From 50b37d4a27d3295a29afca2286f1a5a086142cec Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 11:49:46 +0200 Subject: Adding upstream version 3.2.1+dfsg. Signed-off-by: Daniel Baumann --- src/modules/rlm_eap/libeap/eap_chbind.c | 290 ++++++++++++++++++++++++++++++++ 1 file changed, 290 insertions(+) create mode 100644 src/modules/rlm_eap/libeap/eap_chbind.c (limited to 'src/modules/rlm_eap/libeap/eap_chbind.c') diff --git a/src/modules/rlm_eap/libeap/eap_chbind.c b/src/modules/rlm_eap/libeap/eap_chbind.c new file mode 100644 index 0000000..21b2584 --- /dev/null +++ b/src/modules/rlm_eap/libeap/eap_chbind.c @@ -0,0 +1,290 @@ +/* + * eap_chbind.c + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2014 Network RADIUS SARL + * Copyright 2014 The FreeRADIUS server project + */ + + +RCSID("$Id$") + +#include "eap_chbind.h" + +static bool chbind_build_response(REQUEST *request, CHBIND_REQ *chbind) +{ + int length; + size_t total; + uint8_t *ptr, *end; + VALUE_PAIR const *vp; + vp_cursor_t cursor; + + total = 0; + for (vp = fr_cursor_init(&cursor, &request->reply->vps); + vp != NULL; + vp = fr_cursor_next(&cursor)) { + /* + * Skip things which shouldn't be in channel bindings. + */ + if (vp->da->flags.encrypt != FLAG_ENCRYPT_NONE) continue; + if (!vp->da->vendor && (vp->da->attr == PW_MESSAGE_AUTHENTICATOR)) continue; + + total += 2 + vp->vp_length; + } + + /* + * No attributes: just send a 1-byte response code. + */ + if (!total) { + ptr = talloc_zero_array(chbind, uint8_t, 1); + } else { + ptr = talloc_zero_array(chbind, uint8_t, total + 4); + } + if (!ptr) return false; + chbind->response = (chbind_packet_t *) ptr; + + /* + * Set the response code. Default to "fail" if none was + * specified. + */ + vp = fr_pair_find_by_num(request->config, PW_CHBIND_RESPONSE_CODE, 0, TAG_ANY); + if (vp) { + ptr[0] = vp->vp_integer; + } else { + ptr[0] = CHBIND_CODE_FAILURE; + } + + if (!total) return true; /* nothing to encode */ + + /* Write the length field into the header */ + ptr[1] = (total >> 8) & 0xff; + ptr[2] = total & 0xff; + ptr[3] = CHBIND_NSID_RADIUS; + + RDEBUG("Sending chbind response: code %i", (int )(ptr[0])); + rdebug_pair_list(L_DBG_LVL_1, request, request->reply->vps, NULL); + + /* Encode the chbind attributes into the response */ + ptr += 4; + end = ptr + total; + for (vp = fr_cursor_init(&cursor, &request->reply->vps); + vp != NULL; + vp = fr_cursor_next(&cursor)) { + /* + * Skip things which shouldn't be in channel bindings. + */ + if (vp->da->flags.encrypt != FLAG_ENCRYPT_NONE) continue; + if (!vp->da->vendor && (vp->da->attr == PW_MESSAGE_AUTHENTICATOR)) continue; + + length = rad_vp2attr(NULL, NULL, NULL, &vp, ptr, end - ptr); + if (length < 0) continue; + ptr += length; + } + + return true; +} + + +/* + * Parse channel binding packet to obtain data for a specific + * NSID. + * + * See: + * http://tools.ietf.org/html/draft-ietf-emu-chbind-13#section-5.3.2 + */ +static size_t chbind_get_data(chbind_packet_t const *packet, + int desired_nsid, + uint8_t const **data) +{ + uint8_t const *ptr; + uint8_t const *end; + + if (packet->code != CHBIND_CODE_REQUEST) { + return 0; + } + + ptr = (uint8_t const *) packet; + end = ptr + talloc_array_length((uint8_t const *) packet); + + ptr++; /* skip the code at the start of the packet */ + while (ptr < end) { + uint8_t nsid; + size_t length; + + /* + * Need room for length(2) + NSID + data. + */ + if ((end - ptr) < 4) return 0; + + length = (ptr[0] << 8) | ptr[1]; + if (length == 0) return 0; + + if ((ptr + length + 3) > end) return 0; + + nsid = ptr[2]; + if (nsid == desired_nsid) { + ptr += 3; + *data = ptr; + return length; + } + + ptr += 3 + length; + } + + return 0; +} + + +PW_CODE chbind_process(REQUEST *request, CHBIND_REQ *chbind) +{ + PW_CODE rcode; + REQUEST *fake = NULL; + VALUE_PAIR *vp = NULL; + uint8_t const *attr_data; + size_t data_len = 0; + + /* check input parameters */ + rad_assert((request != NULL) && + (chbind != NULL) && + (chbind->request != NULL) && + (chbind->response == NULL)); + + /* Set-up the fake request */ + fake = request_alloc_fake(request); + fr_pair_make(fake->packet, &fake->packet->vps, "Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); + + /* Add the username to the fake request */ + if (chbind->username) { + vp = fr_pair_copy(fake->packet, chbind->username); + fr_pair_add(&fake->packet->vps, vp); + fake->username = vp; + } + + /* + * Maybe copy the State over, too? + */ + + /* Add the channel binding attributes to the fake packet */ + data_len = chbind_get_data(chbind->request, CHBIND_NSID_RADIUS, &attr_data); + if (data_len) { + rad_assert(data_len <= talloc_array_length((uint8_t const *) chbind->request)); + + while (data_len > 0) { + int attr_len = rad_attr2vp(fake->packet, NULL, NULL, NULL, attr_data, data_len, &vp); + if (attr_len <= 0) { + /* If radaddr2vp fails, return NULL string for + channel binding response */ + talloc_free(fake); + return PW_CODE_ACCESS_ACCEPT; + } + if (vp) { + fr_pair_add(&fake->packet->vps, vp); + } + attr_data += attr_len; + data_len -= attr_len; + } + } + + /* + * Set virtual server based on configuration for channel + * bindings, this is hard-coded for now. + */ + fake->server = "channel_bindings"; + fake->packet->code = PW_CODE_ACCESS_REQUEST; + + switch (rad_virtual_server(fake)) { + /* If rad_authenticate succeeded, build a reply */ + case RLM_MODULE_OK: + case RLM_MODULE_HANDLED: + if (chbind_build_response(fake, chbind)) { + rcode = PW_CODE_ACCESS_ACCEPT; + break; + } + /* FALL-THROUGH */ + + /* If we got any other response from rad_authenticate, it maps to a reject */ + default: + rcode = PW_CODE_ACCESS_REJECT; + break; + } + + talloc_free(fake); + + return rcode; +} + +/* + * Handles multiple EAP-channel-binding Message attrs + * ie concatenates all to get the complete EAP-channel-binding packet. + */ +chbind_packet_t *eap_chbind_vp2packet(TALLOC_CTX *ctx, VALUE_PAIR *vps) +{ + size_t length; + uint8_t *ptr; + VALUE_PAIR *first, *vp; + chbind_packet_t *packet; + vp_cursor_t cursor; + + first = fr_pair_find_by_num(vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY); + if (!first) return NULL; + + /* + * Compute the total length of the channel binding data. + */ + length = 0; + fr_cursor_init(&cursor, &first); + while ((vp = fr_cursor_next_by_num(&cursor, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY))) { + length += vp->vp_length; + } + + if (length < 4) { + DEBUG("Invalid length %u for channel binding data", (unsigned int) length); + return NULL; + } + + /* + * Now that we know the length, allocate memory for the packet. + */ + ptr = talloc_zero_array(ctx, uint8_t, length); + if (!ptr) return NULL; + + /* + * Copy the data over to our packet. + */ + packet = (chbind_packet_t *) ptr; + fr_cursor_init(&cursor, &first); + while ((vp = fr_cursor_next_by_num(&cursor, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY))) { + memcpy(ptr, vp->vp_octets, vp->vp_length); + ptr += vp->vp_length; + } + + return packet; +} + +VALUE_PAIR *eap_chbind_packet2vp(RADIUS_PACKET *packet, chbind_packet_t *chbind) +{ + VALUE_PAIR *vp; + + if (!chbind) return NULL; /* don't produce garbage */ + + vp = fr_pair_afrom_num(packet, PW_UKERNA_CHBIND, VENDORPEC_UKERNA); + if (!vp) return NULL; + fr_pair_value_memcpy(vp, (uint8_t *) chbind, talloc_array_length((uint8_t *)chbind)); + + return vp; +} -- cgit v1.2.3