cryb.to
/
cryb-otp
mirror of https://github.com/cryb-to/cryb-otp.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Proof-of-concept RADIUS server. 

It is not yet capable of handling OTP requests, but all the elements are there: it can receive and decode Access-Request messages and respond with either Access-Accept or Access-Reject.  All that remains is to refactor the guts of otpkey into libotp and plug them into otpradiusd.
This commit is contained in:
Dag-Erling Smørgrav 2018-05-13 00:21:55 +02:00
parent a169d5aa63
commit be6f32b5bd
7 changed files with 1106 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sbin/otpradiusd/Makefile.am
View File

@ -4,7 +4,12 @@ libotp = $(top_builddir)/lib/otp/libcryb-otp.la
sbin_PROGRAMS = otpradiusd
otpradiusd_SOURCES = otpradiusd.c
otpradiusd_SOURCES = \
auth.c \
main.c \
network.c \
radius.c \
resolver.c
otpradiusd_CFLAGS = \
$(CRYB_OATH_CFLAGS) \
@ -18,3 +23,5 @@ otpradiusd_LDADD = \
$(CRYB_CORE_CFLAGS)
dist_man8_MANS = otpradiusd.8
noinst_HEADERS = otpradiusd.h

103
sbin/otpradiusd/auth.c Normal file
View File

@ -0,0 +1,103 @@
/*-
* Copyright (c) 2018 The University of Oslo
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "cryb/impl.h"
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <cryb/md5.h>
#include <cryb/memset_s.h>
#include "otpradiusd.h"
const char *rad_secret;
size_t rad_secret_len;
void
auth_encode(const uint8_t *nonce, const uint8_t *pt,
uint8_t *ct, size_t len)
{
md5_ctx ctx, sctx;
uint8_t stream[16];
const uint8_t *key;
unsigned int i;
// assert(len % 16 == 0);
md5_init(&ctx);
md5_update(&ctx, rad_secret, rad_secret_len);
sctx = ctx;
key = nonce;
while (len >= 16) {
ctx = sctx;
md5_update(&ctx, key, 16);
md5_final(&ctx, stream);
for (i = 0; i < 16; ++i)
ct[i] = pt[i] ^ stream[i];
key = ct;
ct += 16;
pt += 16;
len -= 16;
}
memset_s(&sctx, sizeof sctx, 0, sizeof sctx);
}
void
auth_decode(const uint8_t *nonce, const uint8_t *ct,
uint8_t *pt, size_t len)
{
md5_ctx ctx, sctx;
uint8_t stream[16];
const uint8_t *key;
unsigned int i;
// assert(len % 16 == 0);
md5_init(&ctx);
md5_update(&ctx, rad_secret, rad_secret_len);
sctx = ctx;
key = nonce;
while (len >= 16) {
ctx = sctx;
md5_update(&ctx, key, 16);
md5_final(&ctx, stream);
for (i = 0; i < 16; ++i)
pt[i] = ct[i] ^ stream[i];
key = ct;
pt += 16;
ct += 16;
len -= 16;
}
memset_s(&sctx, sizeof sctx, 0, sizeof sctx);
}

74
sbin/otpradiusd/otpradiusd.c → sbin/otpradiusd/main.c
View File

@ -29,29 +29,87 @@
#include "cryb/impl.h"
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <cryb/oath.h>
#include <cryb/otp.h>
#include "otpradiusd.h"
void
print_hex(const void *data, size_t len, size_t off)
{
const uint8_t *bytes = data;
size_t beg, end, pos;
beg = off;
off -= off % 16;
end = ((beg + len + 15) / 16) * 16;
pos = off;
while (pos < end) {
if (pos % 16 == 0)
fprintf(stderr, "%08zu |", pos);
else if (pos % 8 == 0)
fprintf(stderr, " .");
else if (pos % 4 == 0)
fprintf(stderr, " ");
if (pos >= beg && pos < beg + len) {
#if 0
if (*bytes > 32 && *bytes < 127)
fprintf(stderr, " %c", *bytes);
else
#endif
fprintf(stderr, " %02x", *bytes);
bytes++;
} else {
fprintf(stderr, " ");
}
pos++;
if (pos % 16 == 0)
fprintf(stderr, " |\n");
}
}
static void
usage(void)
{
fprintf(stderr, "usage: otpradiusd\n");
fprintf(stderr,
"usage: otpradiusd [-46d] [-l host[:port]] [-s secret]\n");
exit(1);
}
int
main(int argc, char *argv[])
{
int opt;
const char *laddrv[argc];
unsigned int i, laddrc;
int ipv, opt;
while ((opt = getopt(argc, argv, "")) != -1)
ipv = 0;
laddrc = 0;
while ((opt = getopt(argc, argv, "46dl:s:")) != -1)
switch (opt) {
case '4':
case '6':
ipv |= 1 << (opt - '0');
break;
case 'd':
/* nothing */
break;
case 'l':
laddrv[laddrc++] = optarg;
break;
case 's':
rad_secret = optarg;
rad_secret_len = strlen(optarg);
break;
default:
usage();
}
@ -62,5 +120,15 @@ main(int argc, char *argv[])
if (argc > 0)
usage();
if (ipv == 0)
ipv = 1 << 4 | 1 << 6;
if (laddrc == 0)
laddrv[laddrc++] = "*:radius";
for (i = 0; i < laddrc; i++)
if (add_listener(laddrv[i], ipv) < 0)
exit(1);
dispatch();
exit(0);
}

237
sbin/otpradiusd/network.c Normal file
View File

@ -0,0 +1,237 @@
/*-
* Copyright (c) 2018 The University of Oslo
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "cryb/impl.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <err.h>
#include <errno.h>
#include <netdb.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <cryb/ctype.h>
#include "otpradiusd.h"
#ifndef INFTIM
#define INFTIM -1
#endif
typedef struct rad_listener rad_listener;
struct rad_listener {
char laddrstr[1024];
struct sockaddr_storage laddr;
socklen_t laddrlen;
int sd;
};
static rad_listener *listeners;
static unsigned int nls, szls;
static int
open_and_bind(struct addrinfo *ai)
{
int one, sd;
if ((sd = socket(ai->ai_family, SOCK_DGRAM | SOCK_NONBLOCK, 0)) < 0)
return (-1);
one = 1;
if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof one) < 0 ||
bind(sd, ai->ai_addr, ai->ai_addrlen) < 0) {
close(sd);
return (-1);
}
return (sd);
}
int
add_listener(const char *addrstr, int ipv)
{
char hbuf[256], sbuf[8];
struct addrinfo *ai, *res;
rad_listener *l, *newls;
int gai_err, serrno;
int ip4, ip6;
int n, sd;
ip4 = !!(ipv & 1 << 4);
ip6 = !!(ipv & 1 << 6);
n = 0;
/* attempt DNS lookup */
if ((gai_err = resolve(addrstr, "radius", &res)) != 0) {
if (gai_err == EAI_SYSTEM)
warn("%s", addrstr);
else
warnx("%s: %s", addrstr, gai_strerror(gai_err));
return (-1);
}
/* iterate of results, if any */
for (ai = res; ai != NULL; ai = ai->ai_next) {
/* skip if not a desired address family */
if (!(ip4 && ai->ai_family == AF_INET) &&
!(ip6 && ai->ai_family == AF_INET6))
continue;
/* pretty-print the address */
hbuf[0] = '*'; sbuf[0] = '*'; hbuf[1] = sbuf[1] = '\0';
getnameinfo(ai->ai_addr, ai->ai_addrlen,
hbuf, sizeof hbuf, sbuf, sizeof sbuf,
NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM);
/* try to open and bind */
if ((sd = open_and_bind(ai)) < 0) {
warn("%s:%s", hbuf, sbuf);
continue;
}
/* resize list if necessary */
if (nls == szls) {
if (szls == 0)
szls = 4;
szls *= 2;
newls = realloc(listeners, szls * sizeof *newls);
if (newls == NULL)
goto syserr;
memset(newls + nls, 0, (szls - nls) * sizeof *newls);
listeners = newls;
}
/* insert and increment */
l = &listeners[nls++];
// assert(ai->ai_addrlen <= sizeof l->laddr);
snprintf(l->laddrstr, sizeof l->laddrstr, "%s:%s", hbuf, sbuf);
memcpy(&l->laddr, ai->ai_addr, ai->ai_addrlen);
l->laddrlen = ai->ai_addrlen;
l->sd = sd;
warnx("listener added for %s", l->laddrstr);
n++;
}
if (n == 0)
warnx("%s: no address found", addrstr);
return (n);
syserr:
serrno = errno;
warn("%s", addrstr);
close(sd);
freeaddrinfo(res);
errno = serrno;
return (-1);
}
int
receive(const rad_listener *l, struct rad_transaction *rx)
{
char hbuf[256], sbuf[8];
ssize_t rcvdlen;
memset(rx, 0, sizeof *rx);
rx->caddrlen = sizeof rx->caddr;
rcvdlen = recvfrom(l->sd, &rx->request, sizeof rx->request, 0,
(struct sockaddr *)&rx->caddr, &rx->caddrlen);
fprintf(stderr, "message received on %s", l->laddrstr);
hbuf[0] = '*'; sbuf[0] = '*'; hbuf[1] = sbuf[1] = '\0';
getnameinfo((struct sockaddr *)&rx->caddr, rx->caddrlen,
hbuf, sizeof hbuf, sbuf, sizeof sbuf,
NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM);
fprintf(stderr, " from %s:%s\n", hbuf, sbuf);
print_hex(&rx->request, (size_t)rcvdlen, 0);
if (rcvdlen < 0)
return (-1);
rx->reqlen = (size_t)rcvdlen;
return (0);
}
int
reply(const rad_listener *l, const struct rad_transaction *rx)
{
char hbuf[256], sbuf[8];
ssize_t sentlen;
do {
fprintf(stderr, "sending message on %s", l->laddrstr);
hbuf[0] = '*'; sbuf[0] = '*'; hbuf[1] = sbuf[1] = '\0';
getnameinfo((const struct sockaddr *)&rx->caddr, rx->caddrlen,
hbuf, sizeof hbuf, sbuf, sizeof sbuf,
NI_NUMERICHOST | NI_NUMERICSERV | NI_DGRAM);
fprintf(stderr, " to %s:%s\n", hbuf, sbuf);
print_hex(&rx->response, rx->rsplen, 0);
sentlen = sendto(l->sd, &rx->response, rx->rsplen, 0,
(const struct sockaddr *)&rx->caddr, rx->caddrlen);
if (sentlen < 0)
return (-1);
} while ((size_t)sentlen != rx->rsplen);
return (0);
}
int
dispatch(void)
{
struct rad_transaction rx;
struct pollfd pfd[nls];
unsigned int i;
int n;
memset(pfd, 0, sizeof pfd);
for (i = 0; i < nls; ++i) {
pfd[i].fd = listeners[i].sd;
pfd[i].events = POLLIN | POLLERR;
}
for (;;) {
if ((n = poll(pfd, nls, INFTIM)) < 0)
return (-1);
for (i = 0; i < nls; ++i) {
if (pfd[i].revents & POLLERR) {
warnx("%s: unspecified error",
listeners[i].laddrstr);
close(listeners[i].sd);
listeners[i].sd = pfd[i].fd = -1;
pfd[i].events = 0;
} else if (pfd[i].revents & POLLIN) {
memset(&rx, 0, sizeof rx);
if (receive(&listeners[i], &rx) < 0) {
warn("%s", listeners[i].laddrstr);
continue;
}
if (rad_handle(&rx) > 0 &&
reply(&listeners[i], &rx) < 0) {
warn("%s", listeners[i].laddrstr);
}
}
}
}
}

148
sbin/otpradiusd/otpradiusd.h Normal file
View File

@ -0,0 +1,148 @@
/*-
* Copyright (c) 2018 The University of Oslo
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef OTPRADIUSD_H_INCLUDED
#define OTPRADIUSD_H_INCLUDED
typedef struct rad_attribute rad_attribute;
typedef struct rad_message rad_message;
typedef struct rad_transaction rad_transaction;
struct addrinfo;
typedef enum rad_msg_code {
rmc_unknown = 0,
rmc_access_request = 1,
rmc_access_accept = 2,
rmc_access_reject = 3,
rmc_accounting_request = 4,
rmc_accounting_response = 5,
rmc_access_challenge = 11,
rmc_status_server = 12,
rmc_status_client = 13,
rmc_max
} rad_msg_code;
typedef enum rad_attr_code {
rac_unknown_attr = 0,
rac_user_name = 1,
rac_user_password = 2,
rac_chap_password = 3,
rac_nas_ip_address = 4,
rac_nas_port = 5,
rac_service_type = 6,
rac_framed_protocol = 7,
rac_framed_ip_address = 8,
rac_framed_ip_netmask = 9,
rac_framed_routing = 10,
rac_filter_id = 11,
rac_framed_mtu = 12,
rac_framed_compression = 13,
rac_login_ip_host = 14,
rac_login_service = 15,
rac_login_tcp_port = 16,
/* unassigned = 17, */
rac_reply_message = 18,
rac_callback_number = 19,
rac_callback_id = 20,
/* unassigned = 21, */
rac_framed_route = 22,
rac_framed_ipx_network = 23,
rac_state = 24,
rac_class = 25,
rac_vendor_specific = 26,
rac_session_timeout = 27,
rac_idle_timeout = 28,
rac_termination_action = 29,
rac_called_station_id = 30,
rac_calling_station_id = 31,
rac_nas_identifier = 32,
rac_proxy_state = 33,
rac_login_lat_service = 34,
rac_login_lat_node = 35,
rac_login_lat_group = 36,
rac_framed_appletalk_link = 37,
rac_framed_appletalk_network = 38,
rac_framed_appletalk_zone = 39,
/* reserved for accounting = 40...59, */
rac_chap_challenge = 60,
rac_nas_port_type = 61,
rac_port_limit = 62,
rac_login_lat_port = 63,
rac_max
} rad_attr_code;
#define MIN_RADPASS_LEN 16
#define MAX_RADPASS_LEN 128
#define MIN_RADATTR_LEN 3
#define MAX_RADATTR_LEN 255
struct rad_attribute {
uint8_t code;
uint8_t length;
uint8_t value[MAX_RADATTR_LEN - 2];
};
#define MIN_RADPKT_LEN 20
#define MAX_RADPKT_LEN 4096
struct rad_message {
uint8_t code;
uint8_t identifier;
uint16_t length;
uint8_t authenticator[16];
uint8_t attributes[MAX_RADPKT_LEN - 20];
};
struct rad_transaction {
struct sockaddr_storage caddr;
socklen_t caddrlen;
rad_message request;
size_t reqlen;
rad_message response;
size_t rsplen;
};
int add_listener(const char *, int);
int resolve(const char *, const char *, struct addrinfo **);
int dispatch(void);
int rad_handle(rad_transaction *);
extern const char *rad_secret;
extern size_t rad_secret_len;
void print_hex(const void *, size_t, size_t);
void auth_encode(const uint8_t *, const uint8_t *, uint8_t *, size_t);
void auth_decode(const uint8_t *, const uint8_t *, uint8_t *, size_t);
#endif

424
sbin/otpradiusd/radius.c Normal file
View File

@ -0,0 +1,424 @@
/*-
* Copyright (c) 2018 The University of Oslo
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "cryb/impl.h"
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <cryb/md5.h>
#include "otpradiusd.h"
static struct rad_msg_def {
const char *name;
} rad_msg_def[rmc_max] = {
[rmc_unknown] = {
.name = "Unknown-Message",
},
[rmc_access_request] = {
.name = "Access-Request",
},
[rmc_access_accept] = {
.name = "Access-Accept",
},
[rmc_access_reject] = {
.name = "Access-Reject",
},
[rmc_accounting_request] = {
.name = "Accounting-Request",
},
[rmc_accounting_response] = {
.name = "Accounting-Response",
},
[rmc_access_challenge] = {
.name = "Access-Challenge",
},
[rmc_status_server] = {
.name = "Status-Server",
},
[rmc_status_client] = {
.name = "Status-Client",
},
};
#define rad_msg_name(rmc) \
(((rmc) < rmc_max && rad_msg_def[(rmc)].name) ? \
rad_msg_def[(rmc)].name : rad_msg_def[0].name)
typedef enum rad_attr_type {
rat_unknown,
rat_text,
rat_string,
rat_address,
rat_integer,
rat_time,
rat_max
} rad_attr_type;
static struct rad_attr_def {
const char *name;
} rad_attr_def[rac_max] = {
[rac_unknown_attr] = {
.name = "Unknown-Attribute",
},
[rac_user_name] = {
.name = "User-Name",
},
[rac_user_password] = {
.name = "User-Password",
},
[rac_chap_password] = {
.name = "CHAP-Password",
},
[rac_nas_ip_address] = {
.name = "NAS-IP-Address",
},
[rac_nas_port] = {
.name = "NAS-Port",
},
[rac_service_type] = {
.name = "Service-Type",
},
[rac_framed_protocol] = {
.name = "Framed-Protocol",
},
[rac_framed_ip_address] = {
.name = "Framed-IP-Address",
},
[rac_framed_ip_netmask] = {
.name = "Framed-IP-Netmask",
},
[rac_framed_routing] = {
.name = "Framed-Routing",
},
[rac_filter_id] = {
.name = "Filter-Id",
},
[rac_framed_mtu] = {
.name = "Framed-MTU",
},
[rac_framed_compression] = {
.name = "Framed-Compression",
},
[rac_login_ip_host] = {
.name = "Login-IP-Host",
},
[rac_login_service] = {
.name = "Login-Service",
},
[rac_login_tcp_port] = {
.name = "Login-TCP-Port",
},
[rac_reply_message] = {
.name = "Reply-Message",
},
[rac_callback_number] = {
.name = "Callback-Number",
},
[rac_callback_id] = {
.name = "Callback-Id",
},
[rac_framed_route] = {
.name = "Framed-Route",
},
[rac_framed_ipx_network] = {
.name = "Framed-IPX-Network",
},
[rac_state] = {
.name = "State",
},
[rac_class] = {
.name = "Class",
},
[rac_vendor_specific] = {
.name = "Vendor-Specific",
},
[rac_session_timeout] = {
.name = "Session-Timeout",
},
[rac_idle_timeout] = {
.name = "Idle-Timeout",
},
[rac_termination_action] = {
.name = "Termination-Action",
},
[rac_called_station_id] = {
.name = "Called-Station-Id",
},
[rac_calling_station_id] = {
.name = "Calling-Station-Id",
},
[rac_nas_identifier] = {
.name = "NAS-Identifier",
},
[rac_proxy_state] = {
.name = "Proxy-State",
},
[rac_login_lat_service] = {
.name = "Login-LAT-Service",
},
[rac_login_lat_node] = {
.name = "Login-LAT-Node",
},
[rac_login_lat_group] = {
.name = "Login-LAT-Group",
},
[rac_framed_appletalk_link] = {
.name = "Framed-AppleTalk-Link",
},
[rac_framed_appletalk_network] = {
.name = "Framed-AppleTalk-Network",
},
[rac_framed_appletalk_zone] = {
.name = "Framed-AppleTalk-Zone",
},
[rac_chap_challenge] = {
.name = "CHAP-Challenge",
},
[rac_nas_port_type] = {
.name = "NAS-Port-Type",
},
[rac_port_limit] = {
.name = "Port-Limit",
},
[rac_login_lat_port] = {
.name = "Login-LAT-Port",
},
};
#define rad_attr_name(rac) \
(((rac) < rac_max && rad_attr_def[(rac)].name) ? \
rad_attr_def[(rac)].name : rad_attr_def[0].name)
static int
rad_decode_str(const rad_attribute *ra, const uint8_t **str, size_t *len)
{
rad_attr_code rac;
rac = ra->code;
if (rac >= rac_max || rad_attr_def[rac].name == NULL) {
warnx("unknown attribute 0x%02x", ra->code);
return (-1);
}
// assert(rad_attr_def[rac].type == rat_string);
if (ra->length < 3 || ra->length > MAX_RADATTR_LEN) {
warnx("invalid attribute length");
return (-1);
}
*str = ra->value;
*len = ra->length - 2;
return (0);
}
static void
mxu(md5_ctx *context, const void *data, unsigned int len)
{
const unsigned char *bytes = data;
fprintf(stderr, "md5");
for (unsigned int i = 0; i < len; ++i)
fprintf(stderr, " %02x", bytes[i]);
fprintf(stderr, "\n");
md5_update(context, data, len);
}
#undef md5_update
#define md5_update mxu
static int
handle_access_request(rad_transaction *rx)
{
uint8_t password[MAX_RADPASS_LEN];
rad_message *req, *rsp;
rad_attribute *ra;
uint8_t *nextra, *end;
const uint8_t *user, *pass;
size_t userlen, passlen;
unsigned int i;
int ch;
req = &rx->request;
rsp = &rx->response;
nextra = req->attributes;
end = (uint8_t *)&rx->request + rx->reqlen;
user = pass = NULL;
userlen = passlen = 0;
while (nextra + MIN_RADATTR_LEN < end) {
ra = (rad_attribute *)nextra;
if (ra->length < MIN_RADATTR_LEN ||
ra->length > MAX_RADATTR_LEN ||
ra->length > end - nextra) {
warnx("invalid attribute length %u", ra->length);
return (0);
}
switch ((rad_attr_code)ra->code) {
case rac_user_name:
if (user != NULL) {
warnx("duplicate User-Name attribute");
return (0);
}
if (rad_decode_str(ra, &user, &userlen) != 0)
return (0);
break;
case rac_user_password:
if (pass != NULL) {
warnx("duplicate User-Password attribute");
return (0);
}
if (rad_decode_str(ra, &pass, &passlen) != 0)
return (0);
if (passlen < MIN_RADPASS_LEN ||
passlen > MAX_RADPASS_LEN ||
passlen % 16 != 0) {
warnx("invalid User-Password length %zu",
passlen);
return (0);
}
break;
default:
warnx("ignoring %s attribute",
rad_attr_name(ra->code));
}
nextra += ra->length;
}
if (nextra != end) {
warnx("trailing garbage in request");
return (0);
}
if (user == NULL) {
warnx("mssing User-Name attribute");
return (0);
}
fprintf(stderr, "user: \"");
for (i = 0; i < userlen; ++i) {
ch = user[i];
if (ch >= 32 && ch < 127 && ch != '"')
fprintf(stderr, "%c", ch);
else
fprintf(stderr, "\\x%02x", ch);
}
fprintf(stderr, "\"\n");
if (pass == NULL) {
warnx("missing User-Password attribute");
return (0);
}
fprintf(stderr, "pass: \"");
auth_decode(req->authenticator, pass, password, passlen);
while (password[passlen - 1] == '\0')
passlen--;
for (i = 0; i < passlen; ++i) {
ch = password[i];
if (ch >= 32 && ch < 127 && ch != '"')
fprintf(stderr, "%c", ch);
else
fprintf(stderr, "\\x%02x", ch);
}
fprintf(stderr, "\"\n");
static int coin;
if ((coin = !coin)) {
/* accept */
ra = (rad_attribute *)&rsp->attributes;
ra->code = rac_reply_message;
strcpy((char *)ra->value, "hello!");
ra->length = 2 + strlen((const char *)ra->value);
rsp->code = rmc_access_accept;
rsp->length = htons(20 + ra->length);
} else {
/* reject */
ra = (rad_attribute *)&rsp->attributes;
ra->code = rac_reply_message;
strcpy((char *)ra->value, "denied");
ra->length = 2 + strlen((const char *)ra->value);
rsp->code = rmc_access_reject;
rsp->length = htons(20 + ra->length);
}
return (1);
}
void
authenticate_response(rad_message *rsp, size_t rsplen)
{
md5_ctx ctx;
md5_init(&ctx);
md5_update(&ctx, rsp, rsplen);
md5_update(&ctx, rad_secret, rad_secret_len);
md5_final(&ctx, rsp->authenticator);
}
int
rad_handle(rad_transaction *rx)
{
rad_message *req, *rsp;
int ret;
req = &rx->request;
rsp = &rx->response;
if (rx->reqlen != ntohs(req->length)) {
warnx("length mismatch: %zu != %u",
rx->reqlen, ntohs(req->length));
return (0);
}
if (rx->reqlen < MIN_RADPKT_LEN || rx->reqlen > MAX_RADPKT_LEN) {
warnx("invalid length: %zu", rx->reqlen);
return (0);
}
warnx("request 0x%02x (%s) ident 0x%02x", req->code,
rad_msg_name(req->code), req->identifier);
memset(rsp, 0, sizeof *rsp);
rsp->identifier = req->identifier;
memcpy(rsp->authenticator, req->authenticator, 16);
switch ((rad_msg_code)req->code) {
case rmc_access_request:
ret = handle_access_request(rx);
break;
default:
warnx("unsupported RADIUS code %u", req->code);
return (0);
}
if (ret > 0) {
rx->rsplen = ntohs(rsp->length);
if (rsp->code == rmc_access_accept ||
rsp->code == rmc_access_reject ||
rsp->code == rmc_access_challenge) {
authenticate_response(rsp, rx->rsplen);
}
}
print_hex(rsp, rx->rsplen, 0);
return (ret);
}

115
sbin/otpradiusd/resolver.c Normal file
View File

@ -0,0 +1,115 @@
/*-
* Copyright (c) 2016-2018 Dag-Erling Smørgrav
* Copyright (c) 2018 The University of Oslo
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "cryb/impl.h"
#include <sys/socket.h>
#include <errno.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <cryb/ctype.h>
#include "otpradiusd.h"
/*
* Parse an address spec of the form:
*
* addr-spec := <host-spec> [ ':' <port-spec> ]
* host-spec := '*' | <host-name> | <ipv4-addr> | '[' <ipv6-addr> ']'
* port-spec := <service-name> | <port-number>
*
* then call getaddrinfo(3) with the appropriate parameters. Input
* validation is fairly lax; we trust getaddrinfo(3) to take up the slack.
*
* Derived from fetch_resolve() in FreeBSD's libfetch.
*/
int
resolve(const char *addr, const char *port, struct addrinfo **res)
{
char hbuf[256];
struct addrinfo hints;
const char *hb, *he, *sep;
const char *host, *service;
int len;
*res = NULL;
/* first, check for a bracketed IPv6 address */
if (*addr == '[') {
hb = addr + 1;
for (he = hb; *he != ']'; ++he) {
if (!is_xdigit(*he) && *he != ':') {
errno = EINVAL;
return (EAI_SYSTEM);
}
sep = he;
}
} else {
hb = addr;
sep = strchrnul(hb, ':');
he = sep;
}
/* see if we need to copy the host name */
if (he == hb || (*hb == '*' && he - hb == 1)) {
host = NULL;
} else if (*he != '\0') {
len = snprintf(hbuf, sizeof hbuf, "%.*s", (int)(he - hb), hb);
if (len < 0)
return (EAI_SYSTEM);
if ((size_t)len >= sizeof hbuf) {
errno = ENAMETOOLONG;
return (EAI_SYSTEM);
}
host = hbuf;
} else {
host = hb;
}
/* was it followed by a service name? */
if (*sep == '\0' && port != NULL) {
service = port;
} else if (*sep != '\0') {
service = sep + 1;
} else {
service = NULL;
}
/* resolve */
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = AI_ADDRCONFIG | AI_PASSIVE;
return (getaddrinfo(host, service, &hints, res));
}