+ int i, r_code, r_id, length, attribute_length;
+ uint8_t *packet, attribute;
+ hasht hash;
+ char username[MAXUSER] = "";
+ in_addr_t nas = 0;
+ in_addr_t ip = 0;
+ uint32_t port = 0;
+ uint32_t error = 0;
+ sessionidt s = 0;
+ tunnelidt t;
+ int fin = -1;
+ int fout = -1;
+ uint8_t *avpair[64];
+ int avpair_len[sizeof(avpair)/sizeof(*avpair)];
+ int avp = 0;
+ int auth_only = 0;
+ uint8_t *p;
+
+ LOG(3, 0, 0, "DAE request from %s\n", fmtaddr(addr->sin_addr.s_addr, 0));
+ LOG_HEX(5, "DAE Request", buf, len);
+
+ if (len < 20 || len < ntohs(*(uint16_t *) (buf + 2)))
+ {
+ LOG(1, 0, 0, "Duff DAE request length %d\n", len);
+ return;
+ }
+
+ r_code = buf[0]; // request type
+ r_id = buf[1]; // radius indentifier.
+
+ if (r_code != DisconnectRequest && r_code != CoARequest)
+ {
+ LOG(1, 0, 0, "Unrecognised DAE request %s\n", radius_code(r_code));
+ return;
+ }
+
+ if (!config->cluster_iam_master)
+ {
+ master_forward_dae_packet(buf, len, addr->sin_addr.s_addr, addr->sin_port);
+ return;
+ }
+
+ len = ntohs(*(uint16_t *) (buf + 2));
+
+ LOG(3, 0, 0, "Received DAE %s, id %d\n", radius_code(r_code), r_id);
+
+ // check authenticator
+ calc_auth(buf, len, zero, hash);
+ if (memcmp(hash, buf + 4, 16) != 0)
+ {
+ LOG(1, 0, 0, "Incorrect vector in DAE request (wrong secret in radius config?)\n");
+ return;
+ }
+
+ // unpack attributes
+ packet = buf + 20;
+ length = len - 20;
+
+ while (length > 0)
+ {
+ attribute = *packet++;
+ attribute_length = *packet++;
+ if (attribute_length < 2)
+ break;
+
+ length -= attribute_length;
+ attribute_length -= 2;
+ switch (attribute)
+ {
+ case 1: /* username */
+ len = attribute_length < MAXUSER ? attribute_length : MAXUSER - 1;
+ memcpy(username, packet, len);
+ username[len] = 0;
+ LOG(4, 0, 0, " Received DAE User-Name: %s\n", username);
+ break;
+
+ case 4: /* nas ip address */
+ nas = *(uint32_t *) packet; // net order
+ if (nas != config->bind_address)
+ error = 403; // NAS identification mismatch
+
+ LOG(4, 0, 0, " Received DAE NAS-IP-Address: %s\n", fmtaddr(nas, 0));
+ break;
+
+ case 5: /* nas port */
+ port = ntohl(*(uint32_t *) packet);
+ if (port < 1 || port > MAXSESSION)
+ error = 404;
+
+ LOG(4, 0, 0, " Received DAE NAS-Port: %u\n", port);
+ break;
+
+ case 6: /* service type */
+ {
+ uint32_t service_type = ntohl(*(uint32_t *) packet);
+ auth_only = service_type == 8; // Authenticate only