From: Alan T. DeKok Date: Sat, 1 Feb 2025 21:05:34 +0000 (-0500) Subject: debug print TEAP attributes we're sending in phase 2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b532dc53599df4f12bc6454e967d2e7b87a35fb;p=thirdparty%2Ffreeradius-server.git debug print TEAP attributes we're sending in phase 2 --- diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c index 16f4c57f38..5cb2f88b65 100644 --- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c +++ b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c @@ -168,26 +168,41 @@ static void eap_teap_derive_imck(REQUEST *request, tls_session_t *tls_session, memcpy(&t->imck_msk, &imck_msk, sizeof(imck_msk)); } -static void eap_teap_tlv_append(tls_session_t *tls_session, int tlv, bool mandatory, int length, const void *data) +static void eap_teap_tlv_append(REQUEST *request, tls_session_t *tls_session, int tlv, bool mandatory, int length, const void *data) { uint16_t hdr[2]; hdr[0] = htons(tlv | (mandatory ? EAP_TEAP_TLV_MANDATORY : 0)); hdr[1] = htons(length); + if ((rad_debug_lvl > 1) && (length < 256)) { + DICT_ATTR const *da; + + da = dict_attrbyvalue((tlv << 8) | PW_FREERADIUS_EAP_TEAP_TLV, VENDORPEC_FREERADIUS); + if (da) { + char buf[1024]; + + for (size_t i = 0; i < (size_t) length; i++) { + sprintf(&buf[2*i], "%02x", ((const uint8_t *)data)[i]); + } + + RDEBUG(" %s = 0x%s", da->name, buf); + } + } + tls_session->record_plus(&tls_session->clean_in, &hdr, 4); tls_session->record_plus(&tls_session->clean_in, data, length); } -static void eap_teap_send_error(tls_session_t *tls_session, int error) +static void eap_teap_send_error(REQUEST *request, tls_session_t *tls_session, int error) { uint32_t value; value = htonl(error); - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_ERROR, true, sizeof(value), &value); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_ERROR, true, sizeof(value), &value); } -static void eap_teap_append_identity_type(tls_session_t *tls_session, int value) +static void eap_teap_append_identity_type(REQUEST *request, tls_session_t *tls_session, int value) { uint16_t identity; identity = htons(value); @@ -202,7 +217,7 @@ static void eap_teap_append_identity_type(tls_session_t *tls_session, int value) t->auths[value].required = true; t->auths[value].sent = true; - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_IDENTITY_TYPE, false, sizeof(identity), &identity); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_IDENTITY_TYPE, false, sizeof(identity), &identity); } static void eap_teap_append_result(REQUEST *request, tls_session_t *tls_session, PW_CODE code) @@ -224,7 +239,7 @@ static void eap_teap_append_result(REQUEST *request, tls_session_t *tls_session, RDEBUG("Phase 2: %s = %s", name, state_name); - eap_teap_tlv_append(tls_session, type, true, sizeof(state), &state); + eap_teap_tlv_append(request, tls_session, type, true, sizeof(state), &state); } static void eap_teap_append_eap_identity_request(REQUEST *request, tls_session_t *tls_session, eap_handler_t *eap_session) @@ -239,7 +254,7 @@ static void eap_teap_append_eap_identity_request(REQUEST *request, tls_session_t eap_packet.length[1] = EAP_HEADER_LEN + 1; eap_packet.data[0] = PW_EAP_IDENTITY; - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, sizeof(eap_packet), &eap_packet); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, sizeof(eap_packet), &eap_packet); } /* @@ -259,8 +274,6 @@ static void eap_teap_append_crypto_binding(REQUEST *request, tls_session_t *tls_ struct crypto_binding_buffer *cbb; uint8_t *outer_tlvs; - RDEBUG("Phase 2: Sending Cryptobinding"); - eap_teap_derive_imck(request, tls_session, msk, msklen, emsk, emsklen); t->imck_emsk_available = emsklen > 0; @@ -281,6 +294,8 @@ static void eap_teap_append_crypto_binding(REQUEST *request, tls_session_t *tls_ cbb->binding.subtype = ((emsklen ? EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH : EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK) << 4) | EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; + RDEBUG("Phase 2: Sending Cryptobinding flags=%d", emsklen ? EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH : EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK); + rad_assert(sizeof(cbb->binding.nonce) % sizeof(uint32_t) == 0); RANDFILL(cbb->binding.nonce); cbb->binding.nonce[sizeof(cbb->binding.nonce) - 1] &= ~0x01; /* RFC 7170, Section 4.2.13 */ @@ -312,7 +327,7 @@ static void eap_teap_append_crypto_binding(REQUEST *request, tls_session_t *tls_ memcpy(cbb->binding.emsk_compound_mac, &mac_emsk, sizeof(cbb->binding.emsk_compound_mac)); } - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_CRYPTO_BINDING, true, sizeof(cbb->binding), (uint8_t *)&cbb->binding); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_CRYPTO_BINDING, true, sizeof(cbb->binding), (uint8_t *)&cbb->binding); } static int eap_teap_verify(REQUEST *request, tls_session_t *tls_session, uint8_t const *data, unsigned int data_len) @@ -365,7 +380,7 @@ unexpected: RDEBUG("Phase 2: - attribute %d is present", i); } } - eap_teap_send_error(tls_session, EAP_TEAP_ERR_UNEXPECTED_TLV); + eap_teap_send_error(request, tls_session, EAP_TEAP_ERR_UNEXPECTED_TLV); return 0; } @@ -1025,7 +1040,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *eap_session, t->identity_types[t->num_identities++] = vp->vp_short; /* RFC7170, Appendix C.6 */ - eap_teap_append_identity_type(tls_session, vp->vp_short); + eap_teap_append_identity_type(request, tls_session, vp->vp_short); if (t->default_method || t->eap_method[vp->vp_short]) { eap_teap_append_eap_identity_request(request, tls_session, eap_session); @@ -1125,7 +1140,7 @@ challenge: vp = fr_pair_find_by_num(reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY); if (vp) { doing_eap = true; - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, vp->vp_length, vp->vp_octets); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, vp->vp_length, vp->vp_octets); } /* @@ -1146,7 +1161,7 @@ challenge: t->sent_basic_password = true; RDEBUG("Phase 2: Sending Basic-Password-Auth-Req"); - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, vp->vp_length, vp->vp_strvalue); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, vp->vp_length, vp->vp_strvalue); } break; @@ -1468,6 +1483,8 @@ static PW_CODE eap_teap_crypto_binding(REQUEST *request, UNUSED eap_handler_t *e */ const EVP_MD *md = SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(tls_session->ssl)); + RDEBUG("Phase 2: Crypto-Binding flags=%d", flags); + /* * We verify cryptobinding MSK and EMSK, but we prefer * EMSK for the later IMCK deriviation. @@ -1761,7 +1778,7 @@ PW_CODE eap_teap_process(eap_handler_t *eap_session, tls_session_t *tls_session) vp = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); if (vp) { RDEBUG("Phase 2: Sending Identity-Type = %s", (vp->vp_short == 1) ? "User" : "Machine"); - eap_teap_append_identity_type(tls_session, vp->vp_short); + eap_teap_append_identity_type(request, tls_session, vp->vp_short); if (t->num_identities == 2) { RDEBUG("Phase 2: Configured to send too many identities, failing the session"); @@ -1783,7 +1800,7 @@ PW_CODE eap_teap_process(eap_handler_t *eap_session, tls_session_t *tls_session) } else { RDEBUG("Phase 2: No %s EAP method configured - sending Basic-Password-Auth-Req = \"\"", !vp ? "" : (vp->vp_short == 1) ? "User" : "Machine"); - eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, 0, ""); + eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, 0, ""); } t->stage = AUTHENTICATION;