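/* Tail of ikev2_attach(); the beginning of the function lies above this excerpt. */
	free(server_idtype);
	server_idtype = NULL;

	radlog(L_DBG, IKEv2_LOG_PREFIX "Reading proposals ...");
	if (rad_load_proposals(i2, conf)) {
		ikev2_detach(i2);
		radlog(L_ERR, IKEv2_LOG_PREFIX "Failed to load proposals");
		return -1;
	}

	/* The option strings are released here whatever the outcome of the load. */
	int res = rad_load_credentials(i2, usersfilename, default_authtype);
	free(default_authtype);
	default_authtype = NULL;
	free(usersfilename);
	usersfilename = NULL;
	free(server_authtype);
	server_authtype = NULL;
	if (res == -1) {
		ikev2_detach(i2);
		radlog(L_ERR, IKEv2_LOG_PREFIX "Error while loading users credentials");
		return -1;
	}

	i2->x509_store = NULL;
	if (CertInit(i2)) {
		ikev2_detach(i2);
		radlog(L_ERR, IKEv2_LOG_PREFIX "Error while loading certs/crl");
		return -1;
	}
	return 0;
}

/*
 * Initiate the EAP-ikev2 session by sending a challenge to the peer.
 *
 * type_data is the module context built by ikev2_attach(); handler is the
 * EAP handler of the current request.  An existing session is looked up by
 * the request's User-Name (the "fast-ID"); if none is found a new initiator
 * session is begun.  The first outbound IKEv2 message is composed into
 * handler->eap_ds and the handler moves to the AUTHENTICATE stage.
 *
 * Returns 0 when ComposeRadMsg() returns non-zero, 1 otherwise (including
 * the error paths flagged below, whose return value looks questionable).
 */
static int ikev2_initiate(void *type_data, EAP_HANDLER *handler)
{
	radlog(L_INFO, IKEv2_LOG_PREFIX "Initiate connection!");

	struct ikev2_ctx *i2 = (struct ikev2_ctx *)type_data;
	struct IKEv2Session *session = NULL;
	handler->free_opaque = ikev2_free_opaque;

	/*
	 * Fast reconnect: look the peer up by its fast-ID, which is the
	 * request's User-Name.  A request without a User-Name attribute
	 * previously dereferenced a NULL pointer here; it now simply gets a
	 * fresh session.
	 */
	if (handler->request->username != NULL) {
		session = FindSessionByFastid(i2,
				(const char *)handler->request->username->vp_strvalue);
	}
	if (!session) {
		if (IKEv2BeginSession(i2, &session, IKEv2_STY_INITIATOR) != IKEv2_RET_OK) {
			radlog(L_ERR, IKEv2_LOG_PREFIX "Error: Can't initialize IKEv2 session.");
			/*
			 * NOTE(review): the ComposeRadMsg() failure path below
			 * returns 0, so returning 1 here looks inconsistent; confirm
			 * which value rlm_eap treats as failure before changing it.
			 */
			return 1;
		}
	} else {
		radlog(L_DBG, IKEv2_LOG_PREFIX "Fast reconnect procedure start");
	}
	session->timestamp = time(NULL);

	/* Per-handler state; released through handler->free_opaque. */
	struct IKEv2Data *ikev2_data = IKEv2Data_new(i2, session);
	/* NOTE(review): the IKEv2Data_new() result is not checked — confirm it cannot fail. */
	handler->opaque = ikev2_data;

	/* No inbound message yet: ask the IKEv2 layer for the first outbound one. */
	uint8_t *sikemsg = NULL;
	u_int32_t slen = 0;
	if (IKEv2ProcessMsg(i2, NULL, &sikemsg, &slen, session) != IKEv2_RET_OK) {
		radlog(L_ERR, IKEv2_LOG_PREFIX "Error while processing IKEv2 message");
		return 1;	/* NOTE(review): same return-value question as above */
	}

	uint8_t *out = NULL;
	u_int32_t olen = 0;
	if (slen != 0) {
		session->eapMsgID++;
		/* NOTE(review): sikemsg is never freed here nor in ikev2_authenticate() — confirm CreateIKEv2Message() takes ownership. */
		olen = CreateIKEv2Message(i2, sikemsg, slen, false, 0, session, &out);
		/* A fragmented message is sent piecewise; ikev2_authenticate() handles the acks. */
		if (session->fragdata) {
			session->sendfrag = true;
		}
	}
	if (olen > 0 && out != NULL && ComposeRadMsg(out, olen, handler->eap_ds)) {
		free(out);
		return 0;
	}
	free(out);	/* no-op when nothing was composed; also covers out != NULL with olen == 0 */

	/*
	 * We don't need to authorize the user at this point.
	 *
	 * We also don't need to keep the challenge, as it's
	 * stored in 'handler->eap_ds', which will be given back
	 * to us...
	 */
	handler->stage = AUTHENTICATE;
	return 1;
}

/*
 * Authenticate a previously sent challenge.
 *
 * Rebuilds the raw EAP packet from handler->eap_ds->response, feeds it to
 * the IKEv2 layer and composes the next packet into handler->eap_ds: the
 * next fragment of an outbound message, an acknowledgement of an inbound
 * fragment, the next IKEv2 message, or the final result message.  When the
 * session reaches IKEv2_SST_ESTABLISHED the EAP keys are generated and the
 * MPPE keys are set on the handler.
 *
 * Returns -1 on a corrupted response, a missing session or an allocation
 * failure, 0 when ComposeRadMsg() returns non-zero, 1 otherwise.
 */
static int ikev2_authenticate(void *type_data, EAP_HANDLER *handler)
{
	/* Bytes of the EAP header (code, id, length, type) that precede type.data. */
	enum { EAP_IKEV2_HDR_LEN = 5 };

	struct ikev2_ctx *i2 = (struct ikev2_ctx *)type_data;
	radlog(L_INFO, IKEv2_LOG_PREFIX "authenticate");

	rad_assert(handler->request != NULL);
	rad_assert(handler->stage == AUTHENTICATE);
	/* TODO (from the original, translated): also check that this is not an acknowledgement of a received fragment. */

	/*
	 * The length check protects the memcpy below: length - EAP_IKEV2_HDR_LEN
	 * would otherwise wrap for a response shorter than the EAP header.
	 */
	EAP_DS *eap_ds = handler->eap_ds;
	if (!eap_ds || !eap_ds->response
	    || (eap_ds->response->code != PW_IKEV2_RESPONSE)
	    || eap_ds->response->type.type != PW_EAP_IKEV2
	    || !eap_ds->response->type.data
	    || eap_ds->response->length < EAP_IKEV2_HDR_LEN) {
		radlog(L_ERR, IKEv2_LOG_PREFIX "corrupted data");
		return -1;
	}

	/* Reassemble the raw EAP packet: header followed by the type payload. */
	uint8_t *in = malloc(eap_ds->response->length);
	if (!in) {
		radlog(L_ERR, IKEv2_LOG_PREFIX "malloc error");
		return -1;
	}
	struct EAPHeader *hdr = (struct EAPHeader *)in;
	hdr->Code = eap_ds->response->code;
	hdr->Id = eap_ds->response->id;
	hdr->Length = htons(eap_ds->response->length);
	hdr->Type = eap_ds->response->type.type;
	memcpy(in + EAP_IKEV2_HDR_LEN, eap_ds->response->type.data,
	       eap_ds->response->length - EAP_IKEV2_HDR_LEN);

	uint8_t *out = NULL;
	u_int32_t olen = 0;
	struct IKEv2Data *ikev2_data = (struct IKEv2Data *)handler->opaque;
	/*
	 * ikev2_data->session is cleared once a result message has been sent
	 * (see below), so a further response for the same handler must not be
	 * processed.
	 */
	if (!ikev2_data || !ikev2_data->session) {
		radlog(L_ERR, IKEv2_LOG_PREFIX "no IKEv2 session for this handler");
		free(in);
		return -1;
	}
	struct IKEv2Session *session = ikev2_data->session;
	session->timestamp = time(NULL);
	if (!session->fragdata) {
		session->sendfrag = false;
	}

	/* An outbound message is being sent in fragments: on a fragment ack, send the next piece. */
	if (session->sendfrag && !ParseFragmentAck(in, session)) {
		session->eapMsgID = eap_ds->response->id + 1;
		olen = CreateIKEv2Message(i2, NULL, 0, false, hdr->Id, session, &out);
		free(in);	/* hdr points into in and is not used past this point */
		/* NOTE(review): unlike the other send paths this one does not guard olen == 0 / out == NULL — confirm ComposeRadMsg() tolerates that. */
		if (ComposeRadMsg(out, olen, handler->eap_ds)) {
			free(out);
			return 0;
		}
		free(out);
		return 1;
	}

	uint8_t *ikemsg = NULL;
	u_int32_t len = 0;
	session->eapMsgID = eap_ds->response->id + 1;
	if (ParseIKEv2Message(in, &ikemsg, &len, session)) {
		free(ikemsg);
		free(in);	/* was leaked on this path */
		handler->eap_ds->request->code = PW_EAP_FAILURE;
		radlog(L_INFO, IKEv2_LOG_PREFIX "Discarded packet");
		return 1;
	}
	if (!ikemsg || !len) {
		/* An inbound fragment: only acknowledge it. */
		free(ikemsg);	/* parse output is caller-owned; usually NULL here */
		if (session->SK_ready) {
			session->include_integ = 1;
		}
		olen = CreateFragmentAck(in, &out, session);
		free(in);
		in = NULL;
		if (ComposeRadMsg(out, olen, handler->eap_ds)) {
			free(out);
			return 0;
		}
		free(out);
		return 1;
	}
	free(in);
	in = NULL;

	uint8_t *sikemsg = NULL;	/* outbound message */
	u_int32_t slen = 0;
	if (IKEv2ProcessMsg(i2, ikemsg, &sikemsg, &slen, session) != IKEv2_RET_OK) {
		radlog(L_INFO, IKEv2_LOG_PREFIX "EAP_STATE_DISCARD");
		free(ikemsg);	/* was leaked on this path */
		return 1;
	}
	free(ikemsg);

	if (slen != 0) {
		/* There is something to send. */
		olen = CreateIKEv2Message(i2, sikemsg, slen, false, 0, session, &out);
		if (session->fragdata) {
			session->sendfrag = true;
		}
	} else {
		if (session->Status == IKEv2_SST_FAILED) {
			radlog(L_INFO, IKEv2_LOG_PREFIX "FAILED");
			olen = CreateResultMessage(false, session, &out);
		}
		if (session->Status == IKEv2_SST_ESTABLISHED) {
			radlog(L_INFO, IKEv2_LOG_PREFIX "SUCCESS");
			olen = CreateResultMessage(true, session, &out);
			session->fFastReconnect = i2->enableFastReconnect;
			/* TODO (from the original, translated): session->eapKeyData is not NULL here, i.e. it is wrongly initialised before GenEapKeys(). */
			GenEapKeys(session, EAP_IKEv2_KEY_LEN);
			set_mppe_keys(handler);
		}
		/* Keep sessions in memory, only the reference is cleared. */
		ikev2_data->session = NULL;
	}
	if (olen > 0 && out != NULL && ComposeRadMsg(out, olen, handler->eap_ds)) {
		free(out);
		return 0;
	}
	free(out);
	return 1;
}

/*
 * The module name should be the only globally exported symbol.
 * That is, everything else should be 'static'.
 */
EAP_TYPE rlm_eap_ikev2 = {
	"eap_ikev2",
	ikev2_attach,		/* attach */
	ikev2_initiate,		/* Start the initial request */
	NULL,			/* authorization */
	ikev2_authenticate,	/* authentication */
	ikev2_detach		/* detach */
};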