1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <netinet/in.h> 27 #include <sys/kmem.h> 28 #include <sys/random.h> 29 #include <sys/socket.h> 30 31 #include "chap.h" 32 #include <sys/scsi/adapters/iscsi_if.h> 33 #include "iscsi.h" 34 #include <sys/md5.h> 35 #include "radius_packet.h" 36 #include "radius_protocol.h" 37 #include "radius_auth.h" 38 39 #include <sys/sunddi.h> 40 41 /* Forward declaration */ 42 /* 43 * Annotate the radius_attr_t objects with authentication data. 44 */ 45 static 46 void 47 set_radius_attrs(radius_packet_data_t *req, 48 char *target_chap_name, 49 unsigned char *target_response, 50 uint32_t response_length, 51 uint8_t *challenge, 52 uint32_t challenge_length); 53 54 /* 55 * See radius_auth.h. 56 */ 57 /* ARGSUSED */ 58 chap_validation_status_type 59 radius_chap_validate(char *target_chap_name, 60 char *initiator_chap_name, 61 uint8_t *challenge, 62 uint32_t challenge_length, 63 uint8_t *target_response, 64 uint32_t response_length, 65 uint8_t identifier, 66 iscsi_ipaddr_t rad_svr_ip_addr, 67 uint32_t rad_svr_port, 68 uint8_t *rad_svr_shared_secret, 69 uint32_t rad_svr_shared_secret_len) 70 { 71 chap_validation_status_type validation_status; 72 char lbolt[64]; 73 int rcv_status; 74 void *socket; 75 radius_packet_data_t req; 76 radius_packet_data_t resp; 77 MD5_CTX context; 78 uint8_t md5_digest[16]; /* MD5 digest length 16 */ 79 uint8_t random_number[16]; 80 81 if (rad_svr_shared_secret_len == 0) { 82 /* The secret must not be empty (section 3, RFC 2865) */ 83 cmn_err(CE_WARN, "empty RADIUS shared secret"); 84 return (CHAP_VALIDATION_BAD_RADIUS_SECRET); 85 } 86 87 bzero(&req, sizeof (radius_packet_data_t)); 88 89 req.identifier = identifier; 90 req.code = RAD_ACCESS_REQ; 91 set_radius_attrs(&req, 92 target_chap_name, 93 target_response, 94 response_length, 95 challenge, 96 challenge_length); 97 98 /* Prepare the request authenticator */ 99 MD5Init(&context); 100 bzero(&md5_digest, 16); 101 /* First, the shared secret */ 102 MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len); 103 /* Then a unique number - use lbolt plus a random number */ 104 bzero(&lbolt, sizeof (lbolt)); 105 (void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt()); 106 MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt)); 107 bzero(&random_number, sizeof (random_number)); 108 (void) random_get_pseudo_bytes(random_number, 109 sizeof (random_number)); 110 MD5Update(&context, random_number, sizeof (random_number)); 111 MD5Final(md5_digest, &context); 112 bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN); 113 114 socket = iscsi_net->socket(AF_INET, SOCK_DGRAM, 0); 115 if (socket == NULL) { 116 /* Error obtaining socket for RADIUS use */ 117 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 118 } 119 120 /* Send the authentication access request to the RADIUS server */ 121 if (snd_radius_request(socket, 122 rad_svr_ip_addr, 123 rad_svr_port, 124 &req) == -1) { 125 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 126 } 127 128 bzero(&resp, sizeof (radius_packet_data_t)); 129 /* Analyze the response coming through from the same socket. */ 130 rcv_status = rcv_radius_response(socket, 131 rad_svr_shared_secret, 132 rad_svr_shared_secret_len, 133 req.authenticator, &resp); 134 if (rcv_status == RAD_RSP_RCVD_SUCCESS) { 135 if (resp.code == RAD_ACCESS_ACPT) { 136 validation_status = CHAP_VALIDATION_PASSED; 137 } else if (resp.code == RAD_ACCESS_REJ) { 138 validation_status = CHAP_VALIDATION_INVALID_RESPONSE; 139 } else { 140 validation_status = 141 CHAP_VALIDATION_UNKNOWN_RADIUS_CODE; 142 } 143 } else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) { 144 cmn_err(CE_WARN, "RADIUS packet authentication failed"); 145 validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET; 146 } else { 147 validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR; 148 } 149 150 iscsi_net->close(socket); 151 return (validation_status); 152 } 153 154 /* See forward declaration. */ 155 static void 156 set_radius_attrs(radius_packet_data_t *req, 157 char *target_chap_name, 158 unsigned char *target_response, 159 uint32_t response_length, 160 uint8_t *challenge, 161 uint32_t challenge_length) 162 { 163 req->attrs[0].attr_type_code = RAD_USER_NAME; 164 (void) strncpy((char *)req->attrs[0].attr_value, 165 (const char *)target_chap_name, 166 strlen(target_chap_name)); 167 req->attrs[0].attr_value_len = strlen(target_chap_name); 168 169 req->attrs[1].attr_type_code = RAD_CHAP_PASSWORD; 170 bcopy(target_response, 171 (char *)req->attrs[1].attr_value, 172 min(response_length, sizeof (req->attrs[1].attr_value))); 173 /* A target response is an MD5 hash thus its length has to be 16. */ 174 req->attrs[1].attr_value_len = response_length; 175 176 req->attrs[2].attr_type_code = RAD_CHAP_CHALLENGE; 177 bcopy(challenge, 178 (char *)req->attrs[2].attr_value, 179 min(challenge_length, sizeof (req->attrs[2].attr_value))); 180 req->attrs[2].attr_value_len = challenge_length; 181 182 /* 3 attributes associated with each RADIUS packet. */ 183 req->num_of_attrs = 3; 184 } 185