diff options
Diffstat (limited to 'usr.sbin/ppp/radius.c')
-rw-r--r-- | usr.sbin/ppp/radius.c | 1361 |
1 files changed, 1361 insertions, 0 deletions
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c new file mode 100644 index 0000000..dc71ab3 --- /dev/null +++ b/usr.sbin/ppp/radius.c @@ -0,0 +1,1361 @@ +/* + * Copyright 1999 Internet Business Solutions Ltd., Switzerland + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + * + */ + +#include <stdint.h> +#include <sys/param.h> + +#include <sys/select.h> +#include <sys/socket.h> +#include <netinet/in_systm.h> +#include <netinet/in.h> +#include <netinet/ip.h> +#include <arpa/inet.h> +#include <sys/un.h> +#include <net/route.h> + +#ifdef LOCALRAD +#include "radlib.h" +#include "radlib_vs.h" +#else +#include <radlib.h> +#include <radlib_vs.h> +#endif + +#include <errno.h> +#ifndef NODES +#include <md5.h> +#endif +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/time.h> +#include <termios.h> +#include <unistd.h> +#include <netdb.h> + +#include "layer.h" +#include "defs.h" +#include "log.h" +#include "descriptor.h" +#include "prompt.h" +#include "timer.h" +#include "fsm.h" +#include "iplist.h" +#include "slcompress.h" +#include "throughput.h" +#include "lqr.h" +#include "hdlc.h" +#include "mbuf.h" +#include "ncpaddr.h" +#include "ip.h" +#include "ipcp.h" +#include "ipv6cp.h" +#include "route.h" +#include "command.h" +#include "filter.h" +#include "lcp.h" +#include "ccp.h" +#include "link.h" +#include "mp.h" +#include "radius.h" +#include "auth.h" +#include "async.h" +#include "physical.h" +#include "chat.h" +#include "cbcp.h" +#include "chap.h" +#include "datalink.h" +#include "ncp.h" +#include "bundle.h" +#include "proto.h" +#include "iface.h" + +#ifndef NODES +struct mschap_response { + u_char ident; + u_char flags; + u_char lm_response[24]; + u_char nt_response[24]; +}; + +struct mschap2_response { + u_char ident; + u_char flags; + u_char pchallenge[16]; + u_char reserved[8]; + u_char response[24]; +}; + +#define AUTH_LEN 16 +#define SALT_LEN 2 +#endif + +static const char * +radius_policyname(int policy) +{ + switch(policy) { + case MPPE_POLICY_ALLOWED: + return "Allowed"; + case MPPE_POLICY_REQUIRED: + return "Required"; + } + return NumStr(policy, NULL, 0); +} + +static const char * +radius_typesname(int types) +{ + switch(types) { + case MPPE_TYPE_40BIT: + return "40 bit"; + case MPPE_TYPE_128BIT: + return "128 bit"; + case MPPE_TYPE_40BIT|MPPE_TYPE_128BIT: + return "40 or 128 bit"; + } + return NumStr(types, NULL, 0); +} + +#ifndef NODES +static void +demangle(struct radius *r, const void *mangled, size_t mlen, + char **buf, size_t *len) +{ + char R[AUTH_LEN]; /* variable names as per rfc2548 */ + const char *S; + u_char b[16]; + const u_char *A, *C; + MD5_CTX Context; + int Slen, i, Clen, Ppos; + u_char *P; + + if (mlen % 16 != SALT_LEN) { + log_Printf(LogWARN, "Cannot interpret mangled data of length %ld\n", + (u_long)mlen); + *buf = NULL; + *len = 0; + return; + } + + /* We need the RADIUS Request-Authenticator */ + if (rad_request_authenticator(r->cx.rad, R, sizeof R) != AUTH_LEN) { + log_Printf(LogWARN, "Cannot obtain the RADIUS request authenticator\n"); + *buf = NULL; + *len = 0; + return; + } + + A = (const u_char *)mangled; /* Salt comes first */ + C = (const u_char *)mangled + SALT_LEN; /* Then the ciphertext */ + Clen = mlen - SALT_LEN; + S = rad_server_secret(r->cx.rad); /* We need the RADIUS secret */ + Slen = strlen(S); + P = alloca(Clen); /* We derive our plaintext */ + + MD5Init(&Context); + MD5Update(&Context, S, Slen); + MD5Update(&Context, R, AUTH_LEN); + MD5Update(&Context, A, SALT_LEN); + MD5Final(b, &Context); + Ppos = 0; + + while (Clen) { + Clen -= 16; + + for (i = 0; i < 16; i++) + P[Ppos++] = C[i] ^ b[i]; + + if (Clen) { + MD5Init(&Context); + MD5Update(&Context, S, Slen); + MD5Update(&Context, C, 16); + MD5Final(b, &Context); + } + + C += 16; + } + + /* + * The resulting plain text consists of a one-byte length, the text and + * maybe some padding. + */ + *len = *P; + if (*len > mlen - 1) { + log_Printf(LogWARN, "Mangled data seems to be garbage\n"); + *buf = NULL; + *len = 0; + return; + } + + if ((*buf = malloc(*len)) == NULL) { + log_Printf(LogWARN, "demangle: Out of memory (%lu bytes)\n", (u_long)*len); + *len = 0; + } else + memcpy(*buf, P + 1, *len); +} +#endif + +/* XXX: This should go into librarius. */ +#ifndef NOINET6 +static uint8_t * +rad_cvt_ipv6prefix(const void *data, size_t len) +{ + const size_t ipv6len = sizeof(struct in6_addr) + 2; + uint8_t *s; + + if (len > ipv6len) + return NULL; + s = malloc(ipv6len); + if (s != NULL) { + memset(s, 0, ipv6len); + memcpy(s, data, len); + } + return s; +} +#endif + +/* + * rad_continue_send_request() has given us `got' (non-zero). Deal with it. + */ +static void +radius_Process(struct radius *r, int got) +{ + char *argv[MAXARGS], *nuke; + struct bundle *bundle; + int argc, addrs, res, width; + size_t len; + struct ncprange dest; + struct ncpaddr gw; + const void *data; + const char *stype; + u_int32_t ipaddr, vendor; + struct in_addr ip; +#ifndef NOINET6 + uint8_t ipv6addr[INET6_ADDRSTRLEN]; + struct in6_addr ip6; +#endif + + r->cx.fd = -1; /* Stop select()ing */ + stype = r->cx.auth ? "auth" : "acct"; + + switch (got) { + case RAD_ACCESS_ACCEPT: + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "Radius(%s): ACCEPT received\n", stype); + if (!r->cx.auth) { + rad_close(r->cx.rad); + return; + } + break; + + case RAD_ACCESS_REJECT: + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "Radius(%s): REJECT received\n", stype); + if (!r->cx.auth) { + rad_close(r->cx.rad); + return; + } + break; + + case RAD_ACCESS_CHALLENGE: + /* we can't deal with this (for now) ! */ + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "Radius: CHALLENGE received (can't handle yet)\n"); + if (r->cx.auth) + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + + case RAD_ACCOUNTING_RESPONSE: + /* + * It's probably not ideal to log this at PHASE level as we'll see + * too much stuff going to the log when ``set rad_alive'' is used. + * So we differ from older behaviour (ppp version 3.1 and before) + * and just log accounting responses to LogRADIUS. + */ + log_Printf(LogRADIUS, "Radius(%s): Accounting response received\n", + stype); + if (r->cx.auth) + auth_Failure(r->cx.auth); /* unexpected !!! */ + + /* No further processing for accounting requests, please */ + rad_close(r->cx.rad); + return; + + case -1: + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "radius(%s): %s\n", stype, rad_strerror(r->cx.rad)); + if (r->cx.auth) + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + + default: + log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype, + got, rad_strerror(r->cx.rad)); + if (r->cx.auth) + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + + /* Let's see what we've got in our reply */ + r->ip.s_addr = r->mask.s_addr = INADDR_NONE; + r->mtu = 0; + r->vj = 0; + while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) { + switch (res) { + case RAD_FRAMED_IP_ADDRESS: + r->ip = rad_cvt_addr(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " IP %s\n", inet_ntoa(r->ip)); + break; + + case RAD_FILTER_ID: + free(r->filterid); + if ((r->filterid = rad_cvt_string(data, len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " Filter \"%s\"\n", r->filterid); + break; + + case RAD_SESSION_TIMEOUT: + r->sessiontime = rad_cvt_int(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " Session-Timeout %lu\n", r->sessiontime); + break; + + case RAD_FRAMED_IP_NETMASK: + r->mask = rad_cvt_addr(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " Netmask %s\n", inet_ntoa(r->mask)); + break; + + case RAD_FRAMED_MTU: + r->mtu = rad_cvt_int(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MTU %lu\n", r->mtu); + break; + + case RAD_FRAMED_ROUTING: + /* Disabled for now - should we automatically set up some filters ? */ + /* rad_cvt_int(data); */ + /* bit 1 = Send routing packets */ + /* bit 2 = Receive routing packets */ + break; + + case RAD_FRAMED_COMPRESSION: + r->vj = rad_cvt_int(data) == 1 ? 1 : 0; + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " VJ %sabled\n", r->vj ? "en" : "dis"); + break; + + case RAD_FRAMED_ROUTE: + /* + * We expect a string of the format ``dest[/bits] gw [metrics]'' + * Any specified metrics are ignored. MYADDR and HISADDR are + * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same + * as ``HISADDR''. + */ + + if ((nuke = rad_cvt_string(data, len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " Route: %s\n", nuke); + bundle = r->cx.auth->physical->dl->bundle; + ip.s_addr = INADDR_ANY; + ncpaddr_setip4(&gw, ip); + ncprange_setip4host(&dest, ip); + argc = command_Interpret(nuke, strlen(nuke), argv); + if (argc < 0) + log_Printf(LogWARN, "radius: %s: Syntax error\n", + argc == 1 ? argv[0] : "\"\""); + else if (argc < 2) + log_Printf(LogWARN, "radius: %s: Invalid route\n", + argc == 1 ? argv[0] : "\"\""); + else if ((strcasecmp(argv[0], "default") != 0 && + !ncprange_aton(&dest, &bundle->ncp, argv[0])) || + !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) + log_Printf(LogWARN, "radius: %s %s: Invalid route\n", + argv[0], argv[1]); + else { + ncprange_getwidth(&dest, &width); + if (width == 32 && strchr(argv[0], '/') == NULL) { + /* No mask specified - use the natural mask */ + ncprange_getip4addr(&dest, &ip); + ncprange_setip4mask(&dest, addr2mask(ip)); + } + addrs = 0; + + if (!strncasecmp(argv[0], "HISADDR", 7)) + addrs = ROUTE_DSTHISADDR; + else if (!strncasecmp(argv[0], "MYADDR", 6)) + addrs = ROUTE_DSTMYADDR; + + if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) { + addrs |= ROUTE_GWHISADDR; + ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip); + } else if (strcasecmp(argv[1], "HISADDR") == 0) + addrs |= ROUTE_GWHISADDR; + + route_Add(&r->routes, addrs, &dest, &gw); + } + free(nuke); + break; + + case RAD_REPLY_MESSAGE: + free(r->repstr); + if ((r->repstr = rad_cvt_string(data, len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " Reply-Message \"%s\"\n", r->repstr); + break; + +#ifndef NOINET6 + case RAD_FRAMED_IPV6_PREFIX: + free(r->ipv6prefix); + if ((r->ipv6prefix = rad_cvt_ipv6prefix(data, len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_ipv6prefix: %s\n", + "Malformed attribute in response"); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr)); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]); + break; + + case RAD_FRAMED_IPV6_ROUTE: + /* + * We expect a string of the format ``dest[/bits] gw [metrics]'' + * Any specified metrics are ignored. MYADDR6 and HISADDR6 are + * understood for ``dest'' and ``gw'' and ``::'' is the same + * as ``HISADDR6''. + */ + + if ((nuke = rad_cvt_string(data, len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " IPv6 Route: %s\n", nuke); + bundle = r->cx.auth->physical->dl->bundle; + ncpaddr_setip6(&gw, &in6addr_any); + ncprange_set(&dest, &gw, 0); + argc = command_Interpret(nuke, strlen(nuke), argv); + if (argc < 0) + log_Printf(LogWARN, "radius: %s: Syntax error\n", + argc == 1 ? argv[0] : "\"\""); + else if (argc < 2) + log_Printf(LogWARN, "radius: %s: Invalid route\n", + argc == 1 ? argv[0] : "\"\""); + else if ((strcasecmp(argv[0], "default") != 0 && + !ncprange_aton(&dest, &bundle->ncp, argv[0])) || + !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) + log_Printf(LogWARN, "radius: %s %s: Invalid route\n", + argv[0], argv[1]); + else { + addrs = 0; + + if (!strncasecmp(argv[0], "HISADDR6", 8)) + addrs = ROUTE_DSTHISADDR6; + else if (!strncasecmp(argv[0], "MYADDR6", 7)) + addrs = ROUTE_DSTMYADDR6; + + if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) { + addrs |= ROUTE_GWHISADDR6; + ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr); + } else if (strcasecmp(argv[1], "HISADDR6") == 0) + addrs |= ROUTE_GWHISADDR6; + + route_Add(&r->ipv6routes, addrs, &dest, &gw); + } + free(nuke); + break; +#endif + + case RAD_VENDOR_SPECIFIC: + if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) { + log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n", + rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + + switch (vendor) { + case RAD_VENDOR_MICROSOFT: + switch (res) { +#ifndef NODES + case RAD_MICROSOFT_MS_CHAP_ERROR: + free(r->errstr); + if (len == 0) + r->errstr = NULL; + else { + if (len < 3 || ((const char *)data)[1] != '=') { + /* + * Only point at the String field if we don't think the + * peer has misformatted the response. + */ + data = (const char *)data + 1; + len--; + } else + log_Printf(LogWARN, "Warning: The MS-CHAP-Error " + "attribute is mis-formatted. Compensating\n"); + if ((r->errstr = rad_cvt_string((const char *)data, + len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", + rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-CHAP-Error \"%s\"\n", r->errstr); + } + break; + + case RAD_MICROSOFT_MS_CHAP2_SUCCESS: + free(r->msrepstr); + if (len == 0) + r->msrepstr = NULL; + else { + if (len < 3 || ((const char *)data)[1] != '=') { + /* + * Only point at the String field if we don't think the + * peer has misformatted the response. + */ + data = (const char *)data + 1; + len--; + } else + log_Printf(LogWARN, "Warning: The MS-CHAP2-Success " + "attribute is mis-formatted. Compensating\n"); + if ((r->msrepstr = rad_cvt_string((const char *)data, + len)) == NULL) { + log_Printf(LogERROR, "rad_cvt_string: %s\n", + rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + rad_close(r->cx.rad); + return; + } + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-CHAP2-Success \"%s\"\n", r->msrepstr); + } + break; + + case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY: + r->mppe.policy = rad_cvt_int(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-MPPE-Encryption-Policy %s\n", + radius_policyname(r->mppe.policy)); + break; + + case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES: + r->mppe.types = rad_cvt_int(data); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-MPPE-Encryption-Types %s\n", + radius_typesname(r->mppe.types)); + break; + + case RAD_MICROSOFT_MS_MPPE_RECV_KEY: + free(r->mppe.recvkey); + demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-MPPE-Recv-Key ********\n"); + break; + + case RAD_MICROSOFT_MS_MPPE_SEND_KEY: + demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen); + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + " MS-MPPE-Send-Key ********\n"); + break; +#endif + + default: + log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific " + "RADIUS attribute %d\n", res); + break; + } + break; + + default: + log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n", + (unsigned long)vendor, res); + break; + } + break; + + default: + log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res); + break; + } + } + + if (res == -1) { + log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n", + rad_strerror(r->cx.rad)); + auth_Failure(r->cx.auth); + } else if (got == RAD_ACCESS_REJECT) + auth_Failure(r->cx.auth); + else { + r->valid = 1; + auth_Success(r->cx.auth); + } + rad_close(r->cx.rad); +} + +/* + * We've either timed out or select()ed on the read descriptor + */ +static void +radius_Continue(struct radius *r, int sel) +{ + struct timeval tv; + int got; + + timer_Stop(&r->cx.timer); + if ((got = rad_continue_send_request(r->cx.rad, sel, &r->cx.fd, &tv)) == 0) { + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "Radius: Request re-sent\n"); + r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; + timer_Start(&r->cx.timer); + return; + } + + radius_Process(r, got); +} + +/* + * Time to call rad_continue_send_request() - timed out. + */ +static void +radius_Timeout(void *v) +{ + radius_Continue((struct radius *)v, 0); +} + +/* + * Time to call rad_continue_send_request() - something to read. + */ +static void +radius_Read(struct fdescriptor *d, struct bundle *bundle __unused, + const fd_set *fdset __unused) +{ + radius_Continue(descriptor2radius(d), 1); +} + +/* + * Flush any pending transactions + */ +void +radius_Flush(struct radius *r) +{ + struct timeval tv; + fd_set s; + + while (r->cx.fd != -1) { + FD_ZERO(&s); + FD_SET(r->cx.fd, &s); + tv.tv_sec = 0; + tv.tv_usec = TICKUNIT; + select(r->cx.fd + 1, &s, NULL, NULL, &tv); + radius_Continue(r, 1); + } +} + +/* + * Behave as a struct fdescriptor (descriptor.h) + */ +static int +radius_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused, + fd_set *e __unused, int *n) +{ + struct radius *rad = descriptor2radius(d); + + if (r && rad->cx.fd != -1) { + FD_SET(rad->cx.fd, r); + if (*n < rad->cx.fd + 1) + *n = rad->cx.fd + 1; + log_Printf(LogTIMER, "Radius: fdset(r) %d\n", rad->cx.fd); + return 1; + } + + return 0; +} + +/* + * Behave as a struct fdescriptor (descriptor.h) + */ +static int +radius_IsSet(struct fdescriptor *d, const fd_set *fdset) +{ + struct radius *r = descriptor2radius(d); + + return r && r->cx.fd != -1 && FD_ISSET(r->cx.fd, fdset); +} + +/* + * Behave as a struct fdescriptor (descriptor.h) + */ +static int +radius_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused, + const fd_set *fdset __unused) +{ + /* We never want to write here ! */ + log_Printf(LogALERT, "radius_Write: Internal error: Bad call !\n"); + return 0; +} + +/* + * Initialise ourselves + */ +void +radius_Init(struct radius *r) +{ + r->desc.type = RADIUS_DESCRIPTOR; + r->desc.UpdateSet = radius_UpdateSet; + r->desc.IsSet = radius_IsSet; + r->desc.Read = radius_Read; + r->desc.Write = radius_Write; + r->cx.fd = -1; + r->cx.rad = NULL; + memset(&r->cx.timer, '\0', sizeof r->cx.timer); + r->cx.auth = NULL; + r->valid = 0; + r->vj = 0; + r->ip.s_addr = INADDR_ANY; + r->mask.s_addr = INADDR_NONE; + r->routes = NULL; + r->mtu = DEF_MTU; + r->msrepstr = NULL; + r->repstr = NULL; +#ifndef NOINET6 + r->ipv6prefix = NULL; + r->ipv6routes = NULL; +#endif + r->errstr = NULL; + r->mppe.policy = 0; + r->mppe.types = 0; + r->mppe.recvkey = NULL; + r->mppe.recvkeylen = 0; + r->mppe.sendkey = NULL; + r->mppe.sendkeylen = 0; + *r->cfg.file = '\0'; + log_Printf(LogDEBUG, "Radius: radius_Init\n"); +} + +/* + * Forget everything and go back to initialised state. + */ +void +radius_Destroy(struct radius *r) +{ + r->valid = 0; + log_Printf(LogDEBUG, "Radius: radius_Destroy\n"); + timer_Stop(&r->cx.timer); + route_DeleteAll(&r->routes); +#ifndef NOINET6 + route_DeleteAll(&r->ipv6routes); +#endif + free(r->filterid); + r->filterid = NULL; + free(r->msrepstr); + r->msrepstr = NULL; + free(r->repstr); + r->repstr = NULL; +#ifndef NOINET6 + free(r->ipv6prefix); + r->ipv6prefix = NULL; +#endif + free(r->errstr); + r->errstr = NULL; + free(r->mppe.recvkey); + r->mppe.recvkey = NULL; + r->mppe.recvkeylen = 0; + free(r->mppe.sendkey); + r->mppe.sendkey = NULL; + r->mppe.sendkeylen = 0; + if (r->cx.fd != -1) { + r->cx.fd = -1; + rad_close(r->cx.rad); + } +} + +static int +radius_put_physical_details(struct radius *rad, struct physical *p) +{ + int slot, type; + + type = RAD_VIRTUAL; + if (p->handler) + switch (p->handler->type) { + case I4B_DEVICE: + type = RAD_ISDN_SYNC; + break; + + case TTY_DEVICE: + type = RAD_ASYNC; + break; + + case ETHER_DEVICE: + type = RAD_ETHERNET; + break; + + case TCP_DEVICE: + case UDP_DEVICE: + case EXEC_DEVICE: + case ATM_DEVICE: + case NG_DEVICE: + type = RAD_VIRTUAL; + break; + } + + if (rad_put_int(rad->cx.rad, RAD_NAS_PORT_TYPE, type) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad)); + rad_close(rad->cx.rad); + return 0; + } + + switch (rad->port_id_type) { + case RPI_PID: + slot = (int)getpid(); + break; + case RPI_IFNUM: + slot = p->dl->bundle->iface->index; + break; + case RPI_TUNNUM: + slot = p->dl->bundle->unit; + break; + case RPI_DEFAULT: + default: + slot = physical_Slot(p); + break; + } + + if (slot >= 0) + if (rad_put_int(rad->cx.rad, RAD_NAS_PORT, slot) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad)); + rad_close(rad->cx.rad); + return 0; + } + + return 1; +} + +/* + * Start an authentication request to the RADIUS server. + */ +int +radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name, + const char *key, int klen, const char *nchallenge, + int nclen) +{ + char hostname[MAXHOSTNAMELEN]; + struct timeval tv; + const char *what = "questionable"; /* silence warnings! */ + char *mac_addr; + int got; + struct hostent *hp; + struct in_addr hostaddr; +#ifndef NODES + struct mschap_response msresp; + struct mschap2_response msresp2; + const struct MSCHAPv2_resp *keyv2; +#endif + + if (!*r->cfg.file) + return 0; + + if (r->cx.fd != -1) + /* + * We assume that our name/key/challenge is the same as last time, + * and just continue to wait for the RADIUS server(s). + */ + return 1; + + radius_Destroy(r); + + if ((r->cx.rad = rad_auth_open()) == NULL) { + log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); + return 0; + } + + if (rad_config(r->cx.rad, r->cfg.file) != 0) { + log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + + if (rad_create_request(r->cx.rad, RAD_ACCESS_REQUEST) != 0) { + log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + + if (rad_put_string(r->cx.rad, RAD_USER_NAME, name) != 0 || + rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || + rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + + switch (authp->physical->link.lcp.want_auth) { + case PROTO_PAP: + /* We're talking PAP */ + if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) { + log_Printf(LogERROR, "PAP: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + what = "PAP"; + break; + + case PROTO_CHAP: + switch (authp->physical->link.lcp.want_authtype) { + case 0x5: + if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 || + rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, nchallenge, nclen) != 0) { + log_Printf(LogERROR, "CHAP: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + what = "CHAP"; + break; + +#ifndef NODES + case 0x80: + if (klen != 50) { + log_Printf(LogERROR, "CHAP80: Unrecognised key length %d\n", klen); + rad_close(r->cx.rad); + return 0; + } + + rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, + RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); + msresp.ident = *key; + msresp.flags = 0x01; + memcpy(msresp.lm_response, key + 1, 24); + memcpy(msresp.nt_response, key + 25, 24); + rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, + RAD_MICROSOFT_MS_CHAP_RESPONSE, &msresp, + sizeof msresp); + what = "MSCHAP"; + break; + + case 0x81: + if (klen != sizeof(*keyv2) + 1) { + log_Printf(LogERROR, "CHAP81: Unrecognised key length %d\n", klen); + rad_close(r->cx.rad); + return 0; + } + + keyv2 = (const struct MSCHAPv2_resp *)(key + 1); + rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, + RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); + msresp2.ident = *key; + msresp2.flags = keyv2->Flags; + memcpy(msresp2.response, keyv2->NTResponse, sizeof msresp2.response); + memset(msresp2.reserved, '\0', sizeof msresp2.reserved); + memcpy(msresp2.pchallenge, keyv2->PeerChallenge, + sizeof msresp2.pchallenge); + rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, + RAD_MICROSOFT_MS_CHAP2_RESPONSE, &msresp2, + sizeof msresp2); + what = "MSCHAPv2"; + break; +#endif + default: + log_Printf(LogERROR, "CHAP: Unrecognised type 0x%02x\n", + authp->physical->link.lcp.want_authtype); + rad_close(r->cx.rad); + return 0; + } + } + + if (gethostname(hostname, sizeof hostname) != 0) + log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); + else { + if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) && + (hp = gethostbyname(hostname)) != NULL) { + hostaddr.s_addr = *(u_long *)hp->h_addr; + if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + } + if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) && + rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + } + + if ((mac_addr = getenv("HISMACADDR")) != NULL && + rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return 0; + } + + radius_put_physical_details(r, authp->physical); + + log_Printf(LogRADIUS, "Radius(auth): %s data sent for %s\n", what, name); + + r->cx.auth = authp; + if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) + radius_Process(r, got); + else { + log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, + "Radius: Request sent\n"); + log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); + r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; + r->cx.timer.func = radius_Timeout; + r->cx.timer.name = "radius auth"; + r->cx.timer.arg = r; + timer_Start(&r->cx.timer); + } + + return 1; +} + +/* Fetch IP, netmask from IPCP */ +void +radius_Account_Set_Ip(struct radacct *ac, struct in_addr *peer_ip, + struct in_addr *netmask) +{ + ac->proto = PROTO_IPCP; + memcpy(&ac->peer.ip.addr, peer_ip, sizeof(ac->peer.ip.addr)); + memcpy(&ac->peer.ip.mask, netmask, sizeof(ac->peer.ip.mask)); +} + +#ifndef NOINET6 +/* Fetch interface-id from IPV6CP */ +void +radius_Account_Set_Ipv6(struct radacct *ac, u_char *ifid) +{ + ac->proto = PROTO_IPV6CP; + memcpy(&ac->peer.ipv6.ifid, ifid, sizeof(ac->peer.ipv6.ifid)); +} +#endif + +/* + * Send an accounting request to the RADIUS server + */ +void +radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl, + int acct_type, struct pppThroughput *stats) +{ + struct timeval tv; + int got; + char hostname[MAXHOSTNAMELEN]; + char *mac_addr; + struct hostent *hp; + struct in_addr hostaddr; + + if (!*r->cfg.file) + return; + + if (r->cx.fd != -1) + /* + * We assume that our name/key/challenge is the same as last time, + * and just continue to wait for the RADIUS server(s). + */ + return; + + timer_Stop(&r->cx.timer); + + if ((r->cx.rad = rad_acct_open()) == NULL) { + log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); + return; + } + + if (rad_config(r->cx.rad, r->cfg.file) != 0) { + log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + + if (rad_create_request(r->cx.rad, RAD_ACCOUNTING_REQUEST) != 0) { + log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + + /* Grab some accounting data and initialize structure */ + if (acct_type == RAD_START) { + ac->rad_parent = r; + /* Fetch username from datalink */ + strncpy(ac->user_name, dl->peer.authname, sizeof ac->user_name); + ac->user_name[AUTHLEN-1] = '\0'; + + ac->authentic = 2; /* Assume RADIUS verified auth data */ + + /* Generate a session ID */ + snprintf(ac->session_id, sizeof ac->session_id, "%s%ld-%s%lu", + dl->bundle->cfg.auth.name, (long)getpid(), + dl->peer.authname, (unsigned long)stats->uptime); + + /* And grab our MP socket name */ + snprintf(ac->multi_session_id, sizeof ac->multi_session_id, "%s", + dl->bundle->ncp.mp.active ? + dl->bundle->ncp.mp.server.socket.sun_path : ""); + }; + + if (rad_put_string(r->cx.rad, RAD_USER_NAME, ac->user_name) != 0 || + rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || + rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + switch (ac->proto) { + case PROTO_IPCP: + if (rad_put_addr(r->cx.rad, RAD_FRAMED_IP_ADDRESS, + ac->peer.ip.addr) != 0 || + rad_put_addr(r->cx.rad, RAD_FRAMED_IP_NETMASK, + ac->peer.ip.mask) != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + break; +#ifndef NOINET6 + case PROTO_IPV6CP: + if (rad_put_attr(r->cx.rad, RAD_FRAMED_INTERFACE_ID, ac->peer.ipv6.ifid, + sizeof(ac->peer.ipv6.ifid)) != 0) { + log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + if (r->ipv6prefix) { + /* + * Since PPP doesn't delegate an IPv6 prefix to a peer, + * Framed-IPv6-Prefix may be not used, actually. + */ + if (rad_put_attr(r->cx.rad, RAD_FRAMED_IPV6_PREFIX, r->ipv6prefix, + sizeof(struct in6_addr) + 2) != 0) { + log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + } + break; +#endif + default: + /* We don't log any protocol specific information */ + break; + } + + if ((mac_addr = getenv("HISMACADDR")) != NULL && + rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + + if (gethostname(hostname, sizeof hostname) != 0) + log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); + else { + if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) && + (hp = gethostbyname(hostname)) != NULL) { + hostaddr.s_addr = *(u_long *)hp->h_addr; + if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + } + if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) && + rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { + log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", + rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + } + + radius_put_physical_details(r, dl->physical); + + if (rad_put_int(r->cx.rad, RAD_ACCT_STATUS_TYPE, acct_type) != 0 || + rad_put_string(r->cx.rad, RAD_ACCT_SESSION_ID, ac->session_id) != 0 || + rad_put_string(r->cx.rad, RAD_ACCT_MULTI_SESSION_ID, + ac->multi_session_id) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_DELAY_TIME, 0) != 0) { +/* XXX ACCT_DELAY_TIME should be increased each time a packet is waiting */ + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + + if (acct_type == RAD_STOP || acct_type == RAD_ALIVE) + /* Show some statistics */ + if (rad_put_int(r->cx.rad, RAD_ACCT_INPUT_OCTETS, stats->OctetsIn % UINT32_MAX) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_INPUT_GIGAWORDS, stats->OctetsIn / UINT32_MAX) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_INPUT_PACKETS, stats->PacketsIn) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_OCTETS, stats->OctetsOut % UINT32_MAX) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_GIGAWORDS, stats->OctetsOut / UINT32_MAX) != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_PACKETS, stats->PacketsOut) + != 0 || + rad_put_int(r->cx.rad, RAD_ACCT_SESSION_TIME, throughput_uptime(stats)) + != 0) { + log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); + rad_close(r->cx.rad); + return; + } + + if (log_IsKept(LogPHASE) || log_IsKept(LogRADIUS)) { + const char *what; + int level; + + switch (acct_type) { + case RAD_START: + what = "START"; + level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS; + break; + case RAD_STOP: + what = "STOP"; + level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS; + break; + case RAD_ALIVE: + what = "ALIVE"; + level = LogRADIUS; + break; + default: + what = "<unknown>"; + level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS; + break; + } + log_Printf(level, "Radius(acct): %s data sent\n", what); + } + + r->cx.auth = NULL; /* Not valid for accounting requests */ + if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) + radius_Process(r, got); + else { + log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); + r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; + r->cx.timer.func = radius_Timeout; + r->cx.timer.name = "radius acct"; + r->cx.timer.arg = r; + timer_Start(&r->cx.timer); + } +} + +/* + * How do things look at the moment ? + */ +void +radius_Show(struct radius *r, struct prompt *p) +{ + prompt_Printf(p, " Radius config: %s", + *r->cfg.file ? r->cfg.file : "none"); + if (r->valid) { + prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip)); + prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask)); + prompt_Printf(p, " MTU: %lu\n", r->mtu); + prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis"); + prompt_Printf(p, " Message: %s\n", r->repstr ? r->repstr : ""); + prompt_Printf(p, " MPPE Enc Policy: %s\n", + radius_policyname(r->mppe.policy)); + prompt_Printf(p, " MPPE Enc Types: %s\n", + radius_typesname(r->mppe.types)); + prompt_Printf(p, " MPPE Recv Key: %seceived\n", + r->mppe.recvkey ? "R" : "Not r"); + prompt_Printf(p, " MPPE Send Key: %seceived\n", + r->mppe.sendkey ? "R" : "Not r"); + prompt_Printf(p, " MS-CHAP2-Response: %s\n", + r->msrepstr ? r->msrepstr : ""); + prompt_Printf(p, " Error Message: %s\n", r->errstr ? r->errstr : ""); + if (r->routes) + route_ShowSticky(p, r->routes, " Routes", 16); +#ifndef NOINET6 + if (r->ipv6routes) + route_ShowSticky(p, r->ipv6routes, " IPv6 Routes", 16); +#endif + } else + prompt_Printf(p, " (not authenticated)\n"); +} + +static void +radius_alive(void *v) +{ + struct bundle *bundle = (struct bundle *)v; + + timer_Stop(&bundle->radius.alive.timer); + bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS; + if (bundle->radius.alive.timer.load) { + radius_Account(&bundle->radius, &bundle->radacct, + bundle->links, RAD_ALIVE, &bundle->ncp.ipcp.throughput); + timer_Start(&bundle->radius.alive.timer); + } +} + +void +radius_StartTimer(struct bundle *bundle) +{ + if (bundle->radius.cfg.file && bundle->radius.alive.interval) { + bundle->radius.alive.timer.func = radius_alive; + bundle->radius.alive.timer.name = "radius alive"; + bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS; + bundle->radius.alive.timer.arg = bundle; + radius_alive(bundle); + } +} + +void +radius_StopTimer(struct radius *r) +{ + timer_Stop(&r->alive.timer); +} |