/* * $Id: sendserver.c,v 1.1 2004/11/14 07:26:26 paulus Exp $ * * Copyright (C) 1995,1996,1997 Lars Fenneberg * * Copyright 1992 Livingston Enterprises, Inc. * * Copyright 1992,1993, 1994,1995 The Regents of the University of Michigan * and Merit Network, Inc. All Rights Reserved * * See the file COPYRIGHT for the respective terms and conditions. * If the file is missing contact me at lf@elemental.net * and I'll send you a copy. * */ #include <includes.h> #include <radiusclient.h> #include <pathnames.h> static void rc_random_vector (unsigned char *); static int rc_check_reply (AUTH_HDR *, int, char *, unsigned char *, unsigned char); /* * Function: rc_pack_list * * Purpose: Packs an attribute value pair list into a buffer. * * Returns: Number of octets packed. * */ static int rc_pack_list (VALUE_PAIR *vp, char *secret, AUTH_HDR *auth) { int length, i, pc, secretlen, padded_length; int total_length = 0; UINT4 lvalue; unsigned char passbuf[MAX(AUTH_PASS_LEN, CHAP_VALUE_LENGTH)]; unsigned char md5buf[256]; unsigned char *buf, *vector, *lenptr; buf = auth->data; while (vp != (VALUE_PAIR *) NULL) { if (vp->vendorcode != VENDOR_NONE) { *buf++ = PW_VENDOR_SPECIFIC; /* Place-holder for where to put length */ lenptr = buf++; /* Insert vendor code */ *buf++ = 0; *buf++ = (((unsigned int) vp->vendorcode) >> 16) & 255; *buf++ = (((unsigned int) vp->vendorcode) >> 8) & 255; *buf++ = ((unsigned int) vp->vendorcode) & 255; /* Insert vendor-type */ *buf++ = vp->attribute; /* Insert value */ switch(vp->type) { case PW_TYPE_STRING: length = vp->lvalue; *lenptr = length + 8; *buf++ = length+2; memcpy(buf, vp->strvalue, (size_t) length); buf += length; total_length += length+8; break; case PW_TYPE_INTEGER: case PW_TYPE_IPADDR: length = sizeof(UINT4); *lenptr = length + 8; *buf++ = length+2; lvalue = htonl(vp->lvalue); memcpy(buf, (char *) &lvalue, sizeof(UINT4)); buf += length; total_length += length+8; break; default: break; } } else { *buf++ = vp->attribute; switch (vp->attribute) { case PW_USER_PASSWORD: /* Encrypt the password */ /* Chop off password at AUTH_PASS_LEN */ length = vp->lvalue; if (length > AUTH_PASS_LEN) length = AUTH_PASS_LEN; /* Calculate the padded length */ padded_length = (length+(AUTH_VECTOR_LEN-1)) & ~(AUTH_VECTOR_LEN-1); /* Record the attribute length */ *buf++ = padded_length + 2; /* Pad the password with zeros */ memset ((char *) passbuf, '\0', AUTH_PASS_LEN); memcpy ((char *) passbuf, vp->strvalue, (size_t) length); secretlen = strlen (secret); vector = (char *)auth->vector; for(i = 0; i < padded_length; i += AUTH_VECTOR_LEN) { /* Calculate the MD5 digest*/ strcpy ((char *) md5buf, secret); memcpy ((char *) md5buf + secretlen, vector, AUTH_VECTOR_LEN); rc_md5_calc (buf, md5buf, secretlen + AUTH_VECTOR_LEN); /* Remeber the start of the digest */ vector = buf; /* Xor the password into the MD5 digest */ for (pc = i; pc < (i + AUTH_VECTOR_LEN); pc++) { *buf++ ^= passbuf[pc]; } } total_length += padded_length + 2; break; #if 0 case PW_CHAP_PASSWORD: *buf++ = CHAP_VALUE_LENGTH + 2; /* Encrypt the Password */ length = vp->lvalue; if (length > CHAP_VALUE_LENGTH) { length = CHAP_VALUE_LENGTH; } memset ((char *) passbuf, '\0', CHAP_VALUE_LENGTH); memcpy ((char *) passbuf, vp->strvalue, (size_t) length); /* Calculate the MD5 Digest */ secretlen = strlen (secret); strcpy ((char *) md5buf, secret); memcpy ((char *) md5buf + secretlen, (char *) auth->vector, AUTH_VECTOR_LEN); rc_md5_calc (buf, md5buf, secretlen + AUTH_VECTOR_LEN); /* Xor the password into the MD5 digest */ for (i = 0; i < CHAP_VALUE_LENGTH; i++) { *buf++ ^= passbuf[i]; } total_length += CHAP_VALUE_LENGTH + 2; break; #endif default: switch (vp->type) { case PW_TYPE_STRING: length = vp->lvalue; *buf++ = length + 2; memcpy (buf, vp->strvalue, (size_t) length); buf += length; total_length += length + 2; break; case PW_TYPE_INTEGER: case PW_TYPE_IPADDR: *buf++ = sizeof (UINT4) + 2; lvalue = htonl (vp->lvalue); memcpy (buf, (char *) &lvalue, sizeof (UINT4)); buf += sizeof (UINT4); total_length += sizeof (UINT4) + 2; break; default: break; } break; } } vp = vp->next; } return total_length; } /* * Function: rc_send_server * * Purpose: send a request to a RADIUS server and wait for the reply * */ int rc_send_server (SEND_DATA *data, char *msg, REQUEST_INFO *info) { int sockfd; struct sockaddr salocal; struct sockaddr saremote; struct sockaddr_in *sin; struct timeval authtime; fd_set readfds; AUTH_HDR *auth, *recv_auth; UINT4 auth_ipaddr; char *server_name; /* Name of server to query */ int salen; int result; int total_length; int length; int retry_max; int secretlen; char secret[MAX_SECRET_LENGTH + 1]; unsigned char vector[AUTH_VECTOR_LEN]; char recv_buffer[BUFFER_LEN]; char send_buffer[BUFFER_LEN]; int retries; VALUE_PAIR *vp; server_name = data->server; if (server_name == (char *) NULL || server_name[0] == '\0') return (ERROR_RC); if ((vp = rc_avpair_get(data->send_pairs, PW_SERVICE_TYPE)) && \ (vp->lvalue == PW_ADMINISTRATIVE)) { strcpy(secret, MGMT_POLL_SECRET); if ((auth_ipaddr = rc_get_ipaddr(server_name)) == 0) return (ERROR_RC); } else { if (rc_find_server (server_name, &auth_ipaddr, secret) != 0) { return (ERROR_RC); } } sockfd = socket (AF_INET, SOCK_DGRAM, 0); if (sockfd < 0) { memset (secret, '\0', sizeof (secret)); error("rc_send_server: socket: %s", strerror(errno)); return (ERROR_RC); } length = sizeof (salocal); sin = (struct sockaddr_in *) & salocal; memset ((char *) sin, '\0', (size_t) length); sin->sin_family = AF_INET; sin->sin_addr.s_addr = htonl(INADDR_ANY); sin->sin_port = htons ((unsigned short) 0); if (bind (sockfd, (struct sockaddr *) sin, length) < 0 || getsockname (sockfd, (struct sockaddr *) sin, &length) < 0) { close (sockfd); memset (secret, '\0', sizeof (secret)); error("rc_send_server: bind: %s: %m", server_name); return (ERROR_RC); } retry_max = data->retries; /* Max. numbers to try for reply */ retries = 0; /* Init retry cnt for blocking call */ /* Build a request */ auth = (AUTH_HDR *) send_buffer; auth->code = data->code; auth->id = data->seq_nbr; if (data->code == PW_ACCOUNTING_REQUEST) { total_length = rc_pack_list(data->send_pairs, secret, auth) + AUTH_HDR_LEN; auth->length = htons ((unsigned short) total_length); memset((char *) auth->vector, 0, AUTH_VECTOR_LEN); secretlen = strlen (secret); memcpy ((char *) auth + total_length, secret, secretlen); rc_md5_calc (vector, (char *) auth, total_length + secretlen); memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN); } else { rc_random_vector (vector); memcpy (auth->vector, vector, AUTH_VECTOR_LEN); total_length = rc_pack_list(data->send_pairs, secret, auth) + AUTH_HDR_LEN; auth->length = htons ((unsigned short) total_length); } sin = (struct sockaddr_in *) & saremote; memset ((char *) sin, '\0', sizeof (saremote)); sin->sin_family = AF_INET; sin->sin_addr.s_addr = htonl (auth_ipaddr); sin->sin_port = htons ((unsigned short) data->svc_port); for (;;) { sendto (sockfd, (char *) auth, (unsigned int) total_length, (int) 0, (struct sockaddr *) sin, sizeof (struct sockaddr_in)); authtime.tv_usec = 0L; authtime.tv_sec = (long) data->timeout; FD_ZERO (&readfds); FD_SET (sockfd, &readfds); if (select (sockfd + 1, &readfds, NULL, NULL, &authtime) < 0) { if (errno == EINTR) continue; error("rc_send_server: select: %m"); memset (secret, '\0', sizeof (secret)); close (sockfd); return (ERROR_RC); } if (FD_ISSET (sockfd, &readfds)) break; /* * Timed out waiting for response. Retry "retry_max" times * before giving up. If retry_max = 0, don't retry at all. */ if (++retries >= retry_max) { error("rc_send_server: no reply from RADIUS server %s:%u", rc_ip_hostname (auth_ipaddr), data->svc_port); close (sockfd); memset (secret, '\0', sizeof (secret)); return (TIMEOUT_RC); } } salen = sizeof (saremote); length = recvfrom (sockfd, (char *) recv_buffer, (int) sizeof (recv_buffer), (int) 0, &saremote, &salen); if (length <= 0) { error("rc_send_server: recvfrom: %s:%d: %m", server_name,\ data->svc_port); close (sockfd); memset (secret, '\0', sizeof (secret)); return (ERROR_RC); } recv_auth = (AUTH_HDR *)recv_buffer; result = rc_check_reply (recv_auth, BUFFER_LEN, secret, vector, data->seq_nbr); data->receive_pairs = rc_avpair_gen(recv_auth); close (sockfd); if (info) { memcpy(info->secret, secret, sizeof(info->secret)); memcpy(info->request_vector, vector, sizeof(info->request_vector)); } memset (secret, '\0', sizeof (secret)); if (result != OK_RC) return (result); *msg = '\0'; vp = data->receive_pairs; while (vp) { if ((vp = rc_avpair_get(vp, PW_REPLY_MESSAGE))) { strcat(msg, vp->strvalue); strcat(msg, "\n"); vp = vp->next; } } if ((recv_auth->code == PW_ACCESS_ACCEPT) || (recv_auth->code == PW_PASSWORD_ACK) || (recv_auth->code == PW_ACCOUNTING_RESPONSE)) { result = OK_RC; } else { result = BADRESP_RC; } return (result); } /* * Function: rc_check_reply * * Purpose: verify items in returned packet. * * Returns: OK_RC -- upon success, * BADRESP_RC -- if anything looks funny. * */ static int rc_check_reply (AUTH_HDR *auth, int bufferlen, char *secret, unsigned char *vector, unsigned char seq_nbr) { int secretlen; int totallen; unsigned char calc_digest[AUTH_VECTOR_LEN]; unsigned char reply_digest[AUTH_VECTOR_LEN]; totallen = ntohs (auth->length); secretlen = strlen (secret); /* Do sanity checks on packet length */ if ((totallen < 20) || (totallen > 4096)) { error("rc_check_reply: received RADIUS server response with invalid length"); return (BADRESP_RC); } /* Verify buffer space, should never trigger with current buffer size and check above */ if ((totallen + secretlen) > bufferlen) { error("rc_check_reply: not enough buffer space to verify RADIUS server response"); return (BADRESP_RC); } /* Verify that id (seq. number) matches what we sent */ if (auth->id != seq_nbr) { error("rc_check_reply: received non-matching id in RADIUS server response"); return (BADRESP_RC); } /* Verify the reply digest */ memcpy ((char *) reply_digest, (char *) auth->vector, AUTH_VECTOR_LEN); memcpy ((char *) auth->vector, (char *) vector, AUTH_VECTOR_LEN); memcpy ((char *) auth + totallen, secret, secretlen); rc_md5_calc (calc_digest, (char *) auth, totallen + secretlen); #ifdef DIGEST_DEBUG { int i; fputs("reply_digest: ", stderr); for (i = 0; i < AUTH_VECTOR_LEN; i++) { fprintf(stderr,"%.2x ", (int) reply_digest[i]); } fputs("\ncalc_digest: ", stderr); for (i = 0; i < AUTH_VECTOR_LEN; i++) { fprintf(stderr,"%.2x ", (int) calc_digest[i]); } fputs("\n", stderr); } #endif if (memcmp ((char *) reply_digest, (char *) calc_digest, AUTH_VECTOR_LEN) != 0) { #ifdef RADIUS_116 /* the original Livingston radiusd v1.16 seems to have a bug in digest calculation with accounting requests, authentication request are ok. i looked at the code but couldn't find any bugs. any help to get this kludge out are welcome. preferably i want to reproduce the calculation bug here to be compatible to stock Livingston radiusd v1.16. -lf, 03/14/96 */ if (auth->code == PW_ACCOUNTING_RESPONSE) return (OK_RC); #endif error("rc_check_reply: received invalid reply digest from RADIUS server"); return (BADRESP_RC); } return (OK_RC); } /* * Function: rc_random_vector * * Purpose: generates a random vector of AUTH_VECTOR_LEN octets. * * Returns: the vector (call by reference) * */ static void rc_random_vector (unsigned char *vector) { int randno; int i; int fd; /* well, I added this to increase the security for user passwords. we use /dev/urandom here, as /dev/random might block and we don't need that much randomness. BTW, great idea, Ted! -lf, 03/18/95 */ if ((fd = open(_PATH_DEV_URANDOM, O_RDONLY)) >= 0) { unsigned char *pos; int readcount; i = AUTH_VECTOR_LEN; pos = vector; while (i > 0) { readcount = read(fd, (char *)pos, i); pos += readcount; i -= readcount; } close(fd); return; } /* else fall through */ for (i = 0; i < AUTH_VECTOR_LEN;) { randno = magic(); memcpy ((char *) vector, (char *) &randno, sizeof (int)); vector += sizeof (int); i += sizeof (int); } return; }