parent
c285a15bee
commit
42a05b069f
@ -1,31 +1,32 @@
|
|||||||
{
|
{
|
||||||
"name": "radius-server",
|
"name": "radius-server",
|
||||||
"description": "radius server for google LDAP and TTLT",
|
"description": "radius server for google LDAP and TTLT",
|
||||||
"version": "0.0.1",
|
"version": "0.0.1",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
"start": "/home/simon/Dev/others/node/node dist/app.js",
|
"start": "/home/simon/Dev/others/node/node dist/app.js",
|
||||||
"build": "tsc",
|
"build": "tsc",
|
||||||
"dev": "ts-node src/app.ts",
|
"dev": "ts-node src/app.ts",
|
||||||
"test-ttls-pap": "eapol_test -c ./ttls-pap.conf -s testing123",
|
"test-ttls-pap": "eapol_test -c ./ttls-pap.conf -s testing123",
|
||||||
"create-certificate": "sh ./ssl/create.sh && sh ./ssl/sign.sh"
|
"create-certificate": "sh ./ssl/create.sh && sh ./ssl/sign.sh"
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"native-duplexpair": "^1.0.0",
|
"native-duplexpair": "^1.0.0",
|
||||||
"ldapjs": "^1.0.2",
|
"ldapjs": "^1.0.2",
|
||||||
"node-cache": "^5.1.0",
|
"node-cache": "^5.1.0",
|
||||||
"radius": "~1.1.4",
|
"radius": "~1.1.4",
|
||||||
"ts-node": "^8.6.2",
|
"ts-node": "^8.6.2",
|
||||||
"type-cacheable": "^4.0.0",
|
"type-cacheable": "^4.0.0",
|
||||||
"yargs": "~15.1.0",
|
"yargs": "~15.1.0",
|
||||||
"md5": "^2.2.1",
|
"md5": "^2.2.1",
|
||||||
"passport-ldapauth": "^2.1.3"
|
"passport-ldapauth": "^2.1.3"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"license": "GPLv3",
|
||||||
"@types/ldapjs": "^1.0.5",
|
"devDependencies": {
|
||||||
"@types/radius": "0.0.28",
|
"@types/ldapjs": "^1.0.5",
|
||||||
"@hokify/eslint-config": "^0.2.2",
|
"@types/radius": "0.0.28",
|
||||||
"eslint": "^6.8.0",
|
"@hokify/eslint-config": "^0.2.4",
|
||||||
"prettier": "^1.19.1",
|
"eslint": "^6.8.0",
|
||||||
"typescript": "^3.7.5"
|
"prettier": "^1.19.1",
|
||||||
}
|
"typescript": "^3.8.2"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,186 +1,42 @@
|
|||||||
import * as dgram from 'dgram';
|
|
||||||
import * as radius from 'radius';
|
|
||||||
// import * as dgram from "dgram";
|
|
||||||
// import * as fs from 'fs';
|
|
||||||
import { EAPHandler } from './eap';
|
|
||||||
import { IDeferredPromise, makeid, MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from './helpers';
|
|
||||||
|
|
||||||
import { GoogleLDAPAuth } from './auth/google-ldap';
|
import { GoogleLDAPAuth } from './auth/google-ldap';
|
||||||
import { AdditionalAuthHandler } from './types/Handler';
|
import { UDPServer } from './server/UDPServer';
|
||||||
|
import { RadiusService } from './radius/RadiusService';
|
||||||
const server = dgram.createSocket('udp4');
|
|
||||||
|
|
||||||
const { argv } = require('yargs')
|
import * as config from '../config';
|
||||||
.usage('RADIUS Server\nUsage: $0')
|
|
||||||
.example('$0 --port 1812 -s radiussecret')
|
|
||||||
.default({
|
|
||||||
port: 1812,
|
|
||||||
s: 'testing123',
|
|
||||||
baseDN: 'dc=hokify,dc=com',
|
|
||||||
ldapServer: 'ldap://127.0.0.1:1636'
|
|
||||||
})
|
|
||||||
.describe('baseDN', 'LDAP Base DN')
|
|
||||||
.describe('ldapServer', 'LDAP Server')
|
|
||||||
.describe('port', 'RADIUS server listener port')
|
|
||||||
.alias('s', 'secret')
|
|
||||||
.describe('secret', 'RADIUS secret')
|
|
||||||
.string(['secret', 'baseDN'])
|
|
||||||
.demand('secret');
|
|
||||||
|
|
||||||
console.log(`Listener Port: ${argv.port}`);
|
console.log(`Listener Port: ${config.port || 1812}`);
|
||||||
console.log(`RADIUS Secret: ${argv.secret}`);
|
console.log(`RADIUS Secret: ${config.secret}`);
|
||||||
console.log(`LDAP Base DN: ${argv.baseDN}`);
|
console.log(`Auth Mode: ${config.authentication}`);
|
||||||
console.log(`LDAP Server: ${argv.ldapServer}`);
|
|
||||||
|
|
||||||
// const ldap = new LDAPAuth({url: 'ldap://ldap.google.com', base: 'dc=hokify,dc=com', uid: 'uid', tlsOptions});
|
// const ldap = new LDAPAuth({url: 'ldap://ldap.google.com', base: 'dc=hokify,dc=com', uid: 'uid', tlsOptions});
|
||||||
|
|
||||||
const ldap = new GoogleLDAPAuth(argv.ldapServer, argv.baseDN);
|
const ldap = new GoogleLDAPAuth(
|
||||||
|
config.authenticationOptions.url,
|
||||||
const eapHandler = new EAPHandler();
|
config.authenticationOptions.base
|
||||||
const timeout: { [key: string]: NodeJS.Timeout } = {};
|
);
|
||||||
const waitForNextMsg: { [key: string]: IDeferredPromise } = {};
|
|
||||||
|
const server = new UDPServer(config.port);
|
||||||
function sendToClient(
|
const radiusService = new RadiusService(config.secret, ldap);
|
||||||
msg: string | Uint8Array,
|
|
||||||
offset: number,
|
(async () => {
|
||||||
length: number,
|
server.on('message', async (msg, rinfo) => {
|
||||||
port?: number,
|
const response = await radiusService.handleMessage(msg);
|
||||||
address?: string,
|
|
||||||
callback?: (error: Error | null, bytes: number) => void,
|
if (response) {
|
||||||
stateForRetry?: string
|
server.sendToClient(
|
||||||
): void {
|
response.data,
|
||||||
let retried = 0;
|
rinfo.port,
|
||||||
|
rinfo.address,
|
||||||
function sendResponse() {
|
(err, _bytes) => {
|
||||||
console.log(`sending response... (try: ${retried})`);
|
if (err) {
|
||||||
server.send(msg, offset, length, port, address, (error: Error | null, bytes: number) => {
|
console.log('Error sending response to ', rinfo);
|
||||||
// all good
|
|
||||||
|
|
||||||
if (callback) callback(error, bytes);
|
|
||||||
});
|
|
||||||
|
|
||||||
if (stateForRetry && retried < 3) {
|
|
||||||
// timeout[stateForRetry] = setTimeout(sendResponse, 600 * (retried+1));
|
|
||||||
}
|
|
||||||
retried++;
|
|
||||||
}
|
|
||||||
|
|
||||||
sendResponse();
|
|
||||||
}
|
|
||||||
|
|
||||||
server.on('message', async function(msg, rinfo) {
|
|
||||||
const packet = radius.decode({ packet: msg, secret: argv.secret });
|
|
||||||
|
|
||||||
if (packet.code !== 'Access-Request') {
|
|
||||||
console.log('unknown packet type: ', packet.code);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
// console.log('packet.attributes', packet.attributes);
|
|
||||||
|
|
||||||
// console.log('rinfo', rinfo);
|
|
||||||
|
|
||||||
async function checkAuth(
|
|
||||||
username: string,
|
|
||||||
password: string,
|
|
||||||
additionalAuthHandler?: AdditionalAuthHandler
|
|
||||||
) {
|
|
||||||
console.log(`Access-Request for ${username}`);
|
|
||||||
let success = false;
|
|
||||||
try {
|
|
||||||
await ldap.authenticate(username, password);
|
|
||||||
success = true;
|
|
||||||
} catch (err) {
|
|
||||||
console.error(err);
|
|
||||||
}
|
|
||||||
|
|
||||||
const attributes: any[] = [];
|
|
||||||
|
|
||||||
if (additionalAuthHandler) {
|
|
||||||
await additionalAuthHandler(success, { packet, attributes, secret: argv.secret });
|
|
||||||
}
|
|
||||||
|
|
||||||
const response = radius.encode_response({
|
|
||||||
packet,
|
|
||||||
code: success ? 'Access-Accept' : 'Access-Reject',
|
|
||||||
secret: argv.secret,
|
|
||||||
attributes
|
|
||||||
});
|
|
||||||
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
|
|
||||||
|
|
||||||
sendToClient(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
|
|
||||||
if (err) {
|
|
||||||
console.log('Error sending response to ', rinfo);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
if (packet.attributes['EAP-Message']) {
|
|
||||||
const state = (packet.attributes.State && packet.attributes.State.toString()) || makeid(16);
|
|
||||||
|
|
||||||
if (timeout[state]) {
|
|
||||||
clearTimeout(timeout[state]);
|
|
||||||
}
|
|
||||||
|
|
||||||
const handlers = {
|
|
||||||
response: (EAPMessage: Buffer) => {
|
|
||||||
const attributes: any = [['State', Buffer.from(state)]];
|
|
||||||
let sentDataSize = 0;
|
|
||||||
do {
|
|
||||||
if (EAPMessage.length > 0) {
|
|
||||||
attributes.push([
|
|
||||||
'EAP-Message',
|
|
||||||
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
|
||||||
]);
|
|
||||||
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
|
||||||
}
|
}
|
||||||
} while (sentDataSize < EAPMessage.length);
|
},
|
||||||
|
response.expectAcknowledgment
|
||||||
const response = radius.encode_response({
|
);
|
||||||
packet,
|
|
||||||
code: 'Access-Challenge',
|
|
||||||
secret: argv.secret,
|
|
||||||
attributes
|
|
||||||
});
|
|
||||||
|
|
||||||
waitForNextMsg[state] = newDeferredPromise();
|
|
||||||
|
|
||||||
sendToClient(
|
|
||||||
response,
|
|
||||||
0,
|
|
||||||
response.length,
|
|
||||||
rinfo.port,
|
|
||||||
rinfo.address,
|
|
||||||
function(err, _bytes) {
|
|
||||||
if (err) {
|
|
||||||
console.log('Error sending response to ', rinfo);
|
|
||||||
}
|
|
||||||
},
|
|
||||||
state
|
|
||||||
);
|
|
||||||
|
|
||||||
return waitForNextMsg[state].promise;
|
|
||||||
},
|
|
||||||
checkAuth
|
|
||||||
};
|
|
||||||
|
|
||||||
if (waitForNextMsg[state]) {
|
|
||||||
const identifier = packet.attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
|
|
||||||
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
|
|
||||||
}
|
}
|
||||||
|
});
|
||||||
|
|
||||||
// EAP MESSAGE
|
// start server
|
||||||
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, handlers);
|
await server.start();
|
||||||
} else {
|
})();
|
||||||
const username = packet.attributes['User-Name'];
|
|
||||||
const password = packet.attributes['User-Password'];
|
|
||||||
|
|
||||||
checkAuth(username, password);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
server.on('listening', function() {
|
|
||||||
const address = server.address();
|
|
||||||
console.log(`radius server listening ${address.address}:${address.port}`);
|
|
||||||
});
|
|
||||||
|
|
||||||
server.bind(argv.port);
|
|
||||||
|
@ -1,219 +0,0 @@
|
|||||||
// https://tools.ietf.org/html/rfc3748#section-4.1
|
|
||||||
|
|
||||||
// https://tools.ietf.org/html/rfc5281 TTLS v0
|
|
||||||
// https://tools.ietf.org/html/draft-funk-eap-ttls-v1-00 TTLS v1 (not implemented)
|
|
||||||
import { IResponseHandlers, ResponseHandler } from './types/Handler';
|
|
||||||
import { EAPTTLS } from './eap/eap-ttls';
|
|
||||||
import { MAX_RADIUS_ATTRIBUTE_SIZE } from './helpers';
|
|
||||||
|
|
||||||
export class EAPHandler {
|
|
||||||
eapTTLS: EAPTTLS;
|
|
||||||
|
|
||||||
constructor() {
|
|
||||||
this.eapTTLS = new EAPTTLS(this.sendEAPResponse);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
*
|
|
||||||
* @param data
|
|
||||||
* @param type 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
|
|
||||||
*/
|
|
||||||
private async sendEAPResponse(
|
|
||||||
response: ResponseHandler,
|
|
||||||
identifier: number,
|
|
||||||
data?: Buffer,
|
|
||||||
msgType = 21,
|
|
||||||
msgFlags = 0x00
|
|
||||||
) {
|
|
||||||
let i = 0;
|
|
||||||
|
|
||||||
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
|
|
||||||
|
|
||||||
let sentDataSize = 0;
|
|
||||||
|
|
||||||
let currentIdentifier = identifier;
|
|
||||||
let currentResponse = response;
|
|
||||||
|
|
||||||
do {
|
|
||||||
// SLICE
|
|
||||||
|
|
||||||
// const fragmentMaxPart =
|
|
||||||
// data && (i + 1) * maxFragmentSize > data.length ? (i + 1) * maxFragmentSize : undefined;
|
|
||||||
|
|
||||||
const dataPart = data && data.length > 0 && data.slice(sentDataSize, sentDataSize + maxSize);
|
|
||||||
|
|
||||||
/* it's the first one and we have more, therefore include length */
|
|
||||||
const includeLength = data && i === 0 && sentDataSize < data.length;
|
|
||||||
|
|
||||||
sentDataSize += maxSize;
|
|
||||||
|
|
||||||
i += 1;
|
|
||||||
|
|
||||||
/*
|
|
||||||
0 1 2 3 4 5 6 7 8
|
|
||||||
+-+-+-+-+-+-+-+-+
|
|
||||||
|L M R R R R R R|
|
|
||||||
+-+-+-+-+-+-+-+-+
|
|
||||||
|
|
||||||
L = Length included
|
|
||||||
M = More fragments
|
|
||||||
R = Reserved
|
|
||||||
|
|
||||||
The L bit (length included) is set to indicate the presence of the
|
|
||||||
four-octet TLS Message Length field, and MUST be set for the first
|
|
||||||
fragment of a fragmented TLS message or set of messages. The M
|
|
||||||
bit (more fragments) is set on all but the last fragment.
|
|
||||||
Implementations of this specification MUST set the reserved bits
|
|
||||||
to zero, and MUST ignore them on reception.
|
|
||||||
*/
|
|
||||||
|
|
||||||
const flags =
|
|
||||||
msgFlags +
|
|
||||||
(includeLength ? 0b10000000 : 0) + // set L bit
|
|
||||||
(data && sentDataSize < data.length /* we have more */ ? 0b01000000 : 0); // set M bit
|
|
||||||
|
|
||||||
currentIdentifier++;
|
|
||||||
|
|
||||||
let buffer = Buffer.from([
|
|
||||||
1, // request
|
|
||||||
currentIdentifier,
|
|
||||||
0, // length (1/2)
|
|
||||||
0, // length (2/2)
|
|
||||||
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
|
||||||
flags // flags: 000000 (L include lenghts, M .. more to come)
|
|
||||||
]);
|
|
||||||
|
|
||||||
// append length
|
|
||||||
if (includeLength && data) {
|
|
||||||
const length = Buffer.alloc(4);
|
|
||||||
length.writeInt32BE(data.byteLength, 0);
|
|
||||||
|
|
||||||
buffer = Buffer.concat([buffer, length]);
|
|
||||||
}
|
|
||||||
|
|
||||||
const resBuffer = dataPart ? Buffer.concat([buffer, dataPart]) : buffer;
|
|
||||||
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
|
||||||
|
|
||||||
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
|
|
||||||
code: 1,
|
|
||||||
currentIdentifier,
|
|
||||||
includeLength,
|
|
||||||
length: (data && data.byteLength) || 0,
|
|
||||||
msgType: msgType.toString(10),
|
|
||||||
flags: `00000000${flags.toString(2)}`.substr(-8),
|
|
||||||
data
|
|
||||||
});
|
|
||||||
|
|
||||||
// uffer.from([1,identifier, 0, 0, 21, 0]);
|
|
||||||
// buffer.writeUInt16BE(sslResponse.length, 2); // length
|
|
||||||
// buffer.writeInt8(21, 4); // eap-ttls
|
|
||||||
// buffer.writeInt8(0, 5); // flags
|
|
||||||
|
|
||||||
console.log('sending message with identifier', currentIdentifier);
|
|
||||||
({ identifier: currentIdentifier, response: currentResponse } = await currentResponse(
|
|
||||||
resBuffer
|
|
||||||
));
|
|
||||||
console.log('next message got identifier', currentIdentifier);
|
|
||||||
} while (data && sentDataSize < data.length);
|
|
||||||
|
|
||||||
console.log('DONE', sentDataSize, data && data.length);
|
|
||||||
}
|
|
||||||
|
|
||||||
handleEAPMessage(msg: Buffer, state: string, handlers: IResponseHandlers) {
|
|
||||||
// const b = Buffer.from([2,0x242,0x0,0x18,0x1,0x115,0x105,0x109,0x111,0x110,0x46,0x116,0x114,0x101,0x116,0x116,0x101,0x114]);
|
|
||||||
// const msg = Buffer.from([2, 162, 0, 18, 1, 115, 105, 109, 111, 110, 46, 116, 114, 101, 116, 116, 101, 114])
|
|
||||||
|
|
||||||
/*
|
|
||||||
1 Request
|
|
||||||
2 Response
|
|
||||||
3 Success
|
|
||||||
4 Failure
|
|
||||||
*/
|
|
||||||
|
|
||||||
const code = msg.slice(0, 1).readUInt8(0);
|
|
||||||
const identifier = msg.slice(1, 2).readUInt8(0); // .toString('hex');
|
|
||||||
// const length = msg.slice(2, 4).readInt16BE(0); // .toString('binary');
|
|
||||||
const type = msg.slice(4, 5).readUInt8(0); // .slice(3,0x5).toString('hex');
|
|
||||||
|
|
||||||
/*
|
|
||||||
console.log("CODE", code);
|
|
||||||
console.log('ID', identifier);
|
|
||||||
console.log('length', length);
|
|
||||||
*/
|
|
||||||
|
|
||||||
switch (code) {
|
|
||||||
case 1: // for request
|
|
||||||
case 2: // for response
|
|
||||||
switch (type) {
|
|
||||||
case 1: // identifiy
|
|
||||||
/**
|
|
||||||
* The EAP-TTLS packet format is shown below. The fields are
|
|
||||||
transmitted left to right.
|
|
||||||
|
|
||||||
0 1 2 3
|
|
||||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
| Code | Identifier | Length |
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
| Type | Flags | Message Length
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
Message Length | Data...
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
*/
|
|
||||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
|
|
||||||
|
|
||||||
this.sendEAPResponse(handlers.response, identifier, undefined, 21, 0x20);
|
|
||||||
|
|
||||||
/*
|
|
||||||
handlers.response(
|
|
||||||
Buffer.from([
|
|
||||||
1, // request
|
|
||||||
identifier + 1,
|
|
||||||
0, // length (1/2)
|
|
||||||
6, // length (2/2)
|
|
||||||
21, // EAP-TTLS
|
|
||||||
0x20 // flags: 001000 start flag
|
|
||||||
])
|
|
||||||
); */
|
|
||||||
break;
|
|
||||||
case 21: // EAP TTLS
|
|
||||||
this.eapTTLS.handleMessage(msg, state, handlers, identifier);
|
|
||||||
break;
|
|
||||||
case 3: // nak
|
|
||||||
// this.sendEAPResponse(handlers.response, identifier, undefined, 3);
|
|
||||||
break;
|
|
||||||
case 2: // notification
|
|
||||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
|
|
||||||
console.info('notification');
|
|
||||||
break;
|
|
||||||
case 4: // md5-challenge
|
|
||||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
|
|
||||||
|
|
||||||
console.info('md5-challenge');
|
|
||||||
break;
|
|
||||||
case 254: // expanded type
|
|
||||||
console.error('not implemented type', type);
|
|
||||||
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
// we do not support this auth type, ask for TTLS
|
|
||||||
console.error('unsupported type', type, 'requesting TTLS (21)');
|
|
||||||
|
|
||||||
this.sendEAPResponse(handlers.response, identifier, Buffer.from([21]), 3);
|
|
||||||
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case 3:
|
|
||||||
console.log('Client Auth Success');
|
|
||||||
break;
|
|
||||||
case 4:
|
|
||||||
console.log('Client Auth FAILURE');
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
// silently ignor;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,233 +0,0 @@
|
|||||||
/* eslint-disable no-bitwise */
|
|
||||||
import * as events from 'events';
|
|
||||||
import * as tls from 'tls';
|
|
||||||
import { encodeTunnelPW, openTLSSockets, startTLSServer } from '../tls/crypt';
|
|
||||||
import { AdditionalAuthHandler, ResponseAuthHandler } from '../types/Handler';
|
|
||||||
import { PAPChallenge } from './challenges/pap';
|
|
||||||
import { IEAPType } from '../types/EAPType';
|
|
||||||
|
|
||||||
interface IEAPResponseHandlers {
|
|
||||||
response: (respData?: Buffer, msgType?: number) => void;
|
|
||||||
checkAuth: ResponseAuthHandler;
|
|
||||||
}
|
|
||||||
|
|
||||||
export class EAPTTLS implements IEAPType {
|
|
||||||
papChallenge: PAPChallenge;
|
|
||||||
|
|
||||||
constructor(private sendEAPResponse) {
|
|
||||||
this.papChallenge = new PAPChallenge();
|
|
||||||
}
|
|
||||||
|
|
||||||
decode(msg: Buffer) {
|
|
||||||
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
|
|
||||||
|
|
||||||
// if (flags)
|
|
||||||
// @todo check if "L" flag is set in flags
|
|
||||||
const decodedFlags = {
|
|
||||||
lengthIncluded: flags & 0b010000000,
|
|
||||||
moreFragments: flags & 0b001000000,
|
|
||||||
start: flags & 0b000100000,
|
|
||||||
reserved: flags & 0b000011000,
|
|
||||||
version: flags & 0b010000111
|
|
||||||
};
|
|
||||||
let msglength;
|
|
||||||
if (decodedFlags.lengthIncluded) {
|
|
||||||
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
|
|
||||||
}
|
|
||||||
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
|
|
||||||
|
|
||||||
return {
|
|
||||||
decodedFlags,
|
|
||||||
msglength,
|
|
||||||
data
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
|
|
||||||
const { decodedFlags, msglength, data } = this.decode(msg);
|
|
||||||
|
|
||||||
// check if no data package is there and we have something in the queue, if so.. empty the queue first
|
|
||||||
if (!data || data.length === 0) {
|
|
||||||
// @todo: queue processing
|
|
||||||
console.warn(
|
|
||||||
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
|
|
||||||
);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
|
|
||||||
// flags: `00000000${flags.toString(2)}`.substr(-8),
|
|
||||||
decodedFlags,
|
|
||||||
identifier,
|
|
||||||
/*
|
|
||||||
0 1 2 3 4 5 6 7
|
|
||||||
+---+---+---+---+---+---+---+---+
|
|
||||||
| L | M | S | R | R | V |
|
|
||||||
+---+---+---+---+---+---+---+---+
|
|
||||||
|
|
||||||
L = Length included
|
|
||||||
M = More fragments
|
|
||||||
S = Start
|
|
||||||
R = Reserved
|
|
||||||
V = Version (000 for EAP-TTLSv0)
|
|
||||||
*/
|
|
||||||
|
|
||||||
msglength,
|
|
||||||
data,
|
|
||||||
dataStr: data.toString()
|
|
||||||
});
|
|
||||||
|
|
||||||
let currentConnection = openTLSSockets.get(state) as
|
|
||||||
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IEAPResponseHandlers }
|
|
||||||
| undefined;
|
|
||||||
if (!currentConnection) {
|
|
||||||
const connection = startTLSServer();
|
|
||||||
currentConnection = {
|
|
||||||
events: connection.events,
|
|
||||||
tls: connection.tls,
|
|
||||||
currentHandlers: handlers
|
|
||||||
};
|
|
||||||
openTLSSockets.set(state, currentConnection);
|
|
||||||
|
|
||||||
// register event listeners
|
|
||||||
currentConnection.events.on('incoming', (incomingData: Buffer) => {
|
|
||||||
const type = incomingData.slice(3, 4).readUInt8(0);
|
|
||||||
// const code = data.slice(4, 5).readUInt8(0);
|
|
||||||
|
|
||||||
switch (type) {
|
|
||||||
case 1: // PAP / CHAP
|
|
||||||
try {
|
|
||||||
const { username, password } = this.papChallenge.decode(incomingData);
|
|
||||||
currentConnection!.currentHandlers.checkAuth(username, password);
|
|
||||||
} catch (err) {
|
|
||||||
// pwd not found..
|
|
||||||
console.error('pwd not found', err);
|
|
||||||
// NAK
|
|
||||||
currentConnection!.currentHandlers.response(undefined, 3);
|
|
||||||
|
|
||||||
/*
|
|
||||||
this.sendEAPResponse(
|
|
||||||
currentConnection!.currentHandlers.response,
|
|
||||||
identifier,
|
|
||||||
undefined,
|
|
||||||
3
|
|
||||||
); */
|
|
||||||
currentConnection!.events.emit('end');
|
|
||||||
throw new Error(`pwd not found`);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
console.log('data', incomingData);
|
|
||||||
console.log('data str', incomingData.toString());
|
|
||||||
|
|
||||||
// currentConnection!.events.emit('end');
|
|
||||||
|
|
||||||
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
|
|
||||||
// throw new Error(`unsupported auth type${type}`);
|
|
||||||
currentConnection!.currentHandlers.response(Buffer.from([1]), 3);
|
|
||||||
|
|
||||||
/*
|
|
||||||
this.sendEAPResponse(
|
|
||||||
currentConnection!.currentHandlers.response,
|
|
||||||
identifier,
|
|
||||||
Buffer.from([1]),
|
|
||||||
3
|
|
||||||
); */
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
currentConnection.events.on('response', (responseData: Buffer) => {
|
|
||||||
// console.log('sending encrypted data back to client', responseData);
|
|
||||||
|
|
||||||
// send back...
|
|
||||||
currentConnection!.currentHandlers.response(responseData);
|
|
||||||
// this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
|
|
||||||
// this.sendMessage(TYPE.PRELOGIN, data, false);
|
|
||||||
});
|
|
||||||
|
|
||||||
currentConnection.events.on('end', () => {
|
|
||||||
// cleanup socket
|
|
||||||
console.log('ENDING SOCKET');
|
|
||||||
openTLSSockets.del(state);
|
|
||||||
});
|
|
||||||
} /* else {
|
|
||||||
console.log('using existing socket');
|
|
||||||
} */
|
|
||||||
|
|
||||||
// update handlers
|
|
||||||
currentConnection.currentHandlers = {
|
|
||||||
response: (respData?: Buffer, msgType?: number) =>
|
|
||||||
this.sendEAPResponse(handlers.response, identifier, respData, msgType),
|
|
||||||
checkAuth: (username: string, password: string) => {
|
|
||||||
const additionalAuthHandler: AdditionalAuthHandler = (success, params) => {
|
|
||||||
const buffer = Buffer.from([
|
|
||||||
success ? 3 : 4, // 3.. success, 4... failure
|
|
||||||
identifier,
|
|
||||||
0, // length (1/2)
|
|
||||||
4 // length (2/2)
|
|
||||||
]);
|
|
||||||
|
|
||||||
params.attributes.push(['EAP-Message', buffer]);
|
|
||||||
|
|
||||||
if (params.packet.attributes && params.packet.attributes['User-Name']) {
|
|
||||||
// reappend username to response
|
|
||||||
params.attributes.push(['User-Name', params.packet.attributes['User-Name']]);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
if (sess->eap_if->eapKeyDataLen > 64) {
|
|
||||||
len = 32;
|
|
||||||
} else {
|
|
||||||
len = sess->eap_if->eapKeyDataLen / 2;
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
const keyingMaterial = (currentConnection?.tls as any).exportKeyingMaterial(
|
|
||||||
128,
|
|
||||||
'ttls keying material'
|
|
||||||
);
|
|
||||||
|
|
||||||
// console.log('keyingMaterial', keyingMaterial);
|
|
||||||
|
|
||||||
// eapKeyData + len
|
|
||||||
params.attributes.push([
|
|
||||||
'Vendor-Specific',
|
|
||||||
311,
|
|
||||||
[
|
|
||||||
[
|
|
||||||
16,
|
|
||||||
encodeTunnelPW(
|
|
||||||
keyingMaterial.slice(64),
|
|
||||||
(params.packet as any).authenticator,
|
|
||||||
// params.packet.attributes['Message-Authenticator'],
|
|
||||||
params.secret
|
|
||||||
)
|
|
||||||
]
|
|
||||||
]
|
|
||||||
]); // MS-MPPE-Send-Key
|
|
||||||
|
|
||||||
// eapKeyData
|
|
||||||
params.attributes.push([
|
|
||||||
'Vendor-Specific',
|
|
||||||
311,
|
|
||||||
[
|
|
||||||
[
|
|
||||||
17,
|
|
||||||
encodeTunnelPW(
|
|
||||||
keyingMaterial.slice(0, 64),
|
|
||||||
(params.packet as any).authenticator,
|
|
||||||
// params.packet.attributes['Message-Authenticator'],
|
|
||||||
params.secret
|
|
||||||
)
|
|
||||||
]
|
|
||||||
]
|
|
||||||
]); // MS-MPPE-Recv-Key
|
|
||||||
};
|
|
||||||
|
|
||||||
return handlers.checkAuth(username, password, additionalAuthHandler);
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
// emit data to tls server
|
|
||||||
currentConnection.events.emit('send', data);
|
|
||||||
}
|
|
||||||
}
|
|
@ -0,0 +1,95 @@
|
|||||||
|
import * as radius from 'radius';
|
||||||
|
import { IAuthentication } from '../types/Authentication';
|
||||||
|
import { EAPPacketHandler } from './handler/EAPPacketHandler';
|
||||||
|
import { DefaultPacketHandler } from './handler/DefaultPacketHandler';
|
||||||
|
import { IPacketHandler, IPacketHandlerResult, PacketResponseCode } from '../types/PacketHandler';
|
||||||
|
|
||||||
|
export class RadiusService {
|
||||||
|
radiusPacketHandlers: IPacketHandler[] = [];
|
||||||
|
|
||||||
|
constructor(private secret: string, private authentication: IAuthentication) {
|
||||||
|
this.radiusPacketHandlers.push(new EAPPacketHandler(authentication));
|
||||||
|
this.radiusPacketHandlers.push(new DefaultPacketHandler(authentication));
|
||||||
|
}
|
||||||
|
|
||||||
|
async handleMessage(
|
||||||
|
msg: Buffer
|
||||||
|
): Promise<{ data: Buffer; expectAcknowledgment?: boolean } | undefined> {
|
||||||
|
const packet = radius.decode({ packet: msg, secret: this.secret });
|
||||||
|
|
||||||
|
if (packet.code !== 'Access-Request') {
|
||||||
|
console.log('unknown packet type: ', packet.code);
|
||||||
|
return undefined;
|
||||||
|
}
|
||||||
|
// console.log('packet.attributes', packet.attributes);
|
||||||
|
|
||||||
|
// console.log('rinfo', rinfo);
|
||||||
|
/*
|
||||||
|
const checkAuth = async (
|
||||||
|
username: string,
|
||||||
|
password: string,
|
||||||
|
additionalAuthHandler?: AdditionalAuthHandler
|
||||||
|
) => {
|
||||||
|
console.log(`Access-Request for ${username}`);
|
||||||
|
let success = false;
|
||||||
|
try {
|
||||||
|
await this.authentication.authenticate(username, password);
|
||||||
|
success = true;
|
||||||
|
} catch (err) {
|
||||||
|
console.error(err);
|
||||||
|
}
|
||||||
|
|
||||||
|
const attributes: any[] = [];
|
||||||
|
|
||||||
|
if (additionalAuthHandler) {
|
||||||
|
await additionalAuthHandler(success, { packet, attributes, secret: this.secret });
|
||||||
|
}
|
||||||
|
|
||||||
|
const response = radius.encode_response({
|
||||||
|
packet,
|
||||||
|
code: success ? 'Access-Accept' : 'Access-Reject',
|
||||||
|
secret: this.secret,
|
||||||
|
attributes
|
||||||
|
});
|
||||||
|
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
|
||||||
|
|
||||||
|
this.server.sendToClient(response, rinfo.port, rinfo.address, function(err, _bytes) {
|
||||||
|
if (err) {
|
||||||
|
console.log('Error sending response to ', rinfo);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}; */
|
||||||
|
|
||||||
|
let response: IPacketHandlerResult;
|
||||||
|
|
||||||
|
let i = 0;
|
||||||
|
if (!this.radiusPacketHandlers[i]) {
|
||||||
|
throw new Error('no packet handlers registered');
|
||||||
|
}
|
||||||
|
|
||||||
|
// process packet handlers until we get a response
|
||||||
|
do {
|
||||||
|
/* response is of type IPacketHandlerResult */
|
||||||
|
response = await this.radiusPacketHandlers[i].handlePacket(packet.attributes, packet);
|
||||||
|
i++;
|
||||||
|
} while (this.radiusPacketHandlers[i] && (!response || !response.code));
|
||||||
|
|
||||||
|
// still no response, we are done here
|
||||||
|
if (!response || !response.code) {
|
||||||
|
return undefined;
|
||||||
|
}
|
||||||
|
|
||||||
|
// all fine, return radius encoded response
|
||||||
|
return {
|
||||||
|
data: radius.encode_response({
|
||||||
|
packet,
|
||||||
|
code: response.code,
|
||||||
|
secret: this.secret,
|
||||||
|
attributes: response.attributes
|
||||||
|
}),
|
||||||
|
// if message is accept or reject, we conside this as final message
|
||||||
|
// this means we do not expect a reponse from the client again (acknowledgement for package)
|
||||||
|
expectAcknowledgment: response.code === PacketResponseCode.AccessChallenge
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,36 @@
|
|||||||
|
import { IAuthentication } from '../../types/Authentication';
|
||||||
|
import {
|
||||||
|
IPacketHandler,
|
||||||
|
IPacketHandlerResult,
|
||||||
|
PacketResponseCode
|
||||||
|
} from '../../types/PacketHandler';
|
||||||
|
|
||||||
|
export class DefaultPacketHandler implements IPacketHandler {
|
||||||
|
constructor(private authentication: IAuthentication) {}
|
||||||
|
|
||||||
|
async handlePacket(attributes: { [key: string]: Buffer }): Promise<IPacketHandlerResult> {
|
||||||
|
const username = attributes['User-Name'];
|
||||||
|
const password = attributes['User-Password'];
|
||||||
|
|
||||||
|
if (!username || !password) {
|
||||||
|
// params missing, this handler cannot continue...
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
|
||||||
|
const authenticated = await this.authentication.authenticate(
|
||||||
|
username.toString(),
|
||||||
|
password.toString()
|
||||||
|
);
|
||||||
|
if (authenticated) {
|
||||||
|
// success
|
||||||
|
return {
|
||||||
|
code: PacketResponseCode.AccessAccept
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
// Failed
|
||||||
|
return {
|
||||||
|
code: PacketResponseCode.AccessReject
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,193 @@
|
|||||||
|
// https://tools.ietf.org/html/rfc3748#section-4.1
|
||||||
|
|
||||||
|
import * as NodeCache from 'node-cache';
|
||||||
|
import { RadiusPacket } from 'radius';
|
||||||
|
import { EAPTTLS } from './eapMethods/EAPTTLS';
|
||||||
|
import { makeid } from '../../helpers';
|
||||||
|
import {
|
||||||
|
IPacketHandler,
|
||||||
|
IPacketHandlerResult,
|
||||||
|
PacketResponseCode
|
||||||
|
} from '../../types/PacketHandler';
|
||||||
|
import { IAuthentication } from '../../types/Authentication';
|
||||||
|
import { IEAPMethod } from '../../types/EAPMethod';
|
||||||
|
|
||||||
|
export class EAPPacketHandler implements IPacketHandler {
|
||||||
|
private eapMethods: IEAPMethod[] = [];
|
||||||
|
|
||||||
|
// private eapConnectionStates: { [key: string]: { validMethods: IEAPMethod[] } } = {};
|
||||||
|
private eapConnectionStates = new NodeCache({ useClones: false, stdTTL: 3600 }); // max for one hour
|
||||||
|
|
||||||
|
constructor(authentication: IAuthentication) {
|
||||||
|
this.eapMethods.push(new EAPTTLS(authentication));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @param data
|
||||||
|
* @param msgType 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
|
||||||
|
*/
|
||||||
|
private async buildEAPResponse(
|
||||||
|
identifier: number,
|
||||||
|
msgType: number,
|
||||||
|
data?: Buffer
|
||||||
|
): Promise<IPacketHandlerResult> {
|
||||||
|
/** build a package according to this:
|
||||||
|
0 1 2 3
|
||||||
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Code | Identifier | Length |
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Type | Type-Data ...
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|
||||||
|
*/
|
||||||
|
const buffer = Buffer.from([
|
||||||
|
1, // request
|
||||||
|
identifier,
|
||||||
|
0, // length (1/2)
|
||||||
|
0, // length (2/2)
|
||||||
|
msgType // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
||||||
|
]);
|
||||||
|
|
||||||
|
const resBuffer = data ? Buffer.concat([buffer, data]) : buffer;
|
||||||
|
// set EAP length header
|
||||||
|
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
||||||
|
|
||||||
|
return {
|
||||||
|
code: PacketResponseCode.AccessChallenge,
|
||||||
|
attributes: [['EAP-Message', buffer]]
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private decodeEAPHeader(msg: Buffer) {
|
||||||
|
/**
|
||||||
|
* parse msg according to this:
|
||||||
|
0 1 2 3
|
||||||
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Code | Identifier | Length |
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Type | Type-Data ...
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
code:
|
||||||
|
1 Request
|
||||||
|
2 Response
|
||||||
|
3 Success
|
||||||
|
4 Failure
|
||||||
|
*/
|
||||||
|
const code = msg.slice(0, 1).readUInt8(0);
|
||||||
|
/* identifier is a number */
|
||||||
|
const identifier = msg.slice(1, 2).readUInt8(0);
|
||||||
|
const length = msg.slice(2, 4).readInt16BE(0);
|
||||||
|
/* EAP type */
|
||||||
|
const type = msg.slice(4, 5).readUInt8(0);
|
||||||
|
const data = msg.slice(5);
|
||||||
|
|
||||||
|
return {
|
||||||
|
code,
|
||||||
|
identifier,
|
||||||
|
length,
|
||||||
|
type,
|
||||||
|
data
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
async handlePacket(
|
||||||
|
attributes: { [key: string]: Buffer },
|
||||||
|
orgRadiusPacket: RadiusPacket
|
||||||
|
): Promise<IPacketHandlerResult> {
|
||||||
|
if (!attributes['EAP-Message']) {
|
||||||
|
// not an EAP message
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
|
||||||
|
const stateID = (attributes.State && attributes.State.toString()) || makeid(16);
|
||||||
|
|
||||||
|
if (!this.eapConnectionStates.get(stateID)) {
|
||||||
|
this.eapConnectionStates.set(stateID, {
|
||||||
|
validMethods: this.eapMethods // on init all registered eap methods are valid, we kick them out in case we get a NAK response
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// EAP MESSAGE
|
||||||
|
const msg = attributes['EAP-Message'];
|
||||||
|
|
||||||
|
const { code, type, identifier, data } = this.decodeEAPHeader(msg);
|
||||||
|
|
||||||
|
const currentState = this.eapConnectionStates.get(stateID) as { validMethods: IEAPMethod[] };
|
||||||
|
|
||||||
|
switch (code) {
|
||||||
|
case 1: // for request
|
||||||
|
case 2: // for response
|
||||||
|
switch (type) {
|
||||||
|
case 1: // identifiy
|
||||||
|
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
|
||||||
|
// start identify
|
||||||
|
if (currentState.validMethods.length > 0) {
|
||||||
|
return currentState.validMethods[0].identify(identifier, stateID);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this.buildEAPResponse(identifier, 3);
|
||||||
|
case 2: // notification
|
||||||
|
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
|
||||||
|
console.info('notification');
|
||||||
|
break;
|
||||||
|
case 4: // md5-challenge
|
||||||
|
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
|
||||||
|
|
||||||
|
console.info('md5-challenge');
|
||||||
|
break;
|
||||||
|
case 254: // expanded type
|
||||||
|
console.error('not implemented type', type);
|
||||||
|
break;
|
||||||
|
case 3: // nak
|
||||||
|
if (data) {
|
||||||
|
const supportedEAPMethods: number[] = [];
|
||||||
|
for (const supportedMethod of data) {
|
||||||
|
supportedEAPMethods.push(supportedMethod);
|
||||||
|
}
|
||||||
|
|
||||||
|
this.eapConnectionStates.set(stateID, {
|
||||||
|
...currentState,
|
||||||
|
validMethods: currentState.validMethods.filter(method => {
|
||||||
|
return supportedEAPMethods.includes(method.getEAPType()); // kick it out?
|
||||||
|
})
|
||||||
|
});
|
||||||
|
}
|
||||||
|
// continue with responding a NAK and add rest of supported methods
|
||||||
|
// eslint-disable-next-line no-fallthrough
|
||||||
|
default: {
|
||||||
|
const eapMethod = currentState.validMethods.find(method => {
|
||||||
|
return type === method.getEAPType();
|
||||||
|
});
|
||||||
|
|
||||||
|
if (eapMethod) {
|
||||||
|
return eapMethod.handleMessage(identifier, stateID, msg, orgRadiusPacket);
|
||||||
|
}
|
||||||
|
|
||||||
|
// we do not support this auth type, ask for something we support
|
||||||
|
const serverSupportedMethods = currentState.validMethods.map(
|
||||||
|
method => method.getEAPType
|
||||||
|
);
|
||||||
|
|
||||||
|
console.error('unsupported type', type, `requesting: ${serverSupportedMethods}`);
|
||||||
|
|
||||||
|
return this.buildEAPResponse(identifier, 3, Buffer.from(serverSupportedMethods));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case 3:
|
||||||
|
console.log('Client Auth Success');
|
||||||
|
break;
|
||||||
|
case 4:
|
||||||
|
console.log('Client Auth FAILURE');
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
}
|
||||||
|
// silently ignore;
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,460 @@
|
|||||||
|
/* eslint-disable no-bitwise */
|
||||||
|
import * as tls from 'tls';
|
||||||
|
import * as NodeCache from 'node-cache';
|
||||||
|
import { RadiusPacket } from 'radius';
|
||||||
|
import { encodeTunnelPW, ITLSServer, startTLSServer } from '../../../tls/crypt';
|
||||||
|
import { ResponseAuthHandler } from '../../../types/Handler';
|
||||||
|
import { PAPChallenge } from './challenges/PAPChallenge';
|
||||||
|
import { IPacketHandlerResult, PacketResponseCode } from '../../../types/PacketHandler';
|
||||||
|
import { MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from '../../../helpers';
|
||||||
|
import { IEAPMethod } from '../../../types/EAPMethod';
|
||||||
|
import { IAuthentication } from '../../../types/Authentication';
|
||||||
|
import { secret } from '../../../../config';
|
||||||
|
|
||||||
|
interface IEAPResponseHandlers {
|
||||||
|
response: (respData?: Buffer, msgType?: number) => void;
|
||||||
|
checkAuth: ResponseAuthHandler;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* const handlers = {
|
||||||
|
response: (EAPMessage: Buffer) => {
|
||||||
|
const attributes: any = [['State', Buffer.from(state)]];
|
||||||
|
let sentDataSize = 0;
|
||||||
|
do {
|
||||||
|
if (EAPMessage.length > 0) {
|
||||||
|
attributes.push([
|
||||||
|
'EAP-Message',
|
||||||
|
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||||
|
]);
|
||||||
|
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||||
|
}
|
||||||
|
} while (sentDataSize < EAPMessage.length);
|
||||||
|
|
||||||
|
const response = radius.encode_response({
|
||||||
|
packet,
|
||||||
|
code: 'Access-Challenge',
|
||||||
|
secret: this.secret,
|
||||||
|
attributes
|
||||||
|
});
|
||||||
|
|
||||||
|
waitForNextMsg[state] = newDeferredPromise();
|
||||||
|
|
||||||
|
server.sendToClient(
|
||||||
|
response,
|
||||||
|
rinfo.port,
|
||||||
|
rinfo.address,
|
||||||
|
function(err, _bytes) {
|
||||||
|
if (err) {
|
||||||
|
console.log('Error sending response to ', rinfo);
|
||||||
|
}
|
||||||
|
},
|
||||||
|
state
|
||||||
|
);
|
||||||
|
|
||||||
|
return waitForNextMsg[state].promise;
|
||||||
|
},
|
||||||
|
checkAuth
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
const attributes: any = [['State', Buffer.from(stateID)]];
|
||||||
|
let sentDataSize = 0;
|
||||||
|
do {
|
||||||
|
if (EAPMessage.length > 0) {
|
||||||
|
attributes.push([
|
||||||
|
'EAP-Message',
|
||||||
|
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||||
|
]);
|
||||||
|
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||||
|
}
|
||||||
|
} while (sentDataSize < EAPMessage.length);
|
||||||
|
|
||||||
|
const response = radius.encode_response({
|
||||||
|
packet,
|
||||||
|
code: 'Access-Challenge',
|
||||||
|
secret: this.secret,
|
||||||
|
attributes
|
||||||
|
});
|
||||||
|
|
||||||
|
waitForNextMsg[stateID] = newDeferredPromise();
|
||||||
|
|
||||||
|
server.sendToClient(
|
||||||
|
response,
|
||||||
|
rinfo.port,
|
||||||
|
rinfo.address,
|
||||||
|
function(err, _bytes) {
|
||||||
|
if (err) {
|
||||||
|
console.log('Error sending response to ', rinfo);
|
||||||
|
}
|
||||||
|
},
|
||||||
|
stateID
|
||||||
|
);
|
||||||
|
|
||||||
|
return waitForNextMsg[stateID].promise;
|
||||||
|
*/
|
||||||
|
/* if (waitForNextMsg[state]) {
|
||||||
|
const identifier = attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
|
||||||
|
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
|
||||||
|
} */
|
||||||
|
|
||||||
|
function tlsHasExportKeyingMaterial(
|
||||||
|
tlsSocket: any
|
||||||
|
): tlsSocket is {
|
||||||
|
exportKeyingMaterial: (length: number, label: string, context?: Buffer) => Buffer;
|
||||||
|
} {
|
||||||
|
return typeof (tlsSocket as any).exportKeyingMaterial === 'function';
|
||||||
|
}
|
||||||
|
|
||||||
|
export class EAPTTLS implements IEAPMethod {
|
||||||
|
private papChallenge: PAPChallenge = new PAPChallenge();
|
||||||
|
|
||||||
|
// { [key: string]: Buffer } = {};
|
||||||
|
private queueData = new NodeCache({ useClones: false, stdTTL: 60 }); // queue data maximum for 60 seconds
|
||||||
|
|
||||||
|
private openTLSSockets = new NodeCache({ useClones: false, stdTTL: 3600 }); // keep sockets for about one hour
|
||||||
|
|
||||||
|
getEAPType(): number {
|
||||||
|
return 21;
|
||||||
|
}
|
||||||
|
|
||||||
|
identify(identifier: number, stateID: string): IPacketHandlerResult {
|
||||||
|
return this.buildEAPTTLSResponse(identifier, 21, 0x20, stateID);
|
||||||
|
}
|
||||||
|
|
||||||
|
constructor(private authentication: IAuthentication) {}
|
||||||
|
|
||||||
|
private buildEAPTTLSResponse(
|
||||||
|
identifier: number,
|
||||||
|
msgType = 21,
|
||||||
|
msgFlags = 0x00,
|
||||||
|
stateID: string,
|
||||||
|
data?: Buffer,
|
||||||
|
newResponse = true
|
||||||
|
): IPacketHandlerResult {
|
||||||
|
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
|
||||||
|
console.log('maxSize', maxSize);
|
||||||
|
|
||||||
|
/* it's the first one and we have more, therefore include length */
|
||||||
|
const includeLength = data && newResponse && data.length > maxSize;
|
||||||
|
|
||||||
|
// extract data party
|
||||||
|
const dataToSend = data && data.length > 0 && data.slice(0, maxSize);
|
||||||
|
const dataToQueue = data && data.length > maxSize && data.slice(maxSize);
|
||||||
|
|
||||||
|
/*
|
||||||
|
0 1 2 3 4 5 6 7 8
|
||||||
|
+-+-+-+-+-+-+-+-+
|
||||||
|
|L M R R R R R R|
|
||||||
|
+-+-+-+-+-+-+-+-+
|
||||||
|
|
||||||
|
L = Length included
|
||||||
|
M = More fragments
|
||||||
|
R = Reserved
|
||||||
|
|
||||||
|
The L bit (length included) is set to indicate the presence of the
|
||||||
|
four-octet TLS Message Length field, and MUST be set for the first
|
||||||
|
fragment of a fragmented TLS message or set of messages. The M
|
||||||
|
bit (more fragments) is set on all but the last fragment.
|
||||||
|
Implementations of this specification MUST set the reserved bits
|
||||||
|
to zero, and MUST ignore them on reception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
const flags =
|
||||||
|
msgFlags +
|
||||||
|
(includeLength ? 0b10000000 : 0) + // set L bit
|
||||||
|
(dataToQueue && dataToQueue.length > 0 ? 0b01000000 : 0); // we have more data to come, set M bit
|
||||||
|
|
||||||
|
let buffer = Buffer.from([
|
||||||
|
1, // request
|
||||||
|
identifier + 1, // increase id by 1
|
||||||
|
0, // length (1/2)
|
||||||
|
0, // length (2/2)
|
||||||
|
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
||||||
|
flags // flags: 000000 (L include lenghts, M .. more to come)
|
||||||
|
]);
|
||||||
|
|
||||||
|
// append length
|
||||||
|
if (includeLength && data) {
|
||||||
|
const length = Buffer.alloc(4);
|
||||||
|
length.writeInt32BE(data.byteLength, 0);
|
||||||
|
|
||||||
|
buffer = Buffer.concat([buffer, length]);
|
||||||
|
}
|
||||||
|
|
||||||
|
// build final buffer with data
|
||||||
|
const resBuffer = dataToSend ? Buffer.concat([buffer, dataToSend]) : buffer;
|
||||||
|
|
||||||
|
// set EAP length header
|
||||||
|
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
||||||
|
|
||||||
|
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
|
||||||
|
code: 1,
|
||||||
|
identifier: identifier + 1,
|
||||||
|
includeLength,
|
||||||
|
dataLength: (data && data.byteLength) || 0,
|
||||||
|
msgType: msgType.toString(10),
|
||||||
|
flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||||
|
data
|
||||||
|
});
|
||||||
|
|
||||||
|
if (dataToQueue) {
|
||||||
|
// we couldn't send all at once, queue the rest and send later
|
||||||
|
this.queueData.set(stateID, dataToQueue);
|
||||||
|
} else {
|
||||||
|
this.queueData.del(stateID);
|
||||||
|
}
|
||||||
|
|
||||||
|
const attributes: any = [['State', Buffer.from(stateID)]];
|
||||||
|
let sentDataSize = 0;
|
||||||
|
do {
|
||||||
|
if (resBuffer.length > 0) {
|
||||||
|
attributes.push([
|
||||||
|
'EAP-Message',
|
||||||
|
resBuffer.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||||
|
]);
|
||||||
|
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||||
|
}
|
||||||
|
} while (sentDataSize < resBuffer.length);
|
||||||
|
|
||||||
|
return {
|
||||||
|
code: PacketResponseCode.AccessChallenge,
|
||||||
|
attributes
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
decodeTTLSMessage(msg: Buffer) {
|
||||||
|
/**
|
||||||
|
* The EAP-TTLS packet format is shown below. The fields are
|
||||||
|
transmitted left to right.
|
||||||
|
|
||||||
|
0 1 2 3
|
||||||
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Code | Identifier | Length |
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
| Type | Flags | Message Length
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
Message Length | Data...
|
||||||
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
|
*/
|
||||||
|
|
||||||
|
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
|
||||||
|
/*
|
||||||
|
0 1 2 3 4 5 6 7
|
||||||
|
+---+---+---+---+---+---+---+---+
|
||||||
|
| L | M | S | R | R | V |
|
||||||
|
+---+---+---+---+---+---+---+---+
|
||||||
|
|
||||||
|
L = Length included
|
||||||
|
M = More fragments
|
||||||
|
S = Start
|
||||||
|
R = Reserved
|
||||||
|
V = Version (000 for EAP-TTLSv0)
|
||||||
|
*/
|
||||||
|
const decodedFlags = {
|
||||||
|
// L
|
||||||
|
lengthIncluded: flags & 0b010000000,
|
||||||
|
// M
|
||||||
|
moreFragments: flags & 0b001000000,
|
||||||
|
// S
|
||||||
|
start: flags & 0b000100000,
|
||||||
|
// R
|
||||||
|
// reserved: flags & 0b000011000,
|
||||||
|
// V
|
||||||
|
version: flags & 0b010000111
|
||||||
|
};
|
||||||
|
|
||||||
|
let msglength;
|
||||||
|
if (decodedFlags.lengthIncluded) {
|
||||||
|
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
|
||||||
|
}
|
||||||
|
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
|
||||||
|
|
||||||
|
return {
|
||||||
|
decodedFlags,
|
||||||
|
msglength,
|
||||||
|
data
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
authResponse(
|
||||||
|
identifier: number,
|
||||||
|
success: boolean,
|
||||||
|
socket: tls.TLSSocket,
|
||||||
|
packet: RadiusPacket
|
||||||
|
): IPacketHandlerResult {
|
||||||
|
const buffer = Buffer.from([
|
||||||
|
success ? 3 : 4, // 3.. success, 4... failure
|
||||||
|
identifier + 1,
|
||||||
|
0, // length (1/2)
|
||||||
|
4 // length (2/2)
|
||||||
|
]);
|
||||||
|
|
||||||
|
const attributes: any[] = [];
|
||||||
|
attributes.push(['EAP-Message', buffer]);
|
||||||
|
|
||||||
|
if (packet.attributes && packet.attributes['User-Name']) {
|
||||||
|
// reappend username to response
|
||||||
|
attributes.push(['User-Name', packet.attributes['User-Name']]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
if (sess->eap_if->eapKeyDataLen > 64) {
|
||||||
|
len = 32;
|
||||||
|
} else {
|
||||||
|
len = sess->eap_if->eapKeyDataLen / 2;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
if (tlsHasExportKeyingMaterial(socket)) {
|
||||||
|
const keyingMaterial = (socket as any).exportKeyingMaterial(128, 'ttls keying material');
|
||||||
|
|
||||||
|
// console.log('keyingMaterial', keyingMaterial);
|
||||||
|
|
||||||
|
// eapKeyData + len
|
||||||
|
attributes.push([
|
||||||
|
'Vendor-Specific',
|
||||||
|
311,
|
||||||
|
[
|
||||||
|
[
|
||||||
|
16,
|
||||||
|
encodeTunnelPW(
|
||||||
|
keyingMaterial.slice(64),
|
||||||
|
(packet as any).authenticator,
|
||||||
|
// params.packet.attributes['Message-Authenticator'],
|
||||||
|
secret
|
||||||
|
)
|
||||||
|
]
|
||||||
|
]
|
||||||
|
]); // MS-MPPE-Send-Key
|
||||||
|
|
||||||
|
// eapKeyData
|
||||||
|
attributes.push([
|
||||||
|
'Vendor-Specific',
|
||||||
|
311,
|
||||||
|
[
|
||||||
|
[
|
||||||
|
17,
|
||||||
|
encodeTunnelPW(
|
||||||
|
keyingMaterial.slice(0, 64),
|
||||||
|
(packet as any).authenticator,
|
||||||
|
// params.packet.attributes['Message-Authenticator'],
|
||||||
|
secret
|
||||||
|
)
|
||||||
|
]
|
||||||
|
]
|
||||||
|
]); // MS-MPPE-Recv-Key
|
||||||
|
} else {
|
||||||
|
console.error(
|
||||||
|
'FATAL: no exportKeyingMaterial method available!!!, you need latest NODE JS, see https://github.com/nodejs/node/pull/31814'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
return {
|
||||||
|
code: success ? PacketResponseCode.AccessAccept : PacketResponseCode.AccessReject,
|
||||||
|
attributes
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
async handleMessage(
|
||||||
|
identifier: number,
|
||||||
|
stateID: string,
|
||||||
|
msg: Buffer,
|
||||||
|
orgRadiusPacket: RadiusPacket
|
||||||
|
): Promise<IPacketHandlerResult> {
|
||||||
|
const { decodedFlags, msglength, data } = this.decodeTTLSMessage(msg);
|
||||||
|
|
||||||
|
// check if no data package is there and we have something in the queue, if so.. empty the queue first
|
||||||
|
if (!data || data.length === 0) {
|
||||||
|
console.warn(
|
||||||
|
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
|
||||||
|
);
|
||||||
|
const queuedData = this.queueData.get(stateID);
|
||||||
|
if (queuedData instanceof Buffer && queuedData.length > 0) {
|
||||||
|
return this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, queuedData, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
return {};
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
|
||||||
|
// flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||||
|
decodedFlags,
|
||||||
|
identifier,
|
||||||
|
msglength
|
||||||
|
// data,
|
||||||
|
// dataStr: data.toString()
|
||||||
|
});
|
||||||
|
|
||||||
|
let connection = this.openTLSSockets.get(stateID) as ITLSServer;
|
||||||
|
|
||||||
|
if (!connection) {
|
||||||
|
connection = startTLSServer();
|
||||||
|
this.openTLSSockets.set(stateID, connection);
|
||||||
|
|
||||||
|
connection.events.on('end', () => {
|
||||||
|
// cleanup socket
|
||||||
|
console.log('ENDING SOCKET');
|
||||||
|
this.openTLSSockets.del(stateID);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
const sendResponsePromise = newDeferredPromise();
|
||||||
|
|
||||||
|
const incomingMessageHandler = async (incomingData: Buffer) => {
|
||||||
|
const type = incomingData.slice(3, 4).readUInt8(0);
|
||||||
|
// const code = data.slice(4, 5).readUInt8(0);
|
||||||
|
|
||||||
|
switch (type) {
|
||||||
|
case 1: // PAP / CHAP
|
||||||
|
try {
|
||||||
|
const { username, password } = this.papChallenge.decode(incomingData);
|
||||||
|
const authResult = await this.authentication.authenticate(username, password);
|
||||||
|
|
||||||
|
sendResponsePromise.resolve(
|
||||||
|
this.authResponse(identifier, authResult, connection.tls, orgRadiusPacket)
|
||||||
|
);
|
||||||
|
} catch (err) {
|
||||||
|
// pwd not found..
|
||||||
|
console.error('pwd not found', err);
|
||||||
|
connection.events.emit('end');
|
||||||
|
// NAK
|
||||||
|
sendResponsePromise.resolve(this.buildEAPTTLSResponse(identifier, 3, 0, stateID));
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
console.log('data', incomingData);
|
||||||
|
console.log('data str', incomingData.toString());
|
||||||
|
|
||||||
|
// currentConnection!.events.emit('end');
|
||||||
|
|
||||||
|
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
|
||||||
|
// throw new Error(`unsupported auth type${type}`);
|
||||||
|
sendResponsePromise.resolve(
|
||||||
|
this.buildEAPTTLSResponse(identifier, 3, 0, stateID, Buffer.from([1]))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
const responseHandler = (encryptedResponseData: Buffer) => {
|
||||||
|
// send back...
|
||||||
|
sendResponsePromise.resolve(
|
||||||
|
this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData)
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
// register event listeners
|
||||||
|
connection.events.on('incoming', incomingMessageHandler);
|
||||||
|
connection.events.on('response', responseHandler);
|
||||||
|
|
||||||
|
// emit data to tls server
|
||||||
|
connection.events.emit('send', data);
|
||||||
|
const responseData = await sendResponsePromise.promise;
|
||||||
|
|
||||||
|
// cleanup
|
||||||
|
connection.events.off('incoming', incomingMessageHandler);
|
||||||
|
connection.events.off('response', responseHandler);
|
||||||
|
|
||||||
|
// send response
|
||||||
|
return responseData; // this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData);
|
||||||
|
}
|
||||||
|
}
|
@ -1,4 +1,4 @@
|
|||||||
import { IEAPChallenge } from '../../types/EAPChallenge';
|
import { IEAPChallenge } from '../../../../types/EAPChallenge';
|
||||||
|
|
||||||
export class PAPChallenge implements IEAPChallenge {
|
export class PAPChallenge implements IEAPChallenge {
|
||||||
// i couldn't find any documentation about it, therefore best guess how this is processed...
|
// i couldn't find any documentation about it, therefore best guess how this is processed...
|
@ -0,0 +1,80 @@
|
|||||||
|
import * as dgram from 'dgram';
|
||||||
|
import { SocketType } from 'dgram';
|
||||||
|
import * as events from 'events';
|
||||||
|
import { EventEmitter } from 'events';
|
||||||
|
import { newDeferredPromise } from '../helpers';
|
||||||
|
import { IServer } from '../types/Server';
|
||||||
|
|
||||||
|
export class UDPServer extends events.EventEmitter implements IServer {
|
||||||
|
static MAX_RETRIES = 3;
|
||||||
|
|
||||||
|
private timeout: { [key: string]: NodeJS.Timeout } = {};
|
||||||
|
|
||||||
|
private server: dgram.Socket;
|
||||||
|
|
||||||
|
constructor(private port: number, type: SocketType = 'udp4') {
|
||||||
|
super();
|
||||||
|
this.server = dgram.createSocket(type);
|
||||||
|
}
|
||||||
|
|
||||||
|
sendToClient(
|
||||||
|
msg: string | Uint8Array,
|
||||||
|
port?: number,
|
||||||
|
address?: string,
|
||||||
|
callback?: (error: Error | null, bytes: number) => void,
|
||||||
|
expectAcknowledgment = true
|
||||||
|
): void {
|
||||||
|
let retried = 0;
|
||||||
|
|
||||||
|
const sendResponse = (): void => {
|
||||||
|
if (retried > 0) {
|
||||||
|
console.warn(
|
||||||
|
`no confirmation of last message from ${address}:${port}, re-sending response... (bytes: ${msg.length}, try: ${retried}/${UDPServer.MAX_RETRIES})`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// send message to client
|
||||||
|
this.server.send(msg, 0, msg.length, port, address, callback);
|
||||||
|
|
||||||
|
// retry up to MAX_RETRIES to send this message,
|
||||||
|
// we automatically retry if there is no confirmation (=any incoming message from client)
|
||||||
|
// if expectAcknowledgment (e.g. Access-Accept or Access-Reject) is set, we do not retry
|
||||||
|
const identifierForRetry = `${address}:${port}`;
|
||||||
|
if (expectAcknowledgment && retried < UDPServer.MAX_RETRIES) {
|
||||||
|
this.timeout[identifierForRetry] = setTimeout(sendResponse, 600 * (retried + 1));
|
||||||
|
}
|
||||||
|
retried += 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
sendResponse();
|
||||||
|
}
|
||||||
|
|
||||||
|
async start(): Promise<EventEmitter> {
|
||||||
|
const startServer = newDeferredPromise();
|
||||||
|
this.server.on('listening', () => {
|
||||||
|
const address = this.server.address();
|
||||||
|
console.log(`radius server listening ${address.address}:${address.port}`);
|
||||||
|
|
||||||
|
this.setupListeners();
|
||||||
|
startServer.resolve();
|
||||||
|
});
|
||||||
|
|
||||||
|
this.server.on('message', (_msg, rinfo) => {
|
||||||
|
console.log('incoming message 2');
|
||||||
|
|
||||||
|
// message retrieved, reset timeout handler
|
||||||
|
const identifierForRetry = `${rinfo.address}:${rinfo.port}`;
|
||||||
|
if (this.timeout[identifierForRetry]) {
|
||||||
|
clearTimeout(this.timeout[identifierForRetry]);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
this.server.bind(this.port);
|
||||||
|
|
||||||
|
return startServer.promise;
|
||||||
|
}
|
||||||
|
|
||||||
|
private setupListeners() {
|
||||||
|
this.server.on('message', (message, rinfo) => this.emit('message', message, rinfo));
|
||||||
|
}
|
||||||
|
}
|
@ -1,3 +1,3 @@
|
|||||||
export interface IAuthentication {
|
export interface IAuthentication {
|
||||||
authenticate(username: string, password: string): Promise<string>;
|
authenticate(username: string, password: string): Promise<boolean>;
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,15 @@
|
|||||||
|
import { RadiusPacket } from 'radius';
|
||||||
|
import { IPacketHandlerResult } from './PacketHandler';
|
||||||
|
|
||||||
|
export interface IEAPMethod {
|
||||||
|
getEAPType(): number;
|
||||||
|
|
||||||
|
identify(identifier: number, stateID: string): IPacketHandlerResult;
|
||||||
|
|
||||||
|
handleMessage(
|
||||||
|
identifier: number,
|
||||||
|
stateID: string,
|
||||||
|
msg: Buffer,
|
||||||
|
orgRadiusPacket?: RadiusPacket
|
||||||
|
): Promise<IPacketHandlerResult>;
|
||||||
|
}
|
@ -1,3 +0,0 @@
|
|||||||
export interface IEAPType {
|
|
||||||
handleMessage(msg: Buffer, state: string, handlers, identifier: number);
|
|
||||||
}
|
|
@ -0,0 +1,19 @@
|
|||||||
|
import { RadiusPacket } from 'radius';
|
||||||
|
|
||||||
|
export enum PacketResponseCode {
|
||||||
|
AccessChallenge = 'Access-Challenge',
|
||||||
|
AccessAccept = 'Access-Accept',
|
||||||
|
AccessReject = 'Access-Reject'
|
||||||
|
}
|
||||||
|
|
||||||
|
export interface IPacketHandlerResult {
|
||||||
|
code?: PacketResponseCode;
|
||||||
|
attributes?: [string, Buffer][];
|
||||||
|
}
|
||||||
|
|
||||||
|
export interface IPacketHandler {
|
||||||
|
handlePacket(
|
||||||
|
attributes: { [key: string]: Buffer },
|
||||||
|
orgRadiusPacket: RadiusPacket
|
||||||
|
): Promise<IPacketHandlerResult>;
|
||||||
|
}
|
@ -0,0 +1,32 @@
|
|||||||
|
import { RemoteInfo } from 'dgram';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @fires IServer#message
|
||||||
|
*/
|
||||||
|
export interface IServer {
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @param msg
|
||||||
|
* @param port
|
||||||
|
* @param address
|
||||||
|
* @param callback
|
||||||
|
* @param expectAcknowledgment: if set to false, message is not retried to send again if there is no confirmation
|
||||||
|
*/
|
||||||
|
sendToClient(
|
||||||
|
msg: string | Uint8Array,
|
||||||
|
port?: number,
|
||||||
|
address?: string,
|
||||||
|
callback?: (error: Error | null, bytes: number) => void,
|
||||||
|
expectAcknowledgment?: boolean
|
||||||
|
): void;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Message event.
|
||||||
|
*
|
||||||
|
* @event IServer#message
|
||||||
|
* @type {object}
|
||||||
|
* @property {message} data - the data of the incoming message
|
||||||
|
* @property {rinfo} optionally remote information
|
||||||
|
*/
|
||||||
|
on(event: 'message', listener: (msg: Buffer, rinfo?: RemoteInfo) => void): this;
|
||||||
|
}
|
@ -1,8 +1,10 @@
|
|||||||
this is based on freeradius cert directory :)
|
this is based on freeradius cert directory :)
|
||||||
|
|
||||||
1.) edit ca.cnf
|
there is a default certificate already present, if you want to create your own, follow these steps:
|
||||||
2.) edit server.cnf
|
|
||||||
3.) replace your choosen pwd (deafult is whatever2020) in create.sh
|
1. edit ca.cnf
|
||||||
4.) run ./create.sh
|
2. edit server.cnf
|
||||||
5.) set your choosen pwd in ~/config.js
|
3. replace your choosen pwd (deafult is whatever2020) in create.sh
|
||||||
|
4. run ./create.sh
|
||||||
|
5. set your choosen pwd in ~/config.js
|
||||||
|
|
||||||
|
@ -0,0 +1,30 @@
|
|||||||
|
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||||
|
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI1Fm+/6EHcV8CAggA
|
||||||
|
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECP14mHLiQP0EBIIEyFFD//WLNJgR
|
||||||
|
nADmlyQgvEtEH+Rbbd6OtUXyXVLk9OtDG3s/JTh8SeeieJbm3PaLanAcyV/DgB2Q
|
||||||
|
lseLe3WLLQSQ2lOjlU2e6KsRk+NDFaiJ5BZqISHfmrOJnZPg27rXN5EeCReRWwAr
|
||||||
|
Myyb9Ijbw9j1LL4EwoEKmJ59XEC5Cy4bIyEDROF7ONJvwzaRyPPT5ZsB5qxozjp7
|
||||||
|
C4YOr55AUhidEHBxmFdU7Sx1uJhxYFRccGV7m4C+00z2TKx81IWFtbj2404mBMQM
|
||||||
|
WGf7Ncfuw1SsRwCxv89Z6+eP38Un3egT+inTFeP4E3iMWdZiK9JpYRO6qZzYdw9o
|
||||||
|
4QyAl+oJIFjPImA+vX29J6C0BFvFAnZwmLe30nK9HMja/qynNjeF//sC3LpuC4Dx
|
||||||
|
f07Od5X6Bq7OMmMgBNPr1Y+MmwDomrthlJhUIovowHIKQnim/Awmwv613H0kI9Dp
|
||||||
|
bp04LMcY63cZL/ShyAG3hNqnDs6ULKv/35IA2HOPyyOzhrJl5OJbCxaoW4rp96nK
|
||||||
|
JTFAxI2oQZtNKX4tmxP0QZ5kmd3jmBtjmuqyIGQO3PRA465bxCO6Rajo1kOhygab
|
||||||
|
9L3dp3FRIRkWJzSxIteEmkv6RgT4CvS9d9dwk1t+GKqH7Qcg++2+/Yy7rWopxsRY
|
||||||
|
hjAygy/kLE3HXZUgHWuJhomSTNfkjj6sHEFUiIB8RJ9DWoRkfkloGUml5/4QoGWn
|
||||||
|
qo4qOs5vXt1iRnc65cXgT2h/IX/ohcPcZirI0gf9mKN470U5zzlUpDmCMVYgv+gh
|
||||||
|
Te0uhghT4GIk6fZWTUKTiLmqvG6hEdVeHAfboJ6aPzrQYT2XnonRf9hQfq2SmznC
|
||||||
|
J7MNHaLqeR0pULxxWY+UrS3oPhQ4ICDMDEGQxwVNpqLjzQJnZjI7ZYQKS324FDaH
|
||||||
|
PPrdG/a9bc3lVeBdcCjvH6Tz+rHUYW4x7WGUeYprz7rAl8XtYtl+zT3bngLxO3D5
|
||||||
|
mc6R+aGE1tcBY0EL1K2K0UzPqNLSUTrgnw4K+L2sgQJqKrpdyGcAZYnW0eH6ULIl
|
||||||
|
VgKL1Ef0lX7cD6sdxASYHgqyYfc4+vAo6drwKXwb98jQFe5q73d5f1SqOiC/APuR
|
||||||
|
ZIMRVMBydD3Mp0L7lokDpS6eraTZ+XeGwtbEzb2mC4urYoT9yEH4CdOwUe0GrKQE
|
||||||
|
B/6mV0MEyrzlWxFpxZFkByLFf1FBlqKHpd09Sj9TdNiZom+mc90D76FiyZ83H+Pp
|
||||||
|
D9tzelr8G5A5RVEPOaHOVL1LiDQA12B5tFhgFldUI4BXJu+LnR/4qNyNt2xedrHO
|
||||||
|
GY/FoJjlnTMf5/S3erH+1VeIwjrnwrl4w3o2zymE19Yb2zEt9fyP67R0q/trZOs+
|
||||||
|
umxTOxyFvJCzZoLkIFz9oGfo+IQYqqxfPC0gYYlkF1jWX1MarLwZoiXSHEkBlfez
|
||||||
|
t61ZqYxNMWt8cxwfb5MfRpeXaY4wH1o6+GW8DgNMeq5LxgLASkvNdG0dzXTK8DPG
|
||||||
|
sGx09dFGEDKYmljT+1chL+KjkxWIqgrq05NwpE/7OF3ZuiG2hv6ys5STY3URnINg
|
||||||
|
lz7zqzgt1gMeCV8kikXKWXwKqxH0L14AYMDhfPaXRM23nsjC3c/h4CfySUutlpxp
|
||||||
|
M2oE3tWQQ6TOv3yAqhRj+g==
|
||||||
|
-----END ENCRYPTED PRIVATE KEY-----
|
@ -1,29 +1,29 @@
|
|||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIE+jCCA+KgAwIBAgIUVIBUu2vZ0TrxOwqlIyfxooaF4bIwDQYJKoZIhvcNAQEL
|
MIIE+jCCA+KgAwIBAgIUA7R4NLhoa6Mt/Zek66V7+Qnx9VEwDQYJKoZIhvcNAQEL
|
||||||
BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNv
|
BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNv
|
||||||
bWV3aGVyZTEVMBMGA1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFh
|
bWV3aGVyZTEVMBMGA1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFh
|
||||||
ZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBB
|
ZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBB
|
||||||
dXRob3JpdHkwHhcNMjAwMjIyMTYzNzAxWhcNMjkxMjMxMTYzNzAxWjCBkzELMAkG
|
dXRob3JpdHkwHhcNMjAwMjIyMTcwNTM4WhcNMjkxMjMxMTcwNTM4WjCBkzELMAkG
|
||||||
A1UEBhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUw
|
A1UEBhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUw
|
||||||
EwYDVQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w
|
EwYDVQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w
|
||||||
bGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTCC
|
bGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTCC
|
||||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMg5QnJc+a8K0YGIcnZ0OfFZ
|
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrt1oTLVGNfvZvmsQd7L0Ts
|
||||||
ZNQUMIBJIxdE3LnIa1Y6JNA89oVodtD/J4bFOHa8ehji7R6JzTCpDi6Sc61D9mT2
|
dttTKZcJynIlDX/2QJ7F77/sywrY69Bch14Gn2MhEhpRnn5GIKpEzE8KTDgg5iOV
|
||||||
Fa1sm8wSrD4NU+tMlaK5U73C6nYrAtnTpFnDeQQEzgfyzoN988QXAknY++Ls0CU/
|
FOwClfMwlhzksx7VpwSjSFhxbudxWgpk8RoGmuPaB4rJLHPo7B6Pv4DduxFpO5aF
|
||||||
B2Pjd5D4Sk1VOOf88/XYyU5OM5jT5/skOuBULdGhbL9TME3PRieMLOokTFZjNnDy
|
IxKdPFCi1sKKzJAi+88SSX5KhX+MQgwiqbLjdeXxx+ofTZig7IymiJUUbcdtiQPq
|
||||||
uCKV3p5PD8MYAVh6qNEdHHnQMp559JfdzAh2FZPvdr88MbhO78pFCymdnOkhIr6M
|
KYXjcFH/XLhJMx52GKBk9YK5yvoDwYzGs+FKkPgWCbifUHnzkQ+/v3yKsvnFS/vq
|
||||||
ZvBqDLxaV7mjcduU/U1lq13CekZ2DUTDpbUa9z4w+BiqgFpWJdxy0ZTwpwPBqd8C
|
Rb1uPA3PkJnbZwCLb0hGKh8YvGUIr+9WT4MLQPOBKgfRUHEjNxvdYCUaw6xz+8EC
|
||||||
AwEAAaOCAUIwggE+MB0GA1UdDgQWBBR0nqW1x1vNwtdFezphgGtkz7B2RjCB0wYD
|
AwEAAaOCAUIwggE+MB0GA1UdDgQWBBQi2Mb/nVfuJREdj/wvqVAtZNxhXzCB0wYD
|
||||||
VR0jBIHLMIHIgBR0nqW1x1vNwtdFezphgGtkz7B2RqGBmaSBljCBkzELMAkGA1UE
|
VR0jBIHLMIHIgBQi2Mb/nVfuJREdj/wvqVAtZNxhX6GBmaSBljCBkzELMAkGA1UE
|
||||||
BhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYD
|
BhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYD
|
||||||
VQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
|
VQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
|
||||||
b3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eYIUVIBU
|
b3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eYIUA7R4
|
||||||
u2vZ0TrxOwqlIyfxooaF4bIwDwYDVR0TAQH/BAUwAwEB/zA2BgNVHR8ELzAtMCug
|
NLhoa6Mt/Zek66V7+Qnx9VEwDwYDVR0TAQH/BAUwAwEB/zA2BgNVHR8ELzAtMCug
|
||||||
KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUub3JnL2V4YW1wbGVfY2EuY3JsMA0GCSqG
|
KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUub3JnL2V4YW1wbGVfY2EuY3JsMA0GCSqG
|
||||||
SIb3DQEBCwUAA4IBAQAdywbOcOa9XSx/hEOKkG4rZR8F6eb+z/u+BYfEhQE4unTR
|
SIb3DQEBCwUAA4IBAQCOSSpCkK1kF4MlctIhNnMjP6AcxhPYFhDPrTCy+lGmNw0S
|
||||||
3ihNarsHwteTQArabTRzuV8+phX7fgkQJHmp1NOpJVmMEr3JOs00SGbisxDmK0Z3
|
4L73ZHoTtmPsEc7p4d3qxy1WddRS3M6+0vyQz5Yhe1xQZy+SExeYxOX8sXqK1Uu3
|
||||||
2HkE+DjpYo2Sz8b77YD1AWk705rJkJ0Jp5+d/BLk6CjCr524XsSKLwKRWKOit3eu
|
37rY7oz26DkITOdI4FFtcNKtAcu8rVg2kZO/66RUiQSA6V3rzAVcFGrHHP4ZoPqV
|
||||||
WKsbt+VMd7d8jDvgwrtKLDpGv/sBym5w9zQjUqOTPBr70BBbpynJD62mzdr5OjIc
|
qy+OqO8dcldlf70B7fLnf2N28drdpkUeJEGhGRzO42gN55Zj9RVH3NCZDZI1uz2B
|
||||||
JiZKjusr1fieOeBzo2us+hFdvoCmW8X4hwVAyWm4JgP1yZ9IT/KLnFtJo0k/BM3B
|
ESIwjFWBFDeteux8O9BZhfNJ+Zmc9BS+1CvjMCCEAeRCjpAWdyLa+uquq5tII4Me
|
||||||
lzcz90I0zzpewC8xxaWJ7kz6h+eSIa3orlSIug4o
|
STKrTWjHUmq0zjDmjOowB8xWvoWONW19nsSSqGC8
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
@ -0,0 +1,80 @@
|
|||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number: 0 (0x0)
|
||||||
|
Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
Issuer: C=AT, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.org, CN=Example Certificate Authority
|
||||||
|
Validity
|
||||||
|
Not Before: Feb 22 17:05:38 2020 GMT
|
||||||
|
Not After : Jul 27 17:05:38 2036 GMT
|
||||||
|
Subject: C=AT, ST=Radius, O=Example Inc., CN=Example Certificate Authority/emailAddress=admin@example.org
|
||||||
|
Subject Public Key Info:
|
||||||
|
Public Key Algorithm: rsaEncryption
|
||||||
|
RSA Public-Key: (2048 bit)
|
||||||
|
Modulus:
|
||||||
|
00:b5:ad:78:5d:89:14:28:92:55:e7:c1:e0:15:46:
|
||||||
|
e7:ea:da:ea:98:bb:ec:33:17:ee:d6:e3:37:1c:34:
|
||||||
|
ea:4e:87:a1:c9:d3:19:de:95:6f:c1:76:13:e0:b4:
|
||||||
|
f5:08:3e:fe:5a:76:b8:4a:e4:94:07:8b:67:4b:b5:
|
||||||
|
d1:97:c1:d3:e1:b1:cd:84:5b:16:aa:dc:56:5b:ff:
|
||||||
|
0a:e7:f3:79:a3:47:4d:5b:6d:e4:d6:21:a0:eb:e1:
|
||||||
|
54:83:87:1c:c5:18:de:d8:52:40:93:7e:fb:c5:df:
|
||||||
|
73:3c:d6:0b:a3:1d:9f:36:c7:6f:59:90:d7:5f:82:
|
||||||
|
80:fe:82:05:1b:1b:77:92:04:c9:25:88:8f:9c:35:
|
||||||
|
91:cc:86:a0:8f:8f:9b:2e:2c:62:af:f3:8a:16:75:
|
||||||
|
30:61:47:8d:24:ea:35:84:43:33:01:ed:d7:33:2c:
|
||||||
|
29:4f:2c:8d:f5:b7:b3:bd:74:4f:2e:83:2d:e1:d6:
|
||||||
|
3d:5e:d9:14:c3:a1:89:38:4d:29:4b:ae:39:c8:a2:
|
||||||
|
dd:ad:f1:42:c8:0d:6c:29:eb:70:c8:dc:e7:41:59:
|
||||||
|
47:1c:89:52:62:53:9c:35:58:8a:39:16:87:61:f2:
|
||||||
|
11:26:3a:2b:a2:19:29:c2:77:31:de:1c:74:c6:57:
|
||||||
|
3a:15:8b:2f:29:61:a7:45:b4:d8:70:a4:d2:ef:da:
|
||||||
|
5d:a1
|
||||||
|
Exponent: 65537 (0x10001)
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Extended Key Usage:
|
||||||
|
TLS Web Server Authentication
|
||||||
|
X509v3 CRL Distribution Points:
|
||||||
|
|
||||||
|
Full Name:
|
||||||
|
URI:http://www.example.com/example_ca.crl
|
||||||
|
|
||||||
|
Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
60:49:5c:0c:1d:1a:c3:86:16:b7:d8:63:b7:b9:9b:4d:74:49:
|
||||||
|
25:05:c0:28:f4:c6:95:ce:63:95:b7:99:41:54:7f:64:5d:9a:
|
||||||
|
8f:f5:a7:96:09:8c:67:42:61:5d:c5:af:e4:d9:33:28:20:2a:
|
||||||
|
1f:76:5b:a7:1f:54:47:c4:94:4f:de:bb:6d:ea:36:51:44:bf:
|
||||||
|
90:82:b3:7c:91:28:6a:1e:dd:76:66:38:2c:0f:ed:8a:fd:b6:
|
||||||
|
91:28:3b:59:f0:b3:42:4b:bb:fb:88:d9:d8:6f:e2:a9:79:14:
|
||||||
|
df:0b:53:76:be:23:c1:0e:96:85:aa:d9:3f:d6:60:7a:a5:a9:
|
||||||
|
5a:1d:17:05:7e:84:7a:36:0b:a0:eb:96:8d:75:08:ab:ea:e2:
|
||||||
|
9b:4c:dc:92:05:b0:bc:2a:c0:ff:21:89:02:c2:cd:07:ee:85:
|
||||||
|
55:5b:cf:bd:bc:d7:b1:8a:54:51:5a:58:f6:77:e5:76:85:26:
|
||||||
|
fd:dd:e8:ec:aa:45:c8:cf:d1:10:16:68:97:e4:e7:06:e3:22:
|
||||||
|
9c:4d:f5:85:bb:37:26:d4:fc:47:af:26:03:f3:e1:17:cc:20:
|
||||||
|
33:c1:c4:e2:b3:b7:1e:d3:0a:81:85:ff:e6:79:70:07:a7:8b:
|
||||||
|
3c:1e:9e:1b:e8:f5:a1:3e:69:c5:90:f4:7f:49:a7:19:93:fa:
|
||||||
|
65:fc:0e:43
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCQVQx
|
||||||
|
DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
|
||||||
|
eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
|
||||||
|
JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMDAyMjIx
|
||||||
|
NzA1MzhaFw0zNjA3MjcxNzA1MzhaMH8xCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZS
|
||||||
|
YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEmMCQGA1UEAwwdRXhhbXBsZSBD
|
||||||
|
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w
|
||||||
|
bGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAta14XYkUKJJV
|
||||||
|
58HgFUbn6trqmLvsMxfu1uM3HDTqToehydMZ3pVvwXYT4LT1CD7+Wna4SuSUB4tn
|
||||||
|
S7XRl8HT4bHNhFsWqtxWW/8K5/N5o0dNW23k1iGg6+FUg4ccxRje2FJAk377xd9z
|
||||||
|
PNYLox2fNsdvWZDXX4KA/oIFGxt3kgTJJYiPnDWRzIagj4+bLixir/OKFnUwYUeN
|
||||||
|
JOo1hEMzAe3XMywpTyyN9bezvXRPLoMt4dY9XtkUw6GJOE0pS645yKLdrfFCyA1s
|
||||||
|
KetwyNznQVlHHIlSYlOcNViKORaHYfIRJjorohkpwncx3hx0xlc6FYsvKWGnRbTY
|
||||||
|
cKTS79pdoQIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAt
|
||||||
|
MCugKaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0G
|
||||||
|
CSqGSIb3DQEBCwUAA4IBAQBgSVwMHRrDhha32GO3uZtNdEklBcAo9MaVzmOVt5lB
|
||||||
|
VH9kXZqP9aeWCYxnQmFdxa/k2TMoICofdlunH1RHxJRP3rtt6jZRRL+QgrN8kShq
|
||||||
|
Ht12ZjgsD+2K/baRKDtZ8LNCS7v7iNnYb+KpeRTfC1N2viPBDpaFqtk/1mB6pala
|
||||||
|
HRcFfoR6Ngug65aNdQir6uKbTNySBbC8KsD/IYkCws0H7oVVW8+9vNexilRRWlj2
|
||||||
|
d+V2hSb93ejsqkXIz9EQFmiX5OcG4yKcTfWFuzcm1PxHryYD8+EXzCAzwcTis7ce
|
||||||
|
0wqBhf/meXAHp4s8Hp4b6PWhPmnFkPR/SacZk/pl/A5D
|
||||||
|
-----END CERTIFICATE-----
|
@ -0,0 +1,30 @@
|
|||||||
|
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||||
|
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIfUSPX6P3YcECAggA
|
||||||
|
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGX0Au3iFvSjBIIEyGye/tQdIfVv
|
||||||
|
HG9CBzyejddQTYgT5IsNzTFKsASeJi/0vlQP1mvEPScgMrNO62mBPHh0+sQGyR4v
|
||||||
|
ccrqEobKUgXYJWJd60MeHJVPvB6fVBS2kBv1dmHYYuGNqlsWE82nmX8mdEOjNR9e
|
||||||
|
ZTnuULqE8QHZd0EVWhdK83iUCCb4ksOF+bJYQe7gkRWeZ3ALqq4eLtlUs4LiIaAn
|
||||||
|
VrqFWdslZLBRHfDfC/beOtxp9a/clMaTI1g0jjAKuYKkydDKl6gk6HWkyw4qnJHX
|
||||||
|
37GgReCYE72DZSmuS6mTXjsvK2cLsRmvrwWnwBaiApE9P6+RLnYyQerDMpVc1z44
|
||||||
|
s+9VCoOmggPgy+YNB09tptCJaWJaiLu6FQzAZNo/Hu1hIf7Gx4b9IXnT6vsAsTkg
|
||||||
|
K4exni026uVXd/toeh1O+bH9lE85RVxkFgnv49WpcBvfVXa93BZbAZP286dEeKI4
|
||||||
|
8EueW8fh+l1HYht+6lKN0hW5rh3nBkOFHdG0GoczmbyAsz2N/cvW20KWc75cAjdW
|
||||||
|
HG3pAwoCxzjCUVk7s6+tueNAmANRtn1zo8RKHzQ4iUVWd6WmE9v5GrSrNmvDtqyN
|
||||||
|
yLbzDd3BZuYyUwWxMjgIeYcyqlR0zSlj12SvhPnNqwwPsuqUuB7Y5lv3oTKl7RNk
|
||||||
|
GGd08a5nioYMs+0Ob/Zr4ay3so5gAmYDfIVVVp7GzERK9h8FrBylZqyaA8BS95GM
|
||||||
|
JfWJGXjKbJ2nqNqc/Ic2mYVp6AT7V4FSmYV9I+rNuRI76DdJgA3UYhQOvtvmbbFI
|
||||||
|
EyNtHCL6M8ejfbg71c5rbj7nBYLiuk5STzIiZyKPK4QmNWQ+QLy3RIgK1fMgjlzP
|
||||||
|
rgh/1hhFRUVJxiRKnDbzrTlHEeD17U4Rpz/M3M0ZsWCWWJe+FMDaJNuNfvJW3ZYQ
|
||||||
|
hBFjVhZn3VTmreFyt6nshsfGU3PeFXSXx8el4M5Sja5MCqQ86nbv9W6miOVtvkOx
|
||||||
|
7kYvHXMQpsSzkjkL9hej3PxYHcchgjRnF+l0WIs7U/RE3pRiPkm0yD9Y1IEsZIix
|
||||||
|
farOZTtPZqrOYcHwCHdRY9oxcKLZM9Rrqi5tTMk3T1ellFuX8qUj2uqSNCbhAYpC
|
||||||
|
Qx4VfKyAi9iEyBP01X0r8gprMzqtpZatGAB70XC+Wa4lUYfRt1IbHQ0MhWMWyStL
|
||||||
|
iefHkHee9MVgI3hh08ww1OmQGTnpQgKG6udxSRObLbWlAgccWjnX5YE3nOmo4Vvo
|
||||||
|
v091utdEqUZ9nrIzIvlv1lqnm0qRTY4uf99dOyl/bIr1tfWJLawL9kUbN+jl4d4C
|
||||||
|
CnilsBFTuWQBMPFE3sit91U4Ycmi3U1lmiQTXLhlCiOkyuVLGjnb7RuY1Yjm9Gso
|
||||||
|
D/t55VgF0882uVgocU3l9OnXRZLRijXEU7WWM8YF+RXTRORykcYfL/oPF8/E/NF7
|
||||||
|
DbamK79gIJUXGEdDdujFGAkJr0nYdK77sMeWfqIgf7l+RNaz3dtv2NGfWjpymbMz
|
||||||
|
RkgPUypbE4JiJVnwrsVNm20wQbE839Raijchf8ZWBEWz8nNArwe094+MQxoZHg12
|
||||||
|
Iu742/ykANJD/xXq7Nfe0d8fXWEdG3+ZgcfKUIL2oCS7/y3p4URCl6TuujBAFO8I
|
||||||
|
IBR4bJcgdHWSqRS8usbzVg==
|
||||||
|
-----END ENCRYPTED PRIVATE KEY-----
|
@ -1 +1 @@
|
|||||||
V 360727163701Z 00 unknown /C=AT/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org
|
V 360727170538Z 00 unknown /C=AT/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org
|
||||||
|
Loading…
Reference in new issue