]>
Commit | Line | Data |
---|---|---|
6fc6879b | 1 | /* |
d04a96b0 | 2 | * RADIUS message processing |
1166b20c | 3 | * Copyright (c) 2002-2009, 2011-2015, Jouni Malinen <j@w1.fi> |
6fc6879b | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
d04a96b0 | 9 | #include "utils/includes.h" |
6fc6879b | 10 | |
d04a96b0 | 11 | #include "utils/common.h" |
aa235d2e | 12 | #include "utils/wpabuf.h" |
03da66bd JM |
13 | #include "crypto/md5.h" |
14 | #include "crypto/crypto.h" | |
d04a96b0 JM |
15 | #include "radius.h" |
16 | ||
17 | ||
1489e11a JM |
18 | /** |
19 | * struct radius_msg - RADIUS message structure for new and parsed messages | |
20 | */ | |
21 | struct radius_msg { | |
22 | /** | |
23 | * buf - Allocated buffer for RADIUS message | |
24 | */ | |
25 | struct wpabuf *buf; | |
26 | ||
27 | /** | |
28 | * hdr - Pointer to the RADIUS header in buf | |
29 | */ | |
30 | struct radius_hdr *hdr; | |
31 | ||
32 | /** | |
33 | * attr_pos - Array of indexes to attributes | |
34 | * | |
35 | * The values are number of bytes from buf to the beginning of | |
36 | * struct radius_attr_hdr. | |
37 | */ | |
38 | size_t *attr_pos; | |
39 | ||
40 | /** | |
41 | * attr_size - Total size of the attribute pointer array | |
42 | */ | |
43 | size_t attr_size; | |
44 | ||
45 | /** | |
46 | * attr_used - Total number of attributes in the array | |
47 | */ | |
48 | size_t attr_used; | |
49 | }; | |
50 | ||
51 | ||
52 | struct radius_hdr * radius_msg_get_hdr(struct radius_msg *msg) | |
53 | { | |
54 | return msg->hdr; | |
55 | } | |
56 | ||
57 | ||
58 | struct wpabuf * radius_msg_get_buf(struct radius_msg *msg) | |
59 | { | |
60 | return msg->buf; | |
61 | } | |
62 | ||
63 | ||
6fc6879b JM |
64 | static struct radius_attr_hdr * |
65 | radius_get_attr_hdr(struct radius_msg *msg, int idx) | |
66 | { | |
aa235d2e JM |
67 | return (struct radius_attr_hdr *) |
68 | (wpabuf_mhead_u8(msg->buf) + msg->attr_pos[idx]); | |
6fc6879b JM |
69 | } |
70 | ||
71 | ||
d04a96b0 JM |
72 | static void radius_msg_set_hdr(struct radius_msg *msg, u8 code, u8 identifier) |
73 | { | |
74 | msg->hdr->code = code; | |
75 | msg->hdr->identifier = identifier; | |
76 | } | |
77 | ||
78 | ||
aa235d2e | 79 | static int radius_msg_initialize(struct radius_msg *msg) |
6fc6879b | 80 | { |
f9884c09 JM |
81 | msg->attr_pos = os_calloc(RADIUS_DEFAULT_ATTR_COUNT, |
82 | sizeof(*msg->attr_pos)); | |
aa235d2e | 83 | if (msg->attr_pos == NULL) |
6fc6879b | 84 | return -1; |
6fc6879b JM |
85 | |
86 | msg->attr_size = RADIUS_DEFAULT_ATTR_COUNT; | |
87 | msg->attr_used = 0; | |
88 | ||
89 | return 0; | |
90 | } | |
91 | ||
92 | ||
9e7245bd JM |
93 | /** |
94 | * radius_msg_new - Create a new RADIUS message | |
95 | * @code: Code for RADIUS header | |
96 | * @identifier: Identifier for RADIUS header | |
97 | * Returns: Context for RADIUS message or %NULL on failure | |
98 | * | |
99 | * The caller is responsible for freeing the returned data with | |
100 | * radius_msg_free(). | |
101 | */ | |
d94f86d8 JM |
102 | struct radius_msg * radius_msg_new(u8 code, u8 identifier) |
103 | { | |
104 | struct radius_msg *msg; | |
105 | ||
106 | msg = os_zalloc(sizeof(*msg)); | |
107 | if (msg == NULL) | |
108 | return NULL; | |
109 | ||
aa235d2e JM |
110 | msg->buf = wpabuf_alloc(RADIUS_DEFAULT_MSG_SIZE); |
111 | if (msg->buf == NULL || radius_msg_initialize(msg)) { | |
112 | radius_msg_free(msg); | |
d94f86d8 JM |
113 | return NULL; |
114 | } | |
aa235d2e | 115 | msg->hdr = wpabuf_put(msg->buf, sizeof(struct radius_hdr)); |
d94f86d8 JM |
116 | |
117 | radius_msg_set_hdr(msg, code, identifier); | |
118 | ||
119 | return msg; | |
120 | } | |
121 | ||
122 | ||
9e7245bd JM |
123 | /** |
124 | * radius_msg_free - Free a RADIUS message | |
125 | * @msg: RADIUS message from radius_msg_new() or radius_msg_parse() | |
126 | */ | |
6fc6879b JM |
127 | void radius_msg_free(struct radius_msg *msg) |
128 | { | |
9e7245bd JM |
129 | if (msg == NULL) |
130 | return; | |
6fc6879b | 131 | |
aa235d2e | 132 | wpabuf_free(msg->buf); |
6fc6879b | 133 | os_free(msg->attr_pos); |
9e7245bd | 134 | os_free(msg); |
6fc6879b JM |
135 | } |
136 | ||
137 | ||
138 | static const char *radius_code_string(u8 code) | |
139 | { | |
140 | switch (code) { | |
141 | case RADIUS_CODE_ACCESS_REQUEST: return "Access-Request"; | |
142 | case RADIUS_CODE_ACCESS_ACCEPT: return "Access-Accept"; | |
143 | case RADIUS_CODE_ACCESS_REJECT: return "Access-Reject"; | |
144 | case RADIUS_CODE_ACCOUNTING_REQUEST: return "Accounting-Request"; | |
145 | case RADIUS_CODE_ACCOUNTING_RESPONSE: return "Accounting-Response"; | |
146 | case RADIUS_CODE_ACCESS_CHALLENGE: return "Access-Challenge"; | |
147 | case RADIUS_CODE_STATUS_SERVER: return "Status-Server"; | |
148 | case RADIUS_CODE_STATUS_CLIENT: return "Status-Client"; | |
149 | case RADIUS_CODE_RESERVED: return "Reserved"; | |
b031338c JM |
150 | case RADIUS_CODE_DISCONNECT_REQUEST: return "Disconnect-Request"; |
151 | case RADIUS_CODE_DISCONNECT_ACK: return "Disconnect-ACK"; | |
152 | case RADIUS_CODE_DISCONNECT_NAK: return "Disconnect-NAK"; | |
153 | case RADIUS_CODE_COA_REQUEST: return "CoA-Request"; | |
154 | case RADIUS_CODE_COA_ACK: return "CoA-ACK"; | |
155 | case RADIUS_CODE_COA_NAK: return "CoA-NAK"; | |
6fc6879b JM |
156 | default: return "?Unknown?"; |
157 | } | |
158 | } | |
159 | ||
160 | ||
161 | struct radius_attr_type { | |
162 | u8 type; | |
163 | char *name; | |
164 | enum { | |
165 | RADIUS_ATTR_UNDIST, RADIUS_ATTR_TEXT, RADIUS_ATTR_IP, | |
166 | RADIUS_ATTR_HEXDUMP, RADIUS_ATTR_INT32, RADIUS_ATTR_IPV6 | |
167 | } data_type; | |
168 | }; | |
169 | ||
8b423edb | 170 | static const struct radius_attr_type radius_attrs[] = |
6fc6879b JM |
171 | { |
172 | { RADIUS_ATTR_USER_NAME, "User-Name", RADIUS_ATTR_TEXT }, | |
173 | { RADIUS_ATTR_USER_PASSWORD, "User-Password", RADIUS_ATTR_UNDIST }, | |
174 | { RADIUS_ATTR_NAS_IP_ADDRESS, "NAS-IP-Address", RADIUS_ATTR_IP }, | |
175 | { RADIUS_ATTR_NAS_PORT, "NAS-Port", RADIUS_ATTR_INT32 }, | |
8c676b50 | 176 | { RADIUS_ATTR_SERVICE_TYPE, "Service-Type", RADIUS_ATTR_INT32 }, |
1166b20c | 177 | { RADIUS_ATTR_FRAMED_IP_ADDRESS, "Framed-IP-Address", RADIUS_ATTR_IP }, |
6fc6879b JM |
178 | { RADIUS_ATTR_FRAMED_MTU, "Framed-MTU", RADIUS_ATTR_INT32 }, |
179 | { RADIUS_ATTR_REPLY_MESSAGE, "Reply-Message", RADIUS_ATTR_TEXT }, | |
180 | { RADIUS_ATTR_STATE, "State", RADIUS_ATTR_UNDIST }, | |
181 | { RADIUS_ATTR_CLASS, "Class", RADIUS_ATTR_UNDIST }, | |
182 | { RADIUS_ATTR_VENDOR_SPECIFIC, "Vendor-Specific", RADIUS_ATTR_UNDIST }, | |
183 | { RADIUS_ATTR_SESSION_TIMEOUT, "Session-Timeout", RADIUS_ATTR_INT32 }, | |
184 | { RADIUS_ATTR_IDLE_TIMEOUT, "Idle-Timeout", RADIUS_ATTR_INT32 }, | |
185 | { RADIUS_ATTR_TERMINATION_ACTION, "Termination-Action", | |
186 | RADIUS_ATTR_INT32 }, | |
187 | { RADIUS_ATTR_CALLED_STATION_ID, "Called-Station-Id", | |
188 | RADIUS_ATTR_TEXT }, | |
189 | { RADIUS_ATTR_CALLING_STATION_ID, "Calling-Station-Id", | |
190 | RADIUS_ATTR_TEXT }, | |
191 | { RADIUS_ATTR_NAS_IDENTIFIER, "NAS-Identifier", RADIUS_ATTR_TEXT }, | |
192 | { RADIUS_ATTR_PROXY_STATE, "Proxy-State", RADIUS_ATTR_UNDIST }, | |
193 | { RADIUS_ATTR_ACCT_STATUS_TYPE, "Acct-Status-Type", | |
194 | RADIUS_ATTR_INT32 }, | |
195 | { RADIUS_ATTR_ACCT_DELAY_TIME, "Acct-Delay-Time", RADIUS_ATTR_INT32 }, | |
196 | { RADIUS_ATTR_ACCT_INPUT_OCTETS, "Acct-Input-Octets", | |
197 | RADIUS_ATTR_INT32 }, | |
198 | { RADIUS_ATTR_ACCT_OUTPUT_OCTETS, "Acct-Output-Octets", | |
199 | RADIUS_ATTR_INT32 }, | |
200 | { RADIUS_ATTR_ACCT_SESSION_ID, "Acct-Session-Id", RADIUS_ATTR_TEXT }, | |
201 | { RADIUS_ATTR_ACCT_AUTHENTIC, "Acct-Authentic", RADIUS_ATTR_INT32 }, | |
202 | { RADIUS_ATTR_ACCT_SESSION_TIME, "Acct-Session-Time", | |
203 | RADIUS_ATTR_INT32 }, | |
204 | { RADIUS_ATTR_ACCT_INPUT_PACKETS, "Acct-Input-Packets", | |
205 | RADIUS_ATTR_INT32 }, | |
206 | { RADIUS_ATTR_ACCT_OUTPUT_PACKETS, "Acct-Output-Packets", | |
207 | RADIUS_ATTR_INT32 }, | |
208 | { RADIUS_ATTR_ACCT_TERMINATE_CAUSE, "Acct-Terminate-Cause", | |
209 | RADIUS_ATTR_INT32 }, | |
210 | { RADIUS_ATTR_ACCT_MULTI_SESSION_ID, "Acct-Multi-Session-Id", | |
211 | RADIUS_ATTR_TEXT }, | |
212 | { RADIUS_ATTR_ACCT_LINK_COUNT, "Acct-Link-Count", RADIUS_ATTR_INT32 }, | |
95de34a1 | 213 | { RADIUS_ATTR_ACCT_INPUT_GIGAWORDS, "Acct-Input-Gigawords", |
6fc6879b JM |
214 | RADIUS_ATTR_INT32 }, |
215 | { RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS, "Acct-Output-Gigawords", | |
216 | RADIUS_ATTR_INT32 }, | |
217 | { RADIUS_ATTR_EVENT_TIMESTAMP, "Event-Timestamp", | |
218 | RADIUS_ATTR_INT32 }, | |
8e44c192 | 219 | { RADIUS_ATTR_EGRESS_VLANID, "EGRESS-VLANID", RADIUS_ATTR_HEXDUMP }, |
6fc6879b JM |
220 | { RADIUS_ATTR_NAS_PORT_TYPE, "NAS-Port-Type", RADIUS_ATTR_INT32 }, |
221 | { RADIUS_ATTR_TUNNEL_TYPE, "Tunnel-Type", RADIUS_ATTR_HEXDUMP }, | |
222 | { RADIUS_ATTR_TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", | |
223 | RADIUS_ATTR_HEXDUMP }, | |
05ab9712 MB |
224 | { RADIUS_ATTR_TUNNEL_PASSWORD, "Tunnel-Password", |
225 | RADIUS_ATTR_UNDIST }, | |
6fc6879b JM |
226 | { RADIUS_ATTR_CONNECT_INFO, "Connect-Info", RADIUS_ATTR_TEXT }, |
227 | { RADIUS_ATTR_EAP_MESSAGE, "EAP-Message", RADIUS_ATTR_UNDIST }, | |
228 | { RADIUS_ATTR_MESSAGE_AUTHENTICATOR, "Message-Authenticator", | |
229 | RADIUS_ATTR_UNDIST }, | |
230 | { RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-Id", | |
231 | RADIUS_ATTR_HEXDUMP }, | |
232 | { RADIUS_ATTR_ACCT_INTERIM_INTERVAL, "Acct-Interim-Interval", | |
233 | RADIUS_ATTR_INT32 }, | |
e58b5ffe | 234 | { RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, "Chargeable-User-Identity", |
1e4b9da1 | 235 | RADIUS_ATTR_TEXT }, |
6fc6879b | 236 | { RADIUS_ATTR_NAS_IPV6_ADDRESS, "NAS-IPv6-Address", RADIUS_ATTR_IPV6 }, |
251c53e0 JM |
237 | { RADIUS_ATTR_ERROR_CAUSE, "Error-Cause", RADIUS_ATTR_INT32 }, |
238 | { RADIUS_ATTR_EAP_KEY_NAME, "EAP-Key-Name", RADIUS_ATTR_HEXDUMP }, | |
0ffe7a54 JM |
239 | { RADIUS_ATTR_OPERATOR_NAME, "Operator-Name", RADIUS_ATTR_TEXT }, |
240 | { RADIUS_ATTR_LOCATION_INFO, "Location-Information", | |
241 | RADIUS_ATTR_HEXDUMP }, | |
242 | { RADIUS_ATTR_LOCATION_DATA, "Location-Data", RADIUS_ATTR_HEXDUMP }, | |
243 | { RADIUS_ATTR_BASIC_LOCATION_POLICY_RULES, | |
244 | "Basic-Location-Policy-Rules", RADIUS_ATTR_HEXDUMP }, | |
245 | { RADIUS_ATTR_EXTENDED_LOCATION_POLICY_RULES, | |
246 | "Extended-Location-Policy-Rules", RADIUS_ATTR_HEXDUMP }, | |
247 | { RADIUS_ATTR_LOCATION_CAPABLE, "Location-Capable", RADIUS_ATTR_INT32 }, | |
248 | { RADIUS_ATTR_REQUESTED_LOCATION_INFO, "Requested-Location-Info", | |
249 | RADIUS_ATTR_INT32 }, | |
69002fb0 JM |
250 | { RADIUS_ATTR_MOBILITY_DOMAIN_ID, "Mobility-Domain-Id", |
251 | RADIUS_ATTR_INT32 }, | |
cdffd721 | 252 | { RADIUS_ATTR_WLAN_HESSID, "WLAN-HESSID", RADIUS_ATTR_TEXT }, |
6c460eaf JM |
253 | { RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, "WLAN-Pairwise-Cipher", |
254 | RADIUS_ATTR_HEXDUMP }, | |
255 | { RADIUS_ATTR_WLAN_GROUP_CIPHER, "WLAN-Group-Cipher", | |
256 | RADIUS_ATTR_HEXDUMP }, | |
257 | { RADIUS_ATTR_WLAN_AKM_SUITE, "WLAN-AKM-Suite", | |
258 | RADIUS_ATTR_HEXDUMP }, | |
259 | { RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, "WLAN-Group-Mgmt-Pairwise-Cipher", | |
260 | RADIUS_ATTR_HEXDUMP }, | |
6fc6879b | 261 | }; |
e7ecab4a | 262 | #define RADIUS_ATTRS ARRAY_SIZE(radius_attrs) |
6fc6879b JM |
263 | |
264 | ||
8b423edb | 265 | static const struct radius_attr_type *radius_get_attr_type(u8 type) |
6fc6879b JM |
266 | { |
267 | size_t i; | |
268 | ||
269 | for (i = 0; i < RADIUS_ATTRS; i++) { | |
270 | if (type == radius_attrs[i].type) | |
271 | return &radius_attrs[i]; | |
272 | } | |
273 | ||
274 | return NULL; | |
275 | } | |
276 | ||
277 | ||
6fc6879b JM |
278 | static void radius_msg_dump_attr(struct radius_attr_hdr *hdr) |
279 | { | |
8b423edb | 280 | const struct radius_attr_type *attr; |
38ecb06e | 281 | int len; |
6fc6879b | 282 | unsigned char *pos; |
38ecb06e | 283 | char buf[1000]; |
6fc6879b JM |
284 | |
285 | attr = radius_get_attr_type(hdr->type); | |
286 | ||
38ecb06e JM |
287 | wpa_printf(MSG_INFO, " Attribute %d (%s) length=%d", |
288 | hdr->type, attr ? attr->name : "?Unknown?", hdr->length); | |
6fc6879b | 289 | |
47e9d50d | 290 | if (attr == NULL || hdr->length < sizeof(struct radius_attr_hdr)) |
6fc6879b JM |
291 | return; |
292 | ||
293 | len = hdr->length - sizeof(struct radius_attr_hdr); | |
294 | pos = (unsigned char *) (hdr + 1); | |
295 | ||
296 | switch (attr->data_type) { | |
297 | case RADIUS_ATTR_TEXT: | |
38ecb06e JM |
298 | printf_encode(buf, sizeof(buf), pos, len); |
299 | wpa_printf(MSG_INFO, " Value: '%s'", buf); | |
6fc6879b JM |
300 | break; |
301 | ||
302 | case RADIUS_ATTR_IP: | |
303 | if (len == 4) { | |
304 | struct in_addr addr; | |
305 | os_memcpy(&addr, pos, 4); | |
38ecb06e JM |
306 | wpa_printf(MSG_INFO, " Value: %s", |
307 | inet_ntoa(addr)); | |
308 | } else { | |
309 | wpa_printf(MSG_INFO, " Invalid IP address length %d", | |
310 | len); | |
311 | } | |
6fc6879b JM |
312 | break; |
313 | ||
314 | #ifdef CONFIG_IPV6 | |
315 | case RADIUS_ATTR_IPV6: | |
316 | if (len == 16) { | |
6fc6879b JM |
317 | const char *atxt; |
318 | struct in6_addr *addr = (struct in6_addr *) pos; | |
319 | atxt = inet_ntop(AF_INET6, addr, buf, sizeof(buf)); | |
38ecb06e JM |
320 | wpa_printf(MSG_INFO, " Value: %s", |
321 | atxt ? atxt : "?"); | |
322 | } else { | |
323 | wpa_printf(MSG_INFO, " Invalid IPv6 address length %d", | |
324 | len); | |
325 | } | |
6fc6879b JM |
326 | break; |
327 | #endif /* CONFIG_IPV6 */ | |
328 | ||
329 | case RADIUS_ATTR_HEXDUMP: | |
330 | case RADIUS_ATTR_UNDIST: | |
38ecb06e JM |
331 | wpa_snprintf_hex(buf, sizeof(buf), pos, len); |
332 | wpa_printf(MSG_INFO, " Value: %s", buf); | |
6fc6879b JM |
333 | break; |
334 | ||
335 | case RADIUS_ATTR_INT32: | |
336 | if (len == 4) | |
38ecb06e JM |
337 | wpa_printf(MSG_INFO, " Value: %u", |
338 | WPA_GET_BE32(pos)); | |
6fc6879b | 339 | else |
38ecb06e JM |
340 | wpa_printf(MSG_INFO, " Invalid INT32 length %d", |
341 | len); | |
6fc6879b JM |
342 | break; |
343 | ||
344 | default: | |
345 | break; | |
346 | } | |
347 | } | |
348 | ||
349 | ||
350 | void radius_msg_dump(struct radius_msg *msg) | |
351 | { | |
352 | size_t i; | |
353 | ||
38ecb06e JM |
354 | wpa_printf(MSG_INFO, "RADIUS message: code=%d (%s) identifier=%d length=%d", |
355 | msg->hdr->code, radius_code_string(msg->hdr->code), | |
356 | msg->hdr->identifier, be_to_host16(msg->hdr->length)); | |
6fc6879b JM |
357 | |
358 | for (i = 0; i < msg->attr_used; i++) { | |
359 | struct radius_attr_hdr *attr = radius_get_attr_hdr(msg, i); | |
360 | radius_msg_dump_attr(attr); | |
361 | } | |
362 | } | |
363 | ||
364 | ||
7d02e641 JM |
365 | int radius_msg_finish(struct radius_msg *msg, const u8 *secret, |
366 | size_t secret_len) | |
6fc6879b JM |
367 | { |
368 | if (secret) { | |
369 | u8 auth[MD5_MAC_LEN]; | |
370 | struct radius_attr_hdr *attr; | |
371 | ||
372 | os_memset(auth, 0, MD5_MAC_LEN); | |
373 | attr = radius_msg_add_attr(msg, | |
374 | RADIUS_ATTR_MESSAGE_AUTHENTICATOR, | |
375 | auth, MD5_MAC_LEN); | |
376 | if (attr == NULL) { | |
aa235d2e JM |
377 | wpa_printf(MSG_WARNING, "RADIUS: Could not add " |
378 | "Message-Authenticator"); | |
6fc6879b JM |
379 | return -1; |
380 | } | |
c50b0233 | 381 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); |
aa235d2e JM |
382 | hmac_md5(secret, secret_len, wpabuf_head(msg->buf), |
383 | wpabuf_len(msg->buf), (u8 *) (attr + 1)); | |
6fc6879b | 384 | } else |
c50b0233 | 385 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); |
6fc6879b | 386 | |
aa235d2e JM |
387 | if (wpabuf_len(msg->buf) > 0xffff) { |
388 | wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)", | |
389 | (unsigned long) wpabuf_len(msg->buf)); | |
6fc6879b JM |
390 | return -1; |
391 | } | |
392 | return 0; | |
393 | } | |
394 | ||
395 | ||
396 | int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, | |
397 | size_t secret_len, const u8 *req_authenticator) | |
398 | { | |
399 | u8 auth[MD5_MAC_LEN]; | |
400 | struct radius_attr_hdr *attr; | |
401 | const u8 *addr[4]; | |
402 | size_t len[4]; | |
403 | ||
404 | os_memset(auth, 0, MD5_MAC_LEN); | |
405 | attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, | |
406 | auth, MD5_MAC_LEN); | |
407 | if (attr == NULL) { | |
38ecb06e | 408 | wpa_printf(MSG_ERROR, "WARNING: Could not add Message-Authenticator"); |
6fc6879b JM |
409 | return -1; |
410 | } | |
c50b0233 | 411 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); |
6fc6879b JM |
412 | os_memcpy(msg->hdr->authenticator, req_authenticator, |
413 | sizeof(msg->hdr->authenticator)); | |
aa235d2e JM |
414 | hmac_md5(secret, secret_len, wpabuf_head(msg->buf), |
415 | wpabuf_len(msg->buf), (u8 *) (attr + 1)); | |
6fc6879b JM |
416 | |
417 | /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ | |
418 | addr[0] = (u8 *) msg->hdr; | |
419 | len[0] = 1 + 1 + 2; | |
420 | addr[1] = req_authenticator; | |
421 | len[1] = MD5_MAC_LEN; | |
aa235d2e JM |
422 | addr[2] = wpabuf_head_u8(msg->buf) + sizeof(struct radius_hdr); |
423 | len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr); | |
6fc6879b JM |
424 | addr[3] = secret; |
425 | len[3] = secret_len; | |
426 | md5_vector(4, addr, len, msg->hdr->authenticator); | |
427 | ||
aa235d2e JM |
428 | if (wpabuf_len(msg->buf) > 0xffff) { |
429 | wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)", | |
430 | (unsigned long) wpabuf_len(msg->buf)); | |
6fc6879b JM |
431 | return -1; |
432 | } | |
433 | return 0; | |
434 | } | |
435 | ||
436 | ||
b031338c JM |
437 | int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret, |
438 | size_t secret_len, | |
439 | const struct radius_hdr *req_hdr) | |
440 | { | |
441 | const u8 *addr[2]; | |
442 | size_t len[2]; | |
443 | u8 auth[MD5_MAC_LEN]; | |
444 | struct radius_attr_hdr *attr; | |
445 | ||
446 | os_memset(auth, 0, MD5_MAC_LEN); | |
447 | attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, | |
448 | auth, MD5_MAC_LEN); | |
449 | if (attr == NULL) { | |
450 | wpa_printf(MSG_WARNING, "Could not add Message-Authenticator"); | |
451 | return -1; | |
452 | } | |
453 | ||
c50b0233 | 454 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); |
b031338c JM |
455 | os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16); |
456 | hmac_md5(secret, secret_len, wpabuf_head(msg->buf), | |
457 | wpabuf_len(msg->buf), (u8 *) (attr + 1)); | |
458 | ||
459 | /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ | |
460 | addr[0] = wpabuf_head_u8(msg->buf); | |
461 | len[0] = wpabuf_len(msg->buf); | |
462 | addr[1] = secret; | |
463 | len[1] = secret_len; | |
464 | if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0) | |
465 | return -1; | |
466 | ||
467 | if (wpabuf_len(msg->buf) > 0xffff) { | |
468 | wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)", | |
469 | (unsigned long) wpabuf_len(msg->buf)); | |
470 | return -1; | |
471 | } | |
472 | return 0; | |
473 | } | |
474 | ||
475 | ||
7d02e641 | 476 | void radius_msg_finish_acct(struct radius_msg *msg, const u8 *secret, |
6fc6879b JM |
477 | size_t secret_len) |
478 | { | |
479 | const u8 *addr[2]; | |
480 | size_t len[2]; | |
481 | ||
c50b0233 | 482 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); |
6fc6879b | 483 | os_memset(msg->hdr->authenticator, 0, MD5_MAC_LEN); |
aa235d2e JM |
484 | addr[0] = wpabuf_head(msg->buf); |
485 | len[0] = wpabuf_len(msg->buf); | |
6fc6879b JM |
486 | addr[1] = secret; |
487 | len[1] = secret_len; | |
488 | md5_vector(2, addr, len, msg->hdr->authenticator); | |
489 | ||
aa235d2e JM |
490 | if (wpabuf_len(msg->buf) > 0xffff) { |
491 | wpa_printf(MSG_WARNING, "RADIUS: Too long messages (%lu)", | |
492 | (unsigned long) wpabuf_len(msg->buf)); | |
6fc6879b JM |
493 | } |
494 | } | |
495 | ||
496 | ||
a1dd890a JM |
497 | void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret, |
498 | size_t secret_len, const u8 *req_authenticator) | |
499 | { | |
500 | const u8 *addr[2]; | |
501 | size_t len[2]; | |
502 | ||
503 | msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); | |
504 | os_memcpy(msg->hdr->authenticator, req_authenticator, MD5_MAC_LEN); | |
505 | addr[0] = wpabuf_head(msg->buf); | |
506 | len[0] = wpabuf_len(msg->buf); | |
507 | addr[1] = secret; | |
508 | len[1] = secret_len; | |
509 | md5_vector(2, addr, len, msg->hdr->authenticator); | |
510 | ||
511 | if (wpabuf_len(msg->buf) > 0xffff) { | |
512 | wpa_printf(MSG_WARNING, "RADIUS: Too long messages (%lu)", | |
513 | (unsigned long) wpabuf_len(msg->buf)); | |
514 | } | |
515 | } | |
516 | ||
517 | ||
b031338c JM |
518 | int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret, |
519 | size_t secret_len) | |
520 | { | |
521 | const u8 *addr[4]; | |
522 | size_t len[4]; | |
523 | u8 zero[MD5_MAC_LEN]; | |
524 | u8 hash[MD5_MAC_LEN]; | |
525 | ||
526 | os_memset(zero, 0, sizeof(zero)); | |
527 | addr[0] = (u8 *) msg->hdr; | |
528 | len[0] = sizeof(struct radius_hdr) - MD5_MAC_LEN; | |
529 | addr[1] = zero; | |
530 | len[1] = MD5_MAC_LEN; | |
531 | addr[2] = (u8 *) (msg->hdr + 1); | |
532 | len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr); | |
533 | addr[3] = secret; | |
534 | len[3] = secret_len; | |
535 | md5_vector(4, addr, len, hash); | |
c2371953 | 536 | return os_memcmp_const(msg->hdr->authenticator, hash, MD5_MAC_LEN) != 0; |
b031338c JM |
537 | } |
538 | ||
539 | ||
540 | int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret, | |
42d30e9e NL |
541 | size_t secret_len, |
542 | int require_message_authenticator) | |
b031338c JM |
543 | { |
544 | const u8 *addr[4]; | |
545 | size_t len[4]; | |
546 | u8 zero[MD5_MAC_LEN]; | |
547 | u8 hash[MD5_MAC_LEN]; | |
548 | u8 auth[MD5_MAC_LEN], orig[MD5_MAC_LEN]; | |
549 | u8 orig_authenticator[16]; | |
550 | ||
551 | struct radius_attr_hdr *attr = NULL, *tmp; | |
552 | size_t i; | |
553 | ||
554 | os_memset(zero, 0, sizeof(zero)); | |
555 | addr[0] = (u8 *) msg->hdr; | |
556 | len[0] = sizeof(struct radius_hdr) - MD5_MAC_LEN; | |
557 | addr[1] = zero; | |
558 | len[1] = MD5_MAC_LEN; | |
559 | addr[2] = (u8 *) (msg->hdr + 1); | |
560 | len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr); | |
561 | addr[3] = secret; | |
562 | len[3] = secret_len; | |
563 | md5_vector(4, addr, len, hash); | |
c2371953 | 564 | if (os_memcmp_const(msg->hdr->authenticator, hash, MD5_MAC_LEN) != 0) |
b031338c JM |
565 | return 1; |
566 | ||
567 | for (i = 0; i < msg->attr_used; i++) { | |
568 | tmp = radius_get_attr_hdr(msg, i); | |
569 | if (tmp->type == RADIUS_ATTR_MESSAGE_AUTHENTICATOR) { | |
570 | if (attr != NULL) { | |
571 | wpa_printf(MSG_WARNING, "Multiple " | |
572 | "Message-Authenticator attributes " | |
573 | "in RADIUS message"); | |
574 | return 1; | |
575 | } | |
576 | attr = tmp; | |
577 | } | |
578 | } | |
579 | ||
580 | if (attr == NULL) { | |
42d30e9e NL |
581 | if (require_message_authenticator) { |
582 | wpa_printf(MSG_WARNING, | |
583 | "Missing Message-Authenticator attribute in RADIUS message"); | |
584 | return 1; | |
585 | } | |
b031338c JM |
586 | return 0; |
587 | } | |
588 | ||
589 | os_memcpy(orig, attr + 1, MD5_MAC_LEN); | |
590 | os_memset(attr + 1, 0, MD5_MAC_LEN); | |
591 | os_memcpy(orig_authenticator, msg->hdr->authenticator, | |
592 | sizeof(orig_authenticator)); | |
593 | os_memset(msg->hdr->authenticator, 0, | |
594 | sizeof(msg->hdr->authenticator)); | |
595 | hmac_md5(secret, secret_len, wpabuf_head(msg->buf), | |
596 | wpabuf_len(msg->buf), auth); | |
597 | os_memcpy(attr + 1, orig, MD5_MAC_LEN); | |
598 | os_memcpy(msg->hdr->authenticator, orig_authenticator, | |
599 | sizeof(orig_authenticator)); | |
600 | ||
c2371953 | 601 | return os_memcmp_const(orig, auth, MD5_MAC_LEN) != 0; |
b031338c JM |
602 | } |
603 | ||
604 | ||
6fc6879b JM |
605 | static int radius_msg_add_attr_to_array(struct radius_msg *msg, |
606 | struct radius_attr_hdr *attr) | |
607 | { | |
608 | if (msg->attr_used >= msg->attr_size) { | |
609 | size_t *nattr_pos; | |
610 | int nlen = msg->attr_size * 2; | |
611 | ||
067ffa26 JM |
612 | nattr_pos = os_realloc_array(msg->attr_pos, nlen, |
613 | sizeof(*msg->attr_pos)); | |
6fc6879b JM |
614 | if (nattr_pos == NULL) |
615 | return -1; | |
616 | ||
617 | msg->attr_pos = nattr_pos; | |
618 | msg->attr_size = nlen; | |
619 | } | |
620 | ||
aa235d2e JM |
621 | msg->attr_pos[msg->attr_used++] = |
622 | (unsigned char *) attr - wpabuf_head_u8(msg->buf); | |
6fc6879b JM |
623 | |
624 | return 0; | |
625 | } | |
626 | ||
627 | ||
628 | struct radius_attr_hdr *radius_msg_add_attr(struct radius_msg *msg, u8 type, | |
629 | const u8 *data, size_t data_len) | |
630 | { | |
631 | size_t buf_needed; | |
632 | struct radius_attr_hdr *attr; | |
633 | ||
b9fd3c24 JM |
634 | if (TEST_FAIL()) |
635 | return NULL; | |
636 | ||
6fc6879b | 637 | if (data_len > RADIUS_MAX_ATTR_LEN) { |
38ecb06e | 638 | wpa_printf(MSG_ERROR, "radius_msg_add_attr: too long attribute (%lu bytes)", |
6fc6879b JM |
639 | (unsigned long) data_len); |
640 | return NULL; | |
641 | } | |
642 | ||
aa235d2e | 643 | buf_needed = sizeof(*attr) + data_len; |
6fc6879b | 644 | |
aa235d2e | 645 | if (wpabuf_tailroom(msg->buf) < buf_needed) { |
6fc6879b | 646 | /* allocate more space for message buffer */ |
aa235d2e | 647 | if (wpabuf_resize(&msg->buf, buf_needed) < 0) |
6fc6879b | 648 | return NULL; |
aa235d2e | 649 | msg->hdr = wpabuf_mhead(msg->buf); |
6fc6879b JM |
650 | } |
651 | ||
aa235d2e | 652 | attr = wpabuf_put(msg->buf, sizeof(struct radius_attr_hdr)); |
6fc6879b JM |
653 | attr->type = type; |
654 | attr->length = sizeof(*attr) + data_len; | |
aa235d2e | 655 | wpabuf_put_data(msg->buf, data, data_len); |
6fc6879b JM |
656 | |
657 | if (radius_msg_add_attr_to_array(msg, attr)) | |
658 | return NULL; | |
659 | ||
660 | return attr; | |
661 | } | |
662 | ||
663 | ||
9e7245bd JM |
664 | /** |
665 | * radius_msg_parse - Parse a RADIUS message | |
666 | * @data: RADIUS message to be parsed | |
667 | * @len: Length of data buffer in octets | |
668 | * Returns: Parsed RADIUS message or %NULL on failure | |
669 | * | |
670 | * This parses a RADIUS message and makes a copy of its data. The caller is | |
671 | * responsible for freeing the returned data with radius_msg_free(). | |
672 | */ | |
673 | struct radius_msg * radius_msg_parse(const u8 *data, size_t len) | |
6fc6879b JM |
674 | { |
675 | struct radius_msg *msg; | |
676 | struct radius_hdr *hdr; | |
677 | struct radius_attr_hdr *attr; | |
678 | size_t msg_len; | |
679 | unsigned char *pos, *end; | |
680 | ||
681 | if (data == NULL || len < sizeof(*hdr)) | |
682 | return NULL; | |
683 | ||
684 | hdr = (struct radius_hdr *) data; | |
685 | ||
c50b0233 | 686 | msg_len = be_to_host16(hdr->length); |
6fc6879b | 687 | if (msg_len < sizeof(*hdr) || msg_len > len) { |
9e7245bd | 688 | wpa_printf(MSG_INFO, "RADIUS: Invalid message length"); |
6fc6879b JM |
689 | return NULL; |
690 | } | |
691 | ||
692 | if (msg_len < len) { | |
9e7245bd JM |
693 | wpa_printf(MSG_DEBUG, "RADIUS: Ignored %lu extra bytes after " |
694 | "RADIUS message", (unsigned long) len - msg_len); | |
6fc6879b JM |
695 | } |
696 | ||
d94f86d8 | 697 | msg = os_zalloc(sizeof(*msg)); |
6fc6879b JM |
698 | if (msg == NULL) |
699 | return NULL; | |
700 | ||
aa235d2e JM |
701 | msg->buf = wpabuf_alloc_copy(data, msg_len); |
702 | if (msg->buf == NULL || radius_msg_initialize(msg)) { | |
703 | radius_msg_free(msg); | |
6fc6879b JM |
704 | return NULL; |
705 | } | |
aa235d2e | 706 | msg->hdr = wpabuf_mhead(msg->buf); |
6fc6879b JM |
707 | |
708 | /* parse attributes */ | |
aa235d2e JM |
709 | pos = wpabuf_mhead_u8(msg->buf) + sizeof(struct radius_hdr); |
710 | end = wpabuf_mhead_u8(msg->buf) + wpabuf_len(msg->buf); | |
6fc6879b JM |
711 | while (pos < end) { |
712 | if ((size_t) (end - pos) < sizeof(*attr)) | |
713 | goto fail; | |
714 | ||
715 | attr = (struct radius_attr_hdr *) pos; | |
716 | ||
de7fe64d | 717 | if (attr->length > end - pos || attr->length < sizeof(*attr)) |
6fc6879b JM |
718 | goto fail; |
719 | ||
720 | /* TODO: check that attr->length is suitable for attr->type */ | |
721 | ||
722 | if (radius_msg_add_attr_to_array(msg, attr)) | |
723 | goto fail; | |
724 | ||
725 | pos += attr->length; | |
726 | } | |
727 | ||
728 | return msg; | |
729 | ||
730 | fail: | |
731 | radius_msg_free(msg); | |
6fc6879b JM |
732 | return NULL; |
733 | } | |
734 | ||
735 | ||
736 | int radius_msg_add_eap(struct radius_msg *msg, const u8 *data, size_t data_len) | |
737 | { | |
738 | const u8 *pos = data; | |
739 | size_t left = data_len; | |
740 | ||
741 | while (left > 0) { | |
742 | int len; | |
743 | if (left > RADIUS_MAX_ATTR_LEN) | |
744 | len = RADIUS_MAX_ATTR_LEN; | |
745 | else | |
746 | len = left; | |
747 | ||
748 | if (!radius_msg_add_attr(msg, RADIUS_ATTR_EAP_MESSAGE, | |
749 | pos, len)) | |
750 | return 0; | |
751 | ||
752 | pos += len; | |
753 | left -= len; | |
754 | } | |
755 | ||
756 | return 1; | |
757 | } | |
758 | ||
759 | ||
e100828b | 760 | struct wpabuf * radius_msg_get_eap(struct radius_msg *msg) |
6fc6879b | 761 | { |
e100828b | 762 | struct wpabuf *eap; |
6fc6879b JM |
763 | size_t len, i; |
764 | struct radius_attr_hdr *attr; | |
765 | ||
766 | if (msg == NULL) | |
767 | return NULL; | |
768 | ||
769 | len = 0; | |
770 | for (i = 0; i < msg->attr_used; i++) { | |
771 | attr = radius_get_attr_hdr(msg, i); | |
47e9d50d JM |
772 | if (attr->type == RADIUS_ATTR_EAP_MESSAGE && |
773 | attr->length > sizeof(struct radius_attr_hdr)) | |
6fc6879b JM |
774 | len += attr->length - sizeof(struct radius_attr_hdr); |
775 | } | |
776 | ||
777 | if (len == 0) | |
778 | return NULL; | |
779 | ||
e100828b | 780 | eap = wpabuf_alloc(len); |
6fc6879b JM |
781 | if (eap == NULL) |
782 | return NULL; | |
783 | ||
6fc6879b JM |
784 | for (i = 0; i < msg->attr_used; i++) { |
785 | attr = radius_get_attr_hdr(msg, i); | |
47e9d50d JM |
786 | if (attr->type == RADIUS_ATTR_EAP_MESSAGE && |
787 | attr->length > sizeof(struct radius_attr_hdr)) { | |
6fc6879b | 788 | int flen = attr->length - sizeof(*attr); |
e100828b | 789 | wpabuf_put_data(eap, attr + 1, flen); |
6fc6879b JM |
790 | } |
791 | } | |
792 | ||
6fc6879b JM |
793 | return eap; |
794 | } | |
795 | ||
796 | ||
797 | int radius_msg_verify_msg_auth(struct radius_msg *msg, const u8 *secret, | |
798 | size_t secret_len, const u8 *req_auth) | |
799 | { | |
800 | u8 auth[MD5_MAC_LEN], orig[MD5_MAC_LEN]; | |
801 | u8 orig_authenticator[16]; | |
802 | struct radius_attr_hdr *attr = NULL, *tmp; | |
803 | size_t i; | |
804 | ||
805 | for (i = 0; i < msg->attr_used; i++) { | |
806 | tmp = radius_get_attr_hdr(msg, i); | |
807 | if (tmp->type == RADIUS_ATTR_MESSAGE_AUTHENTICATOR) { | |
808 | if (attr != NULL) { | |
38ecb06e | 809 | wpa_printf(MSG_INFO, "Multiple Message-Authenticator attributes in RADIUS message"); |
6fc6879b JM |
810 | return 1; |
811 | } | |
812 | attr = tmp; | |
813 | } | |
814 | } | |
815 | ||
816 | if (attr == NULL) { | |
38ecb06e | 817 | wpa_printf(MSG_INFO, "No Message-Authenticator attribute found"); |
6fc6879b JM |
818 | return 1; |
819 | } | |
820 | ||
821 | os_memcpy(orig, attr + 1, MD5_MAC_LEN); | |
822 | os_memset(attr + 1, 0, MD5_MAC_LEN); | |
823 | if (req_auth) { | |
824 | os_memcpy(orig_authenticator, msg->hdr->authenticator, | |
825 | sizeof(orig_authenticator)); | |
826 | os_memcpy(msg->hdr->authenticator, req_auth, | |
827 | sizeof(msg->hdr->authenticator)); | |
828 | } | |
38eee0f5 JM |
829 | if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), |
830 | wpabuf_len(msg->buf), auth) < 0) | |
831 | return 1; | |
6fc6879b JM |
832 | os_memcpy(attr + 1, orig, MD5_MAC_LEN); |
833 | if (req_auth) { | |
834 | os_memcpy(msg->hdr->authenticator, orig_authenticator, | |
835 | sizeof(orig_authenticator)); | |
836 | } | |
837 | ||
c2371953 | 838 | if (os_memcmp_const(orig, auth, MD5_MAC_LEN) != 0) { |
38ecb06e | 839 | wpa_printf(MSG_INFO, "Invalid Message-Authenticator!"); |
6fc6879b JM |
840 | return 1; |
841 | } | |
842 | ||
843 | return 0; | |
844 | } | |
845 | ||
846 | ||
847 | int radius_msg_verify(struct radius_msg *msg, const u8 *secret, | |
848 | size_t secret_len, struct radius_msg *sent_msg, int auth) | |
849 | { | |
850 | const u8 *addr[4]; | |
851 | size_t len[4]; | |
852 | u8 hash[MD5_MAC_LEN]; | |
853 | ||
854 | if (sent_msg == NULL) { | |
38ecb06e | 855 | wpa_printf(MSG_INFO, "No matching Access-Request message found"); |
6fc6879b JM |
856 | return 1; |
857 | } | |
858 | ||
859 | if (auth && | |
860 | radius_msg_verify_msg_auth(msg, secret, secret_len, | |
861 | sent_msg->hdr->authenticator)) { | |
862 | return 1; | |
863 | } | |
864 | ||
865 | /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ | |
866 | addr[0] = (u8 *) msg->hdr; | |
867 | len[0] = 1 + 1 + 2; | |
868 | addr[1] = sent_msg->hdr->authenticator; | |
869 | len[1] = MD5_MAC_LEN; | |
aa235d2e JM |
870 | addr[2] = wpabuf_head_u8(msg->buf) + sizeof(struct radius_hdr); |
871 | len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr); | |
6fc6879b JM |
872 | addr[3] = secret; |
873 | len[3] = secret_len; | |
05dad946 JM |
874 | if (md5_vector(4, addr, len, hash) < 0 || |
875 | os_memcmp_const(hash, msg->hdr->authenticator, MD5_MAC_LEN) != 0) { | |
38ecb06e | 876 | wpa_printf(MSG_INFO, "Response Authenticator invalid!"); |
6fc6879b JM |
877 | return 1; |
878 | } | |
879 | ||
880 | return 0; | |
881 | } | |
882 | ||
883 | ||
884 | int radius_msg_copy_attr(struct radius_msg *dst, struct radius_msg *src, | |
885 | u8 type) | |
886 | { | |
887 | struct radius_attr_hdr *attr; | |
888 | size_t i; | |
889 | int count = 0; | |
890 | ||
891 | for (i = 0; i < src->attr_used; i++) { | |
892 | attr = radius_get_attr_hdr(src, i); | |
47e9d50d | 893 | if (attr->type == type && attr->length >= sizeof(*attr)) { |
6fc6879b JM |
894 | if (!radius_msg_add_attr(dst, type, (u8 *) (attr + 1), |
895 | attr->length - sizeof(*attr))) | |
896 | return -1; | |
897 | count++; | |
898 | } | |
899 | } | |
900 | ||
901 | return count; | |
902 | } | |
903 | ||
904 | ||
905 | /* Create Request Authenticator. The value should be unique over the lifetime | |
906 | * of the shared secret between authenticator and authentication server. | |
2cbc6ffb NL |
907 | */ |
908 | int radius_msg_make_authenticator(struct radius_msg *msg) | |
6fc6879b | 909 | { |
2cbc6ffb NL |
910 | return os_get_random((u8 *) &msg->hdr->authenticator, |
911 | sizeof(msg->hdr->authenticator)); | |
6fc6879b JM |
912 | } |
913 | ||
914 | ||
915 | /* Get Vendor-specific RADIUS Attribute from a parsed RADIUS message. | |
916 | * Returns the Attribute payload and sets alen to indicate the length of the | |
917 | * payload if a vendor attribute with subtype is found, otherwise returns NULL. | |
918 | * The returned payload is allocated with os_malloc() and caller must free it | |
919 | * by calling os_free(). | |
920 | */ | |
921 | static u8 *radius_msg_get_vendor_attr(struct radius_msg *msg, u32 vendor, | |
922 | u8 subtype, size_t *alen) | |
923 | { | |
924 | u8 *data, *pos; | |
925 | size_t i, len; | |
926 | ||
927 | if (msg == NULL) | |
928 | return NULL; | |
929 | ||
930 | for (i = 0; i < msg->attr_used; i++) { | |
931 | struct radius_attr_hdr *attr = radius_get_attr_hdr(msg, i); | |
932 | size_t left; | |
933 | u32 vendor_id; | |
934 | struct radius_attr_vendor *vhdr; | |
935 | ||
47e9d50d JM |
936 | if (attr->type != RADIUS_ATTR_VENDOR_SPECIFIC || |
937 | attr->length < sizeof(*attr)) | |
6fc6879b JM |
938 | continue; |
939 | ||
940 | left = attr->length - sizeof(*attr); | |
941 | if (left < 4) | |
942 | continue; | |
943 | ||
944 | pos = (u8 *) (attr + 1); | |
945 | ||
946 | os_memcpy(&vendor_id, pos, 4); | |
947 | pos += 4; | |
948 | left -= 4; | |
949 | ||
950 | if (ntohl(vendor_id) != vendor) | |
951 | continue; | |
952 | ||
953 | while (left >= sizeof(*vhdr)) { | |
954 | vhdr = (struct radius_attr_vendor *) pos; | |
955 | if (vhdr->vendor_length > left || | |
956 | vhdr->vendor_length < sizeof(*vhdr)) { | |
6fc6879b JM |
957 | break; |
958 | } | |
959 | if (vhdr->vendor_type != subtype) { | |
960 | pos += vhdr->vendor_length; | |
961 | left -= vhdr->vendor_length; | |
962 | continue; | |
963 | } | |
964 | ||
965 | len = vhdr->vendor_length - sizeof(*vhdr); | |
966 | data = os_malloc(len); | |
967 | if (data == NULL) | |
968 | return NULL; | |
969 | os_memcpy(data, pos + sizeof(*vhdr), len); | |
970 | if (alen) | |
971 | *alen = len; | |
972 | return data; | |
973 | } | |
974 | } | |
975 | ||
976 | return NULL; | |
977 | } | |
978 | ||
979 | ||
980 | static u8 * decrypt_ms_key(const u8 *key, size_t len, | |
981 | const u8 *req_authenticator, | |
982 | const u8 *secret, size_t secret_len, size_t *reslen) | |
983 | { | |
984 | u8 *plain, *ppos, *res; | |
985 | const u8 *pos; | |
986 | size_t left, plen; | |
987 | u8 hash[MD5_MAC_LEN]; | |
988 | int i, first = 1; | |
989 | const u8 *addr[3]; | |
990 | size_t elen[3]; | |
991 | ||
992 | /* key: 16-bit salt followed by encrypted key info */ | |
993 | ||
400de9b1 BG |
994 | if (len < 2 + 16) { |
995 | wpa_printf(MSG_DEBUG, "RADIUS: %s: Len is too small: %d", | |
996 | __func__, (int) len); | |
6fc6879b | 997 | return NULL; |
400de9b1 | 998 | } |
6fc6879b JM |
999 | |
1000 | pos = key + 2; | |
1001 | left = len - 2; | |
1002 | if (left % 16) { | |
400de9b1 | 1003 | wpa_printf(MSG_INFO, "RADIUS: Invalid ms key len %lu", |
38ecb06e | 1004 | (unsigned long) left); |
6fc6879b JM |
1005 | return NULL; |
1006 | } | |
1007 | ||
1008 | plen = left; | |
1009 | ppos = plain = os_malloc(plen); | |
1010 | if (plain == NULL) | |
1011 | return NULL; | |
380da72b | 1012 | plain[0] = 0; |
6fc6879b JM |
1013 | |
1014 | while (left > 0) { | |
1015 | /* b(1) = MD5(Secret + Request-Authenticator + Salt) | |
1016 | * b(i) = MD5(Secret + c(i - 1)) for i > 1 */ | |
1017 | ||
1018 | addr[0] = secret; | |
1019 | elen[0] = secret_len; | |
1020 | if (first) { | |
1021 | addr[1] = req_authenticator; | |
1022 | elen[1] = MD5_MAC_LEN; | |
1023 | addr[2] = key; | |
1024 | elen[2] = 2; /* Salt */ | |
1025 | } else { | |
1026 | addr[1] = pos - MD5_MAC_LEN; | |
1027 | elen[1] = MD5_MAC_LEN; | |
1028 | } | |
2c3d95c7 JM |
1029 | if (md5_vector(first ? 3 : 2, addr, elen, hash) < 0) { |
1030 | os_free(plain); | |
1031 | return NULL; | |
1032 | } | |
6fc6879b JM |
1033 | first = 0; |
1034 | ||
1035 | for (i = 0; i < MD5_MAC_LEN; i++) | |
1036 | *ppos++ = *pos++ ^ hash[i]; | |
1037 | left -= MD5_MAC_LEN; | |
1038 | } | |
1039 | ||
380da72b | 1040 | if (plain[0] == 0 || plain[0] > plen - 1) { |
400de9b1 | 1041 | wpa_printf(MSG_INFO, "RADIUS: Failed to decrypt MPPE key"); |
6fc6879b JM |
1042 | os_free(plain); |
1043 | return NULL; | |
1044 | } | |
1045 | ||
1046 | res = os_malloc(plain[0]); | |
1047 | if (res == NULL) { | |
1048 | os_free(plain); | |
1049 | return NULL; | |
1050 | } | |
1051 | os_memcpy(res, plain + 1, plain[0]); | |
1052 | if (reslen) | |
1053 | *reslen = plain[0]; | |
1054 | os_free(plain); | |
1055 | return res; | |
1056 | } | |
1057 | ||
1058 | ||
1059 | static void encrypt_ms_key(const u8 *key, size_t key_len, u16 salt, | |
1060 | const u8 *req_authenticator, | |
1061 | const u8 *secret, size_t secret_len, | |
1062 | u8 *ebuf, size_t *elen) | |
1063 | { | |
1064 | int i, len, first = 1; | |
1065 | u8 hash[MD5_MAC_LEN], saltbuf[2], *pos; | |
1066 | const u8 *addr[3]; | |
1067 | size_t _len[3]; | |
1068 | ||
1069 | WPA_PUT_BE16(saltbuf, salt); | |
1070 | ||
1071 | len = 1 + key_len; | |
1072 | if (len & 0x0f) { | |
1073 | len = (len & 0xf0) + 16; | |
1074 | } | |
1075 | os_memset(ebuf, 0, len); | |
1076 | ebuf[0] = key_len; | |
1077 | os_memcpy(ebuf + 1, key, key_len); | |
1078 | ||
1079 | *elen = len; | |
1080 | ||
1081 | pos = ebuf; | |
1082 | while (len > 0) { | |
1083 | /* b(1) = MD5(Secret + Request-Authenticator + Salt) | |
1084 | * b(i) = MD5(Secret + c(i - 1)) for i > 1 */ | |
1085 | addr[0] = secret; | |
1086 | _len[0] = secret_len; | |
1087 | if (first) { | |
1088 | addr[1] = req_authenticator; | |
1089 | _len[1] = MD5_MAC_LEN; | |
1090 | addr[2] = saltbuf; | |
1091 | _len[2] = sizeof(saltbuf); | |
1092 | } else { | |
1093 | addr[1] = pos - MD5_MAC_LEN; | |
1094 | _len[1] = MD5_MAC_LEN; | |
1095 | } | |
1096 | md5_vector(first ? 3 : 2, addr, _len, hash); | |
1097 | first = 0; | |
1098 | ||
1099 | for (i = 0; i < MD5_MAC_LEN; i++) | |
1100 | *pos++ ^= hash[i]; | |
1101 | ||
1102 | len -= MD5_MAC_LEN; | |
1103 | } | |
1104 | } | |
1105 | ||
1106 | ||
1107 | struct radius_ms_mppe_keys * | |
1108 | radius_msg_get_ms_keys(struct radius_msg *msg, struct radius_msg *sent_msg, | |
7d02e641 | 1109 | const u8 *secret, size_t secret_len) |
6fc6879b JM |
1110 | { |
1111 | u8 *key; | |
1112 | size_t keylen; | |
1113 | struct radius_ms_mppe_keys *keys; | |
1114 | ||
1115 | if (msg == NULL || sent_msg == NULL) | |
1116 | return NULL; | |
1117 | ||
1118 | keys = os_zalloc(sizeof(*keys)); | |
1119 | if (keys == NULL) | |
1120 | return NULL; | |
1121 | ||
1122 | key = radius_msg_get_vendor_attr(msg, RADIUS_VENDOR_ID_MICROSOFT, | |
1123 | RADIUS_VENDOR_ATTR_MS_MPPE_SEND_KEY, | |
1124 | &keylen); | |
1125 | if (key) { | |
1126 | keys->send = decrypt_ms_key(key, keylen, | |
1127 | sent_msg->hdr->authenticator, | |
1128 | secret, secret_len, | |
1129 | &keys->send_len); | |
400de9b1 BG |
1130 | if (!keys->send) { |
1131 | wpa_printf(MSG_DEBUG, | |
1132 | "RADIUS: Failed to decrypt send key"); | |
1133 | } | |
6fc6879b JM |
1134 | os_free(key); |
1135 | } | |
1136 | ||
1137 | key = radius_msg_get_vendor_attr(msg, RADIUS_VENDOR_ID_MICROSOFT, | |
1138 | RADIUS_VENDOR_ATTR_MS_MPPE_RECV_KEY, | |
1139 | &keylen); | |
1140 | if (key) { | |
1141 | keys->recv = decrypt_ms_key(key, keylen, | |
1142 | sent_msg->hdr->authenticator, | |
1143 | secret, secret_len, | |
1144 | &keys->recv_len); | |
400de9b1 BG |
1145 | if (!keys->recv) { |
1146 | wpa_printf(MSG_DEBUG, | |
1147 | "RADIUS: Failed to decrypt recv key"); | |
1148 | } | |
6fc6879b JM |
1149 | os_free(key); |
1150 | } | |
1151 | ||
1152 | return keys; | |
1153 | } | |
1154 | ||
1155 | ||
1156 | struct radius_ms_mppe_keys * | |
1157 | radius_msg_get_cisco_keys(struct radius_msg *msg, struct radius_msg *sent_msg, | |
7d02e641 | 1158 | const u8 *secret, size_t secret_len) |
6fc6879b JM |
1159 | { |
1160 | u8 *key; | |
1161 | size_t keylen; | |
1162 | struct radius_ms_mppe_keys *keys; | |
1163 | ||
1164 | if (msg == NULL || sent_msg == NULL) | |
1165 | return NULL; | |
1166 | ||
1167 | keys = os_zalloc(sizeof(*keys)); | |
1168 | if (keys == NULL) | |
1169 | return NULL; | |
1170 | ||
1171 | key = radius_msg_get_vendor_attr(msg, RADIUS_VENDOR_ID_CISCO, | |
1172 | RADIUS_CISCO_AV_PAIR, &keylen); | |
1173 | if (key && keylen == 51 && | |
1174 | os_memcmp(key, "leap:session-key=", 17) == 0) { | |
1175 | keys->recv = decrypt_ms_key(key + 17, keylen - 17, | |
1176 | sent_msg->hdr->authenticator, | |
1177 | secret, secret_len, | |
1178 | &keys->recv_len); | |
1179 | } | |
1180 | os_free(key); | |
1181 | ||
1182 | return keys; | |
1183 | } | |
1184 | ||
1185 | ||
1186 | int radius_msg_add_mppe_keys(struct radius_msg *msg, | |
1187 | const u8 *req_authenticator, | |
1188 | const u8 *secret, size_t secret_len, | |
1189 | const u8 *send_key, size_t send_key_len, | |
1190 | const u8 *recv_key, size_t recv_key_len) | |
1191 | { | |
1192 | struct radius_attr_hdr *attr; | |
1193 | u32 vendor_id = htonl(RADIUS_VENDOR_ID_MICROSOFT); | |
1194 | u8 *buf; | |
1195 | struct radius_attr_vendor *vhdr; | |
1196 | u8 *pos; | |
1197 | size_t elen; | |
1198 | int hlen; | |
1199 | u16 salt; | |
1200 | ||
1201 | hlen = sizeof(vendor_id) + sizeof(*vhdr) + 2; | |
1202 | ||
1203 | /* MS-MPPE-Send-Key */ | |
1204 | buf = os_malloc(hlen + send_key_len + 16); | |
1205 | if (buf == NULL) { | |
1206 | return 0; | |
1207 | } | |
1208 | pos = buf; | |
1209 | os_memcpy(pos, &vendor_id, sizeof(vendor_id)); | |
1210 | pos += sizeof(vendor_id); | |
1211 | vhdr = (struct radius_attr_vendor *) pos; | |
1212 | vhdr->vendor_type = RADIUS_VENDOR_ATTR_MS_MPPE_SEND_KEY; | |
1213 | pos = (u8 *) (vhdr + 1); | |
e52a6989 AB |
1214 | if (os_get_random((u8 *) &salt, sizeof(salt)) < 0) { |
1215 | os_free(buf); | |
c06c9099 | 1216 | return 0; |
e52a6989 | 1217 | } |
c06c9099 | 1218 | salt |= 0x8000; |
6fc6879b JM |
1219 | WPA_PUT_BE16(pos, salt); |
1220 | pos += 2; | |
1221 | encrypt_ms_key(send_key, send_key_len, salt, req_authenticator, secret, | |
1222 | secret_len, pos, &elen); | |
1223 | vhdr->vendor_length = hlen + elen - sizeof(vendor_id); | |
1224 | ||
1225 | attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, | |
1226 | buf, hlen + elen); | |
1227 | os_free(buf); | |
1228 | if (attr == NULL) { | |
1229 | return 0; | |
1230 | } | |
1231 | ||
1232 | /* MS-MPPE-Recv-Key */ | |
dea0d8ee | 1233 | buf = os_malloc(hlen + recv_key_len + 16); |
6fc6879b JM |
1234 | if (buf == NULL) { |
1235 | return 0; | |
1236 | } | |
1237 | pos = buf; | |
1238 | os_memcpy(pos, &vendor_id, sizeof(vendor_id)); | |
1239 | pos += sizeof(vendor_id); | |
1240 | vhdr = (struct radius_attr_vendor *) pos; | |
1241 | vhdr->vendor_type = RADIUS_VENDOR_ATTR_MS_MPPE_RECV_KEY; | |
1242 | pos = (u8 *) (vhdr + 1); | |
1243 | salt ^= 1; | |
1244 | WPA_PUT_BE16(pos, salt); | |
1245 | pos += 2; | |
1246 | encrypt_ms_key(recv_key, recv_key_len, salt, req_authenticator, secret, | |
1247 | secret_len, pos, &elen); | |
1248 | vhdr->vendor_length = hlen + elen - sizeof(vendor_id); | |
1249 | ||
1250 | attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, | |
1251 | buf, hlen + elen); | |
1252 | os_free(buf); | |
1253 | if (attr == NULL) { | |
1254 | return 0; | |
1255 | } | |
1256 | ||
1257 | return 1; | |
1258 | } | |
1259 | ||
1260 | ||
0dd100fb JM |
1261 | int radius_msg_add_wfa(struct radius_msg *msg, u8 subtype, const u8 *data, |
1262 | size_t len) | |
1263 | { | |
1264 | struct radius_attr_hdr *attr; | |
1265 | u8 *buf, *pos; | |
1266 | size_t alen; | |
1267 | ||
1268 | alen = 4 + 2 + len; | |
1269 | buf = os_malloc(alen); | |
1270 | if (buf == NULL) | |
1271 | return 0; | |
1272 | pos = buf; | |
1273 | WPA_PUT_BE32(pos, RADIUS_VENDOR_ID_WFA); | |
1274 | pos += 4; | |
1275 | *pos++ = subtype; | |
1276 | *pos++ = 2 + len; | |
1277 | os_memcpy(pos, data, len); | |
1278 | attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, | |
1279 | buf, alen); | |
1280 | os_free(buf); | |
1281 | if (attr == NULL) | |
1282 | return 0; | |
1283 | ||
1284 | return 1; | |
1285 | } | |
1286 | ||
1287 | ||
8943cc99 JM |
1288 | int radius_user_password_hide(struct radius_msg *msg, |
1289 | const u8 *data, size_t data_len, | |
1290 | const u8 *secret, size_t secret_len, | |
1291 | u8 *buf, size_t buf_len) | |
6fc6879b | 1292 | { |
8943cc99 | 1293 | size_t padlen, i, pos; |
6fc6879b JM |
1294 | const u8 *addr[2]; |
1295 | size_t len[2]; | |
1296 | u8 hash[16]; | |
1297 | ||
8943cc99 JM |
1298 | if (data_len + 16 > buf_len) |
1299 | return -1; | |
6fc6879b JM |
1300 | |
1301 | os_memcpy(buf, data, data_len); | |
6fc6879b JM |
1302 | |
1303 | padlen = data_len % 16; | |
8943cc99 | 1304 | if (padlen && data_len < buf_len) { |
6fc6879b JM |
1305 | padlen = 16 - padlen; |
1306 | os_memset(buf + data_len, 0, padlen); | |
8943cc99 JM |
1307 | buf_len = data_len + padlen; |
1308 | } else { | |
1309 | buf_len = data_len; | |
6fc6879b JM |
1310 | } |
1311 | ||
1312 | addr[0] = secret; | |
1313 | len[0] = secret_len; | |
1314 | addr[1] = msg->hdr->authenticator; | |
1315 | len[1] = 16; | |
1316 | md5_vector(2, addr, len, hash); | |
1317 | ||
1318 | for (i = 0; i < 16; i++) | |
1319 | buf[i] ^= hash[i]; | |
1320 | pos = 16; | |
1321 | ||
1322 | while (pos < buf_len) { | |
1323 | addr[0] = secret; | |
1324 | len[0] = secret_len; | |
1325 | addr[1] = &buf[pos - 16]; | |
1326 | len[1] = 16; | |
1327 | md5_vector(2, addr, len, hash); | |
1328 | ||
1329 | for (i = 0; i < 16; i++) | |
1330 | buf[pos + i] ^= hash[i]; | |
1331 | ||
1332 | pos += 16; | |
1333 | } | |
1334 | ||
8943cc99 JM |
1335 | return buf_len; |
1336 | } | |
1337 | ||
1338 | ||
1339 | /* Add User-Password attribute to a RADIUS message and encrypt it as specified | |
1340 | * in RFC 2865, Chap. 5.2 */ | |
1341 | struct radius_attr_hdr * | |
1342 | radius_msg_add_attr_user_password(struct radius_msg *msg, | |
1343 | const u8 *data, size_t data_len, | |
1344 | const u8 *secret, size_t secret_len) | |
1345 | { | |
1346 | u8 buf[128]; | |
1347 | int res; | |
1348 | ||
1349 | res = radius_user_password_hide(msg, data, data_len, | |
1350 | secret, secret_len, buf, sizeof(buf)); | |
1351 | if (res < 0) | |
1352 | return NULL; | |
1353 | ||
6fc6879b | 1354 | return radius_msg_add_attr(msg, RADIUS_ATTR_USER_PASSWORD, |
8943cc99 | 1355 | buf, res); |
6fc6879b JM |
1356 | } |
1357 | ||
1358 | ||
1359 | int radius_msg_get_attr(struct radius_msg *msg, u8 type, u8 *buf, size_t len) | |
1360 | { | |
1361 | struct radius_attr_hdr *attr = NULL, *tmp; | |
1362 | size_t i, dlen; | |
1363 | ||
1364 | for (i = 0; i < msg->attr_used; i++) { | |
1365 | tmp = radius_get_attr_hdr(msg, i); | |
1366 | if (tmp->type == type) { | |
1367 | attr = tmp; | |
1368 | break; | |
1369 | } | |
1370 | } | |
1371 | ||
47e9d50d | 1372 | if (!attr || attr->length < sizeof(*attr)) |
6fc6879b JM |
1373 | return -1; |
1374 | ||
1375 | dlen = attr->length - sizeof(*attr); | |
1376 | if (buf) | |
1377 | os_memcpy(buf, (attr + 1), dlen > len ? len : dlen); | |
1378 | return dlen; | |
1379 | } | |
1380 | ||
1381 | ||
1382 | int radius_msg_get_attr_ptr(struct radius_msg *msg, u8 type, u8 **buf, | |
1383 | size_t *len, const u8 *start) | |
1384 | { | |
1385 | size_t i; | |
1386 | struct radius_attr_hdr *attr = NULL, *tmp; | |
1387 | ||
1388 | for (i = 0; i < msg->attr_used; i++) { | |
1389 | tmp = radius_get_attr_hdr(msg, i); | |
1390 | if (tmp->type == type && | |
1391 | (start == NULL || (u8 *) tmp > start)) { | |
1392 | attr = tmp; | |
1393 | break; | |
1394 | } | |
1395 | } | |
1396 | ||
47e9d50d | 1397 | if (!attr || attr->length < sizeof(*attr)) |
6fc6879b JM |
1398 | return -1; |
1399 | ||
1400 | *buf = (u8 *) (attr + 1); | |
1401 | *len = attr->length - sizeof(*attr); | |
1402 | return 0; | |
1403 | } | |
1404 | ||
1405 | ||
1406 | int radius_msg_count_attr(struct radius_msg *msg, u8 type, int min_len) | |
1407 | { | |
1408 | size_t i; | |
1409 | int count; | |
1410 | ||
1411 | for (count = 0, i = 0; i < msg->attr_used; i++) { | |
1412 | struct radius_attr_hdr *attr = radius_get_attr_hdr(msg, i); | |
1413 | if (attr->type == type && | |
1414 | attr->length >= sizeof(struct radius_attr_hdr) + min_len) | |
1415 | count++; | |
1416 | } | |
1417 | ||
1418 | return count; | |
1419 | } | |
1420 | ||
1421 | ||
1422 | struct radius_tunnel_attrs { | |
1423 | int tag_used; | |
1424 | int type; /* Tunnel-Type */ | |
1425 | int medium_type; /* Tunnel-Medium-Type */ | |
1426 | int vlanid; | |
1427 | }; | |
1428 | ||
1429 | ||
8e44c192 MB |
1430 | static int cmp_int(const void *a, const void *b) |
1431 | { | |
1432 | int x, y; | |
1433 | ||
1434 | x = *((int *) a); | |
1435 | y = *((int *) b); | |
1436 | return (x - y); | |
1437 | } | |
1438 | ||
1439 | ||
6fc6879b JM |
1440 | /** |
1441 | * radius_msg_get_vlanid - Parse RADIUS attributes for VLAN tunnel information | |
8e44c192 MB |
1442 | * The k tagged vlans found are sorted by vlan_id and stored in the first k |
1443 | * items of tagged. | |
1444 | * | |
6fc6879b | 1445 | * @msg: RADIUS message |
8e44c192 MB |
1446 | * @untagged: Pointer to store untagged vid |
1447 | * @numtagged: Size of tagged | |
1448 | * @tagged: Pointer to store tagged list | |
1449 | * | |
1450 | * Returns: 0 if neither tagged nor untagged configuration is found, 1 otherwise | |
6fc6879b | 1451 | */ |
8e44c192 MB |
1452 | int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, |
1453 | int *tagged) | |
6fc6879b JM |
1454 | { |
1455 | struct radius_tunnel_attrs tunnel[RADIUS_TUNNEL_TAGS], *tun; | |
1456 | size_t i; | |
1457 | struct radius_attr_hdr *attr = NULL; | |
1458 | const u8 *data; | |
1459 | char buf[10]; | |
1460 | size_t dlen; | |
8e44c192 | 1461 | int j, taggedidx = 0, vlan_id; |
6fc6879b JM |
1462 | |
1463 | os_memset(&tunnel, 0, sizeof(tunnel)); | |
8e44c192 MB |
1464 | for (j = 0; j < numtagged; j++) |
1465 | tagged[j] = 0; | |
1466 | *untagged = 0; | |
6fc6879b JM |
1467 | |
1468 | for (i = 0; i < msg->attr_used; i++) { | |
1469 | attr = radius_get_attr_hdr(msg, i); | |
47e9d50d JM |
1470 | if (attr->length < sizeof(*attr)) |
1471 | return -1; | |
6fc6879b JM |
1472 | data = (const u8 *) (attr + 1); |
1473 | dlen = attr->length - sizeof(*attr); | |
1474 | if (attr->length < 3) | |
1475 | continue; | |
1476 | if (data[0] >= RADIUS_TUNNEL_TAGS) | |
1477 | tun = &tunnel[0]; | |
1478 | else | |
1479 | tun = &tunnel[data[0]]; | |
1480 | ||
1481 | switch (attr->type) { | |
1482 | case RADIUS_ATTR_TUNNEL_TYPE: | |
1483 | if (attr->length != 6) | |
1484 | break; | |
1485 | tun->tag_used++; | |
1486 | tun->type = WPA_GET_BE24(data + 1); | |
1487 | break; | |
1488 | case RADIUS_ATTR_TUNNEL_MEDIUM_TYPE: | |
1489 | if (attr->length != 6) | |
1490 | break; | |
1491 | tun->tag_used++; | |
1492 | tun->medium_type = WPA_GET_BE24(data + 1); | |
1493 | break; | |
1494 | case RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID: | |
1495 | if (data[0] < RADIUS_TUNNEL_TAGS) { | |
1496 | data++; | |
1497 | dlen--; | |
1498 | } | |
1499 | if (dlen >= sizeof(buf)) | |
1500 | break; | |
1501 | os_memcpy(buf, data, dlen); | |
1502 | buf[dlen] = '\0'; | |
8e44c192 MB |
1503 | vlan_id = atoi(buf); |
1504 | if (vlan_id <= 0) | |
1505 | break; | |
6fc6879b | 1506 | tun->tag_used++; |
8e44c192 MB |
1507 | tun->vlanid = vlan_id; |
1508 | break; | |
1509 | case RADIUS_ATTR_EGRESS_VLANID: /* RFC 4675 */ | |
1510 | if (attr->length != 6) | |
1511 | break; | |
1512 | vlan_id = WPA_GET_BE24(data + 1); | |
1513 | if (vlan_id <= 0) | |
1514 | break; | |
1515 | if (data[0] == 0x32) | |
1516 | *untagged = vlan_id; | |
1517 | else if (data[0] == 0x31 && tagged && | |
1518 | taggedidx < numtagged) | |
1519 | tagged[taggedidx++] = vlan_id; | |
6fc6879b JM |
1520 | break; |
1521 | } | |
1522 | } | |
1523 | ||
8e44c192 | 1524 | /* Use tunnel with the lowest tag for untagged VLAN id */ |
6fc6879b JM |
1525 | for (i = 0; i < RADIUS_TUNNEL_TAGS; i++) { |
1526 | tun = &tunnel[i]; | |
1527 | if (tun->tag_used && | |
1528 | tun->type == RADIUS_TUNNEL_TYPE_VLAN && | |
1529 | tun->medium_type == RADIUS_TUNNEL_MEDIUM_TYPE_802 && | |
8e44c192 MB |
1530 | tun->vlanid > 0) { |
1531 | *untagged = tun->vlanid; | |
1532 | break; | |
1533 | } | |
6fc6879b JM |
1534 | } |
1535 | ||
8e44c192 MB |
1536 | if (taggedidx) |
1537 | qsort(tagged, taggedidx, sizeof(int), cmp_int); | |
1538 | ||
1539 | if (*untagged > 0 || taggedidx) | |
1540 | return 1; | |
3ffdeb7a | 1541 | return 0; |
6fc6879b | 1542 | } |
010dc068 JM |
1543 | |
1544 | ||
05ab9712 MB |
1545 | /** |
1546 | * radius_msg_get_tunnel_password - Parse RADIUS attribute Tunnel-Password | |
1547 | * @msg: Received RADIUS message | |
1548 | * @keylen: Length of returned password | |
1549 | * @secret: RADIUS shared secret | |
1550 | * @secret_len: Length of secret | |
1551 | * @sent_msg: Sent RADIUS message | |
14e91947 MB |
1552 | * @n: Number of password attribute to return (starting with 0) |
1553 | * Returns: Pointer to n-th password (free with os_free) or %NULL | |
05ab9712 MB |
1554 | */ |
1555 | char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, | |
1556 | const u8 *secret, size_t secret_len, | |
14e91947 | 1557 | struct radius_msg *sent_msg, size_t n) |
05ab9712 MB |
1558 | { |
1559 | u8 *buf = NULL; | |
1560 | size_t buflen; | |
1561 | const u8 *salt; | |
1562 | u8 *str; | |
1563 | const u8 *addr[3]; | |
1564 | size_t len[3]; | |
1565 | u8 hash[16]; | |
1566 | u8 *pos; | |
14e91947 | 1567 | size_t i, j = 0; |
05ab9712 MB |
1568 | struct radius_attr_hdr *attr; |
1569 | const u8 *data; | |
1570 | size_t dlen; | |
1571 | const u8 *fdata = NULL; /* points to found item */ | |
1572 | size_t fdlen = -1; | |
1573 | char *ret = NULL; | |
1574 | ||
14e91947 | 1575 | /* find n-th valid Tunnel-Password attribute */ |
05ab9712 MB |
1576 | for (i = 0; i < msg->attr_used; i++) { |
1577 | attr = radius_get_attr_hdr(msg, i); | |
1578 | if (attr == NULL || | |
1579 | attr->type != RADIUS_ATTR_TUNNEL_PASSWORD) { | |
1580 | continue; | |
1581 | } | |
1582 | if (attr->length <= 5) | |
1583 | continue; | |
1584 | data = (const u8 *) (attr + 1); | |
1585 | dlen = attr->length - sizeof(*attr); | |
1586 | if (dlen <= 3 || dlen % 16 != 3) | |
1587 | continue; | |
14e91947 MB |
1588 | j++; |
1589 | if (j <= n) | |
05ab9712 MB |
1590 | continue; |
1591 | ||
1592 | fdata = data; | |
1593 | fdlen = dlen; | |
14e91947 | 1594 | break; |
05ab9712 MB |
1595 | } |
1596 | if (fdata == NULL) | |
1597 | goto out; | |
1598 | ||
1599 | /* alloc writable memory for decryption */ | |
1600 | buf = os_malloc(fdlen); | |
1601 | if (buf == NULL) | |
1602 | goto out; | |
1603 | os_memcpy(buf, fdata, fdlen); | |
1604 | buflen = fdlen; | |
1605 | ||
1606 | /* init pointers */ | |
1607 | salt = buf + 1; | |
1608 | str = buf + 3; | |
1609 | ||
1610 | /* decrypt blocks */ | |
1611 | pos = buf + buflen - 16; /* last block */ | |
1612 | while (pos >= str + 16) { /* all but the first block */ | |
1613 | addr[0] = secret; | |
1614 | len[0] = secret_len; | |
1615 | addr[1] = pos - 16; | |
1616 | len[1] = 16; | |
1617 | md5_vector(2, addr, len, hash); | |
1618 | ||
1619 | for (i = 0; i < 16; i++) | |
1620 | pos[i] ^= hash[i]; | |
1621 | ||
1622 | pos -= 16; | |
1623 | } | |
1624 | ||
1625 | /* decrypt first block */ | |
1626 | if (str != pos) | |
1627 | goto out; | |
1628 | addr[0] = secret; | |
1629 | len[0] = secret_len; | |
1630 | addr[1] = sent_msg->hdr->authenticator; | |
1631 | len[1] = 16; | |
1632 | addr[2] = salt; | |
1633 | len[2] = 2; | |
1634 | md5_vector(3, addr, len, hash); | |
1635 | ||
1636 | for (i = 0; i < 16; i++) | |
1637 | pos[i] ^= hash[i]; | |
1638 | ||
1639 | /* derive plaintext length from first subfield */ | |
1640 | *keylen = (unsigned char) str[0]; | |
1641 | if ((u8 *) (str + *keylen) >= (u8 *) (buf + buflen)) { | |
1642 | /* decryption error - invalid key length */ | |
1643 | goto out; | |
1644 | } | |
1645 | if (*keylen == 0) { | |
1646 | /* empty password */ | |
1647 | goto out; | |
1648 | } | |
1649 | ||
1650 | /* copy passphrase into new buffer */ | |
1651 | ret = os_malloc(*keylen); | |
1652 | if (ret) | |
1653 | os_memcpy(ret, str + 1, *keylen); | |
1654 | ||
1655 | out: | |
1656 | /* return new buffer */ | |
1657 | os_free(buf); | |
1658 | return ret; | |
1659 | } | |
1660 | ||
1661 | ||
010dc068 JM |
1662 | void radius_free_class(struct radius_class_data *c) |
1663 | { | |
1664 | size_t i; | |
1665 | if (c == NULL) | |
1666 | return; | |
1667 | for (i = 0; i < c->count; i++) | |
1668 | os_free(c->attr[i].data); | |
1669 | os_free(c->attr); | |
1670 | c->attr = NULL; | |
1671 | c->count = 0; | |
1672 | } | |
1673 | ||
1674 | ||
1675 | int radius_copy_class(struct radius_class_data *dst, | |
1676 | const struct radius_class_data *src) | |
1677 | { | |
1678 | size_t i; | |
1679 | ||
1680 | if (src->attr == NULL) | |
1681 | return 0; | |
1682 | ||
f9884c09 | 1683 | dst->attr = os_calloc(src->count, sizeof(struct radius_attr_data)); |
010dc068 JM |
1684 | if (dst->attr == NULL) |
1685 | return -1; | |
1686 | ||
1687 | dst->count = 0; | |
1688 | ||
1689 | for (i = 0; i < src->count; i++) { | |
1690 | dst->attr[i].data = os_malloc(src->attr[i].len); | |
1691 | if (dst->attr[i].data == NULL) | |
1692 | break; | |
1693 | dst->count++; | |
1694 | os_memcpy(dst->attr[i].data, src->attr[i].data, | |
1695 | src->attr[i].len); | |
1696 | dst->attr[i].len = src->attr[i].len; | |
1697 | } | |
1698 | ||
1699 | return 0; | |
1700 | } | |
fc2a924a JM |
1701 | |
1702 | ||
1703 | u8 radius_msg_find_unlisted_attr(struct radius_msg *msg, u8 *attrs) | |
1704 | { | |
1705 | size_t i, j; | |
1706 | struct radius_attr_hdr *attr; | |
1707 | ||
1708 | for (i = 0; i < msg->attr_used; i++) { | |
1709 | attr = radius_get_attr_hdr(msg, i); | |
1710 | ||
1711 | for (j = 0; attrs[j]; j++) { | |
1712 | if (attr->type == attrs[j]) | |
1713 | break; | |
1714 | } | |
1715 | ||
1716 | if (attrs[j] == 0) | |
1717 | return attr->type; /* unlisted attr */ | |
1718 | } | |
1719 | ||
1720 | return 0; | |
1721 | } | |
1fc63fe2 JM |
1722 | |
1723 | ||
1724 | int radius_gen_session_id(u8 *id, size_t len) | |
1725 | { | |
1726 | /* | |
1727 | * Acct-Session-Id and Acct-Multi-Session-Id should be globally and | |
1728 | * temporarily unique. A high quality random number is required | |
1729 | * therefore. This could be be improved by switching to a GUID. | |
1730 | */ | |
1731 | return os_get_random(id, len); | |
1732 | } |