authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2024-09-15 11:08:51 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2024-09-15 11:08:51 +0000
commit4d3371919fa991220b0ad5825189da84ccba22ea (patch)
tree9c9541902589de299ba358336a2a3cfdb7037daa
parente85030ff11ba3e2767bef29bc50690a162c71233 (diff)
Add handling of "Class" attribute. diff from markus
ok markus
-rw-r--r--sbin/iked/config.c3
-rw-r--r--sbin/iked/iked.h3
-rw-r--r--sbin/iked/ikev2.c4
-rw-r--r--sbin/iked/radius.c16
4 files changed, 22 insertions, 4 deletions
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index d4204509522..def970e05a0 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: config.c,v 1.99 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -178,6 +178,7 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
ibuf_free(sa->sa_eap.id_buf);
free(sa->sa_eapid);
ibuf_free(sa->sa_eapmsk);
+ ibuf_free(sa->sa_eapclass);
free(sa->sa_cp_addr);
free(sa->sa_cp_addr6);
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 5d95dd92908..d3da0b7b38d 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -491,6 +491,7 @@ struct iked_sa {
char *sa_eapid; /* EAP identity */
struct iked_id sa_eap; /* EAP challenge */
struct ibuf *sa_eapmsk; /* EAK session key */
+ struct ibuf *sa_eapclass; /* EAP/RADIUS class */
struct iked_proposals sa_proposals; /* SA proposals */
struct iked_childsas sa_childsas; /* IPsec Child SAs */
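Review bot: The comment on the new `sa_eapclass` member names the attribute but says nothing about ownership, and struct iked_sa is where the next reader will look for it; within this commit the buffer is allocated by the RADIUS reply handler in radius.c, duplicated into the new SA in ikev2_ikesa_enable() and released in config_free_sa(). Suggested wording: `struct ibuf *sa_eapclass; /* RADIUS Class attr (opaque, echoed in acct) */`. struct iked_sa begins and ends outside the hunk.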
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index ccbab9de1cb..b6e8ecee93c 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: ikev2.c,v 1.388 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -4774,6 +4774,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
/* sa_eapid needs to be set on both for radius accounting */
if (sa->sa_eapid)
nsa->sa_eapid = strdup(sa->sa_eapid);
+ if (sa->sa_eapclass)
+ nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
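Review bot: The ibuf_dup() result at the new `nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);` line is not checked, so on allocation failure the rekeyed SA silently loses the Class attribute and its later Accounting-Request goes out without it, whereas the radius.c hunk of this same commit does log the equivalent ibuf_new() failure. Mirroring that: `if (sa->sa_eapclass && (nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass)) == NULL)` followed by `log_info("%s: ibuf_dup() failed: %s", __func__, strerror(errno));`. This assumes nsa->sa_eapclass is still NULL at this point (nsa being the freshly negotiated SA); if it could already hold a buffer an ibuf_free() would be needed first. ikev2_ikesa_enable() starts and ends outside the hunk.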
diff --git a/sbin/iked/radius.c b/sbin/iked/radius.c
index e14c83560ad..fcaf52198c2 100644
--- a/sbin/iked/radius.c
+++ b/sbin/iked/radius.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radius.c,v 1.12 2024/09/11 00:41:51 yasuoka Exp $ */
+/* $OpenBSD: radius.c,v 1.13 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -270,6 +270,16 @@ iked_radius_on_event(int fd, short ev, void *ctx)
req->rr_sa->sa_eapid = req->rr_user;
req->rr_user = NULL;
+ if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
+ &attrlen) == 0) {
+ ibuf_free(req->rr_sa->sa_eapclass);
+ if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
+ attrlen)) == NULL) {
+ log_info("%s: ibuf_new() failed: %s", __func__,
+ strerror(errno));
+ }
+ }
+
sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
/* Map RADIUS attributes to cp */
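Review bot: Only a single Class value is captured at the new radius_get_raw_attr_ptr() call; RFC 2865 permits an Access-Accept to carry several Class attributes, each of which the NAS is expected to echo in Accounting-Request, so if radius_get_raw_attr_ptr() returns just the first match the remaining ones are dropped. If that limitation is intended for now, a comment such as `/* only the first Class attribute is kept; multiple Class attrs are not supported */` above the call would make it explicit for whoever debugs a mismatch on the accounting side. The ENOMEM path leaves sa_eapclass NULL and still proceeds to IKEV2_STATE_AUTH_SUCCESS, which is reasonable since Class only feeds accounting, but a one-line comment stating that the attribute is optional would make the choice deliberate rather than accidental. attrval/attrlen are declared outside the hunk, and iked_radius_on_event() begins and ends outside it.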
@@ -748,6 +758,10 @@ iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
switch (stype) {
case RADIUS_ACCT_STATUS_TYPE_START:
+ if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
+ radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
+ ibuf_data(req->rr_sa->sa_eapclass),
+ ibuf_size(req->rr_sa->sa_eapclass));
break;
case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
case RADIUS_ACCT_STATUS_TYPE_STOP: