From: Alan T. DeKok Date: Thu, 23 Sep 2021 18:15:48 +0000 (-0400) Subject: add EAP-FAST dictionary and make it run X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a0cc88018b5dd280164740d9fba7f63be6696c4;p=thirdparty%2Ffreeradius-server.git add EAP-FAST dictionary and make it run it starts up, but it doesn't work, because the underlying EAP handlers only do EAP-TLS for now. We will need to fix this for v4, in order to: * define and use src/lib/process/fast * define a real dictionary (not an internal one) * use the struct encoder where possible * fix the encoder / decoder to use the newer API
---
diff --git a/share/dictionary/eap/fast/dictionary b/share/dictionary/eap/fast/dictionary
new file mode 100644
index 0000000000..7bcf83d6f3
--- /dev/null
+++ b/share/dictionary/eap/fast/dictionary
@@ -0,0 +1,14 @@
+# -*- text -*-
+# Copyright (C) 2021 The FreeRADIUS Server project and contributors
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+#
+# Protocol dictionary for EAP-FAST
+#
+#
+PROTOCOL EAP-FAST 103
+BEGIN-PROTOCOL EAP-FAST
+
+$INCLUDE dictionary.freeradius
+
+END-PROTOCOL EAP-FAST
diff --git a/share/dictionary/eap/fast/dictionary.freeradius b/share/dictionary/eap/fast/dictionary.freeradius
new file mode 100644
index 0000000000..fa1e8afd05
--- /dev/null
+++ b/share/dictionary/eap/fast/dictionary.freeradius
@@ -0,0 +1,51 @@
+# -*- text -*-
+# Copyright (C) 2021 The FreeRADIUS Server project and contributors
+# This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
+# Version $Id$
+#
+# Attributes needed by FreeRADIUS internally
+#
+
+#
+# Internal (Non-Protocol) attributes
+#
+# @todo - update to use STRUCT, and get rid of the manual encoding / decoding
+#
+FLAGS internal
+
+ATTRIBUTE Result 3 short
+ATTRIBUTE NAK 4 octets
+ATTRIBUTE Error 5 integer
+ATTRIBUTE Vendor-Specific 7 octets
+ATTRIBUTE EAP-Payload 9 octets
+ATTRIBUTE Intermediate-Result 10 octets
+
+ATTRIBUTE PAC 11 tlv
+ATTRIBUTE Key 11.1 octets
+
+ATTRIBUTE Opaque 11.2 tlv
+ATTRIBUTE PAC-Key 11.2.1 octets
+ATTRIBUTE PAC-Lifetime 11.2.3 integer
+ATTRIBUTE I-ID 11.2.5 octets
+ATTRIBUTE PAC-Type 11.2.10 short
+
+ATTRIBUTE Lifetime 11.3 integer
+ATTRIBUTE A-ID 11.4 octets
+ATTRIBUTE I-ID 11.5 octets
+ATTRIBUTE A-ID-Info 11.7 octets
+ATTRIBUTE Acknowledge 11.8 short
+
+ATTRIBUTE Info 11.9 tlv
+ATTRIBUTE PAC-Lifetime 11.9.3 integer
+ATTRIBUTE A-ID 11.9.4 octets
+ATTRIBUTE I-ID 11.9.5 octets
+ATTRIBUTE A-ID-Info 11.9.7 octets
+ATTRIBUTE PAC-Type 11.9.10 short
+
+ATTRIBUTE Type 11.10 short
+
+ATTRIBUTE Crypto-Binding 12 octets
+
+ATTRIBUTE Trusted-Root 18 octets
+ATTRIBUTE Request-Action 19 short
+ATTRIBUTE PKCS 20 octets
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index fec2b4f303..e7e55f5463 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -810,7 +810,7 @@ static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, eap_ses
 vp; vp = fr_pair_list_next(fast_vps, vp)) {
 fr_radius_packet_code_t code = FR_RADIUS_CODE_ACCESS_REJECT;
- if (vp->da->parent == attr_eap_fast_tlv) {
+ if (vp->da->parent == fr_dict_root(dict_eap_fast)) {
 if (vp->da == attr_eap_fast_eap_payload) {
 code = eap_fast_eap_payload(request, eap_session, tls_session, vp);
 if (code == FR_RADIUS_CODE_ACCESS_ACCEPT) t->stage = EAP_FAST_CRYPTOBIND_CHECK;
@@ -960,7 +960,7 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
 return FR_RADIUS_CODE_ACCESS_CHALLENGE;
 }
 
- if (eap_fast_decode_pair(request, &fast_vps, attr_eap_fast_tlv,
+ if (eap_fast_decode_pair(request, &fast_vps, fr_dict_root(dict_eap_fast),
 data, data_len, NULL) < 0) return FR_RADIUS_CODE_ACCESS_REJECT;
 RDEBUG2("Got Tunneled FAST TLVs");
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
index d70df90b27..ea5a3032ce 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
@@ -245,8 +245,8 @@ extern fr_dict_attr_t const *attr_eap_fast_pac_opaque_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_pac_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_pac_type;
 extern fr_dict_attr_t const *attr_eap_fast_result;
-extern fr_dict_attr_t const *attr_eap_fast_tlv;
 extern fr_dict_attr_t const *attr_eap_fast_vendor_specific;
+extern fr_dict_t const *dict_eap_fast;
 
 /*
 * Process the FAST portion of an EAP-FAST request.
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
index 70acc76bd8..477b11b76d 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
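Review bot: `fr_dict_root(dict_eap_fast)` is now evaluated on every pass through the `for` over `fast_vps`, although the dictionary root cannot change while the list is being walked; hoist it into a local above the loop, `fr_dict_attr_t const *fast_root = fr_dict_root(dict_eap_fast);`, and compare `vp->da->parent == fast_root`. The `for` header and the rest of eap_fast_process_tlvs begin and end outside the hunk, so the declaration has to be placed there. The same lookup in the `@@ -960` hunk is a single call and needs no change.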
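Review bot: The new `extern fr_dict_t const *dict_eap_fast;` is the only declaration in this list that is not an attribute pointer, and nothing here says where it is set or why eap_fast.c needs it now that `attr_eap_fast_tlv` is gone. Add a one-line comment above it, `/* Set by the rlm_eap_fast_dict[] autoload in rlm_eap_fast.c; fr_dict_root() on it is the parent of the top-level FAST TLVs */`, so the replacement for the former self-describing `attr_eap_fast_tlv` stays understandable to readers of the header alone.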
@@ -80,13 +80,13 @@ static CONF_PARSER submodule_config[] = {
 
 static fr_dict_t const *dict_freeradius;
 static fr_dict_t const *dict_radius;
-static fr_dict_t const *dict_eap_fast;
+fr_dict_t const *dict_eap_fast;
 
 extern fr_dict_autoload_t rlm_eap_fast_dict[];
 fr_dict_autoload_t rlm_eap_fast_dict[] = {
 { .out = &dict_freeradius, .proto = "freeradius" },
 { .out = &dict_radius, .proto = "radius" },
- { .out = &dict_eap_fast, .proto = "eap-fast" },
+ { .out = &dict_eap_fast, .base_dir = "eap/fast", .proto = "eap-fast" },
 { NULL }
 };
 
@@ -130,7 +130,6 @@ fr_dict_attr_t const *attr_eap_fast_pac_opaque_tlv;
 fr_dict_attr_t const *attr_eap_fast_pac_tlv;
 fr_dict_attr_t const *attr_eap_fast_pac_type;
 fr_dict_attr_t const *attr_eap_fast_result;
-fr_dict_attr_t const *attr_eap_fast_tlv;
 fr_dict_attr_t const *attr_eap_fast_vendor_specific;
 
 extern fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[];
@@ -139,7 +138,7 @@ fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[] = {
 { .out = &attr_eap_msk, .name = "EAP-MSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 { .out = &attr_eap_tls_require_client_cert, .name = "EAP-TLS-Require-Client-Cert", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
 { .out = &attr_eap_type, .name = "EAP-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
- { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+ { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
 { .out = &attr_ms_chap_peer_challenge, .name = "MS-CHAP-Peer-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 { .out = &attr_proxy_to_realm, .name = "Proxy-To-Realm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
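Review bot: `dict_eap_fast` loses its `static` here and becomes an exported symbol of the module, but unlike `rlm_eap_fast_dict[]` two lines below it has no `extern` declaration immediately before the definition, which is how this file otherwise satisfies missing-variable-declaration warnings. If rlm_eap_fast.c does not include eap_fast.h (not visible from the hunk), add `extern fr_dict_t const *dict_eap_fast;` above the definition to match the surrounding style; if it does, a short comment such as `/* exported: eap_fast.c uses fr_dict_root() on it */` would explain why this one is not static.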
@@ -150,33 +149,32 @@ fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[] = {
 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
 
- { .out = &attr_eap_fast_crypto_binding, .name = "EAP-FAST-Crypto-Binding", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_eap_payload, .name = "EAP-FAST-EAP-Payload", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_error, .name = "EAP-FAST-Error", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_intermediate_result, .name = "EAP-FAST-Intermediate-Result", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_nak, .name = "EAP-FAST-NAK", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_a_id, .name = "EAP-FAST-PAC-A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_a_id_info, .name = "EAP-FAST-PAC-A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_acknowledge, .name = "EAP-FAST-PAC-Acknowledge", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_i_id, .name = "EAP-FAST-PAC-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_a_id, .name = "EAP-FAST-PAC-Info-A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_a_id_info, .name = "EAP-FAST-PAC-Info-A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_i_id, .name = "EAP-FAST-PAC-Info-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_pac_lifetime, .name = "EAP-FAST-PAC-Info-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_pac_type, .name = "EAP-FAST-PAC-Info-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_info_tlv, .name = "EAP-FAST-PAC-Info-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_key, .name = "EAP-FAST-PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_lifetime, .name = "EAP-FAST-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_opaque_i_id, .name = "EAP-FAST-PAC-Opaque-I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_opaque_pac_key, .name = "EAP-FAST-PAC-Opaque-PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_opaque_pac_lifetime, .name = "EAP-FAST-PAC-Opaque-PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_opaque_pac_type, .name = "EAP-FAST-PAC-Opaque-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_opaque_tlv, .name = "EAP-FAST-PAC-Opaque-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_tlv, .name = "EAP-FAST-PAC-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_pac_type, .name = "EAP-FAST-PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_result, .name = "EAP-FAST-Result", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_tlv, .name = "EAP-FAST-TLV", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
- { .out = &attr_eap_fast_vendor_specific, .name = "EAP-FAST-Vendor-Specific", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_crypto_binding, .name = "Crypto-Binding", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_eap_payload, .name = "EAP-Payload", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_error, .name = "Error", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_intermediate_result, .name = "Intermediate-Result", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_nak, .name = "NAK", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_a_id, .name = "PAC.A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_a_id_info, .name = "PAC.A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_acknowledge, .name = "PAC.Acknowledge", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_i_id, .name = "PAC.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_a_id, .name = "PAC.Info.A-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_a_id_info, .name = "PAC.Info.A-ID-Info", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_i_id, .name = "PAC.Info.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_pac_lifetime, .name = "PAC.Info.PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_pac_type, .name = "PAC.Info.PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_info_tlv, .name = "PAC.Info", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_key, .name = "PAC.Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_lifetime, .name = "PAC.Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_opaque_i_id, .name = "PAC.Opaque.I-ID", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_opaque_pac_key, .name = "PAC.Opaque.PAC-Key", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_opaque_pac_lifetime, .name = "PAC.Opaque.PAC-Lifetime", .type = FR_TYPE_UINT32, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_opaque_pac_type, .name = "PAC.Opaque.PAC-Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_opaque_tlv, .name = "PAC.Opaque", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_tlv, .name = "PAC", .type = FR_TYPE_TLV, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_pac_type, .name = "PAC.Type", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_result, .name = "Result", .type = FR_TYPE_UINT16, .dict = &dict_eap_fast },
+ { .out = &attr_eap_fast_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_OCTETS, .dict = &dict_eap_fast },
 { NULL }
 };
 
@@ -334,7 +332,7 @@ error:
 t->pac.type = vp->vp_uint16;
 } else if (vp->da == attr_eap_fast_pac_info_pac_lifetime) {
 fr_assert(fr_time_eq(t->pac.expires, fr_time_wrap(0)));
- t->pac.expires = fr_time_add(request->packet->timestamp, fr_time_delta_from_sec(vp->vp_uint32));
+ t->pac.expires = fr_time_add(request->packet->timestamp, vp->vp_time_delta);
 t->pac.expired = false;
 /*
 * Not sure if this is the correct attr