X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/bdc2baa573df926eb1b0034d11a53622385a4241..c2152aa3785766ff9623b5de63e6dcd1f934dcac:/radius.c?ds=inline diff --git a/radius.c b/radius.c index 7dcaf67..3da31f8 100644 --- a/radius.c +++ b/radius.c @@ -1,6 +1,6 @@ // L2TPNS Radius Stuff -char const *cvs_id_radius = "$Id: radius.c,v 1.41 2005-08-31 12:41:09 bodea Exp $"; +char const *cvs_id_radius = "$Id: radius.c,v 1.55 2006-08-02 14:17:30 bodea Exp $"; #include #include @@ -27,10 +27,43 @@ extern configt *config; extern int *radfds; extern ip_filtert *ip_filters; +static const hasht zero; + +static void calc_auth(const void *buf, size_t len, const uint8_t *in, uint8_t *out) +{ + MD5_CTX ctx; + + MD5_Init(&ctx); + MD5_Update(&ctx, (void *)buf, 4); // code, id, length + MD5_Update(&ctx, (void *)in, 16); // auth + MD5_Update(&ctx, (void *)(buf + 20), len - 20); + MD5_Update(&ctx, config->radiussecret, strlen(config->radiussecret)); + MD5_Final(out, &ctx); +} + // Set up socket for radius requests void initrad(void) { int i; + uint16_t port = 0; + uint16_t min = config->radius_bind_min; + uint16_t max = config->radius_bind_max; + int inc = 1; + struct sockaddr_in addr; + + if (min) + { + port = min; + if (!max) + max = ~0 - 1; + } + else if (max) /* no minimum specified, bind from max down */ + { + port = max; + min = 1; + inc = -1; + } + LOG(3, 0, 0, "Creating %d sockets for RADIUS queries\n", RADIUS_FDS); radfds = calloc(sizeof(int), RADIUS_FDS); for (i = 0; i < RADIUS_FDS; i++) @@ -39,6 +72,27 @@ void initrad(void) radfds[i] = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); flags = fcntl(radfds[i], F_GETFL, 0); fcntl(radfds[i], F_SETFL, flags | O_NONBLOCK); + + if (port) + { + int b; + + memset(&addr, 0, sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_addr.s_addr = INADDR_ANY; + + do { + addr.sin_port = htons(port); + if ((b = bind(radfds[i], (struct sockaddr *) &addr, sizeof(addr))) < 0) + { + if ((port += inc) < min || port > max) + { + LOG(0, 0, 0, "Can't bind RADIUS socket in range %u-%u\n", min, max); + exit(1); + } + } + } while (b < 0); + } } } @@ -144,7 +198,7 @@ void radiussend(uint16_t r, uint8_t state) if (s) { if (state == RADIUSAUTH) - sessionshutdown(s, "RADIUS timeout.", 3, 0); + sessionshutdown(s, "RADIUS timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE); else { LOG(1, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n", @@ -234,8 +288,8 @@ void radiussend(uint16_t r, uint8_t state) p += p[1]; } } - else if (state == RADIUSSTART || state == RADIUSSTOP || state == RADIUSINTERIM) - { // accounting + else // accounting + { *p = 40; // accounting type p[1] = 6; *(uint32_t *) (p + 2) = htonl(state - RADIUSSTART + 1); // start=1, stop=2, interim=3 @@ -290,49 +344,116 @@ void radiussend(uint16_t r, uint8_t state) p[1] = 6; *(uint32_t *) (p + 2) = htonl(session[s].cout_wrap); p += p[1]; + + if (state == RADIUSSTOP && radius[r].term_cause) + { + *p = 49; // acct-terminate-cause + p[1] = 6; + *(uint32_t *) (p + 2) = htonl(radius[r].term_cause); + p += p[1]; + + if (radius[r].term_msg) + { + *p = 26; // vendor-specific + *(uint32_t *) (p + 2) = htonl(9); // Cisco + p[6] = 1; // Cisco-AVPair + p[7] = 2 + sprintf((char *) p + 8, "disc-cause-ext=%s", radius[r].term_msg); + p[1] = p[7] + 6; + p += p[1]; + } + } } - if (session[s].snoop_ip && session[s].snoop_port) { - *p = 26; // vendor-specific - *(uint32_t *) (p + 2) = htonl(9); // Cisco - p[6] = 1; // Cisco-AVPair - p[7] = 2 + sprintf((char *) p + 8, "intercept=%s:%d", - fmtaddr(session[s].snoop_ip, 0), session[s].snoop_port); - - p[1] = p[7] + 6; - p += p[1]; + struct param_radius_account acct = { &tunnel[session[s].tunnel], &session[s], &p }; + run_plugins(PLUGIN_RADIUS_ACCOUNT, &acct); } } } + if (s) { - *p = 5; // NAS-Port + *p = 5; // NAS-Port p[1] = 6; *(uint32_t *) (p + 2) = htonl(s); p += p[1]; - } - if (s && session[s].ip) - { - *p = 8; // Framed-IP-Address + + *p = 6; // Service-Type p[1] = 6; - *(uint32_t *) (p + 2) = htonl(session[s].ip); + *(uint32_t *) (p + 2) = htonl(2); // Framed-User p += p[1]; - } - if (*session[s].called) - { - *p = 30; // called - p[1] = strlen(session[s].called) + 2; - strcpy((char *) p + 2, session[s].called); - p += p[1]; - } - else if (*session[s].calling) - { - *p = 31; // calling - p[1] = strlen(session[s].calling) + 2; - strcpy((char *) p + 2, session[s].calling); + + *p = 7; // Framed-Protocol + p[1] = 6; + *(uint32_t *) (p + 2) = htonl(1); // PPP p += p[1]; + + if (session[s].ip) + { + *p = 8; // Framed-IP-Address + p[1] = 6; + *(uint32_t *) (p + 2) = htonl(session[s].ip); + p += p[1]; + } + + if (session[s].route[0].ip) + { + int r; + for (r = 0; s && r < MAXROUTE && session[s].route[r].ip; r++) + { + int width = 32; + if (session[s].route[r].mask) + { + int mask = session[s].route[r].mask; + while (!(mask & 1)) + { + width--; + mask >>= 1; + } + } + + *p = 22; // Framed-Route + p[1] = sprintf((char *) p + 2, "%s/%d %s 1", + fmtaddr(htonl(session[s].route[r].ip), 0), + width, fmtaddr(htonl(session[s].ip), 1)) + 2; + + p += p[1]; + } + } + + if (session[s].session_timeout) + { + *p = 27; // Session-Timeout + p[1] = 6; + *(uint32_t *) (p + 2) = htonl(session[s].session_timeout); + p += p[1]; + } + + if (session[s].idle_timeout) + { + *p = 28; // Idle-Timeout + p[1] = 6; + *(uint32_t *) (p + 2) = htonl(session[s].idle_timeout); + p += p[1]; + } + + if (*session[s].called) + { + *p = 30; // called + p[1] = strlen(session[s].called) + 2; + strcpy((char *) p + 2, session[s].called); + p += p[1]; + } + + if (*session[s].calling) + { + *p = 31; // calling + p[1] = strlen(session[s].calling) + 2; + strcpy((char *) p + 2, session[s].calling); + p += p[1]; + } } + // NAS-IP-Address *p = 4; p[1] = 6; @@ -343,18 +464,9 @@ void radiussend(uint16_t r, uint8_t state) *(uint16_t *) (b + 2) = htons(p - b); if (state != RADIUSAUTH) { - // Build auth for accounting packet - uint8_t z[16] = {0}; - uint8_t hash[16] = {0}; - MD5_CTX ctx; - MD5_Init(&ctx); - MD5_Update(&ctx, b, 4); - MD5_Update(&ctx, z, 16); - MD5_Update(&ctx, b + 20, (p - b) - 20); - MD5_Update(&ctx, config->radiussecret, strlen(config->radiussecret)); - MD5_Final(hash, &ctx); - memcpy(b + 4, hash, 16); - memcpy(radius[r].auth, hash, 16); + // Build auth for accounting packet + calc_auth(b, p - b, zero, b + 4); + memcpy(radius[r].auth, b + 4, 16); } memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; @@ -415,7 +527,6 @@ static void handle_avpair(sessionidt s, uint8_t *avp, int len) void processrad(uint8_t *buf, int len, char socket_index) { uint8_t b[MAXETHER]; - MD5_CTX ctx; uint16_t r; sessionidt s; tunnelidt t = 0; @@ -454,12 +565,7 @@ void processrad(uint8_t *buf, int len, char socket_index) return; } t = session[s].tunnel; - MD5_Init(&ctx); - MD5_Update(&ctx, buf, 4); - MD5_Update(&ctx, radius[r].auth, 16); - MD5_Update(&ctx, buf + 20, len - 20); - MD5_Update(&ctx, config->radiussecret, strlen(config->radiussecret)); - MD5_Final(hash, &ctx); + calc_auth(buf, len, radius[r].auth, hash); do { if (memcmp(hash, buf + 4, 16)) { @@ -493,7 +599,7 @@ void processrad(uint8_t *buf, int len, char socket_index) if (radius[r].chap) { // CHAP - uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPCHAP); + uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPCHAP, 0, 0, 0); if (!p) return; // Abort! *p = (r_code == AccessAccept) ? 3 : 4; // ack/nak @@ -507,7 +613,7 @@ void processrad(uint8_t *buf, int len, char socket_index) else { // PAP - uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPPAP); + uint8_t *p = makeppp(b, sizeof(b), 0, 0, s, t, PPPPAP, 0, 0, 0); if (!p) return; // Abort! // ack/nak @@ -529,6 +635,35 @@ void processrad(uint8_t *buf, int len, char socket_index) uint8_t *e = buf + len; for (; p + 2 <= e && p[1] && p + p[1] <= e; p += p[1]) { + if (*p == 26 && p[1] >= 7) + { + // Vendor-Specific Attribute + uint32_t vendor = ntohl(*(int *)(p + 2)); + uint8_t attrib = *(p + 6); + int attrib_length = *(p + 7) - 2; + + LOG(4, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%u Attrib=%u Length=%d\n", vendor, attrib, attrib_length); + if (vendor == 9 && attrib == 1) // Cisco-AVPair + { + if (attrib_length < 0) continue; + LOG(3, s, session[s].tunnel, " Cisco-AVPair value: %.*s\n", + attrib_length, p + 8); + + handle_avpair(s, p + 8, attrib_length); + continue; + } + else if (vendor == 529 && attrib >= 135 && attrib <= 136) // Ascend + { + // handle old-format ascend DNS attributes below + p += 6; + } + else + { + LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n"); + continue; + } + } + if (*p == 8) { // Framed-IP-Address @@ -642,27 +777,19 @@ void processrad(uint8_t *buf, int len, char socket_index) ip_filters[f].used++; } } - else if (*p == 26 && p[1] >= 7) + else if (*p == 27) { - // Vendor-Specific Attribute - int vendor = ntohl(*(int *)(p + 2)); - char attrib = *(p + 6); - int attrib_length = *(p + 7) - 2; - - LOG(3, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length); - if (vendor != 9 || attrib != 1) - { - LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n"); - continue; - } - - if (attrib_length > 0) - { - LOG(3, s, session[s].tunnel, " Cisco-AVPair value: %.*s\n", - attrib_length, p + 8); - - handle_avpair(s, p + 8, attrib_length); - } + // Session-Timeout + if (p[1] < 6) continue; + session[s].session_timeout = ntohl(*(uint32_t *)(p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains Session-Timeout = %u\n", session[s].session_timeout); + } + else if (*p == 28) + { + // Idle-Timeout + if (p[1] < 6) continue; + session[s].idle_timeout = ntohl(*(uint32_t *)(p + 2)); + LOG(3, s, session[s].tunnel, " Radius reply contains Idle-Timeout = %u\n", session[s].idle_timeout); } else if (*p == 99) { @@ -759,11 +886,11 @@ void radiusretry(uint16_t r) extern int daefd; -void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) +void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen, struct in_addr *local) { int i, r_code, r_id, length, attribute_length; - uint8_t vector[16], hash[16], *packet, attribute; - MD5_CTX ctx; + uint8_t *packet, attribute; + hasht hash; char username[MAXUSER] = ""; in_addr_t nas = 0; in_addr_t ip = 0; @@ -808,17 +935,8 @@ void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) LOG(3, 0, 0, "Received DAE %s, id %d\n", radius_code(r_code), r_id); // check authenticator - memcpy(vector, buf + 4, 16); - memset(buf + 4, 0, 16); - - i = strlen(config->radiussecret); - if (i > 16) i = 16; - - MD5_Init(&ctx); - MD5_Update(&ctx, buf, len); - MD5_Update(&ctx, config->radiussecret, i); - MD5_Final(hash, &ctx); - if (memcmp(hash, vector, 16) != 0) + calc_auth(buf, len, zero, hash); + if (memcmp(hash, buf + 4, 16) != 0) { LOG(1, 0, 0, "Incorrect vector in DAE request (wrong secret in radius config?)\n"); return; @@ -977,7 +1095,7 @@ void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) LOG(3, s, t, " DAE Disconnect %d (%s)\n", s, session[s].user); r_code = DisconnectACK; - sessionshutdown(s, "Requested by PoD", 3, 0); // disconnect session + sessionshutdown(s, "Requested by PoD", CDN_ADMIN_DISC, TERM_ADMIN_RESET); // disconnect session break; case CoARequest: // Change of Authorization @@ -1024,10 +1142,9 @@ void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) packet = buf; *packet++ = r_code; *packet++ = r_id; - packet += 2; - memset(packet, 0, 16); - packet += 16; - len = 20; + // skip len + auth + packet += 2 + 16; + len = packet - buf; // add attributes if (error) @@ -1042,18 +1159,11 @@ void processdae(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) *((uint16_t *)(buf + 2)) = htons(len); // make vector - i = strlen(config->radiussecret); - if (i > 16) i = 16; - - MD5_Init(&ctx); - MD5_Update(&ctx, buf, len); - MD5_Update(&ctx, config->radiussecret, i); - MD5_Final(hash, &ctx); - memcpy(buf + 4, hash, 16); + calc_auth(buf, len, hash, buf + 4); LOG(3, 0, 0, "Sending DAE %s, id=%d\n", radius_code(r_code), r_id); // send DAE response - if (sendto(daefd, buf, len, MSG_DONTWAIT | MSG_NOSIGNAL, (struct sockaddr *) addr, alen) < 0) + if (sendtofrom(daefd, buf, len, MSG_DONTWAIT | MSG_NOSIGNAL, (struct sockaddr *) addr, alen, local) < 0) LOG(0, 0, 0, "Error sending DAE response packet: %s\n", strerror(errno)); }