![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to radius_socket.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libradius|
Return to radius_socket.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libradius |
1.1 misho 1: /*
2: * Copyright (C) 2010 Martin Willi
3: * Copyright (C) 2010 revosec AG
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: /*
17: * Copyright (C) 2015 Thom Troy
18: *
19: * Permission is hereby granted, free of charge, to any person obtaining a copy
20: * of this software and associated documentation files (the "Software"), to deal
21: * in the Software without restriction, including without limitation the rights
22: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
23: * copies of the Software, and to permit persons to whom the Software is
24: * furnished to do so, subject to the following conditions:
25: *
26: * The above copyright notice and this permission notice shall be included in
27: * all copies or substantial portions of the Software.
28: *
29: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
30: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
31: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
32: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
33: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
34: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
35: * THE SOFTWARE.
36: */
37:
38: #include "radius_socket.h"
39: #include "radius_mppe.h"
40:
41: #include <errno.h>
42: #include <unistd.h>
43: #include <math.h>
44:
45: #include <pen/pen.h>
46: #include <utils/debug.h>
47:
48: typedef struct private_radius_socket_t private_radius_socket_t;
49:
50: /**
51: * Private data of an radius_socket_t object.
52: */
53: struct private_radius_socket_t {
54:
55: /**
56: * Public radius_socket_t interface.
57: */
58: radius_socket_t public;
59:
60: /**
61: * Server port for authentication
62: */
63: uint16_t auth_port;
64:
65: /**
66: * socket file descriptor for authentication
67: */
68: int auth_fd;
69:
70: /**
71: * Server port for accounting
72: */
73: uint16_t acct_port;
74:
75: /**
76: * socket file descriptor for accounting
77: */
78: int acct_fd;
79:
80: /**
81: * Server address
82: */
83: char *address;
84:
85: /**
86: * current RADIUS identifier
87: */
88: uint8_t identifier;
89:
90: /**
91: * hasher to use for response verification
92: */
93: hasher_t *hasher;
94:
95: /**
96: * HMAC-MD5 signer to build Message-Authenticator attribute
97: */
98: signer_t *signer;
99:
100: /**
101: * random number generator for RADIUS request authenticator
102: */
103: rng_t *rng;
104:
105: /**
106: * RADIUS secret
107: */
108: chunk_t secret;
109:
110: /**
111: * Number of times we retransmit messages before giving up
112: */
113: u_int retransmit_tries;
114:
115: /**
116: * Retransmission timeout
117: */
118: double retransmit_timeout;
119:
120: /**
121: * Base to calculate retransmission timeout
122: */
123: double retransmit_base;
124: };
125:
126: /**
127: * Check or establish RADIUS connection
128: */
129: static bool check_connection(private_radius_socket_t *this,
130: int *fd, uint16_t port)
131: {
132: if (*fd == -1)
133: {
134: host_t *server;
135:
136: server = host_create_from_dns(this->address, AF_UNSPEC, port);
137: if (!server)
138: {
139: DBG1(DBG_CFG, "resolving RADIUS server address '%s' failed",
140: this->address);
141: return FALSE;
142: }
143: *fd = socket(server->get_family(server), SOCK_DGRAM, IPPROTO_UDP);
144: if (*fd == -1)
145: {
146: DBG1(DBG_CFG, "opening RADIUS socket for %#H failed: %s",
147: server, strerror(errno));
148: server->destroy(server);
149: return FALSE;
150: }
151: if (connect(*fd, server->get_sockaddr(server),
152: *server->get_sockaddr_len(server)) < 0)
153: {
154: DBG1(DBG_CFG, "connecting RADIUS socket to %#H failed: %s",
155: server, strerror(errno));
156: server->destroy(server);
157: close(*fd);
158: *fd = -1;
159: return FALSE;
160: }
161: server->destroy(server);
162: }
163: return TRUE;
164: }
165:
166: /**
167: * Receive the response to the message with the given ID
168: */
169: static status_t receive_response(int fd, int timeout, uint8_t id,
170: radius_message_t **response)
171: {
172: radius_message_t *msg;
173: char buf[4096];
174: int res;
175: struct pollfd pfd = {
176: .fd = fd,
177: .events = POLLIN,
178: };
179:
180: while (TRUE)
181: {
182: res = poll(&pfd, 1, timeout);
183: if (res < 0)
184: {
185: DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
186: strerror(errno));
187: return FAILED;
188: }
189: if (res == 0)
190: { /* timeout */
191: return OUT_OF_RES;
192: }
193: res = recv(fd, buf, sizeof(buf), MSG_DONTWAIT);
194: if (res <= 0)
195: {
196: DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
197: strerror(errno));
198: return FAILED;
199: }
200: msg = radius_message_parse(chunk_create(buf, res));
201: if (!msg)
202: {
203: DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
204: return FAILED;
205: }
206: if (id != msg->get_identifier(msg))
207: {
208: /* we haven't received the response to our current request, but
209: * perhaps one for an earlier request for which we didn't wait
210: * long enough */
211: DBG1(DBG_CFG, "received RADIUS message with unexpected ID %d "
212: "[%d expected], ignored", msg->get_identifier(msg), id);
213: msg->destroy(msg);
214: continue;
215: }
216: *response = msg;
217: return SUCCESS;
218: }
219: }
220:
221: METHOD(radius_socket_t, request, radius_message_t*,
222: private_radius_socket_t *this, radius_message_t *request)
223: {
224: radius_message_t *response;
225: chunk_t data;
226: int *fd, retransmit = 0, timeout;
227: uint16_t port;
228: rng_t *rng = NULL;
229:
230: if (request->get_code(request) == RMC_ACCOUNTING_REQUEST)
231: {
232: fd = &this->acct_fd;
233: port = this->acct_port;
234: }
235: else
236: {
237: fd = &this->auth_fd;
238: port = this->auth_port;
239: rng = this->rng;
240: }
241:
242: /* set Message Identifier */
243: request->set_identifier(request, this->identifier++);
244: /* sign the request */
245: if (!request->sign(request, NULL, this->secret, this->hasher, this->signer,
246: rng, rng != NULL))
247: {
248: return NULL;
249: }
250:
251: if (!check_connection(this, fd, port))
252: {
253: return NULL;
254: }
255:
256: data = request->get_encoding(request);
257: DBG3(DBG_CFG, "%B", &data);
258:
259: while (retransmit < this->retransmit_tries)
260: {
261: timeout = (int)(this->retransmit_timeout * 1000.0 *
262: pow(this->retransmit_base, retransmit));
263: if (retransmit)
264: {
265: DBG1(DBG_CFG, "retransmit %d of RADIUS %N (timeout: %.1fs)",
266: retransmit, radius_message_code_names,
267: request->get_code(request), timeout/1000.0);
268: }
269: if (send(*fd, data.ptr, data.len, 0) != data.len)
270: {
271: DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
272: return NULL;
273: }
274: switch (receive_response(*fd, timeout, request->get_identifier(request),
275: &response))
276: {
277: case SUCCESS:
278: break;
279: case OUT_OF_RES:
280: retransmit++;
281: continue;
282: default:
283: return NULL;
284: }
285: if (response->verify(response, request->get_authenticator(request),
286: this->secret, this->hasher, this->signer))
287: {
288: return response;
289: }
290: response->destroy(response);
291: return NULL;
292: }
293:
294: DBG1(DBG_CFG, "RADIUS %N timed out after %d attempts",
295: radius_message_code_names, request->get_code(request), retransmit);
296: return NULL;
297: }
298:
299: /**
300: * Decrypt a MS-MPPE-Send/Recv-Key
301: */
302: static chunk_t decrypt_mppe_key(private_radius_socket_t *this, uint16_t salt,
303: chunk_t C, radius_message_t *request)
304: {
305: chunk_t decrypted;
306:
307: decrypted = chunk_alloca(C.len);
308: if (!request->crypt(request, chunk_from_thing(salt), C, decrypted,
309: this->secret, this->hasher) ||
310: decrypted.ptr[0] >= decrypted.len)
311: { /* decryption failed? */
312: return chunk_empty;
313: }
314: /* remove truncation, first byte is key length */
315: return chunk_clone(chunk_create(decrypted.ptr + 1, decrypted.ptr[0]));
316: }
317:
318: METHOD(radius_socket_t, decrypt_msk, chunk_t,
319: private_radius_socket_t *this, radius_message_t *request,
320: radius_message_t *response)
321: {
322: mppe_key_t *mppe_key;
323: enumerator_t *enumerator;
324: chunk_t data, send = chunk_empty, recv = chunk_empty;
325: int type;
326:
327: enumerator = response->create_enumerator(response);
328: while (enumerator->enumerate(enumerator, &type, &data))
329: {
330: if (type == RAT_VENDOR_SPECIFIC && data.len > sizeof(mppe_key_t))
331: {
332: mppe_key = (mppe_key_t*)data.ptr;
333: if (ntohl(mppe_key->id) == PEN_MICROSOFT &&
334: mppe_key->length == data.len - sizeof(mppe_key->id))
335: {
336: data = chunk_create(mppe_key->key, data.len - sizeof(mppe_key_t));
337: if (mppe_key->type == MS_MPPE_SEND_KEY)
338: {
339: send = decrypt_mppe_key(this, mppe_key->salt, data, request);
340: }
341: if (mppe_key->type == MS_MPPE_RECV_KEY)
342: {
343: recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
344: }
345: }
346: }
347: }
348: enumerator->destroy(enumerator);
349: if (send.ptr && recv.ptr)
350: {
351: chunk_t pad = chunk_empty;
352:
353: if ((send.len + recv.len) < 64)
354: { /* zero-pad MSK to at least 64 bytes */
355: pad = chunk_alloca(64 - send.len - recv.len);
356: memset(pad.ptr, 0, pad.len);
357: }
358: return chunk_cat("mmc", recv, send, pad);
359: }
360: chunk_clear(&send);
361: chunk_clear(&recv);
362: return chunk_empty;
363: }
364:
365: METHOD(radius_socket_t, destroy, void,
366: private_radius_socket_t *this)
367: {
368: DESTROY_IF(this->hasher);
369: DESTROY_IF(this->signer);
370: DESTROY_IF(this->rng);
371: if (this->auth_fd != -1)
372: {
373: close(this->auth_fd);
374: };
375: if (this->acct_fd != -1)
376: {
377: close(this->acct_fd);
378: }
379: free(this);
380: }
381:
382: /**
383: * See header
384: */
385: radius_socket_t *radius_socket_create(char *address, uint16_t auth_port,
386: uint16_t acct_port, chunk_t secret,
387: u_int tries, double timeout, double base)
388: {
389: private_radius_socket_t *this;
390:
391: INIT(this,
392: .public = {
393: .request = _request,
394: .decrypt_msk = _decrypt_msk,
395: .destroy = _destroy,
396: },
397: .address = address,
398: .auth_port = auth_port,
399: .auth_fd = -1,
400: .acct_port = acct_port,
401: .acct_fd = -1,
402: .hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
403: .signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
404: .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
405: .retransmit_tries = tries,
406: .retransmit_timeout = timeout,
407: .retransmit_base = base,
408: );
409:
410: if (!this->hasher || !this->signer || !this->rng ||
411: !this->signer->set_key(this->signer, secret))
412: {
413: DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
414: destroy(this);
415: return NULL;
416: }
417: this->secret = secret;
418: /* we use a random identifier, helps if we restart often */
419: this->identifier = random();
420:
421: return &this->public;
422: }