3 char const *cvs_id_radius
= "$Id: radius.c,v 1.50 2006/04/27 09:53:50 bodea Exp $";
8 #include <sys/socket.h>
12 #include <arpa/inet.h>
14 #include <netinet/in.h>
17 #include "constants.h"
23 extern radiust
*radius
;
24 extern sessiont
*session
;
25 extern tunnelt
*tunnel
;
26 extern configt
*config
;
28 extern ip_filtert
*ip_filters
;
30 static const hasht zero
;
32 static void calc_auth(const void *buf
, size_t len
, const uint8_t *in
, uint8_t *out
)
37 MD5_Update(&ctx
, (void *)buf
, 4); // code, id, length
38 MD5_Update(&ctx
, (void *)in
, 16); // auth
39 MD5_Update(&ctx
, (void *)(buf
+ 20), len
- 20);
40 MD5_Update(&ctx
, config
->radiussecret
, strlen(config
->radiussecret
));
44 // Set up socket for radius requests
48 LOG(3, 0, 0, "Creating %d sockets for RADIUS queries\n", RADIUS_FDS
);
49 radfds
= calloc(sizeof(int), RADIUS_FDS
);
50 for (i
= 0; i
< RADIUS_FDS
; i
++)
53 radfds
[i
] = socket(AF_INET
, SOCK_DGRAM
, IPPROTO_UDP
);
54 flags
= fcntl(radfds
[i
], F_GETFL
, 0);
55 fcntl(radfds
[i
], F_SETFL
, flags
| O_NONBLOCK
);
59 void radiusclear(uint16_t r
, sessionidt s
)
61 if (s
) sess_local
[s
].radius
= 0;
62 memset(&radius
[r
], 0, sizeof(radius
[r
])); // radius[r].state = RADIUSNULL;
65 static uint16_t get_free_radius()
68 static uint32_t next_radius_id
= 0;
70 for (count
= MAXRADIUS
; count
> 0; --count
)
72 ++next_radius_id
; // Find the next ID to check.
73 if (next_radius_id
>= MAXRADIUS
)
76 if (radius
[next_radius_id
].state
== RADIUSNULL
)
78 return next_radius_id
;
82 LOG(0, 0, 0, "Can't find a free radius session! This is very bad!\n");
86 uint16_t radiusnew(sessionidt s
)
88 uint16_t r
= sess_local
[s
].radius
;
93 LOG(3, s
, session
[s
].tunnel
, "Re-used radius %d\n", r
);
97 if (!(r
= get_free_radius()))
99 LOG(1, s
, session
[s
].tunnel
, "No free RADIUS sessions\n");
100 STAT(radius_overflow
);
104 memset(&radius
[r
], 0, sizeof(radius
[r
]));
105 sess_local
[s
].radius
= r
;
106 radius
[r
].session
= s
;
107 radius
[r
].state
= RADIUSWAIT
;
108 radius
[r
].retry
= TIME
+ 1200; // Wait at least 120 seconds to re-claim this.
110 random_data(radius
[r
].auth
, sizeof(radius
[r
].auth
));
112 LOG(3, s
, session
[s
].tunnel
, "Allocated radius %d\n", r
);
116 // Send a RADIUS request
117 void radiussend(uint16_t r
, uint8_t state
)
119 struct sockaddr_in addr
;
120 uint8_t b
[4096]; // RADIUS packet
128 s
= radius
[r
].session
;
129 if (!config
->numradiusservers
)
131 LOG(0, s
, session
[s
].tunnel
, "No RADIUS servers\n");
134 if (!*config
->radiussecret
)
136 LOG(0, s
, session
[s
].tunnel
, "No RADIUS secret\n");
140 if (state
!= RADIUSAUTH
&& !config
->radius_accounting
)
142 // Radius accounting is turned off
147 if (radius
[r
].state
!= state
)
150 radius
[r
].state
= state
;
151 radius
[r
].retry
= backoff(radius
[r
].try++) + 20; // 3s, 4s, 6s, 10s...
152 LOG(4, s
, session
[s
].tunnel
, "Send RADIUS id %d sock %d state %s try %d\n",
153 r
>> RADIUS_SHIFT
, r
& RADIUS_MASK
,
154 radius_state(radius
[r
].state
), radius
[r
].try);
156 if (radius
[r
].try > config
->numradiusservers
* 2)
160 if (state
== RADIUSAUTH
)
161 sessionshutdown(s
, "RADIUS timeout.", CDN_ADMIN_DISC
, TERM_REAUTHENTICATION_FAILURE
);
164 LOG(1, s
, session
[s
].tunnel
, "RADIUS timeout, but in state %s so don't timeout session\n",
165 radius_state(state
));
168 STAT(radius_timeout
);
172 STAT(radius_retries
);
173 radius
[r
].state
= RADIUSWAIT
;
174 radius
[r
].retry
= 100;
178 // contruct RADIUS access request
182 b
[0] = AccessRequest
; // access request
187 b
[0] = AccountingRequest
; // accounting request
190 LOG(0, 0, 0, "Unknown radius state %d\n", state
);
192 b
[1] = r
>> RADIUS_SHIFT
; // identifier
193 memcpy(b
+ 4, radius
[r
].auth
, 16);
198 p
[1] = strlen(session
[s
].user
) + 2;
199 strcpy((char *) p
+ 2, session
[s
].user
);
202 if (state
== RADIUSAUTH
)
206 *p
= 3; // CHAP password
208 p
[2] = radius
[r
].id
; // ID
209 memcpy(p
+ 3, radius
[r
].pass
, 16); // response from CHAP request
211 *p
= 60; // CHAP Challenge
213 memcpy(p
+ 2, radius
[r
].auth
, 16);
218 strcpy(pass
, radius
[r
].pass
);
221 pass
[pl
++] = 0; // pad
230 MD5_Update(&ctx
, config
->radiussecret
, strlen(config
->radiussecret
));
232 MD5_Update(&ctx
, pass
+ p
- 16, 16);
234 MD5_Update(&ctx
, radius
[r
].auth
, 16);
235 MD5_Final(hash
, &ctx
);
238 pass
[p
] ^= hash
[p
& 15];
247 memcpy(p
+ 2, pass
, pl
);
253 *p
= 40; // accounting type
255 *(uint32_t *) (p
+ 2) = htonl(state
- RADIUSSTART
+ 1); // start=1, stop=2, interim=3
259 *p
= 44; // session ID
261 sprintf((char *) p
+ 2, "%08X%08X", session
[s
].unique_id
, session
[s
].opened
);
263 if (state
== RADIUSSTART
)
267 *(uint32_t *) (p
+ 2) = htonl(time(NULL
) - session
[s
].opened
);
269 sess_local
[s
].last_interim
= time_now
; // Setup "first" Interim
273 *p
= 42; // input octets
275 *(uint32_t *) (p
+ 2) = htonl(session
[s
].cin
);
278 *p
= 43; // output octets
280 *(uint32_t *) (p
+ 2) = htonl(session
[s
].cout
);
283 *p
= 46; // session time
285 *(uint32_t *) (p
+ 2) = htonl(time(NULL
) - session
[s
].opened
);
288 *p
= 47; // input packets
290 *(uint32_t *) (p
+ 2) = htonl(session
[s
].pin
);
293 *p
= 48; // output packets
295 *(uint32_t *) (p
+ 2) = htonl(session
[s
].pout
);
298 *p
= 52; // input gigawords
300 *(uint32_t *) (p
+ 2) = htonl(session
[s
].cin_wrap
);
303 *p
= 53; // output gigawords
305 *(uint32_t *) (p
+ 2) = htonl(session
[s
].cout_wrap
);
308 if (state
== RADIUSSTOP
&& radius
[r
].term_cause
)
310 *p
= 49; // acct-terminate-cause
312 *(uint32_t *) (p
+ 2) = htonl(radius
[r
].term_cause
);
315 if (radius
[r
].term_msg
)
317 *p
= 26; // vendor-specific
318 *(uint32_t *) (p
+ 2) = htonl(9); // Cisco
319 p
[6] = 1; // Cisco-AVPair
320 p
[7] = 2 + sprintf((char *) p
+ 8, "disc-cause-ext=%s", radius
[r
].term_msg
);
328 struct param_radius_account acct
= { &tunnel
[session
[s
].tunnel
], &session
[s
], &p
};
329 run_plugins(PLUGIN_RADIUS_ACCOUNT
, &acct
);
337 *(uint32_t *) (p
+ 2) = htonl(s
);
340 *p
= 6; // Service-Type
342 *(uint32_t *) (p
+ 2) = htonl(2); // Framed-User
345 *p
= 7; // Framed-Protocol
347 *(uint32_t *) (p
+ 2) = htonl(1); // PPP
350 if (s
&& session
[s
].ip
)
352 *p
= 8; // Framed-IP-Address
354 *(uint32_t *) (p
+ 2) = htonl(session
[s
].ip
);
357 if (s
&& session
[s
].route
[0].ip
)
360 for (r
= 0; s
&& r
< MAXROUTE
&& session
[s
].route
[r
].ip
; r
++)
363 if (session
[s
].route
[r
].mask
)
365 int mask
= session
[s
].route
[r
].mask
;
373 *p
= 22; // Framed-Route
374 p
[1] = sprintf((char *) p
+ 2, "%s/%d %s 1",
375 fmtaddr(htonl(session
[s
].route
[r
].ip
), 0),
376 width
, fmtaddr(htonl(session
[s
].ip
), 1)) + 2;
381 if (*session
[s
].called
)
384 p
[1] = strlen(session
[s
].called
) + 2;
385 strcpy((char *) p
+ 2, session
[s
].called
);
388 if (*session
[s
].calling
)
391 p
[1] = strlen(session
[s
].calling
) + 2;
392 strcpy((char *) p
+ 2, session
[s
].calling
);
398 *(uint32_t *)(p
+ 2) = config
->bind_address
;
402 *(uint16_t *) (b
+ 2) = htons(p
- b
);
403 if (state
!= RADIUSAUTH
)
405 // Build auth for accounting packet
406 calc_auth(b
, p
- b
, zero
, b
+ 4);
407 memcpy(radius
[r
].auth
, b
+ 4, 16);
409 memset(&addr
, 0, sizeof(addr
));
410 addr
.sin_family
= AF_INET
;
411 *(uint32_t *) & addr
.sin_addr
= config
->radiusserver
[(radius
[r
].try - 1) % config
->numradiusservers
];
414 uint16_t port
= config
->radiusport
[(radius
[r
].try - 1) % config
->numradiusservers
];
415 // assume RADIUS accounting port is the authentication port +1
416 addr
.sin_port
= htons((state
== RADIUSAUTH
) ? port
: port
+1);
419 LOG_HEX(5, "RADIUS Send", b
, (p
- b
));
420 sendto(radfds
[r
& RADIUS_MASK
], b
, p
- b
, 0, (void *) &addr
, sizeof(addr
));
423 static void handle_avpair(sessionidt s
, uint8_t *avp
, int len
)
426 uint8_t *value
= memchr(avp
, '=', len
);
427 uint8_t tmp
[2048] = "";
441 if (len
> 2 && (*value
== '"' || *value
== '\'') && value
[len
- 1] == *value
)
447 // copy and null terminate
448 else if (len
< sizeof(tmp
) - 1)
450 memcpy(tmp
, value
, len
);
459 struct param_radius_response p
= { &tunnel
[session
[s
].tunnel
], &session
[s
], (char *) key
, (char *) value
};
460 run_plugins(PLUGIN_RADIUS_RESPONSE
, &p
);
464 // process RADIUS response
465 void processrad(uint8_t *buf
, int len
, char socket_index
)
478 LOG_HEX(5, "RADIUS Response", buf
, len
);
479 if (len
< 20 || len
< ntohs(*(uint16_t *) (buf
+ 2)))
481 LOG(1, 0, 0, "Duff RADIUS response length %d\n", len
);
485 r_code
= buf
[0]; // response type
486 r_id
= buf
[1]; // radius reply indentifier.
488 len
= ntohs(*(uint16_t *) (buf
+ 2));
489 r
= socket_index
| (r_id
<< RADIUS_SHIFT
);
490 s
= radius
[r
].session
;
491 LOG(3, s
, session
[s
].tunnel
, "Received %s, radius %d response for session %u (%s, id %d)\n",
492 radius_state(radius
[r
].state
), r
, s
, radius_code(r_code
), r_id
);
494 if (!s
&& radius
[r
].state
!= RADIUSSTOP
)
496 LOG(1, s
, session
[s
].tunnel
, " Unexpected RADIUS response\n");
499 if (radius
[r
].state
!= RADIUSAUTH
&& radius
[r
].state
!= RADIUSSTART
500 && radius
[r
].state
!= RADIUSSTOP
&& radius
[r
].state
!= RADIUSINTERIM
)
502 LOG(1, s
, session
[s
].tunnel
, " Unexpected RADIUS response\n");
505 t
= session
[s
].tunnel
;
506 calc_auth(buf
, len
, radius
[r
].auth
, hash
);
508 if (memcmp(hash
, buf
+ 4, 16))
510 LOG(0, s
, session
[s
].tunnel
, " Incorrect auth on RADIUS response!! (wrong secret in radius config?)\n");
511 return; // Do nothing. On timeout, it will try the next radius server.
514 if ((radius
[r
].state
== RADIUSAUTH
&& r_code
!= AccessAccept
&& r_code
!= AccessReject
) ||
515 ((radius
[r
].state
== RADIUSSTART
|| radius
[r
].state
== RADIUSSTOP
|| radius
[r
].state
== RADIUSINTERIM
) && r_code
!= AccountingResponse
))
517 LOG(1, s
, session
[s
].tunnel
, " Unexpected RADIUS response %s\n", radius_code(r_code
));
518 return; // We got something we didn't expect. Let the timeouts take
519 // care off finishing the radius session if that's really correct.
522 if (radius
[r
].state
== RADIUSAUTH
)
524 // run post-auth plugin
525 struct param_post_auth packet
= {
529 (r_code
== AccessAccept
),
530 radius
[r
].chap
? PPPCHAP
: PPPPAP
533 run_plugins(PLUGIN_POST_AUTH
, &packet
);
534 r_code
= packet
.auth_allowed
? AccessAccept
: AccessReject
;
536 // process auth response
540 uint8_t *p
= makeppp(b
, sizeof(b
), 0, 0, s
, t
, PPPCHAP
, 0, 0, 0);
541 if (!p
) return; // Abort!
543 *p
= (r_code
== AccessAccept
) ? 3 : 4; // ack/nak
545 *(uint16_t *) (p
+ 2) = ntohs(4); // no message
546 tunnelsend(b
, (p
- b
) + 4, t
); // send it
548 LOG(3, s
, session
[s
].tunnel
, " CHAP User %s authentication %s.\n", session
[s
].user
,
549 (r_code
== AccessAccept
) ? "allowed" : "denied");
554 uint8_t *p
= makeppp(b
, sizeof(b
), 0, 0, s
, t
, PPPPAP
, 0, 0, 0);
555 if (!p
) return; // Abort!
560 *(uint16_t *) (p
+ 2) = ntohs(5);
561 p
[4] = 0; // no message
562 tunnelsend(b
, (p
- b
) + 5, t
); // send it
564 LOG(3, s
, session
[s
].tunnel
, " PAP User %s authentication %s.\n", session
[s
].user
,
565 (r_code
== AccessAccept
) ? "allowed" : "denied");
568 if (r_code
== AccessAccept
)
571 // Extract IP, routes, etc
572 uint8_t *p
= buf
+ 20;
573 uint8_t *e
= buf
+ len
;
574 for (; p
+ 2 <= e
&& p
[1] && p
+ p
[1] <= e
; p
+= p
[1])
579 if (p
[1] < 6) continue;
580 session
[s
].ip
= ntohl(*(uint32_t *) (p
+ 2));
581 session
[s
].ip_pool_index
= -1;
582 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains IP address %s\n",
583 fmtaddr(htonl(session
[s
].ip
), 0));
585 if (session
[s
].ip
== 0xFFFFFFFE)
586 session
[s
].ip
= 0; // assign from pool
591 if (p
[1] < 6) continue;
592 session
[s
].dns1
= ntohl(*(uint32_t *) (p
+ 2));
593 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains primary DNS address %s\n",
594 fmtaddr(htonl(session
[s
].dns1
), 0));
600 LOG(2, s
, session
[s
].tunnel
, "Error: Received Session timeout with length %d < 6\n", p
[1]);
604 session
[s
].timeout
= ntohl(*(uint32_t *) (p
+ 2));
605 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains Session timeout %d\n", session
[s
].timeout
);
606 if (!session
[s
].timeout
)
607 sessionshutdown(s
, "Session timeout is zero", CDN_ADMIN_DISC
, TERM_SESSION_TIMEOUT
);
612 if (p
[1] < 6) continue;
613 session
[s
].dns2
= ntohl(*(uint32_t *) (p
+ 2));
614 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains secondary DNS address %s\n",
615 fmtaddr(htonl(session
[s
].dns2
), 0));
620 in_addr_t ip
= 0, mask
= 0;
624 uint8_t *e
= p
+ p
[1];
625 while (n
< e
&& (isdigit(*n
) || *n
== '.'))
633 u
= u
* 10 + *n
- '0';
640 while (n
< e
&& isdigit(*n
))
641 bits
= bits
* 10 + *n
++ - '0';
642 mask
= (( -1) << (32 - bits
));
644 else if ((ip
>> 24) < 128)
646 else if ((ip
>> 24) < 192)
651 if (routes
== MAXROUTE
)
653 LOG(1, s
, session
[s
].tunnel
, " Too many routes\n");
657 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains route for %s/%s\n",
658 fmtaddr(htonl(ip
), 0), fmtaddr(htonl(mask
), 1));
660 session
[s
].route
[routes
].ip
= ip
;
661 session
[s
].route
[routes
].mask
= mask
;
668 char *filter
= (char *) p
+ 2;
674 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains Filter-Id \"%.*s\"\n", l
, filter
);
675 if ((suffix
= memchr(filter
, '.', l
)))
677 int b
= suffix
- filter
;
678 if (l
- b
== 3 && !memcmp("in", suffix
+1, 2))
679 fp
= &session
[s
].filter_in
;
680 else if (l
- b
== 4 && !memcmp("out", suffix
+1, 3))
681 fp
= &session
[s
].filter_out
;
688 LOG(3, s
, session
[s
].tunnel
, " Invalid filter\n");
692 if ((f
= find_filter(filter
, l
)) < 0 || !*ip_filters
[f
].name
)
694 LOG(3, s
, session
[s
].tunnel
, " Unknown filter\n");
699 ip_filters
[f
].used
++;
702 else if (*p
== 26 && p
[1] >= 7)
704 // Vendor-Specific Attribute
705 int vendor
= ntohl(*(int *)(p
+ 2));
706 char attrib
= *(p
+ 6);
707 int attrib_length
= *(p
+ 7) - 2;
709 LOG(3, s
, session
[s
].tunnel
, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor
, attrib
, attrib_length
);
710 if (vendor
!= 9 || attrib
!= 1)
712 LOG(3, s
, session
[s
].tunnel
, " Unknown vendor-specific\n");
716 if (attrib_length
> 0)
718 LOG(3, s
, session
[s
].tunnel
, " Cisco-AVPair value: %.*s\n",
719 attrib_length
, p
+ 8);
721 handle_avpair(s
, p
+ 8, attrib_length
);
730 uint8_t *e
= p
+ p
[1];
731 uint8_t *m
= memchr(n
, '/', e
- p
);
734 inet_pton(AF_INET6
, (char *) n
, &r6
);
737 while (m
< e
&& isdigit(*m
)) {
738 prefixlen
= prefixlen
* 10 + *m
++ - '0';
743 LOG(3, s
, session
[s
].tunnel
,
744 " Radius reply contains route for %s/%d\n",
746 session
[s
].ipv6route
= r6
;
747 session
[s
].ipv6prefixlen
= prefixlen
;
752 else if (r_code
== AccessReject
)
754 LOG(2, s
, session
[s
].tunnel
, " Authentication rejected for %s\n", session
[s
].user
);
755 sessionkill(s
, "Authentication rejected");
759 if (!session
[s
].dns1
&& config
->default_dns1
)
761 session
[s
].dns1
= ntohl(config
->default_dns1
);
762 LOG(3, s
, t
, " Sending dns1 = %s\n", fmtaddr(config
->default_dns1
, 0));
764 if (!session
[s
].dns2
&& config
->default_dns2
)
766 session
[s
].dns2
= ntohl(config
->default_dns2
);
767 LOG(3, s
, t
, " Sending dns2 = %s\n", fmtaddr(config
->default_dns2
, 0));
770 // Valid Session, set it up
771 session
[s
].unique_id
= 0;
776 // An ack for a stop or start record.
777 LOG(3, s
, t
, " RADIUS accounting ack recv in state %s\n", radius_state(radius
[r
].state
));
782 // finished with RADIUS
786 // Send a retry for RADIUS/CHAP message
787 void radiusretry(uint16_t r
)
789 sessionidt s
= radius
[r
].session
;
794 if (s
) t
= session
[s
].tunnel
;
796 switch (radius
[r
].state
)
798 case RADIUSCHAP
: // sending CHAP down PPP
801 case RADIUSAUTH
: // sending auth to RADIUS server
802 case RADIUSSTART
: // sending start accounting to RADIUS server
803 case RADIUSSTOP
: // sending stop accounting to RADIUS server
804 case RADIUSINTERIM
: // sending interim accounting to RADIUS server
805 radiussend(r
, radius
[r
].state
);
808 case RADIUSNULL
: // Not in use
809 case RADIUSWAIT
: // waiting timeout before available, in case delayed reply from RADIUS server
810 // free up RADIUS task
812 LOG(3, s
, session
[s
].tunnel
, "Freeing up radius session %d\n", r
);
819 void processdae(uint8_t *buf
, int len
, struct sockaddr_in
*addr
, int alen
, struct in_addr
*local
)
821 int i
, r_code
, r_id
, length
, attribute_length
;
822 uint8_t *packet
, attribute
;
824 char username
[MAXUSER
] = "";
834 int avpair_len
[sizeof(avpair
)/sizeof(*avpair
)];
839 LOG(3, 0, 0, "DAE request from %s\n", fmtaddr(addr
->sin_addr
.s_addr
, 0));
840 LOG_HEX(5, "DAE Request", buf
, len
);
842 if (len
< 20 || len
< ntohs(*(uint16_t *) (buf
+ 2)))
844 LOG(1, 0, 0, "Duff DAE request length %d\n", len
);
848 r_code
= buf
[0]; // request type
849 r_id
= buf
[1]; // radius indentifier.
851 if (r_code
!= DisconnectRequest
&& r_code
!= CoARequest
)
853 LOG(1, 0, 0, "Unrecognised DAE request %s\n", radius_code(r_code
));
857 if (!config
->cluster_iam_master
)
859 master_forward_dae_packet(buf
, len
, addr
->sin_addr
.s_addr
, addr
->sin_port
);
863 len
= ntohs(*(uint16_t *) (buf
+ 2));
865 LOG(3, 0, 0, "Received DAE %s, id %d\n", radius_code(r_code
), r_id
);
867 // check authenticator
868 calc_auth(buf
, len
, zero
, hash
);
869 if (memcmp(hash
, buf
+ 4, 16) != 0)
871 LOG(1, 0, 0, "Incorrect vector in DAE request (wrong secret in radius config?)\n");
881 attribute
= *packet
++;
882 attribute_length
= *packet
++;
883 if (attribute_length
< 2)
886 length
-= attribute_length
;
887 attribute_length
-= 2;
890 case 1: /* username */
891 len
= attribute_length
< MAXUSER
? attribute_length
: MAXUSER
- 1;
892 memcpy(username
, packet
, len
);
894 LOG(4, 0, 0, " Received DAE User-Name: %s\n", username
);
897 case 4: /* nas ip address */
898 nas
= *(uint32_t *) packet
; // net order
899 if (nas
!= config
->bind_address
)
900 error
= 403; // NAS identification mismatch
902 LOG(4, 0, 0, " Received DAE NAS-IP-Address: %s\n", fmtaddr(nas
, 0));
905 case 5: /* nas port */
906 port
= ntohl(*(uint32_t *) packet
);
907 if (port
< 1 || port
> MAXSESSION
)
910 LOG(4, 0, 0, " Received DAE NAS-Port: %u\n", port
);
913 case 6: /* service type */
915 uint32_t service_type
= ntohl(*(uint32_t *) packet
);
916 auth_only
= service_type
== 8; // Authenticate only
918 LOG(4, 0, 0, " Received DAE Service-Type: %u\n", service_type
);
922 case 8: /* ip address */
923 ip
= *(uint32_t *) packet
; // net order
924 LOG(4, 0, 0, " Received DAE Framed-IP-Address: %s\n", fmtaddr(ip
, 0));
927 case 11: /* filter id */
928 LOG(4, 0, 0, " Received DAE Filter-Id: %.*s\n", attribute_length
, packet
);
929 if (!(p
= memchr(packet
, '.', attribute_length
)))
931 error
= 404; // invalid request
936 i
= find_filter((char *) packet
, len
);
937 if (i
< 0 || !*ip_filters
[i
].name
)
943 if (!memcmp(p
, ".in", attribute_length
- len
))
945 else if (!memcmp(p
, ".out", attribute_length
- len
))
952 case 26: /* vendor specific */
953 if (attribute_length
>= 6
954 && ntohl(*(uint32_t *) packet
) == 9 // Cisco
955 && *(packet
+ 4) == 1 // Cisco-AVPair
956 && *(packet
+ 5) >= 2) // length
958 int len
= *(packet
+ 5) - 2;
959 uint8_t *a
= packet
+ 6;
961 LOG(4, 0, 0, " Received DAE Cisco-AVPair: %.*s\n", len
, a
);
962 if (avp
< sizeof(avpair
)/sizeof(*avpair
) - 1)
965 avpair_len
[avp
++] = len
;
971 packet
+= attribute_length
;
974 if (!error
&& auth_only
)
976 if (fin
!= -1 || fout
!= -1 || avp
)
977 error
= 401; // unsupported attribute
979 error
= 405; // unsupported service
982 if (!error
&& !(port
|| ip
|| *username
))
983 error
= 402; // missing attribute
985 // exact match for SID if given
989 if (!session
[s
].opened
)
990 error
= 503; // not found
995 // find/check session by IP
997 if (!i
|| (s
&& s
!= i
)) // not found or mismatching port
1003 if (!error
&& *username
)
1007 if (strcmp(session
[s
].user
, username
))
1010 else if (!(s
= sessionbyuser(username
)))
1014 t
= session
[s
].tunnel
;
1018 case DisconnectRequest
: // Packet of Disconnect/Death
1021 r_code
= DisconnectNAK
;
1025 LOG(3, s
, t
, " DAE Disconnect %d (%s)\n", s
, session
[s
].user
);
1026 r_code
= DisconnectACK
;
1028 sessionshutdown(s
, "Requested by PoD", CDN_ADMIN_DISC
, TERM_ADMIN_RESET
); // disconnect session
1031 case CoARequest
: // Change of Authorization
1038 LOG(3, s
, t
, " DAE Change %d (%s)\n", s
, session
[s
].user
);
1043 struct param_radius_reset p
= { &tunnel
[session
[s
].tunnel
], &session
[s
] };
1044 run_plugins(PLUGIN_RADIUS_RESET
, &p
);
1051 LOG(3, s
, t
, " Filter in %d (%s)\n", fin
, ip_filters
[fin
- 1].name
);
1056 LOG(3, s
, t
, " Filter out %d (%s)\n", fout
, ip_filters
[fout
- 1].name
);
1058 filter_session(s
, fin
, fout
);
1060 // process cisco av-pair(s)
1061 for (i
= 0; i
< avp
; i
++)
1063 LOG(3, s
, t
, " Cisco-AVPair: %.*s\n", avpair_len
[i
], avpair
[i
]);
1064 handle_avpair(s
, avpair
[i
], avpair_len
[i
]);
1067 cluster_send_session(s
);
1085 *(uint32_t *) packet
= htonl(error
);
1089 *((uint16_t *)(buf
+ 2)) = htons(len
);
1092 calc_auth(buf
, len
, hash
, buf
+ 4);
1094 LOG(3, 0, 0, "Sending DAE %s, id=%d\n", radius_code(r_code
), r_id
);
1096 // send DAE response
1097 if (sendtofrom(daefd
, buf
, len
, MSG_DONTWAIT
| MSG_NOSIGNAL
, (struct sockaddr
*) addr
, alen
, local
) < 0)
1098 LOG(0, 0, 0, "Error sending DAE response packet: %s\n", strerror(errno
));