#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netinet/ip_ipsp.h>
#include <endian.h>
#include <event.h>
#include <errno.h>
#include <imsg.h>
#include <limits.h>
#include <netinet/in.h>
#include <radius.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include "iked.h"
#include "eap.h"
#include "ikev2.h"
#include "types.h"
void iked_radius_request_send(struct iked *, void *);
void iked_radius_fill_attributes(struct iked_sa *, RADIUS_PACKET *);
void iked_radius_config(struct iked_radserver_req *, const RADIUS_PACKET *,
int, uint32_t, uint8_t);
void iked_radius_acct_request(struct iked *, struct iked_sa *, uint8_t);
const struct iked_radcfgmap radius_cfgmaps[] = {
{ IKEV2_CFG_INTERNAL_IP4_ADDRESS, 0, RADIUS_TYPE_FRAMED_IP_ADDRESS },
{ IKEV2_CFG_INTERNAL_IP4_NETMASK, 0, RADIUS_TYPE_FRAMED_IP_NETMASK },
{ IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER },
{ IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER },
{ IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER },
{ IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER },
{ 0 }
};
int
iked_radius_request(struct iked *env, struct iked_sa *sa,
struct iked_message *msg)
{
struct eap_message *eap;
RADIUS_PACKET *pkt;
size_t len;
eap = ibuf_data(msg->msg_eapmsg);
len = betoh16(eap->eap_length);
if (eap->eap_code != EAP_CODE_RESPONSE) {
log_debug("%s: eap_code is not response %u", __func__,
(unsigned)eap->eap_code);
return -1;
}
if (eap->eap_type == EAP_TYPE_IDENTITY) {
if ((sa->sa_radreq = calloc(1,
sizeof(struct iked_radserver_req))) == NULL) {
log_debug(
"%s: calloc failed for iked_radserver_req: %s",
__func__, strerror(errno));
return (-1);
}
timer_set(env, &sa->sa_radreq->rr_timer,
iked_radius_request_send, sa->sa_radreq);
sa->sa_radreq->rr_user = strdup(msg->msg_eap.eam_identity);
}
if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST))
== NULL) {
log_debug("%s: radius_new_request_packet failed %s", __func__,
strerror(errno));
return -1;
}
radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME,
sa->sa_radreq->rr_user);
if (sa->sa_radreq->rr_state != NULL)
radius_put_raw_attr(pkt, RADIUS_TYPE_STATE,
ibuf_data(sa->sa_radreq->rr_state),
ibuf_size(sa->sa_radreq->rr_state));
if (radius_put_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
(uint8_t *)eap, len) == -1) {
log_debug("%s: radius_put_raw_attr_cat failed %s", __func__,
strerror(errno));
return -1;
}
iked_radius_fill_attributes(sa, pkt);
if (sa->sa_radreq->rr_reqpkt != NULL)
radius_delete_packet(sa->sa_radreq->rr_reqpkt);
sa->sa_radreq->rr_reqpkt = pkt;
sa->sa_radreq->rr_sa = sa;
sa->sa_radreq->rr_ntry = 0;
iked_radius_request_send(env, sa->sa_radreq);
return 0;
}
void
iked_radius_request_free(struct iked *env, struct iked_radserver_req *req)
{
if (req == NULL)
return;
timer_del(env, &req->rr_timer);
free(req->rr_user);
ibuf_free(req->rr_state);
if (req->rr_reqpkt)
radius_delete_packet(req->rr_reqpkt);
if (req->rr_sa)
req->rr_sa->sa_radreq = NULL;
if (req->rr_server)
TAILQ_REMOVE(&req->rr_server->rs_reqs, req, rr_entry);
free(req);
}
void
iked_radius_on_event(int fd, short ev, void *ctx)
{
struct iked *env;
struct iked_radserver *server = ctx;
struct iked_radserver_req *req;
const struct iked_radcfgmap *cfgmap;
RADIUS_PACKET *pkt;
int i, resid;
struct ibuf *e;
const void *attrval;
size_t attrlen;
uint8_t code;
char username[256];
u_char eapmsk[128];
size_t eapmsksiz = sizeof(eapmsk);
env = server->rs_env;
pkt = radius_recv(server->rs_sock, 0);
if (pkt == NULL) {
log_info("%s: receiving a RADIUS message failed: %s", __func__,
strerror(errno));
return;
}
resid = radius_get_id(pkt);
TAILQ_FOREACH(req, &server->rs_reqs, rr_entry) {
if (req->rr_reqid == resid)
break;
}
if (req == NULL) {
log_debug("%s: received an unknown RADIUS message: id=%u",
__func__, (unsigned)resid);
radius_delete_packet(pkt);
return;
}
radius_set_request_packet(pkt, req->rr_reqpkt);
if (radius_check_response_authenticator(pkt, server->rs_secret) != 0) {
log_info("%s: received an invalid RADIUS message: bad "
"response authenticator", __func__);
radius_delete_packet(pkt);
return;
}
if (req->rr_accounting) {
code = radius_get_code(pkt);
switch (code) {
case RADIUS_CODE_ACCOUNTING_RESPONSE:
break;
default:
log_info("%s: received an invalid RADIUS message: "
"code %u", __func__, (unsigned)code);
}
radius_delete_packet(pkt);
iked_radius_request_free(env, req);
return;
}
if (radius_check_message_authenticator(pkt, server->rs_secret) != 0) {
log_info("%s: received an invalid RADIUS message: bad "
"message authenticator", __func__);
radius_delete_packet(pkt);
return;
}
timer_del(env, &req->rr_timer);
req->rr_ntry = 0;
if (req->rr_sa == NULL)
goto fail;
code = radius_get_code(pkt);
switch (code) {
case RADIUS_CODE_ACCESS_CHALLENGE:
if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_STATE, &attrval,
&attrlen) != 0) {
log_info("%s: received an invalid RADIUS message: no "
"state attribute", __func__);
goto fail;
}
if (req->rr_state != NULL &&
ibuf_set(req->rr_state, 0, attrval, attrlen) != 0) {
ibuf_free(req->rr_state);
req->rr_state = NULL;
}
if (req->rr_state == NULL &&
(req->rr_state = ibuf_new(attrval, attrlen)) == NULL) {
log_info("%s: ibuf_new() failed: %s", __func__,
strerror(errno));
goto fail;
}
break;
case RADIUS_CODE_ACCESS_ACCEPT:
log_info("%s: received Access-Accept for %s",
SPI_SA(req->rr_sa, __func__), req->rr_user);
if (radius_get_eap_msk(pkt, eapmsk, &eapmsksiz,
server->rs_secret) == 0) {
ibuf_free(req->rr_sa->sa_eapmsk);
if ((req->rr_sa->sa_eapmsk = ibuf_new(eapmsk,
eapmsksiz)) == NULL) {
log_info("%s: ibuf_new() failed: %s", __func__,
strerror(errno));
goto fail;
}
} else
log_debug("Could not retrieve the EAP MSK from the "
"RADIUS message");
free(req->rr_sa->sa_eapid);
if (radius_get_string_attr(pkt, RADIUS_TYPE_USER_NAME,
username, sizeof(username)) == 0 &&
strcmp(username, req->rr_user) != 0) {
free(req->rr_user);
req->rr_sa->sa_eapid = strdup(username);
} else
req->rr_sa->sa_eapid = req->rr_user;
req->rr_user = NULL;
if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
&attrlen) == 0) {
ibuf_free(req->rr_sa->sa_eapclass);
if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
attrlen)) == NULL) {
log_info("%s: ibuf_new() failed: %s", __func__,
strerror(errno));
}
}
sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
if (TAILQ_EMPTY(&env->sc_radcfgmaps)) {
for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) {
cfgmap = &radius_cfgmaps[i];
iked_radius_config(req, pkt, cfgmap->cfg_type,
cfgmap->vendor_id, cfgmap->attr_type);
}
} else {
TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry)
iked_radius_config(req, pkt, cfgmap->cfg_type,
cfgmap->vendor_id, cfgmap->attr_type);
}
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
break;
case RADIUS_CODE_ACCESS_REJECT:
log_info("%s: received Access-Reject for %s",
SPI_SA(req->rr_sa, __func__), req->rr_user);
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
break;
default:
log_debug("%s: received an invalid RADIUS message: code %u",
__func__, (unsigned)code);
break;
}
if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, NULL,
&attrlen) != 0) {
log_info("%s: failed to retrieve the EAP message", __func__);
goto fail;
}
if ((e = ibuf_new(NULL, attrlen)) == NULL) {
log_info("%s: ibuf_new() failed: %s", __func__,
strerror(errno));
goto fail;
}
if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
ibuf_data(e), &attrlen) != 0) {
ibuf_free(e);
log_info("%s: failed to retrieve the EAP message", __func__);
goto fail;
}
radius_delete_packet(pkt);
ikev2_send_ike_e(env, req->rr_sa, e, IKEV2_PAYLOAD_EAP,
IKEV2_EXCHANGE_IKE_AUTH, 1);
ibuf_free(e);
req->rr_reqid = -1;
return;
fail:
radius_delete_packet(pkt);
if (req->rr_server != NULL)
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
if (req->rr_sa != NULL) {
ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
sa_free(env, req->rr_sa);
}
}
void
iked_radius_request_send(struct iked *env, void *ctx)
{
struct iked_radserver_req *req = ctx, *req0;
struct iked_radserver *server = req->rr_server;
const int timeouts[] = { 2, 4, 8 };
uint8_t seq;
int i, max_tries, max_failovers;
struct sockaddr_storage ss;
socklen_t sslen;
struct iked_radservers *radservers;
struct timespec now;
if (!req->rr_accounting) {
max_tries = env->sc_radauth.max_tries;
max_failovers = env->sc_radauth.max_failovers;
radservers = &env->sc_radauthservers;
} else {
max_tries = env->sc_radacct.max_tries;
max_failovers = env->sc_radacct.max_failovers;
radservers = &env->sc_radacctservers;
}
if (req->rr_ntry > max_tries) {
req->rr_ntry = 0;
log_info("%s: RADIUS server %s failed", __func__,
print_addr(&server->rs_sockaddr));
next_server:
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
if (req->rr_nfailover >= max_failovers ||
TAILQ_NEXT(server, rs_entry) == NULL) {
log_info("%s: No more RADIUS server", __func__);
goto fail;
} else if (req->rr_state != NULL) {
log_info("%s: Can't change RADIUS server: "
"client has a state already", __func__);
goto fail;
} else {
TAILQ_REMOVE(radservers, server, rs_entry);
TAILQ_INSERT_TAIL(radservers, server, rs_entry);
server = TAILQ_FIRST(radservers);
log_info("%s: RADIUS server %s is active",
__func__, print_addr(&server->rs_sockaddr));
}
req->rr_nfailover++;
}
if (req->rr_server != NULL &&
req->rr_server != TAILQ_FIRST(radservers)) {
if (req->rr_state != NULL || req->rr_nfailover >= max_failovers)
goto fail;
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
req->rr_nfailover++;
}
if (req->rr_server == NULL) {
server = TAILQ_FIRST(radservers);
if (server == NULL) {
log_info("%s: No RADIUS server is configured",
__func__);
goto fail;
}
TAILQ_INSERT_TAIL(&server->rs_reqs, req, rr_entry);
req->rr_server = server;
if (server->rs_nas_ipv4.s_addr == INADDR_ANY &&
IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6)) {
sslen = sizeof(ss);
if (getsockname(server->rs_sock, (struct sockaddr *)&ss,
&sslen) == 0) {
if (ss.ss_family == AF_INET)
server->rs_nas_ipv4 =
((struct sockaddr_in *)&ss)
->sin_addr;
else
server->rs_nas_ipv6 =
((struct sockaddr_in6 *)&ss)
->sin6_addr;
}
}
}
if (req->rr_ntry == 0) {
seq = ++server->rs_reqseq;
for (i = 0; i <= UCHAR_MAX; i++) {
TAILQ_FOREACH(req0, &server->rs_reqs, rr_entry) {
if (req0->rr_reqid == -1)
continue;
if (req0->rr_reqid == seq)
break;
}
if (req0 == NULL)
break;
seq++;
}
if (i > UCHAR_MAX) {
log_info("%s: RADIUS server %s failed. Too many "
"pending requests", __func__,
print_addr(&server->rs_sockaddr));
if (TAILQ_NEXT(server, rs_entry) != NULL)
goto next_server;
goto fail;
}
req->rr_reqid = seq;
radius_set_id(req->rr_reqpkt, req->rr_reqid);
}
if (server->rs_nas_ipv4.s_addr != INADDR_ANY)
radius_put_ipv4_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IP_ADDRESS,
server->rs_nas_ipv4);
else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6))
radius_put_ipv6_attr(req->rr_reqpkt,
RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6);
radius_put_string_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IDENTIFIER,
IKED_NAS_ID);
if (req->rr_accounting) {
if (req->rr_ntry == 0 && req->rr_nfailover == 0)
radius_put_uint32_attr(req->rr_reqpkt,
RADIUS_TYPE_ACCT_DELAY_TIME, 0);
else {
clock_gettime(CLOCK_MONOTONIC, &now);
timespecsub(&now, &req->rr_accttime, &now);
radius_put_uint32_attr(req->rr_reqpkt,
RADIUS_TYPE_ACCT_DELAY_TIME, now.tv_sec);
}
radius_set_accounting_request_authenticator(req->rr_reqpkt,
server->rs_secret);
} else {
radius_put_message_authenticator(req->rr_reqpkt,
server->rs_secret);
}
if (radius_send(server->rs_sock, req->rr_reqpkt, 0) < 0)
log_info("%s: sending a RADIUS message failed: %s", __func__,
strerror(errno));
if (req->rr_ntry >= (int)nitems(timeouts))
timer_add(env, &req->rr_timer, timeouts[nitems(timeouts) - 1]);
else
timer_add(env, &req->rr_timer, timeouts[req->rr_ntry]);
req->rr_ntry++;
return;
fail:
if (req->rr_server != NULL)
TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
req->rr_server = NULL;
if (req->rr_sa != NULL) {
ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
sa_free(env, req->rr_sa);
}
}
void
iked_radius_fill_attributes(struct iked_sa *sa, RADIUS_PACKET *pkt)
{
char port_id[16 + 1];
radius_put_uint32_attr(pkt,
RADIUS_TYPE_NAS_PORT_TYPE, RADIUS_NAS_PORT_TYPE_VIRTUAL);
radius_put_uint32_attr(pkt, RADIUS_TYPE_SERVICE_TYPE,
RADIUS_SERVICE_TYPE_FRAMED);
radius_put_uint32_attr(pkt, RADIUS_TYPE_TUNNEL_TYPE,
RADIUS_TUNNEL_TYPE_ESP);
snprintf(port_id, sizeof(port_id), "%016llx",
(unsigned long long)sa->sa_hdr.sh_ispi);
radius_put_string_attr(pkt, RADIUS_TYPE_NAS_PORT_ID, port_id);
radius_put_string_attr(pkt, RADIUS_TYPE_CALLED_STATION_ID,
print_addr(&sa->sa_local.addr));
radius_put_string_attr(pkt, RADIUS_TYPE_CALLING_STATION_ID,
print_addr(&sa->sa_peer.addr));
}
void
iked_radius_config(struct iked_radserver_req *req, const RADIUS_PACKET *pkt,
int cfg_type, uint32_t vendor_id, uint8_t attr_type)
{
unsigned int i;
struct iked_sa *sa = req->rr_sa;
struct in_addr ia4;
struct in6_addr ia6;
struct sockaddr_in *sin4;
struct sockaddr_in6 *sin6;
struct iked_addr *addr;
struct iked_cfg *ikecfg;
for (i = 0; i < sa->sa_policy->pol_ncfg; i++) {
ikecfg = &sa->sa_policy->pol_cfg[i];
if (ikecfg->cfg_type == cfg_type &&
ikecfg->cfg_type != IKEV2_CFG_INTERNAL_IP4_ADDRESS)
return;
}
switch (cfg_type) {
case IKEV2_CFG_INTERNAL_IP4_ADDRESS:
case IKEV2_CFG_INTERNAL_IP4_NETMASK:
case IKEV2_CFG_INTERNAL_IP4_DNS:
case IKEV2_CFG_INTERNAL_IP4_NBNS:
case IKEV2_CFG_INTERNAL_IP4_DHCP:
case IKEV2_CFG_INTERNAL_IP4_SERVER:
if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
radius_get_ipv4_attr(pkt, attr_type, &ia4);
else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
attr_type))
radius_get_vs_ipv4_attr(pkt, vendor_id, attr_type,
&ia4);
else
break;
if (cfg_type == IKEV2_CFG_INTERNAL_IP4_NETMASK) {
if (sa->sa_rad_addr == NULL) {
break;
}
if (ia4.s_addr == 0) {
log_debug("%s: netmask is wrong", __func__);
break;
}
if (ia4.s_addr == htonl(0))
sa->sa_rad_addr->addr_mask = 0;
else
sa->sa_rad_addr->addr_mask =
33 - ffs(ntohl(ia4.s_addr));
if (sa->sa_rad_addr->addr_mask < 32)
sa->sa_rad_addr->addr_net = 1;
}
if (cfg_type == IKEV2_CFG_INTERNAL_IP4_ADDRESS) {
if ((addr = calloc(1, sizeof(*addr))) == NULL) {
log_warn("%s: calloc", __func__);
return;
}
sa->sa_rad_addr = addr;
} else {
req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
req->rr_ncfg++;
}
addr->addr_af = AF_INET;
sin4 = (struct sockaddr_in *)&addr->addr;
sin4->sin_family = AF_INET;
sin4->sin_len = sizeof(struct sockaddr_in);
sin4->sin_addr = ia4;
break;
case IKEV2_CFG_INTERNAL_IP6_ADDRESS:
case IKEV2_CFG_INTERNAL_IP6_DNS:
case IKEV2_CFG_INTERNAL_IP6_NBNS:
case IKEV2_CFG_INTERNAL_IP6_DHCP:
case IKEV2_CFG_INTERNAL_IP6_SERVER:
if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
radius_get_ipv6_attr(pkt, attr_type, &ia6);
else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
attr_type))
radius_get_vs_ipv6_attr(pkt, vendor_id, attr_type,
&ia6);
else
break;
if (cfg_type == IKEV2_CFG_INTERNAL_IP6_ADDRESS) {
if ((addr = calloc(1, sizeof(*addr))) == NULL) {
log_warn("%s: calloc", __func__);
return;
}
sa->sa_rad_addr = addr;
} else {
req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
req->rr_ncfg++;
}
addr->addr_af = AF_INET;
sin6 = (struct sockaddr_in6 *)&addr->addr;
sin6->sin6_family = AF_INET6;
sin6->sin6_len = sizeof(struct sockaddr_in6);
sin6->sin6_addr = ia6;
break;
}
return;
}
void
iked_radius_acct_on(struct iked *env)
{
if (TAILQ_EMPTY(&env->sc_radacctservers))
return;
if (env->sc_radaccton == 0) {
iked_radius_acct_request(env, NULL,
RADIUS_ACCT_STATUS_TYPE_ACCT_ON);
env->sc_radaccton = 1;
}
}
void
iked_radius_acct_off(struct iked *env)
{
iked_radius_acct_request(env, NULL, RADIUS_ACCT_STATUS_TYPE_ACCT_OFF);
}
void
iked_radius_acct_start(struct iked *env, struct iked_sa *sa)
{
iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_START);
}
void
iked_radius_acct_stop(struct iked *env, struct iked_sa *sa)
{
iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_STOP);
}
void
iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
{
struct iked_radserver_req *req;
RADIUS_PACKET *pkt;
struct iked_addr *addr4 = NULL;
struct iked_addr *addr6 = NULL;
struct in_addr mask4;
char sa_id[IKED_ID_SIZE];
char sid[16 + 1];
struct timespec now;
int cause;
if (TAILQ_EMPTY(&env->sc_radacctservers))
return;
if (sa != NULL && sa->sa_eapid == NULL) {
if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) != -1)
sa->sa_eapid = strdup(sa_id);
if (sa->sa_eapid == NULL)
return;
}
if ((req = calloc(1, sizeof(struct iked_radserver_req))) == NULL) {
log_debug("%s: calloc faile for iked_radserver_req: %s",
__func__, strerror(errno));
return;
}
req->rr_accounting = 1;
clock_gettime(CLOCK_MONOTONIC, &now);
req->rr_accttime = now;
timer_set(env, &req->rr_timer, iked_radius_request_send, req);
if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCOUNTING_REQUEST))
== NULL) {
log_debug("%s: radius_new_request_packet failed %s", __func__,
strerror(errno));
return;
}
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE, stype);
if (sa == NULL) {
req->rr_reqpkt = pkt;
req->rr_ntry = 0;
iked_radius_request_send(env, req);
return;
}
iked_radius_fill_attributes(sa, pkt);
radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME, sa->sa_eapid);
snprintf(sid, sizeof(sid), "%016llx",
(unsigned long long)sa->sa_hdr.sh_ispi);
radius_put_string_attr(pkt, RADIUS_TYPE_ACCT_SESSION_ID, sid);
addr4 = sa->sa_addrpool;
if (addr4 != NULL) {
radius_put_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS,
((struct sockaddr_in *)&addr4->addr)->sin_addr);
if (addr4->addr_mask != 0) {
mask4.s_addr = htonl(
0xFFFFFFFFUL << (32 - addr4->addr_mask));
radius_put_ipv4_attr(pkt,
RADIUS_TYPE_FRAMED_IP_NETMASK, mask4);
}
}
addr6 = sa->sa_addrpool6;
if (addr6 != NULL)
radius_put_ipv6_attr(pkt, RADIUS_TYPE_FRAMED_IPV6_ADDRESS,
&((struct sockaddr_in6 *)&addr6->addr)->sin6_addr);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_AUTHENTIC,
(sa->sa_radreq != NULL)? RADIUS_ACCT_AUTHENTIC_RADIUS :
RADIUS_ACCT_AUTHENTIC_LOCAL);
switch (stype) {
case RADIUS_ACCT_STATUS_TYPE_START:
if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
ibuf_data(req->rr_sa->sa_eapclass),
ibuf_size(req->rr_sa->sa_eapclass));
break;
case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
case RADIUS_ACCT_STATUS_TYPE_STOP:
timespecsub(&now, &sa->sa_starttime, &now);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_SESSION_TIME,
now.tv_sec);
cause = RADIUS_TERMNATE_CAUSE_SERVICE_UNAVAIL;
if (sa->sa_reason) {
if (strcmp(sa->sa_reason, "received delete") == 0) {
cause = RADIUS_TERMNATE_CAUSE_USER_REQUEST;
} else if (strcmp(sa->sa_reason, "SA rekeyed") == 0) {
cause = RADIUS_TERMNATE_CAUSE_SESSION_TIMEOUT;
} else if (strncmp(sa->sa_reason, "retransmit",
strlen("retransmit")) == 0) {
cause = RADIUS_TERMNATE_CAUSE_LOST_SERVICE;
} else if (strcmp(sa->sa_reason,
"disconnect requested") == 0) {
cause = RADIUS_TERMNATE_CAUSE_ADMIN_RESET;
}
}
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_TERMINATE_CAUSE,
cause);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_PACKETS,
sa->sa_stats.sas_ipackets);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_PACKETS,
sa->sa_stats.sas_opackets);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_OCTETS,
sa->sa_stats.sas_ibytes & 0xffffffffUL);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_OCTETS,
sa->sa_stats.sas_obytes & 0xffffffffUL);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_GIGAWORDS,
sa->sa_stats.sas_ibytes >> 32);
radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_GIGAWORDS,
sa->sa_stats.sas_obytes >> 32);
break;
}
req->rr_reqpkt = pkt;
req->rr_ntry = 0;
iked_radius_request_send(env, req);
}
void
iked_radius_dae_on_event(int fd, short ev, void *ctx)
{
struct iked_raddae *dae = ctx;
struct iked *env = dae->rd_env;
RADIUS_PACKET *req = NULL, *res = NULL;
struct sockaddr_storage ss;
socklen_t sslen;
struct iked_radclient *client;
struct iked_sa *sa = NULL;
char attr[256], username[256];
char *endp, *reason, *nakcause = NULL;
int code, n = 0;
uint64_t ispi = 0;
uint32_t u32, cause = 0;
struct iked_addr *addr4 = NULL;
reason = "disconnect requested";
sslen = sizeof(ss);
req = radius_recvfrom(dae->rd_sock, 0, (struct sockaddr *)&ss, &sslen);
if (req == NULL) {
log_warn("%s: receiving a RADIUS message failed: %s", __func__,
strerror(errno));
return;
}
TAILQ_FOREACH(client, &env->sc_raddaeclients, rc_entry) {
if (sockaddr_cmp((struct sockaddr *)&client->rc_sockaddr,
(struct sockaddr *)&ss, -1) == 0)
break;
}
if (client == NULL) {
log_warnx("%s: received RADIUS message from %s: "
"unknown client", __func__, print_addr(&ss));
goto out;
}
if (radius_check_accounting_request_authenticator(req,
client->rc_secret) != 0) {
log_warnx("%s: received an invalid RADIUS message from %s: bad "
"response authenticator", __func__, print_addr(&ss));
goto out;
}
if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) {
if (code == RADIUS_CODE_COA_REQUEST) {
code = RADIUS_CODE_COA_NAK;
cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED;
nakcause = "Coa-Request is not supported";
goto send;
}
log_warnx("%s: received an invalid RADIUS message "
"from %s: unknown code %d", __func__,
print_addr(&ss), code);
goto out;
}
log_info("received Disconnect-Request from %s", print_addr(&ss));
if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr,
sizeof(attr)) == 0 && strcmp(attr, IKED_NAS_ID) != 0) {
cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH;
nakcause = "NAS-Identifier is not matched";
goto search_done;
}
memset(username, 0, sizeof(username));
radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username,
sizeof(username));
if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr,
sizeof(attr)) == 0) {
ispi = strtoull(attr, &endp, 16);
if (attr[0] == '\0' || *endp != '\0' || errno == ERANGE ||
ispi == ULLONG_MAX) {
cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
nakcause = "Session-Id is wrong";
goto search_done;
}
RB_FOREACH(sa, iked_sas, &env->sc_sas) {
if (sa->sa_hdr.sh_ispi == ispi)
break;
}
if (sa == NULL)
goto search_done;
if (username[0] != '\0' && (sa->sa_eapid == NULL ||
strcmp(username, sa->sa_eapid) != 0)) {
cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
nakcause = "User-Name is not matched";
goto search_done;
}
ikev2_ike_sa_setreason(sa, reason);
ikev2_ike_sa_delete(env, sa);
n++;
} else if (username[0] != '\0') {
RB_FOREACH(sa, iked_sas, &env->sc_sas) {
if (sa->sa_eapid != NULL &&
strcmp(sa->sa_eapid, username) == 0) {
ikev2_ike_sa_setreason(sa, reason);
ikev2_ike_sa_delete(env, sa);
n++;
}
}
} else if (radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS,
&u32) == 0) {
RB_FOREACH(sa, iked_sas, &env->sc_sas) {
addr4 = sa->sa_addrpool;
if (addr4 != NULL) {
if (u32 == ((struct sockaddr_in *)&addr4->addr)
->sin_addr.s_addr) {
ikev2_ike_sa_setreason(sa, reason);
ikev2_ike_sa_delete(env, sa);
n++;
}
}
}
}
search_done:
if (n > 0)
code = RADIUS_CODE_DISCONNECT_ACK;
else {
if (nakcause == NULL)
nakcause = "session not found";
if (cause == 0)
cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND;
code = RADIUS_CODE_DISCONNECT_NAK;
}
send:
res = radius_new_response_packet(code, req);
if (res == NULL) {
log_warn("%s: radius_new_response_packet", __func__);
goto out;
}
if (cause != 0)
radius_put_uint32_attr(res, RADIUS_TYPE_ERROR_CAUSE, cause);
radius_set_response_authenticator(res, client->rc_secret);
if (radius_sendto(dae->rd_sock, res, 0, (struct sockaddr *)&ss, sslen)
== -1)
log_warn("%s: sendto", __func__);
log_info("send %s for %s%s%s",
(code == RADIUS_CODE_DISCONNECT_ACK)? "Disconnect-ACK" :
(code == RADIUS_CODE_DISCONNECT_NAK)? "Disconnect-NAK" : "CoA-NAK",
print_addr(&ss), (nakcause)? ": " : "", (nakcause)? nakcause : "");
out:
radius_delete_packet(req);
if (res != NULL)
radius_delete_packet(res);
}
