How to enable Freeradius to support a smart card with AES encryption algorithm?

yao guoxian yaoguoxian at gmail.com
Fri Mar 16 09:53:09 CET 2007


Thanks, Alan.
    To create a new attribute, I did the following things.
    (1). I edited the file "src/include/radius.h" and added a line like
"#define PW_AES_PASSWORD                 192".
    (2). I also edited the file "/usr/local/share/freeradius/dictionary" and
inserted a line like
"ATTRIBUTE       AES-PASSWORD            192     octets".
    (3). Finally, I recompiled Freeradius.
    Is that right and enough to create a new attribute "AES-PASSWORD"?

    To create a new module, I did the following things.
    (1). I copied src/rlm_example/rlm_example.c to another directory.
    (2). I amended rlm_example to make it support the AES encryption algorithm;
the main changes are as follows:

static int example_authorize(void *instance, REQUEST *request)
{

        /* quiet the compiler */
        instance = instance;
        request = request;

        /*
         *  Look for the 'state' attribute.
         */
//      state =  pairfind(request->packet->vps, PW_STATE);
//      if (state != NULL) {
//              DEBUG("rlm_example: Found reply to access challenge");
//              return RLM_MODULE_OK;
//      }

        /*
         *  Create the challenge, and add it to the reply.
         */
//      reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);
//      pairadd(&request->reply->vps, reply);
//      state = pairmake("State", "0", T_OP_EQ);
//      pairadd(&request->reply->vps, state);

        /*
         *  Mark the packet as an Access-Challenge packet.
         *  The server will take care of sending it to the user.
         */
//      request->reply->code = PW_ACCESS_CHALLENGE;
//      DEBUG("rlm_example: Sending Access-Challenge.");

//      return RLM_MODULE_HANDLED;
        return RLM_MODULE_OK;

}
    note: I have commented out the main part of the function
example_authorize.

static int example_authenticate(void *instance, REQUEST *request)
{
        VALUE_PAIR *passwd_item;
        VALUE_PAIR *aes_password;
        char pass_str[MAX_STRING_LEN];
        VALUE_PAIR *module_fmsg_vp;
        char module_fmsg[MAX_STRING_LEN];

        /* quiet the compiler */
        instance = instance;

        if (!request->username) {
                radlog(L_AUTH, "rlm_aes: Attribute \"User-Name\" is required for authentication.");
                return RLM_MODULE_INVALID;
        }

        /*
         *  The server only caches User-Password and CHAP-Password in
         *  request->password before calling the authenticate section,
         *  so a private attribute has to be looked up in the request
         *  directly; checking request->password would always fail here.
         */
        aes_password = pairfind(request->packet->vps, PW_AES_PASSWORD);
        if (!aes_password) {
                radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required for authentication.");
                return RLM_MODULE_INVALID;
        }
        if (aes_password->length == 0) {
                radlog(L_ERR, "rlm_aes: empty password supplied");
                return RLM_MODULE_INVALID;
        }

        /*
         *  Don't print out the AES password here.  It's binary data.
         */
        DEBUG("  rlm_aes: login attempt by \"%s\" with AES password",
              request->username->strvalue);

        /*
         *  The clear-text password comes from the config items
         *  (users file, SQL, ...), exactly as rlm_chap does it.
         */
        passwd_item = pairfind(request->config_items, PW_PASSWORD);
        if (passwd_item == NULL) {
                DEBUG("  rlm_aes: Could not find clear text password for user %s",
                      request->username->strvalue);
                snprintf(module_fmsg, sizeof(module_fmsg),
                         "rlm_aes: Clear text password not available");
                module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
                pairadd(&request->packet->vps, module_fmsg_vp);
                return RLM_MODULE_INVALID;
        }
        DEBUG("  rlm_aes: Using clear text password %s for user %s authentication.",
              passwd_item->strvalue, request->username->strvalue);

        /*
         *  rad_aes_encode() is my function added to libradius, called the
         *  way rlm_chap calls rad_chap_encode(): recompute the expected
         *  value from the ID byte (strvalue[0]) and the clear-text password,
         *  then compare it with the 16 bytes the client sent after the ID.
         */
        rad_aes_encode(request->packet, pass_str, aes_password->strvalue[0], passwd_item);

        if (memcmp(pass_str + 1, aes_password->strvalue + 1, CHAP_VALUE_LENGTH) != 0) {
                DEBUG("  rlm_aes: Password check failed");
                snprintf(module_fmsg, sizeof(module_fmsg), "rlm_aes: Wrong user password");
                module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
                pairadd(&request->packet->vps, module_fmsg_vp);
                return RLM_MODULE_REJECT;
        }

        DEBUG("  rlm_aes: user %s authenticated successfully",
              request->username->strvalue);

        return RLM_MODULE_OK;
}
    note: I have used
rad_aes_encode(request->packet, pass_str, request->password->strvalue[0], passwd_item);
to enable the AES password.
(3). I edited src/lib/radiusc.c and inserted my function rad_aes_encode.
(4). I recompiled Freeradius.

The following is part of the output of the command "radiusd -X":
Module: Loaded example
 example: integer = 1
 example: boolean = no
 example: string = "(null)"
Module: Instantiated example (example)

But when I send packets like the following to the Freeradius server:
+----------------------------------+-------------+--------+-----------------------------+
| UserName = "test"                | ID = n      | length = m                           |
+----------------------------------+-------------+--------+-----------------------------+
| 192 (identifies "AES-PASSWORD")  | length = 19 | ID = n | 16 bytes AES encrypted text |
+----------------------------------+-------------+--------+-----------------------------+
| ..........                                                                            |
+---------------------------------------------------------------------------------------+
I got the following message:
WARNING: Malformed RADIUS packet from host 202.117.7.223: packet attributes do NOT exactly fill the packet
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.

Thanks for any suggestion!


2007/3/14, Alan DeKok <aland at deployingradius.com>:
>
> yao guoxian wrote:
> > Thanks, Alan.
> >     But I have a few questions.
> >     First, if I create a new attribute "My-Aes-Password" and include it
> > in the Access-Request packet, I should not include the attributes such
> > as "User-Password" or "Chap-Password". Is it right?
>
>   Yes.
>
> >     The second question is about how to write modules.
>
>   There is documentation.  See "rlm_example", for one.
>
> > Sorry to ask the
> > same question, but I want to verify my plan to see if it is practical. The
> > plan is as follows: I don't amend the module "rlm_chap", I just copy all
> > files in the ./src/modules/rlm_chap/ to a new directory "rlm_aes" and
> > rename files rlm_chap.* to rlm_aes.*. Then I edit rlm_chap.c to alter
> > it to use AES to analyze the request packet. Is it practical?
>
>   Yes.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
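The framing check behind the warning quoted in the post, as an added example written for this page (Python; it is not code from the post, nor from FreeRADIUS). It builds an Access-Request carrying User-Name and the private attribute 192 in the layout the diagram shows (Length = 19 covering a 1-byte ID plus 16 bytes of ciphertext), then applies the receive-side check that radiusd performs before any module sees the packet: walking the attribute Type/Length chain from byte 20 must end exactly on the header Length. The Request Authenticator, the ID byte and the 16 "ciphertext" bytes are constructed placeholders, not real AES output. A second packet shows one hand-encoding slip that produces exactly this warning, a Length byte that counts only the value and not the two TLV header bytes; it is one possible cause, not a diagnosis of the original sender's packet.

```python
"""Build a RADIUS Access-Request with a private AES-Password attribute and
apply the receive-side framing check that produces "packet attributes do NOT
exactly fill the packet".  Layout follows RFC 2865:

    Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes...

Each attribute is Type(1) | Length(1) | Value, where Length includes the two
header bytes.  Sample data below is constructed for the example.
"""
import struct

RADIUS_HDR_LEN = 20
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_AES_PASSWORD = 192      # private attribute number used in the post

# Constructed placeholders (not from the post, not real AES output).
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ID = 0x07
SAMPLE_CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")


def encode_attr(attr_type, value):
    """Encode one attribute.  A 17-byte value (ID + 16 bytes) gives Length 19,
    matching the AES-PASSWORD row in the post's diagram."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, authenticator, body):
    """Wrap an already-encoded attribute body in a correct 20-byte header."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HDR_LEN + len(body))
    return header + authenticator + body


def check_framing(packet):
    """Mirror radiusd's sanity checks.  Returns (ok, reason); the final reason
    string is the warning text quoted in the post."""
    if len(packet) < RADIUS_HDR_LEN:
        return False, "packet shorter than the 20-byte header"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HDR_LEN or length > len(packet):
        return False, "header Length field is inconsistent with bytes received"
    off = RADIUS_HDR_LEN
    while off < length:
        if length - off < 2:
            return False, "attribute header truncated"
        attr_len = packet[off + 1]
        if attr_len < 2:               # would otherwise loop forever
            return False, "attribute Length < 2"
        off += attr_len
    if off != length:                  # walk overshot or undershot the end
        return False, "packet attributes do NOT exactly fill the packet"
    return True, "ok"


def parse_attrs(packet):
    """Return {type: value} for a packet that passes check_framing()."""
    ok, reason = check_framing(packet)
    if not ok:
        raise ValueError(reason)
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, off = {}, RADIUS_HDR_LEN
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return attrs


def well_framed_packet():
    """User-Name="test" plus AES-PASSWORD = ID || 16 ciphertext bytes."""
    body = encode_attr(ATTR_USER_NAME, b"test")
    body += encode_attr(ATTR_AES_PASSWORD, bytes([SAMPLE_ID]) + SAMPLE_CIPHERTEXT)
    return build_access_request(SAMPLE_ID, SAMPLE_AUTHENTICATOR, body)


def misframed_packet():
    """Same content, but the AES-PASSWORD Length byte is 17 (value size only)
    instead of 19.  The header Length is still the true byte count, so the
    receiver reads two bytes of ciphertext as another Type/Length pair and the
    walk no longer lands on the end of the packet."""
    value = bytes([SAMPLE_ID]) + SAMPLE_CIPHERTEXT
    body = encode_attr(ATTR_USER_NAME, b"test")
    body += bytes([ATTR_AES_PASSWORD, len(value)]) + value   # the slip
    return build_access_request(SAMPLE_ID, SAMPLE_AUTHENTICATOR, body)


if __name__ == "__main__":
    for name, pkt in (("well-framed", well_framed_packet()),
                      ("mis-framed ", misframed_packet())):
        print(name, len(pkt), "bytes:", check_framing(pkt))
```

Both packets are 45 bytes on the wire and have a correct header Length; only the attribute walk tells them apart, which is why the server's log mentions the attributes rather than the packet size. Running `parse_attrs` on the good packet yields the 17-byte AES-PASSWORD value whose first byte is the ID and whose remaining 16 bytes are what a module would compare against its own computed value.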