radius.c revision 129457
1/* 2 * Copyright 1999 Internet Business Solutions Ltd., Switzerland 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/usr.sbin/ppp/radius.c 129457 2004-05-19 21:00:42Z dds $ 27 * 28 */ 29 30#include <stdint.h> 31#include <sys/param.h> 32 33#include <sys/socket.h> 34#include <netinet/in_systm.h> 35#include <netinet/in.h> 36#include <netinet/ip.h> 37#include <arpa/inet.h> 38#include <sys/un.h> 39#include <net/route.h> 40 41#ifdef LOCALRAD 42#include "radlib.h" 43#include "radlib_vs.h" 44#else 45#include <radlib.h> 46#include <radlib_vs.h> 47#endif 48 49#include <errno.h> 50#ifndef NODES 51#include <md5.h> 52#endif 53#include <stdarg.h> 54#include <stdio.h> 55#include <stdlib.h> 56#include <string.h> 57#include <sys/time.h> 58#include <termios.h> 59#include <unistd.h> 60#include <netdb.h> 61 62#include "layer.h" 63#include "defs.h" 64#include "log.h" 65#include "descriptor.h" 66#include "prompt.h" 67#include "timer.h" 68#include "fsm.h" 69#include "iplist.h" 70#include "slcompress.h" 71#include "throughput.h" 72#include "lqr.h" 73#include "hdlc.h" 74#include "mbuf.h" 75#include "ncpaddr.h" 76#include "ip.h" 77#include "ipcp.h" 78#include "ipv6cp.h" 79#include "route.h" 80#include "command.h" 81#include "filter.h" 82#include "lcp.h" 83#include "ccp.h" 84#include "link.h" 85#include "mp.h" 86#include "radius.h" 87#include "auth.h" 88#include "async.h" 89#include "physical.h" 90#include "chat.h" 91#include "cbcp.h" 92#include "chap.h" 93#include "datalink.h" 94#include "ncp.h" 95#include "bundle.h" 96#include "proto.h" 97 98#ifndef NODES 99struct mschap_response { 100 u_char ident; 101 u_char flags; 102 u_char lm_response[24]; 103 u_char nt_response[24]; 104}; 105 106struct mschap2_response { 107 u_char ident; 108 u_char flags; 109 u_char pchallenge[16]; 110 u_char reserved[8]; 111 u_char response[24]; 112}; 113 114#define AUTH_LEN 16 115#define SALT_LEN 2 116#endif 117 118static const char * 119radius_policyname(int policy) 120{ 121 switch(policy) { 122 case MPPE_POLICY_ALLOWED: 123 return "Allowed"; 124 case MPPE_POLICY_REQUIRED: 125 return "Required"; 126 } 127 return NumStr(policy, NULL, 0); 128} 129 130static const char * 131radius_typesname(int types) 132{ 133 switch(types) { 134 case MPPE_TYPE_40BIT: 135 return "40 bit"; 136 case MPPE_TYPE_128BIT: 137 return "128 bit"; 138 case MPPE_TYPE_40BIT|MPPE_TYPE_128BIT: 139 return "40 or 128 bit"; 140 } 141 return NumStr(types, NULL, 0); 142} 143 144#ifndef NODES 145static void 146demangle(struct radius *r, const void *mangled, size_t mlen, 147 char **buf, size_t *len) 148{ 149 char R[AUTH_LEN]; /* variable names as per rfc2548 */ 150 const char *S; 151 u_char b[16]; 152 const u_char *A, *C; 153 MD5_CTX Context; 154 int Slen, i, Clen, Ppos; 155 u_char *P; 156 157 if (mlen % 16 != SALT_LEN) { 158 log_Printf(LogWARN, "Cannot interpret mangled data of length %ld\n", 159 (u_long)mlen); 160 *buf = NULL; 161 *len = 0; 162 return; 163 } 164 165 /* We need the RADIUS Request-Authenticator */ 166 if (rad_request_authenticator(r->cx.rad, R, sizeof R) != AUTH_LEN) { 167 log_Printf(LogWARN, "Cannot obtain the RADIUS request authenticator\n"); 168 *buf = NULL; 169 *len = 0; 170 return; 171 } 172 173 A = (const u_char *)mangled; /* Salt comes first */ 174 C = (const u_char *)mangled + SALT_LEN; /* Then the ciphertext */ 175 Clen = mlen - SALT_LEN; 176 S = rad_server_secret(r->cx.rad); /* We need the RADIUS secret */ 177 Slen = strlen(S); 178 P = alloca(Clen); /* We derive our plaintext */ 179 180 MD5Init(&Context); 181 MD5Update(&Context, S, Slen); 182 MD5Update(&Context, R, AUTH_LEN); 183 MD5Update(&Context, A, SALT_LEN); 184 MD5Final(b, &Context); 185 Ppos = 0; 186 187 while (Clen) { 188 Clen -= 16; 189 190 for (i = 0; i < 16; i++) 191 P[Ppos++] = C[i] ^ b[i]; 192 193 if (Clen) { 194 MD5Init(&Context); 195 MD5Update(&Context, S, Slen); 196 MD5Update(&Context, C, 16); 197 MD5Final(b, &Context); 198 } 199 200 C += 16; 201 } 202 203 /* 204 * The resulting plain text consists of a one-byte length, the text and 205 * maybe some padding. 206 */ 207 *len = *P; 208 if (*len > mlen - 1) { 209 log_Printf(LogWARN, "Mangled data seems to be garbage\n"); 210 *buf = NULL; 211 *len = 0; 212 return; 213 } 214 215 *buf = malloc(*len); 216 memcpy(*buf, P + 1, *len); 217} 218#endif 219 220/* XXX: This should go into librarius. */ 221#ifndef NOINET6 222static uint8_t * 223rad_cvt_ipv6prefix(const void *data, size_t len) 224{ 225 const size_t ipv6len = sizeof(struct in6_addr) + 2; 226 uint8_t *s; 227 228 if (len > ipv6len) 229 return NULL; 230 s = malloc(ipv6len); 231 if (s != NULL) { 232 memset(s, 0, ipv6len); 233 memcpy(s, data, len); 234 } 235 return s; 236} 237#endif 238 239/* 240 * rad_continue_send_request() has given us `got' (non-zero). Deal with it. 241 */ 242static void 243radius_Process(struct radius *r, int got) 244{ 245 char *argv[MAXARGS], *nuke; 246 struct bundle *bundle; 247 int argc, addrs, res, width; 248 size_t len; 249 struct ncprange dest; 250 struct ncpaddr gw; 251 const void *data; 252 const char *stype; 253 u_int32_t ipaddr, vendor; 254 struct in_addr ip; 255#ifndef NOINET6 256 uint8_t ipv6addr[INET6_ADDRSTRLEN]; 257 struct in6_addr ip6; 258#endif 259 260 r->cx.fd = -1; /* Stop select()ing */ 261 stype = r->cx.auth ? "auth" : "acct"; 262 263 switch (got) { 264 case RAD_ACCESS_ACCEPT: 265 log_Printf(LogPHASE, "Radius(%s): ACCEPT received\n", stype); 266 if (!r->cx.auth) { 267 rad_close(r->cx.rad); 268 return; 269 } 270 break; 271 272 case RAD_ACCESS_REJECT: 273 log_Printf(LogPHASE, "Radius(%s): REJECT received\n", stype); 274 if (!r->cx.auth) { 275 rad_close(r->cx.rad); 276 return; 277 } 278 break; 279 280 case RAD_ACCESS_CHALLENGE: 281 /* we can't deal with this (for now) ! */ 282 log_Printf(LogPHASE, "Radius: CHALLENGE received (can't handle yet)\n"); 283 if (r->cx.auth) 284 auth_Failure(r->cx.auth); 285 rad_close(r->cx.rad); 286 return; 287 288 case RAD_ACCOUNTING_RESPONSE: 289 log_Printf(LogPHASE, "Radius(%s): Accounting response received\n", stype); 290 if (r->cx.auth) 291 auth_Failure(r->cx.auth); /* unexpected !!! */ 292 293 /* No further processing for accounting requests, please */ 294 rad_close(r->cx.rad); 295 return; 296 297 case -1: 298 log_Printf(LogPHASE, "radius(%s): %s\n", stype, rad_strerror(r->cx.rad)); 299 if (r->cx.auth) 300 auth_Failure(r->cx.auth); 301 rad_close(r->cx.rad); 302 return; 303 304 default: 305 log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype, 306 got, rad_strerror(r->cx.rad)); 307 if (r->cx.auth) 308 auth_Failure(r->cx.auth); 309 rad_close(r->cx.rad); 310 return; 311 } 312 313 /* Let's see what we've got in our reply */ 314 r->ip.s_addr = r->mask.s_addr = INADDR_NONE; 315 r->mtu = 0; 316 r->vj = 0; 317 while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) { 318 switch (res) { 319 case RAD_FRAMED_IP_ADDRESS: 320 r->ip = rad_cvt_addr(data); 321 log_Printf(LogPHASE, " IP %s\n", inet_ntoa(r->ip)); 322 break; 323 324 case RAD_FILTER_ID: 325 free(r->filterid); 326 if ((r->filterid = rad_cvt_string(data, len)) == NULL) { 327 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 328 auth_Failure(r->cx.auth); 329 rad_close(r->cx.rad); 330 return; 331 } 332 log_Printf(LogPHASE, " Filter \"%s\"\n", r->filterid); 333 break; 334 335 case RAD_SESSION_TIMEOUT: 336 r->sessiontime = rad_cvt_int(data); 337 log_Printf(LogPHASE, " Session-Timeout %lu\n", r->sessiontime); 338 break; 339 340 case RAD_FRAMED_IP_NETMASK: 341 r->mask = rad_cvt_addr(data); 342 log_Printf(LogPHASE, " Netmask %s\n", inet_ntoa(r->mask)); 343 break; 344 345 case RAD_FRAMED_MTU: 346 r->mtu = rad_cvt_int(data); 347 log_Printf(LogPHASE, " MTU %lu\n", r->mtu); 348 break; 349 350 case RAD_FRAMED_ROUTING: 351 /* Disabled for now - should we automatically set up some filters ? */ 352 /* rad_cvt_int(data); */ 353 /* bit 1 = Send routing packets */ 354 /* bit 2 = Receive routing packets */ 355 break; 356 357 case RAD_FRAMED_COMPRESSION: 358 r->vj = rad_cvt_int(data) == 1 ? 1 : 0; 359 log_Printf(LogPHASE, " VJ %sabled\n", r->vj ? "en" : "dis"); 360 break; 361 362 case RAD_FRAMED_ROUTE: 363 /* 364 * We expect a string of the format ``dest[/bits] gw [metrics]'' 365 * Any specified metrics are ignored. MYADDR and HISADDR are 366 * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same 367 * as ``HISADDR''. 368 */ 369 370 if ((nuke = rad_cvt_string(data, len)) == NULL) { 371 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 372 auth_Failure(r->cx.auth); 373 rad_close(r->cx.rad); 374 return; 375 } 376 377 log_Printf(LogPHASE, " Route: %s\n", nuke); 378 bundle = r->cx.auth->physical->dl->bundle; 379 ip.s_addr = INADDR_ANY; 380 ncpaddr_setip4(&gw, ip); 381 ncprange_setip4host(&dest, ip); 382 argc = command_Interpret(nuke, strlen(nuke), argv); 383 if (argc < 0) 384 log_Printf(LogWARN, "radius: %s: Syntax error\n", 385 argc == 1 ? argv[0] : "\"\""); 386 else if (argc < 2) 387 log_Printf(LogWARN, "radius: %s: Invalid route\n", 388 argc == 1 ? argv[0] : "\"\""); 389 else if ((strcasecmp(argv[0], "default") != 0 && 390 !ncprange_aton(&dest, &bundle->ncp, argv[0])) || 391 !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) 392 log_Printf(LogWARN, "radius: %s %s: Invalid route\n", 393 argv[0], argv[1]); 394 else { 395 ncprange_getwidth(&dest, &width); 396 if (width == 32 && strchr(argv[0], '/') == NULL) { 397 /* No mask specified - use the natural mask */ 398 ncprange_getip4addr(&dest, &ip); 399 ncprange_setip4mask(&dest, addr2mask(ip)); 400 } 401 addrs = 0; 402 403 if (!strncasecmp(argv[0], "HISADDR", 7)) 404 addrs = ROUTE_DSTHISADDR; 405 else if (!strncasecmp(argv[0], "MYADDR", 6)) 406 addrs = ROUTE_DSTMYADDR; 407 408 if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) { 409 addrs |= ROUTE_GWHISADDR; 410 ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip); 411 } else if (strcasecmp(argv[1], "HISADDR") == 0) 412 addrs |= ROUTE_GWHISADDR; 413 414 route_Add(&r->routes, addrs, &dest, &gw); 415 } 416 free(nuke); 417 break; 418 419 case RAD_REPLY_MESSAGE: 420 free(r->repstr); 421 if ((r->repstr = rad_cvt_string(data, len)) == NULL) { 422 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 423 auth_Failure(r->cx.auth); 424 rad_close(r->cx.rad); 425 return; 426 } 427 log_Printf(LogPHASE, " Reply-Message \"%s\"\n", r->repstr); 428 break; 429 430#ifndef NOINET6 431 case RAD_FRAMED_IPV6_PREFIX: 432 free(r->ipv6prefix); 433 r->ipv6prefix = rad_cvt_ipv6prefix(data, len); 434 inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr)); 435 log_Printf(LogPHASE, " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]); 436 break; 437 438 case RAD_FRAMED_IPV6_ROUTE: 439 /* 440 * We expect a string of the format ``dest[/bits] gw [metrics]'' 441 * Any specified metrics are ignored. MYADDR6 and HISADDR6 are 442 * understood for ``dest'' and ``gw'' and ``::'' is the same 443 * as ``HISADDR6''. 444 */ 445 446 if ((nuke = rad_cvt_string(data, len)) == NULL) { 447 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 448 auth_Failure(r->cx.auth); 449 rad_close(r->cx.rad); 450 return; 451 } 452 453 log_Printf(LogPHASE, " IPv6 Route: %s\n", nuke); 454 bundle = r->cx.auth->physical->dl->bundle; 455 ncpaddr_setip6(&gw, &in6addr_any); 456 ncprange_set(&dest, &gw, 0); 457 argc = command_Interpret(nuke, strlen(nuke), argv); 458 if (argc < 0) 459 log_Printf(LogWARN, "radius: %s: Syntax error\n", 460 argc == 1 ? argv[0] : "\"\""); 461 else if (argc < 2) 462 log_Printf(LogWARN, "radius: %s: Invalid route\n", 463 argc == 1 ? argv[0] : "\"\""); 464 else if ((strcasecmp(argv[0], "default") != 0 && 465 !ncprange_aton(&dest, &bundle->ncp, argv[0])) || 466 !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) 467 log_Printf(LogWARN, "radius: %s %s: Invalid route\n", 468 argv[0], argv[1]); 469 else { 470 addrs = 0; 471 472 if (!strncasecmp(argv[0], "HISADDR6", 8)) 473 addrs = ROUTE_DSTHISADDR6; 474 else if (!strncasecmp(argv[0], "MYADDR6", 7)) 475 addrs = ROUTE_DSTMYADDR6; 476 477 if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) { 478 addrs |= ROUTE_GWHISADDR6; 479 ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr); 480 } else if (strcasecmp(argv[1], "HISADDR6") == 0) 481 addrs |= ROUTE_GWHISADDR6; 482 483 route_Add(&r->ipv6routes, addrs, &dest, &gw); 484 } 485 free(nuke); 486 break; 487#endif 488 489 case RAD_VENDOR_SPECIFIC: 490 if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) { 491 log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n", 492 rad_strerror(r->cx.rad)); 493 auth_Failure(r->cx.auth); 494 rad_close(r->cx.rad); 495 return; 496 } 497 498 switch (vendor) { 499 case RAD_VENDOR_MICROSOFT: 500 switch (res) { 501#ifndef NODES 502 case RAD_MICROSOFT_MS_CHAP_ERROR: 503 free(r->errstr); 504 if (len == 0) 505 r->errstr = NULL; 506 else { 507 if (len < 3 || ((const char *)data)[1] != '=') { 508 /* 509 * Only point at the String field if we don't think the 510 * peer has misformatted the response. 511 */ 512 ((const char *)data)++; 513 len--; 514 } else 515 log_Printf(LogWARN, "Warning: The MS-CHAP-Error " 516 "attribute is mis-formatted. Compensating\n"); 517 if ((r->errstr = rad_cvt_string((const char *)data, 518 len)) == NULL) { 519 log_Printf(LogERROR, "rad_cvt_string: %s\n", 520 rad_strerror(r->cx.rad)); 521 auth_Failure(r->cx.auth); 522 rad_close(r->cx.rad); 523 return; 524 } 525 log_Printf(LogPHASE, " MS-CHAP-Error \"%s\"\n", r->errstr); 526 } 527 break; 528 529 case RAD_MICROSOFT_MS_CHAP2_SUCCESS: 530 free(r->msrepstr); 531 if (len == 0) 532 r->msrepstr = NULL; 533 else { 534 if (len < 3 || ((const char *)data)[1] != '=') { 535 /* 536 * Only point at the String field if we don't think the 537 * peer has misformatted the response. 538 */ 539 ((const char *)data)++; 540 len--; 541 } else 542 log_Printf(LogWARN, "Warning: The MS-CHAP2-Success " 543 "attribute is mis-formatted. Compensating\n"); 544 if ((r->msrepstr = rad_cvt_string((const char *)data, 545 len)) == NULL) { 546 log_Printf(LogERROR, "rad_cvt_string: %s\n", 547 rad_strerror(r->cx.rad)); 548 auth_Failure(r->cx.auth); 549 rad_close(r->cx.rad); 550 return; 551 } 552 log_Printf(LogPHASE, " MS-CHAP2-Success \"%s\"\n", 553 r->msrepstr); 554 } 555 break; 556 557 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY: 558 r->mppe.policy = rad_cvt_int(data); 559 log_Printf(LogPHASE, " MS-MPPE-Encryption-Policy %s\n", 560 radius_policyname(r->mppe.policy)); 561 break; 562 563 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES: 564 r->mppe.types = rad_cvt_int(data); 565 log_Printf(LogPHASE, " MS-MPPE-Encryption-Types %s\n", 566 radius_typesname(r->mppe.types)); 567 break; 568 569 case RAD_MICROSOFT_MS_MPPE_RECV_KEY: 570 free(r->mppe.recvkey); 571 demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen); 572 log_Printf(LogPHASE, " MS-MPPE-Recv-Key ********\n"); 573 break; 574 575 case RAD_MICROSOFT_MS_MPPE_SEND_KEY: 576 demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen); 577 log_Printf(LogPHASE, " MS-MPPE-Send-Key ********\n"); 578 break; 579#endif 580 581 default: 582 log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific " 583 "RADIUS attribute %d\n", res); 584 break; 585 } 586 break; 587 588 default: 589 log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n", 590 (unsigned long)vendor, res); 591 break; 592 } 593 break; 594 595 default: 596 log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res); 597 break; 598 } 599 } 600 601 if (res == -1) { 602 log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n", 603 rad_strerror(r->cx.rad)); 604 auth_Failure(r->cx.auth); 605 } else if (got == RAD_ACCESS_REJECT) 606 auth_Failure(r->cx.auth); 607 else { 608 r->valid = 1; 609 auth_Success(r->cx.auth); 610 } 611 rad_close(r->cx.rad); 612} 613 614/* 615 * We've either timed out or select()ed on the read descriptor 616 */ 617static void 618radius_Continue(struct radius *r, int sel) 619{ 620 struct timeval tv; 621 int got; 622 623 timer_Stop(&r->cx.timer); 624 if ((got = rad_continue_send_request(r->cx.rad, sel, &r->cx.fd, &tv)) == 0) { 625 log_Printf(LogPHASE, "Radius: Request re-sent\n"); 626 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 627 timer_Start(&r->cx.timer); 628 return; 629 } 630 631 radius_Process(r, got); 632} 633 634/* 635 * Time to call rad_continue_send_request() - timed out. 636 */ 637static void 638radius_Timeout(void *v) 639{ 640 radius_Continue((struct radius *)v, 0); 641} 642 643/* 644 * Time to call rad_continue_send_request() - something to read. 645 */ 646static void 647radius_Read(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 648{ 649 radius_Continue(descriptor2radius(d), 1); 650} 651 652/* 653 * Behave as a struct fdescriptor (descriptor.h) 654 */ 655static int 656radius_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w, fd_set *e, int *n) 657{ 658 struct radius *rad = descriptor2radius(d); 659 660 if (r && rad->cx.fd != -1) { 661 FD_SET(rad->cx.fd, r); 662 if (*n < rad->cx.fd + 1) 663 *n = rad->cx.fd + 1; 664 log_Printf(LogTIMER, "Radius: fdset(r) %d\n", rad->cx.fd); 665 return 1; 666 } 667 668 return 0; 669} 670 671/* 672 * Behave as a struct fdescriptor (descriptor.h) 673 */ 674static int 675radius_IsSet(struct fdescriptor *d, const fd_set *fdset) 676{ 677 struct radius *r = descriptor2radius(d); 678 679 return r && r->cx.fd != -1 && FD_ISSET(r->cx.fd, fdset); 680} 681 682/* 683 * Behave as a struct fdescriptor (descriptor.h) 684 */ 685static int 686radius_Write(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 687{ 688 /* We never want to write here ! */ 689 log_Printf(LogALERT, "radius_Write: Internal error: Bad call !\n"); 690 return 0; 691} 692 693/* 694 * Initialise ourselves 695 */ 696void 697radius_Init(struct radius *r) 698{ 699 r->desc.type = RADIUS_DESCRIPTOR; 700 r->desc.UpdateSet = radius_UpdateSet; 701 r->desc.IsSet = radius_IsSet; 702 r->desc.Read = radius_Read; 703 r->desc.Write = radius_Write; 704 r->cx.fd = -1; 705 r->cx.rad = NULL; 706 memset(&r->cx.timer, '\0', sizeof r->cx.timer); 707 r->cx.auth = NULL; 708 r->valid = 0; 709 r->vj = 0; 710 r->ip.s_addr = INADDR_ANY; 711 r->mask.s_addr = INADDR_NONE; 712 r->routes = NULL; 713 r->mtu = DEF_MTU; 714 r->msrepstr = NULL; 715 r->repstr = NULL; 716#ifndef NOINET6 717 r->ipv6prefix = NULL; 718 r->ipv6routes = NULL; 719#endif 720 r->errstr = NULL; 721 r->mppe.policy = 0; 722 r->mppe.types = 0; 723 r->mppe.recvkey = NULL; 724 r->mppe.recvkeylen = 0; 725 r->mppe.sendkey = NULL; 726 r->mppe.sendkeylen = 0; 727 *r->cfg.file = '\0';; 728 log_Printf(LogDEBUG, "Radius: radius_Init\n"); 729} 730 731/* 732 * Forget everything and go back to initialised state. 733 */ 734void 735radius_Destroy(struct radius *r) 736{ 737 r->valid = 0; 738 log_Printf(LogDEBUG, "Radius: radius_Destroy\n"); 739 timer_Stop(&r->cx.timer); 740 route_DeleteAll(&r->routes); 741#ifndef NOINET6 742 route_DeleteAll(&r->ipv6routes); 743#endif 744 free(r->filterid); 745 r->filterid = NULL; 746 free(r->msrepstr); 747 r->msrepstr = NULL; 748 free(r->repstr); 749 r->repstr = NULL; 750#ifndef NOINET6 751 free(r->ipv6prefix); 752 r->ipv6prefix = NULL; 753#endif 754 free(r->errstr); 755 r->errstr = NULL; 756 free(r->mppe.recvkey); 757 r->mppe.recvkey = NULL; 758 r->mppe.recvkeylen = 0; 759 free(r->mppe.sendkey); 760 r->mppe.sendkey = NULL; 761 r->mppe.sendkeylen = 0; 762 if (r->cx.fd != -1) { 763 r->cx.fd = -1; 764 rad_close(r->cx.rad); 765 } 766} 767 768static int 769radius_put_physical_details(struct rad_handle *rad, struct physical *p) 770{ 771 int slot, type; 772 773 type = RAD_VIRTUAL; 774 if (p->handler) 775 switch (p->handler->type) { 776 case I4B_DEVICE: 777 type = RAD_ISDN_SYNC; 778 break; 779 780 case TTY_DEVICE: 781 type = RAD_ASYNC; 782 break; 783 784 case ETHER_DEVICE: 785 type = RAD_ETHERNET; 786 break; 787 788 case TCP_DEVICE: 789 case UDP_DEVICE: 790 case EXEC_DEVICE: 791 case ATM_DEVICE: 792 case NG_DEVICE: 793 type = RAD_VIRTUAL; 794 break; 795 } 796 797 if (rad_put_int(rad, RAD_NAS_PORT_TYPE, type) != 0) { 798 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad)); 799 rad_close(rad); 800 return 0; 801 } 802 803 if ((slot = physical_Slot(p)) >= 0) 804 if (rad_put_int(rad, RAD_NAS_PORT, slot) != 0) { 805 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad)); 806 rad_close(rad); 807 return 0; 808 } 809 810 return 1; 811} 812 813/* 814 * Start an authentication request to the RADIUS server. 815 */ 816int 817radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name, 818 const char *key, int klen, const char *nchallenge, 819 int nclen) 820{ 821 struct timeval tv; 822 int got; 823 char hostname[MAXHOSTNAMELEN]; 824#if 0 825 struct hostent *hp; 826 struct in_addr hostaddr; 827#endif 828#ifndef NODES 829 struct mschap_response msresp; 830 struct mschap2_response msresp2; 831 const struct MSCHAPv2_resp *keyv2; 832#endif 833 834 if (!*r->cfg.file) 835 return 0; 836 837 if (r->cx.fd != -1) 838 /* 839 * We assume that our name/key/challenge is the same as last time, 840 * and just continue to wait for the RADIUS server(s). 841 */ 842 return 1; 843 844 radius_Destroy(r); 845 846 if ((r->cx.rad = rad_auth_open()) == NULL) { 847 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); 848 return 0; 849 } 850 851 if (rad_config(r->cx.rad, r->cfg.file) != 0) { 852 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); 853 rad_close(r->cx.rad); 854 return 0; 855 } 856 857 if (rad_create_request(r->cx.rad, RAD_ACCESS_REQUEST) != 0) { 858 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); 859 rad_close(r->cx.rad); 860 return 0; 861 } 862 863 if (rad_put_string(r->cx.rad, RAD_USER_NAME, name) != 0 || 864 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || 865 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) { 866 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 867 rad_close(r->cx.rad); 868 return 0; 869 } 870 871 switch (authp->physical->link.lcp.want_auth) { 872 case PROTO_PAP: 873 /* We're talking PAP */ 874 if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) { 875 log_Printf(LogERROR, "PAP: rad_put_string: %s\n", 876 rad_strerror(r->cx.rad)); 877 rad_close(r->cx.rad); 878 return 0; 879 } 880 break; 881 882 case PROTO_CHAP: 883 switch (authp->physical->link.lcp.want_authtype) { 884 case 0x5: 885 if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 || 886 rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, nchallenge, nclen) != 0) { 887 log_Printf(LogERROR, "CHAP: rad_put_string: %s\n", 888 rad_strerror(r->cx.rad)); 889 rad_close(r->cx.rad); 890 return 0; 891 } 892 break; 893 894#ifndef NODES 895 case 0x80: 896 if (klen != 50) { 897 log_Printf(LogERROR, "CHAP80: Unrecognised key length %d\n", klen); 898 rad_close(r->cx.rad); 899 return 0; 900 } 901 902 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 903 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); 904 msresp.ident = *key; 905 msresp.flags = 0x01; 906 memcpy(msresp.lm_response, key + 1, 24); 907 memcpy(msresp.nt_response, key + 25, 24); 908 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 909 RAD_MICROSOFT_MS_CHAP_RESPONSE, &msresp, 910 sizeof msresp); 911 break; 912 913 case 0x81: 914 if (klen != sizeof(*keyv2) + 1) { 915 log_Printf(LogERROR, "CHAP81: Unrecognised key length %d\n", klen); 916 rad_close(r->cx.rad); 917 return 0; 918 } 919 920 keyv2 = (const struct MSCHAPv2_resp *)(key + 1); 921 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 922 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); 923 msresp2.ident = *key; 924 msresp2.flags = keyv2->Flags; 925 memcpy(msresp2.response, keyv2->NTResponse, sizeof msresp2.response); 926 memset(msresp2.reserved, '\0', sizeof msresp2.reserved); 927 memcpy(msresp2.pchallenge, keyv2->PeerChallenge, 928 sizeof msresp2.pchallenge); 929 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 930 RAD_MICROSOFT_MS_CHAP2_RESPONSE, &msresp2, 931 sizeof msresp2); 932 break; 933#endif 934 default: 935 log_Printf(LogERROR, "CHAP: Unrecognised type 0x%02x\n", 936 authp->physical->link.lcp.want_authtype); 937 rad_close(r->cx.rad); 938 return 0; 939 } 940 } 941 942 if (gethostname(hostname, sizeof hostname) != 0) 943 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); 944 else { 945#if 0 946 if ((hp = gethostbyname(hostname)) != NULL) { 947 hostaddr.s_addr = *(u_long *)hp->h_addr; 948 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { 949 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 950 rad_strerror(r->cx.rad)); 951 rad_close(r->cx.rad); 952 return 0; 953 } 954 } 955#endif 956 if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { 957 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 958 rad_strerror(r->cx.rad)); 959 rad_close(r->cx.rad); 960 return 0; 961 } 962 } 963 964 radius_put_physical_details(r->cx.rad, authp->physical); 965 966 r->cx.auth = authp; 967 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) 968 radius_Process(r, got); 969 else { 970 log_Printf(LogPHASE, "Radius: Request sent\n"); 971 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); 972 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 973 r->cx.timer.func = radius_Timeout; 974 r->cx.timer.name = "radius auth"; 975 r->cx.timer.arg = r; 976 timer_Start(&r->cx.timer); 977 } 978 979 return 1; 980} 981 982/* Fetch IP, netmask from IPCP */ 983void 984radius_Account_Set_Ip(struct radacct *ac, struct in_addr *peer_ip, 985 struct in_addr *netmask) 986{ 987 ac->proto = PROTO_IPCP; 988 memcpy(&ac->peer.ip.addr, peer_ip, sizeof(ac->peer.ip.addr)); 989 memcpy(&ac->peer.ip.mask, netmask, sizeof(ac->peer.ip.mask)); 990} 991 992#ifndef NOINET6 993/* Fetch interface-id from IPV6CP */ 994void 995radius_Account_Set_Ipv6(struct radacct *ac, u_char *ifid) 996{ 997 ac->proto = PROTO_IPV6CP; 998 memcpy(&ac->peer.ipv6.ifid, ifid, sizeof(ac->peer.ipv6.ifid)); 999} 1000#endif 1001 1002/* 1003 * Send an accounting request to the RADIUS server 1004 */ 1005void 1006radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl, 1007 int acct_type, struct pppThroughput *stats) 1008{ 1009 struct timeval tv; 1010 int got; 1011 char hostname[MAXHOSTNAMELEN]; 1012#if 0 1013 struct hostent *hp; 1014 struct in_addr hostaddr; 1015#endif 1016 1017 if (!*r->cfg.file) 1018 return; 1019 1020 if (r->cx.fd != -1) 1021 /* 1022 * We assume that our name/key/challenge is the same as last time, 1023 * and just continue to wait for the RADIUS server(s). 1024 */ 1025 return; 1026 1027 timer_Stop(&r->cx.timer); 1028 1029 if ((r->cx.rad = rad_acct_open()) == NULL) { 1030 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); 1031 return; 1032 } 1033 1034 if (rad_config(r->cx.rad, r->cfg.file) != 0) { 1035 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); 1036 rad_close(r->cx.rad); 1037 return; 1038 } 1039 1040 if (rad_create_request(r->cx.rad, RAD_ACCOUNTING_REQUEST) != 0) { 1041 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); 1042 rad_close(r->cx.rad); 1043 return; 1044 } 1045 1046 /* Grab some accounting data and initialize structure */ 1047 if (acct_type == RAD_START) { 1048 ac->rad_parent = r; 1049 /* Fetch username from datalink */ 1050 strncpy(ac->user_name, dl->peer.authname, sizeof ac->user_name); 1051 ac->user_name[AUTHLEN-1] = '\0'; 1052 1053 ac->authentic = 2; /* Assume RADIUS verified auth data */ 1054 1055 /* Generate a session ID */ 1056 snprintf(ac->session_id, sizeof ac->session_id, "%s%ld-%s%lu", 1057 dl->bundle->cfg.auth.name, (long)getpid(), 1058 dl->peer.authname, (unsigned long)stats->uptime); 1059 1060 /* And grab our MP socket name */ 1061 snprintf(ac->multi_session_id, sizeof ac->multi_session_id, "%s", 1062 dl->bundle->ncp.mp.active ? 1063 dl->bundle->ncp.mp.server.socket.sun_path : ""); 1064 }; 1065 1066 if (rad_put_string(r->cx.rad, RAD_USER_NAME, ac->user_name) != 0 || 1067 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || 1068 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) { 1069 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 1070 rad_close(r->cx.rad); 1071 return; 1072 } 1073 switch (ac->proto) { 1074 case PROTO_IPCP: 1075 if (rad_put_addr(r->cx.rad, RAD_FRAMED_IP_ADDRESS, 1076 ac->peer.ip.addr) != 0 || \ 1077 rad_put_addr(r->cx.rad, RAD_FRAMED_IP_NETMASK, 1078 ac->peer.ip.mask) != 0) { 1079 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 1080 rad_close(r->cx.rad); 1081 return; 1082 } 1083 break; 1084#ifndef NOINET6 1085 case PROTO_IPV6CP: 1086 if (rad_put_attr(r->cx.rad, RAD_FRAMED_INTERFACE_ID, ac->peer.ipv6.ifid, 1087 sizeof(ac->peer.ipv6.ifid)) != 0) { 1088 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad)); 1089 rad_close(r->cx.rad); 1090 return; 1091 } 1092 if (r->ipv6prefix) { 1093 /* 1094 * Since PPP doesn't delegate an IPv6 prefix to a peer, 1095 * Framed-IPv6-Prefix may be not used, actually. 1096 */ 1097 if (rad_put_attr(r->cx.rad, RAD_FRAMED_IPV6_PREFIX, r->ipv6prefix, 1098 sizeof(struct in6_addr) + 2) != 0) { 1099 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad)); 1100 rad_close(r->cx.rad); 1101 return; 1102 } 1103 } 1104 break; 1105#endif 1106 default: 1107 /* We don't log any protocol specific information */ 1108 break; 1109 } 1110 1111 if (gethostname(hostname, sizeof hostname) != 0) 1112 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); 1113 else { 1114#if 0 1115 if ((hp = gethostbyname(hostname)) != NULL) { 1116 hostaddr.s_addr = *(u_long *)hp->h_addr; 1117 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { 1118 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 1119 rad_strerror(r->cx.rad)); 1120 rad_close(r->cx.rad); 1121 return; 1122 } 1123 } 1124#endif 1125 if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { 1126 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 1127 rad_strerror(r->cx.rad)); 1128 rad_close(r->cx.rad); 1129 return; 1130 } 1131 } 1132 1133 radius_put_physical_details(r->cx.rad, dl->physical); 1134 1135 if (rad_put_int(r->cx.rad, RAD_ACCT_STATUS_TYPE, acct_type) != 0 || 1136 rad_put_string(r->cx.rad, RAD_ACCT_SESSION_ID, ac->session_id) != 0 || 1137 rad_put_string(r->cx.rad, RAD_ACCT_MULTI_SESSION_ID, 1138 ac->multi_session_id) != 0 || 1139 rad_put_int(r->cx.rad, RAD_ACCT_DELAY_TIME, 0) != 0) { 1140/* XXX ACCT_DELAY_TIME should be increased each time a packet is waiting */ 1141 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 1142 rad_close(r->cx.rad); 1143 return; 1144 } 1145 1146 if (acct_type == RAD_STOP) 1147 /* Show some statistics */ 1148 if (rad_put_int(r->cx.rad, RAD_ACCT_INPUT_OCTETS, stats->OctetsIn % UINT32_MAX) != 0 || 1149 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_GIGAWORDS, stats->OctetsIn / UINT32_MAX) != 0 || 1150 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_PACKETS, stats->PacketsIn) != 0 || 1151 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_OCTETS, stats->OctetsOut % UINT32_MAX) != 0 || 1152 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_GIGAWORDS, stats->OctetsOut / UINT32_MAX) != 0 || 1153 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_PACKETS, stats->PacketsOut) 1154 != 0 || 1155 rad_put_int(r->cx.rad, RAD_ACCT_SESSION_TIME, throughput_uptime(stats)) 1156 != 0) { 1157 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 1158 rad_close(r->cx.rad); 1159 return; 1160 } 1161 1162 r->cx.auth = NULL; /* Not valid for accounting requests */ 1163 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) 1164 radius_Process(r, got); 1165 else { 1166 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); 1167 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 1168 r->cx.timer.func = radius_Timeout; 1169 r->cx.timer.name = "radius acct"; 1170 r->cx.timer.arg = r; 1171 timer_Start(&r->cx.timer); 1172 } 1173} 1174 1175/* 1176 * How do things look at the moment ? 1177 */ 1178void 1179radius_Show(struct radius *r, struct prompt *p) 1180{ 1181 prompt_Printf(p, " Radius config: %s", 1182 *r->cfg.file ? r->cfg.file : "none"); 1183 if (r->valid) { 1184 prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip)); 1185 prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask)); 1186 prompt_Printf(p, " MTU: %lu\n", r->mtu); 1187 prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis"); 1188 prompt_Printf(p, " Message: %s\n", r->repstr ? r->repstr : ""); 1189 prompt_Printf(p, " MPPE Enc Policy: %s\n", 1190 radius_policyname(r->mppe.policy)); 1191 prompt_Printf(p, " MPPE Enc Types: %s\n", 1192 radius_typesname(r->mppe.types)); 1193 prompt_Printf(p, " MPPE Recv Key: %seceived\n", 1194 r->mppe.recvkey ? "R" : "Not r"); 1195 prompt_Printf(p, " MPPE Send Key: %seceived\n", 1196 r->mppe.sendkey ? "R" : "Not r"); 1197 prompt_Printf(p, " MS-CHAP2-Response: %s\n", 1198 r->msrepstr ? r->msrepstr : ""); 1199 prompt_Printf(p, " Error Message: %s\n", r->errstr ? r->errstr : ""); 1200 if (r->routes) 1201 route_ShowSticky(p, r->routes, " Routes", 16); 1202#ifndef NOINET6 1203 if (r->ipv6routes) 1204 route_ShowSticky(p, r->ipv6routes, " IPv6 Routes", 16); 1205#endif 1206 } else 1207 prompt_Printf(p, " (not authenticated)\n"); 1208} 1209