GUACAMOLE-197: Correct issues with TLS modules, including EAP-TLS and EAP-TTLS
This commit is contained in:
committed by
Nick Couchman
parent
aa45177387
commit
5cb9b7972d
@@ -42,6 +42,7 @@ import net.jradius.packet.AccessChallenge;
|
|||||||
import net.jradius.packet.AccessReject;
|
import net.jradius.packet.AccessReject;
|
||||||
import net.jradius.packet.AccessRequest;
|
import net.jradius.packet.AccessRequest;
|
||||||
import net.jradius.packet.AccessResponse;
|
import net.jradius.packet.AccessResponse;
|
||||||
|
import net.jradius.packet.attribute.AttributeList;
|
||||||
import net.jradius.packet.attribute.RadiusAttribute;
|
import net.jradius.packet.attribute.RadiusAttribute;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -141,6 +142,12 @@ public class AuthenticationProviderService {
|
|||||||
* We create a new form/field with the challenge message.
|
* We create a new form/field with the challenge message.
|
||||||
*/
|
*/
|
||||||
else if (radPack instanceof AccessChallenge) {
|
else if (radPack instanceof AccessChallenge) {
|
||||||
|
AttributeList radAttrs = radPack.getAttributes();
|
||||||
|
logger.debug("===BEGIN ATTRIBUTE DEBUG===");
|
||||||
|
for(RadiusAttribute attr : radAttrs.getAttributeList()) {
|
||||||
|
logger.debug("Attribute: {}; Value: {}", attr.getAttributeName(), attr.getValue());
|
||||||
|
}
|
||||||
|
logger.debug("==END ATTRIBUTE DEBUG===");
|
||||||
try {
|
try {
|
||||||
RadiusAttribute stateAttr = radPack.findAttribute(Attr_State.TYPE);
|
RadiusAttribute stateAttr = radPack.findAttribute(Attr_State.TYPE);
|
||||||
// We should have a state attribute at this point, if not, we need to quit.
|
// We should have a state attribute at this point, if not, we need to quit.
|
||||||
|
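Review bot: The attribute dump added before the `try` logs the value of every attribute in the Access-Challenge, which at debug level writes opaque session-binding data such as State and any EAP-Message payload into the log; logging only the attribute name, `logger.debug("Attribute: {}", attr.getAttributeName());`, keeps the diagnostic without recording values. The BEGIN/END banners (`===BEGIN` versus `==END`, with mismatched padding) read as leftover troubleshooting output and could be dropped or folded into a single `logger.debug("Access-Challenge carried {} attributes", radAttrs.getAttributeList().size());`. The enclosing method starts and ends outside this hunk.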
@@ -167,14 +167,14 @@ public class ConfigurationService {
|
|||||||
public String getRadiusCAFile() throws GuacamoleException {
|
public String getRadiusCAFile() throws GuacamoleException {
|
||||||
return environment.getProperty(
|
return environment.getProperty(
|
||||||
RadiusGuacamoleProperties.RADIUS_CA_FILE,
|
RadiusGuacamoleProperties.RADIUS_CA_FILE,
|
||||||
"radius-ca.pem"
|
null
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getRadiusKeyFile() throws GuacamoleException {
|
public String getRadiusKeyFile() throws GuacamoleException {
|
||||||
return environment.getProperty(
|
return environment.getProperty(
|
||||||
RadiusGuacamoleProperties.RADIUS_KEY_FILE,
|
RadiusGuacamoleProperties.RADIUS_KEY_FILE,
|
||||||
"radius-key.pem"
|
"radius.pem"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -188,7 +188,7 @@ public class ConfigurationService {
|
|||||||
public String getRadiusCAType() throws GuacamoleException {
|
public String getRadiusCAType() throws GuacamoleException {
|
||||||
return environment.getProperty(
|
return environment.getProperty(
|
||||||
RadiusGuacamoleProperties.RADIUS_CA_TYPE,
|
RadiusGuacamoleProperties.RADIUS_CA_TYPE,
|
||||||
null
|
"pkcs12"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -201,8 +201,8 @@ public class ConfigurationService {
|
|||||||
|
|
||||||
public String getRadiusKeyType() throws GuacamoleException {
|
public String getRadiusKeyType() throws GuacamoleException {
|
||||||
return environment.getProperty(
|
return environment.getProperty(
|
||||||
RadiusGuacamoleProperties.RADIUS_KEY_PASSWORD,
|
RadiusGuacamoleProperties.RADIUS_KEY_TYPE,
|
||||||
null
|
"pkcs12"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
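Review bot: The new default key type `"pkcs12"` is paired with the default key file name `"radius.pem"` two hunks up, and a `.pem` file is normally a PEM-encoded certificate or key rather than a PKCS#12 keystore, so out of the box the two defaults are unlikely to describe the same file; either default the file to a `.p12` name or default the type to the format the `.pem` name implies (whichever value jradius's setKeyFileType accepts). Likewise getRadiusCAType now defaults to `"pkcs12"` while getRadiusCAFile defaults to `null`, so a CA type is declared for a file that is not configured. Reading RADIUS_KEY_TYPE instead of RADIUS_KEY_PASSWORD in getRadiusKeyType is the right fix; if the Javadoc above these getters states the defaults, it sits outside the hunk and should be updated to match.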
@@ -27,6 +27,7 @@ import java.net.UnknownHostException;
|
|||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import org.apache.guacamole.GuacamoleException;
|
import org.apache.guacamole.GuacamoleException;
|
||||||
import org.apache.guacamole.GuacamoleUnsupportedException;
|
import org.apache.guacamole.GuacamoleUnsupportedException;
|
||||||
|
import org.apache.guacamole.environment.LocalEnvironment;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import net.jradius.client.RadiusClient;
|
import net.jradius.client.RadiusClient;
|
||||||
@@ -35,6 +36,7 @@ import net.jradius.packet.RadiusPacket;
|
|||||||
import net.jradius.packet.AccessRequest;
|
import net.jradius.packet.AccessRequest;
|
||||||
import net.jradius.dictionary.*;
|
import net.jradius.dictionary.*;
|
||||||
import net.jradius.packet.attribute.AttributeList;
|
import net.jradius.packet.attribute.AttributeList;
|
||||||
|
import net.jradius.packet.attribute.RadiusAttribute;
|
||||||
import net.jradius.client.auth.EAPTLSAuthenticator;
|
import net.jradius.client.auth.EAPTLSAuthenticator;
|
||||||
import net.jradius.client.auth.EAPTTLSAuthenticator;
|
import net.jradius.client.auth.EAPTTLSAuthenticator;
|
||||||
import net.jradius.client.auth.RadiusAuthenticator;
|
import net.jradius.client.auth.RadiusAuthenticator;
|
||||||
@@ -135,9 +137,13 @@ public class RadiusConnectionService {
|
|||||||
String keyType;
|
String keyType;
|
||||||
Boolean trustAll;
|
Boolean trustAll;
|
||||||
String innerProtocol;
|
String innerProtocol;
|
||||||
|
LocalEnvironment guacEnv;
|
||||||
|
String basePath;
|
||||||
|
|
||||||
// Pull configuration parameters from guacamole.properties
|
// Pull configuration parameters from guacamole.properties
|
||||||
try {
|
try {
|
||||||
|
guacEnv = new LocalEnvironment();
|
||||||
|
basePath = guacEnv.getGuacamoleHome().getAbsolutePath() + '/';
|
||||||
radAuthName = confService.getRadiusAuthProtocol();
|
radAuthName = confService.getRadiusAuthProtocol();
|
||||||
caFile = confService.getRadiusCAFile();
|
caFile = confService.getRadiusCAFile();
|
||||||
caPassword = confService.getRadiusCAPassword();
|
caPassword = confService.getRadiusCAPassword();
|
||||||
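Review bot: `basePath` is built as GUACAMOLE_HOME plus `'/'` and is later prepended unconditionally to `caFile` and `keyFile` (hunks @@ -165,7 +171,7 @@ and @@ -174,7 +180,7 @@), so an absolute path configured in guacamole.properties, e.g. `/etc/ssl/private/radius.p12`, becomes `<home>//etc/ssl/private/radius.p12` and can no longer be used. Resolve relative names against the home directory and leave absolute ones untouched, as in the helper below, and pass `resolveAgainstHome(guacEnv.getGuacamoleHome(), caFile)` (and the keyFile equivalent) at the two set*File calls; this assumes getGuacamoleHome() returns a File, as the getAbsolutePath() call suggests, and needs `java.io.File` in scope. Constructing a fresh `LocalEnvironment` here also duplicates whatever Environment ConfigurationService already holds; exposing the home directory through confService would avoid the second instantiation, though that is a style preference. The enclosing method starts and ends outside this hunk.
```java
// … unchanged: configuration lookups and authenticator setup …

/**
 * Resolves a configured certificate or key path: absolute paths are used
 * as-is, relative names are taken relative to GUACAMOLE_HOME.
 */
private static String resolveAgainstHome(File guacamoleHome, String configured) {
    File file = new File(configured);
    if (!file.isAbsolute())
        file = new File(guacamoleHome, configured);
    return file.getAbsolutePath();
}
```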
@@ -165,7 +171,7 @@ public class RadiusConnectionService {
|
|||||||
radAuth instanceof EAPTTLSAuthenticator) {
|
radAuth instanceof EAPTTLSAuthenticator) {
|
||||||
|
|
||||||
if (caFile != null && !caFile.isEmpty())
|
if (caFile != null && !caFile.isEmpty())
|
||||||
((EAPTLSAuthenticator)radAuth).setCaFile(caFile);
|
((EAPTLSAuthenticator)radAuth).setCaFile(basePath + caFile);
|
||||||
|
|
||||||
if (caType != null && !caType.isEmpty())
|
if (caType != null && !caType.isEmpty())
|
||||||
((EAPTLSAuthenticator)radAuth).setCaFileType(caType);
|
((EAPTLSAuthenticator)radAuth).setCaFileType(caType);
|
||||||
@@ -174,7 +180,7 @@ public class RadiusConnectionService {
|
|||||||
((EAPTLSAuthenticator)radAuth).setCaPassword(caPassword);
|
((EAPTLSAuthenticator)radAuth).setCaPassword(caPassword);
|
||||||
|
|
||||||
if (keyFile != null && !keyFile.isEmpty())
|
if (keyFile != null && !keyFile.isEmpty())
|
||||||
((EAPTLSAuthenticator)radAuth).setKeyFile(keyFile);
|
((EAPTLSAuthenticator)radAuth).setKeyFile(basePath + keyFile);
|
||||||
|
|
||||||
if (keyType != null && !keyType.isEmpty())
|
if (keyType != null && !keyType.isEmpty())
|
||||||
((EAPTLSAuthenticator)radAuth).setKeyFileType(keyType);
|
((EAPTLSAuthenticator)radAuth).setKeyFileType(keyType);
|
||||||
@@ -248,18 +254,24 @@ public class RadiusConnectionService {
|
|||||||
AttributeList radAttrs = new AttributeList();
|
AttributeList radAttrs = new AttributeList();
|
||||||
radAttrs.add(new Attr_UserName(username));
|
radAttrs.add(new Attr_UserName(username));
|
||||||
radAttrs.add(new Attr_UserPassword(password));
|
radAttrs.add(new Attr_UserPassword(password));
|
||||||
|
radAttrs.add(new Attr_CleartextPassword(password));
|
||||||
|
|
||||||
AccessRequest radAcc = new AccessRequest(radiusClient);
|
AccessRequest radAcc = new AccessRequest(radiusClient);
|
||||||
|
|
||||||
if (radAuth instanceof EAPTTLSAuthenticator)
|
// EAP-TTLS tunnels protected attributes inside the TLS layer
|
||||||
|
if (radAuth instanceof EAPTTLSAuthenticator) {
|
||||||
|
radAuth.setUsername(new Attr_UserName(username));
|
||||||
((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
|
((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
|
||||||
|
}
|
||||||
else
|
else
|
||||||
radAcc.addAttributes(radAttrs);
|
radAcc.addAttributes(radAttrs);
|
||||||
|
|
||||||
radAuth.setupRequest(radiusClient, radAcc);
|
radAuth.setupRequest(radiusClient, radAcc);
|
||||||
radAuth.processRequest(radAcc);
|
radAuth.processRequest(radAcc);
|
||||||
RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
||||||
if ((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_EAPMessage.TYPE) != null)) {
|
|
||||||
logger.debug("We got an AccessChallenge message, and it appears to be an EAP mechanism, trying to process.");
|
// We receive a Challenge not asking for user input, so silently process the challenge
|
||||||
|
while((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_ReplyMessage.TYPE) == null)) {
|
||||||
radAuth.processChallenge(radAcc, reply);
|
radAuth.processChallenge(radAcc, reply);
|
||||||
reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
||||||
}
|
}
|
||||||
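Review bot: `Attr_CleartextPassword` is added to `radAttrs` unconditionally, but in the non-TTLS `else` branch those attributes go onto the outer Access-Request via `radAcc.addAttributes(radAttrs)`; if jradius encodes this attribute on the wire (it is a FreeRADIUS-internal attribute, so this needs confirming), the password leaves the client without even the RFC 2865 User-Password obfuscation. Safer is to add it only where it is protected, `if (radAuth instanceof EAPTTLSAuthenticator) radAttrs.add(new Attr_CleartextPassword(password));` inside the TLS-tunnel branch, with a comment stating which inner authenticator needs it. The new silent-challenge `while` loop has no upper bound, so a server that keeps answering Access-Challenge without a Reply-Message keeps the thread looping until sendReceive() fails; a counter such as `int rounds = 0;` / `while (... && rounds++ < MAX_EAP_ROUNDS)` with a logged failure when it is exhausted would bound it (MAX_EAP_ROUNDS being a constant to add). Both points apply equally to the identical code added in the @@ -335,16 +347,28 @@ hunk below. The enclosing method starts outside this hunk.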
@@ -335,16 +347,28 @@ public class RadiusConnectionService {
|
|||||||
radAttrs.add(new Attr_UserName(username));
|
radAttrs.add(new Attr_UserName(username));
|
||||||
radAttrs.add(new Attr_State(state));
|
radAttrs.add(new Attr_State(state));
|
||||||
radAttrs.add(new Attr_UserPassword(response));
|
radAttrs.add(new Attr_UserPassword(response));
|
||||||
|
radAttrs.add(new Attr_CleartextPassword(response));
|
||||||
|
|
||||||
AccessRequest radAcc = new AccessRequest(radiusClient);
|
AccessRequest radAcc = new AccessRequest(radiusClient);
|
||||||
|
|
||||||
if (radAuth instanceof EAPTTLSAuthenticator)
|
// EAP-TTLS tunnels protected attributes inside the TLS layer
|
||||||
|
if (radAuth instanceof EAPTTLSAuthenticator) {
|
||||||
|
radAuth.setUsername(new Attr_UserName(username));
|
||||||
((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
|
((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
|
||||||
|
}
|
||||||
else
|
else
|
||||||
radAcc.addAttributes(radAttrs);
|
radAcc.addAttributes(radAttrs);
|
||||||
|
|
||||||
radAuth.setupRequest(radiusClient, radAcc);
|
radAuth.setupRequest(radiusClient, radAcc);
|
||||||
radAuth.processRequest(radAcc);
|
radAuth.processRequest(radAcc);
|
||||||
return radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
||||||
|
|
||||||
|
// We receive a Challenge not asking for user input, so silently process the challenge
|
||||||
|
while((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_ReplyMessage.TYPE) == null)) {
|
||||||
|
radAuth.processChallenge(radAcc, reply);
|
||||||
|
reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
|
||||||
|
}
|
||||||
|
return reply;
|
||||||
}
|
}
|
||||||
catch (RadiusException e) {
|
catch (RadiusException e) {
|
||||||
logger.error("Unable to complete authentication.", e.getMessage());
|
logger.error("Unable to complete authentication.", e.getMessage());
|
||||||
|