197
207
hdr->code = packet->code;
198
208
hdr->id = packet->id;
199
if ((packet->code == PW_ACCOUNTING_REQUEST) ||
200
(packet->code == PW_DISCONNECT_REQUEST)) {
201
memset(hdr->vector, 0, AUTH_VECTOR_LEN);
203
memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
211
* Double-check some things based on packet code.
213
switch (packet->code) {
214
case PW_AUTHENTICATION_ACK:
215
case PW_AUTHENTICATION_REJECT:
216
case PW_ACCESS_CHALLENGE:
218
librad_log("ERROR: Cannot sign response packet without a request packet.");
224
* These packet vectors start off as all zero.
226
case PW_ACCOUNTING_REQUEST:
227
case PW_DISCONNECT_REQUEST:
228
memset(packet->vector, 0, sizeof(packet->vector));
235
memcpy(hdr->vector, packet->vector, sizeof(hdr->vector));
206
237
DEBUG("Sending %s of id %d to %s:%d\n",
207
238
what, packet->id,
208
239
ip_ntoa((char *)ip_buffer, packet->dst_ipaddr),
209
240
packet->dst_port);
211
242
total_length = AUTH_HDR_LEN;
214
245
* Load up the configuration values for the user
531
559
* and put it in the vector.
533
561
secretlen = strlen(secret);
534
if (packet->code != PW_AUTHENTICATION_REQUEST &&
535
packet->code != PW_STATUS_SERVER) {
538
* Set the Message-Authenticator attribute,
539
* BEFORE setting the reply authentication vector
540
* for CHALLENGE, ACCEPT and REJECT.
542
if (msg_auth_offset) {
543
uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
545
switch (packet->code) {
549
case PW_AUTHENTICATION_ACK:
550
case PW_AUTHENTICATION_REJECT:
551
case PW_ACCESS_CHALLENGE:
553
memcpy(hdr->vector, original->vector, AUTH_VECTOR_LEN);
558
memset(packet->data + msg_auth_offset + 2, 0,
560
lrad_hmac_md5(packet->data, packet->data_len,
561
secret, secretlen, calc_auth_vector);
562
memcpy(packet->data + msg_auth_offset + 2,
563
calc_auth_vector, AUTH_VECTOR_LEN);
564
memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
568
MD5Update(&context, packet->data, packet->data_len);
569
MD5Update(&context, secret, strlen(secret));
570
MD5Final(digest, &context);
572
memcpy(hdr->vector, digest, AUTH_VECTOR_LEN);
573
memcpy(packet->vector, digest, AUTH_VECTOR_LEN);
577
* Set the Message-Authenticator attribute,
578
* AFTER setting the authentication vector
579
* only for ACCESS-REQUESTS
564
* If there's a Message-Authenticator, update it
565
* now, BEFORE updating the authentication vector.
581
else if (msg_auth_offset) {
567
if (msg_auth_offset) {
582
568
uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
584
570
switch (packet->code) {
588
574
case PW_AUTHENTICATION_ACK:
589
575
case PW_AUTHENTICATION_REJECT:
590
576
case PW_ACCESS_CHALLENGE:
592
memcpy(hdr->vector, original->vector,
577
/* this was checked above */
578
memcpy(hdr->vector, original->vector,
584
* Set the authentication vector to zero,
585
* calculate the signature, and put it
586
* into the Message-Authenticator
598
589
memset(packet->data + msg_auth_offset + 2,
599
590
0, AUTH_VECTOR_LEN);
600
591
lrad_hmac_md5(packet->data, packet->data_len,
601
592
secret, secretlen, calc_auth_vector);
602
593
memcpy(packet->data + msg_auth_offset + 2,
603
calc_auth_vector, AUTH_VECTOR_LEN);
594
calc_auth_vector, AUTH_VECTOR_LEN);
597
* Copy the original request vector back
604
600
memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
604
* Switch over the packet code, deciding how to
607
switch (packet->code) {
609
* Request packets are not signed, bur
610
* have a random authentication vector.
612
case PW_AUTHENTICATION_REQUEST:
613
case PW_STATUS_SERVER:
617
* Reply packets are signed with the
618
* authentication vector of the request.
624
MD5Update(&context, packet->data, packet->data_len);
625
MD5Update(&context, secret, strlen(secret));
626
MD5Final(digest, &context);
628
memcpy(hdr->vector, digest, AUTH_VECTOR_LEN);
629
memcpy(packet->vector, digest, AUTH_VECTOR_LEN);
632
} /* switch over packet codes */
608
636
* If packet->data points to data, then we print out
609
637
* the VP list again only for debugging.
758
793
salen = sizeof(saremote);
759
794
memset(&saremote, 0, sizeof(saremote));
795
#ifndef WITH_UDPFROMTO
760
796
packet->data_len = recvfrom(fd, data, sizeof(data),
761
0, (struct sockaddr *)&saremote, &salen);
797
0, (struct sockaddr *)&saremote, &salen);
798
packet->dst_ipaddr = htonl(INADDR_ANY); /* i.e. unknown */
801
socklen_t salen_local;
802
struct sockaddr_in salocal;
803
salen_local = sizeof(salocal);
804
memset(&salocal, 0, sizeof(salocal));
805
packet->data_len = recvfromto(fd, data, sizeof(data), 0,
806
(struct sockaddr *)&saremote, &salen,
807
(struct sockaddr *)&salocal, &salen_local);
808
packet->dst_ipaddr = salocal.sin_addr.s_addr;
764
813
* Check for socket errors.
965
1013
seen_eap |= PW_MESSAGE_AUTHENTICATOR;
968
1016
case PW_VENDOR_SPECIFIC:
970
1018
librad_log("WARNING: Malformed RADIUS packet from host %s: Vendor-Specific has invalid length %d",
971
1019
ip_ntoa(host_ipaddr, packet->src_ipaddr),
976
memcpy(&vendorcode, attr + 2, 4);
977
vendorcode = ntohl(vendorcode);
978
if (vendorcode == VENDORPEC_USR) {
980
librad_log("WARNING: Malformed RADIUS packet from host %s: USR attribute has invalid length %d",
981
ip_ntoa(host_ipaddr, packet->src_ipaddr),
988
vendorlen = attr[1] - 6;
989
vendorattr = attr + 6;
990
while (vendorlen >= 2) {
991
if (vendorattr[1] < 2){
992
librad_log("WARNING: Malformed RADIUS packet from host %s: Vendor specific attribute has invalid length %d",
993
ip_ntoa(host_ipaddr, packet->src_ipaddr),
998
vendorlen -= vendorattr[1];
999
vendorattr += vendorattr[1];
1001
if (vendorlen != 0){
1002
librad_log("WARNING: Malformed RADIUS packet from host %s: Vendor specific attributes do not exactly fill Vendor-Specific",
1026
* Don't allow VSA's with vendor zero.
1028
if ((attr[2] == 0) && (attr[3] == 0) &&
1029
(attr[4] == 0) && (attr[5] == 0)) {
1030
librad_log("WARNING: Malformed RADIUS packet from host %s: Vendor-Specific has vendor ID of zero",
1003
1031
ip_ntoa(host_ipaddr, packet->src_ipaddr));
1037
* Don't look at the contents of VSA's,
1038
* too many vendors have non-standard
1082
* http://www.freeradius.org/rfc/rfc2869.html#EAP-Message
1084
* A packet with an EAP-Message attribute MUST also have
1085
* a Message-Authenticator attribute.
1087
* A Message-Authenticator all by itself is OK, though.
1090
(seen_eap != PW_MESSAGE_AUTHENTICATOR) &&
1091
(seen_eap != (PW_EAP_MESSAGE | PW_MESSAGE_AUTHENTICATOR))) {
1092
librad_log("WARNING: Insecure packet from host %s: Received EAP-Message with no Message-Authenticator.",
1093
ip_ntoa(host_ipaddr, packet->src_ipaddr));
1047
1098
if (librad_debug) {
1048
1099
if ((hdr->code > 0) && (hdr->code < 52)) {
1049
1100
printf("rad_recv: %s packet from host %s:%d",
1050
1101
packet_codes[hdr->code],
1051
1102
ip_ntoa(host_ipaddr, packet->src_ipaddr), packet->src_port);
1053
printf("rad_recv: Packet from host %s:%d code=%d",
1104
printf("rad_recv: Packet from host %s:%d code=%d",
1054
1105
ip_ntoa(host_ipaddr, packet->src_ipaddr), packet->src_port,
1227
1286
* This could be a Vendor-Specific attribute.
1230
1288
if ((vendorlen <= 0) &&
1231
(attribute == PW_VENDOR_SPECIFIC) &&
1289
(attribute == PW_VENDOR_SPECIFIC)) {
1294
* attrlen was checked to be >= 6, in rad_recv
1233
1296
memcpy(&lvalue, ptr, 4);
1234
1297
vendorcode = ntohl(lvalue);
1235
if (vendorcode != 0) {
1237
if (vendorcode == VENDORPEC_USR) {
1239
memcpy(&lvalue, ptr, 4);
1240
/*printf("received USR %04x\n", ntohl(lvalue));*/
1241
attribute = (ntohl(lvalue) & 0xFFFF) |
1300
* This is an implementation issue.
1301
* We currently pack vendor into the upper
1302
* 16 bits of a 32-bit attribute number,
1303
* so we can't handle vendor numbers larger
1306
if (vendorcode > 65535) goto create_pair;
1309
* vendorcode was checked to be non-zero
1310
* above, in rad_recv.
1314
* First, check to see if the
1315
* sub-attributes fill the VSA, as
1316
* defined by the RFC. If not, then it
1317
* may be a USR-style VSA, or it may be a
1318
* vendor who packs all of the
1319
* information into one nonsense
1323
sublen = attrlen - 4;
1325
while (sublen > 0) {
1326
if (subptr[1] < 2) { /* too short */
1330
if (subptr[1] > sublen) { /* too long */
1334
sublen -= subptr[1]; /* just right */
1335
subptr += subptr[1];
1339
* If the attribute is RFC compatible,
1340
* then allow it as an RFC style VSA.
1344
vendorlen = attrlen - 4;
1345
attribute = *ptr++ | (vendorcode << 16);
1351
* USR-style attributes are 4 octets,
1352
* with the upper 2 octets being zero.
1354
* The upper octets may not be zero,
1355
* but that then means we won't be
1356
* able to pack the vendor & attribute
1357
* into a 32-bit number, so we can't
1361
* FIXME: Update the dictionaries so
1362
* that we key off of per-attribute
1363
* flags "4-octet", instead of hard
1364
* coding USR here. This will also
1365
* let us send packets with other
1366
* vendors having 4-octet attributes.
1368
} else if ((vendorcode == VENDORPEC_USR) &&
1369
((ptr[4] == 0) && (ptr[5] == 0)) &&
1373
da = dict_attrbyvalue((vendorcode << 16) |
1378
* See if it's in the dictionary.
1379
* If so, it's a valid USR style
1380
* attribute. If not, it's not...
1382
* Don't touch 'attribute' until
1383
* we know what to do!
1386
attribute = ((vendorcode << 16) |
1249
vendorlen = attrlen - 4;
1250
attribute = *ptr++ | (vendorcode << 16);
1257
* Else the vendor wasn't found...
1392
} /* else it's not in the dictionary */
1393
} /* else it was a stupid vendor format */
1394
} /* else it wasn't a VSA */
1262
* FIXME: should we us paircreate() ?
1397
* Create the attribute, setting the default type
1398
* to 'octects'. If the type in the dictionary
1399
* is different, then the dictionary type will
1400
* over-ride this one.
1264
if ((pair = malloc(sizeof(VALUE_PAIR))) == NULL) {
1403
if ((pair = paircreate(attribute, PW_TYPE_OCTETS)) == NULL) {
1265
1404
pairfree(&packet->vps);
1266
1405
librad_log("out of memory");
1271
memset(pair, 0, sizeof(VALUE_PAIR));
1272
if ((attr = dict_attrbyvalue(attribute)) == NULL) {
1273
snprintf(pair->name, sizeof(pair->name), "Attr-%d", attribute);
1274
pair->type = PW_TYPE_OCTETS;
1276
strcpy(pair->name, attr->name);
1277
pair->type = attr->type;
1278
pair->flags = attr->flags;
1280
pair->attribute = attribute;
1281
1409
pair->length = attrlen;
1282
1410
pair->operator = T_OP_EQ;
1283
1411
pair->next = NULL;
1285
1413
switch (pair->type) {
1287
case PW_TYPE_OCTETS:
1288
case PW_TYPE_ABINARY:
1416
* The attribute may be zero length,
1417
* or it may have a tag, and then no data...
1289
1419
case PW_TYPE_STRING:
1290
if (pair->flags.has_tag &&
1291
pair->type == PW_TYPE_STRING) {
1420
if (pair->flags.has_tag) {
1292
1421
int offset = 0;
1294
if ((pair->length > 0) && TAG_VALID(*ptr)) {
1424
* If there's sufficient room for
1425
* a tag, and the tag looks valid,
1428
if ((pair->length > 0) &&
1429
TAG_VALID_ZERO(*ptr)) {
1295
1430
pair->flags.tag = *ptr;
1296
1431
pair->length--;
1435
* If the leading tag
1436
* isn't valid, then it's
1437
* ignored for the tunnel
1438
* password attribute.
1298
1440
} else if (pair->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) {
1300
1442
* from RFC2868 - 3.5. Tunnel-Password
1315
* pair->length may be zero here...
1457
* pair->length MAY be zero here.
1317
1459
memcpy(pair->strvalue, ptr + offset,
1463
* Ascend binary attributes never have a
1464
* tag, and neither do the 'octets' type.
1466
case PW_TYPE_ABINARY:
1467
case PW_TYPE_OCTETS:
1320
1468
/* attrlen always < MAX_STRING_LEN */
1321
1469
memcpy(pair->strvalue, ptr, attrlen);
1322
1470
pair->flags.tag = 0;
1326
* FIXME: HACK for non-updated dictionaries.
1327
* REMOVE in a future release.
1329
if ((strcmp(pair->name, "Ascend-Send-Secret") == 0) ||
1330
(strcmp(pair->name, "Ascend-Receive-Secret") == 0)) {
1331
pair->flags.encrypt = FLAG_ENCRYPT_ASCEND_SECRET;
1333
if (pair->attribute == PW_USER_PASSWORD) {
1334
pair->flags.encrypt = FLAG_ENCRYPT_USER_PASSWORD;
1338
1474
* Decrypt passwords here.
1340
1476
switch (pair->flags.encrypt) {
1600
* IPv6 interface ID is 8 octets long.
1604
pair->type = PW_TYPE_OCTETS;
1605
memcpy(pair->strvalue, ptr, attrlen);
1609
* IPv6 addresses are 16 octets long
1611
case PW_TYPE_IPV6ADDR:
1613
pair->type = PW_TYPE_OCTETS;
1614
memcpy(pair->strvalue, ptr, attrlen);
1618
* IPv6 prefixes are 2 to 18 octets long.
1620
* RFC 3162: The first octet is unused.
1621
* The second is the length of the prefix
1622
* the rest are the prefix data.
1624
* The prefix length can have value 0 to 128.
1626
case PW_TYPE_IPV6PREFIX:
1627
if (attrlen < 2 || attrlen > 18)
1628
pair->type = PW_TYPE_OCTETS;
1631
pair->type = PW_TYPE_OCTETS;
1634
* FIXME: double-check that
1635
* (ptr[1] >> 3) matches attrlen + 2
1638
memcpy(pair->strvalue, ptr, attrlen);
1450
1642
DEBUG(" %s (Unknown Type %d)\n",
1451
attr->name,attr->type);
1643
pair->name, pair->type);
1458
1650
debug_pair(pair);
1659
1851
/* set new password length */
1660
1852
*pwlen = len + 2;
1663
1855
* Use the secret to setup the decryption digest
1665
1857
secretlen = strlen(secret);
1666
1858
memcpy(buffer, secret, secretlen);
1668
for (n = 0; n < len; n+=AUTH_PASS_LEN) {
1860
for (n2 = 0; n2 < len; n2+=AUTH_PASS_LEN) {
1670
1862
memcpy(buffer + secretlen, vector, AUTH_VECTOR_LEN);
1671
1863
memcpy(buffer + secretlen + AUTH_VECTOR_LEN, salt, 2);
1672
1864
librad_md5_calc(digest, buffer, secretlen + AUTH_VECTOR_LEN + 2);
1675
memcpy(buffer + secretlen, passwd + n - AUTH_PASS_LEN, AUTH_PASS_LEN);
1866
memcpy(buffer + secretlen, passwd + n2 - AUTH_PASS_LEN, AUTH_PASS_LEN);
1676
1867
librad_md5_calc(digest, buffer, secretlen + AUTH_PASS_LEN);
1679
for (i = 0; i < AUTH_PASS_LEN; i++)
1680
passwd[i + n] ^= digest[i];
1870
for (i = 0; i < AUTH_PASS_LEN; i++) {
1871
passwd[i + n2] ^= digest[i];
1687
1879
* Decode Tunnel-Password encrypted attributes.
1689
* Defined in RFC-2868, this adds a two char SALT to the initial intermediate
1690
* value, to differentiate it from the above.
1881
* Defined in RFC-2868, this uses a two char SALT along with the
1882
* initial intermediate value, to differentiate it from the
1693
int rad_tunnel_pwdecode(char *passwd, int * pwlen, const char *secret, const char *vector)
1885
int rad_tunnel_pwdecode(uint8_t *passwd, int *pwlen, const char *secret,
1695
uint8_t buffer[AUTH_VECTOR_LEN + MAX_STRING_LEN + 3];
1696
unsigned char digest[AUTH_VECTOR_LEN];
1698
int i, n, ntimes, secretlen;
1888
uint8_t buffer[AUTH_VECTOR_LEN + MAX_STRING_LEN + 3];
1889
uint8_t digest[AUTH_VECTOR_LEN];
1890
uint8_t decrypted[MAX_STRING_LEN + 1];
1706
salt[0] = passwd[0];
1707
salt[1] = passwd[1];
1897
* We need at least a salt.
1900
librad_log("tunnel password is too short");
1905
* There's a salt, but no password. Or, there's a salt
1906
* and a 'data_len' octet. It's wrong, but at least we
1907
* can figure out what it means: the password is empty.
1909
* Note that this means we ignore the 'data_len' field,
1910
* if the attribute length tells us that there's no
1911
* more data. So the 'data_len' field may be wrong,
1920
len -= 2; /* discount the salt */
1713
1923
* Use the secret to setup the decryption digest
1715
1925
secretlen = strlen(secret);
1928
* Set up the initial key:
1930
* b(1) = MD5(secret + vector + salt)
1716
1932
memcpy(buffer, secret, secretlen);
1718
ntimes = (len-1)/AUTH_PASS_LEN;
1721
memcpy(buffer + secretlen, vector, AUTH_VECTOR_LEN);
1722
memcpy(buffer + secretlen + AUTH_VECTOR_LEN, salt, 2);
1723
librad_md5_calc(digest, buffer, secretlen + AUTH_VECTOR_LEN + 2);
1726
memcpy(buffer + secretlen, passwd + AUTH_PASS_LEN * (ntimes - 1), AUTH_PASS_LEN);
1727
librad_md5_calc(digest, buffer, secretlen + AUTH_PASS_LEN);
1729
for ( i = 0, n = ntimes * AUTH_PASS_LEN; i < AUTH_PASS_LEN && (i + n) < len; i++)
1730
passwd[i + n] ^= digest[i];
1734
if (*(unsigned char*)passwd >= len) {
1735
/* Pasword is broken, original password should be longer */
1737
passwd[0]=passwd[1]=0;
1740
len = *pwlen = *passwd; /* restore original length */
1741
for (n=0; n<len; n++) passwd[n-2]=passwd[n+1];
1933
memcpy(buffer + secretlen, vector, AUTH_VECTOR_LEN);
1934
memcpy(buffer + secretlen + AUTH_VECTOR_LEN, passwd, 2);
1935
librad_md5_calc(digest, buffer, secretlen + AUTH_VECTOR_LEN + 2);
1938
* A quick check: decrypt the first octet of the password,
1939
* which is the 'data_len' field. Ensure it's sane.
1941
* 'n' doesn't include the 'data_len' octet
1944
n = passwd[2] ^ digest[0];
1946
librad_log("tunnel password is too long for the attribute");
1951
* Loop over the data, decrypting it, and generating
1952
* the key for the next round of decryption.
1954
for (n = 0; n < len; n += AUTH_PASS_LEN) {
1955
for (i = 0; i < AUTH_PASS_LEN; i++) {
1956
decrypted[n + i] = passwd[n + i + 2] ^ digest[i];
1959
* Encrypted password may not be aligned
1960
* on 16 octets, so we catch that here...
1962
if ((n + i) == len) break;
1966
* Update the digest, based on
1968
* b(n) = MD5(secret + cleartext(n-1)
1970
* but only if there's more data...
1972
memcpy(buffer + secretlen, passwd + n + 2, AUTH_PASS_LEN);
1973
librad_md5_calc(digest, buffer, secretlen + AUTH_PASS_LEN);
1977
* We've already validated the length of the decrypted
1978
* password. Copy it back to the caller.
1980
memcpy(passwd, decrypted + 1, decrypted[0]);
1981
passwd[decrypted[0]] = 0;
1982
*pwlen = decrypted[0];
1984
return decrypted[0];