2 * state.c To generate and verify State attribute
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
28 static const char rcsid[] = "$Id$";
31 * Global key to generate & verify State
33 * This is needed only once per instance of the server,
34 * and putting it in the rlm_eap_t is just too much effort.
36 * Putting it here is ugly, but it works.
38 static int key_initialized = 0;
39 static unsigned char state_key[AUTH_VECTOR_LEN];
42 * Generate & Verify the State attribute
44 * In the simplest implementation, we would just use the
45 * challenge as state. Unfortunately, the RADIUS secret protects
46 * only the User-Password attribute; an attacker that can remove
47 * packets from the wire and insert new ones can simply insert a
48 * replayed state without having to know the secret.
50 * However, RADIUS packets containing EAP conversations MUST be
51 * signed with Message-Authenticator, at which point, they MUST
52 * know the secret, in order to get to the EAP module. And if
53 * they know the secret, they can do many worse things than
54 * re-playing a State attribute. Their only alternative is to
55 * re-play entire packets, which is caught by the server core.
57 * In any case, we sign our state with data unique to this
58 * specific request. A NAS would use the Request Authenticator,
59 * we don't know what that will be when the State is returned to
60 * us, so we'll use a time stamp.
62 * Our replay prevention is limited to a time interval
63 * (inst->maxdelay). We could keep track of all challenges
64 * issued over that time interval, to ensure that the challenges
65 * were unique. However, they're 8-bytes of data from a good
66 * PRNG, which means that it's pretty damn unlikely that they'll
69 * Our state, then, is (challenge + hmac(challenge + time, key)),
70 * where '+' denotes concatentation, 'challenge' is the octets
71 * of the challenge, 'time' is the 'time_t' in host byte order,
72 * and 'key' is a random key, generated once in eap_init().
74 * This means that only the server which generates a challenge
75 * can verify it; this should be OK if your NAS's load balance
76 * across RADIUS servers by a "first available" algorithm. If
77 * your NAS's round-robin (ugh), you could use the RADIUS
78 * secret instead, but read RFC 2104 first, and make very sure
79 * you really want to do this.
81 void generate_key(void)
85 if (key_initialized) return;
88 * Use a cryptographically strong method to generate
89 * pseudo-random numbers.
91 for (i = 0; i < sizeof(state_key); i++) {
92 state_key[i] = lrad_rand();
99 * For clarity. Also, to avoid giving away
100 * too much information, we only put 8 octets of the HMAC
101 * into the State attribute, instead of all 16.
103 * As a security feature, it's a little hokey, but WTF.
105 * Also, ensure that EAP_CHALLENGE_LEN + EAP_USE_OF_HMAC = EAP_STATE_LEN
107 #define EAP_CHALLENGE_LEN (8)
108 #define EAP_HMAC_SIZE (16)
109 #define EAP_USE_OF_HMAC (8)
112 * Our state, is (challenge + time + hmac(challenge + time, key))
114 * If it's too long, then some clients chop it (sigh)
116 VALUE_PAIR *generate_state(time_t timestamp)
119 unsigned char challenge[EAP_CHALLENGE_LEN];
120 unsigned char hmac[EAP_HMAC_SIZE];
121 unsigned char value[EAP_CHALLENGE_LEN + sizeof(timestamp)];
124 /* Generate challenge (a random value). */
125 for (i = 0; i < sizeof(challenge); i++) {
126 challenge[i] = lrad_rand();
129 memcpy(value, challenge, sizeof(challenge));
130 memcpy(value + sizeof(challenge), ×tamp, sizeof(timestamp));
133 * hmac(challenge + timestamp)
135 lrad_hmac_md5(value, sizeof(value),
136 state_key, sizeof(state_key), hmac);
139 * Create the state attribute.
141 * Note that the timestamp is used internally, but is NOT
142 * sent to the client!
144 state = paircreate(PW_STATE, PW_TYPE_OCTETS);
146 radlog(L_ERR, "rlm_eap: out of memory");
149 memcpy(state->vp_strvalue, challenge, sizeof(challenge));
150 memcpy(state->vp_strvalue + sizeof(challenge), hmac,
153 state->length = sizeof(challenge) + EAP_USE_OF_HMAC;
159 * Returns 0 on success, non-zero otherwise.
161 int verify_state(VALUE_PAIR *state, time_t timestamp)
163 unsigned char hmac[EAP_HMAC_SIZE];
164 unsigned char value[EAP_CHALLENGE_LEN + sizeof(timestamp)];
167 * The length is wrong. Don't do anything.
169 if (state->length != EAP_STATE_LEN) {
174 * The first 16 octets of the State attribute constains
175 * the random challenge.
177 memcpy(value, state->vp_strvalue, EAP_CHALLENGE_LEN);
178 memcpy(value + EAP_CHALLENGE_LEN, ×tamp, sizeof(timestamp));
181 lrad_hmac_md5(value, sizeof(value),
182 state_key, sizeof(state_key), hmac);
185 * Compare the hmac we calculated to the one in the
188 return memcmp(hmac, state->vp_strvalue + EAP_CHALLENGE_LEN,