validate_8c_source.html

/**

 * $Id: f039e8c5cd2841d4a7cb95c0cdd369985fd9f2be $

 * @file rlm_yubikey/validate.c

 * @brief Authentication for yubikey OTP tokens using the ykclient library.

 *

 * @author Arran Cudbard-Bell (a.cudbardb@networkradius.com)

 * @copyright 2013 The FreeRADIUS server project

 * @copyright 2013 Network RADIUS (legal@networkradius.com)

 */

#define LOG_PREFIX inst->name


#include "rlm_yubikey.h"


#ifdef HAVE_YKCLIENT

#include <freeradius-devel/server/pool.h>


/** Frees a ykclient handle

 *

 * @param[in] yandle rlm_yubikey_handle_t to close and free.

 * @return returns 0.

 */

static int _mod_conn_free(ykclient_handle_t **yandle)

{

        ykclient_handle_done(yandle);


        return 0;

}


/** Creates a new connection handle for use by the FR connection API.

 *

 * Matches the fr_pool_connection_create_t function prototype, is passed to

 * fr_pool_init, and called when a new connection is required by the

 * connection pool API.

 *

 * @see fr_pool_init

 * @see fr_pool_connection_create_t

 * @see connection.c

 */

static void *mod_conn_create(TALLOC_CTX *ctx, void *instance, UNUSED fr_time_delta_t timeout)

{

        rlm_yubikey_t const *inst = talloc_get_type_abort_const(instance, rlm_yubikey_t);

        ykclient_rc status;

        ykclient_handle_t *yandle, **marker;


        status = ykclient_handle_init(inst->ykc, &yandle);

        if (status != YKCLIENT_OK) {

                ERROR("%s", ykclient_strerror(status));


                return NULL;

        }

        marker = talloc(ctx, ykclient_handle_t *);

        talloc_set_destructor(marker, _mod_conn_free);

        *marker = yandle;


        return yandle;

}


int rlm_yubikey_ykclient_init(CONF_SECTION *conf, rlm_yubikey_t *inst)

{

        ykclient_rc status;

        CONF_SECTION *servers;


        int count = 0;


        if (!inst->client_id) {

                ERROR("validation.client_id must be set (to a valid id) when validation is enabled");


                return -1;

        }


        if (!inst->api_key || !*inst->api_key || is_zero(inst->api_key)) {

                ERROR("validation.api_key must be set (to a valid key) when validation is enabled");


                return -1;

        }


        DEBUG("Initialising ykclient");


        status = ykclient_global_init();

        if (status != YKCLIENT_OK) {

                ERROR("%s", ykclient_strerror(status));


                return -1;

        }


        status = ykclient_init(&inst->ykc);

        if (status != YKCLIENT_OK) {

                ERROR("%s", ykclient_strerror(status));

                ykclient_global_done();

                return -1;

        }


        servers = cf_section_find(conf, "servers", CF_IDENT_ANY);

        if (servers) {

                CONF_PAIR *uri, *first;

                /*

                 *      If there were no uris configured we just use the default

                 *      ykclient uris which point to the yubico servers.

                 */

                first = uri = cf_pair_find(servers, "uri");

                if (!uri) {

                        goto init;

                }


                while (uri) {

                        count++;

                        uri = cf_pair_find_next(servers, uri, "uri");

                }

                inst->uris = talloc_zero_array(inst, char const *, count);


                uri = first;

                count = 0;

                while (uri) {

                        inst->uris[count++] = cf_pair_value(uri);

                        uri = cf_pair_find_next(servers, uri, "uri");

                }

                if (count) {

                        status = ykclient_set_url_templates(inst->ykc, count, inst->uris);

                        if (status != YKCLIENT_OK) {

                                ERROR("%s", ykclient_strerror(status));

                                ykclient_done(&inst->ykc);

                                ykclient_global_done();

                                return -1;

                        }

                }

        }


init:

        status = ykclient_set_client_b64(inst->ykc, inst->client_id, inst->api_key);

        if (status != YKCLIENT_OK) {

                ERROR("%s", ykclient_strerror(status));

                ykclient_done(&inst->ykc);

                ykclient_global_done();

                return -1;

        }


        inst->pool = module_rlm_connection_pool_init(conf, inst, mod_conn_create, NULL, inst->name, NULL, NULL);

        if (!inst->pool) {

                ykclient_done(&inst->ykc);

                ykclient_global_done();

                return -1;

        }


        return 0;

}


int rlm_yubikey_ykclient_detach(rlm_yubikey_t *inst)

{

        fr_pool_free(inst->pool);

        ykclient_done(&inst->ykc);

        ykclient_global_done();


        return 0;

}


unlang_action_t rlm_yubikey_validate(unlang_result_t *p_result, module_ctx_t const *mctx,

                                     request_t *request, char const *passcode)

{

        rlm_yubikey_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_yubikey_t);

        rlm_rcode_t rcode = RLM_MODULE_OK;

        ykclient_rc status;

        ykclient_handle_t *yandle;


        yandle = fr_pool_connection_get(inst->pool, request);

        if (!yandle) RETURN_UNLANG_FAIL;


        /*

         *      The libcurl multi-handle interface will tear down the TCP sockets for any partially completed

         *      requests when their easy handle is removed from the multistack.

         *

         *      For performance reasons ykclient will stop processing the request immediately after receiving

         *      a response from one of the servers. If we then immediately call ykclient_handle_cleanup

         *      the connections are destroyed and will need to be re-established the next time the handle

         *      is used.

         *

         *      To try and prevent this from happening, we leave cleanup until the *next* time

         *      the handle is used, by which time the requests will of hopefully completed and the connections

         *      can be re-used.

         *

         */

        ykclient_handle_cleanup(yandle);


        status = ykclient_request_process(inst->ykc, yandle, passcode);

        if (status != YKCLIENT_OK) {

                REDEBUG("%s", ykclient_strerror(status));

                switch (status) {

                case YKCLIENT_BAD_OTP:

                case YKCLIENT_REPLAYED_OTP:

                        rcode = RLM_MODULE_REJECT;

                        break;


                case YKCLIENT_NO_SUCH_CLIENT:

                        rcode = RLM_MODULE_NOTFOUND;

                        break;


                default:

                        rcode = RLM_MODULE_FAIL;

                }

        }


        fr_pool_connection_release(inst->pool, request, yandle);


        RETURN_UNLANG_RCODE(rcode);

}

#endif

unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35

UNUSED
#define UNUSED
Definition build.h:336

cf_pair
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:77

cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:106

cf_pair_find_next
CONF_PAIR * cf_pair_find_next(CONF_SECTION const *cs, CONF_PAIR const *prev, char const *attr)
Find a pair with a name matching attr, after specified pair.
Definition cf_util.c:1601

cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1194

cf_pair_find
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1587

cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1746

CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:80

ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:40

DEBUG
#define DEBUG(fmt,...)
Definition dhcpclient.c:38

unlang_result_t
Definition interpret.h:138

request_t
Definition merged_model.c:210

is_zero
static bool is_zero(char const *value)
Check whether the string is all zeros.
Definition misc.h:127

module_ctx_t::mi
module_instance_t const  * mi
Instance of the module being instantiated.
Definition module_ctx.h:42

module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41

module_rlm_connection_pool_init
fr_pool_t * module_rlm_connection_pool_init(CONF_SECTION *module, void *opaque, fr_pool_connection_create_t c, fr_pool_connection_alive_t a, char const *log_prefix, char const *trigger_prefix, fr_pair_list_t *trigger_args)
Initialise a module specific connection pool.
Definition module_rlm.c:283

fr_pool_connection_release
void fr_pool_connection_release(fr_pool_t *pool, request_t *request, void *conn)
Release a connection.
Definition pool.c:1410

fr_pool_free
void fr_pool_free(fr_pool_t *pool)
Delete a connection pool.
Definition pool.c:1332

fr_pool_connection_get
void * fr_pool_connection_get(fr_pool_t *pool, request_t *request)
Reserve a connection in the connection pool.
Definition pool.c:1395

REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52

conf
static rs_t * conf
Definition radsniff.c:52

RETURN_UNLANG_RCODE
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:61

RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63

rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44

RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49

RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48

RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:47

RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:53

_mod_conn_free
static int _mod_conn_free(rlm_cache_memcached_handle_t *mandle)
Free a connection handle.
Definition rlm_cache_memcached.c:72

mod_conn_create
static void * mod_conn_create(TALLOC_CTX *ctx, void *instance, fr_time_delta_t timeout)
Definition rlm_linelog.c:187

rlm_yubikey.h

rlm_yubikey_validate
unlang_action_t rlm_yubikey_validate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request, char const *passcode)

rlm_yubikey_ykclient_init
int rlm_yubikey_ykclient_init(CONF_SECTION *conf, rlm_yubikey_t *inst)

rlm_yubikey_ykclient_detach
int rlm_yubikey_ykclient_detach(rlm_yubikey_t *inst)

rlm_yubikey_t
Definition rlm_yubikey.h:40

module_instance_s::data
void * data
Module's instance data.
Definition module.h:293

count
return count
Definition module.c:155

init
init
Enter the EAP-IDENTITY state.
Definition state_machine.c:99

inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3645

talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:117

fr_time_delta_s
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80