X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/5e337e7ed987bfca7a79cf57f60f54301315db9e..018b6df6414a897636fb49f8d5a7ce96f7006fd7:/radius.c diff --git a/radius.c b/radius.c index 9eb00f5..799a472 100644 --- a/radius.c +++ b/radius.c @@ -1,6 +1,6 @@ // L2TPNS Radius Stuff -char const *cvs_id_radius = "$Id: radius.c,v 1.16 2004-11-27 21:10:51 bodea Exp $"; +char const *cvs_id_radius = "$Id: radius.c,v 1.18 2004-11-29 02:17:18 bodea Exp $"; #include #include @@ -42,7 +42,7 @@ static const char *radius_state(int state) void initrad(void) { int i; - LOG(3, 0, 0, 0, "Creating %d sockets for RADIUS queries\n", config->num_radfds); + LOG(3, 0, 0, "Creating %d sockets for RADIUS queries\n", config->num_radfds); radfds = calloc(sizeof(int), config->num_radfds); for (i = 0; i < config->num_radfds; i++) { @@ -77,7 +77,7 @@ static u16 get_free_radius() } } - LOG(0, 0, 0, 0, "Can't find a free radius session! This is very bad!\n"); + LOG(0, 0, 0, "Can't find a free radius session! This is very bad!\n"); return 0; } @@ -88,13 +88,13 @@ u16 radiusnew(sessionidt s) /* re-use */ if (r) { - LOG(3, 0, s, session[s].tunnel, "Re-used radius %d\n", r); + LOG(3, s, session[s].tunnel, "Re-used radius %d\n", r); return r; } if (!(r = get_free_radius())) { - LOG(1, 0, s, session[s].tunnel, "No free RADIUS sessions\n"); + LOG(1, s, session[s].tunnel, "No free RADIUS sessions\n"); STAT(radius_overflow); return 0; }; @@ -105,7 +105,7 @@ u16 radiusnew(sessionidt s) radius[r].state = RADIUSWAIT; radius[r].retry = TIME + 1200; // Wait at least 120 seconds to re-claim this. - LOG(3,0,s, session[s].tunnel, "Allocated radius %d\n", r); + LOG(3, s, session[s].tunnel, "Allocated radius %d\n", r); return r; } @@ -124,12 +124,12 @@ void radiussend(u16 r, u8 state) s = radius[r].session; if (!config->numradiusservers) { - LOG(0, 0, s, session[s].tunnel, "No RADIUS servers\n"); + LOG(0, s, session[s].tunnel, "No RADIUS servers\n"); return; } if (!*config->radiussecret) { - LOG(0, 0, s, session[s].tunnel, "No RADIUS secret\n"); + LOG(0, s, session[s].tunnel, "No RADIUS secret\n"); return; } @@ -144,9 +144,10 @@ void radiussend(u16 r, u8 state) radius[r].try = 0; radius[r].state = state; radius[r].retry = backoff(radius[r].try++); - LOG(4, 0, s, session[s].tunnel, "Send RADIUS id %d sock %d state %s try %d\n", - r >> RADIUS_SHIFT, r & RADIUS_MASK, - radius_state(radius[r].state), radius[r].try); + LOG(4, s, session[s].tunnel, "Send RADIUS id %d sock %d state %s try %d\n", + r >> RADIUS_SHIFT, r & RADIUS_MASK, + radius_state(radius[r].state), radius[r].try); + if (radius[r].try > config->numradiusservers * 2) { if (s) @@ -155,7 +156,7 @@ void radiussend(u16 r, u8 state) sessionshutdown(s, "RADIUS timeout"); else { - LOG(1, 0, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n", + LOG(1, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n", radius_states[state]); radiusclear(r, s); } @@ -180,7 +181,7 @@ void radiussend(u16 r, u8 state) b[0] = 4; // accounting request break; default: - LOG(0, 0, 0, 0, "Unknown radius state %d\n", state); + LOG(0, 0, 0, "Unknown radius state %d\n", state); } b[1] = r >> RADIUS_SHIFT; // identifier memcpy(b + 4, radius[r].auth, 16); @@ -381,22 +382,22 @@ void processrad(u8 *buf, int len, char socket_index) LOG_HEX(5, "RADIUS Response", buf, len); if (len < 20 || len < ntohs(*(u16 *) (buf + 2))) { - LOG(1, 0, 0, 0, "Duff RADIUS response length %d\n", len); + LOG(1, 0, 0, "Duff RADIUS response length %d\n", len); return ; } len = ntohs(*(u16 *) (buf + 2)); r = socket_index | (r_id << RADIUS_SHIFT); s = radius[r].session; - LOG(3, 0, s, session[s].tunnel, "Received %s, radius %d response for session %u (code %d, id %d)\n", + LOG(3, s, session[s].tunnel, "Received %s, radius %d response for session %u (code %d, id %d)\n", radius_states[radius[r].state], r, s, r_code, r_id); if (!s && radius[r].state != RADIUSSTOP) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response\n"); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response\n"); return; } if (radius[r].state != RADIUSAUTH && radius[r].state != RADIUSSTART && radius[r].state != RADIUSSTOP) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response\n"); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response\n"); return; } t = session[s].tunnel; @@ -409,19 +410,19 @@ void processrad(u8 *buf, int len, char socket_index) do { if (memcmp(hash, buf + 4, 16)) { - LOG(0, 0, s, session[s].tunnel, " Incorrect auth on RADIUS response!! (wrong secret in radius config?)\n"); + LOG(0, s, session[s].tunnel, " Incorrect auth on RADIUS response!! (wrong secret in radius config?)\n"); return; // Do nothing. On timeout, it will try the next radius server. } if ((radius[r].state == RADIUSAUTH && *buf != 2 && *buf != 3) || ((radius[r].state == RADIUSSTART || radius[r].state == RADIUSSTOP) && *buf != 5)) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response %d\n", *buf); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response %d\n", *buf); return; // We got something we didn't expect. Let the timeouts take // care off finishing the radius session if that's really correct. } if (radius[r].state == RADIUSAUTH) { - LOG(4, 0, s, session[s].tunnel, " Original response is \"%s\"\n", (*buf == 2) ? "accept" : "reject"); + LOG(4, s, session[s].tunnel, " Original response is \"%s\"\n", (*buf == 2) ? "accept" : "reject"); // process auth response if (radius[r].chap) { @@ -435,7 +436,7 @@ void processrad(u8 *buf, int len, char socket_index) *buf = packet.auth_allowed ? 2 : 3; } - LOG(3, 0, s, session[s].tunnel, " CHAP User %s authentication %s.\n", session[s].user, + LOG(3, s, session[s].tunnel, " CHAP User %s authentication %s.\n", session[s].user, (*buf == 2) ? "allowed" : "denied"); *p = (*buf == 2) ? 3 : 4; // ack/nak p[1] = radius[r].id; @@ -454,7 +455,7 @@ void processrad(u8 *buf, int len, char socket_index) *buf = packet.auth_allowed ? 2 : 3; } - LOG(3, 0, s, session[s].tunnel, " PAP User %s authentication %s.\n", session[s].user, + LOG(3, s, session[s].tunnel, " PAP User %s authentication %s.\n", session[s].user, (*buf == 2) ? "allowed" : "denied"); // ack/nak *p = *buf; @@ -475,21 +476,24 @@ void processrad(u8 *buf, int len, char socket_index) if (*p == 8) { // Framed-IP-Address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains IP address %s\n", inet_toa(*(u32 *) (p + 2))); session[s].ip = ntohl(*(u32 *) (p + 2)); session[s].ip_pool_index = -1; + LOG(3, s, session[s].tunnel, " Radius reply contains IP address %s\n", + fmtaddr(htonl(session[s].ip), 0)); } else if (*p == 135) { // DNS address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n", inet_toa(*(u32 *) (p + 2))); session[s].dns1 = ntohl(*(u32 *) (p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n", + fmtaddr(htonl(session[s].dns1), 0)); } else if (*p == 136) { // DNS address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n", inet_toa(*(u32 *) (p + 2))); session[s].dns2 = ntohl(*(u32 *) (p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n", + fmtaddr(htonl(session[s].dns2), 0)); } else if (*p == 22) { @@ -524,18 +528,16 @@ void processrad(u8 *buf, int len, char socket_index) mask = 0xFFFF0000; else mask = 0xFFFFFF00; + if (routes == MAXROUTE) { - LOG(1, 0, s, session[s].tunnel, " Too many routes\n"); + LOG(1, s, session[s].tunnel, " Too many routes\n"); } else if (ip) { - char *ips, *masks; - ips = strdup(inet_toa(htonl(ip))); - masks = strdup(inet_toa(htonl(mask))); - LOG(3, 0, s, session[s].tunnel, " Radius reply contains route for %s/%s\n", ips, masks); - free(ips); - free(masks); + LOG(3, s, session[s].tunnel, " Radius reply contains route for %s/%s\n", + fmtaddr(htonl(ip), 0), fmtaddr(htonl(mask), 1)); + session[s].route[routes].ip = ip; session[s].route[routes].mask = mask; routes++; @@ -550,7 +552,7 @@ void processrad(u8 *buf, int len, char socket_index) u8 *f = 0; int i; - LOG(3, 0, s, session[s].tunnel, " Radius reply contains Filter-Id \"%.*s\"\n", l, filter); + LOG(3, s, session[s].tunnel, " Radius reply contains Filter-Id \"%.*s\"\n", l, filter); if ((suffix = memchr(filter, '.', l))) { int b = suffix - filter; @@ -564,7 +566,7 @@ void processrad(u8 *buf, int len, char socket_index) if (!f) { - LOG(3, 0, s, session[s].tunnel, " Invalid filter\n"); + LOG(3, s, session[s].tunnel, " Invalid filter\n"); continue; } @@ -573,8 +575,10 @@ void processrad(u8 *buf, int len, char socket_index) !strncmp(ip_filters[i].name, filter, l)) *f = i + 1; - if (!*f) - LOG(3, 0, s, session[s].tunnel, " Unknown filter\n"); + if (*f) + ip_filters[*f - 1].used++; + else + LOG(3, s, session[s].tunnel, " Unknown filter\n"); } else if (*p == 26) @@ -583,16 +587,16 @@ void processrad(u8 *buf, int len, char socket_index) int vendor = ntohl(*(int *)(p + 2)); char attrib = *(p + 6); char attrib_length = *(p + 7) - 2; - LOG(3, 0, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length); + LOG(3, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length); if (attrib_length == 0) continue; if (attrib != 1) - LOG(3, 0, s, session[s].tunnel, " Unknown vendor-specific\n"); + LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n"); else { char *avpair, *value, *key, *newp; avpair = key = calloc(attrib_length + 1, 1); memcpy(avpair, p + 8, attrib_length); - LOG(3, 0, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair); + LOG(3, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair); do { value = strchr(key, '='); if (!value) break; @@ -624,7 +628,7 @@ void processrad(u8 *buf, int len, char socket_index) } else if (*buf == 3) { - LOG(2, 0, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user); + LOG(2, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user); //FIXME: We should tear down the session here! break; } @@ -632,12 +636,12 @@ void processrad(u8 *buf, int len, char socket_index) if (!session[s].dns1 && config->default_dns1) { session[s].dns1 = htonl(config->default_dns1); - LOG(3, 0, s, t, " Sending dns1 = %s\n", inet_toa(config->default_dns1)); + LOG(3, s, t, " Sending dns1 = %s\n", fmtaddr(config->default_dns1, 0)); } if (!session[s].dns2 && config->default_dns2) { session[s].dns2 = htonl(config->default_dns2); - LOG(3, 0, s, t, " Sending dns2 = %s\n", inet_toa(config->default_dns2)); + LOG(3, s, t, " Sending dns2 = %s\n", fmtaddr(config->default_dns2, 0)); } // Valid Session, set it up @@ -647,7 +651,7 @@ void processrad(u8 *buf, int len, char socket_index) else { // An ack for a stop or start record. - LOG(3, 0, s, t, " RADIUS accounting ack recv in state %s\n", radius_states[radius[r].state]); + LOG(3, s, t, " RADIUS accounting ack recv in state %s\n", radius_states[radius[r].state]); break; } } while (0); @@ -689,7 +693,7 @@ void radiusretry(u16 r) case RADIUSWAIT: // waiting timeout before available, in case delayed reply from RADIUS server // free up RADIUS task radiusclear(r, s); - LOG(3, 0, s, session[s].tunnel, "Freeing up radius session %d\n", r); + LOG(3, s, session[s].tunnel, "Freeing up radius session %d\n", r); break; } }