add EAP-FAST dictionary and make it run
authorAlan T. DeKok <aland@freeradius.org>
Thu, 23 Sep 2021 18:15:48 +0000 (14:15 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 23 Sep 2021 18:22:11 +0000 (14:22 -0400)
it starts up, but it doesn't work, because the underlying
EAP handlers only do EAP-TLS for now.

We will need to fix this for v4, in order to:

* define and use src/lib/process/fast
* define a real dictionary (not an internal one)
* use the struct encoder where possible
* fix the encoder / decoder to use the newer API

share/dictionary/eap/fast/dictionary [new file with mode: 0644]
share/dictionary/eap/fast/dictionary.freeradius [new file with mode: 0644]
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c

diff --git a/share/dictionary/eap/fast/dictionary b/share/dictionary/eap/fast/dictionary
new file mode 100644 (file)
index 0000000..7bcf83d
--- /dev/null
@@ -0,0 +1,14 @@
+# -*- text -*-
+# Copyright (C) 2021 The FreeRADIUS Server project and contributors
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+#
+#      Protocol dictionary for EAP-FAST
+#
+#
+PROTOCOL       EAP-FAST        103
+BEGIN-PROTOCOL EAP-FAST
+
+$INCLUDE dictionary.freeradius
+
+END-PROTOCOL   EAP-FAST
diff --git a/share/dictionary/eap/fast/dictionary.freeradius b/share/dictionary/eap/fast/dictionary.freeradius
new file mode 100644 (file)
index 0000000..fa1e8af
--- /dev/null
@@ -0,0 +1,51 @@
+# -*- text -*-
+# Copyright (C) 2021 The FreeRADIUS Server project and contributors
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+#
+#      Attributes needed by FreeRADIUS internally
+#
+
+#
+#  Internal (Non-Protocol) attributes
+#
+#  @todo - update to use STRUCT, and get rid of the manual encoding / decoding
+#
+FLAGS  internal
+
+ATTRIBUTE      Result                          3       short
+ATTRIBUTE      NAK                             4       octets
+ATTRIBUTE      Error                           5       integer
+ATTRIBUTE      Vendor-Specific                 7       octets
+ATTRIBUTE      EAP-Payload                     9       octets
+ATTRIBUTE      Intermediate-Result             10      octets
+
+ATTRIBUTE      PAC                             11      tlv
+ATTRIBUTE      Key                             11.1    octets
+
+ATTRIBUTE      Opaque                          11.2    tlv
+ATTRIBUTE      PAC-Key                         11.2.1  octets
+ATTRIBUTE      PAC-Lifetime                    11.2.3  integer
+ATTRIBUTE      I-ID                            11.2.5  octets
+ATTRIBUTE      PAC-Type                        11.2.10 short
+
+ATTRIBUTE      Lifetime                        11.3    integer
+ATTRIBUTE      A-ID                            11.4    octets
+ATTRIBUTE      I-ID                            11.5    octets
+ATTRIBUTE      A-ID-Info                       11.7    octets
+ATTRIBUTE      Acknowledge                     11.8    short
+
+ATTRIBUTE      Info                            11.9    tlv
+ATTRIBUTE      PAC-Lifetime                    11.9.3  integer
+ATTRIBUTE      A-ID                            11.9.4  octets
+ATTRIBUTE      I-ID                            11.9.5  octets
+ATTRIBUTE      A-ID-Info                       11.9.7  octets
+ATTRIBUTE      PAC-Type                        11.9.10 short
+
+ATTRIBUTE      Type                            11.10   short
+
+ATTRIBUTE      Crypto-Binding                  12      octets
+
+ATTRIBUTE      Trusted-Root                    18      octets
+ATTRIBUTE      Request-Action                  19      short
+ATTRIBUTE      PKCS                            20      octets
index fec2b4f303aa2d5e08bb4d3af6494c8ffd0dd87c..e7e55f5463e42f2f330178501db41fafa1d99a76 100644 (file)
@@ -810,7 +810,7 @@ static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, eap_ses
             vp;
             vp = fr_pair_list_next(fast_vps, vp)) {
                fr_radius_packet_code_t code = FR_RADIUS_CODE_ACCESS_REJECT;
-               if (vp->da->parent == attr_eap_fast_tlv) {
+               if (vp->da->parent == fr_dict_root(dict_eap_fast)) {
                        if (vp->da == attr_eap_fast_eap_payload) {
                                code = eap_fast_eap_payload(request, eap_session, tls_session, vp);
                                if (code == FR_RADIUS_CODE_ACCESS_ACCEPT) t->stage = EAP_FAST_CRYPTOBIND_CHECK;
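Review bot: `fr_dict_root(dict_eap_fast)` on the new line is re-evaluated on every iteration of the `for` over `fast_vps`, and the same lookup is repeated in this file's second hunk for the `eap_fast_decode_pair()` call; hoist it once into a local such as `fr_dict_attr_t const *fast_root = fr_dict_root(dict_eap_fast);` ahead of the loop and compare against that. A named local also makes explicit that only top-level TLVs are dispatched in this branch (what happens to pairs with another parent is not shown in the hunk). eap_fast_process_tlvs() begins and ends outside this hunk.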
@@ -960,7 +960,7 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
                return FR_RADIUS_CODE_ACCESS_CHALLENGE;
        }
 
-       if (eap_fast_decode_pair(request, &fast_vps, attr_eap_fast_tlv,
+       if (eap_fast_decode_pair(request, &fast_vps, fr_dict_root(dict_eap_fast),
                                 data, data_len, NULL) < 0) return FR_RADIUS_CODE_ACCESS_REJECT;
 
        RDEBUG2("Got Tunneled FAST TLVs");
index d70df90b276fd374fb6891d896fdd80732268f90..ea5a3032cec1fb54529d1f6b85e6e359ccbea659 100644 (file)
@@ -245,8 +245,8 @@ extern fr_dict_attr_t const *attr_eap_fast_pac_opaque_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_pac_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_pac_type;
 extern fr_dict_attr_t const *attr_eap_fast_result;
-extern fr_dict_attr_t const *attr_eap_fast_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_vendor_specific;
+extern fr_dict_t const *dict_eap_fast;
 
 /*
  *     Process the FAST portion of an EAP-FAST request.
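Review bot: The new `extern fr_dict_t const *dict_eap_fast;` is dropped between the `attr_eap_fast_*` declarations with no comment saying who defines and populates it, even though it is a dictionary handle rather than an attribute pointer. Add `/* Defined in rlm_eap_fast.c and filled in by the rlm_eap_fast_dict[] autoload; only valid once the module has loaded */` above it, and consider giving it its own group after the attribute externs so the two kinds of symbol are not mixed.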
index 70acc76bd84c3cc2efb2e1fe8b19e5e032c11afa..477b11b76d1f25cf400bec5c2be90023b09c0dd2 100644 (file)
@@ -80,13 +80,13 @@ static CONF_PARSER submodule_config[] = {
 
 static fr_dict_t const *dict_freeradius;
 static fr_dict_t const *dict_radius;
-static fr_dict_t const *dict_eap_fast;
+fr_dict_t const *dict_eap_fast;
 
 extern fr_dict_autoload_t rlm_eap_fast_dict[];
 fr_dict_autoload_t rlm_eap_fast_dict[] = {
        { .out = &dict_freeradius, .proto = "freeradius" },
        { .out = &dict_radius, .proto = "radius" },
-       { .out = &dict_eap_fast, .proto = "eap-fast" },
+       { .out = &dict_eap_fast, .base_dir = "eap/fast", .proto = "eap-fast" },
        { NULL }
 };
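Review bot: `fr_dict_t const *dict_eap_fast;` now has external linkage, but unlike `rlm_eap_fast_dict[]` two lines below it has no adjacent `extern` declaration; the file's own pattern (`extern fr_dict_autoload_t rlm_eap_fast_dict[];` immediately before the definition) exists so the definition is preceded by a declaration, and the hunk does not show whether eap_fast.h is included to provide one. Either add `extern fr_dict_t const *dict_eap_fast;` before the definition, matching the local convention, or note that the header supplies it. Since the symbol is now exported from a dlopen'd module, a short comment naming its consumer would help, e.g. `/* Exported: eap_fast.c uses fr_dict_root(dict_eap_fast) as the parent for decoding tunneled TLVs */`.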
 
@@ -130,7 +130,6 @@ fr_dict_attr_t const *attr_eap_fast_pac_opaque_tlv;
 fr_dict_attr_t const *attr_eap_fast_pac_tlv;
 fr_dict_attr_t const *attr_eap_fast_pac_type;
 fr_dict_attr_t const *attr_eap_fast_result;
-fr_dict_attr_t const *attr_eap_fast_tlv;
 fr_dict_attr_t const *attr_eap_fast_vendor_specific;
 
 extern fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[];
@@ -139,7 +138,7 @@ fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[] = {
        { .out = &attr_eap_msk, .name = "EAP-MSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
        { .out = &attr_eap_tls_require_client_cert, .name = "EAP-TLS-Require-Client-Cert", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
        { .out = &attr_eap_type, .name = "EAP-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
-       { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+       { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
        { .out = &attr_proxy_to_realm, .name = "Proxy-To-Realm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 
@@ -150,33 +149,32 @@ fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[] = {
        { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
        { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
 
-       { .out = &attr_eap_fast_crypto_binding, .name = "EAP-FAST-Crypto-Binding", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_eap_payload, .name = "EAP-FAST-EAP-Payload", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_error, .name = "EAP-FAST-Error", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_intermediate_result, .name = "EAP-FAST-Intermediate-Result", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_nak, .name = "EAP-FAST-NAK", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_a_id, .name = "EAP-FAST-PAC-A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_a_id_info, .name = "EAP-FAST-PAC-A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_acknowledge, .name = "EAP-FAST-PAC-Acknowledge", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_i_id, .name = "EAP-FAST-PAC-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_a_id, .name = "EAP-FAST-PAC-Info-A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_a_id_info, .name = "EAP-FAST-PAC-Info-A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_i_id, .name = "EAP-FAST-PAC-Info-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_pac_lifetime, .name = "EAP-FAST-PAC-Info-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_pac_type, .name = "EAP-FAST-PAC-Info-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_info_tlv, .name = "EAP-FAST-PAC-Info-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_key, .name = "EAP-FAST-PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_lifetime, .name = "EAP-FAST-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_opaque_i_id, .name = "EAP-FAST-PAC-Opaque-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_opaque_pac_key, .name = "EAP-FAST-PAC-Opaque-PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_opaque_pac_lifetime, .name = "EAP-FAST-PAC-Opaque-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_opaque_pac_type, .name = "EAP-FAST-PAC-Opaque-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_opaque_tlv, .name = "EAP-FAST-PAC-Opaque-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_tlv, .name = "EAP-FAST-PAC-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_pac_type, .name = "EAP-FAST-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_result, .name = "EAP-FAST-Result", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_tlv, .name = "EAP-FAST-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
-       { .out = &attr_eap_fast_vendor_specific, .name = "EAP-FAST-Vendor-Specific", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_crypto_binding, .name = "Crypto-Binding", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_eap_payload, .name = "EAP-Payload", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_error, .name = "Error", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_intermediate_result, .name = "Intermediate-Result", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_nak, .name = "NAK", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_a_id, .name = "PAC.A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_a_id_info, .name = "PAC.A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_acknowledge, .name = "PAC.Acknowledge", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_i_id, .name = "PAC.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_a_id, .name = "PAC.Info.A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_a_id_info, .name = "PAC.Info.A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_i_id, .name = "PAC.Info.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_pac_lifetime, .name = "PAC.Info.PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_pac_type, .name = "PAC.Info.PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_info_tlv, .name = "PAC.Info", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_key, .name = "PAC.Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_lifetime, .name = "PAC.Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_opaque_i_id, .name = "PAC.Opaque.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_opaque_pac_key, .name = "PAC.Opaque.PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_opaque_pac_lifetime, .name = "PAC.Opaque.PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_opaque_pac_type, .name = "PAC.Opaque.PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_opaque_tlv, .name = "PAC.Opaque", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_tlv, .name = "PAC", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_pac_type, .name = "PAC.Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_result, .name = "Result", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+       { .out = &attr_eap_fast_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
 
        { NULL }
 };
@@ -334,7 +332,7 @@ error:
                        t->pac.type = vp->vp_uint16;
                } else if (vp->da == attr_eap_fast_pac_info_pac_lifetime) {
                        fr_assert(fr_time_eq(t->pac.expires, fr_time_wrap(0)));
-                       t->pac.expires = fr_time_add(request->packet->timestamp, fr_time_delta_from_sec(vp->vp_uint32));
+                       t->pac.expires = fr_time_add(request->packet->timestamp, vp->vp_time_delta);
                        t->pac.expired = false;
                /*
                 *      Not sure if this is the correct attr
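Review bot: The new line reads `vp->vp_time_delta` from `attr_eap_fast_pac_info_pac_lifetime`, but that attribute is still autoloaded as `FR_TYPE_UINT32` (the `PAC.Info.PAC-Lifetime` entry earlier in this file) and declared `integer` at 11.9.3 in dictionary.freeradius, so the value box is filled as a 32-bit seconds count, not as a time delta. Reading the time_delta member of that box reinterprets the raw seconds value (and whatever occupies the upper bytes) as a delta, which presumably puts `t->pac.expires` far from the intended lifetime; since this expiry is what bounds how long a provisioned PAC stays usable, the two representations must agree. Either keep `fr_time_delta_from_sec(vp->vp_uint32)` here, or change both the dictionary type at 11.9.3 and the autoload `.type` to a time-delta type so the decoder populates `vp_time_delta`. The enclosing function starts and ends outside this hunk.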