[thirdparty/strongswan.git] / src / libradius / radius_socket.c

/*
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "radius_socket.h"

#include <errno.h>
#include <unistd.h>

#include <debug.h>

/**
 * Vendor-Id of Microsoft specific attributes
 */
#define VENDOR_ID_MICROSOFT 311

/**
 * Microsoft specific vendor attributes
 */
#define MS_MPPE_SEND_KEY 16
#define MS_MPPE_RECV_KEY 17

typedef struct private_radius_socket_t private_radius_socket_t;

/**
 * Private data of an radius_socket_t object.
 */
struct private_radius_socket_t {

	/**
	 * Public radius_socket_t interface.
	 */
	radius_socket_t public;

	/**
	 * Server port for authentication
	 */
	u_int16_t auth_port;

	/**
	 * socket file descriptor for authentication
	 */
	int auth_fd;

	/**
	 * Server port for accounting
	 */
	u_int16_t acct_port;

	/**
	 * socket file descriptor for accounting
	 */
	int acct_fd;

	/**
	 * Server address
	 */
	char *address;

	/**
	 * current RADIUS identifier
	 */
	u_int8_t identifier;

	/**
	 * hasher to use for response verification
	 */
	hasher_t *hasher;

	/**
	 * HMAC-MD5 signer to build Message-Authenticator attribute
	 */
	signer_t *signer;

	/**
	 * random number generator for RADIUS request authenticator
	 */
	rng_t *rng;

	/**
	 * RADIUS secret
	 */
	chunk_t secret;
};

/**
 * Check or establish RADIUS connection
 */
static bool check_connection(private_radius_socket_t *this,
							 int *fd, u_int16_t port)
{
	if (*fd == -1)
	{
		host_t *server;

		server = host_create_from_dns(this->address, AF_UNSPEC, port);
		if (!server)
		{
			DBG1(DBG_CFG, "resolving RADIUS server address '%s' failed",
				 this->address);
			return FALSE;
		}
		*fd = socket(server->get_family(server), SOCK_DGRAM, IPPROTO_UDP);
		if (*fd == -1)
		{
			DBG1(DBG_CFG, "opening RADIUS socket for %#H failed: %s",
				 server, strerror(errno));
			server->destroy(server);
			return FALSE;
		}
		if (connect(*fd, server->get_sockaddr(server),
					*server->get_sockaddr_len(server)) < 0)
		{
			DBG1(DBG_CFG, "connecting RADIUS socket to %#H failed: %s",
				 server, strerror(errno));
			server->destroy(server);
			close(*fd);
			*fd = -1;
			return FALSE;
		}
		server->destroy(server);
	}
	return TRUE;
}

METHOD(radius_socket_t, request, radius_message_t*,
	private_radius_socket_t *this, radius_message_t *request)
{
	chunk_t data;
	int i, *fd;
	u_int16_t port;
	rng_t *rng = NULL;

	if (request->get_code(request) == RMC_ACCOUNTING_REQUEST)
	{
		fd = &this->acct_fd;
		port = this->acct_port;
	}
	else
	{
		fd = &this->auth_fd;
		port = this->auth_port;
		rng = this->rng;
	}

	/* set Message Identifier */
	request->set_identifier(request, this->identifier++);
	/* sign the request */
	request->sign(request, NULL, this->secret, this->hasher, this->signer, rng);

	if (!check_connection(this, fd, port))
	{
		return NULL;
	}

	data = request->get_encoding(request);
	/* timeout after 2, 3, 4, 5 seconds */
	for (i = 2; i <= 5; i++)
	{
		radius_message_t *response;
		bool retransmit = FALSE;
		struct timeval tv;
		char buf[4096];
		fd_set fds;
		int res;

		if (send(*fd, data.ptr, data.len, 0) != data.len)
		{
			DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
			return NULL;
		}
		tv.tv_sec = i;
		tv.tv_usec = 0;

		while (TRUE)
		{
			FD_ZERO(&fds);
			FD_SET(*fd, &fds);
			res = select((*fd) + 1, &fds, NULL, NULL, &tv);
			/* TODO: updated tv to time not waited. Linux does this for us. */
			if (res < 0)
			{	/* failed */
				DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
					 strerror(errno));
				break;
			}
			if (res == 0)
			{	/* timeout */
				DBG1(DBG_CFG, "retransmitting RADIUS message");
				retransmit = TRUE;
				break;
			}
			res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
			if (res <= 0)
			{
				DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
					 strerror(errno));
				break;
			}
			response = radius_message_parse(chunk_create(buf, res));
			if (response)
			{
				if (response->verify(response,
							request->get_authenticator(request), this->secret,
							this->hasher, this->signer))
				{
					return response;
				}
				response->destroy(response);
			}
			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
		}
		if (!retransmit)
		{
			break;
		}
	}
	DBG1(DBG_CFG, "RADIUS server is not responding");
	return NULL;
}

/**
 * Decrypt a MS-MPPE-Send/Recv-Key
 */
static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
								chunk_t C, radius_message_t *request)
{
	chunk_t A, R, P, seed;
	u_char *c, *p;

	/**
	 * From RFC2548 (encryption):
	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
	 *      . . .
	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
	 */

	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
	{
		return chunk_empty;
	}

	A = chunk_create((u_char*)&salt, sizeof(salt));
	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
	P = chunk_alloca(C.len);
	p = P.ptr;
	c = C.ptr;

	seed = chunk_cata("cc", R, A);

	while (c < C.ptr + C.len)
	{
		/* b(i) = MD5(S + c(i-1)) */
		this->hasher->get_hash(this->hasher, this->secret, NULL);
		this->hasher->get_hash(this->hasher, seed, p);

		/* p(i) = b(i) xor c(1) */
		memxor(p, c, HASH_SIZE_MD5);

		/* prepare next round */
		seed = chunk_create(c, HASH_SIZE_MD5);
		c += HASH_SIZE_MD5;
		p += HASH_SIZE_MD5;
	}

	/* remove truncation, first byte is key length */
	if (*P.ptr >= P.len)
	{	/* decryption failed? */
		return chunk_empty;
	}
	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
}

METHOD(radius_socket_t, decrypt_msk, chunk_t,
	private_radius_socket_t *this, radius_message_t *request,
	radius_message_t *response)
{
	struct {
		u_int32_t id;
		u_int8_t type;
		u_int8_t length;
		u_int16_t salt;
		u_int8_t key[];
	} __attribute__((packed)) *mppe_key;
	enumerator_t *enumerator;
	chunk_t data, send = chunk_empty, recv = chunk_empty;
	int type;

	enumerator = response->create_enumerator(response);
	while (enumerator->enumerate(enumerator, &type, &data))
	{
		if (type == RAT_VENDOR_SPECIFIC &&
			data.len > sizeof(*mppe_key))
		{
			mppe_key = (void*)data.ptr;
			if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
				mppe_key->length == data.len - sizeof(mppe_key->id))
			{
				data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
				if (mppe_key->type == MS_MPPE_SEND_KEY)
				{
					send = decrypt_mppe_key(this, mppe_key->salt, data, request);
				}
				if (mppe_key->type == MS_MPPE_RECV_KEY)
				{
					recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
				}
			}
		}
	}
	enumerator->destroy(enumerator);
	if (send.ptr && recv.ptr)
	{
		return chunk_cat("mm", recv, send);
	}
	chunk_clear(&send);
	chunk_clear(&recv);
	return chunk_empty;
}

METHOD(radius_socket_t, destroy, void,
	private_radius_socket_t *this)
{
	DESTROY_IF(this->hasher);
	DESTROY_IF(this->signer);
	DESTROY_IF(this->rng);
	if (this->auth_fd != -1)
	{
		close(this->auth_fd);
	};
	if (this->acct_fd != -1)
	{
		close(this->acct_fd);
	}
	free(this);
}

/**
 * See header
 */
radius_socket_t *radius_socket_create(char *address, u_int16_t auth_port,
									  u_int16_t acct_port, chunk_t secret)
{
	private_radius_socket_t *this;

	INIT(this,
		.public = {
			.request = _request,
			.decrypt_msk = _decrypt_msk,
			.destroy = _destroy,
		},
		.address = address,
		.auth_port = auth_port,
		.auth_fd = -1,
		.acct_port = acct_port,
		.acct_fd = -1,
	);

	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
	if (!this->hasher || !this->signer || !this->rng)
	{
		DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
		destroy(this);
		return NULL;
	}
	this->secret = secret;
	this->signer->set_key(this->signer, secret);
	/* we use a random identifier, helps if we restart often */
	this->identifier = random();

	return &this->public;
}
Commit	Line	Data
ce7967c5 MW	1	/*
	2	* Copyright (C) 2010 Martin Willi
	3	* Copyright (C) 2010 revosec AG
	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
	14	*/
	15
	16	#include "radius_socket.h"
	17
	18	#include <errno.h>
	19	#include <unistd.h>
	20
	21	#include <debug.h>
	22
	23	/**
	24	* Vendor-Id of Microsoft specific attributes
	25	*/
	26	#define VENDOR_ID_MICROSOFT 311
	27
	28	/**
	29	* Microsoft specific vendor attributes
	30	*/
	31	#define MS_MPPE_SEND_KEY 16
	32	#define MS_MPPE_RECV_KEY 17
	33
	34	typedef struct private_radius_socket_t private_radius_socket_t;
	35
	36	/**
	37	* Private data of an radius_socket_t object.
	38	*/
	39	struct private_radius_socket_t {
	40
	41	/**
	42	* Public radius_socket_t interface.
	43	*/
	44	radius_socket_t public;
	45
	46	/**
8e5b4aa0	47	* Server port for authentication
ce7967c5	48	*/
8e5b4aa0	49	u_int16_t auth_port;
ce7967c5	50
f9a552f0	51	/**
8e5b4aa0	52	* socket file descriptor for authentication
f9a552f0	53	*/
8e5b4aa0	54	int auth_fd;
f9a552f0 MW	55
f9a552f0 MW	56	/**
8e5b4aa0	57	* Server port for accounting
f9a552f0	58	*/
8e5b4aa0 MW	59	u_int16_t acct_port;
	60
	61	/**
	62	* socket file descriptor for accounting
	63	*/
	64	int acct_fd;
	65
	66	/**
	67	* Server address
	68	*/
	69	char *address;
f9a552f0	70
ce7967c5 MW	71	/**
	72	* current RADIUS identifier
	73	*/
	74	u_int8_t identifier;
	75
	76	/**
	77	* hasher to use for response verification
	78	*/
	79	hasher_t *hasher;
	80
	81	/**
	82	* HMAC-MD5 signer to build Message-Authenticator attribute
	83	*/
	84	signer_t *signer;
	85
	86	/**
	87	* random number generator for RADIUS request authenticator
	88	*/
	89	rng_t *rng;
	90
	91	/**
	92	* RADIUS secret
	93	*/
	94	chunk_t secret;
	95	};
	96
f9a552f0 MW	97	/**
	98	* Check or establish RADIUS connection
	99	*/
8e5b4aa0 MW	100	static bool check_connection(private_radius_socket_t *this,
8e5b4aa0 MW	101	int *fd, u_int16_t port)
f9a552f0	102	{
8e5b4aa0	103	if (*fd == -1)
f9a552f0 MW	104	{
	105	host_t *server;
	106
8e5b4aa0	107	server = host_create_from_dns(this->address, AF_UNSPEC, port);
f9a552f0 MW	108	if (!server)
	109	{
	110	DBG1(DBG_CFG, "resolving RADIUS server address '%s' failed",
	111	this->address);
	112	return FALSE;
	113	}
8e5b4aa0 MW	114	*fd = socket(server->get_family(server), SOCK_DGRAM, IPPROTO_UDP);
8e5b4aa0 MW	115	if (*fd == -1)
f9a552f0 MW	116	{
	117	DBG1(DBG_CFG, "opening RADIUS socket for %#H failed: %s",
	118	server, strerror(errno));
	119	server->destroy(server);
	120	return FALSE;
	121	}
8e5b4aa0	122	if (connect(*fd, server->get_sockaddr(server),
f9a552f0 MW	123	*server->get_sockaddr_len(server)) < 0)
	124	{
	125	DBG1(DBG_CFG, "connecting RADIUS socket to %#H failed: %s",
	126	server, strerror(errno));
	127	server->destroy(server);
8e5b4aa0 MW	128	close(*fd);
8e5b4aa0 MW	129	*fd = -1;
f9a552f0 MW	130	return FALSE;
	131	}
	132	server->destroy(server);
	133	}
	134	return TRUE;
	135	}
	136
ce7967c5 MW	137	METHOD(radius_socket_t, request, radius_message_t*,
	138	private_radius_socket_t this, radius_message_t request)
	139	{
	140	chunk_t data;
8e5b4aa0 MW	141	int i, *fd;
8e5b4aa0 MW	142	u_int16_t port;
392618d4	143	rng_t *rng = NULL;
ce7967c5	144
8e5b4aa0 MW	145	if (request->get_code(request) == RMC_ACCOUNTING_REQUEST)
	146	{
	147	fd = &this->acct_fd;
	148	port = this->acct_port;
	149	}
	150	else
	151	{
	152	fd = &this->auth_fd;
	153	port = this->auth_port;
392618d4	154	rng = this->rng;
8e5b4aa0	155	}
392618d4 MW	156
	157	/* set Message Identifier */
	158	request->set_identifier(request, this->identifier++);
	159	/* sign the request */
	160	request->sign(request, NULL, this->secret, this->hasher, this->signer, rng);
	161
8e5b4aa0	162	if (!check_connection(this, fd, port))
f9a552f0 MW	163	{
	164	return NULL;
	165	}
	166
ce7967c5 MW	167	data = request->get_encoding(request);
	168	/* timeout after 2, 3, 4, 5 seconds */
	169	for (i = 2; i <= 5; i++)
	170	{
	171	radius_message_t *response;
	172	bool retransmit = FALSE;
	173	struct timeval tv;
	174	char buf[4096];
	175	fd_set fds;
	176	int res;
	177
8e5b4aa0	178	if (send(*fd, data.ptr, data.len, 0) != data.len)
ce7967c5 MW	179	{
	180	DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
	181	return NULL;
	182	}
	183	tv.tv_sec = i;
	184	tv.tv_usec = 0;
	185
	186	while (TRUE)
	187	{
	188	FD_ZERO(&fds);
8e5b4aa0 MW	189	FD_SET(*fd, &fds);
8e5b4aa0 MW	190	res = select((*fd) + 1, &fds, NULL, NULL, &tv);
ce7967c5 MW	191	/* TODO: updated tv to time not waited. Linux does this for us. */
	192	if (res < 0)
	193	{ /* failed */
	194	DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
	195	strerror(errno));
	196	break;
	197	}
	198	if (res == 0)
	199	{ /* timeout */
	200	DBG1(DBG_CFG, "retransmitting RADIUS message");
	201	retransmit = TRUE;
	202	break;
	203	}
8e5b4aa0	204	res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
ce7967c5 MW	205	if (res <= 0)
	206	{
	207	DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
	208	strerror(errno));
	209	break;
	210	}
3bc18292	211	response = radius_message_parse(chunk_create(buf, res));
ce7967c5 MW	212	if (response)
	213	{
	214	if (response->verify(response,
	215	request->get_authenticator(request), this->secret,
	216	this->hasher, this->signer))
	217	{
	218	return response;
	219	}
	220	response->destroy(response);
	221	}
	222	DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
	223	}
	224	if (!retransmit)
	225	{
	226	break;
	227	}
	228	}
	229	DBG1(DBG_CFG, "RADIUS server is not responding");
	230	return NULL;
	231	}
	232
	233	/**
	234	* Decrypt a MS-MPPE-Send/Recv-Key
	235	*/
	236	static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
	237	chunk_t C, radius_message_t *request)
	238	{
	239	chunk_t A, R, P, seed;
	240	u_char c, p;
	241
	242	/**
	243	* From RFC2548 (encryption):
	244	* b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
	245	* b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2)
	246	* . . .
	247	* b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)
	248	*/
	249
	250	if (C.len % HASH_SIZE_MD5 \|\| C.len < HASH_SIZE_MD5)
	251	{
	252	return chunk_empty;
	253	}
	254
	255	A = chunk_create((u_char*)&salt, sizeof(salt));
	256	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
	257	P = chunk_alloca(C.len);
	258	p = P.ptr;
	259	c = C.ptr;
	260
	261	seed = chunk_cata("cc", R, A);
	262
	263	while (c < C.ptr + C.len)
	264	{
	265	/* b(i) = MD5(S + c(i-1)) */
	266	this->hasher->get_hash(this->hasher, this->secret, NULL);
	267	this->hasher->get_hash(this->hasher, seed, p);
	268
	269	/* p(i) = b(i) xor c(1) */
	270	memxor(p, c, HASH_SIZE_MD5);
	271
	272	/* prepare next round */
	273	seed = chunk_create(c, HASH_SIZE_MD5);
	274	c += HASH_SIZE_MD5;
	275	p += HASH_SIZE_MD5;
276	}
277
278	/* remove truncation, first byte is key length */
279	if (*P.ptr >= P.len)
280	{ /* decryption failed? */
281	return chunk_empty;
282	}
283	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
284	}
285
286	METHOD(radius_socket_t, decrypt_msk, chunk_t,
287	private_radius_socket_t this, radius_message_t request,
288	radius_message_t *response)
289	{
290	struct {
291	u_int32_t id;
292	u_int8_t type;
293	u_int8_t length;
294	u_int16_t salt;
295	u_int8_t key[];
296	} __attribute__((packed)) *mppe_key;
297	enumerator_t *enumerator;
298	chunk_t data, send = chunk_empty, recv = chunk_empty;
299	int type;
300
301	enumerator = response->create_enumerator(response);
302	while (enumerator->enumerate(enumerator, &type, &data))
303	{
304	if (type == RAT_VENDOR_SPECIFIC &&
305	data.len > sizeof(*mppe_key))
306	{
307	mppe_key = (void*)data.ptr;
308	if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT &&
309	mppe_key->length == data.len - sizeof(mppe_key->id))
310	{
311	data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key));
312	if (mppe_key->type == MS_MPPE_SEND_KEY)
313	{
314	send = decrypt_mppe_key(this, mppe_key->salt, data, request);
315	}
316	if (mppe_key->type == MS_MPPE_RECV_KEY)
317	{
318	recv = decrypt_mppe_key(this, mppe_key->salt, data, request);
319	}
320	}
321	}
322	}
323	enumerator->destroy(enumerator);
324	if (send.ptr && recv.ptr)
325	{
326	return chunk_cat("mm", recv, send);
327	}
328	chunk_clear(&send);
329	chunk_clear(&recv);
330	return chunk_empty;
331	}
332
333	METHOD(radius_socket_t, destroy, void,
334	private_radius_socket_t *this)
335	{
336	DESTROY_IF(this->hasher);
337	DESTROY_IF(this->signer);
338	DESTROY_IF(this->rng);
8e5b4aa0 MW	339	if (this->auth_fd != -1)
	340	{
	341	close(this->auth_fd);
	342	};
	343	if (this->acct_fd != -1)
f9a552f0	344	{
8e5b4aa0	345	close(this->acct_fd);
f9a552f0	346	}
ce7967c5 MW	347	free(this);
	348	}
	349
	350	/**
	351	* See header
	352	*/
8e5b4aa0 MW	353	radius_socket_t radius_socket_create(char address, u_int16_t auth_port,
8e5b4aa0 MW	354	u_int16_t acct_port, chunk_t secret)
ce7967c5 MW	355	{
	356	private_radius_socket_t *this;
	357
	358	INIT(this,
	359	.public = {
	360	.request = _request,
	361	.decrypt_msk = _decrypt_msk,
	362	.destroy = _destroy,
	363	},
f9a552f0	364	.address = address,
8e5b4aa0 MW	365	.auth_port = auth_port,
	366	.auth_fd = -1,
	367	.acct_port = acct_port,
	368	.acct_fd = -1,
ce7967c5 MW	369	);
ce7967c5 MW	370
ce7967c5 MW	371	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
	372	this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128);
	373	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
	374	if (!this->hasher \|\| !this->signer \|\| !this->rng)
	375	{
	376	DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
	377	destroy(this);
	378	return NULL;
	379	}
5b0bcfb1	380	this->secret = secret;
ce7967c5 MW	381	this->signer->set_key(this->signer, secret);
	382	/* we use a random identifier, helps if we restart often */
	383	this->identifier = random();
	384
	385	return &this->public;
	386	}