Subversion Repositories planix.SVN

/*

 * This code uses RADIUS as a portable way to validate tokens such as SecurID.

 * It is relatively simple to send a UDP packet and get a response, but various

 * things can go wrong.  Speaking the proprietary ACE protocol would allow

 * handling "next token code" and other error messages.  More importantly, the

 * timeout threshold is inherently hard to pick.  We observe responses taking

 * longer than 10 seconds in normal times.  That is a long time to wait before

 * retrying on a second server.  Moreover, if the UDP response is lost, retrying

 * on a second server will also fail because the valid token code may be

 * presented only once.  This whole approach is flawed, but best we can do.

 */

/* RFC2138 */

#include <u.h>

#include <libc.h>

#include <ip.h>

#include <ctype.h>

#include <mp.h>

#include <libsec.h>

#include <bio.h>

#include <ndb.h>

#define AUTHLOG "auth"

enum{

	R_AccessRequest	=1,	/* Packet code */

	R_AccessAccept	=2,

	R_AccessReject	=3,

	R_AccessChallenge=11,

	R_UserName	=1,

	R_UserPassword	=2,

	R_NASIPAddress	=4,

	R_ReplyMessage	=18,

	R_State		=24,

	R_NASIdentifier	=32,

};

typedef struct Secret{

	uchar	*s;

	int	len;

} Secret;

typedef struct Attribute{

	struct Attribute *next;

	uchar	type;

	uchar	len;		/* number of bytes in value */

	uchar	val[256];

} Attribute;

typedef struct Packet{

	uchar	code, ID;

	uchar	authenticator[16];

	Attribute first;

} Packet;

/* assumes pass is at most 16 chars */

void

hide(Secret *shared, uchar *auth, Secret *pass, uchar *x)

{

	DigestState *M;

	int i, n = pass->len;

	M = md5(shared->s, shared->len, nil, nil);

	md5(auth, 16, x, M);

	if(n > 16)

		n = 16;

	for(i = 0; i < n; i++)

		x[i] ^= pass->s[i];

}

int

authcmp(Secret *shared, uchar *buf, int m, uchar *auth)

{

	DigestState *M;

	uchar x[16];

	M = md5(buf, 4, nil, nil);	/* Code+ID+Length */

	M = md5(auth, 16, nil, M);	/* RequestAuth */

	M = md5(buf+20, m-20, nil, M);	/* Attributes */

	md5(shared->s, shared->len, x, M);

	return memcmp(x, buf+4, 16);

}

Packet*

newRequest(uchar *auth)

{

	static uchar ID = 0;

	Packet *p;

	p = (Packet*)malloc(sizeof(*p));

	if(p == nil)

		return nil;

	p->code = R_AccessRequest;

	p->ID = ++ID;

	memmove(p->authenticator, auth, 16);

	p->first.next = nil;

	p->first.type = 0;

	return p;

}

void

freePacket(Packet *p)

{

	Attribute *a, *x;

	if(!p)

		return;

	a = p->first.next;

	while(a){

		x = a;

		a = a->next;

		free(x);

	}

	free(p);

}

int

ding(void*, char *msg)

{

	syslog(0, AUTHLOG, "ding %s", msg);

	if(strstr(msg, "alarm"))

		return 1;

	return 0;

}

Packet *

rpc(char *dest, Secret *shared, Packet *req)

{

	uchar buf[4096], buf2[4096], *b, *e;

	Packet *resp;

	Attribute *a;

	int m, n, fd, try;

	/* marshal request */

	e = buf + sizeof buf;

	buf[0] = req->code;

	buf[1] = req->ID;

	memmove(buf+4, req->authenticator, 16);

	b = buf+20;

	for(a = &req->first; a; a = a->next){

		if(b + 2 + a->len > e)

			return nil;

		*b++ = a->type;

		*b++ = 2 + a->len;

		memmove(b, a->val, a->len);

		b += a->len;

	}

	n = b-buf;

	buf[2] = n>>8;

	buf[3] = n;

	/* send request, wait for reply */

	fd = dial(dest, 0, 0, 0);

	if(fd < 0){

		syslog(0, AUTHLOG, "%s: rpc can't get udp channel", dest);

		return nil;

	}

	atnotify(ding, 1);

	m = -1;

	for(try = 0; try < 2; try++){

		/*

		 * increased timeout from 4sec to 15sec because

		 * corporate server really takes that long.

		 */

		alarm(15000);

		m = write(fd, buf, n);

		if(m != n){

			syslog(0, AUTHLOG, "%s: rpc write err %d %d: %r",

				dest, m, n);

			m = -1;

			break;

		}

		m = read(fd, buf2, sizeof buf2);

		alarm(0);

		if(m < 0){

			syslog(0, AUTHLOG, "%s rpc read err %d: %r", dest, m);

			break;			/* failure */

		}

		if(m == 0 || buf2[1] != buf[1]){	/* need matching ID */

			syslog(0, AUTHLOG, "%s unmatched reply %d", dest, m);

			continue;

		}

		if(authcmp(shared, buf2, m, buf+4) == 0)

			break;

		syslog(0, AUTHLOG, "%s bad rpc chksum", dest);

	}

	close(fd);

	if(m <= 0)

		return nil;

	/* unmarshal reply */

	b = buf2;

	e = buf2+m;

	resp = (Packet*)malloc(sizeof(*resp));

	if(resp == nil)

		return nil;

	resp->code = *b++;

	resp->ID = *b++;

	n = *b++;

	n = (n<<8) | *b++;

	if(m != n){

		syslog(0, AUTHLOG, "rpc got %d bytes, length said %d", m, n);

		if(m > n)

			e = buf2+n;

	}

	memmove(resp->authenticator, b, 16);

	b += 16;

	a = &resp->first;

	a->type = 0;

	for(;;){

		if(b >= e){

			a->next = nil;

			break;		/* exit loop */

		}

		a->type = *b++;

		a->len = (*b++) - 2;

		if(b + a->len > e){	/* corrupt packet */

			a->next = nil;

			freePacket(resp);

			return nil;

		}

		memmove(a->val, b, a->len);

		b += a->len;

		if(b < e){		/* any more attributes? */

			a->next = (Attribute*)malloc(sizeof(*a));

			if(a->next == nil){

				free(req);

				return nil;

			}

			a = a->next;

		}

	}

	return resp;

}

int

setAttribute(Packet *p, uchar type, uchar *s, int n)

{

	Attribute *a;

	a = &p->first;

	if(a->type != 0){

		a = (Attribute*)malloc(sizeof(*a));

		if(a == nil)

			return -1;

		a->next = p->first.next;

		p->first.next = a;

	}

	a->type = type;

	a->len = n;

	if(a->len > 253)	/* RFC2138, section 5 */

		a->len = 253;

	memmove(a->val, s, a->len);

	return 0;

}

/* return a reply message attribute string */

char*

replymsg(Packet *p)

{

	Attribute *a;

	static char buf[255];

	for(a = &p->first; a; a = a->next)

		if(a->type == R_ReplyMessage){

			if(a->len >= sizeof buf)

				a->len = sizeof(buf)-1;

			memmove(buf, a->val, a->len);

			buf[a->len] = 0;

		}

	return buf;

}

/* for convenience while debugging */

char *replymess;

Attribute *stateattr;

void

logPacket(Packet *p)

{

	int i;

	char *np, *e;

	char buf[255], pbuf[4*1024];

	uchar *au = p->authenticator;

	Attribute *a;

	e = pbuf + sizeof(pbuf);

	np = seprint(pbuf, e, "Packet ID=%d auth=%x %x %x... ",

		p->ID, au[0], au[1], au[2]);

	switch(p->code){

	case R_AccessRequest:

		np = seprint(np, e, "request\n");

		break;

	case R_AccessAccept:

		np = seprint(np, e, "accept\n");

		break;

	case R_AccessReject:

		np = seprint(np, e, "reject\n");

		break;

	case R_AccessChallenge:

		np = seprint(np, e, "challenge\n");

		break;

	default:

		np = seprint(np, e, "code=%d\n", p->code);

		break;

	}

	replymess = "0000000";

	for(a = &p->first; a; a = a->next){

		if(a->len > 253 )

			a->len = 253;

		memmove(buf, a->val, a->len);

		np = seprint(np, e, " [%d]", a->type);

		for(i = 0; i < a->len; i++)

			if(isprint(a->val[i]))

				np = seprint(np, e, "%c", a->val[i]);

			else

				np = seprint(np, e, "\\%o", a->val[i]);

		np = seprint(np, e, "\n");

		buf[a->len] = 0;

		if(a->type == R_ReplyMessage)

			replymess = strdup(buf);

		else if(a->type == R_State)

			stateattr = a;

	}

	syslog(0, AUTHLOG, "%s", pbuf);

}

static uchar*

getipv4addr(void)

{

	Ipifc *nifc;

	Iplifc *lifc;

	static Ipifc *ifc;

	ifc = readipifc("/net", ifc, -1);

	for(nifc = ifc; nifc; nifc = nifc->next)

		for(lifc = nifc->lifc; lifc; lifc = lifc->next)

			if (ipcmp(lifc->ip, IPnoaddr) != 0 &&

			    ipcmp(lifc->ip, v4prefix) != 0)

				return lifc->ip;

	return nil;

}

extern Ndb *db;

/* returns 0 on success, error message on failure */

char*

secureidcheck(char *user, char *response)

{

	char *radiussecret = nil;

	char *rv = "authentication failed";

	char dest[3*IPaddrlen+20], ruser[64];

	uchar *ip;

	uchar x[16];

	ulong u[4];

	Ndbs s;

	Ndbtuple *t = nil, *nt, *tt;

	Packet *req = nil, *resp = nil;

	Secret shared, pass;

	static Ndb *netdb;

	if(netdb == nil)

		netdb = ndbopen(0);

	/* bad responses make them disable the fob, avoid silly checks */

	if(strlen(response) < 4 || strpbrk(response,"abcdefABCDEF") != nil)

		goto out;

	/* get radius secret */

	radiussecret = ndbgetvalue(db, &s, "radius", "lra-radius", "secret", &t);

	if(radiussecret == nil){

		syslog(0, AUTHLOG, "secureidcheck: nil radius secret: %r");

		goto out;

	}

	/* translate user name if we have to */

	strcpy(ruser, user);

	for(nt = t; nt; nt = nt->entry)

		if(strcmp(nt->attr, "uid") == 0 && strcmp(nt->val, user) == 0)

			for(tt = nt->line; tt != nt; tt = tt->line)

				if(strcmp(tt->attr, "rid") == 0){

					strcpy(ruser, tt->val);

					break;

				}

	ndbfree(t);

	t = nil;

	u[0] = fastrand();

	u[1] = fastrand();

	u[2] = fastrand();

	u[3] = fastrand();

	req = newRequest((uchar*)u);

	if(req == nil)

		goto out;

	shared.s = (uchar*)radiussecret;

	shared.len = strlen(radiussecret);

	ip = getipv4addr();

	if(ip == nil){

		syslog(0, AUTHLOG, "no interfaces: %r\n");

		goto out;

	}

	if(setAttribute(req, R_NASIPAddress, ip + IPv4off, 4) < 0)

		goto out;

	if(setAttribute(req, R_UserName, (uchar*)ruser, strlen(ruser)) < 0)

		goto out;

	pass.s = (uchar*)response;

	pass.len = strlen(response);

	hide(&shared, req->authenticator, &pass, x);

	if(setAttribute(req, R_UserPassword, x, 16) < 0)

		goto out;

	t = ndbsearch(netdb, &s, "sys", "lra-radius");

	if(t == nil){

		syslog(0, AUTHLOG, "secureidcheck: nil radius sys search: %r\n");

		goto out;

	}

	for(nt = t; nt; nt = nt->entry){

		if(strcmp(nt->attr, "ip") != 0)

			continue;

		snprint(dest, sizeof dest, "udp!%s!radius", nt->val);

		resp = rpc(dest, &shared, req);

		if(resp == nil){

			syslog(0, AUTHLOG, "%s nil response", dest);

			continue;

		}

		if(resp->ID != req->ID){

			syslog(0, AUTHLOG, "%s mismatched ID  req=%d resp=%d",

				dest, req->ID, resp->ID);

			freePacket(resp);

			resp = nil;

			continue;

		}

		switch(resp->code){

		case R_AccessAccept:

			syslog(0, AUTHLOG, "%s accepted ruser=%s", dest, ruser);

			rv = nil;

			break;

		case R_AccessReject:

			syslog(0, AUTHLOG, "%s rejected ruser=%s %s",

				dest, ruser, replymsg(resp));

			rv = "secureid failed";

			break;

		case R_AccessChallenge:

			syslog(0, AUTHLOG, "%s challenge ruser=%s %s",

				dest, ruser, replymsg(resp));

			rv = "secureid out of sync";

			break;

		default:

			syslog(0, AUTHLOG, "%s code=%d ruser=%s %s",

				dest, resp->code, ruser, replymsg(resp));

			break;

		}

		break;	/* we have a proper reply, no need to ask again */

	}

out:

	if (t)

		ndbfree(t);

	free(radiussecret);

	freePacket(req);

	freePacket(resp);

	return rv;

}