Jens Langhammer
@ -29,13 +29,13 @@ func (p *Packet) Handle(stm StateManager, w radius.ResponseWriter, r *radius.Pac
|
||||
res, newState := p.GetChallengeForType(st, nextChallengeToOffer)
|
||||
stm.SetEAPState(rst, newState)
|
||||
|
||||
log.Debug("EAP: encapsulating challenge")
|
||||
rres := r.Response(radius.CodeAccessChallenge)
|
||||
rfc2865.State_SetString(rres, rst)
|
||||
eapEncoded, err := res.Encode()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
log.WithField("length", len(eapEncoded)).Debug("EAP: encapsulating challenge")
|
||||
rfc2869.EAPMessage_Set(rres, eapEncoded)
|
||||
p.setMessageAuthenticator(rres)
|
||||
err = w.Write(rres)
|
||||
@ -54,9 +54,11 @@ func (p *Packet) GetChallengeForType(st *State, t Type) (*Packet, *State) {
|
||||
var tst any
|
||||
switch t {
|
||||
case TypeTLS:
|
||||
cp := tls.Payload{}
|
||||
cp.Decode(p.rawPayload)
|
||||
payload, tst = cp.Handle(st.TypeState[t])
|
||||
if _, ok := p.Payload.(*tls.Payload); !ok {
|
||||
p.Payload = &tls.Payload{}
|
||||
p.Payload.Decode(p.rawPayload)
|
||||
}
|
||||
payload, tst = p.Payload.(*tls.Payload).Handle(st.TypeState[t])
|
||||
}
|
||||
st.TypeState[t] = tst
|
||||
res.Payload = payload.(Payload)
|
||||
|
||||
@ -21,8 +21,16 @@ func NewTLSConnection(initialData []byte) TLSConnection {
|
||||
return c
|
||||
}
|
||||
|
||||
func (conn TLSConnection) TLSData() []byte {
|
||||
return conn.writer.Bytes()
|
||||
func (conn TLSConnection) GetData() []byte {
|
||||
for {
|
||||
b := conn.writer.Bytes()
|
||||
if len(b) < 1 {
|
||||
log.Debug("TLS(buffer): Attempted retrieve from empty buffer, stalling...")
|
||||
time.Sleep(1 * time.Second)
|
||||
continue
|
||||
}
|
||||
return b
|
||||
}
|
||||
}
|
||||
|
||||
func (conn TLSConnection) UpdateData(data []byte) {
|
||||
|
||||
@ -103,7 +103,7 @@ func (p *Payload) Handle(stt any) (*Payload, State) {
|
||||
if st.HasMore() {
|
||||
return p.sendNextChunk(st)
|
||||
}
|
||||
return p.startChunkedTransfer(st.Conn.TLSData(), st)
|
||||
return p.startChunkedTransfer(st.Conn.GetData(), st)
|
||||
}
|
||||
|
||||
const maxChunkSize = 1000
|
||||
@ -114,10 +114,10 @@ func (p *Payload) startChunkedTransfer(data []byte, st State) (*Payload, State)
|
||||
if len(data) > maxChunkSize {
|
||||
log.WithField("length", len(data)).Debug("TLS: Data needs to be chunked")
|
||||
flags += FlagMoreFragments
|
||||
dataToSend = data[:maxChunkSize]
|
||||
remainingData := data[maxChunkSize:]
|
||||
// Chunk remaining data into correct chunks and add them to the list
|
||||
st.RemainingChunks = append(st.RemainingChunks, slices.Collect(slices.Chunk(remainingData, maxChunkSize))...)
|
||||
// Chunk data into correct chunks and add them to the list
|
||||
st.RemainingChunks = append(st.RemainingChunks, slices.Collect(slices.Chunk(data, maxChunkSize))...)
|
||||
dataToSend = st.RemainingChunks[0]
|
||||
st.RemainingChunks = st.RemainingChunks[1:]
|
||||
st.TotalPayloadSize = len(data)
|
||||
} else {
|
||||
dataToSend = data
|
||||
|
||||
@ -3,6 +3,7 @@ package radius
|
||||
import (
|
||||
"crypto/sha512"
|
||||
"encoding/hex"
|
||||
"net"
|
||||
"time"
|
||||
|
||||
"github.com/getsentry/sentry-go"
|
||||
@ -35,12 +36,31 @@ func (r *RadiusRequest) ID() string {
|
||||
return r.id
|
||||
}
|
||||
|
||||
type LogWriter struct {
|
||||
w radius.ResponseWriter
|
||||
l *log.Entry
|
||||
}
|
||||
|
||||
func (lw LogWriter) Write(packet *radius.Packet) error {
|
||||
lw.l.WithField("code", packet.Code.String()).Info("Radius Response")
|
||||
return lw.w.Write(packet)
|
||||
}
|
||||
|
||||
func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
|
||||
span := sentry.StartSpan(r.Context(), "authentik.providers.radius.connect",
|
||||
sentry.WithTransactionName("authentik.providers.radius.connect"))
|
||||
rid := uuid.New().String()
|
||||
span.SetTag("request_uid", rid)
|
||||
rl := rs.log.WithField("code", r.Code.String()).WithField("request", rid)
|
||||
host, _, err := net.SplitHostPort(r.RemoteAddr.String())
|
||||
if err != nil {
|
||||
rs.log.WithError(err).Warning("Failed to get remote IP")
|
||||
return
|
||||
}
|
||||
rl := rs.log.WithFields(log.Fields{
|
||||
"code": r.Code.String(),
|
||||
"request": rid,
|
||||
"ip": host,
|
||||
})
|
||||
selectedApp := ""
|
||||
defer func() {
|
||||
span.Finish()
|
||||
@ -58,6 +78,7 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
|
||||
}
|
||||
|
||||
rl.Info("Radius Request")
|
||||
ww := LogWriter{w, rl}
|
||||
|
||||
// Lookup provider by shared secret
|
||||
var pi *ProviderInstance
|
||||
@ -72,12 +93,12 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
|
||||
hs := sha512.Sum512([]byte(r.Secret))
|
||||
bs := hex.EncodeToString(hs[:])
|
||||
nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
|
||||
_ = w.Write(r.Response(radius.CodeAccessReject))
|
||||
_ = ww.Write(r.Response(radius.CodeAccessReject))
|
||||
return
|
||||
}
|
||||
nr.pi = pi
|
||||
|
||||
if nr.Code == radius.CodeAccessRequest {
|
||||
rs.Handle_AccessRequest(w, nr)
|
||||
rs.Handle_AccessRequest(ww, nr)
|
||||
}
|
||||
}
|
||||
|
||||
@ -87,7 +87,7 @@ func (rs *RadiusServer) RADIUSSecret(ctx context.Context, remoteAddr net.Addr) (
|
||||
return bi < bj
|
||||
})
|
||||
candidate := matchedPrefixes[0]
|
||||
rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).Debug("Matched CIDR")
|
||||
rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).WithField("instance", candidate.p.appSlug).Debug("Matched CIDR")
|
||||
return candidate.p.SharedSecret, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user