slightly better logging
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@ -82,12 +82,10 @@ func (p *Packet) GetChallengeForType(ctx *context, t protocol.Type) *Packet {
|
|||||||
var payload any
|
var payload any
|
||||||
switch t {
|
switch t {
|
||||||
case tls.TypeTLS:
|
case tls.TypeTLS:
|
||||||
// TODO: rewrite this
|
|
||||||
if _, ok := p.Payload.(*tls.Payload); !ok {
|
if _, ok := p.Payload.(*tls.Payload); !ok {
|
||||||
p.Payload = &tls.Payload{}
|
p.Payload = &tls.Payload{}
|
||||||
p.Payload.Decode(p.rawPayload)
|
p.Payload.Decode(p.rawPayload)
|
||||||
}
|
}
|
||||||
// this
|
|
||||||
payload = p.Payload.(*tls.Payload).Handle(ctx)
|
payload = p.Payload.(*tls.Payload).Handle(ctx)
|
||||||
}
|
}
|
||||||
if payload != nil {
|
if payload != nil {
|
||||||
@ -97,18 +95,12 @@ func (p *Packet) GetChallengeForType(ctx *context, t protocol.Type) *Packet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (p *Packet) setMessageAuthenticator(rp *radius.Packet) {
|
func (p *Packet) setMessageAuthenticator(rp *radius.Packet) {
|
||||||
err := rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
|
_ = rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
hash := hmac.New(md5.New, rp.Secret)
|
hash := hmac.New(md5.New, rp.Secret)
|
||||||
encode, err := rp.MarshalBinary()
|
encode, err := rp.MarshalBinary()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
hash.Write(encode)
|
hash.Write(encode)
|
||||||
err = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
|
_ = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
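Review bot: Discarding the result of both `rfc2869.MessageAuthenticator_Set` calls with `_ =` leaves setMessageAuthenticator inconsistent with itself: a `MarshalBinary` failure two lines later still panics, while a failure to place the Message-Authenticator attribute is now silent, so a packet could be sent without the HMAC-MD5 integrity value that attribute exists to carry. Since the function's only failure signal is panic, the cleaner fix is to surface the error, `func (p *Packet) setMessageAuthenticator(rp *radius.Packet) error` with `if err := rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil)); err != nil { return fmt.Errorf("setting Message-Authenticator: %w", err) }`, so the caller (outside this hunk) can decide whether to drop the packet. If changing the signature is out of scope, at least log the error with whatever logger this file has in scope instead of dropping it, and if the `_ =` is deliberate, give it a comment saying why the error is believed impossible, as a reader otherwise cannot tell this from an oversight.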
|
|||||||
@ -67,7 +67,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
|
|||||||
p.st = ctx.GetProtocolState(NewState).(*State)
|
p.st = ctx.GetProtocolState(NewState).(*State)
|
||||||
defer ctx.SetProtocolState(p.st)
|
defer ctx.SetProtocolState(p.st)
|
||||||
if !p.st.HasStarted {
|
if !p.st.HasStarted {
|
||||||
log.Debug("TLS: handshake starting")
|
ctx.Log().Debug("TLS: handshake starting")
|
||||||
p.st.HasStarted = true
|
p.st.HasStarted = true
|
||||||
return &Payload{
|
return &Payload{
|
||||||
Flags: FlagTLSStart,
|
Flags: FlagTLSStart,
|
||||||
@ -77,12 +77,12 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
|
|||||||
if p.st.TLS == nil {
|
if p.st.TLS == nil {
|
||||||
p.tlsInit(ctx)
|
p.tlsInit(ctx)
|
||||||
} else if len(p.Data) > 0 {
|
} else if len(p.Data) > 0 {
|
||||||
log.Debug("TLS: Updating buffer with new TLS data from packet")
|
ctx.Log().Debug("TLS: Updating buffer with new TLS data from packet")
|
||||||
if p.Flags&FlagLengthIncluded != 0 && p.st.Conn.expectedWriterByteCount == 0 {
|
if p.Flags&FlagLengthIncluded != 0 && p.st.Conn.expectedWriterByteCount == 0 {
|
||||||
log.Debugf("TLS: Expecting %d total bytes, will buffer", p.Length)
|
ctx.Log().Debugf("TLS: Expecting %d total bytes, will buffer", p.Length)
|
||||||
p.st.Conn.expectedWriterByteCount = int(p.Length)
|
p.st.Conn.expectedWriterByteCount = int(p.Length)
|
||||||
} else if p.Flags&FlagLengthIncluded != 0 {
|
} else if p.Flags&FlagLengthIncluded != 0 {
|
||||||
log.Debug("TLS: No length included, not buffering")
|
ctx.Log().Debug("TLS: No length included, not buffering")
|
||||||
p.st.Conn.expectedWriterByteCount = 0
|
p.st.Conn.expectedWriterByteCount = 0
|
||||||
}
|
}
|
||||||
p.st.Conn.UpdateData(p.Data)
|
p.st.Conn.UpdateData(p.Data)
|
||||||
@ -115,12 +115,12 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (p *Payload) tlsInit(ctx protocol.Context) {
|
func (p *Payload) tlsInit(ctx protocol.Context) {
|
||||||
log.Debug("TLS: no TLS connection in state yet, starting connection")
|
ctx.Log().Debug("TLS: no TLS connection in state yet, starting connection")
|
||||||
p.st.Context, p.st.ContextCancel = context.WithTimeout(context.Background(), staleConnectionTimeout*time.Second)
|
p.st.Context, p.st.ContextCancel = context.WithTimeout(context.Background(), staleConnectionTimeout*time.Second)
|
||||||
p.st.Conn = NewBuffConn(p.Data, p.st.Context)
|
p.st.Conn = NewBuffConn(p.Data, p.st.Context)
|
||||||
cfg := ctx.ProtocolSettings().(Settings).Config.Clone()
|
cfg := ctx.ProtocolSettings().(Settings).Config.Clone()
|
||||||
cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
|
cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||||
log.Debugf("TLS: ClientHello: %+v\n", chi)
|
ctx.Log().Debugf("TLS: ClientHello: %+v\n", chi)
|
||||||
p.st.ClientHello = chi
|
p.st.ClientHello = chi
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
@ -128,35 +128,35 @@ func (p *Payload) tlsInit(ctx protocol.Context) {
|
|||||||
go func() {
|
go func() {
|
||||||
err := p.st.TLS.HandshakeContext(p.st.Context)
|
err := p.st.TLS.HandshakeContext(p.st.Context)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.WithError(err).Debug("TLS: Handshake error")
|
ctx.Log().WithError(err).Debug("TLS: Handshake error")
|
||||||
ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
|
ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
|
||||||
return p
|
return p
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
log.Debug("TLS: handshake done")
|
ctx.Log().Debug("TLS: handshake done")
|
||||||
p.tlsHandshakeFinished()
|
p.tlsHandshakeFinished(ctx)
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *Payload) tlsHandshakeFinished() {
|
func (p *Payload) tlsHandshakeFinished(ctx protocol.Context) {
|
||||||
cs := p.st.TLS.ConnectionState()
|
cs := p.st.TLS.ConnectionState()
|
||||||
label := "client EAP encryption"
|
label := "client EAP encryption"
|
||||||
var context []byte
|
var context []byte
|
||||||
switch cs.Version {
|
switch cs.Version {
|
||||||
case tls.VersionTLS10:
|
case tls.VersionTLS10:
|
||||||
log.Debugf("TLS: Version %d (1.0)", cs.Version)
|
ctx.Log().Debugf("TLS: Version %d (1.0)", cs.Version)
|
||||||
case tls.VersionTLS11:
|
case tls.VersionTLS11:
|
||||||
log.Debugf("TLS: Version %d (1.1)", cs.Version)
|
ctx.Log().Debugf("TLS: Version %d (1.1)", cs.Version)
|
||||||
case tls.VersionTLS12:
|
case tls.VersionTLS12:
|
||||||
log.Debugf("TLS: Version %d (1.2)", cs.Version)
|
ctx.Log().Debugf("TLS: Version %d (1.2)", cs.Version)
|
||||||
case tls.VersionTLS13:
|
case tls.VersionTLS13:
|
||||||
log.Debugf("TLS: Version %d (1.3)", cs.Version)
|
ctx.Log().Debugf("TLS: Version %d (1.3)", cs.Version)
|
||||||
label = "EXPORTER_EAP_TLS_Key_Material"
|
label = "EXPORTER_EAP_TLS_Key_Material"
|
||||||
context = []byte{byte(TypeTLS)}
|
context = []byte{byte(TypeTLS)}
|
||||||
}
|
}
|
||||||
ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
|
ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
|
||||||
log.Debugf("TLS: ksm % x %v", ksm, err)
|
ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)
|
||||||
p.st.MPPEKey = ksm
|
p.st.MPPEKey = ksm
|
||||||
p.st.HandshakeDone = true
|
p.st.HandshakeDone = true
|
||||||
}
|
}
|
||||||
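Review bot: In tlsHandshakeFinished the error from `cs.ExportKeyingMaterial` is still only logged by `ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)`, so on failure `p.st.MPPEKey` becomes nil while `p.st.HandshakeDone` is still set to true, and the same debug line writes the exported keying material itself into the log. Since this commit already touches that line, it is the place to check the error and to log only the length of the material rather than its bytes; the handshake-error branch in the goroutine above (`ctx.EndInnerProtocol(protocol.StatusError, ...)`) is the existing pattern for aborting, though whether ending the inner protocol from here matches the caller's expectations (outside this hunk) needs confirming. As a style point, `var context []byte` shadows the `context` package that tlsInit imports in the same file; a name like `exporterContext` would avoid that.
```go
	ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
	if err != nil {
		ctx.Log().WithError(err).Debug("TLS: failed to export keying material")
		ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
			return p
		})
		return
	}
	// Log only the size: the exported bytes are session key material.
	ctx.Log().Debugf("TLS: exported %d bytes of keying material", len(ksm))
	p.st.MPPEKey = ksm
	p.st.HandshakeDone = true
```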
|
|||||||