1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
//! RADIUS Generic Server implementation
use crate::protocol::host::Host;
use crate::protocol::radius_packet::{ RadiusAttribute, RadiusMsgType, RadiusPacket, TypeCode };
use crate::protocol::dictionary::Dictionary;
use crate::protocol::error::RadiusError;
use md5::{ Digest, Md5 };
#[derive(Debug)]
/// Represents RADIUS Generic Server instance
pub struct Server {
host: Host,
allowed_hosts: Vec<String>,
server: String,
secret: String,
retries: u16,
timeout: u16,
}
impl Server {
// === Builder for Server ===
/// Initialise Server instance with dictionary (other fields would be set to default values)
///
/// To be called **first** when creating RADIUS Server instance
pub fn with_dictionary(dictionary: Dictionary) -> Server {
let host = Host::with_dictionary(dictionary);
Server {
host,
allowed_hosts: Vec::new(),
server: String::from(""),
secret: String::from(""),
retries: 1,
timeout: 2,
}
}
/// **Required**
///
/// Sets hostname to which server would bind
pub fn set_server(mut self, server: String) -> Server {
self.server = server;
self
}
/// **Required**
///
/// Sets secret which is used to encode/decode RADIUS packet
pub fn set_secret(mut self, secret: String) -> Server {
self.secret = secret;
self
}
/// **Required**
///
/// Sets allowed hosts, from where Server would be allowed to accept RADIUS requests
pub fn set_allowed_hosts(mut self, allowed_hosts: Vec<String>) -> Server {
self.allowed_hosts = allowed_hosts;
self
}
/// **Required/Optional**
///
/// Sets remote port, that responsible for specific RADIUS Message Type
pub fn set_port(mut self, msg_type: RadiusMsgType, port: u16) -> Server {
self.host.set_port(msg_type, port);
self
}
/// **Optional**
///
/// Sets socket retries, otherwise you would have a default value of 1
pub fn set_retries(mut self, retries: u16) -> Server {
self.retries = retries;
self
}
/// **Optional**
///
/// Sets socket timeout, otherwise you would have a default value of 2
pub fn set_timeout(mut self, timeout: u16) -> Server {
self.timeout = timeout;
self
}
// ===================
/// Returns port of RADIUS server, that receives given type of RADIUS message/packet
pub fn port(&self, code: &TypeCode) -> Option<u16> {
self.host.port(code)
}
/// Returns hostname/FQDN of RADIUS Server
pub fn server(&self) -> &str {
&self.server
}
/// Returns retries
pub fn retries(&self) -> u16 {
self.retries
}
/// Returns timeout
pub fn timeout(&self) -> u16 {
self.timeout
}
/// Returns allowed hosts list
pub fn allowed_hosts(&self) -> &[String] {
&self.allowed_hosts
}
/// Creates RADIUS packet attribute by name, that is defined in dictionary file
///
/// For example, see [Client](crate::client::client::Client::create_attribute_by_name)
pub fn create_attribute_by_name(&self, attribute_name: &str, value: Vec<u8>) -> Result<RadiusAttribute, RadiusError> {
self.host.create_attribute_by_name(attribute_name, value)
}
/// Creates RADIUS packet attribute by id, that is defined in dictionary file
///
/// For example, see [Client](crate::client::client::Client::create_attribute_by_id)
pub fn create_attribute_by_id(&self, attribute_id: u8, value: Vec<u8>) -> Result<RadiusAttribute, RadiusError> {
self.host.create_attribute_by_id(attribute_id, value)
}
/// Creates reply RADIUS packet
///
/// Similar to [Client's create_packet()](crate::client::client::Client::create_packet), however also sets correct packet ID and authenticator
pub fn create_reply_packet(&self, reply_code: TypeCode, attributes: Vec<RadiusAttribute>, request: &mut [u8]) -> RadiusPacket {
let mut reply_packet = RadiusPacket::initialise_packet(reply_code);
reply_packet.set_attributes(attributes);
// We can only create new authenticator after we set reply packet ID to the request's ID
reply_packet.override_id(request[1]);
let authenticator = self.create_reply_authenticator(&reply_packet.to_bytes(), &request[4..20]);
reply_packet.override_authenticator(authenticator);
reply_packet
}
fn create_reply_authenticator(&self, raw_reply_packet: &[u8], request_authenticator: &[u8]) -> Vec<u8> {
// We need to create authenticator as MD5 hash (similar to how client verifies server reply)
let mut md5_hasher = Md5::new();
md5_hasher.update(&raw_reply_packet[0..4]); // Append reply's type code, reply ID and reply length
md5_hasher.update(&request_authenticator); // Append request's authenticator
md5_hasher.update(&raw_reply_packet[20..]); // Append reply's attributes
md5_hasher.update(&self.secret.as_bytes()); // Append server's secret. Possibly it should be client's secret, which sould be stored together with allowed hostnames ?
// ----------------
md5_hasher.finalize().to_vec()
}
/// Verifies incoming RADIUS packet:
///
/// Server would try to build RadiusPacket from raw bytes, and if it succeeds then packet is
/// valid, otherwise would return RadiusError
pub fn verify_request(&self, request: &[u8]) -> Result<(), RadiusError> {
match RadiusPacket::initialise_packet_from_bytes(&self.host.dictionary(), request) {
Err(err) => Err(err),
_ => Ok(())
}
}
/// Verifies RadiusAttributes's values of incoming RADIUS packet:
///
/// Server would try to build RadiusPacket from raw bytes, and then it would try to restore
/// RadiusAttribute original value from bytes, based on the attribute data type, see [SupportedAttributeTypes](crate::protocol::dictionary::SupportedAttributeTypes)
pub fn verify_request_attributes(&self, request: &[u8]) -> Result<(), RadiusError> {
self.host.verify_packet_attributes(&request)
}
/// Initialises RadiusPacket from bytes
///
/// Unlike [verify_request](Server::verify_request), on success this function would return
/// RadiusPacket
pub fn initialise_packet_from_bytes(&self, request: &[u8]) -> Result<RadiusPacket, RadiusError> {
self.host.initialise_packet_from_bytes(request)
}
/// Checks if host from where Server received RADIUS request is allowed host, meaning RADIUS
/// Server can process such request
pub fn host_allowed(&self, remote_host: &std::net::SocketAddr) -> bool {
let remote_host_name = remote_host.to_string();
let remote_host_name: Vec<&str> = remote_host_name.split(':').collect();
self.allowed_hosts.iter().any(|host| host==remote_host_name[0])
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_add_allowed_hosts_and_add_request_handler() {
let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
let server = Server::with_dictionary(dictionary)
.set_server(String::from("0.0.0.0"))
.set_secret(String::from("secret"))
.set_allowed_hosts(vec![String::from("127.0.0.1")]);
assert_eq!(server.allowed_hosts().len(), 1);
}
}