From 5cb9b7972d5240ca9307fe5fc94ff818b6d6ab7b Mon Sep 17 00:00:00 2001
From: Nick Couchman
Date: Fri, 10 Feb 2017 16:33:19 -0500
Subject: [PATCH] GUACAMOLE-197: Correct issues with TLS modules, including EAP-TLS and EAP-TTLS

---
 .../radius/AuthenticationProviderService.java |  7 ++++
 .../auth/radius/ConfigurationService.java     | 10 ++---
 .../auth/radius/RadiusConnectionService.java  | 38 +++++++++++++++----
 3 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
index 91bb0985b..0e0629024 100644
--- a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
@@ -42,6 +42,7 @@ import net.jradius.packet.AccessChallenge;
 import net.jradius.packet.AccessReject;
 import net.jradius.packet.AccessRequest;
 import net.jradius.packet.AccessResponse;
+import net.jradius.packet.attribute.AttributeList;
 import net.jradius.packet.attribute.RadiusAttribute;
 
 /**
@@ -141,6 +142,12 @@ public class AuthenticationProviderService {
          * We create a new form/field with the challenge message.
          */
         else if (radPack instanceof AccessChallenge) {
+            AttributeList radAttrs = radPack.getAttributes();
+            logger.debug("===BEGIN ATTRIBUTE DEBUG===");
+            for(RadiusAttribute attr : radAttrs.getAttributeList()) {
+                logger.debug("Attribute: {}; Value: {}", attr.getAttributeName(), attr.getValue());
+            }
+            logger.debug("==END ATTRIBUTE DEBUG===");
             try {
                 RadiusAttribute stateAttr = radPack.findAttribute(Attr_State.TYPE);
                 // We should have a state attribute at this point, if not, we need to quit.
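Review bot: The attribute dump added in the @@ -141 hunk runs on every AccessChallenge regardless of log level and logs each attribute's value verbatim; wrap it in `if (logger.isDebugEnabled()) { … }` so the iteration and string formatting are skipped in production, and confirm that no attribute a server may include (vendor-specific ones in particular) carries material that should not land in logs. The markers also differ (`===BEGIN ATTRIBUTE DEBUG===` vs `==END ATTRIBUTE DEBUG===`), which reads like a leftover from local debugging; if it is meant to stay, a comment such as `// Dump challenge attributes to aid diagnosing EAP negotiation failures` would make the intent explicit. The enclosing method starts and ends outside the hunk.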
diff --git a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/ConfigurationService.java b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/ConfigurationService.java
index 37117e2cc..3136587ca 100644
--- a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/ConfigurationService.java
+++ b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/ConfigurationService.java
@@ -167,14 +167,14 @@ public class ConfigurationService {
     public String getRadiusCAFile() throws GuacamoleException {
         return environment.getProperty(
             RadiusGuacamoleProperties.RADIUS_CA_FILE,
-            "radius-ca.pem"
+            null
         );
     }
 
     public String getRadiusKeyFile() throws GuacamoleException {
         return environment.getProperty(
             RadiusGuacamoleProperties.RADIUS_KEY_FILE,
-            "radius-key.pem"
+            "radius.pem"
         );
     }
 
@@ -188,7 +188,7 @@ public class ConfigurationService {
     public String getRadiusCAType() throws GuacamoleException {
         return environment.getProperty(
             RadiusGuacamoleProperties.RADIUS_CA_TYPE,
-            null
+            "pkcs12"
         );
     }
 
@@ -201,8 +201,8 @@ public class ConfigurationService {
     public String getRadiusKeyType() throws GuacamoleException {
         return environment.getProperty(
-            RadiusGuacamoleProperties.RADIUS_KEY_PASSWORD,
-            null
+            RadiusGuacamoleProperties.RADIUS_KEY_TYPE,
+            "pkcs12"
         );
     }
 
diff --git a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
index a0077b477..6cca67789 100644
--- a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
+++ b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
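Review bot: The new defaults disagree with each other: getRadiusKeyFile now defaults to `"radius.pem"` while getRadiusKeyType defaults to `"pkcs12"`, and getRadiusCAType defaults to `"pkcs12"` while getRadiusCAFile defaults to null; a PEM-named default paired with a PKCS#12 type will presumably fail to load unless that file really is a PKCS#12 store. Pick one format for the defaults (or make the type default match the file name) and state each default in the getter's Javadoc, which sits outside the hunk, e.g. `@return the configured key file name, or "radius.pem" if the property is unset`. The RADIUS_KEY_PASSWORD to RADIUS_KEY_TYPE correction in @@ -201 is the right fix; reading RADIUS_KEY_TYPE and RADIUS_CA_TYPE through one shared default constant would keep the two from drifting apart again.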
@@ -27,6 +27,7 @@ import java.net.UnknownHostException;
 import java.security.NoSuchAlgorithmException;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleUnsupportedException;
+import org.apache.guacamole.environment.LocalEnvironment;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import net.jradius.client.RadiusClient;
@@ -35,6 +36,7 @@ import net.jradius.packet.RadiusPacket;
 import net.jradius.packet.AccessRequest;
 import net.jradius.dictionary.*;
 import net.jradius.packet.attribute.AttributeList;
+import net.jradius.packet.attribute.RadiusAttribute;
 import net.jradius.client.auth.EAPTLSAuthenticator;
 import net.jradius.client.auth.EAPTTLSAuthenticator;
 import net.jradius.client.auth.RadiusAuthenticator;
@@ -135,9 +137,13 @@ public class RadiusConnectionService {
         String keyType;
         Boolean trustAll;
         String innerProtocol;
+        LocalEnvironment guacEnv;
+        String basePath;
 
         // Pull configuration parameters from guacamole.properties
         try {
+            guacEnv = new LocalEnvironment();
+            basePath = guacEnv.getGuacamoleHome().getAbsolutePath() + '/';
             radAuthName = confService.getRadiusAuthProtocol();
             caFile = confService.getRadiusCAFile();
             caPassword = confService.getRadiusCAPassword();
@@ -165,7 +171,7 @@ public class RadiusConnectionService {
                 radAuth instanceof EAPTTLSAuthenticator) {
 
             if (caFile != null && !caFile.isEmpty())
-                ((EAPTLSAuthenticator)radAuth).setCaFile(caFile);
+                ((EAPTLSAuthenticator)radAuth).setCaFile(basePath + caFile);
 
             if (caType != null && !caType.isEmpty())
                 ((EAPTLSAuthenticator)radAuth).setCaFileType(caType);
@@ -174,7 +180,7 @@ public class RadiusConnectionService {
                 ((EAPTLSAuthenticator)radAuth).setCaPassword(caPassword);
 
             if (keyFile != null && !keyFile.isEmpty())
-                ((EAPTLSAuthenticator)radAuth).setKeyFile(keyFile);
+                ((EAPTLSAuthenticator)radAuth).setKeyFile(basePath + keyFile);
 
             if (keyType != null && !keyType.isEmpty())
                 ((EAPTLSAuthenticator)radAuth).setKeyFileType(keyType);
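Review bot: Prefixing `basePath` unconditionally in the @@ -165 and @@ -174 hunks breaks any CA or key file an administrator configures as an absolute path, because `basePath + caFile` turns (constructed example) `/etc/ssl/ca.p12` into `<GUACAMOLE_HOME>//etc/ssl/ca.p12`; it also hard-codes `'/'` as the separator. Resolve relative names against GUACAMOLE_HOME with java.io.File and leave absolute ones untouched, as sketched below (the import of File, if not already present, is outside the hunk). The bare `new LocalEnvironment()` in @@ -135 is also worth a second look: the class already receives `confService` from outside, so the environment could presumably be obtained the same way rather than constructed per call. The enclosing method starts and ends outside these hunks.
```java
// … unchanged: configuration lookup into caFile, keyFile, etc. …
File guacHome = guacEnv.getGuacamoleHome();
// … unchanged: authenticator selection …
if (caFile != null && !caFile.isEmpty()) {
    // Relative names live under GUACAMOLE_HOME; absolute ones are used as given.
    File caPath = new File(caFile);
    if (!caPath.isAbsolute())
        caPath = new File(guacHome, caFile);
    ((EAPTLSAuthenticator)radAuth).setCaFile(caPath.getAbsolutePath());
}
// … same resolution applied to keyFile before setKeyFile …
```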
@@ -248,18 +254,24 @@ public class RadiusConnectionService {
             AttributeList radAttrs = new AttributeList();
             radAttrs.add(new Attr_UserName(username));
             radAttrs.add(new Attr_UserPassword(password));
+            radAttrs.add(new Attr_CleartextPassword(password));
+
             AccessRequest radAcc = new AccessRequest(radiusClient);
-            if (radAuth instanceof EAPTTLSAuthenticator)
+            // EAP-TTLS tunnels protected attributes inside the TLS layer
+            if (radAuth instanceof EAPTTLSAuthenticator) {
+                radAuth.setUsername(new Attr_UserName(username));
                 ((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
+            }
             else
                 radAcc.addAttributes(radAttrs);
 
             radAuth.setupRequest(radiusClient, radAcc);
             radAuth.processRequest(radAcc);
 
             RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
-            if ((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_EAPMessage.TYPE) != null)) {
-                logger.debug("We got an AccessChallenge message, and it appears to be an EAP mechanism, trying to process.");
+
+            // We receive a Challenge not asking for user input, so silently process the challenge
+            while((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_ReplyMessage.TYPE) == null)) {
                 radAuth.processChallenge(radAcc, reply);
                 reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
             }
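Review bot: The new `while` loop that re-sends on every AccessChallenge lacking a Reply-Message has no upper bound, so a misbehaving or malicious RADIUS server that keeps answering with such challenges holds this thread (and its retries) in the loop indefinitely; the identical loop is added in the @@ -335 hunk. Cap it, e.g. `int rounds = 0;` before the loop and `&& rounds++ < MAX_CHALLENGE_ROUNDS` in the condition, with the constant documented as the maximum number of silent EAP round-trips allowed per authentication. Separately, `Attr_CleartextPassword` is added to `radAttrs` before the branch, so in the non-TTLS `else` it is placed on the outer Access-Request; unless jradius guarantees that attribute is never encoded on the wire, move that `add` inside the EAPTTLSAuthenticator branch, where the attributes are tunneled. The enclosing method continues outside the hunk.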
@@ -335,16 +347,28 @@ public class RadiusConnectionService {
             radAttrs.add(new Attr_UserName(username));
             radAttrs.add(new Attr_State(state));
             radAttrs.add(new Attr_UserPassword(response));
+            radAttrs.add(new Attr_CleartextPassword(response));
+
             AccessRequest radAcc = new AccessRequest(radiusClient);
-            if (radAuth instanceof EAPTTLSAuthenticator)
+            // EAP-TTLS tunnels protected attributes inside the TLS layer
+            if (radAuth instanceof EAPTTLSAuthenticator) {
+                radAuth.setUsername(new Attr_UserName(username));
                 ((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
+            }
             else
                 radAcc.addAttributes(radAttrs);
 
             radAuth.setupRequest(radiusClient, radAcc);
             radAuth.processRequest(radAcc);
 
-            return radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
+            RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
+
+            // We receive a Challenge not asking for user input, so silently process the challenge
+            while((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_ReplyMessage.TYPE) == null)) {
+                radAuth.processChallenge(radAcc, reply);
+                reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
+            }
+            return reply;
         }
         catch (RadiusException e) {
             logger.error("Unable to complete authentication.", e.getMessage());