2 * Copyright 1999 Internet Business Solutions Ltd., Switzerland
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/param.h>
33 #include <sys/select.h>
34 #include <sys/socket.h>
35 #include <netinet/in_systm.h>
36 #include <netinet/in.h>
37 #include <netinet/ip.h>
38 #include <arpa/inet.h>
40 #include <net/route.h>
44 #include "radlib_vs.h"
47 #include <radlib_vs.h>
66 #include "descriptor.h"
71 #include "slcompress.h"
72 #include "throughput.h"
101 struct mschap_response {
104 u_char lm_response[24];
105 u_char nt_response[24];
108 struct mschap2_response {
111 u_char pchallenge[16];
121 radius_policyname(int policy)
124 case MPPE_POLICY_ALLOWED:
126 case MPPE_POLICY_REQUIRED:
129 return NumStr(policy, NULL, 0);
133 radius_typesname(int types)
136 case MPPE_TYPE_40BIT:
138 case MPPE_TYPE_128BIT:
140 case MPPE_TYPE_40BIT|MPPE_TYPE_128BIT:
141 return "40 or 128 bit";
143 return NumStr(types, NULL, 0);
148 demangle(struct radius *r, const void *mangled, size_t mlen,
149 char **buf, size_t *len)
151 char R[AUTH_LEN]; /* variable names as per rfc2548 */
156 int Slen, i, Clen, Ppos;
159 if (mlen % 16 != SALT_LEN) {
160 log_Printf(LogWARN, "Cannot interpret mangled data of length %ld\n",
167 /* We need the RADIUS Request-Authenticator */
168 if (rad_request_authenticator(r->cx.rad, R, sizeof R) != AUTH_LEN) {
169 log_Printf(LogWARN, "Cannot obtain the RADIUS request authenticator\n");
175 A = (const u_char *)mangled; /* Salt comes first */
176 C = (const u_char *)mangled + SALT_LEN; /* Then the ciphertext */
177 Clen = mlen - SALT_LEN;
178 S = rad_server_secret(r->cx.rad); /* We need the RADIUS secret */
180 P = alloca(Clen); /* We derive our plaintext */
183 MD5Update(&Context, S, Slen);
184 MD5Update(&Context, R, AUTH_LEN);
185 MD5Update(&Context, A, SALT_LEN);
186 MD5Final(b, &Context);
192 for (i = 0; i < 16; i++)
193 P[Ppos++] = C[i] ^ b[i];
197 MD5Update(&Context, S, Slen);
198 MD5Update(&Context, C, 16);
199 MD5Final(b, &Context);
206 * The resulting plain text consists of a one-byte length, the text and
207 * maybe some padding.
210 if (*len > mlen - 1) {
211 log_Printf(LogWARN, "Mangled data seems to be garbage\n");
217 if ((*buf = malloc(*len)) == NULL) {
218 log_Printf(LogWARN, "demangle: Out of memory (%lu bytes)\n", (u_long)*len);
221 memcpy(*buf, P + 1, *len);
225 /* XXX: This should go into librarius. */
228 rad_cvt_ipv6prefix(const void *data, size_t len)
230 const size_t ipv6len = sizeof(struct in6_addr) + 2;
237 memset(s, 0, ipv6len);
238 memcpy(s, data, len);
245 * rad_continue_send_request() has given us `got' (non-zero). Deal with it.
248 radius_Process(struct radius *r, int got)
250 char *argv[MAXARGS], *nuke;
251 struct bundle *bundle;
252 int argc, addrs, res, width;
254 struct ncprange dest;
258 u_int32_t ipaddr, vendor;
261 uint8_t ipv6addr[INET6_ADDRSTRLEN];
265 r->cx.fd = -1; /* Stop select()ing */
266 stype = r->cx.auth ? "auth" : "acct";
269 case RAD_ACCESS_ACCEPT:
270 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
271 "Radius(%s): ACCEPT received\n", stype);
273 rad_close(r->cx.rad);
278 case RAD_ACCESS_REJECT:
279 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
280 "Radius(%s): REJECT received\n", stype);
282 rad_close(r->cx.rad);
287 case RAD_ACCESS_CHALLENGE:
288 /* we can't deal with this (for now) ! */
289 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
290 "Radius: CHALLENGE received (can't handle yet)\n");
292 auth_Failure(r->cx.auth);
293 rad_close(r->cx.rad);
296 case RAD_ACCOUNTING_RESPONSE:
298 * It's probably not ideal to log this at PHASE level as we'll see
299 * too much stuff going to the log when ``set rad_alive'' is used.
300 * So we differ from older behaviour (ppp version 3.1 and before)
301 * and just log accounting responses to LogRADIUS.
303 log_Printf(LogRADIUS, "Radius(%s): Accounting response received\n",
306 auth_Failure(r->cx.auth); /* unexpected !!! */
308 /* No further processing for accounting requests, please */
309 rad_close(r->cx.rad);
313 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
314 "radius(%s): %s\n", stype, rad_strerror(r->cx.rad));
316 auth_Failure(r->cx.auth);
317 rad_close(r->cx.rad);
321 log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype,
322 got, rad_strerror(r->cx.rad));
324 auth_Failure(r->cx.auth);
325 rad_close(r->cx.rad);
329 /* Let's see what we've got in our reply */
330 r->ip.s_addr = r->mask.s_addr = INADDR_NONE;
333 while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) {
335 case RAD_FRAMED_IP_ADDRESS:
336 r->ip = rad_cvt_addr(data);
337 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
338 " IP %s\n", inet_ntoa(r->ip));
343 if ((r->filterid = rad_cvt_string(data, len)) == NULL) {
344 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
345 auth_Failure(r->cx.auth);
346 rad_close(r->cx.rad);
349 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
350 " Filter \"%s\"\n", r->filterid);
353 case RAD_SESSION_TIMEOUT:
354 r->sessiontime = rad_cvt_int(data);
355 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
356 " Session-Timeout %lu\n", r->sessiontime);
359 case RAD_FRAMED_IP_NETMASK:
360 r->mask = rad_cvt_addr(data);
361 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
362 " Netmask %s\n", inet_ntoa(r->mask));
366 r->mtu = rad_cvt_int(data);
367 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
368 " MTU %lu\n", r->mtu);
371 case RAD_FRAMED_ROUTING:
372 /* Disabled for now - should we automatically set up some filters ? */
373 /* rad_cvt_int(data); */
374 /* bit 1 = Send routing packets */
375 /* bit 2 = Receive routing packets */
378 case RAD_FRAMED_COMPRESSION:
379 r->vj = rad_cvt_int(data) == 1 ? 1 : 0;
380 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
381 " VJ %sabled\n", r->vj ? "en" : "dis");
384 case RAD_FRAMED_ROUTE:
386 * We expect a string of the format ``dest[/bits] gw [metrics]''
387 * Any specified metrics are ignored. MYADDR and HISADDR are
388 * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same
392 if ((nuke = rad_cvt_string(data, len)) == NULL) {
393 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
394 auth_Failure(r->cx.auth);
395 rad_close(r->cx.rad);
399 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
400 " Route: %s\n", nuke);
401 bundle = r->cx.auth->physical->dl->bundle;
402 ip.s_addr = INADDR_ANY;
403 ncpaddr_setip4(&gw, ip);
404 ncprange_setip4host(&dest, ip);
405 argc = command_Interpret(nuke, strlen(nuke), argv);
407 log_Printf(LogWARN, "radius: %s: Syntax error\n",
408 argc == 1 ? argv[0] : "\"\"");
410 log_Printf(LogWARN, "radius: %s: Invalid route\n",
411 argc == 1 ? argv[0] : "\"\"");
412 else if ((strcasecmp(argv[0], "default") != 0 &&
413 !ncprange_aton(&dest, &bundle->ncp, argv[0])) ||
414 !ncpaddr_aton(&gw, &bundle->ncp, argv[1]))
415 log_Printf(LogWARN, "radius: %s %s: Invalid route\n",
418 ncprange_getwidth(&dest, &width);
419 if (width == 32 && strchr(argv[0], '/') == NULL) {
420 /* No mask specified - use the natural mask */
421 ncprange_getip4addr(&dest, &ip);
422 ncprange_setip4mask(&dest, addr2mask(ip));
426 if (!strncasecmp(argv[0], "HISADDR", 7))
427 addrs = ROUTE_DSTHISADDR;
428 else if (!strncasecmp(argv[0], "MYADDR", 6))
429 addrs = ROUTE_DSTMYADDR;
431 if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) {
432 addrs |= ROUTE_GWHISADDR;
433 ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip);
434 } else if (strcasecmp(argv[1], "HISADDR") == 0)
435 addrs |= ROUTE_GWHISADDR;
437 route_Add(&r->routes, addrs, &dest, &gw);
442 case RAD_REPLY_MESSAGE:
444 if ((r->repstr = rad_cvt_string(data, len)) == NULL) {
445 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
446 auth_Failure(r->cx.auth);
447 rad_close(r->cx.rad);
450 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
451 " Reply-Message \"%s\"\n", r->repstr);
455 case RAD_FRAMED_IPV6_PREFIX:
457 if ((r->ipv6prefix = rad_cvt_ipv6prefix(data, len)) == NULL) {
458 log_Printf(LogERROR, "rad_cvt_ipv6prefix: %s\n",
459 "Malformed attribute in response");
460 auth_Failure(r->cx.auth);
461 rad_close(r->cx.rad);
464 inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr));
465 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
466 " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]);
469 case RAD_FRAMED_IPV6_ROUTE:
471 * We expect a string of the format ``dest[/bits] gw [metrics]''
472 * Any specified metrics are ignored. MYADDR6 and HISADDR6 are
473 * understood for ``dest'' and ``gw'' and ``::'' is the same
477 if ((nuke = rad_cvt_string(data, len)) == NULL) {
478 log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad));
479 auth_Failure(r->cx.auth);
480 rad_close(r->cx.rad);
484 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
485 " IPv6 Route: %s\n", nuke);
486 bundle = r->cx.auth->physical->dl->bundle;
487 ncpaddr_setip6(&gw, &in6addr_any);
488 ncprange_set(&dest, &gw, 0);
489 argc = command_Interpret(nuke, strlen(nuke), argv);
491 log_Printf(LogWARN, "radius: %s: Syntax error\n",
492 argc == 1 ? argv[0] : "\"\"");
494 log_Printf(LogWARN, "radius: %s: Invalid route\n",
495 argc == 1 ? argv[0] : "\"\"");
496 else if ((strcasecmp(argv[0], "default") != 0 &&
497 !ncprange_aton(&dest, &bundle->ncp, argv[0])) ||
498 !ncpaddr_aton(&gw, &bundle->ncp, argv[1]))
499 log_Printf(LogWARN, "radius: %s %s: Invalid route\n",
504 if (!strncasecmp(argv[0], "HISADDR6", 8))
505 addrs = ROUTE_DSTHISADDR6;
506 else if (!strncasecmp(argv[0], "MYADDR6", 7))
507 addrs = ROUTE_DSTMYADDR6;
509 if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) {
510 addrs |= ROUTE_GWHISADDR6;
511 ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr);
512 } else if (strcasecmp(argv[1], "HISADDR6") == 0)
513 addrs |= ROUTE_GWHISADDR6;
515 route_Add(&r->ipv6routes, addrs, &dest, &gw);
521 case RAD_VENDOR_SPECIFIC:
522 if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) {
523 log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n",
524 rad_strerror(r->cx.rad));
525 auth_Failure(r->cx.auth);
526 rad_close(r->cx.rad);
531 case RAD_VENDOR_MICROSOFT:
534 case RAD_MICROSOFT_MS_CHAP_ERROR:
539 if (len < 3 || ((const char *)data)[1] != '=') {
541 * Only point at the String field if we don't think the
542 * peer has misformatted the response.
544 data = (const char *)data + 1;
547 log_Printf(LogWARN, "Warning: The MS-CHAP-Error "
548 "attribute is mis-formatted. Compensating\n");
549 if ((r->errstr = rad_cvt_string((const char *)data,
551 log_Printf(LogERROR, "rad_cvt_string: %s\n",
552 rad_strerror(r->cx.rad));
553 auth_Failure(r->cx.auth);
554 rad_close(r->cx.rad);
557 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
558 " MS-CHAP-Error \"%s\"\n", r->errstr);
562 case RAD_MICROSOFT_MS_CHAP2_SUCCESS:
567 if (len < 3 || ((const char *)data)[1] != '=') {
569 * Only point at the String field if we don't think the
570 * peer has misformatted the response.
572 data = (const char *)data + 1;
575 log_Printf(LogWARN, "Warning: The MS-CHAP2-Success "
576 "attribute is mis-formatted. Compensating\n");
577 if ((r->msrepstr = rad_cvt_string((const char *)data,
579 log_Printf(LogERROR, "rad_cvt_string: %s\n",
580 rad_strerror(r->cx.rad));
581 auth_Failure(r->cx.auth);
582 rad_close(r->cx.rad);
585 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
586 " MS-CHAP2-Success \"%s\"\n", r->msrepstr);
590 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY:
591 r->mppe.policy = rad_cvt_int(data);
592 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
593 " MS-MPPE-Encryption-Policy %s\n",
594 radius_policyname(r->mppe.policy));
597 case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES:
598 r->mppe.types = rad_cvt_int(data);
599 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
600 " MS-MPPE-Encryption-Types %s\n",
601 radius_typesname(r->mppe.types));
604 case RAD_MICROSOFT_MS_MPPE_RECV_KEY:
605 free(r->mppe.recvkey);
606 demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen);
607 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
608 " MS-MPPE-Recv-Key ********\n");
611 case RAD_MICROSOFT_MS_MPPE_SEND_KEY:
612 demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen);
613 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
614 " MS-MPPE-Send-Key ********\n");
619 log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific "
620 "RADIUS attribute %d\n", res);
626 log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n",
627 (unsigned long)vendor, res);
633 log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res);
639 log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n",
640 rad_strerror(r->cx.rad));
641 auth_Failure(r->cx.auth);
642 } else if (got == RAD_ACCESS_REJECT)
643 auth_Failure(r->cx.auth);
646 auth_Success(r->cx.auth);
648 rad_close(r->cx.rad);
652 * We've either timed out or select()ed on the read descriptor
655 radius_Continue(struct radius *r, int sel)
660 timer_Stop(&r->cx.timer);
661 if ((got = rad_continue_send_request(r->cx.rad, sel, &r->cx.fd, &tv)) == 0) {
662 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
663 "Radius: Request re-sent\n");
664 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
665 timer_Start(&r->cx.timer);
669 radius_Process(r, got);
673 * Time to call rad_continue_send_request() - timed out.
676 radius_Timeout(void *v)
678 radius_Continue((struct radius *)v, 0);
682 * Time to call rad_continue_send_request() - something to read.
685 radius_Read(struct fdescriptor *d, struct bundle *bundle __unused,
686 const fd_set *fdset __unused)
688 radius_Continue(descriptor2radius(d), 1);
692 * Flush any pending transactions
695 radius_Flush(struct radius *r)
700 while (r->cx.fd != -1) {
702 FD_SET(r->cx.fd, &s);
704 tv.tv_usec = TICKUNIT;
705 select(r->cx.fd + 1, &s, NULL, NULL, &tv);
706 radius_Continue(r, 1);
711 * Behave as a struct fdescriptor (descriptor.h)
714 radius_UpdateSet(struct fdescriptor *d, fd_set *r, fd_set *w __unused,
715 fd_set *e __unused, int *n)
717 struct radius *rad = descriptor2radius(d);
719 if (r && rad->cx.fd != -1) {
720 FD_SET(rad->cx.fd, r);
721 if (*n < rad->cx.fd + 1)
723 log_Printf(LogTIMER, "Radius: fdset(r) %d\n", rad->cx.fd);
731 * Behave as a struct fdescriptor (descriptor.h)
734 radius_IsSet(struct fdescriptor *d, const fd_set *fdset)
736 struct radius *r = descriptor2radius(d);
738 return r && r->cx.fd != -1 && FD_ISSET(r->cx.fd, fdset);
742 * Behave as a struct fdescriptor (descriptor.h)
745 radius_Write(struct fdescriptor *d __unused, struct bundle *bundle __unused,
746 const fd_set *fdset __unused)
748 /* We never want to write here ! */
749 log_Printf(LogALERT, "radius_Write: Internal error: Bad call !\n");
754 * Initialise ourselves
757 radius_Init(struct radius *r)
759 r->desc.type = RADIUS_DESCRIPTOR;
760 r->desc.UpdateSet = radius_UpdateSet;
761 r->desc.IsSet = radius_IsSet;
762 r->desc.Read = radius_Read;
763 r->desc.Write = radius_Write;
766 memset(&r->cx.timer, '\0', sizeof r->cx.timer);
770 r->ip.s_addr = INADDR_ANY;
771 r->mask.s_addr = INADDR_NONE;
777 r->ipv6prefix = NULL;
778 r->ipv6routes = NULL;
783 r->mppe.recvkey = NULL;
784 r->mppe.recvkeylen = 0;
785 r->mppe.sendkey = NULL;
786 r->mppe.sendkeylen = 0;
788 log_Printf(LogDEBUG, "Radius: radius_Init\n");
792 * Forget everything and go back to initialised state.
795 radius_Destroy(struct radius *r)
798 log_Printf(LogDEBUG, "Radius: radius_Destroy\n");
799 timer_Stop(&r->cx.timer);
800 route_DeleteAll(&r->routes);
802 route_DeleteAll(&r->ipv6routes);
812 r->ipv6prefix = NULL;
816 free(r->mppe.recvkey);
817 r->mppe.recvkey = NULL;
818 r->mppe.recvkeylen = 0;
819 free(r->mppe.sendkey);
820 r->mppe.sendkey = NULL;
821 r->mppe.sendkeylen = 0;
822 if (r->cx.fd != -1) {
824 rad_close(r->cx.rad);
829 radius_put_physical_details(struct radius *rad, struct physical *p)
835 switch (p->handler->type) {
837 type = RAD_ISDN_SYNC;
857 if (rad_put_int(rad->cx.rad, RAD_NAS_PORT_TYPE, type) != 0) {
858 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad));
859 rad_close(rad->cx.rad);
863 switch (rad->port_id_type) {
865 slot = (int)getpid();
868 slot = p->dl->bundle->iface->index;
871 slot = p->dl->bundle->unit;
875 slot = physical_Slot(p);
880 if (rad_put_int(rad->cx.rad, RAD_NAS_PORT, slot) != 0) {
881 log_Printf(LogERROR, "rad_put: rad_put_int: %s\n", rad_strerror(rad->cx.rad));
882 rad_close(rad->cx.rad);
890 * Start an authentication request to the RADIUS server.
893 radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
894 const char *key, int klen, const char *nchallenge,
897 char hostname[MAXHOSTNAMELEN];
899 const char *what = "questionable"; /* silence warnings! */
903 struct in_addr hostaddr;
905 struct mschap_response msresp;
906 struct mschap2_response msresp2;
907 const struct MSCHAPv2_resp *keyv2;
915 * We assume that our name/key/challenge is the same as last time,
916 * and just continue to wait for the RADIUS server(s).
922 if ((r->cx.rad = rad_auth_open()) == NULL) {
923 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno));
927 if (rad_config(r->cx.rad, r->cfg.file) != 0) {
928 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad));
929 rad_close(r->cx.rad);
933 if (rad_create_request(r->cx.rad, RAD_ACCESS_REQUEST) != 0) {
934 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad));
935 rad_close(r->cx.rad);
939 if (rad_put_string(r->cx.rad, RAD_USER_NAME, name) != 0 ||
940 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 ||
941 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) {
942 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
943 rad_close(r->cx.rad);
947 switch (authp->physical->link.lcp.want_auth) {
949 /* We're talking PAP */
950 if (rad_put_attr(r->cx.rad, RAD_USER_PASSWORD, key, klen) != 0) {
951 log_Printf(LogERROR, "PAP: rad_put_string: %s\n",
952 rad_strerror(r->cx.rad));
953 rad_close(r->cx.rad);
960 switch (authp->physical->link.lcp.want_authtype) {
962 if (rad_put_attr(r->cx.rad, RAD_CHAP_PASSWORD, key, klen) != 0 ||
963 rad_put_attr(r->cx.rad, RAD_CHAP_CHALLENGE, nchallenge, nclen) != 0) {
964 log_Printf(LogERROR, "CHAP: rad_put_string: %s\n",
965 rad_strerror(r->cx.rad));
966 rad_close(r->cx.rad);
975 log_Printf(LogERROR, "CHAP80: Unrecognised key length %d\n", klen);
976 rad_close(r->cx.rad);
980 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
981 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen);
984 memcpy(msresp.lm_response, key + 1, 24);
985 memcpy(msresp.nt_response, key + 25, 24);
986 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
987 RAD_MICROSOFT_MS_CHAP_RESPONSE, &msresp,
993 if (klen != sizeof(*keyv2) + 1) {
994 log_Printf(LogERROR, "CHAP81: Unrecognised key length %d\n", klen);
995 rad_close(r->cx.rad);
999 keyv2 = (const struct MSCHAPv2_resp *)(key + 1);
1000 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
1001 RAD_MICROSOFT_MS_CHAP_CHALLENGE, nchallenge, nclen);
1002 msresp2.ident = *key;
1003 msresp2.flags = keyv2->Flags;
1004 memcpy(msresp2.response, keyv2->NTResponse, sizeof msresp2.response);
1005 memset(msresp2.reserved, '\0', sizeof msresp2.reserved);
1006 memcpy(msresp2.pchallenge, keyv2->PeerChallenge,
1007 sizeof msresp2.pchallenge);
1008 rad_put_vendor_attr(r->cx.rad, RAD_VENDOR_MICROSOFT,
1009 RAD_MICROSOFT_MS_CHAP2_RESPONSE, &msresp2,
1015 log_Printf(LogERROR, "CHAP: Unrecognised type 0x%02x\n",
1016 authp->physical->link.lcp.want_authtype);
1017 rad_close(r->cx.rad);
1022 if (gethostname(hostname, sizeof hostname) != 0)
1023 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
1025 if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
1026 (hp = gethostbyname(hostname)) != NULL) {
1027 hostaddr.s_addr = *(u_long *)hp->h_addr;
1028 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
1029 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1030 rad_strerror(r->cx.rad));
1031 rad_close(r->cx.rad);
1035 if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) &&
1036 rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
1037 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1038 rad_strerror(r->cx.rad));
1039 rad_close(r->cx.rad);
1044 if ((mac_addr = getenv("HISMACADDR")) != NULL &&
1045 rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) {
1046 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1047 rad_close(r->cx.rad);
1051 radius_put_physical_details(r, authp->physical);
1053 log_Printf(LogRADIUS, "Radius(auth): %s data sent for %s\n", what, name);
1056 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv)))
1057 radius_Process(r, got);
1059 log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE,
1060 "Radius: Request sent\n");
1061 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout);
1062 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
1063 r->cx.timer.func = radius_Timeout;
1064 r->cx.timer.name = "radius auth";
1065 r->cx.timer.arg = r;
1066 timer_Start(&r->cx.timer);
1072 /* Fetch IP, netmask from IPCP */
1074 radius_Account_Set_Ip(struct radacct *ac, struct in_addr *peer_ip,
1075 struct in_addr *netmask)
1077 ac->proto = PROTO_IPCP;
1078 memcpy(&ac->peer.ip.addr, peer_ip, sizeof(ac->peer.ip.addr));
1079 memcpy(&ac->peer.ip.mask, netmask, sizeof(ac->peer.ip.mask));
1083 /* Fetch interface-id from IPV6CP */
1085 radius_Account_Set_Ipv6(struct radacct *ac, u_char *ifid)
1087 ac->proto = PROTO_IPV6CP;
1088 memcpy(&ac->peer.ipv6.ifid, ifid, sizeof(ac->peer.ipv6.ifid));
1093 * Send an accounting request to the RADIUS server
1096 radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
1097 int acct_type, struct pppThroughput *stats)
1101 char hostname[MAXHOSTNAMELEN];
1104 struct in_addr hostaddr;
1111 * We assume that our name/key/challenge is the same as last time,
1112 * and just continue to wait for the RADIUS server(s).
1116 timer_Stop(&r->cx.timer);
1118 if ((r->cx.rad = rad_acct_open()) == NULL) {
1119 log_Printf(LogERROR, "rad_auth_open: %s\n", strerror(errno));
1123 if (rad_config(r->cx.rad, r->cfg.file) != 0) {
1124 log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(r->cx.rad));
1125 rad_close(r->cx.rad);
1129 if (rad_create_request(r->cx.rad, RAD_ACCOUNTING_REQUEST) != 0) {
1130 log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(r->cx.rad));
1131 rad_close(r->cx.rad);
1135 /* Grab some accounting data and initialize structure */
1136 if (acct_type == RAD_START) {
1138 /* Fetch username from datalink */
1139 strncpy(ac->user_name, dl->peer.authname, sizeof ac->user_name);
1140 ac->user_name[AUTHLEN-1] = '\0';
1142 ac->authentic = 2; /* Assume RADIUS verified auth data */
1144 /* Generate a session ID */
1145 snprintf(ac->session_id, sizeof ac->session_id, "%s%ld-%s%lu",
1146 dl->bundle->cfg.auth.name, (long)getpid(),
1147 dl->peer.authname, (unsigned long)stats->uptime);
1149 /* And grab our MP socket name */
1150 snprintf(ac->multi_session_id, sizeof ac->multi_session_id, "%s",
1151 dl->bundle->ncp.mp.active ?
1152 dl->bundle->ncp.mp.server.socket.sun_path : "");
1155 if (rad_put_string(r->cx.rad, RAD_USER_NAME, ac->user_name) != 0 ||
1156 rad_put_int(r->cx.rad, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 ||
1157 rad_put_int(r->cx.rad, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) {
1158 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1159 rad_close(r->cx.rad);
1162 switch (ac->proto) {
1164 if (rad_put_addr(r->cx.rad, RAD_FRAMED_IP_ADDRESS,
1165 ac->peer.ip.addr) != 0 ||
1166 rad_put_addr(r->cx.rad, RAD_FRAMED_IP_NETMASK,
1167 ac->peer.ip.mask) != 0) {
1168 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1169 rad_close(r->cx.rad);
1175 if (rad_put_attr(r->cx.rad, RAD_FRAMED_INTERFACE_ID, ac->peer.ipv6.ifid,
1176 sizeof(ac->peer.ipv6.ifid)) != 0) {
1177 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad));
1178 rad_close(r->cx.rad);
1181 if (r->ipv6prefix) {
1183 * Since PPP doesn't delegate an IPv6 prefix to a peer,
1184 * Framed-IPv6-Prefix may be not used, actually.
1186 if (rad_put_attr(r->cx.rad, RAD_FRAMED_IPV6_PREFIX, r->ipv6prefix,
1187 sizeof(struct in6_addr) + 2) != 0) {
1188 log_Printf(LogERROR, "rad_put_attr: %s\n", rad_strerror(r->cx.rad));
1189 rad_close(r->cx.rad);
1196 /* We don't log any protocol specific information */
1200 if ((mac_addr = getenv("HISMACADDR")) != NULL &&
1201 rad_put_string(r->cx.rad, RAD_CALLING_STATION_ID, mac_addr) != 0) {
1202 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1203 rad_close(r->cx.rad);
1207 if (gethostname(hostname, sizeof hostname) != 0)
1208 log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
1210 if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) &&
1211 (hp = gethostbyname(hostname)) != NULL) {
1212 hostaddr.s_addr = *(u_long *)hp->h_addr;
1213 if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
1214 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1215 rad_strerror(r->cx.rad));
1216 rad_close(r->cx.rad);
1220 if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) &&
1221 rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
1222 log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
1223 rad_strerror(r->cx.rad));
1224 rad_close(r->cx.rad);
1229 radius_put_physical_details(r, dl->physical);
1231 if (rad_put_int(r->cx.rad, RAD_ACCT_STATUS_TYPE, acct_type) != 0 ||
1232 rad_put_string(r->cx.rad, RAD_ACCT_SESSION_ID, ac->session_id) != 0 ||
1233 rad_put_string(r->cx.rad, RAD_ACCT_MULTI_SESSION_ID,
1234 ac->multi_session_id) != 0 ||
1235 rad_put_int(r->cx.rad, RAD_ACCT_DELAY_TIME, 0) != 0) {
1236 /* XXX ACCT_DELAY_TIME should be increased each time a packet is waiting */
1237 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1238 rad_close(r->cx.rad);
1242 if (acct_type == RAD_STOP || acct_type == RAD_ALIVE)
1243 /* Show some statistics */
1244 if (rad_put_int(r->cx.rad, RAD_ACCT_INPUT_OCTETS, stats->OctetsIn % UINT32_MAX) != 0 ||
1245 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_GIGAWORDS, stats->OctetsIn / UINT32_MAX) != 0 ||
1246 rad_put_int(r->cx.rad, RAD_ACCT_INPUT_PACKETS, stats->PacketsIn) != 0 ||
1247 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_OCTETS, stats->OctetsOut % UINT32_MAX) != 0 ||
1248 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_GIGAWORDS, stats->OctetsOut / UINT32_MAX) != 0 ||
1249 rad_put_int(r->cx.rad, RAD_ACCT_OUTPUT_PACKETS, stats->PacketsOut)
1251 rad_put_int(r->cx.rad, RAD_ACCT_SESSION_TIME, throughput_uptime(stats))
1253 log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(r->cx.rad));
1254 rad_close(r->cx.rad);
1258 if (log_IsKept(LogPHASE) || log_IsKept(LogRADIUS)) {
1262 switch (acct_type) {
1265 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1269 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1277 level = log_IsKept(LogPHASE) ? LogPHASE : LogRADIUS;
1280 log_Printf(level, "Radius(acct): %s data sent\n", what);
1283 r->cx.auth = NULL; /* Not valid for accounting requests */
1284 if ((got = rad_init_send_request(r->cx.rad, &r->cx.fd, &tv)))
1285 radius_Process(r, got);
1287 log_Printf(LogDEBUG, "Using radius_Timeout [%p]\n", radius_Timeout);
1288 r->cx.timer.load = tv.tv_usec / TICKUNIT + tv.tv_sec * SECTICKS;
1289 r->cx.timer.func = radius_Timeout;
1290 r->cx.timer.name = "radius acct";
1291 r->cx.timer.arg = r;
1292 timer_Start(&r->cx.timer);
1297 * How do things look at the moment ?
1300 radius_Show(struct radius *r, struct prompt *p)
1302 prompt_Printf(p, " Radius config: %s",
1303 *r->cfg.file ? r->cfg.file : "none");
1305 prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip));
1306 prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask));
1307 prompt_Printf(p, " MTU: %lu\n", r->mtu);
1308 prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis");
1309 prompt_Printf(p, " Message: %s\n", r->repstr ? r->repstr : "");
1310 prompt_Printf(p, " MPPE Enc Policy: %s\n",
1311 radius_policyname(r->mppe.policy));
1312 prompt_Printf(p, " MPPE Enc Types: %s\n",
1313 radius_typesname(r->mppe.types));
1314 prompt_Printf(p, " MPPE Recv Key: %seceived\n",
1315 r->mppe.recvkey ? "R" : "Not r");
1316 prompt_Printf(p, " MPPE Send Key: %seceived\n",
1317 r->mppe.sendkey ? "R" : "Not r");
1318 prompt_Printf(p, " MS-CHAP2-Response: %s\n",
1319 r->msrepstr ? r->msrepstr : "");
1320 prompt_Printf(p, " Error Message: %s\n", r->errstr ? r->errstr : "");
1322 route_ShowSticky(p, r->routes, " Routes", 16);
1325 route_ShowSticky(p, r->ipv6routes, " IPv6 Routes", 16);
1328 prompt_Printf(p, " (not authenticated)\n");
1332 radius_alive(void *v)
1334 struct bundle *bundle = (struct bundle *)v;
1336 timer_Stop(&bundle->radius.alive.timer);
1337 bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS;
1338 if (bundle->radius.alive.timer.load) {
1339 radius_Account(&bundle->radius, &bundle->radacct,
1340 bundle->links, RAD_ALIVE, &bundle->ncp.ipcp.throughput);
1341 timer_Start(&bundle->radius.alive.timer);
1346 radius_StartTimer(struct bundle *bundle)
1348 if (bundle->radius.cfg.file && bundle->radius.alive.interval) {
1349 bundle->radius.alive.timer.func = radius_alive;
1350 bundle->radius.alive.timer.name = "radius alive";
1351 bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS;
1352 bundle->radius.alive.timer.arg = bundle;
1353 radius_alive(bundle);
1358 radius_StopTimer(struct radius *r)
1360 timer_Stop(&r->alive.timer);