@ -29,13 +29,13 @@ func (p *Packet) Handle(stm StateManager, w radius.ResponseWriter, r *radius.Pac
|
|||||||
res, newState := p.GetChallengeForType(st, nextChallengeToOffer)
|
res, newState := p.GetChallengeForType(st, nextChallengeToOffer)
|
||||||
stm.SetEAPState(rst, newState)
|
stm.SetEAPState(rst, newState)
|
||||||
|
|
||||||
log.Debug("EAP: encapsulating challenge")
|
|
||||||
rres := r.Response(radius.CodeAccessChallenge)
|
rres := r.Response(radius.CodeAccessChallenge)
|
||||||
rfc2865.State_SetString(rres, rst)
|
rfc2865.State_SetString(rres, rst)
|
||||||
eapEncoded, err := res.Encode()
|
eapEncoded, err := res.Encode()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
log.WithField("length", len(eapEncoded)).Debug("EAP: encapsulating challenge")
|
||||||
rfc2869.EAPMessage_Set(rres, eapEncoded)
|
rfc2869.EAPMessage_Set(rres, eapEncoded)
|
||||||
p.setMessageAuthenticator(rres)
|
p.setMessageAuthenticator(rres)
|
||||||
err = w.Write(rres)
|
err = w.Write(rres)
|
||||||
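Review bot: The `if err != nil { panic(err) }` just above the new length log turns any challenge that fails to encode into a crash of the handler; unless the radius server wraps each request in a recover, a single bad packet takes the listener down. A reject plus a log line is the safer failure mode: `log.WithError(err).Warning("EAP: failed to encode challenge")`, `_ = w.Write(r.Response(radius.CodeAccessReject))`, `return`. Handle begins before and ends after this hunk, so the early return has to fit its surrounding control flow.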
@ -54,9 +54,11 @@ func (p *Packet) GetChallengeForType(st *State, t Type) (*Packet, *State) {
|
|||||||
var tst any
|
var tst any
|
||||||
switch t {
|
switch t {
|
||||||
case TypeTLS:
|
case TypeTLS:
|
||||||
cp := tls.Payload{}
|
if _, ok := p.Payload.(*tls.Payload); !ok {
|
||||||
cp.Decode(p.rawPayload)
|
p.Payload = &tls.Payload{}
|
||||||
payload, tst = cp.Handle(st.TypeState[t])
|
p.Payload.Decode(p.rawPayload)
|
||||||
|
}
|
||||||
|
payload, tst = p.Payload.(*tls.Payload).Handle(st.TypeState[t])
|
||||||
}
|
}
|
||||||
st.TypeState[t] = tst
|
st.TypeState[t] = tst
|
||||||
res.Payload = payload.(Payload)
|
res.Payload = payload.(Payload)
|
||||||
|
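Review bot: The result of `p.Payload.Decode(p.rawPayload)` is discarded on the new line, so if Decode can signal a malformed EAP-TLS payload that signal is lost and a partially decoded payload is handed to Handle; if Decode has an error return, check it and skip Handle for that packet. A second gap in the same switch: `case TypeTLS` is the only case, so for any other `t` the `payload` variable stays nil and `res.Payload = payload.(Payload)` panics on the unchecked assertion — a `default:` that logs and returns, or a checked `p, ok := payload.(Payload)`, would fail closed instead. GetChallengeForType starts before this hunk.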
@ -21,8 +21,16 @@ func NewTLSConnection(initialData []byte) TLSConnection {
|
|||||||
return c
|
return c
|
||||||
}
|
}
|
||||||
|
|
||||||
func (conn TLSConnection) TLSData() []byte {
|
func (conn TLSConnection) GetData() []byte {
|
||||||
return conn.writer.Bytes()
|
for {
|
||||||
|
b := conn.writer.Bytes()
|
||||||
|
if len(b) < 1 {
|
||||||
|
log.Debug("TLS(buffer): Attempted retrieve from empty buffer, stalling...")
|
||||||
|
time.Sleep(1 * time.Second)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (conn TLSConnection) UpdateData(data []byte) {
|
func (conn TLSConnection) UpdateData(data []byte) {
|
||||||
|
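Review bot: The new `for { ... time.Sleep(1 * time.Second); continue }` loop in GetData has no upper bound, so a peer that never produces TLS output (a stalled or abandoned handshake) pins the calling goroutine forever, logging once a second; in a packet handler that is an easy way to exhaust the server. Bound the wait with a deadline and return an empty slice the caller can treat as a failure, as sketched below (`maxDataWait` would be a package constant to choose, and Handle must then treat an empty result as an error rather than send an empty chunk). The loop also reads `conn.writer.Bytes()` repeatedly while, presumably, another goroutine is filling the writer; if so those accesses need synchronization (run the tests with -race to confirm). The rename from TLSData to GetData goes against the Go convention of dropping the Get prefix.
```go
func (conn TLSConnection) GetData() []byte {
	// Never wait forever: a peer that produces no TLS output must not pin this goroutine.
	deadline := time.Now().Add(maxDataWait)
	for {
		b := conn.writer.Bytes()
		if len(b) > 0 {
			return b
		}
		if time.Now().After(deadline) {
			log.Warning("TLS(buffer): No data before deadline, giving up")
			return nil
		}
		log.Debug("TLS(buffer): Attempted retrieve from empty buffer, stalling...")
		time.Sleep(1 * time.Second)
	}
}
```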
@ -103,7 +103,7 @@ func (p *Payload) Handle(stt any) (*Payload, State) {
|
|||||||
if st.HasMore() {
|
if st.HasMore() {
|
||||||
return p.sendNextChunk(st)
|
return p.sendNextChunk(st)
|
||||||
}
|
}
|
||||||
return p.startChunkedTransfer(st.Conn.TLSData(), st)
|
return p.startChunkedTransfer(st.Conn.GetData(), st)
|
||||||
}
|
}
|
||||||
|
|
||||||
const maxChunkSize = 1000
|
const maxChunkSize = 1000
|
||||||
@ -114,10 +114,10 @@ func (p *Payload) startChunkedTransfer(data []byte, st State) (*Payload, State)
|
|||||||
if len(data) > maxChunkSize {
|
if len(data) > maxChunkSize {
|
||||||
log.WithField("length", len(data)).Debug("TLS: Data needs to be chunked")
|
log.WithField("length", len(data)).Debug("TLS: Data needs to be chunked")
|
||||||
flags += FlagMoreFragments
|
flags += FlagMoreFragments
|
||||||
dataToSend = data[:maxChunkSize]
|
// Chunk data into correct chunks and add them to the list
|
||||||
remainingData := data[maxChunkSize:]
|
st.RemainingChunks = append(st.RemainingChunks, slices.Collect(slices.Chunk(data, maxChunkSize))...)
|
||||||
// Chunk remaining data into correct chunks and add them to the list
|
dataToSend = st.RemainingChunks[0]
|
||||||
st.RemainingChunks = append(st.RemainingChunks, slices.Collect(slices.Chunk(remainingData, maxChunkSize))...)
|
st.RemainingChunks = st.RemainingChunks[1:]
|
||||||
st.TotalPayloadSize = len(data)
|
st.TotalPayloadSize = len(data)
|
||||||
} else {
|
} else {
|
||||||
dataToSend = data
|
dataToSend = data
|
||||||
|
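Review bot: On the new line `dataToSend = st.RemainingChunks[0]` the first chunk is taken from the head of the whole queue, not from `data`, so if `st.RemainingChunks` is non-empty on entry the packet sends a stale chunk and the first piece of the fresh data is queued behind it; the previous code sent `data[:maxChunkSize]` unconditionally. Chunk first and queue only the tail: `chunks := slices.Collect(slices.Chunk(data, maxChunkSize))`, `dataToSend = chunks[0]`, `st.RemainingChunks = append(st.RemainingChunks, chunks[1:]...)`. Handle calls this only when `st.HasMore()` is false, which probably keeps the queue empty in practice, but the function should not depend on that. `slices.Chunk` and `slices.Collect` need Go 1.23, so the module's go directive must be at least that. startChunkedTransfer begins before and continues after this hunk.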
@ -3,6 +3,7 @@ package radius
|
|||||||
import (
|
import (
|
||||||
"crypto/sha512"
|
"crypto/sha512"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/getsentry/sentry-go"
|
"github.com/getsentry/sentry-go"
|
||||||
@ -35,12 +36,31 @@ func (r *RadiusRequest) ID() string {
|
|||||||
return r.id
|
return r.id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type LogWriter struct {
|
||||||
|
w radius.ResponseWriter
|
||||||
|
l *log.Entry
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lw LogWriter) Write(packet *radius.Packet) error {
|
||||||
|
lw.l.WithField("code", packet.Code.String()).Info("Radius Response")
|
||||||
|
return lw.w.Write(packet)
|
||||||
|
}
|
||||||
|
|
||||||
func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
|
func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
|
||||||
span := sentry.StartSpan(r.Context(), "authentik.providers.radius.connect",
|
span := sentry.StartSpan(r.Context(), "authentik.providers.radius.connect",
|
||||||
sentry.WithTransactionName("authentik.providers.radius.connect"))
|
sentry.WithTransactionName("authentik.providers.radius.connect"))
|
||||||
rid := uuid.New().String()
|
rid := uuid.New().String()
|
||||||
span.SetTag("request_uid", rid)
|
span.SetTag("request_uid", rid)
|
||||||
rl := rs.log.WithField("code", r.Code.String()).WithField("request", rid)
|
host, _, err := net.SplitHostPort(r.RemoteAddr.String())
|
||||||
|
if err != nil {
|
||||||
|
rs.log.WithError(err).Warning("Failed to get remote IP")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
rl := rs.log.WithFields(log.Fields{
|
||||||
|
"code": r.Code.String(),
|
||||||
|
"request": rid,
|
||||||
|
"ip": host,
|
||||||
|
})
|
||||||
selectedApp := ""
|
selectedApp := ""
|
||||||
defer func() {
|
defer func() {
|
||||||
span.Finish()
|
span.Finish()
|
||||||
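Review bot: The new early `return` when `net.SplitHostPort(r.RemoteAddr.String())` fails runs before the `defer func() { span.Finish() ... }` that is set up a few lines later, so the span started at the top of ServeRADIUS is never finished on that path, and the client gets no response at all rather than a reject. Either move the address parsing below the defer or finish explicitly with `span.Finish()` before the `return`. The exported `LogWriter` type and its `Write` method have no doc comments; `// LogWriter wraps a radius.ResponseWriter and logs the code of every response written through it.` and `// Write logs the packet's code on the wrapped entry, then forwards the packet to the underlying writer.` would do. ServeRADIUS continues past this hunk.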
@ -58,6 +78,7 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
|
|||||||
}
|
}
|
||||||
|
|
||||||
rl.Info("Radius Request")
|
rl.Info("Radius Request")
|
||||||
|
ww := LogWriter{w, rl}
|
||||||
|
|
||||||
// Lookup provider by shared secret
|
// Lookup provider by shared secret
|
||||||
var pi *ProviderInstance
|
var pi *ProviderInstance
|
||||||
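Review bot: `ww := LogWriter{w, rl}` is a positional struct literal, which silently mis-assigns if the field order of LogWriter ever changes; `ww := LogWriter{w: w, l: rl}` is the conventional keyed form. Since `w` stays in scope after this line, any later write that still goes through `w` instead of `ww` will bypass the response log, which is worth checking across the rest of ServeRADIUS (the function continues outside this hunk).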
@ -72,12 +93,12 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
|
|||||||
hs := sha512.Sum512([]byte(r.Secret))
|
hs := sha512.Sum512([]byte(r.Secret))
|
||||||
bs := hex.EncodeToString(hs[:])
|
bs := hex.EncodeToString(hs[:])
|
||||||
nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
|
nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
|
||||||
_ = w.Write(r.Response(radius.CodeAccessReject))
|
_ = ww.Write(r.Response(radius.CodeAccessReject))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
nr.pi = pi
|
nr.pi = pi
|
||||||
|
|
||||||
if nr.Code == radius.CodeAccessRequest {
|
if nr.Code == radius.CodeAccessRequest {
|
||||||
rs.Handle_AccessRequest(w, nr)
|
rs.Handle_AccessRequest(ww, nr)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
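Review bot: The context line `nr.Log().WithField("hashed_secret", bs).Warning("No provider found")` writes an unsalted SHA-512 of the shared secret into the log on every unmatched request, so anyone with read access to the logs can check guesses against it offline; that predates this commit, but the hunk is now the natural place to fix it because `rl` already carries the request id and source IP for correlation. Log at most a short fingerprint, e.g. `nr.Log().WithField("secret_fingerprint", bs[:8]).Warning("No provider found")`, or drop the field entirely. The `_ = ww.Write(...)` discard also hides a failed reject; a `WithError` debug line there would keep the existing best-effort behaviour while making failures visible. ServeRADIUS starts before this hunk.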
@ -87,7 +87,7 @@ func (rs *RadiusServer) RADIUSSecret(ctx context.Context, remoteAddr net.Addr) (
|
|||||||
return bi < bj
|
return bi < bj
|
||||||
})
|
})
|
||||||
candidate := matchedPrefixes[0]
|
candidate := matchedPrefixes[0]
|
||||||
rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).Debug("Matched CIDR")
|
rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).WithField("instance", candidate.p.appSlug).Debug("Matched CIDR")
|
||||||
return candidate.p.SharedSecret, nil
|
return candidate.p.SharedSecret, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|