parent
c285a15bee
commit
42a05b069f
@ -1,31 +1,32 @@
|
||||
{
|
||||
"name": "radius-server",
|
||||
"description": "radius server for google LDAP and TTLT",
|
||||
"version": "0.0.1",
|
||||
"scripts": {
|
||||
"start": "/home/simon/Dev/others/node/node dist/app.js",
|
||||
"build": "tsc",
|
||||
"dev": "ts-node src/app.ts",
|
||||
"test-ttls-pap": "eapol_test -c ./ttls-pap.conf -s testing123",
|
||||
"create-certificate": "sh ./ssl/create.sh && sh ./ssl/sign.sh"
|
||||
},
|
||||
"dependencies": {
|
||||
"native-duplexpair": "^1.0.0",
|
||||
"ldapjs": "^1.0.2",
|
||||
"node-cache": "^5.1.0",
|
||||
"radius": "~1.1.4",
|
||||
"ts-node": "^8.6.2",
|
||||
"type-cacheable": "^4.0.0",
|
||||
"yargs": "~15.1.0",
|
||||
"md5": "^2.2.1",
|
||||
"passport-ldapauth": "^2.1.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/ldapjs": "^1.0.5",
|
||||
"@types/radius": "0.0.28",
|
||||
"@hokify/eslint-config": "^0.2.2",
|
||||
"eslint": "^6.8.0",
|
||||
"prettier": "^1.19.1",
|
||||
"typescript": "^3.7.5"
|
||||
}
|
||||
"name": "radius-server",
|
||||
"description": "radius server for google LDAP and TTLT",
|
||||
"version": "0.0.1",
|
||||
"scripts": {
|
||||
"start": "/home/simon/Dev/others/node/node dist/app.js",
|
||||
"build": "tsc",
|
||||
"dev": "ts-node src/app.ts",
|
||||
"test-ttls-pap": "eapol_test -c ./ttls-pap.conf -s testing123",
|
||||
"create-certificate": "sh ./ssl/create.sh && sh ./ssl/sign.sh"
|
||||
},
|
||||
"dependencies": {
|
||||
"native-duplexpair": "^1.0.0",
|
||||
"ldapjs": "^1.0.2",
|
||||
"node-cache": "^5.1.0",
|
||||
"radius": "~1.1.4",
|
||||
"ts-node": "^8.6.2",
|
||||
"type-cacheable": "^4.0.0",
|
||||
"yargs": "~15.1.0",
|
||||
"md5": "^2.2.1",
|
||||
"passport-ldapauth": "^2.1.3"
|
||||
},
|
||||
"license": "GPLv3",
|
||||
"devDependencies": {
|
||||
"@types/ldapjs": "^1.0.5",
|
||||
"@types/radius": "0.0.28",
|
||||
"@hokify/eslint-config": "^0.2.4",
|
||||
"eslint": "^6.8.0",
|
||||
"prettier": "^1.19.1",
|
||||
"typescript": "^3.8.2"
|
||||
}
|
||||
}
|
||||
|
@ -1,186 +1,42 @@
|
||||
import * as dgram from 'dgram';
|
||||
import * as radius from 'radius';
|
||||
// import * as dgram from "dgram";
|
||||
// import * as fs from 'fs';
|
||||
import { EAPHandler } from './eap';
|
||||
import { IDeferredPromise, makeid, MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from './helpers';
|
||||
|
||||
import { GoogleLDAPAuth } from './auth/google-ldap';
|
||||
import { AdditionalAuthHandler } from './types/Handler';
|
||||
|
||||
const server = dgram.createSocket('udp4');
|
||||
import { UDPServer } from './server/UDPServer';
|
||||
import { RadiusService } from './radius/RadiusService';
|
||||
|
||||
const { argv } = require('yargs')
|
||||
.usage('RADIUS Server\nUsage: $0')
|
||||
.example('$0 --port 1812 -s radiussecret')
|
||||
.default({
|
||||
port: 1812,
|
||||
s: 'testing123',
|
||||
baseDN: 'dc=hokify,dc=com',
|
||||
ldapServer: 'ldap://127.0.0.1:1636'
|
||||
})
|
||||
.describe('baseDN', 'LDAP Base DN')
|
||||
.describe('ldapServer', 'LDAP Server')
|
||||
.describe('port', 'RADIUS server listener port')
|
||||
.alias('s', 'secret')
|
||||
.describe('secret', 'RADIUS secret')
|
||||
.string(['secret', 'baseDN'])
|
||||
.demand('secret');
|
||||
import * as config from '../config';
|
||||
|
||||
console.log(`Listener Port: ${argv.port}`);
|
||||
console.log(`RADIUS Secret: ${argv.secret}`);
|
||||
console.log(`LDAP Base DN: ${argv.baseDN}`);
|
||||
console.log(`LDAP Server: ${argv.ldapServer}`);
|
||||
console.log(`Listener Port: ${config.port || 1812}`);
|
||||
console.log(`RADIUS Secret: ${config.secret}`);
|
||||
console.log(`Auth Mode: ${config.authentication}`);
|
||||
|
||||
// const ldap = new LDAPAuth({url: 'ldap://ldap.google.com', base: 'dc=hokify,dc=com', uid: 'uid', tlsOptions});
|
||||
|
||||
const ldap = new GoogleLDAPAuth(argv.ldapServer, argv.baseDN);
|
||||
|
||||
const eapHandler = new EAPHandler();
|
||||
const timeout: { [key: string]: NodeJS.Timeout } = {};
|
||||
const waitForNextMsg: { [key: string]: IDeferredPromise } = {};
|
||||
|
||||
function sendToClient(
|
||||
msg: string | Uint8Array,
|
||||
offset: number,
|
||||
length: number,
|
||||
port?: number,
|
||||
address?: string,
|
||||
callback?: (error: Error | null, bytes: number) => void,
|
||||
stateForRetry?: string
|
||||
): void {
|
||||
let retried = 0;
|
||||
|
||||
function sendResponse() {
|
||||
console.log(`sending response... (try: ${retried})`);
|
||||
server.send(msg, offset, length, port, address, (error: Error | null, bytes: number) => {
|
||||
// all good
|
||||
|
||||
if (callback) callback(error, bytes);
|
||||
});
|
||||
|
||||
if (stateForRetry && retried < 3) {
|
||||
// timeout[stateForRetry] = setTimeout(sendResponse, 600 * (retried+1));
|
||||
}
|
||||
retried++;
|
||||
}
|
||||
|
||||
sendResponse();
|
||||
}
|
||||
|
||||
server.on('message', async function(msg, rinfo) {
|
||||
const packet = radius.decode({ packet: msg, secret: argv.secret });
|
||||
|
||||
if (packet.code !== 'Access-Request') {
|
||||
console.log('unknown packet type: ', packet.code);
|
||||
return;
|
||||
}
|
||||
// console.log('packet.attributes', packet.attributes);
|
||||
|
||||
// console.log('rinfo', rinfo);
|
||||
|
||||
async function checkAuth(
|
||||
username: string,
|
||||
password: string,
|
||||
additionalAuthHandler?: AdditionalAuthHandler
|
||||
) {
|
||||
console.log(`Access-Request for ${username}`);
|
||||
let success = false;
|
||||
try {
|
||||
await ldap.authenticate(username, password);
|
||||
success = true;
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
}
|
||||
|
||||
const attributes: any[] = [];
|
||||
|
||||
if (additionalAuthHandler) {
|
||||
await additionalAuthHandler(success, { packet, attributes, secret: argv.secret });
|
||||
}
|
||||
|
||||
const response = radius.encode_response({
|
||||
packet,
|
||||
code: success ? 'Access-Accept' : 'Access-Reject',
|
||||
secret: argv.secret,
|
||||
attributes
|
||||
});
|
||||
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
|
||||
|
||||
sendToClient(response, 0, response.length, rinfo.port, rinfo.address, function(err, _bytes) {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
if (packet.attributes['EAP-Message']) {
|
||||
const state = (packet.attributes.State && packet.attributes.State.toString()) || makeid(16);
|
||||
|
||||
if (timeout[state]) {
|
||||
clearTimeout(timeout[state]);
|
||||
}
|
||||
|
||||
const handlers = {
|
||||
response: (EAPMessage: Buffer) => {
|
||||
const attributes: any = [['State', Buffer.from(state)]];
|
||||
let sentDataSize = 0;
|
||||
do {
|
||||
if (EAPMessage.length > 0) {
|
||||
attributes.push([
|
||||
'EAP-Message',
|
||||
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||
]);
|
||||
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||
const ldap = new GoogleLDAPAuth(
|
||||
config.authenticationOptions.url,
|
||||
config.authenticationOptions.base
|
||||
);
|
||||
|
||||
const server = new UDPServer(config.port);
|
||||
const radiusService = new RadiusService(config.secret, ldap);
|
||||
|
||||
(async () => {
|
||||
server.on('message', async (msg, rinfo) => {
|
||||
const response = await radiusService.handleMessage(msg);
|
||||
|
||||
if (response) {
|
||||
server.sendToClient(
|
||||
response.data,
|
||||
rinfo.port,
|
||||
rinfo.address,
|
||||
(err, _bytes) => {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
} while (sentDataSize < EAPMessage.length);
|
||||
|
||||
const response = radius.encode_response({
|
||||
packet,
|
||||
code: 'Access-Challenge',
|
||||
secret: argv.secret,
|
||||
attributes
|
||||
});
|
||||
|
||||
waitForNextMsg[state] = newDeferredPromise();
|
||||
|
||||
sendToClient(
|
||||
response,
|
||||
0,
|
||||
response.length,
|
||||
rinfo.port,
|
||||
rinfo.address,
|
||||
function(err, _bytes) {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
},
|
||||
state
|
||||
);
|
||||
|
||||
return waitForNextMsg[state].promise;
|
||||
},
|
||||
checkAuth
|
||||
};
|
||||
|
||||
if (waitForNextMsg[state]) {
|
||||
const identifier = packet.attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
|
||||
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
|
||||
},
|
||||
response.expectAcknowledgment
|
||||
);
|
||||
}
|
||||
});
|
||||
|
||||
// EAP MESSAGE
|
||||
eapHandler.handleEAPMessage(packet.attributes['EAP-Message'], state, handlers);
|
||||
} else {
|
||||
const username = packet.attributes['User-Name'];
|
||||
const password = packet.attributes['User-Password'];
|
||||
|
||||
checkAuth(username, password);
|
||||
}
|
||||
});
|
||||
|
||||
server.on('listening', function() {
|
||||
const address = server.address();
|
||||
console.log(`radius server listening ${address.address}:${address.port}`);
|
||||
});
|
||||
|
||||
server.bind(argv.port);
|
||||
// start server
|
||||
await server.start();
|
||||
})();
|
||||
|
@ -1,219 +0,0 @@
|
||||
// https://tools.ietf.org/html/rfc3748#section-4.1
|
||||
|
||||
// https://tools.ietf.org/html/rfc5281 TTLS v0
|
||||
// https://tools.ietf.org/html/draft-funk-eap-ttls-v1-00 TTLS v1 (not implemented)
|
||||
import { IResponseHandlers, ResponseHandler } from './types/Handler';
|
||||
import { EAPTTLS } from './eap/eap-ttls';
|
||||
import { MAX_RADIUS_ATTRIBUTE_SIZE } from './helpers';
|
||||
|
||||
export class EAPHandler {
|
||||
eapTTLS: EAPTTLS;
|
||||
|
||||
constructor() {
|
||||
this.eapTTLS = new EAPTTLS(this.sendEAPResponse);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param data
|
||||
* @param type 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
|
||||
*/
|
||||
private async sendEAPResponse(
|
||||
response: ResponseHandler,
|
||||
identifier: number,
|
||||
data?: Buffer,
|
||||
msgType = 21,
|
||||
msgFlags = 0x00
|
||||
) {
|
||||
let i = 0;
|
||||
|
||||
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
|
||||
|
||||
let sentDataSize = 0;
|
||||
|
||||
let currentIdentifier = identifier;
|
||||
let currentResponse = response;
|
||||
|
||||
do {
|
||||
// SLICE
|
||||
|
||||
// const fragmentMaxPart =
|
||||
// data && (i + 1) * maxFragmentSize > data.length ? (i + 1) * maxFragmentSize : undefined;
|
||||
|
||||
const dataPart = data && data.length > 0 && data.slice(sentDataSize, sentDataSize + maxSize);
|
||||
|
||||
/* it's the first one and we have more, therefore include length */
|
||||
const includeLength = data && i === 0 && sentDataSize < data.length;
|
||||
|
||||
sentDataSize += maxSize;
|
||||
|
||||
i += 1;
|
||||
|
||||
/*
|
||||
0 1 2 3 4 5 6 7 8
|
||||
+-+-+-+-+-+-+-+-+
|
||||
|L M R R R R R R|
|
||||
+-+-+-+-+-+-+-+-+
|
||||
|
||||
L = Length included
|
||||
M = More fragments
|
||||
R = Reserved
|
||||
|
||||
The L bit (length included) is set to indicate the presence of the
|
||||
four-octet TLS Message Length field, and MUST be set for the first
|
||||
fragment of a fragmented TLS message or set of messages. The M
|
||||
bit (more fragments) is set on all but the last fragment.
|
||||
Implementations of this specification MUST set the reserved bits
|
||||
to zero, and MUST ignore them on reception.
|
||||
*/
|
||||
|
||||
const flags =
|
||||
msgFlags +
|
||||
(includeLength ? 0b10000000 : 0) + // set L bit
|
||||
(data && sentDataSize < data.length /* we have more */ ? 0b01000000 : 0); // set M bit
|
||||
|
||||
currentIdentifier++;
|
||||
|
||||
let buffer = Buffer.from([
|
||||
1, // request
|
||||
currentIdentifier,
|
||||
0, // length (1/2)
|
||||
0, // length (2/2)
|
||||
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
||||
flags // flags: 000000 (L include lenghts, M .. more to come)
|
||||
]);
|
||||
|
||||
// append length
|
||||
if (includeLength && data) {
|
||||
const length = Buffer.alloc(4);
|
||||
length.writeInt32BE(data.byteLength, 0);
|
||||
|
||||
buffer = Buffer.concat([buffer, length]);
|
||||
}
|
||||
|
||||
const resBuffer = dataPart ? Buffer.concat([buffer, dataPart]) : buffer;
|
||||
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
||||
|
||||
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
|
||||
code: 1,
|
||||
currentIdentifier,
|
||||
includeLength,
|
||||
length: (data && data.byteLength) || 0,
|
||||
msgType: msgType.toString(10),
|
||||
flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||
data
|
||||
});
|
||||
|
||||
// uffer.from([1,identifier, 0, 0, 21, 0]);
|
||||
// buffer.writeUInt16BE(sslResponse.length, 2); // length
|
||||
// buffer.writeInt8(21, 4); // eap-ttls
|
||||
// buffer.writeInt8(0, 5); // flags
|
||||
|
||||
console.log('sending message with identifier', currentIdentifier);
|
||||
({ identifier: currentIdentifier, response: currentResponse } = await currentResponse(
|
||||
resBuffer
|
||||
));
|
||||
console.log('next message got identifier', currentIdentifier);
|
||||
} while (data && sentDataSize < data.length);
|
||||
|
||||
console.log('DONE', sentDataSize, data && data.length);
|
||||
}
|
||||
|
||||
handleEAPMessage(msg: Buffer, state: string, handlers: IResponseHandlers) {
|
||||
// const b = Buffer.from([2,0x242,0x0,0x18,0x1,0x115,0x105,0x109,0x111,0x110,0x46,0x116,0x114,0x101,0x116,0x116,0x101,0x114]);
|
||||
// const msg = Buffer.from([2, 162, 0, 18, 1, 115, 105, 109, 111, 110, 46, 116, 114, 101, 116, 116, 101, 114])
|
||||
|
||||
/*
|
||||
1 Request
|
||||
2 Response
|
||||
3 Success
|
||||
4 Failure
|
||||
*/
|
||||
|
||||
const code = msg.slice(0, 1).readUInt8(0);
|
||||
const identifier = msg.slice(1, 2).readUInt8(0); // .toString('hex');
|
||||
// const length = msg.slice(2, 4).readInt16BE(0); // .toString('binary');
|
||||
const type = msg.slice(4, 5).readUInt8(0); // .slice(3,0x5).toString('hex');
|
||||
|
||||
/*
|
||||
console.log("CODE", code);
|
||||
console.log('ID', identifier);
|
||||
console.log('length', length);
|
||||
*/
|
||||
|
||||
switch (code) {
|
||||
case 1: // for request
|
||||
case 2: // for response
|
||||
switch (type) {
|
||||
case 1: // identifiy
|
||||
/**
|
||||
* The EAP-TTLS packet format is shown below. The fields are
|
||||
transmitted left to right.
|
||||
|
||||
0 1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Code | Identifier | Length |
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Type | Flags | Message Length
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
Message Length | Data...
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
*/
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
|
||||
|
||||
this.sendEAPResponse(handlers.response, identifier, undefined, 21, 0x20);
|
||||
|
||||
/*
|
||||
handlers.response(
|
||||
Buffer.from([
|
||||
1, // request
|
||||
identifier + 1,
|
||||
0, // length (1/2)
|
||||
6, // length (2/2)
|
||||
21, // EAP-TTLS
|
||||
0x20 // flags: 001000 start flag
|
||||
])
|
||||
); */
|
||||
break;
|
||||
case 21: // EAP TTLS
|
||||
this.eapTTLS.handleMessage(msg, state, handlers, identifier);
|
||||
break;
|
||||
case 3: // nak
|
||||
// this.sendEAPResponse(handlers.response, identifier, undefined, 3);
|
||||
break;
|
||||
case 2: // notification
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
|
||||
console.info('notification');
|
||||
break;
|
||||
case 4: // md5-challenge
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
|
||||
|
||||
console.info('md5-challenge');
|
||||
break;
|
||||
case 254: // expanded type
|
||||
console.error('not implemented type', type);
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
// we do not support this auth type, ask for TTLS
|
||||
console.error('unsupported type', type, 'requesting TTLS (21)');
|
||||
|
||||
this.sendEAPResponse(handlers.response, identifier, Buffer.from([21]), 3);
|
||||
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
console.log('Client Auth Success');
|
||||
break;
|
||||
case 4:
|
||||
console.log('Client Auth FAILURE');
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
// silently ignor;
|
||||
}
|
||||
}
|
||||
}
|
@ -1,233 +0,0 @@
|
||||
/* eslint-disable no-bitwise */
|
||||
import * as events from 'events';
|
||||
import * as tls from 'tls';
|
||||
import { encodeTunnelPW, openTLSSockets, startTLSServer } from '../tls/crypt';
|
||||
import { AdditionalAuthHandler, ResponseAuthHandler } from '../types/Handler';
|
||||
import { PAPChallenge } from './challenges/pap';
|
||||
import { IEAPType } from '../types/EAPType';
|
||||
|
||||
interface IEAPResponseHandlers {
|
||||
response: (respData?: Buffer, msgType?: number) => void;
|
||||
checkAuth: ResponseAuthHandler;
|
||||
}
|
||||
|
||||
export class EAPTTLS implements IEAPType {
|
||||
papChallenge: PAPChallenge;
|
||||
|
||||
constructor(private sendEAPResponse) {
|
||||
this.papChallenge = new PAPChallenge();
|
||||
}
|
||||
|
||||
decode(msg: Buffer) {
|
||||
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
|
||||
|
||||
// if (flags)
|
||||
// @todo check if "L" flag is set in flags
|
||||
const decodedFlags = {
|
||||
lengthIncluded: flags & 0b010000000,
|
||||
moreFragments: flags & 0b001000000,
|
||||
start: flags & 0b000100000,
|
||||
reserved: flags & 0b000011000,
|
||||
version: flags & 0b010000111
|
||||
};
|
||||
let msglength;
|
||||
if (decodedFlags.lengthIncluded) {
|
||||
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
|
||||
}
|
||||
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
|
||||
|
||||
return {
|
||||
decodedFlags,
|
||||
msglength,
|
||||
data
|
||||
};
|
||||
}
|
||||
|
||||
handleMessage(msg: Buffer, state: string, handlers, identifier: number) {
|
||||
const { decodedFlags, msglength, data } = this.decode(msg);
|
||||
|
||||
// check if no data package is there and we have something in the queue, if so.. empty the queue first
|
||||
if (!data || data.length === 0) {
|
||||
// @todo: queue processing
|
||||
console.warn(
|
||||
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
|
||||
// flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||
decodedFlags,
|
||||
identifier,
|
||||
/*
|
||||
0 1 2 3 4 5 6 7
|
||||
+---+---+---+---+---+---+---+---+
|
||||
| L | M | S | R | R | V |
|
||||
+---+---+---+---+---+---+---+---+
|
||||
|
||||
L = Length included
|
||||
M = More fragments
|
||||
S = Start
|
||||
R = Reserved
|
||||
V = Version (000 for EAP-TTLSv0)
|
||||
*/
|
||||
|
||||
msglength,
|
||||
data,
|
||||
dataStr: data.toString()
|
||||
});
|
||||
|
||||
let currentConnection = openTLSSockets.get(state) as
|
||||
| { events: events.EventEmitter; tls: tls.TLSSocket; currentHandlers: IEAPResponseHandlers }
|
||||
| undefined;
|
||||
if (!currentConnection) {
|
||||
const connection = startTLSServer();
|
||||
currentConnection = {
|
||||
events: connection.events,
|
||||
tls: connection.tls,
|
||||
currentHandlers: handlers
|
||||
};
|
||||
openTLSSockets.set(state, currentConnection);
|
||||
|
||||
// register event listeners
|
||||
currentConnection.events.on('incoming', (incomingData: Buffer) => {
|
||||
const type = incomingData.slice(3, 4).readUInt8(0);
|
||||
// const code = data.slice(4, 5).readUInt8(0);
|
||||
|
||||
switch (type) {
|
||||
case 1: // PAP / CHAP
|
||||
try {
|
||||
const { username, password } = this.papChallenge.decode(incomingData);
|
||||
currentConnection!.currentHandlers.checkAuth(username, password);
|
||||
} catch (err) {
|
||||
// pwd not found..
|
||||
console.error('pwd not found', err);
|
||||
// NAK
|
||||
currentConnection!.currentHandlers.response(undefined, 3);
|
||||
|
||||
/*
|
||||
this.sendEAPResponse(
|
||||
currentConnection!.currentHandlers.response,
|
||||
identifier,
|
||||
undefined,
|
||||
3
|
||||
); */
|
||||
currentConnection!.events.emit('end');
|
||||
throw new Error(`pwd not found`);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
console.log('data', incomingData);
|
||||
console.log('data str', incomingData.toString());
|
||||
|
||||
// currentConnection!.events.emit('end');
|
||||
|
||||
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
|
||||
// throw new Error(`unsupported auth type${type}`);
|
||||
currentConnection!.currentHandlers.response(Buffer.from([1]), 3);
|
||||
|
||||
/*
|
||||
this.sendEAPResponse(
|
||||
currentConnection!.currentHandlers.response,
|
||||
identifier,
|
||||
Buffer.from([1]),
|
||||
3
|
||||
); */
|
||||
}
|
||||
});
|
||||
|
||||
currentConnection.events.on('response', (responseData: Buffer) => {
|
||||
// console.log('sending encrypted data back to client', responseData);
|
||||
|
||||
// send back...
|
||||
currentConnection!.currentHandlers.response(responseData);
|
||||
// this.sendEAPResponse(currentConnection!.currentHandlers.response, identifier, responseData);
|
||||
// this.sendMessage(TYPE.PRELOGIN, data, false);
|
||||
});
|
||||
|
||||
currentConnection.events.on('end', () => {
|
||||
// cleanup socket
|
||||
console.log('ENDING SOCKET');
|
||||
openTLSSockets.del(state);
|
||||
});
|
||||
} /* else {
|
||||
console.log('using existing socket');
|
||||
} */
|
||||
|
||||
// update handlers
|
||||
currentConnection.currentHandlers = {
|
||||
response: (respData?: Buffer, msgType?: number) =>
|
||||
this.sendEAPResponse(handlers.response, identifier, respData, msgType),
|
||||
checkAuth: (username: string, password: string) => {
|
||||
const additionalAuthHandler: AdditionalAuthHandler = (success, params) => {
|
||||
const buffer = Buffer.from([
|
||||
success ? 3 : 4, // 3.. success, 4... failure
|
||||
identifier,
|
||||
0, // length (1/2)
|
||||
4 // length (2/2)
|
||||
]);
|
||||
|
||||
params.attributes.push(['EAP-Message', buffer]);
|
||||
|
||||
if (params.packet.attributes && params.packet.attributes['User-Name']) {
|
||||
// reappend username to response
|
||||
params.attributes.push(['User-Name', params.packet.attributes['User-Name']]);
|
||||
}
|
||||
|
||||
/*
|
||||
if (sess->eap_if->eapKeyDataLen > 64) {
|
||||
len = 32;
|
||||
} else {
|
||||
len = sess->eap_if->eapKeyDataLen / 2;
|
||||
}
|
||||
*/
|
||||
const keyingMaterial = (currentConnection?.tls as any).exportKeyingMaterial(
|
||||
128,
|
||||
'ttls keying material'
|
||||
);
|
||||
|
||||
// console.log('keyingMaterial', keyingMaterial);
|
||||
|
||||
// eapKeyData + len
|
||||
params.attributes.push([
|
||||
'Vendor-Specific',
|
||||
311,
|
||||
[
|
||||
[
|
||||
16,
|
||||
encodeTunnelPW(
|
||||
keyingMaterial.slice(64),
|
||||
(params.packet as any).authenticator,
|
||||
// params.packet.attributes['Message-Authenticator'],
|
||||
params.secret
|
||||
)
|
||||
]
|
||||
]
|
||||
]); // MS-MPPE-Send-Key
|
||||
|
||||
// eapKeyData
|
||||
params.attributes.push([
|
||||
'Vendor-Specific',
|
||||
311,
|
||||
[
|
||||
[
|
||||
17,
|
||||
encodeTunnelPW(
|
||||
keyingMaterial.slice(0, 64),
|
||||
(params.packet as any).authenticator,
|
||||
// params.packet.attributes['Message-Authenticator'],
|
||||
params.secret
|
||||
)
|
||||
]
|
||||
]
|
||||
]); // MS-MPPE-Recv-Key
|
||||
};
|
||||
|
||||
return handlers.checkAuth(username, password, additionalAuthHandler);
|
||||
}
|
||||
};
|
||||
|
||||
// emit data to tls server
|
||||
currentConnection.events.emit('send', data);
|
||||
}
|
||||
}
|
@ -0,0 +1,95 @@
|
||||
import * as radius from 'radius';
|
||||
import { IAuthentication } from '../types/Authentication';
|
||||
import { EAPPacketHandler } from './handler/EAPPacketHandler';
|
||||
import { DefaultPacketHandler } from './handler/DefaultPacketHandler';
|
||||
import { IPacketHandler, IPacketHandlerResult, PacketResponseCode } from '../types/PacketHandler';
|
||||
|
||||
export class RadiusService {
|
||||
radiusPacketHandlers: IPacketHandler[] = [];
|
||||
|
||||
constructor(private secret: string, private authentication: IAuthentication) {
|
||||
this.radiusPacketHandlers.push(new EAPPacketHandler(authentication));
|
||||
this.radiusPacketHandlers.push(new DefaultPacketHandler(authentication));
|
||||
}
|
||||
|
||||
async handleMessage(
|
||||
msg: Buffer
|
||||
): Promise<{ data: Buffer; expectAcknowledgment?: boolean } | undefined> {
|
||||
const packet = radius.decode({ packet: msg, secret: this.secret });
|
||||
|
||||
if (packet.code !== 'Access-Request') {
|
||||
console.log('unknown packet type: ', packet.code);
|
||||
return undefined;
|
||||
}
|
||||
// console.log('packet.attributes', packet.attributes);
|
||||
|
||||
// console.log('rinfo', rinfo);
|
||||
/*
|
||||
const checkAuth = async (
|
||||
username: string,
|
||||
password: string,
|
||||
additionalAuthHandler?: AdditionalAuthHandler
|
||||
) => {
|
||||
console.log(`Access-Request for ${username}`);
|
||||
let success = false;
|
||||
try {
|
||||
await this.authentication.authenticate(username, password);
|
||||
success = true;
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
}
|
||||
|
||||
const attributes: any[] = [];
|
||||
|
||||
if (additionalAuthHandler) {
|
||||
await additionalAuthHandler(success, { packet, attributes, secret: this.secret });
|
||||
}
|
||||
|
||||
const response = radius.encode_response({
|
||||
packet,
|
||||
code: success ? 'Access-Accept' : 'Access-Reject',
|
||||
secret: this.secret,
|
||||
attributes
|
||||
});
|
||||
console.log(`Sending ${success ? 'accept' : 'reject'} for user ${username}`);
|
||||
|
||||
this.server.sendToClient(response, rinfo.port, rinfo.address, function(err, _bytes) {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
});
|
||||
}; */
|
||||
|
||||
let response: IPacketHandlerResult;
|
||||
|
||||
let i = 0;
|
||||
if (!this.radiusPacketHandlers[i]) {
|
||||
throw new Error('no packet handlers registered');
|
||||
}
|
||||
|
||||
// process packet handlers until we get a response
|
||||
do {
|
||||
/* response is of type IPacketHandlerResult */
|
||||
response = await this.radiusPacketHandlers[i].handlePacket(packet.attributes, packet);
|
||||
i++;
|
||||
} while (this.radiusPacketHandlers[i] && (!response || !response.code));
|
||||
|
||||
// still no response, we are done here
|
||||
if (!response || !response.code) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// all fine, return radius encoded response
|
||||
return {
|
||||
data: radius.encode_response({
|
||||
packet,
|
||||
code: response.code,
|
||||
secret: this.secret,
|
||||
attributes: response.attributes
|
||||
}),
|
||||
// if message is accept or reject, we conside this as final message
|
||||
// this means we do not expect a reponse from the client again (acknowledgement for package)
|
||||
expectAcknowledgment: response.code === PacketResponseCode.AccessChallenge
|
||||
};
|
||||
}
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
import { IAuthentication } from '../../types/Authentication';
|
||||
import {
|
||||
IPacketHandler,
|
||||
IPacketHandlerResult,
|
||||
PacketResponseCode
|
||||
} from '../../types/PacketHandler';
|
||||
|
||||
export class DefaultPacketHandler implements IPacketHandler {
|
||||
constructor(private authentication: IAuthentication) {}
|
||||
|
||||
async handlePacket(attributes: { [key: string]: Buffer }): Promise<IPacketHandlerResult> {
|
||||
const username = attributes['User-Name'];
|
||||
const password = attributes['User-Password'];
|
||||
|
||||
if (!username || !password) {
|
||||
// params missing, this handler cannot continue...
|
||||
return {};
|
||||
}
|
||||
|
||||
const authenticated = await this.authentication.authenticate(
|
||||
username.toString(),
|
||||
password.toString()
|
||||
);
|
||||
if (authenticated) {
|
||||
// success
|
||||
return {
|
||||
code: PacketResponseCode.AccessAccept
|
||||
};
|
||||
}
|
||||
|
||||
// Failed
|
||||
return {
|
||||
code: PacketResponseCode.AccessReject
|
||||
};
|
||||
}
|
||||
}
|
@ -0,0 +1,193 @@
|
||||
// https://tools.ietf.org/html/rfc3748#section-4.1
|
||||
|
||||
import * as NodeCache from 'node-cache';
|
||||
import { RadiusPacket } from 'radius';
|
||||
import { EAPTTLS } from './eapMethods/EAPTTLS';
|
||||
import { makeid } from '../../helpers';
|
||||
import {
|
||||
IPacketHandler,
|
||||
IPacketHandlerResult,
|
||||
PacketResponseCode
|
||||
} from '../../types/PacketHandler';
|
||||
import { IAuthentication } from '../../types/Authentication';
|
||||
import { IEAPMethod } from '../../types/EAPMethod';
|
||||
|
||||
export class EAPPacketHandler implements IPacketHandler {
|
||||
private eapMethods: IEAPMethod[] = [];
|
||||
|
||||
// private eapConnectionStates: { [key: string]: { validMethods: IEAPMethod[] } } = {};
|
||||
private eapConnectionStates = new NodeCache({ useClones: false, stdTTL: 3600 }); // max for one hour
|
||||
|
||||
constructor(authentication: IAuthentication) {
|
||||
this.eapMethods.push(new EAPTTLS(authentication));
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param data
|
||||
* @param msgType 1 = identity, 21 = EAP-TTLS, 2 = notification, 4 = md5-challenge, 3 = NAK
|
||||
*/
|
||||
private async buildEAPResponse(
|
||||
identifier: number,
|
||||
msgType: number,
|
||||
data?: Buffer
|
||||
): Promise<IPacketHandlerResult> {
|
||||
/** build a package according to this:
|
||||
0 1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Code | Identifier | Length |
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Type | Type-Data ...
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|
||||
*/
|
||||
const buffer = Buffer.from([
|
||||
1, // request
|
||||
identifier,
|
||||
0, // length (1/2)
|
||||
0, // length (2/2)
|
||||
msgType // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
||||
]);
|
||||
|
||||
const resBuffer = data ? Buffer.concat([buffer, data]) : buffer;
|
||||
// set EAP length header
|
||||
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
||||
|
||||
return {
|
||||
code: PacketResponseCode.AccessChallenge,
|
||||
attributes: [['EAP-Message', buffer]]
|
||||
};
|
||||
}
|
||||
|
||||
private decodeEAPHeader(msg: Buffer) {
|
||||
/**
|
||||
* parse msg according to this:
|
||||
0 1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Code | Identifier | Length |
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Type | Type-Data ...
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|
||||
*/
|
||||
|
||||
/*
|
||||
code:
|
||||
1 Request
|
||||
2 Response
|
||||
3 Success
|
||||
4 Failure
|
||||
*/
|
||||
const code = msg.slice(0, 1).readUInt8(0);
|
||||
/* identifier is a number */
|
||||
const identifier = msg.slice(1, 2).readUInt8(0);
|
||||
const length = msg.slice(2, 4).readInt16BE(0);
|
||||
/* EAP type */
|
||||
const type = msg.slice(4, 5).readUInt8(0);
|
||||
const data = msg.slice(5);
|
||||
|
||||
return {
|
||||
code,
|
||||
identifier,
|
||||
length,
|
||||
type,
|
||||
data
|
||||
};
|
||||
}
|
||||
|
||||
async handlePacket(
|
||||
attributes: { [key: string]: Buffer },
|
||||
orgRadiusPacket: RadiusPacket
|
||||
): Promise<IPacketHandlerResult> {
|
||||
if (!attributes['EAP-Message']) {
|
||||
// not an EAP message
|
||||
return {};
|
||||
}
|
||||
|
||||
const stateID = (attributes.State && attributes.State.toString()) || makeid(16);
|
||||
|
||||
if (!this.eapConnectionStates.get(stateID)) {
|
||||
this.eapConnectionStates.set(stateID, {
|
||||
validMethods: this.eapMethods // on init all registered eap methods are valid, we kick them out in case we get a NAK response
|
||||
});
|
||||
}
|
||||
|
||||
// EAP MESSAGE
|
||||
const msg = attributes['EAP-Message'];
|
||||
|
||||
const { code, type, identifier, data } = this.decodeEAPHeader(msg);
|
||||
|
||||
const currentState = this.eapConnectionStates.get(stateID) as { validMethods: IEAPMethod[] };
|
||||
|
||||
switch (code) {
|
||||
case 1: // for request
|
||||
case 2: // for response
|
||||
switch (type) {
|
||||
case 1: // identifiy
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: IDENTIFY', {});
|
||||
// start identify
|
||||
if (currentState.validMethods.length > 0) {
|
||||
return currentState.validMethods[0].identify(identifier, stateID);
|
||||
}
|
||||
|
||||
return this.buildEAPResponse(identifier, 3);
|
||||
case 2: // notification
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: notification', {});
|
||||
console.info('notification');
|
||||
break;
|
||||
case 4: // md5-challenge
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: md5-challenge', {});
|
||||
|
||||
console.info('md5-challenge');
|
||||
break;
|
||||
case 254: // expanded type
|
||||
console.error('not implemented type', type);
|
||||
break;
|
||||
case 3: // nak
|
||||
if (data) {
|
||||
const supportedEAPMethods: number[] = [];
|
||||
for (const supportedMethod of data) {
|
||||
supportedEAPMethods.push(supportedMethod);
|
||||
}
|
||||
|
||||
this.eapConnectionStates.set(stateID, {
|
||||
...currentState,
|
||||
validMethods: currentState.validMethods.filter(method => {
|
||||
return supportedEAPMethods.includes(method.getEAPType()); // kick it out?
|
||||
})
|
||||
});
|
||||
}
|
||||
// continue with responding a NAK and add rest of supported methods
|
||||
// eslint-disable-next-line no-fallthrough
|
||||
default: {
|
||||
const eapMethod = currentState.validMethods.find(method => {
|
||||
return type === method.getEAPType();
|
||||
});
|
||||
|
||||
if (eapMethod) {
|
||||
return eapMethod.handleMessage(identifier, stateID, msg, orgRadiusPacket);
|
||||
}
|
||||
|
||||
// we do not support this auth type, ask for something we support
|
||||
const serverSupportedMethods = currentState.validMethods.map(
|
||||
method => method.getEAPType
|
||||
);
|
||||
|
||||
console.error('unsupported type', type, `requesting: ${serverSupportedMethods}`);
|
||||
|
||||
return this.buildEAPResponse(identifier, 3, Buffer.from(serverSupportedMethods));
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
console.log('Client Auth Success');
|
||||
break;
|
||||
case 4:
|
||||
console.log('Client Auth FAILURE');
|
||||
break;
|
||||
default:
|
||||
}
|
||||
// silently ignore;
|
||||
return {};
|
||||
}
|
||||
}
|
@ -0,0 +1,460 @@
|
||||
/* eslint-disable no-bitwise */
|
||||
import * as tls from 'tls';
|
||||
import * as NodeCache from 'node-cache';
|
||||
import { RadiusPacket } from 'radius';
|
||||
import { encodeTunnelPW, ITLSServer, startTLSServer } from '../../../tls/crypt';
|
||||
import { ResponseAuthHandler } from '../../../types/Handler';
|
||||
import { PAPChallenge } from './challenges/PAPChallenge';
|
||||
import { IPacketHandlerResult, PacketResponseCode } from '../../../types/PacketHandler';
|
||||
import { MAX_RADIUS_ATTRIBUTE_SIZE, newDeferredPromise } from '../../../helpers';
|
||||
import { IEAPMethod } from '../../../types/EAPMethod';
|
||||
import { IAuthentication } from '../../../types/Authentication';
|
||||
import { secret } from '../../../../config';
|
||||
|
||||
interface IEAPResponseHandlers {
|
||||
response: (respData?: Buffer, msgType?: number) => void;
|
||||
checkAuth: ResponseAuthHandler;
|
||||
}
|
||||
|
||||
/* const handlers = {
|
||||
response: (EAPMessage: Buffer) => {
|
||||
const attributes: any = [['State', Buffer.from(state)]];
|
||||
let sentDataSize = 0;
|
||||
do {
|
||||
if (EAPMessage.length > 0) {
|
||||
attributes.push([
|
||||
'EAP-Message',
|
||||
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||
]);
|
||||
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||
}
|
||||
} while (sentDataSize < EAPMessage.length);
|
||||
|
||||
const response = radius.encode_response({
|
||||
packet,
|
||||
code: 'Access-Challenge',
|
||||
secret: this.secret,
|
||||
attributes
|
||||
});
|
||||
|
||||
waitForNextMsg[state] = newDeferredPromise();
|
||||
|
||||
server.sendToClient(
|
||||
response,
|
||||
rinfo.port,
|
||||
rinfo.address,
|
||||
function(err, _bytes) {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
},
|
||||
state
|
||||
);
|
||||
|
||||
return waitForNextMsg[state].promise;
|
||||
},
|
||||
checkAuth
|
||||
};
|
||||
|
||||
|
||||
const attributes: any = [['State', Buffer.from(stateID)]];
|
||||
let sentDataSize = 0;
|
||||
do {
|
||||
if (EAPMessage.length > 0) {
|
||||
attributes.push([
|
||||
'EAP-Message',
|
||||
EAPMessage.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||
]);
|
||||
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||
}
|
||||
} while (sentDataSize < EAPMessage.length);
|
||||
|
||||
const response = radius.encode_response({
|
||||
packet,
|
||||
code: 'Access-Challenge',
|
||||
secret: this.secret,
|
||||
attributes
|
||||
});
|
||||
|
||||
waitForNextMsg[stateID] = newDeferredPromise();
|
||||
|
||||
server.sendToClient(
|
||||
response,
|
||||
rinfo.port,
|
||||
rinfo.address,
|
||||
function(err, _bytes) {
|
||||
if (err) {
|
||||
console.log('Error sending response to ', rinfo);
|
||||
}
|
||||
},
|
||||
stateID
|
||||
);
|
||||
|
||||
return waitForNextMsg[stateID].promise;
|
||||
*/
|
||||
/* if (waitForNextMsg[state]) {
|
||||
const identifier = attributes['EAP-Message'].slice(1, 2).readUInt8(0); // .toString('hex');
|
||||
waitForNextMsg[state].resolve({ response: handlers.response, identifier });
|
||||
} */
|
||||
|
||||
function tlsHasExportKeyingMaterial(
|
||||
tlsSocket: any
|
||||
): tlsSocket is {
|
||||
exportKeyingMaterial: (length: number, label: string, context?: Buffer) => Buffer;
|
||||
} {
|
||||
return typeof (tlsSocket as any).exportKeyingMaterial === 'function';
|
||||
}
|
||||
|
||||
export class EAPTTLS implements IEAPMethod {
|
||||
private papChallenge: PAPChallenge = new PAPChallenge();
|
||||
|
||||
// { [key: string]: Buffer } = {};
|
||||
private queueData = new NodeCache({ useClones: false, stdTTL: 60 }); // queue data maximum for 60 seconds
|
||||
|
||||
private openTLSSockets = new NodeCache({ useClones: false, stdTTL: 3600 }); // keep sockets for about one hour
|
||||
|
||||
getEAPType(): number {
|
||||
return 21;
|
||||
}
|
||||
|
||||
identify(identifier: number, stateID: string): IPacketHandlerResult {
|
||||
return this.buildEAPTTLSResponse(identifier, 21, 0x20, stateID);
|
||||
}
|
||||
|
||||
constructor(private authentication: IAuthentication) {}
|
||||
|
||||
private buildEAPTTLSResponse(
|
||||
identifier: number,
|
||||
msgType = 21,
|
||||
msgFlags = 0x00,
|
||||
stateID: string,
|
||||
data?: Buffer,
|
||||
newResponse = true
|
||||
): IPacketHandlerResult {
|
||||
const maxSize = (MAX_RADIUS_ATTRIBUTE_SIZE - 5) * 4;
|
||||
console.log('maxSize', maxSize);
|
||||
|
||||
/* it's the first one and we have more, therefore include length */
|
||||
const includeLength = data && newResponse && data.length > maxSize;
|
||||
|
||||
// extract data party
|
||||
const dataToSend = data && data.length > 0 && data.slice(0, maxSize);
|
||||
const dataToQueue = data && data.length > maxSize && data.slice(maxSize);
|
||||
|
||||
/*
|
||||
0 1 2 3 4 5 6 7 8
|
||||
+-+-+-+-+-+-+-+-+
|
||||
|L M R R R R R R|
|
||||
+-+-+-+-+-+-+-+-+
|
||||
|
||||
L = Length included
|
||||
M = More fragments
|
||||
R = Reserved
|
||||
|
||||
The L bit (length included) is set to indicate the presence of the
|
||||
four-octet TLS Message Length field, and MUST be set for the first
|
||||
fragment of a fragmented TLS message or set of messages. The M
|
||||
bit (more fragments) is set on all but the last fragment.
|
||||
Implementations of this specification MUST set the reserved bits
|
||||
to zero, and MUST ignore them on reception.
|
||||
*/
|
||||
|
||||
const flags =
|
||||
msgFlags +
|
||||
(includeLength ? 0b10000000 : 0) + // set L bit
|
||||
(dataToQueue && dataToQueue.length > 0 ? 0b01000000 : 0); // we have more data to come, set M bit
|
||||
|
||||
let buffer = Buffer.from([
|
||||
1, // request
|
||||
identifier + 1, // increase id by 1
|
||||
0, // length (1/2)
|
||||
0, // length (2/2)
|
||||
msgType, // 1 = identity, 21 = EAP-TTLS, 2 = notificaiton, 4 = md5-challenge, 3 = NAK
|
||||
flags // flags: 000000 (L include lenghts, M .. more to come)
|
||||
]);
|
||||
|
||||
// append length
|
||||
if (includeLength && data) {
|
||||
const length = Buffer.alloc(4);
|
||||
length.writeInt32BE(data.byteLength, 0);
|
||||
|
||||
buffer = Buffer.concat([buffer, length]);
|
||||
}
|
||||
|
||||
// build final buffer with data
|
||||
const resBuffer = dataToSend ? Buffer.concat([buffer, dataToSend]) : buffer;
|
||||
|
||||
// set EAP length header
|
||||
resBuffer.writeUInt16BE(resBuffer.byteLength, 2);
|
||||
|
||||
console.log('<<<<<<<<<<<< EAP RESPONSE TO CLIENT', {
|
||||
code: 1,
|
||||
identifier: identifier + 1,
|
||||
includeLength,
|
||||
dataLength: (data && data.byteLength) || 0,
|
||||
msgType: msgType.toString(10),
|
||||
flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||
data
|
||||
});
|
||||
|
||||
if (dataToQueue) {
|
||||
// we couldn't send all at once, queue the rest and send later
|
||||
this.queueData.set(stateID, dataToQueue);
|
||||
} else {
|
||||
this.queueData.del(stateID);
|
||||
}
|
||||
|
||||
const attributes: any = [['State', Buffer.from(stateID)]];
|
||||
let sentDataSize = 0;
|
||||
do {
|
||||
if (resBuffer.length > 0) {
|
||||
attributes.push([
|
||||
'EAP-Message',
|
||||
resBuffer.slice(sentDataSize, sentDataSize + MAX_RADIUS_ATTRIBUTE_SIZE)
|
||||
]);
|
||||
sentDataSize += MAX_RADIUS_ATTRIBUTE_SIZE;
|
||||
}
|
||||
} while (sentDataSize < resBuffer.length);
|
||||
|
||||
return {
|
||||
code: PacketResponseCode.AccessChallenge,
|
||||
attributes
|
||||
};
|
||||
}
|
||||
|
||||
decodeTTLSMessage(msg: Buffer) {
|
||||
/**
|
||||
* The EAP-TTLS packet format is shown below. The fields are
|
||||
transmitted left to right.
|
||||
|
||||
0 1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Code | Identifier | Length |
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| Type | Flags | Message Length
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
Message Length | Data...
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
*/
|
||||
|
||||
const flags = msg.slice(5, 6).readUInt8(0); // .toString('hex');
|
||||
/*
|
||||
0 1 2 3 4 5 6 7
|
||||
+---+---+---+---+---+---+---+---+
|
||||
| L | M | S | R | R | V |
|
||||
+---+---+---+---+---+---+---+---+
|
||||
|
||||
L = Length included
|
||||
M = More fragments
|
||||
S = Start
|
||||
R = Reserved
|
||||
V = Version (000 for EAP-TTLSv0)
|
||||
*/
|
||||
const decodedFlags = {
|
||||
// L
|
||||
lengthIncluded: flags & 0b010000000,
|
||||
// M
|
||||
moreFragments: flags & 0b001000000,
|
||||
// S
|
||||
start: flags & 0b000100000,
|
||||
// R
|
||||
// reserved: flags & 0b000011000,
|
||||
// V
|
||||
version: flags & 0b010000111
|
||||
};
|
||||
|
||||
let msglength;
|
||||
if (decodedFlags.lengthIncluded) {
|
||||
msglength = msg.slice(6, 10).readInt32BE(0); // .readDoubleLE(0); // .toString('hex');
|
||||
}
|
||||
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
|
||||
|
||||
return {
|
||||
decodedFlags,
|
||||
msglength,
|
||||
data
|
||||
};
|
||||
}
|
||||
|
||||
authResponse(
|
||||
identifier: number,
|
||||
success: boolean,
|
||||
socket: tls.TLSSocket,
|
||||
packet: RadiusPacket
|
||||
): IPacketHandlerResult {
|
||||
const buffer = Buffer.from([
|
||||
success ? 3 : 4, // 3.. success, 4... failure
|
||||
identifier + 1,
|
||||
0, // length (1/2)
|
||||
4 // length (2/2)
|
||||
]);
|
||||
|
||||
const attributes: any[] = [];
|
||||
attributes.push(['EAP-Message', buffer]);
|
||||
|
||||
if (packet.attributes && packet.attributes['User-Name']) {
|
||||
// reappend username to response
|
||||
attributes.push(['User-Name', packet.attributes['User-Name']]);
|
||||
}
|
||||
|
||||
/*
|
||||
if (sess->eap_if->eapKeyDataLen > 64) {
|
||||
len = 32;
|
||||
} else {
|
||||
len = sess->eap_if->eapKeyDataLen / 2;
|
||||
}
|
||||
*/
|
||||
if (tlsHasExportKeyingMaterial(socket)) {
|
||||
const keyingMaterial = (socket as any).exportKeyingMaterial(128, 'ttls keying material');
|
||||
|
||||
// console.log('keyingMaterial', keyingMaterial);
|
||||
|
||||
// eapKeyData + len
|
||||
attributes.push([
|
||||
'Vendor-Specific',
|
||||
311,
|
||||
[
|
||||
[
|
||||
16,
|
||||
encodeTunnelPW(
|
||||
keyingMaterial.slice(64),
|
||||
(packet as any).authenticator,
|
||||
// params.packet.attributes['Message-Authenticator'],
|
||||
secret
|
||||
)
|
||||
]
|
||||
]
|
||||
]); // MS-MPPE-Send-Key
|
||||
|
||||
// eapKeyData
|
||||
attributes.push([
|
||||
'Vendor-Specific',
|
||||
311,
|
||||
[
|
||||
[
|
||||
17,
|
||||
encodeTunnelPW(
|
||||
keyingMaterial.slice(0, 64),
|
||||
(packet as any).authenticator,
|
||||
// params.packet.attributes['Message-Authenticator'],
|
||||
secret
|
||||
)
|
||||
]
|
||||
]
|
||||
]); // MS-MPPE-Recv-Key
|
||||
} else {
|
||||
console.error(
|
||||
'FATAL: no exportKeyingMaterial method available!!!, you need latest NODE JS, see https://github.com/nodejs/node/pull/31814'
|
||||
);
|
||||
}
|
||||
|
||||
return {
|
||||
code: success ? PacketResponseCode.AccessAccept : PacketResponseCode.AccessReject,
|
||||
attributes
|
||||
};
|
||||
}
|
||||
|
||||
async handleMessage(
|
||||
identifier: number,
|
||||
stateID: string,
|
||||
msg: Buffer,
|
||||
orgRadiusPacket: RadiusPacket
|
||||
): Promise<IPacketHandlerResult> {
|
||||
const { decodedFlags, msglength, data } = this.decodeTTLSMessage(msg);
|
||||
|
||||
// check if no data package is there and we have something in the queue, if so.. empty the queue first
|
||||
if (!data || data.length === 0) {
|
||||
console.warn(
|
||||
`>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS, ACK / NACK (no data, just a confirmation, ID: ${identifier})`
|
||||
);
|
||||
const queuedData = this.queueData.get(stateID);
|
||||
if (queuedData instanceof Buffer && queuedData.length > 0) {
|
||||
return this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, queuedData, false);
|
||||
}
|
||||
|
||||
return {};
|
||||
}
|
||||
|
||||
console.log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
|
||||
// flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||
decodedFlags,
|
||||
identifier,
|
||||
msglength
|
||||
// data,
|
||||
// dataStr: data.toString()
|
||||
});
|
||||
|
||||
let connection = this.openTLSSockets.get(stateID) as ITLSServer;
|
||||
|
||||
if (!connection) {
|
||||
connection = startTLSServer();
|
||||
this.openTLSSockets.set(stateID, connection);
|
||||
|
||||
connection.events.on('end', () => {
|
||||
// cleanup socket
|
||||
console.log('ENDING SOCKET');
|
||||
this.openTLSSockets.del(stateID);
|
||||
});
|
||||
}
|
||||
|
||||
const sendResponsePromise = newDeferredPromise();
|
||||
|
||||
const incomingMessageHandler = async (incomingData: Buffer) => {
|
||||
const type = incomingData.slice(3, 4).readUInt8(0);
|
||||
// const code = data.slice(4, 5).readUInt8(0);
|
||||
|
||||
switch (type) {
|
||||
case 1: // PAP / CHAP
|
||||
try {
|
||||
const { username, password } = this.papChallenge.decode(incomingData);
|
||||
const authResult = await this.authentication.authenticate(username, password);
|
||||
|
||||
sendResponsePromise.resolve(
|
||||
this.authResponse(identifier, authResult, connection.tls, orgRadiusPacket)
|
||||
);
|
||||
} catch (err) {
|
||||
// pwd not found..
|
||||
console.error('pwd not found', err);
|
||||
connection.events.emit('end');
|
||||
// NAK
|
||||
sendResponsePromise.resolve(this.buildEAPTTLSResponse(identifier, 3, 0, stateID));
|
||||
}
|
||||
break;
|
||||
default:
|
||||
console.log('data', incomingData);
|
||||
console.log('data str', incomingData.toString());
|
||||
|
||||
// currentConnection!.events.emit('end');
|
||||
|
||||
console.log('UNSUPPORTED AUTH TYPE, requesting PAP');
|
||||
// throw new Error(`unsupported auth type${type}`);
|
||||
sendResponsePromise.resolve(
|
||||
this.buildEAPTTLSResponse(identifier, 3, 0, stateID, Buffer.from([1]))
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
const responseHandler = (encryptedResponseData: Buffer) => {
|
||||
// send back...
|
||||
sendResponsePromise.resolve(
|
||||
this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData)
|
||||
);
|
||||
};
|
||||
|
||||
// register event listeners
|
||||
connection.events.on('incoming', incomingMessageHandler);
|
||||
connection.events.on('response', responseHandler);
|
||||
|
||||
// emit data to tls server
|
||||
connection.events.emit('send', data);
|
||||
const responseData = await sendResponsePromise.promise;
|
||||
|
||||
// cleanup
|
||||
connection.events.off('incoming', incomingMessageHandler);
|
||||
connection.events.off('response', responseHandler);
|
||||
|
||||
// send response
|
||||
return responseData; // this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData);
|
||||
}
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
import { IEAPChallenge } from '../../types/EAPChallenge';
|
||||
import { IEAPChallenge } from '../../../../types/EAPChallenge';
|
||||
|
||||
export class PAPChallenge implements IEAPChallenge {
|
||||
// i couldn't find any documentation about it, therefore best guess how this is processed...
|
@ -0,0 +1,80 @@
|
||||
import * as dgram from 'dgram';
|
||||
import { SocketType } from 'dgram';
|
||||
import * as events from 'events';
|
||||
import { EventEmitter } from 'events';
|
||||
import { newDeferredPromise } from '../helpers';
|
||||
import { IServer } from '../types/Server';
|
||||
|
||||
export class UDPServer extends events.EventEmitter implements IServer {
|
||||
static MAX_RETRIES = 3;
|
||||
|
||||
private timeout: { [key: string]: NodeJS.Timeout } = {};
|
||||
|
||||
private server: dgram.Socket;
|
||||
|
||||
constructor(private port: number, type: SocketType = 'udp4') {
|
||||
super();
|
||||
this.server = dgram.createSocket(type);
|
||||
}
|
||||
|
||||
sendToClient(
|
||||
msg: string | Uint8Array,
|
||||
port?: number,
|
||||
address?: string,
|
||||
callback?: (error: Error | null, bytes: number) => void,
|
||||
expectAcknowledgment = true
|
||||
): void {
|
||||
let retried = 0;
|
||||
|
||||
const sendResponse = (): void => {
|
||||
if (retried > 0) {
|
||||
console.warn(
|
||||
`no confirmation of last message from ${address}:${port}, re-sending response... (bytes: ${msg.length}, try: ${retried}/${UDPServer.MAX_RETRIES})`
|
||||
);
|
||||
}
|
||||
|
||||
// send message to client
|
||||
this.server.send(msg, 0, msg.length, port, address, callback);
|
||||
|
||||
// retry up to MAX_RETRIES to send this message,
|
||||
// we automatically retry if there is no confirmation (=any incoming message from client)
|
||||
// if expectAcknowledgment (e.g. Access-Accept or Access-Reject) is set, we do not retry
|
||||
const identifierForRetry = `${address}:${port}`;
|
||||
if (expectAcknowledgment && retried < UDPServer.MAX_RETRIES) {
|
||||
this.timeout[identifierForRetry] = setTimeout(sendResponse, 600 * (retried + 1));
|
||||
}
|
||||
retried += 1;
|
||||
};
|
||||
|
||||
sendResponse();
|
||||
}
|
||||
|
||||
async start(): Promise<EventEmitter> {
|
||||
const startServer = newDeferredPromise();
|
||||
this.server.on('listening', () => {
|
||||
const address = this.server.address();
|
||||
console.log(`radius server listening ${address.address}:${address.port}`);
|
||||
|
||||
this.setupListeners();
|
||||
startServer.resolve();
|
||||
});
|
||||
|
||||
this.server.on('message', (_msg, rinfo) => {
|
||||
console.log('incoming message 2');
|
||||
|
||||
// message retrieved, reset timeout handler
|
||||
const identifierForRetry = `${rinfo.address}:${rinfo.port}`;
|
||||
if (this.timeout[identifierForRetry]) {
|
||||
clearTimeout(this.timeout[identifierForRetry]);
|
||||
}
|
||||
});
|
||||
|
||||
this.server.bind(this.port);
|
||||
|
||||
return startServer.promise;
|
||||
}
|
||||
|
||||
private setupListeners() {
|
||||
this.server.on('message', (message, rinfo) => this.emit('message', message, rinfo));
|
||||
}
|
||||
}
|
@ -1,3 +1,3 @@
|
||||
export interface IAuthentication {
|
||||
authenticate(username: string, password: string): Promise<string>;
|
||||
authenticate(username: string, password: string): Promise<boolean>;
|
||||
}
|
||||
|
@ -0,0 +1,15 @@
|
||||
import { RadiusPacket } from 'radius';
|
||||
import { IPacketHandlerResult } from './PacketHandler';
|
||||
|
||||
export interface IEAPMethod {
|
||||
getEAPType(): number;
|
||||
|
||||
identify(identifier: number, stateID: string): IPacketHandlerResult;
|
||||
|
||||
handleMessage(
|
||||
identifier: number,
|
||||
stateID: string,
|
||||
msg: Buffer,
|
||||
orgRadiusPacket?: RadiusPacket
|
||||
): Promise<IPacketHandlerResult>;
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
export interface IEAPType {
|
||||
handleMessage(msg: Buffer, state: string, handlers, identifier: number);
|
||||
}
|
@ -0,0 +1,19 @@
|
||||
import { RadiusPacket } from 'radius';
|
||||
|
||||
export enum PacketResponseCode {
|
||||
AccessChallenge = 'Access-Challenge',
|
||||
AccessAccept = 'Access-Accept',
|
||||
AccessReject = 'Access-Reject'
|
||||
}
|
||||
|
||||
export interface IPacketHandlerResult {
|
||||
code?: PacketResponseCode;
|
||||
attributes?: [string, Buffer][];
|
||||
}
|
||||
|
||||
export interface IPacketHandler {
|
||||
handlePacket(
|
||||
attributes: { [key: string]: Buffer },
|
||||
orgRadiusPacket: RadiusPacket
|
||||
): Promise<IPacketHandlerResult>;
|
||||
}
|
@ -0,0 +1,32 @@
|
||||
import { RemoteInfo } from 'dgram';
|
||||
|
||||
/**
|
||||
* @fires IServer#message
|
||||
*/
|
||||
export interface IServer {
|
||||
/**
|
||||
*
|
||||
* @param msg
|
||||
* @param port
|
||||
* @param address
|
||||
* @param callback
|
||||
* @param expectAcknowledgment: if set to false, message is not retried to send again if there is no confirmation
|
||||
*/
|
||||
sendToClient(
|
||||
msg: string | Uint8Array,
|
||||
port?: number,
|
||||
address?: string,
|
||||
callback?: (error: Error | null, bytes: number) => void,
|
||||
expectAcknowledgment?: boolean
|
||||
): void;
|
||||
|
||||
/**
|
||||
* Message event.
|
||||
*
|
||||
* @event IServer#message
|
||||
* @type {object}
|
||||
* @property {message} data - the data of the incoming message
|
||||
* @property {rinfo} optionally remote information
|
||||
*/
|
||||
on(event: 'message', listener: (msg: Buffer, rinfo?: RemoteInfo) => void): this;
|
||||
}
|
@ -1,8 +1,10 @@
|
||||
this is based on freeradius cert directory :)
|
||||
|
||||
1.) edit ca.cnf
|
||||
2.) edit server.cnf
|
||||
3.) replace your choosen pwd (deafult is whatever2020) in create.sh
|
||||
4.) run ./create.sh
|
||||
5.) set your choosen pwd in ~/config.js
|
||||
there is a default certificate already present, if you want to create your own, follow these steps:
|
||||
|
||||
1. edit ca.cnf
|
||||
2. edit server.cnf
|
||||
3. replace your choosen pwd (deafult is whatever2020) in create.sh
|
||||
4. run ./create.sh
|
||||
5. set your choosen pwd in ~/config.js
|
||||
|
||||
|
@ -0,0 +1,30 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI1Fm+/6EHcV8CAggA
|
||||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECP14mHLiQP0EBIIEyFFD//WLNJgR
|
||||
nADmlyQgvEtEH+Rbbd6OtUXyXVLk9OtDG3s/JTh8SeeieJbm3PaLanAcyV/DgB2Q
|
||||
lseLe3WLLQSQ2lOjlU2e6KsRk+NDFaiJ5BZqISHfmrOJnZPg27rXN5EeCReRWwAr
|
||||
Myyb9Ijbw9j1LL4EwoEKmJ59XEC5Cy4bIyEDROF7ONJvwzaRyPPT5ZsB5qxozjp7
|
||||
C4YOr55AUhidEHBxmFdU7Sx1uJhxYFRccGV7m4C+00z2TKx81IWFtbj2404mBMQM
|
||||
WGf7Ncfuw1SsRwCxv89Z6+eP38Un3egT+inTFeP4E3iMWdZiK9JpYRO6qZzYdw9o
|
||||
4QyAl+oJIFjPImA+vX29J6C0BFvFAnZwmLe30nK9HMja/qynNjeF//sC3LpuC4Dx
|
||||
f07Od5X6Bq7OMmMgBNPr1Y+MmwDomrthlJhUIovowHIKQnim/Awmwv613H0kI9Dp
|
||||
bp04LMcY63cZL/ShyAG3hNqnDs6ULKv/35IA2HOPyyOzhrJl5OJbCxaoW4rp96nK
|
||||
JTFAxI2oQZtNKX4tmxP0QZ5kmd3jmBtjmuqyIGQO3PRA465bxCO6Rajo1kOhygab
|
||||
9L3dp3FRIRkWJzSxIteEmkv6RgT4CvS9d9dwk1t+GKqH7Qcg++2+/Yy7rWopxsRY
|
||||
hjAygy/kLE3HXZUgHWuJhomSTNfkjj6sHEFUiIB8RJ9DWoRkfkloGUml5/4QoGWn
|
||||
qo4qOs5vXt1iRnc65cXgT2h/IX/ohcPcZirI0gf9mKN470U5zzlUpDmCMVYgv+gh
|
||||
Te0uhghT4GIk6fZWTUKTiLmqvG6hEdVeHAfboJ6aPzrQYT2XnonRf9hQfq2SmznC
|
||||
J7MNHaLqeR0pULxxWY+UrS3oPhQ4ICDMDEGQxwVNpqLjzQJnZjI7ZYQKS324FDaH
|
||||
PPrdG/a9bc3lVeBdcCjvH6Tz+rHUYW4x7WGUeYprz7rAl8XtYtl+zT3bngLxO3D5
|
||||
mc6R+aGE1tcBY0EL1K2K0UzPqNLSUTrgnw4K+L2sgQJqKrpdyGcAZYnW0eH6ULIl
|
||||
VgKL1Ef0lX7cD6sdxASYHgqyYfc4+vAo6drwKXwb98jQFe5q73d5f1SqOiC/APuR
|
||||
ZIMRVMBydD3Mp0L7lokDpS6eraTZ+XeGwtbEzb2mC4urYoT9yEH4CdOwUe0GrKQE
|
||||
B/6mV0MEyrzlWxFpxZFkByLFf1FBlqKHpd09Sj9TdNiZom+mc90D76FiyZ83H+Pp
|
||||
D9tzelr8G5A5RVEPOaHOVL1LiDQA12B5tFhgFldUI4BXJu+LnR/4qNyNt2xedrHO
|
||||
GY/FoJjlnTMf5/S3erH+1VeIwjrnwrl4w3o2zymE19Yb2zEt9fyP67R0q/trZOs+
|
||||
umxTOxyFvJCzZoLkIFz9oGfo+IQYqqxfPC0gYYlkF1jWX1MarLwZoiXSHEkBlfez
|
||||
t61ZqYxNMWt8cxwfb5MfRpeXaY4wH1o6+GW8DgNMeq5LxgLASkvNdG0dzXTK8DPG
|
||||
sGx09dFGEDKYmljT+1chL+KjkxWIqgrq05NwpE/7OF3ZuiG2hv6ys5STY3URnINg
|
||||
lz7zqzgt1gMeCV8kikXKWXwKqxH0L14AYMDhfPaXRM23nsjC3c/h4CfySUutlpxp
|
||||
M2oE3tWQQ6TOv3yAqhRj+g==
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
@ -1,29 +1,29 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIE+jCCA+KgAwIBAgIUVIBUu2vZ0TrxOwqlIyfxooaF4bIwDQYJKoZIhvcNAQEL
|
||||
MIIE+jCCA+KgAwIBAgIUA7R4NLhoa6Mt/Zek66V7+Qnx9VEwDQYJKoZIhvcNAQEL
|
||||
BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNv
|
||||
bWV3aGVyZTEVMBMGA1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFh
|
||||
ZG1pbkBleGFtcGxlLm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBB
|
||||
dXRob3JpdHkwHhcNMjAwMjIyMTYzNzAxWhcNMjkxMjMxMTYzNzAxWjCBkzELMAkG
|
||||
dXRob3JpdHkwHhcNMjAwMjIyMTcwNTM4WhcNMjkxMjMxMTcwNTM4WjCBkzELMAkG
|
||||
A1UEBhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUw
|
||||
EwYDVQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w
|
||||
bGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMg5QnJc+a8K0YGIcnZ0OfFZ
|
||||
ZNQUMIBJIxdE3LnIa1Y6JNA89oVodtD/J4bFOHa8ehji7R6JzTCpDi6Sc61D9mT2
|
||||
Fa1sm8wSrD4NU+tMlaK5U73C6nYrAtnTpFnDeQQEzgfyzoN988QXAknY++Ls0CU/
|
||||
B2Pjd5D4Sk1VOOf88/XYyU5OM5jT5/skOuBULdGhbL9TME3PRieMLOokTFZjNnDy
|
||||
uCKV3p5PD8MYAVh6qNEdHHnQMp559JfdzAh2FZPvdr88MbhO78pFCymdnOkhIr6M
|
||||
ZvBqDLxaV7mjcduU/U1lq13CekZ2DUTDpbUa9z4w+BiqgFpWJdxy0ZTwpwPBqd8C
|
||||
AwEAAaOCAUIwggE+MB0GA1UdDgQWBBR0nqW1x1vNwtdFezphgGtkz7B2RjCB0wYD
|
||||
VR0jBIHLMIHIgBR0nqW1x1vNwtdFezphgGtkz7B2RqGBmaSBljCBkzELMAkGA1UE
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrt1oTLVGNfvZvmsQd7L0Ts
|
||||
dttTKZcJynIlDX/2QJ7F77/sywrY69Bch14Gn2MhEhpRnn5GIKpEzE8KTDgg5iOV
|
||||
FOwClfMwlhzksx7VpwSjSFhxbudxWgpk8RoGmuPaB4rJLHPo7B6Pv4DduxFpO5aF
|
||||
IxKdPFCi1sKKzJAi+88SSX5KhX+MQgwiqbLjdeXxx+ofTZig7IymiJUUbcdtiQPq
|
||||
KYXjcFH/XLhJMx52GKBk9YK5yvoDwYzGs+FKkPgWCbifUHnzkQ+/v3yKsvnFS/vq
|
||||
Rb1uPA3PkJnbZwCLb0hGKh8YvGUIr+9WT4MLQPOBKgfRUHEjNxvdYCUaw6xz+8EC
|
||||
AwEAAaOCAUIwggE+MB0GA1UdDgQWBBQi2Mb/nVfuJREdj/wvqVAtZNxhXzCB0wYD
|
||||
VR0jBIHLMIHIgBQi2Mb/nVfuJREdj/wvqVAtZNxhX6GBmaSBljCBkzELMAkGA1UE
|
||||
BhMCQVQxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYD
|
||||
VQQKDAxFeGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
|
||||
b3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eYIUVIBU
|
||||
u2vZ0TrxOwqlIyfxooaF4bIwDwYDVR0TAQH/BAUwAwEB/zA2BgNVHR8ELzAtMCug
|
||||
b3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eYIUA7R4
|
||||
NLhoa6Mt/Zek66V7+Qnx9VEwDwYDVR0TAQH/BAUwAwEB/zA2BgNVHR8ELzAtMCug
|
||||
KaAnhiVodHRwOi8vd3d3LmV4YW1wbGUub3JnL2V4YW1wbGVfY2EuY3JsMA0GCSqG
|
||||
SIb3DQEBCwUAA4IBAQAdywbOcOa9XSx/hEOKkG4rZR8F6eb+z/u+BYfEhQE4unTR
|
||||
3ihNarsHwteTQArabTRzuV8+phX7fgkQJHmp1NOpJVmMEr3JOs00SGbisxDmK0Z3
|
||||
2HkE+DjpYo2Sz8b77YD1AWk705rJkJ0Jp5+d/BLk6CjCr524XsSKLwKRWKOit3eu
|
||||
WKsbt+VMd7d8jDvgwrtKLDpGv/sBym5w9zQjUqOTPBr70BBbpynJD62mzdr5OjIc
|
||||
JiZKjusr1fieOeBzo2us+hFdvoCmW8X4hwVAyWm4JgP1yZ9IT/KLnFtJo0k/BM3B
|
||||
lzcz90I0zzpewC8xxaWJ7kz6h+eSIa3orlSIug4o
|
||||
SIb3DQEBCwUAA4IBAQCOSSpCkK1kF4MlctIhNnMjP6AcxhPYFhDPrTCy+lGmNw0S
|
||||
4L73ZHoTtmPsEc7p4d3qxy1WddRS3M6+0vyQz5Yhe1xQZy+SExeYxOX8sXqK1Uu3
|
||||
37rY7oz26DkITOdI4FFtcNKtAcu8rVg2kZO/66RUiQSA6V3rzAVcFGrHHP4ZoPqV
|
||||
qy+OqO8dcldlf70B7fLnf2N28drdpkUeJEGhGRzO42gN55Zj9RVH3NCZDZI1uz2B
|
||||
ESIwjFWBFDeteux8O9BZhfNJ+Zmc9BS+1CvjMCCEAeRCjpAWdyLa+uquq5tII4Me
|
||||
STKrTWjHUmq0zjDmjOowB8xWvoWONW19nsSSqGC8
|
||||
-----END CERTIFICATE-----
|
||||
|
@ -0,0 +1,80 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 0 (0x0)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: C=AT, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.org, CN=Example Certificate Authority
|
||||
Validity
|
||||
Not Before: Feb 22 17:05:38 2020 GMT
|
||||
Not After : Jul 27 17:05:38 2036 GMT
|
||||
Subject: C=AT, ST=Radius, O=Example Inc., CN=Example Certificate Authority/emailAddress=admin@example.org
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:b5:ad:78:5d:89:14:28:92:55:e7:c1:e0:15:46:
|
||||
e7:ea:da:ea:98:bb:ec:33:17:ee:d6:e3:37:1c:34:
|
||||
ea:4e:87:a1:c9:d3:19:de:95:6f:c1:76:13:e0:b4:
|
||||
f5:08:3e:fe:5a:76:b8:4a:e4:94:07:8b:67:4b:b5:
|
||||
d1:97:c1:d3:e1:b1:cd:84:5b:16:aa:dc:56:5b:ff:
|
||||
0a:e7:f3:79:a3:47:4d:5b:6d:e4:d6:21:a0:eb:e1:
|
||||
54:83:87:1c:c5:18:de:d8:52:40:93:7e:fb:c5:df:
|
||||
73:3c:d6:0b:a3:1d:9f:36:c7:6f:59:90:d7:5f:82:
|
||||
80:fe:82:05:1b:1b:77:92:04:c9:25:88:8f:9c:35:
|
||||
91:cc:86:a0:8f:8f:9b:2e:2c:62:af:f3:8a:16:75:
|
||||
30:61:47:8d:24:ea:35:84:43:33:01:ed:d7:33:2c:
|
||||
29:4f:2c:8d:f5:b7:b3:bd:74:4f:2e:83:2d:e1:d6:
|
||||
3d:5e:d9:14:c3:a1:89:38:4d:29:4b:ae:39:c8:a2:
|
||||
dd:ad:f1:42:c8:0d:6c:29:eb:70:c8:dc:e7:41:59:
|
||||
47:1c:89:52:62:53:9c:35:58:8a:39:16:87:61:f2:
|
||||
11:26:3a:2b:a2:19:29:c2:77:31:de:1c:74:c6:57:
|
||||
3a:15:8b:2f:29:61:a7:45:b4:d8:70:a4:d2:ef:da:
|
||||
5d:a1
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 CRL Distribution Points:
|
||||
|
||||
Full Name:
|
||||
URI:http://www.example.com/example_ca.crl
|
||||
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
60:49:5c:0c:1d:1a:c3:86:16:b7:d8:63:b7:b9:9b:4d:74:49:
|
||||
25:05:c0:28:f4:c6:95:ce:63:95:b7:99:41:54:7f:64:5d:9a:
|
||||
8f:f5:a7:96:09:8c:67:42:61:5d:c5:af:e4:d9:33:28:20:2a:
|
||||
1f:76:5b:a7:1f:54:47:c4:94:4f:de:bb:6d:ea:36:51:44:bf:
|
||||
90:82:b3:7c:91:28:6a:1e:dd:76:66:38:2c:0f:ed:8a:fd:b6:
|
||||
91:28:3b:59:f0:b3:42:4b:bb:fb:88:d9:d8:6f:e2:a9:79:14:
|
||||
df:0b:53:76:be:23:c1:0e:96:85:aa:d9:3f:d6:60:7a:a5:a9:
|
||||
5a:1d:17:05:7e:84:7a:36:0b:a0:eb:96:8d:75:08:ab:ea:e2:
|
||||
9b:4c:dc:92:05:b0:bc:2a:c0:ff:21:89:02:c2:cd:07:ee:85:
|
||||
55:5b:cf:bd:bc:d7:b1:8a:54:51:5a:58:f6:77:e5:76:85:26:
|
||||
fd:dd:e8:ec:aa:45:c8:cf:d1:10:16:68:97:e4:e7:06:e3:22:
|
||||
9c:4d:f5:85:bb:37:26:d4:fc:47:af:26:03:f3:e1:17:cc:20:
|
||||
33:c1:c4:e2:b3:b7:1e:d3:0a:81:85:ff:e6:79:70:07:a7:8b:
|
||||
3c:1e:9e:1b:e8:f5:a1:3e:69:c5:90:f4:7f:49:a7:19:93:fa:
|
||||
65:fc:0e:43
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCQVQx
|
||||
DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
|
||||
eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUub3JnMSYw
|
||||
JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMDAyMjIx
|
||||
NzA1MzhaFw0zNjA3MjcxNzA1MzhaMH8xCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZS
|
||||
YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEmMCQGA1UEAwwdRXhhbXBsZSBD
|
||||
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w
|
||||
bGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAta14XYkUKJJV
|
||||
58HgFUbn6trqmLvsMxfu1uM3HDTqToehydMZ3pVvwXYT4LT1CD7+Wna4SuSUB4tn
|
||||
S7XRl8HT4bHNhFsWqtxWW/8K5/N5o0dNW23k1iGg6+FUg4ccxRje2FJAk377xd9z
|
||||
PNYLox2fNsdvWZDXX4KA/oIFGxt3kgTJJYiPnDWRzIagj4+bLixir/OKFnUwYUeN
|
||||
JOo1hEMzAe3XMywpTyyN9bezvXRPLoMt4dY9XtkUw6GJOE0pS645yKLdrfFCyA1s
|
||||
KetwyNznQVlHHIlSYlOcNViKORaHYfIRJjorohkpwncx3hx0xlc6FYsvKWGnRbTY
|
||||
cKTS79pdoQIDAQABo08wTTATBgNVHSUEDDAKBggrBgEFBQcDATA2BgNVHR8ELzAt
|
||||
MCugKaAnhiVodHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMA0G
|
||||
CSqGSIb3DQEBCwUAA4IBAQBgSVwMHRrDhha32GO3uZtNdEklBcAo9MaVzmOVt5lB
|
||||
VH9kXZqP9aeWCYxnQmFdxa/k2TMoICofdlunH1RHxJRP3rtt6jZRRL+QgrN8kShq
|
||||
Ht12ZjgsD+2K/baRKDtZ8LNCS7v7iNnYb+KpeRTfC1N2viPBDpaFqtk/1mB6pala
|
||||
HRcFfoR6Ngug65aNdQir6uKbTNySBbC8KsD/IYkCws0H7oVVW8+9vNexilRRWlj2
|
||||
d+V2hSb93ejsqkXIz9EQFmiX5OcG4yKcTfWFuzcm1PxHryYD8+EXzCAzwcTis7ce
|
||||
0wqBhf/meXAHp4s8Hp4b6PWhPmnFkPR/SacZk/pl/A5D
|
||||
-----END CERTIFICATE-----
|
@ -0,0 +1,30 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIfUSPX6P3YcECAggA
|
||||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGX0Au3iFvSjBIIEyGye/tQdIfVv
|
||||
HG9CBzyejddQTYgT5IsNzTFKsASeJi/0vlQP1mvEPScgMrNO62mBPHh0+sQGyR4v
|
||||
ccrqEobKUgXYJWJd60MeHJVPvB6fVBS2kBv1dmHYYuGNqlsWE82nmX8mdEOjNR9e
|
||||
ZTnuULqE8QHZd0EVWhdK83iUCCb4ksOF+bJYQe7gkRWeZ3ALqq4eLtlUs4LiIaAn
|
||||
VrqFWdslZLBRHfDfC/beOtxp9a/clMaTI1g0jjAKuYKkydDKl6gk6HWkyw4qnJHX
|
||||
37GgReCYE72DZSmuS6mTXjsvK2cLsRmvrwWnwBaiApE9P6+RLnYyQerDMpVc1z44
|
||||
s+9VCoOmggPgy+YNB09tptCJaWJaiLu6FQzAZNo/Hu1hIf7Gx4b9IXnT6vsAsTkg
|
||||
K4exni026uVXd/toeh1O+bH9lE85RVxkFgnv49WpcBvfVXa93BZbAZP286dEeKI4
|
||||
8EueW8fh+l1HYht+6lKN0hW5rh3nBkOFHdG0GoczmbyAsz2N/cvW20KWc75cAjdW
|
||||
HG3pAwoCxzjCUVk7s6+tueNAmANRtn1zo8RKHzQ4iUVWd6WmE9v5GrSrNmvDtqyN
|
||||
yLbzDd3BZuYyUwWxMjgIeYcyqlR0zSlj12SvhPnNqwwPsuqUuB7Y5lv3oTKl7RNk
|
||||
GGd08a5nioYMs+0Ob/Zr4ay3so5gAmYDfIVVVp7GzERK9h8FrBylZqyaA8BS95GM
|
||||
JfWJGXjKbJ2nqNqc/Ic2mYVp6AT7V4FSmYV9I+rNuRI76DdJgA3UYhQOvtvmbbFI
|
||||
EyNtHCL6M8ejfbg71c5rbj7nBYLiuk5STzIiZyKPK4QmNWQ+QLy3RIgK1fMgjlzP
|
||||
rgh/1hhFRUVJxiRKnDbzrTlHEeD17U4Rpz/M3M0ZsWCWWJe+FMDaJNuNfvJW3ZYQ
|
||||
hBFjVhZn3VTmreFyt6nshsfGU3PeFXSXx8el4M5Sja5MCqQ86nbv9W6miOVtvkOx
|
||||
7kYvHXMQpsSzkjkL9hej3PxYHcchgjRnF+l0WIs7U/RE3pRiPkm0yD9Y1IEsZIix
|
||||
farOZTtPZqrOYcHwCHdRY9oxcKLZM9Rrqi5tTMk3T1ellFuX8qUj2uqSNCbhAYpC
|
||||
Qx4VfKyAi9iEyBP01X0r8gprMzqtpZatGAB70XC+Wa4lUYfRt1IbHQ0MhWMWyStL
|
||||
iefHkHee9MVgI3hh08ww1OmQGTnpQgKG6udxSRObLbWlAgccWjnX5YE3nOmo4Vvo
|
||||
v091utdEqUZ9nrIzIvlv1lqnm0qRTY4uf99dOyl/bIr1tfWJLawL9kUbN+jl4d4C
|
||||
CnilsBFTuWQBMPFE3sit91U4Ycmi3U1lmiQTXLhlCiOkyuVLGjnb7RuY1Yjm9Gso
|
||||
D/t55VgF0882uVgocU3l9OnXRZLRijXEU7WWM8YF+RXTRORykcYfL/oPF8/E/NF7
|
||||
DbamK79gIJUXGEdDdujFGAkJr0nYdK77sMeWfqIgf7l+RNaz3dtv2NGfWjpymbMz
|
||||
RkgPUypbE4JiJVnwrsVNm20wQbE839Raijchf8ZWBEWz8nNArwe094+MQxoZHg12
|
||||
Iu742/ykANJD/xXq7Nfe0d8fXWEdG3+ZgcfKUIL2oCS7/y3p4URCl6TuujBAFO8I
|
||||
IBR4bJcgdHWSqRS8usbzVg==
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
@ -1 +1 @@
|
||||
V 360727163701Z 00 unknown /C=AT/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org
|
||||
V 360727170538Z 00 unknown /C=AT/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin@example.org
|
||||
|
Loading…
Reference in new issue