radius.c revision 36c5fee33fa8b822175d410202aebcf592c8d342
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <fcntl.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <stdlib.h>
#include <md5.h>
#include "target.h"
#include "radius.h"
/* Forward declaration */
/*
 * Encode a CHAP-Password attribute (RFC 2865 section 5.3). This function
 * prepends the one-octet CHAP identifier to chap_passwd and copies the
 * result into *result.
 */
static
void
int chap_passwd_len,
int
snd_radius_request(int sd,
int
rcv_radius_response(int sd,
/*
* Annotate the radius_attr_t objects with authentication data.
*/
static
void
char *target_chap_name,
unsigned char *target_response,
/*
* See radius_auth.h.
*/
/* ARGSUSED */
/*
 * Validate a CHAP response by asking the configured RADIUS server.
 *
 * NOTE(review): the signature of this function is not visible in this
 * extract (only the trailing initiator_chap_name parameter survives);
 * its contract is documented in radius_auth.h.  It returns one of the
 * CHAP_VALIDATION_* codes used below.
 */
char *initiator_chap_name,
{
	int rcv_status;			/* result of rcv_radius_response() */
	int sd;				/* UDP socket to the RADIUS server */
	int rc;
	struct sockaddr_in sockaddr;
	int fd;				/* source of random bytes for the authenticator */

	/*
	 * Refuse to talk to the server at all with an empty shared secret:
	 * both the request and the response authenticator are keyed on it,
	 * so an empty secret would make the response check meaningless.
	 */
	if (rad_svr_shared_secret_len == 0) {
		/* The secret must not be empty (section 3, RFC 2865) */
		return (CHAP_VALIDATION_BAD_RADIUS_SECRET);
	}
	/* Prepare the request authenticator */
	/* First, the shared secret */
	/*
	 * Then a unique number - use a random number.
	 * NOTE(review): the Request Authenticator must be unpredictable
	 * (RFC 2865 section 3); it is what binds the server's response
	 * authenticator to this request.  Confirm fd is a CSPRNG source
	 * (e.g. /dev/urandom) and that a short read is treated as failure.
	 */
	if (fd == -1)
		return (CHAP_VALIDATION_INTERNAL_ERROR);
	/* Create UDP socket */
	if (sd < 0) {
		/* NOTE(review): if fd is still open here it leaks on this return - confirm. */
		return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
	}
	if (rc < 0) {
		/*
		 * NOTE(review): sd was created above; unless it is closed in
		 * lines not shown here, this early return leaks the socket.
		 */
		return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
	}
	/* Send the authentication access request to the RADIUS server */
	if (snd_radius_request(sd,
	    &req) == -1) {
		/* NOTE(review): same socket-leak concern as above - confirm sd is closed. */
		return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
	}
	/*
	 * Analyze the response coming through from the same socket.
	 * Only RAD_RSP_RCVD_SUCCESS means the reply passed the length and
	 * response-authenticator checks in rcv_radius_response(); a timeout,
	 * protocol error or authenticator mismatch must never be mapped to
	 * a successful validation.
	 */
	if (rcv_status == RAD_RSP_RCVD_SUCCESS) {
	} else {
	}
	} else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) {
	} else {
	}
	return (validation_status);
}
/* See forward declaration. */
static void
char *target_chap_name,
unsigned char *target_response,
{
(const char *)target_chap_name,
/* A target response is an MD5 hash thus its length has to be 16. */
/* 3 attributes associated with each RADIUS packet. */
}
/*
* See radius_packet.h.
*/
int
snd_radius_request(int sd,
{
	int i; /* Loop counter. */
	int data_len;
	int len;
	/* packet. */
	union {
		struct sockaddr_in s_in4;
		struct sockaddr_in6 s_in6;
	} sa_rsvr; /* Socket address of the server */
	/*
	 * Create a RADIUS packet with minimal length for now.
	 */
	/*
	 * Loop over all attributes of the request, appending each one in
	 * Type / Length / Value form (RFC 2865 section 5).
	 */
	for (i = 0; i < req_data->num_of_attrs; i++) {
		if (total_length > MAX_RAD_PACKET_LEN) {
			/* The packet has exceeded its maximum size. */
			return (-1);
		}
		/*
		 * NOTE(review): this bound is tested before the current
		 * attribute's 2 + len octets are appended, not after.  If the
		 * packet buffer is exactly MAX_RAD_PACKET_LEN octets, an
		 * attribute appended when total_length is just under the limit
		 * can run past it; checking total_length + 2 + len (with len
		 * known) before writing would close that gap - confirm the
		 * buffer size.
		 */
		length_ptr = ptr;
		/*
		 * The Length field itself is one octet (RFC 2865 section 5);
		 * it starts at 2 to count the Type and Length octets, and the
		 * value length is added once it is known.
		 */
		*ptr++ = 2;
		total_length += 2;
		/* If the attribute is CHAP-Password, encode it. */
		/*
		 * Identifier plus CHAP response. RFC 2865
		 * section 5.3.
		 */
		1];
		}
		*length_ptr += len;
		total_length += len;
	} /* Done looping over all attributes */
	/*
	 * Send the packet to the RADIUS server.
	 */
	int ret;
	/* IPv4 */
	/*
	 * sin_port is of type u_short (or ushort_t - POSIX compliant).
	 */
	    sizeof (struct sockaddr_in));
	return (ret);
	/* IPv6 */
	/*
	 * sin6_port is of type in_port_t (i.e., uint16_t).
	 */
	/* No IPv6 support for now: an IPv6 server address is a send failure. */
	return (-1);
	} else {
		/* Invalid IP address for RADIUS server. */
		return (-1);
	}
}
/*
* See radius_packet.h.
*/
int
rcv_radius_response(int sd,
{
	int poll_cnt = 0;		/* poll attempts so far */
	int rcv_len = 0;		/* octets actually received */
	uint16_t declared_len = 0;	/* Length field of the RADIUS header */
	/*
	 * Poll and receive RADIUS packet.
	 * NOTE(review): this loop only re-polls the socket up to
	 * RAD_RETRY_MAX times; the request itself is not retransmitted,
	 * so a single lost datagram ends in RAD_RSP_RCVD_TIMEOUT - confirm
	 * that is the intended behaviour.
	 */
	poll_cnt = 0;
	do {
			/* poll() itself failed: treat as a protocol error. */
			return (RAD_RSP_RCVD_PROTOCOL_ERR);
		}
			/* Data is ready; leave the retry loop. */
			break;
		} else {
			poll_cnt++;
		}
	} while (poll_cnt < RAD_RETRY_MAX);
	if (poll_cnt >= RAD_RETRY_MAX) {
		return (RAD_RSP_RCVD_TIMEOUT);
	}
	if (rcv_len < 0) {
		/* Socket error. */
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	}
	/*
	 * Check if the received packet length is within allowable range.
	 * RFC 2865 section 3.  This runs before any header field is read,
	 * so (presumably MIN_RAD_PACKET_LEN >= RAD_PACKET_HDR_LEN) the
	 * header is known to be present when declared_len is extracted.
	 */
	if (rcv_len < MIN_RAD_PACKET_LEN) {
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	} else if (rcv_len > MAX_RAD_PACKET_LEN) {
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	}
	/*
	 * Check if the declared packet length is within allowable range.
	 * RFC 2865 section 3.
	 */
	if (declared_len < MIN_RAD_PACKET_LEN) {
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	} else if (declared_len > MAX_RAD_PACKET_LEN) {
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	}
	/*
	 * Discard packet with received length shorter than declared
	 * length. RFC 2865 section 3.  After this check declared_len is a
	 * safe bound: everything read below lies within the rcv_len octets
	 * actually received.
	 */
	if (rcv_len < declared_len) {
		return (RAD_RSP_RCVD_PROTOCOL_ERR);
	}
	/*
	 * Authenticate the incoming packet, using the following algorithm
	 * (RFC 2865 section 3):
	 *
	 * MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
	 *
	 * Code = RADIUS packet code
	 * ID = RADIUS packet identifier
	 * Length = Declared length of the packet
	 * RequestAuth = The request authenticator
	 * Attributes = The response attributes
	 * Secret = The shared secret
	 *
	 * The digest covers declared_len octets, not rcv_len, so trailing
	 * padding cannot influence the result.
	 * NOTE(review): a client normally also checks that the reply's
	 * Identifier matches the outstanding request; that comparison is
	 * not visible in this extract - confirm it happens (the
	 * authenticator already covers the Identifier, so this is defence
	 * in depth rather than the primary check).
	 */
	/* Include response attributes only if there is a payload */
	if (declared_len > RAD_PACKET_HDR_LEN) {
		/* Response Attributes */
	}
	/*
	 * NOTE(review): if the comparison below is bcmp()/memcmp() it
	 * returns on the first differing octet; a constant-time compare is
	 * the usual hardening for authenticator checks.  A mismatch is
	 * reported as RAD_RSP_RCVD_AUTH_FAILED and never as SUCCESS, so a
	 * forged or unauthenticated reply cannot satisfy the caller.
	 */
	    != 0) {
		return (RAD_RSP_RCVD_AUTH_FAILED);
	}
	/*
	 * If the received length is greater than the declared length,
	 * trust the declared length and shorten the packet (i.e., to
	 * treat the octets outside the range of the Length field as
	 * padding - RFC 2865 section 3).
	 */
	if (rcv_len > declared_len) {
		/* Clear the padding data. */
	}
	/*
	 * Annotate the RADIUS packet data with the data we received from
	 * the server.  Reached only once every length check and the
	 * response-authenticator check above have passed.
	 */
	return (RAD_RSP_RCVD_SUCCESS);
}
static
void
int chap_passwd_len,
{
}