1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <netinet/in.h> 27 #include <sys/kmem.h> 28 #include <sys/random.h> 29 #include <sys/socket.h> 30 31 #include "chap.h" 32 #include <sys/scsi/adapters/iscsi_if.h> 33 #include "iscsi.h" 34 #include <sys/md5.h> 35 #include "radius_packet.h" 36 #include "radius_protocol.h" 37 #include "radius_auth.h" 38 39 #include <sys/sunddi.h> 40 41 /* Forward declaration */ 42 /* 43 * Annotate the radius_attr_t objects with authentication data. 44 */ 45 static 46 void 47 set_radius_attrs(radius_packet_data_t *req, 48 char *target_chap_name, 49 unsigned char *target_response, 50 uint8_t *challenge); 51 52 /* 53 * See radius_auth.h. 54 */ 55 /* ARGSUSED */ 56 chap_validation_status_type 57 radius_chap_validate(char *target_chap_name, 58 char *initiator_chap_name, 59 uint8_t *challenge, 60 uint8_t *target_response, 61 uint8_t identifier, 62 iscsi_ipaddr_t rad_svr_ip_addr, 63 uint32_t rad_svr_port, 64 uint8_t *rad_svr_shared_secret, 65 uint32_t rad_svr_shared_secret_len) 66 { 67 chap_validation_status_type validation_status; 68 char lbolt[64]; 69 int rcv_status; 70 void *socket; 71 radius_packet_data_t req; 72 radius_packet_data_t resp; 73 MD5_CTX context; 74 uint8_t md5_digest[16]; /* MD5 digest length 16 */ 75 uint8_t random_number[16]; 76 77 if (rad_svr_shared_secret_len == 0) { 78 /* The secret must not be empty (section 3, RFC 2865) */ 79 cmn_err(CE_WARN, "empty RADIUS shared secret"); 80 return (CHAP_VALIDATION_BAD_RADIUS_SECRET); 81 } 82 83 bzero(&req, sizeof (radius_packet_data_t)); 84 85 req.identifier = identifier; 86 req.code = RAD_ACCESS_REQ; 87 set_radius_attrs(&req, 88 target_chap_name, 89 target_response, 90 challenge); 91 92 /* Prepare the request authenticator */ 93 MD5Init(&context); 94 bzero(&md5_digest, 16); 95 /* First, the shared secret */ 96 MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len); 97 /* Then a unique number - use lbolt plus a random number */ 98 bzero(&lbolt, sizeof (lbolt)); 99 (void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt()); 100 MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt)); 101 bzero(&random_number, sizeof (random_number)); 102 (void) random_get_pseudo_bytes(random_number, 103 sizeof (random_number)); 104 MD5Update(&context, random_number, sizeof (random_number)); 105 MD5Final(md5_digest, &context); 106 bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN); 107 108 socket = iscsi_net->socket(AF_INET, SOCK_DGRAM, 0); 109 if (socket == NULL) { 110 /* Error obtaining socket for RADIUS use */ 111 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 112 } 113 114 /* Send the authentication access request to the RADIUS server */ 115 if (snd_radius_request(socket, 116 rad_svr_ip_addr, 117 rad_svr_port, 118 &req) == -1) { 119 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR); 120 } 121 122 bzero(&resp, sizeof (radius_packet_data_t)); 123 /* Analyze the response coming through from the same socket. */ 124 rcv_status = rcv_radius_response(socket, 125 rad_svr_shared_secret, 126 rad_svr_shared_secret_len, 127 req.authenticator, &resp); 128 if (rcv_status == RAD_RSP_RCVD_SUCCESS) { 129 if (resp.code == RAD_ACCESS_ACPT) { 130 validation_status = CHAP_VALIDATION_PASSED; 131 } else if (resp.code == RAD_ACCESS_REJ) { 132 validation_status = CHAP_VALIDATION_INVALID_RESPONSE; 133 } else { 134 validation_status = 135 CHAP_VALIDATION_UNKNOWN_RADIUS_CODE; 136 } 137 } else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) { 138 cmn_err(CE_WARN, "RADIUS packet authentication failed"); 139 validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET; 140 } else { 141 validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR; 142 } 143 144 iscsi_net->close(socket); 145 return (validation_status); 146 } 147 148 /* See forward declaration. */ 149 static void 150 set_radius_attrs(radius_packet_data_t *req, 151 char *target_chap_name, 152 unsigned char *target_response, 153 uint8_t *challenge) 154 { 155 req->attrs[0].attr_type_code = RAD_USER_NAME; 156 (void) strncpy((char *)req->attrs[0].attr_value, 157 (const char *)target_chap_name, 158 strlen(target_chap_name)); 159 req->attrs[0].attr_value_len = strlen(target_chap_name); 160 161 req->attrs[1].attr_type_code = RAD_CHAP_PASSWORD; 162 (void) strncpy((char *)req->attrs[1].attr_value, 163 (const char *)target_response, 164 strlen((const char *)target_response)); 165 /* A target response is an MD5 hash thus its length has to be 16. */ 166 req->attrs[1].attr_value_len = 16; 167 168 req->attrs[2].attr_type_code = RAD_CHAP_CHALLENGE; 169 (void) strncpy((char *)req->attrs[2].attr_value, 170 (const char *)challenge, 171 strlen((const char *)challenge)); 172 req->attrs[2].attr_value_len = strlen((const char *)challenge); 173 174 /* 3 attributes associated with each RADIUS packet. */ 175 req->num_of_attrs = 3; 176 } 177