18bdf1efc450c257f174ccccb51ffefbb6a6859f
2 // $Id: radius.c,v 1.3 2004/05/24 04:27:11 fred_nerk Exp $
7 #include <sys/socket.h>
11 #include <arpa/inet.h>
13 #include <netinet/in.h>
15 #include "constants.h"
20 extern radiust
*radius
;
21 extern sessiont
*session
;
22 extern tunnelt
*tunnel
;
24 extern struct Tstats
*_statistics
;
25 extern struct configt
*config
;
28 const char *radius_state(int state
)
30 static char *tmp
= NULL
;
32 for (i
= 0; radius_states
[i
]; i
++)
33 if (i
== state
) return radius_states
[i
];
35 if (tmp
== NULL
) tmp
= (char *)calloc(64, 1);
36 sprintf(tmp
, "%d", state
);
40 // Set up socket for radius requests
44 log(3, 0, 0, 0, "Creating %d sockets for RADIUS queries\n", config
->num_radfds
);
45 radfds
= calloc(sizeof(int), config
->num_radfds
);
46 for (i
= 0; i
< config
->num_radfds
; i
++)
49 if (!radfds
[i
]) radfds
[i
] = socket(AF_INET
, SOCK_DGRAM
, UDP
);
50 flags
= fcntl(radfds
[i
], F_GETFL
, 0);
51 fcntl(radfds
[i
], F_SETFL
, flags
| O_NONBLOCK
);
55 void radiusclear(u16 r
, sessionidt s
)
57 if (s
) session
[s
].radius
= 0;
58 memset(&radius
[r
], 0, sizeof(radius
[r
])); // radius[r].state = RADIUSNULL;
61 int next_radius_id
= 1;
63 static u16
new_radius()
67 for (i
= next_radius_id
; ; i
= (i
+ 1) % MAXRADIUS
)
69 if (radius
[i
].state
== RADIUSNULL
)
71 next_radius_id
= (next_radius_id
+ 1) % MAXRADIUS
;
74 if (next_radius_id
== i
)
78 log(0, 0, 0, 0, "Can't find a free radius session! This is very bad!\n");
85 u16
radiusnew(sessionidt s
)
88 if (!(r
= new_radius()))
90 log(1, 0, s
, session
[s
].tunnel
, "No free RADIUS sessions\n");
91 STAT(radius_overflow
);
94 memset(&radius
[r
], 0, sizeof(radius
[r
]));
95 session
[s
].radius
= r
;
96 radius
[r
].session
= s
;
97 radius
[r
].state
= RADIUSWAIT
;
101 // Send a RADIUS request
102 void radiussend(u16 r
, u8 state
)
104 struct sockaddr_in addr
;
105 u8 b
[4096]; // RADIUS packet
111 STAT(call_radiussend
);
113 s
= radius
[r
].session
;
114 if (!config
->numradiusservers
)
116 log(0, 0, s
, session
[s
].tunnel
, "No RADIUS servers\n");
119 if (!*config
->radiussecret
)
121 log(0, 0, s
, session
[s
].tunnel
, "No RADIUS secret\n");
125 if (state
!= RADIUSAUTH
&& !config
->radius_accounting
)
127 // Radius accounting is turned off
132 if (radius
[r
].state
!= state
)
134 radius
[r
].state
= state
;
135 radius
[r
].retry
= backoff(radius
[r
].try++);
136 log(4, 0, s
, session
[s
].tunnel
, "Send RADIUS id %d sock %d state %s try %d\n",
137 r
>> RADIUS_SHIFT
, r
& RADIUS_MASK
,
138 radius_state(radius
[r
].state
), radius
[r
].try);
139 if (radius
[r
].try > config
->numradiusservers
* 2)
143 if (state
== RADIUSAUTH
)
144 sessionshutdown(s
, "RADIUS timeout");
147 log(1, 0, s
, session
[s
].tunnel
, "RADIUS timeout, but in state %s so don't timeout session\n",
148 radius_states
[state
]);
151 STAT(radius_timeout
);
155 STAT(radius_retries
);
156 radius
[r
].state
= RADIUSWAIT
;
157 radius
[r
].retry
= 100;
161 // contruct RADIUS access request
165 b
[0] = 1; // access request
169 b
[0] = 4; // accounting request
172 log(0, 0, 0, 0, "Unknown radius state %d\n", state
);
174 b
[1] = r
>> RADIUS_SHIFT
; // identifier
175 memcpy(b
+ 4, radius
[r
].auth
, 16);
180 p
[1] = strlen(session
[s
].user
) + 2;
181 strcpy(p
+ 2, session
[s
].user
);
184 if (state
== RADIUSAUTH
)
188 *p
= 3; // CHAP password
190 p
[2] = radius
[r
].id
; // ID
191 memcpy(p
+ 3, radius
[r
].pass
, 16); // response from CHAP request
193 *p
= 60; // CHAP Challenge
195 memcpy(p
+ 2, radius
[r
].auth
, 16);
200 strcpy(pass
, radius
[r
].pass
);
203 pass
[pl
++] = 0; // pad
212 MD5Update(&ctx
, config
->radiussecret
, strlen(config
->radiussecret
));
214 MD5Update(&ctx
, pass
+ p
- 16, 16);
216 MD5Update(&ctx
, radius
[r
].auth
, 16);
217 MD5Final(hash
, &ctx
);
220 pass
[p
] ^= hash
[p
& 15];
229 memcpy(p
+ 2, pass
, pl
);
233 else if (state
== RADIUSSTART
|| state
== RADIUSSTOP
)
235 *p
= 40; // accounting type
237 *(u32
*) (p
+ 2) = htonl((state
== RADIUSSTART
) ? 1 : 2);
241 *p
= 44; // session ID
243 sprintf(p
+ 2, "%08X%08X", session
[s
].id
, session
[s
].opened
);
245 if (state
== RADIUSSTOP
)
247 *p
= 42; // input octets
249 *(u32
*) (p
+ 2) = htonl(session
[s
].cin
);
251 *p
= 43; // output octets
253 *(u32
*) (p
+ 2) = htonl(session
[s
].cout
);
255 *p
= 46; // session time
257 *(u32
*) (p
+ 2) = htonl(time(NULL
) - session
[s
].opened
);
259 *p
= 47; // input packets
261 *(u32
*) (p
+ 2) = htonl(session
[s
].pin
);
263 *p
= 48; // output spackets
265 *(u32
*) (p
+ 2) = htonl(session
[s
].pout
);
272 *(u32
*) (p
+ 2) = htonl(time(NULL
) - session
[s
].opened
);
281 *(u32
*) (p
+ 2) = htonl(s
);
284 if (s
&& session
[s
].ip
)
286 *p
= 8; // Framed-IP-Address
288 *(u32
*) (p
+ 2) = htonl(session
[s
].ip
);
291 if (*session
[s
].called
)
294 p
[1] = strlen(session
[s
].called
) + 2;
295 strcpy(p
+ 2, session
[s
].called
);
298 if (*radius
[r
].calling
)
301 p
[1] = strlen(radius
[r
].calling
) + 2;
302 strcpy(p
+ 2, radius
[r
].calling
);
305 else if (*session
[s
].calling
)
308 p
[1] = strlen(session
[s
].calling
) + 2;
309 strcpy(p
+ 2, session
[s
].calling
);
315 *(u32
*)(p
+ 2) = config
->bind_address
;
319 *(u16
*) (b
+ 2) = htons(p
- b
);
320 if (state
!= RADIUSAUTH
)
322 // Build auth for accounting packet
327 MD5Update(&ctx
, b
, 4);
328 MD5Update(&ctx
, z
, 16);
329 MD5Update(&ctx
, b
+ 20, (p
- b
) - 20);
330 MD5Update(&ctx
, config
->radiussecret
, strlen(config
->radiussecret
));
331 MD5Final(hash
, &ctx
);
332 memcpy(b
+ 4, hash
, 16);
333 memcpy(radius
[r
].auth
, hash
, 16);
335 memset(&addr
, 0, sizeof(addr
));
336 addr
.sin_family
= AF_INET
;
337 *(u32
*) & addr
.sin_addr
= config
->radiusserver
[(radius
[r
].try - 1) % config
->numradiusservers
];
338 addr
.sin_port
= htons((state
== RADIUSAUTH
) ? RADPORT
: RADAPORT
);
340 log_hex(5, "RADIUS Send", b
, (p
- b
));
341 sendto(radfds
[r
& RADIUS_MASK
], b
, p
- b
, 0, (void *) &addr
, sizeof(addr
));
344 // process RADIUS response
345 void processrad(u8
*buf
, int len
, char socket_index
)
356 STAT(call_processrad
);
358 log_hex(5, "RADIUS Response", buf
, len
);
359 if (len
< 20 || len
< ntohs(*(u16
*) (buf
+ 2)))
361 log(1, 0, 0, 0, "Duff RADIUS response length %d\n", len
);
364 len
= ntohs(*(u16
*) (buf
+ 2));
365 r
= socket_index
| (buf
[1] << RADIUS_SHIFT
);
366 s
= radius
[r
].session
;
367 log(3, 0, s
, session
[s
].tunnel
, "Received %s, radius %d response for session %u\n",
368 radius_states
[radius
[r
].state
], r
, s
);
369 if (!s
&& radius
[r
].state
!= RADIUSSTOP
)
371 log(1, 0, s
, session
[s
].tunnel
, " Unexpected RADIUS response\n");
374 if (radius
[r
].state
!= RADIUSAUTH
&& radius
[r
].state
!= RADIUSSTART
&& radius
[r
].state
!= RADIUSSTOP
)
376 log(1, 0, s
, session
[s
].tunnel
, " Unexpected RADIUS response\n");
379 t
= session
[s
].tunnel
;
381 MD5Update(&ctx
, buf
, 4);
382 MD5Update(&ctx
, radius
[r
].auth
, 16);
383 MD5Update(&ctx
, buf
+ 20, len
- 20);
384 MD5Update(&ctx
, config
->radiussecret
, strlen(config
->radiussecret
));
385 MD5Final(hash
, &ctx
);
387 if (memcmp(hash
, buf
+ 4, 16))
389 log(0, 0, s
, session
[s
].tunnel
, " Incorrect auth on RADIUS response\n");
390 radius
[r
].state
= RADIUSWAIT
;
393 if ((radius
[r
].state
== RADIUSAUTH
&& *buf
!= 2 && *buf
!= 3) ||
394 ((radius
[r
].state
== RADIUSSTART
|| radius
[r
].state
== RADIUSSTOP
) && *buf
!= 5))
396 log(1, 0, s
, session
[s
].tunnel
, " Unexpected RADIUS response %d\n", *buf
);
397 radius
[r
].state
= RADIUSWAIT
;
400 if (radius
[r
].state
== RADIUSAUTH
)
402 log(4, 0, s
, session
[s
].tunnel
, " Original response is \"%s\"\n", (*buf
== 2) ? "accept" : "reject");
403 // process auth response
407 u8
*p
= makeppp(b
, 0, 0, t
, s
, PPPCHAP
);
410 struct param_post_auth packet
= { &tunnel
[t
], &session
[s
], session
[s
].user
, (*buf
== 2), PPPCHAP
};
411 run_plugins(PLUGIN_POST_AUTH
, &packet
);
412 *buf
= packet
.auth_allowed
? 2 : 3;
415 log(3, 0, s
, session
[s
].tunnel
, " CHAP User %s authentication %s.\n", session
[s
].user
,
416 (*buf
== 2) ? "allowed" : "denied");
417 *p
= (*buf
== 2) ? 3 : 4; // ack/nak
419 *(u16
*) (p
+ 2) = ntohs(4); // no message
420 tunnelsend(b
, (p
- b
) + 4, t
); // send it
425 u8
*p
= makeppp(b
, 0, 0, t
, s
, PPPPAP
);
428 struct param_post_auth packet
= { &tunnel
[t
], &session
[s
], session
[s
].user
, (*buf
== 2), PPPPAP
};
429 run_plugins(PLUGIN_POST_AUTH
, &packet
);
430 *buf
= packet
.auth_allowed
? 2 : 3;
433 log(3, 0, s
, session
[s
].tunnel
, " PAP User %s authentication %s.\n", session
[s
].user
,
434 (*buf
== 2) ? "allowed" : "denied");
438 *(u16
*) (p
+ 2) = ntohs(5);
439 p
[4] = 0; // no message
440 tunnelsend(b
, (p
- b
) + 5, t
); // send it
446 // Extract IP, routes, etc
449 for (p
= buf
+ 20; p
< e
&& p
[1]; p
+= p
[1])
453 // Statically assigned address
454 log(3, 0, s
, session
[s
].tunnel
, " Radius reply contains IP address %s\n", inet_toa(*(u32
*) (p
+ 2)));
455 session
[s
].ip
= ntohl(*(u32
*) (p
+ 2));
460 log(3, 0, s
, session
[s
].tunnel
, " Radius reply contains primary DNS address %s\n", inet_toa(ntohl(*(u32
*) (p
+ 2))));
461 session
[s
].dns1
= ntohl(*(u32
*) (p
+ 2));
466 log(3, 0, s
, session
[s
].tunnel
, " Radius reply contains secondary DNS address %s\n", inet_toa(ntohl(*(u32
*) (p
+ 2))));
467 session
[s
].dns2
= ntohl(*(u32
*) (p
+ 2));
472 ipt ip
= 0, mask
= 0;
477 while (n
< e
&& (isdigit(*n
) || *n
== '.'))
485 u
= u
* 10 + *n
- '0';
492 while (n
< e
&& isdigit(*n
))
493 bits
= bits
* 10 + *n
++ - '0';
494 mask
= (( -1) << (32 - bits
));
496 else if ((ip
>> 24) < 128)
498 else if ((ip
>> 24) < 192)
502 if (routes
== MAXROUTE
)
504 log(1, 0, s
, session
[s
].tunnel
, " Too many routes\n");
509 ips
= strdup(inet_toa(ip
));
510 masks
= strdup(inet_toa(mask
));
511 log(3, 0, s
, session
[s
].tunnel
, " Radius reply contains route for %s/%s\n", ips
, masks
);
514 session
[s
].route
[routes
].ip
= ip
;
515 session
[s
].route
[routes
].mask
= mask
;
521 // Vendor-Specific Attribute
522 int vendor
= ntohl(*(int *)(p
+ 2));
523 char attrib
= *(p
+ 6);
524 char attrib_length
= *(p
+ 7) - 2;
525 log(3, 0, s
, session
[s
].tunnel
, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor
, attrib
, attrib_length
);
526 if (attrib_length
== 0) continue;
528 log(3, 0, s
, session
[s
].tunnel
, " Unknown vendor-specific\n");
531 char *avpair
, *value
, *key
, *newp
;
532 avpair
= key
= calloc(attrib_length
+ 1, 1);
533 memcpy(avpair
, p
+ 8, attrib_length
);
534 log(3, 0, s
, session
[s
].tunnel
, " Cisco-Avpair value: %s\n", avpair
);
536 value
= strchr(key
, '=');
540 // Trim quotes off reply string
541 if (*value
== '\'' || *value
== '\"')
545 x
= value
+ strlen(value
) - 1;
546 if (*x
== '\'' || *x
== '\"')
551 newp
= strchr(value
, ',');
552 if (newp
) *newp
++ = 0;
554 struct param_radius_response p
= { &tunnel
[session
[s
].tunnel
], &session
[s
], key
, value
};
555 run_plugins(PLUGIN_RADIUS_RESPONSE
, &p
);
566 log(2, 0, s
, session
[s
].tunnel
, " Authentication denied for %s\n", session
[s
].user
);
570 // Check for Assign-IP-Address
571 if (!session
[s
].ip
|| session
[s
].ip
== 0xFFFFFFFE)
573 assign_ip_address(s
);
575 log(3, 0, s
, t
, " No IP allocated by radius. Assigned %s from pool\n",
576 inet_toa(htonl(session
[s
].ip
)));
578 log(0, 0, s
, t
, " No IP allocated by radius. The IP address pool is FULL!\n");
580 if (!session
[s
].dns1
&& config
->default_dns1
)
582 session
[s
].dns1
= htonl(config
->default_dns1
);
583 log(3, 0, s
, t
, " Sending dns1 = %s\n", inet_toa(config
->default_dns1
));
585 if (!session
[s
].dns2
&& config
->default_dns2
)
587 session
[s
].dns2
= htonl(config
->default_dns2
);
588 log(3, 0, s
, t
, " Sending dns2 = %s\n", inet_toa(config
->default_dns2
));
593 // Valid Session, set it up
595 sessionsetup(t
, s
, routes
);
599 log(0, 0, s
, t
, " End of processrad(), but no valid session exists.\n");
600 sessionkill(s
, "Can't create valid session");
605 log(3, 0, s
, t
, " RADIUS response in state %s\n", radius_states
[radius
[r
].state
]);
609 // finished with RADIUS
613 // Send a retry for RADIUS/CHAP message
614 void radiusretry(u16 r
)
616 sessionidt s
= radius
[r
].session
;
619 STAT(call_radiusretry
);
622 t
= session
[s
].tunnel
;
623 radius
[r
].retry
= backoff(radius
[r
].try + 1);
624 switch (radius
[r
].state
)
626 case RADIUSCHAP
: // sending CHAP down PPP
630 sendipcp(t
, s
); // send IPCP
632 case RADIUSAUTH
: // sending auth to RADIUS server
633 radiussend(r
, RADIUSAUTH
);
635 case RADIUSSTART
: // sending start accounting to RADIUS server
636 radiussend(r
, RADIUSSTART
);
638 case RADIUSSTOP
: // sending stop accounting to RADIUS server
639 radiussend(r
, RADIUSSTOP
);
642 case RADIUSNULL
: // Not in use
643 case RADIUSWAIT
: // waiting timeout before available, in case delayed reply from RADIUS server
644 // free up RADIUS task
646 log(3, 0, s
, session
[s
].tunnel
, "Freeing up radius session %d\n", r
);
655 log(1, 0, 0, 0, "Cleaning radius session array\n");
657 for (i
= 1; i
< MAXRADIUS
; i
++)
659 if (radius
[i
].retry
== 0
660 || !session
[radius
[i
].session
].opened
661 || session
[radius
[i
].session
].die
662 || session
[radius
[i
].session
].tunnel
== 0)