radius.c revision 98132
1/* 2 * Copyright 1999 Internet Business Solutions Ltd., Switzerland 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/usr.sbin/ppp/radius.c 98132 2002-06-12 00:33:17Z brian $ 27 * 28 */ 29 30#include <sys/param.h> 31 32#include <sys/socket.h> 33#include <netinet/in_systm.h> 34#include <netinet/in.h> 35#include <netinet/ip.h> 36#include <arpa/inet.h> 37#include <sys/un.h> 38#include <net/route.h> 39 40#ifdef LOCALRAD 41#include "radlib.h" 42#include "radlib_vs.h" 43#else 44#include <radlib.h> 45#include <radlib_vs.h> 46#endif 47 48#include <errno.h> 49#ifndef NODES 50#include <md5.h> 51#endif 52#include <stdio.h> 53#include <stdlib.h> 54#include <string.h> 55#include <sys/time.h> 56#include <termios.h> 57#include <unistd.h> 58#include <netdb.h> 59 60#include "layer.h" 61#include "defs.h" 62#include "log.h" 63#include "descriptor.h" 64#include "prompt.h" 65#include "timer.h" 66#include "fsm.h" 67#include "iplist.h" 68#include "slcompress.h" 69#include "throughput.h" 70#include "lqr.h" 71#include "hdlc.h" 72#include "mbuf.h" 73#include "ncpaddr.h" 74#include "ip.h" 75#include "ipcp.h" 76#include "ipv6cp.h" 77#include "route.h" 78#include "command.h" 79#include "filter.h" 80#include "lcp.h" 81#include "ccp.h" 82#include "link.h" 83#include "mp.h" 84#include "radius.h" 85#include "auth.h" 86#include "async.h" 87#include "physical.h" 88#include "chat.h" 89#include "cbcp.h" 90#include "chap.h" 91#include "datalink.h" 92#include "ncp.h" 93#include "bundle.h" 94#include "proto.h" 95 96#ifndef NODES 97struct mschap_response { 98 u_char ident; 99 u_char flags; 100 u_char lm_response[24]; 101 u_char nt_response[24]; 102}; 103 104struct mschap2_response { 105 u_char ident; 106 u_char flags; 107 u_char pchallenge[16]; 108 u_char reserved[8]; 109 u_char response[24]; 110}; 111 112#define AUTH_LEN 16 113#define SALT_LEN 2 114#endif 115 116static const char * 117radius_policyname(int policy) 118{ 119 switch(policy) { 120 case MPPE_POLICY_ALLOWED: 121 return "Allowed"; 122 case MPPE_POLICY_REQUIRED: 123 return "Required"; 124 } 125 return NumStr(policy, NULL, 0); 126} 127 128static const char * 129radius_typesname(int types) 130{ 131 switch(types) { 132 case MPPE_TYPE_40BIT: 133 return "40 bit"; 134 case MPPE_TYPE_128BIT: 135 return "128 bit"; 136 case MPPE_TYPE_40BIT|MPPE_TYPE_128BIT: 137 return "40 or 128 bit"; 138 } 139 return NumStr(types, NULL, 0); 140} 141 142#ifndef NODES 143static void 144demangle(struct radius *r, const void *mangled, size_t mlen, 145 char **buf, size_t *len) 146{ 147 char R[AUTH_LEN]; /* variable names as per rfc2548 */ 148 const char *S; 149 u_char b[16]; 150 const u_char *A, *C; 151 MD5_CTX Context; 152 int Slen, i, Clen, Ppos; 153 u_char *P; 154 155 if (mlen % 16 != SALT_LEN) { 156 log_Printf(LogWARN, "Cannot interpret mangled data of length %ld\n", 157 (u_long)mlen); 158 *buf = NULL; 159 *len = 0; 160 return; 161 } 162 163 /* We need the RADIUS Request-Authenticator */ 164 if (rad_request_authenticator(r->cx.rad, R, sizeof R) != AUTH_LEN) { 165 log_Printf(LogWARN, "Cannot obtain the RADIUS request authenticator\n"); 166 *buf = NULL; 167 *len = 0; 168 return; 169 } 170 171 A = (const u_char *)mangled; /* Salt comes first */ 172 C = (const u_char *)mangled + SALT_LEN; /* Then the ciphertext */ 173 Clen = mlen - SALT_LEN; 174 S = rad_server_secret(r->cx.rad); /* We need the RADIUS secret */ 175 Slen = strlen(S); 176 P = alloca(Clen); /* We derive our plaintext */ 177 178 MD5Init(&Context); 179 MD5Update(&Context, S, Slen); 180 MD5Update(&Context, R, AUTH_LEN); 181 MD5Update(&Context, A, SALT_LEN); 182 MD5Final(b, &Context); 183 Ppos = 0; 184 185 while (Clen) { 186 Clen -= 16; 187 188 for (i = 0; i < 16; i++) 189 P[Ppos++] = C[i] ^ b[i]; 190 191 if (Clen) { 192 MD5Init(&Context); 193 MD5Update(&Context, S, Slen); 194 MD5Update(&Context, C, 16); 195 MD5Final(b, &Context); 196 } 197 198 C += 16; 199 } 200 201 /* 202 * The resulting plain text consists of a one-byte length, the text and 203 * maybe some padding. 204 */ 205 *len = *P; 206 if (*len > mlen - 1) { 207 log_Printf(LogWARN, "Mangled data seems to be garbage\n"); 208 *buf = NULL; 209 *len = 0; 210 return; 211 } 212 213 *buf = malloc(*len); 214 memcpy(*buf, P + 1, *len); 215log_Printf(LogWARN, "demangled %d bytes\n", *len); 216} 217#endif 218 219/* 220 * rad_continue_send_request() has given us `got' (non-zero). Deal with it. 221 */ 222static void 223radius_Process(struct radius *r, int got) 224{ 225 char *argv[MAXARGS], *nuke; 226 struct bundle *bundle; 227 int argc, addrs, res, width; 228 size_t len; 229 struct ncprange dest; 230 struct ncpaddr gw; 231 const void *data; 232 const char *stype; 233 u_int32_t ipaddr, vendor; 234 struct in_addr ip; 235 236 r->cx.fd = -1; /* Stop select()ing */ 237 stype = r->cx.auth ? "auth" : "acct"; 238 239 switch (got) { 240 case RAD_ACCESS_ACCEPT: 241 log_Printf(LogPHASE, "Radius(%s): ACCEPT received\n", stype); 242 if (!r->cx.auth) { 243 rad_close(r->cx.rad); 244 return; 245 } 246 break; 247 248 case RAD_ACCESS_REJECT: 249 log_Printf(LogPHASE, "Radius(%s): REJECT received\n", stype); 250 if (!r->cx.auth) { 251 rad_close(r->cx.rad); 252 return; 253 } 254 break; 255 256 case RAD_ACCESS_CHALLENGE: 257 /* we can't deal with this (for now) ! */ 258 log_Printf(LogPHASE, "Radius: CHALLENGE received (can't handle yet)\n"); 259 if (r->cx.auth) 260 auth_Failure(r->cx.auth); 261 rad_close(r->cx.rad); 262 return; 263 264 case RAD_ACCOUNTING_RESPONSE: 265 log_Printf(LogPHASE, "Radius(%s): Accounting response received\n", stype); 266 if (r->cx.auth) 267 auth_Failure(r->cx.auth); /* unexpected !!! */ 268 269 /* No further processing for accounting requests, please */ 270 rad_close(r->cx.rad); 271 return; 272 273 case -1: 274 log_Printf(LogPHASE, "radius(%s): %s\n", stype, rad_strerror(r->cx.rad)); 275 if (r->cx.auth) 276 auth_Failure(r->cx.auth); 277 rad_close(r->cx.rad); 278 return; 279 280 default: 281 log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype, 282 got, rad_strerror(r->cx.rad)); 283 if (r->cx.auth) 284 auth_Failure(r->cx.auth); 285 rad_close(r->cx.rad); 286 return; 287 } 288 289 /* Let's see what we've got in our reply */ 290 r->ip.s_addr = r->mask.s_addr = INADDR_NONE; 291 r->mtu = 0; 292 r->vj = 0; 293 while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) { 294 switch (res) { 295 case RAD_FRAMED_IP_ADDRESS: 296 r->ip = rad_cvt_addr(data); 297 log_Printf(LogPHASE, " IP %s\n", inet_ntoa(r->ip)); 298 break; 299 300 case RAD_FILTER_ID: 301 free(r->filterid); 302 if ((r->filterid = rad_cvt_string(data, len)) == NULL) { 303 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 304 auth_Failure(r->cx.auth); 305 rad_close(r->cx.rad); 306 return; 307 } 308 log_Printf(LogPHASE, " Filter \"%s\"\n", r->filterid); 309 break; 310 311 case RAD_SESSION_TIMEOUT: 312 r->sessiontime = rad_cvt_int(data); 313 log_Printf(LogPHASE, " Session-Timeout %lu\n", r->sessiontime); 314 break; 315 316 case RAD_FRAMED_IP_NETMASK: 317 r->mask = rad_cvt_addr(data); 318 log_Printf(LogPHASE, " Netmask %s\n", inet_ntoa(r->mask)); 319 break; 320 321 case RAD_FRAMED_MTU: 322 r->mtu = rad_cvt_int(data); 323 log_Printf(LogPHASE, " MTU %lu\n", r->mtu); 324 break; 325 326 case RAD_FRAMED_ROUTING: 327 /* Disabled for now - should we automatically set up some filters ? */ 328 /* rad_cvt_int(data); */ 329 /* bit 1 = Send routing packets */ 330 /* bit 2 = Receive routing packets */ 331 break; 332 333 case RAD_FRAMED_COMPRESSION: 334 r->vj = rad_cvt_int(data) == 1 ? 1 : 0; 335 log_Printf(LogPHASE, " VJ %sabled\n", r->vj ? "en" : "dis"); 336 break; 337 338 case RAD_FRAMED_ROUTE: 339 /* 340 * We expect a string of the format ``dest[/bits] gw [metrics]'' 341 * Any specified metrics are ignored. MYADDR and HISADDR are 342 * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same 343 * as ``HISADDR''. 344 */ 345 346 if ((nuke = rad_cvt_string(data, len)) == NULL) { 347 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 348 auth_Failure(r->cx.auth); 349 rad_close(r->cx.rad); 350 return; 351 } 352 353 log_Printf(LogPHASE, " Route: %s\n", nuke); 354 bundle = r->cx.auth->physical->dl->bundle; 355 ip.s_addr = INADDR_ANY; 356 ncprange_setip4host(&dest, ip); 357 argc = command_Interpret(nuke, strlen(nuke), argv); 358 if (argc < 0) 359 log_Printf(LogWARN, "radius: %s: Syntax error\n", 360 argc == 1 ? argv[0] : "\"\""); 361 else if (argc < 2) 362 log_Printf(LogWARN, "radius: %s: Invalid route\n", 363 argc == 1 ? argv[0] : "\"\""); 364 else if ((strcasecmp(argv[0], "default") != 0 && 365 !ncprange_aton(&dest, &bundle->ncp, argv[0])) || 366 !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) 367 log_Printf(LogWARN, "radius: %s %s: Invalid route\n", 368 argv[0], argv[1]); 369 else { 370 ncprange_getwidth(&dest, &width); 371 if (width == 32 && strchr(argv[0], '/') == NULL) { 372 /* No mask specified - use the natural mask */ 373 ncprange_getip4addr(&dest, &ip); 374 ncprange_setip4mask(&dest, addr2mask(ip)); 375 } 376 addrs = 0; 377 378 if (!strncasecmp(argv[0], "HISADDR", 7)) 379 addrs = ROUTE_DSTHISADDR; 380 else if (!strncasecmp(argv[0], "MYADDR", 6)) 381 addrs = ROUTE_DSTMYADDR; 382 383 if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) { 384 addrs |= ROUTE_GWHISADDR; 385 ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip); 386 } else if (strcasecmp(argv[1], "HISADDR") == 0) 387 addrs |= ROUTE_GWHISADDR; 388 389 route_Add(&r->routes, addrs, &dest, &gw); 390 } 391 free(nuke); 392 break; 393 394 case RAD_REPLY_MESSAGE: 395 free(r->repstr); 396 if ((r->repstr = rad_cvt_string(data, len)) == NULL) { 397 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); 398 auth_Failure(r->cx.auth); 399 rad_close(r->cx.rad); 400 return; 401 } 402 log_Printf(LogPHASE, " Reply-Message \"%s\"\n", r->repstr); 403 break; 404 405 case RAD_VENDOR_SPECIFIC: 406 if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) { 407 log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n", 408 rad_strerror(r->cx.rad)); 409 auth_Failure(r->cx.auth); 410 rad_close(r->cx.rad); 411 return; 412 } 413 414 switch (vendor) { 415 case RAD_VENDOR_MICROSOFT: 416 switch (res) { 417#ifndef NODES 418 case RAD_MICROSOFT_MS_CHAP_ERROR: 419 free(r->errstr); 420 if ((r->errstr = rad_cvt_string(data, len)) == NULL) { 421 log_Printf(LogERROR, "rad_cvt_string: %s\n", 422 rad_strerror(r->cx.rad)); 423 auth_Failure(r->cx.auth); 424 rad_close(r->cx.rad); 425 return; 426 } 427 log_Printf(LogPHASE, " MS-CHAP-Error \"%s\"\n", r->errstr); 428 break; 429 430 case RAD_MICROSOFT_MS_CHAP2_SUCCESS: 431 free(r->msrepstr); 432 if ((r->msrepstr = rad_cvt_string(data, len)) == NULL) { 433 log_Printf(LogERROR, "rad_cvt_string: %s\n", 434 rad_strerror(r->cx.rad)); 435 auth_Failure(r->cx.auth); 436 rad_close(r->cx.rad); 437 return; 438 } 439 log_Printf(LogPHASE, " MS-CHAP2-Success \"%s\"\n", r->msrepstr); 440 break; 441 442 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY: 443 r->mppe.policy = rad_cvt_int(data); 444 log_Printf(LogPHASE, " MS-MPPE-Encryption-Policy %s\n", 445 radius_policyname(r->mppe.policy)); 446 break; 447 448 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES: 449 r->mppe.types = rad_cvt_int(data); 450 log_Printf(LogPHASE, " MS-MPPE-Encryption-Types %s\n", 451 radius_typesname(r->mppe.types)); 452 break; 453 454 case RAD_MICROSOFT_MS_MPPE_RECV_KEY: 455 free(r->mppe.recvkey); 456 demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen); 457 log_Printf(LogPHASE, " MS-MPPE-Recv-Key ********\n"); 458 break; 459 460 case RAD_MICROSOFT_MS_MPPE_SEND_KEY: 461 demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen); 462 log_Printf(LogPHASE, " MS-MPPE-Send-Key ********\n"); 463 break; 464#endif 465 466 default: 467 log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific " 468 "RADIUS attribute %d\n", res); 469 break; 470 } 471 break; 472 473 default: 474 log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n", 475 (unsigned long)vendor, res); 476 break; 477 } 478 break; 479 480 default: 481 log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res); 482 break; 483 } 484 } 485 486 if (res == -1) { 487 log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n", 488 rad_strerror(r->cx.rad)); 489 auth_Failure(r->cx.auth); 490 } else if (got == RAD_ACCESS_REJECT) 491 auth_Failure(r->cx.auth); 492 else { 493 r->valid = 1; 494 auth_Success(r->cx.auth); 495 } 496 rad_close(r->cx.rad); 497} 498 499/* 500 * We've either timed out or select()ed on the read descriptor 501 */ 502static void 503radius_Continue(struct radius *r, int sel) 504{ 505 struct timeval tv; 506 int got; 507 508 timer_Stop(&r->cx.timer); 509 if ((got = rad_continue_send_request(r->cx.rad, sel, &r->cx.fd, &tv)) == 0) { 510 log_Printf(LogPHASE, "Radius: Request re-sent\n"); 511 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 512 timer_Start(&r->cx.timer); 513 return; 514 } 515 516 radius_Process(r, got); 517} 518 519/* 520 * Time to call rad_continue_send_request() - timed out. 521 */ 522static void 523radius_Timeout(void *v) 524{ 525 radius_Continue((struct radius *)v, 0); 526} 527 528/* 529 * Time to call rad_continue_send_request() - something to read. 530 */ 531static void 532radius_Read(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 533{ 534 radius_Continue(descriptor2radius(d), 1); 535} 536 537/* 538 * Behave as a struct fdescriptor (descriptor.h) 539 */ 540static int 541radius_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w, fd_set *e, int *n) 542{ 543 struct radius *rad = descriptor2radius(d); 544 545 if (r && rad->cx.fd != -1) { 546 FD_SET(rad->cx.fd, r); 547 if (*n < rad->cx.fd + 1) 548 *n = rad->cx.fd + 1; 549 log_Printf(LogTIMER, "Radius: fdset(r) %d\n", rad->cx.fd); 550 return 1; 551 } 552 553 return 0; 554} 555 556/* 557 * Behave as a struct fdescriptor (descriptor.h) 558 */ 559static int 560radius_IsSet(struct fdescriptor *d, const fd_set *fdset) 561{ 562 struct radius *r = descriptor2radius(d); 563 564 return r && r->cx.fd != -1 && FD_ISSET(r->cx.fd, fdset); 565} 566 567/* 568 * Behave as a struct fdescriptor (descriptor.h) 569 */ 570static int 571radius_Write(struct fdescriptor *d, struct bundle *bundle, const fd_set *fdset) 572{ 573 /* We never want to write here ! */ 574 log_Printf(LogALERT, "radius_Write: Internal error: Bad call !\n"); 575 return 0; 576} 577 578/* 579 * Initialise ourselves 580 */ 581void 582radius_Init(struct radius *r) 583{ 584 r->desc.type = RADIUS_DESCRIPTOR; 585 r->desc.UpdateSet = radius_UpdateSet; 586 r->desc.IsSet = radius_IsSet; 587 r->desc.Read = radius_Read; 588 r->desc.Write = radius_Write; 589 r->cx.fd = -1; 590 r->cx.rad = NULL; 591 memset(&r->cx.timer, '\0', sizeof r->cx.timer); 592 r->cx.auth = NULL; 593 r->valid = 0; 594 r->vj = 0; 595 r->ip.s_addr = INADDR_ANY; 596 r->mask.s_addr = INADDR_NONE; 597 r->routes = NULL; 598 r->mtu = DEF_MTU; 599 r->msrepstr = NULL; 600 r->repstr = NULL; 601 r->errstr = NULL; 602 r->mppe.policy = 0; 603 r->mppe.types = 0; 604 r->mppe.recvkey = NULL; 605 r->mppe.recvkeylen = 0; 606 r->mppe.sendkey = NULL; 607 r->mppe.sendkeylen = 0; 608 *r->cfg.file = '\0';; 609 log_Printf(LogDEBUG, "Radius: radius_Init\n"); 610} 611 612/* 613 * Forget everything and go back to initialised state. 614 */ 615void 616radius_Destroy(struct radius *r) 617{ 618 r->valid = 0; 619 log_Printf(LogDEBUG, "Radius: radius_Destroy\n"); 620 timer_Stop(&r->cx.timer); 621 route_DeleteAll(&r->routes); 622 free(r->filterid); 623 r->filterid = NULL; 624 free(r->msrepstr); 625 r->msrepstr = NULL; 626 free(r->repstr); 627 r->repstr = NULL; 628 free(r->errstr); 629 r->errstr = NULL; 630 free(r->mppe.recvkey); 631 r->mppe.recvkey = NULL; 632 r->mppe.recvkeylen = 0; 633 free(r->mppe.sendkey); 634 r->mppe.sendkey = NULL; 635 r->mppe.sendkeylen = 0; 636 if (r->cx.fd != -1) { 637 r->cx.fd = -1; 638 rad_close(r->cx.rad); 639 } 640} 641 642static int 643radius_put_physical_details(struct rad_handle *rad, struct physical *p) 644{ 645 int slot, type; 646 647 type = RAD_VIRTUAL; 648 if (p->handler) 649 switch (p->handler->type) { 650 case I4B_DEVICE: 651 type = RAD_ISDN_SYNC; 652 break; 653 654 case TTY_DEVICE: 655 type = RAD_ASYNC; 656 break; 657 658 case ETHER_DEVICE: 659 type = RAD_ETHERNET; 660 break; 661 662 case TCP_DEVICE: 663 case UDP_DEVICE: 664 case EXEC_DEVICE: 665 case ATM_DEVICE: 666 case NG_DEVICE: 667 type = RAD_VIRTUAL; 668 break; 669 } 670 671 if (rad_put_int(rad, RAD_NAS_PORT_TYPE, type) != 0) { 672 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad)); 673 rad_close(rad); 674 return 0; 675 } 676 677 if ((slot = physical_Slot(p)) >= 0) 678 if (rad_put_int(rad, RAD_NAS_PORT, slot) != 0) { 679 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad)); 680 rad_close(rad); 681 return 0; 682 } 683 684 return 1; 685} 686 687/* 688 * Start an authentication request to the RADIUS server. 689 */ 690int 691radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name, 692 const char *key, int klen, const char *nchallenge, 693 int nclen, const char *pchallenge, int pclen) 694{ 695 struct timeval tv; 696 int got; 697 char hostname[MAXHOSTNAMELEN]; 698#if 0 699 struct hostent *hp; 700 struct in_addr hostaddr; 701#endif 702#ifndef NODES 703 struct mschap_response msresp; 704 struct mschap2_response msresp2; 705#endif 706 707 if (!*r->cfg.file) 708 return 0; 709 710 if (r->cx.fd != -1) 711 /* 712 * We assume that our name/key/challenge is the same as last time, 713 * and just continue to wait for the RADIUS server(s). 714 */ 715 return 1; 716 717 radius_Destroy(r); 718 719 if ((r->cx.rad = rad_auth_open()) == NULL) { 720 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); 721 return 0; 722 } 723 724 if (rad_config(r->cx.rad, r->cfg.file) != 0) { 725 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); 726 rad_close(r->cx.rad); 727 return 0; 728 } 729 730 if (rad_create_request(r->cx.rad, RAD_ACCESS_REQUEST) != 0) { 731 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); 732 rad_close(r->cx.rad); 733 return 0; 734 } 735 736 if (rad_put_string(r->cx.rad, RAD_USER_NAME, name) != 0 || 737 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || 738 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) { 739 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 740 rad_close(r->cx.rad); 741 return 0; 742 } 743 744 switch (authp->physical->link.lcp.want_auth) { 745 case PROTO_PAP: 746 /* We're talking PAP */ 747 if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) { 748 log_Printf(LogERROR, "PAP: rad_put_string: %s\n", 749 rad_strerror(r->cx.rad)); 750 rad_close(r->cx.rad); 751 return 0; 752 } 753 break; 754 755 case PROTO_CHAP: 756 switch (authp->physical->link.lcp.want_authtype) { 757 case 0x5: 758 if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 || 759 rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, nchallenge, nclen) != 0) { 760 log_Printf(LogERROR, "CHAP: rad_put_string: %s\n", 761 rad_strerror(r->cx.rad)); 762 rad_close(r->cx.rad); 763 return 0; 764 } 765 break; 766 767#ifndef NODES 768 case 0x80: 769 if (klen != 50) { 770 log_Printf(LogERROR, "CHAP80: Unrecognised key length %d\n", klen); 771 rad_close(r->cx.rad); 772 return 0; 773 } 774 775 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 776 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); 777 msresp.ident = *key; 778 msresp.flags = 0x01; 779 memcpy(msresp.lm_response, key + 1, 24); 780 memcpy(msresp.nt_response, key + 25, 24); 781 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 782 RAD_MICROSOFT_MS_CHAP_RESPONSE, &msresp, 783 sizeof msresp); 784 break; 785 786 case 0x81: 787 if (klen != 50) { 788 log_Printf(LogERROR, "CHAP81: Unrecognised key length %d\n", klen); 789 rad_close(r->cx.rad); 790 return 0; 791 } 792 793 if (pclen != sizeof msresp2.pchallenge) { 794 log_Printf(LogERROR, "CHAP81: Unrecognised peer challenge length %d\n", 795 pclen); 796 rad_close(r->cx.rad); 797 return 0; 798 } 799 800 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 801 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen); 802 msresp2.ident = *key; 803 msresp2.flags = 0x00; 804 memcpy(msresp2.response, key + 25, 24); 805 memset(msresp2.reserved, '\0', sizeof msresp2.reserved); 806 memcpy(msresp2.pchallenge, pchallenge, pclen); 807 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT, 808 RAD_MICROSOFT_MS_CHAP2_RESPONSE, &msresp2, 809 sizeof msresp2); 810 break; 811#endif 812 default: 813 log_Printf(LogERROR, "CHAP: Unrecognised type 0x%02x\n", 814 authp->physical->link.lcp.want_authtype); 815 rad_close(r->cx.rad); 816 return 0; 817 } 818 } 819 820 if (gethostname(hostname, sizeof hostname) != 0) 821 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); 822 else { 823#if 0 824 if ((hp = gethostbyname(hostname)) != NULL) { 825 hostaddr.s_addr = *(u_long *)hp->h_addr; 826 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { 827 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 828 rad_strerror(r->cx.rad)); 829 rad_close(r->cx.rad); 830 return 0; 831 } 832 } 833#endif 834 if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { 835 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 836 rad_strerror(r->cx.rad)); 837 rad_close(r->cx.rad); 838 return 0; 839 } 840 } 841 842 radius_put_physical_details(r->cx.rad, authp->physical); 843 844 r->cx.auth = authp; 845 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) 846 radius_Process(r, got); 847 else { 848 log_Printf(LogPHASE, "Radius: Request sent\n"); 849 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); 850 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 851 r->cx.timer.func = radius_Timeout; 852 r->cx.timer.name = "radius auth"; 853 r->cx.timer.arg = r; 854 timer_Start(&r->cx.timer); 855 } 856 857 return 1; 858} 859 860/* 861 * Send an accounting request to the RADIUS server 862 */ 863void 864radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl, 865 int acct_type, struct in_addr *peer_ip, struct in_addr *netmask, 866 struct pppThroughput *stats) 867{ 868 struct timeval tv; 869 int got; 870 char hostname[MAXHOSTNAMELEN]; 871#if 0 872 struct hostent *hp; 873 struct in_addr hostaddr; 874#endif 875 876 if (!*r->cfg.file) 877 return; 878 879 if (r->cx.fd != -1) 880 /* 881 * We assume that our name/key/challenge is the same as last time, 882 * and just continue to wait for the RADIUS server(s). 883 */ 884 return; 885 886 timer_Stop(&r->cx.timer); 887 888 if ((r->cx.rad = rad_acct_open()) == NULL) { 889 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno)); 890 return; 891 } 892 893 if (rad_config(r->cx.rad, r->cfg.file) != 0) { 894 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad)); 895 rad_close(r->cx.rad); 896 return; 897 } 898 899 if (rad_create_request(r->cx.rad, RAD_ACCOUNTING_REQUEST) != 0) { 900 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad)); 901 rad_close(r->cx.rad); 902 return; 903 } 904 905 /* Grab some accounting data and initialize structure */ 906 if (acct_type == RAD_START) { 907 ac->rad_parent = r; 908 /* Fetch username from datalink */ 909 strncpy(ac->user_name, dl->peer.authname, sizeof ac->user_name); 910 ac->user_name[AUTHLEN-1] = '\0'; 911 912 ac->authentic = 2; /* Assume RADIUS verified auth data */ 913 914 /* Generate a session ID */ 915 snprintf(ac->session_id, sizeof ac->session_id, "%s%ld-%s%lu", 916 dl->bundle->cfg.auth.name, (long)getpid(), 917 dl->peer.authname, (unsigned long)stats->uptime); 918 919 /* And grab our MP socket name */ 920 snprintf(ac->multi_session_id, sizeof ac->multi_session_id, "%s", 921 dl->bundle->ncp.mp.active ? 922 dl->bundle->ncp.mp.server.socket.sun_path : ""); 923 924 /* Fetch IP, netmask from IPCP */ 925 memcpy(&ac->ip, peer_ip, sizeof(ac->ip)); 926 memcpy(&ac->mask, netmask, sizeof(ac->mask)); 927 }; 928 929 if (rad_put_string(r->cx.rad, RAD_USER_NAME, ac->user_name) != 0 || 930 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 || 931 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0 || 932 rad_put_addr(r->cx.rad, RAD_FRAMED_IP_ADDRESS, ac->ip) != 0 || 933 rad_put_addr(r->cx.rad, RAD_FRAMED_IP_NETMASK, ac->mask) != 0) { 934 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 935 rad_close(r->cx.rad); 936 return; 937 } 938 939 if (gethostname(hostname, sizeof hostname) != 0) 940 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno)); 941 else { 942#if 0 943 if ((hp = gethostbyname(hostname)) != NULL) { 944 hostaddr.s_addr = *(u_long *)hp->h_addr; 945 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) { 946 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 947 rad_strerror(r->cx.rad)); 948 rad_close(r->cx.rad); 949 return; 950 } 951 } 952#endif 953 if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) { 954 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n", 955 rad_strerror(r->cx.rad)); 956 rad_close(r->cx.rad); 957 return; 958 } 959 } 960 961 radius_put_physical_details(r->cx.rad, dl->physical); 962 963 if (rad_put_int(r->cx.rad, RAD_ACCT_STATUS_TYPE, acct_type) != 0 || 964 rad_put_string(r->cx.rad, RAD_ACCT_SESSION_ID, ac->session_id) != 0 || 965 rad_put_string(r->cx.rad, RAD_ACCT_MULTI_SESSION_ID, 966 ac->multi_session_id) != 0 || 967 rad_put_int(r->cx.rad, RAD_ACCT_DELAY_TIME, 0) != 0) { 968/* XXX ACCT_DELAY_TIME should be increased each time a packet is waiting */ 969 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 970 rad_close(r->cx.rad); 971 return; 972 } 973 974 if (acct_type == RAD_STOP) 975 /* Show some statistics */ 976 if (rad_put_int(r->cx.rad, RAD_ACCT_INPUT_OCTETS, stats->OctetsIn) != 0 || 977 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_PACKETS, stats->PacketsIn) != 0 || 978 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_OCTETS, stats->OctetsOut) != 0 || 979 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_PACKETS, stats->PacketsOut) 980 != 0 || 981 rad_put_int(r->cx.rad, RAD_ACCT_SESSION_TIME, throughput_uptime(stats)) 982 != 0) { 983 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad)); 984 rad_close(r->cx.rad); 985 return; 986 } 987 988 r->cx.auth = NULL; /* Not valid for accounting requests */ 989 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv))) 990 radius_Process(r, got); 991 else { 992 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout); 993 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS; 994 r->cx.timer.func = radius_Timeout; 995 r->cx.timer.name = "radius acct"; 996 r->cx.timer.arg = r; 997 timer_Start(&r->cx.timer); 998 } 999} 1000 1001/* 1002 * How do things look at the moment ? 1003 */ 1004void 1005radius_Show(struct radius *r, struct prompt *p) 1006{ 1007 prompt_Printf(p, " Radius config: %s", 1008 *r->cfg.file ? r->cfg.file : "none"); 1009 if (r->valid) { 1010 prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip)); 1011 prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask)); 1012 prompt_Printf(p, " MTU: %lu\n", r->mtu); 1013 prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis"); 1014 prompt_Printf(p, " Message: %s\n", r->repstr ? r->repstr : ""); 1015 prompt_Printf(p, " MPPE Enc Policy: %s\n", 1016 radius_policyname(r->mppe.policy)); 1017 prompt_Printf(p, " MPPE Enc Types: %s\n", 1018 radius_typesname(r->mppe.types)); 1019 prompt_Printf(p, " MPPE Recv Key: %seceived\n", 1020 r->mppe.recvkey ? "R" : "Not r"); 1021 prompt_Printf(p, " MPPE Send Key: %seceived\n", 1022 r->mppe.sendkey ? "R" : "Not r"); 1023 prompt_Printf(p, " MS-CHAP2-Response: %s\n", 1024 r->msrepstr ? r->msrepstr : ""); 1025 prompt_Printf(p, " Error Message: %s\n", r->errstr ? r->errstr : ""); 1026 if (r->routes) 1027 route_ShowSticky(p, r->routes, " Routes", 16); 1028 } else 1029 prompt_Printf(p, " (not authenticated)\n"); 1030} 1031