1 /*
2 * Copyright (C) 2009 Martin Willi
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup libradius libradius
18 *
19 * @addtogroup libradius
20 * RADIUS protocol support library.
21 *
22 * @defgroup radius_message radius_message
23 * @{ @ingroup libradius
24 */
25
26 #ifndef RADIUS_MESSAGE_H_
27 #define RADIUS_MESSAGE_H_
28
29 #include <library.h>
30 #include <pen/pen.h>
31
/**
 * Largest attribute value in octets. A RADIUS attribute's one-octet Length
 * field also covers the Type and Length octets themselves, so 255 - 2.
 */
#define MAX_RADIUS_ATTRIBUTE_SIZE 253

/** Value of the Tunnel-Type attribute designating ESP */
#define RADIUS_TUNNEL_TYPE_ESP 9

typedef struct radius_message_t radius_message_t;
typedef enum radius_message_code_t radius_message_code_t;
typedef enum radius_attribute_type_t radius_attribute_type_t;
39
40 /**
41 * RADIUS Message Codes.
42 */
/*
 * RADIUS Message Codes (value of the first octet of a packet).
 */
enum radius_message_code_t {
	/* authentication exchange */
	RMC_ACCESS_REQUEST       = 1,
	RMC_ACCESS_ACCEPT        = 2,
	RMC_ACCESS_REJECT        = 3,
	/* accounting exchange */
	RMC_ACCOUNTING_REQUEST   = 4,
	RMC_ACCOUNTING_RESPONSE  = 5,
	/* multi-round authentication */
	RMC_ACCESS_CHALLENGE     = 11,
	/* dynamic authorization: server-initiated disconnect / change of authorization */
	RMC_DISCONNECT_REQUEST   = 40,
	RMC_DISCONNECT_ACK       = 41,
	RMC_DISCONNECT_NAK       = 42,
	RMC_COA_REQUEST          = 43,
	RMC_COA_ACK              = 44,
	RMC_COA_NAK              = 45,
};
57
58 /**
59 * Enum names for radius_message_code_t.
60 */
61 extern enum_name_t *radius_message_code_names;
62
63 /**
64 * RADIUS Attribute Types.
65 */
/*
 * RADIUS Attribute Types (value of the Type octet of an attribute).
 * Values are listed explicitly because the number space has gaps.
 */
enum radius_attribute_type_t {
	/* base attributes, RFC 2865 */
	RAT_USER_NAME                   = 1,
	RAT_USER_PASSWORD               = 2,
	RAT_CHAP_PASSWORD               = 3,
	RAT_NAS_IP_ADDRESS              = 4,
	RAT_NAS_PORT                    = 5,
	RAT_SERVICE_TYPE                = 6,
	RAT_FRAMED_PROTOCOL             = 7,
	RAT_FRAMED_IP_ADDRESS           = 8,
	RAT_FRAMED_IP_NETMASK           = 9,
	RAT_FRAMED_ROUTING              = 10,
	RAT_FILTER_ID                   = 11,
	RAT_FRAMED_MTU                  = 12,
	RAT_FRAMED_COMPRESSION          = 13,
	RAT_LOGIN_IP_HOST               = 14,
	RAT_LOGIN_SERVICE               = 15,
	RAT_LOGIN_TCP_PORT              = 16,
	RAT_REPLY_MESSAGE               = 18,
	RAT_CALLBACK_NUMBER             = 19,
	RAT_CALLBACK_ID                 = 20,
	RAT_FRAMED_ROUTE                = 22,
	RAT_FRAMED_IPX_NETWORK          = 23,
	RAT_STATE                       = 24,
	RAT_CLASS                       = 25,
	RAT_VENDOR_SPECIFIC             = 26,
	RAT_SESSION_TIMEOUT             = 27,
	RAT_IDLE_TIMEOUT                = 28,
	RAT_TERMINATION_ACTION          = 29,
	RAT_CALLED_STATION_ID           = 30,
	RAT_CALLING_STATION_ID          = 31,
	RAT_NAS_IDENTIFIER              = 32,
	RAT_PROXY_STATE                 = 33,
	RAT_LOGIN_LAT_SERVICE           = 34,
	RAT_LOGIN_LAT_NODE              = 35,
	RAT_LOGIN_LAT_GROUP             = 36,
	RAT_FRAMED_APPLETALK_LINK       = 37,
	RAT_FRAMED_APPLETALK_NETWORK    = 38,
	RAT_FRAMED_APPLETALK_ZONE       = 39,
	/* accounting, RFC 2866 / RFC 2869 */
	RAT_ACCT_STATUS_TYPE            = 40,
	RAT_ACCT_DELAY_TIME             = 41,
	RAT_ACCT_INPUT_OCTETS           = 42,
	RAT_ACCT_OUTPUT_OCTETS          = 43,
	RAT_ACCT_SESSION_ID             = 44,
	RAT_ACCT_AUTHENTIC              = 45,
	RAT_ACCT_SESSION_TIME           = 46,
	RAT_ACCT_INPUT_PACKETS          = 47,
	RAT_ACCT_OUTPUT_PACKETS         = 48,
	RAT_ACCT_TERMINATE_CAUSE        = 49,
	RAT_ACCT_MULTI_SESSION_ID       = 50,
	RAT_ACCT_LINK_COUNT             = 51,
	RAT_ACCT_INPUT_GIGAWORDS        = 52,
	RAT_ACCT_OUTPUT_GIGAWORDS       = 53,
	RAT_EVENT_TIMESTAMP             = 55,
	RAT_EGRESS_VLANID               = 56,
	RAT_INGRESS_FILTERS             = 57,
	RAT_EGRESS_VLAN_NAME            = 58,
	RAT_USER_PRIORITY_TABLE         = 59,
	RAT_CHAP_CHALLENGE              = 60,
	RAT_NAS_PORT_TYPE               = 61,
	RAT_PORT_LIMIT                  = 62,
	RAT_LOGIN_LAT_PORT              = 63,
	/* tunnel attributes, RFC 2868 */
	RAT_TUNNEL_TYPE                 = 64,
	RAT_TUNNEL_MEDIUM_TYPE          = 65,
	RAT_TUNNEL_CLIENT_ENDPOINT      = 66,
	RAT_TUNNEL_SERVER_ENDPOINT      = 67,
	RAT_ACCT_TUNNEL_CONNECTION      = 68,
	RAT_TUNNEL_PASSWORD             = 69,
	RAT_ARAP_PASSWORD               = 70,
	RAT_ARAP_FEATURES               = 71,
	RAT_ARAP_ZONE_ACCESS            = 72,
	RAT_ARAP_SECURITY               = 73,
	RAT_ARAP_SECURITY_DATA          = 74,
	RAT_PASSWORD_RETRY              = 75,
	RAT_PROMPT                      = 76,
	RAT_CONNECT_INFO                = 77,
	RAT_CONFIGURATION_TOKEN         = 78,
	RAT_EAP_MESSAGE                 = 79,
	RAT_MESSAGE_AUTHENTICATOR       = 80,
	RAT_TUNNEL_PRIVATE_GROUP_ID     = 81,
	RAT_TUNNEL_ASSIGNMENT_ID        = 82,
	RAT_TUNNEL_PREFERENCE           = 83,
	RAT_ARAP_CHALLENGE_RESPONSE     = 84,
	RAT_ACCT_INTERIM_INTERVAL       = 85,
	RAT_ACCT_TUNNEL_PACKETS_LOST    = 86,
	RAT_NAS_PORT_ID                 = 87,
	RAT_FRAMED_POOL                 = 88,
	RAT_CUI                         = 89,
	RAT_TUNNEL_CLIENT_AUTH_ID       = 90,
	RAT_TUNNEL_SERVER_AUTH_ID       = 91,
	RAT_NAS_FILTER_RULE             = 92,
	RAT_UNASSIGNED                  = 93,
	RAT_ORIGINATING_LINE_INFO       = 94,
	/* IPv6 attributes, RFC 3162 */
	RAT_NAS_IPV6_ADDRESS            = 95,
	RAT_FRAMED_INTERFACE_ID         = 96,
	RAT_FRAMED_IPV6_PREFIX          = 97,
	RAT_LOGIN_IPV6_HOST             = 98,
	RAT_FRAMED_IPV6_ROUTE           = 99,
	RAT_FRAMED_IPV6_POOL            = 100,
	RAT_ERROR_CAUSE                 = 101,
	RAT_EAP_KEY_NAME                = 102,
	/* HTTP digest authentication, RFC 5090 */
	RAT_DIGEST_RESPONSE             = 103,
	RAT_DIGEST_REALM                = 104,
	RAT_DIGEST_NONCE                = 105,
	RAT_DIGEST_RESPONSE_AUTH        = 106,
	RAT_DIGEST_NEXTNONCE            = 107,
	RAT_DIGEST_METHOD               = 108,
	RAT_DIGEST_URI                  = 109,
	RAT_DIGEST_QOP                  = 110,
	RAT_DIGEST_ALGORITHM            = 111,
	RAT_DIGEST_ENTITY_BODY_HASH     = 112,
	RAT_DIGEST_CNONCE               = 113,
	RAT_DIGEST_NONCE_COUNT          = 114,
	RAT_DIGEST_USERNAME             = 115,
	RAT_DIGEST_OPAQUE               = 116,
	RAT_DIGEST_AUTH_PARAM           = 117,
	RAT_DIGEST_AKA_AUTS             = 118,
	RAT_DIGEST_DOMAIN               = 119,
	RAT_DIGEST_STALE                = 120,
	RAT_DIGEST_HA1                  = 121,
	RAT_SIP_AOR                     = 122,
	RAT_DELEGATED_IPV6_PREFIX       = 123,
	RAT_MIP6_FEATURE_VECTOR         = 124,
	RAT_MIP6_HOME_LINK_PREFIX       = 125,
	/* additional IPv6 access attributes, RFC 6911 */
	RAT_FRAMED_IPV6_ADDRESS         = 168,
	RAT_FRAMED_IPV6_DNS_SERVER      = 169,
	RAT_ROUTE_IPV6_INFORMATION      = 170,
	RAT_DELEGATED_IPV6_PREFIX_POOL  = 171,
	RAT_STATEFUL_IPV6_ADDRESS_POOL  = 172,
};
195
196 /**
197 * Enum names for radius_attribute_type_t.
198 */
199 extern enum_name_t *radius_attribute_type_names;
200
201 /**
202 * A RADIUS message, contains attributes.
203 */
struct radius_message_t {

	/**
	 * Create an enumerator over contained RADIUS attributes.
	 *
	 * @return			enumerator over (int type, chunk_t data)
	 */
	enumerator_t* (*create_enumerator)(radius_message_t *this);

	/**
	 * Create an enumerator over contained RADIUS Vendor-ID attributes.
	 *
	 * This enumerator parses only vendor specific attributes in the format
	 * recommended in RFC2865 (Vendor-Id followed by Vendor type/length/value).
	 *
	 * @return			enumerator over (int vendor, int type, chunk_t data)
	 */
	enumerator_t* (*create_vendor_enumerator)(radius_message_t *this);

	/**
	 * Add a RADIUS attribute to the message.
	 *
	 * @param type		type of attribute to add
	 * @param data		attribute data, gets cloned (caller keeps ownership)
	 */
	void (*add)(radius_message_t *this, radius_attribute_type_t type,
				chunk_t data);

	/**
	 * Get the message type (code).
	 *
	 * @return			message code
	 */
	radius_message_code_t (*get_code)(radius_message_t *this);

	/**
	 * Get the message identifier (used to match a response to its request).
	 *
	 * @return			message identifier
	 */
	uint8_t (*get_identifier)(radius_message_t *this);

	/**
	 * Set the message identifier.
	 *
	 * @param identifier	message identifier
	 */
	void (*set_identifier)(radius_message_t *this, uint8_t identifier);

	/**
	 * Get the 16 byte authenticator.
	 *
	 * @return			pointer to the Authenticator field inside the
	 *					message buffer, not a copy
	 */
	uint8_t* (*get_authenticator)(radius_message_t *this);

	/**
	 * Get the RADIUS message in its encoded form.
	 *
	 * @return			chunk pointing to internal RADIUS message, owned by
	 *					the message and not to be freed by the caller
	 */
	chunk_t (*get_encoding)(radius_message_t *this);

	/**
	 * Sign the message: fill in the Authenticator field and, if msg_auth is
	 * TRUE, calculate and add the Message-Authenticator attribute.
	 *
	 * @param req_auth	16 byte Authenticator of request, or NULL
	 * @param secret	shared RADIUS secret
	 * @param hasher	MD5 hasher
	 * @param signer	HMAC-MD5 signer with secret set
	 * @param rng		RNG to create Request-Authenticator, NULL to omit
	 * @param msg_auth	TRUE to calculate and add Message-Authenticator
	 * @return			TRUE if signed successfully
	 */
	bool (*sign)(radius_message_t *this, uint8_t *req_auth, chunk_t secret,
				 hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth);

	/**
	 * Verify the integrity of a received RADIUS message.
	 *
	 * @param req_auth	16 byte Authenticator of request, or NULL
	 * @param secret	shared RADIUS secret
	 * @param hasher	MD5 hasher
	 * @param signer	HMAC-MD5 signer with secret set
	 * @return			TRUE if the message verified successfully
	 */
	bool (*verify)(radius_message_t *this, uint8_t *req_auth, chunk_t secret,
				   hasher_t *hasher, signer_t *signer);

	/**
	 * Perform RADIUS attribute en-/decryption.
	 *
	 * Performs en-/decryption by XORing the hash-extended secret into data,
	 * as specified in RFC 2865 5.2 and used by RFC 2548. As the operation is
	 * an XOR, the same call serves both directions.
	 *
	 * @param salt		salt to append to message authenticator, if any
	 * @param in		data to en-/decrypt, multiple of HASH_SIZE_MD5
	 * @param out		caller-provided buffer for en-/decrypted data,
	 *					length equal to in
	 * @param secret	RADIUS secret
	 * @param hasher	MD5 hasher
	 * @return			TRUE if en-/decryption successful
	 */
	bool (*crypt)(radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out,
				  chunk_t secret, hasher_t *hasher);

	/**
	 * Destroy the message and release its internal buffer.
	 */
	void (*destroy)(radius_message_t *this);
};
313
314 /**
315 * Create an empty RADIUS message.
316 *
317 * @param code request type
318 * @return radius_message_t object
319 */
320 radius_message_t *radius_message_create(radius_message_code_t code);
321
322 /**
323 * Parse a received RADIUS message, verifying its framing (lengths), not
324 * its authenticator: no shared secret is available here, use verify().
325 *
326 * @param data received message data
327 * @return radius_message_t object, NULL if length invalid
327 */
328 radius_message_t *radius_message_parse(chunk_t data);
329
330 /**
331 * @}
332 * @addtogroup libradius
333 * @{
334 *
335 * Dummy libradius initialization function needed for integrity test
336 */
337 void libradius_init(void);
338
339 #endif /** RADIUS_MESSAGE_H_ @}*/