xref: /illumos-gate/usr/src/uts/common/io/scsi/adapters/iscsi/radius_auth.c (revision 5df5713f81d69c1a0797f99b13e95e220da00ef9)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <netinet/in.h>
27 #include <sys/kmem.h>
28 #include <sys/random.h>
29 #include <sys/socket.h>
30 
31 #include "chap.h"
32 #include <sys/scsi/adapters/iscsi_if.h>
33 #include "iscsi.h"
34 #include <sys/md5.h>
35 #include "radius_packet.h"
36 #include "radius_protocol.h"
37 #include "radius_auth.h"
38 
39 #include <sys/sunddi.h>
40 
41 /* Forward declaration */
42 /*
43  * Annotate the radius_attr_t objects with authentication data.
44  */
45 static
46 void
47 set_radius_attrs(radius_packet_data_t *req,
48 	char *target_chap_name,
49 	unsigned char *target_response,
50 	uint32_t response_length,
51 	uint8_t *challenge,
52 	uint32_t challenge_length);
53 
54 /*
55  * See radius_auth.h.
56  */
57 /* ARGSUSED */
58 chap_validation_status_type
radius_chap_validate(char * target_chap_name,char * initiator_chap_name,uint8_t * challenge,uint32_t challenge_length,uint8_t * target_response,uint32_t response_length,uint8_t identifier,iscsi_ipaddr_t rad_svr_ip_addr,uint32_t rad_svr_port,uint8_t * rad_svr_shared_secret,uint32_t rad_svr_shared_secret_len)59 radius_chap_validate(char *target_chap_name,
60 	char *initiator_chap_name,
61 	uint8_t *challenge,
62 	uint32_t challenge_length,
63 	uint8_t *target_response,
64 	uint32_t response_length,
65 	uint8_t identifier,
66 	iscsi_ipaddr_t rad_svr_ip_addr,
67 	uint32_t rad_svr_port,
68 	uint8_t *rad_svr_shared_secret,
69 	uint32_t rad_svr_shared_secret_len)
70 {
71 	chap_validation_status_type validation_status;
72 	char lbolt[64];
73 	int rcv_status;
74 	void *socket;
75 	radius_packet_data_t req;
76 	radius_packet_data_t resp;
77 	MD5_CTX context;
78 	uint8_t	md5_digest[16];		/* MD5 digest length 16 */
79 	uint8_t random_number[16];
80 
81 	if (rad_svr_shared_secret_len == 0) {
82 		/* The secret must not be empty (section 3, RFC 2865) */
83 		cmn_err(CE_WARN, "empty RADIUS shared secret");
84 		return (CHAP_VALIDATION_BAD_RADIUS_SECRET);
85 	}
86 
87 	bzero(&req, sizeof (radius_packet_data_t));
88 
89 	req.identifier = identifier;
90 	req.code = RAD_ACCESS_REQ;
91 	set_radius_attrs(&req,
92 	    target_chap_name,
93 	    target_response,
94 	    response_length,
95 	    challenge,
96 	    challenge_length);
97 
98 	/* Prepare the request authenticator */
99 	MD5Init(&context);
100 	bzero(&md5_digest, 16);
101 	/* First, the shared secret */
102 	MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len);
103 	/* Then a unique number - use lbolt plus a random number */
104 	bzero(&lbolt, sizeof (lbolt));
105 	(void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt());
106 	MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt));
107 	bzero(&random_number, sizeof (random_number));
108 	(void) random_get_pseudo_bytes(random_number,
109 	    sizeof (random_number));
110 	MD5Update(&context, random_number, sizeof (random_number));
111 	MD5Final(md5_digest, &context);
112 	bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN);
113 
114 	socket = iscsi_net->socket(AF_INET, SOCK_DGRAM, 0);
115 	if (socket == NULL) {
116 		/* Error obtaining socket for RADIUS use */
117 		return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
118 	}
119 
120 	/* Send the authentication access request to the RADIUS server */
121 	if (snd_radius_request(socket,
122 	    rad_svr_ip_addr,
123 	    rad_svr_port,
124 	    &req) == -1) {
125 		return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
126 	}
127 
128 	bzero(&resp, sizeof (radius_packet_data_t));
129 	/*  Analyze the response coming through from the same socket. */
130 	rcv_status = rcv_radius_response(socket,
131 	    rad_svr_shared_secret,
132 	    rad_svr_shared_secret_len,
133 	    req.authenticator, &resp);
134 	if (rcv_status == RAD_RSP_RCVD_SUCCESS) {
135 		if (resp.code == RAD_ACCESS_ACPT) {
136 			validation_status = CHAP_VALIDATION_PASSED;
137 		} else if (resp.code == RAD_ACCESS_REJ) {
138 			validation_status = CHAP_VALIDATION_INVALID_RESPONSE;
139 		} else {
140 			validation_status =
141 			    CHAP_VALIDATION_UNKNOWN_RADIUS_CODE;
142 		}
143 	} else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) {
144 		cmn_err(CE_WARN, "RADIUS packet authentication failed");
145 		validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET;
146 	} else {
147 		validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR;
148 	}
149 
150 	iscsi_net->close(socket);
151 	return (validation_status);
152 }
153 
154 /* See forward declaration. */
155 static void
set_radius_attrs(radius_packet_data_t * req,char * target_chap_name,unsigned char * target_response,uint32_t response_length,uint8_t * challenge,uint32_t challenge_length)156 set_radius_attrs(radius_packet_data_t *req,
157 	char *target_chap_name,
158 	unsigned char *target_response,
159 	uint32_t response_length,
160 	uint8_t *challenge,
161 	uint32_t challenge_length)
162 {
163 	req->attrs[0].attr_type_code = RAD_USER_NAME;
164 	(void) strncpy((char *)req->attrs[0].attr_value,
165 	    (const char *)target_chap_name,
166 	    strlen(target_chap_name));
167 	req->attrs[0].attr_value_len = strlen(target_chap_name);
168 
169 	req->attrs[1].attr_type_code = RAD_CHAP_PASSWORD;
170 	bcopy(target_response,
171 	    (char *)req->attrs[1].attr_value,
172 	    min(response_length, sizeof (req->attrs[1].attr_value)));
173 	/* A target response is an MD5 hash thus its length has to be 16. */
174 	req->attrs[1].attr_value_len = response_length;
175 
176 	req->attrs[2].attr_type_code = RAD_CHAP_CHALLENGE;
177 	bcopy(challenge,
178 	    (char *)req->attrs[2].attr_value,
179 	    min(challenge_length, sizeof (req->attrs[2].attr_value)));
180 	req->attrs[2].attr_value_len = challenge_length;
181 
182 	/* 3 attributes associated with each RADIUS packet. */
183 	req->num_of_attrs = 3;
184 }
185