How to enable Freeradius to support a smart card with AES encryption algorithm?
yao guoxian
yaoguoxian at gmail.com
Fri Mar 16 09:53:09 CET 2007
Thanks,Alan.
To create a new attribute, I did the following things.
(1).I edited the file "src/include/radius.h" and add a line like
"#define PW_AES_PASSWORD 192" .
(2).I also edited the file "/usr/local/share/freeradius/dictionary" and
insert a line like
"ATTRIBUTE AES-PASSWORD 192 octets " .
(3).Finally, I recompiled Freeradius .
Is it right and enough to create a new attribute "AES-PASSWORD"?
To create a new module,I did the following things.
(1).Icopy src/rlm_example/rlm_example.c to another dictory.
(2).amend the rlm_example to make it support AES encryption algorithm,
main changes are as follow:
static int example_authorize(void *instance, REQUEST *request)
{
/* quiet the compiler */
instance = instance;
request = request;
/*
* Look for the 'state' attribute.
*/
// state = pairfind(request->packet->vps, PW_STATE);
// if (state != NULL) {
// DEBUG("rlm_example: Found reply to access challenge");
// return RLM_MODULE_OK;
// }
/*
* Create the challenge, and add it to the reply.
*/
// reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);
// pairadd(&request->reply->vps, reply);
// state = pairmake("State", "0", T_OP_EQ);
// pairadd(&request->reply->vps, state);
/*
* Mark the packet as an Access-Challenge packet.
* * The server will take care of sending it to the user.
*/
// request->reply->code = PW_ACCESS_CHALLENGE;
// DEBUG("rlm_example: Sending Access-Challenge.");
// return RLM_MODULE_HANDLED;
return RLM_MODULE_OK;
}
note: I have commented main part of lines of funtion
example_authorize.
static int example_authenticate(void *instance, REQUEST *request)
{
VALUE_PAIR *passwd_item;
char pass_str[MAX_STRING_LEN];
VALUE_PAIR *module_fmsg_vp;
char module_fmsg[MAX_STRING_LEN];
/* quiet the compiler */
instance = instance;
request = request;
if (!request->username) {
radlog(L_AUTH, "rlm_aes: Attribute \"User-Name\" is required
for authentication.\n");
return RLM_MODULE_INVALID;
}
if (!request->password) {
radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is
required for authentication.");
return RLM_MODULE_INVALID;
}
if (request->password->attribute != PW_AES_PASSWORD) {
radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required
for authentication. Cannot use \"%s\".", request->password->name);
return RLM_MODULE_INVALID;
}
if (request->password->length == 0) {
radlog(L_ERR, "rlm_aes: empty password supplied");
return RLM_MODULE_INVALID;
}
/*
* * Don't print out the CHAP password here. It's
binary crap.
* */
DEBUG(" rlm_aes: login attempt by \"%s\" with AES password",
request->username->strvalue);
if ((passwd_item = pairfind(request->config_items, PW_PASSWORD)) ==
NULL){
DEBUG(" rlm_aes: Could not find clear text password for
user %s",request->username->strvalue);
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_aes:
Clear text password not available");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_INVALID;
}
DEBUG(" rlm_aes: Using clear text password %s for user %s
authentication.",
passwd_item->strvalue,
request->username->strvalue);
rad_aes_encode(request->packet,pass_str,request->password->strvalue[0],passwd_item);
if (memcmp(pass_str+1,request->password->strvalue+1,CHAP_VALUE_LENGTH) !=
0){
DEBUG(" rlm_aes: Pasword check failed");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_aes: Wrong
user password");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_REJECT;
}
DEBUG(" rlm_aes: chap user %s authenticated
succesfully",request->username->strvalue);
return RLM_MODULE_OK;
}
note: I have use
rad_aes_encode(request->packet,pass_str,request->password->strvalue[0],passwd_item);
to enable AES password.
(3). edit the src/lib/radiusc.c and insert my funtion rad_aes_encode.
(4). recompile Freeradius.
The following is part of result to the command " radiusd -X":
Module: Loaded example
example: integer = 1
example: boolean = no
example: string = "(null)"
Module: Instantiated example (example)
But when I send packets like follow to Freeradius server:
+-----------------------------------------------------------------------------------+
| UserName="test" | ID = n | length = m |
+-------------------------------------------------------------------------------------------------------------------------------+
| 192(Identify "AES-PASSWORD")| length =19 | ID = n | 16 Bytes AES
encrypted text |
+--------------------------------------------------------------------------------------------------------------------------------
| .......... |
+-----------------------------------------------------------------------
I got the following message:
WARNING: Malformed RADIUS packet from host 202.117.7.223: packet attributes
do NOT exactly fill the packet
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
Thanks for any suggestion!
2007/3/14, Alan DeKok <aland at deployingradius.com>:
>
> yao guoxian wrote:
> > Thanks,Alan.
> > But I have a few questions.
> > First, if I create a new attribute "My-Aes-Password" and include it
> > in the Access-Requet packet, I should not include the attributes such
> > as "User-Password" or "Chap-Password".Is it right?
>
> Yes.
>
> > The second question is about how to write modules.
>
> There is documentation. See "rlm_example", for one.
>
> > Sorry to ask the
> > same question,but I want to verify my plan to see if it is pratical. The
> > plan is as follow: I dont amend the module "rlm_chap" , I just copy all
> > files in the ./src/modules/rlm_chap/ to a new dictory "rlm_aes" and
> > rename files rlm_chap.* to rlm_aes.*. Then I edit rlm-chap.c to alter
> > it to use AES to analyze the request packet. Is it pratical?
>
> Yes.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070316/3b317097/attachment.html>
More information about the Freeradius-Users
mailing list