]>
Commit | Line | Data |
---|---|---|
4a6b84a9 MW |
1 | /* |
2 | * Copyright (C) 2009 Martin Willi | |
3 | * Hochschule fuer Technik Rapperswil | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
4a6b84a9 MW |
14 | */ |
15 | ||
16 | /** | |
f0f94e2c MW |
17 | * @defgroup libradius libradius |
18 | * | |
19 | * @addtogroup libradius | |
20 | * RADIUS protocol support library. | |
21 | * | |
4a6b84a9 | 22 | * @defgroup radius_message radius_message |
f0f94e2c | 23 | * @{ @ingroup libradius |
4a6b84a9 MW |
24 | */ |
25 | ||
26 | #ifndef RADIUS_MESSAGE_H_ | |
27 | #define RADIUS_MESSAGE_H_ | |
28 | ||
29 | #include <library.h> | |
54b3cbdc | 30 | #include <pen/pen.h> |
4a6b84a9 | 31 | |
4853efe8 AS |
32 | #define MAX_RADIUS_ATTRIBUTE_SIZE 253 |
33 | ||
d90ade8f AS |
34 | #define RADIUS_TUNNEL_TYPE_ESP 9 |
35 | ||
4a6b84a9 MW |
36 | typedef struct radius_message_t radius_message_t; |
37 | typedef enum radius_message_code_t radius_message_code_t; | |
38 | typedef enum radius_attribute_type_t radius_attribute_type_t; | |
39 | ||
40 | /** | |
41 | * RADIUS Message Codes. | |
42 | */ | |
43 | enum radius_message_code_t { | |
44 | RMC_ACCESS_REQUEST = 1, | |
45 | RMC_ACCESS_ACCEPT = 2, | |
46 | RMC_ACCESS_REJECT = 3, | |
47 | RMC_ACCOUNTING_REQUEST = 4, | |
48 | RMC_ACCOUNTING_RESPONSE = 5, | |
49 | RMC_ACCESS_CHALLENGE = 11, | |
3a42c089 MW |
50 | RMC_DISCONNECT_REQUEST = 40, |
51 | RMC_DISCONNECT_ACK = 41, | |
52 | RMC_DISCONNECT_NAK = 42, | |
53 | RMC_COA_REQUEST = 43, | |
54 | RMC_COA_ACK = 44, | |
55 | RMC_COA_NAK = 45, | |
4a6b84a9 MW |
56 | }; |
57 | ||
58 | /** | |
59 | * Enum names for radius_attribute_type_t. | |
60 | */ | |
61 | extern enum_name_t *radius_message_code_names; | |
62 | ||
63 | /** | |
64 | * RADIUS Attribute Types. | |
65 | */ | |
66 | enum radius_attribute_type_t { | |
67 | RAT_USER_NAME = 1, | |
68 | RAT_USER_PASSWORD = 2, | |
69 | RAT_CHAP_PASSWORD = 3, | |
70 | RAT_NAS_IP_ADDRESS = 4, | |
71 | RAT_NAS_PORT = 5, | |
72 | RAT_SERVICE_TYPE = 6, | |
73 | RAT_FRAMED_PROTOCOL = 7, | |
74 | RAT_FRAMED_IP_ADDRESS = 8, | |
75 | RAT_FRAMED_IP_NETMASK = 9, | |
76 | RAT_FRAMED_ROUTING = 10, | |
77 | RAT_FILTER_ID = 11, | |
78 | RAT_FRAMED_MTU = 12, | |
79 | RAT_FRAMED_COMPRESSION = 13, | |
80 | RAT_LOGIN_IP_HOST = 14, | |
81 | RAT_LOGIN_SERVICE = 15, | |
82 | RAT_LOGIN_TCP_PORT = 16, | |
83 | RAT_REPLY_MESSAGE = 18, | |
84 | RAT_CALLBACK_NUMBER = 19, | |
85 | RAT_CALLBACK_ID = 20, | |
86 | RAT_FRAMED_ROUTE = 22, | |
87 | RAT_FRAMED_IPX_NETWORK = 23, | |
88 | RAT_STATE = 24, | |
89 | RAT_CLASS = 25, | |
90 | RAT_VENDOR_SPECIFIC = 26, | |
91 | RAT_SESSION_TIMEOUT = 27, | |
92 | RAT_IDLE_TIMEOUT = 28, | |
93 | RAT_TERMINATION_ACTION = 29, | |
94 | RAT_CALLED_STATION_ID = 30, | |
95 | RAT_CALLING_STATION_ID = 31, | |
96 | RAT_NAS_IDENTIFIER = 32, | |
97 | RAT_PROXY_STATE = 33, | |
98 | RAT_LOGIN_LAT_SERVICE = 34, | |
99 | RAT_LOGIN_LAT_NODE = 35, | |
100 | RAT_LOGIN_LAT_GROUP = 36, | |
101 | RAT_FRAMED_APPLETALK_LINK = 37, | |
102 | RAT_FRAMED_APPLETALK_NETWORK = 38, | |
103 | RAT_FRAMED_APPLETALK_ZONE = 39, | |
104 | RAT_ACCT_STATUS_TYPE = 40, | |
105 | RAT_ACCT_DELAY_TIME = 41, | |
106 | RAT_ACCT_INPUT_OCTETS = 42, | |
107 | RAT_ACCT_OUTPUT_OCTETS = 43, | |
108 | RAT_ACCT_SESSION_ID = 44, | |
109 | RAT_ACCT_AUTHENTIC = 45, | |
110 | RAT_ACCT_SESSION_TIME = 46, | |
111 | RAT_ACCT_INPUT_PACKETS = 47, | |
112 | RAT_ACCT_OUTPUT_PACKETS = 48, | |
113 | RAT_ACCT_TERMINATE_CAUSE = 49, | |
114 | RAT_ACCT_MULTI_SESSION_ID = 50, | |
115 | RAT_ACCT_LINK_COUNT = 51, | |
116 | RAT_ACCT_INPUT_GIGAWORDS = 52, | |
117 | RAT_ACCT_OUTPUT_GIGAWORDS = 53, | |
118 | RAT_EVENT_TIMESTAMP = 55, | |
119 | RAT_EGRESS_VLANID = 56, | |
120 | RAT_INGRESS_FILTERS = 57, | |
121 | RAT_EGRESS_VLAN_NAME = 58, | |
122 | RAT_USER_PRIORITY_TABLE = 59, | |
123 | RAT_CHAP_CHALLENGE = 60, | |
124 | RAT_NAS_PORT_TYPE = 61, | |
125 | RAT_PORT_LIMIT = 62, | |
126 | RAT_LOGIN_LAT_PORT = 63, | |
127 | RAT_TUNNEL_TYPE = 64, | |
128 | RAT_TUNNEL_MEDIUM_TYPE = 65, | |
129 | RAT_TUNNEL_CLIENT_ENDPOINT = 66, | |
130 | RAT_TUNNEL_SERVER_ENDPOINT = 67, | |
131 | RAT_ACCT_TUNNEL_CONNECTION = 68, | |
132 | RAT_TUNNEL_PASSWORD = 69, | |
133 | RAT_ARAP_PASSWORD = 70, | |
134 | RAT_ARAP_FEATURES = 71, | |
135 | RAT_ARAP_ZONE_ACCESS = 72, | |
136 | RAT_ARAP_SECURITY = 73, | |
137 | RAT_ARAP_SECURITY_DATA = 74, | |
138 | RAT_PASSWORD_RETRY = 75, | |
139 | RAT_PROMPT = 76, | |
140 | RAT_CONNECT_INFO = 77, | |
141 | RAT_CONFIGURATION_TOKEN = 78, | |
142 | RAT_EAP_MESSAGE = 79, | |
143 | RAT_MESSAGE_AUTHENTICATOR = 80, | |
144 | RAT_TUNNEL_PRIVATE_GROUP_ID = 81, | |
145 | RAT_TUNNEL_ASSIGNMENT_ID = 82, | |
146 | RAT_TUNNEL_PREFERENCE = 83, | |
147 | RAT_ARAP_CHALLENGE_RESPONSE = 84, | |
148 | RAT_ACCT_INTERIM_INTERVAL = 85, | |
149 | RAT_ACCT_TUNNEL_PACKETS_LOST = 86, | |
150 | RAT_NAS_PORT_ID = 87, | |
151 | RAT_FRAMED_POOL = 88, | |
152 | RAT_CUI = 89, | |
153 | RAT_TUNNEL_CLIENT_AUTH_ID = 90, | |
154 | RAT_TUNNEL_SERVER_AUTH_ID = 91, | |
155 | RAT_NAS_FILTER_RULE = 92, | |
156 | RAT_UNASSIGNED = 93, | |
157 | RAT_ORIGINATING_LINE_INFO = 94, | |
158 | RAT_NAS_IPV6_ADDRESS = 95, | |
159 | RAT_FRAMED_INTERFACE_ID = 96, | |
160 | RAT_FRAMED_IPV6_PREFIX = 97, | |
161 | RAT_LOGIN_IPV6_HOST = 98, | |
162 | RAT_FRAMED_IPV6_ROUTE = 99, | |
163 | RAT_FRAMED_IPV6_POOL = 100, | |
164 | RAT_ERROR_CAUSE = 101, | |
165 | RAT_EAP_KEY_NAME = 102, | |
166 | RAT_DIGEST_RESPONSE = 103, | |
167 | RAT_DIGEST_REALM = 104, | |
168 | RAT_DIGEST_NONCE = 105, | |
169 | RAT_DIGEST_RESPONSE_AUTH = 106, | |
170 | RAT_DIGEST_NEXTNONCE = 107, | |
171 | RAT_DIGEST_METHOD = 108, | |
172 | RAT_DIGEST_URI = 109, | |
173 | RAT_DIGEST_QOP = 110, | |
174 | RAT_DIGEST_ALGORITHM = 111, | |
175 | RAT_DIGEST_ENTITY_BODY_HASH = 112, | |
176 | RAT_DIGEST_CNONCE = 113, | |
177 | RAT_DIGEST_NONCE_COUNT = 114, | |
178 | RAT_DIGEST_USERNAME = 115, | |
179 | RAT_DIGEST_OPAQUE = 116, | |
180 | RAT_DIGEST_AUTH_PARAM = 117, | |
181 | RAT_DIGEST_AKA_AUTS = 118, | |
182 | RAT_DIGEST_DOMAIN = 119, | |
183 | RAT_DIGEST_STALE = 120, | |
184 | RAT_DIGEST_HA1 = 121, | |
185 | RAT_SIP_AOR = 122, | |
186 | RAT_DELEGATED_IPV6_PREFIX = 123, | |
187 | RAT_MIP6_FEATURE_VECTOR = 124, | |
188 | RAT_MIP6_HOME_LINK_PREFIX = 125, | |
ec490e68 TB |
189 | RAT_FRAMED_IPV6_ADDRESS = 168, |
190 | RAT_FRAMED_IPV6_DNS_SERVER = 169, | |
191 | RAT_ROUTE_IPV6_INFORMATION = 170, | |
192 | RAT_DELEGATED_IPV6_PREFIX_POOL = 171, | |
193 | RAT_STATEFUL_IPV6_ADDRESS_POOL = 172, | |
4a6b84a9 MW |
194 | }; |
195 | ||
196 | /** | |
197 | * Enum names for radius_attribute_type_t. | |
198 | */ | |
199 | extern enum_name_t *radius_attribute_type_names; | |
200 | ||
201 | /** | |
202 | * A RADIUS message, contains attributes. | |
203 | */ | |
204 | struct radius_message_t { | |
7daf5226 | 205 | |
4a6b84a9 MW |
206 | /** |
207 | * Create an enumerator over contained RADIUS attributes. | |
208 | * | |
209 | * @return enumerator over (int type, chunk_t data) | |
210 | */ | |
211 | enumerator_t* (*create_enumerator)(radius_message_t *this); | |
7daf5226 | 212 | |
54b3cbdc MW |
213 | /** |
214 | * Create an enumerator over contained RADIUS Vendor-ID attributes. | |
215 | * | |
216 | * This enumerator parses only vendor specific attributes in the format | |
217 | * recommended in RFC2865. | |
218 | * | |
219 | * @return enumerator over (int vendor, int type, chunk_t data) | |
220 | */ | |
221 | enumerator_t* (*create_vendor_enumerator)(radius_message_t *this); | |
222 | ||
4a6b84a9 MW |
223 | /** |
224 | * Add a RADIUS attribute to the message. | |
225 | * | |
226 | * @param type type of attribute to add | |
227 | * @param attribute data, gets cloned | |
228 | */ | |
229 | void (*add)(radius_message_t *this, radius_attribute_type_t type, | |
230 | chunk_t data); | |
7daf5226 | 231 | |
4a6b84a9 MW |
232 | /** |
233 | * Get the message type (code). | |
234 | * | |
235 | * @return message code | |
236 | */ | |
237 | radius_message_code_t (*get_code)(radius_message_t *this); | |
7daf5226 | 238 | |
4a6b84a9 MW |
239 | /** |
240 | * Get the message identifier. | |
241 | * | |
242 | * @return message identifier | |
243 | */ | |
b12c53ce | 244 | uint8_t (*get_identifier)(radius_message_t *this); |
7daf5226 | 245 | |
4a6b84a9 MW |
246 | /** |
247 | * Set the message identifier. | |
248 | * | |
249 | * @param identifier message identifier | |
250 | */ | |
b12c53ce | 251 | void (*set_identifier)(radius_message_t *this, uint8_t identifier); |
7daf5226 | 252 | |
4a6b84a9 MW |
253 | /** |
254 | * Get the 16 byte authenticator. | |
255 | * | |
256 | * @return pointer to the Authenticator field | |
257 | */ | |
b12c53ce | 258 | uint8_t* (*get_authenticator)(radius_message_t *this); |
7daf5226 | 259 | |
4a6b84a9 MW |
260 | /** |
261 | * Get the RADIUS message in its encoded form. | |
262 | * | |
263 | * @return chunk pointing to internal RADIUS message. | |
264 | */ | |
265 | chunk_t (*get_encoding)(radius_message_t *this); | |
7daf5226 | 266 | |
4a6b84a9 MW |
267 | /** |
268 | * Calculate and add the Message-Authenticator attribute to the message. | |
269 | * | |
392618d4 MW |
270 | * @param req_auth 16 byte Authenticator of request, or NULL |
271 | * @param secret shared RADIUS secret | |
4a6b84a9 | 272 | * @param signer HMAC-MD5 signer with secret set |
a69aff5f | 273 | * @param hasher MD5 hasher |
b3ec6521 AS |
274 | * @param rng RNG to create Request-Authenticator, NULL to omit |
275 | * @param msg_auth calculate and add Message-Authenticator | |
5fb719e0 | 276 | * @return TRUE if signed successfully |
4a6b84a9 | 277 | */ |
b12c53ce | 278 | bool (*sign)(radius_message_t *this, uint8_t *req_auth, chunk_t secret, |
b3ec6521 | 279 | hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth); |
7daf5226 | 280 | |
4a6b84a9 | 281 | /** |
e8a81797 | 282 | * Verify the integrity of a received RADIUS message. |
4a6b84a9 | 283 | * |
e8a81797 | 284 | * @param req_auth 16 byte Authenticator of request, or NULL |
4a6b84a9 | 285 | * @param secret shared RADIUS secret |
392618d4 MW |
286 | * @param signer HMAC-MD5 signer with secret set |
287 | * @param hasher MD5 hasher | |
4a6b84a9 | 288 | */ |
b12c53ce | 289 | bool (*verify)(radius_message_t *this, uint8_t *req_auth, chunk_t secret, |
4a6b84a9 | 290 | hasher_t *hasher, signer_t *signer); |
7daf5226 | 291 | |
15483a62 MW |
292 | /** |
293 | * Perform RADIUS attribute en-/decryption. | |
294 | * | |
295 | * Performs en-/decryption by XOring the hash-extended secret into data, | |
296 | * as specified in RFC 2865 5.2 and used by RFC 2548. | |
297 | * | |
298 | * @param salt salt to append to message authenticator, if any | |
299 | * @param in data to en-/decrypt, multiple of HASH_SIZE_MD5 | |
300 | * @param out en-/decrypted data, length equal to in | |
301 | * @param secret RADIUS secret | |
302 | * @param hasher MD5 hasher | |
303 | * @return TRUE if en-/decryption successful | |
304 | */ | |
305 | bool (*crypt)(radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out, | |
306 | chunk_t secret, hasher_t *hasher); | |
307 | ||
4a6b84a9 MW |
308 | /** |
309 | * Destroy the message. | |
310 | */ | |
311 | void (*destroy)(radius_message_t *this); | |
312 | }; | |
313 | ||
314 | /** | |
3bc18292 | 315 | * Create an empty RADIUS message. |
4a6b84a9 | 316 | * |
b96eb46d | 317 | * @param code request type |
4a6b84a9 MW |
318 | * @return radius_message_t object |
319 | */ | |
3bc18292 | 320 | radius_message_t *radius_message_create(radius_message_code_t code); |
4a6b84a9 MW |
321 | |
322 | /** | |
2db6d5b8 | 323 | * Parse and verify a received RADIUS message. |
4a6b84a9 MW |
324 | * |
325 | * @param data received message data | |
326 | * @return radius_message_t object, NULL if length invalid | |
327 | */ | |
3bc18292 | 328 | radius_message_t *radius_message_parse(chunk_t data); |
4a6b84a9 | 329 | |
11adf114 TB |
330 | /** |
331 | * @} | |
332 | * @addtogroup libradius | |
333 | * @{ | |
334 | * | |
335 | * Dummy libradius initialization function needed for integrity test | |
336 | */ | |
337 | void libradius_init(void); | |
338 | ||
1490ff4d | 339 | #endif /** RADIUS_MESSAGE_H_ @}*/ |