Starship/node-radius-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: a lot of bug fixes, first running version for windows and android :)

Browse Source 
code is super ugly right now.. please don't judge
This commit is contained in:
simon
2020-02-22 02:32:12 +01:00
parent 7e28c60d81
commit 0cb807a555
21 changed files with 449 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
src/app.ts
View File

@@ -3,27 +3,15 @@ import * as radius from 'radius';
// import * as dgram from "dgram";
// import * as fs from 'fs';
import { EAPHandler } from './eap';
import { makeid } from './helpers';
import { IDeferredPromise, makeid, MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from './helpers';
import { LDAPAuth } from './ldap';
import { GoogleLDAPAuth } from './auth/google-ldap';
import { AdditionalAuthHandler } from './types/Handler';
const server = dgram.createSocket('udp4');
// not used right now, using stunnel to connect to ldap
/* const tlsOptions = {
key: fs.readFileSync('ldap.gsuite.hokify.com.40567.key'),
cert: fs.readFileSync('ldap.gsuite.hokify.com.40567.crt'),
// This is necessary only if using the client certificate authentication.
requestCert: true,
// This is necessary only if the client uses the self-signed certificate.
ca: [fs.readFileSync('ldap.gsuite.hokify.com.40567.key')]
}; */
const { argv } = require('yargs')
.usage('Simple Google LDAP <> RADIUS Server\nUsage: $0')
.usage('RADIUS Server\nUsage: $0')
.example('$0 --port 1812 -s radiussecret')
.default({
port: 1812,
@@ -46,9 +34,39 @@ console.log(`LDAP Server: ${argv.ldapServer}`);
// const ldap = new LDAPAuth({url: 'ldap://ldap.google.com', base: 'dc=hokify,dc=com', uid: 'uid', tlsOptions});
const ldap = new LDAPAuth(argv.ldapServer, argv.baseDN);
const ldap = new GoogleLDAPAuth(argv.ldapServer, argv.baseDN);
const eapHandler = new EAPHandler();
const timeout: { [key: string]: NodeJS.Timeout } = {};
const waitForNextMsg: { [key: string]: IDeferredPromise } = {};
function sendToClient(
msg: string | Uint8Array,
offset: number,
length: number,
port?: number,
address?: string,
callback?: (error: Error | null, bytes: number) => void,
stateForRetry?: string
): void {
let retried = 0;
function sendResponse() {
console.log(`sending response... (try: ${retried})`);
server.send(msg, offset, length, port, address, (error: Error | null, bytes: number) => {
// all good
if (callback) callback(error, bytes);
});
if (stateForRetry && retried < 3) {
// timeout[stateForRetry] = setTimeout(sendResponse, 600 * (retried+1));
}
retried++;
}
sendResponse();
}
server.on('message', async function(msg, rinfo) {
const packet = radius.decode({ packet: msg, secret: argv.secret });
@@ -57,7 +75,6 @@ server.on('message', async function(msg, rinfo) {
console.log('unknown packet type: ', packet.code);
return;
}
// console.log('packet.attributes', packet.attributes);
// console.log('rinfo', rinfo);
@@ -90,7 +107,7 @@ server.on('message', async function(msg, rinfo) {
});
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
server.send(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
sendToClient(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
@@ -99,15 +116,22 @@ server.on('message', async function(msg, rinfo) {
if (packet.attributes['EAP-Message']) {
const state = (packet.attributes.State && packet.attributes.State.toString()) || makeid(16);
// EAP MESSAGE
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, {
if (timeout[state]) {
clearTimeout(timeout[state]);
}
const handlers = {
response: (EAPMessage: Buffer) => {
const attributes: any = [['State', Buffer.from(state)]];
let sentDataSize = 0;
do {
if (EAPMessage.length > 0) {
attributes.push(['EAP-Message', EAPMessage.slice(sentDataSize, sentDataSize + 253)]);
sentDataSize += 253;
attributes.push([
'EAP-Message',
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
]);
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
}
} while (sentDataSize < EAPMessage.length);
@@ -118,14 +142,34 @@ server.on('message', async function(msg, rinfo) {
attributes
});
server.send(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
});
waitForNextMsg[state] = newDeferredPromise();
sendToClient(
response,
0,
response.length,
rinfo.port,
rinfo.address,
function(err, _bytes) {
if (err) {
console.log('Error sending response to ', rinfo);
}
},
state
);
return waitForNextMsg[state].promise;
},
checkAuth
});
};
if (waitForNextMsg[state]) {
const identifier = packet.attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
}
// EAP MESSAGE
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, handlers);
} else {
const username = packet.attributes['User-Name'];
const password = packet.attributes['User-Password'];

7
src/ldap.ts → src/auth/google-ldap.ts
View File

@@ -1,13 +1,14 @@
import * as NodeCache from 'node-cache';
import { createClient, Client } from 'ldapjs';
import { IAuthentication } from '../types/Authentication';
const usernameFields = ['posixUid', 'mail'];
// TLS:
// https://github.com/ldapjs/node-ldapjs/issues/307
export class LDAPAuth {
export class GoogleLDAPAuth implements IAuthentication {
cache = new NodeCache();
ldap: Client;
@@ -24,7 +25,7 @@ export class LDAPAuth {
this.fetchDNs();
}
async fetchDNs() {
private async fetchDNs() {
const dns: { [key: string]: string } = {};
await new Promise((resolve, reject) => {
@@ -119,6 +120,6 @@ export class LDAPAuth {
this.cache.set(cacheKey, true, 86400);
return true;
return username;
}
}

80
src/eap.ts
View File

@@ -4,6 +4,7 @@
// https://tools.ietf.org/html/draft-funk-eap-ttls-v1-00 TTLS v1 (not implemented)
import { IResponseHandlers, ResponseHandler } from './types/Handler';
import { EAPTTLS } from './eap/eap-ttls';
import { MAX_RADIUS_ATTRIBUTE_SIZE } from './helpers';
export class EAPHandler {
eapTTLS: EAPTTLS;
@@ -17,28 +18,35 @@ export class EAPHandler {
* @param data
* @param type 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
*/
private sendEAPResponse(
private async sendEAPResponse(
response: ResponseHandler,
identifier: number,
data?: Buffer,
msgType = 21,
msgFlags = 0x00
) {
const maxFragmentSize = 1400; // @todo .. take framed-mtu into account from AVPs
let i = 0;
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
let sentDataSize = 0;
let currentIdentifier = identifier;
let currentResponse = response;
do {
const fragmentMaxPart =
data && (i + 1) * maxFragmentSize > data.length ? undefined : (i + 1) * maxFragmentSize;
const sslPart = data && data.slice(i * maxFragmentSize, fragmentMaxPart);
console.log('sslPart', sslPart, i, maxFragmentSize, i * maxFragmentSize, fragmentMaxPart);
// SLICE
const includeLength =
data &&
i === 0 &&
fragmentMaxPart !== undefined; /* firsrt one and we have more, therefore include length */
// const fragmentMaxPart =
// data && (i + 1) * maxFragmentSize > data.length ? (i + 1) * maxFragmentSize : undefined;
const dataPart = data && data.length > 0 && data.slice(sentDataSize, sentDataSize + maxSize);
/* it's the first one and we have more, therefore include length */
const includeLength = data && i === 0 && sentDataSize < data.length;
sentDataSize += maxSize;
// console.log('includeLength', includeLength, fragmentMaxPart, i)
i += 1;
/*
@@ -62,11 +70,13 @@ export class EAPHandler {
const flags =
msgFlags +
(includeLength ? 0b10000000 : 0) + // set L bit
(fragmentMaxPart /* we have more */ ? 0b01000000 : 0); // set M bit
(data && sentDataSize < data.length /* we have more */ ? 0b01000000 : 0); // set M bit
currentIdentifier++;
let buffer = Buffer.from([
1, // request
identifier + 1,
currentIdentifier,
0, // length (1/2)
0, // length (2/2)
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
@@ -81,15 +91,16 @@ export class EAPHandler {
buffer = Buffer.concat([buffer, length]);
}
const resBuffer = sslPart ? Buffer.concat([buffer, sslPart]) : buffer;
const resBuffer = dataPart ? Buffer.concat([buffer, dataPart]) : buffer;
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
console.log('EAP RESPONSE', {
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
code: 1,
identifier: identifier + 1,
length: (includeLength && data && data.byteLength) || 0,
msgType,
flags,
currentIdentifier,
includeLength,
length: (data && data.byteLength) || 0,
msgType: msgType.toString(10),
flags: `00000000${flags.toString(2)}`.substr(-8),
data
});
@@ -98,13 +109,14 @@ export class EAPHandler {
// buffer.writeInt8(21, 4); // eap-ttls
// buffer.writeInt8(0, 5); // flags
/*
@todo: this is wrong,
if there are more messages, add them to a queue
and process the next one when client has ack. (message without data)
*/
response(resBuffer);
} while (data && i * maxFragmentSize < data.length);
console.log('sending message with identifier', currentIdentifier);
({ identifier: currentIdentifier, response: currentResponse } = await currentResponse(
resBuffer
));
console.log('next message got identifier', currentIdentifier);
} while (data && sentDataSize < data.length);
console.log('DONE', sentDataSize, data && data.length);
}
handleEAPMessage(msg: Buffer, state: string, handlers: IResponseHandlers) {
@@ -148,8 +160,7 @@ export class EAPHandler {
Message Length | Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
console.log('RESPONDING WITH IDENTIDY / START');
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
this.sendEAPResponse(handlers.response, identifier, undefined, 21, 0x20);
@@ -167,14 +178,17 @@ export class EAPHandler {
break;
case 21: // EAP TTLS
this.eapTTLS.handleMessage(msg, state, handlers, identifier);
return;
break;
case 3: // nak
this.sendEAPResponse(handlers.response, identifier, undefined, 3);
// this.sendEAPResponse(handlers.response, identifier, undefined, 3);
break;
case 2: // notification
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
console.info('notification');
break;
case 4: // md5-challenge
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
console.info('md5-challenge');
break;
case 254: // expanded type
@@ -183,7 +197,11 @@ export class EAPHandler {
break;
default:
console.error('unsupported type', type);
// we do not support this auth type, ask for TTLS
console.error('unsupported type', type, 'requesting TTLS (21)');
this.sendEAPResponse(handlers.response, identifier, Buffer.from([21]), 3);
break;
}
break;

4
src/eap/challenges/pap.ts
View File

@@ -1,6 +1,6 @@
import { IAuthChallenge } from '../../types/AuthChallenge';
import { IEAPChallenge } from '../../types/EAPChallenge';
export class PAPChallenge implements IAuthChallenge {
export class PAPChallenge implements IEAPChallenge {
// i couldn't find any documentation about it, therefore best guess how this is processed...
// http://www.networksorcery.com/enp/rfc/rfc1334.txt ?

88
src/eap/eap-ttls.ts
View File

@@ -1,10 +1,16 @@
/* eslint-disable no-bitwise */
import * as events from 'events';
import * as tls from 'tls';
import { encodeTunnelPW, openTLSSockets, startTLSServer } from '../tls/crypt';
import { AdditionalAuthHandler, IResponseHandlers } from '../types/Handler';
import { AdditionalAuthHandler, ResponseAuthHandler } from '../types/Handler';
import { PAPChallenge } from './challenges/pap';
import { IEAPType } from '../types/EAPType';
interface IEAPResponseHandlers {
response: (respData?: Buffer, msgType?: number) => void;
checkAuth: ResponseAuthHandler;
}
export class EAPTTLS implements IEAPType {
papChallenge: PAPChallenge;
@@ -12,23 +18,48 @@ export class EAPTTLS implements IEAPType {
this.papChallenge = new PAPChallenge();
}
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
const flags = msg.slice(5, 6); // .toString('hex');
decode(msg: Buffer) {
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
// if (flags)
// @todo check if "L" flag is set in flags
const msglength = msg.slice(6, 10).readInt32BE(0); // .toString('hex');
const data = msg.slice(6, msg.length); // 10); //.toString('hex');
const decodedFlags = {
lengthIncluded: flags & 0b010000000,
moreFragments: flags & 0b001000000,
start: flags & 0b000100000,
reserved: flags & 0b000011000,
version: flags & 0b010000111
};
let msglength;
if (decodedFlags.lengthIncluded) {
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
}
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
return {
decodedFlags,
msglength,
data
};
}
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
const { decodedFlags, msglength, data } = this.decode(msg);
// check if no data package is there and we have something in the queue, if so.. empty the queue first
if (!data) {
if (!data || data.length === 0) {
// @todo: queue processing
console.warn('no data, just a confirmation!');
console.warn(
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
);
return;
}
console.log('incoming EAP TTLS', {
flags /*
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
// flags: `00000000${flags.toString(2)}`.substr(-8),
decodedFlags,
identifier,
/*
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| L | M | S | R | R | V |
@@ -39,14 +70,15 @@ export class EAPTTLS implements IEAPType {
S = Start
R = Reserved
V = Version (000 for EAP-TTLSv0)
*/,
*/
msglength,
data,
dataStr: data.toString()
});
let currentConnection = openTLSSockets.get(state) as
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IResponseHandlers }
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IEAPResponseHandlers }
| undefined;
if (!currentConnection) {
const connection = startTLSServer();
@@ -71,12 +103,15 @@ export class EAPTTLS implements IEAPType {
// pwd not found..
console.error('pwd not found', err);
// NAK
currentConnection!.currentHandlers.response(undefined, 3);
/*
this.sendEAPResponse(
currentConnection!.currentHandlers.response,
identifier,
undefined,
3
);
); */
currentConnection!.events.emit('end');
throw new Error(`pwd not found`);
}
@@ -85,16 +120,28 @@ export class EAPTTLS implements IEAPType {
console.log('data', incomingData);
console.log('data str', incomingData.toString());
currentConnection!.events.emit('end');
throw new Error(`unsupported auth type${type}`);
// currentConnection!.events.emit('end');
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
// throw new Error(`unsupported auth type${type}`);
currentConnection!.currentHandlers.response(Buffer.from([1]), 3);
/*
this.sendEAPResponse(
currentConnection!.currentHandlers.response,
identifier,
Buffer.from([1]),
3
); */
}
});
currentConnection.events.on('response', (responseData: Buffer) => {
console.log('sending encrypted data back to client', responseData);
// console.log('sending encrypted data back to client', responseData);
// send back...
this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
currentConnection!.currentHandlers.response(responseData);
// this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
// this.sendMessage(TYPE.PRELOGIN, data, false);
});
@@ -103,13 +150,14 @@ export class EAPTTLS implements IEAPType {
console.log('ENDING SOCKET');
openTLSSockets.del(state);
});
} else {
} /* else {
console.log('using existing socket');
}
} */
// update handlers
currentConnection.currentHandlers = {
...handlers,
response: (respData?: Buffer, msgType?: number) =>
this.sendEAPResponse(handlers.response, identifier, respData, msgType),
checkAuth: (username: string, password: string) => {
const additionalAuthHandler: AdditionalAuthHandler = (success, params) => {
const buffer = Buffer.from([
@@ -138,7 +186,7 @@ export class EAPTTLS implements IEAPType {
'ttls keying material'
);
console.log('keyingMaterial', keyingMaterial);
// console.log('keyingMaterial', keyingMaterial);
// eapKeyData + len
params.attributes.push([

30
src/helpers.ts
View File

@@ -7,3 +7,33 @@ export function makeid(length) {
}
return result;
}
export const MAX_RADIUS_ATTRIBUTE_SIZE = 253;
export interface IDeferredPromise {
promise: Promise<any>;
resolve: (value?: unknown) => Promise<void>;
reject: (reason?: any) => Promise<void>;
}
export const newDeferredPromise = (): IDeferredPromise => {
if (Promise && !('deferred' in Promise)) {
let fResolve;
let fReject;
const P = new Promise((resolve, reject) => {
fResolve = resolve;
fReject = reject;
});
return {
promise: P,
resolve: fResolve,
reject: fReject
};
}
return (Promise as any).deferred;
};
export const delay = (timeout: number) =>
new Promise(resolve => setTimeout(() => resolve(), timeout));

22
src/tls/crypt.ts
View File

@@ -5,14 +5,21 @@ import { createSecureContext } from 'tls';
import * as fs from 'fs';
import * as crypto from 'crypto';
import * as DuplexPair from 'native-duplexpair';
import * as constants from 'constants';
import { makeid } from '../helpers';
import * as config from '../../config';
// https://nodejs.org/api/tls.html
const tlsOptions = {
cert: fs.readFileSync('./ssl/public-cert.pem'),
key: fs.readFileSync('./ssl/private-key.pem'),
ecdhCurve: 'auto'
const tlsOptions: tls.SecureContextOptions = {
...config.certificate,
// ca: fs.readFileSync('./ssl/server.pem'),
// eslint-disable-next-line no-bitwise
secureOptions: constants.SSL_OP_NO_TICKET // : constants.SSL_OP_NO_TLSv1_2 | constants.SSL_OP_NO_TLSv1_1,
// honorCipherOrder: true
// secureOptions:
// ecdhCurve: 'auto'
};
console.log('tlsOptions', tlsOptions);
const secureContext = createSecureContext(tlsOptions);
export const openTLSSockets = new NodeCache({ useClones: false, stdTTL: 3600 }); // keep sockets for about one hour
@@ -22,7 +29,11 @@ export function startTLSServer(): { events: events.EventEmitter; tls: tls.TLSSoc
const cleartext = new tls.TLSSocket(duplexpair.socket1, {
secureContext,
isServer: true
isServer: true,
enableTrace: true,
rejectUnauthorized: false,
// handshakeTimeout: 10,
requestCert: false
});
const encrypted = duplexpair.socket2;
@@ -71,6 +82,7 @@ export function startTLSServer(): { events: events.EventEmitter; tls: tls.TLSSoc
console.log('*********** new client connection established / secured ********');
// this.emit('secure', securePair.cleartext);
// this.encryptAllFutureTraffic();
console.log('GET FINSIHED', cleartext.getFinished());
});
cleartext.on('error', (err?: Error) => {

3
src/types/Authentication.ts Normal file
View File

@@ -0,0 +1,3 @@
export interface IAuthentication {
authenticate(username: string, password: string): Promise<string>;
}

2
src/types/AuthChallenge.ts → src/types/EAPChallenge.ts
View File

@@ -1,3 +1,3 @@
export interface IAuthChallenge {
export interface IEAPChallenge {
decode(data: Buffer): { username: string; password: string };
}

2
src/types/EAPType.ts
View File

@@ -1,3 +1,3 @@
export interface IEAPType {
handleMessage(msg: Buffer, state: string, handlers, identifier: number)
handleMessage(msg: Buffer, state: string, handlers, identifier: number);
}

4
src/types/Handler.ts
View File

@@ -1,6 +1,8 @@
import { RadiusPacket } from 'radius';
export type ResponseHandler = (msg: Buffer) => void;
export type ResponseHandler = (
msg: Buffer
) => Promise<{ identifier: number; response: ResponseHandler }>;
export type ResponseAuthHandler = (
username: string,
password: string,