1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krad/attr.c - RADIUS attribute functions for libkrad */
3 /*
4 * Copyright 2013 Red Hat, Inc. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
18 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
20 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
21 * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
22 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
23 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
24 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
25 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
26 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <k5-int.h>
31 #include "internal.h"
32
33 #include <string.h>
34
35 /* RFC 2865 */
36 #define BLOCKSIZE 16
37
38 typedef krb5_error_code
39 (*attribute_transform_fn)(krb5_context ctx, const char *secret,
40 const unsigned char *auth, const krb5_data *in,
41 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
42
43 typedef struct {
44 const char *name;
45 unsigned char minval;
46 unsigned char maxval;
47 attribute_transform_fn encode;
48 attribute_transform_fn decode;
49 } attribute_record;
50
51 static krb5_error_code
52 user_password_encode(krb5_context ctx, const char *secret,
53 const unsigned char *auth, const krb5_data *in,
54 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
55
56 static krb5_error_code
57 user_password_decode(krb5_context ctx, const char *secret,
58 const unsigned char *auth, const krb5_data *in,
59 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen);
60
61 static const attribute_record attributes[UCHAR_MAX] = {
62 {"User-Name", 1, MAX_ATTRSIZE, NULL, NULL},
63 {"User-Password", 1, 128, user_password_encode, user_password_decode},
64 {"CHAP-Password", 17, 17, NULL, NULL},
65 {"NAS-IP-Address", 4, 4, NULL, NULL},
66 {"NAS-Port", 4, 4, NULL, NULL},
67 {"Service-Type", 4, 4, NULL, NULL},
68 {"Framed-Protocol", 4, 4, NULL, NULL},
69 {"Framed-IP-Address", 4, 4, NULL, NULL},
70 {"Framed-IP-Netmask", 4, 4, NULL, NULL},
71 {"Framed-Routing", 4, 4, NULL, NULL},
72 {"Filter-Id", 1, MAX_ATTRSIZE, NULL, NULL},
73 {"Framed-MTU", 4, 4, NULL, NULL},
74 {"Framed-Compression", 4, 4, NULL, NULL},
75 {"Login-IP-Host", 4, 4, NULL, NULL},
76 {"Login-Service", 4, 4, NULL, NULL},
77 {"Login-TCP-Port", 4, 4, NULL, NULL},
78 {NULL, 0, 0, NULL, NULL}, /* Unassigned */
79 {"Reply-Message", 1, MAX_ATTRSIZE, NULL, NULL},
80 {"Callback-Number", 1, MAX_ATTRSIZE, NULL, NULL},
81 {"Callback-Id", 1, MAX_ATTRSIZE, NULL, NULL},
82 {NULL, 0, 0, NULL, NULL}, /* Unassigned */
83 {"Framed-Route", 1, MAX_ATTRSIZE, NULL, NULL},
84 {"Framed-IPX-Network", 4, 4, NULL, NULL},
85 {"State", 1, MAX_ATTRSIZE, NULL, NULL},
86 {"Class", 1, MAX_ATTRSIZE, NULL, NULL},
87 {"Vendor-Specific", 5, MAX_ATTRSIZE, NULL, NULL},
88 {"Session-Timeout", 4, 4, NULL, NULL},
89 {"Idle-Timeout", 4, 4, NULL, NULL},
90 {"Termination-Action", 4, 4, NULL, NULL},
91 {"Called-Station-Id", 1, MAX_ATTRSIZE, NULL, NULL},
92 {"Calling-Station-Id", 1, MAX_ATTRSIZE, NULL, NULL},
93 {"NAS-Identifier", 1, MAX_ATTRSIZE, NULL, NULL},
94 {"Proxy-State", 1, MAX_ATTRSIZE, NULL, NULL},
95 {"Login-LAT-Service", 1, MAX_ATTRSIZE, NULL, NULL},
96 {"Login-LAT-Node", 1, MAX_ATTRSIZE, NULL, NULL},
97 {"Login-LAT-Group", 32, 32, NULL, NULL},
98 {"Framed-AppleTalk-Link", 4, 4, NULL, NULL},
99 {"Framed-AppleTalk-Network", 4, 4, NULL, NULL},
100 {"Framed-AppleTalk-Zone", 1, MAX_ATTRSIZE, NULL, NULL},
101 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
102 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
103 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
104 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
105 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
106 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
107 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
108 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
109 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
110 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
111 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
112 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
113 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
114 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
115 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
116 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
117 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
118 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
119 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
120 {NULL, 0, 0, NULL, NULL}, /* Reserved for accounting */
121 {"CHAP-Challenge", 5, MAX_ATTRSIZE, NULL, NULL},
122 {"NAS-Port-Type", 4, 4, NULL, NULL},
123 {"Port-Limit", 4, 4, NULL, NULL},
124 {"Login-LAT-Port", 1, MAX_ATTRSIZE, NULL, NULL},
125 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
126 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
127 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
128 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
129 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
130 {NULL, 0, 0, NULL, NULL}, /* Reserved for tunnelling */
131 {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
132 {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
133 {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
134 {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
135 {NULL, 0, 0, NULL, NULL}, /* Reserved for Apple Remote Access Protocol */
136 {NULL, 0, 0, NULL, NULL}, /* Password-Retry */
137 {NULL, 0, 0, NULL, NULL}, /* Prompt */
138 {NULL, 0, 0, NULL, NULL}, /* Connect-Info */
139 {NULL, 0, 0, NULL, NULL}, /* Configuration-Token */
140 {NULL, 0, 0, NULL, NULL}, /* EAP-Message */
141 {"Message-Authenticator", MD5_DIGEST_SIZE, MD5_DIGEST_SIZE, NULL, NULL},
142 };
143
144 /* Encode User-Password attribute. */
145 static krb5_error_code
user_password_encode(krb5_context ctx,const char * secret,const unsigned char * auth,const krb5_data * in,unsigned char outbuf[MAX_ATTRSIZE],size_t * outlen)146 user_password_encode(krb5_context ctx, const char *secret,
147 const unsigned char *auth, const krb5_data *in,
148 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
149 {
150 const unsigned char *indx;
151 krb5_error_code retval;
152 unsigned int seclen;
153 krb5_checksum sum;
154 size_t blck, len, i;
155 krb5_data tmp;
156
157 /* Copy the input buffer to the (zero-padded) output buffer. */
158 len = (in->length + BLOCKSIZE - 1) / BLOCKSIZE * BLOCKSIZE;
159 if (len > MAX_ATTRSIZE)
160 return ENOBUFS;
161 memset(outbuf, 0, len);
162 memcpy(outbuf, in->data, in->length);
163
164 /* Create our temporary space for processing each block. */
165 seclen = strlen(secret);
166 retval = alloc_data(&tmp, seclen + BLOCKSIZE);
167 if (retval != 0)
168 return retval;
169
170 memcpy(tmp.data, secret, seclen);
171 for (blck = 0, indx = auth; blck * BLOCKSIZE < len; blck++) {
172 memcpy(tmp.data + seclen, indx, BLOCKSIZE);
173
174 retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &tmp,
175 &sum);
176 if (retval != 0) {
177 zap(tmp.data, tmp.length);
178 zap(outbuf, len);
179 krb5_free_data_contents(ctx, &tmp);
180 return retval;
181 }
182
183 for (i = 0; i < BLOCKSIZE; i++)
184 outbuf[blck * BLOCKSIZE + i] ^= sum.contents[i];
185 krb5_free_checksum_contents(ctx, &sum);
186
187 indx = &outbuf[blck * BLOCKSIZE];
188 }
189
190 zap(tmp.data, tmp.length);
191 krb5_free_data_contents(ctx, &tmp);
192 *outlen = len;
193 return 0;
194 }
195
196 /* Decode User-Password attribute. */
197 static krb5_error_code
user_password_decode(krb5_context ctx,const char * secret,const unsigned char * auth,const krb5_data * in,unsigned char outbuf[MAX_ATTRSIZE],size_t * outlen)198 user_password_decode(krb5_context ctx, const char *secret,
199 const unsigned char *auth, const krb5_data *in,
200 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
201 {
202 const unsigned char *indx;
203 krb5_error_code retval;
204 unsigned int seclen;
205 krb5_checksum sum;
206 ssize_t blck, i;
207 krb5_data tmp;
208
209 if (in->length % BLOCKSIZE != 0)
210 return EINVAL;
211 if (in->length > MAX_ATTRSIZE)
212 return ENOBUFS;
213
214 /* Create our temporary space for processing each block. */
215 seclen = strlen(secret);
216 retval = alloc_data(&tmp, seclen + BLOCKSIZE);
217 if (retval != 0)
218 return retval;
219
220 memcpy(tmp.data, secret, seclen);
221 for (blck = 0, indx = auth; blck * BLOCKSIZE < in->length; blck++) {
222 memcpy(tmp.data + seclen, indx, BLOCKSIZE);
223
224 retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0,
225 &tmp, &sum);
226 if (retval != 0) {
227 zap(tmp.data, tmp.length);
228 zap(outbuf, in->length);
229 krb5_free_data_contents(ctx, &tmp);
230 return retval;
231 }
232
233 for (i = 0; i < BLOCKSIZE; i++) {
234 outbuf[blck * BLOCKSIZE + i] = in->data[blck * BLOCKSIZE + i] ^
235 sum.contents[i];
236 }
237 krb5_free_checksum_contents(ctx, &sum);
238
239 indx = (const unsigned char *)&in->data[blck * BLOCKSIZE];
240 }
241
242 /* Strip off trailing NULL bytes. */
243 *outlen = in->length;
244 while (*outlen > 0 && outbuf[*outlen - 1] == '\0')
245 (*outlen)--;
246
247 krb5_free_data_contents(ctx, &tmp);
248 return 0;
249 }
250
251 krb5_error_code
kr_attr_valid(krad_attr type,const krb5_data * data)252 kr_attr_valid(krad_attr type, const krb5_data *data)
253 {
254 const attribute_record *ar;
255
256 if (type == 0)
257 return EINVAL;
258
259 ar = &attributes[type - 1];
260 return (data->length >= ar->minval && data->length <= ar->maxval) ? 0 :
261 EMSGSIZE;
262 }
263
264 krb5_error_code
kr_attr_encode(krb5_context ctx,const char * secret,const unsigned char * auth,krad_attr type,const krb5_data * in,unsigned char outbuf[MAX_ATTRSIZE],size_t * outlen)265 kr_attr_encode(krb5_context ctx, const char *secret,
266 const unsigned char *auth, krad_attr type,
267 const krb5_data *in, unsigned char outbuf[MAX_ATTRSIZE],
268 size_t *outlen)
269 {
270 krb5_error_code retval;
271
272 retval = kr_attr_valid(type, in);
273 if (retval != 0)
274 return retval;
275
276 if (attributes[type - 1].encode == NULL) {
277 if (in->length > MAX_ATTRSIZE)
278 return ENOBUFS;
279
280 *outlen = in->length;
281 memcpy(outbuf, in->data, in->length);
282 return 0;
283 }
284
285 return attributes[type - 1].encode(ctx, secret, auth, in, outbuf, outlen);
286 }
287
288 krb5_error_code
kr_attr_decode(krb5_context ctx,const char * secret,const unsigned char * auth,krad_attr type,const krb5_data * in,unsigned char outbuf[MAX_ATTRSIZE],size_t * outlen)289 kr_attr_decode(krb5_context ctx, const char *secret, const unsigned char *auth,
290 krad_attr type, const krb5_data *in,
291 unsigned char outbuf[MAX_ATTRSIZE], size_t *outlen)
292 {
293 krb5_error_code retval;
294
295 retval = kr_attr_valid(type, in);
296 if (retval != 0)
297 return retval;
298
299 if (attributes[type - 1].encode == NULL) {
300 if (in->length > MAX_ATTRSIZE)
301 return ENOBUFS;
302
303 *outlen = in->length;
304 memcpy(outbuf, in->data, in->length);
305 return 0;
306 }
307
308 return attributes[type - 1].decode(ctx, secret, auth, in, outbuf, outlen);
309 }
310
311 krad_attr
krad_attr_name2num(const char * name)312 krad_attr_name2num(const char *name)
313 {
314 unsigned char i;
315
316 for (i = 0; i < UCHAR_MAX; i++) {
317 if (attributes[i].name == NULL)
318 continue;
319
320 if (strcmp(attributes[i].name, name) == 0)
321 return i + 1;
322 }
323
324 return 0;
325 }
326
327 const char *
krad_attr_num2name(krad_attr type)328 krad_attr_num2name(krad_attr type)
329 {
330 if (type == 0)
331 return NULL;
332
333 return attributes[type - 1].name;
334 }
335