1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright 1999 Internet Business Solutions Ltd., Switzerland
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 * $FreeBSD$
29 *
30 */
31
32 #include <stdint.h>
33 #include <sys/param.h>
34
35 #include <sys/select.h>
36 #include <sys/socket.h>
37 #include <netinet/in_systm.h>
38 #include <netinet/in.h>
39 #include <netinet/ip.h>
40 #include <arpa/inet.h>
41 #include <sys/un.h>
42 #include <net/route.h>
43
44 #ifdef LOCALRAD
45 #include "radlib.h"
46 #include "radlib_vs.h"
47 #else
48 #include <radlib.h>
49 #include <radlib_vs.h>
50 #endif
51
52 #include <errno.h>
53 #ifndef NODES
54 #include <md5.h>
55 #endif
56 #include <stdarg.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <sys/time.h>
61 #include <termios.h>
62 #include <unistd.h>
63 #include <netdb.h>
64
65 #include "layer.h"
66 #include "defs.h"
67 #include "log.h"
68 #include "descriptor.h"
69 #include "prompt.h"
70 #include "timer.h"
71 #include "fsm.h"
72 #include "iplist.h"
73 #include "slcompress.h"
74 #include "throughput.h"
75 #include "lqr.h"
76 #include "hdlc.h"
77 #include "mbuf.h"
78 #include "ncpaddr.h"
79 #include "ip.h"
80 #include "ipcp.h"
81 #include "ipv6cp.h"
82 #include "route.h"
83 #include "command.h"
84 #include "filter.h"
85 #include "lcp.h"
86 #include "ccp.h"
87 #include "link.h"
88 #include "mp.h"
89 #include "radius.h"
90 #include "auth.h"
91 #include "async.h"
92 #include "physical.h"
93 #include "chat.h"
94 #include "cbcp.h"
95 #include "chap.h"
96 #include "datalink.h"
97 #include "ncp.h"
98 #include "bundle.h"
99 #include "proto.h"
100 #include "iface.h"
101
102 #ifndef NODES
103 struct mschap_response {
104 u_char ident;
105 u_char flags;
106 u_char lm_response[24];
107 u_char nt_response[24];
108 };
109
110 struct mschap2_response {
111 u_char ident;
112 u_char flags;
113 u_char pchallenge[16];
114 u_char reserved[8];
115 u_char response[24];
116 };
117
118 #define AUTH_LEN 16
119 #define SALT_LEN 2
120 #endif
121
122 static const char *
radius_policyname(int policy)123 radius_policyname(int policy)
124 {
125 switch(policy) {
126 case MPPE_POLICY_ALLOWED:
127 return "Allowed";
128 case MPPE_POLICY_REQUIRED:
129 return "Required";
130 }
131 return NumStr(policy, NULL, 0);
132 }
133
134 static const char *
radius_typesname(int types)135 radius_typesname(int types)
136 {
137 switch(types) {
138 case MPPE_TYPE_40BIT:
139 return "40 bit";
140 case MPPE_TYPE_128BIT:
141 return "128 bit";
142 case MPPE_TYPE_40BIT|MPPE_TYPE_128BIT:
143 return "40 or 128 bit";
144 }
145 return NumStr(types, NULL, 0);
146 }
147
148 #ifndef NODES
149 static void
demangle(struct radius * r,const void * mangled,size_t mlen,char ** buf,size_t * len)150 demangle(struct radius *r, const void *mangled, size_t mlen,
151 char **buf, size_t *len)
152 {
153 char R[AUTH_LEN]; /* variable names as per rfc2548 */
154 const char *S;
155 u_char b[16];
156 const u_char *A, *C;
157 MD5_CTX Context;
158 int Slen, i, Clen, Ppos;
159 u_char *P;
160
161 if (mlen % 16 != SALT_LEN) {
162 log_Printf(LogWARN, "Cannot interpret mangled data of length %ld\n",
163 (u_long)mlen);
164 *buf = NULL;
165 *len = 0;
166 return;
167 }
168
169 /* We need the RADIUS Request-Authenticator */
170 if (rad_request_authenticator(r->cx.rad, R, sizeof R) != AUTH_LEN) {
171 log_Printf(LogWARN, "Cannot obtain the RADIUS request authenticator\n");
172 *buf = NULL;
173 *len = 0;
174 return;
175 }
176
177 A = (const u_char *)mangled; /* Salt comes first */
178 C = (const u_char *)mangled + SALT_LEN; /* Then the ciphertext */
179 Clen = mlen - SALT_LEN;
180 S = rad_server_secret(r->cx.rad); /* We need the RADIUS secret */
181 Slen = strlen(S);
182 P = alloca(Clen); /* We derive our plaintext */
183
184 MD5Init(&Context);
185 MD5Update(&Context, S, Slen);
186 MD5Update(&Context, R, AUTH_LEN);
187 MD5Update(&Context, A, SALT_LEN);
188 MD5Final(b, &Context);
189 Ppos = 0;
190
191 while (Clen) {
192 Clen -= 16;
193
194 for (i = 0; i < 16; i++)
195 P[Ppos++] = C[i] ^ b[i];
196
197 if (Clen) {
198 MD5Init(&Context);
199 MD5Update(&Context, S, Slen);
200 MD5Update(&Context, C, 16);
201 MD5Final(b, &Context);
202 }
203
204 C += 16;
205 }
206
207 /*
208 * The resulting plain text consists of a one-byte length, the text and
209 * maybe some padding.
210 */
211 *len = *P;
212 if (*len > mlen - 1) {
213 log_Printf(LogWARN, "Mangled data seems to be garbage\n");
214 *buf = NULL;
215 *len = 0;
216 return;
217 }
218
219 if ((*buf = malloc(*len)) == NULL) {
220 log_Printf(LogWARN, "demangle: Out of memory (%lu bytes)\n", (u_long)*len);
221 *len = 0;
222 } else
223 memcpy(*buf, P + 1, *len);
224 }
225 #endif
226
227 /* XXX: This should go into librarius. */
228 #ifndef NOINET6
229 static uint8_t *
rad_cvt_ipv6prefix(const void * data,size_t len)230 rad_cvt_ipv6prefix(const void *data, size_t len)
231 {
232 const size_t ipv6len = sizeof(struct in6_addr) + 2;
233 uint8_t *s;
234
235 if (len > ipv6len)
236 return NULL;
237 s = malloc(ipv6len);
238 if (s != NULL) {
239 memset(s, 0, ipv6len);
240 memcpy(s, data, len);
241 }
242 return s;
243 }
244 #endif
245
246 /*
247 * rad_continue_send_request() has given us `got' (non-zero). Deal with it.
248 */
249 static void
radius_Process(struct radius * r,int got)250 radius_Process(struct radius *r, int got)
251 {
252 char *argv[MAXARGS], *nuke;
253 struct bundle *bundle;
254 int argc, addrs, res, width;
255 size_t len;
256 struct ncprange dest;
257 struct ncpaddr gw;
258 const void *data;
259 const char *stype;
260 u_int32_t ipaddr, vendor;
261 struct in_addr ip;
262 #ifndef NOINET6
263 uint8_t ipv6addr[INET6_ADDRSTRLEN];
264 struct in6_addr ip6;
265 #endif
266
267 r->cx.fd = -1; /* Stop select()ing */
268 stype = r->cx.auth ? "auth" : "acct";
269
270 switch (got) {
271 case RAD_ACCESS_ACCEPT:
272 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
273 "Radius(%s): ACCEPT received\n", stype);
274 if (!r->cx.auth) {
275 rad_close(r->cx.rad);
276 return;
277 }
278 break;
279
280 case RAD_ACCESS_REJECT:
281 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
282 "Radius(%s): REJECT received\n", stype);
283 if (!r->cx.auth) {
284 rad_close(r->cx.rad);
285 return;
286 }
287 break;
288
289 case RAD_ACCESS_CHALLENGE:
290 /* we can't deal with this (for now) ! */
291 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
292 "Radius: CHALLENGE received (can't handle yet)\n");
293 if (r->cx.auth)
294 auth_Failure(r->cx.auth);
295 rad_close(r->cx.rad);
296 return;
297
298 case RAD_ACCOUNTING_RESPONSE:
299 /*
300 * It's probably not ideal to log this at PHASE level as we'll see
301 * too much stuff going to the log when ``set rad_alive'' is used.
302 * So we differ from older behaviour (ppp version 3.1 and before)
303 * and just log accounting responses to LogRADIUS.
304 */
305 log_Printf(LogRADIUS, "Radius(%s): Accounting response received\n",
306 stype);
307 if (r->cx.auth)
308 auth_Failure(r->cx.auth); /* unexpected !!! */
309
310 /* No further processing for accounting requests, please */
311 rad_close(r->cx.rad);
312 return;
313
314 case -1:
315 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
316 "radius(%s): %s\n", stype, rad_strerror(r->cx.rad));
317 if (r->cx.auth)
318 auth_Failure(r->cx.auth);
319 rad_close(r->cx.rad);
320 return;
321
322 default:
323 log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype,
324 got, rad_strerror(r->cx.rad));
325 if (r->cx.auth)
326 auth_Failure(r->cx.auth);
327 rad_close(r->cx.rad);
328 return;
329 }
330
331 /* Let's see what we've got in our reply */
332 r->ip.s_addr = r->mask.s_addr = INADDR_NONE;
333 r->mtu = 0;
334 r->vj = 0;
335 while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) {
336 switch (res) {
337 case RAD_FRAMED_IP_ADDRESS:
338 r->ip = rad_cvt_addr(data);
339 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
340 " IP %s\n", inet_ntoa(r->ip));
341 break;
342
343 case RAD_FILTER_ID:
344 free(r->filterid);
345 if ((r->filterid = rad_cvt_string(data, len)) == NULL) {
346 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
347 auth_Failure(r->cx.auth);
348 rad_close(r->cx.rad);
349 return;
350 }
351 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
352 " Filter \"%s\"\n", r->filterid);
353 break;
354
355 case RAD_SESSION_TIMEOUT:
356 r->sessiontime = rad_cvt_int(data);
357 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
358 " Session-Timeout %lu\n", r->sessiontime);
359 break;
360
361 case RAD_FRAMED_IP_NETMASK:
362 r->mask = rad_cvt_addr(data);
363 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
364 " Netmask %s\n", inet_ntoa(r->mask));
365 break;
366
367 case RAD_FRAMED_MTU:
368 r->mtu = rad_cvt_int(data);
369 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
370 " MTU %lu\n", r->mtu);
371 break;
372
373 case RAD_FRAMED_ROUTING:
374 /* Disabled for now - should we automatically set up some filters ? */
375 /* rad_cvt_int(data); */
376 /* bit 1 = Send routing packets */
377 /* bit 2 = Receive routing packets */
378 break;
379
380 case RAD_FRAMED_COMPRESSION:
381 r->vj = rad_cvt_int(data) == 1 ? 1 : 0;
382 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
383 " VJ %sabled\n", r->vj ? "en" : "dis");
384 break;
385
386 case RAD_FRAMED_ROUTE:
387 /*
388 * We expect a string of the format ``dest[/bits] gw [metrics]''
389 * Any specified metrics are ignored. MYADDR and HISADDR are
390 * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same
391 * as ``HISADDR''.
392 */
393
394 if ((nuke = rad_cvt_string(data, len)) == NULL) {
395 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
396 auth_Failure(r->cx.auth);
397 rad_close(r->cx.rad);
398 return;
399 }
400
401 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
402 " Route: %s\n", nuke);
403 bundle = r->cx.auth->physical->dl->bundle;
404 ip.s_addr = INADDR_ANY;
405 ncpaddr_setip4(&gw, ip);
406 ncprange_setip4host(&dest, ip);
407 argc = command_Interpret(nuke, strlen(nuke), argv);
408 if (argc < 0)
409 log_Printf(LogWARN, "radius: %s: Syntax error\n",
410 argc == 1 ? argv[0] : "\"\"");
411 else if (argc < 2)
412 log_Printf(LogWARN, "radius: %s: Invalid route\n",
413 argc == 1 ? argv[0] : "\"\"");
414 else if ((strcasecmp(argv[0], "default") != 0 &&
415 !ncprange_aton(&dest, &bundle->ncp, argv[0])) ||
416 !ncpaddr_aton(&gw, &bundle->ncp, argv[1]))
417 log_Printf(LogWARN, "radius: %s %s: Invalid route\n",
418 argv[0], argv[1]);
419 else {
420 ncprange_getwidth(&dest, &width);
421 if (width == 32 && strchr(argv[0], '/') == NULL) {
422 /* No mask specified - use the natural mask */
423 ncprange_getip4addr(&dest, &ip);
424 ncprange_setip4mask(&dest, addr2mask(ip));
425 }
426 addrs = 0;
427
428 if (!strncasecmp(argv[0], "HISADDR", 7))
429 addrs = ROUTE_DSTHISADDR;
430 else if (!strncasecmp(argv[0], "MYADDR", 6))
431 addrs = ROUTE_DSTMYADDR;
432
433 if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) {
434 addrs |= ROUTE_GWHISADDR;
435 ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip);
436 } else if (strcasecmp(argv[1], "HISADDR") == 0)
437 addrs |= ROUTE_GWHISADDR;
438
439 route_Add(&r->routes, addrs, &dest, &gw);
440 }
441 free(nuke);
442 break;
443
444 case RAD_REPLY_MESSAGE:
445 free(r->repstr);
446 if ((r->repstr = rad_cvt_string(data, len)) == NULL) {
447 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
448 auth_Failure(r->cx.auth);
449 rad_close(r->cx.rad);
450 return;
451 }
452 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
453 " Reply-Message \"%s\"\n", r->repstr);
454 break;
455
456 #ifndef NOINET6
457 case RAD_FRAMED_IPV6_PREFIX:
458 free(r->ipv6prefix);
459 if ((r->ipv6prefix = rad_cvt_ipv6prefix(data, len)) == NULL) {
460 log_Printf(LogERROR, "rad_cvt_ipv6prefix: %s\n",
461 "Malformed attribute in response");
462 auth_Failure(r->cx.auth);
463 rad_close(r->cx.rad);
464 return;
465 }
466 inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr));
467 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
468 " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]);
469 break;
470
471 case RAD_FRAMED_IPV6_ROUTE:
472 /*
473 * We expect a string of the format ``dest[/bits] gw [metrics]''
474 * Any specified metrics are ignored. MYADDR6 and HISADDR6 are
475 * understood for ``dest'' and ``gw'' and ``::'' is the same
476 * as ``HISADDR6''.
477 */
478
479 if ((nuke = rad_cvt_string(data, len)) == NULL) {
480 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
481 auth_Failure(r->cx.auth);
482 rad_close(r->cx.rad);
483 return;
484 }
485
486 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
487 " IPv6 Route: %s\n", nuke);
488 bundle = r->cx.auth->physical->dl->bundle;
489 ncpaddr_setip6(&gw, &in6addr_any);
490 ncprange_set(&dest, &gw, 0);
491 argc = command_Interpret(nuke, strlen(nuke), argv);
492 if (argc < 0)
493 log_Printf(LogWARN, "radius: %s: Syntax error\n",
494 argc == 1 ? argv[0] : "\"\"");
495 else if (argc < 2)
496 log_Printf(LogWARN, "radius: %s: Invalid route\n",
497 argc == 1 ? argv[0] : "\"\"");
498 else if ((strcasecmp(argv[0], "default") != 0 &&
499 !ncprange_aton(&dest, &bundle->ncp, argv[0])) ||
500 !ncpaddr_aton(&gw, &bundle->ncp, argv[1]))
501 log_Printf(LogWARN, "radius: %s %s: Invalid route\n",
502 argv[0], argv[1]);
503 else {
504 addrs = 0;
505
506 if (!strncasecmp(argv[0], "HISADDR6", 8))
507 addrs = ROUTE_DSTHISADDR6;
508 else if (!strncasecmp(argv[0], "MYADDR6", 7))
509 addrs = ROUTE_DSTMYADDR6;
510
511 if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) {
512 addrs |= ROUTE_GWHISADDR6;
513 ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr);
514 } else if (strcasecmp(argv[1], "HISADDR6") == 0)
515 addrs |= ROUTE_GWHISADDR6;
516
517 route_Add(&r->ipv6routes, addrs, &dest, &gw);
518 }
519 free(nuke);
520 break;
521 #endif
522
523 case RAD_VENDOR_SPECIFIC:
524 if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) {
525 log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n",
526 rad_strerror(r->cx.rad));
527 auth_Failure(r->cx.auth);
528 rad_close(r->cx.rad);
529 return;
530 }
531
532 switch (vendor) {
533 case RAD_VENDOR_MICROSOFT:
534 switch (res) {
535 #ifndef NODES
536 case RAD_MICROSOFT_MS_CHAP_ERROR:
537 free(r->errstr);
538 if (len == 0)
539 r->errstr = NULL;
540 else {
541 if (len < 3 || ((const char *)data)[1] != '=') {
542 /*
543 * Only point at the String field if we don't think the
544 * peer has misformatted the response.
545 */
546 data = (const char *)data + 1;
547 len--;
548 } else
549 log_Printf(LogWARN, "Warning: The MS-CHAP-Error "
550 "attribute is mis-formatted. Compensating\n");
551 if ((r->errstr = rad_cvt_string((const char *)data,
552 len)) == NULL) {
553 log_Printf(LogERROR, "rad_cvt_string: %s\n",
554 rad_strerror(r->cx.rad));
555 auth_Failure(r->cx.auth);
556 rad_close(r->cx.rad);
557 return;
558 }
559 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
560 " MS-CHAP-Error \"%s\"\n", r->errstr);
561 }
562 break;
563
564 case RAD_MICROSOFT_MS_CHAP2_SUCCESS:
565 free(r->msrepstr);
566 if (len == 0)
567 r->msrepstr = NULL;
568 else {
569 if (len < 3 || ((const char *)data)[1] != '=') {
570 /*
571 * Only point at the String field if we don't think the
572 * peer has misformatted the response.
573 */
574 data = (const char *)data + 1;
575 len--;
576 } else
577 log_Printf(LogWARN, "Warning: The MS-CHAP2-Success "
578 "attribute is mis-formatted. Compensating\n");
579 if ((r->msrepstr = rad_cvt_string((const char *)data,
580 len)) == NULL) {
581 log_Printf(LogERROR, "rad_cvt_string: %s\n",
582 rad_strerror(r->cx.rad));
583 auth_Failure(r->cx.auth);
584 rad_close(r->cx.rad);
585 return;
586 }
587 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
588 " MS-CHAP2-Success \"%s\"\n", r->msrepstr);
589 }
590 break;
591
592 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
593 r->mppe.policy = rad_cvt_int(data);
594 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
595 " MS-MPPE-Encryption-Policy %s\n",
596 radius_policyname(r->mppe.policy));
597 break;
598
599 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
600 r->mppe.types = rad_cvt_int(data);
601 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
602 " MS-MPPE-Encryption-Types %s\n",
603 radius_typesname(r->mppe.types));
604 break;
605
606 case RAD_MICROSOFT_MS_MPPE_RECV_KEY:
607 free(r->mppe.recvkey);
608 demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen);
609 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
610 " MS-MPPE-Recv-Key ********\n");
611 break;
612
613 case RAD_MICROSOFT_MS_MPPE_SEND_KEY:
614 demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen);
615 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
616 " MS-MPPE-Send-Key ********\n");
617 break;
618 #endif
619
620 default:
621 log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific "
622 "RADIUS attribute %d\n", res);
623 break;
624 }
625 break;
626
627 default:
628 log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n",
629 (unsigned long)vendor, res);
630 break;
631 }
632 break;
633
634 default:
635 log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res);
636 break;
637 }
638 }
639
640 if (res == -1) {
641 log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n",
642 rad_strerror(r->cx.rad));
643 auth_Failure(r->cx.auth);
644 } else if (got == RAD_ACCESS_REJECT)
645 auth_Failure(r->cx.auth);
646 else {
647 r->valid = 1;
648 auth_Success(r->cx.auth);
649 }
650 rad_close(r->cx.rad);
651 }
652
653 /*
654 * We've either timed out or select()ed on the read descriptor
655 */
656 static void
radius_Continue(struct radius * r,int sel)657 radius_Continue(struct radius *r, int sel)
658 {
659 struct timeval tv;
660 int got;
661
662 timer_Stop(&r->cx.timer);
663 if ((got = rad_continue_send_request(r->cx.rad, sel, &r->cx.fd, &tv)) == 0) {
664 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
665 "Radius: Request re-sent\n");
666 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
667 timer_Start(&r->cx.timer);
668 return;
669 }
670
671 radius_Process(r, got);
672 }
673
674 /*
675 * Time to call rad_continue_send_request() - timed out.
676 */
677 static void
radius_Timeout(void * v)678 radius_Timeout(void *v)
679 {
680 radius_Continue((struct radius *)v, 0);
681 }
682
683 /*
684 * Time to call rad_continue_send_request() - something to read.
685 */
686 static void
radius_Read(struct fdescriptor * d,struct bundle * bundle __unused,const fd_set * fdset __unused)687 radius_Read(struct fdescriptor *d, struct bundle *bundle __unused,
688 const fd_set *fdset __unused)
689 {
690 radius_Continue(descriptor2radius(d), 1);
691 }
692
693 /*
694 * Flush any pending transactions
695 */
696 void
radius_Flush(struct radius * r)697 radius_Flush(struct radius *r)
698 {
699 struct timeval tv;
700 fd_set s;
701
702 while (r->cx.fd != -1) {
703 FD_ZERO(&s);
704 FD_SET(r->cx.fd, &s);
705 tv.tv_sec = 0;
706 tv.tv_usec = TICKUNIT;
707 select(r->cx.fd + 1, &s, NULL, NULL, &tv);
708 radius_Continue(r, 1);
709 }
710 }
711
712 /*
713 * Behave as a struct fdescriptor (descriptor.h)
714 */
715 static int
radius_UpdateSet(struct fdescriptor * d,fd_set * r,fd_set * w __unused,fd_set * e __unused,int * n)716 radius_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused,
717 fd_set *e __unused, int *n)
718 {
719 struct radius *rad = descriptor2radius(d);
720
721 if (r && rad->cx.fd != -1) {
722 FD_SET(rad->cx.fd, r);
723 if (*n < rad->cx.fd + 1)
724 *n = rad->cx.fd + 1;
725 log_Printf(LogTIMER, "Radius: fdset(r) %d\n", rad->cx.fd);
726 return 1;
727 }
728
729 return 0;
730 }
731
732 /*
733 * Behave as a struct fdescriptor (descriptor.h)
734 */
735 static int
radius_IsSet(struct fdescriptor * d,const fd_set * fdset)736 radius_IsSet(struct fdescriptor *d, const fd_set *fdset)
737 {
738 struct radius *r = descriptor2radius(d);
739
740 return r && r->cx.fd != -1 && FD_ISSET(r->cx.fd, fdset);
741 }
742
743 /*
744 * Behave as a struct fdescriptor (descriptor.h)
745 */
746 static int
radius_Write(struct fdescriptor * d __unused,struct bundle * bundle __unused,const fd_set * fdset __unused)747 radius_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused,
748 const fd_set *fdset __unused)
749 {
750 /* We never want to write here ! */
751 log_Printf(LogALERT, "radius_Write: Internal error: Bad call !\n");
752 return 0;
753 }
754
755 /*
756 * Initialise ourselves
757 */
758 void
radius_Init(struct radius * r)759 radius_Init(struct radius *r)
760 {
761 r->desc.type = RADIUS_DESCRIPTOR;
762 r->desc.UpdateSet = radius_UpdateSet;
763 r->desc.IsSet = radius_IsSet;
764 r->desc.Read = radius_Read;
765 r->desc.Write = radius_Write;
766 r->cx.fd = -1;
767 r->cx.rad = NULL;
768 memset(&r->cx.timer, '\0', sizeof r->cx.timer);
769 r->cx.auth = NULL;
770 r->valid = 0;
771 r->vj = 0;
772 r->ip.s_addr = INADDR_ANY;
773 r->mask.s_addr = INADDR_NONE;
774 r->routes = NULL;
775 r->mtu = DEF_MTU;
776 r->msrepstr = NULL;
777 r->repstr = NULL;
778 #ifndef NOINET6
779 r->ipv6prefix = NULL;
780 r->ipv6routes = NULL;
781 #endif
782 r->errstr = NULL;
783 r->mppe.policy = 0;
784 r->mppe.types = 0;
785 r->mppe.recvkey = NULL;
786 r->mppe.recvkeylen = 0;
787 r->mppe.sendkey = NULL;
788 r->mppe.sendkeylen = 0;
789 *r->cfg.file = '\0';
790 log_Printf(LogDEBUG, "Radius: radius_Init\n");
791 }
792
793 /*
794 * Forget everything and go back to initialised state.
795 */
796 void
radius_Destroy(struct radius * r)797 radius_Destroy(struct radius *r)
798 {
799 r->valid = 0;
800 log_Printf(LogDEBUG, "Radius: radius_Destroy\n");
801 timer_Stop(&r->cx.timer);
802 route_DeleteAll(&r->routes);
803 #ifndef NOINET6
804 route_DeleteAll(&r->ipv6routes);
805 #endif
806 free(r->filterid);
807 r->filterid = NULL;
808 free(r->msrepstr);
809 r->msrepstr = NULL;
810 free(r->repstr);
811 r->repstr = NULL;
812 #ifndef NOINET6
813 free(r->ipv6prefix);
814 r->ipv6prefix = NULL;
815 #endif
816 free(r->errstr);
817 r->errstr = NULL;
818 free(r->mppe.recvkey);
819 r->mppe.recvkey = NULL;
820 r->mppe.recvkeylen = 0;
821 free(r->mppe.sendkey);
822 r->mppe.sendkey = NULL;
823 r->mppe.sendkeylen = 0;
824 if (r->cx.fd != -1) {
825 r->cx.fd = -1;
826 rad_close(r->cx.rad);
827 }
828 }
829
830 static int
radius_put_physical_details(struct radius * rad,struct physical * p)831 radius_put_physical_details(struct radius *rad, struct physical *p)
832 {
833 int slot, type;
834
835 type = RAD_VIRTUAL;
836 if (p->handler)
837 switch (p->handler->type) {
838 case I4B_DEVICE:
839 type = RAD_ISDN_SYNC;
840 break;
841
842 case TTY_DEVICE:
843 type = RAD_ASYNC;
844 break;
845
846 case ETHER_DEVICE:
847 type = RAD_ETHERNET;
848 break;
849
850 case TCP_DEVICE:
851 case UDP_DEVICE:
852 case EXEC_DEVICE:
853 case ATM_DEVICE:
854 case NG_DEVICE:
855 type = RAD_VIRTUAL;
856 break;
857 }
858
859 if (rad_put_int(rad->cx.rad, RAD_NAS_PORT_TYPE, type) != 0) {
860 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad));
861 rad_close(rad->cx.rad);
862 return 0;
863 }
864
865 switch (rad->port_id_type) {
866 case RPI_PID:
867 slot = (int)getpid();
868 break;
869 case RPI_IFNUM:
870 slot = p->dl->bundle->iface->index;
871 break;
872 case RPI_TUNNUM:
873 slot = p->dl->bundle->unit;
874 break;
875 case RPI_DEFAULT:
876 default:
877 slot = physical_Slot(p);
878 break;
879 }
880
881 if (slot >= 0)
882 if (rad_put_int(rad->cx.rad, RAD_NAS_PORT, slot) != 0) {
883 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad));
884 rad_close(rad->cx.rad);
885 return 0;
886 }
887
888 return 1;
889 }
890
891 /*
892 * Start an authentication request to the RADIUS server.
893 */
894 int
radius_Authenticate(struct radius * r,struct authinfo * authp,const char * name,const char * key,int klen,const char * nchallenge,int nclen)895 radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
896 const char *key, int klen, const char *nchallenge,
897 int nclen)
898 {
899 char hostname[MAXHOSTNAMELEN];
900 struct timeval tv;
901 const char *what = "questionable"; /* silence warnings! */
902 char *mac_addr;
903 int got;
904 struct hostent *hp;
905 struct in_addr hostaddr;
906 #ifndef NODES
907 struct mschap_response msresp;
908 struct mschap2_response msresp2;
909 const struct MSCHAPv2_resp *keyv2;
910 #endif
911
912 if (!*r->cfg.file)
913 return 0;
914
915 if (r->cx.fd != -1)
916 /*
917 * We assume that our name/key/challenge is the same as last time,
918 * and just continue to wait for the RADIUS server(s).
919 */
920 return 1;
921
922 radius_Destroy(r);
923
924 if ((r->cx.rad = rad_auth_open()) == NULL) {
925 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno));
926 return 0;
927 }
928
929 if (rad_config(r->cx.rad, r->cfg.file) != 0) {
930 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad));
931 rad_close(r->cx.rad);
932 return 0;
933 }
934
935 if (rad_create_request(r->cx.rad, RAD_ACCESS_REQUEST) != 0) {
936 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad));
937 rad_close(r->cx.rad);
938 return 0;
939 }
940
941 if (rad_put_string(r->cx.rad, RAD_USER_NAME, name) != 0 ||
942 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 ||
943 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) {
944 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
945 rad_close(r->cx.rad);
946 return 0;
947 }
948
949 switch (authp->physical->link.lcp.want_auth) {
950 case PROTO_PAP:
951 /* We're talking PAP */
952 if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) {
953 log_Printf(LogERROR, "PAP: rad_put_string: %s\n",
954 rad_strerror(r->cx.rad));
955 rad_close(r->cx.rad);
956 return 0;
957 }
958 what = "PAP";
959 break;
960
961 case PROTO_CHAP:
962 switch (authp->physical->link.lcp.want_authtype) {
963 case 0x5:
964 if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 ||
965 rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, nchallenge, nclen) != 0) {
966 log_Printf(LogERROR, "CHAP: rad_put_string: %s\n",
967 rad_strerror(r->cx.rad));
968 rad_close(r->cx.rad);
969 return 0;
970 }
971 what = "CHAP";
972 break;
973
974 #ifndef NODES
975 case 0x80:
976 if (klen != 50) {
977 log_Printf(LogERROR, "CHAP80: Unrecognised key length %d\n", klen);
978 rad_close(r->cx.rad);
979 return 0;
980 }
981
982 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
983 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen);
984 msresp.ident = *key;
985 msresp.flags = 0x01;
986 memcpy(msresp.lm_response, key + 1, 24);
987 memcpy(msresp.nt_response, key + 25, 24);
988 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
989 RAD_MICROSOFT_MS_CHAP_RESPONSE, &msresp,
990 sizeof msresp);
991 what = "MSCHAP";
992 break;
993
994 case 0x81:
995 if (klen != sizeof(*keyv2) + 1) {
996 log_Printf(LogERROR, "CHAP81: Unrecognised key length %d\n", klen);
997 rad_close(r->cx.rad);
998 return 0;
999 }
1000
1001 keyv2 = (const struct MSCHAPv2_resp *)(key + 1);
1002 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
1003 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen);
1004 msresp2.ident = *key;
1005 msresp2.flags = keyv2->Flags;
1006 memcpy(msresp2.response, keyv2->NTResponse, sizeof msresp2.response);
1007 memset(msresp2.reserved, '\0', sizeof msresp2.reserved);
1008 memcpy(msresp2.pchallenge, keyv2->PeerChallenge,
1009 sizeof msresp2.pchallenge);
1010 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
1011 RAD_MICROSOFT_MS_CHAP2_RESPONSE, &msresp2,
1012 sizeof msresp2);
1013 what = "MSCHAPv2";
1014 break;
1015 #endif
1016 default:
1017 log_Printf(LogERROR, "CHAP: Unrecognised type 0x%02x\n",
1018 authp->physical->link.lcp.want_authtype);
1019 rad_close(r->cx.rad);
1020 return 0;
1021 }
1022 }
1023
1024 if (gethostname(hostname, sizeof hostname) != 0)
1025 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
1026 else {
1027 if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
1028 (hp = gethostbyname(hostname)) != NULL) {
1029 hostaddr.s_addr = *(u_long *)hp->h_addr;
1030 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
1031 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1032 rad_strerror(r->cx.rad));
1033 rad_close(r->cx.rad);
1034 return 0;
1035 }
1036 }
1037 if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) &&
1038 rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
1039 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1040 rad_strerror(r->cx.rad));
1041 rad_close(r->cx.rad);
1042 return 0;
1043 }
1044 }
1045
1046 if ((mac_addr = getenv("HISMACADDR")) != NULL &&
1047 rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) {
1048 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1049 rad_close(r->cx.rad);
1050 return 0;
1051 }
1052
1053 radius_put_physical_details(r, authp->physical);
1054
1055 log_Printf(LogRADIUS, "Radius(auth): %s data sent for %s\n", what, name);
1056
1057 r->cx.auth = authp;
1058 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv)))
1059 radius_Process(r, got);
1060 else {
1061 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
1062 "Radius: Request sent\n");
1063 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout);
1064 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
1065 r->cx.timer.func = radius_Timeout;
1066 r->cx.timer.name = "radius auth";
1067 r->cx.timer.arg = r;
1068 timer_Start(&r->cx.timer);
1069 }
1070
1071 return 1;
1072 }
1073
1074 /* Fetch IP, netmask from IPCP */
1075 void
radius_Account_Set_Ip(struct radacct * ac,struct in_addr * peer_ip,struct in_addr * netmask)1076 radius_Account_Set_Ip(struct radacct *ac, struct in_addr *peer_ip,
1077 struct in_addr *netmask)
1078 {
1079 ac->proto = PROTO_IPCP;
1080 memcpy(&ac->peer.ip.addr, peer_ip, sizeof(ac->peer.ip.addr));
1081 memcpy(&ac->peer.ip.mask, netmask, sizeof(ac->peer.ip.mask));
1082 }
1083
1084 #ifndef NOINET6
1085 /* Fetch interface-id from IPV6CP */
1086 void
radius_Account_Set_Ipv6(struct radacct * ac,u_char * ifid)1087 radius_Account_Set_Ipv6(struct radacct *ac, u_char *ifid)
1088 {
1089 ac->proto = PROTO_IPV6CP;
1090 memcpy(&ac->peer.ipv6.ifid, ifid, sizeof(ac->peer.ipv6.ifid));
1091 }
1092 #endif
1093
1094 /*
1095 * Send an accounting request to the RADIUS server
1096 */
1097 void
radius_Account(struct radius * r,struct radacct * ac,struct datalink * dl,int acct_type,struct pppThroughput * stats)1098 radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
1099 int acct_type, struct pppThroughput *stats)
1100 {
1101 struct timeval tv;
1102 int got;
1103 char hostname[MAXHOSTNAMELEN];
1104 char *mac_addr;
1105 struct hostent *hp;
1106 struct in_addr hostaddr;
1107
1108 if (!*r->cfg.file)
1109 return;
1110
1111 if (r->cx.fd != -1)
1112 /*
1113 * We assume that our name/key/challenge is the same as last time,
1114 * and just continue to wait for the RADIUS server(s).
1115 */
1116 return;
1117
1118 timer_Stop(&r->cx.timer);
1119
1120 if ((r->cx.rad = rad_acct_open()) == NULL) {
1121 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno));
1122 return;
1123 }
1124
1125 if (rad_config(r->cx.rad, r->cfg.file) != 0) {
1126 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad));
1127 rad_close(r->cx.rad);
1128 return;
1129 }
1130
1131 if (rad_create_request(r->cx.rad, RAD_ACCOUNTING_REQUEST) != 0) {
1132 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad));
1133 rad_close(r->cx.rad);
1134 return;
1135 }
1136
1137 /* Grab some accounting data and initialize structure */
1138 if (acct_type == RAD_START) {
1139 ac->rad_parent = r;
1140 /* Fetch username from datalink */
1141 strncpy(ac->user_name, dl->peer.authname, sizeof ac->user_name);
1142 ac->user_name[AUTHLEN-1] = '\0';
1143
1144 ac->authentic = 2; /* Assume RADIUS verified auth data */
1145
1146 /* Generate a session ID */
1147 snprintf(ac->session_id, sizeof ac->session_id, "%s%ld-%s%lu",
1148 dl->bundle->cfg.auth.name, (long)getpid(),
1149 dl->peer.authname, (unsigned long)stats->uptime);
1150
1151 /* And grab our MP socket name */
1152 snprintf(ac->multi_session_id, sizeof ac->multi_session_id, "%s",
1153 dl->bundle->ncp.mp.active ?
1154 dl->bundle->ncp.mp.server.socket.sun_path : "");
1155 }
1156
1157 if (rad_put_string(r->cx.rad, RAD_USER_NAME, ac->user_name) != 0 ||
1158 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 ||
1159 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) {
1160 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1161 rad_close(r->cx.rad);
1162 return;
1163 }
1164 switch (ac->proto) {
1165 case PROTO_IPCP:
1166 if (rad_put_addr(r->cx.rad, RAD_FRAMED_IP_ADDRESS,
1167 ac->peer.ip.addr) != 0 ||
1168 rad_put_addr(r->cx.rad, RAD_FRAMED_IP_NETMASK,
1169 ac->peer.ip.mask) != 0) {
1170 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1171 rad_close(r->cx.rad);
1172 return;
1173 }
1174 break;
1175 #ifndef NOINET6
1176 case PROTO_IPV6CP:
1177 if (rad_put_attr(r->cx.rad, RAD_FRAMED_INTERFACE_ID, ac->peer.ipv6.ifid,
1178 sizeof(ac->peer.ipv6.ifid)) != 0) {
1179 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad));
1180 rad_close(r->cx.rad);
1181 return;
1182 }
1183 if (r->ipv6prefix) {
1184 /*
1185 * Since PPP doesn't delegate an IPv6 prefix to a peer,
1186 * Framed-IPv6-Prefix may be not used, actually.
1187 */
1188 if (rad_put_attr(r->cx.rad, RAD_FRAMED_IPV6_PREFIX, r->ipv6prefix,
1189 sizeof(struct in6_addr) + 2) != 0) {
1190 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad));
1191 rad_close(r->cx.rad);
1192 return;
1193 }
1194 }
1195 break;
1196 #endif
1197 default:
1198 /* We don't log any protocol specific information */
1199 break;
1200 }
1201
1202 if ((mac_addr = getenv("HISMACADDR")) != NULL &&
1203 rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) {
1204 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1205 rad_close(r->cx.rad);
1206 return;
1207 }
1208
1209 if (gethostname(hostname, sizeof hostname) != 0)
1210 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
1211 else {
1212 if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) &&
1213 (hp = gethostbyname(hostname)) != NULL) {
1214 hostaddr.s_addr = *(u_long *)hp->h_addr;
1215 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
1216 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1217 rad_strerror(r->cx.rad));
1218 rad_close(r->cx.rad);
1219 return;
1220 }
1221 }
1222 if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) &&
1223 rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
1224 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1225 rad_strerror(r->cx.rad));
1226 rad_close(r->cx.rad);
1227 return;
1228 }
1229 }
1230
1231 radius_put_physical_details(r, dl->physical);
1232
1233 if (rad_put_int(r->cx.rad, RAD_ACCT_STATUS_TYPE, acct_type) != 0 ||
1234 rad_put_string(r->cx.rad, RAD_ACCT_SESSION_ID, ac->session_id) != 0 ||
1235 rad_put_string(r->cx.rad, RAD_ACCT_MULTI_SESSION_ID,
1236 ac->multi_session_id) != 0 ||
1237 rad_put_int(r->cx.rad, RAD_ACCT_DELAY_TIME, 0) != 0) {
1238 /* XXX ACCT_DELAY_TIME should be increased each time a packet is waiting */
1239 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1240 rad_close(r->cx.rad);
1241 return;
1242 }
1243
1244 if (acct_type == RAD_STOP || acct_type == RAD_ALIVE)
1245 /* Show some statistics */
1246 if (rad_put_int(r->cx.rad, RAD_ACCT_INPUT_OCTETS, stats->OctetsIn % UINT32_MAX) != 0 ||
1247 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_GIGAWORDS, stats->OctetsIn / UINT32_MAX) != 0 ||
1248 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_PACKETS, stats->PacketsIn) != 0 ||
1249 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_OCTETS, stats->OctetsOut % UINT32_MAX) != 0 ||
1250 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_GIGAWORDS, stats->OctetsOut / UINT32_MAX) != 0 ||
1251 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_PACKETS, stats->PacketsOut)
1252 != 0 ||
1253 rad_put_int(r->cx.rad, RAD_ACCT_SESSION_TIME, throughput_uptime(stats))
1254 != 0) {
1255 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1256 rad_close(r->cx.rad);
1257 return;
1258 }
1259
1260 if (log_IsKept(LogPHASE) || log_IsKept(LogRADIUS)) {
1261 const char *what;
1262 int level;
1263
1264 switch (acct_type) {
1265 case RAD_START:
1266 what = "START";
1267 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1268 break;
1269 case RAD_STOP:
1270 what = "STOP";
1271 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1272 break;
1273 case RAD_ALIVE:
1274 what = "ALIVE";
1275 level = LogRADIUS;
1276 break;
1277 default:
1278 what = "<unknown>";
1279 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1280 break;
1281 }
1282 log_Printf(level, "Radius(acct): %s data sent\n", what);
1283 }
1284
1285 r->cx.auth = NULL; /* Not valid for accounting requests */
1286 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv)))
1287 radius_Process(r, got);
1288 else {
1289 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout);
1290 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
1291 r->cx.timer.func = radius_Timeout;
1292 r->cx.timer.name = "radius acct";
1293 r->cx.timer.arg = r;
1294 timer_Start(&r->cx.timer);
1295 }
1296 }
1297
1298 /*
1299 * How do things look at the moment ?
1300 */
1301 void
radius_Show(struct radius * r,struct prompt * p)1302 radius_Show(struct radius *r, struct prompt *p)
1303 {
1304 prompt_Printf(p, " Radius config: %s",
1305 *r->cfg.file ? r->cfg.file : "none");
1306 if (r->valid) {
1307 prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip));
1308 prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask));
1309 prompt_Printf(p, " MTU: %lu\n", r->mtu);
1310 prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis");
1311 prompt_Printf(p, " Message: %s\n", r->repstr ? r->repstr : "");
1312 prompt_Printf(p, " MPPE Enc Policy: %s\n",
1313 radius_policyname(r->mppe.policy));
1314 prompt_Printf(p, " MPPE Enc Types: %s\n",
1315 radius_typesname(r->mppe.types));
1316 prompt_Printf(p, " MPPE Recv Key: %seceived\n",
1317 r->mppe.recvkey ? "R" : "Not r");
1318 prompt_Printf(p, " MPPE Send Key: %seceived\n",
1319 r->mppe.sendkey ? "R" : "Not r");
1320 prompt_Printf(p, " MS-CHAP2-Response: %s\n",
1321 r->msrepstr ? r->msrepstr : "");
1322 prompt_Printf(p, " Error Message: %s\n", r->errstr ? r->errstr : "");
1323 if (r->routes)
1324 route_ShowSticky(p, r->routes, " Routes", 16);
1325 #ifndef NOINET6
1326 if (r->ipv6routes)
1327 route_ShowSticky(p, r->ipv6routes, " IPv6 Routes", 16);
1328 #endif
1329 } else
1330 prompt_Printf(p, " (not authenticated)\n");
1331 }
1332
1333 static void
radius_alive(void * v)1334 radius_alive(void *v)
1335 {
1336 struct bundle *bundle = (struct bundle *)v;
1337
1338 timer_Stop(&bundle->radius.alive.timer);
1339 bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS;
1340 if (bundle->radius.alive.timer.load) {
1341 radius_Account(&bundle->radius, &bundle->radacct,
1342 bundle->links, RAD_ALIVE, &bundle->ncp.ipcp.throughput);
1343 timer_Start(&bundle->radius.alive.timer);
1344 }
1345 }
1346
1347 void
radius_StartTimer(struct bundle * bundle)1348 radius_StartTimer(struct bundle *bundle)
1349 {
1350 if (*bundle->radius.cfg.file && bundle->radius.alive.interval) {
1351 bundle->radius.alive.timer.func = radius_alive;
1352 bundle->radius.alive.timer.name = "radius alive";
1353 bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS;
1354 bundle->radius.alive.timer.arg = bundle;
1355 radius_alive(bundle);
1356 }
1357 }
1358
1359 void
radius_StopTimer(struct radius * r)1360 radius_StopTimer(struct radius *r)
1361 {
1362 timer_Stop(&r->alive.timer);
1363 }
1364