package radius // import "layeh.com/radius"
import (
"bytes"
"crypto/md5"
"encoding/binary"
"errors"
"math"
)
// rfc2865UserPassword is the codec for the User-Password attribute. It holds
// no state of its own: the shared secret and the authenticator are read from
// the Packet handed to Decode and Encode.
type rfc2865UserPassword struct{}
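// Decode reverses the User-Password hiding and returns the cleartext password
// as a string.
//
// The value is processed as 16-octet blocks. The first block is XORed with
// MD5(p.Secret || p.Authenticator); every later block is XORed with
// MD5(p.Secret || previous ciphertext block). Padding is removed by cutting
// the result at the first NUL octet.
//
// value is attacker-controlled wire data, so its length is checked before any
// slicing: it must be 16 to 128 octets and a whole number of 16-octet blocks.
// Without the multiple-of-16 check the last block slice would extend past
// len(value), which either panics or pulls in bytes that are not part of the
// attribute.
//
// The scheme carries no integrity check. Decoding with a mismatched secret
// still returns a nil error and an arbitrary string, so a successful return
// must not be read as proof that the secret was correct.
func (rfc2865UserPassword) Decode(p *Packet, value []byte) (interface{}, error) {
	// NOTE(review): only a nil secret is rejected; an empty, non-nil secret is
	// accepted here. Confirm that callers never configure one.
	if p.Secret == nil {
		return nil, errors.New("radius: User-Password attribute requires Packet.Secret")
	}
	if len(value) < 16 || len(value) > 128 || len(value)%16 != 0 {
		return nil, errors.New("radius: invalid User-Password attribute length")
	}

	dec := make([]byte, 0, len(value))

	// First block: keystream is MD5(secret || authenticator).
	hash := md5.New()
	hash.Write(p.Secret)
	hash.Write(p.Authenticator[:])
	dec = hash.Sum(dec)
	for i, b := range value[:16] {
		dec[i] ^= b
	}

	// Remaining blocks: keystream is MD5(secret || previous ciphertext block).
	// hash.Sum appends 16 octets to dec, which are then XORed in place.
	for i := 16; i < len(value); i += 16 {
		hash.Reset()
		hash.Write(p.Secret)
		hash.Write(value[i-16 : i])
		dec = hash.Sum(dec)
		for j, b := range value[i : i+16] {
			dec[i+j] ^= b
		}
	}

	// Strip the NUL padding added by the encoder.
	if i := bytes.IndexByte(dec, 0); i > -1 {
		return string(dec[:i]), nil
	}
	return string(dec), nil
}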
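// Encode hides a password for transmission in a User-Password attribute.
//
// value must be a string or a []byte of at most 128 octets. The password is
// zero-padded to a whole number of 16-octet blocks (at least one), then each
// block is XORed with an MD5 keystream: MD5(p.Secret || p.Authenticator) for
// the first block and MD5(p.Secret || previous ciphertext block) for the rest.
//
// The padding is done on a private copy. Slicing the caller's buffer to a
// block boundary, as a direct password[:16] would, panics when the slice's
// capacity is shorter than the block and otherwise mixes in whatever bytes
// happen to follow the password in the caller's backing array.
//
// The confidentiality of the result rests entirely on the shared secret and
// on the authenticator not repeating; this function checks neither.
func (rfc2865UserPassword) Encode(p *Packet, value interface{}) ([]byte, error) {
	// NOTE(review): only a nil secret is rejected; an empty, non-nil secret is
	// accepted here. Confirm that callers never configure one.
	if p.Secret == nil {
		return nil, errors.New("radius: User-Password attribute requires Packet.Secret")
	}

	var password []byte
	switch v := value.(type) {
	case []byte:
		password = v
	case string:
		password = []byte(v)
	default:
		return nil, errors.New("radius: User-Password attribute must be string or []byte")
	}

	if len(password) > 128 {
		return nil, errors.New("radius: User-Password longer than 128 characters")
	}

	// An empty password still occupies one full block.
	chunks := int(math.Ceil(float64(len(password)) / 16.))
	if chunks == 0 {
		chunks = 1
	}

	// Zero-padded copy, exactly chunks*16 octets long, so every block slice
	// below stays inside memory this function owns.
	padded := make([]byte, chunks*16)
	copy(padded, password)

	enc := make([]byte, 0, chunks*16)

	// First block: keystream is MD5(secret || authenticator).
	hash := md5.New()
	hash.Write(p.Secret)
	hash.Write(p.Authenticator[:])
	enc = hash.Sum(enc)
	for i, b := range padded[:16] {
		enc[i] ^= b
	}

	// Remaining blocks: keystream is MD5(secret || previous ciphertext block).
	for i := 16; i < len(padded); i += 16 {
		hash.Reset()
		hash.Write(p.Secret)
		hash.Write(enc[i-16 : i])
		enc = hash.Sum(enc)
		for j, b := range padded[i : i+16] {
			enc[i+j] ^= b
		}
	}

	return enc, nil
}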
// VendorSpecific defines RFC 2865's Vendor-Specific attribute.
type VendorSpecific struct {
	// VendorID is the vendor identifier, carried as the first four octets of
	// the attribute value in big-endian order.
	VendorID uint32
	// Data is everything after the vendor identifier. Its layout is defined
	// by the vendor and is not interpreted or validated by this package's
	// codec, so consumers must parse it as untrusted input.
	Data []byte
}
// rfc2865VendorSpecific is the stateless codec that converts between the raw
// Vendor-Specific attribute value and the VendorSpecific struct.
type rfc2865VendorSpecific struct{}
// Decode splits a raw Vendor-Specific value into its big-endian 32-bit vendor
// identifier and the vendor payload that follows it.
//
// A value needs the four identifier octets plus at least one payload octet;
// anything shorter is rejected. The payload is copied, so the returned
// VendorSpecific does not alias the caller's buffer. The packet argument is
// not used.
func (rfc2865VendorSpecific) Decode(p *Packet, value []byte) (interface{}, error) {
	const vendorIDLen = 4

	if len(value) <= vendorIDLen {
		return nil, errors.New("radius: Vendor-Specific attribute too small")
	}

	payload := make([]byte, len(value)-vendorIDLen)
	copy(payload, value[vendorIDLen:])

	return VendorSpecific{
		VendorID: binary.BigEndian.Uint32(value[:vendorIDLen]),
		Data:     payload,
	}, nil
}
// Encode serialises a VendorSpecific value as the big-endian 32-bit vendor
// identifier followed by the vendor payload.
//
// Only a VendorSpecific passed by value is accepted; any other type,
// including *VendorSpecific, yields an error. No upper bound is placed on
// len(Data) here.
// NOTE(review): presumably the attribute size limit is enforced where the
// packet is assembled; confirm against the caller.
func (rfc2865VendorSpecific) Encode(p *Packet, value interface{}) ([]byte, error) {
	const vendorIDLen = 4

	vsa, isVSA := value.(VendorSpecific)
	if !isVSA {
		return nil, errors.New("radius: Vendor-Specific attribute is not type VendorSpecific")
	}

	out := make([]byte, vendorIDLen+len(vsa.Data))
	binary.BigEndian.PutUint32(out[:vendorIDLen], vsa.VendorID)
	copy(out[vendorIDLen:], vsa.Data)
	return out, nil
}