kernel/comstar/port/iscsit/iscsit_radiusauth.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24
  25 #include <sys/random.h>
  26 #include <sys/ddi.h>
  27 #include <sys/md5.h>
  28
  29 #include <sys/iscsit/iscsi_if.h>
  30 #include <sys/idm/idm.h>
  31 #include <sys/idm/idm_so.h>
  32 #include <sys/iscsit/radius_packet.h>
  33 #include <sys/iscsit/radius_protocol.h>
  34
  35 #include "radius_auth.h"
  36
  37 /* Forward declaration */
  38 /*
  39  * Annotate the radius_attr_t objects with authentication data.
  40  */
  41 static
  42 void
  43 set_radius_attrs(radius_packet_data_t *req,
  44         char *target_chap_name,
  45         unsigned char *target_response,
  46         uint32_t response_length,
  47         uint8_t *challenge,
  48         uint32_t challenge_length);
  49
  50 /*
  51  * See radius_auth.h.
  52  */
  53 /* ARGSUSED */
  54 chap_validation_status_type
  55 iscsit_radius_chap_validate(char *target_chap_name,
  56         char *initiator_chap_name,
  57         uint8_t *challenge,
  58         uint32_t challenge_length,
  59         uint8_t *target_response,
  60         uint32_t response_length,
  61         uint8_t identifier,
  62         iscsi_ipaddr_t rad_svr_ip_addr,
  63         uint32_t rad_svr_port,
  64         uint8_t *rad_svr_shared_secret,
  65         uint32_t rad_svr_shared_secret_len)
  66 {
  67         chap_validation_status_type validation_status;
  68         char lbolt[64];
  69         int rcv_status;
  70         void *socket;
  71         radius_packet_data_t req;
  72         radius_packet_data_t resp;
  73         MD5_CTX context;
  74         uint8_t md5_digest[16];         /* MD5 digest length 16 */
  75         uint8_t random_number[16];
  76
  77         if (rad_svr_shared_secret_len == 0) {
  78                 /* The secret must not be empty (section 3, RFC 2865) */
  79                 cmn_err(CE_WARN, "empty RADIUS shared secret");
  80                 return (CHAP_VALIDATION_BAD_RADIUS_SECRET);
  81         }
  82
  83         bzero(&req, sizeof (radius_packet_data_t));
  84
  85         req.identifier = identifier;
  86         req.code = RAD_ACCESS_REQ;
  87         set_radius_attrs(&req,
  88             target_chap_name,
  89             target_response,
  90             response_length,
  91             challenge,
  92             challenge_length);
  93
  94         /* Prepare the request authenticator */
  95         MD5Init(&context);
  96         bzero(&md5_digest, 16);
  97         /* First, the shared secret */
  98         MD5Update(&context, rad_svr_shared_secret, rad_svr_shared_secret_len);
  99         /* Then a unique number - use lbolt plus a random number */
 100         bzero(&lbolt, sizeof (lbolt));
 101         (void) snprintf(lbolt, sizeof (lbolt), "%lx", ddi_get_lbolt());
 102         MD5Update(&context, (uint8_t *)lbolt, strlen(lbolt));
 103         bzero(&random_number, sizeof (random_number));
 104         (void) random_get_pseudo_bytes(random_number, sizeof (random_number));
 105         MD5Update(&context, random_number, sizeof (random_number));
 106         MD5Final(md5_digest, &context);
 107         bcopy(md5_digest, &req.authenticator, RAD_AUTHENTICATOR_LEN);
 108
 109         socket = idm_socreate(PF_INET, SOCK_DGRAM, 0);
 110         if (socket == NULL) {
 111                 /* Error obtaining socket for RADIUS use */
 112                 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
 113         }
 114
 115         /* Send the authentication access request to the RADIUS server */
 116         if (iscsit_snd_radius_request(socket,
 117             rad_svr_ip_addr,
 118             rad_svr_port,
 119             &req) != 0) {
 120                 idm_soshutdown(socket);
 121                 idm_sodestroy(socket);
 122                 return (CHAP_VALIDATION_RADIUS_ACCESS_ERROR);
 123         }
 124
 125         bzero(&resp, sizeof (radius_packet_data_t));
 126         /*  Analyze the response coming through from the same socket. */
 127         rcv_status = iscsit_rcv_radius_response(socket,
 128             rad_svr_shared_secret,
 129             rad_svr_shared_secret_len,
 130             req.authenticator, &resp);
 131         if (rcv_status == RAD_RSP_RCVD_SUCCESS) {
 132                 if (resp.code == RAD_ACCESS_ACPT) {
 133                         validation_status = CHAP_VALIDATION_PASSED;
 134                 } else if (resp.code == RAD_ACCESS_REJ) {
 135                         validation_status = CHAP_VALIDATION_INVALID_RESPONSE;
 136                 } else {
 137                         validation_status =
 138                             CHAP_VALIDATION_UNKNOWN_RADIUS_CODE;
 139                 }
 140         } else if (rcv_status == RAD_RSP_RCVD_AUTH_FAILED) {
 141                 validation_status = CHAP_VALIDATION_BAD_RADIUS_SECRET;
 142         } else {
 143                 validation_status = CHAP_VALIDATION_RADIUS_ACCESS_ERROR;
 144         }
 145
 146         /* Done! Close the socket. */
 147         idm_soshutdown(socket);
 148         idm_sodestroy(socket);
 149
 150         return (validation_status);
 151 }
 152
 153 /* See forward declaration. */
 154 static void
 155 set_radius_attrs(radius_packet_data_t *req,
 156         char *target_chap_name,
 157         unsigned char *target_response,
 158         uint32_t response_length,
 159         uint8_t *challenge,
 160         uint32_t challenge_length)
 161 {
 162         req->attrs[0].attr_type_code = RAD_USER_NAME;
 163         (void) strncpy((char *)req->attrs[0].attr_value,
 164             (const char *)target_chap_name,
 165             strlen(target_chap_name));
 166         req->attrs[0].attr_value_len = strlen(target_chap_name);
 167
 168         req->attrs[1].attr_type_code = RAD_CHAP_PASSWORD;
 169         bcopy(target_response,
 170             (char *)req->attrs[1].attr_value,
 171             min(response_length, sizeof (req->attrs[1].attr_value)));
 172         /* A target response is an MD5 hash thus its length has to be 16. */
 173         req->attrs[1].attr_value_len = 16;
 174
 175         req->attrs[2].attr_type_code = RAD_CHAP_CHALLENGE;
 176         bcopy(challenge,
 177             (char *)req->attrs[2].attr_value,
 178             min(challenge_length, sizeof (req->attrs[2].attr_value)));
 179         req->attrs[2].attr_value_len = challenge_length;
 180
 181         /* 3 attributes associated with each RADIUS packet. */
 182         req->num_of_attrs = 3;
 183 }