src/libradius/radius_message.h

   1 /*
   2  * Copyright (C) 2009 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 /**
  17  * @defgroup libradius libradius
  18  *
  19  * @addtogroup libradius
  20  * RADIUS protocol support library.
  21  *
  22  * @defgroup radius_message radius_message
  23  * @{ @ingroup libradius
  24  */
  25
  26 #ifndef RADIUS_MESSAGE_H_
  27 #define RADIUS_MESSAGE_H_
  28
  29 #include <library.h>
  30
  31 #define MAX_RADIUS_ATTRIBUTE_SIZE       253
  32
  33 typedef struct radius_message_t radius_message_t;
  34 typedef enum radius_message_code_t radius_message_code_t;
  35 typedef enum radius_attribute_type_t radius_attribute_type_t;
  36
  37 /**
  38  * RADIUS Message Codes.
  39  */
  40 enum radius_message_code_t {
  41         RMC_ACCESS_REQUEST = 1,
  42         RMC_ACCESS_ACCEPT = 2,
  43         RMC_ACCESS_REJECT = 3,
  44         RMC_ACCOUNTING_REQUEST = 4,
  45         RMC_ACCOUNTING_RESPONSE = 5,
  46         RMC_ACCESS_CHALLENGE = 11,
  47         RMC_DISCONNECT_REQUEST = 40,
  48         RMC_DISCONNECT_ACK = 41,
  49         RMC_DISCONNECT_NAK = 42,
  50         RMC_COA_REQUEST = 43,
  51         RMC_COA_ACK = 44,
  52         RMC_COA_NAK = 45,
  53 };
  54
  55 /**
  56  * Enum names for radius_attribute_type_t.
  57  */
  58 extern enum_name_t *radius_message_code_names;
  59
  60 /**
  61  * RADIUS Attribute Types.
  62  */
  63 enum radius_attribute_type_t {
  64         RAT_USER_NAME = 1,
  65         RAT_USER_PASSWORD = 2,
  66         RAT_CHAP_PASSWORD = 3,
  67         RAT_NAS_IP_ADDRESS = 4,
  68         RAT_NAS_PORT = 5,
  69         RAT_SERVICE_TYPE = 6,
  70         RAT_FRAMED_PROTOCOL = 7,
  71         RAT_FRAMED_IP_ADDRESS = 8,
  72         RAT_FRAMED_IP_NETMASK = 9,
  73         RAT_FRAMED_ROUTING = 10,
  74         RAT_FILTER_ID = 11,
  75         RAT_FRAMED_MTU = 12,
  76         RAT_FRAMED_COMPRESSION = 13,
  77         RAT_LOGIN_IP_HOST = 14,
  78         RAT_LOGIN_SERVICE = 15,
  79         RAT_LOGIN_TCP_PORT = 16,
  80         RAT_REPLY_MESSAGE = 18,
  81         RAT_CALLBACK_NUMBER = 19,
  82         RAT_CALLBACK_ID = 20,
  83         RAT_FRAMED_ROUTE = 22,
  84         RAT_FRAMED_IPX_NETWORK = 23,
  85         RAT_STATE = 24,
  86         RAT_CLASS = 25,
  87         RAT_VENDOR_SPECIFIC = 26,
  88         RAT_SESSION_TIMEOUT = 27,
  89         RAT_IDLE_TIMEOUT = 28,
  90         RAT_TERMINATION_ACTION = 29,
  91         RAT_CALLED_STATION_ID = 30,
  92         RAT_CALLING_STATION_ID = 31,
  93         RAT_NAS_IDENTIFIER = 32,
  94         RAT_PROXY_STATE = 33,
  95         RAT_LOGIN_LAT_SERVICE = 34,
  96         RAT_LOGIN_LAT_NODE = 35,
  97         RAT_LOGIN_LAT_GROUP = 36,
  98         RAT_FRAMED_APPLETALK_LINK = 37,
  99         RAT_FRAMED_APPLETALK_NETWORK = 38,
 100         RAT_FRAMED_APPLETALK_ZONE = 39,
 101         RAT_ACCT_STATUS_TYPE = 40,
 102         RAT_ACCT_DELAY_TIME = 41,
 103         RAT_ACCT_INPUT_OCTETS = 42,
 104         RAT_ACCT_OUTPUT_OCTETS = 43,
 105         RAT_ACCT_SESSION_ID = 44,
 106         RAT_ACCT_AUTHENTIC = 45,
 107         RAT_ACCT_SESSION_TIME = 46,
 108         RAT_ACCT_INPUT_PACKETS = 47,
 109         RAT_ACCT_OUTPUT_PACKETS = 48,
 110         RAT_ACCT_TERMINATE_CAUSE = 49,
 111         RAT_ACCT_MULTI_SESSION_ID = 50,
 112         RAT_ACCT_LINK_COUNT = 51,
 113         RAT_ACCT_INPUT_GIGAWORDS = 52,
 114         RAT_ACCT_OUTPUT_GIGAWORDS = 53,
 115         RAT_EVENT_TIMESTAMP = 55,
 116         RAT_EGRESS_VLANID = 56,
 117         RAT_INGRESS_FILTERS = 57,
 118         RAT_EGRESS_VLAN_NAME = 58,
 119         RAT_USER_PRIORITY_TABLE = 59,
 120         RAT_CHAP_CHALLENGE = 60,
 121         RAT_NAS_PORT_TYPE = 61,
 122         RAT_PORT_LIMIT = 62,
 123         RAT_LOGIN_LAT_PORT = 63,
 124         RAT_TUNNEL_TYPE = 64,
 125         RAT_TUNNEL_MEDIUM_TYPE = 65,
 126         RAT_TUNNEL_CLIENT_ENDPOINT = 66,
 127         RAT_TUNNEL_SERVER_ENDPOINT = 67,
 128         RAT_ACCT_TUNNEL_CONNECTION = 68,
 129         RAT_TUNNEL_PASSWORD = 69,
 130         RAT_ARAP_PASSWORD = 70,
 131         RAT_ARAP_FEATURES = 71,
 132         RAT_ARAP_ZONE_ACCESS = 72,
 133         RAT_ARAP_SECURITY = 73,
 134         RAT_ARAP_SECURITY_DATA = 74,
 135         RAT_PASSWORD_RETRY = 75,
 136         RAT_PROMPT = 76,
 137         RAT_CONNECT_INFO = 77,
 138         RAT_CONFIGURATION_TOKEN = 78,
 139         RAT_EAP_MESSAGE = 79,
 140         RAT_MESSAGE_AUTHENTICATOR = 80,
 141         RAT_TUNNEL_PRIVATE_GROUP_ID = 81,
 142         RAT_TUNNEL_ASSIGNMENT_ID = 82,
 143         RAT_TUNNEL_PREFERENCE = 83,
 144         RAT_ARAP_CHALLENGE_RESPONSE = 84,
 145         RAT_ACCT_INTERIM_INTERVAL = 85,
 146         RAT_ACCT_TUNNEL_PACKETS_LOST = 86,
 147         RAT_NAS_PORT_ID = 87,
 148         RAT_FRAMED_POOL = 88,
 149         RAT_CUI = 89,
 150         RAT_TUNNEL_CLIENT_AUTH_ID = 90,
 151         RAT_TUNNEL_SERVER_AUTH_ID = 91,
 152         RAT_NAS_FILTER_RULE = 92,
 153         RAT_UNASSIGNED = 93,
 154         RAT_ORIGINATING_LINE_INFO = 94,
 155         RAT_NAS_IPV6_ADDRESS = 95,
 156         RAT_FRAMED_INTERFACE_ID = 96,
 157         RAT_FRAMED_IPV6_PREFIX = 97,
 158         RAT_LOGIN_IPV6_HOST = 98,
 159         RAT_FRAMED_IPV6_ROUTE = 99,
 160         RAT_FRAMED_IPV6_POOL = 100,
 161         RAT_ERROR_CAUSE = 101,
 162         RAT_EAP_KEY_NAME = 102,
 163         RAT_DIGEST_RESPONSE = 103,
 164         RAT_DIGEST_REALM = 104,
 165         RAT_DIGEST_NONCE = 105,
 166         RAT_DIGEST_RESPONSE_AUTH = 106,
 167         RAT_DIGEST_NEXTNONCE = 107,
 168         RAT_DIGEST_METHOD = 108,
 169         RAT_DIGEST_URI = 109,
 170         RAT_DIGEST_QOP = 110,
 171         RAT_DIGEST_ALGORITHM = 111,
 172         RAT_DIGEST_ENTITY_BODY_HASH = 112,
 173         RAT_DIGEST_CNONCE = 113,
 174         RAT_DIGEST_NONCE_COUNT = 114,
 175         RAT_DIGEST_USERNAME = 115,
 176         RAT_DIGEST_OPAQUE = 116,
 177         RAT_DIGEST_AUTH_PARAM = 117,
 178         RAT_DIGEST_AKA_AUTS = 118,
 179         RAT_DIGEST_DOMAIN = 119,
 180         RAT_DIGEST_STALE = 120,
 181         RAT_DIGEST_HA1 = 121,
 182         RAT_SIP_AOR = 122,
 183         RAT_DELEGATED_IPV6_PREFIX = 123,
 184         RAT_MIP6_FEATURE_VECTOR = 124,
 185         RAT_MIP6_HOME_LINK_PREFIX = 125,
 186 };
 187
 188 /**
 189  * Enum names for radius_attribute_type_t.
 190  */
 191 extern enum_name_t *radius_attribute_type_names;
 192
 193 /**
 194  * A RADIUS message, contains attributes.
 195  */
 196 struct radius_message_t {
 197
 198         /**
 199          * Create an enumerator over contained RADIUS attributes.
 200          *
 201          * @return                              enumerator over (int type, chunk_t data)
 202          */
 203         enumerator_t* (*create_enumerator)(radius_message_t *this);
 204
 205         /**
 206          * Add a RADIUS attribute to the message.
 207          *
 208          * @param type                  type of attribute to add
 209          * @param                               attribute data, gets cloned
 210          */
 211         void (*add)(radius_message_t *this, radius_attribute_type_t type,
 212                                 chunk_t data);
 213
 214         /**
 215          * Get the message type (code).
 216          *
 217          * @return                              message code
 218          */
 219         radius_message_code_t (*get_code)(radius_message_t *this);
 220
 221         /**
 222          * Get the message identifier.
 223          *
 224          * @return                              message identifier
 225          */
 226         u_int8_t (*get_identifier)(radius_message_t *this);
 227
 228         /**
 229          * Set the message identifier.
 230          *
 231          * @param identifier    message identifier
 232          */
 233         void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
 234
 235         /**
 236          * Get the 16 byte authenticator.
 237          *
 238          * @return                              pointer to the Authenticator field
 239          */
 240         u_int8_t* (*get_authenticator)(radius_message_t *this);
 241
 242         /**
 243          * Get the RADIUS message in its encoded form.
 244          *
 245          * @return                              chunk pointing to internal RADIUS message.
 246          */
 247         chunk_t (*get_encoding)(radius_message_t *this);
 248
 249         /**
 250          * Calculate and add the Message-Authenticator attribute to the message.
 251          *
 252          * @param req_auth              16 byte Authenticator of request, or NULL
 253          * @param secret                shared RADIUS secret
 254          * @param signer                HMAC-MD5 signer with secret set
 255          * @param hasher                MD5 hasher
 256          * @param rng                   RNG to create Request-Authenticator, NULL to omit
 257          * @param msg_auth              calculate and add Message-Authenticator
 258          */
 259         void (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 260                                  hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth);
 261
 262         /**
 263          * Verify the integrity of a received RADIUS message.
 264          *
 265          * @param req_auth              16 byte Authenticator of request, or NULL
 266          * @param secret                shared RADIUS secret
 267          * @param signer                HMAC-MD5 signer with secret set
 268          * @param hasher                MD5 hasher
 269          */
 270         bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 271                                    hasher_t *hasher, signer_t *signer);
 272
 273         /**
 274          * Destroy the message.
 275          */
 276         void (*destroy)(radius_message_t *this);
 277 };
 278
 279 /**
 280  * Create an empty RADIUS message.
 281  *
 282  * @param code                  request type
 283  * @return                              radius_message_t object
 284  */
 285 radius_message_t *radius_message_create(radius_message_code_t code);
 286
 287 /**
 288  * Parse and verify a recevied RADIUS message.
 289  *
 290  * @param data                  received message data
 291  * @return                              radius_message_t object, NULL if length invalid
 292  */
 293 radius_message_t *radius_message_parse(chunk_t data);
 294
 295 #endif /** RADIUS_MESSAGE_H_ @}*/