summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2024-07-13 12:25:08 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2024-07-13 12:25:08 +0000
commit2cf87d2bf808395d82c163e8604a39505fe72a7b (patch)
treeb3ede6d1542114d3257fb96921a0f61726bb0abe
parentbc7304d910477e4c473ae4a6c5dc2ef2db807c6d (diff)
Fix radius.c. Previous it was broken.
-rw-r--r--sbin/iked/radius.c939
1 files changed, 1 insertions, 938 deletions
diff --git a/sbin/iked/radius.c b/sbin/iked/radius.c
index a9e7d3a9d84..1a89962f2a8 100644
--- a/sbin/iked/radius.c
+++ b/sbin/iked/radius.c
@@ -1,941 +1,4 @@
-/* $OpenBSD: radius.c,v 1.3 2024/07/13 12:22:46 yasuoka Exp $ */
-
-/*
- * Copyright (c) 2024 Internet Initiative Japan Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <arpa/inet.h>
-#include <netinet/ip_ipsp.h>
-
-#include <endian.h>
-#include <event.h>
-#include <errno.h>
-#include <imsg.h>
-#include <limits.h>
-#include <netinet/in.h>
-#include <radius.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <strings.h>
-#include <time.h>
-
-#include "iked.h"
-#include "eap.h"
-#include "ikev2.h"
-#include "types.h"
-
-void iked_radius_request_send(struct iked *, void *);
-void iked_radius_fill_attributes(struct iked_sa *, RADIUS_PACKET *);
-void iked_radius_config(struct iked_radserver_req *, const RADIUS_PACKET *,
- int, uint32_t, uint8_t);
-void iked_radius_acct_request(struct iked *, struct iked_sa *, uint8_t);
-
-const struct iked_radcfgmap radius_cfgmaps[] = {
- { IKEV2_CFG_INTERNAL_IP4_ADDRESS, 0, RADIUS_TYPE_FRAMED_IP_ADDRESS },
- { IKEV2_CFG_INTERNAL_IP4_NETMASK, 0, RADIUS_TYPE_FRAMED_IP_NETMASK },
- { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
- RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER },
- { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
- RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER },
- { IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
- RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER },
- { IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
- RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER },
- { 0 }
-};
-
-int
-iked_radius_request(struct iked *env, struct iked_sa *sa,
- struct iked_message *msg)
-{
- struct eap_message *eap;
- RADIUS_PACKET *pkt;
- size_t len;
-
- eap = ibuf_data(msg->msg_eapmsg);
- len = betoh16(eap->eap_length);
- if (eap->eap_code != EAP_CODE_RESPONSE) {
- log_debug("%s: eap_code is not response %u", __func__,
- (unsigned)eap->eap_code);
- return -1;
- }
-
- if (eap->eap_type == EAP_TYPE_IDENTITY) {
- if ((sa->sa_radreq = calloc(1,
- sizeof(struct iked_radserver_req))) == NULL) {
- log_debug(
- "%s: calloc failed for iked_radserver_req: %s",
- __func__, strerror(errno));
- return (-1);
- }
- timer_set(env, &sa->sa_radreq->rr_timer,
- iked_radius_request_send, sa->sa_radreq);
- sa->sa_radreq->rr_user = strdup(msg->msg_eap.eam_identity);
- }
-
- if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST))
- == NULL) {
- log_debug("%s: radius_new_request_packet failed %s", __func__,
- strerror(errno));
- return -1;
- }
-
- radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME,
- sa->sa_radreq->rr_user);
- if (sa->sa_radreq->rr_state != NULL)
- radius_put_raw_attr(pkt, RADIUS_TYPE_STATE,
- ibuf_data(sa->sa_radreq->rr_state),
- ibuf_size(sa->sa_radreq->rr_state));
-
- if (radius_put_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
- (uint8_t *)eap, len) == -1) {
- log_debug("%s: radius_put_raw_attr_cat failed %s", __func__,
- strerror(errno));
- return -1;
- }
-
- iked_radius_fill_attributes(sa, pkt);
-
- /* save the request, it'll be needed for message authentication */
- if (sa->sa_radreq->rr_reqpkt != NULL)
- radius_delete_packet(sa->sa_radreq->rr_reqpkt);
- sa->sa_radreq->rr_reqpkt = pkt;
- sa->sa_radreq->rr_sa = sa;
- sa->sa_radreq->rr_ntry = 0;
-
- iked_radius_request_send(env, sa->sa_radreq);
-
- return 0;
-}
-
-void
-iked_radius_request_free(struct iked *env, struct iked_radserver_req *req)
-{
- if (req == NULL)
- return;
- timer_del(env, &req->rr_timer);
- free(req->rr_user);
- ibuf_free(req->rr_state);
- if (req->rr_reqpkt)
- radius_delete_packet(req->rr_reqpkt);
- if (req->rr_sa)
- req->rr_sa->sa_radreq = NULL;
- if (req->rr_server)
- TAILQ_REMOVE(&req->rr_server->rs_reqs, req, rr_entry);
- free(req);
-}
-
-void
-iked_radius_on_event(int fd, short ev, void *ctx)
-{
- struct iked *env;
- struct iked_radserver *server = ctx;
- struct iked_radserver_req *req;
- const struct iked_radcfgmap *cfgmap;
- RADIUS_PACKET *pkt;
- int i, resid;
- struct ibuf *e;
- const void *attrval;
- size_t attrlen;
- uint8_t code;
- char username[256];
- u_char eapmsk[128];
- /* RFC 3748 defines the MSK minimum size is 64 bytes */
- size_t eapmsksiz = sizeof(eapmsk);
-
- env = server->rs_env;
- pkt = radius_recv(server->rs_sock, 0);
- if (pkt == NULL) {
- log_info("%s: receiving a RADIUS message failed: %s", __func__,
- strerror(errno));
- return;
- }
- resid = radius_get_id(pkt);
-
- TAILQ_FOREACH(req, &server->rs_reqs, rr_entry) {
- if (req->rr_reqid == resid)
- break;
- }
- if (req == NULL) {
- log_debug("%s: received an unknown RADIUS message: id=%u",
- __func__, (unsigned)resid);
- return;
- }
-
- radius_set_request_packet(pkt, req->rr_reqpkt);
- if (radius_check_response_authenticator(pkt, server->rs_secret) != 0) {
- log_info("%s: received an invalid RADIUS message: bad "
- "response authenticator", __func__);
- return;
- }
- if (req->rr_accounting) {
- /* accounting */
- code = radius_get_code(pkt);
- switch (code) {
- case RADIUS_CODE_ACCOUNTING_RESPONSE: /* Expected */
- break;
- default:
- log_info("%s: received an invalid RADIUS message: "
- "code %u", __func__, (unsigned)code);
- }
- timer_del(env, &req->rr_timer);
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- free(req);
- return;
- }
-
- /* authentication */
- if (radius_check_message_authenticator(pkt, server->rs_secret) != 0) {
- log_info("%s: received an invalid RADIUS message: bad "
- "message authenticator", __func__);
- return;
- }
-
- timer_del(env, &req->rr_timer);
- req->rr_ntry = 0;
-
- if (req->rr_sa == NULL)
- goto fail;
-
- code = radius_get_code(pkt);
- switch (code) {
- case RADIUS_CODE_ACCESS_CHALLENGE:
- if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_STATE, &attrval,
- &attrlen) != 0) {
- log_info("%s: received an invalid RADIUS message: no "
- "state attribute", __func__);
- goto fail;
- }
- if ((req->rr_state != NULL &&
- ibuf_set(req->rr_state, 0, attrval, attrlen) != 0) ||
- (req->rr_state = ibuf_new(attrval, attrlen)) == NULL) {
- log_info("%s: ibuf_new() failed: %s", __func__,
- strerror(errno));
- goto fail;
- }
- break;
- case RADIUS_CODE_ACCESS_ACCEPT:
- log_info("%s: received Access-Accept for %s",
- SPI_SA(req->rr_sa, __func__), req->rr_user);
- /* Try to retrieve the EAP MSK from the RADIUS response */
- if (radius_get_eap_msk(pkt, eapmsk, &eapmsksiz,
- server->rs_secret) == 0) {
- ibuf_free(req->rr_sa->sa_eapmsk);
- if ((req->rr_sa->sa_eapmsk = ibuf_new(eapmsk,
- eapmsksiz)) == NULL) {
- log_info("%s: ibuf_new() failed: %s", __func__,
- strerror(errno));
- goto fail;
- }
- } else
- log_debug("Could not retrieve the EAP MSK from the "
- "RADIUS message");
-
- free(req->rr_sa->sa_eapid);
- /* The EAP identity might be protected (RFC 3748 7.3) */
- if (radius_get_string_attr(pkt, RADIUS_TYPE_USER_NAME,
- username, sizeof(username)) == 0 &&
- strcmp(username, req->rr_user) != 0) {
- /*
- * The Access-Accept might have a User-Name. It
- * should be used for Accouting (RFC 2865 5.1).
- */
- free(req->rr_user);
- req->rr_sa->sa_eapid = strdup(username);
- } else
- req->rr_sa->sa_eapid = req->rr_user;
- req->rr_user = NULL;
-
- sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
-
- /* Map RADIUS attributes to cp */
- if (TAILQ_EMPTY(&env->sc_radcfgmaps)) {
- for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) {
- cfgmap = &radius_cfgmaps[i];
- iked_radius_config(req, pkt, cfgmap->cfg_type,
- cfgmap->vendor_id, cfgmap->attr_type);
- }
- } else {
- TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry)
- iked_radius_config(req, pkt, cfgmap->cfg_type,
- cfgmap->vendor_id, cfgmap->attr_type);
- }
-
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- break;
- case RADIUS_CODE_ACCESS_REJECT:
- log_info("%s: received Access-Reject for %s",
- SPI_SA(req->rr_sa, __func__), req->rr_user);
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- break;
- default:
- log_debug("%s: received an invalid RADIUS message: code %u",
- __func__, (unsigned)code);
- break;
- }
-
- /* get the length first */
- if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, NULL,
- &attrlen) != 0) {
- log_info("%s: failed to retrieve the EAP message", __func__);
- goto fail;
- }
- /* allocate a buffer */
- if ((e = ibuf_new(NULL, attrlen)) == NULL) {
- log_info("%s: ibuf_new() failed: %s", __func__,
- strerror(errno));
- goto fail;
- }
- /* copy the message to the buffer */
- if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
- ibuf_data(e), &attrlen) != 0) {
- ibuf_free(e);
- log_info("%s: failed to retrieve the EAP message", __func__);
- goto fail;
- }
- ikev2_send_ike_e(env, req->rr_sa, e, IKEV2_PAYLOAD_EAP,
- IKEV2_EXCHANGE_IKE_AUTH, 1);
- return;
- fail:
- if (req->rr_server != NULL)
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- if (req->rr_sa != NULL) {
- ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
- sa_free(env, req->rr_sa);
- }
-}
-
-void
-iked_radius_request_send(struct iked *env, void *ctx)
-{
- struct iked_radserver_req *req = ctx, *req0;
- struct iked_radserver *server = req->rr_server;
- const int timeouts[] = { 2, 4, 8 };
- uint8_t seq;
- int i, max_tries, max_failovers;
- struct sockaddr_storage ss;
- socklen_t sslen;
- struct iked_radservers *radservers;
- struct timespec now;
-
- if (!req->rr_accounting) {
- max_tries = env->sc_radauth.max_tries;
- max_failovers = env->sc_radauth.max_failovers;
- radservers = &env->sc_radauthservers;
- } else {
- max_tries = env->sc_radacct.max_tries;
- max_failovers = env->sc_radacct.max_failovers;
- radservers = &env->sc_radacctservers;
- }
-
- if (req->rr_ntry > max_tries) {
- req->rr_ntry = 0;
- log_info("%s: RADIUS server %s failed", __func__,
- print_addr(&server->rs_sockaddr));
- next_server:
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- if (req->rr_nfailover >= max_failovers ||
- TAILQ_NEXT(server, rs_entry) == NULL) {
- log_info("%s: No more RADIUS server", __func__);
- goto fail;
- } else if (req->rr_state != NULL) {
- log_info("%s: Can't change RADIUS server: "
- "client has a state already", __func__);
- goto fail;
- } else {
- TAILQ_REMOVE(radservers, server, rs_entry);
- TAILQ_INSERT_TAIL(radservers, server, rs_entry);
- server = TAILQ_FIRST(radservers);
- log_info("%s: RADIUS server %s is active",
- __func__, print_addr(&server->rs_sockaddr));
- }
- req->rr_nfailover++;
- }
-
- if (req->rr_server != NULL &&
- req->rr_server != TAILQ_FIRST(radservers)) {
- /* Current server is marked fail */
- if (req->rr_state != NULL || req->rr_nfailover >= max_failovers)
- goto fail; /* can't fail over */
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- req->rr_nfailover++;
- }
-
- if (req->rr_server == NULL) {
- /* Select a new server */
- server = TAILQ_FIRST(radservers);
- if (server == NULL) {
- log_info("%s: No RADIUS server is configured",
- __func__);
- goto fail;
- }
- TAILQ_INSERT_TAIL(&server->rs_reqs, req, rr_entry);
- req->rr_server = server;
-
- /* Prepare NAS-IP-Address */
- if (server->rs_nas_ipv4.s_addr == INADDR_ANY &&
- IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6)) {
- sslen = sizeof(ss);
- if (getsockname(server->rs_sock, (struct sockaddr *)&ss,
- &sslen) == 0) {
- if (ss.ss_family == AF_INET)
- server->rs_nas_ipv4 =
- ((struct sockaddr_in *)&ss)
- ->sin_addr;
- else
- server->rs_nas_ipv6 =
- ((struct sockaddr_in6 *)&ss)
- ->sin6_addr;
- }
- }
- }
- if (req->rr_ntry == 0) {
- /* decide the ID */
- seq = ++server->rs_reqseq;
- for (i = 0; i < UCHAR_MAX; i++) {
- TAILQ_FOREACH(req0, &server->rs_reqs, rr_entry) {
- if (req0->rr_reqid == seq)
- break;
- }
- if (req0 == NULL)
- break;
- seq++;
- }
- if (i >= UCHAR_MAX) {
- log_info("%s: RADIUS server %s failed. Too many "
- "pending requests", __func__,
- print_addr(&server->rs_sockaddr));
- if (TAILQ_NEXT(server, rs_entry) != NULL)
- goto next_server;
- goto fail;
- }
- req->rr_reqid = seq;
- radius_set_id(req->rr_reqpkt, req->rr_reqid);
- }
-
- if (server->rs_nas_ipv4.s_addr != INADDR_ANY)
- radius_put_ipv4_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IP_ADDRESS,
- server->rs_nas_ipv4);
- else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6))
- radius_put_ipv6_attr(req->rr_reqpkt,
- RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6);
- /* Identifier */
- radius_put_string_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IDENTIFIER,
- IKED_NAS_ID);
-
- if (req->rr_accounting) {
- if (req->rr_ntry == 0 && req->rr_nfailover == 0)
- radius_put_uint32_attr(req->rr_reqpkt,
- RADIUS_TYPE_ACCT_DELAY_TIME, 0);
- else {
- clock_gettime(CLOCK_MONOTONIC, &now);
- timespecsub(&now, &req->rr_accttime, &now);
- radius_put_uint32_attr(req->rr_reqpkt,
- RADIUS_TYPE_ACCT_DELAY_TIME, now.tv_sec);
- }
- radius_set_accounting_request_authenticator(req->rr_reqpkt,
- server->rs_secret);
- } else {
- radius_put_message_authenticator(req->rr_reqpkt,
- server->rs_secret);
- }
-
- if (radius_send(server->rs_sock, req->rr_reqpkt, 0) < 0)
- log_info("%s: sending a RADIUS message failed: %s", __func__,
- strerror(errno));
-
- if (req->rr_ntry >= (int)nitems(timeouts))
- timer_add(env, &req->rr_timer, timeouts[nitems(timeouts) - 1]);
- else
- timer_add(env, &req->rr_timer, timeouts[req->rr_ntry]);
- req->rr_ntry++;
- return;
- fail:
- if (req->rr_server != NULL)
- TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
- req->rr_server = NULL;
- if (req->rr_sa != NULL) {
- ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
- sa_free(env, req->rr_sa);
- }
-}
-
-void
-iked_radius_fill_attributes(struct iked_sa *sa, RADIUS_PACKET *pkt)
-{
- /* NAS Port Type = Virtual */
- radius_put_uint32_attr(pkt,
- RADIUS_TYPE_NAS_PORT_TYPE, RADIUS_NAS_PORT_TYPE_VIRTUAL);
- /* Service Type = Framed */
- radius_put_uint32_attr(pkt, RADIUS_TYPE_SERVICE_TYPE,
- RADIUS_SERVICE_TYPE_FRAMED);
- /* Tunnel Type = EAP */
- radius_put_uint32_attr(pkt, RADIUS_TYPE_TUNNEL_TYPE,
- RADIUS_TUNNEL_TYPE_ESP);
-
- radius_put_string_attr(pkt, RADIUS_TYPE_CALLED_STATION_ID,
- print_addr(&sa->sa_local.addr));
- radius_put_string_attr(pkt, RADIUS_TYPE_CALLING_STATION_ID,
- print_addr(&sa->sa_peer.addr));
-}
-
-void
-iked_radius_config(struct iked_radserver_req *req, const RADIUS_PACKET *pkt,
- int cfg_type, uint32_t vendor_id, uint8_t attr_type)
-{
- unsigned int i;
- struct iked_sa *sa = req->rr_sa;
- struct in_addr ia4;
- struct in6_addr ia6;
- struct sockaddr_in *sin4;
- struct sockaddr_in6 *sin6;
- struct iked_addr *addr;
- struct iked_cfg *ikecfg;
-
- for (i = 0; i < sa->sa_policy->pol_ncfg; i++) {
- ikecfg = &sa->sa_policy->pol_cfg[i];
- if (ikecfg->cfg_type == cfg_type &&
- ikecfg->cfg_type != IKEV2_CFG_INTERNAL_IP4_ADDRESS)
- return; /* use config rather than radius */
- }
- switch (cfg_type) {
- case IKEV2_CFG_INTERNAL_IP4_ADDRESS:
- case IKEV2_CFG_INTERNAL_IP4_NETMASK:
- case IKEV2_CFG_INTERNAL_IP4_DNS:
- case IKEV2_CFG_INTERNAL_IP4_NBNS:
- case IKEV2_CFG_INTERNAL_IP4_DHCP:
- case IKEV2_CFG_INTERNAL_IP4_SERVER:
- if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
- radius_get_ipv4_attr(pkt, attr_type, &ia4);
- else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
- attr_type))
- radius_get_vs_ipv4_attr(pkt, vendor_id, attr_type,
- &ia4);
- else
- break; /* no attribute contained */
-
- if (cfg_type == IKEV2_CFG_INTERNAL_IP4_NETMASK) {
- /*
- * This assumes IKEV2_CFG_INTERNAL_IP4_ADDRESS is
- * called before IKEV2_CFG_INTERNAL_IP4_NETMASK
- */
- if (sa->sa_rad_addr == NULL) {
- /*
- * RFC 7296, IKEV2_CFG_INTERNAL_IP4_NETMASK
- * must be used with
- * IKEV2_CFG_INTERNAL_IP4_ADDRESS
- */
- break;
- }
- if (ia4.s_addr == 0) {
- log_debug("%s: netmask is wrong", __func__);
- break;
- }
- if (ia4.s_addr == htonl(0))
- sa->sa_rad_addr->addr_mask = 0;
- else
- sa->sa_rad_addr->addr_mask =
- 33 - ffs(ntohl(ia4.s_addr));
- if (sa->sa_rad_addr->addr_mask < 32)
- sa->sa_rad_addr->addr_net = 1;
- }
- if (cfg_type == IKEV2_CFG_INTERNAL_IP4_ADDRESS) {
- if ((addr = calloc(1, sizeof(*addr))) == NULL) {
- log_warn("%s: calloc", __func__);
- return;
- }
- sa->sa_rad_addr = addr;
- } else {
- req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
- req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
- addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
- req->rr_ncfg++;
- }
- addr->addr_af = AF_INET;
- sin4 = (struct sockaddr_in *)&addr->addr;
- sin4->sin_family = AF_INET;
- sin4->sin_len = sizeof(struct sockaddr_in);
- sin4->sin_addr = ia4;
- break;
- case IKEV2_CFG_INTERNAL_IP6_ADDRESS:
- case IKEV2_CFG_INTERNAL_IP6_DNS:
- case IKEV2_CFG_INTERNAL_IP6_NBNS:
- case IKEV2_CFG_INTERNAL_IP6_DHCP:
- case IKEV2_CFG_INTERNAL_IP6_SERVER:
- if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
- radius_get_ipv6_attr(pkt, attr_type, &ia6);
- else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
- attr_type))
- radius_get_vs_ipv6_attr(pkt, vendor_id, attr_type,
- &ia6);
- else
- break; /* no attribute contained */
-
- if (cfg_type == IKEV2_CFG_INTERNAL_IP6_ADDRESS) {
- if ((addr = calloc(1, sizeof(*addr))) == NULL) {
- log_warn("%s: calloc", __func__);
- return;
- }
- sa->sa_rad_addr = addr;
- } else {
- req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
- req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
- addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
- req->rr_ncfg++;
- }
- addr->addr_af = AF_INET;
- sin6 = (struct sockaddr_in6 *)&addr->addr;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_len = sizeof(struct sockaddr_in6);
- sin6->sin6_addr = ia6;
- break;
- }
- return;
-}
-
-void
-iked_radius_acct_on(struct iked *env)
-{
- if (TAILQ_EMPTY(&env->sc_radacctservers))
- return;
- if (env->sc_radaccton == 0) { /* trigger once */
- iked_radius_acct_request(env, NULL,
- RADIUS_ACCT_STATUS_TYPE_ACCT_ON);
- env->sc_radaccton = 1;
- }
-}
-
-void
-iked_radius_acct_off(struct iked *env)
-{
- iked_radius_acct_request(env, NULL, RADIUS_ACCT_STATUS_TYPE_ACCT_OFF);
-}
-
-void
-iked_radius_acct_start(struct iked *env, struct iked_sa *sa)
-{
- iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_START);
-}
-
-void
-iked_radius_acct_stop(struct iked *env, struct iked_sa *sa)
-{
- iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_STOP);
-}
-
-void
-iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
-{
- struct iked_radserver_req *req;
- RADIUS_PACKET *pkt;
- struct iked_addr *addr4 = NULL;
- struct iked_addr *addr6 = NULL;
- struct in_addr mask4;
- char sa_id[IKED_ID_SIZE];
- char sid[16 + 1];
- struct timespec now;
- int cause;
-
- if (TAILQ_EMPTY(&env->sc_radacctservers))
- return;
- /*
- * In RFC2866 5.6, "Users who are delivered service without
- * being authenticated SHOULD NOT generate Accounting records
- */
- if (sa != NULL && sa->sa_eapid == NULL) {
- /* fallback to IKEID for accounting */
- if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) != -1)
- sa->sa_eapid = strdup(sa_id);
- if (sa->sa_eapid == NULL)
- return;
- }
-
- if ((req = calloc(1, sizeof(struct iked_radserver_req))) == NULL) {
- log_debug("%s: calloc faile for iked_radserver_req: %s",
- __func__, strerror(errno));
- return;
- }
- req->rr_accounting = 1;
- clock_gettime(CLOCK_MONOTONIC, &now);
- req->rr_accttime = now;
- timer_set(env, &req->rr_timer, iked_radius_request_send, req);
-
- if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCOUNTING_REQUEST))
- == NULL) {
- log_debug("%s: radius_new_request_packet failed %s", __func__,
- strerror(errno));
- return;
- }
-
- /* RFC 2866 5.1. Acct-Status-Type */
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE, stype);
-
- if (sa == NULL) {
- /* ASSERT(stype == RADIUS_ACCT_STATUS_TYPE_ACCT_ON ||
- stype == RADIUS_ACCT_STATUS_TYPE_ACCT_OFF) */
- req->rr_reqpkt = pkt;
- req->rr_ntry = 0;
- iked_radius_request_send(env, req);
- return;
- }
-
- iked_radius_fill_attributes(sa, pkt);
-
- radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME, sa->sa_eapid);
-
- /* RFC 2866 5.5. Acct-Session-Id */
- snprintf(sid, sizeof(sid), "%016llx",
- (unsigned long long)sa->sa_hdr.sh_ispi);
- radius_put_string_attr(pkt, RADIUS_TYPE_ACCT_SESSION_ID, sid);
-
- /* Accounting Request must have Framed-IP-Address */
- addr4 = sa->sa_addrpool;
- if (addr4 != NULL) {
- radius_put_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS,
- ((struct sockaddr_in *)&addr4->addr)->sin_addr);
- if (addr4->addr_mask != 0) {
- mask4.s_addr = htonl(
- 0xFFFFFFFFUL << (32 - addr4->addr_mask));
- radius_put_ipv4_attr(pkt,
- RADIUS_TYPE_FRAMED_IP_NETMASK, mask4);
- }
- }
- addr6 = sa->sa_addrpool6;
- if (addr6 != NULL)
- radius_put_ipv6_attr(pkt, RADIUS_TYPE_FRAMED_IPV6_ADDRESS,
- &((struct sockaddr_in6 *)&addr6->addr)->sin6_addr);
-
- /* RFC2866 5.6 Acct-Authentic */
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_AUTHENTIC,
- (sa->sa_radreq != NULL)? RADIUS_ACCT_AUTHENTIC_RADIUS :
- RADIUS_ACCT_AUTHENTIC_LOCAL);
-
- switch (stype) {
- case RADIUS_ACCT_STATUS_TYPE_START:
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE,
- RADIUS_ACCT_STATUS_TYPE_START);
- break;
- case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
- case RADIUS_ACCT_STATUS_TYPE_STOP:
- /* RFC 2866 5.7. Acct-Session-Time */
- timespecsub(&now, &sa->sa_starttime, &now);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_SESSION_TIME,
- now.tv_sec);
- /* RFC 2866 5.10 Acct-Terminate-Cause */
- cause = RADIUS_TERMNATE_CAUSE_SERVICE_UNAVAIL;
- if (sa->sa_reason) {
- if (strcmp(sa->sa_reason, "received delete") == 0) {
- cause = RADIUS_TERMNATE_CAUSE_USER_REQUEST;
- } else if (strcmp(sa->sa_reason, "SA rekeyed") == 0) {
- cause = RADIUS_TERMNATE_CAUSE_SESSION_TIMEOUT;
- } else if (strncmp(sa->sa_reason, "retransmit",
- strlen("retransmit")) == 0) {
- cause = RADIUS_TERMNATE_CAUSE_LOST_SERVICE;
- } else if (strcmp(sa->sa_reason,
- "disconnect requested") == 0) {
- cause = RADIUS_TERMNATE_CAUSE_ADMIN_RESET;
- }
- }
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_TERMINATE_CAUSE,
- cause);
- /* I/O statistics {Input,Output}-{Packets,Octets,Gigawords} */
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_PACKETS,
- sa->sa_stats.sas_ipackets);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_PACKETS,
- sa->sa_stats.sas_opackets);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_OCTETS,
- sa->sa_stats.sas_ibytes & 0xffffffffUL);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_OCTETS,
- sa->sa_stats.sas_obytes & 0xffffffffUL);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_GIGAWORDS,
- sa->sa_stats.sas_ibytes >> 32);
- radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_GIGAWORDS,
- sa->sa_stats.sas_obytes >> 32);
- break;
- }
- req->rr_reqpkt = pkt;
- req->rr_ntry = 0;
- iked_radius_request_send(env, req);
-}
-
-void
-iked_radius_dae_on_event(int fd, short ev, void *ctx)
-{
- struct iked_raddae *dae = ctx;
- struct iked *env = dae->rd_env;
- RADIUS_PACKET *req = NULL, *res = NULL;
- struct sockaddr_storage ss;
- socklen_t sslen;
- struct iked_radclient *client;
- struct iked_sa *sa = NULL;
- char attr[256], username[256];
- char *endp, *reason, *nakcause = NULL;
- int code, n = 0;
- uint64_t ispi = 0;
- uint32_t u32, cause = 0;
- struct iked_addr *addr4 = NULL;
-
- reason = "disconnect requested";
-
- sslen = sizeof(ss);
- req = radius_recvfrom(dae->rd_sock, 0, (struct sockaddr *)&ss, &sslen);
- if (req == NULL) {
- log_warn("%s: receiving a RADIUS message failed: %s", __func__,
- strerror(errno));
- return;
- }
- TAILQ_FOREACH(client, &env->sc_raddaeclients, rc_entry) {
- if (sockaddr_cmp((struct sockaddr *)&client->rc_sockaddr,
- (struct sockaddr *)&ss, -1) == 0)
- break;
- }
- if (client == NULL) {
- log_warnx("%s: received RADIUS message from %s: "
- "unknown client", __func__, print_addr(&ss));
- goto out;
- }
-
- if (radius_check_accounting_request_authenticator(req,
- client->rc_secret) != 0) {
- log_warnx("%s: received an invalid RADIUS message from %s: bad "
- "response authenticator", __func__, print_addr(&ss));
- goto out;
- }
-
- if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) {
- /* Code other than Disconnect-Request is not supported */
- if (code == RADIUS_CODE_COA_REQUEST) {
- code = RADIUS_CODE_COA_NAK;
- cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED;
- nakcause = "Coa-Request is not supprted";
- goto send;
- }
- log_warnx("%s: received an invalid RADIUS message "
- "from %s: unknown code %d", __func__,
- print_addr(&ss), code);
- goto out;
- }
-
- log_info("received Disconnect-Request from %s", print_addr(&ss));
-
- if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr,
- sizeof(attr)) == 0 && strcmp(attr, IKED_NAS_ID) != 0) {
- cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH;
- nakcause = "NAS-Identifier is not matched";
- goto search_done;
- }
-
- /* prepare User-Name attribute */
- memset(username, 0, sizeof(username));
- radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username,
- sizeof(username));
-
- if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr,
- sizeof(attr)) == 0) {
- /* the client is to disconnect a session */
- ispi = strtoull(attr, &endp, 16);
- if (attr[0] == '\0' || *endp != '\0' || errno == ERANGE ||
- ispi == ULLONG_MAX) {
- cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
- nakcause = "Session-Id is wrong";
- goto search_done;
-
- }
- RB_FOREACH(sa, iked_sas, &env->sc_sas) {
- if (sa->sa_hdr.sh_ispi == ispi)
- break;
- }
- if (sa == NULL)
- goto search_done;
- if (username[0] != '\0' && (sa->sa_eapid == NULL ||
- strcmp(username, sa->sa_eapid) != 0)) {
- /* specified User-Name attribute is mismatched */
- cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
- nakcause = "User-Name is not matched";
- goto search_done;
- }
- ikev2_ike_sa_setreason(sa, reason);
- ikev2_ike_sa_delete(env, sa);
- n++;
- } else if (username[0] != '\0') {
- RB_FOREACH(sa, iked_sas, &env->sc_sas) {
- if (sa->sa_eapid != NULL &&
- strcmp(sa->sa_eapid, username) == 0) {
- ikev2_ike_sa_setreason(sa, reason);
- ikev2_ike_sa_delete(env, sa);
- n++;
- }
- }
- } else if (radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS,
- &u32) == 0) {
- addr4 = sa->sa_addrpool;
- if (addr4 != NULL) {
- RB_FOREACH(sa, iked_sas, &env->sc_sas) {
- if (u32 == ((struct sockaddr_in *)&addr4->addr)
- ->sin_addr.s_addr) {
- ikev2_ike_sa_setreason(sa, reason);
- ikev2_ike_sa_delete(env, sa);
- n++;
- }
- }
- }
- }
- search_done:
- if (n > 0)
- code = RADIUS_CODE_DISCONNECT_ACK;
- else {
- if (nakcause == NULL)
- nakcause = "session not found";
- if (cause == 0)
- cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND;
- code = RADIUS_CODE_DISCONNECT_NAK;
- }
- send:
- res = radius_new_response_packet(code, req);
- if (res == NULL) {
- log_warn("%s: radius_new_response_packet", __func__);
- goto out;
- }
- if (cause != 0)
- radius_put_uint32_attr(res, RADIUS_TYPE_ERROR_CAUSE, cause);
- radius_set_response_authenticator(res, client->rc_secret);
- if (radius_sendto(dae->rd_sock, res, 0, (struct sockaddr *)&ss, sslen)
- == -1)
- log_warn("%s: sendto", __func__);
- log_info("send %s for %s%s%s",
- (code == RADIUS_CODE_DISCONNECT_ACK)? "Disconnect-ACK" :
- (code == RADIUS_CODE_DISCONNECT_NAK)? "Disconnect-NAK" : "CoA-NAK",
- print_addr(&ss), (nakcause)? ": " : "", (nakcause)? nakcause : "");
- out:
- radius_delete_packet(req);
- if (res != NULL)
- radius_delete_packet(res);
-}
-/* $OpenBSD: radius.c,v 1.3 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: radius.c,v 1.4 2024/07/13 12:25:07 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.