SoftEtherVPN/src/Cedar/Radius.h

// SoftEther VPN Source Code - Developer Edition Master Branch
// Cedar Communication Module
// 
// SoftEther VPN Server, Client and Bridge are free software under GPLv2.
// 
// Copyright (c) Daiyuu Nobori.
// Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan.
// Copyright (c) SoftEther Corporation.
// 
// All Rights Reserved.
// 
// http://www.softether.org/
// 
// Author: Daiyuu Nobori, Ph.D.
// Comments: Tetsuo Sugiyama, Ph.D.
// 
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// version 2 as published by the Free Software Foundation.
// 
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// 
// You should have received a copy of the GNU General Public License version 2
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
// 
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
// 
// THE LICENSE AGREEMENT IS ATTACHED ON THE SOURCE-CODE PACKAGE
// AS "LICENSE.TXT" FILE. READ THE TEXT FILE IN ADVANCE TO USE THE SOFTWARE.
// 
// 
// THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN,
// UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY,
// MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS
// SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS
// SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER
// CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL
// DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING,
// MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR
// SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND
// CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO
// EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO,
// JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION
// AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN
// THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
// 
// USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS
// YOU HAVE A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY
// CRIMINAL LAWS OR CIVIL RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS
// SOFTWARE IN OTHER COUNTRIES IS COMPLETELY AT YOUR OWN RISK. THE
// SOFTETHER VPN PROJECT HAS DEVELOPED AND DISTRIBUTED THIS SOFTWARE TO
// COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING CIVIL RIGHTS INCLUDING
// PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER COUNTRIES' LAWS OR
// CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. WE HAVE
// NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR
// INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+
// COUNTRIES AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE
// WORLD, WITH DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY
// COUNTRIES' LAWS, REGULATIONS AND CIVIL RIGHTS TO MAKE THE SOFTWARE
// COMPLY WITH ALL COUNTRIES' LAWS BY THE PROJECT. EVEN IF YOU WILL BE
// SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A PUBLIC SERVANT IN YOUR
// COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE LIABLE TO
// RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL
// RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT
// JUST A STATEMENT FOR WARNING AND DISCLAIMER.
// 
// 
// SOURCE CODE CONTRIBUTION
// ------------------------
// 
// Your contribution to SoftEther VPN Project is much appreciated.
// Please send patches to us through GitHub.
// Read the SoftEther VPN Patch Acceptance Policy in advance:
// http://www.softether.org/5-download/src/9.patch
// 
// 
// DEAR SECURITY EXPERTS
// ---------------------
// 
// If you find a bug or a security vulnerability please kindly inform us
// about the problem immediately so that we can fix the security problem
// to protect a lot of users around the world as soon as possible.
// 
// Our e-mail address for security reports is:
// softether-vpn-security [at] softether.org
// 
// Please note that the above e-mail address is not a technical support
// inquiry address. If you need technical assistance, please visit
// http://www.softether.org/ and ask your question on the users forum.
// 
// Thank you for your cooperation.
// 
// 
// NO MEMORY OR RESOURCE LEAKS
// ---------------------------
// 
// The memory-leaks and resource-leaks verification under the stress
// test has been passed before release this source code.


// Radius.h
// Header of Radius.c

#ifndef	RADIUS_H
#define	RADIUS_H

#define	RADIUS_DEFAULT_PORT		1812			// The default port number
#define	RADIUS_RETRY_INTERVAL	500				// Retransmission interval
#define	RADIUS_RETRY_TIMEOUT	(10 * 1000)		// Time-out period
#define	RADIUS_INITIAL_EAP_TIMEOUT	1600		// Initial timeout for EAP


// RADIUS attributes
#define	RADIUS_ATTRIBUTE_USER_NAME					1
#define	RADIUS_ATTRIBUTE_NAS_IP						4
#define	RADIUS_ATTRIBUTE_NAS_PORT					5
#define	RADIUS_ATTRIBUTE_SERVICE_TYPE				6
#define	RADIUS_ATTRIBUTE_FRAMED_PROTOCOL			7
#define	RADIUS_ATTRIBUTE_FRAMED_MTU					12
#define	RADIUS_ATTRIBUTE_STATE						24
#define	RADIUS_ATTRIBUTE_VENDOR_SPECIFIC			26
#define	RADIUS_ATTRIBUTE_CALLED_STATION_ID			30
#define	RADIUS_ATTRIBUTE_CALLING_STATION_ID			31
#define	RADIUS_ATTRIBUTE_NAS_ID						32
#define	RADIUS_ATTRIBUTE_PROXY_STATE				33
#define	RADIUS_ATTRIBUTE_ACCT_SESSION_ID			44
#define	RADIUS_ATTRIBUTE_NAS_PORT_TYPE				61
#define	RADIUS_ATTRIBUTE_TUNNEL_TYPE				64
#define	RADIUS_ATTRIBUTE_TUNNEL_MEDIUM_TYPE			65
#define	RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT		66
#define	RADIUS_ATTRIBUTE_TUNNEL_SERVER_ENDPOINT		67
#define	RADIUS_ATTRIBUTE_EAP_MESSAGE				79
#define	RADIUS_ATTRIBUTE_EAP_AUTHENTICATOR			80
#define	RADIUS_ATTRIBUTE_VLAN_ID					81
#define	RADIUS_MAX_NAS_ID_LEN						253

// RADIUS codes
#define	RADIUS_CODE_ACCESS_REQUEST					1
#define	RADIUS_CODE_ACCESS_ACCEPT					2
#define	RADIUS_CODE_ACCESS_REJECT					3
#define	RADIUS_CODE_ACCESS_CHALLENGE				11

// RADIUS vendor ID
#define	RADIUS_VENDOR_MICROSOFT						311

// RADIUS MS attributes
#define	RADIUS_MS_RAS_VENDOR						9
#define	RADIUS_MS_CHAP_CHALLENGE					11
#define	RADIUS_MS_VERSION							18
#define	RADIUS_MS_CHAP2_RESPONSE					25
#define	RADIUS_MS_RAS_CLIENT_NAME					34
#define	RADIUS_MS_RAS_CLIENT_VERSION				35
#define	RADIUS_MS_NETWORK_ACCESS_SERVER_TYPE		47
#define	RADIUS_MS_RAS_CORRELATION					56

// EAP code
#define	EAP_CODE_REQUEST							1
#define	EAP_CODE_RESPONSE							2
#define	EAP_CODE_SUCCESS							3
#define	EAP_CODE_FAILURE							4

// EAP type
#define	EAP_TYPE_IDENTITY							1
#define	EAP_TYPE_LEGACY_NAK							3
#define	EAP_TYPE_PEAP								25
#define	EAP_TYPE_MS_AUTH							26

// MS-CHAPv2 opcodes
#define	EAP_MSCHAPV2_OP_CHALLENGE					1
#define	EAP_MSCHAPV2_OP_RESPONSE					2
#define	EAP_MSCHAPV2_OP_SUCCESS						3

// EAP-TLS flags
#define	EAP_TLS_FLAGS_LEN							0x80
#define	EAP_TLS_FLAGS_MORE_FRAGMENTS				0x40
#define	EAP_TLS_FLAGS_START							0x20


////////// Modern implementation

#ifdef	OS_WIN32
#pragma pack(push, 1)
#endif	// OS_WIN32

struct EAP_MESSAGE
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Data[1500];
} GCC_PACKED;

struct EAP_MSCHAPV2_GENERAL
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Chap_Opcode;
} GCC_PACKED;

struct EAP_MSCHAPV2_CHALLENGE
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Chap_Opcode;
	UCHAR Chap_Id;
	USHORT Chap_Len;
	UCHAR Chap_ValueSize;	// = 16
	UCHAR Chap_ChallengeValue[16];
	char Chap_Name[256];
} GCC_PACKED;

struct EAP_MSCHAPV2_RESPONSE
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Chap_Opcode;
	UCHAR Chap_Id;
	USHORT Chap_Len;
	UCHAR Chap_ValueSize;	// = 49
	UCHAR Chap_PeerChallenge[16];
	UCHAR Chap_Reserved[8];
	UCHAR Chap_NtResponse[24];
	UCHAR Chap_Flags;
	char Chap_Name[256];
} GCC_PACKED;

struct EAP_MSCHAPV2_SUCCESS_SERVER
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Chap_Opcode;
	UCHAR Chap_Id;
	USHORT Chap_Len;
	char Message[256];
} GCC_PACKED;

struct EAP_MSCHAPV2_SUCCESS_CLIENT
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR Chap_Opcode;
} GCC_PACKED;

struct EAP_PEAP
{
	UCHAR Code;
	UCHAR Id;
	USHORT Len;		// = sizeof(Data) + 5
	UCHAR Type;
	UCHAR TlsFlags;
} GCC_PACKED;

#ifdef	OS_WIN32
#pragma pack(pop)
#endif	// OS_WIN32

struct RADIUS_PACKET
{
	UCHAR Code;
	UCHAR PacketId;
	LIST *AvpList;
	UCHAR Authenticator[16];

	UINT Parse_EapAuthMessagePos;
	UINT Parse_AuthenticatorPos;

	EAP_MESSAGE *Parse_EapMessage;
	UINT Parse_EapMessage_DataSize;

	UINT Parse_StateSize;
	UCHAR Parse_State[256];
};

struct RADIUS_AVP
{
	UCHAR Type;
	UINT VendorId;
	UCHAR VendorCode;
	UCHAR Padding[3];
	UCHAR DataSize;
	UCHAR Data[256];
};

struct EAP_CLIENT
{
	REF *Ref;

	SOCK *UdpSock;
	IP ServerIp;
	UINT ServerPort;
	char SharedSecret[MAX_SIZE];
	char ClientIpStr[256];
	char CalledStationStr[256];
	char Username[MAX_USERNAME_LEN + 1];
	UINT ResendTimeout;
	UINT GiveupTimeout;
	UCHAR TmpBuffer[4096];
	UCHAR NextEapId;
	UCHAR LastRecvEapId;

	bool PeapMode;

	UCHAR LastState[256];
	UINT LastStateSize;

	EAP_MSCHAPV2_CHALLENGE MsChapV2Challenge;
	EAP_MSCHAPV2_SUCCESS_SERVER MsChapV2Success;
	UCHAR ServerResponse[20];

	SSL_PIPE *SslPipe;
	UCHAR NextRadiusPacketId;

	BUF *PEAP_CurrentReceivingMsg;
	UINT PEAP_CurrentReceivingTotalSize;
	UCHAR RecvLastCode;

	UINT LastRecvVLanId;
};

void FreeRadiusPacket(RADIUS_PACKET *p);
BUF *GenerateRadiusPacket(RADIUS_PACKET *p, char *shared_secret);
RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size);
RADIUS_PACKET *NewRadiusPacket(UCHAR code, UCHAR packet_id);
RADIUS_AVP *NewRadiusAvp(UCHAR type, UINT vendor_id, UCHAR vendor_code, void *data, UINT size);
RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type);
void RadiusTest();


EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
void ReleaseEapClient(EAP_CLIENT *e);
void CleanupEapClient(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);
void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e);
bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r);
RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r);

bool PeapClientSendMsChapv2AuthRequest(EAP_CLIENT *eap);
bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);

bool StartPeapClient(EAP_CLIENT *e);
bool StartPeapSslClient(EAP_CLIENT *e);
bool SendPeapRawPacket(EAP_CLIENT *e, UCHAR *peap_data, UINT peap_size);
bool SendPeapPacket(EAP_CLIENT *e, void *msg, UINT msg_size);
bool GetRecvPeapMessage(EAP_CLIENT *e, EAP_MESSAGE *msg);


////////// Classical implementation
struct RADIUS_LOGIN_OPTION
{
	bool In_CheckVLanId;
	bool In_DenyNoVlanId;
	UINT Out_VLanId;
	bool Out_IsRadiusLogin;
	char NasId[RADIUS_MAX_NAS_ID_LEN + 1];	// NAS-Identifier
};

// Function prototype
bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
				 RADIUS_LOGIN_OPTION *opt, char *hubname);
BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
BUF *RadiusCreateUserName(wchar_t *username);
BUF *RadiusCreateUserPassword(void *data, UINT size);
BUF *RadiusCreateNasId(char *name);
void RadiusAddValue(BUF *b, UCHAR t, UINT v, UCHAR vt, void *data, UINT size);
LIST *RadiusParseOptions(BUF *b);

#endif	// RADIUS_H