radius's Introduction

Radius

A Go RADIUS library. This project is a fork of jeesta/radius.

Documentation

Example

package main

import (
	"fmt"
	"log"
	"os"
	"os/signal"
	"syscall"

	"github.com/bronze1man/radius"
)

type radiusService struct{}

func (p radiusService) RadiusHandle(request *radius.Packet) *radius.Packet {
	// a pretty print of the request.
	fmt.Printf("[Authenticate] %s\n", request.String())
	npac := request.Reply()
	switch request.Code {
	case radius.AccessRequest:
		// check username and password
		if request.GetUsername() == "a" && request.GetPassword() == "a" {
			npac.Code = radius.AccessAccept
			// add Vendor-specific attribute - Vendor Cisco (code 9) Attribute h323-remote-address (code 23)
			npac.AddVSA( radius.VSA{Vendor: 9, Type: 23, Value: []byte("10.20.30.40")} )
		} else {
			npac.Code = radius.AccessReject
			npac.AddAVP( radius.AVP{Type: radius.ReplyMessage, Value: []byte("you dick!")} )
		}
	case radius.AccountingRequest:
		// accounting start or end
		npac.Code = radius.AccountingResponse
	default:
		npac.Code = radius.AccessAccept
	}
	return npac
}

func main() {
	s := radius.NewServer(":1812", "secret", radiusService{})

	// or you can convert it to a server that accepts requests
	// from several hosts, each with its own secret
	// cls := radius.NewClientList([]radius.Client{
	// 		radius.NewClient("127.0.0.1", "secret1"),
	// 		radius.NewClient("10.10.10.10", "secret2"),
	// })
	// s.WithClientList(cls)

	signalChan := make(chan os.Signal, 1)
	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
	errChan := make(chan error)
	go func() {
		fmt.Println("waiting for packets...")
		err := s.ListenAndServe()
		if err != nil {
			errChan <- err
		}
	}()
	select {
	case <-signalChan:
		log.Println("stopping server...")
		s.Stop()
	case err := <-errChan:
		log.Printf("[ERR] %v", err)
	}
}

Implemented

  • A radius server can handle AccessRequest request from strongswan with ikev1-xauth-psk
  • A radius server can handle AccountingRequest request from strongswan with ikev1-xauth-psk

Notice

  • A radius client has not yet been implemented.
  • It works, but it is not stable.

Reference

TODO

  • avpEapMessaget.Value error handle.
  • Implement eap-MSCHAPV2 server side.
  • Implement radius client side.

radius's People

Contributors

aminalaee, bronze1man, chandler767, donnpebe, jessta, otraore, sergle, tehmaze, thomseddon


radius's Issues

Every Incoming packets are sent to handler even if the hash is not valid

Hello,
Based on my tests, it seems DecodePacket calls the handler even if the hash is insane.
I think the good behavior would be to silently drop malformed packets (perhaps notify but NOT call the handler)

The following decode checks the hash correctly before calling the handler.
tofgau

// Needs the crypto, crypto/hmac and errors packages, plus crypto/md5
// (a blank import is enough) so that crypto.MD5 is registered.
func DecodePacket(Secret string, buf []byte) (p *Packet, err error) {
	// fmt.Printf("\n\ndecEntr*%v", buf)
	if len(buf) < 20 {
		return nil, errors.New("invalid length")
	}
	p = &Packet{Secret: Secret}
	p.Code = PacketCode(buf[0])
	p.Identifier = buf[1]
	copy(p.Authenticator[:], buf[4:20])
	//read attributes
	b := buf[20:]
	for len(b) >= 2 {
		length := uint8(b[1])
		// a length below 2 would make b[2:length] panic
		if length < 2 || int(length) > len(b) {
			return nil, errors.New("invalid length")
		}
		attr := AVP{}
		attr.Type = AttributeType(b[0])
		attr.Value = append(attr.Value, b[2:length]...)
		p.AVPs = append(p.AVPs, attr)
		b = b[length:]
	}

	//Verify Message-Authenticator, and tested to verify the algorithm is correct here
	//	err = p.checkMessageAuthenticator()
	//Tofgau 201812 : this is not used anymore

	//tofau : Dump Original Buffer
	//fmt.Printf("\n\n****BUF0 %x", buf)
	oldAuth := p.Authenticator
	//fmt.Printf("\n****PKHASH %x", oldAuth)

	//Duplicate the buffer and white the hash part
	tmp := make([]byte, len(buf))
	copy(tmp, buf)
	var white [16]byte
	copy(tmp[4:20], white[:])

	//tofau : Calculate a hash on this new buffer concatenated with the secret
	hasher := crypto.Hash(crypto.MD5).New()
	hasher.Write(tmp)
	hasher.Write([]byte(p.Secret))

	calculatedHash := hasher.Sum(nil)

	//tofau :
	//fmt.Printf("\n****MYHASH %x", calculatedHash)

	if !hmac.Equal(calculatedHash, oldAuth[:]) {
		//fmt.Printf("\n\nINVALID PACKET")
		return p, ErrMessageAuthenticatorCheckFail
	} else {
		//fmt.Printf("\n\nVALID PACKET")
	}

	return p, nil

	/* suppressed by tofgau
	if err != nil {

		return p, err
	}

	return p, nil
	*/

}
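An added example, not code from the library or from the issue's author: a stand-alone check of the kind this issue asks for, run on the raw datagram before any handler is called. The MD5-over-zeroed-authenticator comparison is the rule RFC 2866 defines for Accounting-Request (code 4); for Access-Request and Status-Server the authenticator is a random value, so the proof of the shared secret is the Message-Authenticator attribute (type 80, HMAC-MD5). `VerifyRequest` and `proof` are hypothetical names, the sample packet is constructed, and refusing requests that carry no Message-Authenticator is a policy assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"fmt"
)

// proof recomputes the 16-byte field at off over pkt with that field zeroed:
// MD5(pkt+secret) for Accounting-Request (code 4), HMAC-MD5(secret, pkt) otherwise.
func proof(pkt []byte, off int, secret []byte) []byte {
	tmp := append([]byte(nil), pkt...)
	copy(tmp[off:off+16], make([]byte, 16))
	if pkt[0] == 4 {
		sum := md5.Sum(append(tmp, secret...))
		return sum[:]
	}
	h := hmac.New(md5.New, secret)
	h.Write(tmp)
	return h.Sum(nil)
}

// VerifyRequest (hypothetical name) reports whether pkt proves knowledge of secret.
func VerifyRequest(pkt, secret []byte) bool {
	if len(pkt) < 20 || int(pkt[2])<<8|int(pkt[3]) != len(pkt) {
		return false // Length field must match the datagram (assumes no padding)
	}
	off := -1 // no Message-Authenticator seen; staying -1 means refuse (policy assumption)
	if pkt[0] == 4 {
		off = 4 // Accounting-Request: the Request Authenticator itself is the proof
	}
	for i := 20; i < len(pkt); i += int(pkt[i+1]) {
		if i+2 > len(pkt) || pkt[i+1] < 2 || i+int(pkt[i+1]) > len(pkt) {
			return false // truncated or undersized attribute
		}
		if pkt[0] != 4 && pkt[i] == 80 && pkt[i+1] == 18 {
			off = i + 2 // value of Message-Authenticator (type 80, length 18)
		}
	}
	return off >= 0 && hmac.Equal(proof(pkt, off, secret), pkt[off:off+16])
}

func main() {
	// Constructed Status-Server (code 12, id 7) with one Message-Authenticator attribute.
	pkt := append([]byte{12, 7, 0, 38}, make([]byte, 34)...)
	pkt[20], pkt[21] = 80, 18
	copy(pkt[22:], proof(pkt, 22, []byte("mysecret")))
	fmt.Println(VerifyRequest(pkt, []byte("mysecret")), VerifyRequest(pkt, []byte("wrong")))
}
```

A server would drop the datagram, without calling the handler, whenever `VerifyRequest` returns false.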

Solid library but what about custom messages

Hi,
Really like this library. Although, I need to send back bandwidth up and down message when accepting a request, for traffic shaping. Do you have any suggestions where in the code would be best to attack?
Thanks

How to get VSA from request?

I can not understand how the query extracted VSA attribute.

If I do:

attr := request.GetAVP(radius.VendorSpecific)

then it extracts the first one.

I have 27 such parameters, how to find what I need?

As a temporary solution I wrote this function:

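// needs "encoding/binary" imported
func getVSA(vendor uint32, attr uint8, p *radius.Packet) *radius.VSA {
	for i := range p.AVPs {
		if p.AVPs[i].Type == radius.VendorSpecific {
			value := p.AVPs[i].Value
			// a value under 6 bytes would panic on the indexing below; a
			// sub-attribute length under 2 or past the end gives a wrong-sized Value
			if len(value) < 6 || value[5] < 2 || int(value[5]) > len(value)-4 {
				continue
			}
			vsa := new(radius.VSA)
			vsa.Vendor = binary.BigEndian.Uint32(value[0:4])
			vsa.Type = uint8(value[4])
			vsa.Value = make([]byte, value[5]-2)
			copy(vsa.Value, value[6:])
			if vsa.Type == attr && vsa.Vendor == vendor {
				return vsa
			}
		}
	}
	return nil
}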
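An added example, not part of the original post or of the library: the function above reads only the first sub-attribute of each Vendor-Specific value, while RFC 2865 allows several sub-attributes to be packed into one. This sketch works on the raw attribute values, walks every sub-attribute and checks each peer-supplied length before slicing. `SubAttr`, `ParseVSA` and `FindVSA` are hypothetical names, the sample value is constructed, and the vendor-type/vendor-length/data layout is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SubAttr is one vendor sub-attribute (hypothetical type, not the library's radius.VSA).
type SubAttr struct {
	Vendor uint32
	Type   uint8
	Value  []byte // aliases the input buffer
}

// ParseVSA splits the value of one Vendor-Specific (type 26) attribute into its
// sub-attributes, assuming the type/length/data layout RFC 2865 recommends.
func ParseVSA(value []byte) ([]SubAttr, error) {
	if len(value) < 6 {
		return nil, errors.New("vsa: too short for vendor id and one sub-attribute")
	}
	vendor := binary.BigEndian.Uint32(value[:4])
	var out []SubAttr
	for b := value[4:]; len(b) > 0; b = b[b[1]:] {
		if len(b) < 2 || b[1] < 2 || int(b[1]) > len(b) {
			return nil, errors.New("vsa: bad sub-attribute length")
		}
		out = append(out, SubAttr{Vendor: vendor, Type: b[0], Value: b[2:b[1]]})
	}
	return out, nil
}

// FindVSA returns the first sub-attribute matching vendor and typ; malformed values are skipped.
func FindVSA(values [][]byte, vendor uint32, typ uint8) *SubAttr {
	for _, v := range values {
		subs, _ := ParseVSA(v)
		for i := range subs {
			if subs[i].Vendor == vendor && subs[i].Type == typ {
				return &subs[i]
			}
		}
	}
	return nil
}

func main() {
	// Constructed value: vendor 9, sub-attributes 1 ("a=b") and 23 ("10.20.30.40").
	v := append([]byte{0, 0, 0, 9, 1, 5, 'a', '=', 'b', 23, 13}, "10.20.30.40"...)
	fmt.Printf("%s\n", FindVSA([][]byte{v}, 9, 23).Value)
}
```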

The message authenticator of Access-Accept from Server-Status message reply is not correct

Used the library to create an Access-Accept reply to a Server-Status message from a radius client. The message authenticator calculated is not correct! We can test using radclient (a standard freeradius-server client!)

echo "Client-IP-Address=192.168.1.10, Called-Station-Id=00:00:00:00:a3:58" | radclient -c 1 -r 1 -t 5 -x 10.65.1.10 status mysecret

Sent Status-Server Id 7 from 0.0.0.0:49396 to 10.65.1.10:1812 length 39
Client-IP-Address = 192.168.1.10
Called-Station-Id = "00:00:00:00:a3:58"
(0) Reply verification failed: Received packet from 10.65.1.10 with invalid Message-Authenticator!  (Shared secret is incorrect.)

Can you provide VSA an array format?

npac.AddVSA( radius.VSA{Vendor: 9, Type: 23, Value: []byte("10.20.30.40")} )

radius26 attributes.

For example:

npac.VSAadd(1, []byte{0x00, 0x00, 0x11, 0x2b}) // type:1 InputBasicRate

npac.VSAadd(12, []byte{0x00, 0x00, 0x11, 0x2b}) // type:2 InputAverageRate
