radius_rust/protocol/

host.rs

//! Shared base for RADIUS Client & Server implementations


use super::dictionary::{ Dictionary, DictionaryAttribute, DictionaryValue };
use super::error::RadiusError;
use super::radius_packet::{ RadiusAttribute, RadiusMsgType, RadiusPacket, TypeCode };

use hmac::{ Hmac, Mac };
use md5::Md5;


const IGNORE_VERIFY_ATTRIBUTE: &str = "Message-Authenticator";
type HmacMd5 = Hmac<Md5>;


#[derive(Debug)]
/// Generic struct that holds Server & Client common functions and attributes
pub struct Host {
    auth_port:  u16,
    acct_port:  u16,
    coa_port:   u16,
    dictionary: Dictionary
}

impl Host{
    /// Initialises host instance only with Dictionary (ports should be set through *set_port()*,
    /// otherwise default to 0)
    pub fn with_dictionary(dictionary: Dictionary) -> Host {
        Host {
            auth_port:  0,
            acct_port:  0,
            coa_port:   0,
            dictionary
        }
    }

    /// Sets remote port, that responsible for specific RADIUS Message Type
    pub fn set_port(&mut self, msg_type: RadiusMsgType, port: u16) {
        match msg_type {
            RadiusMsgType::AUTH => self.auth_port = port,
            RadiusMsgType::ACCT => self.acct_port = port,
            RadiusMsgType::COA  => self.coa_port  = port,
        }
    }

    #[allow(dead_code)]
    /// Initialises host instance with all required fields
    pub fn initialise_host(auth_port: u16, acct_port: u16, coa_port: u16, dictionary: Dictionary) -> Host {
        Host { auth_port, acct_port, coa_port, dictionary }
    }


    /// Creates RadiusAttribute with given name (name is checked against Dictionary)
    pub fn create_attribute_by_name(&self, attribute_name: &str, value: Vec<u8>) -> Result<RadiusAttribute, RadiusError> {
        RadiusAttribute::create_by_name(&self.dictionary, attribute_name, value).ok_or(RadiusError::MalformedAttributeError { error: format!("Failed to create: {:?} attribute. Check if attribute exists in provided dictionary file", attribute_name) })
    }

    /// Creates RadiusAttribute with given id (id is checked against Dictionary)
    pub fn create_attribute_by_id(&self, attribute_id: u8, value: Vec<u8>) -> Result<RadiusAttribute, RadiusError> {
        RadiusAttribute::create_by_id(&self.dictionary, attribute_id, value).ok_or(RadiusError::MalformedAttributeError { error: format!("Failed to create: attribute with ID {}. Check if attribute exists in provided dictionary file", attribute_id) })
    }

    /// Returns port of RADIUS server, that receives given type of RADIUS message/packet
    pub fn port(&self, code: &TypeCode) -> Option<u16> {
        match code {
            TypeCode::AccessRequest     => Some(self.auth_port),
            TypeCode::AccountingRequest => Some(self.acct_port),
            TypeCode::CoARequest        => Some(self.coa_port),
            _                           => None
        }
    }

    /// Returns host's dictionary instance
    pub fn dictionary(&self) -> &Dictionary {
        &self.dictionary
    }

    #[allow(dead_code)]
    /// Returns VALUE from dictionary with given attribute & value name
    pub fn dictionary_value_by_attr_and_value_name(&self, attr_name: &str, value_name: &str) -> Option<&DictionaryValue> {
        self.dictionary.values().iter().find(|&value| value.name() == value_name && value.attribute_name() == attr_name)
    }

    /// Returns ATTRIBUTE from dictionary with given id
    pub fn dictionary_attribute_by_id(&self, packet_attr_id: u8) -> Option<&DictionaryAttribute> {
        self.dictionary.attributes().iter().find(|&attr| attr.code() == packet_attr_id)
    }

    #[allow(dead_code)]
    /// Returns ATTRIBUTE from dictionary with given name
    pub fn dictionary_attribute_by_name(&self, packet_attr_name: &str) -> Option<&DictionaryAttribute> {
        self.dictionary.attributes().iter().find(|&attr| attr.name() == packet_attr_name)
    }

    /// Initialises RadiusPacket from bytes
    pub fn initialise_packet_from_bytes(&self, packet: &[u8]) -> Result<RadiusPacket, RadiusError> {
        RadiusPacket::initialise_packet_from_bytes(&self.dictionary, packet)
    }

    /// Verifies that RadiusPacket attributes have valid values
    ///
    /// Note: doesn't verify Message-Authenticator attribute, because it is HMAC-MD5 hash, not an
    /// ASCII string
    pub fn verify_packet_attributes(&self, packet: &[u8]) -> Result<(), RadiusError> {
        let _packet_tmp = RadiusPacket::initialise_packet_from_bytes(&self.dictionary, &packet)?;

        for packet_attr in _packet_tmp.attributes().iter().filter(|&attr| attr.name() != IGNORE_VERIFY_ATTRIBUTE) {
            match self.dictionary_attribute_by_id(packet_attr.id()) {
                None             => return Err( RadiusError::ValidationError {error: format!("Attribute with ID {} may not exist in provided dictionary file, thus verification failed", packet_attr.id())} ),
                Some(_dict_attr) => {
                    let _dict_attr_data_type = _dict_attr.code_type();
                    match packet_attr.verify_original_value(_dict_attr_data_type) {
                        Err(err) => return Err( RadiusError::ValidationError {error: err.to_string()} ),
                        _        => continue
                    }
                }
            }
        }
        Ok(())
    }

    /// Verifies Message-Authenticator value
    pub fn verify_message_authenticator(&self, secret: &str, packet: &[u8]) -> Result<(), RadiusError> {
        // Step 1. Get Message-Authenticator from packet
        let mut _packet_tmp   = RadiusPacket::initialise_packet_from_bytes(&self.dictionary, &packet)?;
        let original_msg_auth = _packet_tmp.message_authenticator()?.to_vec();

        // Step 2. Set Message-Authenticator in packet to [0; 16]
        let zeroed_authenticator = [0; 16];
        _packet_tmp.override_message_authenticator(zeroed_authenticator.to_vec())?;

        // Step 3. Calculate HMAC-MD5 for the packet
        let mut calculated_msg_auth = HmacMd5::new_from_slice(secret.as_bytes()).map_err(|error| RadiusError::ValidationError { error: error.to_string() })?;
        calculated_msg_auth.update(&_packet_tmp.to_bytes());

        // Step 4. Compare calculated hash with the one extracted in Step 1
        match calculated_msg_auth.verify_slice(&original_msg_auth) {
            Ok(())   => Ok(()),
            Err(_) => Err( RadiusError::ValidationError {error: String::from("Packet Message-Authenticator mismatch")} )
        }
    }
}


#[cfg(test)]
mod tests {
    use super::*;
    use crate::protocol::dictionary::SupportedAttributeTypes;

    #[test]
    fn test_get_dictionary_value_by_attr_and_value_name() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let dict_value = host.dictionary_value_by_attr_and_value_name("Service-Type", "Login-User").unwrap();

        assert_eq!("Service-Type", dict_value.attribute_name());
        assert_eq!("Login-User",   dict_value.name());
        assert_eq!("1",            dict_value.value());
    }

    #[test]
    fn test_get_dictionary_value_by_attr_and_value_name_error() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let dict_value = host.dictionary_value_by_attr_and_value_name("Service-Type", "Lin-User");
        assert_eq!(None, dict_value);
    }

    #[test]
    fn test_get_dictionary_attribute_by_id() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let dict_attr = host.dictionary_attribute_by_id(80).unwrap();

        assert_eq!("Message-Authenticator",                    dict_attr.name());
        assert_eq!(80,                                         dict_attr.code());
        assert_eq!(&Some(SupportedAttributeTypes::ByteString), dict_attr.code_type());
    }

    #[test]
    fn test_get_dictionary_attribute_by_id_error() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let dict_attr = host.dictionary_attribute_by_id(255);
        assert_eq!(None, dict_attr);
    }

    #[test]
    fn test_verify_packet_attributes() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let packet_bytes = [4, 43, 0, 86, 215, 189, 213, 172, 57, 94, 141, 70, 134, 121, 101, 57, 187, 220, 227, 73, 4, 6, 192, 168, 1, 10, 5, 6, 0, 0, 0, 0, 32, 10, 116, 114, 105, 108, 108, 105, 97, 110, 30, 19, 48, 48, 45, 48, 52, 45, 53, 70, 45, 48, 48, 45, 48, 70, 45, 68, 49, 31, 19, 48, 48, 45, 48, 49, 45, 50, 52, 45, 56, 48, 45, 66, 51, 45, 57, 67, 8, 6, 10, 0, 0, 100];

        match host.verify_packet_attributes(&packet_bytes) {
            Err(_err) => {
                assert!(false)
            },
            _        => assert!(true)
        }
    }

    #[test]
    fn test_verify_packet_attributes_fail() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);

        let packet_bytes = [4, 43, 0, 85, 215, 189, 213, 172, 57, 94, 141, 70, 134, 121, 101, 57, 187, 220, 227, 73, 4, 5, 192, 168, 10, 5, 6, 0, 0, 0, 0, 32, 10, 116, 114, 105, 108, 108, 105, 97, 110, 30, 19, 48, 48, 45, 48, 52, 45, 53, 70, 45, 48, 48, 45, 48, 70, 45, 68, 49, 31, 19, 48, 48, 45, 48, 49, 45, 50, 52, 45, 56, 48, 45, 66, 51, 45, 57, 67, 8, 6, 10, 0, 0, 100];

        match host.verify_packet_attributes(&packet_bytes) {
            Err(err) => {
                assert_eq!(err.to_string(), String::from("Verification failed for incoming Radius packet: Attribute in Radius packet is malformed: invalid IPv4 bytes"))
            },
            _        => assert!(false)
        }
    }

    #[test]
    fn test_verify_message_authenticator_valid() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);
        let secret     = "secret";

        let packet_bytes = [1, 120, 0, 185, 49, 79, 108, 150, 27, 203, 166, 51, 193, 68, 15, 76, 208, 114, 171, 48, 1, 9, 116, 101, 115, 116, 105, 110, 103, 80, 18, 164, 201, 132, 0, 209, 101, 200, 189, 252, 251, 120, 224, 74, 190, 232, 197, 2, 66, 85, 125, 163, 190, 40, 210, 235, 231, 112, 96, 7, 94, 27, 95, 241, 63, 23, 81, 25, 136, 36, 209, 238, 119, 131, 113, 118, 14, 160, 16, 94, 184, 143, 37, 193, 138, 124, 238, 85, 197, 21, 17, 206, 158, 87, 132, 239, 59, 82, 183, 175, 54, 124, 138, 5, 245, 166, 195, 181, 106, 41, 31, 129, 183, 4, 6, 192, 168, 1, 10, 5, 6, 0, 0, 0, 0, 6, 6, 0, 0, 0, 2, 32, 10, 116, 114, 105, 108, 108, 105, 97, 110, 30, 19, 48, 48, 45, 48, 52, 45, 53, 70, 45, 48, 48, 45, 48, 70, 45, 68, 49, 31, 19, 48, 48, 45, 48, 49, 45, 50, 52, 45, 56, 48, 45, 66, 51, 45, 57, 67, 8, 6, 10, 0, 0, 100];

        match host.verify_message_authenticator(&secret, &packet_bytes) {
            Err(_err) => {
                assert!(false)
            },
            _        => assert!(true)
        }
    }

    #[test]
    fn test_verify_message_authenticator_wo_authenticator() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);
        let secret     = "secret";

        let packet_bytes = [4, 43, 0, 86, 215, 189, 213, 172, 57, 94, 141, 70, 134, 121, 101, 57, 187, 220, 227, 73, 4, 6, 192, 168, 1, 10, 5, 6, 0, 0, 0, 0, 32, 10, 116, 114, 105, 108, 108, 105, 97, 110, 30, 19, 48, 48, 45, 48, 52, 45, 53, 70, 45, 48, 48, 45, 48, 70, 45, 68, 49, 31, 19, 48, 48, 45, 48, 49, 45, 50, 52, 45, 56, 48, 45, 66, 51, 45, 57, 67, 8, 6, 10, 0, 0, 100];

        match host.verify_message_authenticator(&secret, &packet_bytes) {
            Err(err) => {
                assert_eq!(err.to_string(), String::from("Radius packet is malformed: Message-Authenticator attribute not found in packet"))
            },
            _        => assert!(false)
        }
    }

    #[test]
    fn test_verify_message_authenticator_invalid() {
        let dictionary = Dictionary::from_file("./dict_examples/integration_dict").unwrap();
        let host       = Host::initialise_host(1812, 1813, 3799, dictionary);
        let secret     = "secret";

        let packet_bytes = [1, 94, 0, 190, 241, 228, 181, 142, 185, 194, 157, 205, 159, 0, 91, 199, 171, 119, 68, 44, 1, 9, 116, 101, 115, 116, 105, 110, 103, 80, 23, 109, 101, 115, 115, 97, 103, 101, 45, 97, 117, 116, 104, 101, 110, 116, 105, 99, 97, 116, 111, 114, 2, 66, 167, 81, 185, 84, 173, 104, 91, 10, 145, 109, 156, 169, 227, 109, 100, 76, 86, 227, 61, 253, 129, 35, 109, 115, 54, 140, 66, 106, 193, 70, 145, 39, 106, 105, 142, 215, 21, 166, 142, 80, 145, 217, 202, 252, 172, 33, 17, 12, 159, 105, 157, 144, 221, 221, 94, 48, 158, 22, 62, 191, 16, 177, 137, 131, 4, 6, 192, 168, 1, 10, 5, 6, 0, 0, 0, 0, 6, 6, 0, 0, 0, 2, 32, 10, 116, 114, 105, 108, 108, 105, 97, 110, 30, 19, 48, 48, 45, 48, 52, 45, 53, 70, 45, 48, 48, 45, 48, 70, 45, 68, 49, 31, 19, 48, 48, 45, 48, 49, 45, 50, 52, 45, 56, 48, 45, 66, 51, 45, 57, 67, 8, 6, 10, 0, 0, 100];

        match host.verify_message_authenticator(&secret, &packet_bytes) {
            Err(err) => {
                assert_eq!(err.to_string(), String::from("Verification failed for incoming Radius packet: Packet Message-Authenticator mismatch"))
            },
            _        => assert!(false)
        }
    }
}