Thanks, Alan.<br><span style="font-weight: bold;">To create a new attribute, I did the following things.</span><br> (1). I edited the file "src/include/radius.h" and added a line like
<br>"#define PW_AES_PASSWORD 192". <br> (2). I also edited the file "/usr/local/share/freeradius/dictionary" and inserted a line like <br>"ATTRIBUTE AES-PASSWORD 192 octets".
<br> (3). Finally, I recompiled FreeRADIUS.<br> Is it right and enough to create a new attribute "AES-PASSWORD"?<br><br> <span style="font-weight: bold;">To create a new module, I did the following things.
</span><br> (1). I copied src/rlm_example/rlm_example.c to another directory.<br> (2). I amended rlm_example to make it support the AES encryption algorithm; the main changes are as follows:<br><br>static int example_authorize(void *instance, REQUEST *request)
<br>{<br><br> /* quiet the compiler */<br> instance = instance;<br> request = request;<br><br> /*<br> * Look for the 'state' attribute.<br> */<br><span style="font-weight: bold;">
// </span> state = pairfind(request->packet->vps, PW_STATE);<br><span style="font-weight: bold;">//</span> if (state != NULL) {<br><span style="font-weight: bold;">//</span> DEBUG("rlm_example: Found reply to access challenge");
<br><span style="font-weight: bold;">// </span> return RLM_MODULE_OK;<br><span style="font-weight: bold;">//</span> }<br><br> /*<br> * Create the challenge, and add it to the reply.<br> */
<br><span style="font-weight: bold;">// </span> reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);<br><span style="font-weight: bold;">// </span> pairadd(&request->reply->vps, reply);
<br><span style="font-weight: bold;">//</span> state = pairmake("State", "0", T_OP_EQ);<br><span style="font-weight: bold;">// </span> pairadd(&request->reply->vps, state);<br><br> /*
<br> * Mark the packet as an Access-Challenge packet.<br> * The server will take care of sending it to the user.<br> */<br>// request->reply->code = PW_ACCESS_CHALLENGE;<br>// DEBUG("rlm_example: Sending Access-Challenge.");
<br><br>// return RLM_MODULE_HANDLED;<br> return RLM_MODULE_OK;<br><br>}<br> <span style="font-weight: bold;"> note:</span> I have commented out the main part of the function example_authorize. <br><br>static int example_authenticate(void *instance, REQUEST *request)
<br>{<br> VALUE_PAIR *passwd_item;<br> char pass_str[MAX_STRING_LEN];<br> VALUE_PAIR *module_fmsg_vp;<br> char module_fmsg[MAX_STRING_LEN];<br><br> /* quiet the compiler */<br> instance = instance;
<br> request = request;<br><br> if (!request->username) {<br> radlog(L_AUTH, "rlm_aes: Attribute \"User-Name\" is required for authentication.\n");<br> return RLM_MODULE_INVALID;
<br> }<br> if (!request->password) {<br> radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required for authentication.");<br> return RLM_MODULE_INVALID;
<br> }<br><br> if (request->password->attribute != PW_AES_PASSWORD) {<br> radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
<br> return RLM_MODULE_INVALID;<br> }<br> if (request->password->length == 0) {<br> radlog(L_ERR, "rlm_aes: empty password supplied");<br> return RLM_MODULE_INVALID;
<br> }<br><br> /*<br> * Don't print out the AES password here. It's binary data.<br> */<br> DEBUG(" rlm_aes: login attempt by \"%s\" with AES password",
<br> request->username->strvalue);<br><br> if ((passwd_item = pairfind(request->config_items, PW_PASSWORD)) == NULL){<br> DEBUG(" rlm_aes: Could not find clear text password for user %s",request->username->strvalue);
<br> snprintf(module_fmsg,sizeof(module_fmsg),"rlm_aes: Clear text password not available");<br> module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
<br> pairadd(&request->packet->vps, module_fmsg_vp);<br> return RLM_MODULE_INVALID;<br> }<br> DEBUG(" rlm_aes: Using clear text password %s for user %s authentication.",
<br> passwd_item->strvalue, request->username->strvalue);<br> <span style="font-weight: bold;">rad_aes_encode(request->packet,pass_str,request->password->strvalue[0],passwd_item);
</span><br><br> if (memcmp(pass_str+1,request->password->strvalue+1,CHAP_VALUE_LENGTH) != 0){<br> DEBUG(" rlm_aes: Password check failed");<br> snprintf(module_fmsg,sizeof(module_fmsg),"rlm_aes: Wrong user password");
<br> module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);<br> pairadd(&request->packet->vps, module_fmsg_vp);<br> return RLM_MODULE_REJECT;
<br> }<br><br> DEBUG(" rlm_aes: AES user %s authenticated successfully",request->username->strvalue);<br><br> return RLM_MODULE_OK;<br><br>}<br> note: I have used <span style="font-weight: bold;">
rad_aes_encode(request->packet,pass_str,request->password->strvalue[0],passwd_item);</span><br>to enable the AES password. <br>(3). I edited src/lib/radius.c and inserted my function rad_aes_encode.<span style="font-weight: bold;">
<br></span>(4). I recompiled FreeRADIUS.<br><br><span style="font-weight: bold;">The following is part of the output of the command "radiusd -X":</span><br>Module: Loaded example<br> example: integer = 1<br> example: boolean = no
<br> example: string = "(null)"<br>Module: Instantiated example (example)<br><br><span style="font-weight: bold;">But when I send packets like the following to the FreeRADIUS server:</span><br>+-----------------------------------------------------------------------------------+
<br>| UserName="test" | ID = n | length = m |<br>+-----------------------------------------------------------------------------------+<br>
| 192 (identifying "AES-PASSWORD") | length = 19 | ID = n | 16 bytes AES encrypted text |<br>+-----------------------------------------------------------------------------------+
<br>| .......... |<br>+-----------------------------------------------------------------------------------+<br><span style="font-weight: bold;">I got the following message:</span>
<br>WARNING: <span style="font-weight: bold;">Malformed</span> RADIUS packet from host 202.117.7.223: packet attributes do NOT exactly fill the packet<br>--- Walking the entire request list ---
<br>Nothing to do. Sleeping until we see a request.<br><br>Thanks for any suggestions!<br><br><br><div><span class="gmail_quote">2007/3/14, Alan DeKok <<a href="mailto:aland@deployingradius.com">
aland@deployingradius.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">yao guoxian wrote:<br>> Thanks, Alan.<br>> But I have a few questions.
<br>> First, if I create a new attribute "My-Aes-Password" and include it<br>> in the Access-Request packet, I should not include the attributes such<br>> as "User-Password" or "Chap-Password". Is it right?
<br><br> Yes.<br><br>> The second question is about how to write modules.<br><br> There is documentation. See "rlm_example", for one.<br><br>> Sorry to ask the<br>> same question, but I want to verify my plan to see if it is practical. The
<br>> plan is as follows: I don't amend the module "rlm_chap", I just copy all<br>> files in the ./src/modules/rlm_chap/ to a new directory "rlm_aes" and<br>> rename files rlm_chap.* to rlm_aes.*. Then I edit
rlm_chap.c to alter<br>> it to use AES to analyze the request packet. Is it practical?<br><br> Yes.<br><br> Alan DeKok.<br>--<br> <a href="http://deployingradius.com">http://deployingradius.com</a> - The web site of the book
<br> <a href="http://deployingradius.com/blog/">http://deployingradius.com/blog/</a> - The blog<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html
</a><br></blockquote></div><br>
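The warning quoted in the post ("packet attributes do NOT exactly fill the packet") is raised on receipt, before any module runs: the server walks the attribute TLVs and requires them to end exactly at the Length field in the header. The following is an added example, not code from the original post or from FreeRADIUS, that builds an Access-Request carrying User-Name and the poster's custom attribute 192 laid out CHAP-style (one identifier byte followed by a 16-byte value, attribute length 19), then applies that same check to a well-formed packet and to two packets that earn the warning. The attribute number, the attribute layout and the 16-byte "ciphertext" are assumptions taken from the post; the blob is a constructed placeholder, not real AES output.

```python
"""
Added example (not from the original post or from FreeRADIUS): encode a RADIUS
Access-Request with User-Name and the post's custom attribute 192, then run the
receive-side sanity check that produces 'packet attributes do NOT exactly fill
the packet'.  All inputs below are constructed for illustration.
"""
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_AES_PASSWORD = 192   # assumed: the poster's dictionary entry "ATTRIBUTE AES-PASSWORD 192 octets"
HEADER_LEN = 20           # Code(1) Identifier(1) Length(2) Authenticator(16)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts all three parts."""
    if not 0 <= len(value) <= 253:          # 255 max attribute length minus the 2-byte TLV header
        raise ValueError("attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, aes_block: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Assemble the datagram; the Length field covers header plus every attribute."""
    if len(aes_block) != 16:
        raise ValueError("AES block must be 16 bytes")
    if not authenticator:
        authenticator = os.urandom(16)      # Request Authenticator: 16 random bytes
    attrs = attr(ATTR_USER_NAME, username.encode())
    # CHAP-style layout assumed from the post: identifier byte + 16 bytes of ciphertext
    attrs += attr(ATTR_AES_PASSWORD, bytes([ident]) + aes_block)
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + attrs


def attributes_fill_packet(packet: bytes) -> Tuple[bool, str]:
    """
    The check behind the warning: the header Length must not exceed the bytes
    received, and walking the TLVs from offset 20 must land exactly on Length.
    """
    if len(packet) < HEADER_LEN:
        return False, "shorter than the 20-byte header"
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared < HEADER_LEN or declared > len(packet):
        return False, "declared length %d vs %d bytes received" % (declared, len(packet))
    pos = HEADER_LEN
    while pos < declared:
        if declared - pos < 2:
            return False, "trailing byte at offset %d, no room for a TLV header" % pos
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False, "attribute %d has invalid length %d" % (attr_type, attr_len)
        if pos + attr_len > declared:
            return False, "attribute %d (length %d) runs past the declared length" % (attr_type, attr_len)
        pos += attr_len
    return True, "ok"


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {type: value} for a packet that passes the check; raise otherwise."""
    ok, why = attributes_fill_packet(packet)
    if not ok:
        raise ValueError(why)
    declared = struct.unpack("!H", packet[2:4])[0]
    out, pos = {}, HEADER_LEN
    while pos < declared:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        out[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return out


# Constructed inputs: a placeholder 16-byte block standing in for AES output.
FAKE_AES_BLOCK = bytes(range(16))
GOOD = build_access_request(7, "test", FAKE_AES_BLOCK)

# Two ways to trigger the warning seen in the post:
# 1) a Length field that undercounts the attributes actually present;
SHORT_LENGTH = GOOD[:2] + struct.pack("!H", len(GOOD) - 1) + GOOD[4:]
# 2) a Length field that counts one byte beyond the last TLV (a stray pad byte).
PADDED = GOOD[:2] + struct.pack("!H", len(GOOD) + 1) + GOOD[4:] + b"\x00"

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("SHORT_LENGTH", SHORT_LENGTH), ("PADDED", PADDED)):
        print(name, len(pkt), "bytes:", attributes_fill_packet(pkt))
    print("attributes in GOOD:", {k: v.hex() for k, v in parse_attributes(GOOD).items()})
```

Running it shows the good packet as 45 bytes (20 header + 6 for User-Name "test" + 19 for the AES attribute) and the two bad ones rejected with the offending attribute or offset named, which is the first thing to compare against the bytes your client actually puts on the wire. One caveat on the attribute number itself: RFC 2865 section 5 sets aside types 192-223 for experimental use, so a module meant to leave the lab would normally carry the value in a Vendor-Specific attribute instead.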