From: Alan T. DeKok Date: Mon, 29 May 2023 19:42:46 +0000 (-0400) Subject: Remove rlm_soh X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f6c059c020fdcac74952d77310329397d1cc681;p=thirdparty%2Ffreeradius-server.git Remove rlm_soh Microsoft deprecated SoH / NAP in Windows Server 2012 E2, and removed it from Windows Server 2016. The NAP client was removed in Windows 10, in 2015 --- diff --git a/raddb/all.mk b/raddb/all.mk index b774e5de429..5e052ba4e9c 100644 --- a/raddb/all.mk +++ b/raddb/all.mk @@ -11,7 +11,7 @@ DEFAULT_MODULES := always attr_filter cache_eap chap client \ delay detail detail.log digest eap \ eap_inner echo escape exec files linelog logintime \ mschap ntlm_auth pap passwd radutmp \ - soh sradutmp stats unix unpack utf8 + sradutmp stats unix unpack utf8 LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES)) diff --git a/raddb/mods-available/soh b/raddb/mods-available/soh deleted file mode 100644 index 78bbfe1672f..00000000000 --- a/raddb/mods-available/soh +++ /dev/null @@ -1,29 +0,0 @@ -# -*- text -*- -# -# -# $Id$ - -####################################################################### -# -# = SoH Module -# -# The `soh` module is used for decoding Microsoft's "Statement of -# Health" sub-protocol. -# -# See the below link for additional information about the SoH Protocol. -# -# https://trustedcomputinggroup.org/resource/tnc-if-tnccs-protocol-bindings-for-soh-version-1-0/ -# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/WinArchive/[MS-SOH].pdf -# - -# -# ## Configuration Settings -# -soh { - # - # dhcp:: If enabled, It will do SoH over DHCP. - # - # Default is `no`. - # - dhcp = yes -} diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec index 7c1e3fd999c..a31f642973c 100644 --- a/redhat/freeradius.spec +++ b/redhat/freeradius.spec @@ -986,7 +986,6 @@ fi %{_libdir}/freeradius/rlm_radius.so %{_libdir}/freeradius/rlm_radius_udp.so %{_libdir}/freeradius/rlm_radutmp.so -%{_libdir}/freeradius/rlm_soh.so %{_libdir}/freeradius/rlm_sometimes.so %{_libdir}/freeradius/rlm_sql.so %{_libdir}/freeradius/rlm_sql_null.so diff --git a/src/modules/rlm_soh/README.md b/src/modules/rlm_soh/README.md deleted file mode 100644 index 61c0ebfeadd..00000000000 --- a/src/modules/rlm_soh/README.md +++ /dev/null @@ -1,8 +0,0 @@ -# rlm_soh -## Metadata -
-
category
authentication
-
- -## Summary -Implements support for Microsoft's Statement of Health (SoH) protocol, which can run inside of PEAP or DHCP. diff --git a/src/modules/rlm_soh/all.mk b/src/modules/rlm_soh/all.mk deleted file mode 100644 index f3085ec2d14..00000000000 --- a/src/modules/rlm_soh/all.mk +++ /dev/null @@ -1,7 +0,0 @@ -TARGETNAME := rlm_soh - -TARGET := $(TARGETNAME)$(L) -SOURCES := $(TARGETNAME).c - -TGT_PREREQS := libfreeradius-soh$(L) -LOG_ID_LIB = 48 diff --git a/src/modules/rlm_soh/rlm_soh.c b/src/modules/rlm_soh/rlm_soh.c deleted file mode 100644 index bdc566c7428..00000000000 --- a/src/modules/rlm_soh/rlm_soh.c +++ /dev/null @@ -1,312 +0,0 @@ -/* - * This program is is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - */ - -/** - * $Id$ - * @file rlm_soh.c - * @brief Decodes Microsoft's Statement of Health sub-protocol. - * - * @copyright 2010 Phil Mayers (p.mayers@imperial.ac.uk) - */ -RCSID("$Id$") - -#include -#include -#include -#include - -typedef struct { - bool dhcp; -} rlm_soh_t; - -static fr_dict_t const *dict_freeradius; -static fr_dict_t const *dict_dhcpv4; -static fr_dict_t const *dict_radius; - -extern fr_dict_autoload_t rlm_soh_dict[]; -fr_dict_autoload_t rlm_soh_dict[] = { - { .out = &dict_freeradius, .proto = "freeradius" }, - { .out = &dict_dhcpv4, .proto = "dhcpv4" }, - { .out = &dict_radius, .proto = "radius" }, - { NULL } -}; - -static fr_dict_attr_t const *attr_soh_supported; -static fr_dict_attr_t const *attr_soh_ms_machine_os_vendor; -static fr_dict_attr_t const *attr_soh_ms_machine_os_version; -static fr_dict_attr_t const *attr_soh_ms_machine_os_release; -static fr_dict_attr_t const *attr_soh_ms_machine_os_build; -static fr_dict_attr_t const *attr_soh_ms_machine_sp_version; -static fr_dict_attr_t const *attr_soh_ms_machine_sp_release; -static fr_dict_attr_t const *attr_ms_quarantine_soh; -static fr_dict_attr_t const *attr_ms_vendor; -static fr_dict_attr_t const *attr_dhcp_vendor; - -extern fr_dict_attr_autoload_t rlm_soh_dict_attr[]; -fr_dict_attr_autoload_t rlm_soh_dict_attr[] = { - { .out = &attr_soh_supported, .name = "SoH-Supported", .type = FR_TYPE_BOOL, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_os_vendor, .name = "SoH-MS-Machine-OS-vendor", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_os_version, .name = "SoH-MS-Machine-OS-version", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_os_release, .name = "SoH-MS-Machine-OS-release", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_os_build, .name = "SoH-MS-Machine-OS-build", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_sp_version, .name = "SoH-MS-Machine-SP-version", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_soh_ms_machine_sp_release, .name = "SoH-MS-Machine-SP-release", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, - { .out = &attr_ms_vendor, .name = "Vendor-Specific.Microsoft", .type = FR_TYPE_VENDOR, .dict = &dict_radius }, - { .out = &attr_ms_quarantine_soh, .name = "Vendor-Specific.Microsoft.Quarantine-SOH", .type = FR_TYPE_OCTETS, .dict = &dict_radius }, - { .out = &attr_dhcp_vendor, .name = "Vendor", .type = FR_TYPE_OCTETS, .dict = &dict_dhcpv4 }, - { NULL } -}; - -static xlat_arg_parser_t const soh_xlat_args[] = { - { .required = true, .single = true, .type = FR_TYPE_STRING }, - XLAT_ARG_PARSER_TERMINATOR -}; - -/** SoH xlat - * - * Not sure how to make this useful yet... - * - * @ingroup xlat_functions - */ -static xlat_action_t soh_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, - UNUSED xlat_ctx_t const *xctx, request_t *request, - fr_value_box_list_t *in) -{ - fr_value_box_t *in_head = fr_value_box_list_head(in); - fr_value_box_t *vb; - fr_pair_t* vp[6]; - char const *osname; - char buff[128]; - - /* - * There will be no point unless SoH-Supported = yes - */ - vp[0] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_supported); - if (!vp[0]) - return XLAT_ACTION_FAIL; - - - if (strncasecmp(in_head->vb_strvalue, "OS", 2) == 0) { - /* OS vendor */ - vp[0] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_os_vendor); - vp[1] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_os_version); - vp[2] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_os_release); - vp[3] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_os_build); - vp[4] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_sp_version); - vp[5] = fr_pair_find_by_da(&request->request_pairs, NULL, attr_soh_ms_machine_sp_release); - - if (vp[0] && vp[0]->vp_uint32 == attr_ms_vendor->attr) { - MEM(vb=fr_value_box_alloc_null(ctx)); - - if (!vp[1]) { - fr_value_box_bstrndup(ctx, vb, NULL, "Windows unknown", 15, false); - } else { - switch (vp[1]->vp_uint32) { - case 10: - osname = "10"; - break; - - case 6: - switch (vp[2]->vp_uint32) { - case 0: - osname = "Vista / Server 2008"; - break; - case 1: - osname = "7 / Server 2008 R2"; - break; - case 2: - osname = "8 / Server 2012"; - break; - case 3: - osname = "8.1 / Server 2012 R2"; - break; - default: - osname = "Other"; - break; - } - break; - - case 5: - switch (vp[2]->vp_uint32) { - case 0: - osname = "2000"; - break; - case 1: - osname = "XP"; - break; - case 2: - osname = "Server 2003"; - break; - default: - osname = "Other"; - break; - } - break; - - default: - osname = "Other"; - break; - } - snprintf(buff, 127, "Windows %s %d.%d.%d sp %d.%d", osname, vp[1]->vp_uint32, - vp[2] ? vp[2]->vp_uint32 : 0, - vp[3] ? vp[3]->vp_uint32 : 0, - vp[4] ? vp[4]->vp_uint32 : 0, - vp[5] ? vp[5]->vp_uint32 : 0); - fr_value_box_bstrndup(ctx, vb, NULL, buff, strlen(buff), false); - } - fr_dcursor_append(out, vb); - return XLAT_ACTION_DONE; - } - } - - return XLAT_ACTION_FAIL; -} - - -static const CONF_PARSER module_config[] = { - /* - * Do SoH over DHCP? - */ - { FR_CONF_OFFSET("dhcp", FR_TYPE_BOOL, rlm_soh_t, dhcp), .dflt = "no" }, - CONF_PARSER_TERMINATOR -}; - -static unlang_action_t CC_HINT(nonnull) mod_post_auth(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) -{ - int rcode; - fr_pair_t *vp; - rlm_soh_t const *inst = talloc_get_type_abort_const(mctx->inst->data, rlm_soh_t); - - if (!inst->dhcp) RETURN_MODULE_NOOP; - - vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_dhcp_vendor); - if (vp) { - /* - * vendor-specific options contain - * - * vendor opt 220/0xdc - SoH payload, or null byte to probe, or string - * "NAP" to indicate server-side support for SoH in OFFERs - * - * vendor opt 222/0xde - SoH correlation ID as utf-16 string, yuck... - */ - uint8_t vopt, vlen; - uint8_t const *data; - - data = vp->vp_octets; - while (data < vp->vp_octets + vp->vp_length) { - vopt = *data++; - vlen = *data++; - switch (vopt) { - case 220: - if (vlen <= 1) { - uint8_t *p; - - RDEBUG2("SoH adding NAP marker to DHCP reply"); - /* client probe; send "NAP" in the reply */ - MEM(vp = fr_pair_afrom_da(request->reply_ctx, attr_dhcp_vendor)); - MEM(fr_pair_value_mem_alloc(vp, &p, 5, false) == 0); - p[0] = 220; - p[1] = 3; - p[4] = 'N'; - p[3] = 'A'; - p[2] = 'P'; - fr_pair_append(&request->reply_pairs, vp); - - } else { - RDEBUG2("SoH decoding NAP from DHCP request"); - /* SoH payload */ - rcode = soh_verify(request, data, vlen); - if (rcode < 0) { - RETURN_MODULE_FAIL; - } - } - break; - - default: - /* nothing to do */ - break; - } - data += vlen; - } - RETURN_MODULE_OK; - } - - RETURN_MODULE_NOOP; -} - -static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request) -{ - fr_pair_t *vp; - int rv; - - /* try to find the MS-SoH payload */ - vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_ms_quarantine_soh); - if (!vp) { - RDEBUG2("SoH radius VP not found"); - RETURN_MODULE_NOOP; - } - - RDEBUG2("SoH radius VP found"); - /* decode it */ - rv = soh_verify(request, vp->vp_octets, vp->vp_length); - if (rv < 0) { - RETURN_MODULE_FAIL; - } - - RETURN_MODULE_OK; -} - -static int mod_bootstrap(module_inst_ctx_t const *mctx) -{ - rlm_soh_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_soh_t); - xlat_t *xlat; - - xlat = xlat_func_register_module(inst, mctx, mctx->inst->name, soh_xlat, FR_TYPE_STRING); - xlat_func_args_set(xlat, soh_xlat_args); - - return 0; -} - -static int mod_load(void) -{ - if (fr_soh_init() < 0) return -1; - - return 0; -} - -static void mod_unload(void) -{ - fr_soh_free(); -} - -extern module_rlm_t rlm_soh; -module_rlm_t rlm_soh = { - .common = { - .magic = MODULE_MAGIC_INIT, - .name = "soh", - .type = MODULE_TYPE_THREAD_SAFE, - .inst_size = sizeof(rlm_soh_t), - .config = module_config, - .onload = mod_load, - .unload = mod_unload, - .bootstrap = mod_bootstrap - }, - .method_names = (module_method_name_t[]){ - { .name1 = "recv", .name2 = CF_IDENT_ANY, .method = mod_authorize }, - { .name1 = "send", .name2 = CF_IDENT_ANY, .method = mod_post_auth }, - MODULE_NAME_TERMINATOR - } -}; diff --git a/src/modules/stable b/src/modules/stable index 11142af8dab..005c00f3b98 100644 --- a/src/modules/stable +++ b/src/modules/stable @@ -25,7 +25,6 @@ rlm_python rlm_radutmp rlm_redis rlm_rest -rlm_soh rlm_sql rlm_sqlcounter rlm_sqlippool