1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/random.h> 26 #include <sys/ddi.h> 27 #include <sys/md5.h> 28 29 #include <sys/iscsit/iscsi_if.h> 30 #include <sys/idm/idm.h> 31 #include <sys/idm/idm_so.h> 32 #include <sys/iscsit/radius_packet.h> 33 #include <sys/iscsit/radius_protocol.h> 34 35 #include "radius_auth.h" 36 37 /* Forward declaration */ 38 /* 39 * Annotate the radius_attr_t objects with authentication data. 40 */ 41 static 42 void 43 set_radius_attrs(radius_packet_data_t *req, 44 char *target_chap_name, 45 unsigned char *target_response, 46 uint32_t response_length, 47 uint8_t *challenge, 48 uint32_t challenge_length); 49 50 /* 51 * See radius_auth.h. 52 */ 53 /* ARGSUSED */ 54 chap_validation_status_type 55 iscsit_radius_chap_validate(char *target_chap_name, 56 char *initiator_chap_name, 57 uint8_t *challenge, 58 uint32_t challenge_length, 59 uint8_t *target_response, 60 uint32_t response_length, 61 uint8_t identifier, 62 iscsi_ipaddr_t rad_svr_ip_addr, 63 uint32_t rad_svr_port, 64 uint8_t *rad_svr_shared_secret, 65 uint32_t rad_svr_shared_secret_len) 66 { 67 chap_validation_status_type validation_status; 68 char lbolt[64]; 69 int rcv_status; 70 void *socket; 71 radius_packet_data_t req; 72 radius_packet_data_t resp; 73 MD5_CTX context; 74 uint8_t md5_digest[16]; /* MD5 digest length 16 */ 75 uint8_t random_number[16]; 76 77 if (rad_svr_shared_secret_len == 0) { 78 /* The secret must not be empty (section 3, RFC 2865) */ 79 cmn_err(CE_WARN, "empty RADIUS shared secret"); 80 return (CHAP_VALIDATION_BAD_RADIUS_SECRET); 81 } 82 83 bzero(&req, sizeof (radius_packet_data_t)); 84 85 req.identifier = identifier; 86 req.code = RAD_ACCESS_REQ; 87 set_radius_attrs(&req, 88 target_chap_name, 89 target_response, 90 response_length, 91 challenge, 92 challenge_length); 93 94 /* Prepare the request authenticator */ 95 MD5Init(&context); 96 bzero(&md5_digest, 16); 97 /* First, the shared secret */ 98 MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len); 99 /* Then a unique number - use lbolt plus a random number */ 100 bzero(&lbolt, sizeof (lbolt)); 101 (void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt()); 102 MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt)); 103 bzero(&random_number, sizeof (random_number)); 104 (void) random_get_pseudo_bytes(random_number, sizeof (random_number)); 105 MD5Update(&context, random_number, sizeof (random_number)); 106 MD5Final(md5_digest, &context); 107 bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN); 108 109 socket = idm_socreate(PF_INET, SOCK_DGRAM, 0); 110 if (socket == NULL) { 111 /* Error obtaining socket for RADIUS use */ 112 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 113 } 114 115 /* Send the authentication access request to the RADIUS server */ 116 if (iscsit_snd_radius_request(socket, 117 rad_svr_ip_addr, 118 rad_svr_port, 119 &req) != 0) { 120 idm_soshutdown(socket); 121 idm_sodestroy(socket); 122 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 123 } 124 125 bzero(&resp, sizeof (radius_packet_data_t)); 126 /* Analyze the response coming through from the same socket. */ 127 rcv_status = iscsit_rcv_radius_response(socket, 128 rad_svr_shared_secret, 129 rad_svr_shared_secret_len, 130 req.authenticator, &resp); 131 if (rcv_status == RAD_RSP_RCVD_SUCCESS) { 132 if (resp.code == RAD_ACCESS_ACPT) { 133 validation_status = CHAP_VALIDATION_PASSED; 134 } else if (resp.code == RAD_ACCESS_REJ) { 135 validation_status = CHAP_VALIDATION_INVALID_RESPONSE; 136 } else { 137 validation_status = 138 CHAP_VALIDATION_UNKNOWN_RADIUS_CODE; 139 } 140 } else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) { 141 validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET; 142 } else { 143 validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR; 144 } 145 146 /* Done! Close the socket. */ 147 idm_soshutdown(socket); 148 idm_sodestroy(socket); 149 150 return (validation_status); 151 } 152 153 /* See forward declaration. */ 154 static void 155 set_radius_attrs(radius_packet_data_t *req, 156 char *target_chap_name, 157 unsigned char *target_response, 158 uint32_t response_length, 159 uint8_t *challenge, 160 uint32_t challenge_length) 161 { 162 req->attrs[0].attr_type_code = RAD_USER_NAME; 163 (void) strncpy((char *)req->attrs[0].attr_value, 164 (const char *)target_chap_name, 165 strlen(target_chap_name)); 166 req->attrs[0].attr_value_len = strlen(target_chap_name); 167 168 req->attrs[1].attr_type_code = RAD_CHAP_PASSWORD; 169 bcopy(target_response, 170 (char *)req->attrs[1].attr_value, 171 min(response_length, sizeof (req->attrs[1].attr_value))); 172 /* A target response is an MD5 hash thus its length has to be 16. */ 173 req->attrs[1].attr_value_len = 16; 174 175 req->attrs[2].attr_type_code = RAD_CHAP_CHALLENGE; 176 bcopy(challenge, 177 (char *)req->attrs[2].attr_value, 178 min(challenge_length, sizeof (req->attrs[2].attr_value))); 179 req->attrs[2].attr_value_len = challenge_length; 180 181 /* 3 attributes associated with each RADIUS packet. */ 182 req->num_of_attrs = 3; 183 } 184