Gitiles
Code Review Sign In
gerrit.opencord.org / aaa / 8b01ee71f21ea32bf100425f94eb912b1bfd4100 / . / src / main / java / org / onosproject / aaa / packet / RADIUS.java
blob: 753490b79fd2ba963390aa1dace1f696a87c2e1f [file] [log] [blame]
Ari Saha89831742015-06-26 10:31:48 -0700[diff] [blame]1/*
2 *
3 * * Copyright 2015 AT&T Foundry
4 * *
5 * * Licensed under the Apache License, Version 2.0 (the "License");
6 * * you may not use this file except in compliance with the License.
7 * * You may obtain a copy of the License at
8 * *
9 * * http://www.apache.org/licenses/LICENSE-2.0
10 * *
11 * * Unless required by applicable law or agreed to in writing, software
12 * * distributed under the License is distributed on an "AS IS" BASIS,
13 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * * See the License for the specific language governing permissions and
15 * * limitations under the License.
16 *
17 */
18
19package org.onosproject.aaa.packet;
20
21import org.onlab.packet.BasePacket;
22import org.onlab.packet.IPacket;
23import org.slf4j.Logger;
24
25import javax.crypto.Mac;
26import javax.crypto.spec.SecretKeySpec;
27import java.io.ByteArrayOutputStream;
28import java.io.IOException;
29import java.nio.ByteBuffer;
30import java.security.SecureRandom;
31import java.util.ArrayList;
32import java.util.Arrays;
33
34import static org.slf4j.LoggerFactory.getLogger;
35
36/**
37 *
38 */
39public class RADIUS extends BasePacket {
40 protected byte code;
41 protected byte identifier;
42 protected short length = RADIUS_MIN_LENGTH;
43 protected byte[] authenticator = new byte[16];
44 protected ArrayList<RADIUSAttribute> attributes = new ArrayList<>();
45
46 /* RADIUS parameters */
47 public static final short RADIUS_MIN_LENGTH = 20;
48 public static final short MAX_ATTR_VALUE_LENGTH = 253;
49 public static final short RADIUS_MAX_LENGTH = 4096;
50
51 /* RADIUS packet types */
52 public static final byte RADIUS_CODE_ACCESS_REQUEST = 0x01;
53 public static final byte RADIUS_CODE_ACCESS_ACCEPT = 0x02;
54 public static final byte RADIUS_CODE_ACCESS_REJECT = 0x03;
55 public static final byte RADIUS_CODE_ACCOUNTING_REQUEST = 0x04;
56 public static final byte RADIUS_CODE_ACCOUNTING_RESPONSE = 0x05;
57 public static final byte RADIUS_CODE_ACCESS_CHALLENGE = 0x0b;
58
59 private final Logger log = getLogger(getClass());
60
61 public RADIUS() {
62 }
63
64 public RADIUS(byte code, byte identifier) {
65 this.code = code;
66 this.identifier = identifier;
67 }
68
69 public byte getCode() {
70 return this.code;
71 }
72
73 public void setCode(byte code) {
74 this.code = code;
75 }
76
77 public byte getIdentifier() {
78 return this.identifier;
79 }
80
81 public void setIdentifier(byte identifier) {
82 this.identifier = identifier;
83 }
84
85 public byte[] getAuthenticator() {
86 return this.authenticator;
87 }
88
89 public void setAuthenticator(byte[] a) {
90 this.authenticator = a;
91 }
92
93 public byte[] generateAuthCode() {
94 new SecureRandom().nextBytes(this.authenticator);
95 return this.authenticator;
96 }
97
98 public boolean isValidCode() {
99 return this.code == RADIUS_CODE_ACCESS_REQUEST ||
100 this.code == RADIUS_CODE_ACCESS_ACCEPT ||
101 this.code == RADIUS_CODE_ACCESS_REJECT ||
102 this.code == RADIUS_CODE_ACCOUNTING_REQUEST ||
103 this.code == RADIUS_CODE_ACCOUNTING_RESPONSE ||
104 this.code == RADIUS_CODE_ACCESS_CHALLENGE;
105 }
106
107 public RADIUSAttribute addMessageAuthenticator(String key) {
108 /* Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)
109 When the message integrity check is calculated the signature string should be considered to be
110 sixteen octets of zero.
111 */
112 byte[] hashOutput = new byte[16];
113 Arrays.fill(hashOutput, (byte) 0);
114
115 RADIUSAttribute authAttribute = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH);
116 if (authAttribute != null) {
117 // If Message-Authenticator was already present, override it
118 this.log.warn("Attempted to add duplicate Message-Authenticator");
119 authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
120 } else {
121 // Else generate a new attribute padded with zeroes
122 authAttribute = this.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
123 }
124 // Calculate the MD5 HMAC based on the message
125 try {
126 SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5");
127 Mac mac = Mac.getInstance("HmacMD5");
128 mac.init(keySpec);
129 hashOutput = mac.doFinal(this.serialize());
130 // Update HMAC in Message-Authenticator
131 authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
132 } catch (Exception e) {
133 this.log.error("Failed to generate message authenticator: {}", e.getMessage());
134 }
135
136 return authAttribute;
137 }
138
139 public boolean checkMessageAuthenticator(String key) {
140 byte[] newHash = new byte[16];
141 Arrays.fill(newHash, (byte) 0);
142 byte[] messageAuthenticator = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH).getValue();
143 this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, newHash);
144 // Calculate the MD5 HMAC based on the message
145 try {
146 SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5");
147 Mac mac = Mac.getInstance("HmacMD5");
148 mac.init(keySpec);
149 newHash = mac.doFinal(this.serialize());
150 } catch (Exception e) {
151 log.error("Failed to generate message authenticator: {}", e.getMessage());
152 }
153 this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, messageAuthenticator);
154 // Compare the calculated Message-Authenticator with the one in the message
155 return Arrays.equals(newHash, messageAuthenticator);
156 }
157
158 /**
159 * @param message
160 * EAP message object to be embedded in the RADIUS EAP-Message attributed
161 */
162 public void encapsulateMessage(EAP message) {
163 if (message.length <= MAX_ATTR_VALUE_LENGTH) {
164 // Use the regular serialization method as it fits into one EAP-Message attribute
165 this.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
166 message.serialize());
167 } else {
168 // Segment the message into chucks and embed them in several EAP-Message attributes
169 short remainingLength = message.length;
170 byte[] messageBuffer = message.serialize();
171 final ByteBuffer bb = ByteBuffer.wrap(messageBuffer);
172 while (bb.hasRemaining()) {
173 byte[] messageAttributeData;
174 if (remainingLength > MAX_ATTR_VALUE_LENGTH) {
175 // The remaining data is still too long to fit into one attribute, keep going
176 messageAttributeData = new byte[MAX_ATTR_VALUE_LENGTH];
177 bb.get(messageAttributeData, 0, MAX_ATTR_VALUE_LENGTH);
178 remainingLength -= MAX_ATTR_VALUE_LENGTH;
179 } else {
180 // The remaining data fits, this will be the last chunk
181 messageAttributeData = new byte[remainingLength];
182 bb.get(messageAttributeData, 0, remainingLength);
183 }
184 this.attributes.add(new RADIUSAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
185 (byte) (messageAttributeData.length + 2), messageAttributeData));
186
187 // Adding the size of the data to the total RADIUS length
188 this.length += (short) (messageAttributeData.length & 0xFF);
189 // Adding the size of the overhead attribute type and length
190 this.length += 2;
191 }
192 }
193 }
194
195 /**
196 * @return An EAP object containing the reassembled EAP message
197 */
198 public EAP decapsulateMessage() {
199 EAP message = new EAP();
200 ByteArrayOutputStream messageStream = new ByteArrayOutputStream();
201 // Iterating through EAP-Message attributes to concatenate their value
202 for (RADIUSAttribute ra : this.getAttributeList(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE)) {
203 try {
204 messageStream.write(ra.getValue());
205 } catch (IOException e) {
206 log.error("Error while reassembling EAP message: {}", e.getMessage());
207 }
208 }
209 // Assembling EAP object from the concatenated stream
210 message.deserialize(messageStream.toByteArray(), 0, messageStream.size());
211 return message;
212 }
213
214 /**
215 * @param attrType
216 * the type field of the required attributes
217 * @return List of the attributes that matches the type or an empty list if there is none
218 */
219 public ArrayList<RADIUSAttribute> getAttributeList(byte attrType) {
220 ArrayList<RADIUSAttribute> attrList = new ArrayList<>();
221 for (int i = 0; i < this.attributes.size(); i++) {
222 if (this.attributes.get(i).getType() == attrType) {
223 attrList.add(this.attributes.get(i));
224 }
225 }
226 return attrList;
227 }
228
229 /**
230 * @param attrType
231 * the type field of the required attribute
232 * @return the first attribute that matches the type or null if does not exist
233 */
234 public RADIUSAttribute getAttribute(byte attrType) {
235 for (int i = 0; i < this.attributes.size(); i++) {
236 if (this.attributes.get(i).getType() == attrType) {
237 return this.attributes.get(i);
238 }
239 }
240 return null;
241 }
242
243 /**
244 * @param attrType
245 * the type field of the attribute to set
246 * @param value
247 * value to be set
248 * @return reference to the attribute object
249 */
250 public RADIUSAttribute setAttribute(byte attrType, byte[] value) {
251 byte attrLength = (byte) (value.length + 2);
252 RADIUSAttribute newAttribute = new RADIUSAttribute(attrType, attrLength, value);
253 this.attributes.add(newAttribute);
254 this.length += (short) (attrLength & 0xFF);
255 return newAttribute;
256 }
257
258 public RADIUSAttribute updateAttribute(byte attrType, byte[] value) {
259 for (int i = 0; i < this.attributes.size(); i++) {
260 if (this.attributes.get(i).getType() == attrType) {
261 this.length -= (short) (this.attributes.get(i).getLength() & 0xFF);
262 RADIUSAttribute newAttr = new RADIUSAttribute(attrType, (byte) (value.length + 2), value);
263 this.attributes.set(i, newAttr);
264 this.length += (short) (newAttr.getLength() & 0xFF);
265 return newAttr;
266 }
267 }
268 return null;
269 }
270
271 @Override
272 public byte[] serialize() {
273 final byte[] data = new byte[this.length];
274 final ByteBuffer bb = ByteBuffer.wrap(data);
275
276 bb.put(this.code);
277 bb.put(this.identifier);
278 bb.putShort(this.length);
279 bb.put(this.authenticator);
280 for (int i = 0; i < this.attributes.size(); i++) {
281 RADIUSAttribute attr = this.attributes.get(i);
282 bb.put(attr.getType());
283 bb.put(attr.getLength());
284 bb.put(attr.getValue());
285 }
286
287 return data;
288 }
289
290 @Override
291 public IPacket deserialize(final byte[] data, final int offset,
292 final int length) {
293 final ByteBuffer bb = ByteBuffer.wrap(data, offset, length);
294 this.code = bb.get();
295 this.identifier = bb.get();
296 this.length = bb.getShort();
297 bb.get(this.authenticator, 0, 16);
298
299 int remainingLength = this.length - RADIUS_MIN_LENGTH;
300 while (remainingLength > 0 && bb.hasRemaining()) {
301 RADIUSAttribute attr = new RADIUSAttribute();
302 attr.setType(bb.get());
303 attr.setLength(bb.get());
304 short attrLength = (short) (attr.length & 0xff);
305 attr.value = new byte[attrLength - 2];
306 bb.get(attr.value, 0, attrLength - 2);
307 this.attributes.add(attr);
308 remainingLength -= attr.length;
309 }
310 return this;
311 }
312
313}