }
282 }
283 break;
284
285 default:
286 break;
287 }
288
289 return UNLANG_ACTION_CALCULATE_RESULT; /* rcode is already correct */
290}
291
292/** Decode EAP session data into attribute
293 *
294 */
295unlang_action_t eap_aka_sim_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
296{
297 eap_aka_sim_module_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_module_conf_t);
298 eap_session_t *eap_session = eap_session_get(request->parent);
299 eap_aka_sim_mod_session_t *mod_session = talloc_get_type_abort(eap_session->opaque,
300 eap_aka_sim_mod_session_t);
301 fr_pair_t *subtype_vp;
302 fr_dcursor_t cursor;
303 ssize_t ret;
304 fr_aka_sim_ctx_t decode_ctx;
305
306 switch (eap_session->this_round->response->type.num) {
307 default:
308 REDEBUG2("Unsupported EAP type (%u)", eap_session->this_round->response->type.num);
309 RETURN_MODULE_REJECT;
310
311 case FR_EAP_METHOD_IDENTITY:
312 case FR_EAP_METHOD_NAK: /* Peer NAK'd our original suggestion */
313 break;
314
315 /*
316 * Only decode data for EAP-SIM/AKA/AKA' responses
317 */
318 case FR_EAP_METHOD_SIM:
319 case FR_EAP_METHOD_AKA:
320 case FR_EAP_METHOD_AKA_PRIME:
321 fr_pair_dcursor_init(&cursor, &request->request_pairs);
322
323 decode_ctx = mod_session->ctx;
324 decode_ctx.hmac_extra = mod_session->response_hmac_extra;
325 decode_ctx.hmac_extra_len = mod_session->response_hmac_extra_len;
326 decode_ctx.eap_packet = eap_session->this_round->response;
327
328 ret = fr_aka_sim_decode(request->request_ctx,
329 &request->request_pairs,
330 dict_eap_aka_sim,
331 eap_session->this_round->response->type.data,
332 eap_session->this_round->response->type.length,
333 &decode_ctx);
334
335 /*
336 * Only good for one response packet
337 */
338 TALLOC_FREE(mod_session->response_hmac_extra);
339 mod_session->response_hmac_extra_len = 0;
340
341 /*
342 * RFC 4187 says we *MUST* notify, not just send
343 * an EAP-Failure in this case where we cannot
344 * decode an EAP-AKA packet.
345 *
346 * We instead call the state machine and allow it
347 * to fail when it can't find the necessary
348 * attributes.
349 */
350 if (ret < 0) {
351 RPEDEBUG2("Failed decoding attributes");
352 goto done;
353 }
354
355 if (!fr_pair_list_empty(&request->request_pairs) && RDEBUG_ENABLED2) {
356 RDEBUG2("Decoded attributes");
357 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->request_pairs, NULL);
358 }
359
360 subtype_vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_eap_aka_sim_subtype);
361 if (!subtype_vp) {
362 REDEBUG2("Missing Sub-Type"); /* Let the state machine enter the right state */
363 break;
364 }
365
366 RDEBUG2("Received EAP-Response/%pV", &(subtype_vp)->data);
367
368 switch (subtype_vp->vp_uint16) {
369 /*
370 * Ingest the identity message into the checkcode
371 */
372 case FR_SUBTYPE_VALUE_AKA_IDENTITY:
373 if (mod_session->checkcode_state) {
374 RDEBUG2("Updating checkcode");
375 if (fr_aka_sim_crypto_update_checkcode(mod_session->checkcode_state,
376 eap_session->this_round->response) < 0) {
377 RPWDEBUG("Failed updating checkcode");
378 }
379 }
380 break;
381
382 case FR_SUBTYPE_VALUE_AKA_SIM_REAUTHENTICATION:
383 case FR_SUBTYPE_VALUE_AKA_CHALLENGE:
384 /*
385 * Include our copy of the checkcode if we've been
386 * calculating it. This is put in the control list
387 * so the state machine can check they're identical.
388 *
389 * This lets us simulate checkcode failures easily
390 * when testing the state machine.
391 */
392 if (mod_session->checkcode_state) {
393 uint8_t *checkcode;
394 fr_pair_t *vp;
395
396 MEM(pair_append_control(&vp, attr_eap_aka_sim_checkcode) >= 0);
397 if (fr_aka_sim_crypto_finalise_checkcode(vp, &checkcode, mod_session->checkcode_state) < 0) {
398 RPWDEBUG("Failed calculating checkcode");
399 pair_delete_control(vp);
400 } else {
401 fr_pair_value_memdup_buffer_shallow(vp, checkcode, false); /* Buffer already in the correct ctx */
402 }
403 }
404 FALL_THROUGH;
405
406 case FR_SUBTYPE_VALUE_SIM_CHALLENGE:
407 {
408 fr_pair_t *vp;
409 ssize_t slen;
410 uint8_t *buff;
411
412 MEM(pair_append_control(&vp, attr_eap_aka_sim_mac) >= 0);
413 MEM(fr_pair_value_mem_alloc(vp, &buff, AKA_SIM_MAC_DIGEST_SIZE, false) == 0);
414
415 slen = fr_aka_sim_crypto_sign_packet(buff, eap_session->this_round->response, true,
416 mod_session->ctx.hmac_md,
417 mod_session->ctx.k_aut,
418 mod_session->ctx.k_aut_len,
419 mod_session->response_hmac_extra,
420 mod_session->response_hmac_extra_len);
421 if (slen <= 0) {
422 RPEDEBUG("AT_MAC calculation failed");
423 pair_delete_control(vp);
424 RETURN_MODULE_FAIL;
425 }
426 }
427 break;
428
429 default:
430 break;
431 }
432 break;
433 }
434
435done:
436 /*
437 * Setup our encode function as the resumption
438 * frame when the state machine finishes with
439 * this round.
440 */
441 (void)unlang_module_yield(request, mod_encode, NULL, 0, NULL);
442
443 if (virtual_server_push(request, inst->virtual_server, UNLANG_SUB_FRAME) < 0) {
444 unlang_interpet_frame_discard(request);
445 RETURN_MODULE_FAIL;
446 }
447
448 return UNLANG_ACTION_PUSHED_CHILD;
449}
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_PUSHED_CHILD
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition action.h:39
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
RCSID
#define RCSID(id)
Definition build.h:485
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
eap_packet_t::type
eap_type_data_t type
Definition compose.h:39
eap_round_t::set_request_id
bool set_request_id
Whether the EAP-Method already set the next request ID.
Definition compose.h:51
eap_round_t::response
eap_packet_t * response
Packet we received from the peer.
Definition compose.h:49
eap_packet_t::code
eap_code_t code
Definition compose.h:36
eap_packet_t::id
uint8_t id
Definition compose.h:37
eap_round_t::request
eap_packet_t * request
Packet we will send to the peer.
Definition compose.h:50
fr_dcursor_s
Definition dcursor.h:93
MEM
#define MEM(x)
Definition debug.h:36
FR_EAP_CODE_FAILURE
@ FR_EAP_CODE_FAILURE
Definition types.h:40
FR_EAP_CODE_REQUEST
@ FR_EAP_CODE_REQUEST
Definition types.h:37
FR_EAP_CODE_SUCCESS
@ FR_EAP_CODE_SUCCESS
Definition types.h:39
eap_type_data_t::num
eap_type_t num
Definition types.h:110
eap_type_data_t::length
size_t length
Definition types.h:111
eap_type_data_t::data
uint8_t * data
Definition types.h:112
eap_code_t
enum eap_code eap_code_t
FR_EAP_METHOD_SIM
@ FR_EAP_METHOD_SIM
Definition types.h:63
FR_EAP_METHOD_NAK
@ FR_EAP_METHOD_NAK
Definition types.h:48
FR_EAP_METHOD_AKA
@ FR_EAP_METHOD_AKA
Definition types.h:68
FR_EAP_METHOD_AKA_PRIME
@ FR_EAP_METHOD_AKA_PRIME
Definition types.h:96
FR_EAP_METHOD_IDENTITY
@ FR_EAP_METHOD_IDENTITY
Definition types.h:46
fr_aka_sim_ctx_t::hmac_extra_len
size_t hmac_extra_len
Definition base.h:244
fr_aka_sim_crypto_sign_packet
ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE], eap_packet_t *eap_packet, bool zero_mac, EVP_MD const *md, uint8_t const *key, size_t const key_len, uint8_t const *hmac_extra, size_t const hmac_extra_len)
Calculate the digest value for a packet.
Definition crypto.c:284
fr_aka_sim_ctx_t::k_aut
uint8_t const * k_aut
The authentication key used for signing.
Definition base.h:249
fr_aka_sim_decode
int fr_aka_sim_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_t const *dict, uint8_t const *data, size_t data_len, fr_aka_sim_ctx_t *decode_ctx)
Decode SIM/AKA/AKA' specific packet data.
Definition decode.c:942
fr_aka_sim_crypto_finalise_checkcode
ssize_t fr_aka_sim_crypto_finalise_checkcode(TALLOC_CTX *ctx, uint8_t **out, fr_aka_sim_checkcode_t *checkcode)
Write out the final checkcode value.
Definition crypto.c:196
fr_aka_sim_ctx_t::hmac_md
EVP_MD const * hmac_md
HMAC digest algorithm, usually EVP_sha1().
Definition base.h:240
fr_aka_sim_ctx_t::eap_packet
eap_packet_t * eap_packet
Needed for validating AT_MAC.
Definition base.h:238
fr_aka_sim_ctx_t::checkcode_md
EVP_MD const * checkcode_md
HMAC we use for calculating the checkcode.
Definition base.h:241
fr_aka_sim_ctx_t::k_encr
uint8_t const * k_encr
The encryption key used for encrypting.
Definition base.h:246
fr_aka_sim_ctx_t::hmac_extra
uint8_t const * hmac_extra
Extra data for the HMAC function.
Definition base.h:243
AKA_SIM_MAC_DIGEST_SIZE
#define AKA_SIM_MAC_DIGEST_SIZE
Length of MAC used to prevent packet modification.
Definition base.h:42
fr_aka_sim_crypto_update_checkcode
int fr_aka_sim_crypto_update_checkcode(fr_aka_sim_checkcode_t *checkcode, eap_packet_t *eap_packet)
Digest a packet, updating the checkcode.
Definition crypto.c:152
fr_aka_sim_encode
ssize_t fr_aka_sim_encode(request_t *request, fr_pair_list_t *to_encode, void *encode_ctx)
Definition encode.c:872
fr_aka_sim_ctx_t::k_aut_len
size_t k_aut_len
Definition base.h:250
fr_aka_sim_crypto_init_checkcode
int fr_aka_sim_crypto_init_checkcode(TALLOC_CTX *ctx, fr_aka_sim_checkcode_t **checkcode, EVP_MD const *md)
Initialise checkcode message digest.
Definition crypto.c:114
fr_aka_sim_ctx_t
Encoder/decoder ctx.
Definition base.h:234
eap_aka_sim_mod_session_t::response_hmac_extra
uint8_t * response_hmac_extra
Data to concatenate to response packet before validating.
Definition module.h:74
eap_aka_sim_mod_session_t::response_hmac_extra_len
size_t response_hmac_extra_len
Definition module.h:76
eap_aka_sim_mod_session_t::ctx
fr_aka_sim_ctx_t ctx
Definition module.h:79
eap_aka_sim_mod_session_t::id
uint8_t id
Last ID used, monotonically increments.
Definition module.h:72
eap_aka_sim_mod_session_t::checkcode_state
fr_aka_sim_checkcode_t * checkcode_state
Digest of all identity packets we've seen.
Definition module.h:78
eap_aka_sim_mod_session_t
Structure used to track session state at the module level.
Definition module.h:71
eap_aka_sim_module_conf_t
Definition module.h:39
unlang_interpet_frame_discard
void unlang_interpet_frame_discard(request_t *request)
Discard the bottom most frame on the request's stack.
Definition interpret.c:1730
unlang_interpret_stack_result
rlm_rcode_t unlang_interpret_stack_result(request_t *request)
Get the current rcode for the frame.
Definition interpret.c:1291
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition interpret.h:36
eap_session_get
static eap_session_t * eap_session_get(request_t *request)
Definition session.h:82
eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition session.h:62
eap_session_s::this_round
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Definition session.h:59
eap_session_s::finished
bool finished
Whether we consider this session complete.
Definition session.h:71
eap_session_s
Tracks the progress of a single session of any EAP method.
Definition session.h:40
attr_eap_aka_sim_bidding
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_bidding
Definition base.c:63
attr_eap_aka_sim_permanent_id_req
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_permanent_id_req
Definition base.c:92
attr_eap_aka_sim_k_encr
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_k_encr
Definition base.c:78
attr_eap_aka_sim_checkcode
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_checkcode
Definition base.c:64
attr_eap_aka_sim_k_aut
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_k_aut
Definition base.c:77
attr_eap_aka_sim_any_id_req
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_any_id_req
Definition base.c:60
dict_eap_aka_sim
fr_dict_t const * dict_eap_aka_sim
Definition base.c:48
attr_eap_aka_sim_mac
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_mac
Definition base.c:84
attr_eap_aka_sim_fullauth_id_req
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_fullauth_id_req
Definition base.c:70
attr_eap_aka_sim_subtype
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_subtype
Definition base.c:99
attr_eap_aka_sim_hmac_extra_request
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_hmac_extra_request
Definition base.c:71
attr_eap_aka_sim_hmac_extra_response
HIDDEN fr_dict_attr_t const * attr_eap_aka_sim_hmac_extra_response
Definition base.c:72
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:828
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:376
RPWDEBUG
#define RPWDEBUG(fmt,...)
Definition log.h:366
RPEDEBUG2
#define RPEDEBUG2(fmt,...)
Definition log.h:377
REDEBUG2
#define REDEBUG2(fmt,...)
Definition log.h:372
talloc_free
talloc_free(reap)
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
request_t
Definition merged_model.c:210
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
fr_pair_value_mem_alloc
int fr_pair_value_mem_alloc(fr_pair_t *vp, uint8_t **out, size_t size, bool tainted)
Pre-allocate a memory buffer for a "octets" type value pair.
Definition pair.c:2885
fr_pair_value_memdup_buffer_shallow
int fr_pair_value_memdup_buffer_shallow(fr_pair_t *vp, uint8_t const *src, bool tainted)
Assign a talloced buffer to a "octets" type value pair.
Definition pair.c:3011
encode_ctx
static fr_internal_encode_ctx_t encode_ctx
Definition proto_ldap_sync.c:34
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
done
static bool done
Definition radclient.c:81
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition radclient.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
RETURN_MODULE_REJECT
#define RETURN_MODULE_REJECT
Definition rcode.h:56
RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:45
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:46
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:47
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:49
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:48
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:51
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:44
module_instance_s::data
void * data
Module's instance data.
Definition module.h:272
pair_append_control
#define pair_append_control(_attr, _da)
Allocate and append a fr_pair_t to the control list.
Definition pair.h:57
pair_update_reply
#define pair_update_reply(_attr, _da)
Return or allocate a fr_pair_t in the reply list.
Definition pair.h:129
pair_delete_reply
#define pair_delete_reply(_pair_or_da)
Delete a fr_pair_t in the reply list.
Definition pair.h:181
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
pair_delete_control
#define pair_delete_control(_pair_or_da)
Delete a fr_pair_t in the control list.
Definition pair.h:190
buff
static char buff[sizeof("18446744073709551615")+3]
Definition size_tests.c:41
mod_encode
static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Encode EAP session data from attributes.
Definition module.c:42
eap_aka_sim_process
unlang_action_t eap_aka_sim_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Decode EAP session data into attribute.
Definition module.c:295
unlang_module_yield
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:419
subtype_vp
fr_pair_t * subtype_vp
Definition state_machine.c:1283
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
vp
fr_pair_t * vp
Definition state_machine.c:2262
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition state_machine.h:188
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
talloc_const_free
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:229
module.h
Functions to allow modules to push resumption frames onto the stack and inform the interpreter about ...
base.h
Master include file to access all functions and structures in the library.
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:124
fr_pair_dcursor_init
#define fr_pair_dcursor_init(_cursor, _list)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
Definition pair.h:587
data
static fr_slen_t data
Definition value.h:1288
virtual_server_push
unlang_action_t virtual_server_push(request_t *request, CONF_SECTION *server_cs, bool top_frame)
Set the request processing function.
Definition virtual_servers.c:755
Generated by   doxygen 1.9.8