/* * Copyright (c) 2009 Mark Fullmer * Copyright (c) 2009 Mark Fullmer and the Ohio State University * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: rad.h 157 2011-04-06 03:57:29Z maf $ */ #include #include "sys/queue.h" #include #define URD_PORT 1812 /* UDP port */ #define URD_HEADER_LEN 20 /* radius packet header length */ #define URD_MAX_DGRAM_LEN 4096 /* MAX datagram size */ #define URD_MAX_TLV 2048 /* MAX number of TLV's */ #define URD_USER_PASS_LEN 32 /* MAX user password - multiples of 16 */ #define URD_USER_NAME_LEN 32 /* MAX user name length */ #define URD_SECRET_LEN 32 /* MAX server/client secret length */ #define URD_PACKET_LEN_MIN 20 /* minimum datagram length */ #define URD_TLV_STATE_LEN 20 /* length of state tlv data */ /* can encode a PRIu64 which is up to 20 digits in ASCII */ #define URD_TLV_REPLY_MSG_LEN 20 /* length of state reply message data */ /* * The cache length should be a minimum (max queries/second * cache seconds) * ie, 1000 queries per second * 10 second cache lifetime = 10000 entries * entries are kept in a ring buffer with a hashed entry lookup. * * The state cache shares the request cache entry list. State caching * is used to pair up requests in a challenge/response to emulate a * session. These cache entries will need to live for as long as it * takes a user to enter their challenge/reponse, ie 60 seconds or * more. At 1000 queries/second * 90 second cache lifetime = 90000 * entries. A challenge/response will also consume two entries, one * for the original request and one for the challenge (state) request. */ #define URD_REQ_CACHE_LIFETIME 10 /* lifetime of cache entry in seconds */ #define URD_REQ_CACHE_ENTRIES 16384 /* reply cache entries */ #define URD_REQ_CACHE_HIT 1 /* cache hit */ #define URD_REQ_CACHE_MISS 0 /* cache miss */ #define URD_REQ_CACHE_FLAG_INUSE 0x1 /* cache entry is in use */ #define URD_STATE_CACHE_FLAG_INUSE 0x2 /* cache entry is in use */ /* Hash buckets is dependent on the hash function.. */ #define URD_REQ_HASH_BUCKET_BITS 16 /* number of hash buckets */ #define URD_STATE_CACHE_LIFETIME 90 /* lifetime of cache entry in seconds */ #define URD_STATE_CACHE_HIT 1 /* cache hit */ #define URD_STATE_CACHE_MISS 0 /* cache miss */ #define URD_CACHE_FLAG_STATE 0x1 /* prep lookup by state too */ #define URD_CACHE_FLAG_MSG 0x2 /* hint to encode message */ #define URD_ENCODE_FLAG_STATE 0x1 /* encode state in reply */ #define URD_ENCODE_FLAG_MSG 0x2 /* encode message in reply */ /* Hash buckets is dependent on the hash function.. */ #define URD_STATE_HASH_BUCKET_BITS 16 /* number of hash buckets */ #define RADIUS_AUTHENTICATOR_LEN 16 #define RADIUS_CODE_ACCESS_REQUEST 1 #define RADIUS_CODE_ACCESS_ACCEPT 2 #define RADIUS_CODE_ACCESS_REJECT 3 #define RADIUS_CODE_ACCOUNTING_REQUEST 4 #define RADIUS_CODE_ACCOUNTING_RESPONSE 5 #define RADIUS_CODE_ACCESS_CHALLENGE 11 #define RADIUS_CODE_STATUS_SERVER 12 #define RADIUS_CODE_STATUS_CLIENT 13 #define RADIUS_CODE_RESERVED 255 #define RADIUS_ATTRIB_USER_NAME 1 #define RADIUS_ATTRIB_USER_PASSWORD 2 #define RADIUS_ATTRIB_CHAP_PASSWORD 3 #define RADIUS_ATTRIB_NAS_IP_ADDRESS 4 #define RADIUS_ATTRIB_NAS_PORT 5 #define RADIUS_ATTRIB_SERVICE_TYPE 6 #define RADIUS_ATTRIB_FRAMED_PROTOCOL 7 #define RADIUS_ATTRIB_FRAMED_IP_ADDRESS 8 #define RADIUS_ATTRIB_FRAMED_IP_NETMASK 9 #define RADIUS_ATTRIB_FRAMED_ROUTING 10 #define RADIUS_ATTRIB_FILTER_ID 11 #define RADIUS_ATTRIB_FRAMED_MTU 12 #define RADIUS_ATTRIB_FRAMED_COMPRESSION 13 #define RADIUS_ATTRIB_LOGIN_IP_HOST 14 #define RADIUS_ATTRIB_LOGIN_SERVICE 15 #define RADIUS_ATTRIB_LOGIN_TCP_PORT 16 #define RADIUS_ATTRIB_REPLY_MESSAGE 18 #define RADIUS_ATTRIB_CALLBACK_NUMBER 19 #define RADIUS_ATTRIB_CALLBACK_ID 20 #define RADIUS_ATTRIB_FRAMED_ROUTE 22 #define RADIUS_ATTRIB_FRAMED_IPX_NETWORK 23 #define RADIUS_ATTRIB_STATE 24 #define RADIUS_ATTRIB_CLASS 25 #define RADIUS_ATTRIB_VENDOR_SPECIFIC 26 #define RADIUS_ATTRIB_SESSION_TIMEOUT 27 #define RADIUS_ATTRIB_IDLE_TIMEOUT 28 #define RADIUS_ATTRIB_TERMINATION_ACTION 29 #define RADIUS_ATTRIB_CALLED_STATION_ID 30 #define RADIUS_ATTRIB_CALLING_STATION_ID 31 #define RADIUS_ATTRIB_NAS_IDENTIFIER 32 #define RADIUS_ATTRIB_PROXY_STATE 33 #define RADIUS_ATTRIB_LOGIN_LAT_SERVICE 34 #define RADIUS_ATTRIB_LOGIN_LAT_GROUP 35 #define RADIUS_ATTRIB_FRAMED_APPLETALK_LINK 36 #define RADIUS_ATTRIB_FRAMED_APPLETALK_NETWORK 37 #define RADIUS_ATTRIB_FRAMED_APPLETALK_ZONE 38 #define RADIUS_ATTRIB_CHAP_CHALLENGE 60 #define RADIUS_ATTRIB_NAS_PORT_TYPE 61 #define RADIUS_ATTRIB_PORT_LIMIT 62 #define RADIUS_ATTRIB_LOGIN_LAT_PORT 63 #define URD_DECODE_TYPE_HEX 0 #define URD_DECODE_TYPE_CHAR 1 #define URD_DECODE_TYPE_IP 2 #define URD_DECODE_TYPE_HIDDEN 3 struct radius_dgram_header { uint8_t code; uint8_t identifier; uint16_t length; uint8_t authenticator[16]; }; struct urd_tlv { uint8_t type; uint8_t len; uint8_t *val; }; struct urd_tlv_state { uint8_t type; uint8_t len; uint8_t val[URD_TLV_STATE_LEN]; }; struct urd_tlv_rep_msg { uint8_t type; uint8_t len; uint8_t val[URD_TLV_REPLY_MSG_LEN]; }; struct urd_req_cache_entry { uint8_t rad_auth[16]; /* req_hash/rkey */ char user_name[URD_USER_NAME_LEN+1]; /* key */ char user_pass[URD_USER_PASS_LEN+1]; /* key */ uint64_t state_counter; /* state_hash/key */ uint64_t otp_count; /* OTP count */ time_t create_time; /* cache maintenance */ uint8_t rad_code; /* data to be cached */ uint8_t rad_id; /* req_hash/key */ uint8_t rexmit_count; /* retransmit count */ uint8_t flags; /* flags */ LIST_ENTRY (urd_req_cache_entry) req_chain; /* req_hash chain */ LIST_ENTRY (urd_req_cache_entry) state_chain; /* state_hash chain */ }; /* * contiguous list of urd_req_cache_entry [0..URD_REQ_CACHE_SIZE-1] * * allocation is done on a round robin basis: * if (++ce_index >= URD_REQ_CACHE_SIZE) * rce_index = 0; * * when storing an entry (rce_index always points to the next free entry) * if (entry.flags & URD_REQ_CACHE_FLAG_INUSE) then * remove entry from req_chain before using. * * counter initialized to 1, counter=0 is a stateless cache entry, ie * initial request * * all _new_ replies go into the cache * state = rad_auth+user_name+rad_id+counter * * cache_expire * - incremental by n (512) entries * cache_lookup * */ struct urd_req { EVP_MD_CTX mdctx; /* MD5 context */ uint8_t pkt_buf[URD_MAX_DGRAM_LEN]; /* raw datagram */ struct radius_dgram_header dgram_header; /* datagram header */ struct sockaddr_in rem_addr; /* remote host */ int pkt_len; /* packet length */ int tlv_count; /* number TLV's */ struct urd_tlv tlv[URD_MAX_TLV]; /* decoded TLV's */ char user_name[URD_USER_NAME_LEN+1]; /* C string */ char user_pass[URD_USER_PASS_LEN+1]; /* C string (clear) */ char user_name_base[URD_USER_NAME_LEN+1]; /* C string (clear) */ uint64_t state_counter; /* decoded state TLV */ /* shortcuts */ struct urd_tlv *tlv_User_Name; struct urd_tlv *tlv_NAS_IP_Address; struct urd_tlv *tlv_NAS_Port; struct urd_tlv *tlv_NAS_Port_Type; struct urd_tlv *tlv_NAS_Identifier; struct urd_tlv *tlv_User_Password; struct urd_tlv *tlv_State; }; struct urd_rep { uint8_t pkt_buf[URD_MAX_DGRAM_LEN]; /* raw datagram */ int pkt_len; /* packet length */ struct sockaddr_in rem_addr; /* remote host */ }; struct urd_ctx { uint64_t state_counter; struct urd_req req; struct urd_rep rep; int req_cache_len; LIST_HEAD(urd_req_cache_entry_head, urd_req_cache_entry)\ req_cache_bucket[1<<(URD_REQ_HASH_BUCKET_BITS)]; LIST_HEAD(urd_state_cache_entry_head, urd_req_cache_entry)\ state_cache_bucket[1<<(URD_STATE_HASH_BUCKET_BITS)]; struct urd_req_cache_entry req_cache[URD_REQ_CACHE_ENTRIES]; char rsecret[URD_SECRET_LEN+1]; int debug; }; int urd_req_decode(struct urd_ctx *urdctx); void urd_req_dump(struct urd_ctx *urdctx); int urd_rep_encode(struct urd_ctx *urdctx, uint8_t code, uint64_t state_counter, uint64_t otp_count, int rep_encode_flags); struct urd_ctx *urd_ctx_new(char *rsecret); void urd_ctx_free(struct urd_ctx *urdctx); int urd_req_cache_update(struct urd_ctx *urdctx, uint8_t code, uint64_t state_counter, uint64_t otp_count, int req_cache_flags); int urd_req_cache_lookup(struct urd_ctx *urdctx, uint8_t *code, uint64_t *state_counter, uint64_t *otp_count, int *cache_flags); int urd_state_cache_lookup(struct urd_ctx *urdctx, uint8_t *code); void urd_state_cache_stats(struct urd_ctx *urdctx); void urd_req_cache_stats(struct urd_ctx *urdctx); void urd_debug(struct urd_ctx *urdctx, int debug);