Ari Saha | 8983174 | 2015-06-26 10:31:48 -0700 | [diff] [blame] | 1 | /* |
| 2 | * |
| 3 | * * Copyright 2015 AT&T Foundry |
| 4 | * * |
| 5 | * * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * * you may not use this file except in compliance with the License. |
| 7 | * * You may obtain a copy of the License at |
| 8 | * * |
| 9 | * * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * * |
| 11 | * * Unless required by applicable law or agreed to in writing, software |
| 12 | * * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * * See the License for the specific language governing permissions and |
| 15 | * * limitations under the License. |
| 16 | * |
| 17 | */ |
| 18 | |
| 19 | package org.onosproject.aaa.packet; |
| 20 | |
| 21 | import org.onlab.packet.BasePacket; |
| 22 | import org.onlab.packet.IPacket; |
| 23 | import org.slf4j.Logger; |
| 24 | |
| 25 | import javax.crypto.Mac; |
| 26 | import javax.crypto.spec.SecretKeySpec; |
| 27 | import java.io.ByteArrayOutputStream; |
| 28 | import java.io.IOException; |
| 29 | import java.nio.ByteBuffer; |
| 30 | import java.security.SecureRandom; |
| 31 | import java.util.ArrayList; |
| 32 | import java.util.Arrays; |
| 33 | |
| 34 | import static org.slf4j.LoggerFactory.getLogger; |
| 35 | |
| 36 | /** |
| 37 | * |
| 38 | */ |
| 39 | public class RADIUS extends BasePacket { |
| 40 | protected byte code; |
| 41 | protected byte identifier; |
| 42 | protected short length = RADIUS_MIN_LENGTH; |
| 43 | protected byte[] authenticator = new byte[16]; |
| 44 | protected ArrayList<RADIUSAttribute> attributes = new ArrayList<>(); |
| 45 | |
| 46 | /* RADIUS parameters */ |
| 47 | public static final short RADIUS_MIN_LENGTH = 20; |
| 48 | public static final short MAX_ATTR_VALUE_LENGTH = 253; |
| 49 | public static final short RADIUS_MAX_LENGTH = 4096; |
| 50 | |
| 51 | /* RADIUS packet types */ |
| 52 | public static final byte RADIUS_CODE_ACCESS_REQUEST = 0x01; |
| 53 | public static final byte RADIUS_CODE_ACCESS_ACCEPT = 0x02; |
| 54 | public static final byte RADIUS_CODE_ACCESS_REJECT = 0x03; |
| 55 | public static final byte RADIUS_CODE_ACCOUNTING_REQUEST = 0x04; |
| 56 | public static final byte RADIUS_CODE_ACCOUNTING_RESPONSE = 0x05; |
| 57 | public static final byte RADIUS_CODE_ACCESS_CHALLENGE = 0x0b; |
| 58 | |
| 59 | private final Logger log = getLogger(getClass()); |
| 60 | |
| 61 | public RADIUS() { |
| 62 | } |
| 63 | |
| 64 | public RADIUS(byte code, byte identifier) { |
| 65 | this.code = code; |
| 66 | this.identifier = identifier; |
| 67 | } |
| 68 | |
| 69 | public byte getCode() { |
| 70 | return this.code; |
| 71 | } |
| 72 | |
| 73 | public void setCode(byte code) { |
| 74 | this.code = code; |
| 75 | } |
| 76 | |
| 77 | public byte getIdentifier() { |
| 78 | return this.identifier; |
| 79 | } |
| 80 | |
| 81 | public void setIdentifier(byte identifier) { |
| 82 | this.identifier = identifier; |
| 83 | } |
| 84 | |
| 85 | public byte[] getAuthenticator() { |
| 86 | return this.authenticator; |
| 87 | } |
| 88 | |
| 89 | public void setAuthenticator(byte[] a) { |
| 90 | this.authenticator = a; |
| 91 | } |
| 92 | |
| 93 | public byte[] generateAuthCode() { |
| 94 | new SecureRandom().nextBytes(this.authenticator); |
| 95 | return this.authenticator; |
| 96 | } |
| 97 | |
| 98 | public boolean isValidCode() { |
| 99 | return this.code == RADIUS_CODE_ACCESS_REQUEST || |
| 100 | this.code == RADIUS_CODE_ACCESS_ACCEPT || |
| 101 | this.code == RADIUS_CODE_ACCESS_REJECT || |
| 102 | this.code == RADIUS_CODE_ACCOUNTING_REQUEST || |
| 103 | this.code == RADIUS_CODE_ACCOUNTING_RESPONSE || |
| 104 | this.code == RADIUS_CODE_ACCESS_CHALLENGE; |
| 105 | } |
| 106 | |
| 107 | public RADIUSAttribute addMessageAuthenticator(String key) { |
| 108 | /* Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes) |
| 109 | When the message integrity check is calculated the signature string should be considered to be |
| 110 | sixteen octets of zero. |
| 111 | */ |
| 112 | byte[] hashOutput = new byte[16]; |
| 113 | Arrays.fill(hashOutput, (byte) 0); |
| 114 | |
| 115 | RADIUSAttribute authAttribute = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH); |
| 116 | if (authAttribute != null) { |
| 117 | // If Message-Authenticator was already present, override it |
| 118 | this.log.warn("Attempted to add duplicate Message-Authenticator"); |
| 119 | authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput); |
| 120 | } else { |
| 121 | // Else generate a new attribute padded with zeroes |
| 122 | authAttribute = this.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput); |
| 123 | } |
| 124 | // Calculate the MD5 HMAC based on the message |
| 125 | try { |
| 126 | SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5"); |
| 127 | Mac mac = Mac.getInstance("HmacMD5"); |
| 128 | mac.init(keySpec); |
| 129 | hashOutput = mac.doFinal(this.serialize()); |
| 130 | // Update HMAC in Message-Authenticator |
| 131 | authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput); |
| 132 | } catch (Exception e) { |
| 133 | this.log.error("Failed to generate message authenticator: {}", e.getMessage()); |
| 134 | } |
| 135 | |
| 136 | return authAttribute; |
| 137 | } |
| 138 | |
| 139 | public boolean checkMessageAuthenticator(String key) { |
| 140 | byte[] newHash = new byte[16]; |
| 141 | Arrays.fill(newHash, (byte) 0); |
| 142 | byte[] messageAuthenticator = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH).getValue(); |
| 143 | this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, newHash); |
| 144 | // Calculate the MD5 HMAC based on the message |
| 145 | try { |
| 146 | SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5"); |
| 147 | Mac mac = Mac.getInstance("HmacMD5"); |
| 148 | mac.init(keySpec); |
| 149 | newHash = mac.doFinal(this.serialize()); |
| 150 | } catch (Exception e) { |
| 151 | log.error("Failed to generate message authenticator: {}", e.getMessage()); |
| 152 | } |
| 153 | this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, messageAuthenticator); |
| 154 | // Compare the calculated Message-Authenticator with the one in the message |
| 155 | return Arrays.equals(newHash, messageAuthenticator); |
| 156 | } |
| 157 | |
| 158 | /** |
| 159 | * @param message |
| 160 | * EAP message object to be embedded in the RADIUS EAP-Message attributed |
| 161 | */ |
| 162 | public void encapsulateMessage(EAP message) { |
| 163 | if (message.length <= MAX_ATTR_VALUE_LENGTH) { |
| 164 | // Use the regular serialization method as it fits into one EAP-Message attribute |
| 165 | this.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE, |
| 166 | message.serialize()); |
| 167 | } else { |
| 168 | // Segment the message into chucks and embed them in several EAP-Message attributes |
| 169 | short remainingLength = message.length; |
| 170 | byte[] messageBuffer = message.serialize(); |
| 171 | final ByteBuffer bb = ByteBuffer.wrap(messageBuffer); |
| 172 | while (bb.hasRemaining()) { |
| 173 | byte[] messageAttributeData; |
| 174 | if (remainingLength > MAX_ATTR_VALUE_LENGTH) { |
| 175 | // The remaining data is still too long to fit into one attribute, keep going |
| 176 | messageAttributeData = new byte[MAX_ATTR_VALUE_LENGTH]; |
| 177 | bb.get(messageAttributeData, 0, MAX_ATTR_VALUE_LENGTH); |
| 178 | remainingLength -= MAX_ATTR_VALUE_LENGTH; |
| 179 | } else { |
| 180 | // The remaining data fits, this will be the last chunk |
| 181 | messageAttributeData = new byte[remainingLength]; |
| 182 | bb.get(messageAttributeData, 0, remainingLength); |
| 183 | } |
| 184 | this.attributes.add(new RADIUSAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE, |
| 185 | (byte) (messageAttributeData.length + 2), messageAttributeData)); |
| 186 | |
| 187 | // Adding the size of the data to the total RADIUS length |
| 188 | this.length += (short) (messageAttributeData.length & 0xFF); |
| 189 | // Adding the size of the overhead attribute type and length |
| 190 | this.length += 2; |
| 191 | } |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | /** |
| 196 | * @return An EAP object containing the reassembled EAP message |
| 197 | */ |
| 198 | public EAP decapsulateMessage() { |
| 199 | EAP message = new EAP(); |
| 200 | ByteArrayOutputStream messageStream = new ByteArrayOutputStream(); |
| 201 | // Iterating through EAP-Message attributes to concatenate their value |
| 202 | for (RADIUSAttribute ra : this.getAttributeList(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE)) { |
| 203 | try { |
| 204 | messageStream.write(ra.getValue()); |
| 205 | } catch (IOException e) { |
| 206 | log.error("Error while reassembling EAP message: {}", e.getMessage()); |
| 207 | } |
| 208 | } |
| 209 | // Assembling EAP object from the concatenated stream |
| 210 | message.deserialize(messageStream.toByteArray(), 0, messageStream.size()); |
| 211 | return message; |
| 212 | } |
| 213 | |
| 214 | /** |
| 215 | * @param attrType |
| 216 | * the type field of the required attributes |
| 217 | * @return List of the attributes that matches the type or an empty list if there is none |
| 218 | */ |
| 219 | public ArrayList<RADIUSAttribute> getAttributeList(byte attrType) { |
| 220 | ArrayList<RADIUSAttribute> attrList = new ArrayList<>(); |
| 221 | for (int i = 0; i < this.attributes.size(); i++) { |
| 222 | if (this.attributes.get(i).getType() == attrType) { |
| 223 | attrList.add(this.attributes.get(i)); |
| 224 | } |
| 225 | } |
| 226 | return attrList; |
| 227 | } |
| 228 | |
| 229 | /** |
| 230 | * @param attrType |
| 231 | * the type field of the required attribute |
| 232 | * @return the first attribute that matches the type or null if does not exist |
| 233 | */ |
| 234 | public RADIUSAttribute getAttribute(byte attrType) { |
| 235 | for (int i = 0; i < this.attributes.size(); i++) { |
| 236 | if (this.attributes.get(i).getType() == attrType) { |
| 237 | return this.attributes.get(i); |
| 238 | } |
| 239 | } |
| 240 | return null; |
| 241 | } |
| 242 | |
| 243 | /** |
| 244 | * @param attrType |
| 245 | * the type field of the attribute to set |
| 246 | * @param value |
| 247 | * value to be set |
| 248 | * @return reference to the attribute object |
| 249 | */ |
| 250 | public RADIUSAttribute setAttribute(byte attrType, byte[] value) { |
| 251 | byte attrLength = (byte) (value.length + 2); |
| 252 | RADIUSAttribute newAttribute = new RADIUSAttribute(attrType, attrLength, value); |
| 253 | this.attributes.add(newAttribute); |
| 254 | this.length += (short) (attrLength & 0xFF); |
| 255 | return newAttribute; |
| 256 | } |
| 257 | |
| 258 | public RADIUSAttribute updateAttribute(byte attrType, byte[] value) { |
| 259 | for (int i = 0; i < this.attributes.size(); i++) { |
| 260 | if (this.attributes.get(i).getType() == attrType) { |
| 261 | this.length -= (short) (this.attributes.get(i).getLength() & 0xFF); |
| 262 | RADIUSAttribute newAttr = new RADIUSAttribute(attrType, (byte) (value.length + 2), value); |
| 263 | this.attributes.set(i, newAttr); |
| 264 | this.length += (short) (newAttr.getLength() & 0xFF); |
| 265 | return newAttr; |
| 266 | } |
| 267 | } |
| 268 | return null; |
| 269 | } |
| 270 | |
| 271 | @Override |
| 272 | public byte[] serialize() { |
| 273 | final byte[] data = new byte[this.length]; |
| 274 | final ByteBuffer bb = ByteBuffer.wrap(data); |
| 275 | |
| 276 | bb.put(this.code); |
| 277 | bb.put(this.identifier); |
| 278 | bb.putShort(this.length); |
| 279 | bb.put(this.authenticator); |
| 280 | for (int i = 0; i < this.attributes.size(); i++) { |
| 281 | RADIUSAttribute attr = this.attributes.get(i); |
| 282 | bb.put(attr.getType()); |
| 283 | bb.put(attr.getLength()); |
| 284 | bb.put(attr.getValue()); |
| 285 | } |
| 286 | |
| 287 | return data; |
| 288 | } |
| 289 | |
| 290 | @Override |
| 291 | public IPacket deserialize(final byte[] data, final int offset, |
| 292 | final int length) { |
| 293 | final ByteBuffer bb = ByteBuffer.wrap(data, offset, length); |
| 294 | this.code = bb.get(); |
| 295 | this.identifier = bb.get(); |
| 296 | this.length = bb.getShort(); |
| 297 | bb.get(this.authenticator, 0, 16); |
| 298 | |
| 299 | int remainingLength = this.length - RADIUS_MIN_LENGTH; |
| 300 | while (remainingLength > 0 && bb.hasRemaining()) { |
| 301 | RADIUSAttribute attr = new RADIUSAttribute(); |
| 302 | attr.setType(bb.get()); |
| 303 | attr.setLength(bb.get()); |
| 304 | short attrLength = (short) (attr.length & 0xff); |
| 305 | attr.value = new byte[attrLength - 2]; |
| 306 | bb.get(attr.value, 0, attrLength - 2); |
| 307 | this.attributes.add(attr); |
| 308 | remainingLength -= attr.length; |
| 309 | } |
| 310 | return this; |
| 311 | } |
| 312 | |
| 313 | } |