author | Kozlov Dmitry <dima@server> | 2010-08-17 17:29:46 +0400 |
---|---|---|
committer | Kozlov Dmitry <dima@server> | 2010-08-17 17:29:46 +0400 |
commit | 760d8427f133df486a145e6e7ac7610caf2356fc (patch) | |
tree | ebd109efc8882e56165e05f050dd30c9313bb9c7 | |
parent | ab418b16bf2c9a57dbb7c18141af2eb283c44447 (diff) | |
download | accel-ppp-xebd-760d8427f133df486a145e6e7ac7610caf2356fc.tar.gz accel-ppp-xebd-760d8427f133df486a145e6e7ac7610caf2356fc.zip |
reworked/rewrited lcp handling code to become more abstract
-rw-r--r-- | accel-pptpd/CMakeLists.txt | 8 | ||||
-rw-r--r-- | accel-pptpd/auth_pap.c | 134 | ||||
-rw-r--r-- | accel-pptpd/lcp_base_opt.c | 75 | ||||
-rw-r--r-- | accel-pptpd/lcp_opt_accomp.c | 92 | ||||
-rw-r--r-- | accel-pptpd/lcp_opt_magic.c | 81 | ||||
-rw-r--r-- | accel-pptpd/lcp_opt_mru.c | 97 | ||||
-rw-r--r-- | accel-pptpd/lcp_opt_pcomp.c | 92 | ||||
-rw-r--r-- | accel-pptpd/log.c | 15 | ||||
-rw-r--r-- | accel-pptpd/ppp.c | 44 | ||||
-rw-r--r-- | accel-pptpd/ppp.h | 26 | ||||
-rw-r--r-- | accel-pptpd/ppp_auth.c | 282 | ||||
-rw-r--r-- | accel-pptpd/ppp_auth.h | 34 | ||||
-rw-r--r-- | accel-pptpd/ppp_ccp.c | 12 | ||||
-rw-r--r-- | accel-pptpd/ppp_fsm.c | 118 | ||||
-rw-r--r-- | accel-pptpd/ppp_fsm.h | 84 | ||||
-rw-r--r-- | accel-pptpd/ppp_ipcp.c | 12 | ||||
-rw-r--r-- | accel-pptpd/ppp_lcp.c | 638 | ||||
-rw-r--r-- | accel-pptpd/ppp_lcp.h | 67 | ||||
-rw-r--r-- | accel-pptpd/pwdb.c | 7 | ||||
-rw-r--r-- | accel-pptpd/pwdb.h | 9 | ||||
-rw-r--r-- | accel-pptpd/triton/timer.c | 5 | ||||
-rw-r--r-- | doc/rfc3576.txt | 1683 |
22 files changed, 3085 insertions, 530 deletions
diff --git a/accel-pptpd/CMakeLists.txt b/accel-pptpd/CMakeLists.txt index 2e46e5b..3279141 100644 --- a/accel-pptpd/CMakeLists.txt +++ b/accel-pptpd/CMakeLists.txt @@ -12,6 +12,14 @@ ADD_EXECUTABLE(pptpd ppp.c ppp_fsm.c ppp_lcp.c + lcp_opt_mru.c + lcp_opt_magic.c + lcp_opt_pcomp.c + lcp_opt_accomp.c ppp_auth.c + ppp_ccp.c + ppp_ipcp.c + auth_pap.c + pwdb.c ) TARGET_LINK_LIBRARIES(pptpd pthread triton) diff --git a/accel-pptpd/auth_pap.c b/accel-pptpd/auth_pap.c index ed0f6bf..95d5b1e 100644 --- a/accel-pptpd/auth_pap.c +++ b/accel-pptpd/auth_pap.c @@ -1,3 +1,8 @@ +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <arpa/inet.h> + #include "log.h" #include "ppp.h" #include "ppp_auth.h" @@ -7,14 +12,23 @@ #define HDR_LEN (sizeof(struct pap_hdr_t)-2) -static int lcp_get_conf_req(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*); -static int lcp_recv_conf_req(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*); -static int begin(struct auth_driver_t*, struct ppp_t*); -static int terminate(struct auth_driver_t*, struct ppp_t*); +#define PAP_REQ 1 +#define PAP_ACK 2 +#define PAP_NAK 3 + +char *strndup(const char *s, size_t n); + +static struct auth_data_t* auth_data_init(struct ppp_t *ppp); +static void auth_data_free(struct ppp_t*, struct auth_data_t*); +static int lcp_send_conf_req(struct ppp_t*, struct auth_data_t*, uint8_t*); +static int lcp_recv_conf_req(struct ppp_t*, struct auth_data_t*, uint8_t*); +static int pap_start(struct ppp_t*, struct auth_data_t*); +static int pap_finish(struct ppp_t*, struct auth_data_t*); static void pap_recv(struct ppp_handler_t*h); -struct pap_proto_t +struct pap_auth_data_t { + struct auth_data_t auth; struct ppp_handler_t h; struct ppp_t *ppp; }; 
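Review bot: The hand-written prototype `char *strndup(const char *s, size_t n);` added to auth_pap.c duplicates the libc declaration and can conflict with the one <string.h> provides once the right feature-test macro is in effect. The portable way to get strndup is to define the macro before the system includes, `#define _GNU_SOURCE` (or `#define _POSIX_C_SOURCE 200809L`) ahead of `#include <string.h>`, and drop the prototype. The new `PAP_REQ`/`PAP_ACK`/`PAP_NAK` defines would read better as one enum, but that is a style preference.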
@@ -34,91 +48,98 @@ struct pap_ack_t char msg[0]; } __attribute__((packed)); -static struct auth_driver_t pap= +static struct ppp_auth_handler_t pap= { - .type=PPP_PAP, - .get_conf_req=lcp_get_conf_req, + .name="PAP", + .init=auth_data_init, + .free=auth_data_free, + .send_conf_req=lcp_send_conf_req, .recv_conf_req=lcp_recv_conf_req, .start=pap_start, .finish=pap_finish, }; +static struct auth_data_t* auth_data_init(struct ppp_t *ppp) +{ + struct pap_auth_data_t *d=malloc(sizeof(*d)); + + memset(d,0,sizeof(*d)); + d->auth.proto=PPP_PAP; + d->ppp=ppp; -int plugin_init(void) + return &d->auth; +} + +static void auth_data_free(struct ppp_t *ppp,struct auth_data_t *auth) { - if (auth_register(&pap)) - { - log_error("pap: failed to register driver\n"); - return -1; - } + struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth); - return 0; + free(d); } -static int pap_start(struct auth_driver_t *d, struct ppp_t *ppp) +static int pap_start(struct ppp_t *ppp, struct auth_data_t *auth) { - struct pap_proto_t *p=malloc(sizeof(*p)); + struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth); - memset(&p,0,sizeof(*p)); - p->h.proto=PPP_PAP; - p->h.recv=pap_recv; - p->ppp=ppp; - ppp->auth_pd=p; + d->h.proto=PPP_PAP; + d->h.recv=pap_recv; - ppp_register_handler(p->ppp,p->h); + ppp_register_handler(ppp,&d->h); return 0; } -static int pap_finish(struct auth_driver_t *d, struct ppp_t *ppp) +static int pap_finish(struct ppp_t *ppp, struct auth_data_t *auth) { - struct pap_proto_t *p=(struct pap_proto_t*)ppp->auth_pd; - - ppp_unregister_handler(p->ppp,p->h); + struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth); - free(p); + ppp_unregister_handler(ppp,&d->h); return 0; } -static int lcp_get_conf_req(struct auth_driver_t *d, struct ppp_t *ppp, struct lcp_opt32_t *opt) +static int lcp_send_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr) { return 0; } -static int lcp_recv_conf_req(struct auth_driver_t *d, struct ppp_t *ppp, struct lcp_opt32_t *opt) 
+static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr) { return 0; } -static void pap_send_ack(struct pap_proto_t *p, int id) +static void pap_send_ack(struct pap_auth_data_t *p, int id) { uint8_t buf[128]; struct pap_ack_t *msg=(struct pap_ack_t*)buf; - msg->hdr.proto=PPP_PAP; + msg->hdr.proto=htons(PPP_PAP); msg->hdr.code=PAP_ACK; msg->hdr.id=id; - msg->hdr.len=HDR_LEN+1+sizeof(MSG_SUCCESSED); - msg->len=sizeof(MSG_SUCCESSED); + msg->hdr.len=htons(HDR_LEN+1+sizeof(MSG_SUCCESSED)); + msg->msg_len=sizeof(MSG_SUCCESSED)-1; memcpy(msg->msg,MSG_SUCCESSED,sizeof(MSG_SUCCESSED)); - ppp_send(p->ppp,msg,msg->hdr.len+2); + log_debug("send [PAP AuthAck id=%x \"%s\"]\n",id,MSG_SUCCESSED); + + ppp_send(p->ppp,msg,ntohs(msg->hdr.len)+2); } -static void pap_send_nack(struct pap_proto_t *p,int id) +static void pap_send_nak(struct pap_auth_data_t *p,int id) { uint8_t buf[128]; struct pap_ack_t *msg=(struct pap_ack_t*)buf; - msg->hdr.proto=PPP_PAP; - msg->hdr.code=PAP_NACK; + msg->hdr.proto=htons(PPP_PAP); + msg->hdr.code=PAP_NAK; msg->hdr.id=id; - msg->hdr.len=HDR_LEN+1+sizeof(MSG_FAILED); - msg->len=sizeof(MSG_FAILED); + msg->hdr.len=htons(HDR_LEN+1+sizeof(MSG_FAILED)); + msg->msg_len=sizeof(MSG_FAILED)-1; memcpy(msg->msg,MSG_FAILED,sizeof(MSG_FAILED)); - ppp_send(p->ppp,msg,msg->hdr.len+2); + log_debug("send [PAP AuthNak id=%x \"%s\"]\n",id,MSG_FAILED); + + ppp_send(p->ppp,msg,ntohs(msg->hdr.len)+2); } -static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr) +static int pap_recv_req(struct pap_auth_data_t *p,struct pap_hdr_t *hdr) { int ret; char *peer_id; 
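Review bot: In pap_send_ack and pap_send_nak the header length and the message length disagree by one byte: `msg->hdr.len` is built from `sizeof(MSG_SUCCESSED)`, which counts the terminating NUL if MSG_SUCCESSED is a string literal (its definition is not in this diff), while `msg->msg_len` is set to `sizeof(MSG_SUCCESSED)-1`, so the frame on the wire is one byte longer than the Msg-Length it advertises and carries a stray NUL. Use the same count for both, `msg->hdr.len=htons(HDR_LEN+1+sizeof(MSG_SUCCESSED)-1);` and `memcpy(msg->msg,MSG_SUCCESSED,sizeof(MSG_SUCCESSED)-1);`, and likewise for MSG_FAILED. auth_data_init also passes the result of `malloc(sizeof(*d))` straight to memset; add `if (!d) return NULL;` before it, provided the caller in ppp_auth.c is taught to handle a NULL init result.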
@@ -126,29 +147,31 @@ static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr) int peer_id_len; int passwd_len; uint8_t *ptr=(uint8_t*)(hdr+1); - + + log_debug("recv [PAP AuthReq id=%x]\n",hdr->id); + peer_id_len=*(uint8_t*)ptr; ptr++; - if (peer_id_len>htons(hdr->len)-sizeof(*hdr)-1) + if (peer_id_len>ntohs(hdr->len)-sizeof(*hdr)+2-1) { log_warn("PAP: short packet received\n"); return -1; } - peer_id=ptr; ptr+=peer_id_len; + peer_id=(char*)ptr; ptr+=peer_id_len; passwd_len=*(uint8_t*)ptr; ptr++; - if (passwd_len>htons(hdr->len)-sizeof(*hdr)-2-peer_id_len) + if (passwd_len>ntohs(hdr->len)-sizeof(*hdr)+2-2-peer_id_len) { log_warn("PAP: short packet received\n"); return -1; } - peer_id=stdndup(peer_id,peer_id_len); - passwd=stdndup(ptr,passwd_len); + peer_id=strndup((const char*)peer_id,peer_id_len); + passwd=strndup((const char*)ptr,passwd_len); if (pwdb_check(peer_id,passwd)) { log_warn("PAP: authentication error\n"); - pap_send_nack(p,hdr->id); + pap_send_nak(p,hdr->id); auth_failed(p->ppp); ret=-1; }else @@ -166,19 +189,24 @@ static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr) static void pap_recv(struct ppp_handler_t *h) { - struct pap_proto_t *p=container_of(h,typeof(*p),h); - struct pap_hdr_t *hdr=(struct pap_hdr_t *)p->ppp->in_buf; + struct pap_auth_data_t *d=container_of(h,typeof(*d),h); + struct pap_hdr_t *hdr=(struct pap_hdr_t *)d->ppp->in_buf; - if (p->ppp->in_buf_size<sizeof(*hdr) || htons(hdr->len)<HDR_LEN || htons(hdr->len)<p->ppp->in_buf_size-2) + if (d->ppp->in_buf_size<sizeof(*hdr) || ntohs(hdr->len)<HDR_LEN || ntohs(hdr->len)<d->ppp->in_buf_size-2) { log_warn("PAP: short packet received\n"); return; } - if (hdr->code==PAP_REQ) pap_recv_req(p,hdr); + if (hdr->code==PAP_REQ) pap_recv_req(d,hdr); else { log_warn("PAP: unknown code received %x\n",hdr->code); } } +static void __init auth_pap_init() +{ + ppp_auth_register_handler(&pap); +} + 
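Review bot: The length checks in pap_recv_req still read a byte before verifying it exists: `peer_id_len=*(uint8_t*)ptr` runs before the comparison, and `peer_id_len>ntohs(hdr->len)-sizeof(*hdr)+2-1` is evaluated in size_t, so for a header-only packet (`ntohs(hdr->len)==HDR_LEN`) the right-hand side wraps to SIZE_MAX and the check never fires; the password length has the same problem. Tracking the remaining payload in a signed counter and testing it before each read keeps the arithmetic in int and rejects the empty case. The two strndup results are also used without a NULL check. pap_recv_req starts and ends outside this hunk.
```c
	int peer_id_len;
	int passwd_len;
	uint8_t *ptr=(uint8_t*)(hdr+1);
	int rem=ntohs(hdr->len)-(int)HDR_LEN; /* payload bytes after the PAP header */

	log_debug("recv [PAP AuthReq id=%x]\n",hdr->id);

	if (rem<1)
	{
		log_warn("PAP: short packet received\n");
		return -1;
	}
	peer_id_len=*ptr++; rem--;
	if (peer_id_len>rem)
	{
		log_warn("PAP: short packet received\n");
		return -1;
	}
	peer_id=(char*)ptr; ptr+=peer_id_len; rem-=peer_id_len;
	if (rem<1)
	{
		log_warn("PAP: short packet received\n");
		return -1;
	}
	passwd_len=*ptr++; rem--;
	if (passwd_len>rem)
	{
		log_warn("PAP: short packet received\n");
		return -1;
	}
	/* … unchanged: strndup, pwdb_check, ack/nak reply … */
```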
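Review bot: The third clause of the packet check in pap_recv is inverted: `ntohs(hdr->len)<d->ppp->in_buf_size-2` rejects a frame whose declared length is shorter than the bytes received but accepts one whose declared length exceeds them, and pap_recv_req then walks `hdr->len` bytes past the end of in_buf. It should read `ntohs(hdr->len)>d->ppp->in_buf_size-2`. If in_buf_size is a signed int (its declaration is not in this diff), the first clause `d->ppp->in_buf_size<sizeof(*hdr)` compares it as size_t, so a negative value from a failed read would also pass; rejecting `in_buf_size<0` first, or casting sizeof to int, closes that gap.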
diff --git a/accel-pptpd/lcp_base_opt.c b/accel-pptpd/lcp_base_opt.c
new file mode 100644
index 0000000..352dee2
--- /dev/null
+++ b/accel-pptpd/lcp_base_opt.c
@@ -0,0 +1,75 @@
+#include "ppp_lcp.h"
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp);
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+
+struct mru_option_t
+{
+ struct lcp_option_t opt;
+ int mru;
+ int mtu;
+};
+
+static struct lcp_option_handler_t opt_mru=
+{
+ .id=CI_MRU,
+ .init=mru_init,
+ .send_conf_req=mru_send_conf_req,
+ .send_conf_nak=mru_send_conf_nak,
+ .recv_conf_req=mru_recv_conf_req,
+ .free=mru_free,
+};
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp)
+{
+ struct mru_option_t *mru_opt=malloc(sizeof(*mru_opt));
+ memset(mru_opt,0,sizeof(*mru_opt));
+ mru_opt->mtu=0;
+ mru_opt->mru=1500;
+ mru_opt->opt.len=4;
+
+ return &mru_opt->opt;
+}
+
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+
+ free(mru_opt);
+}
+
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.type=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mru);
+ return 4;
+}
+
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.type=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mtu);
+ return 4;
+}
+
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (!mru_opt->mtu || mru_opt->mtu==ntohs(opt16->val))
+ {
+ mru_opt->mtu=ntohs(opt16->val);
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
diff --git a/accel-pptpd/lcp_opt_accomp.c b/accel-pptpd/lcp_opt_accomp.c
new file mode 100644
index 0000000..9191563
--- /dev/null
+++ b/accel-pptpd/lcp_opt_accomp.c
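Review bot: lcp_base_opt.c looks like a stale copy of lcp_opt_mru.c rather than a shared base: it is not listed in the CMakeLists change, has no `__init` registration, includes only ppp_lcp.h so malloc/memset/htons are undeclared unless that header pulls them in, sets `.id=CI_MRU` on the handler where the other option files set `opt.id` in init, and writes `opt16->hdr.type` where lcp_opt_mru.c writes `opt16->hdr.id`. Either drop the file or make it the implementation lcp_opt_mru.c delegates to; as committed it is dead code that diverges from the live copy.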
@@ -0,0 +1,92 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *accomp_init(struct ppp_lcp_t *lcp);
+static void accomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int accomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int accomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int accomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void accomp_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct accomp_option_t
+{
+ struct lcp_option_t opt;
+ int accomp; // 0 - disabled, 1 - enabled, 2 - allow,disabled, 3 - allow,enabled
+};
+
+static struct lcp_option_handler_t accomp_opt_hnd=
+{
+ .init=accomp_init,
+ .send_conf_req=accomp_send_conf_req,
+ .send_conf_nak=accomp_send_conf_nak,
+ .recv_conf_req=accomp_recv_conf_req,
+ .free=accomp_free,
+ .print=accomp_print,
+};
+
+static struct lcp_option_t *accomp_init(struct ppp_lcp_t *lcp)
+{
+ struct accomp_option_t *accomp_opt=malloc(sizeof(*accomp_opt));
+ memset(accomp_opt,0,sizeof(*accomp_opt));
+ accomp_opt->accomp=2;
+ accomp_opt->opt.id=CI_ACCOMP;
+ accomp_opt->opt.len=2;
+
+ return &accomp_opt->opt;
+}
+
+static void accomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+
+ free(accomp_opt);
+}
+
+static int accomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ if (accomp_opt->accomp==1 || accomp_opt->accomp==3)
+ {
+ opt0->id=CI_ACCOMP;
+ opt0->len=2;
+ return 2;
+ }
+ return 0;
+}
+
+static int accomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ opt0->id=CI_ACCOMP;
+ opt0->len=2;
+ return 2;
+}
+
+static int accomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+
+ if (accomp_opt->accomp>0)
+ {
+ accomp_opt->accomp=1;
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
+static void accomp_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ print("<accomp>");
+}
+
+static void __init accomp_opt_init()
+{
+ lcp_option_register(&accomp_opt_hnd);
+}
+
diff --git a/accel-pptpd/lcp_opt_magic.c b/accel-pptpd/lcp_opt_magic.c
new file mode 100644
index 0000000..53438b9
--- /dev/null
+++ b/accel-pptpd/lcp_opt_magic.c
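Review bot: accomp_init dereferences the result of `malloc(sizeof(*accomp_opt))` without a NULL check; pcomp_init, mru_init, magic_init and auth_init in this commit share the pattern, so one guard per init, `if (!accomp_opt) return NULL;`, plus a NULL check where ppp_lcp.c calls `init` (not in this diff), would cover them all. Separately, accomp_recv_conf_req answers LCP_OPT_NAK when the option is disabled, but Address-and-Control-Field-Compression carries no value, so a Configure-Nak can only make the peer retry the same request; RFC 1661 expects a refused flag option to be rejected, i.e. `return LCP_OPT_REJ;` (the code ppp_auth.c already uses), which also makes accomp_send_conf_nak unnecessary. lcp_opt_pcomp.c is the same file with the names changed and has both points.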
@@ -0,0 +1,81 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *magic_init(struct ppp_lcp_t *lcp);
+static void magic_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int magic_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int magic_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void magic_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct magic_option_t
+{
+ struct lcp_option_t opt;
+ int magic;
+};
+
+static struct lcp_option_handler_t magic_opt_hnd=
+{
+ .init=magic_init,
+ .send_conf_req=magic_send_conf_req,
+ .recv_conf_req=magic_recv_conf_req,
+ .free=magic_free,
+ .print=magic_print,
+};
+
+static struct lcp_option_t *magic_init(struct ppp_lcp_t *lcp)
+{
+ struct magic_option_t *magic_opt=malloc(sizeof(*magic_opt));
+ memset(magic_opt,0,sizeof(*magic_opt));
+ magic_opt->magic=random();
+ magic_opt->opt.id=CI_MAGIC;
+ magic_opt->opt.len=6;
+
+ return &magic_opt->opt;
+}
+
+static void magic_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+
+ free(magic_opt);
+}
+
+static int magic_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+ struct lcp_opt32_t *opt32=(struct lcp_opt32_t*)ptr;
+ opt32->hdr.id=CI_MAGIC;
+ opt32->hdr.len=6;
+ opt32->val=htonl(magic_opt->magic);
+ return 6;
+}
+
+static int magic_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+ struct lcp_opt32_t *opt32=(struct lcp_opt32_t*)ptr;
+
+ if (magic_opt->magic==ntohl(opt32->val))
+ {
+ log_error("loop detected");
+ return -1;
+ }
+ return LCP_OPT_ACK;
+}
+
+static void magic_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+
+ print("<magic %04x>",magic_opt->magic);
+}
+
+static void __init magic_opt_init()
+{
+ lcp_option_register(&magic_opt_hnd);
+}
diff --git a/accel-pptpd/lcp_opt_mru.c b/accel-pptpd/lcp_opt_mru.c
new file mode 100644
index 0000000..153b0e0
--- /dev/null
+++ b/accel-pptpd/lcp_opt_mru.c
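Review bot: magic_init takes the Magic-Number from `random()`, which returns the same sequence on every process start unless something calls srandom() (nothing in this diff does), so two instances of this daemon, or one instance after a restart, can produce identical magic numbers and magic_recv_conf_req will report a false "loop detected"; since the option exists to tell the two ends apart, read the value from the OS entropy source (4 bytes from /dev/urandom at init, with a time-and-pid seed only as a fallback) instead of the libc PRNG. Two smaller points in the same file: magic_recv_conf_req returns -1 on a loop while every other handler returns an LCP_OPT_* code, so confirm what ppp_lcp.c does with -1 and use the proper code if one exists; and magic_print formats a 32-bit value with `%04x` and always prints the local magic, where mirroring mru_print, `if (ptr) print("<magic %08x>",ntohl(opt32->val)); else print("<magic %08x>",magic_opt->magic);`, would show the peer's value when one is present.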
@@ -0,0 +1,97 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp);
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void mru_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct mru_option_t
+{
+ struct lcp_option_t opt;
+ int mru;
+ int mtu;
+};
+
+static struct lcp_option_handler_t mru_opt_hnd=
+{
+ .init=mru_init,
+ .send_conf_req=mru_send_conf_req,
+ .send_conf_nak=mru_send_conf_nak,
+ .recv_conf_req=mru_recv_conf_req,
+ .free=mru_free,
+ .print=mru_print,
+};
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp)
+{
+ struct mru_option_t *mru_opt=malloc(sizeof(*mru_opt));
+ memset(mru_opt,0,sizeof(*mru_opt));
+ mru_opt->mtu=0;
+ mru_opt->mru=1500;
+ mru_opt->opt.id=CI_MRU;
+ mru_opt->opt.len=4;
+
+ return &mru_opt->opt;
+}
+
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+
+ free(mru_opt);
+}
+
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.id=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mru);
+ return 4;
+}
+
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.id=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mtu);
+ return 4;
+}
+
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (!mru_opt->mtu || mru_opt->mtu==ntohs(opt16->val))
+ {
+ mru_opt->mtu=ntohs(opt16->val);
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
+static void mru_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (ptr) print("<mru %i>",ntohs(opt16->val));
+ else print("<mru %i>",mru_opt->mru);
+}
+
+static void __init mru_opt_init()
+{
+ lcp_option_register(&mru_opt_hnd);
+}
+
diff --git a/accel-pptpd/lcp_opt_pcomp.c b/accel-pptpd/lcp_opt_pcomp.c
new file mode 100644
index 0000000..79d77c6
--- /dev/null
+++ b/accel-pptpd/lcp_opt_pcomp.c
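Review bot: mru_recv_conf_req stores whatever 16-bit value the peer sends into `mru_opt->mtu` without checking the option length or the value: `opt16->val` is read before `opt16->hdr.len` is known to be 4 (unless ppp_lcp.c validates option lengths before dispatch, which this diff does not show), and an MRU of 0 or a handful of bytes is ACKed and then becomes the size this side has to fit its frames into. Compare the length and NAK values below a floor before accepting, e.g. `if (opt16->hdr.len!=4 || ntohs(opt16->val)<MIN_MRU) return LCP_OPT_NAK;` with MIN_MRU a named constant (RFC 1661 makes 1500 the default; the project should pick its own minimum). mru_print has the same unchecked read of `opt16->val` when ptr is non-NULL.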
@@ -0,0 +1,92 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *pcomp_init(struct ppp_lcp_t *lcp);
+static void pcomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int pcomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int pcomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int pcomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void pcomp_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct pcomp_option_t
+{
+ struct lcp_option_t opt;
+ int pcomp; // 0 - disabled, 1 - enabled, 2 - allow,disabled, 3 - allow,enabled
+};
+
+static struct lcp_option_handler_t pcomp_opt_hnd=
+{
+ .init=pcomp_init,
+ .send_conf_req=pcomp_send_conf_req,
+ .send_conf_nak=pcomp_send_conf_nak,
+ .recv_conf_req=pcomp_recv_conf_req,
+ .free=pcomp_free,
+ .print=pcomp_print,
+};
+
+static struct lcp_option_t *pcomp_init(struct ppp_lcp_t *lcp)
+{
+ struct pcomp_option_t *pcomp_opt=malloc(sizeof(*pcomp_opt));
+ memset(pcomp_opt,0,sizeof(*pcomp_opt));
+ pcomp_opt->pcomp=2;
+ pcomp_opt->opt.id=CI_PCOMP;
+ pcomp_opt->opt.len=2;
+
+ return &pcomp_opt->opt;
+}
+
+static void pcomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+
+ free(pcomp_opt);
+}
+
+static int pcomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ if (pcomp_opt->pcomp==1 || pcomp_opt->pcomp==3)
+ {
+ opt0->id=CI_PCOMP;
+ opt0->len=2;
+ return 2;
+ }
+ return 0;
+}
+
+static int pcomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct pcomp_option_t
*pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt); + struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr; + opt0->id=CI_PCOMP; + opt0->len=2; + return 2; +} + +static int pcomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) +{ + struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt); + + if (pcomp_opt->pcomp>0) + { + pcomp_opt->pcomp=1; + return LCP_OPT_ACK; + }else return LCP_OPT_NAK; +} + +static void pcomp_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr) +{ + print("<pcomp>"); +} + +static void __init pcomp_opt_init() +{ + lcp_option_register(&pcomp_opt_hnd); +} + diff --git a/accel-pptpd/log.c b/accel-pptpd/log.c index 454e997..4ee86e1 100644 --- a/accel-pptpd/log.c +++ b/accel-pptpd/log.c @@ -34,7 +34,7 @@ #define LOG_DEBUG 3 static FILE *log_file=NULL; -static int log_level=1; +static int log_level=10; static int log_color=1; static const char* level_name[]={"error","warning","info","debug"}; static const char* level_color[]={RED_COLOR,YELLOW_COLOR,GREEN_COLOR,BLUE_COLOR}; @@ -46,15 +46,18 @@ static void do_log(int level,const char *fmt,va_list ap) { struct timeval tv; - pthread_mutex_lock(&lock); - gettimeofday(&tv,NULL); - if (log_color) fprintf(log_file,"[%s%li.%03li] [%s]%s ",level_color[level],tv.tv_sec,tv.tv_usec/1000,NORMAL_COLOR,level_name[level]); - else fprintf(log_file,"[%li.%03li] [%s] ",tv.tv_sec,tv.tv_usec/1000,level_name[level]); + //pthread_mutex_lock(&lock); + if (msg_completed) + { + gettimeofday(&tv,NULL); + if (log_color) fprintf(log_file,"[%s%li.%03li] [%s]%s ",level_color[level],tv.tv_sec,tv.tv_usec/1000,NORMAL_COLOR,level_name[level]); + else fprintf(log_file,"[%li.%03li] [%s] ",tv.tv_sec,tv.tv_usec/1000,level_name[level]); + } vfprintf(log_file,fmt,ap); msg_completed=fmt[strlen(fmt)-1]=='\n'; - if (msg_completed) pthread_mutex_unlock(&lock); + //if (msg_completed) pthread_mutex_unlock(&lock); } void log_error(const char *fmt,...) { 
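Review bot: `static int log_level=10;` raises the default verbosity past the highest defined level (`#define LOG_DEBUG 3` sits a few lines above it), which reads as a debugging leftover rather than an intended default. Restore `static int log_level=1;` or make the level a configuration option; at 10 every PAP exchange, including the peer-id logged by the new log_debug calls in auth_pap.c, goes to the log by default.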
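Review bot: Commenting out `pthread_mutex_lock(&lock)` and the matching unlock removes the only synchronisation in do_log, yet the target links pthread and do_log both writes log_file and reads and writes the shared `msg_completed` flag, so concurrent callers now race on that flag and interleave partial lines. The likely motivation — the old code kept the mutex held across calls whenever fmt did not end in '\n', which deadlocks any other thread that logs in between — is better fixed by holding the lock only for the duration of the call: take it at the top of do_log and release it unconditionally after `msg_completed=fmt[strlen(fmt)-1]=='\n';`, accepting that a message built from several calls may interleave with another thread's output. Note also that `fmt[strlen(fmt)-1]` indexes before the buffer when fmt is the empty string; guard with `strlen(fmt)>0`.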
diff --git a/accel-pptpd/ppp.c b/accel-pptpd/ppp.c index f8a1be5..b032b06 100644 --- a/accel-pptpd/ppp.c +++ b/accel-pptpd/ppp.c @@ -86,13 +86,10 @@ int establish_ppp(struct ppp_t *ppp) ppp->h->twait=-1; triton_md_register_handler(ppp->h); triton_md_enable_handler(ppp->h,MD_MODE_READ); - INIT_LIST_HEAD(&ppp->layers); + INIT_LIST_HEAD(&ppp->handlers); - ppp->lcp_layer=ppp_lcp_init(ppp); - /*list_add_tail(&ppp->lcp_layer->entry,&ppp->layers); - ppp_fsm_open(ppp->lcp_layer); - ppp_fsm_lower_up(ppp->lcp_layer);*/ ppp->cur_layer=PPP_LAYER_LCP; + lcp_start(ppp); return 0; @@ -104,6 +101,14 @@ exit_close_chan: return -1; } +void print_buf(uint8_t *buf,int size) +{ + int i; + for(i=0;i<size;i++) + printf("%x ",buf[i]); + printf("\n"); +} + int ppp_send(struct ppp_t *ppp, void *data, int size) { int n; @@ -111,32 +116,38 @@ int ppp_send(struct ppp_t *ppp, void *data, int size) if (ppp->out_buf_size) return -1; if (size>PPP_MTU+PPP_HDRLEN) return -1; + printf("ppp: send: "); + print_buf((uint8_t*)data,size); + n=write(ppp->unit_fd,data,size); - if (n>=0) + /*if (n>=0) { if (n!=ppp->out_buf_size-ppp->out_buf_pos) { ppp->out_buf_pos+=n; triton_md_enable_handler(ppp->h,MD_MODE_WRITE); } - } + }*/ return n; } static void ppp_read(struct triton_md_handler_t*h) { struct ppp_t *ppp=(struct ppp_t *)h->pd; - struct ppp_layer_t *l=NULL; + struct ppp_handler_t *ppp_h=NULL; uint16_t proto; ppp->in_buf_size=read(h->fd,ppp->in_buf,PPP_MRU+PPP_HDRLEN); + printf("ppp: recv: "); + print_buf(ppp->in_buf,ppp->in_buf_size); + proto=ntohs(*(uint16_t*)ppp->in_buf); - list_for_each_entry(l,&ppp->layers,entry) + list_for_each_entry(ppp_h,&ppp->handlers,entry) { - if (l->proto==proto) + if (ppp_h->proto==proto) { - l->recv(l); + ppp_h->recv(ppp_h); return; } } @@ -166,7 +177,6 @@ static void ppp_timeout(struct triton_md_handler_t*h) void ppp_layer_started(struct ppp_t *ppp) { - int i; switch(ppp->cur_layer) { case PPP_LAYER_LCP: 
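Review bot: ppp_send and ppp_read now dump every frame to stdout via `printf("ppp: send: ")`/`print_buf(...)`, and with PAP in use those frames carry the peer-id and password in the clear, so this should go behind the log facility at debug level, or be removed, before the code ships. In the same hunk the result of `read(h->fd,...)` is stored in `ppp->in_buf_size` and used without checking for -1 or for fewer than 2 bytes, after which `ntohs(*(uint16_t*)ppp->in_buf)` reads the protocol field regardless; add `if (ppp->in_buf_size<2) return;` (logging the error when it is negative) before the proto lookup. The partial-write handling in ppp_send is commented out rather than replaced, so a short write is now reported as success by `return n` alone; either restore it or document that callers must compare n with size. ppp_read continues past the end of this hunk.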
@@ -204,3 +214,13 @@ void ppp_terminate(struct ppp_t *ppp) } } + +void ppp_register_handler(struct ppp_t *ppp,struct ppp_handler_t *h) +{ + list_add_tail(&h->entry,&ppp->handlers); +} +void ppp_unregister_handler(struct ppp_t *ppp,struct ppp_handler_t *h) +{ + list_del(&h->entry); +} + diff --git a/accel-pptpd/ppp.h b/accel-pptpd/ppp.h index 4a4c70e..83ad8ed 100644 --- a/accel-pptpd/ppp.h +++ b/accel-pptpd/ppp.h @@ -2,7 +2,7 @@ #define PPP_H #include <sys/types.h> -#include "ppp_fsm.h" +#include "list.h" /* * Packet header = Code, id, length. @@ -46,6 +46,10 @@ #define PPP_LAYER_CCP 3 #define PPP_LAYER_IPCP 4 +#define AUTH_MAX 3 + +struct ppp_lcp_t; + struct ppp_t { struct triton_md_handler_t *h; @@ -77,8 +81,7 @@ struct ppp_t struct list_head handlers; int cur_layer; - struct ppp_layer_t *lcp_layer; - void *auth_pd; + struct ppp_lcp_t *lcp; }; struct ppp_handler_t @@ -94,17 +97,30 @@ int ppp_send(struct ppp_t *ppp, void *data, int size); void ppp_init(void); -struct ppp_layer_t* ppp_lcp_init(struct ppp_t *ppp); +struct ppp_fsm_t* ppp_lcp_init(struct ppp_t *ppp); void ppp_layer_started(struct ppp_t *ppp); void ppp_terminate(struct ppp_t *ppp); +void ppp_register_handler(struct ppp_t*,struct ppp_handler_t*); +void ppp_unregister_handler(struct ppp_t*,struct ppp_handler_t*); + +void lcp_start(struct ppp_t*); +void lcp_finish(struct ppp_t*); +int auth_start(struct ppp_t*); +void auth_finish(struct ppp_t*); +int ccp_start(struct ppp_t*); +void ccp_finish(struct ppp_t*); +int ipcp_start(struct ppp_t*); +void ipcp_finish(struct ppp_t*); + +#define __init __attribute__((constructor)) + #undef offsetof #ifdef __compiler_offsetof #define offsetof(TYPE,MEMBER) __compiler_offsetof(TYPE,MEMBER) #else #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER) #endif -#endif /* __KERNEL__ */ #define container_of(ptr, type, member) ({ \ const typeof( ((type *)0)->member ) *__mptr = (ptr); \ 
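Review bot: `#define __init __attribute__((constructor))` in ppp.h takes an identifier from the reserved namespace (double leading underscore) for a GCC-specific attribute, which risks clashing with implementation headers; a project-prefixed name such as `PPP_INIT`, or writing `__attribute__((constructor))` at each use, avoids that. The new `lcp_start`/`auth_start`/`ccp_start`/`ipcp_start` prototypes mix `int` and `void` returns with no statement of what a non-zero result means (auth_start returns 1 once a handler has been started, per ppp_auth.c), so a one-line comment above that group giving the convention would save the next reader a trip through every implementation. The container_of definition is cut off at the end of this hunk.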
diff --git a/accel-pptpd/ppp_auth.c b/accel-pptpd/ppp_auth.c index 1117c21..6fc4801 100644 --- a/accel-pptpd/ppp_auth.c +++ b/accel-pptpd/ppp_auth.c 
@@ -1,129 +1,245 @@ -#include "triton/triton.h" +#include <stdlib.h> +#include <string.h> +#include <arpa/inet.h> #include "ppp.h" #include "ppp_lcp.h" -#include "ppp_fsm.h" +#include "log.h" + #include "ppp_auth.h" -static LIST_HEAD(drv_list); -int auth_register(struct auth_driver_t *new) +static LIST_HEAD(auth_handlers); +static int extra_opt_len=0; + +static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp); +static void auth_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt); +static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr); +static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr); +static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr); +static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr); +static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr); +static void auth_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr); + +struct auth_option_t +{ + struct lcp_option_t opt; + struct list_head auth_list; + struct auth_data_t *auth; + struct auth_data_t *peer_auth; +}; + +static struct lcp_option_handler_t auth_opt_hnd= { - struct auth_driver_t *drv; + .init=auth_init, + .send_conf_req=auth_send_conf_req, + .send_conf_nak=auth_send_conf_req, + .recv_conf_req=auth_recv_conf_req, + .recv_conf_nak=auth_recv_conf_nak, + .recv_conf_rej=auth_recv_conf_rej, + .recv_conf_ack=auth_recv_conf_ack, + .free=auth_free, + .print=auth_print, +}; - list_for_each_entry(drv,&drv_list,entry) +static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp) +{ + struct ppp_auth_handler_t *h; + struct auth_data_t *d; + struct auth_option_t *auth_opt=malloc(sizeof(*auth_opt)); + memset(auth_opt,0,sizeof(*auth_opt)); + auth_opt->opt.id=CI_AUTH; + auth_opt->opt.len=4+extra_opt_len; + + INIT_LIST_HEAD(&auth_opt->auth_list); + + list_for_each_entry(h,&auth_handlers,entry) 
{ - if (drv->type==new->type) - return -1; + d=h->init(lcp->ppp); + d->h=h; + list_add_tail(&d->entry,&auth_opt->auth_list); } - list_add_tail(&new->entry,&drv_list); - return 0; + + return &auth_opt->opt; } -int auth_get_conf_req(struct ppp_layer_t *l, struct lcp_opt32_t *opt) +static void auth_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt) { - int i,n; - struct auth_driver_t *drv; + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + struct auth_data_t *d; - for(i=0; i<AUTH_MAX; i++) - { - if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]>0) - goto cont; - } - for(i=0; i<AUTH_MAX; i++) + while(!list_empty(&auth_opt->auth_list)) { - if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]==0) - goto cont; + d=list_entry(auth_opt->auth_list.next,typeof(*d),entry); + list_del(&d->entry); + d->h->free(lcp->ppp,d); } - return -1; -cont: - list_for_each_entry(drv,&drv_list,entry) + free(auth_opt); +} + +static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) +{ + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr; + struct auth_data_t *d; + int n; + + if (list_empty(&auth_opt->auth_list)) return 0; + + if (!auth_opt->auth) { - if (drv->type==l->ppp->auth[i]) - break; + d=list_entry(auth_opt->auth_list.next,typeof(*d),entry); + auth_opt->auth=d; } - n=drv->get_conf_req(drv,l,opt); - opt->val=l->auth[i]; - opt->hdr.len=6+n; - return 0; + + opt16->hdr.id=CI_AUTH; + opt16->val=htons(auth_opt->auth->proto); + n=auth_opt->auth->h->send_conf_req(lcp->ppp,auth_opt->auth,(uint8_t*)(opt16+1)); + opt16->hdr.len=4+n; + + return 4+n; } -int auth_recv_conf_req(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr) + +static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) { - struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr; - struct auth_driver_t *drv; - int i; + struct auth_option_t 
*auth_opt=container_of(opt,typeof(*auth_opt),opt); + struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr; + struct auth_data_t *d; - for(i=0; i<AUTH_MAX; i++) + if (list_empty(&auth_opt->auth_list)) + return LCP_OPT_REJ; + + list_for_each_entry(d,&auth_opt->auth_list,entry) { - if (l->ppp->auth[i]==opt->val) + if (d->proto==ntohs(opt16->val)) { - list_for_each_entry(drv,&drv_list,entry) - { - if (drv->type==l->ppp->auth[i]) - { - if (drv->recv_conf_req(drv,l->ppp,opt)) - return -1; - l->options.lcp.neg_auth[i]=1; - return 0; - } - } - return -1; + if (d->h->recv_conf_req(lcp->ppp,d,(uint8_t*)(opt16+1))) + break; + auth_opt->peer_auth=d; + return LCP_OPT_ACK; } } - return -1; + + list_for_each_entry(d,&auth_opt->auth_list,entry) + { + if (d->state!=LCP_OPT_NAK) + { + auth_opt->peer_auth=d; + return LCP_OPT_NAK; + } + } + + log_msg("cann't negotiate authentication type\n"); + return LCP_OPT_FAIL; } -int auth_recv_conf_rej(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr) + +static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) { - struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr; - int i; + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + + auth_opt->peer_auth=NULL; - for(i=0; i<AUTH_MAX; i++) + return 0; +} + +static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) +{ + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr; + struct auth_data_t *d; + + list_for_each_entry(d,&auth_opt->auth_list,entry) { - if (l->ppp->auth[i]==opt->val) + if (d->proto==ntohs(opt16->val)) { - l->options.lcp.neg_auth[i]=-1; - break; + d->state=LCP_OPT_NAK; + if (d->h->recv_conf_req(lcp->ppp,d,(uint8_t*)(opt16+1))) + break; + auth_opt->auth=d; + return 0; } } - for(i=0; i<AUTH_MAX; i++) + + list_for_each_entry(d,&auth_opt->auth_list,entry) { - if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]!=-1) + if 
(d->state!=LCP_OPT_NAK) return 0; } + + log_msg("cann't negotiate authentication type\n"); + return -1; +} + +static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr) +{ + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + + if (list_empty(&auth_opt->auth_list)) + return 0; + + log_msg("cann't negotiate authentication type\n"); return -1; } -int auth_recv_conf_nak(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr) + +static void auth_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr) { - struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr; - int i; + struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt); + struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr; + struct auth_data_t *d; - for(i=0; i<AUTH_MAX; i++) + if (ptr) { - if (l->ppp->auth[i]==opt->val) + list_for_each_entry(d,&auth_opt->auth_list,entry) { - l->options.lcp.neg_auth[i]=2; - return 0; + if (d->proto==ntohs(opt16->val)) + goto print_d; } + + print("<auth %02x>",ntohs(opt16->val)); + return; } - return -1; + else if (auth_opt->auth) d=auth_opt->auth; + else return; + +print_d: + print("<auth %s>",d->h->name); } +int ppp_auth_register_handler(struct ppp_auth_handler_t *h) +{ + list_add_tail(&h->entry,&auth_handlers); + return 0; +} + +static void __init auth_opt_init() +{ + lcp_option_register(&auth_opt_hnd); +} + + + + + + + + int auth_start(struct ppp_t *ppp) { - int i; - struct auth_driver_t *drv; + struct lcp_option_t *opt; + struct auth_option_t *auth_opt; - for(i=0; i<AUTH_MAX; i++) + list_for_each_entry(opt,&ppp->lcp->options,entry) { - if (ppp->lcp_layer->options.lcp.neg_auth[i]==1) + if (opt->id==CI_AUTH) { - list_for_each_entry(drv,&drv_list,entry) + auth_opt=container_of(opt,typeof(*auth_opt),opt); + if (auth_opt->auth) { - if (drv->type==ppp->auth[i]) - return drv->start(ppp); + auth_opt->auth->h->start(ppp,auth_opt->auth); + return 1; } - return -1; + break; } } 
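Review bot: auth_init dereferences `malloc(sizeof(*auth_opt))` and each `h->init(lcp->ppp)` result without a NULL check, and `extra_opt_len` is declared, folded into `auth_opt->opt.len=4+extra_opt_len`, and never assigned, so it is either dead or a forgotten hook — drop it or derive it from the registered handlers. In auth_recv_conf_req and auth_recv_conf_nak the peer's value is read from `opt16->val` before the option length is known to be at least 4; if ppp_lcp.c does not validate option lengths before dispatch (not shown here), add `if (opt16->hdr.len<4) return LCP_OPT_REJ;` first. The three log messages spell it `cann't`; `"cannot negotiate authentication type\n"` would be the fix. auth_start continues past the end of this hunk.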
@@ -132,21 +248,17 @@ int auth_start(struct ppp_t *ppp)
 void auth_finish(struct ppp_t *ppp)
 {
- int i;
- struct auth_driver_t *drv;
+ struct lcp_option_t *opt;
+ struct auth_option_t *auth_opt;
- for(i=0; i<AUTH_MAX; i++)
+ list_for_each_entry(opt,&ppp->lcp->options,entry)
 {
- if (ppp->lcp_layer->options.lcp.neg_auth[i]==1)
+ if (opt->id==CI_AUTH)
 {
- list_for_each_entry(drv,&drv_list,entry)
- {
- if (drv->type==ppp->auth[i])
- {
- drv->finish(ppp);
- return;
- }
- }
+ auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ if (auth_opt->auth)
+ auth_opt->auth->h->finish(ppp,auth_opt->auth);
+ break;
 }
 }
 }
diff --git a/accel-pptpd/ppp_auth.h b/accel-pptpd/ppp_auth.h
index 064bf24..f1880d5 100644
--- a/accel-pptpd/ppp_auth.h
+++ b/accel-pptpd/ppp_auth.h
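Review bot: auth_finish() dereferences `ppp->lcp` to reach `ppp->lcp->options` without checking it, and lcp_finish() later in this diff does `free(lcp)` without clearing `ppp->lcp`, so if auth_finish runs after lcp_finish this walks a freed list; either add `ppp->lcp=NULL;` after the free in lcp_finish or guard here with `if (!ppp->lcp) return;`. The `int` returned by `auth_opt->auth->h->finish()` is silently discarded, while auth_start propagates its call as a return of 1; say in a comment whether finish failures are meaningful. The same find-CI_AUTH-then-container_of walk is duplicated in auth_start directly above; a small static helper returning the `auth_option_t` (or NULL) would remove the copy.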
@@ -3,24 +3,32 @@
 #include "list.h"
-struct ppp_layer_t;
-struct lcp_opt_hdr_t;
-struct lcp_opt32_t;
+struct ppp_auth_handler_t;
-struct auth_driver_t
+struct auth_data_t
 {
 struct list_head entry;
- int type;
- int (*get_conf_req)(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
- int (*recv_conf_req)(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
- int (*begin)(struct auth_driver_t*, struct ppp_t*);
- int (*terminate)(struct auth_driver_t*, struct ppp_t*);
+ int proto;
+ int state;
+ struct ppp_auth_handler_t *h;
 };
-int auth_get_conf_req(struct ppp_layer_t *l, struct lcp_opt32_t *);
-int auth_recv_conf_req(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
-int auth_recv_conf_rej(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
-int auth_recv_conf_nak(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
+struct ppp_auth_handler_t
+{
+ struct list_head entry;
+ const char *name;
+ struct auth_data_t* (*init)(struct ppp_t*);
+ int (*send_conf_req)(struct ppp_t*, struct auth_data_t*, uint8_t*);
+ int (*recv_conf_req)(struct ppp_t*, struct auth_data_t*, uint8_t*);
+ int (*start)(struct ppp_t*, struct auth_data_t*);
+ int (*finish)(struct ppp_t*, struct auth_data_t*);
+ void (*free)(struct ppp_t*,struct auth_data_t*);
+};
+
+int ppp_auth_register_handler(struct ppp_auth_handler_t*);
+
+void auth_successed(struct ppp_t *ppp);
+void auth_failed(struct ppp_t *ppp);
 #endif
diff --git a/accel-pptpd/ppp_ccp.c b/accel-pptpd/ppp_ccp.c
new file mode 100644
index 0000000..2f3ce4a
--- /dev/null
+++ b/accel-pptpd/ppp_ccp.c
@@ -0,0 +1,12 @@
+#include "ppp.h"
+
+int ccp_start(struct ppp_t *ppp)
+{
+ return 0;
+}
+
+void ccp_finish(struct ppp_t *ppp)
+{
+
+}
+
diff --git a/accel-pptpd/ppp_fsm.c b/accel-pptpd/ppp_fsm.c
index fdbcbe9..e2884c2 100644
--- a/accel-pptpd/ppp_fsm.c
+++ b/accel-pptpd/ppp_fsm.c
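Review bot: The new `struct ppp_auth_handler_t` callbacks take `uint8_t*` but ppp_auth.h only includes "list.h"; auth_pap.c has to add `#include <stdint.h>` before the header, so the header is not self-contained — add `#include <stdint.h>` next to the "list.h" include. The handler contract is undocumented and the caller in ppp_auth.c relies on it: a non-zero return from `recv_conf_req` means "cannot accept this peer proposal", `free` must release what `init` returned, and `state` holds an LCP_OPT_* value written by the Nak path; a short block comment on the struct stating those three points would be enough. `auth_successed` reads like a typo for `auth_succeeded`; fixing the name now is cheaper than after other modules call it.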
@@ -14,16 +14,17 @@
 #include "ppp.h"
 #include "ppp_fsm.h"
 #include "ppp_lcp.h"
+#include "log.h"
-void send_term_req(struct ppp_layer_t *layer);
-void send_term_ack(struct ppp_layer_t *layer);
-void send_echo_reply(struct ppp_layer_t *layer);
+void send_term_req(struct ppp_fsm_t *layer);
+void send_term_ack(struct ppp_fsm_t *layer);
+void send_echo_reply(struct ppp_fsm_t *layer);
-static void init_req_counter(struct ppp_layer_t *layer,int timeout);
-static void zero_req_counter(struct ppp_layer_t *layer);
+static void init_req_counter(struct ppp_fsm_t *layer,int timeout);
+static void zero_req_counter(struct ppp_fsm_t *layer);
 static int restart_timer_func(struct triton_timer_t*t);
-void ppp_fsm_init(struct ppp_layer_t *layer)
+void ppp_fsm_init(struct ppp_fsm_t *layer)
 {
 layer->fsm_state=FSM_Initial;
 layer->restart_timer.active=0;
@@ -34,10 +35,9 @@ void ppp_fsm_init(struct ppp_layer_t *layer)
 layer->max_terminate=2;
 layer->max_configure=10;
 layer->max_failure=5;
- layer->id=0;
 }
-void ppp_fsm_lower_up(struct ppp_layer_t *layer)
+void ppp_fsm_lower_up(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -55,7 +55,7 @@ void ppp_fsm_lower_up(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_lower_down(struct ppp_layer_t *layer)
+void ppp_fsm_lower_down(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -82,7 +82,7 @@ void ppp_fsm_lower_down(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_open(struct ppp_layer_t *layer)
+void ppp_fsm_open(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -103,18 +103,15 @@ void ppp_fsm_open(struct ppp_layer_t *layer)
 layer->fsm_state=FSM_Stopping;
 case FSM_Stopped:
 case FSM_Opened:
- if (layer->opt_restart)
- {
- ppp_fsm_lower_down(layer);
- ppp_fsm_lower_up(layer);
- }
+ ppp_fsm_lower_down(layer);
+ ppp_fsm_lower_up(layer);
 break;
 default:
 break;
 }
 }
-void ppp_fsm_close(struct ppp_layer_t *layer)
+void ppp_fsm_close(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
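Review bot: In ppp_fsm_open() the `opt_restart` guard is removed, so an Open event while in FSM_Stopped or FSM_Opened now always runs lower_down/lower_up; RFC 1661's state table does that only when the restart option is set (the `[r]` action) and otherwise leaves Opened and Stopped untouched, so every later Open on an established link will renegotiate it. If unconditional restart is the intent, say so on the `case FSM_Opened:` line, e.g. `/* restart option is always on: re-enter via Starting */`. The `layer->fsm_state=FSM_Stopping;` line at the top of the hunk falls through into `case FSM_Stopped:` and deserves a `/* fallthrough */` marker; the enclosing switch begins before the hunk.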
@@ -143,7 +140,7 @@ void ppp_fsm_close(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_timeout0(struct ppp_layer_t *layer)
+void ppp_fsm_timeout0(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -162,7 +159,7 @@ void ppp_fsm_timeout0(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_timeout1(struct ppp_layer_t *layer)
+void ppp_fsm_timeout1(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -179,14 +176,13 @@ void ppp_fsm_timeout1(struct ppp_layer_t *layer)
 case FSM_Ack_Sent:
 if (layer->layer_finished) layer->layer_finished(layer);
 layer->fsm_state=FSM_Stopped;
- layer->opt_passive=1;
 break;
 default:
 break;
 }
 }
-void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_req_ack(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -219,7 +215,37 @@ void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_req_nak(struct ppp_fsm_t *layer)
+{
+ switch(layer->fsm_state)
+ {
+ case FSM_Closed:
+ send_term_ack(layer);
+ break;
+ case FSM_Stopped:
+ //if (layer->init_req_cnt) layer->init_req_cnt(layer);
+ init_req_counter(layer,layer->max_configure);
+ if (layer->send_conf_req) layer->send_conf_req(layer);
+ case FSM_Ack_Sent:
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ layer->fsm_state=FSM_Req_Sent;
+ break;
+ case FSM_Req_Sent:
+ case FSM_Ack_Rcvd:
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ break;
+ case FSM_Opened:
+ if (layer->layer_down) layer->layer_down(layer);
+ if (layer->send_conf_req) layer->send_conf_req(layer);
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ layer->fsm_state=FSM_Req_Sent;
+ break;
+ default:
+ break;
+ }
+}
+
+void ppp_fsm_recv_conf_req_rej(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
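Review bot: ppp_fsm_recv_conf_req_nak() falls through from `case FSM_Stopped:` into `case FSM_Ack_Sent:` with no marker; the transition is the RFC 1661 `irc,scr,scn` sequence ending in Req-Sent, so it is correct, but it reads like a missing `break` — mark it `/* fallthrough: Stopped also sends the Nak and enters Req-Sent */` so -Wimplicit-fallthrough and the next reader agree. The commented-out `//if (layer->init_req_cnt) layer->init_req_cnt(layer);` line is dead code copied into a brand-new function and should be dropped. The trailing hunk in ppp_fsm_recv_conf_req_rej is cut by the hunk boundary, so its body is not reviewed here.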
@@ -249,7 +275,7 @@ void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_ack(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -282,7 +308,7 @@ void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_rej(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -314,7 +340,7 @@ void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_term_req(struct ppp_layer_t *layer)
+void ppp_fsm_recv_term_req(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -337,7 +363,7 @@ void ppp_fsm_recv_term_req(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer)
+void ppp_fsm_recv_term_ack(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -362,12 +388,12 @@ void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_unk(struct ppp_layer_t *layer)
+void ppp_fsm_recv_unk(struct ppp_fsm_t *layer)
 {
 if (layer->send_conf_rej) layer->send_conf_rej(layer);
 }
-void ppp_fsm_recv_code_rej_perm(struct ppp_layer_t *layer)
+void ppp_fsm_recv_code_rej_perm(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
@@ -379,15 +405,13 @@ void ppp_fsm_recv_code_rej_perm(struct ppp_layer_t *layer)
 }
 }
-void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer)
+void ppp_fsm_recv_code_rej_bad(struct ppp_fsm_t *layer)
 {
 switch(layer->fsm_state)
 {
 case FSM_Opened:
 if (layer->layer_down) layer->layer_down(layer);
- //if (layer->init_req_cnt) layer->init_req_cnt(layer);
- init_req_counter(layer,layer->max_configure);
- if (layer->send_conf_req) layer->send_conf_req(layer);
+ send_term_req(layer);
 layer->fsm_state=FSM_Stopping;
 break;
 case FSM_Closing:
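Review bot: The rewritten FSM_Opened branch of ppp_fsm_recv_code_rej_bad() now sends a Terminate-Request without reinitialising the restart counter; RFC 1661 lists the RXJ- action in Opened as `tld, irc, str`, so `init_req_counter(layer,layer->max_terminate);` belongs before `send_term_req(layer);` — otherwise whatever count was left over from the configure phase (or zero) decides how many Terminate-Requests are retried. Whether ppp_fsm_close does the same is not visible in this chunk; worth checking the two are consistent. The function body continues past the end of the hunk.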
@@ -406,53 +430,55 @@ void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer)
 }
 }
-void send_term_req(struct ppp_layer_t *layer)
+void send_term_req(struct ppp_fsm_t *layer)
 {
 struct lcp_hdr_t hdr={
- .proto=PPP_LCP,
+ .proto=htons(PPP_LCP),
 .code=TERMREQ,
 .id=++layer->id,
- .len=4,
+ .len=htons(4),
 };
- ppp_send(layer->ppp,&hdr,hdr.len);
+ log_debug("send [LCP TermReq id=%i \"\"]\n",hdr.id);
+
+ ppp_send(layer->ppp,&hdr,6);
 }
-void send_term_ack(struct ppp_layer_t *layer)
+void send_term_ack(struct ppp_fsm_t *layer)
 {
 struct lcp_hdr_t hdr={
- .proto=PPP_LCP,
+ .proto=htons(PPP_LCP),
 .code=TERMACK,
 .id=layer->recv_id,
- .len=4,
+ .len=htons(4),
 };
- ppp_send(layer->ppp,&hdr,hdr.len);
-}
-void ppp_fsm_recv(struct ppp_layer_t *layer)
-{
+ log_debug("send [LCP TermAck id=%i \"\"]\n",hdr.id);
+
+ ppp_send(layer->ppp,&hdr,6);
 }
-static void init_req_counter(struct ppp_layer_t *layer,int timeout)
+static void init_req_counter(struct ppp_fsm_t *layer,int timeout)
 {
 triton_timer_del(&layer->restart_timer);
+ layer->restart_timer.expire_tv.tv_sec=0;
 triton_timer_add(&layer->restart_timer);
 layer->restart_counter=timeout;
 }
-static void zero_req_counter(struct ppp_layer_t *layer)
+static void zero_req_counter(struct ppp_fsm_t *layer)
 {
 triton_timer_del(&layer->restart_timer);
+ layer->restart_timer.expire_tv.tv_sec=0;
 triton_timer_add(&layer->restart_timer);
 layer->restart_counter=0;
 }
 static int restart_timer_func(struct triton_timer_t*t)
 {
- struct ppp_layer_t *layer=(struct ppp_layer_t *)t->pd;
+ struct ppp_fsm_t *layer=(struct ppp_fsm_t *)t->pd;
 if (layer->restart_counter)
 {
 ppp_fsm_timeout0(layer);
- layer->restart_counter--;
 return 1;
 }
diff --git a/accel-pptpd/ppp_fsm.h b/accel-pptpd/ppp_fsm.h
index 3ed6284..eddafcf 100644
--- a/accel-pptpd/ppp_fsm.h
+++ b/accel-pptpd/ppp_fsm.h
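Review bot: restart_timer_func() no longer decrements `layer->restart_counter`, so unless ppp_fsm_timeout0() (whose body is outside this chunk) now does it, the counter never reaches zero, ppp_fsm_timeout1() is never invoked and a silent peer keeps the layer retransmitting indefinitely; if the decrement moved there, a comment `/* restart_counter is decremented by ppp_fsm_timeout0 */` on the `if` would settle it. In send_term_req/send_term_ack the literal `6` passed to ppp_send should be `sizeof(hdr)` (the struct is packed and, assuming it is exactly proto/code/id/len, equals 6) so it cannot drift from `.len=htons(4)`. The debug lines print an empty quoted string although RFC 1661 allows data in Terminate-Request; a note that no reason text is sent would make that deliberate rather than accidental.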
@@ -1,9 +1,6 @@
 #ifndef PPP_FSM_H
 #define PPP_FSM_H
-#include "triton/triton.h"
-#include "list.h"
-
 typedef enum {FSM_Initial=0,FSM_Starting,FSM_Closed,FSM_Stopped,FSM_Closing,FSM_Stopping,FSM_Req_Sent,FSM_Ack_Rcvd,FSM_Ack_Sent,FSM_Opened} FSM_STATE;
 /*
 * CP (LCP, IPCP, etc.) codes.
@@ -18,35 +15,13 @@ typedef enum {FSM_Initial=0,FSM_Starting,FSM_Closed,FSM_Stopped,FSM_Closing,FSM_
 #define ECHOREQ 9 /* Echo Request */
 #define ECHOREP 10 /* Echo Reply */
-struct ppp_hdr_t;
-
-#define AUTH_MAX 3
-struct lcp_options_t
-{
- int magic;
- int mtu;
- int mru;
- int accomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
- int pcomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
- // negotiated options;
- int neg_mru;
- int neg_mtu;
- int neg_accomp; // -1 - rejected
- int neg_pcomp;
- int neg_auth[AUTH_MAX];
-};
+struct ppp_t;
-struct ppp_layer_t
+struct ppp_fsm_t
 {
- struct ppp_handler_t h;
 struct ppp_t *ppp;
 FSM_STATE fsm_state;
- union
- {
- struct lcp_options_t lcp;
- } options;
-
 struct triton_timer_t restart_timer;
 int restart_counter;
 int max_terminate;
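Review bot: ppp_fsm.h drops `#include "triton/triton.h"` and `"list.h"` but `struct ppp_fsm_t` still embeds `struct triton_timer_t restart_timer;` by value, so the header is no longer self-contained and compiles only because ppp_lcp.h (later in this diff) includes triton/triton.h immediately before it. Keep `#include "triton/triton.h"` here, or hold the timer through a pointer behind a forward declaration, so that a translation unit including ppp_fsm.h alone still builds.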
@@ -56,38 +31,33 @@ struct ppp_layer_t int id; int recv_id; - int opt_restart:1; - int opt_passive:1; - - void *last_conf_req; //fsm handling - void (*layer_up)(struct ppp_layer_t*); - void (*layer_down)(struct ppp_layer_t*); - void (*layer_started)(struct ppp_layer_t*); - void (*layer_finished)(struct ppp_layer_t*); - void (*send_conf_req)(struct ppp_layer_t*); - void (*send_conf_ack)(struct ppp_layer_t*); - void (*send_conf_nak)(struct ppp_layer_t*); - void (*send_conf_rej)(struct ppp_layer_t*); + void (*layer_up)(struct ppp_fsm_t*); + void (*layer_down)(struct ppp_fsm_t*); + void (*layer_started)(struct ppp_fsm_t*); + void (*layer_finished)(struct ppp_fsm_t*); + void (*send_conf_req)(struct ppp_fsm_t*); + void (*send_conf_ack)(struct ppp_fsm_t*); + void (*send_conf_nak)(struct ppp_fsm_t*); + void (*send_conf_rej)(struct ppp_fsm_t*); }; -void ppp_fsm_init(struct ppp_layer_t*); -void ppp_fsm_recv(struct ppp_layer_t*); - -void ppp_fsm_lower_up(struct ppp_layer_t *layer); -void ppp_fsm_lower_down(struct ppp_layer_t *layer); -void ppp_fsm_open(struct ppp_layer_t *layer); -void ppp_fsm_close(struct ppp_layer_t *layer); -void ppp_fsm_timeout0(struct ppp_layer_t *layer); -void ppp_fsm_timeout1(struct ppp_layer_t *layer); -void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer); -void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer); -void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer); -void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer); -void ppp_fsm_recv_term_req(struct ppp_layer_t *layer); -void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer); -void ppp_fsm_recv_unk(struct ppp_layer_t *layer); -void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer); -void ppp_fsm_recv_echo(struct ppp_layer_t *layer); +void ppp_fsm_init(struct ppp_fsm_t*); + +void ppp_fsm_lower_up(struct ppp_fsm_t*); +void ppp_fsm_lower_down(struct ppp_fsm_t*); +void ppp_fsm_open(struct ppp_fsm_t*); +void ppp_fsm_close(struct ppp_fsm_t*); +void ppp_fsm_timeout0(struct ppp_fsm_t 
*layer); +void ppp_fsm_timeout1(struct ppp_fsm_t *layer); +void ppp_fsm_recv_conf_req_ack(struct ppp_fsm_t *layer); +void ppp_fsm_recv_conf_req_nak(struct ppp_fsm_t *layer); +void ppp_fsm_recv_conf_req_rej(struct ppp_fsm_t *layer); +void ppp_fsm_recv_conf_ack(struct ppp_fsm_t *layer); +void ppp_fsm_recv_conf_rej(struct ppp_fsm_t *layer); +void ppp_fsm_recv_term_req(struct ppp_fsm_t *layer); +void ppp_fsm_recv_term_ack(struct ppp_fsm_t *layer); +void ppp_fsm_recv_unk(struct ppp_fsm_t *layer); +void ppp_fsm_recv_code_rej_bad(struct ppp_fsm_t *layer); #endif diff --git a/accel-pptpd/ppp_ipcp.c b/accel-pptpd/ppp_ipcp.c new file mode 100644 index 0000000..09b0483 --- /dev/null +++ b/accel-pptpd/ppp_ipcp.c @@ -0,0 +1,12 @@ +#include "ppp.h" + +int ipcp_start(struct ppp_t *ppp) +{ + return 0; +} + +void ipcp_finish(struct ppp_t *ppp) +{ + +} + diff --git a/accel-pptpd/ppp_lcp.c b/accel-pptpd/ppp_lcp.c index 2d1dee0..21b7fb2 100644 --- a/accel-pptpd/ppp_lcp.c +++ b/accel-pptpd/ppp_lcp.c 
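Review bot: `int id;` and `int recv_id;` remain `int` in struct ppp_fsm_t while the wire field is a `uint8_t`: ppp_fsm.c writes `.id=++layer->id` into the packed header and ppp_lcp.c stores `hdr->id` back into `recv_id`, so after 255 Configure-Requests `id` is 256, is sent as 0, and the peer's reply with id 0 fails the `recv_id!=id` comparison in lcp_recv_conf_ack/nak/rej, after which every reply is logged as "id mismatch" and dropped. Declaring both as `uint8_t` (or masking on increment) makes the comparison operate on the wire value. The new callback pointers carry no comment on when the FSM invokes them; one line each (e.g. `/* layer_up: tlu action, layer reached Opened */`) would let the state table in ppp_fsm.c be read from the header.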
@@ -10,318 +10,420 @@ #include "log.h" #include "ppp.h" -#include "ppp_fsm.h" #include "ppp_lcp.h" -#include "ppp_auth.h" - -char* accomp="allow,disabled"; -char* pcomp="allow,disabled"; -char* auth="pap,eap,mschap-v2"; -char* mppe="allow,disabled"; -char* pwdb="radius"; - -static void lcp_layer_up(struct ppp_layer_t*); -static void lcp_layer_down(struct ppp_layer_t*); -static void send_conf_req(struct ppp_layer_t*); -static void send_conf_ack(struct ppp_layer_t*); -static void send_conf_nak(struct ppp_layer_t*); -static void send_conf_rej(struct ppp_layer_t*); -static void lcp_recv(struct ppp_layer_t*); + +struct recv_opt_t +{ + struct list_head entry; + struct lcp_opt_hdr_t *hdr; + int len; + int state; + struct lcp_option_t *lopt; +}; + +static LIST_HEAD(option_handlers); + +static void lcp_layer_up(struct ppp_fsm_t*); +static void lcp_layer_down(struct ppp_fsm_t*); +static void send_conf_req(struct ppp_fsm_t*); +static void send_conf_ack(struct ppp_fsm_t*); +static void send_conf_nak(struct ppp_fsm_t*); +static void send_conf_rej(struct ppp_fsm_t*); +static void lcp_recv(struct ppp_handler_t*); + +static void lcp_options_init(struct ppp_lcp_t *lcp) +{ + struct lcp_option_t *lopt; + struct lcp_option_handler_t *h; + + INIT_LIST_HEAD(&lcp->options); + + list_for_each_entry(h,&option_handlers,entry) + { + lopt=h->init(lcp); + if (lopt) + { + lopt->h=h; + list_add_tail(&lopt->entry,&lcp->options); + lcp->conf_req_len+=lopt->len; + } + } +} + +static void lcp_options_free(struct ppp_lcp_t *lcp) +{ + struct lcp_option_t *lopt; + + while(!list_empty(&lcp->options)) + { + lopt=list_entry(lcp->options.next,typeof(*lopt),entry); + list_del(&lopt->entry); + lopt->h->free(lcp,lopt); + } +} void lcp_start(struct ppp_t *ppp) { - struct ppp_layer_t *layer=malloc(sizeof(*layer)); - memset(layer,0,sizeof(*layer)); + struct ppp_lcp_t *lcp=malloc(sizeof(*lcp)); + memset(lcp,0,sizeof(*lcp)); - layer->h.proto=PPP_LCP; - layer->h.recv=lcp_recv; + lcp->ppp=ppp; + lcp->fsm.ppp=ppp; - 
layer->ppp=ppp; - ppp_fsm_init(layer); + lcp->hnd.proto=PPP_LCP; + lcp->hnd.recv=lcp_recv; + + ppp_register_handler(ppp,&lcp->hnd); + + ppp_fsm_init(&lcp->fsm); - layer->layer_started=lcp_layer_started; - layer->send_conf_req=send_conf_req; - layer->send_conf_ack=send_conf_ack; - layer->send_conf_nak=send_conf_nak; - layer->send_conf_rej=send_conf_rej; + lcp->fsm.layer_up=lcp_layer_up; + lcp->fsm.layer_down=lcp_layer_down; + lcp->fsm.send_conf_req=send_conf_req; + lcp->fsm.send_conf_ack=send_conf_ack; + lcp->fsm.send_conf_nak=send_conf_nak; + lcp->fsm.send_conf_rej=send_conf_rej; - ppp_fsm_init(layer); - ppp_fsm_lower_up(layer); - ppp_fsm_open(layer); + lcp_options_init(lcp); + INIT_LIST_HEAD(&lcp->ropt_list); - ppp_register_handler(&layer->h); + ppp_fsm_lower_up(&lcp->fsm); + ppp_fsm_open(&lcp->fsm); + + ppp->lcp=lcp; } -static void lcp_layer_up(struct ppp_layer_t *l) +void lcp_finish(struct ppp_t *ppp) { - ppp_layer_started(l->ppp); + struct ppp_lcp_t *lcp=ppp->lcp; + + ppp_unregister_handler(ppp,&lcp->hnd); + lcp_options_free(lcp); + + free(lcp); } -static void lcp_layer_down(struct ppp_layer_t *l) + +static void lcp_layer_up(struct ppp_fsm_t *fsm) { - ppp_terminate(l->ppp); + struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm); + ppp_layer_started(lcp->ppp); } -static void send_conf_req(struct ppp_layer_t*l) +static void lcp_layer_down(struct ppp_fsm_t *fsm) { - uint8_t buf[128],*ptr=buf; - struct lcp_opt_hdr_t *opt0; - struct lcp_opt16_t *opt16; - struct lcp_opt32_t *opt32; - struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr; ptr+=sizeof(*lcp_hdr); - - log_msg("send [LCP ConfReq"); - lcp_hdr->proto=PPP_LCP; - lcp_hdr->code=CONFREQ; - lcp_hdr->id=++l->id; - lcp_hdr->len=0; - log_msg(" id=%x",lcp_hdr->id); - - //mru - opt16=(struct lcp_opt16_t*)ptr; ptr+=sizeof(*opt16); - opt16->hdr.type=CI_MRU; - opt16->hdr.len=4; - opt16->val=htons(l->options.lcp.mtu); - log_msg(" <mru %i>",l->options.lcp.mtu); - - //auth - opt32=(struct lcp_opt32_t*)ptr;; - if 
(auth_get_conf_req(l,opt32)) - ptr+=opt32->hdr.len; - - //magic - opt32=(struct lcp_opt32_t*)ptr; ptr+=sizeof(*opt32); - opt32->hdr.type=CI_MAGIC; - opt32->hdr.len=6; - opt32->val=htonl(l->options.lcp.magic); - log_msg(" <magic %x>",l->options.lcp.magic); + struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm); + ppp_terminate(lcp->ppp); +} +static void print_ropt(struct recv_opt_t *ropt) +{ + int i; + uint8_t *ptr=(uint8_t*)ropt->hdr; - //pcomp - if (l->options.lcp.pcomp==1 || (l->options.lcp.pcomp==3 && l->options.lcp.neg_pcomp!=-1)) + log_debug(" <"); + for(i=0; i<ropt->len; i++) { - opt0=(struct lcp_opt_hdr_t*)ptr; ptr+=sizeof(*opt0); - opt0->type=CI_PCOMP; - opt0->len=2; - log_msg(" <pcomp>"); + log_debug(" %x",ptr[i]); } + log_debug(">"); +} - //acccomp - if (l->options.lcp.accomp==1 || (l->options.lcp.accomp==3 && l->options.lcp.neg_accomp!=-1)) +static void send_conf_req(struct ppp_fsm_t *fsm) +{ + struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm); + uint8_t *buf=malloc(lcp->conf_req_len), *ptr=buf; + struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr; + struct lcp_option_t *lopt; + int n; + + log_debug("send [LCP ConfReq"); + lcp_hdr->proto=htons(PPP_LCP); + lcp_hdr->code=CONFREQ; + lcp_hdr->id=++lcp->fsm.id; + lcp_hdr->len=0; + log_debug(" id=%x",lcp_hdr->id); + + ptr+=sizeof(*lcp_hdr); + + list_for_each_entry(lopt,&lcp->options,entry) { - opt0=(struct lcp_opt_hdr_t*)ptr; ptr+=sizeof(*opt0); - opt0->type=CI_ACCOMP; - opt0->len=2; - log_msg(" <accomp>"); + n=lopt->h->send_conf_req(lcp,lopt,ptr); + if (n) + { + log_debug(" "); + lopt->h->print(log_debug,lopt,NULL); + ptr+=n; + } } - log_msg("]\n"); + + log_debug("]\n"); - lcp_hdr->len=ptr-buf; - ppp_send(l->ppp,lcp_hdr,lcp_hdr->len+2); + lcp_hdr->len=htons((ptr-buf)-2); + ppp_send(lcp->ppp,lcp_hdr,ptr-buf); } -static void send_conf_ack(struct ppp_layer_t*l) + +static void send_conf_ack(struct ppp_fsm_t *fsm) { - struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)l->ppp->in_buf; + struct ppp_lcp_t 
*lcp=container_of(fsm,typeof(*lcp),fsm); + struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)lcp->ppp->in_buf; hdr->code=CONFACK; - log_msg("send [LCP ConfAck id=%x\n",l->recv_id); + log_debug("send [LCP ConfAck id=%x ]\n",lcp->fsm.recv_id); - ppp_send(l->ppp,hdr,hdr->len+2); + ppp_send(lcp->ppp,hdr,ntohs(hdr->len)+2); } -static void send_conf_nak(struct ppp_layer_t*l) + +static void send_conf_nak(struct ppp_fsm_t *fsm) { + struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm); + uint8_t *buf=malloc(lcp->conf_req_len), *ptr=buf; + struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr; + struct lcp_option_t *lopt; + + log_debug("send [LCP ConfNak id=%x",lcp->fsm.recv_id); + + lcp_hdr->proto=htons(PPP_LCP); + lcp_hdr->code=CONFNAK; + lcp_hdr->id=lcp->fsm.recv_id; + lcp_hdr->len=0; + + ptr+=sizeof(*lcp_hdr); + + list_for_each_entry(lopt,&lcp->options,entry) + { + if (lopt->state==LCP_OPT_NAK) + { + log_debug(" "); + lopt->h->print(log_debug,lopt,NULL); + ptr+=lopt->h->send_conf_nak(lcp,lopt,ptr); + } + } + + log_debug("]\n"); + + lcp_hdr->len=htons((ptr-buf)-2); + ppp_send(lcp->ppp,lcp_hdr,ptr-buf); } -static void send_conf_rej(struct ppp_layer_t*l) + +static void send_conf_rej(struct ppp_fsm_t *fsm) { - struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)l->ppp->in_buf; + struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm); + uint8_t *buf=malloc(lcp->ropt_len), *ptr=buf; + struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr; + struct recv_opt_t *ropt; + + log_debug("send [LCP ConfRej id=%x ",lcp->fsm.recv_id); + + lcp_hdr->proto=htons(PPP_LCP); + lcp_hdr->code=CONFREJ; + lcp_hdr->id=lcp->fsm.recv_id; + lcp_hdr->len=0; - hdr->code=CONFREJ; - log_msg("send [LCP ConfRej id=%x\n",l->recv_id); + ptr+=sizeof(*lcp_hdr); - ppp_send(l->ppp,hdr,hdr->len+2); + list_for_each_entry(ropt,&lcp->ropt_list,entry) + { + if (ropt->state==LCP_OPT_REJ) + { + log_debug(" "); + if (ropt->lopt) ropt->lopt->h->print(log_debug,ropt->lopt,(uint8_t*)ropt->hdr); + else print_ropt(ropt); + 
memcpy(ptr,ropt->hdr,ropt->len); + ptr+=ropt->len; + } + } + + log_debug("]\n"); + + lcp_hdr->len=htons((ptr-buf)-2); + ppp_send(lcp->ppp,lcp_hdr,ptr-buf); } -static int lcp_recv_conf_req(struct ppp_layer_t*l,uint8_t *data,int size) +static int lcp_recv_conf_req(struct ppp_lcp_t *lcp,uint8_t *data,int size) { - struct lcp_opt_hdr_t *opt; - struct lcp_opt16_t *opt16; + struct lcp_opt_hdr_t *hdr; + struct recv_opt_t *ropt; + struct lcp_option_t *lopt; + int r,ret=1; + + lcp->ropt_len=size; + + while(size>0) + { + hdr=(struct lcp_opt_hdr_t *)data; + + ropt=malloc(sizeof(*ropt)); + if (hdr->len>size) ropt->len=size; + else ropt->len=hdr->len; + ropt->hdr=hdr; + ropt->state=LCP_OPT_NONE; + list_add_tail(&ropt->entry,&lcp->ropt_list); + + data+=ropt->len; + size-=ropt->len; + } + + list_for_each_entry(lopt,&lcp->options,entry) + lopt->state=LCP_OPT_NONE; + + log_debug("recv [LCP ConfReq id=%x",lcp->fsm.recv_id); + list_for_each_entry(ropt,&lcp->ropt_list,entry) + { + list_for_each_entry(lopt,&lcp->options,entry) + { + if (lopt->id==ropt->hdr->id) + { + log_debug(" "); + lopt->h->print(log_debug,lopt,(uint8_t*)ropt->hdr); + r=lopt->h->recv_conf_req(lcp,lopt,(uint8_t*)ropt->hdr); + lopt->state=r; + ropt->state=r; + if (r<ret) ret=r; + } + } + } + log_debug("]\n"); + + /*list_for_each_entry(lopt,&lcp->options,entry) + { + if (lopt->state==LCP_OPT_NONE) + { + r=lopt->h->recv_conf_req(lcp,lopt,NULL); + lopt->state=r; + if (r<ret) ret=r; + } + }*/ + + return ret; +} + +static void lcp_free_conf_req(struct ppp_lcp_t *lcp) +{ + struct recv_opt_t *ropt; + + while(!list_empty(&lcp->ropt_list)) + { + ropt=list_entry(lcp->ropt_list.next,typeof(*ropt),entry); + list_del(&ropt->entry); + free(ropt); + } +} + +static int lcp_recv_conf_rej(struct ppp_lcp_t *lcp,uint8_t *data,int size) +{ + struct lcp_opt_hdr_t *hdr; + struct lcp_option_t *lopt; int res=0; - log_debug("recv [LCP ConfReq id=%x",l->recv_id); + log_debug("recv [LCP ConfRej id=%x",lcp->fsm.recv_id); - while(size) + if 
(lcp->fsm.recv_id!=lcp->fsm.id) { - opt=(struct lcp_opt_hdr_t *)data; - switch(opt->type) + log_debug(": id mismatch ]\n"); + return 0; + } + + while(size>0) + { + hdr=(struct lcp_opt_hdr_t *)data; + + list_for_each_entry(lopt,&lcp->options,entry) { - case CI_MRU: - opt16=(struct lcp_opt16_t*)data; - l->options.lcp.neg_mru=ntohs(opt16->val); - log_debug(" <mru %i>",l->options.lcp.neg_mru); - break; - case CI_ASYNCMAP: - log_debug(" <asyncmap ...>"); - break; - case CI_AUTHTYPE: - if (auth_recv_conf_req(l,opt)) - res=-1; - break; - case CI_MAGIC: - if (*(uint32_t*)data==l->options.lcp.magic) - { - log_error("loop detected\n"); - res=-1; - } - break; - case CI_PCOMP: - log_debug(" <pcomp>"); - if (l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=1; - else { - l->options.lcp.neg_pcomp=-2; - res=-1; - } - break; - case CI_ACCOMP: - log_debug(" <accomp>"); - if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=1; - else { - l->options.lcp.neg_accomp=-2; + if (lopt->id==hdr->id) + { + if (lopt->h->recv_conf_rej(lcp,lopt,data)) res=-1; - } break; + } } - data+=opt->len; - size-=opt->len; + + data+=hdr->len; + size-=hdr->len; } - log_debug("\n"); + log_debug("]\n"); return res; } -static int lcp_recv_conf_rej(struct ppp_layer_t*l,uint8_t *data,int size) +static int lcp_recv_conf_nak(struct ppp_lcp_t *lcp,uint8_t *data,int size) { - struct lcp_opt_hdr_t *opt; - struct lcp_opt16_t *opt16; + struct lcp_opt_hdr_t *hdr; + struct lcp_option_t *lopt; int res=0; - log_debug("recv [LCP ConfRej id=%x",l->recv_id); + log_debug("recv [LCP ConfNak id=%x",lcp->fsm.recv_id); - if (l->recv_id!=l->id) + if (lcp->fsm.recv_id!=lcp->fsm.id) { - log_debug(": id mismatch\n"); + log_debug(": id mismatch ]\n"); return 0; } - while(size) + while(size>0) { - opt=(struct lcp_opt_hdr_t *)data; - switch(opt->type) + hdr=(struct lcp_opt_hdr_t *)data; + + list_for_each_entry(lopt,&lcp->options,entry) { - case CI_MRU: - opt16=(struct lcp_opt16_t*)data; - log_debug(" <mru %i>",l->options.lcp.neg_mru); 
- break; - case CI_ASYNCMAP: - log_debug(" <asyncmap ...>"); - break; - case CI_AUTHTYPE: - if (auth_recv_conf_rej(l,opt)) - res=-1; - break; - case CI_MAGIC: - if (*(uint32_t*)data==l->options.lcp.magic) - { - log_error("loop detected\n"); + if (lopt->id==hdr->id) + { + log_debug(" "); + lopt->h->print(log_debug,lopt,data); + if (lopt->h->recv_conf_nak(lcp,lopt,data)) res=-1; - } - break; - case CI_PCOMP: - log_debug(" <pcomp>"); - if (l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=-1; - else { - l->options.lcp.neg_pcomp=-2; - res=-1; - } - break; - case CI_ACCOMP: - log_debug(" <accomp>"); - if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=-1; - else { - l->options.lcp.neg_accomp=-2; - res=-1; - } break; + } } - data+=opt->len; - size-=opt->len; + + data+=hdr->len; + size-=hdr->len; } - log_debug("\n"); + log_debug("]\n"); return res; } -static int lcp_recv_conf_nak(struct ppp_layer_t*l,uint8_t *data,int size) + +static int lcp_recv_conf_ack(struct ppp_lcp_t *lcp,uint8_t *data,int size) { - struct lcp_opt_hdr_t *opt; - struct lcp_opt16_t *opt16; + struct lcp_opt_hdr_t *hdr; + struct lcp_option_t *lopt; int res=0; - log_debug("recv [LCP ConfNak id=%x",l->recv_id); + log_debug("recv [LCP ConfAck id=%x",lcp->fsm.recv_id); - if (l->recv_id!=l->id) + if (lcp->fsm.recv_id!=lcp->fsm.id) { - log_debug(": id mismatch\n"); + log_debug(": id mismatch ]\n"); return 0; } - while(size) + while(size>0) { - opt=(struct lcp_opt_hdr_t *)data; - switch(opt->type) + hdr=(struct lcp_opt_hdr_t *)data; + + list_for_each_entry(lopt,&lcp->options,entry) { - case CI_MRU: - opt16=(struct lcp_opt16_t*)data; - log_debug(" <mru %i>",l->options.lcp.neg_mru); - break; - case CI_ASYNCMAP: - log_debug(" <asyncmap ...>"); - break; - case CI_AUTHTYPE: - if (auth_recv_conf_nak(l,opt)) - res=-1; - break; - case CI_MAGIC: - if (*(uint32_t*)data==l->options.lcp.magic) - { - log_error("loop detected\n"); - res=-1; - } - break; - case CI_PCOMP: - log_debug(" <pcomp>"); - if 
(l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=-1; - else { - l->options.lcp.neg_pcomp=-2; - res=-1; - } - break; - case CI_ACCOMP: - log_debug(" <accomp>"); - if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=-1; - else { - l->options.lcp.neg_accomp=-2; - res=-1; - } + if (lopt->id==hdr->id) + { + log_debug(" "); + lopt->h->print(log_debug,lopt,data); + if (lopt->h->recv_conf_ack) + lopt->h->recv_conf_ack(lcp,lopt,data); break; + } } - data+=opt->len; - size-=opt->len; + + data+=hdr->len; + size-=hdr->len; } - log_debug("\n"); + log_debug("]\n"); return res; } -static void lcp_recv_echo_repl(struct ppp_layer_t*l,uint8_t *data,int size) + +static void lcp_recv_echo_repl(struct ppp_lcp_t *lcp,uint8_t *data,int size) { } -void send_echo_reply(struct ppp_layer_t *layer) +void send_echo_reply(struct ppp_lcp_t *lcp) { struct lcp_echo_reply_t { 
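Review bot: lcp_recv_conf_req() advances by `hdr->len` taken straight from the peer inside `while(size>0)`, so an option with length 0 never advances and allocates a recv_opt_t per iteration until memory is exhausted, and with `size==1` the `hdr->len` byte is read past the buffer; lcp_recv_conf_rej/nak/ack have the same loop shape and need the same `size<2 || hdr->len<2` rejection. `ropt->lopt` is never written (the struct comes from a bare malloc) yet send_conf_rej() tests and dereferences it, so it must be set to NULL on creation and to the matching `lopt` in the dispatch loop. The `buf` allocated in send_conf_req/send_conf_nak/send_conf_rej is never freed, and send_conf_rej sizes it as `ropt_len` (the received option payload only) while writing `sizeof(*lcp_hdr)` plus up to `ropt_len` bytes into it; `conf_req_len` appears to be only the sum of `lopt->len`, so send_conf_req has the same shape unless it is adjusted somewhere not visible here. Options with no registered handler keep `LCP_OPT_NONE` and end up acknowledged, whereas RFC 1661 requires Configure-Reject for unrecognised options; the commented-out block below the loop suggests this is unfinished, so a `/* TODO */` there would be better than silent code. The parsing loop rewrite below returns LCP_OPT_NONE for a malformed request, which lcp_recv's switch treats as "no FSM action" — the discard RFC 1661 prescribes for malformed packets.

```c
static int lcp_recv_conf_req(struct ppp_lcp_t *lcp,uint8_t *data,int size)
{
	/* … unchanged: declarations … */
	lcp->ropt_len=size;

	while(size>0)
	{
		if (size<2)
		{
			log_warn("LCP: truncated option header in ConfReq\n");
			return LCP_OPT_NONE;	/* discard: caller takes no FSM action */
		}
		hdr=(struct lcp_opt_hdr_t *)data;
		if (hdr->len<2)
		{
			log_warn("LCP: zero-length option in ConfReq\n");
			return LCP_OPT_NONE;
		}

		ropt=malloc(sizeof(*ropt));
		if (!ropt)
			return LCP_OPT_NONE;
		ropt->len=hdr->len>size ? size : hdr->len;
		ropt->hdr=hdr;
		ropt->state=LCP_OPT_NONE;
		ropt->lopt=NULL;	/* read by send_conf_rej(); set below when a handler matches */
		list_add_tail(&ropt->entry,&lcp->ropt_list);

		data+=ropt->len;
		size-=ropt->len;
	}
	/* … unchanged: handler dispatch, with `ropt->lopt=lopt;` added where lopt->id==ropt->hdr->id … */
}
```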
@@ -329,73 +431,107 @@ void send_echo_reply(struct ppp_layer_t *layer) struct lcp_opt32_t magic; } __attribute__((packed)) msg = { - .hdr.proto=PPP_LCP, + .hdr.proto=htons(PPP_LCP), .hdr.code=ECHOREP, - .hdr.id=layer->recv_id, - .hdr.len=8, - .magic.val=layer->options.lcp.magic, + .hdr.id=lcp->fsm.recv_id, + .hdr.len=htons(8), + .magic.val=0, }; - ppp_send(layer->ppp,&msg,msg.hdr.len+2); + ppp_send(lcp->ppp,&msg,ntohs(msg.hdr.len)+2); } static void lcp_recv(struct ppp_handler_t*h) { struct lcp_hdr_t *hdr; - struct ppp_layer_t *l=container_of(h,typeof(*l),h); + struct ppp_lcp_t *lcp=container_of(h,typeof(*lcp),hnd); + int r; + char *term_msg; - if (l->ppp->in_buf_size<PPP_HEADERLEN+2) + if (lcp->ppp->in_buf_size<PPP_HEADERLEN+2) { log_warn("LCP: short packet received\n"); return; } - hdr=(struct lcp_hdr_t *)l->ppp->in_buf; + hdr=(struct lcp_hdr_t *)lcp->ppp->in_buf; if (ntohs(hdr->len)<PPP_HEADERLEN) { log_warn("LCP: short packet received\n"); return; } - l->recv_id=hdr->id; + lcp->fsm.recv_id=hdr->id; switch(hdr->code) { case CONFREQ: - if (lcp_recv_conf_req(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN)) - ppp_fsm_recv_conf_req_bad(l); - else - ppp_fsm_recv_conf_req_good(l); + r=lcp_recv_conf_req(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); + switch(r) + { + case LCP_OPT_ACK: + ppp_fsm_recv_conf_req_ack(&lcp->fsm); + break; + case LCP_OPT_NAK: + ppp_fsm_recv_conf_req_nak(&lcp->fsm); + break; + case LCP_OPT_REJ: + ppp_fsm_recv_conf_req_rej(&lcp->fsm); + break; + } + lcp_free_conf_req(lcp); + if (r==LCP_OPT_FAIL) + ppp_terminate(lcp->ppp); break; case CONFACK: - //lcp_recv_conf_ack(l,hdr+1,ntohs(hdr->len)-PPP_HDRLEN); - ppp_fsm_recv_conf_ack(l); + lcp_recv_conf_ack(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); + ppp_fsm_recv_conf_ack(&lcp->fsm); break; case CONFNAK: - lcp_recv_conf_nak(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); - ppp_fsm_recv_conf_rej(l); + lcp_recv_conf_nak(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); + 
ppp_fsm_recv_conf_rej(&lcp->fsm); break; case CONFREJ: - lcp_recv_conf_rej(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); - ppp_fsm_recv_conf_rej(l); + lcp_recv_conf_rej(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); + ppp_fsm_recv_conf_rej(&lcp->fsm); break; case TERMREQ: - ppp_fsm_recv_term_req(l); + term_msg=strndup((uint8_t*)(hdr+1),ntohs(hdr->len)); + log_debug("recv [LCP TermReq id=%x \"%s\"]\n",hdr->id,term_msg); + free(term_msg); + ppp_fsm_recv_term_req(&lcp->fsm); break; case TERMACK: - ppp_fsm_recv_term_ack(l); + term_msg=strndup((uint8_t*)(hdr+1),ntohs(hdr->len)); + log_debug("recv [LCP TermAck id=%x \"%s\"]\n",hdr->id,term_msg); + free(term_msg); + ppp_fsm_recv_term_ack(&lcp->fsm); break; case CODEREJ: - ppp_fsm_recv_code_rej_bad(l); + log_debug("recv [LCP CodeRej id=%x]\n",hdr->id); + ppp_fsm_recv_code_rej_bad(&lcp->fsm); break; case ECHOREQ: - send_echo_reply(l); + send_echo_reply(lcp); break; case ECHOREP: - lcp_recv_echo_repl(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); + lcp_recv_echo_repl(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN); break; default: - ppp_fsm_recv_unk(l); + ppp_fsm_recv_unk(&lcp->fsm); break; } } +int lcp_option_register(struct lcp_option_handler_t *h) +{ + /*struct lcp_option_drv_t *p; + + list_for_each_entry(p,option_drv_list,entry) + if (p->id==h->id) + return -1;*/ + + list_add_tail(&h->entry,&option_handlers); + + return 0; +} + diff --git a/accel-pptpd/ppp_lcp.h b/accel-pptpd/ppp_lcp.h index 5c77a3f..54235c4 100644 --- a/accel-pptpd/ppp_lcp.h +++ b/accel-pptpd/ppp_lcp.h 
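Review bot: In the TERMREQ and TERMACK cases `strndup((uint8_t*)(hdr+1),ntohs(hdr->len))` passes the full LCP length as the data length although `hdr+1` already skips the code/id/len header, so the copy reads PPP_HDRLEN bytes past the peer's data (and past the end of `in_buf` when the packet fills it); use `ntohs(hdr->len)-PPP_HDRLEN` as the other cases do, and cast to `(const char*)`, which is what strndup takes. The two length checks above compare `ntohs(hdr->len)` only against PPP_HEADERLEN and never against `in_buf_size`, so every option parser this commit adds trusts a peer-supplied length; `if (ntohs(hdr->len)+2>lcp->ppp->in_buf_size) { log_warn("LCP: bad packet length\n"); return; }` before `switch(hdr->code)` closes that. `.magic.val=0` in send_echo_reply replaces the negotiated magic number; RFC 1661 requires the Echo-Reply to carry the sender's magic, so a peer that negotiated one may read this as a looped link — presumably a placeholder until the magic option handler exposes its value, and worth a `/* TODO */` saying so.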
@@ -3,13 +3,15 @@ #include <stdint.h> +#include "triton/triton.h" +#include "ppp_fsm.h" /* * Options. */ #define CI_VENDOR 0 /* Vendor Specific */ #define CI_MRU 1 /* Maximum Receive Unit */ #define CI_ASYNCMAP 2 /* Async Control Character Map */ -#define CI_AUTHTYPE 3 /* Authentication Type */ +#define CI_AUTH 3 /* Authentication Type */ #define CI_QUALITY 4 /* Quality Protocol */ #define CI_MAGIC 5 /* Magic Number */ #define CI_PCOMP 7 /* Protocol Field Compression */ @@ -39,7 +41,7 @@ struct lcp_hdr_t } __attribute__((packed)); struct lcp_opt_hdr_t { - uint8_t type; + uint8_t id; uint8_t len; } __attribute__((packed)); struct lcp_opt8_t 
@@ -58,7 +60,68 @@ struct lcp_opt32_t uint32_t val; } __attribute__((packed)); +/*struct lcp_options_t +{ + int magic; + int mtu; + int mru; + int accomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled + int pcomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled + // negotiated options; + int neg_mru; + int neg_mtu; + int neg_accomp; // -1 - rejected + int neg_pcomp; + int neg_auth[AUTH_MAX]; +};*/ + +#define LCP_OPT_NONE 0 +#define LCP_OPT_ACK 1 +#define LCP_OPT_NAK -1 +#define LCP_OPT_REJ -2 +#define LCP_OPT_FAIL -3 + +struct ppp_lcp_t; +struct lcp_option_handler_t; + +struct lcp_option_t +{ + struct list_head entry; + int id; + int len; + int state; + struct lcp_option_handler_t *h; +}; + +struct lcp_option_handler_t +{ + struct list_head entry; + struct lcp_option_t* (*init)(struct ppp_lcp_t*); + int (*send_conf_req)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*send_conf_rej)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*send_conf_nak)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*recv_conf_req)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*recv_conf_rej)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*recv_conf_nak)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + int (*recv_conf_ack)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*); + void (*free)(struct ppp_lcp_t*,struct lcp_option_t*); + void (*print)(void (*print)(const char *fmt,...), struct lcp_option_t*,uint8_t*); +}; + +struct ppp_lcp_t +{ + struct ppp_handler_t hnd; + struct ppp_fsm_t fsm; + struct ppp_t *ppp; + struct list_head options; + + struct list_head ropt_list; // last received ConfReq + int ropt_len; + + int conf_req_len; +}; +int lcp_option_register(struct lcp_option_handler_t *h); #endif diff --git a/accel-pptpd/pwdb.c b/accel-pptpd/pwdb.c new file mode 100644 index 0000000..12130b3 --- /dev/null +++ b/accel-pptpd/pwdb.c 
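Review bot: The commented-out `lcp_options_t` block at the top of this hunk is dead code and should be dropped rather than committed; the same applies to the commented-out duplicate check inside `lcp_option_register` in the ppp_lcp.c hunk above, which as written lets two handlers register the same option id. The `LCP_OPT_*` result codes are plain `#define`s that `lcp_recv` dispatches on with a switch; an `enum { LCP_OPT_NONE = 0, LCP_OPT_ACK = 1, LCP_OPT_NAK = -1, LCP_OPT_REJ = -2, LCP_OPT_FAIL = -3 };` keeps the values, is debugger-visible and lets the compiler warn about unhandled cases. The handler callbacks (`recv_conf_req`, `recv_conf_nak`, `recv_conf_rej`, `recv_conf_ack`) receive only a `uint8_t*` and no remaining-length, so each handler has to trust the `len` byte in the option header; either add a length parameter or document on `struct lcp_option_handler_t` that the caller has already verified the option fits inside the packet — as far as this diff shows, lcp_recv does not yet do that. `struct lcp_option_t.state` and `ropt_len` carry no comment saying what values they take; a one-line comment on each would make the handler contract readable without the .c file.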
@@ -0,0 +1,7 @@
+#include "pwdb.h"
+#include "ppp.h"
+
+int pwdb_check(struct ppp_t *ppp,const char *username,const char *password)
+{
+ return 0;
+}
diff --git a/accel-pptpd/pwdb.h b/accel-pptpd/pwdb.h
new file mode 100644
index 0000000..820e269
--- /dev/null
+++ b/accel-pptpd/pwdb.h
@@ -0,0 +1,9 @@
+#ifndef PWDB_H
+#define PWDB_H
+
+struct ppp_t;
+
+int pwdb_check(struct ppp_t*,const char *username,const char *password);
+
+#endif
+
diff --git a/accel-pptpd/triton/timer.c b/accel-pptpd/triton/timer.c
index 2ea36cb..2fa4be8 100644
--- a/accel-pptpd/triton/timer.c
+++ b/accel-pptpd/triton/timer.c
@@ -27,6 +27,11 @@ void triton_timer_add(struct triton_timer_t*tt)
 {
 struct timer_t *t=(struct timer_t *)malloc(sizeof(struct timer_t));
+ if (!tt->expire_tv.tv_sec)
+ {
+ gettimeofday(&tt->expire_tv,NULL);
+ tv_add(&tt->expire_tv,tt->period);
+ }
 t->del=0;
 t->timer=tt;
 tt->active=1;
diff --git a/doc/rfc3576.txt b/doc/rfc3576.txt
new file mode 100644
index 0000000..89fd9eb
--- /dev/null
+++ b/doc/rfc3576.txt
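Review bot: `pwdb_check` returns 0 unconditionally and ignores `username` and `password`, and neither pwdb.c nor the pwdb.h declaration in the next hunk says what the return value means; if 0 is the accept result, this stub accepts every PAP credential until a real backend is wired in, which is easy to forget once it compiles. Put the contract on the declaration in pwdb.h, e.g. `/* Returns 0 when the credentials are accepted, non-zero otherwise — confirm against auth_pap.c */`, and mark the body as a placeholder with `/* TODO: no password database is consulted yet */` so the gap is visible in the source. Since `password` arrives in cleartext here, the header is also the right place to note that implementations must not log it.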
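Review bot: The new expire_tv initialization in `triton_timer_add` reads `gettimeofday`, i.e. wall-clock time, so a clock step (NTP correction, manual set) shifts every pending deadline by the same amount; if `tv_add` and the expiry comparison elsewhere can work on a `CLOCK_MONOTONIC` reading, that would be the safer time source for a timer queue. The code also uses `tv_sec == 0` as the "not yet set" sentinel without saying so; a comment on the `expire_tv` field, e.g. `/* tv_sec == 0: unset, triton_timer_add() derives it from period */`, would make that convention explicit for callers. The `malloc` result `t` on the context line is still dereferenced unchecked, though that predates this change. The body of `triton_timer_add` continues past the hunk.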
@@ -0,0 +1,1683 @@ + + + + + + +Network Working Group M. Chiba +Request for Comments: 3576 G. Dommety +Category: Informational M. Eklund + Cisco Systems, Inc. + D. Mitton + Circular Logic, UnLtd. + B. Aboba + Microsoft Corporation + July 2003 + + + Dynamic Authorization Extensions to Remote + Authentication Dial In User Service (RADIUS) + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document describes a currently deployed extension to the Remote + Authentication Dial In User Service (RADIUS) protocol, allowing + dynamic changes to a user session, as implemented by network access + server products. This includes support for disconnecting users and + changing authorizations applicable to a user session. + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 1] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Applicability. . . . . . . . . . . . . . . . . . . . . . 3 + 1.2. Requirements Language . . . . . . . . . . . . . . . . . 5 + 1.3. Terminology. . . . . . . . . . . . . . . . . . . . . . . 5 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 2.1. Disconnect Messages (DM) . . . . . . . . . . . . . . . . 5 + 2.2. Change-of-Authorization Messages (CoA) . . . . . . . . . 6 + 2.3. Packet Format. . . . . . . . . . . . . . . . . . . . . . 7 + 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 3.1. Error-Cause. . . . . . . . . . . . . . . . . . . . . . . 13 + 3.2. Table of Attributes. . . . . . . . . . . . . . . . . . . 16 + 4. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 20 + 5. Security Considerations. . . . . . . . . . . . . . . . . . 
. . 21 + 5.1. Authorization Issues . . . . . . . . . . . . . . . . . . 21 + 5.2. Impersonation. . . . . . . . . . . . . . . . . . . . . . 22 + 5.3. IPsec Usage Guidelines . . . . . . . . . . . . . . . . . 22 + 5.4. Replay Protection. . . . . . . . . . . . . . . . . . . . 25 + 6. Example Traces . . . . . . . . . . . . . . . . . . . . . . . . 26 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 26 + 7.2. Informative References . . . . . . . . . . . . . . . . . 27 + 8. Intellectual Property Statement. . . . . . . . . . . . . . . . 28 + 9. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 28 + 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29 + 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 30 + + + + + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 2] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +1. Introduction + + The RADIUS protocol, defined in [RFC2865], does not support + unsolicited messages sent from the RADIUS server to the Network + Access Server (NAS). + + However, there are many instances in which it is desirable for + changes to be made to session characteristics, without requiring the + NAS to initiate the exchange. For example, it may be desirable for + administrators to be able to terminate a user session in progress. + Alternatively, if the user changes authorization level, this may + require that authorization attributes be added/deleted from a user + session. + + To overcome these limitations, several vendors have implemented + additional RADIUS commands in order to be able to support unsolicited + messages sent from the RADIUS server to the NAS. These extended + commands provide support for Disconnect and Change-of-Authorization + (CoA) messages. 
Disconnect messages cause a user session to be + terminated immediately, whereas CoA messages modify session + authorization attributes such as data filters. + +1.1. Applicability + + This protocol is being recommended for publication as an + Informational RFC rather than as a standards-track RFC because of + problems that cannot be fixed without creating incompatibilities with + deployed implementations. This includes security vulnerabilities, as + well as semantic ambiguities resulting from the design of the + Change-of-Authorization (CoA) commands. While fixes are recommended, + they cannot be made mandatory since this would be incompatible with + existing implementations. + + Existing implementations of this protocol do not support + authorization checks, so that an ISP sharing a NAS with another ISP + could disconnect or change authorizations for another ISP's users. + In order to remedy this problem, a "Reverse Path Forwarding" check is + recommended. See Section 5.1. for details. + + Existing implementations utilize per-packet authentication and + integrity protection algorithms with known weaknesses [MD5Attack]. + To provide stronger per-packet authentication and integrity + protection, the use of IPsec is recommended. See Section 5.3. for + details. + + + + + + + +Chiba, et al. Informational [Page 3] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Existing implementations lack replay protection. In order to support + replay detection, it is recommended that the Event-Timestamp + Attribute be added to all messages in situations where IPsec replay + protection is not employed. Implementations should be configurable + to silently discard messages lacking the Event-Timestamp Attribute. + See Section 5.4. for details. + + The approach taken with CoA commands in existing implementations + results in a semantic ambiguity. 
Existing implementations of the + CoA-Request identify the affected session, as well as supply the + authorization changes. Since RADIUS Attributes included within + existing implementations of the CoA-Request can be used for session + identification or authorization change, it may not be clear which + function a given attribute is serving. + + The problem does not exist within [Diameter], in which authorization + change is requested by a command using Attribute Value Pairs (AVPs) + solely for identification, resulting in initiation of a standard + Request/Response sequence where authorization changes are supplied. + As a result, in no command can Diameter AVPs have multiple potential + meanings. + + Due to differences in handling change-of-authorization requests in + RADIUS and Diameter, it may be difficult or impossible for a + Diameter/RADIUS gateway to successfully translate existing + implementations of this specification to equivalent messages in + Diameter. For example, a Diameter command changing any attribute + used for identification within existing CoA-Request implementations + cannot be translated, since such an authorization change is + impossible to carry out in existing implementations. Similarly, + translation between existing implementations of Disconnect-Request or + CoA-Request messages and Diameter is tricky because a Disconnect- + Request or CoA-Request message will need to be translated to multiple + Diameter commands. + + To simplify translation between RADIUS and Diameter, a Service-Type + Attribute with value "Authorize Only" can (optionally) be included + within a Disconnect-Request or CoA-Request. Such a Request contains + only identification attributes. A NAS supporting the "Authorize + Only" Service-Type within a Disconnect-Request or CoA-Request + responds with a NAK containing a Service-Type Attribute with value + "Authorize Only" and an Error-Cause Attribute with value "Request + Initiated". 
The NAS will then send an Access-Request containing a + Service-Type Attribute with a value of "Authorize Only". This usage + sequence is akin to what occurs in Diameter and so is more easily + translated by a Diameter/RADIUS gateway. + + + + + +Chiba, et al. Informational [Page 4] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +1.2. Requirements Language + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. The key + words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", + "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document + are to be interpreted as described in [RFC2119]. + +1.3. Terminology + + This document frequently uses the following terms: + + Network Access Server (NAS): The device providing access to the + network. + + service: The NAS provides a service to the user, + such as IEEE 802 or PPP. + + session: Each service provided by the NAS to a + user constitutes a session, with the + beginning of the session defined as the + point where service is first provided + and the end of the session defined as + the point where service is ended. A + user may have multiple sessions in + parallel or series if the NAS supports + that. + + silently discard: This means the implementation discards + the packet without further processing. + The implementation SHOULD provide the + capability of logging the error, + including the contents of the silently + discarded packet, and SHOULD record the + event in a statistics counter. + +2. Overview + + This section describes the most commonly implemented features of + Disconnect and Change-of-Authorization messages. + +2.1. Disconnect Messages (DM) + + A Disconnect-Request packet is sent by the RADIUS server in order to + terminate a user session on a NAS and discard all associated session + context. 
The Disconnect-Request packet is sent to UDP port 3799, and + identifies the NAS as well as the user session to be terminated by + inclusion of the identification attributes described in Section 3. + + + +Chiba, et al. Informational [Page 5] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + +----------+ Disconnect-Request +----------+ + | | <-------------------- | | + | NAS | | RADIUS | + | | Disconnect-Response | Server | + | | ---------------------> | | + +----------+ +----------+ + + The NAS responds to a Disconnect-Request packet sent by a RADIUS + server with a Disconnect-ACK if all associated session context is + discarded and the user session is no longer connected, or a + Disconnect-NAK, if the NAS was unable to disconnect the session and + discard all associated session context. A NAS MUST respond to a + Disconnect-Request including a Service-Type Attribute with value + "Authorize Only" with a Disconnect-NAK; a Disconnect-ACK MUST NOT be + sent. A NAS MUST respond to a Disconnect-Request including a + Service-Type Attribute with an unsupported value with a Disconnect- + NAK; an Error-Cause Attribute with value "Unsupported Service" MAY be + included. A Disconnect-ACK MAY contain the Attribute + Acct-Terminate-Cause (49) [RFC2866] with the value set to 6 for + Admin-Reset. + +2.2. Change-of-Authorization Messages (CoA) + + CoA-Request packets contain information for dynamically changing + session authorizations. This is typically used to change data + filters. The data filters can be of either the ingress or egress + kind, and are sent in addition to the identification attributes as + described in section 3. The port used, and packet format (described + in Section 2.3.), are the same as that for Disconnect-Request + Messages. + + The following attribute MAY be sent in a CoA-Request: + + Filter-ID (11) - Indicates the name of a data filter list to be + applied for the session that the identification + attributes map to. 
+ + +----------+ CoA-Request +----------+ + | | <-------------------- | | + | NAS | | RADIUS | + | | CoA-Response | Server | + | | ---------------------> | | + +----------+ +----------+ + + The NAS responds to a CoA-Request sent by a RADIUS server with a + CoA-ACK if the NAS is able to successfully change the authorizations + for the user session, or a CoA-NAK if the Request is unsuccessful. A + NAS MUST respond to a CoA-Request including a Service-Type Attribute + + + +Chiba, et al. Informational [Page 6] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be + sent. A NAS MUST respond to a CoA-Request including a Service-Type + Attribute with an unsupported value with a CoA-NAK; an Error-Cause + Attribute with value "Unsupported Service" MAY be included. + +2.3. Packet Format + + For either Disconnect-Request or CoA-Request messages UDP port 3799 + is used as the destination port. For responses, the source and + destination ports are reversed. Exactly one RADIUS packet is + encapsulated in the UDP Data field. + + A summary of the data format is shown below. The fields are + transmitted from left to right. + + The packet format consists of the fields: Code, Identifier, Length, + Authenticator, and Attributes in Type:Length:Value (TLV) format. All + fields hold the same meaning as those described in RADIUS [RFC2865]. + The Authenticator field MUST be calculated in the same way as is + specified for an Accounting-Request in [RFC2866]. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... 
+ +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + The Code field is one octet, and identifies the type of RADIUS + packet. Packets received with an invalid Code field MUST be + silently discarded. RADIUS codes (decimal) for this extension are + assigned as follows: + + 40 - Disconnect-Request [RFC2882] + 41 - Disconnect-ACK [RFC2882] + 42 - Disconnect-NAK [RFC2882] + 43 - CoA-Request [RFC2882] + 44 - CoA-ACK [RFC2882] + 45 - CoA-NAK [RFC2882] + + + + +Chiba, et al. Informational [Page 7] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Identifier + + The Identifier field is one octet, and aids in matching requests + and replies. The RADIUS client can detect a duplicate request if + it has the same server source IP address and source UDP port and + Identifier within a short span of time. + + Unlike RADIUS as defined in [RFC2865], the responsibility for + retransmission of Disconnect-Request and CoA-Request messages lies + with the RADIUS server. If after sending these messages, the + RADIUS server does not receive a response, it will retransmit. + + The Identifier field MUST be changed whenever the content of the + Attributes field changes, or whenever a valid reply has been + received for a previous request. For retransmissions where the + contents are identical, the Identifier MUST remain unchanged. + + If the RADIUS server is retransmitting a Disconnect-Request or + CoA-Request to the same client as before, and the Attributes have + not changed, the same Request Authenticator, Identifier and source + port MUST be used. If any Attributes have changed, a new + Authenticator and Identifier MUST be used. + + Note that if the Event-Timestamp Attribute is included, it will be + updated when the packet is retransmitted, changing the content of + the Attributes field and requiring a new Identifier and Request + Authenticator. + + If the Request to a primary proxy fails, a secondary proxy must be + queried, if available. 
Issues relating to failover algorithms are + described in [AAATransport]. Since this represents a new request, + a new Request Authenticator and Identifier MUST be used. However, + where the RADIUS server is sending directly to the client, + failover typically does not make sense, since Disconnect or CoA + messages need to be delivered to the NAS where the session + resides. + + Length + + The Length field is two octets. It indicates the length of the + packet including the Code, Identifier, Length, Authenticator and + Attribute fields. Octets outside the range of the Length field + MUST be treated as padding and ignored on reception. If the + packet is shorter than the Length field indicates, it MUST be + silently discarded. The minimum length is 20 and the maximum + length is 4096. + + + + + +Chiba, et al. Informational [Page 8] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Authenticator + + The Authenticator field is sixteen (16) octets. The most + significant octet is transmitted first. This value is used to + authenticate the messages between the RADIUS server and client. + + Request Authenticator + + In Request packets, the Authenticator value is a 16 octet MD5 + [RFC1321] checksum, called the Request Authenticator. The Request + Authenticator is calculated the same way as for an Accounting- + Request, specified in [RFC2866]. + + Note that the Request Authenticator of a Disconnect or CoA-Request + cannot be done the same way as the Request Authenticator of a + RADIUS Access-Request, because there is no User-Password Attribute + in a Disconnect-Request or CoA-Request. + + Response Authenticator + + The Authenticator field in a Response packet (e.g. 
Disconnect-ACK, + Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the Response + Authenticator, and contains a one-way MD5 hash calculated over a + stream of octets consisting of the Code, Identifier, Length, the + Request Authenticator field from the packet being replied to, and + the response Attributes if any, followed by the shared secret. + The resulting 16 octet MD5 hash value is stored in the + Authenticator field of the Response packet. + + Administrative note: As noted in [RFC2865] Section 3, the secret + (password shared between the client and the RADIUS server) SHOULD be + at least as large and unguessable as a well-chosen password. RADIUS + clients MUST use the source IP address of the RADIUS UDP packet to + decide which shared secret to use, so that requests can be proxied. + + Attributes + + In Disconnect and CoA-Request messages, all Attributes are treated + as mandatory. A NAS MUST respond to a CoA-Request containing one + or more unsupported Attributes or Attribute values with a CoA-NAK; + a Disconnect-Request containing one or more unsupported Attributes + or Attribute values MUST be answered with a Disconnect-NAK. State + changes resulting from a CoA-Request MUST be atomic: if the + Request is successful, a CoA-ACK is sent, and all requested + authorization changes MUST be made. If the CoA-Request is + unsuccessful, a CoA-NAK MUST be sent, and the requested + + + + + +Chiba, et al. Informational [Page 9] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + authorization changes MUST NOT be made. Similarly, a state change + MUST NOT occur as a result of an unsuccessful Disconnect-Request; + here a Disconnect-NAK MUST be sent. 
+ + Since within this specification attributes may be used for + identification, authorization or other purposes, even if a NAS + implements an attribute for use with RADIUS authentication and + accounting, it may not support inclusion of that attribute within + Disconnect-Request or CoA-Request messages, given the difference + in attribute semantics. This is true even for attributes + specified within [RFC2865], [RFC2868], [RFC2869] or [RFC3162] as + allowable within Access-Accept messages. + + As a result, attributes beyond those specified in Section 3.2. + SHOULD NOT be included within Disconnect or CoA messages since + this could produce unpredictable results. + + When using a forwarding proxy, the proxy must be able to alter the + packet as it passes through in each direction. When the proxy + forwards a Disconnect or CoA-Request, it MAY add a Proxy-State + Attribute, and when the proxy forwards a response, it MUST remove + its Proxy-State Attribute if it added one. Proxy-State is always + added or removed after any other Proxy-States, but no other + assumptions regarding its location within the list of Attributes + can be made. Since Disconnect and CoA responses are authenticated + on the entire packet contents, the stripping of the Proxy-State + Attribute invalidates the integrity check - so the proxy needs to + recompute it. A forwarding proxy MUST NOT modify existing Proxy- + State, State, or Class Attributes present in the packet. + + If there are any Proxy-State Attributes in a Disconnect-Request or + CoA-Request received from the server, the forwarding proxy MUST + include those Proxy-State Attributes in its response to the + server. The forwarding proxy MAY include the Proxy-State + Attributes in the Disconnect-Request or CoA-Request when it + forwards the request, or it MAY omit them in the forwarded + request. 
If the forwarding proxy omits the Proxy-State Attributes + in the request, it MUST attach them to the response before sending + it to the server. + + + + + + + + + + + + +Chiba, et al. Informational [Page 10] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +3. Attributes + + In Disconnect-Request and CoA-Request packets, certain attributes are + used to uniquely identify the NAS as well as a user session on the + NAS. All NAS identification attributes included in a Request message + MUST match in order for a Disconnect-Request or CoA-Request to be + successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. + For session identification attributes, the User-Name and Acct- + Session-Id Attributes, if included, MUST match in order for a + Disconnect-Request or CoA-Request to be successful; other session + identification attributes SHOULD match. Where a mismatch of session + identification attributes is detected, a Disconnect-NAK or CoA-NAK + SHOULD be sent. The ability to use NAS or session identification + attributes to map to unique/multiple sessions is beyond the scope of + this document. Identification attributes include NAS and session + identification attributes, as described below. + + NAS identification attributes + + Attribute # Reference Description + --------- --- --------- ----------- + NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. + NAS-Identifier 32 [RFC2865] String identifying the NAS. + NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. + + + + + + + + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 11] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Session identification attributes + + Attribute # Reference Description + --------- --- --------- ----------- + User-Name 1 [RFC2865] The name of the user + associated with the session. + NAS-Port 5 [RFC2865] The port on which the + session is terminated. 
+ Framed-IP-Address 8 [RFC2865] The IPv4 address associated + with the session. + Called-Station-Id 30 [RFC2865] The link address to which + the session is connected. + Calling-Station-Id 31 [RFC2865] The link address from which + the session is connected. + Acct-Session-Id 44 [RFC2866] The identifier uniquely + identifying the session + on the NAS. + Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely + identifying related sessions. + NAS-Port-Type 61 [RFC2865] The type of port used. + NAS-Port-Id 87 [RFC2869] String identifying the port + where the session is. + Originating-Line-Info 94 [NASREQ] Provides information on the + characteristics of the line + from which a session + originated. + Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier + associated with the session; + always sent with + Framed-IPv6-Prefix. + Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated + with the session, always sent + with Framed-Interface-Id. + + To address security concerns described in Section 5.1., the User-Name + Attribute SHOULD be present in Disconnect-Request or CoA-Request + packets; one or more additional session identification attributes MAY + also be present. To address security concerns described in Section + 5.2., one or more of the NAS-IP-Address or NAS-IPv6-Address + Attributes SHOULD be present in Disconnect-Request or CoA-Request + packets; the NAS-Identifier Attribute MAY be present in addition. + + If one or more authorization changes specified in a CoA-Request + cannot be carried out, or if one or more attributes or attribute- + values is unsupported, a CoA-NAK MUST be sent. Similarly, if there + are one or more unsupported attributes or attribute values in a + Disconnect-Request, a Disconnect-NAK MUST be sent. + + + + +Chiba, et al. 
Informational [Page 12] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Where a Service-Type Attribute with value "Authorize Only" is + included within a CoA-Request or Disconnect-Request, attributes + representing an authorization change MUST NOT be included; only + identification attributes are permitted. If attributes other than + NAS or session identification attributes are included in such a CoA- + Request, implementations MUST send a CoA-NAK; an Error-Cause + Attribute with value "Unsupported Attribute" MAY be included. + Similarly, if attributes other than NAS or session identification + attributes are included in such a Disconnect-Request, implementations + MUST send a Disconnect-NAK; an Error-Cause Attribute with value + "Unsupported Attribute" MAY be included. + +3.1. Error-Cause + + Description + + It is possible that the NAS cannot honor Disconnect-Request or + CoA-Request messages for some reason. The Error-Cause Attribute + provides more detail on the cause of the problem. It MAY be + included within Disconnect-ACK, Disconnect-NAK and CoA-NAK + messages. + + A summary of the Error-Cause Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 101 for Error-Cause + + Length + + 6 + + Value + + The Value field is four octets, containing an integer specifying + the cause of the error. Values 0-199 and 300-399 are reserved. + Values 200-299 represent successful completion, so that these + values may only be sent within Disconnect-ACK or CoA-ACK message + and MUST NOT be sent within a Disconnect-NAK or CoA-NAK. Values + + + +Chiba, et al. 
Informational [Page 13] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + 400-499 represent fatal errors committed by the RADIUS server, so + that they MAY be sent within CoA-NAK or Disconnect-NAK messages, + and MUST NOT be sent within CoA-ACK or Disconnect-ACK messages. + Values 500-599 represent fatal errors occurring on a NAS or RADIUS + proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK + messages, and MUST NOT be sent within CoA-ACK or Disconnect-ACK + messages. Error-Cause values SHOULD be logged by the RADIUS + server. Error-Code values (expressed in decimal) include: + + # Value + --- ----- + 201 Residual Session Context Removed + 202 Invalid EAP Packet (Ignored) + 401 Unsupported Attribute + 402 Missing Attribute + 403 NAS Identification Mismatch + 404 Invalid Request + 405 Unsupported Service + 406 Unsupported Extension + 501 Administratively Prohibited + 502 Request Not Routable (Proxy) + 503 Session Context Not Found + 504 Session Context Not Removable + 505 Other Proxy Processing Error + 506 Resources Unavailable + 507 Request Initiated + + "Residual Session Context Removed" is sent in response to a + Disconnect-Request if the user session is no longer active, but + residual session context was found and successfully removed. This + value is only sent within a Disconnect-ACK and MUST NOT be sent + within a CoA-ACK, Disconnect-NAK or CoA-NAK. + + "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT be + sent by implementations of this specification. + + "Unsupported Attribute" is a fatal error sent if a Request contains + an attribute (such as a Vendor-Specific or EAP-Message Attribute) + that is not supported. + + "Missing Attribute" is a fatal error sent if critical attributes + (such as NAS or session identification attributes) are missing from a + Request. + + "NAS Identification Mismatch" is a fatal error sent if one or more + NAS identification attributes (see Section 3.) 
do not match the + identity of the NAS receiving the Request. + + + + +Chiba, et al. Informational [Page 14] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + "Invalid Request" is a fatal error sent if some other aspect of the + Request is invalid, such as if one or more attributes (such as EAP- + Message Attribute(s)) are not formatted properly. + + "Unsupported Service" is a fatal error sent if a Service-Type + Attribute included with the Request is sent with an invalid or + unsupported value. + + "Unsupported Extension" is a fatal error sent due to lack of support + for an extension such as Disconnect and/or CoA messages. This will + typically be sent by a proxy receiving an ICMP port unreachable + message after attempting to forward a Request to the NAS. + + "Administratively Prohibited" is a fatal error sent if the NAS is + configured to prohibit honoring of Request messages for the specified + session. + + "Request Not Routable" is a fatal error which MAY be sent by a RADIUS + proxy and MUST NOT be sent by a NAS. It indicates that the RADIUS + proxy was unable to determine how to route the Request to the NAS. + For example, this can occur if the required entries are not present + in the proxy's realm routing table. + + "Session Context Not Found" is a fatal error sent if the session + context identified in the Request does not exist on the NAS. + + "Session Context Not Removable" is a fatal error sent in response to + a Disconnect-Request if the NAS was able to locate the session + context, but could not remove it for some reason. It MUST NOT be + sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a + Disconnect-NAK. + + "Other Proxy Processing Error" is a fatal error sent in response to a + Request that could not be processed by a proxy, for reasons other + than routing. 
+ + "Resources Unavailable" is a fatal error sent when a Request could + not be honored due to lack of available NAS resources (memory, non- + volatile storage, etc.). + + "Request Initiated" is a fatal error sent in response to a Request + including a Service-Type Attribute with a value of "Authorize Only". + It indicates that the Disconnect-Request or CoA-Request has not been + honored, but that a RADIUS Access-Request including a Service-Type + Attribute with value "Authorize Only" is being sent to the RADIUS + server. + + + + + +Chiba, et al. Informational [Page 15] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +3.2. Table of Attributes + + The following table provides a guide to which attributes may be found + in which packets, and in what quantity. + + Change-of-Authorization Messages + + Request ACK NAK # Attribute + 0-1 0 0 1 User-Name [Note 1] + 0-1 0 0 4 NAS-IP-Address [Note 1] + 0-1 0 0 5 NAS-Port [Note 1] + 0-1 0 0-1 6 Service-Type [Note 6] + 0-1 0 0 7 Framed-Protocol [Note 3] + 0-1 0 0 8 Framed-IP-Address [Note 1] + 0-1 0 0 9 Framed-IP-Netmask [Note 3] + 0-1 0 0 10 Framed-Routing [Note 3] + 0+ 0 0 11 Filter-ID [Note 3] + 0-1 0 0 12 Framed-MTU [Note 3] + 0+ 0 0 13 Framed-Compression [Note 3] + 0+ 0 0 14 Login-IP-Host [Note 3] + 0-1 0 0 15 Login-Service [Note 3] + 0-1 0 0 16 Login-TCP-Port [Note 3] + 0+ 0 0 18 Reply-Message [Note 2] + 0-1 0 0 19 Callback-Number [Note 3] + 0-1 0 0 20 Callback-Id [Note 3] + 0+ 0 0 22 Framed-Route [Note 3] + 0-1 0 0 23 Framed-IPX-Network [Note 3] + 0-1 0-1 0-1 24 State [Note 7] + 0+ 0 0 25 Class [Note 3] + 0+ 0 0 26 Vendor-Specific [Note 3] + 0-1 0 0 27 Session-Timeout [Note 3] + 0-1 0 0 28 Idle-Timeout [Note 3] + 0-1 0 0 29 Termination-Action [Note 3] + 0-1 0 0 30 Called-Station-Id [Note 1] + 0-1 0 0 31 Calling-Station-Id [Note 1] + 0-1 0 0 32 NAS-Identifier [Note 1] + 0+ 0+ 0+ 33 Proxy-State + 0-1 0 0 34 Login-LAT-Service [Note 3] + 0-1 0 0 35 Login-LAT-Node [Note 3] + 0-1 0 0 36 Login-LAT-Group 
[Note 3] + 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] + 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] + 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] + 0-1 0 0 44 Acct-Session-Id [Note 1] + 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] + 0-1 0-1 0-1 55 Event-Timestamp + 0-1 0 0 61 NAS-Port-Type [Note 1] + Request ACK NAK # Attribute + + + +Chiba, et al. Informational [Page 16] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Request ACK NAK # Attribute + 0-1 0 0 62 Port-Limit [Note 3] + 0-1 0 0 63 Login-LAT-Port [Note 3] + 0+ 0 0 64 Tunnel-Type [Note 5] + 0+ 0 0 65 Tunnel-Medium-Type [Note 5] + 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] + 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] + 0+ 0 0 69 Tunnel-Password [Note 5] + 0-1 0 0 71 ARAP-Features [Note 3] + 0-1 0 0 72 ARAP-Zone-Access [Note 3] + 0+ 0 0 78 Configuration-Token [Note 3] + 0+ 0-1 0 79 EAP-Message [Note 2] + 0-1 0-1 0-1 80 Message-Authenticator + 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] + 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] + 0+ 0 0 83 Tunnel-Preference [Note 5] + 0-1 0 0 85 Acct-Interim-Interval [Note 3] + 0-1 0 0 87 NAS-Port-Id [Note 1] + 0-1 0 0 88 Framed-Pool [Note 3] + 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] + 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] + 0-1 0 0 94 Originating-Line-Info [Note 1] + 0-1 0 0 95 NAS-IPv6-Address [Note 1] + 0-1 0 0 96 Framed-Interface-Id [Note 1] + 0+ 0 0 97 Framed-IPv6-Prefix [Note 1] + 0+ 0 0 98 Login-IPv6-Host [Note 3] + 0+ 0 0 99 Framed-IPv6-Route [Note 3] + 0-1 0 0 100 Framed-IPv6-Pool [Note 3] + 0 0 0+ 101 Error-Cause + Request ACK NAK # Attribute + + Disconnect Messages + + Request ACK NAK # Attribute + 0-1 0 0 1 User-Name [Note 1] + 0-1 0 0 4 NAS-IP-Address [Note 1] + 0-1 0 0 5 NAS-Port [Note 1] + 0-1 0 0-1 6 Service-Type [Note 6] + 0-1 0 0 8 Framed-IP-Address [Note 1] + 0+ 0 0 18 Reply-Message [Note 2] + 0-1 0-1 0-1 24 State [Note 7] + 0+ 0 0 25 Class [Note 4] + 0+ 0 0 26 Vendor-Specific + 0-1 0 0 30 Called-Station-Id [Note 1] + 0-1 0 0 31 
Calling-Station-Id [Note 1] + 0-1 0 0 32 NAS-Identifier [Note 1] + 0+ 0+ 0+ 33 Proxy-State + Request ACK NAK # Attribute + + + +Chiba, et al. Informational [Page 17] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Request ACK NAK # Attribute + 0-1 0 0 44 Acct-Session-Id [Note 1] + 0-1 0-1 0 49 Acct-Terminate-Cause + 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] + 0-1 0-1 0-1 55 Event-Timestamp + 0-1 0 0 61 NAS-Port-Type [Note 1] + 0+ 0-1 0 79 EAP-Message [Note 2] + 0-1 0-1 0-1 80 Message-Authenticator + 0-1 0 0 87 NAS-Port-Id [Note 1] + 0-1 0 0 94 Originating-Line-Info [Note 1] + 0-1 0 0 95 NAS-IPv6-Address [Note 1] + 0-1 0 0 96 Framed-Interface-Id [Note 1] + 0+ 0 0 97 Framed-IPv6-Prefix [Note 1] + 0 0+ 0+ 101 Error-Cause + Request ACK NAK # Attribute + + [Note 1] Where NAS or session identification attributes are included + in Disconnect-Request or CoA-Request messages, they are used for + identification purposes only. These attributes MUST NOT be used for + purposes other than identification (e.g. within CoA-Request messages + to request authorization changes). + + [Note 2] The Reply-Message Attribute is used to present a displayable + message to the user. The message is only displayed as a result of a + successful Disconnect-Request or CoA-Request (where a Disconnect-ACK + or CoA-ACK is subsequently sent). Where EAP is used for + authentication, an EAP-Message/Notification-Request Attribute is sent + instead, and Disconnect-ACK or CoA-ACK messages contain an EAP- + Message/Notification-Response Attribute. + + [Note 3] When included within a CoA-Request, these attributes + represent an authorization change request. When one of these + attributes is omitted from a CoA-Request, the NAS assumes that the + attribute value is to remain unchanged. Attributes included in a + CoA-Request replace all existing value(s) of the same attribute(s). 
+ + [Note 4] When included within a successful Disconnect-Request (where + a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be + sent unmodified by the client to the accounting server in the + Accounting Stop packet. If the Disconnect-Request is unsuccessful, + then the Class Attribute is not processed. + + [Note 5] When included within a CoA-Request, these attributes + represent an authorization change request. Where tunnel attribute(s) + are sent within a successful CoA-Request, all existing tunnel + attributes are removed and replaced by the new attribute(s). + + + + + +Chiba, et al. Informational [Page 18] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + [Note 6] When included within a Disconnect-Request or CoA-Request, a + Service-Type Attribute with value "Authorize Only" indicates that the + Request only contains NAS and session identification attributes, and + that the NAS should attempt reauthorization by sending an Access- + Request with a Service-Type Attribute with value "Authorize Only". + This enables a usage model akin to that supported in Diameter, thus + easing translation between the two protocols. Support for the + Service-Type Attribute is optional within CoA-Request and + Disconnect-Request messages; where it is not included, the Request + message may contain both identification and authorization attributes. + A NAS that does not support the Service-Type Attribute with the value + "Authorize Only" within a Disconnect-Request MUST respond with a + Disconnect-NAK including no Service-Type Attribute; an Error-Cause + Attribute with value "Unsupported Service" MAY be included. A NAS + that does not support the Service-Type Attribute with the value + "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK + including no Service-Type Attribute; an Error-Cause Attribute with + value "Unsupported Service" MAY be included. 
+ + A NAS supporting the "Authorize Only" Service-Type value within + Disconnect-Request or CoA-Request messages MUST respond with a + Disconnect-NAK or CoA-NAK respectively, containing a Service-Type + Attribute with value "Authorize Only", and an Error-Cause Attribute + with value "Request Initiated". The NAS then sends an Access-Request + to the RADIUS server with a Service-Type Attribute with value + "Authorize Only". This Access-Request SHOULD contain the NAS + attributes from the Disconnect or CoA-Request, as well as the session + attributes from the Request legal for inclusion in an Access-Request + as specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As + noted in [RFC2869] Section 5.19, a Message-Authenticator attribute + SHOULD be included in an Access-Request that does not contain a + User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute. + The RADIUS server should send back an Access-Accept to (re-)authorize + the session or an Access-Reject to refuse to (re-)authorize it. + + [Note 7] The State Attribute is available to be sent by the RADIUS + server to the NAS in a Disconnect-Request or CoA-Request message and + MUST be sent unmodified from the NAS to the RADIUS server in a + subsequent ACK or NAK message. If a Service-Type Attribute with + value "Authorize Only" is included in a Disconnect-Request or CoA- + Request along with a State Attribute, then the State Attribute MUST + be sent unmodified from the NAS to the RADIUS server in the resulting + Access-Request sent to the RADIUS server, if any. The State + Attribute is also available to be sent by the RADIUS server to the + NAS in a CoA-Request that also includes a Termination-Action + Attribute with the value of RADIUS-Request. If the client performs + the Termination-Action by sending a new Access-Request upon + termination of the current session, it MUST include the State + + + +Chiba, et al. 
Informational [Page 19] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Attribute unchanged in that Access-Request. In either usage, the + client MUST NOT interpret the Attribute locally. A Disconnect- + Request or CoA-Request packet must have only zero or one State + Attribute. Usage of the State Attribute is implementation dependent. + If the RADIUS server does not recognize the State Attribute in the + Access-Request, then it MUST send an Access-Reject. + + The following table defines the meaning of the above table entries. + + 0 This attribute MUST NOT be present in packet. + 0+ Zero or more instances of this attribute MAY be present in + packet. + 0-1 Zero or one instance of this attribute MAY be present in packet. + 1 Exactly one instance of this attribute MUST be present in packet. + +4. IANA Considerations + + This document uses the RADIUS [RFC2865] namespace, see + <http://www.iana.org/assignments/radius-types>. There are six + updates for the section: RADIUS Packet Type Codes. These Packet + Types are allocated in [RADIANA]: + + 40 - Disconnect-Request + 41 - Disconnect-ACK + 42 - Disconnect-NAK + 43 - CoA-Request + 44 - CoA-ACK + 45 - CoA-NAK + + Allocation of a new Service-Type value for "Authorize Only" is + requested. This document also uses the UDP [RFC768] namespace, see + <http://www.iana.org/assignments/port-numbers>. The authors request + a port assignment from the Registered ports range. Finally, this + specification allocates the Error-Cause Attribute (101) with the + following decimal values: + + # Value + --- ----- + 201 Residual Session Context Removed + 202 Invalid EAP Packet (Ignored) + 401 Unsupported Attribute + 402 Missing Attribute + 403 NAS Identification Mismatch + 404 Invalid Request + 405 Unsupported Service + 406 Unsupported Extension + 501 Administratively Prohibited + 502 Request Not Routable (Proxy) + + + +Chiba, et al. 
Informational [Page 20] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + 503 Session Context Not Found + 504 Session Context Not Removable + 505 Other Proxy Processing Error + 506 Resources Unavailable + 507 Request Initiated + +5. Security Considerations + +5.1. Authorization Issues + + Where a NAS is shared by multiple providers, it is undesirable for + one provider to be able to send Disconnect-Request or CoA-Requests + affecting the sessions of another provider. + + A NAS or RADIUS proxy MUST silently discard Disconnect-Request or + CoA-Request messages from untrusted sources. By default, a RADIUS + proxy SHOULD perform a "reverse path forwarding" (RPF) check to + verify that a Disconnect-Request or CoA-Request originates from an + authorized RADIUS server. In addition, it SHOULD be possible to + explicitly authorize additional sources of Disconnect-Request or + CoA-Request packets relating to certain classes of sessions. For + example, a particular source can be explicitly authorized to send + CoA-Request messages relating to users within a set of realms. + + To perform the RPF check, the proxy uses the session identification + attributes included in Disconnect-Request or CoA-Request messages, in + order to determine the RADIUS server(s) to which an equivalent + Access-Request could be routed. If the source address of the + Disconnect-Request or CoA-Request is within this set, then the + Request is forwarded; otherwise it MUST be silently discarded. + + Typically the proxy will extract the realm from the Network Access + Identifier [RFC2486] included within the User-Name Attribute, and + determine the corresponding RADIUS servers in the proxy routing + tables. The RADIUS servers for that realm are then compared against + the source address of the packet. Where no RADIUS proxy is present, + the RPF check will need to be performed by the NAS itself. 
+ + Since authorization to send a Disconnect-Request or CoA-Request is + determined based on the source address and the corresponding shared + secret, the NASes or proxies SHOULD configure a different shared + secret for each RADIUS server. + + + + + + + + + +Chiba, et al. Informational [Page 21] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +5.2. Impersonation + + [RFC2865] Section 3 states: + + A RADIUS server MUST use the source IP address of the RADIUS UDP + packet to decide which shared secret to use, so that RADIUS + requests can be proxied. + + When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or + NAS-IPv6-Address Attributes will typically not match the source + address observed by the RADIUS server. Since the NAS-Identifier + Attribute need not contain an FQDN, this attribute may not be + resolvable to the source address observed by the RADIUS server, even + when no proxy is present. + + As a result, the authenticity check performed by a RADIUS server or + proxy does not verify the correctness of NAS identification + attributes. This makes it possible for a rogue NAS to forge NAS-IP- + Address, NAS-IPv6-Address or NAS-Identifier Attributes within a + RADIUS Access-Request in order to impersonate another NAS. It is + also possible for a rogue NAS to forge session identification + attributes such as the Called-Station-Id, Calling-Station-Id, or + Originating-Line-Info [NASREQ]. This could fool the RADIUS server + into sending Disconnect-Request or CoA-Request messages containing + forged session identification attributes to a NAS targeted by an + attacker. + + To address these vulnerabilities RADIUS proxies SHOULD check whether + NAS identification attributes (see Section 3.) match the source + address of packets originating from the NAS. Where one or more + attributes do not match, Disconnect-Request or CoA-Request messages + SHOULD be silently discarded. + + Such a check may not always be possible. 
Since the NAS-Identifier + Attribute need not correspond to an FQDN, it may not be resolvable to + an IP address to be matched against the source address. Also, where + a NAT exists between the RADIUS client and proxy, checking the NAS- + IP-Address or NAS-IPv6-Address Attributes may not be feasible. + +5.3. IPsec Usage Guidelines + + In addition to security vulnerabilities unique to Disconnect or CoA + messages, the protocol exchanges described in this document are + susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is + RECOMMENDED that IPsec be employed to afford better security. + + + + + + +Chiba, et al. Informational [Page 22] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + Implementations of this specification SHOULD support IPsec [RFC2401] + along with IKE [RFC2409] for key management. IPsec ESP [RFC2406] + with a non-null transform SHOULD be supported, and IPsec ESP with a + non-null encryption transform and authentication support SHOULD be + used to provide per-packet confidentiality, authentication, integrity + and replay protection. IKE SHOULD be used for key management. + + Within RADIUS [RFC2865], a shared secret is used for hiding + Attributes such as User-Password, as well as used in computation of + the Response Authenticator. In RADIUS accounting [RFC2866], the + shared secret is used in computation of both the Request + Authenticator and the Response Authenticator. + + Since in RADIUS a shared secret is used to provide confidentiality as + well as integrity protection and authentication, only use of IPsec + ESP with a non-null transform can provide security services + sufficient to substitute for RADIUS application-layer security. + Therefore, where IPsec AH or ESP null is used, it will typically + still be necessary to configure a RADIUS shared secret. + + Where RADIUS is run over IPsec ESP with a non-null transform, the + secret shared between the NAS and the RADIUS server MAY NOT be + configured. 
In this case, a shared secret of zero length MUST be + assumed. However, a RADIUS server that cannot know whether incoming + traffic is IPsec-protected MUST be configured with a non-null RADIUS + shared secret. + + When IPsec ESP is used with RADIUS, per-packet authentication, + integrity and replay protection MUST be used. 3DES-CBC MUST be + supported as an encryption transform and AES-CBC SHOULD be supported. + AES-CBC SHOULD be offered as a preferred encryption transform if + supported. HMAC-SHA1-96 MUST be supported as an authentication + transform. DES-CBC SHOULD NOT be used as the encryption transform. + + A typical IPsec policy for an IPsec-capable RADIUS client is + "Initiate IPsec, from me to any destination port UDP 1812". This + IPsec policy causes an IPsec SA to be set up by the RADIUS client + prior to sending RADIUS traffic. If some RADIUS servers contacted by + the client do not support IPsec, then a more granular policy will be + required: "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, + destination port UDP 1812." + + For a client implementing this specification, the policy would be + "Accept IPsec, from any to me, destination port UDP 3799". This + causes the RADIUS client to accept (but not require) use of IPsec. + It may not be appropriate to require IPsec for all RADIUS servers + connecting to an IPsec-enabled RADIUS client, since some RADIUS + servers may not support IPsec. + + + +Chiba, et al. Informational [Page 23] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept + IPsec, from any to me, destination port 1812". This causes the + RADIUS server to accept (but not require) use of IPsec. It may not + be appropriate to require IPsec for all RADIUS clients connecting to + an IPsec-enabled RADIUS server, since some RADIUS clients may not + support IPsec. 
+ + For servers implementing this specification, the policy would be + "Initiate IPsec, from me to any, destination port UDP 3799". This + causes the RADIUS server to initiate IPsec when sending RADIUS + extension traffic to any RADIUS client. If some RADIUS clients + contacted by the server do not support IPsec, then a more granular + policy will be required, such as "Initiate IPsec, from me to IPsec- + capable-RADIUS-client, destination port UDP 3799". + + Where IPsec is used for security, and no RADIUS shared secret is + configured, it is important that the RADIUS client and server perform + an authorization check. Before enabling a host to act as a RADIUS + client, the RADIUS server SHOULD check whether the host is authorized + to provide network access. Similarly, before enabling a host to act + as a RADIUS server, the RADIUS client SHOULD check whether the host + is authorized for that role. + + RADIUS servers can be configured with the IP addresses (for IKE + Aggressive Mode with pre-shared keys) or FQDNs (for certificate + authentication) of RADIUS clients. Alternatively, if a separate + Certification Authority (CA) exists for RADIUS clients, then the + RADIUS server can configure this CA as a trust anchor [RFC3280] for + use with IPsec. + + Similarly, RADIUS clients can be configured with the IP addresses + (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for + certificate authentication) of RADIUS servers. Alternatively, if a + separate CA exists for RADIUS servers, then the RADIUS client can + configure this CA as a trust anchor for use with IPsec. + + Since unlike SSL/TLS, IKE does not permit certificate policies to be + set on a per-port basis, certificate policies need to apply to all + uses of IPsec on RADIUS clients and servers. 
In IPsec deployment + supporting only certificate authentication, a management station + initiating an IPsec-protected telnet session to the RADIUS server + would need to obtain a certificate chaining to the RADIUS client CA. + Issuing such a certificate might not be appropriate if the management + station was not authorized as a RADIUS client. + + Where RADIUS clients may obtain their IP address dynamically (such as + an Access Point supporting DHCP), Main Mode with pre-shared keys + [RFC2409] SHOULD NOT be used, since this requires use of a group + + + +Chiba, et al. Informational [Page 24] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + pre-shared key; instead, Aggressive Mode SHOULD be used. Where + RADIUS client addresses are statically assigned, either Aggressive + Mode or Main Mode MAY be used. With certificate authentication, Main + Mode SHOULD be used. + + Care needs to be taken with IKE Phase 1 Identity Payload selection in + order to enable mapping of identities to pre-shared keys, even with + Aggressive Mode. Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity + Payloads are used and addresses are dynamically assigned, mapping of + identities to keys is not possible, so that group pre-shared keys are + still a practical necessity. As a result, the ID_FQDN identity + payload SHOULD be employed in situations where Aggressive mode is + utilized along with pre-shared keys and IP addresses are dynamically + assigned. This approach also has other advantages, since it allows + the RADIUS server and client to configure themselves based on the + fully qualified domain name of their peers. + + Note that with IPsec, security services are negotiated at the + granularity of an IPsec SA, so that RADIUS exchanges requiring a set + of security services different from those negotiated with existing + IPsec SAs will need to negotiate a new IPsec SA. 
Separate IPsec SAs + are also advisable where quality of service considerations dictate + different handling RADIUS conversations. Attempting to apply + different quality of service to connections handled by the same IPsec + SA can result in reordering, and falling outside the replay window. + For a discussion of the issues, see [RFC2983]. + +5.4. Replay Protection + + Where IPsec replay protection is not used, the Event-Timestamp (55) + Attribute [RFC2869] SHOULD be included within all messages. When + this attribute is present, both the NAS and the RADIUS server MUST + check that the Event-Timestamp Attribute is current within an + acceptable time window. If the Event-Timestamp Attribute is not + current, then the message MUST be silently discarded. This implies + the need for time synchronization within the network, which can be + achieved by a variety of means, including secure NTP, as described in + [NTPAUTH]. + + Both the NAS and the RADIUS server SHOULD be configurable to silently + discard messages lacking an Event-Timestamp Attribute. A default + time window of 300 seconds is recommended. + + + + + + + + + +Chiba, et al. Informational [Page 25] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +6. Example Traces + + Disconnect Request with User-Name: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# + 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. + 32: 6d63 6869 6261 + + Disconnect Request with Acct-Session-ID: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... + 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. + 32: 3930 3233 3435 3637 90234567 + + Disconnect Request with Framed-IP-Address: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... + 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... + 32: 0a00 0203 + +7. References + +7.1. 
Normative References + + [RFC1305] Mills, D., "Network Time Protocol (version 3) + Specification, Implementation and Analysis", RFC 1305, + March 1992. + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC + 1321, April 1992. + + [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for + the Internet Protocol", RFC 2401, November 1998. + + [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security + Payload (ESP)", RFC 2406, November 1998. + + [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange + (IKE)", RFC 2409, November 1998. + + + + + +Chiba, et al. Informational [Page 26] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing + an IANA Considerations Section in RFCs", BCP 26, RFC + 2434, October 1998. + + [RFC2486] Aboba, B. and M. Beadles, "The Network Access + Identifier", RFC 2486, January 1999. + + [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS + Extensions", RFC 2869, June 2000. + + [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", + RFC 3162, August 2001. + + [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet + X.509 Public Key Infrastructure Certificate and + Certificate Revocation List (CRL) Profile", RFC 3280, + April 2002. + + [RADIANA] Aboba, B., "IANA Considerations for RADIUS (Remote + Authentication Dial In User Service)", RFC 3575, July + 2003. + +7.2. 
Informative References + + [RFC2882] Mitton, D., "Network Access Server Requirements: + Extended RADIUS Practices", RFC 2882, July 2000. + + [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC + 2983, October 2000. + + [AAATransport] Aboba, B. and J. Wood, "Authentication, Authorization + and Accounting (AAA) Transport Profile", RFC 3539, + June 2003. + + [Diameter] Calhoun, P., et al., "Diameter Base Protocol", Work in + Progress. + + [MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent + Attack", CryptoBytes Vol.2 No.2, Summer 1996. + + [NASREQ] Calhoun, P., et al., "Diameter Network Access Server + Application", Work in Progress. + + + +Chiba, et al. Informational [Page 27] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + + [NTPAUTH] Mills, D., "Public Key Cryptography for the Network + Time Protocol", Work in Progress. + +8. Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards- related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementers or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. 
Please address the information to the IETF Executive + Director. + +9. Acknowledgments + + This protocol was first developed and distributed by Ascend + Communications. Example code was distributed in their free server + kit. + + The authors would like to acknowledge the valuable suggestions and + feedback from the following people: + + Avi Lior <avi@bridgewatersystems.com>, + Randy Bush <randy@psg.net>, + Steve Bellovin <smb@research.att.com> + Glen Zorn <gwz@cisco.com>, + Mark Jones <mjones@bridgewatersystems.com>, + Claudio Lapidus <clapidus@hotmail.com>, + Anurag Batta <Anurag_Batta@3com.com>, + Kuntal Chowdhury <chowdury@nortelnetworks.com>, and + Tim Moore <timmoore@microsoft.com>. + Russ Housley <housley@vigilsec.com> + + + + + + + +Chiba, et al. Informational [Page 28] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +10. Authors' Addresses + + Murtaza Chiba + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose CA, 95134 + + EMail: mchiba@cisco.com + Phone: +1 408 525 7198 + + Gopal Dommety + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose, CA 95134 + + EMail: gdommety@cisco.com + Phone: +1 408 525 1404 + + Mark Eklund + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose, CA 95134 + + EMail: meklund@cisco.com + Phone: +1 865 671 6255 + + David Mitton + Circular Logic UnLtd. + 733 Turnpike Street #154 + North Andover, MA 01845 + + EMail: david@mitton.com + Phone: +1 978 683 1814 + + Bernard Aboba + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + + EMail: bernarda@microsoft.com + Phone: +1 425 706 6605 + Fax: +1 425 936 7329 + + + + + + + + + +Chiba, et al. Informational [Page 29] + +RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 + + +11. Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. 
+ + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 30] + |