1 // SoftEther VPN Source Code - Stable Edition Repository 2 // Cedar Communication Module 3 // 4 // SoftEther VPN Server, Client and Bridge are free software under the Apache License, Version 2.0. 5 // 6 // Copyright (c) Daiyuu Nobori. 7 // Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan. 8 // Copyright (c) SoftEther Corporation. 9 // Copyright (c) all contributors on SoftEther VPN project in GitHub. 10 // 11 // All Rights Reserved. 12 // 13 // http://www.softether.org/ 14 // 15 // This stable branch is officially managed by Daiyuu Nobori, the owner of SoftEther VPN Project. 16 // Pull requests should be sent to the Developer Edition Master Repository on https://github.com/SoftEtherVPN/SoftEtherVPN 17 // 18 // License: The Apache License, Version 2.0 19 // https://www.apache.org/licenses/LICENSE-2.0 20 // 21 // DISCLAIMER 22 // ========== 23 // 24 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 25 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 26 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 27 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 28 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 29 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 30 // SOFTWARE. 31 // 32 // THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER 33 // JAPANESE LAWS. 
YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, 34 // DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY 35 // JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, 36 // AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER 37 // SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND 38 // OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, 39 // AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND 40 // CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE 41 // JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE 42 // ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. 43 // PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE 44 // LAW OR COURT RULE. 45 // 46 // USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE 47 // A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL 48 // RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS 49 // COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND 50 // DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING 51 // CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER 52 // COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. 53 // WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR 54 // INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES 55 // AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH 56 // DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS 57 // AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE 58 // PROJECT. 
EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A 59 // PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE 60 // LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL 61 // RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A 62 // STATEMENT FOR WARNING AND DISCLAIMER. 63 // 64 // READ AND UNDERSTAND THE 'WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. 65 // SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH 66 // LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'THIRD_PARTY.TXT' FILE. 67 // 68 // 69 // SOURCE CODE CONTRIBUTION 70 // ------------------------ 71 // 72 // Your contribution to SoftEther VPN Project is much appreciated. 73 // Please send patches to us through GitHub. 74 // Read the SoftEther VPN Patch Acceptance Policy in advance: 75 // http://www.softether.org/5-download/src/9.patch 76 // 77 // 78 // DEAR SECURITY EXPERTS 79 // --------------------- 80 // 81 // If you find a bug or a security vulnerability please kindly inform us 82 // about the problem immediately so that we can fix the security problem 83 // to protect a lot of users around the world as soon as possible. 84 // 85 // Our e-mail address for security reports is: 86 // softether-vpn-security [at] softether.org 87 // 88 // Please note that the above e-mail address is not a technical support 89 // inquiry address. If you need technical assistance, please visit 90 // http://www.softether.org/ and ask your question on the users forum. 91 // 92 // Thank you for your cooperation. 93 // 94 // 95 // NO MEMORY OR RESOURCE LEAKS 96 // --------------------------- 97 // 98 // The memory-leaks and resource-leaks verification under the stress 99 // test has been passed before release this source code. 
// Radius.h
// Header of Radius.c
//
// Wire-format constants, packed on-the-wire EAP structures, parsed-packet
// types and client prototypes shared by the "modern" (EAP/PEAP) and the
// "classical" (User-Password / MS-CHAPv2) RADIUS client code in Radius.c.
// Attribute and code numbers follow RFC 2865 (RADIUS), RFC 2548 (Microsoft
// vendor attributes), RFC 3748 (EAP) and RFC 5216 (EAP-TLS flags).

#ifndef RADIUS_H
#define RADIUS_H

#define RADIUS_DEFAULT_PORT 1812 // The default port number (RADIUS authentication, UDP)
#define RADIUS_RETRY_INTERVAL 500 // Retransmission interval (presumably milliseconds — RADIUS_RETRY_TIMEOUT is written as 10 * 1000; confirm in Radius.c)
#define RADIUS_RETRY_TIMEOUT (10 * 1000) // Time-out period after which the exchange is given up
#define RADIUS_INITIAL_EAP_TIMEOUT 1600 // Initial timeout for EAP


// RADIUS attributes (RFC 2865 / RFC 2868 / RFC 3579 attribute type numbers)
#define RADIUS_ATTRIBUTE_USER_NAME 1 // User-Name
#define RADIUS_ATTRIBUTE_NAS_IP 4 // NAS-IP-Address
#define RADIUS_ATTRIBUTE_NAS_PORT 5 // NAS-Port
#define RADIUS_ATTRIBUTE_SERVICE_TYPE 6 // Service-Type
#define RADIUS_ATTRIBUTE_FRAMED_PROTOCOL 7 // Framed-Protocol
#define RADIUS_ATTRIBUTE_FRAMED_MTU 12 // Framed-MTU
#define RADIUS_ATTRIBUTE_STATE 24 // State (opaque; must be echoed back unchanged in the next Access-Request)
#define RADIUS_ATTRIBUTE_VENDOR_SPECIFIC 26 // Vendor-Specific (see RADIUS_VENDOR_* / RADIUS_MS_*)
#define RADIUS_ATTRIBUTE_CALLED_STATION_ID 30 // Called-Station-Id
#define RADIUS_ATTRIBUTE_CALLING_STATION_ID 31 // Calling-Station-Id
#define RADIUS_ATTRIBUTE_NAS_ID 32 // NAS-Identifier
#define RADIUS_ATTRIBUTE_PROXY_STATE 33 // Proxy-State
#define RADIUS_ATTRIBUTE_ACCT_SESSION_ID 44 // Acct-Session-Id
#define RADIUS_ATTRIBUTE_NAS_PORT_TYPE 61 // NAS-Port-Type
#define RADIUS_ATTRIBUTE_TUNNEL_TYPE 64 // Tunnel-Type (RFC 2868)
#define RADIUS_ATTRIBUTE_TUNNEL_MEDIUM_TYPE 65 // Tunnel-Medium-Type (RFC 2868)
#define RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT 66 // Tunnel-Client-Endpoint (RFC 2868)
#define RADIUS_ATTRIBUTE_TUNNEL_SERVER_ENDPOINT 67 // Tunnel-Server-Endpoint (RFC 2868)
#define RADIUS_ATTRIBUTE_EAP_MESSAGE 79 // EAP-Message (RFC 3579); EAP packets larger than 253 bytes are split over several of these
#define RADIUS_ATTRIBUTE_EAP_AUTHENTICATOR 80 // Message-Authenticator (RFC 3579 3.2, HMAC-MD5 over the whole packet).
                                              // Required on every packet carrying EAP-Message; a receiver should
                                              // discard replies where it is missing or fails to verify. Whether
                                              // Radius.c verifies it on responses is not visible from this header.
#define RADIUS_ATTRIBUTE_VLAN_ID 81 // Tunnel-Private-Group-ID (RFC 2868); carries the VLAN ID here
#define RADIUS_ATTRIBUTE_FRAMED_INTERFACE_ID 96 // Framed-Interface-Id (RFC 3162)
#define RADIUS_MAX_NAS_ID_LEN 253 // Largest attribute value: Length is one octet (<= 255) and includes the 2-byte header

// RADIUS codes (RFC 2865 section 3)
#define RADIUS_CODE_ACCESS_REQUEST 1
#define RADIUS_CODE_ACCESS_ACCEPT 2
#define RADIUS_CODE_ACCESS_REJECT 3
#define RADIUS_CODE_ACCESS_CHALLENGE 11

// RADIUS vendor ID (IANA enterprise number inside Vendor-Specific)
#define RADIUS_VENDOR_MICROSOFT 311

// RADIUS MS attributes (RFC 2548 vendor-type numbers under vendor 311)
#define RADIUS_MS_RAS_VENDOR 9 // MS-RAS-Vendor
#define RADIUS_MS_CHAP_CHALLENGE 11 // MS-CHAP-Challenge
#define RADIUS_MS_VERSION 18 // MS-Version
#define RADIUS_MS_CHAP2_RESPONSE 25 // MS-CHAP2-Response
#define RADIUS_MS_RAS_CLIENT_NAME 34 // MS-RAS-Client-Name
#define RADIUS_MS_RAS_CLIENT_VERSION 35 // MS-RAS-Client-Version
#define RADIUS_MS_NETWORK_ACCESS_SERVER_TYPE 47 // MS-Network-Access-Server-Type
#define RADIUS_MS_RAS_CORRELATION 56 // MS-RAS-Correlation

// EAP code (RFC 3748 section 4)
#define EAP_CODE_REQUEST 1
#define EAP_CODE_RESPONSE 2
#define EAP_CODE_SUCCESS 3
#define EAP_CODE_FAILURE 4

// EAP type (RFC 3748 section 5; 25 and 26 are IANA-registered method types)
#define EAP_TYPE_IDENTITY 1
#define EAP_TYPE_LEGACY_NAK 3
#define EAP_TYPE_PEAP 25
#define EAP_TYPE_MS_AUTH 26 // EAP-MSCHAPv2

// MS-CHAPv2 opcodes (Chap_Opcode field of the EAP-MSCHAPv2 payload)
#define EAP_MSCHAPV2_OP_CHALLENGE 1
#define EAP_MSCHAPV2_OP_RESPONSE 2
#define EAP_MSCHAPV2_OP_SUCCESS 3

// EAP-TLS flags (RFC 5216 section 3.1; same octet is used by PEAP)
#define EAP_TLS_FLAGS_LEN 0x80 // L: a 4-byte TLS Message Length field follows the flags
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40 // M: more fragments follow
#define EAP_TLS_FLAGS_START 0x20 // S: EAP-TLS/PEAP Start


////////// Modern implementation
//
// The EAP_* structures below are images of the wire format, hence packed.
// In each of them Len is the total EAP packet length, i.e. the 5-byte
// header (Code, Id, Len, Type) plus the bytes of payload actually in use —
// NOT sizeof the fixed-size arrays declared here, which are upper bounds.
// On the wire Len is big-endian (RFC 3748); check how Radius.c converts it.
// Any parser filling these from received bytes must bound the copy by the
// declared array size, never by the peer-supplied Len alone.

#ifdef OS_WIN32
#pragma pack(push, 1)
#endif // OS_WIN32

// Generic EAP packet with a type-specific payload.
struct EAP_MESSAGE
{
	UCHAR Code; // EAP_CODE_*
	UCHAR Id; // Identifier, matched between request and response
	USHORT Len; // = 5 + number of Data bytes in use (see note above)
	UCHAR Type; // EAP_TYPE_*
	UCHAR Data[1500]; // Type-specific payload; Len - 5 must be checked against sizeof(Data) before copying into it
} GCC_PACKED;

// Common prefix of every EAP-MSCHAPv2 message, used to read the opcode.
struct EAP_MSCHAPV2_GENERAL
{
	UCHAR Code; // EAP_CODE_*
	UCHAR Id;
	USHORT Len; // = 5 + MS-CHAPv2 payload length in use
	UCHAR Type; // EAP_TYPE_MS_AUTH
	UCHAR Chap_Opcode; // EAP_MSCHAPV2_OP_*
} GCC_PACKED;

// EAP-MSCHAPv2 Challenge (server -> client).
struct EAP_MSCHAPV2_CHALLENGE
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len; // = 5 + MS-CHAPv2 payload length in use
	UCHAR Type;
	UCHAR Chap_Opcode; // EAP_MSCHAPV2_OP_CHALLENGE
	UCHAR Chap_Id; // MS-CHAPv2 identifier, echoed in the response
	USHORT Chap_Len; // MS-CHAPv2 length (from Chap_Opcode onward)
	UCHAR Chap_ValueSize; // = 16
	UCHAR Chap_ChallengeValue[16]; // Authenticator (server) challenge
	char Chap_Name[256]; // Server name; upper bound only — actual length is Chap_Len - 21 and is not NUL-terminated on the wire
} GCC_PACKED;

// EAP-MSCHAPv2 Response (client -> server).
struct EAP_MSCHAPV2_RESPONSE
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len; // = 5 + MS-CHAPv2 payload length in use
	UCHAR Type;
	UCHAR Chap_Opcode; // EAP_MSCHAPV2_OP_RESPONSE
	UCHAR Chap_Id;
	USHORT Chap_Len;
	UCHAR Chap_ValueSize; // = 49 (16 + 8 + 24 + 1)
	UCHAR Chap_PeerChallange[16]; // Peer (client) challenge; spelling kept for Radius.c compatibility
	UCHAR Chap_Reserved[8]; // Must be zero
	UCHAR Chap_NtResponse[24]; // NT-Response
	UCHAR Chap_Flags; // Must be zero
	char Chap_Name[256]; // User name; upper bound only, length derived from Chap_Len
} GCC_PACKED;

// EAP-MSCHAPv2 Success Request (server -> client), carrying the
// Authenticator Response ("S=<40 hex>") and an optional message.
struct EAP_MSCHAPV2_SUCCESS_SERVER
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len; // = 5 + MS-CHAPv2 payload length in use
	UCHAR Type;
	UCHAR Chap_Opcode; // EAP_MSCHAPV2_OP_SUCCESS
	UCHAR Chap_Id;
	USHORT Chap_Len;
	char Message[256]; // "S=..." text; upper bound only, length derived from Chap_Len. The client must verify
	                   // the server's Authenticator Response here before treating authentication as mutual.
} GCC_PACKED;

// EAP-MSCHAPv2 Success Response (client -> server): opcode only.
struct EAP_MSCHAPV2_SUCCESS_CLIENT
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len; // = 6 (header plus the opcode)
	UCHAR Type;
	UCHAR Chap_Opcode; // EAP_MSCHAPV2_OP_SUCCESS
} GCC_PACKED;

// PEAP header; TLS records follow the flags (and the optional 4-byte
// TLS Message Length when EAP_TLS_FLAGS_LEN is set).
struct EAP_PEAP
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len; // = 5 + TLS data in use (+4 when the length field is present)
	UCHAR Type; // EAP_TYPE_PEAP
	UCHAR TlsFlags; // EAP_TLS_FLAGS_*
} GCC_PACKED;

#ifdef OS_WIN32
#pragma pack(pop)
#endif // OS_WIN32

// Parsed (in-memory, not packed) RADIUS packet.
struct RADIUS_PACKET
{
	UCHAR Code; // RADIUS_CODE_*
	UCHAR PacketId; // Identifier, matched between request and reply
	LIST *AvpList; // List of RADIUS_AVP *; owned by the packet (see FreeRadiusPacket)
	UCHAR Authenticator[16]; // Request Authenticator (random, in requests) or Response Authenticator
	                         // (MD5 over the reply plus the shared secret, RFC 2865 section 3). A reply
	                         // must be checked against this before its attributes are trusted; the check
	                         // itself is presumably done in Radius.c — confirm.

	UINT Parse_EapAuthMessagePos; // Offset of the Message-Authenticator value recorded while parsing — presumably for HMAC verification; verify in Radius.c
	UINT Parse_AuthenticatorPos; // Offset of the Authenticator field recorded while parsing

	EAP_MESSAGE *Parse_EapMessage; // Reassembled EAP-Message attributes, if any (ownership: see FreeRadiusPacket)
	UINT Parse_EapMessage_DataSize; // Number of bytes in Parse_EapMessage->Data

	UINT Parse_StateSize; // Bytes in use in Parse_State
	UCHAR Parse_State[256]; // State attribute to echo back; a single attribute value is at most 253 bytes
};

// One attribute-value pair. For Vendor-Specific (Type 26) VendorId and
// VendorCode identify the inner attribute; otherwise they are unused.
struct RADIUS_AVP
{
	UCHAR Type; // RADIUS_ATTRIBUTE_*
	UINT VendorId; // RADIUS_VENDOR_* (Vendor-Specific only)
	UCHAR VendorCode; // RADIUS_MS_* (Vendor-Specific only)
	UCHAR Padding[3];
	UCHAR DataSize; // Bytes in Data; being a UCHAR (<= 255) it can never overrun Data[256]
	UCHAR Data[256];
};

// State of one EAP / PEAP authentication exchange with a RADIUS server.
struct EAP_CLIENT
{
	REF *Ref; // Reference count (NewEapClient / ReleaseEapClient)

	SOCK *UdpSock; // UDP socket to the RADIUS server
	IP ServerIp;
	UINT ServerPort;
	char SharedSecret[MAX_SIZE]; // RADIUS shared secret. Secret material: should be wiped on cleanup with a
	                             // zeroization that the compiler cannot elide (plain memset before free may be).
	char ClientIpStr[256]; // Calling-Station-Id
	char CalledStationStr[256]; // Called-Station-Id
	char Username[MAX_USERNAME_LEN + 1];
	UINT ResendTimeout; // Retransmission interval
	UINT GiveupTimeout; // Overall give-up timeout
	UCHAR TmpBuffer[4096]; // Scratch buffer for assembling/receiving datagrams (RFC 2865 caps a RADIUS packet at 4096 bytes)
	UCHAR NextEapId; // Identifier for the next EAP message we send
	UCHAR LastRecvEapId; // Identifier of the last EAP message received

	bool PeapMode; // true: MS-CHAPv2 runs inside a PEAP TLS tunnel; false: plain EAP-MSCHAPv2

	UCHAR LastState[256]; // Last State attribute received, echoed in the next request
	UINT LastStateSize;

	EAP_MSCHAPV2_CHALLENGE MsChapV2Challenge; // Last challenge received from the server
	EAP_MSCHAPV2_SUCCESS_SERVER MsChapV2Success; // Last success message received from the server
	UCHAR ServerResponse[20]; // MS-CHAPv2 Authenticator Response (20 bytes) extracted from MsChapV2Success

	SSL_PIPE *SslPipe; // TLS endpoint for the PEAP tunnel (PeapMode only)
	UCHAR NextRadiusPacketId; // Identifier for the next RADIUS packet

	BUF *PEAP_CurrentReceivingMsg; // Reassembly buffer for fragmented PEAP messages
	UINT PEAP_CurrentReceivingTotalSize; // Total length announced by the first fragment (TLS Message Length) — bound reassembly by it and by a sane maximum
	UCHAR RecvLastCode; // RADIUS code of the last reply

	UINT LastRecvVLanId; // VLAN from Tunnel-Private-Group-ID in the Access-Accept
	UCHAR LastRecvVirtualMacAddress[6];

	char In_VpnProtocolState[64]; // Copied into RADIUS_LOGIN_OPTION / NAS attributes — confirm in Radius.c
};

// Packet construction / parsing.
void FreeRadiusPacket(RADIUS_PACKET *p); // Frees p, its AVP list and Parse_EapMessage (presumably — see Radius.c)
BUF *GenerateRadiusPacket(RADIUS_PACKET *p, char *shared_secret); // Serializes p; shared_secret is needed for the Message-Authenticator. Caller owns the returned BUF.
RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size); // Parses a received datagram; presumably returns NULL on malformed input. Must validate every Length octet against size.
RADIUS_PACKET *NewRadiusPacket(UCHAR code, UCHAR packet_id);
RADIUS_AVP *NewRadiusAvp(UCHAR type, UINT vendor_id, UCHAR vendor_code, void *data, UINT size); // Copies data; size must fit Data[256]
RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type); // First AVP of the given type, or NULL
void RadiusTest(); // NOTE(review): old-style declaration — `void RadiusTest(void);` would give a real prototype


// EAP client life cycle and MS-CHAPv2 over EAP.
EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
void ReleaseEapClient(EAP_CLIENT *e); // Drops one reference; CleanupEapClient runs when it reaches zero
void CleanupEapClient(EAP_CLIENT *e); // Frees the client's resources (secret should be zeroized here)
bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e); // Identity exchange up to the MS-CHAPv2 challenge (stored in MsChapV2Challenge)
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge); // Sends the 24-byte NT-Response and 16-byte peer challenge
void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e); // Adds the NAS / station attributes common to every request
bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r);
RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r); // Send with retransmission; caller frees the returned packet

// Same two steps, but inside the PEAP tunnel.
bool PeapClientSendMsChapv2AuthRequest(EAP_CLIENT *eap);
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);

// PEAP tunnel setup and transport.
bool StartPeapClient(EAP_CLIENT *e); // Negotiates PEAP as the EAP method
bool StartPeapSslClient(EAP_CLIENT *e); // Runs the TLS handshake over EAP_PEAP fragments
bool SendPeapRawPacket(EAP_CLIENT *e, UCHAR *peap_data, UINT peap_size); // Sends already-fragmented PEAP bytes
bool SendPeapPacket(EAP_CLIENT *e, void *msg, UINT msg_size); // Sends msg through the TLS tunnel
bool GetRecvPeapMessage(EAP_CLIENT *e, EAP_MESSAGE *msg); // Reads one inner EAP message from the tunnel into msg


////////// Classical implementation
// Options and results for the non-EAP RadiusLogin path.
// In_* fields are inputs from the caller, Out_* fields are filled by RadiusLogin.
struct RADIUS_LOGIN_OPTION
{
	bool In_CheckVLanId; // Evaluate Tunnel-Private-Group-ID in the Access-Accept
	bool In_DenyNoVlanId; // Reject the login if no VLAN ID was returned
	UINT Out_VLanId; // VLAN ID from the Access-Accept (0 if none)
	bool Out_IsRadiusLogin; // Set when the login was actually decided by RADIUS
	char NasId[RADIUS_MAX_NAS_ID_LEN + 1]; // NAS-Identifier
	char Out_VirtualMacAddress[6]; // NOTE(review): char here, UCHAR in EAP_CLIENT::LastRecvVirtualMacAddress — same bytes, differing signedness
	char In_VpnProtocolState[64];
};

// Function prototype
// Classical Access-Request with User-Password or MS-CHAPv2 attributes.
// secret/secret_size: shared secret (binary, not necessarily NUL-terminated);
// mschap_v2_server_response_20: 20-byte output buffer for the MS-CHAPv2
// Authenticator Response (per its name); interval: retransmission interval.
bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
				 RADIUS_LOGIN_OPTION *opt, char *hubname);
// Presumably RFC 2865 section 5.2 User-Password hiding (MD5 of secret + Request
// Authenticator XORed over 16-byte blocks). This is obfuscation keyed by the shared
// secret, not encryption; confidentiality of the password depends on protecting
// the transport (e.g. IPsec or RadSec) and on the secret's strength.
BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
BUF *RadiusCreateUserName(wchar_t *username); // User-Name attribute from a wide-char name (UTF-8 conversion presumably; see Radius.c)
BUF *RadiusCreateUserPassword(void *data, UINT size); // User-Password attribute from already-hidden data
BUF *RadiusCreateNasId(char *name); // NAS-Identifier attribute (value capped at RADIUS_MAX_NAS_ID_LEN)
void RadiusAddValue(BUF *b, UCHAR t, UINT v, UCHAR vt, void *data, UINT size); // Appends attribute t (vendor v / vendor-type vt when t is Vendor-Specific) to b
LIST *RadiusParseOptions(BUF *b); // Parses the attributes of a reply; caller frees the list. Must bound each attribute by the buffer size.

#endif // RADIUS_H