2013-05-03 21:04:40 +00:00
|
|
|
From 9a0bb5ada335017c5da35cb41333632ae5577a93 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
|
|
Date: Tue, 15 Jan 2013 11:11:27 -0500
|
|
|
|
Subject: [PATCH 1/4] Add internal KDC_DIR macro
|
|
|
|
|
|
|
|
Define KDC_DIR in osconf.hin and use it for paths within the KDC
|
|
|
|
directory.
|
|
|
|
---
|
|
|
|
src/include/osconf.hin | 21 +++++++++++----------
|
|
|
|
1 file changed, 11 insertions(+), 10 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
|
|
|
|
index c3a33c2..90ab86d 100644
|
|
|
|
--- a/src/include/osconf.hin
|
|
|
|
+++ b/src/include/osconf.hin
|
|
|
|
@@ -58,14 +58,15 @@
|
|
|
|
#define DEFAULT_PLUGIN_BASE_DIR "@LIBDIR/krb5/plugins"
|
|
|
|
#define PLUGIN_EXT "@DYNOBJEXT"
|
|
|
|
|
|
|
|
-#define DEFAULT_KDB_FILE "@LOCALSTATEDIR/krb5kdc/principal"
|
|
|
|
-#define DEFAULT_KEYFILE_STUB "@LOCALSTATEDIR/krb5kdc/.k5."
|
|
|
|
-#define KRB5_DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/krb5_adm.acl"
|
|
|
|
+#define KDC_DIR "@LOCALSTATEDIR/krb5kdc"
|
|
|
|
+#define DEFAULT_KDB_FILE KDC_DIR "/principal"
|
|
|
|
+#define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
|
|
|
|
+#define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
|
|
|
|
/* Used by old admin server */
|
|
|
|
-#define DEFAULT_ADMIN_ACL "@LOCALSTATEDIR/krb5kdc/kadm_old.acl"
|
|
|
|
+#define DEFAULT_ADMIN_ACL KDC_DIR "/kadm_old.acl"
|
|
|
|
|
|
|
|
/* Location of KDC profile */
|
|
|
|
-#define DEFAULT_KDC_PROFILE "@LOCALSTATEDIR/krb5kdc/kdc.conf"
|
|
|
|
+#define DEFAULT_KDC_PROFILE KDC_DIR "/kdc.conf"
|
|
|
|
#define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
|
|
|
|
|
|
|
|
#if TARGET_OS_MAC
|
|
|
|
@@ -93,8 +94,8 @@
|
|
|
|
/*
|
|
|
|
* Defaults for the KADM5 admin system.
|
|
|
|
*/
|
|
|
|
-#define DEFAULT_KADM5_KEYTAB "@LOCALSTATEDIR/krb5kdc/kadm5.keytab"
|
|
|
|
-#define DEFAULT_KADM5_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
|
|
|
|
+#define DEFAULT_KADM5_KEYTAB KDC_DIR "/kadm5.keytab"
|
|
|
|
+#define DEFAULT_KADM5_ACL_FILE KDC_DIR "/kadm5.acl"
|
|
|
|
#define DEFAULT_KADM5_PORT 749 /* assigned by IANA */
|
|
|
|
|
|
|
|
#define KRB5_DEFAULT_SUPPORTED_ENCTYPES \
|
|
|
|
@@ -116,12 +117,12 @@
|
|
|
|
* krb5 slave support follows
|
|
|
|
*/
|
|
|
|
|
|
|
|
-#define KPROP_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/slave_datatrans"
|
|
|
|
-#define KPROPD_DEFAULT_FILE "@LOCALSTATEDIR/krb5kdc/from_master"
|
|
|
|
+#define KPROP_DEFAULT_FILE KDC_DIR "/slave_datatrans"
|
|
|
|
+#define KPROPD_DEFAULT_FILE KDC_DIR "/from_master"
|
|
|
|
#define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
|
|
|
|
#define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
|
|
|
|
#define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
|
|
|
|
-#define KPROPD_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kpropd.acl"
|
|
|
|
+#define KPROPD_ACL_FILE KDC_DIR "/kpropd.acl"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* GSS mechglue
|
|
|
|
--
|
|
|
|
1.8.2.1
|
|
|
|
|
|
|
|
|
|
|
|
From 4ba748915908a45564d2e8a098cf107e39de3315 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
Date: Tue, 9 Apr 2013 11:17:04 -0400
|
|
|
|
Subject: [PATCH 2/4] add k5memdup()
|
|
|
|
|
|
|
|
---
|
|
|
|
src/include/k5-int.h | 11 +++++++++++
|
|
|
|
1 file changed, 11 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
|
|
|
index 75e6783..7b5ab2c 100644
|
|
|
|
--- a/src/include/k5-int.h
|
|
|
|
+++ b/src/include/k5-int.h
|
|
|
|
@@ -2600,6 +2600,17 @@ k5alloc(size_t len, krb5_error_code *code)
|
|
|
|
return ptr;
|
|
|
|
}
|
|
|
|
|
|
|
|
+/* Return a copy of the len bytes of memory at in; set *code to 0 or ENOMEM. */
|
|
|
|
+static inline void *
|
|
|
|
+k5memdup(const void *in, size_t len, krb5_error_code *code)
|
|
|
|
+{
|
|
|
|
+ void *ptr = k5alloc(len, code);
|
|
|
|
+
|
|
|
|
+ if (ptr != NULL)
|
|
|
|
+ memcpy(ptr, in, len);
|
|
|
|
+ return ptr;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
krb5_error_code KRB5_CALLCONV
|
|
|
|
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
|
|
|
|
krb5_ccache ccache,
|
|
|
|
--
|
|
|
|
1.8.2.1
|
|
|
|
|
|
|
|
|
|
|
|
From f98e3f2569996d84c968852b50f76173203e568f Mon Sep 17 00:00:00 2001
|
2013-04-09 18:06:33 +00:00
|
|
|
From: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
Date: Thu, 4 Apr 2013 13:39:21 -0400
|
2013-05-03 21:04:40 +00:00
|
|
|
Subject: [PATCH 3/4] add libkrad
|
2013-04-09 18:06:33 +00:00
|
|
|
|
|
|
|
---
|
|
|
|
src/configure.in | 2 +-
|
|
|
|
src/include/Makefile.in | 1 +
|
|
|
|
src/include/krad.h | 267 ++++++++++++++++++++++
|
|
|
|
src/lib/Makefile.in | 2 +-
|
|
|
|
src/lib/krad/Makefile.in | 74 ++++++
|
|
|
|
src/lib/krad/attr.c | 317 ++++++++++++++++++++++++++
|
|
|
|
src/lib/krad/attrset.c | 244 ++++++++++++++++++++
|
|
|
|
src/lib/krad/client.c | 335 ++++++++++++++++++++++++++++
|
|
|
|
src/lib/krad/code.c | 111 +++++++++
|
|
|
|
src/lib/krad/deps | 156 +++++++++++++
|
|
|
|
src/lib/krad/internal.h | 155 +++++++++++++
|
|
|
|
src/lib/krad/libkrad.exports | 23 ++
|
2013-05-03 21:04:40 +00:00
|
|
|
src/lib/krad/packet.c | 470 +++++++++++++++++++++++++++++++++++++++
|
2013-04-09 18:06:33 +00:00
|
|
|
src/lib/krad/remote.c | 519 +++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
src/lib/krad/t_attr.c | 89 ++++++++
|
|
|
|
src/lib/krad/t_attrset.c | 98 ++++++++
|
|
|
|
src/lib/krad/t_client.c | 126 +++++++++++
|
|
|
|
src/lib/krad/t_code.c | 54 +++++
|
|
|
|
src/lib/krad/t_daemon.h | 92 ++++++++
|
|
|
|
src/lib/krad/t_daemon.py | 76 +++++++
|
|
|
|
src/lib/krad/t_packet.c | 194 ++++++++++++++++
|
|
|
|
src/lib/krad/t_remote.c | 170 ++++++++++++++
|
|
|
|
src/lib/krad/t_test.c | 50 +++++
|
|
|
|
src/lib/krad/t_test.h | 60 +++++
|
2013-05-03 21:04:40 +00:00
|
|
|
24 files changed, 3683 insertions(+), 2 deletions(-)
|
2013-04-09 18:06:33 +00:00
|
|
|
create mode 100644 src/include/krad.h
|
|
|
|
create mode 100644 src/lib/krad/Makefile.in
|
|
|
|
create mode 100644 src/lib/krad/attr.c
|
|
|
|
create mode 100644 src/lib/krad/attrset.c
|
|
|
|
create mode 100644 src/lib/krad/client.c
|
|
|
|
create mode 100644 src/lib/krad/code.c
|
|
|
|
create mode 100644 src/lib/krad/deps
|
|
|
|
create mode 100644 src/lib/krad/internal.h
|
|
|
|
create mode 100644 src/lib/krad/libkrad.exports
|
|
|
|
create mode 100644 src/lib/krad/packet.c
|
|
|
|
create mode 100644 src/lib/krad/remote.c
|
|
|
|
create mode 100644 src/lib/krad/t_attr.c
|
|
|
|
create mode 100644 src/lib/krad/t_attrset.c
|
|
|
|
create mode 100644 src/lib/krad/t_client.c
|
|
|
|
create mode 100644 src/lib/krad/t_code.c
|
|
|
|
create mode 100644 src/lib/krad/t_daemon.h
|
|
|
|
create mode 100644 src/lib/krad/t_daemon.py
|
|
|
|
create mode 100644 src/lib/krad/t_packet.c
|
|
|
|
create mode 100644 src/lib/krad/t_remote.c
|
|
|
|
create mode 100644 src/lib/krad/t_test.c
|
|
|
|
create mode 100644 src/lib/krad/t_test.h
|
|
|
|
|
|
|
|
diff --git a/src/configure.in b/src/configure.in
|
|
|
|
index faf93a1..d8676e5 100644
|
|
|
|
--- a/src/configure.in
|
|
|
|
+++ b/src/configure.in
|
|
|
|
@@ -1318,7 +1318,7 @@ dnl lib/krb5/ccache/ccapi
|
|
|
|
lib/rpc lib/rpc/unit-test
|
|
|
|
|
|
|
|
lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
|
|
|
|
-
|
|
|
|
+ lib/krad
|
|
|
|
lib/apputils
|
|
|
|
|
|
|
|
dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
|
|
|
|
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
|
|
|
|
index c69b809..869b04b 100644
|
|
|
|
--- a/src/include/Makefile.in
|
|
|
|
+++ b/src/include/Makefile.in
|
|
|
|
@@ -145,5 +145,6 @@ install-headers-unix install:: krb5/krb5.h profile.h
|
|
|
|
$(INSTALL_DATA) $(srcdir)/krb5/kadm5_hook_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kadm5_hook_plugin.h
|
|
|
|
$(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h
|
|
|
|
$(INSTALL_DATA) $(srcdir)/gssapi.h $(DESTDIR)$(KRB5_INCDIR)$(S)gssapi.h
|
|
|
|
+ $(INSTALL_DATA) $(srcdir)/krad.h $(DESTDIR)$(KRB5_INCDIR)/krad.h
|
|
|
|
|
|
|
|
depend:: krb5/krb5.h $(BUILT_HEADERS)
|
|
|
|
diff --git a/src/include/krad.h b/src/include/krad.h
|
|
|
|
new file mode 100644
|
2013-05-03 21:04:40 +00:00
|
|
|
index 0000000..e6d5766
|
2013-04-09 18:06:33 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/include/krad.h
|
|
|
|
@@ -0,0 +1,267 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * This API is not considered as stable as the main krb5 API.
|
|
|
|
+ *
|
|
|
|
+ * - We may make arbitrary incompatible changes between feature releases
|
|
|
|
+ * (e.g. from 1.12 to 1.13).
|
|
|
|
+ * - We will make some effort to avoid making incompatible changes for
|
|
|
|
+ * bugfix releases, but will make them if necessary.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#ifndef KRAD_H_
|
|
|
|
+#define KRAD_H_
|
|
|
|
+
|
|
|
|
+#include <krb5.h>
|
|
|
|
+#include <verto.h>
|
|
|
|
+#include <stddef.h>
|
|
|
|
+#include <stdio.h>
|
|
|
|
+
|
|
|
|
+#define KRAD_PACKET_SIZE_MAX 4096
|
|
|
|
+
|
|
|
|
+#define KRAD_SERVICE_TYPE_LOGIN 1
|
|
|
|
+#define KRAD_SERVICE_TYPE_FRAMED 2
|
|
|
|
+#define KRAD_SERVICE_TYPE_CALLBACK_LOGIN 3
|
|
|
|
+#define KRAD_SERVICE_TYPE_CALLBACK_FRAMED 4
|
|
|
|
+#define KRAD_SERVICE_TYPE_OUTBOUND 5
|
|
|
|
+#define KRAD_SERVICE_TYPE_ADMINISTRATIVE 6
|
|
|
|
+#define KRAD_SERVICE_TYPE_NAS_PROMPT 7
|
|
|
|
+#define KRAD_SERVICE_TYPE_AUTHENTICATE_ONLY 8
|
|
|
|
+#define KRAD_SERVICE_TYPE_CALLBACK_NAS_PROMPT 9
|
|
|
|
+#define KRAD_SERVICE_TYPE_CALL_CHECK 10
|
|
|
|
+#define KRAD_SERVICE_TYPE_CALLBACK_ADMINISTRATIVE 11
|
|
|
|
+
|
|
|
|
+typedef struct krad_attrset_st krad_attrset;
|
|
|
|
+typedef struct krad_packet_st krad_packet;
|
|
|
|
+typedef struct krad_client_st krad_client;
|
|
|
|
+typedef unsigned char krad_code;
|
|
|
|
+typedef unsigned char krad_attr;
|
|
|
|
+
|
|
|
|
+/* Called when a response is received or the request times out. */
|
|
|
|
+typedef void
|
|
|
|
+(*krad_cb)(krb5_error_code retval, const krad_packet *request,
|
|
|
|
+ const krad_packet *response, void *data);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Called to iterate over a set of requests. Either the callback will be
|
|
|
|
+ * called until it returns NULL, or it will be called with cancel = TRUE to
|
|
|
|
+ * terminate in the middle of an iteration.
|
|
|
|
+ */
|
|
|
|
+typedef const krad_packet *
|
|
|
|
+(*krad_packet_iter_cb)(void *data, krb5_boolean cancel);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Code
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/* Convert a code name to its number. Only works for codes defined
|
|
|
|
+ * by RFC 2875 or 2882. Returns 0 if the name was not found. */
|
|
|
|
+krad_code
|
|
|
|
+krad_code_name2num(const char *name);
|
|
|
|
+
|
|
|
|
+/* Convert a code number to its name. Only works for attributes defined
|
|
|
|
+ * by RFC 2865 or 2882. Returns NULL if the name was not found. */
|
|
|
|
+const char *
|
|
|
|
+krad_code_num2name(krad_code code);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Attribute
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/* Convert an attribute name to its number. Only works for attributes defined
|
|
|
|
+ * by RFC 2865. Returns 0 if the name was not found. */
|
|
|
|
+krad_attr
|
|
|
|
+krad_attr_name2num(const char *name);
|
|
|
|
+
|
|
|
|
+/* Convert an attribute number to its name. Only works for attributes defined
|
|
|
|
+ * by RFC 2865. Returns NULL if the name was not found. */
|
|
|
|
+const char *
|
|
|
|
+krad_attr_num2name(krad_attr type);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Attribute set
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/* Create a new attribute set. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_new(krb5_context ctx, krad_attrset **set);
|
|
|
|
+
|
|
|
|
+/* Create a deep copy of an attribute set. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_copy(const krad_attrset *set, krad_attrset **copy);
|
|
|
|
+
|
|
|
|
+/* Free an attribute set. */
|
|
|
|
+void
|
|
|
|
+krad_attrset_free(krad_attrset *set);
|
|
|
|
+
|
|
|
|
+/* Add an attribute to a set. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_add(krad_attrset *set, krad_attr type, const krb5_data *data);
|
|
|
|
+
|
|
|
|
+/* Add a four-octet unsigned number attribute to the given set. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_add_number(krad_attrset *set, krad_attr type, krb5_ui_4 num);
|
|
|
|
+
|
|
|
|
+/* Delete the specified attribute. */
|
|
|
|
+void
|
|
|
|
+krad_attrset_del(krad_attrset *set, krad_attr type, size_t indx);
|
|
|
|
+
|
|
|
|
+/* Get the specified attribute. */
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_attrset_get(const krad_attrset *set, krad_attr type, size_t indx);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Packet
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/* Determine the bytes needed from the socket to get the whole packet. Don't
|
|
|
|
+ * cache the return value as it can change! Returns -1 on EBADMSG. */
|
|
|
|
+ssize_t
|
|
|
|
+krad_packet_bytes_needed(const krb5_data *buffer);
|
|
|
|
+
|
|
|
|
+/* Free a packet. */
|
|
|
|
+void
|
|
|
|
+krad_packet_free(krad_packet *pkt);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Create a new request packet.
|
|
|
|
+ *
|
|
|
|
+ * This function takes the attributes specified in set and converts them into a
|
|
|
|
+ * radius packet. The packet will have a randomized id. If cb is not NULL, it
|
|
|
|
+ * will be called passing data as the argument to iterate over a set of
|
|
|
|
+ * outstanding requests. In this case, the id will be both random and unique
|
|
|
|
+ * across the set of requests.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
|
|
|
|
+ const krad_attrset *set, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, krad_packet **request);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Create a new response packet.
|
|
|
|
+ *
|
|
|
|
+ * This function is similar to krad_packet_new_requst() except that it crafts a
|
|
|
|
+ * packet in response to a request packet. This new packet will borrow values
|
|
|
|
+ * from the request such as the id and the authenticator.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
|
|
|
|
+ const krad_attrset *set, const krad_packet *request,
|
|
|
|
+ krad_packet **response);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Decode a request radius packet from krb5_data.
|
|
|
|
+ *
|
|
|
|
+ * The resulting decoded packet will be a request packet stored in *reqpkt.
|
|
|
|
+ *
|
|
|
|
+ * If cb is NULL, *duppkt will always be NULL.
|
|
|
|
+ *
|
|
|
|
+ * If cb is not NULL, it will be called (with the data argument) to iterate
|
|
|
|
+ * over a set of requests currently being processed. In this case, if the
|
|
|
|
+ * packet is a duplicate of an already received request, the original request
|
|
|
|
+ * will be set in *duppkt.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_decode_request(krb5_context ctx, const char *secret,
|
|
|
|
+ const krb5_data *buffer, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, const krad_packet **duppkt,
|
|
|
|
+ krad_packet **reqpkt);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Decode a response radius packet from krb5_data.
|
|
|
|
+ *
|
|
|
|
+ * The resulting decoded packet will be a response packet stored in *rsppkt.
|
|
|
|
+ *
|
|
|
|
+ * If cb is NULL, *reqpkt will always be NULL.
|
|
|
|
+ *
|
|
|
|
+ * If cb is not NULL, it will be called (with the data argument) to iterate
|
|
|
|
+ * over a set of requests awaiting responses. In this case, if the response
|
|
|
|
+ * packet matches one of these requests, the original request will be set in
|
|
|
|
+ * *reqpkt.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_decode_response(krb5_context ctx, const char *secret,
|
|
|
|
+ const krb5_data *buffer, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, const krad_packet **reqpkt,
|
|
|
|
+ krad_packet **rsppkt);
|
|
|
|
+
|
|
|
|
+/* Encode packet. */
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_packet_encode(const krad_packet *pkt);
|
|
|
|
+
|
|
|
|
+/* Get the code for the given packet. */
|
|
|
|
+krad_code
|
|
|
|
+krad_packet_get_code(const krad_packet *pkt);
|
|
|
|
+
|
|
|
|
+/* Get the specified attribute. */
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_packet_get_attr(const krad_packet *pkt, krad_attr type, size_t indx);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Client
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+/* Create a new client. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **client);
|
|
|
|
+
|
|
|
|
+/* Free the client. */
|
|
|
|
+void
|
|
|
|
+krad_client_free(krad_client *client);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Send a request to a radius server.
|
|
|
|
+ *
|
|
|
|
+ * The remote host may be specified by one of the following formats:
|
|
|
|
+ * - /path/to/unix.socket
|
|
|
|
+ * - IPv4
|
|
|
|
+ * - IPv4:port
|
|
|
|
+ * - IPv4:service
|
|
|
|
+ * - [IPv6]
|
|
|
|
+ * - [IPv6]:port
|
|
|
|
+ * - [IPv6]:service
|
|
|
|
+ * - hostname
|
|
|
|
+ * - hostname:port
|
|
|
|
+ * - hostname:service
|
|
|
|
+ *
|
|
|
|
+ * The timeout parameter (milliseconds) is the total timeout across all remote
|
|
|
|
+ * hosts (when DNS returns multiple entries) and all retries.
|
|
|
|
+ *
|
|
|
|
+ * The cb function will be called with the data argument when either a response
|
|
|
|
+ * is received or the request times out on all possible remote hosts.
|
|
|
|
+ *
|
|
|
|
+ * If the remote host is a unix domain socket, retries is ignored due to
|
|
|
|
+ * guaranteed delivery.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_client_send(krad_client *rc, krad_code code, const krad_attrset *attrs,
|
2013-05-03 21:04:40 +00:00
|
|
|
+ const char *remote, const char *secret, int timeout,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ size_t retries, krad_cb cb, void *data);
|
|
|
|
+
|
|
|
|
+#endif /* KRAD_H_ */
|
|
|
|
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
|
|
|
|
index 485db40..4dde514 100644
|
|
|
|
--- a/src/lib/Makefile.in
|
|
|
|
+++ b/src/lib/Makefile.in
|
|
|
|
@@ -1,5 +1,5 @@
|
|
|
|
mydir=lib
|
|
|
|
-SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils
|
|
|
|
+SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils krad
|
|
|
|
WINSUBDIRS=crypto krb5 gssapi
|
|
|
|
BUILDTOP=$(REL)..
|
|
|
|
|
|
|
|
diff --git a/src/lib/krad/Makefile.in b/src/lib/krad/Makefile.in
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..75431a0
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/Makefile.in
|
|
|
|
@@ -0,0 +1,74 @@
|
|
|
|
+mydir=lib$(S)krad
|
|
|
|
+BUILDTOP=$(REL)..$(S)..
|
|
|
|
+RELDIR=krad
|
|
|
|
+
|
|
|
|
+RUN_SETUP=@KRB5_RUN_ENV@
|
|
|
|
+PROG_LIBPATH=-L$(TOPLIBD)
|
|
|
|
+PROG_RPATH=$(KRB5_LIBDIR)
|
|
|
|
+
|
|
|
|
+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) $(VERTO_LIBS)
|
|
|
|
+SHLIB_EXPDEPLIBS=$(KRB5_BASE_DEPLIBS) $(VERTO_DEPLIB)
|
|
|
|
+SHLIB_DIRS=-L$(TOPLIBD)
|
|
|
|
+SHLIB_RDIRS=$(KRB5_LIBDIR)
|
|
|
|
+
|
|
|
|
+LIBBASE=krad
|
|
|
|
+LIBMAJOR=0
|
|
|
|
+LIBMINOR=0
|
|
|
|
+
|
|
|
|
+STLIBOBJS=attr.o attrset.o client.o code.o packet.o remote.o
|
|
|
|
+LIBOBJS=$(OUTPRE)attr.$(OBJEXT) \
|
|
|
|
+ $(OUTPRE)attrset.$(OBJEXT) \
|
|
|
|
+ $(OUTPRE)client.$(OBJEXT) \
|
|
|
|
+ $(OUTPRE)code.$(OBJEXT) \
|
|
|
|
+ $(OUTPRE)packet.$(OBJEXT) \
|
|
|
|
+ $(OUTPRE)remote.$(OBJEXT)
|
|
|
|
+SRCS=attr.c attrset.c client.c code.c packet.c remote.c \
|
|
|
|
+ t_attr.c t_attrset.c t_client.c t_code.c t_packet.c t_remote.c t_test.c
|
|
|
|
+
|
|
|
|
+STOBJLISTS=OBJS.ST
|
|
|
|
+
|
|
|
|
+all-unix:: all-liblinks
|
|
|
|
+install-unix:: install-libs
|
|
|
|
+
|
|
|
|
+clean-unix:: clean-liblinks clean-libs clean-libobjs
|
|
|
|
+
|
|
|
|
+check-unix:: t_attr t_attrset t_code t_packet t_remote t_client
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_attr
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_attrset
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_code
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_packet $(PYTHON) $(srcdir)/t_daemon.py
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_remote $(PYTHON) $(srcdir)/t_daemon.py
|
|
|
|
+ $(RUN_SETUP) $(VALGRIND) ./t_client $(PYTHON) $(srcdir)/t_daemon.py
|
|
|
|
+
|
|
|
|
+TESTDEPS=t_test.o $(KRB5_BASE_DEPLIBS)
|
|
|
|
+TESTLIBS=t_test.o $(KRB5_BASE_LIBS)
|
|
|
|
+
|
|
|
|
+T_ATTR_OBJS=attr.o t_attr.o
|
|
|
|
+t_attr: $(T_ATTR_OBJS) $(TESTDEPS)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_ATTR_OBJS) $(TESTLIBS)
|
|
|
|
+
|
|
|
|
+T_ATTRSET_OBJS=attr.o attrset.o t_attrset.o
|
|
|
|
+t_attrset: $(T_ATTRSET_OBJS) $(TESTDEPS)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_ATTRSET_OBJS) $(TESTLIBS)
|
|
|
|
+
|
|
|
|
+T_CODE_OBJS=code.o t_code.o
|
|
|
|
+t_code: $(T_CODE_OBJS) $(TESTDEPS)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_CODE_OBJS) $(TESTLIBS)
|
|
|
|
+
|
|
|
|
+T_PACKET_OBJS=attr.o attrset.o code.o packet.o t_packet.o
|
|
|
|
+t_packet: $(T_PACKET_OBJS) $(TESTDEPS)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_PACKET_OBJS) $(TESTLIBS)
|
|
|
|
+
|
|
|
|
+T_REMOTE_OBJS=attr.o attrset.o code.o packet.o remote.o t_remote.o
|
|
|
|
+t_remote: $(T_REMOTE_OBJS) $(TESTDEPS) $(VERTO_DEPLIB)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_REMOTE_OBJS) $(TESTLIBS) $(VERTO_LIBS)
|
|
|
|
+
|
|
|
|
+T_CLIENT_OBJS=attr.o attrset.o code.o packet.o remote.o client.o t_client.o
|
|
|
|
+t_client: $(T_CLIENT_OBJS) $(TESTDEPS) $(VERTO_DEPLIB)
|
|
|
|
+ $(CC_LINK) -o $@ $(T_CLIENT_OBJS) $(TESTLIBS) $(VERTO_LIBS)
|
|
|
|
+
|
|
|
|
+clean-unix:: clean-libobjs
|
|
|
|
+ $(RM) *.o t_attr t_attrset t_code t_packet t_remote t_client
|
|
|
|
+
|
|
|
|
+@lib_frag@
|
|
|
|
+@libobj_frag@
|
|
|
|
diff --git a/src/lib/krad/attr.c b/src/lib/krad/attr.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..9c13d9d
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/attr.c
|
|
|
|
@@ -0,0 +1,317 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/attr.c - RADIUS attribute functions for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include <k5-int.h>
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+
|
|
|
|
+/* RFC 2865 */
|
|
|
|
+#define BLOCKSIZE 16
|
|
|
|
+
|
|
|
|
+typedef krb5_error_code
|
|
|
|
+(*attribute_transform_fn)(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+typedef struct {
|
|
|
|
+ const char *name;
|
|
|
|
+ unsigned char minval;
|
|
|
|
+ unsigned char maxval;
|
|
|
|
+ attribute_transform_fn encode;
|
|
|
|
+ attribute_transform_fn decode;
|
|
|
|
+} attribute_record;
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+user_password_encode(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+user_password_decode(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+static const attribute_record attributes[UCHAR_MAX] = {
|
|
|
|
+ {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"User-Password", 1, 128, user_password_encode, user_password_decode},
|
|
|
|
+ {"CHAP-Password", 17, 17, NULL, NULL},
|
|
|
|
+ {"NAS-IP-Address", 4, 4, NULL, NULL},
|
|
|
|
+ {"NAS-Port", 4, 4, NULL, NULL},
|
|
|
|
+ {"Service-Type", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-Protocol", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-IP-Address", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-IP-Netmask", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-Routing", 4, 4, NULL, NULL},
|
|
|
|
+ {"Filter-Id", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Framed-MTU", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-Compression", 4, 4, NULL, NULL},
|
|
|
|
+ {"Login-IP-Host", 4, 4, NULL, NULL},
|
|
|
|
+ {"Login-Service", 4, 4, NULL, NULL},
|
|
|
|
+ {"Login-TCP-Port", 4, 4, NULL, NULL},
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Unassigned */
|
|
|
|
+ {"Reply-Message", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Callback-Number", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Callback-Id", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Unassigned */
|
|
|
|
+ {"Framed-Route", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Framed-IPX-Network", 4, 4, NULL, NULL},
|
|
|
|
+ {"State", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Class", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Vendor-Specific", 5, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Session-Timeout", 4, 4, NULL, NULL},
|
|
|
|
+ {"Idle-Timeout", 4, 4, NULL, NULL},
|
|
|
|
+ {"Termination-Action", 4, 4, NULL, NULL},
|
|
|
|
+ {"Called-Station-Id", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Calling-Station-Id", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"NAS-Identifier", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Proxy-State", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Login-LAT-Service", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Login-LAT-Node", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"Login-LAT-Group", 32, 32, NULL, NULL},
|
|
|
|
+ {"Framed-AppleTalk-Link", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-AppleTalk-Network", 4, 4, NULL, NULL},
|
|
|
|
+ {"Framed-AppleTalk-Zone", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
|
|
|
|
+ {"CHAP-Challenge", 5, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+ {"NAS-Port-Type", 4, 4, NULL, NULL},
|
|
|
|
+ {"Port-Limit", 4, 4, NULL, NULL},
|
|
|
|
+ {"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL},
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+/* Encode User-Password attribute. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+user_password_encode(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
|
|
|
|
+{
|
|
|
|
+ const unsigned char *indx;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ unsigned int seclen;
|
|
|
|
+ krb5_checksum sum;
|
|
|
|
+ size_t blck, len, i;
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ /* Copy the input buffer to the (zero-padded) output buffer. */
|
|
|
|
+ len = (in->length + BLOCKSIZE - 1) / BLOCKSIZE * BLOCKSIZE;
|
|
|
|
+ if (len > MAX_ATTRSIZE)
|
|
|
|
+ return ENOBUFS;
|
|
|
|
+ memset(outbuf, 0, len);
|
|
|
|
+ memcpy(outbuf, in->data, in->length);
|
|
|
|
+
|
|
|
|
+ /* Create our temporary space for processing each block. */
|
|
|
|
+ seclen = strlen(secret);
|
|
|
|
+ retval = alloc_data(&tmp, seclen + BLOCKSIZE);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ memcpy(tmp.data, secret, seclen);
|
|
|
|
+ for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) {
|
|
|
|
+ memcpy(tmp.data + seclen, indx, BLOCKSIZE);
|
|
|
|
+
|
|
|
|
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
|
|
|
|
+ &sum);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ zap(tmp.data, tmp.length);
|
|
|
|
+ zap(outbuf, len);
|
|
|
|
+ krb5_free_data_contents(ctx, &tmp);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ for (i = 0; i < BLOCKSIZE; i++)
|
|
|
|
+ outbuf[blck * BLOCKSIZE + i] ^= sum.contents[i];
|
|
|
|
+ krb5_free_checksum_contents(ctx, &sum);
|
|
|
|
+
|
|
|
|
+ indx = &outbuf[blck * BLOCKSIZE];
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ zap(tmp.data, tmp.length);
|
|
|
|
+ krb5_free_data_contents(ctx, &tmp);
|
|
|
|
+ *outlen = len;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode User-Password attribute. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+user_password_decode(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
|
|
|
|
+{
|
|
|
|
+ const unsigned char *indx;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ unsigned int seclen;
|
|
|
|
+ krb5_checksum sum;
|
|
|
|
+ ssize_t blck, i;
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ if (in->length % BLOCKSIZE != 0)
|
|
|
|
+ return EINVAL;
|
|
|
|
+ if (in->length > MAX_ATTRSIZE)
|
|
|
|
+ return ENOBUFS;
|
|
|
|
+
|
|
|
|
+ /* Create our temporary space for processing each block. */
|
|
|
|
+ seclen = strlen(secret);
|
|
|
|
+ retval = alloc_data(&tmp, seclen + BLOCKSIZE);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ memcpy(tmp.data, secret, seclen);
|
|
|
|
+ for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) {
|
|
|
|
+ memcpy(tmp.data + seclen, indx, BLOCKSIZE);
|
|
|
|
+
|
|
|
|
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
|
|
|
|
+ &tmp, &sum);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ zap(tmp.data, tmp.length);
|
|
|
|
+ zap(outbuf, in->length);
|
|
|
|
+ krb5_free_data_contents(ctx, &tmp);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ for (i = 0; i < BLOCKSIZE; i++) {
|
|
|
|
+ outbuf[blck * BLOCKSIZE + i] = in->data[blck * BLOCKSIZE + i] ^
|
|
|
|
+ sum.contents[i];
|
|
|
|
+ }
|
|
|
|
+ krb5_free_checksum_contents(ctx, &sum);
|
|
|
|
+
|
|
|
|
+ indx = (const unsigned char *)&in->data[blck * BLOCKSIZE];
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Strip off trailing NULL bytes. */
|
|
|
|
+ *outlen = in->length;
|
|
|
|
+ while (*outlen > 0 && outbuf[*outlen - 1] == '\0')
|
|
|
|
+ (*outlen)--;
|
|
|
|
+
|
|
|
|
+ krb5_free_data_contents(ctx, &tmp);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_valid(krad_attr type, const krb5_data *data)
|
|
|
|
+{
|
|
|
|
+ const attribute_record *ar;
|
|
|
|
+
|
|
|
|
+ if (type == 0)
|
|
|
|
+ return EINVAL;
|
|
|
|
+
|
|
|
|
+ ar = &attributes[type - 1];
|
|
|
|
+ return (data->length >= ar->minval && data->length <= ar->maxval) ? 0 :
|
|
|
|
+ EMSGSIZE;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_encode(krb5_context ctx, const char *secret,
|
|
|
|
+ const unsigned char *auth, krad_attr type,
|
|
|
|
+ const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE],
|
|
|
|
+ size_t *outlen)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+
|
|
|
|
+ retval = kr_attr_valid(type, in);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ if (attributes[type - 1].encode == NULL) {
|
|
|
|
+ if (in->length > MAX_ATTRSIZE)
|
|
|
|
+ return ENOBUFS;
|
|
|
|
+
|
|
|
|
+ *outlen = in->length;
|
|
|
|
+ memcpy(outbuf, in->data, in->length);
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
|
|
|
+ krad_attr type, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+
|
|
|
|
+ retval = kr_attr_valid(type, in);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ if (attributes[type - 1].encode == NULL) {
|
|
|
|
+ if (in->length > MAX_ATTRSIZE)
|
|
|
|
+ return ENOBUFS;
|
|
|
|
+
|
|
|
|
+ *outlen = in->length;
|
|
|
|
+ memcpy(outbuf, in->data, in->length);
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krad_attr
|
|
|
|
+krad_attr_name2num(const char *name)
|
|
|
|
+{
|
|
|
|
+ unsigned char i;
|
|
|
|
+
|
|
|
|
+ for (i = 0; i < UCHAR_MAX; i++) {
|
|
|
|
+ if (attributes[i].name == NULL)
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ if (strcmp(attributes[i].name, name) == 0)
|
|
|
|
+ return i + 1;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+const char *
|
|
|
|
+krad_attr_num2name(krad_attr type)
|
|
|
|
+{
|
|
|
|
+ if (type == 0)
|
|
|
|
+ return NULL;
|
|
|
|
+
|
|
|
|
+ return attributes[type - 1].name;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..fbd0621
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/attrset.c
|
|
|
|
@@ -0,0 +1,244 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/attrset.c - RADIUS attribute set functions for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include <k5-int.h>
|
|
|
|
+#include <k5-queue.h>
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+
|
|
|
|
+TAILQ_HEAD(attr_head, attr_st);
|
|
|
|
+
|
|
|
|
+typedef struct attr_st attr;
|
|
|
|
+struct attr_st {
|
|
|
|
+ TAILQ_ENTRY(attr_st) list;
|
|
|
|
+ krad_attr type;
|
|
|
|
+ krb5_data attr;
|
|
|
|
+ char buffer[MAX_ATTRSIZE];
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+struct krad_attrset_st {
|
|
|
|
+ krb5_context ctx;
|
|
|
|
+ struct attr_head list;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_new(krb5_context ctx, krad_attrset **set)
|
|
|
|
+{
|
|
|
|
+ krad_attrset *tmp;
|
|
|
|
+
|
|
|
|
+ tmp = calloc(1, sizeof(krad_attrset));
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ tmp->ctx = ctx;
|
|
|
|
+ TAILQ_INIT(&tmp->list);
|
|
|
|
+
|
|
|
|
+ *set = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+krad_attrset_free(krad_attrset *set)
|
|
|
|
+{
|
|
|
|
+ attr *a;
|
|
|
|
+
|
|
|
|
+ if (set == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ while (!TAILQ_EMPTY(&set->list)) {
|
|
|
|
+ a = TAILQ_FIRST(&set->list);
|
|
|
|
+ TAILQ_REMOVE(&set->list, a, list);
|
|
|
|
+ zap(a->buffer, sizeof(a->buffer));
|
|
|
|
+ free(a);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ free(set);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_add(krad_attrset *set, krad_attr type, const krb5_data *data)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ attr *tmp;
|
|
|
|
+
|
|
|
|
+ retval = kr_attr_valid(type, data);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ tmp = calloc(1, sizeof(attr));
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ tmp->type = type;
|
|
|
|
+ tmp->attr = make_data(tmp->buffer, data->length);
|
|
|
|
+ memcpy(tmp->attr.data, data->data, data->length);
|
|
|
|
+
|
|
|
|
+ TAILQ_INSERT_TAIL(&set->list, tmp, list);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_add_number(krad_attrset *set, krad_attr type, krb5_ui_4 num)
|
|
|
|
+{
|
|
|
|
+ krb5_data data;
|
|
|
|
+
|
|
|
|
+ num = htonl(num);
|
|
|
|
+ data = make_data(&num, sizeof(num));
|
|
|
|
+ return krad_attrset_add(set, type, &data);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+krad_attrset_del(krad_attrset *set, krad_attr type, size_t indx)
|
|
|
|
+{
|
|
|
|
+ attr *a;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(a, &set->list, list) {
|
|
|
|
+ if (a->type == type && indx-- == 0) {
|
|
|
|
+ TAILQ_REMOVE(&set->list, a, list);
|
|
|
|
+ zap(a->buffer, sizeof(a->buffer));
|
|
|
|
+ free(a);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_attrset_get(const krad_attrset *set, krad_attr type, size_t indx)
|
|
|
|
+{
|
|
|
|
+ attr *a;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(a, &set->list, list) {
|
|
|
|
+ if (a->type == type && indx-- == 0)
|
|
|
|
+ return &a->attr;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return NULL;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_attrset_copy(const krad_attrset *set, krad_attrset **copy)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_attrset *tmp;
|
|
|
|
+ attr *a;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_new(set->ctx, &tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(a, &set->list, list) {
|
|
|
|
+ retval = krad_attrset_add(tmp, a->type, &a->attr);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ krad_attrset_free(tmp);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *copy = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attrset_encode(const krad_attrset *set, const char *secret,
|
|
|
|
+ const unsigned char *auth,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen)
|
|
|
|
+{
|
|
|
|
+ unsigned char buffer[MAX_ATTRSIZE];
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ size_t i = 0, attrlen;
|
|
|
|
+ attr *a;
|
|
|
|
+
|
|
|
|
+ if (set == NULL) {
|
|
|
|
+ *outlen = 0;
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(a, &set->list, list) {
|
|
|
|
+ retval = kr_attr_encode(set->ctx, secret, auth, a->type, &a->attr,
|
|
|
|
+ buffer, &attrlen);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ if (i + attrlen + 2 > MAX_ATTRSETSIZE)
|
|
|
|
+ return EMSGSIZE;
|
|
|
|
+
|
|
|
|
+ outbuf[i++] = a->type;
|
|
|
|
+ outbuf[i++] = attrlen + 2;
|
|
|
|
+ memcpy(&outbuf[i], buffer, attrlen);
|
|
|
|
+ i += attrlen;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *outlen = i;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
|
|
|
|
+ const unsigned char *auth, krad_attrset **set_out)
|
|
|
|
+{
|
|
|
|
+ unsigned char buffer[MAX_ATTRSIZE];
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_attr type;
|
|
|
|
+ krad_attrset *set;
|
|
|
|
+ size_t i, len;
|
|
|
|
+
|
|
|
|
+ *set_out = NULL;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_new(ctx, &set);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ for (i = 0; i + 2 < in->length; ) {
|
|
|
|
+ type = in->data[i++];
|
|
|
|
+ tmp = make_data(&in->data[i + 1], in->data[i] - 2);
|
|
|
|
+ i += tmp.length + 1;
|
|
|
|
+
|
|
|
|
+ retval = (in->length < i) ? EBADMSG : 0;
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ retval = kr_attr_decode(ctx, secret, auth, type, &tmp, buffer, &len);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ tmp = make_data(buffer, len);
|
|
|
|
+ retval = krad_attrset_add(set, type, &tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *set_out = set;
|
|
|
|
+ set = NULL;
|
|
|
|
+
|
|
|
|
+cleanup:
|
|
|
|
+ zap(buffer, sizeof(buffer));
|
|
|
|
+ krad_attrset_free(set);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
|
|
|
|
new file mode 100644
|
2013-05-03 21:04:40 +00:00
|
|
|
index 0000000..0c37680
|
2013-04-09 18:06:33 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/client.c
|
|
|
|
@@ -0,0 +1,335 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/client.c - Client request code for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include <k5-queue.h>
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+#include <sys/un.h>
|
|
|
|
+#include <unistd.h>
|
|
|
|
+#include <stdio.h>
|
|
|
|
+#include <limits.h>
|
|
|
|
+
|
|
|
|
+LIST_HEAD(server_head, server_st);
|
|
|
|
+
|
|
|
|
+typedef struct remote_state_st remote_state;
|
|
|
|
+typedef struct request_st request;
|
|
|
|
+typedef struct server_st server;
|
|
|
|
+
|
|
|
|
+struct remote_state_st {
|
|
|
|
+ const krad_packet *packet;
|
|
|
|
+ krad_remote *remote;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+struct request_st {
|
|
|
|
+ krad_client *rc;
|
|
|
|
+
|
|
|
|
+ krad_code code;
|
|
|
|
+ krad_attrset *attrs;
|
2013-05-03 21:04:40 +00:00
|
|
|
+ int timeout;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ size_t retries;
|
|
|
|
+ krad_cb cb;
|
|
|
|
+ void *data;
|
|
|
|
+
|
|
|
|
+ remote_state *remotes;
|
|
|
|
+ ssize_t current;
|
|
|
|
+ ssize_t count;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+struct server_st {
|
|
|
|
+ krad_remote *serv;
|
|
|
|
+ time_t last;
|
|
|
|
+ LIST_ENTRY(server_st) list;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+struct krad_client_st {
|
|
|
|
+ krb5_context kctx;
|
|
|
|
+ verto_ctx *vctx;
|
|
|
|
+ struct server_head servers;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+/* Return either a pre-existing server that matches the address info and the
|
|
|
|
+ * secret, or create a new one. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
|
|
|
|
+ krad_remote **out)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ time_t currtime;
|
|
|
|
+ server *srv;
|
|
|
|
+
|
2013-05-03 21:04:40 +00:00
|
|
|
+ if (time(&currtime) == (time_t)-1)
|
2013-04-09 18:06:33 +00:00
|
|
|
+ return errno;
|
|
|
|
+
|
|
|
|
+ LIST_FOREACH(srv, &rc->servers, list) {
|
|
|
|
+ if (kr_remote_equals(srv->serv, ai, secret)) {
|
|
|
|
+ srv->last = currtime;
|
|
|
|
+ *out = srv->serv;
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ srv = calloc(1, sizeof(server));
|
|
|
|
+ if (srv == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ srv->last = currtime;
|
|
|
|
+
|
|
|
|
+ retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ free(srv);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ LIST_INSERT_HEAD(&rc->servers, srv, list);
|
|
|
|
+ *out = srv->serv;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Free a request. */
|
|
|
|
+static void
|
|
|
|
+request_free(request *req)
|
|
|
|
+{
|
|
|
|
+ krad_attrset_free(req->attrs);
|
|
|
|
+ free(req->remotes);
|
|
|
|
+ free(req);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Create a request. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
|
2013-05-03 21:04:40 +00:00
|
|
|
+ const struct addrinfo *ai, const char *secret, int timeout,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ size_t retries, krad_cb cb, void *data, request **req)
|
|
|
|
+{
|
|
|
|
+ const struct addrinfo *tmp;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ request *rqst;
|
|
|
|
+ size_t i;
|
|
|
|
+
|
|
|
|
+ if (ai == NULL)
|
|
|
|
+ return EINVAL;
|
|
|
|
+
|
|
|
|
+ rqst = calloc(1, sizeof(request));
|
|
|
|
+ if (rqst == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ for (tmp = ai; tmp != NULL; tmp = tmp->ai_next)
|
|
|
|
+ rqst->count++;
|
|
|
|
+
|
|
|
|
+ rqst->rc = rc;
|
|
|
|
+ rqst->code = code;
|
|
|
|
+ rqst->cb = cb;
|
|
|
|
+ rqst->data = data;
|
|
|
|
+ rqst->timeout = timeout / rqst->count;
|
|
|
|
+ rqst->retries = retries;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_copy(attrs, &rqst->attrs);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ request_free(rqst);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ rqst->remotes = calloc(rqst->count + 1, sizeof(remote_state));
|
|
|
|
+ if (rqst->remotes == NULL) {
|
|
|
|
+ request_free(rqst);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ i = 0;
|
|
|
|
+ for (tmp = ai; tmp != NULL; tmp = tmp->ai_next) {
|
|
|
|
+ retval = get_server(rc, tmp, secret, &rqst->remotes[i++].remote);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ request_free(rqst);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *req = rqst;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Close remotes that haven't been used in a while. */
|
|
|
|
+static void
|
|
|
|
+age(struct server_head *head, time_t currtime)
|
|
|
|
+{
|
|
|
|
+ server *srv, *tmp;
|
|
|
|
+
|
|
|
|
+ LIST_FOREACH_SAFE(srv, head, list, tmp) {
|
|
|
|
+ if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
|
|
|
|
+ LIST_REMOVE(srv, list);
|
|
|
|
+ kr_remote_free(srv->serv);
|
|
|
|
+ free(srv);
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Handle a response from a server (or related errors). */
|
|
|
|
+static void
|
|
|
|
+on_response(krb5_error_code retval, const krad_packet *reqp,
|
|
|
|
+ const krad_packet *rspp, void *data)
|
|
|
|
+{
|
|
|
|
+ request *req = data;
|
|
|
|
+ time_t currtime;
|
|
|
|
+ size_t i;
|
|
|
|
+
|
|
|
|
+ /* Do nothing if we are already completed. */
|
|
|
|
+ if (req->count < 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* If we have timed out and have more remotes to try, do so. */
|
|
|
|
+ if (retval == ETIMEDOUT && req->remotes[++req->current].remote != NULL) {
|
|
|
|
+ retval = kr_remote_send(req->remotes[req->current].remote, req->code,
|
|
|
|
+ req->attrs, on_response, req, req->timeout,
|
|
|
|
+ req->retries,
|
|
|
|
+ &req->remotes[req->current].packet);
|
|
|
|
+ if (retval == 0)
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Mark the request as complete. */
|
|
|
|
+ req->count = -1;
|
|
|
|
+
|
|
|
|
+ /* Inform the callback. */
|
|
|
|
+ req->cb(retval, reqp, rspp, req->data);
|
|
|
|
+
|
|
|
|
+ /* Cancel the outstanding packets. */
|
|
|
|
+ for (i = 0; req->remotes[i].remote != NULL; i++)
|
|
|
|
+ kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
|
|
|
|
+
|
|
|
|
+ /* Age out servers that haven't been used in a while. */
|
|
|
|
+ if (time(&currtime) != (time_t)-1)
|
|
|
|
+ age(&req->rc->servers, currtime);
|
|
|
|
+
|
|
|
|
+ request_free(req);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
|
|
|
|
+{
|
|
|
|
+ krad_client *tmp;
|
|
|
|
+
|
|
|
|
+ tmp = calloc(1, sizeof(krad_client));
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ tmp->kctx = kctx;
|
|
|
|
+ tmp->vctx = vctx;
|
|
|
|
+
|
|
|
|
+ *out = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+krad_client_free(krad_client *rc)
|
|
|
|
+{
|
|
|
|
+ if (rc == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ age(&rc->servers, -1);
|
|
|
|
+ free(rc);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+resolve_remote(const char *remote, struct addrinfo **ai)
|
|
|
|
+{
|
|
|
|
+ const char *svc = "radius";
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ struct addrinfo hints;
|
|
|
|
+ char *sep, *srv;
|
|
|
|
+
|
|
|
|
+ /* Isolate the port number if it exists. */
|
|
|
|
+ srv = strdup(remote);
|
|
|
|
+ if (srv == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ if (srv[0] == '[') {
|
|
|
|
+ /* IPv6 */
|
|
|
|
+ sep = strrchr(srv, ']');
|
|
|
|
+ if (sep != NULL && sep[1] == ':') {
|
|
|
|
+ sep[1] = '\0';
|
|
|
|
+ svc = &sep[2];
|
|
|
|
+ }
|
|
|
|
+ } else {
|
|
|
|
+ /* IPv4 or DNS */
|
|
|
|
+ sep = strrchr(srv, ':');
|
|
|
|
+ if (sep != NULL && sep[1] != '\0') {
|
|
|
|
+ sep[0] = '\0';
|
|
|
|
+ svc = &sep[1];
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Perform the lookup. */
|
|
|
|
+ memset(&hints, 0, sizeof(hints));
|
|
|
|
+ hints.ai_socktype = SOCK_DGRAM;
|
|
|
|
+ retval = gai_error_code(getaddrinfo(srv, svc, &hints, ai));
|
|
|
|
+ free(srv);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_client_send(krad_client *rc, krad_code code, const krad_attrset *attrs,
|
2013-05-03 21:04:40 +00:00
|
|
|
+ const char *remote, const char *secret, int timeout,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ size_t retries, krad_cb cb, void *data)
|
|
|
|
+{
|
|
|
|
+ struct addrinfo usock, *ai = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ struct sockaddr_un ua;
|
|
|
|
+ request *req;
|
|
|
|
+
|
|
|
|
+ if (remote[0] == '/') {
|
|
|
|
+ ua.sun_family = AF_UNIX;
|
|
|
|
+ snprintf(ua.sun_path, sizeof(ua.sun_path), "%s", remote);
|
|
|
|
+ memset(&usock, 0, sizeof(usock));
|
|
|
|
+ usock.ai_family = AF_UNIX;
|
|
|
|
+ usock.ai_socktype = SOCK_STREAM;
|
|
|
|
+ usock.ai_addr = (struct sockaddr *)&ua;
|
|
|
|
+ usock.ai_addrlen = sizeof(ua);
|
|
|
|
+
|
|
|
|
+ retval = request_new(rc, code, attrs, &usock, secret, timeout, retries,
|
|
|
|
+ cb, data, &req);
|
|
|
|
+ } else {
|
|
|
|
+ retval = resolve_remote(remote, &ai);
|
|
|
|
+ if (retval == 0) {
|
|
|
|
+ retval = request_new(rc, code, attrs, ai, secret, timeout, retries,
|
|
|
|
+ cb, data, &req);
|
|
|
|
+ freeaddrinfo(ai);
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ retval = kr_remote_send(req->remotes[req->current].remote, req->code,
|
|
|
|
+ req->attrs, on_response, req, req->timeout,
|
|
|
|
+ req->retries, &req->remotes[req->current].packet);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ request_free(req);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/code.c b/src/lib/krad/code.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..16871bb
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/code.c
|
|
|
|
@@ -0,0 +1,111 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/code.c - RADIUS code name table for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+
|
|
|
|
+static const char *codes[UCHAR_MAX] = {
|
|
|
|
+ "Access-Request",
|
|
|
|
+ "Access-Accept",
|
|
|
|
+ "Access-Reject",
|
|
|
|
+ "Accounting-Request",
|
|
|
|
+ "Accounting-Response",
|
|
|
|
+ "Accounting-Status",
|
|
|
|
+ "Password-Request",
|
|
|
|
+ "Password-Ack",
|
|
|
|
+ "Password-Reject",
|
|
|
|
+ "Accounting-Message",
|
|
|
|
+ "Access-Challenge",
|
|
|
|
+ "Status-Server",
|
|
|
|
+ "Status-Client",
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ "Resource-Free-Request",
|
|
|
|
+ "Resource-Free-Response",
|
|
|
|
+ "Resource-Query-Request",
|
|
|
|
+ "Resource-Query-Response",
|
|
|
|
+ "Alternate-Resource-Reclaim-Request",
|
|
|
|
+ "NAS-Reboot-Request",
|
|
|
|
+ "NAS-Reboot-Response",
|
|
|
|
+ NULL,
|
|
|
|
+ "Next-Passcode",
|
|
|
|
+ "New-Pin",
|
|
|
|
+ "Terminate-Session",
|
|
|
|
+ "Password-Expired",
|
|
|
|
+ "Event-Request",
|
|
|
|
+ "Event-Response",
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ "Disconnect-Request",
|
|
|
|
+ "Disconnect-Ack",
|
|
|
|
+ "Disconnect-Nak",
|
|
|
|
+ "Change-Filters-Request",
|
|
|
|
+ "Change-Filters-Ack",
|
|
|
|
+ "Change-Filters-Nak",
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ NULL,
|
|
|
|
+ "IP-Address-Allocate",
|
|
|
|
+ "IP-Address-Release",
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+krad_code
|
|
|
|
+krad_code_name2num(const char *name)
|
|
|
|
+{
|
|
|
|
+ unsigned char i;
|
|
|
|
+
|
|
|
|
+ for (i = 0; i < UCHAR_MAX; i++) {
|
|
|
|
+ if (codes[i] == NULL)
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ if (strcmp(codes[i], name) == 0)
|
|
|
|
+ return ++i;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+const char *
|
|
|
|
+krad_code_num2name(krad_code code)
|
|
|
|
+{
|
|
|
|
+ if (code == 0)
|
|
|
|
+ return NULL;
|
|
|
|
+
|
|
|
|
+ return codes[code - 1];
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/deps b/src/lib/krad/deps
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..8171f94
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/deps
|
|
|
|
@@ -0,0 +1,156 @@
|
|
|
|
+#
|
|
|
|
+# Generated makefile dependencies follow.
|
|
|
|
+#
|
|
|
|
+attr.so attr.po $(OUTPRE)attr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h attr.c internal.h
|
|
|
|
+attrset.so attrset.po $(OUTPRE)attrset.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ attrset.c internal.h
|
|
|
|
+client.so client.po $(OUTPRE)client.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ client.c internal.h
|
|
|
|
+code.so code.po $(OUTPRE)code.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h code.c internal.h
|
|
|
|
+packet.so packet.po $(OUTPRE)packet.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h internal.h packet.c
|
|
|
|
+remote.so remote.po $(OUTPRE)remote.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ internal.h remote.c
|
|
|
|
+t_attr.so t_attr.po $(OUTPRE)t_attr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h internal.h t_attr.c \
|
|
|
|
+ t_test.h
|
|
|
|
+t_attrset.so t_attrset.po $(OUTPRE)t_attrset.$(OBJEXT): \
|
|
|
|
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
|
|
|
|
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
|
|
|
|
+ $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
|
|
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
|
|
|
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ internal.h t_attrset.c t_test.h
|
|
|
|
+t_client.so t_client.po $(OUTPRE)t_client.$(OBJEXT): \
|
|
|
|
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
|
|
|
|
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
|
|
|
|
+ $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
|
|
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
|
|
|
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ internal.h t_client.c t_daemon.h t_test.h
|
|
|
|
+t_code.so t_code.po $(OUTPRE)t_code.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h internal.h t_code.c \
|
|
|
|
+ t_test.h
|
|
|
|
+t_packet.so t_packet.po $(OUTPRE)t_packet.$(OBJEXT): \
|
|
|
|
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
|
|
|
|
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
|
|
|
|
+ $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
|
|
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
|
|
|
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ internal.h t_daemon.h t_packet.c t_test.h
|
|
|
|
+t_remote.so t_remote.po $(OUTPRE)t_remote.$(OBJEXT): \
|
|
|
|
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
|
|
|
|
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
|
|
|
|
+ $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
|
|
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
|
|
|
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krad.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ internal.h t_daemon.h t_remote.c t_test.h
|
|
|
|
+t_test.so t_test.po $(OUTPRE)t_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \
|
|
|
|
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krad.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h internal.h t_test.c \
|
|
|
|
+ t_test.h
|
|
|
|
diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
|
|
|
|
new file mode 100644
|
2013-05-03 21:04:40 +00:00
|
|
|
index 0000000..996a893
|
2013-04-09 18:06:33 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/internal.h
|
|
|
|
@@ -0,0 +1,155 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/internal.h - Internal declarations for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#ifndef INTERNAL_H_
|
|
|
|
+#define INTERNAL_H_
|
|
|
|
+
|
|
|
|
+#include <k5-int.h>
|
|
|
|
+#include "krad.h"
|
|
|
|
+
|
|
|
|
+#include <errno.h>
|
|
|
|
+
|
|
|
|
+#include <sys/types.h>
|
|
|
|
+#include <sys/socket.h>
|
|
|
|
+#include <netdb.h>
|
|
|
|
+
|
|
|
|
+#ifndef UCHAR_MAX
|
|
|
|
+#define UCHAR_MAX 255
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
+/* RFC 2865 */
|
|
|
|
+#define MAX_ATTRSIZE (UCHAR_MAX - 2)
|
|
|
|
+#define MAX_ATTRSETSIZE (KRAD_PACKET_SIZE_MAX - 20)
|
|
|
|
+
|
|
|
|
+typedef struct krad_remote_st krad_remote;
|
|
|
|
+
|
|
|
|
+/* Validate constraints of an attribute. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_valid(krad_attr type, const krb5_data *data);
|
|
|
|
+
|
|
|
|
+/* Encode an attribute. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_encode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
|
|
|
+ krad_attr type, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+/* Decode an attribute. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
|
|
|
|
+ krad_attr type, const krb5_data *in,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+/* Encode the attributes into the buffer. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attrset_encode(const krad_attrset *set, const char *secret,
|
|
|
|
+ const unsigned char *auth,
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSETSIZE], size_t *outlen);
|
|
|
|
+
|
|
|
|
+/* Decode attributes from a buffer. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
|
|
|
|
+ const unsigned char *auth, krad_attrset **set);
|
|
|
|
+
|
|
|
|
+/* Create a new remote object which manages a socket and the state of
|
|
|
|
+ * outstanding requests. */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_remote_new(krb5_context kctx, verto_ctx *vctx, const struct addrinfo *info,
|
|
|
|
+ const char *secret, krad_remote **rr);
|
|
|
|
+
|
|
|
|
+/* Free a remote object. */
|
|
|
|
+void
|
|
|
|
+kr_remote_free(krad_remote *rr);
|
|
|
|
+
|
|
|
|
+/*
|
|
|
|
+ * Send the packet to the remote. The cb will be called when a response is
|
|
|
|
+ * received, the request times out, the request is canceled or an error occurs.
|
|
|
|
+ *
|
|
|
|
+ * The timeout parameter is the total timeout across all retries in
|
|
|
|
+ * milliseconds.
|
|
|
|
+ *
|
|
|
|
+ * If the cb is called with a retval of ETIMEDOUT it indicates that the alloted
|
|
|
|
+ * time has elapsed. However, in the case of a timeout, we continue to listen
|
|
|
|
+ * for the packet until krad_remote_cancel() is called or a response is
|
|
|
|
+ * received. This means that cb will always be called twice in the event of a
|
|
|
|
+ * timeout. This permits you to pursue other remotes while still listening for
|
|
|
|
+ * a response from the first one.
|
|
|
|
+ */
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
2013-05-03 21:04:40 +00:00
|
|
|
+ krad_cb cb, void *data, int timeout, size_t retries,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ const krad_packet **pkt);
|
|
|
|
+
|
|
|
|
+/* Remove packet from the queue of requests awaiting responses. */
|
|
|
|
+void
|
|
|
|
+kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
|
|
|
|
+
|
|
|
|
+/* Determine if this remote object refers to the remote resource identified
|
|
|
|
+ * by the addrinfo struct and the secret. */
|
|
|
|
+krb5_boolean
|
|
|
|
+kr_remote_equals(const krad_remote *rr, const struct addrinfo *info,
|
|
|
|
+ const char *secret);
|
|
|
|
+
|
|
|
|
+/* Adapted from lib/krb5/os/sendto_kdc.c. */
|
|
|
|
+static inline krb5_error_code
|
|
|
|
+gai_error_code(int err)
|
|
|
|
+{
|
|
|
|
+ switch (err) {
|
|
|
|
+ case 0:
|
|
|
|
+ return 0;
|
|
|
|
+ case EAI_BADFLAGS:
|
|
|
|
+ case EAI_FAMILY:
|
|
|
|
+ case EAI_SOCKTYPE:
|
|
|
|
+ case EAI_SERVICE:
|
|
|
|
+#ifdef EAI_ADDRFAMILY
|
|
|
|
+ case EAI_ADDRFAMILY:
|
|
|
|
+#endif
|
|
|
|
+ return EINVAL;
|
|
|
|
+ case EAI_AGAIN:
|
|
|
|
+ return EAGAIN;
|
|
|
|
+ case EAI_MEMORY:
|
|
|
|
+ return ENOMEM;
|
|
|
|
+#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
|
|
|
|
+ case EAI_NODATA:
|
|
|
|
+#endif
|
|
|
|
+ case EAI_NONAME:
|
|
|
|
+ return EADDRNOTAVAIL;
|
|
|
|
+#ifdef EAI_OVERFLOW
|
|
|
|
+ case EAI_OVERFLOW:
|
|
|
|
+ return EOVERFLOW;
|
|
|
|
+#endif
|
|
|
|
+#ifdef EAI_SYSTEM
|
|
|
|
+ case EAI_SYSTEM:
|
|
|
|
+ return errno;
|
|
|
|
+#endif
|
|
|
|
+ default:
|
|
|
|
+ return EINVAL;
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+#endif /* INTERNAL_H_ */
|
|
|
|
diff --git a/src/lib/krad/libkrad.exports b/src/lib/krad/libkrad.exports
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..fe3f159
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/libkrad.exports
|
|
|
|
@@ -0,0 +1,23 @@
|
|
|
|
+krad_code_name2num
|
|
|
|
+krad_code_num2name
|
|
|
|
+krad_attr_name2num
|
|
|
|
+krad_attr_num2name
|
|
|
|
+krad_attrset_new
|
|
|
|
+krad_attrset_copy
|
|
|
|
+krad_attrset_free
|
|
|
|
+krad_attrset_add
|
|
|
|
+krad_attrset_add_number
|
|
|
|
+krad_attrset_del
|
|
|
|
+krad_attrset_get
|
|
|
|
+krad_packet_bytes_needed
|
|
|
|
+krad_packet_free
|
|
|
|
+krad_packet_new_request
|
|
|
|
+krad_packet_new_response
|
|
|
|
+krad_packet_decode_request
|
|
|
|
+krad_packet_decode_response
|
|
|
|
+krad_packet_encode
|
|
|
|
+krad_packet_get_code
|
|
|
|
+krad_packet_get_attr
|
|
|
|
+krad_client_new
|
|
|
|
+krad_client_free
|
|
|
|
+krad_client_send
|
|
|
|
diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
|
|
|
|
new file mode 100644
|
2013-05-03 21:04:40 +00:00
|
|
|
index 0000000..6e6b27e
|
2013-04-09 18:06:33 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/packet.c
|
2013-05-03 21:04:40 +00:00
|
|
|
@@ -0,0 +1,470 @@
|
2013-04-09 18:06:33 +00:00
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/packet.c - Packet functions for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+
|
|
|
|
+#include <arpa/inet.h>
|
|
|
|
+
|
|
|
|
+typedef unsigned char uchar;
|
|
|
|
+
|
|
|
|
+/* RFC 2865 */
|
|
|
|
+#define OFFSET_CODE 0
|
|
|
|
+#define OFFSET_ID 1
|
|
|
|
+#define OFFSET_LENGTH 2
|
|
|
|
+#define OFFSET_AUTH 4
|
|
|
|
+#define OFFSET_ATTR 20
|
|
|
|
+#define AUTH_FIELD_SIZE (OFFSET_ATTR - OFFSET_AUTH)
|
|
|
|
+
|
|
|
|
+#define offset(d, o) (&(d)->data[o])
|
|
|
|
+#define pkt_code_get(p) (*(krad_code *)offset(&(p)->pkt, OFFSET_CODE))
|
|
|
|
+#define pkt_code_set(p, v) (*(krad_code *)offset(&(p)->pkt, OFFSET_CODE)) = v
|
|
|
|
+#define pkt_id_get(p) (*(uchar *)offset(&(p)->pkt, OFFSET_ID))
|
|
|
|
+#define pkt_id_set(p, v) (*(uchar *)offset(&(p)->pkt, OFFSET_ID)) = v
|
|
|
|
+#define pkt_len_get(p) load_16_be(offset(&(p)->pkt, OFFSET_LENGTH))
|
|
|
|
+#define pkt_len_set(p, v) store_16_be(v, offset(&(p)->pkt, OFFSET_LENGTH))
|
|
|
|
+#define pkt_auth(p) ((uchar *)offset(&(p)->pkt, OFFSET_AUTH))
|
|
|
|
+#define pkt_attr(p) ((unsigned char *)offset(&(p)->pkt, OFFSET_ATTR))
|
|
|
|
+
|
|
|
|
+struct krad_packet_st {
|
|
|
|
+ char buffer[KRAD_PACKET_SIZE_MAX];
|
|
|
|
+ krad_attrset *attrset;
|
|
|
|
+ krb5_data pkt;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+typedef struct {
|
|
|
|
+ uchar x[(UCHAR_MAX + 1) / 8];
|
|
|
|
+} idmap;
|
|
|
|
+
|
|
|
|
+/* Ensure the map is empty. */
|
|
|
|
+static inline void
|
|
|
|
+idmap_init(idmap *map)
|
|
|
|
+{
|
|
|
|
+ memset(map, 0, sizeof(*map));
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Set an id as already allocated. */
|
|
|
|
+static inline void
|
|
|
|
+idmap_set(idmap *map, uchar id)
|
|
|
|
+{
|
|
|
|
+ map->x[id / 8] |= 1 << (id % 8);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Determine whether or not an id is used. */
|
|
|
|
+static inline krb5_boolean
|
|
|
|
+idmap_isset(const idmap *map, uchar id)
|
|
|
|
+{
|
|
|
|
+ return (map->x[id / 8] & (1 << (id % 8))) != 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Find an unused id starting the search at the value specified in id.
|
|
|
|
+ * NOTE: For optimal security, the initial value of id should be random. */
|
|
|
|
+static inline krb5_error_code
|
|
|
|
+idmap_find(const idmap *map, uchar *id)
|
|
|
|
+{
|
|
|
|
+ krb5_int16 i;
|
|
|
|
+
|
|
|
|
+ for (i = *id; i >= 0 && i <= UCHAR_MAX; *id % 2 == 0 ? i++ : i--) {
|
|
|
|
+ if (!idmap_isset(map, i))
|
|
|
|
+ goto success;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ for (i = *id; i >= 0 && i <= UCHAR_MAX; *id % 2 == 1 ? i++ : i--) {
|
|
|
|
+ if (!idmap_isset(map, i))
|
|
|
|
+ goto success;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return ERANGE;
|
|
|
|
+
|
|
|
|
+success:
|
|
|
|
+ *id = i;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Generate size bytes of random data into the buffer. */
|
|
|
|
+static inline krb5_error_code
|
|
|
|
+randomize(krb5_context ctx, void *buffer, unsigned int size)
|
|
|
|
+{
|
|
|
|
+ krb5_data rdata = make_data(buffer, size);
|
|
|
|
+ return krb5_c_random_make_octets(ctx, &rdata);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Generate a radius packet id. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+id_generate(krb5_context ctx, krad_packet_iter_cb cb, void *data, uchar *id)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ const krad_packet *tmp;
|
|
|
|
+ idmap used;
|
|
|
|
+ uchar i;
|
|
|
|
+
|
|
|
|
+ retval = randomize(ctx, &i, sizeof(i));
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ if (cb != NULL)
|
|
|
|
+ (*cb)(data, TRUE);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (cb != NULL) {
|
|
|
|
+ idmap_init(&used);
|
|
|
|
+ for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE))
|
|
|
|
+ idmap_set(&used, tmp->pkt.data[1]);
|
|
|
|
+
|
|
|
|
+ retval = idmap_find(&used, &i);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *id = i;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Generate a random authenticator field. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+auth_generate_random(krb5_context ctx, uchar *rauth)
|
|
|
|
+{
|
|
|
|
+ krb5_ui_4 trunctime;
|
|
|
|
+ time_t currtime;
|
|
|
|
+
|
|
|
|
+ /* Get the least-significant four bytes of the current time. */
|
|
|
|
+ currtime = time(NULL);
|
|
|
|
+ if (currtime == (time_t)-1)
|
|
|
|
+ return errno;
|
|
|
|
+ trunctime = (krb5_ui_4)currtime;
|
|
|
|
+ memcpy(rauth, &trunctime, sizeof(trunctime));
|
|
|
|
+
|
|
|
|
+ /* Randomize the rest of the buffer. */
|
|
|
|
+ return randomize(ctx, rauth + sizeof(trunctime),
|
|
|
|
+ AUTH_FIELD_SIZE - sizeof(trunctime));
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Generate a response authenticator field. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+auth_generate_response(krb5_context ctx, const char *secret,
|
|
|
|
+ const krad_packet *response, const uchar *auth,
|
|
|
|
+ uchar *rauth)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_checksum hash;
|
|
|
|
+ krb5_data data;
|
|
|
|
+
|
|
|
|
+ /* Allocate the temporary buffer. */
|
|
|
|
+ retval = alloc_data(&data, response->pkt.length + strlen(secret));
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ /* Encoded RADIUS packet with the request's
|
|
|
|
+ * authenticator and the secret at the end. */
|
|
|
|
+ memcpy(data.data, response->pkt.data, response->pkt.length);
|
|
|
|
+ memcpy(data.data + OFFSET_AUTH, auth, AUTH_FIELD_SIZE);
|
|
|
|
+ memcpy(data.data + response->pkt.length, secret, strlen(secret));
|
|
|
|
+
|
|
|
|
+ /* Hash it. */
|
|
|
|
+ retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
|
|
|
|
+ &hash);
|
|
|
|
+ free(data.data);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ memcpy(rauth, hash.contents, AUTH_FIELD_SIZE);
|
|
|
|
+ krb5_free_checksum_contents(ctx, &hash);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Create a new packet. */
|
|
|
|
+static krad_packet *
|
|
|
|
+packet_new()
|
|
|
|
+{
|
|
|
|
+ krad_packet *pkt;
|
|
|
|
+
|
|
|
|
+ pkt = calloc(1, sizeof(krad_packet));
|
|
|
|
+ if (pkt == NULL)
|
|
|
|
+ return NULL;
|
|
|
|
+ pkt->pkt = make_data(pkt->buffer, sizeof(pkt->buffer));
|
|
|
|
+
|
|
|
|
+ return pkt;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Set the attrset object by decoding the packet. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+packet_set_attrset(krb5_context ctx, const char *secret, krad_packet *pkt)
|
|
|
|
+{
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ tmp = make_data(pkt_attr(pkt), pkt->pkt.length - OFFSET_ATTR);
|
|
|
|
+ return kr_attrset_decode(ctx, &tmp, secret, pkt_auth(pkt), &pkt->attrset);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+ssize_t
|
|
|
|
+krad_packet_bytes_needed(const krb5_data *buffer)
|
|
|
|
+{
|
|
|
|
+ size_t len;
|
|
|
|
+
|
|
|
|
+ if (buffer->length < OFFSET_AUTH)
|
|
|
|
+ return OFFSET_AUTH - buffer->length;
|
|
|
|
+
|
|
|
|
+ len = load_16_be(offset(buffer, OFFSET_LENGTH));
|
|
|
|
+ if (len > KRAD_PACKET_SIZE_MAX)
|
|
|
|
+ return -1;
|
|
|
|
+
|
|
|
|
+ return buffer->length > len ? 0 : len - buffer->length;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+krad_packet_free(krad_packet *pkt)
|
|
|
|
+{
|
|
|
|
+ if (pkt)
|
|
|
|
+ krad_attrset_free(pkt->attrset);
|
|
|
|
+ free(pkt);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Create a new request packet. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_new_request(krb5_context ctx, const char *secret, krad_code code,
|
|
|
|
+ const krad_attrset *set, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, krad_packet **request)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_packet *pkt;
|
|
|
|
+ uchar id;
|
|
|
|
+ size_t attrset_len;
|
|
|
|
+
|
|
|
|
+ pkt = packet_new();
|
|
|
|
+ if (pkt == NULL) {
|
|
|
|
+ if (cb != NULL)
|
|
|
|
+ (*cb)(data, TRUE);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Generate the ID. */
|
|
|
|
+ retval = id_generate(ctx, cb, data, &id);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+ pkt_id_set(pkt, id);
|
|
|
|
+
|
|
|
|
+ /* Generate the authenticator. */
|
|
|
|
+ retval = auth_generate_random(ctx, pkt_auth(pkt));
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Encode the attributes. */
|
|
|
|
+ retval = kr_attrset_encode(set, secret, pkt_auth(pkt), pkt_attr(pkt),
|
|
|
|
+ &attrset_len);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Set the code, ID and length. */
|
|
|
|
+ pkt->pkt.length = attrset_len + OFFSET_ATTR;
|
|
|
|
+ pkt_code_set(pkt, code);
|
|
|
|
+ pkt_len_set(pkt, pkt->pkt.length);
|
|
|
|
+
|
|
|
|
+ /* Copy the attrset for future use. */
|
|
|
|
+ retval = packet_set_attrset(ctx, secret, pkt);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ *request = pkt;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ free(pkt);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Create a new request packet. */
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_new_response(krb5_context ctx, const char *secret, krad_code code,
|
|
|
|
+ const krad_attrset *set, const krad_packet *request,
|
|
|
|
+ krad_packet **response)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_packet *pkt;
|
|
|
|
+ size_t attrset_len;
|
|
|
|
+
|
|
|
|
+ pkt = packet_new();
|
|
|
|
+ if (pkt == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ /* Encode the attributes. */
|
|
|
|
+ retval = kr_attrset_encode(set, secret, pkt_auth(request), pkt_attr(pkt),
|
|
|
|
+ &attrset_len);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Set the code, ID and length. */
|
|
|
|
+ pkt->pkt.length = attrset_len + OFFSET_ATTR;
|
|
|
|
+ pkt_code_set(pkt, code);
|
|
|
|
+ pkt_id_set(pkt, pkt_id_get(request));
|
|
|
|
+ pkt_len_set(pkt, pkt->pkt.length);
|
|
|
|
+
|
|
|
|
+ /* Generate the authenticator. */
|
|
|
|
+ retval = auth_generate_response(ctx, secret, pkt, pkt_auth(request),
|
|
|
|
+ pkt_auth(pkt));
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Copy the attrset for future use. */
|
|
|
|
+ retval = packet_set_attrset(ctx, secret, pkt);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ *response = pkt;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ free(pkt);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode a packet. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+decode_packet(krb5_context ctx, const char *secret, const krb5_data *buffer,
|
|
|
|
+ krad_packet **pkt)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_packet *tmp;
|
|
|
|
+ krb5_ui_2 len;
|
|
|
|
+
|
|
|
|
+ tmp = packet_new();
|
|
|
|
+ if (tmp == NULL) {
|
|
|
|
+ retval = ENOMEM;
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Ensure a proper message length. */
|
|
|
|
+ retval = buffer->length < OFFSET_ATTR ? EMSGSIZE : 0;
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+ len = load_16_be(offset(buffer, OFFSET_LENGTH));
|
|
|
|
+ retval = len < OFFSET_ATTR ? EBADMSG : 0;
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+ retval = (len > buffer->length || len > tmp->pkt.length) ? EBADMSG : 0;
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Copy over the buffer. */
|
|
|
|
+ tmp->pkt.length = len;
|
|
|
|
+ memcpy(tmp->pkt.data, buffer->data, len);
|
|
|
|
+
|
|
|
|
+ /* Parse the packet to ensure it is well-formed. */
|
|
|
|
+ retval = packet_set_attrset(ctx, secret, tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ *pkt = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ krad_packet_free(tmp);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_decode_request(krb5_context ctx, const char *secret,
|
|
|
|
+ const krb5_data *buffer, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, const krad_packet **duppkt,
|
|
|
|
+ krad_packet **reqpkt)
|
|
|
|
+{
|
|
|
|
+ const krad_packet *tmp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+
|
|
|
|
+ retval = decode_packet(ctx, secret, buffer, reqpkt);
|
|
|
|
+ if (cb != NULL && retval == 0) {
|
|
|
|
+ for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
|
2013-05-03 21:04:40 +00:00
|
|
|
+ if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
|
|
|
|
+ break;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (cb != NULL && (retval != 0 || tmp != NULL))
|
|
|
|
+ (*cb)(data, TRUE);
|
|
|
|
+
|
2013-05-03 21:04:40 +00:00
|
|
|
+ *duppkt = tmp;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+krad_packet_decode_response(krb5_context ctx, const char *secret,
|
|
|
|
+ const krb5_data *buffer, krad_packet_iter_cb cb,
|
|
|
|
+ void *data, const krad_packet **reqpkt,
|
|
|
|
+ krad_packet **rsppkt)
|
|
|
|
+{
|
|
|
|
+ uchar auth[AUTH_FIELD_SIZE];
|
|
|
|
+ const krad_packet *tmp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+
|
|
|
|
+ retval = decode_packet(ctx, secret, buffer, rsppkt);
|
|
|
|
+ if (cb != NULL && retval == 0) {
|
|
|
|
+ for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
|
|
|
|
+ if (pkt_id_get(*rsppkt) != pkt_id_get(tmp))
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ /* Response */
|
|
|
|
+ retval = auth_generate_response(ctx, secret, *rsppkt,
|
|
|
|
+ pkt_auth(tmp), auth);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ krad_packet_free(*rsppkt);
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+
|
2013-05-03 21:04:40 +00:00
|
|
|
+ /* If the authenticator matches, then the response is valid. */
|
|
|
|
+ if (memcmp(pkt_auth(*rsppkt), auth, sizeof(auth)) == 0)
|
|
|
|
+ break;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (cb != NULL && (retval != 0 || tmp != NULL))
|
|
|
|
+ (*cb)(data, TRUE);
|
|
|
|
+
|
2013-05-03 21:04:40 +00:00
|
|
|
+ *reqpkt = tmp;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_packet_encode(const krad_packet *pkt)
|
|
|
|
+{
|
|
|
|
+ return &pkt->pkt;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krad_code
|
|
|
|
+krad_packet_get_code(const krad_packet *pkt)
|
|
|
|
+{
|
|
|
|
+ if (pkt == NULL)
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+ return pkt_code_get(pkt);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+const krb5_data *
|
|
|
|
+krad_packet_get_attr(const krad_packet *pkt, krad_attr type, size_t indx)
|
|
|
|
+{
|
|
|
|
+ return krad_attrset_get(pkt->attrset, type, indx);
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
|
|
|
new file mode 100644
|
2013-05-03 21:04:40 +00:00
|
|
|
index 0000000..74d9865
|
2013-04-09 18:06:33 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/remote.c
|
|
|
|
@@ -0,0 +1,519 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/remote.c - Protocol code for libkrad */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include <k5-int.h>
|
|
|
|
+#include <k5-queue.h>
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <string.h>
|
|
|
|
+#include <unistd.h>
|
|
|
|
+
|
|
|
|
+#include <sys/un.h>
|
|
|
|
+
|
|
|
|
+#define FLAGS_READ (VERTO_EV_FLAG_PERSIST | VERTO_EV_FLAG_IO_CLOSE_FD | \
|
|
|
|
+ VERTO_EV_FLAG_IO_ERROR | VERTO_EV_FLAG_IO_READ)
|
|
|
|
+#define FLAGS_WRITE (FLAGS_READ | VERTO_EV_FLAG_IO_WRITE)
|
|
|
|
+
|
|
|
|
+TAILQ_HEAD(request_head, request_st);
|
|
|
|
+
|
|
|
|
+typedef struct request_st request;
|
|
|
|
+struct request_st {
|
|
|
|
+ TAILQ_ENTRY(request_st) list;
|
|
|
|
+ krad_remote *rr;
|
|
|
|
+ krad_packet *request;
|
|
|
|
+ krad_cb cb;
|
|
|
|
+ void *data;
|
|
|
|
+ verto_ev *timer;
|
2013-05-03 21:04:40 +00:00
|
|
|
+ int timeout;
|
2013-04-09 18:06:33 +00:00
|
|
|
+ size_t retries;
|
|
|
|
+ size_t sent;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+struct krad_remote_st {
|
|
|
|
+ krb5_context kctx;
|
|
|
|
+ verto_ctx *vctx;
|
|
|
|
+ verto_ev *io;
|
|
|
|
+ char *secret;
|
|
|
|
+ struct addrinfo *info;
|
|
|
|
+ struct request_head list;
|
|
|
|
+ char buffer_[KRAD_PACKET_SIZE_MAX];
|
|
|
|
+ krb5_data buffer;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+on_io(verto_ctx *ctx, verto_ev *ev);
|
|
|
|
+
|
|
|
|
+/* Iterate over the set of outstanding packets. */
|
|
|
|
+static const krad_packet *
|
|
|
|
+iterator(request **out)
|
|
|
|
+{
|
|
|
|
+ request *tmp = *out;
|
|
|
|
+
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ return NULL;
|
|
|
|
+
|
|
|
|
+ *out = TAILQ_NEXT(tmp, list);
|
|
|
|
+ return tmp->request;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Create a new request. */
|
|
|
|
+static krb5_error_code
|
2013-05-03 21:04:40 +00:00
|
|
|
+request_new(krad_remote *rr, krad_packet *rqst, int timeout, size_t retries,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ krad_cb cb, void *data, request **out)
|
|
|
|
+{
|
|
|
|
+ request *tmp;
|
|
|
|
+
|
|
|
|
+ tmp = calloc(1, sizeof(request));
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ tmp->rr = rr;
|
|
|
|
+ tmp->request = rqst;
|
|
|
|
+ tmp->cb = cb;
|
|
|
|
+ tmp->data = data;
|
|
|
|
+ tmp->timeout = timeout;
|
|
|
|
+ tmp->retries = retries;
|
|
|
|
+
|
|
|
|
+ *out = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Finish a request, calling the callback and freeing it. */
|
|
|
|
+static inline void
|
|
|
|
+request_finish(request *req, krb5_error_code retval,
|
|
|
|
+ const krad_packet *response)
|
|
|
|
+{
|
|
|
|
+ if (retval != ETIMEDOUT)
|
|
|
|
+ TAILQ_REMOVE(&req->rr->list, req, list);
|
|
|
|
+
|
|
|
|
+ req->cb(retval, req->request, response, req->data);
|
|
|
|
+
|
|
|
|
+ if (retval != ETIMEDOUT) {
|
|
|
|
+ krad_packet_free(req->request);
|
|
|
|
+ verto_del(req->timer);
|
|
|
|
+ free(req);
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Handle when packets receive no response within their alloted time. */
|
|
|
|
+static void
|
|
|
|
+on_timeout(verto_ctx *ctx, verto_ev *ev)
|
|
|
|
+{
|
|
|
|
+ request *req = verto_get_private(ev);
|
|
|
|
+
|
|
|
|
+ req->timer = NULL; /* Void the timer event. */
|
|
|
|
+
|
|
|
|
+ /* If we have more retries to perform, resend the packet. */
|
|
|
|
+ if (req->retries-- > 1) {
|
|
|
|
+ req->sent = 0;
|
|
|
|
+ verto_set_flags(req->rr->io, FLAGS_WRITE);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ request_finish(req, ETIMEDOUT, NULL);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Connect to the remote host. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+remote_connect(krad_remote *rr)
|
|
|
|
+{
|
|
|
|
+ int i, sock = -1;
|
|
|
|
+ verto_ev *ev;
|
|
|
|
+
|
|
|
|
+ sock = socket(rr->info->ai_family, rr->info->ai_socktype,
|
|
|
|
+ rr->info->ai_protocol);
|
|
|
|
+ if (sock < 0)
|
|
|
|
+ return errno;
|
|
|
|
+
|
|
|
|
+ i = connect(sock, rr->info->ai_addr, rr->info->ai_addrlen);
|
|
|
|
+ if (i < 0) {
|
|
|
|
+ i = errno;
|
|
|
|
+ close(sock);
|
|
|
|
+ return i;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ ev = verto_add_io(rr->vctx, FLAGS_READ, on_io, sock);
|
|
|
|
+ if (ev == NULL) {
|
|
|
|
+ close(sock);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ rr->io = ev;
|
|
|
|
+ verto_set_private(rr->io, rr, NULL);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Disconnect and reconnect to the remote host. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+remote_reconnect(krad_remote *rr, int errnum)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ const krb5_data *tmp;
|
|
|
|
+ request *r;
|
|
|
|
+
|
|
|
|
+ verto_del(rr->io);
|
|
|
|
+ rr->io = NULL;
|
|
|
|
+ retval = remote_connect(rr);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(r, &rr->list, list) {
|
|
|
|
+ tmp = krad_packet_encode(r->request);
|
|
|
|
+
|
|
|
|
+ if (r->sent == tmp->length) {
|
|
|
|
+ /* Error out sent requests. */
|
|
|
|
+ request_finish(r, errnum, NULL);
|
|
|
|
+ } else {
|
|
|
|
+ /* Reset partially sent requests. */
|
|
|
|
+ r->sent = 0;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Close the connection and call the callbacks of all oustanding requests. */
|
|
|
|
+static void
|
|
|
|
+remote_shutdown(krad_remote *rr, int errnum)
|
|
|
|
+{
|
|
|
|
+ verto_del(rr->io);
|
|
|
|
+ rr->io = NULL;
|
|
|
|
+ while (!TAILQ_EMPTY(&rr->list))
|
|
|
|
+ request_finish(TAILQ_FIRST(&rr->list), errnum, NULL);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Write data to the socket. */
|
|
|
|
+static void
|
|
|
|
+on_io_write(krad_remote *rr)
|
|
|
|
+{
|
|
|
|
+ const krb5_data *tmp;
|
|
|
|
+ request *r;
|
|
|
|
+ int i;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(r, &rr->list, list) {
|
|
|
|
+ tmp = krad_packet_encode(r->request);
|
|
|
|
+
|
|
|
|
+ /* If the packet has already been sent, do nothing. */
|
|
|
|
+ if (r->sent == tmp->length)
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ /* Send the packet. */
|
|
|
|
+ i = sendto(verto_get_fd(rr->io), tmp->data + r->sent,
|
|
|
|
+ tmp->length - r->sent, 0, NULL, 0);
|
|
|
|
+ if (i < 0) {
|
|
|
|
+ /* Should we try again? */
|
|
|
|
+ if (errno == EWOULDBLOCK || errno == EAGAIN || errno == ENOBUFS ||
|
|
|
|
+ errno == EINTR)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* In this case, we need to re-connect. */
|
|
|
|
+ i = remote_reconnect(rr, errno);
|
|
|
|
+ if (i == 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* Do a full reset. */
|
|
|
|
+ remote_shutdown(rr, i);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* SOCK_STREAM permits partial writes. */
|
|
|
|
+ if (rr->info->ai_socktype == SOCK_STREAM)
|
|
|
|
+ r->sent += i;
|
|
|
|
+ else if (i == (int)tmp->length)
|
|
|
|
+ r->sent = i;
|
|
|
|
+
|
|
|
|
+ /* If the packet was completely sent, set a timeout. */
|
|
|
|
+ if (r->sent == tmp->length) {
|
|
|
|
+ verto_del(r->timer);
|
|
|
|
+ r->timer = verto_add_timeout(rr->vctx, VERTO_EV_FLAG_NONE,
|
|
|
|
+ on_timeout, r->timeout);
|
|
|
|
+ if (r->timer == NULL)
|
|
|
|
+ request_finish(r, ENOMEM, NULL);
|
|
|
|
+ else
|
|
|
|
+ verto_set_private(r->timer, r, NULL);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ verto_set_flags(rr->io, FLAGS_READ);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Read data from the socket. */
|
|
|
|
+static void
|
|
|
|
+on_io_read(krad_remote *rr)
|
|
|
|
+{
|
|
|
|
+ const krad_packet *req = NULL;
|
|
|
|
+ krad_packet *rsp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ ssize_t pktlen;
|
|
|
|
+ request *tmp, *r;
|
|
|
|
+ int i;
|
|
|
|
+
|
|
|
|
+ pktlen = sizeof(rr->buffer_);
|
|
|
|
+ if (rr->info->ai_socktype == SOCK_STREAM) {
|
|
|
|
+ pktlen = krad_packet_bytes_needed(&rr->buffer);
|
|
|
|
+ if (pktlen < 0) {
|
|
|
|
+ retval = remote_reconnect(rr, EBADMSG);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ remote_shutdown(rr, retval);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Read the packet. */
|
|
|
|
+ i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
|
|
|
|
+ pktlen - rr->buffer.length, 0);
|
|
|
|
+ if (i < 0) {
|
|
|
|
+ /* Should we try again? */
|
|
|
|
+ if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ if (errno == ECONNREFUSED || errno == ECONNRESET ||
|
|
|
|
+ errno == ENOTCONN) {
|
|
|
|
+ /*
|
|
|
|
+ * When doing UDP against a local socket, the kernel will notify
|
|
|
|
+ * when the daemon closes. But not against remote sockets. We want
|
|
|
|
+ * to treat them both the same. Returning here will cause an
|
|
|
|
+ * eventual timeout.
|
|
|
|
+ */
|
|
|
|
+ if (rr->info->ai_socktype != SOCK_STREAM)
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* In this case, we need to re-connect. */
|
|
|
|
+ i = remote_reconnect(rr, errno);
|
|
|
|
+ if (i == 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* Do a full reset. */
|
|
|
|
+ remote_shutdown(rr, i);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* If we have a partial read or just the header, try again. */
|
|
|
|
+ rr->buffer.length += i;
|
|
|
|
+ pktlen = krad_packet_bytes_needed(&rr->buffer);
|
|
|
|
+ if (rr->info->ai_socktype == SOCK_STREAM && pktlen > 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* Decode the packet. */
|
|
|
|
+ tmp = TAILQ_FIRST(&rr->list);
|
|
|
|
+ retval = krad_packet_decode_response(rr->kctx, rr->secret, &rr->buffer,
|
|
|
|
+ (krad_packet_iter_cb)iterator, &tmp,
|
|
|
|
+ &req, &rsp);
|
|
|
|
+ rr->buffer.length = 0;
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ /* Match the response with an outstanding request. */
|
|
|
|
+ if (req != NULL) {
|
|
|
|
+ TAILQ_FOREACH(r, &rr->list, list) {
|
|
|
|
+ if (r->request == req &&
|
|
|
|
+ r->sent == krad_packet_encode(req)->length) {
|
|
|
|
+ request_finish(r, 0, rsp);
|
|
|
|
+ break;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ krad_packet_free(rsp);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Handle when IO is ready on the socket. */
|
|
|
|
+static void
|
|
|
|
+on_io(verto_ctx *ctx, verto_ev *ev)
|
|
|
|
+{
|
|
|
|
+ krad_remote *rr;
|
|
|
|
+
|
|
|
|
+ rr = verto_get_private(ev);
|
|
|
|
+
|
|
|
|
+ if (verto_get_fd_state(ev) & VERTO_EV_FLAG_IO_WRITE)
|
|
|
|
+ on_io_write(rr);
|
|
|
|
+ else
|
|
|
|
+ on_io_read(rr);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_remote_new(krb5_context kctx, verto_ctx *vctx, const struct addrinfo *info,
|
|
|
|
+ const char *secret, krad_remote **rr)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval = ENOMEM;
|
|
|
|
+ krad_remote *tmp = NULL;
|
|
|
|
+
|
|
|
|
+ tmp = calloc(1, sizeof(krad_remote));
|
|
|
|
+ if (tmp == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+ tmp->kctx = kctx;
|
|
|
|
+ tmp->vctx = vctx;
|
|
|
|
+ tmp->buffer = make_data(tmp->buffer_, 0);
|
|
|
|
+ TAILQ_INIT(&tmp->list);
|
|
|
|
+
|
|
|
|
+ tmp->secret = strdup(secret);
|
|
|
|
+ if (tmp->secret == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ tmp->info = k5memdup(info, sizeof(*info), &retval);
|
|
|
|
+ if (tmp->info == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ tmp->info->ai_addr = k5memdup(info->ai_addr, info->ai_addrlen, &retval);
|
|
|
|
+ if (tmp->info == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+ tmp->info->ai_next = NULL;
|
|
|
|
+ tmp->info->ai_canonname = NULL;
|
|
|
|
+
|
|
|
|
+ retval = remote_connect(tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ *rr = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ kr_remote_free(tmp);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+kr_remote_free(krad_remote *rr)
|
|
|
|
+{
|
|
|
|
+ if (rr == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ while (!TAILQ_EMPTY(&rr->list))
|
|
|
|
+ request_finish(TAILQ_FIRST(&rr->list), ECANCELED, NULL);
|
|
|
|
+
|
|
|
|
+ free(rr->secret);
|
|
|
|
+ if (rr->info != NULL)
|
|
|
|
+ free(rr->info->ai_addr);
|
|
|
|
+ free(rr->info);
|
|
|
|
+ verto_del(rr->io);
|
|
|
|
+ free(rr);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
2013-05-03 21:04:40 +00:00
|
|
|
+ krad_cb cb, void *data, int timeout, size_t retries,
|
2013-04-09 18:06:33 +00:00
|
|
|
+ const krad_packet **pkt)
|
|
|
|
+{
|
|
|
|
+ krad_packet *tmp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ request *r;
|
|
|
|
+
|
|
|
|
+ r = TAILQ_FIRST(&rr->list);
|
|
|
|
+ retval = krad_packet_new_request(rr->kctx, rr->secret, code, attrs,
|
|
|
|
+ (krad_packet_iter_cb)iterator, &r, &tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(r, &rr->list, list) {
|
|
|
|
+ if (r->request == tmp) {
|
|
|
|
+ retval = EALREADY;
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (rr->io == NULL) {
|
|
|
|
+ retval = remote_connect(rr);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (rr->info->ai_socktype == SOCK_STREAM)
|
|
|
|
+ retries = 0;
|
|
|
|
+ timeout = timeout / (retries + 1);
|
|
|
|
+ retval = request_new(rr, tmp, timeout, retries, cb, data, &r);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ if ((verto_get_flags(rr->io) & VERTO_EV_FLAG_IO_WRITE) == 0)
|
|
|
|
+ verto_set_flags(rr->io, FLAGS_WRITE);
|
|
|
|
+
|
|
|
|
+ TAILQ_INSERT_TAIL(&rr->list, r, list);
|
|
|
|
+ if (pkt != NULL)
|
|
|
|
+ *pkt = tmp;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ krad_packet_free(tmp);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+kr_remote_cancel(krad_remote *rr, const krad_packet *pkt)
|
|
|
|
+{
|
|
|
|
+ request *r;
|
|
|
|
+
|
|
|
|
+ TAILQ_FOREACH(r, &rr->list, list) {
|
|
|
|
+ if (r->request == pkt) {
|
|
|
|
+ request_finish(r, ECANCELED, NULL);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_boolean
|
|
|
|
+kr_remote_equals(const krad_remote *rr, const struct addrinfo *info,
|
|
|
|
+ const char *secret)
|
|
|
|
+{
|
|
|
|
+ struct sockaddr_un *a, *b;
|
|
|
|
+
|
|
|
|
+ if (strcmp(rr->secret, secret) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (info->ai_addrlen != rr->info->ai_addrlen)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (info->ai_family != rr->info->ai_family)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (info->ai_socktype != rr->info->ai_socktype)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (info->ai_protocol != rr->info->ai_protocol)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (info->ai_flags != rr->info->ai_flags)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (memcmp(rr->info->ai_addr, info->ai_addr, info->ai_addrlen) != 0) {
|
|
|
|
+ /* AF_UNIX fails the memcmp() test due to uninitialized bytes after the
|
|
|
|
+ * socket name. */
|
|
|
|
+ if (info->ai_family != AF_UNIX)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ a = (struct sockaddr_un *)info->ai_addr;
|
|
|
|
+ b = (struct sockaddr_un *)rr->info->ai_addr;
|
|
|
|
+ if (strncmp(a->sun_path, b->sun_path, sizeof(a->sun_path)) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return TRUE;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_attr.c b/src/lib/krad/t_attr.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..e80d77b
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_attr.c
|
|
|
|
@@ -0,0 +1,89 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_attr.c - Attribute test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_test.h"
|
|
|
|
+
|
|
|
|
+const static char encoded[] = {
|
|
|
|
+ 0xba, 0xfc, 0xed, 0x50, 0xe1, 0xeb, 0xa6, 0xc3,
|
|
|
|
+ 0xc1, 0x75, 0x20, 0xe9, 0x10, 0xce, 0xc2, 0xcb
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+const static unsigned char auth[] = {
|
|
|
|
+ 0xac, 0x9d, 0xc1, 0x62, 0x08, 0xc4, 0xc7, 0x8b,
|
|
|
|
+ 0xa1, 0x2f, 0x25, 0x0a, 0xc4, 0x1d, 0x36, 0x41
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main()
|
|
|
|
+{
|
|
|
|
+ unsigned char outbuf[MAX_ATTRSETSIZE];
|
|
|
|
+ const char *decoded = "accept";
|
|
|
|
+ const char *secret = "foo";
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_context ctx;
|
|
|
|
+ const char *tmp;
|
|
|
|
+ krb5_data in;
|
|
|
|
+ size_t len;
|
|
|
|
+
|
|
|
|
+ noerror(krb5_init_context(&ctx));
|
|
|
|
+
|
|
|
|
+ /* Make sure User-Name is 1. */
|
|
|
|
+ insist(krad_attr_name2num("User-Name") == 1);
|
|
|
|
+
|
|
|
|
+ /* Make sure 2 is User-Password. */
|
|
|
|
+ tmp = krad_attr_num2name(2);
|
|
|
|
+ insist(tmp != NULL);
|
|
|
|
+ insist(strcmp(tmp, "User-Password") == 0);
|
|
|
|
+
|
|
|
|
+ /* Test decoding. */
|
|
|
|
+ in = make_data((void *)encoded, sizeof(encoded));
|
|
|
|
+ noerror(kr_attr_decode(ctx, secret, auth,
|
|
|
|
+ krad_attr_name2num("User-Password"),
|
|
|
|
+ &in, outbuf, &len));
|
|
|
|
+ insist(len == strlen(decoded));
|
|
|
|
+ insist(memcmp(outbuf, decoded, len) == 0);
|
|
|
|
+
|
|
|
|
+ /* Test encoding. */
|
|
|
|
+ in = string2data((char *)decoded);
|
|
|
|
+ retval = kr_attr_encode(ctx, secret, auth,
|
|
|
|
+ krad_attr_name2num("User-Password"),
|
|
|
|
+ &in, outbuf, &len);
|
|
|
|
+ insist(retval == 0);
|
|
|
|
+ insist(len == sizeof(encoded));
|
|
|
|
+ insist(memcmp(outbuf, encoded, len) == 0);
|
|
|
|
+
|
|
|
|
+ /* Test constraint. */
|
|
|
|
+ in.length = 100;
|
|
|
|
+ insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) == 0);
|
|
|
|
+ in.length = 200;
|
|
|
|
+ insist(kr_attr_valid(krad_attr_name2num("User-Password"), &in) != 0);
|
|
|
|
+
|
|
|
|
+ krb5_free_context(ctx);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_attrset.c b/src/lib/krad/t_attrset.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..afae5e4
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_attrset.c
|
|
|
|
@@ -0,0 +1,98 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_attrset.c - Attribute set test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_test.h"
|
|
|
|
+
|
|
|
|
+const static unsigned char auth[] = {
|
|
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+const static char encpass[] = {
|
|
|
|
+ 0x58, 0x8d, 0xff, 0xda, 0x37, 0xf9, 0xe4, 0xca,
|
|
|
|
+ 0x19, 0xae, 0x49, 0xb7, 0x16, 0x6d, 0x58, 0x27
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main()
|
|
|
|
+{
|
|
|
|
+ unsigned char buffer[KRAD_PACKET_SIZE_MAX], encoded[MAX_ATTRSETSIZE];
|
|
|
|
+ const char *username = "testUser", *password = "accept";
|
|
|
|
+ const krb5_data *tmpp;
|
|
|
|
+ krad_attrset *set;
|
|
|
|
+ krb5_context ctx;
|
|
|
|
+ size_t len = 0, encode_len;
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ noerror(krb5_init_context(&ctx));
|
|
|
|
+ noerror(krad_attrset_new(ctx, &set));
|
|
|
|
+
|
|
|
|
+ /* Add username. */
|
|
|
|
+ tmp = string2data((char *)username);
|
|
|
|
+ noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
|
|
|
|
+
|
|
|
|
+ /* Add password. */
|
|
|
|
+ tmp = string2data((char *)password);
|
|
|
|
+ noerror(krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp));
|
|
|
|
+
|
|
|
|
+ /* Encode attrset. */
|
|
|
|
+ noerror(kr_attrset_encode(set, "foo", auth, buffer, &encode_len));
|
|
|
|
+ krad_attrset_free(set);
|
|
|
|
+
|
|
|
|
+ /* Manually encode User-Name. */
|
|
|
|
+ encoded[len + 0] = krad_attr_name2num("User-Name");
|
|
|
|
+ encoded[len + 1] = strlen(username) + 2;
|
|
|
|
+ memcpy(encoded + len + 2, username, strlen(username));
|
|
|
|
+ len += encoded[len + 1];
|
|
|
|
+
|
|
|
|
+ /* Manually encode User-Password. */
|
|
|
|
+ encoded[len + 0] = krad_attr_name2num("User-Password");
|
|
|
|
+ encoded[len + 1] = sizeof(encpass) + 2;
|
|
|
|
+ memcpy(encoded + len + 2, encpass, sizeof(encpass));
|
|
|
|
+ len += encoded[len + 1];
|
|
|
|
+
|
|
|
|
+ /* Compare output. */
|
|
|
|
+ insist(len == encode_len);
|
|
|
|
+ insist(memcmp(encoded, buffer, len) == 0);
|
|
|
|
+
|
|
|
|
+ /* Decode output. */
|
|
|
|
+ tmp = make_data(buffer, len);
|
|
|
|
+ noerror(kr_attrset_decode(ctx, &tmp, "foo", auth, &set));
|
|
|
|
+
|
|
|
|
+ /* Test getting an attribute. */
|
|
|
|
+ tmp = string2data((char *)username);
|
|
|
|
+ tmpp = krad_attrset_get(set, krad_attr_name2num("User-Name"), 0);
|
|
|
|
+ insist(tmpp != NULL);
|
|
|
|
+ insist(tmpp->length == tmp.length);
|
|
|
|
+ insist(strncmp(tmpp->data, tmp.data, tmp.length) == 0);
|
|
|
|
+
|
|
|
|
+ krad_attrset_free(set);
|
|
|
|
+ krb5_free_context(ctx);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_client.c b/src/lib/krad/t_client.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..3d0fda9
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_client.c
|
|
|
|
@@ -0,0 +1,126 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_client.c - Client request test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_daemon.h"
|
|
|
|
+
|
|
|
|
+#define EVENT_COUNT 4
|
|
|
|
+
|
|
|
|
+static struct
|
|
|
|
+{
|
|
|
|
+ int count;
|
|
|
|
+ struct event events[EVENT_COUNT];
|
|
|
|
+} record;
|
|
|
|
+
|
|
|
|
+static verto_ctx *vctx;
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+callback(krb5_error_code retval, const krad_packet *request,
|
|
|
|
+ const krad_packet *response, void *data)
|
|
|
|
+{
|
|
|
|
+ struct event *evt;
|
|
|
|
+
|
|
|
|
+ evt = &record.events[record.count++];
|
|
|
|
+ evt->error = retval != 0;
|
|
|
|
+ if (evt->error)
|
|
|
|
+ evt->result.retval = retval;
|
|
|
|
+ else
|
|
|
|
+ evt->result.code = krad_packet_get_code(response);
|
|
|
|
+ verto_break(vctx);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main(int argc, const char **argv)
|
|
|
|
+{
|
|
|
|
+ krad_attrset *attrs;
|
|
|
|
+ krad_client *rc;
|
|
|
|
+ krb5_context kctx;
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ if (!daemon_start(argc, argv)) {
|
|
|
|
+ fprintf(stderr, "Unable to start pyrad daemon, skipping test...\n");
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ noerror(krb5_init_context(&kctx));
|
|
|
|
+ vctx = verto_new(NULL, VERTO_EV_TYPE_IO | VERTO_EV_TYPE_TIMEOUT);
|
|
|
|
+ insist(vctx != NULL);
|
|
|
|
+ noerror(krad_client_new(kctx, vctx, &rc));
|
|
|
|
+
|
|
|
|
+ tmp = string2data("testUser");
|
|
|
|
+ noerror(krad_attrset_new(kctx, &attrs));
|
|
|
|
+ noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Name"), &tmp));
|
|
|
|
+
|
|
|
|
+ /* Test accept. */
|
|
|
|
+ tmp = string2data("accept");
|
|
|
|
+ noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
|
|
|
|
+ &tmp));
|
|
|
|
+ noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
|
|
|
|
+ "localhost", "foo", 1000, 3, callback, NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Test reject. */
|
|
|
|
+ tmp = string2data("reject");
|
|
|
|
+ krad_attrset_del(attrs, krad_attr_name2num("User-Password"), 0);
|
|
|
|
+ noerror(krad_attrset_add(attrs, krad_attr_name2num("User-Password"),
|
|
|
|
+ &tmp));
|
|
|
|
+ noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
|
|
|
|
+ "localhost", "foo", 1000, 3, callback, NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Test timeout. */
|
|
|
|
+ daemon_stop();
|
|
|
|
+ noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
|
|
|
|
+ "localhost", "foo", 1000, 3, callback, NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Test outstanding packet freeing. */
|
|
|
|
+ noerror(krad_client_send(rc, krad_code_name2num("Access-Request"), attrs,
|
|
|
|
+ "localhost", "foo", 1000, 3, callback, NULL));
|
|
|
|
+ krad_client_free(rc);
|
|
|
|
+ rc = NULL;
|
|
|
|
+
|
|
|
|
+ /* Verify the results. */
|
|
|
|
+ insist(record.count == EVENT_COUNT);
|
|
|
|
+ insist(record.events[0].error == FALSE);
|
|
|
|
+ insist(record.events[0].result.code ==
|
|
|
|
+ krad_code_name2num("Access-Accept"));
|
|
|
|
+ insist(record.events[1].error == FALSE);
|
|
|
|
+ insist(record.events[1].result.code ==
|
|
|
|
+ krad_code_name2num("Access-Reject"));
|
|
|
|
+ insist(record.events[2].error == TRUE);
|
|
|
|
+ insist(record.events[2].result.retval == ETIMEDOUT);
|
|
|
|
+ insist(record.events[3].error == TRUE);
|
|
|
|
+ insist(record.events[3].result.retval == ECANCELED);
|
|
|
|
+
|
|
|
|
+ krad_attrset_free(attrs);
|
|
|
|
+ krad_client_free(rc);
|
|
|
|
+ verto_free(vctx);
|
|
|
|
+ krb5_free_context(kctx);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_code.c b/src/lib/krad/t_code.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..b245a7e
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_code.c
|
|
|
|
@@ -0,0 +1,54 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_code.c - RADIUS code table test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_test.h"
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main()
|
|
|
|
+{
|
|
|
|
+ const char *tmp;
|
|
|
|
+
|
|
|
|
+ insist(krad_code_name2num("Access-Request") == 1);
|
|
|
|
+ insist(krad_code_name2num("Access-Accept") == 2);
|
|
|
|
+ insist(krad_code_name2num("Access-Reject") == 3);
|
|
|
|
+
|
|
|
|
+ tmp = krad_code_num2name(1);
|
|
|
|
+ insist(tmp != NULL);
|
|
|
|
+ insist(strcmp(tmp, "Access-Request") == 0);
|
|
|
|
+
|
|
|
|
+ tmp = krad_code_num2name(2);
|
|
|
|
+ insist(tmp != NULL);
|
|
|
|
+ insist(strcmp(tmp, "Access-Accept") == 0);
|
|
|
|
+
|
|
|
|
+ tmp = krad_code_num2name(3);
|
|
|
|
+ insist(tmp != NULL);
|
|
|
|
+ insist(strcmp(tmp, "Access-Reject") == 0);
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_daemon.h b/src/lib/krad/t_daemon.h
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..7c345a6
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_daemon.h
|
|
|
|
@@ -0,0 +1,92 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_daemon.h - Daemonization helper for RADIUS test programs */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#ifndef T_DAEMON_H_
|
|
|
|
+#define T_DAEMON_H_
|
|
|
|
+
|
|
|
|
+#include "t_test.h"
|
|
|
|
+#include <libgen.h>
|
|
|
|
+#include <sys/types.h>
|
|
|
|
+#include <sys/stat.h>
|
|
|
|
+#include <fcntl.h>
|
|
|
|
+
|
|
|
|
+static pid_t daemon_pid;
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+daemon_stop(void)
|
|
|
|
+{
|
|
|
|
+ if (daemon_pid == 0)
|
|
|
|
+ return;
|
|
|
|
+ kill(daemon_pid, SIGTERM);
|
|
|
|
+ waitpid(daemon_pid, NULL, 0);
|
|
|
|
+ daemon_pid = 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_boolean
|
|
|
|
+daemon_start(int argc, const char **argv)
|
|
|
|
+{
|
|
|
|
+ sigset_t set;
|
|
|
|
+ int sig;
|
|
|
|
+
|
|
|
|
+ if (argc != 3 || argv == NULL)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (daemon_pid != 0)
|
|
|
|
+ return TRUE;
|
|
|
|
+
|
|
|
|
+ if (sigemptyset(&set) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (sigaddset(&set, SIGUSR1) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (sigaddset(&set, SIGCHLD) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ if (sigprocmask(SIG_BLOCK, &set, NULL) != 0)
|
|
|
|
+ return FALSE;
|
|
|
|
+
|
|
|
|
+ daemon_pid = fork();
|
|
|
|
+ if (daemon_pid == 0) {
|
|
|
|
+ close(STDOUT_FILENO);
|
|
|
|
+ open("/dev/null", O_WRONLY);
|
|
|
|
+ exit(execlp(argv[1], argv[1], argv[2], NULL));
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (sigwait(&set, &sig) != 0 || sig == SIGCHLD) {
|
|
|
|
+ daemon_stop();
|
|
|
|
+ daemon_pid = 0;
|
|
|
|
+ return FALSE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ atexit(daemon_stop);
|
|
|
|
+ return TRUE;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+#endif /* T_DAEMON_H_ */
|
|
|
|
diff --git a/src/lib/krad/t_daemon.py b/src/lib/krad/t_daemon.py
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..d62bc29
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_daemon.py
|
|
|
|
@@ -0,0 +1,76 @@
|
|
|
|
+#!/usr/bin/python
|
|
|
|
+#
|
|
|
|
+# Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+#
|
|
|
|
+# Redistribution and use in source and binary forms, with or without
|
|
|
|
+# modification, are permitted provided that the following conditions are met:
|
|
|
|
+#
|
|
|
|
+# 1. Redistributions of source code must retain the above copyright
|
|
|
|
+# notice, this list of conditions and the following disclaimer.
|
|
|
|
+#
|
|
|
|
+# 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+# notice, this list of conditions and the following disclaimer in
|
|
|
|
+# the documentation and/or other materials provided with the
|
|
|
|
+# distribution.
|
|
|
|
+#
|
|
|
|
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+# OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+
|
|
|
|
+import StringIO
|
|
|
|
+import os
|
|
|
|
+import sys
|
|
|
|
+import signal
|
|
|
|
+
|
|
|
|
+try:
|
|
|
|
+ from pyrad import dictionary, packet, server
|
|
|
|
+except ImportError:
|
|
|
|
+ sys.stdout.write("pyrad not found!\n")
|
|
|
|
+ sys.exit(0)
|
|
|
|
+
|
|
|
|
+# We could use a dictionary file, but since we need
|
|
|
|
+# such few attributes, we'll just include them here
|
|
|
|
+DICTIONARY = """
|
|
|
|
+ATTRIBUTE\tUser-Name\t1\tstring
|
|
|
|
+ATTRIBUTE\tUser-Password\t2\toctets
|
|
|
|
+ATTRIBUTE\tNAS-Identifier\t32\tstring
|
|
|
|
+"""
|
|
|
|
+
|
|
|
|
+class TestServer(server.Server):
|
|
|
|
+ def _HandleAuthPacket(self, pkt):
|
|
|
|
+ server.Server._HandleAuthPacket(self, pkt)
|
|
|
|
+
|
|
|
|
+ passwd = []
|
|
|
|
+
|
|
|
|
+ print "Request: "
|
|
|
|
+ for key in pkt.keys():
|
|
|
|
+ if key == "User-Password":
|
|
|
|
+ passwd = map(pkt.PwDecrypt, pkt[key])
|
|
|
|
+ print "\t%s\t%s" % (key, passwd)
|
|
|
|
+ else:
|
|
|
|
+ print "\t%s\t%s" % (key, pkt[key])
|
|
|
|
+
|
|
|
|
+ reply = self.CreateReplyPacket(pkt)
|
|
|
|
+ if passwd == ['accept']:
|
|
|
|
+ reply.code = packet.AccessAccept
|
|
|
|
+ print "Response: %s" % "Access-Accept"
|
|
|
|
+ else:
|
|
|
|
+ reply.code = packet.AccessReject
|
|
|
|
+ print "Response: %s" % "Access-Reject"
|
|
|
|
+ print
|
|
|
|
+ self.SendReplyPacket(pkt.fd, reply)
|
|
|
|
+
|
|
|
|
+srv = TestServer(addresses=["localhost"],
|
|
|
|
+ hosts={"127.0.0.1":
|
|
|
|
+ server.RemoteHost("127.0.0.1", "foo", "localhost")},
|
|
|
|
+ dict=dictionary.Dictionary(StringIO.StringIO(DICTIONARY)))
|
|
|
|
+os.kill(os.getppid(), signal.SIGUSR1)
|
|
|
|
+srv.Run()
|
|
|
|
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..0a92e9c
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_packet.c
|
|
|
|
@@ -0,0 +1,194 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_packet.c - RADIUS packet test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_daemon.h"
|
|
|
|
+
|
|
|
|
+#define ACCEPT_PACKET 0
|
|
|
|
+#define REJECT_PACKET 1
|
|
|
|
+
|
|
|
|
+static krad_packet *packets[3];
|
|
|
|
+
|
|
|
|
+static const krad_packet *
|
|
|
|
+iterator(void *data, krb5_boolean cancel)
|
|
|
|
+{
|
|
|
|
+ krad_packet *tmp;
|
|
|
|
+ int *i = data;
|
|
|
|
+
|
|
|
|
+ if (cancel || packets[*i] == NULL)
|
|
|
|
+ return NULL;
|
|
|
|
+
|
|
|
|
+ tmp = packets[*i];
|
|
|
|
+ *i += 1;
|
|
|
|
+ return tmp;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+make_packet(krb5_context ctx, const krb5_data *username,
|
|
|
|
+ const krb5_data *password, krad_packet **pkt)
|
|
|
|
+{
|
|
|
|
+ krad_attrset *set = NULL;
|
|
|
|
+ krad_packet *tmp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ const krb5_data *data;
|
|
|
|
+ int i = 0;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_new(ctx, &set);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add(set, krad_attr_name2num("User-Name"), username);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add(set, krad_attr_name2num("User-Password"),
|
|
|
|
+ password);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ retval = krad_packet_new_request(ctx, "foo",
|
|
|
|
+ krad_code_name2num("Access-Request"),
|
|
|
|
+ set, iterator, &i, &tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ data = krad_packet_get_attr(tmp, krad_attr_name2num("User-Name"), 0);
|
|
|
|
+ if (data == NULL) {
|
|
|
|
+ retval = ENOENT;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (data->length != username->length ||
|
|
|
|
+ memcmp(data->data, username->data, data->length) != 0) {
|
|
|
|
+ retval = EINVAL;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *pkt = tmp;
|
|
|
|
+ tmp = NULL;
|
|
|
|
+
|
|
|
|
+out:
|
|
|
|
+ krad_attrset_free(set);
|
|
|
|
+ krad_packet_free(tmp);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+do_auth(krb5_context ctx, struct addrinfo *ai, const char *secret,
|
|
|
|
+ const krad_packet *rqst, krb5_boolean *auth)
|
|
|
|
+{
|
|
|
|
+ const krad_packet *req = NULL;
|
|
|
|
+ char tmp[KRAD_PACKET_SIZE_MAX];
|
|
|
|
+ const krb5_data *request;
|
|
|
|
+ krad_packet *rsp = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_data response;
|
|
|
|
+ int sock = -1, i;
|
|
|
|
+
|
|
|
|
+ response = make_data(tmp, sizeof(tmp));
|
|
|
|
+
|
|
|
|
+ sock = socket(ai->ai_family, ai->ai_socktype, 0);
|
|
|
|
+ if (sock < 0) {
|
|
|
|
+ retval = errno;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ request = krad_packet_encode(rqst);
|
|
|
|
+ if (sendto(sock, request->data, request->length, 0, ai->ai_addr,
|
|
|
|
+ ai->ai_addrlen) < 0) {
|
|
|
|
+ retval = errno;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ i = recv(sock, response.data, sizeof(tmp), 0);
|
|
|
|
+ if (i < 0) {
|
|
|
|
+ retval = errno;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+ response.length = i;
|
|
|
|
+
|
|
|
|
+ i = 0;
|
|
|
|
+ retval = krad_packet_decode_response(ctx, secret, &response, iterator, &i,
|
|
|
|
+ &req, &rsp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ if (req != rqst) {
|
|
|
|
+ retval = EBADMSG;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *auth = krad_packet_get_code(rsp) == krad_code_name2num("Access-Accept");
|
|
|
|
+
|
|
|
|
+out:
|
|
|
|
+ krad_packet_free(rsp);
|
|
|
|
+ if (sock >= 0)
|
|
|
|
+ close(sock);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main(int argc, const char **argv)
|
|
|
|
+{
|
|
|
|
+ struct addrinfo *ai = NULL, hints;
|
|
|
|
+ krb5_data username, password;
|
|
|
|
+ krb5_boolean auth = FALSE;
|
|
|
|
+ krb5_context ctx;
|
|
|
|
+
|
|
|
|
+ username = string2data("testUser");
|
|
|
|
+
|
|
|
|
+ if (!daemon_start(argc, argv)) {
|
|
|
|
+ fprintf(stderr, "Unable to start pyrad daemon, skipping test...\n");
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ noerror(krb5_init_context(&ctx));
|
|
|
|
+
|
|
|
|
+ password = string2data("accept");
|
|
|
|
+ noerror(make_packet(ctx, &username, &password, &packets[ACCEPT_PACKET]));
|
|
|
|
+
|
|
|
|
+ password = string2data("reject");
|
|
|
|
+ noerror(make_packet(ctx, &username, &password, &packets[REJECT_PACKET]));
|
|
|
|
+
|
|
|
|
+ memset(&hints, 0, sizeof(hints));
|
|
|
|
+ hints.ai_family = AF_INET;
|
|
|
|
+ hints.ai_socktype = SOCK_DGRAM;
|
|
|
|
+ noerror(gai_error_code(getaddrinfo("127.0.0.1", "radius", &hints, &ai)));
|
|
|
|
+
|
|
|
|
+ noerror(do_auth(ctx, ai, "foo", packets[ACCEPT_PACKET], &auth));
|
|
|
|
+ insist(auth == TRUE);
|
|
|
|
+
|
|
|
|
+ noerror(do_auth(ctx, ai, "foo", packets[REJECT_PACKET], &auth));
|
|
|
|
+ insist(auth == FALSE);
|
|
|
|
+
|
|
|
|
+ krad_packet_free(packets[ACCEPT_PACKET]);
|
|
|
|
+ krad_packet_free(packets[REJECT_PACKET]);
|
|
|
|
+ krb5_free_context(ctx);
|
|
|
|
+ freeaddrinfo(ai);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_remote.c b/src/lib/krad/t_remote.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..a521ecb
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_remote.c
|
|
|
|
@@ -0,0 +1,170 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_remote.c - Protocol test program */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_daemon.h"
|
|
|
|
+
|
|
|
|
+#define EVENT_COUNT 6
|
|
|
|
+
|
|
|
|
+static struct
|
|
|
|
+{
|
|
|
|
+ int count;
|
|
|
|
+ struct event events[EVENT_COUNT];
|
|
|
|
+} record;
|
|
|
|
+
|
|
|
|
+static krad_attrset *set;
|
|
|
|
+static krad_remote *rr;
|
|
|
|
+static verto_ctx *vctx;
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+callback(krb5_error_code retval, const krad_packet *request,
|
|
|
|
+ const krad_packet *response, void *data)
|
|
|
|
+{
|
|
|
|
+ struct event *evt;
|
|
|
|
+
|
|
|
|
+ evt = &record.events[record.count++];
|
|
|
|
+ evt->error = retval != 0;
|
|
|
|
+ if (evt->error)
|
|
|
|
+ evt->result.retval = retval;
|
|
|
|
+ else
|
|
|
|
+ evt->result.code = krad_packet_get_code(response);
|
|
|
|
+ verto_break(vctx);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+remote_new(krb5_context kctx, krad_remote **remote)
|
|
|
|
+{
|
|
|
|
+ struct addrinfo *ai = NULL, hints;
|
|
|
|
+
|
|
|
|
+ memset(&hints, 0, sizeof(hints));
|
|
|
|
+ hints.ai_family = AF_INET;
|
|
|
|
+ hints.ai_socktype = SOCK_DGRAM;
|
|
|
|
+ noerror(gai_error_code(getaddrinfo("127.0.0.1", "radius", &hints, &ai)));
|
|
|
|
+
|
|
|
|
+ noerror(kr_remote_new(kctx, vctx, ai, "foo", remote));
|
|
|
|
+ insist(kr_remote_equals(*remote, ai, "foo"));
|
|
|
|
+ freeaddrinfo(ai);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+do_auth(const char *password, const krad_packet **pkt)
|
|
|
|
+{
|
|
|
|
+ const krad_packet *tmppkt;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_data tmp = string2data((char *)password);
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add(set, krad_attr_name2num("User-Password"), &tmp);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ retval = kr_remote_send(rr, krad_code_name2num("Access-Request"), set,
|
|
|
|
+ callback, NULL, 1000, 3, &tmppkt);
|
|
|
|
+ krad_attrset_del(set, krad_attr_name2num("User-Password"), 0);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ if (pkt != NULL)
|
|
|
|
+ *pkt = tmppkt;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+test_timeout(verto_ctx *ctx, verto_ev *ev)
|
|
|
|
+{
|
|
|
|
+ static const krad_packet *pkt;
|
|
|
|
+
|
|
|
|
+ noerror(do_auth("accept", &pkt));
|
|
|
|
+ kr_remote_cancel(rr, pkt);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+int
|
|
|
|
+main(int argc, const char **argv)
|
|
|
|
+{
|
|
|
|
+ krb5_context kctx = NULL;
|
|
|
|
+ krb5_data tmp;
|
|
|
|
+
|
|
|
|
+ if (!daemon_start(argc, argv)) {
|
|
|
|
+ fprintf(stderr, "Unable to start pyrad daemon, skipping test...\n");
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Initialize. */
|
|
|
|
+ noerror(krb5_init_context(&kctx));
|
|
|
|
+ vctx = verto_new(NULL, VERTO_EV_TYPE_IO | VERTO_EV_TYPE_TIMEOUT);
|
|
|
|
+ insist(vctx != NULL);
|
|
|
|
+ remote_new(kctx, &rr);
|
|
|
|
+
|
|
|
|
+ /* Create attribute set. */
|
|
|
|
+ noerror(krad_attrset_new(kctx, &set));
|
|
|
|
+ tmp = string2data("testUser");
|
|
|
|
+ noerror(krad_attrset_add(set, krad_attr_name2num("User-Name"), &tmp));
|
|
|
|
+
|
|
|
|
+ /* Send accept packet. */
|
|
|
|
+ noerror(do_auth("accept", NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Send reject packet. */
|
|
|
|
+ noerror(do_auth("reject", NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Send canceled packet. */
|
|
|
|
+ insist(verto_add_timeout(vctx, VERTO_EV_FLAG_NONE, test_timeout, 0) !=
|
|
|
|
+ NULL);
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Test timeout. */
|
|
|
|
+ daemon_stop();
|
|
|
|
+ noerror(do_auth("accept", NULL));
|
|
|
|
+ verto_run(vctx);
|
|
|
|
+
|
|
|
|
+ /* Test outstanding packet freeing. */
|
|
|
|
+ noerror(do_auth("accept", NULL));
|
|
|
|
+ kr_remote_free(rr);
|
|
|
|
+ krad_attrset_free(set);
|
|
|
|
+
|
|
|
|
+ /* Verify the results. */
|
|
|
|
+ insist(record.count == EVENT_COUNT);
|
|
|
|
+ insist(record.events[0].error == FALSE);
|
|
|
|
+ insist(record.events[0].result.code ==
|
|
|
|
+ krad_code_name2num("Access-Accept"));
|
|
|
|
+ insist(record.events[1].error == FALSE);
|
|
|
|
+ insist(record.events[1].result.code ==
|
|
|
|
+ krad_code_name2num("Access-Reject"));
|
|
|
|
+ insist(record.events[2].error == TRUE);
|
|
|
|
+ insist(record.events[2].result.retval == ECANCELED);
|
|
|
|
+ insist(record.events[3].error == TRUE);
|
|
|
|
+ insist(record.events[3].result.retval == ETIMEDOUT);
|
|
|
|
+ insist(record.events[4].error == TRUE);
|
|
|
|
+ insist(record.events[4].result.retval == ECANCELED);
|
|
|
|
+ insist(record.events[5].error == TRUE);
|
|
|
|
+ insist(record.events[5].result.retval == ECANCELED);
|
|
|
|
+
|
|
|
|
+ verto_free(vctx);
|
|
|
|
+ krb5_free_context(kctx);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_test.c b/src/lib/krad/t_test.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..152bc77
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_test.c
|
|
|
|
@@ -0,0 +1,50 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_test.c - Utility functions for libkrad tests */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "t_test.h"
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+noerror_impl(const char *file, int line, const char *cmd, int retval)
|
|
|
|
+{
|
|
|
|
+ if (retval == 0)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ fprintf(stderr, "%s:%d: %s:\n\t%s\n", file, line, strerror(retval), cmd);
|
|
|
|
+ exit(1);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+insist_impl(const char *file, int line, const char *cmd, krb5_boolean result)
|
|
|
|
+{
|
|
|
|
+ if (result)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ fprintf(stderr, "%s:%d: insist failed:\n\t%s\n", file, line, cmd);
|
|
|
|
+ exit(1);
|
|
|
|
+}
|
|
|
|
diff --git a/src/lib/krad/t_test.h b/src/lib/krad/t_test.h
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..f44742f
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/lib/krad/t_test.h
|
|
|
|
@@ -0,0 +1,60 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* lib/krad/t_test.h - Shared declarations for libkrad test programs */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#ifndef T_TEST_H_
|
|
|
|
+#define T_TEST_H_
|
|
|
|
+
|
|
|
|
+#include "internal.h"
|
|
|
|
+
|
|
|
|
+#include <sys/wait.h>
|
|
|
|
+#include <signal.h>
|
|
|
|
+#include <unistd.h>
|
|
|
|
+#include <stdio.h>
|
|
|
|
+#include <stdlib.h>
|
|
|
|
+#include <string.h>
|
|
|
|
+
|
|
|
|
+#define insist(x) insist_impl(__FILE__, __LINE__, #x, x)
|
|
|
|
+#define noerror(x) noerror_impl(__FILE__, __LINE__, #x, x)
|
|
|
|
+
|
|
|
|
+struct event {
|
|
|
|
+ krb5_boolean error;
|
|
|
|
+ union
|
|
|
|
+ {
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krad_code code;
|
|
|
|
+ } result;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+noerror_impl(const char *file, int line, const char *cmd, int retval);
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+insist_impl(const char *file, int line, const char *cmd, krb5_boolean result);
|
|
|
|
+
|
|
|
|
+#endif /* T_TEST_H_ */
|
|
|
|
--
|
2013-05-03 21:04:40 +00:00
|
|
|
1.8.2.1
|
|
|
|
|
|
|
|
|
|
|
|
From 01c7bae6c9a962ffd38f9d5f70fdde7b9e6eb929 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
Date: Tue, 9 Apr 2013 12:24:47 -0400
|
|
|
|
Subject: [PATCH 4/4] add otp plugin
|
|
|
|
|
|
|
|
---
|
|
|
|
src/Makefile.in | 1 +
|
|
|
|
src/configure.in | 1 +
|
|
|
|
src/kdc/kdc_preauth.c | 2 +
|
|
|
|
src/plugins/preauth/otp/Makefile.in | 39 +++
|
|
|
|
src/plugins/preauth/otp/deps | 26 ++
|
|
|
|
src/plugins/preauth/otp/main.c | 379 ++++++++++++++++++++++++
|
|
|
|
src/plugins/preauth/otp/otp.exports | 1 +
|
|
|
|
src/plugins/preauth/otp/otp_state.c | 560 ++++++++++++++++++++++++++++++++++++
|
|
|
|
src/plugins/preauth/otp/otp_state.h | 59 ++++
|
|
|
|
9 files changed, 1068 insertions(+)
|
|
|
|
create mode 100644 src/plugins/preauth/otp/Makefile.in
|
|
|
|
create mode 100644 src/plugins/preauth/otp/deps
|
|
|
|
create mode 100644 src/plugins/preauth/otp/main.c
|
|
|
|
create mode 100644 src/plugins/preauth/otp/otp.exports
|
|
|
|
create mode 100644 src/plugins/preauth/otp/otp_state.c
|
|
|
|
create mode 100644 src/plugins/preauth/otp/otp_state.h
|
|
|
|
|
|
|
|
diff --git a/src/Makefile.in b/src/Makefile.in
|
|
|
|
index 2c65831..0b9d355 100644
|
|
|
|
--- a/src/Makefile.in
|
|
|
|
+++ b/src/Makefile.in
|
|
|
|
@@ -12,6 +12,7 @@ SUBDIRS=util include lib \
|
|
|
|
plugins/kadm5_hook/test \
|
|
|
|
plugins/kdb/db2 \
|
|
|
|
@ldap_plugin_dir@ \
|
|
|
|
+ plugins/preauth/otp \
|
|
|
|
plugins/preauth/pkinit \
|
|
|
|
kdc kadmin slave clients appl tests \
|
|
|
|
config-files man doc @po@
|
|
|
|
diff --git a/src/configure.in b/src/configure.in
|
|
|
|
index d8676e5..520e0c8 100644
|
|
|
|
--- a/src/configure.in
|
|
|
|
+++ b/src/configure.in
|
|
|
|
@@ -1337,6 +1337,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
|
|
|
|
plugins/kdb/db2/libdb2/test
|
|
|
|
plugins/kdb/hdb
|
|
|
|
plugins/preauth/cksum_body
|
|
|
|
+ plugins/preauth/otp
|
|
|
|
plugins/preauth/securid_sam2
|
|
|
|
plugins/preauth/wpse
|
|
|
|
plugins/authdata/greet
|
|
|
|
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
|
|
|
index 42a37a8..afbf1f6 100644
|
|
|
|
--- a/src/kdc/kdc_preauth.c
|
|
|
|
+++ b/src/kdc/kdc_preauth.c
|
|
|
|
@@ -238,6 +238,8 @@ get_plugin_vtables(krb5_context context,
|
|
|
|
/* Auto-register encrypted challenge and (if possible) pkinit. */
|
|
|
|
k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit",
|
|
|
|
"preauth");
|
|
|
|
+ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp",
|
|
|
|
+ "preauth");
|
|
|
|
k5_plugin_register(context, PLUGIN_INTERFACE_KDCPREAUTH,
|
|
|
|
"encrypted_challenge",
|
|
|
|
kdcpreauth_encrypted_challenge_initvt);
|
|
|
|
diff --git a/src/plugins/preauth/otp/Makefile.in b/src/plugins/preauth/otp/Makefile.in
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..43bd2ba
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/Makefile.in
|
|
|
|
@@ -0,0 +1,39 @@
|
|
|
|
+mydir=plugins$(S)preauth$(S)otp
|
|
|
|
+BUILDTOP=$(REL)..$(S)..$(S)..
|
|
|
|
+KRB5_CONFIG_SETUP = KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf ; export KRB5_CONFIG ;
|
|
|
|
+PROG_LIBPATH=-L$(TOPLIBD)
|
|
|
|
+PROG_RPATH=$(KRB5_LIBDIR)
|
|
|
|
+MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
|
|
|
|
+DEFS=@DEFS@
|
|
|
|
+
|
|
|
|
+LIBBASE=otp
|
|
|
|
+LIBMAJOR=0
|
|
|
|
+LIBMINOR=0
|
|
|
|
+SO_EXT=.so
|
|
|
|
+RELDIR=../plugins/preauth/otp
|
|
|
|
+
|
|
|
|
+SHLIB_EXPDEPS = $(VERTO_DEPLIBS) $(KRB5_BASE_DEPLIBS) \
|
|
|
|
+ $(TOPLIBD)/libkrad$(SHLIBEXT)
|
|
|
|
+
|
|
|
|
+SHLIB_EXPLIBS= -lkrad $(VERTO_LIBS) $(KRB5_BASE_LIBS)
|
|
|
|
+
|
|
|
|
+SHLIB_DIRS=-L$(TOPLIBD)
|
|
|
|
+SHLIB_RDIRS=$(KRB5_LIBDIR)
|
|
|
|
+STOBJLISTS=OBJS.ST
|
|
|
|
+STLIBOBJS = \
|
|
|
|
+ otp_state.o \
|
|
|
|
+ main.o
|
|
|
|
+
|
|
|
|
+SRCS = \
|
|
|
|
+ $(srcdir)/otp_state.c \
|
|
|
|
+ $(srcdir)/main.c
|
|
|
|
+
|
|
|
|
+all-unix:: all-liblinks
|
|
|
|
+install-unix:: install-libs
|
|
|
|
+clean-unix:: clean-liblinks clean-libs clean-libobjs
|
|
|
|
+
|
|
|
|
+clean::
|
|
|
|
+ $(RM) lib$(LIBBASE)$(SO_EXT)
|
|
|
|
+
|
|
|
|
+@libnover_frag@
|
|
|
|
+@libobj_frag@
|
|
|
|
diff --git a/src/plugins/preauth/otp/deps b/src/plugins/preauth/otp/deps
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..3352126
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/deps
|
|
|
|
@@ -0,0 +1,26 @@
|
|
|
|
+#
|
|
|
|
+# Generated makefile dependencies follow.
|
|
|
|
+#
|
|
|
|
+otp_state.so otp_state.po $(OUTPRE)otp_state.$(OBJEXT): \
|
|
|
|
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
|
|
|
|
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
|
|
|
|
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
|
|
|
|
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-json.h \
|
|
|
|
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
|
|
|
|
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
|
|
|
|
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
|
|
|
|
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
|
|
|
|
+ otp_state.c otp_state.h
|
|
|
|
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
|
|
|
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
|
|
|
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
|
|
|
|
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
|
|
|
|
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
|
|
|
|
+ $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \
|
|
|
|
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
|
|
|
|
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
|
|
|
|
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
|
|
|
|
+ $(top_srcdir)/include/socket-utils.h main.c otp_state.h
|
|
|
|
diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..2f7470e
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/main.c
|
|
|
|
@@ -0,0 +1,379 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* plugins/preauth/otp/main.c - OTP kdcpreauth module definition */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2011 NORDUnet A/S. All rights reserved.
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "k5-int.h"
|
|
|
|
+#include "k5-json.h"
|
|
|
|
+#include <krb5/preauth_plugin.h>
|
|
|
|
+#include "otp_state.h"
|
|
|
|
+
|
|
|
|
+#include <errno.h>
|
|
|
|
+#include <ctype.h>
|
|
|
|
+
|
|
|
|
+static krb5_preauthtype otp_pa_type_list[] =
|
|
|
|
+ { KRB5_PADATA_OTP_REQUEST, 0 };
|
|
|
|
+
|
|
|
|
+struct request_state {
|
|
|
|
+ krb5_kdcpreauth_verify_respond_fn respond;
|
|
|
|
+ void *arg;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+decrypt_encdata(krb5_context context, krb5_keyblock *armor_key,
|
|
|
|
+ krb5_pa_otp_req *req, krb5_data *out)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_data plaintext;
|
|
|
|
+
|
|
|
|
+ if (req == NULL)
|
|
|
|
+ return EINVAL;
|
|
|
|
+
|
|
|
|
+ retval = alloc_data(&plaintext, req->enc_data.ciphertext.length);
|
|
|
|
+ if (retval)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ retval = krb5_c_decrypt(context, armor_key, KRB5_KEYUSAGE_PA_OTP_REQUEST,
|
|
|
|
+ NULL, &req->enc_data, &plaintext);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ com_err("otp", retval, "Unable to decrypt encData in PA-OTP-REQUEST");
|
|
|
|
+ free(plaintext.data);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *out = plaintext;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+nonce_verify(krb5_context ctx, krb5_keyblock *armor_key,
|
|
|
|
+ const krb5_data *nonce)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_timestamp ts;
|
|
|
|
+ krb5_data *er = NULL;
|
|
|
|
+
|
|
|
|
+ if (armor_key == NULL || nonce->data == NULL) {
|
|
|
|
+ retval = EINVAL;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Decode the PA-OTP-ENC-REQUEST structure. */
|
|
|
|
+ retval = decode_krb5_pa_otp_enc_req(nonce, &er);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ /* Make sure the nonce is exactly the same size as the one generated. */
|
|
|
|
+ if (er->length != armor_key->length + sizeof(krb5_timestamp))
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ /* Check to make sure the timestamp at the beginning is still valid. */
|
|
|
|
+ ts = load_32_be(er->data);
|
|
|
|
+ retval = krb5_check_clockskew(ctx, ts);
|
|
|
|
+
|
|
|
|
+out:
|
|
|
|
+ krb5_free_data(ctx, er);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+timestamp_verify(krb5_context ctx, const krb5_data *nonce)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval = EINVAL;
|
|
|
|
+ krb5_pa_enc_ts *et = NULL;
|
|
|
|
+
|
|
|
|
+ if (nonce->data == NULL)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ /* Decode the PA-ENC-TS-ENC structure. */
|
|
|
|
+ retval = decode_krb5_pa_enc_ts(nonce, &et);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ /* Check the clockskew. */
|
|
|
|
+ retval = krb5_check_clockskew(ctx, et->patimestamp);
|
|
|
|
+
|
|
|
|
+out:
|
|
|
|
+ krb5_free_pa_enc_ts(ctx, et);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+nonce_generate(krb5_context ctx, unsigned int length, krb5_data *nonce_out)
|
|
|
|
+{
|
|
|
|
+ krb5_data nonce;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_timestamp now;
|
|
|
|
+
|
|
|
|
+ retval = krb5_timeofday(ctx, &now);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ retval = alloc_data(&nonce, sizeof(now) + length);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ retval = krb5_c_random_make_octets(ctx, &nonce);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ free(nonce.data);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ store_32_be(now, nonce.data);
|
|
|
|
+ *nonce_out = nonce;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+on_response(void *data, krb5_error_code retval, otp_response response)
|
|
|
|
+{
|
|
|
|
+ struct request_state rs = *(struct request_state *)data;
|
|
|
|
+
|
|
|
|
+ free(data);
|
|
|
|
+
|
|
|
|
+ if (retval == 0 && response != otp_response_success)
|
|
|
|
+ retval = KRB5_PREAUTH_FAILED;
|
|
|
|
+
|
|
|
|
+ rs.respond(rs.arg, retval, NULL, NULL, NULL);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+otp_init(krb5_context context, krb5_kdcpreauth_moddata *moddata_out,
|
|
|
|
+ const char **realmnames)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ otp_state *state;
|
|
|
|
+
|
|
|
|
+ retval = otp_state_new(context, &state);
|
|
|
|
+ if (retval)
|
|
|
|
+ return retval;
|
|
|
|
+ *moddata_out = (krb5_kdcpreauth_moddata)state;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+otp_fini(krb5_context context, krb5_kdcpreauth_moddata moddata)
|
|
|
|
+{
|
|
|
|
+ otp_state_free((otp_state *)moddata);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static int
|
|
|
|
+otp_flags(krb5_context context, krb5_preauthtype pa_type)
|
|
|
|
+{
|
|
|
|
+ return PA_REPLACES_KEY;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+otp_edata(krb5_context context, krb5_kdc_req *request,
|
|
|
|
+ krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
|
|
|
|
+ krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
|
|
|
|
+ krb5_kdcpreauth_edata_respond_fn respond, void *arg)
|
|
|
|
+{
|
|
|
|
+ krb5_otp_tokeninfo ti, *tis[2] = { &ti, NULL };
|
|
|
|
+ krb5_keyblock *armor_key = NULL;
|
|
|
|
+ krb5_pa_otp_challenge chl;
|
|
|
|
+ krb5_pa_data *pa = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_data *encoding;
|
|
|
|
+ char *config;
|
|
|
|
+
|
|
|
|
+ /* Determine if otp is enabled for the user. */
|
|
|
|
+ retval = cb->get_string(context, rock, "otp", &config);
|
|
|
|
+ if (retval != 0 || config == NULL)
|
|
|
|
+ goto out;
|
|
|
|
+ cb->free_string(context, rock, config);
|
|
|
|
+
|
|
|
|
+ /* Get the armor key. This indicates the length of random data to use in
|
|
|
|
+ * the nonce. */
|
|
|
|
+ armor_key = cb->fast_armor(context, rock);
|
|
|
|
+ if (armor_key == NULL) {
|
|
|
|
+ retval = ENOENT;
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Build the (mostly empty) challenge. */
|
|
|
|
+ memset(&ti, 0, sizeof(ti));
|
|
|
|
+ memset(&chl, 0, sizeof(chl));
|
|
|
|
+ chl.tokeninfo = tis;
|
|
|
|
+ ti.format = -1;
|
|
|
|
+ ti.length = -1;
|
|
|
|
+ ti.iteration_count = -1;
|
|
|
|
+
|
|
|
|
+ /* Generate the nonce. */
|
|
|
|
+ retval = nonce_generate(context, armor_key->length, &chl.nonce);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+
|
|
|
|
+ /* Build the output pa-data. */
|
|
|
|
+ retval = encode_krb5_pa_otp_challenge(&chl, &encoding);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto out;
|
|
|
|
+ pa = k5alloc(sizeof(krb5_pa_data), &retval);
|
|
|
|
+ if (pa == NULL) {
|
|
|
|
+ krb5_free_data(context, encoding);
|
|
|
|
+ goto out;
|
|
|
|
+ }
|
|
|
|
+ pa->pa_type = KRB5_PADATA_OTP_CHALLENGE;
|
|
|
|
+ pa->contents = (krb5_octet *)encoding->data;
|
|
|
|
+ pa->length = encoding->length;
|
|
|
|
+ free(encoding);
|
|
|
|
+
|
|
|
|
+out:
|
|
|
|
+ (*respond)(arg, retval, pa);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
|
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
|
|
|
|
+ krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
|
|
|
|
+ krb5_kdcpreauth_moddata moddata,
|
|
|
|
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg)
|
|
|
|
+{
|
|
|
|
+ krb5_keyblock *armor_key = NULL;
|
|
|
|
+ krb5_pa_otp_req *req = NULL;
|
|
|
|
+ struct request_state *rs;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ krb5_data d, plaintext;
|
|
|
|
+ char *config;
|
|
|
|
+
|
|
|
|
+ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
|
|
|
|
+
|
|
|
|
+ /* Get the FAST armor key. */
|
|
|
|
+ armor_key = cb->fast_armor(context, rock);
|
|
|
|
+ if (armor_key == NULL) {
|
|
|
|
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
|
|
|
|
+ com_err("otp", retval, "No armor key found when verifying padata");
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Decode the request. */
|
|
|
|
+ d = make_data(pa->contents, pa->length);
|
|
|
|
+ retval = decode_krb5_pa_otp_req(&d, &req);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ com_err("otp", retval, "Unable to decode OTP request");
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Decrypt the nonce from the request. */
|
|
|
|
+ retval = decrypt_encdata(context, armor_key, req, &plaintext);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ com_err("otp", retval, "Unable to decrypt nonce");
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Verify the nonce or timestamp. */
|
|
|
|
+ retval = nonce_verify(context, armor_key, &plaintext);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ retval = timestamp_verify(context, &plaintext);
|
|
|
|
+ krb5_free_data_contents(context, &plaintext);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ com_err("otp", retval, "Unable to verify nonce or timestamp");
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Create the request state. */
|
|
|
|
+ rs = k5alloc(sizeof(struct request_state), &retval);
|
|
|
|
+ if (rs == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+ rs->arg = arg;
|
|
|
|
+ rs->respond = respond;
|
|
|
|
+
|
|
|
|
+ /* Get the principal's OTP configuration string. */
|
|
|
|
+ retval = cb->get_string(context, rock, "otp", &config);
|
|
|
|
+ if (config == NULL)
|
|
|
|
+ retval = KRB5_PREAUTH_FAILED;
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ free(rs);
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Send the request. */
|
|
|
|
+ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
|
|
|
|
+ request->client, config, req, on_response, rs);
|
|
|
|
+ cb->free_string(context, rock, config);
|
|
|
|
+
|
|
|
|
+ k5_free_pa_otp_req(context, req);
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ k5_free_pa_otp_req(context, req);
|
|
|
|
+ (*respond)(arg, retval, NULL, NULL, NULL);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static krb5_error_code
|
|
|
|
+otp_return_padata(krb5_context context, krb5_pa_data *padata,
|
|
|
|
+ krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
|
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
|
|
|
|
+ krb5_pa_data **send_pa_out, krb5_kdcpreauth_callbacks cb,
|
|
|
|
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
|
|
|
|
+ krb5_kdcpreauth_modreq modreq)
|
|
|
|
+{
|
|
|
|
+ krb5_keyblock *armor_key = NULL;
|
|
|
|
+
|
|
|
|
+ if (padata->length == 0)
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+ /* Get the armor key. */
|
|
|
|
+ armor_key = cb->fast_armor(context, rock);
|
|
|
|
+ if (!armor_key) {
|
|
|
|
+ com_err("otp", ENOENT, "No armor key found when returning padata");
|
|
|
|
+ return ENOENT;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Replace the reply key with the FAST armor key. */
|
|
|
|
+ krb5_free_keyblock_contents(context, encrypting_key);
|
|
|
|
+ return krb5_copy_keyblock_contents(context, armor_key, encrypting_key);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kdcpreauth_otp_initvt(krb5_context context, int maj_ver, int min_ver,
|
|
|
|
+ krb5_plugin_vtable vtable);
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+kdcpreauth_otp_initvt(krb5_context context, int maj_ver, int min_ver,
|
|
|
|
+ krb5_plugin_vtable vtable)
|
|
|
|
+{
|
|
|
|
+ krb5_kdcpreauth_vtable vt;
|
|
|
|
+
|
|
|
|
+ if (maj_ver != 1)
|
|
|
|
+ return KRB5_PLUGIN_VER_NOTSUPP;
|
|
|
|
+
|
|
|
|
+ vt = (krb5_kdcpreauth_vtable)vtable;
|
|
|
|
+ vt->name = "otp";
|
|
|
|
+ vt->pa_type_list = otp_pa_type_list;
|
|
|
|
+ vt->init = otp_init;
|
|
|
|
+ vt->fini = otp_fini;
|
|
|
|
+ vt->flags = otp_flags;
|
|
|
|
+ vt->edata = otp_edata;
|
|
|
|
+ vt->verify = otp_verify;
|
|
|
|
+ vt->return_padata = otp_return_padata;
|
|
|
|
+
|
|
|
|
+ com_err("otp", 0, "Loaded");
|
|
|
|
+
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
diff --git a/src/plugins/preauth/otp/otp.exports b/src/plugins/preauth/otp/otp.exports
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..26aa19d
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/otp.exports
|
|
|
|
@@ -0,0 +1 @@
|
|
|
|
+kdcpreauth_otp_initvt
|
|
|
|
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..95f88e0
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/otp_state.c
|
|
|
|
@@ -0,0 +1,560 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* plugins/preauth/otp/otp_state.c - Verify OTP token values using RADIUS */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#include "otp_state.h"
|
|
|
|
+
|
|
|
|
+#include <krad.h>
|
|
|
|
+#include <k5-json.h>
|
|
|
|
+
|
|
|
|
+#include <ctype.h>
|
|
|
|
+
|
|
|
|
+#ifndef HOST_NAME_MAX
|
|
|
|
+/* SUSv2 */
|
|
|
|
+#define HOST_NAME_MAX 255
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
+#define DEFAULT_TYPE_NAME "DEFAULT"
|
|
|
|
+#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket"
|
|
|
|
+#define DEFAULT_TIMEOUT 5
|
|
|
|
+#define DEFAULT_RETRIES 3
|
|
|
|
+
|
|
|
|
+typedef struct token_type_st {
|
|
|
|
+ char *name;
|
|
|
|
+ char *server;
|
|
|
|
+ char *secret;
|
|
|
|
+ int timeout;
|
|
|
|
+ size_t retries;
|
|
|
|
+ krb5_boolean strip_realm;
|
|
|
|
+} token_type;
|
|
|
|
+
|
|
|
|
+typedef struct token_st {
|
|
|
|
+ const token_type *type;
|
|
|
|
+ krb5_data username;
|
|
|
|
+} token;
|
|
|
|
+
|
|
|
|
+typedef struct request_st {
|
|
|
|
+ otp_state *state;
|
|
|
|
+ token *tokens;
|
|
|
|
+ ssize_t index;
|
|
|
|
+ otp_cb cb;
|
|
|
|
+ void *data;
|
|
|
|
+ krad_attrset *attrs;
|
|
|
|
+} request;
|
|
|
|
+
|
|
|
|
+struct otp_state_st {
|
|
|
|
+ krb5_context ctx;
|
|
|
|
+ token_type *types;
|
|
|
|
+ krad_client *radius;
|
|
|
|
+ krad_attrset *attrs;
|
|
|
|
+};
|
|
|
|
+
|
|
|
|
+static void request_send(request *req);
|
|
|
|
+
|
|
|
|
+/* Free the contents of a single token type. */
|
|
|
|
+static void
|
|
|
|
+token_type_free(token_type *type)
|
|
|
|
+{
|
|
|
|
+ if (type == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ free(type->name);
|
|
|
|
+ free(type->server);
|
|
|
|
+ free(type->secret);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Construct the internal default token type. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+token_type_default(token_type *out)
|
|
|
|
+{
|
|
|
|
+ char *name = NULL, *server = NULL, *secret = NULL;
|
|
|
|
+
|
|
|
|
+ memset(out, 0, sizeof(*out));
|
|
|
|
+
|
|
|
|
+ name = strdup(DEFAULT_TYPE_NAME);
|
|
|
|
+ if (name == NULL)
|
|
|
|
+ goto oom;
|
|
|
|
+ if (asprintf(&server, DEFAULT_SOCKET_FMT, name) < 0)
|
|
|
|
+ goto oom;
|
|
|
|
+ secret = strdup("");
|
|
|
|
+ if (secret == NULL)
|
|
|
|
+ goto oom;
|
|
|
|
+
|
|
|
|
+ out->name = name;
|
|
|
|
+ out->server = server;
|
|
|
|
+ out->secret = secret;
|
|
|
|
+ out->timeout = DEFAULT_TIMEOUT * 1000;
|
|
|
|
+ out->retries = DEFAULT_RETRIES;
|
|
|
|
+ out->strip_realm = FALSE;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+oom:
|
|
|
|
+ free(name);
|
|
|
|
+ free(server);
|
|
|
|
+ free(secret);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode a single token type from the profile. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+token_type_decode(profile_t profile, const char *name, token_type *out)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ char *server = NULL, *name_copy = NULL, *secret = NULL;
|
|
|
|
+ const char *default_secret;
|
|
|
|
+ int strip_realm, timeout, retries;
|
|
|
|
+
|
|
|
|
+ memset(out, 0, sizeof(*out));
|
|
|
|
+
|
|
|
|
+ /* Set the name. */
|
|
|
|
+ name_copy = strdup(name);
|
|
|
|
+ if (name_copy == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ /* Set strip_realm. */
|
|
|
|
+ retval = profile_get_boolean(profile, "otp", name, "strip_realm", TRUE,
|
|
|
|
+ &strip_realm);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ /* Set the server. */
|
|
|
|
+ retval = profile_get_string(profile, "otp", name, "server", NULL, &server);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ if (server == NULL && asprintf(&server, DEFAULT_SOCKET_FMT, name) < 0) {
|
|
|
|
+ retval = ENOMEM;
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Get the secret (optional for Unix-domain sockets). */
|
|
|
|
+ default_secret = (*server == '/') ? "" : NULL;
|
|
|
|
+ retval = profile_get_string(profile, "otp", name, "secret", default_secret,
|
|
|
|
+ &secret);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ if (secret == NULL) {
|
|
|
|
+ com_err("otp", EINVAL, "Secret not specified in token type '%s'",
|
|
|
|
+ name);
|
|
|
|
+ retval = EINVAL;
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Get the timeout (profile value in seconds, result in milliseconds). */
|
|
|
|
+ retval = profile_get_integer(profile, "otp", name, "timeout",
|
|
|
|
+ DEFAULT_TIMEOUT, &timeout);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ timeout *= 1000;
|
|
|
|
+
|
|
|
|
+ /* Get the number of retries. */
|
|
|
|
+ retval = profile_get_integer(profile, "otp", name, "retries",
|
|
|
|
+ DEFAULT_RETRIES, &retries);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ out->name = name_copy;
|
|
|
|
+ out->server = server;
|
|
|
|
+ out->secret = secret;
|
|
|
|
+ out->timeout = timeout;
|
|
|
|
+ out->retries = retries;
|
|
|
|
+ out->strip_realm = strip_realm;
|
|
|
|
+ name_copy = server = secret = NULL;
|
|
|
|
+
|
|
|
|
+cleanup:
|
|
|
|
+ free(name_copy);
|
|
|
|
+ free(server);
|
|
|
|
+ free(secret);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Free an array of token types. */
|
|
|
|
+static void
|
|
|
|
+token_types_free(token_type *types)
|
|
|
|
+{
|
|
|
|
+ size_t i;
|
|
|
|
+
|
|
|
|
+ if (types == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ for (i = 0; types[i].server != NULL; i++)
|
|
|
|
+ token_type_free(&types[i]);
|
|
|
|
+
|
|
|
|
+ free(types);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode an array of token types from the profile. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+token_types_decode(profile_t profile, token_type **out)
|
|
|
|
+{
|
|
|
|
+ const char *hier[2] = { "otp", NULL };
|
|
|
|
+ token_type *types = NULL;
|
|
|
|
+ char **names = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ size_t i, pos;
|
|
|
|
+ krb5_boolean have_default = FALSE;
|
|
|
|
+
|
|
|
|
+ retval = profile_get_subsection_names(profile, hier, &names);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ /* Check if any of the profile subsections overrides the default. */
|
|
|
|
+ for (i = 0; names[i] != NULL; i++) {
|
|
|
|
+ if (strcmp(names[i], DEFAULT_TYPE_NAME) == 0)
|
|
|
|
+ have_default = TRUE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Leave space for the default (possibly) and the terminator. */
|
|
|
|
+ types = k5alloc((i + 2) * sizeof(token_type), &retval);
|
|
|
|
+ if (types == NULL)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ /* If no default has been specified, use our internal default. */
|
|
|
|
+ pos = 0;
|
|
|
|
+ if (!have_default) {
|
|
|
|
+ retval = token_type_default(&types[pos++]);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* Decode each profile section into a token type element. */
|
|
|
|
+ for (i = 0; names[i] != NULL; i++) {
|
|
|
|
+ retval = token_type_decode(profile, names[i], &types[pos++]);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ *out = types;
|
|
|
|
+ types = NULL;
|
|
|
|
+
|
|
|
|
+cleanup:
|
|
|
|
+ profile_free_list(names);
|
|
|
|
+ token_types_free(types);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Free the contents of a single token. */
|
|
|
|
+static void
|
|
|
|
+token_free_contents(token *t)
|
|
|
|
+{
|
|
|
|
+ if (t != NULL)
|
|
|
|
+ free(t->username.data);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode a single token from a JSON token object. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+token_decode(krb5_context ctx, krb5_const_principal princ,
|
|
|
|
+ const token_type *types, k5_json_object obj, token *out)
|
|
|
|
+{
|
|
|
|
+ const char *typename = DEFAULT_TYPE_NAME;
|
|
|
|
+ const token_type *type = NULL;
|
|
|
|
+ char *username = NULL;
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ k5_json_value val;
|
|
|
|
+ size_t i;
|
|
|
|
+ int flags;
|
|
|
|
+
|
|
|
|
+ memset(out, 0, sizeof(*out));
|
|
|
|
+
|
|
|
|
+ /* Find the token type. */
|
|
|
|
+ val = k5_json_object_get(obj, "type");
|
|
|
|
+ if (val != NULL && k5_json_get_tid(val) == K5_JSON_TID_STRING)
|
|
|
|
+ typename = k5_json_string_utf8(val);
|
|
|
|
+ for (i = 0; types[i].server != NULL; i++) {
|
|
|
|
+ if (strcmp(typename, types[i].name) == 0)
|
|
|
|
+ type = &types[i];
|
|
|
|
+ }
|
|
|
|
+ if (type == NULL)
|
|
|
|
+ return EINVAL;
|
|
|
|
+
|
|
|
|
+ /* Get the username, either from obj or from unparsing the principal. */
|
|
|
|
+ val = k5_json_object_get(obj, "username");
|
|
|
|
+ if (val != NULL && k5_json_get_tid(val) == K5_JSON_TID_STRING) {
|
|
|
|
+ username = strdup(k5_json_string_utf8(val));
|
|
|
|
+ if (username == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ } else {
|
|
|
|
+ flags = type->strip_realm ? KRB5_PRINCIPAL_UNPARSE_NO_REALM : 0;
|
|
|
|
+ retval = krb5_unparse_name_flags(ctx, princ, flags, &username);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ out->type = type;
|
|
|
|
+ out->username = string2data(username);
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Free an array of tokens. */
|
|
|
|
+static void
|
|
|
|
+tokens_free(token *tokens)
|
|
|
|
+{
|
|
|
|
+ size_t i;
|
|
|
|
+
|
|
|
|
+ if (tokens == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ for (i = 0; tokens[i].type != NULL; i++)
|
|
|
|
+ token_free_contents(&tokens[i]);
|
|
|
|
+
|
|
|
|
+ free(tokens);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Decode an array of tokens from the configuration string. */
|
|
|
|
+static krb5_error_code
|
|
|
|
+tokens_decode(krb5_context ctx, krb5_const_principal princ,
|
|
|
|
+ const token_type *types, const char *config, token **out)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ k5_json_value arr, obj;
|
|
|
|
+ token *tokens;
|
|
|
|
+ ssize_t len, i, j;
|
|
|
|
+
|
|
|
|
+ if (config == NULL)
|
|
|
|
+ config = "[{}]";
|
|
|
|
+
|
|
|
|
+ arr = k5_json_decode(config);
|
|
|
|
+ if (arr == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ if (k5_json_get_tid(arr) != K5_JSON_TID_ARRAY ||
|
|
|
|
+ (len = k5_json_array_length(arr)) == 0) {
|
|
|
|
+ k5_json_release(arr);
|
|
|
|
+
|
|
|
|
+ arr = k5_json_decode("[{}]");
|
|
|
|
+ if (arr == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ if (k5_json_get_tid(arr) != K5_JSON_TID_ARRAY) {
|
|
|
|
+ k5_json_release(arr);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ len = k5_json_array_length(arr);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ tokens = calloc(len + 1, sizeof(token));
|
|
|
|
+ if (tokens == NULL) {
|
|
|
|
+ k5_json_release(arr);
|
|
|
|
+ return ENOMEM;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ for (i = 0, j = 0; i < len; i++) {
|
|
|
|
+ obj = k5_json_array_get(arr, i);
|
|
|
|
+ if (k5_json_get_tid(obj) != K5_JSON_TID_OBJECT)
|
|
|
|
+ continue;
|
|
|
|
+
|
|
|
|
+ retval = token_decode(ctx, princ, types, obj, &tokens[j++]);
|
|
|
|
+ if (retval != 0) {
|
|
|
|
+ k5_json_release(arr);
|
|
|
|
+ while (--j > 0)
|
|
|
|
+ token_free_contents(&tokens[j]);
|
|
|
|
+ free(tokens);
|
|
|
|
+ return retval;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ k5_json_release(arr);
|
|
|
|
+ *out = tokens;
|
|
|
|
+ return 0;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+request_free(request *req)
|
|
|
|
+{
|
|
|
|
+ if (req == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ krad_attrset_free(req->attrs);
|
|
|
|
+ tokens_free(req->tokens);
|
|
|
|
+ free(req);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+otp_state_new(krb5_context ctx, otp_state **out)
|
|
|
|
+{
|
|
|
|
+ char hostname[HOST_NAME_MAX + 1];
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ profile_t profile;
|
|
|
|
+ krb5_data hndata;
|
|
|
|
+ otp_state *self;
|
|
|
|
+
|
|
|
|
+ retval = gethostname(hostname, sizeof(hostname));
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ return retval;
|
|
|
|
+
|
|
|
|
+ self = calloc(1, sizeof(otp_state));
|
|
|
|
+ if (self == NULL)
|
|
|
|
+ return ENOMEM;
|
|
|
|
+
|
|
|
|
+ retval = krb5_get_profile(ctx, &profile);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = token_types_decode(profile, &self->types);
|
|
|
|
+ profile_abandon(profile);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_new(ctx, &self->attrs);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ hndata = make_data(hostname, strlen(hostname));
|
|
|
|
+ retval = krad_attrset_add(self->attrs,
|
|
|
|
+ krad_attr_name2num("NAS-Identifier"), &hndata);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add_number(self->attrs,
|
|
|
|
+ krad_attr_name2num("Service-Type"),
|
|
|
|
+ KRAD_SERVICE_TYPE_AUTHENTICATE_ONLY);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ self->ctx = ctx;
|
|
|
|
+ *out = self;
|
|
|
|
+ return 0;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ otp_state_free(self);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+otp_state_free(otp_state *self)
|
|
|
|
+{
|
|
|
|
+ if (self == NULL)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+ krad_attrset_free(self->attrs);
|
|
|
|
+ token_types_free(self->types);
|
|
|
|
+ free(self);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+callback(krb5_error_code retval, const krad_packet *rqst,
|
|
|
|
+ const krad_packet *resp, void *data)
|
|
|
|
+{
|
|
|
|
+ request *req = data;
|
|
|
|
+
|
|
|
|
+ req->index++;
|
|
|
|
+
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* If we received an accept packet, success! */
|
|
|
|
+ if (krad_packet_get_code(resp) ==
|
|
|
|
+ krad_code_name2num("Access-Accept")) {
|
|
|
|
+ req->cb(req->data, retval, otp_response_success);
|
|
|
|
+ request_free(req);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ /* If we have no more tokens to try, failure! */
|
|
|
|
+ if (req->tokens[req->index].type == NULL)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ /* Try the next token. */
|
|
|
|
+ request_send(req);
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ req->cb(req->data, retval, otp_response_fail);
|
|
|
|
+ request_free(req);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static void
|
|
|
|
+request_send(request *req)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ token *tok = &req->tokens[req->index];
|
|
|
|
+ const token_type *t = tok->type;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add(req->attrs, krad_attr_name2num("User-Name"),
|
|
|
|
+ &tok->username);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = krad_client_send(req->state->radius,
|
|
|
|
+ krad_code_name2num("Access-Request"), req->attrs,
|
|
|
|
+ t->server, t->secret, t->timeout, t->retries,
|
|
|
|
+ callback, req);
|
|
|
|
+ krad_attrset_del(req->attrs, krad_attr_name2num("User-Name"), 0);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ req->cb(req->data, retval, otp_response_fail);
|
|
|
|
+ request_free(req);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+otp_state_verify(otp_state *state, verto_ctx *ctx, krb5_const_principal princ,
|
|
|
|
+ const char *config, const krb5_pa_otp_req *req,
|
|
|
|
+ otp_cb cb, void *data)
|
|
|
|
+{
|
|
|
|
+ krb5_error_code retval;
|
|
|
|
+ request *rqst = NULL;
|
|
|
|
+
|
|
|
|
+ if (state->radius == NULL) {
|
|
|
|
+ retval = krad_client_new(state->ctx, ctx, &state->radius);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ rqst = calloc(1, sizeof(request));
|
|
|
|
+ if (rqst == NULL) {
|
|
|
|
+ (*cb)(data, ENOMEM, otp_response_fail);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+ rqst->state = state;
|
|
|
|
+ rqst->data = data;
|
|
|
|
+ rqst->cb = cb;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_copy(state->attrs, &rqst->attrs);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = krad_attrset_add(rqst->attrs, krad_attr_name2num("User-Password"),
|
|
|
|
+ &req->otp_value);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ retval = tokens_decode(state->ctx, princ, state->types, config,
|
|
|
|
+ &rqst->tokens);
|
|
|
|
+ if (retval != 0)
|
|
|
|
+ goto error;
|
|
|
|
+
|
|
|
|
+ request_send(rqst);
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
+error:
|
|
|
|
+ (*cb)(data, retval, otp_response_fail);
|
|
|
|
+ request_free(rqst);
|
|
|
|
+}
|
|
|
|
diff --git a/src/plugins/preauth/otp/otp_state.h b/src/plugins/preauth/otp/otp_state.h
|
|
|
|
new file mode 100644
|
|
|
|
index 0000000..4247d0b
|
|
|
|
--- /dev/null
|
|
|
|
+++ b/src/plugins/preauth/otp/otp_state.h
|
|
|
|
@@ -0,0 +1,59 @@
|
|
|
|
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
|
|
+/* plugins/preauth/otp/otp_state.h - Internal declarations for OTP module */
|
|
|
|
+/*
|
|
|
|
+ * Copyright 2013 Red Hat, Inc. All rights reserved.
|
|
|
|
+ *
|
|
|
|
+ * Redistribution and use in source and binary forms, with or without
|
|
|
|
+ * modification, are permitted provided that the following conditions are met:
|
|
|
|
+ *
|
|
|
|
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer.
|
|
|
|
+ *
|
|
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
+ * notice, this list of conditions and the following disclaimer in
|
|
|
|
+ * the documentation and/or other materials provided with the
|
|
|
|
+ * distribution.
|
|
|
|
+ *
|
|
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
|
|
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
|
|
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
+ */
|
|
|
|
+
|
|
|
|
+#ifndef OTP_H_
|
|
|
|
+#define OTP_H_
|
|
|
|
+
|
|
|
|
+#include <k5-int.h>
|
|
|
|
+#include <verto.h>
|
|
|
|
+
|
|
|
|
+#include <com_err.h>
|
|
|
|
+
|
|
|
|
+typedef enum otp_response {
|
|
|
|
+ otp_response_fail = 0,
|
|
|
|
+ otp_response_success
|
|
|
|
+ /* Other values reserved for responses like next token or new pin. */
|
|
|
|
+} otp_response;
|
|
|
|
+
|
|
|
|
+typedef struct otp_state_st otp_state;
|
|
|
|
+typedef void
|
|
|
|
+(*otp_cb)(void *data, krb5_error_code retval, otp_response response);
|
|
|
|
+
|
|
|
|
+krb5_error_code
|
|
|
|
+otp_state_new(krb5_context ctx, otp_state **self);
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+otp_state_free(otp_state *self);
|
|
|
|
+
|
|
|
|
+void
|
|
|
|
+otp_state_verify(otp_state *state, verto_ctx *ctx, krb5_const_principal princ,
|
|
|
|
+ const char *config, const krb5_pa_otp_req *request,
|
|
|
|
+ otp_cb cb, void *data);
|
|
|
|
+
|
|
|
|
+#endif /* OTP_H_ */
|
|
|
|
--
|
|
|
|
1.8.2.1
|
2013-04-09 18:06:33 +00:00
|
|
|
|