X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/5e337e7ed987bfca7a79cf57f60f54301315db9e..c5d43c557791663bbea56c284e5f5f994c944898:/radius.c diff --git a/radius.c b/radius.c index 9eb00f5..d85d47f 100644 --- a/radius.c +++ b/radius.c @@ -1,6 +1,6 @@ // L2TPNS Radius Stuff -char const *cvs_id_radius = "$Id: radius.c,v 1.16 2004-11-27 21:10:51 bodea Exp $"; +char const *cvs_id_radius = "$Id: radius.c,v 1.19 2004-11-30 06:50:26 bodea Exp $"; #include #include @@ -42,7 +42,7 @@ static const char *radius_state(int state) void initrad(void) { int i; - LOG(3, 0, 0, 0, "Creating %d sockets for RADIUS queries\n", config->num_radfds); + LOG(3, 0, 0, "Creating %d sockets for RADIUS queries\n", config->num_radfds); radfds = calloc(sizeof(int), config->num_radfds); for (i = 0; i < config->num_radfds; i++) { @@ -77,7 +77,7 @@ static u16 get_free_radius() } } - LOG(0, 0, 0, 0, "Can't find a free radius session! This is very bad!\n"); + LOG(0, 0, 0, "Can't find a free radius session! This is very bad!\n"); return 0; } @@ -88,13 +88,13 @@ u16 radiusnew(sessionidt s) /* re-use */ if (r) { - LOG(3, 0, s, session[s].tunnel, "Re-used radius %d\n", r); + LOG(3, s, session[s].tunnel, "Re-used radius %d\n", r); return r; } if (!(r = get_free_radius())) { - LOG(1, 0, s, session[s].tunnel, "No free RADIUS sessions\n"); + LOG(1, s, session[s].tunnel, "No free RADIUS sessions\n"); STAT(radius_overflow); return 0; }; @@ -105,7 +105,7 @@ u16 radiusnew(sessionidt s) radius[r].state = RADIUSWAIT; radius[r].retry = TIME + 1200; // Wait at least 120 seconds to re-claim this. - LOG(3,0,s, session[s].tunnel, "Allocated radius %d\n", r); + LOG(3, s, session[s].tunnel, "Allocated radius %d\n", r); return r; } @@ -124,12 +124,12 @@ void radiussend(u16 r, u8 state) s = radius[r].session; if (!config->numradiusservers) { - LOG(0, 0, s, session[s].tunnel, "No RADIUS servers\n"); + LOG(0, s, session[s].tunnel, "No RADIUS servers\n"); return; } if (!*config->radiussecret) { - LOG(0, 0, s, session[s].tunnel, "No RADIUS secret\n"); + LOG(0, s, session[s].tunnel, "No RADIUS secret\n"); return; } @@ -144,9 +144,10 @@ void radiussend(u16 r, u8 state) radius[r].try = 0; radius[r].state = state; radius[r].retry = backoff(radius[r].try++); - LOG(4, 0, s, session[s].tunnel, "Send RADIUS id %d sock %d state %s try %d\n", - r >> RADIUS_SHIFT, r & RADIUS_MASK, - radius_state(radius[r].state), radius[r].try); + LOG(4, s, session[s].tunnel, "Send RADIUS id %d sock %d state %s try %d\n", + r >> RADIUS_SHIFT, r & RADIUS_MASK, + radius_state(radius[r].state), radius[r].try); + if (radius[r].try > config->numradiusservers * 2) { if (s) @@ -155,7 +156,7 @@ void radiussend(u16 r, u8 state) sessionshutdown(s, "RADIUS timeout"); else { - LOG(1, 0, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n", + LOG(1, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n", radius_states[state]); radiusclear(r, s); } @@ -180,7 +181,7 @@ void radiussend(u16 r, u8 state) b[0] = 4; // accounting request break; default: - LOG(0, 0, 0, 0, "Unknown radius state %d\n", state); + LOG(0, 0, 0, "Unknown radius state %d\n", state); } b[1] = r >> RADIUS_SHIFT; // identifier memcpy(b + 4, radius[r].auth, 16); @@ -381,22 +382,22 @@ void processrad(u8 *buf, int len, char socket_index) LOG_HEX(5, "RADIUS Response", buf, len); if (len < 20 || len < ntohs(*(u16 *) (buf + 2))) { - LOG(1, 0, 0, 0, "Duff RADIUS response length %d\n", len); + LOG(1, 0, 0, "Duff RADIUS response length %d\n", len); return ; } len = ntohs(*(u16 *) (buf + 2)); r = socket_index | (r_id << RADIUS_SHIFT); s = radius[r].session; - LOG(3, 0, s, session[s].tunnel, "Received %s, radius %d response for session %u (code %d, id %d)\n", + LOG(3, s, session[s].tunnel, "Received %s, radius %d response for session %u (code %d, id %d)\n", radius_states[radius[r].state], r, s, r_code, r_id); if (!s && radius[r].state != RADIUSSTOP) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response\n"); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response\n"); return; } if (radius[r].state != RADIUSAUTH && radius[r].state != RADIUSSTART && radius[r].state != RADIUSSTOP) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response\n"); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response\n"); return; } t = session[s].tunnel; @@ -409,19 +410,19 @@ void processrad(u8 *buf, int len, char socket_index) do { if (memcmp(hash, buf + 4, 16)) { - LOG(0, 0, s, session[s].tunnel, " Incorrect auth on RADIUS response!! (wrong secret in radius config?)\n"); + LOG(0, s, session[s].tunnel, " Incorrect auth on RADIUS response!! (wrong secret in radius config?)\n"); return; // Do nothing. On timeout, it will try the next radius server. } if ((radius[r].state == RADIUSAUTH && *buf != 2 && *buf != 3) || ((radius[r].state == RADIUSSTART || radius[r].state == RADIUSSTOP) && *buf != 5)) { - LOG(1, 0, s, session[s].tunnel, " Unexpected RADIUS response %d\n", *buf); + LOG(1, s, session[s].tunnel, " Unexpected RADIUS response %d\n", *buf); return; // We got something we didn't expect. Let the timeouts take // care off finishing the radius session if that's really correct. } if (radius[r].state == RADIUSAUTH) { - LOG(4, 0, s, session[s].tunnel, " Original response is \"%s\"\n", (*buf == 2) ? "accept" : "reject"); + LOG(4, s, session[s].tunnel, " Original response is \"%s\"\n", (*buf == 2) ? "accept" : "reject"); // process auth response if (radius[r].chap) { @@ -435,7 +436,7 @@ void processrad(u8 *buf, int len, char socket_index) *buf = packet.auth_allowed ? 2 : 3; } - LOG(3, 0, s, session[s].tunnel, " CHAP User %s authentication %s.\n", session[s].user, + LOG(3, s, session[s].tunnel, " CHAP User %s authentication %s.\n", session[s].user, (*buf == 2) ? "allowed" : "denied"); *p = (*buf == 2) ? 3 : 4; // ack/nak p[1] = radius[r].id; @@ -454,7 +455,7 @@ void processrad(u8 *buf, int len, char socket_index) *buf = packet.auth_allowed ? 2 : 3; } - LOG(3, 0, s, session[s].tunnel, " PAP User %s authentication %s.\n", session[s].user, + LOG(3, s, session[s].tunnel, " PAP User %s authentication %s.\n", session[s].user, (*buf == 2) ? "allowed" : "denied"); // ack/nak *p = *buf; @@ -470,26 +471,32 @@ void processrad(u8 *buf, int len, char socket_index) // Extract IP, routes, etc u8 *p = buf + 20; u8 *e = buf + len; - for (p = buf + 20; p < e && p[1]; p += p[1]) + for (; p + 2 <= e && p[1] && p + p[1] <= e; p += p[1]) { if (*p == 8) { // Framed-IP-Address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains IP address %s\n", inet_toa(*(u32 *) (p + 2))); + if (p[1] < 6) continue; session[s].ip = ntohl(*(u32 *) (p + 2)); session[s].ip_pool_index = -1; + LOG(3, s, session[s].tunnel, " Radius reply contains IP address %s\n", + fmtaddr(htonl(session[s].ip), 0)); } else if (*p == 135) { // DNS address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n", inet_toa(*(u32 *) (p + 2))); + if (p[1] < 6) continue; session[s].dns1 = ntohl(*(u32 *) (p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n", + fmtaddr(htonl(session[s].dns1), 0)); } else if (*p == 136) { // DNS address - LOG(3, 0, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n", inet_toa(*(u32 *) (p + 2))); + if (p[1] < 6) continue; session[s].dns2 = ntohl(*(u32 *) (p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n", + fmtaddr(htonl(session[s].dns2), 0)); } else if (*p == 22) { @@ -524,18 +531,16 @@ void processrad(u8 *buf, int len, char socket_index) mask = 0xFFFF0000; else mask = 0xFFFFFF00; + if (routes == MAXROUTE) { - LOG(1, 0, s, session[s].tunnel, " Too many routes\n"); + LOG(1, s, session[s].tunnel, " Too many routes\n"); } else if (ip) { - char *ips, *masks; - ips = strdup(inet_toa(htonl(ip))); - masks = strdup(inet_toa(htonl(mask))); - LOG(3, 0, s, session[s].tunnel, " Radius reply contains route for %s/%s\n", ips, masks); - free(ips); - free(masks); + LOG(3, s, session[s].tunnel, " Radius reply contains route for %s/%s\n", + fmtaddr(htonl(ip), 0), fmtaddr(htonl(mask), 1)); + session[s].route[routes].ip = ip; session[s].route[routes].mask = mask; routes++; @@ -550,7 +555,7 @@ void processrad(u8 *buf, int len, char socket_index) u8 *f = 0; int i; - LOG(3, 0, s, session[s].tunnel, " Radius reply contains Filter-Id \"%.*s\"\n", l, filter); + LOG(3, s, session[s].tunnel, " Radius reply contains Filter-Id \"%.*s\"\n", l, filter); if ((suffix = memchr(filter, '.', l))) { int b = suffix - filter; @@ -564,7 +569,7 @@ void processrad(u8 *buf, int len, char socket_index) if (!f) { - LOG(3, 0, s, session[s].tunnel, " Invalid filter\n"); + LOG(3, s, session[s].tunnel, " Invalid filter\n"); continue; } @@ -573,58 +578,63 @@ void processrad(u8 *buf, int len, char socket_index) !strncmp(ip_filters[i].name, filter, l)) *f = i + 1; - if (!*f) - LOG(3, 0, s, session[s].tunnel, " Unknown filter\n"); + if (*f) + ip_filters[*f - 1].used++; + else + LOG(3, s, session[s].tunnel, " Unknown filter\n"); } - else if (*p == 26) + else if (*p == 26 && p[1] >= 7) { // Vendor-Specific Attribute int vendor = ntohl(*(int *)(p + 2)); char attrib = *(p + 6); char attrib_length = *(p + 7) - 2; - LOG(3, 0, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length); - if (attrib_length == 0) continue; - if (attrib != 1) - LOG(3, 0, s, session[s].tunnel, " Unknown vendor-specific\n"); - else + char *avpair, *value, *key, *newp; + + LOG(3, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length); + if (vendor != 9 || attrib != 1) { - char *avpair, *value, *key, *newp; - avpair = key = calloc(attrib_length + 1, 1); - memcpy(avpair, p + 8, attrib_length); - LOG(3, 0, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair); - do { - value = strchr(key, '='); - if (!value) break; - *value++ = 0; - - // Trim quotes off reply string - if (*value == '\'' || *value == '\"') - { - char *x; - value++; - x = value + strlen(value) - 1; - if (*x == '\'' || *x == '\"') - *x = 0; - } - - // Run hooks - newp = strchr(value, ','); - if (newp) *newp++ = 0; - { - struct param_radius_response p = { &tunnel[session[s].tunnel], &session[s], key, value }; - run_plugins(PLUGIN_RADIUS_RESPONSE, &p); - } - key = newp; - } while (newp); - free(avpair); + LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n"); + continue; } + + if (attrib_length < 0) continue; + + avpair = key = calloc(attrib_length + 1, 1); + memcpy(avpair, p + 8, attrib_length); + LOG(3, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair); + do { + value = strchr(key, '='); + if (!value) break; + *value++ = 0; + + // Trim quotes off reply string + if (*value == '\'' || *value == '\"') + { + char *x; + value++; + x = value + strlen(value) - 1; + if (*x == '\'' || *x == '\"') + *x = 0; + } + + // Run hooks + newp = strchr(value, ','); + if (newp) *newp++ = 0; + { + struct param_radius_response p = { &tunnel[session[s].tunnel], &session[s], key, value }; + run_plugins(PLUGIN_RADIUS_RESPONSE, &p); + } + key = newp; + } while (newp); + free(avpair); } } } else if (*buf == 3) { - LOG(2, 0, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user); + LOG(2, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user); //FIXME: We should tear down the session here! break; } @@ -632,12 +642,12 @@ void processrad(u8 *buf, int len, char socket_index) if (!session[s].dns1 && config->default_dns1) { session[s].dns1 = htonl(config->default_dns1); - LOG(3, 0, s, t, " Sending dns1 = %s\n", inet_toa(config->default_dns1)); + LOG(3, s, t, " Sending dns1 = %s\n", fmtaddr(config->default_dns1, 0)); } if (!session[s].dns2 && config->default_dns2) { session[s].dns2 = htonl(config->default_dns2); - LOG(3, 0, s, t, " Sending dns2 = %s\n", inet_toa(config->default_dns2)); + LOG(3, s, t, " Sending dns2 = %s\n", fmtaddr(config->default_dns2, 0)); } // Valid Session, set it up @@ -647,7 +657,7 @@ void processrad(u8 *buf, int len, char socket_index) else { // An ack for a stop or start record. - LOG(3, 0, s, t, " RADIUS accounting ack recv in state %s\n", radius_states[radius[r].state]); + LOG(3, s, t, " RADIUS accounting ack recv in state %s\n", radius_states[radius[r].state]); break; } } while (0); @@ -689,7 +699,7 @@ void radiusretry(u16 r) case RADIUSWAIT: // waiting timeout before available, in case delayed reply from RADIUS server // free up RADIUS task radiusclear(r, s); - LOG(3, 0, s, session[s].tunnel, "Freeing up radius session %d\n", r); + LOG(3, s, session[s].tunnel, "Freeing up radius session %d\n", r); break; } }