summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--accel-pptpd/CMakeLists.txt8
-rw-r--r--accel-pptpd/auth_pap.c134
-rw-r--r--accel-pptpd/lcp_base_opt.c75
-rw-r--r--accel-pptpd/lcp_opt_accomp.c92
-rw-r--r--accel-pptpd/lcp_opt_magic.c81
-rw-r--r--accel-pptpd/lcp_opt_mru.c97
-rw-r--r--accel-pptpd/lcp_opt_pcomp.c92
-rw-r--r--accel-pptpd/log.c15
-rw-r--r--accel-pptpd/ppp.c44
-rw-r--r--accel-pptpd/ppp.h26
-rw-r--r--accel-pptpd/ppp_auth.c282
-rw-r--r--accel-pptpd/ppp_auth.h34
-rw-r--r--accel-pptpd/ppp_ccp.c12
-rw-r--r--accel-pptpd/ppp_fsm.c118
-rw-r--r--accel-pptpd/ppp_fsm.h84
-rw-r--r--accel-pptpd/ppp_ipcp.c12
-rw-r--r--accel-pptpd/ppp_lcp.c638
-rw-r--r--accel-pptpd/ppp_lcp.h67
-rw-r--r--accel-pptpd/pwdb.c7
-rw-r--r--accel-pptpd/pwdb.h9
-rw-r--r--accel-pptpd/triton/timer.c5
-rw-r--r--doc/rfc3576.txt1683
22 files changed, 3085 insertions, 530 deletions
diff --git a/accel-pptpd/CMakeLists.txt b/accel-pptpd/CMakeLists.txt
index 2e46e5b..3279141 100644
--- a/accel-pptpd/CMakeLists.txt
+++ b/accel-pptpd/CMakeLists.txt
@@ -12,6 +12,14 @@ ADD_EXECUTABLE(pptpd
ppp.c
ppp_fsm.c
ppp_lcp.c
+ lcp_opt_mru.c
+ lcp_opt_magic.c
+ lcp_opt_pcomp.c
+ lcp_opt_accomp.c
ppp_auth.c
+ ppp_ccp.c
+ ppp_ipcp.c
+ auth_pap.c
+ pwdb.c
)
TARGET_LINK_LIBRARIES(pptpd pthread triton)
diff --git a/accel-pptpd/auth_pap.c b/accel-pptpd/auth_pap.c
index ed0f6bf..95d5b1e 100644
--- a/accel-pptpd/auth_pap.c
+++ b/accel-pptpd/auth_pap.c
@@ -1,3 +1,8 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
#include "log.h"
#include "ppp.h"
#include "ppp_auth.h"
@@ -7,14 +12,23 @@
#define HDR_LEN (sizeof(struct pap_hdr_t)-2)
-static int lcp_get_conf_req(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
-static int lcp_recv_conf_req(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
-static int begin(struct auth_driver_t*, struct ppp_t*);
-static int terminate(struct auth_driver_t*, struct ppp_t*);
+#define PAP_REQ 1
+#define PAP_ACK 2
+#define PAP_NAK 3
+
+char *strndup(const char *s, size_t n);
+
+static struct auth_data_t* auth_data_init(struct ppp_t *ppp);
+static void auth_data_free(struct ppp_t*, struct auth_data_t*);
+static int lcp_send_conf_req(struct ppp_t*, struct auth_data_t*, uint8_t*);
+static int lcp_recv_conf_req(struct ppp_t*, struct auth_data_t*, uint8_t*);
+static int pap_start(struct ppp_t*, struct auth_data_t*);
+static int pap_finish(struct ppp_t*, struct auth_data_t*);
static void pap_recv(struct ppp_handler_t*h);
-struct pap_proto_t
+struct pap_auth_data_t
{
+ struct auth_data_t auth;
struct ppp_handler_t h;
struct ppp_t *ppp;
};
@@ -34,91 +48,98 @@ struct pap_ack_t
char msg[0];
} __attribute__((packed));
-static struct auth_driver_t pap=
+static struct ppp_auth_handler_t pap=
{
- .type=PPP_PAP,
- .get_conf_req=lcp_get_conf_req,
+ .name="PAP",
+ .init=auth_data_init,
+ .free=auth_data_free,
+ .send_conf_req=lcp_send_conf_req,
.recv_conf_req=lcp_recv_conf_req,
.start=pap_start,
.finish=pap_finish,
};
+static struct auth_data_t* auth_data_init(struct ppp_t *ppp)
+{
+ struct pap_auth_data_t *d=malloc(sizeof(*d));
+
+ memset(d,0,sizeof(*d));
+ d->auth.proto=PPP_PAP;
+ d->ppp=ppp;
-int plugin_init(void)
+ return &d->auth;
+}
+
+static void auth_data_free(struct ppp_t *ppp,struct auth_data_t *auth)
{
- if (auth_register(&pap))
- {
- log_error("pap: failed to register driver\n");
- return -1;
- }
+ struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth);
- return 0;
+ free(d);
}
-static int pap_start(struct auth_driver_t *d, struct ppp_t *ppp)
+static int pap_start(struct ppp_t *ppp, struct auth_data_t *auth)
{
- struct pap_proto_t *p=malloc(sizeof(*p));
+ struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth);
- memset(&p,0,sizeof(*p));
- p->h.proto=PPP_PAP;
- p->h.recv=pap_recv;
- p->ppp=ppp;
- ppp->auth_pd=p;
+ d->h.proto=PPP_PAP;
+ d->h.recv=pap_recv;
- ppp_register_handler(p->ppp,p->h);
+ ppp_register_handler(ppp,&d->h);
return 0;
}
-static int pap_finish(struct auth_driver_t *d, struct ppp_t *ppp)
+static int pap_finish(struct ppp_t *ppp, struct auth_data_t *auth)
{
- struct pap_proto_t *p=(struct pap_proto_t*)ppp->auth_pd;
-
- ppp_unregister_handler(p->ppp,p->h);
+ struct pap_auth_data_t *d=container_of(auth,typeof(*d),auth);
- free(p);
+ ppp_unregister_handler(ppp,&d->h);
return 0;
}
-static int lcp_get_conf_req(struct auth_driver_t *d, struct ppp_t *ppp, struct lcp_opt32_t *opt)
+static int lcp_send_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr)
{
return 0;
}
-static int lcp_recv_conf_req(struct auth_driver_t *d, struct ppp_t *ppp, struct lcp_opt32_t *opt)
+static int lcp_recv_conf_req(struct ppp_t *ppp, struct auth_data_t *d, uint8_t *ptr)
{
return 0;
}
-static void pap_send_ack(struct pap_proto_t *p, int id)
+static void pap_send_ack(struct pap_auth_data_t *p, int id)
{
uint8_t buf[128];
struct pap_ack_t *msg=(struct pap_ack_t*)buf;
- msg->hdr.proto=PPP_PAP;
+ msg->hdr.proto=htons(PPP_PAP);
msg->hdr.code=PAP_ACK;
msg->hdr.id=id;
- msg->hdr.len=HDR_LEN+1+sizeof(MSG_SUCCESSED);
- msg->len=sizeof(MSG_SUCCESSED);
+ msg->hdr.len=htons(HDR_LEN+1+sizeof(MSG_SUCCESSED));
+ msg->msg_len=sizeof(MSG_SUCCESSED)-1;
memcpy(msg->msg,MSG_SUCCESSED,sizeof(MSG_SUCCESSED));
- ppp_send(p->ppp,msg,msg->hdr.len+2);
+ log_debug("send [PAP AuthAck id=%x \"%s\"]\n",id,MSG_SUCCESSED);
+
+ ppp_send(p->ppp,msg,ntohs(msg->hdr.len)+2);
}
-static void pap_send_nack(struct pap_proto_t *p,int id)
+static void pap_send_nak(struct pap_auth_data_t *p,int id)
{
uint8_t buf[128];
struct pap_ack_t *msg=(struct pap_ack_t*)buf;
- msg->hdr.proto=PPP_PAP;
- msg->hdr.code=PAP_NACK;
+ msg->hdr.proto=htons(PPP_PAP);
+ msg->hdr.code=PAP_NAK;
msg->hdr.id=id;
- msg->hdr.len=HDR_LEN+1+sizeof(MSG_FAILED);
- msg->len=sizeof(MSG_FAILED);
+ msg->hdr.len=htons(HDR_LEN+1+sizeof(MSG_FAILED));
+ msg->msg_len=sizeof(MSG_FAILED)-1;
memcpy(msg->msg,MSG_FAILED,sizeof(MSG_FAILED));
- ppp_send(p->ppp,msg,msg->hdr.len+2);
+ log_debug("send [PAP AuthNak id=%x \"%s\"]\n",id,MSG_FAILED);
+
+ ppp_send(p->ppp,msg,ntohs(msg->hdr.len)+2);
}
-static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr)
+static int pap_recv_req(struct pap_auth_data_t *p,struct pap_hdr_t *hdr)
{
int ret;
char *peer_id;
@@ -126,29 +147,31 @@ static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr)
int peer_id_len;
int passwd_len;
uint8_t *ptr=(uint8_t*)(hdr+1);
-
+
+ log_debug("recv [PAP AuthReq id=%x]\n",hdr->id);
+
peer_id_len=*(uint8_t*)ptr; ptr++;
- if (peer_id_len>htons(hdr->len)-sizeof(*hdr)-1)
+ if (peer_id_len>ntohs(hdr->len)-sizeof(*hdr)+2-1)
{
log_warn("PAP: short packet received\n");
return -1;
}
- peer_id=ptr; ptr+=peer_id_len;
+ peer_id=(char*)ptr; ptr+=peer_id_len;
passwd_len=*(uint8_t*)ptr; ptr++;
- if (passwd_len>htons(hdr->len)-sizeof(*hdr)-2-peer_id_len)
+ if (passwd_len>ntohs(hdr->len)-sizeof(*hdr)+2-2-peer_id_len)
{
log_warn("PAP: short packet received\n");
return -1;
}
- peer_id=stdndup(peer_id,peer_id_len);
- passwd=stdndup(ptr,passwd_len);
+ peer_id=strndup((const char*)peer_id,peer_id_len);
+ passwd=strndup((const char*)ptr,passwd_len);
if (pwdb_check(peer_id,passwd))
{
log_warn("PAP: authentication error\n");
- pap_send_nack(p,hdr->id);
+ pap_send_nak(p,hdr->id);
auth_failed(p->ppp);
ret=-1;
}else
@@ -166,19 +189,24 @@ static int pap_recv_req(struct pap_proto_t *p,struct pap_hdr_t *hdr)
static void pap_recv(struct ppp_handler_t *h)
{
- struct pap_proto_t *p=container_of(h,typeof(*p),h);
- struct pap_hdr_t *hdr=(struct pap_hdr_t *)p->ppp->in_buf;
+ struct pap_auth_data_t *d=container_of(h,typeof(*d),h);
+ struct pap_hdr_t *hdr=(struct pap_hdr_t *)d->ppp->in_buf;
- if (p->ppp->in_buf_size<sizeof(*hdr) || htons(hdr->len)<HDR_LEN || htons(hdr->len)<p->ppp->in_buf_size-2)
+ if (d->ppp->in_buf_size<sizeof(*hdr) || ntohs(hdr->len)<HDR_LEN || ntohs(hdr->len)<d->ppp->in_buf_size-2)
{
log_warn("PAP: short packet received\n");
return;
}
- if (hdr->code==PAP_REQ) pap_recv_req(p,hdr);
+ if (hdr->code==PAP_REQ) pap_recv_req(d,hdr);
else
{
log_warn("PAP: unknown code received %x\n",hdr->code);
}
}
+static void __init auth_pap_init()
+{
+ ppp_auth_register_handler(&pap);
+}
+
diff --git a/accel-pptpd/lcp_base_opt.c b/accel-pptpd/lcp_base_opt.c
new file mode 100644
index 0000000..352dee2
--- /dev/null
+++ b/accel-pptpd/lcp_base_opt.c
@@ -0,0 +1,75 @@
+#include "ppp_lcp.h"
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp);
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+
+struct mru_option_t
+{
+ struct lcp_option_t opt;
+ int mru;
+ int mtu;
+};
+
+static struct lcp_option_handler_t opt_mru=
+{
+ .id=CI_MRU,
+ .init=mru_init,
+ .send_conf_req=mru_send_conf_req,
+ .send_conf_nak=mru_send_conf_nak,
+ .recv_conf_req=mru_recv_conf_req,
+ .free=mru_free,
+};
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp)
+{
+ struct mru_option_t *mru_opt=malloc(sizeof(*mru_opt));
+ memset(mru_opt,0,sizeof(*mru_opt));
+ mru_opt->mtu=0;
+ mru_opt->mru=1500;
+ mru_opt->opt.len=4;
+
+ return &mru_opt->opt;
+}
+
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+
+ free(mru_opt);
+}
+
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.type=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mru);
+ return 4;
+}
+
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.type=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mtu);
+ return 4;
+}
+
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (!mru_opt->mtu || mru_opt->mtu==ntohs(opt16->val))
+ {
+ mru_opt->mtu=ntohs(opt16->val);
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
diff --git a/accel-pptpd/lcp_opt_accomp.c b/accel-pptpd/lcp_opt_accomp.c
new file mode 100644
index 0000000..9191563
--- /dev/null
+++ b/accel-pptpd/lcp_opt_accomp.c
@@ -0,0 +1,92 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *accomp_init(struct ppp_lcp_t *lcp);
+static void accomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int accomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int accomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int accomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void accomp_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct accomp_option_t
+{
+ struct lcp_option_t opt;
+ int accomp; // 0 - disabled, 1 - enabled, 2 - allow,disabled, 3 - allow,enabled
+};
+
+static struct lcp_option_handler_t accomp_opt_hnd=
+{
+ .init=accomp_init,
+ .send_conf_req=accomp_send_conf_req,
+ .send_conf_nak=accomp_send_conf_nak,
+ .recv_conf_req=accomp_recv_conf_req,
+ .free=accomp_free,
+ .print=accomp_print,
+};
+
+static struct lcp_option_t *accomp_init(struct ppp_lcp_t *lcp)
+{
+ struct accomp_option_t *accomp_opt=malloc(sizeof(*accomp_opt));
+ memset(accomp_opt,0,sizeof(*accomp_opt));
+ accomp_opt->accomp=2;
+ accomp_opt->opt.id=CI_ACCOMP;
+ accomp_opt->opt.len=2;
+
+ return &accomp_opt->opt;
+}
+
+static void accomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+
+ free(accomp_opt);
+}
+
+static int accomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ if (accomp_opt->accomp==1 || accomp_opt->accomp==3)
+ {
+ opt0->id=CI_ACCOMP;
+ opt0->len=2;
+ return 2;
+ }
+ return 0;
+}
+
+static int accomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ opt0->id=CI_ACCOMP;
+ opt0->len=2;
+ return 2;
+}
+
+static int accomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct accomp_option_t *accomp_opt=container_of(opt,typeof(*accomp_opt),opt);
+
+ if (accomp_opt->accomp>0)
+ {
+ accomp_opt->accomp=1;
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
+static void accomp_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ print("<accomp>");
+}
+
+static void __init accomp_opt_init()
+{
+ lcp_option_register(&accomp_opt_hnd);
+}
+
diff --git a/accel-pptpd/lcp_opt_magic.c b/accel-pptpd/lcp_opt_magic.c
new file mode 100644
index 0000000..53438b9
--- /dev/null
+++ b/accel-pptpd/lcp_opt_magic.c
@@ -0,0 +1,81 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *magic_init(struct ppp_lcp_t *lcp);
+static void magic_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int magic_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int magic_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void magic_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct magic_option_t
+{
+ struct lcp_option_t opt;
+ int magic;
+};
+
+static struct lcp_option_handler_t magic_opt_hnd=
+{
+ .init=magic_init,
+ .send_conf_req=magic_send_conf_req,
+ .recv_conf_req=magic_recv_conf_req,
+ .free=magic_free,
+ .print=magic_print,
+};
+
+static struct lcp_option_t *magic_init(struct ppp_lcp_t *lcp)
+{
+ struct magic_option_t *magic_opt=malloc(sizeof(*magic_opt));
+ memset(magic_opt,0,sizeof(*magic_opt));
+ magic_opt->magic=random();
+ magic_opt->opt.id=CI_MAGIC;
+ magic_opt->opt.len=6;
+
+ return &magic_opt->opt;
+}
+
+static void magic_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+
+ free(magic_opt);
+}
+
+static int magic_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+ struct lcp_opt32_t *opt32=(struct lcp_opt32_t*)ptr;
+ opt32->hdr.id=CI_MAGIC;
+ opt32->hdr.len=6;
+ opt32->val=htonl(magic_opt->magic);
+ return 6;
+}
+
+static int magic_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+ struct lcp_opt32_t *opt32=(struct lcp_opt32_t*)ptr;
+
+ if (magic_opt->magic==ntohl(opt32->val))
+ {
+ log_error("loop detected");
+ return -1;
+ }
+ return LCP_OPT_ACK;
+}
+
+static void magic_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct magic_option_t *magic_opt=container_of(opt,typeof(*magic_opt),opt);
+
+ print("<magic %04x>",magic_opt->magic);
+}
+
+static void __init magic_opt_init()
+{
+ lcp_option_register(&magic_opt_hnd);
+}
diff --git a/accel-pptpd/lcp_opt_mru.c b/accel-pptpd/lcp_opt_mru.c
new file mode 100644
index 0000000..153b0e0
--- /dev/null
+++ b/accel-pptpd/lcp_opt_mru.c
@@ -0,0 +1,97 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp);
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void mru_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct mru_option_t
+{
+ struct lcp_option_t opt;
+ int mru;
+ int mtu;
+};
+
+static struct lcp_option_handler_t mru_opt_hnd=
+{
+ .init=mru_init,
+ .send_conf_req=mru_send_conf_req,
+ .send_conf_nak=mru_send_conf_nak,
+ .recv_conf_req=mru_recv_conf_req,
+ .free=mru_free,
+ .print=mru_print,
+};
+
+static struct lcp_option_t *mru_init(struct ppp_lcp_t *lcp)
+{
+ struct mru_option_t *mru_opt=malloc(sizeof(*mru_opt));
+ memset(mru_opt,0,sizeof(*mru_opt));
+ mru_opt->mtu=0;
+ mru_opt->mru=1500;
+ mru_opt->opt.id=CI_MRU;
+ mru_opt->opt.len=4;
+
+ return &mru_opt->opt;
+}
+
+static void mru_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+
+ free(mru_opt);
+}
+
+static int mru_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.id=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mru);
+ return 4;
+}
+
+static int mru_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ opt16->hdr.id=CI_MRU;
+ opt16->hdr.len=4;
+ opt16->val=htons(mru_opt->mtu);
+ return 4;
+}
+
+static int mru_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (!mru_opt->mtu || mru_opt->mtu==ntohs(opt16->val))
+ {
+ mru_opt->mtu=ntohs(opt16->val);
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
+static void mru_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct mru_option_t *mru_opt=container_of(opt,typeof(*mru_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+
+ if (ptr) print("<mru %i>",ntohs(opt16->val));
+ else print("<mru %i>",mru_opt->mru);
+}
+
+static void __init mru_opt_init()
+{
+ lcp_option_register(&mru_opt_hnd);
+}
+
diff --git a/accel-pptpd/lcp_opt_pcomp.c b/accel-pptpd/lcp_opt_pcomp.c
new file mode 100644
index 0000000..79d77c6
--- /dev/null
+++ b/accel-pptpd/lcp_opt_pcomp.c
@@ -0,0 +1,92 @@
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+#include "ppp.h"
+#include "ppp_lcp.h"
+#include "log.h"
+
+static struct lcp_option_t *pcomp_init(struct ppp_lcp_t *lcp);
+static void pcomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int pcomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int pcomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int pcomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void pcomp_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct pcomp_option_t
+{
+ struct lcp_option_t opt;
+ int pcomp; // 0 - disabled, 1 - enabled, 2 - allow,disabled, 3 - allow,enabled
+};
+
+static struct lcp_option_handler_t pcomp_opt_hnd=
+{
+ .init=pcomp_init,
+ .send_conf_req=pcomp_send_conf_req,
+ .send_conf_nak=pcomp_send_conf_nak,
+ .recv_conf_req=pcomp_recv_conf_req,
+ .free=pcomp_free,
+ .print=pcomp_print,
+};
+
+static struct lcp_option_t *pcomp_init(struct ppp_lcp_t *lcp)
+{
+ struct pcomp_option_t *pcomp_opt=malloc(sizeof(*pcomp_opt));
+ memset(pcomp_opt,0,sizeof(*pcomp_opt));
+ pcomp_opt->pcomp=2;
+ pcomp_opt->opt.id=CI_PCOMP;
+ pcomp_opt->opt.len=2;
+
+ return &pcomp_opt->opt;
+}
+
+static void pcomp_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+
+ free(pcomp_opt);
+}
+
+static int pcomp_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ if (pcomp_opt->pcomp==1 || pcomp_opt->pcomp==3)
+ {
+ opt0->id=CI_PCOMP;
+ opt0->len=2;
+ return 2;
+ }
+ return 0;
+}
+
+static int pcomp_send_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+ struct lcp_opt_hdr_t *opt0=(struct lcp_opt_hdr_t*)ptr;
+ opt0->id=CI_PCOMP;
+ opt0->len=2;
+ return 2;
+}
+
+static int pcomp_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct pcomp_option_t *pcomp_opt=container_of(opt,typeof(*pcomp_opt),opt);
+
+ if (pcomp_opt->pcomp>0)
+ {
+ pcomp_opt->pcomp=1;
+ return LCP_OPT_ACK;
+ }else return LCP_OPT_NAK;
+}
+
+static void pcomp_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
+{
+ print("<pcomp>");
+}
+
+static void __init pcomp_opt_init()
+{
+ lcp_option_register(&pcomp_opt_hnd);
+}
+
diff --git a/accel-pptpd/log.c b/accel-pptpd/log.c
index 454e997..4ee86e1 100644
--- a/accel-pptpd/log.c
+++ b/accel-pptpd/log.c
@@ -34,7 +34,7 @@
#define LOG_DEBUG 3
static FILE *log_file=NULL;
-static int log_level=1;
+static int log_level=10;
static int log_color=1;
static const char* level_name[]={"error","warning","info","debug"};
static const char* level_color[]={RED_COLOR,YELLOW_COLOR,GREEN_COLOR,BLUE_COLOR};
@@ -46,15 +46,18 @@ static void do_log(int level,const char *fmt,va_list ap)
{
struct timeval tv;
- pthread_mutex_lock(&lock);
- gettimeofday(&tv,NULL);
- if (log_color) fprintf(log_file,"[%s%li.%03li] [%s]%s ",level_color[level],tv.tv_sec,tv.tv_usec/1000,NORMAL_COLOR,level_name[level]);
- else fprintf(log_file,"[%li.%03li] [%s] ",tv.tv_sec,tv.tv_usec/1000,level_name[level]);
+ //pthread_mutex_lock(&lock);
+ if (msg_completed)
+ {
+ gettimeofday(&tv,NULL);
+ if (log_color) fprintf(log_file,"[%s%li.%03li] [%s]%s ",level_color[level],tv.tv_sec,tv.tv_usec/1000,NORMAL_COLOR,level_name[level]);
+ else fprintf(log_file,"[%li.%03li] [%s] ",tv.tv_sec,tv.tv_usec/1000,level_name[level]);
+ }
vfprintf(log_file,fmt,ap);
msg_completed=fmt[strlen(fmt)-1]=='\n';
- if (msg_completed) pthread_mutex_unlock(&lock);
+ //if (msg_completed) pthread_mutex_unlock(&lock);
}
void log_error(const char *fmt,...)
{
diff --git a/accel-pptpd/ppp.c b/accel-pptpd/ppp.c
index f8a1be5..b032b06 100644
--- a/accel-pptpd/ppp.c
+++ b/accel-pptpd/ppp.c
@@ -86,13 +86,10 @@ int establish_ppp(struct ppp_t *ppp)
ppp->h->twait=-1;
triton_md_register_handler(ppp->h);
triton_md_enable_handler(ppp->h,MD_MODE_READ);
- INIT_LIST_HEAD(&ppp->layers);
+ INIT_LIST_HEAD(&ppp->handlers);
- ppp->lcp_layer=ppp_lcp_init(ppp);
- /*list_add_tail(&ppp->lcp_layer->entry,&ppp->layers);
- ppp_fsm_open(ppp->lcp_layer);
- ppp_fsm_lower_up(ppp->lcp_layer);*/
ppp->cur_layer=PPP_LAYER_LCP;
+
lcp_start(ppp);
return 0;
@@ -104,6 +101,14 @@ exit_close_chan:
return -1;
}
+void print_buf(uint8_t *buf,int size)
+{
+ int i;
+ for(i=0;i<size;i++)
+ printf("%x ",buf[i]);
+ printf("\n");
+}
+
int ppp_send(struct ppp_t *ppp, void *data, int size)
{
int n;
@@ -111,32 +116,38 @@ int ppp_send(struct ppp_t *ppp, void *data, int size)
if (ppp->out_buf_size) return -1;
if (size>PPP_MTU+PPP_HDRLEN) return -1;
+ printf("ppp: send: ");
+ print_buf((uint8_t*)data,size);
+
n=write(ppp->unit_fd,data,size);
- if (n>=0)
+ /*if (n>=0)
{
if (n!=ppp->out_buf_size-ppp->out_buf_pos)
{
ppp->out_buf_pos+=n;
triton_md_enable_handler(ppp->h,MD_MODE_WRITE);
}
- }
+ }*/
return n;
}
static void ppp_read(struct triton_md_handler_t*h)
{
struct ppp_t *ppp=(struct ppp_t *)h->pd;
- struct ppp_layer_t *l=NULL;
+ struct ppp_handler_t *ppp_h=NULL;
uint16_t proto;
ppp->in_buf_size=read(h->fd,ppp->in_buf,PPP_MRU+PPP_HDRLEN);
+ printf("ppp: recv: ");
+ print_buf(ppp->in_buf,ppp->in_buf_size);
+
proto=ntohs(*(uint16_t*)ppp->in_buf);
- list_for_each_entry(l,&ppp->layers,entry)
+ list_for_each_entry(ppp_h,&ppp->handlers,entry)
{
- if (l->proto==proto)
+ if (ppp_h->proto==proto)
{
- l->recv(l);
+ ppp_h->recv(ppp_h);
return;
}
}
@@ -166,7 +177,6 @@ static void ppp_timeout(struct triton_md_handler_t*h)
void ppp_layer_started(struct ppp_t *ppp)
{
- int i;
switch(ppp->cur_layer)
{
case PPP_LAYER_LCP:
@@ -204,3 +214,13 @@ void ppp_terminate(struct ppp_t *ppp)
}
}
+
+void ppp_register_handler(struct ppp_t *ppp,struct ppp_handler_t *h)
+{
+ list_add_tail(&h->entry,&ppp->handlers);
+}
+void ppp_unregister_handler(struct ppp_t *ppp,struct ppp_handler_t *h)
+{
+ list_del(&h->entry);
+}
+
diff --git a/accel-pptpd/ppp.h b/accel-pptpd/ppp.h
index 4a4c70e..83ad8ed 100644
--- a/accel-pptpd/ppp.h
+++ b/accel-pptpd/ppp.h
@@ -2,7 +2,7 @@
#define PPP_H
#include <sys/types.h>
-#include "ppp_fsm.h"
+#include "list.h"
/*
* Packet header = Code, id, length.
@@ -46,6 +46,10 @@
#define PPP_LAYER_CCP 3
#define PPP_LAYER_IPCP 4
+#define AUTH_MAX 3
+
+struct ppp_lcp_t;
+
struct ppp_t
{
struct triton_md_handler_t *h;
@@ -77,8 +81,7 @@ struct ppp_t
struct list_head handlers;
int cur_layer;
- struct ppp_layer_t *lcp_layer;
- void *auth_pd;
+ struct ppp_lcp_t *lcp;
};
struct ppp_handler_t
@@ -94,17 +97,30 @@ int ppp_send(struct ppp_t *ppp, void *data, int size);
void ppp_init(void);
-struct ppp_layer_t* ppp_lcp_init(struct ppp_t *ppp);
+struct ppp_fsm_t* ppp_lcp_init(struct ppp_t *ppp);
void ppp_layer_started(struct ppp_t *ppp);
void ppp_terminate(struct ppp_t *ppp);
+void ppp_register_handler(struct ppp_t*,struct ppp_handler_t*);
+void ppp_unregister_handler(struct ppp_t*,struct ppp_handler_t*);
+
+void lcp_start(struct ppp_t*);
+void lcp_finish(struct ppp_t*);
+int auth_start(struct ppp_t*);
+void auth_finish(struct ppp_t*);
+int ccp_start(struct ppp_t*);
+void ccp_finish(struct ppp_t*);
+int ipcp_start(struct ppp_t*);
+void ipcp_finish(struct ppp_t*);
+
+#define __init __attribute__((constructor))
+
#undef offsetof
#ifdef __compiler_offsetof
#define offsetof(TYPE,MEMBER) __compiler_offsetof(TYPE,MEMBER)
#else
#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
#endif
-#endif /* __KERNEL__ */
#define container_of(ptr, type, member) ({ \
const typeof( ((type *)0)->member ) *__mptr = (ptr); \
diff --git a/accel-pptpd/ppp_auth.c b/accel-pptpd/ppp_auth.c
index 1117c21..6fc4801 100644
--- a/accel-pptpd/ppp_auth.c
+++ b/accel-pptpd/ppp_auth.c
@@ -1,129 +1,245 @@
-#include "triton/triton.h"
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
#include "ppp.h"
#include "ppp_lcp.h"
-#include "ppp_fsm.h"
+#include "log.h"
+
#include "ppp_auth.h"
-static LIST_HEAD(drv_list);
-int auth_register(struct auth_driver_t *new)
+static LIST_HEAD(auth_handlers);
+static int extra_opt_len=0;
+
+static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp);
+static void auth_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt);
+static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr);
+static void auth_print(void (*print)(const char *fmt,...),struct lcp_option_t*, uint8_t *ptr);
+
+struct auth_option_t
+{
+ struct lcp_option_t opt;
+ struct list_head auth_list;
+ struct auth_data_t *auth;
+ struct auth_data_t *peer_auth;
+};
+
+static struct lcp_option_handler_t auth_opt_hnd=
{
- struct auth_driver_t *drv;
+ .init=auth_init,
+ .send_conf_req=auth_send_conf_req,
+ .send_conf_nak=auth_send_conf_req,
+ .recv_conf_req=auth_recv_conf_req,
+ .recv_conf_nak=auth_recv_conf_nak,
+ .recv_conf_rej=auth_recv_conf_rej,
+ .recv_conf_ack=auth_recv_conf_ack,
+ .free=auth_free,
+ .print=auth_print,
+};
- list_for_each_entry(drv,&drv_list,entry)
+static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp)
+{
+ struct ppp_auth_handler_t *h;
+ struct auth_data_t *d;
+ struct auth_option_t *auth_opt=malloc(sizeof(*auth_opt));
+ memset(auth_opt,0,sizeof(*auth_opt));
+ auth_opt->opt.id=CI_AUTH;
+ auth_opt->opt.len=4+extra_opt_len;
+
+ INIT_LIST_HEAD(&auth_opt->auth_list);
+
+ list_for_each_entry(h,&auth_handlers,entry)
{
- if (drv->type==new->type)
- return -1;
+ d=h->init(lcp->ppp);
+ d->h=h;
+ list_add_tail(&d->entry,&auth_opt->auth_list);
}
- list_add_tail(&new->entry,&drv_list);
- return 0;
+
+ return &auth_opt->opt;
}
-int auth_get_conf_req(struct ppp_layer_t *l, struct lcp_opt32_t *opt)
+static void auth_free(struct ppp_lcp_t *lcp, struct lcp_option_t *opt)
{
- int i,n;
- struct auth_driver_t *drv;
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ struct auth_data_t *d;
- for(i=0; i<AUTH_MAX; i++)
- {
- if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]>0)
- goto cont;
- }
- for(i=0; i<AUTH_MAX; i++)
+ while(!list_empty(&auth_opt->auth_list))
{
- if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]==0)
- goto cont;
+ d=list_entry(auth_opt->auth_list.next,typeof(*d),entry);
+ list_del(&d->entry);
+ d->h->free(lcp->ppp,d);
}
- return -1;
-cont:
- list_for_each_entry(drv,&drv_list,entry)
+ free(auth_opt);
+}
+
+static int auth_send_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ struct auth_data_t *d;
+ int n;
+
+ if (list_empty(&auth_opt->auth_list)) return 0;
+
+ if (!auth_opt->auth)
{
- if (drv->type==l->ppp->auth[i])
- break;
+ d=list_entry(auth_opt->auth_list.next,typeof(*d),entry);
+ auth_opt->auth=d;
}
- n=drv->get_conf_req(drv,l,opt);
- opt->val=l->auth[i];
- opt->hdr.len=6+n;
- return 0;
+
+ opt16->hdr.id=CI_AUTH;
+ opt16->val=htons(auth_opt->auth->proto);
+ n=auth_opt->auth->h->send_conf_req(lcp->ppp,auth_opt->auth,(uint8_t*)(opt16+1));
+ opt16->hdr.len=4+n;
+
+ return 4+n;
}
-int auth_recv_conf_req(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr)
+
+static int auth_recv_conf_req(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
{
- struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr;
- struct auth_driver_t *drv;
- int i;
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ struct auth_data_t *d;
- for(i=0; i<AUTH_MAX; i++)
+ if (list_empty(&auth_opt->auth_list))
+ return LCP_OPT_REJ;
+
+ list_for_each_entry(d,&auth_opt->auth_list,entry)
{
- if (l->ppp->auth[i]==opt->val)
+ if (d->proto==ntohs(opt16->val))
{
- list_for_each_entry(drv,&drv_list,entry)
- {
- if (drv->type==l->ppp->auth[i])
- {
- if (drv->recv_conf_req(drv,l->ppp,opt))
- return -1;
- l->options.lcp.neg_auth[i]=1;
- return 0;
- }
- }
- return -1;
+ if (d->h->recv_conf_req(lcp->ppp,d,(uint8_t*)(opt16+1)))
+ break;
+ auth_opt->peer_auth=d;
+ return LCP_OPT_ACK;
}
}
- return -1;
+
+ list_for_each_entry(d,&auth_opt->auth_list,entry)
+ {
+ if (d->state!=LCP_OPT_NAK)
+ {
+ auth_opt->peer_auth=d;
+ return LCP_OPT_NAK;
+ }
+ }
+
+ log_msg("cann't negotiate authentication type\n");
+ return LCP_OPT_FAIL;
}
-int auth_recv_conf_rej(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr)
+
+static int auth_recv_conf_ack(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
{
- struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr;
- int i;
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+
+ auth_opt->peer_auth=NULL;
- for(i=0; i<AUTH_MAX; i++)
+ return 0;
+}
+
+static int auth_recv_conf_nak(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ struct auth_data_t *d;
+
+ list_for_each_entry(d,&auth_opt->auth_list,entry)
{
- if (l->ppp->auth[i]==opt->val)
+ if (d->proto==ntohs(opt16->val))
{
- l->options.lcp.neg_auth[i]=-1;
- break;
+ d->state=LCP_OPT_NAK;
+ if (d->h->recv_conf_req(lcp->ppp,d,(uint8_t*)(opt16+1)))
+ break;
+ auth_opt->auth=d;
+ return 0;
}
}
- for(i=0; i<AUTH_MAX; i++)
+
+ list_for_each_entry(d,&auth_opt->auth_list,entry)
{
- if (l->ppp->auth[i] && l->options.lcp.neg_auth[i]!=-1)
+ if (d->state!=LCP_OPT_NAK)
return 0;
}
+
+ log_msg("cann't negotiate authentication type\n");
+ return -1;
+}
+
+static int auth_recv_conf_rej(struct ppp_lcp_t *lcp, struct lcp_option_t *opt, uint8_t *ptr)
+{
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+
+ if (list_empty(&auth_opt->auth_list))
+ return 0;
+
+ log_msg("cann't negotiate authentication type\n");
return -1;
}
-int auth_recv_conf_nak(struct ppp_layer_t *l, struct lcp_opt_hdr_t *hdr)
+
+static void auth_print(void (*print)(const char *fmt,...),struct lcp_option_t *opt, uint8_t *ptr)
{
- struct lcp_opt32_t *opt=(struct lcp_opt32_t*)hdr;
- int i;
+ struct auth_option_t *auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ struct lcp_opt16_t *opt16=(struct lcp_opt16_t*)ptr;
+ struct auth_data_t *d;
- for(i=0; i<AUTH_MAX; i++)
+ if (ptr)
{
- if (l->ppp->auth[i]==opt->val)
+ list_for_each_entry(d,&auth_opt->auth_list,entry)
{
- l->options.lcp.neg_auth[i]=2;
- return 0;
+ if (d->proto==ntohs(opt16->val))
+ goto print_d;
}
+
+ print("<auth %02x>",ntohs(opt16->val));
+ return;
}
- return -1;
+ else if (auth_opt->auth) d=auth_opt->auth;
+ else return;
+
+print_d:
+ print("<auth %s>",d->h->name);
}
+int ppp_auth_register_handler(struct ppp_auth_handler_t *h)
+{
+ list_add_tail(&h->entry,&auth_handlers);
+ return 0;
+}
+
+static void __init auth_opt_init()
+{
+ lcp_option_register(&auth_opt_hnd);
+}
+
+
+
+
+
+
+
+
int auth_start(struct ppp_t *ppp)
{
- int i;
- struct auth_driver_t *drv;
+ struct lcp_option_t *opt;
+ struct auth_option_t *auth_opt;
- for(i=0; i<AUTH_MAX; i++)
+ list_for_each_entry(opt,&ppp->lcp->options,entry)
{
- if (ppp->lcp_layer->options.lcp.neg_auth[i]==1)
+ if (opt->id==CI_AUTH)
{
- list_for_each_entry(drv,&drv_list,entry)
+ auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ if (auth_opt->auth)
{
- if (drv->type==ppp->auth[i])
- return drv->start(ppp);
+ auth_opt->auth->h->start(ppp,auth_opt->auth);
+ return 1;
}
- return -1;
+ break;
}
}
@@ -132,21 +248,17 @@ int auth_start(struct ppp_t *ppp)
void auth_finish(struct ppp_t *ppp)
{
- int i;
- struct auth_driver_t *drv;
+ struct lcp_option_t *opt;
+ struct auth_option_t *auth_opt;
- for(i=0; i<AUTH_MAX; i++)
+ list_for_each_entry(opt,&ppp->lcp->options,entry)
{
- if (ppp->lcp_layer->options.lcp.neg_auth[i]==1)
+ if (opt->id==CI_AUTH)
{
- list_for_each_entry(drv,&drv_list,entry)
- {
- if (drv->type==ppp->auth[i])
- {
- drv->finish(ppp);
- return;
- }
- }
+ auth_opt=container_of(opt,typeof(*auth_opt),opt);
+ if (auth_opt->auth)
+ auth_opt->auth->h->finish(ppp,auth_opt->auth);
+ break;
}
}
}
diff --git a/accel-pptpd/ppp_auth.h b/accel-pptpd/ppp_auth.h
index 064bf24..f1880d5 100644
--- a/accel-pptpd/ppp_auth.h
+++ b/accel-pptpd/ppp_auth.h
@@ -3,24 +3,32 @@
#include "list.h"
-struct ppp_layer_t;
-struct lcp_opt_hdr_t;
-struct lcp_opt32_t;
+struct ppp_auth_handler_t;
-struct auth_driver_t
+struct auth_data_t
{
struct list_head entry;
- int type;
- int (*get_conf_req)(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
- int (*recv_conf_req)(struct auth_driver_t*, struct ppp_t*, struct lcp_opt32_t*);
- int (*begin)(struct auth_driver_t*, struct ppp_t*);
- int (*terminate)(struct auth_driver_t*, struct ppp_t*);
+ int proto;
+ int state;
+ struct ppp_auth_handler_t *h;
};
-int auth_get_conf_req(struct ppp_layer_t *l, struct lcp_opt32_t *);
-int auth_recv_conf_req(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
-int auth_recv_conf_rej(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
-int auth_recv_conf_nak(struct ppp_layer_t *l, struct lcp_opt_hdr_t *);
+struct ppp_auth_handler_t
+{
+ struct list_head entry;
+ const char *name;
+ struct auth_data_t* (*init)(struct ppp_t*);
+ int (*send_conf_req)(struct ppp_t*, struct auth_data_t*, uint8_t*);
+ int (*recv_conf_req)(struct ppp_t*, struct auth_data_t*, uint8_t*);
+ int (*start)(struct ppp_t*, struct auth_data_t*);
+ int (*finish)(struct ppp_t*, struct auth_data_t*);
+ void (*free)(struct ppp_t*,struct auth_data_t*);
+};
+
+int ppp_auth_register_handler(struct ppp_auth_handler_t*);
+
+void auth_successed(struct ppp_t *ppp);
+void auth_failed(struct ppp_t *ppp);
#endif
diff --git a/accel-pptpd/ppp_ccp.c b/accel-pptpd/ppp_ccp.c
new file mode 100644
index 0000000..2f3ce4a
--- /dev/null
+++ b/accel-pptpd/ppp_ccp.c
@@ -0,0 +1,12 @@
+#include "ppp.h"
+
+int ccp_start(struct ppp_t *ppp)
+{
+ return 0;
+}
+
+void ccp_finish(struct ppp_t *ppp)
+{
+
+}
+
diff --git a/accel-pptpd/ppp_fsm.c b/accel-pptpd/ppp_fsm.c
index fdbcbe9..e2884c2 100644
--- a/accel-pptpd/ppp_fsm.c
+++ b/accel-pptpd/ppp_fsm.c
@@ -14,16 +14,17 @@
#include "ppp.h"
#include "ppp_fsm.h"
#include "ppp_lcp.h"
+#include "log.h"
-void send_term_req(struct ppp_layer_t *layer);
-void send_term_ack(struct ppp_layer_t *layer);
-void send_echo_reply(struct ppp_layer_t *layer);
+void send_term_req(struct ppp_fsm_t *layer);
+void send_term_ack(struct ppp_fsm_t *layer);
+void send_echo_reply(struct ppp_fsm_t *layer);
-static void init_req_counter(struct ppp_layer_t *layer,int timeout);
-static void zero_req_counter(struct ppp_layer_t *layer);
+static void init_req_counter(struct ppp_fsm_t *layer,int timeout);
+static void zero_req_counter(struct ppp_fsm_t *layer);
static int restart_timer_func(struct triton_timer_t*t);
-void ppp_fsm_init(struct ppp_layer_t *layer)
+void ppp_fsm_init(struct ppp_fsm_t *layer)
{
layer->fsm_state=FSM_Initial;
layer->restart_timer.active=0;
@@ -34,10 +35,9 @@ void ppp_fsm_init(struct ppp_layer_t *layer)
layer->max_terminate=2;
layer->max_configure=10;
layer->max_failure=5;
- layer->id=0;
}
-void ppp_fsm_lower_up(struct ppp_layer_t *layer)
+void ppp_fsm_lower_up(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -55,7 +55,7 @@ void ppp_fsm_lower_up(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_lower_down(struct ppp_layer_t *layer)
+void ppp_fsm_lower_down(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -82,7 +82,7 @@ void ppp_fsm_lower_down(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_open(struct ppp_layer_t *layer)
+void ppp_fsm_open(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -103,18 +103,15 @@ void ppp_fsm_open(struct ppp_layer_t *layer)
layer->fsm_state=FSM_Stopping;
case FSM_Stopped:
case FSM_Opened:
- if (layer->opt_restart)
- {
- ppp_fsm_lower_down(layer);
- ppp_fsm_lower_up(layer);
- }
+ ppp_fsm_lower_down(layer);
+ ppp_fsm_lower_up(layer);
break;
default:
break;
}
}
-void ppp_fsm_close(struct ppp_layer_t *layer)
+void ppp_fsm_close(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -143,7 +140,7 @@ void ppp_fsm_close(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_timeout0(struct ppp_layer_t *layer)
+void ppp_fsm_timeout0(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -162,7 +159,7 @@ void ppp_fsm_timeout0(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_timeout1(struct ppp_layer_t *layer)
+void ppp_fsm_timeout1(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -179,14 +176,13 @@ void ppp_fsm_timeout1(struct ppp_layer_t *layer)
case FSM_Ack_Sent:
if (layer->layer_finished) layer->layer_finished(layer);
layer->fsm_state=FSM_Stopped;
- layer->opt_passive=1;
break;
default:
break;
}
}
-void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_req_ack(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -219,7 +215,37 @@ void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_req_nak(struct ppp_fsm_t *layer)
+{
+ switch(layer->fsm_state)
+ {
+ case FSM_Closed:
+ send_term_ack(layer);
+ break;
+ case FSM_Stopped:
+ //if (layer->init_req_cnt) layer->init_req_cnt(layer);
+ init_req_counter(layer,layer->max_configure);
+ if (layer->send_conf_req) layer->send_conf_req(layer);
+ case FSM_Ack_Sent:
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ layer->fsm_state=FSM_Req_Sent;
+ break;
+ case FSM_Req_Sent:
+ case FSM_Ack_Rcvd:
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ break;
+ case FSM_Opened:
+ if (layer->layer_down) layer->layer_down(layer);
+ if (layer->send_conf_req) layer->send_conf_req(layer);
+ if (layer->send_conf_nak) layer->send_conf_nak(layer);
+ layer->fsm_state=FSM_Req_Sent;
+ break;
+ default:
+ break;
+ }
+}
+
+void ppp_fsm_recv_conf_req_rej(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -249,7 +275,7 @@ void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_ack(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -282,7 +308,7 @@ void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer)
+void ppp_fsm_recv_conf_rej(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -314,7 +340,7 @@ void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_term_req(struct ppp_layer_t *layer)
+void ppp_fsm_recv_term_req(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -337,7 +363,7 @@ void ppp_fsm_recv_term_req(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer)
+void ppp_fsm_recv_term_ack(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -362,12 +388,12 @@ void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_unk(struct ppp_layer_t *layer)
+void ppp_fsm_recv_unk(struct ppp_fsm_t *layer)
{
if (layer->send_conf_rej) layer->send_conf_rej(layer);
}
-void ppp_fsm_recv_code_rej_perm(struct ppp_layer_t *layer)
+void ppp_fsm_recv_code_rej_perm(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
@@ -379,15 +405,13 @@ void ppp_fsm_recv_code_rej_perm(struct ppp_layer_t *layer)
}
}
-void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer)
+void ppp_fsm_recv_code_rej_bad(struct ppp_fsm_t *layer)
{
switch(layer->fsm_state)
{
case FSM_Opened:
if (layer->layer_down) layer->layer_down(layer);
- //if (layer->init_req_cnt) layer->init_req_cnt(layer);
- init_req_counter(layer,layer->max_configure);
- if (layer->send_conf_req) layer->send_conf_req(layer);
+ send_term_req(layer);
layer->fsm_state=FSM_Stopping;
break;
case FSM_Closing:
@@ -406,53 +430,55 @@ void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer)
}
}
-void send_term_req(struct ppp_layer_t *layer)
+void send_term_req(struct ppp_fsm_t *layer)
{
struct lcp_hdr_t hdr={
- .proto=PPP_LCP,
+ .proto=htons(PPP_LCP),
.code=TERMREQ,
.id=++layer->id,
- .len=4,
+ .len=htons(4),
};
- ppp_send(layer->ppp,&hdr,hdr.len);
+ log_debug("send [LCP TermReq id=%i \"\"]\n",hdr.id);
+
+ ppp_send(layer->ppp,&hdr,6);
}
-void send_term_ack(struct ppp_layer_t *layer)
+void send_term_ack(struct ppp_fsm_t *layer)
{
struct lcp_hdr_t hdr={
- .proto=PPP_LCP,
+ .proto=htons(PPP_LCP),
.code=TERMACK,
.id=layer->recv_id,
- .len=4,
+ .len=htons(4),
};
- ppp_send(layer->ppp,&hdr,hdr.len);
-}
-void ppp_fsm_recv(struct ppp_layer_t *layer)
-{
+ log_debug("send [LCP TermAck id=%i \"\"]\n",hdr.id);
+
+ ppp_send(layer->ppp,&hdr,6);
}
-static void init_req_counter(struct ppp_layer_t *layer,int timeout)
+static void init_req_counter(struct ppp_fsm_t *layer,int timeout)
{
triton_timer_del(&layer->restart_timer);
+ layer->restart_timer.expire_tv.tv_sec=0;
triton_timer_add(&layer->restart_timer);
layer->restart_counter=timeout;
}
-static void zero_req_counter(struct ppp_layer_t *layer)
+static void zero_req_counter(struct ppp_fsm_t *layer)
{
triton_timer_del(&layer->restart_timer);
+ layer->restart_timer.expire_tv.tv_sec=0;
triton_timer_add(&layer->restart_timer);
layer->restart_counter=0;
}
static int restart_timer_func(struct triton_timer_t*t)
{
- struct ppp_layer_t *layer=(struct ppp_layer_t *)t->pd;
+ struct ppp_fsm_t *layer=(struct ppp_fsm_t *)t->pd;
if (layer->restart_counter)
{
ppp_fsm_timeout0(layer);
- layer->restart_counter--;
return 1;
}
diff --git a/accel-pptpd/ppp_fsm.h b/accel-pptpd/ppp_fsm.h
index 3ed6284..eddafcf 100644
--- a/accel-pptpd/ppp_fsm.h
+++ b/accel-pptpd/ppp_fsm.h
@@ -1,9 +1,6 @@
#ifndef PPP_FSM_H
#define PPP_FSM_H
-#include "triton/triton.h"
-#include "list.h"
-
typedef enum {FSM_Initial=0,FSM_Starting,FSM_Closed,FSM_Stopped,FSM_Closing,FSM_Stopping,FSM_Req_Sent,FSM_Ack_Rcvd,FSM_Ack_Sent,FSM_Opened} FSM_STATE;
/*
* CP (LCP, IPCP, etc.) codes.
@@ -18,35 +15,13 @@ typedef enum {FSM_Initial=0,FSM_Starting,FSM_Closed,FSM_Stopped,FSM_Closing,FSM_
#define ECHOREQ 9 /* Echo Request */
#define ECHOREP 10 /* Echo Reply */
-struct ppp_hdr_t;
-
-#define AUTH_MAX 3
-struct lcp_options_t
-{
- int magic;
- int mtu;
- int mru;
- int accomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
- int pcomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
- // negotiated options;
- int neg_mru;
- int neg_mtu;
- int neg_accomp; // -1 - rejected
- int neg_pcomp;
- int neg_auth[AUTH_MAX];
-};
+struct ppp_t;
-struct ppp_layer_t
+struct ppp_fsm_t
{
- struct ppp_handler_t h;
struct ppp_t *ppp;
FSM_STATE fsm_state;
- union
- {
- struct lcp_options_t lcp;
- } options;
-
struct triton_timer_t restart_timer;
int restart_counter;
int max_terminate;
@@ -56,38 +31,33 @@ struct ppp_layer_t
int id;
int recv_id;
- int opt_restart:1;
- int opt_passive:1;
-
- void *last_conf_req;
//fsm handling
- void (*layer_up)(struct ppp_layer_t*);
- void (*layer_down)(struct ppp_layer_t*);
- void (*layer_started)(struct ppp_layer_t*);
- void (*layer_finished)(struct ppp_layer_t*);
- void (*send_conf_req)(struct ppp_layer_t*);
- void (*send_conf_ack)(struct ppp_layer_t*);
- void (*send_conf_nak)(struct ppp_layer_t*);
- void (*send_conf_rej)(struct ppp_layer_t*);
+ void (*layer_up)(struct ppp_fsm_t*);
+ void (*layer_down)(struct ppp_fsm_t*);
+ void (*layer_started)(struct ppp_fsm_t*);
+ void (*layer_finished)(struct ppp_fsm_t*);
+ void (*send_conf_req)(struct ppp_fsm_t*);
+ void (*send_conf_ack)(struct ppp_fsm_t*);
+ void (*send_conf_nak)(struct ppp_fsm_t*);
+ void (*send_conf_rej)(struct ppp_fsm_t*);
};
-void ppp_fsm_init(struct ppp_layer_t*);
-void ppp_fsm_recv(struct ppp_layer_t*);
-
-void ppp_fsm_lower_up(struct ppp_layer_t *layer);
-void ppp_fsm_lower_down(struct ppp_layer_t *layer);
-void ppp_fsm_open(struct ppp_layer_t *layer);
-void ppp_fsm_close(struct ppp_layer_t *layer);
-void ppp_fsm_timeout0(struct ppp_layer_t *layer);
-void ppp_fsm_timeout1(struct ppp_layer_t *layer);
-void ppp_fsm_recv_conf_req_good(struct ppp_layer_t *layer);
-void ppp_fsm_recv_conf_req_bad(struct ppp_layer_t *layer);
-void ppp_fsm_recv_conf_ack(struct ppp_layer_t *layer);
-void ppp_fsm_recv_conf_rej(struct ppp_layer_t *layer);
-void ppp_fsm_recv_term_req(struct ppp_layer_t *layer);
-void ppp_fsm_recv_term_ack(struct ppp_layer_t *layer);
-void ppp_fsm_recv_unk(struct ppp_layer_t *layer);
-void ppp_fsm_recv_code_rej_bad(struct ppp_layer_t *layer);
-void ppp_fsm_recv_echo(struct ppp_layer_t *layer);
+void ppp_fsm_init(struct ppp_fsm_t*);
+
+void ppp_fsm_lower_up(struct ppp_fsm_t*);
+void ppp_fsm_lower_down(struct ppp_fsm_t*);
+void ppp_fsm_open(struct ppp_fsm_t*);
+void ppp_fsm_close(struct ppp_fsm_t*);
+void ppp_fsm_timeout0(struct ppp_fsm_t *layer);
+void ppp_fsm_timeout1(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_conf_req_ack(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_conf_req_nak(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_conf_req_rej(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_conf_ack(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_conf_rej(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_term_req(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_term_ack(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_unk(struct ppp_fsm_t *layer);
+void ppp_fsm_recv_code_rej_bad(struct ppp_fsm_t *layer);
#endif
diff --git a/accel-pptpd/ppp_ipcp.c b/accel-pptpd/ppp_ipcp.c
new file mode 100644
index 0000000..09b0483
--- /dev/null
+++ b/accel-pptpd/ppp_ipcp.c
@@ -0,0 +1,12 @@
+#include "ppp.h"
+
+int ipcp_start(struct ppp_t *ppp)
+{
+ return 0;
+}
+
+void ipcp_finish(struct ppp_t *ppp)
+{
+
+}
+
diff --git a/accel-pptpd/ppp_lcp.c b/accel-pptpd/ppp_lcp.c
index 2d1dee0..21b7fb2 100644
--- a/accel-pptpd/ppp_lcp.c
+++ b/accel-pptpd/ppp_lcp.c
@@ -10,318 +10,420 @@
#include "log.h"
#include "ppp.h"
-#include "ppp_fsm.h"
#include "ppp_lcp.h"
-#include "ppp_auth.h"
-
-char* accomp="allow,disabled";
-char* pcomp="allow,disabled";
-char* auth="pap,eap,mschap-v2";
-char* mppe="allow,disabled";
-char* pwdb="radius";
-
-static void lcp_layer_up(struct ppp_layer_t*);
-static void lcp_layer_down(struct ppp_layer_t*);
-static void send_conf_req(struct ppp_layer_t*);
-static void send_conf_ack(struct ppp_layer_t*);
-static void send_conf_nak(struct ppp_layer_t*);
-static void send_conf_rej(struct ppp_layer_t*);
-static void lcp_recv(struct ppp_layer_t*);
+
+struct recv_opt_t
+{
+ struct list_head entry;
+ struct lcp_opt_hdr_t *hdr;
+ int len;
+ int state;
+ struct lcp_option_t *lopt;
+};
+
+static LIST_HEAD(option_handlers);
+
+static void lcp_layer_up(struct ppp_fsm_t*);
+static void lcp_layer_down(struct ppp_fsm_t*);
+static void send_conf_req(struct ppp_fsm_t*);
+static void send_conf_ack(struct ppp_fsm_t*);
+static void send_conf_nak(struct ppp_fsm_t*);
+static void send_conf_rej(struct ppp_fsm_t*);
+static void lcp_recv(struct ppp_handler_t*);
+
+static void lcp_options_init(struct ppp_lcp_t *lcp)
+{
+ struct lcp_option_t *lopt;
+ struct lcp_option_handler_t *h;
+
+ INIT_LIST_HEAD(&lcp->options);
+
+ list_for_each_entry(h,&option_handlers,entry)
+ {
+ lopt=h->init(lcp);
+ if (lopt)
+ {
+ lopt->h=h;
+ list_add_tail(&lopt->entry,&lcp->options);
+ lcp->conf_req_len+=lopt->len;
+ }
+ }
+}
+
+static void lcp_options_free(struct ppp_lcp_t *lcp)
+{
+ struct lcp_option_t *lopt;
+
+ while(!list_empty(&lcp->options))
+ {
+ lopt=list_entry(lcp->options.next,typeof(*lopt),entry);
+ list_del(&lopt->entry);
+ lopt->h->free(lcp,lopt);
+ }
+}
void lcp_start(struct ppp_t *ppp)
{
- struct ppp_layer_t *layer=malloc(sizeof(*layer));
- memset(layer,0,sizeof(*layer));
+ struct ppp_lcp_t *lcp=malloc(sizeof(*lcp));
+ memset(lcp,0,sizeof(*lcp));
- layer->h.proto=PPP_LCP;
- layer->h.recv=lcp_recv;
+ lcp->ppp=ppp;
+ lcp->fsm.ppp=ppp;
- layer->ppp=ppp;
- ppp_fsm_init(layer);
+ lcp->hnd.proto=PPP_LCP;
+ lcp->hnd.recv=lcp_recv;
+
+ ppp_register_handler(ppp,&lcp->hnd);
+
+ ppp_fsm_init(&lcp->fsm);
- layer->layer_started=lcp_layer_started;
- layer->send_conf_req=send_conf_req;
- layer->send_conf_ack=send_conf_ack;
- layer->send_conf_nak=send_conf_nak;
- layer->send_conf_rej=send_conf_rej;
+ lcp->fsm.layer_up=lcp_layer_up;
+ lcp->fsm.layer_down=lcp_layer_down;
+ lcp->fsm.send_conf_req=send_conf_req;
+ lcp->fsm.send_conf_ack=send_conf_ack;
+ lcp->fsm.send_conf_nak=send_conf_nak;
+ lcp->fsm.send_conf_rej=send_conf_rej;
- ppp_fsm_init(layer);
- ppp_fsm_lower_up(layer);
- ppp_fsm_open(layer);
+ lcp_options_init(lcp);
+ INIT_LIST_HEAD(&lcp->ropt_list);
- ppp_register_handler(&layer->h);
+ ppp_fsm_lower_up(&lcp->fsm);
+ ppp_fsm_open(&lcp->fsm);
+
+ ppp->lcp=lcp;
}
-static void lcp_layer_up(struct ppp_layer_t *l)
+void lcp_finish(struct ppp_t *ppp)
{
- ppp_layer_started(l->ppp);
+ struct ppp_lcp_t *lcp=ppp->lcp;
+
+ ppp_unregister_handler(ppp,&lcp->hnd);
+ lcp_options_free(lcp);
+
+ free(lcp);
}
-static void lcp_layer_down(struct ppp_layer_t *l)
+
+static void lcp_layer_up(struct ppp_fsm_t *fsm)
{
- ppp_terminate(l->ppp);
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ ppp_layer_started(lcp->ppp);
}
-static void send_conf_req(struct ppp_layer_t*l)
+static void lcp_layer_down(struct ppp_fsm_t *fsm)
{
- uint8_t buf[128],*ptr=buf;
- struct lcp_opt_hdr_t *opt0;
- struct lcp_opt16_t *opt16;
- struct lcp_opt32_t *opt32;
- struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr; ptr+=sizeof(*lcp_hdr);
-
- log_msg("send [LCP ConfReq");
- lcp_hdr->proto=PPP_LCP;
- lcp_hdr->code=CONFREQ;
- lcp_hdr->id=++l->id;
- lcp_hdr->len=0;
- log_msg(" id=%x",lcp_hdr->id);
-
- //mru
- opt16=(struct lcp_opt16_t*)ptr; ptr+=sizeof(*opt16);
- opt16->hdr.type=CI_MRU;
- opt16->hdr.len=4;
- opt16->val=htons(l->options.lcp.mtu);
- log_msg(" <mru %i>",l->options.lcp.mtu);
-
- //auth
- opt32=(struct lcp_opt32_t*)ptr;;
- if (auth_get_conf_req(l,opt32))
- ptr+=opt32->hdr.len;
-
- //magic
- opt32=(struct lcp_opt32_t*)ptr; ptr+=sizeof(*opt32);
- opt32->hdr.type=CI_MAGIC;
- opt32->hdr.len=6;
- opt32->val=htonl(l->options.lcp.magic);
- log_msg(" <magic %x>",l->options.lcp.magic);
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ ppp_terminate(lcp->ppp);
+}
+static void print_ropt(struct recv_opt_t *ropt)
+{
+ int i;
+ uint8_t *ptr=(uint8_t*)ropt->hdr;
- //pcomp
- if (l->options.lcp.pcomp==1 || (l->options.lcp.pcomp==3 && l->options.lcp.neg_pcomp!=-1))
+ log_debug(" <");
+ for(i=0; i<ropt->len; i++)
{
- opt0=(struct lcp_opt_hdr_t*)ptr; ptr+=sizeof(*opt0);
- opt0->type=CI_PCOMP;
- opt0->len=2;
- log_msg(" <pcomp>");
+ log_debug(" %x",ptr[i]);
}
+ log_debug(">");
+}
- //acccomp
- if (l->options.lcp.accomp==1 || (l->options.lcp.accomp==3 && l->options.lcp.neg_accomp!=-1))
+static void send_conf_req(struct ppp_fsm_t *fsm)
+{
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ uint8_t *buf=malloc(lcp->conf_req_len), *ptr=buf;
+ struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr;
+ struct lcp_option_t *lopt;
+ int n;
+
+ log_debug("send [LCP ConfReq");
+ lcp_hdr->proto=htons(PPP_LCP);
+ lcp_hdr->code=CONFREQ;
+ lcp_hdr->id=++lcp->fsm.id;
+ lcp_hdr->len=0;
+ log_debug(" id=%x",lcp_hdr->id);
+
+ ptr+=sizeof(*lcp_hdr);
+
+ list_for_each_entry(lopt,&lcp->options,entry)
{
- opt0=(struct lcp_opt_hdr_t*)ptr; ptr+=sizeof(*opt0);
- opt0->type=CI_ACCOMP;
- opt0->len=2;
- log_msg(" <accomp>");
+ n=lopt->h->send_conf_req(lcp,lopt,ptr);
+ if (n)
+ {
+ log_debug(" ");
+ lopt->h->print(log_debug,lopt,NULL);
+ ptr+=n;
+ }
}
- log_msg("]\n");
+
+ log_debug("]\n");
- lcp_hdr->len=ptr-buf;
- ppp_send(l->ppp,lcp_hdr,lcp_hdr->len+2);
+ lcp_hdr->len=htons((ptr-buf)-2);
+ ppp_send(lcp->ppp,lcp_hdr,ptr-buf);
}
-static void send_conf_ack(struct ppp_layer_t*l)
+
+static void send_conf_ack(struct ppp_fsm_t *fsm)
{
- struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)l->ppp->in_buf;
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)lcp->ppp->in_buf;
hdr->code=CONFACK;
- log_msg("send [LCP ConfAck id=%x\n",l->recv_id);
+ log_debug("send [LCP ConfAck id=%x ]\n",lcp->fsm.recv_id);
- ppp_send(l->ppp,hdr,hdr->len+2);
+ ppp_send(lcp->ppp,hdr,ntohs(hdr->len)+2);
}
-static void send_conf_nak(struct ppp_layer_t*l)
+
+static void send_conf_nak(struct ppp_fsm_t *fsm)
{
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ uint8_t *buf=malloc(lcp->conf_req_len), *ptr=buf;
+ struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr;
+ struct lcp_option_t *lopt;
+
+ log_debug("send [LCP ConfNak id=%x",lcp->fsm.recv_id);
+
+ lcp_hdr->proto=htons(PPP_LCP);
+ lcp_hdr->code=CONFNAK;
+ lcp_hdr->id=lcp->fsm.recv_id;
+ lcp_hdr->len=0;
+
+ ptr+=sizeof(*lcp_hdr);
+
+ list_for_each_entry(lopt,&lcp->options,entry)
+ {
+ if (lopt->state==LCP_OPT_NAK)
+ {
+ log_debug(" ");
+ lopt->h->print(log_debug,lopt,NULL);
+ ptr+=lopt->h->send_conf_nak(lcp,lopt,ptr);
+ }
+ }
+
+ log_debug("]\n");
+
+ lcp_hdr->len=htons((ptr-buf)-2);
+ ppp_send(lcp->ppp,lcp_hdr,ptr-buf);
}
-static void send_conf_rej(struct ppp_layer_t*l)
+
+static void send_conf_rej(struct ppp_fsm_t *fsm)
{
- struct lcp_hdr_t *hdr=(struct lcp_hdr_t*)l->ppp->in_buf;
+ struct ppp_lcp_t *lcp=container_of(fsm,typeof(*lcp),fsm);
+ uint8_t *buf=malloc(lcp->ropt_len), *ptr=buf;
+ struct lcp_hdr_t *lcp_hdr=(struct lcp_hdr_t*)ptr;
+ struct recv_opt_t *ropt;
+
+ log_debug("send [LCP ConfRej id=%x ",lcp->fsm.recv_id);
+
+ lcp_hdr->proto=htons(PPP_LCP);
+ lcp_hdr->code=CONFREJ;
+ lcp_hdr->id=lcp->fsm.recv_id;
+ lcp_hdr->len=0;
- hdr->code=CONFREJ;
- log_msg("send [LCP ConfRej id=%x\n",l->recv_id);
+ ptr+=sizeof(*lcp_hdr);
- ppp_send(l->ppp,hdr,hdr->len+2);
+ list_for_each_entry(ropt,&lcp->ropt_list,entry)
+ {
+ if (ropt->state==LCP_OPT_REJ)
+ {
+ log_debug(" ");
+ if (ropt->lopt) ropt->lopt->h->print(log_debug,ropt->lopt,(uint8_t*)ropt->hdr);
+ else print_ropt(ropt);
+ memcpy(ptr,ropt->hdr,ropt->len);
+ ptr+=ropt->len;
+ }
+ }
+
+ log_debug("]\n");
+
+ lcp_hdr->len=htons((ptr-buf)-2);
+ ppp_send(lcp->ppp,lcp_hdr,ptr-buf);
}
-static int lcp_recv_conf_req(struct ppp_layer_t*l,uint8_t *data,int size)
+static int lcp_recv_conf_req(struct ppp_lcp_t *lcp,uint8_t *data,int size)
{
- struct lcp_opt_hdr_t *opt;
- struct lcp_opt16_t *opt16;
+ struct lcp_opt_hdr_t *hdr;
+ struct recv_opt_t *ropt;
+ struct lcp_option_t *lopt;
+ int r,ret=1;
+
+ lcp->ropt_len=size;
+
+ while(size>0)
+ {
+ hdr=(struct lcp_opt_hdr_t *)data;
+
+ ropt=malloc(sizeof(*ropt));
+ if (hdr->len>size) ropt->len=size;
+ else ropt->len=hdr->len;
+ ropt->hdr=hdr;
+ ropt->state=LCP_OPT_NONE;
+ list_add_tail(&ropt->entry,&lcp->ropt_list);
+
+ data+=ropt->len;
+ size-=ropt->len;
+ }
+
+ list_for_each_entry(lopt,&lcp->options,entry)
+ lopt->state=LCP_OPT_NONE;
+
+ log_debug("recv [LCP ConfReq id=%x",lcp->fsm.recv_id);
+ list_for_each_entry(ropt,&lcp->ropt_list,entry)
+ {
+ list_for_each_entry(lopt,&lcp->options,entry)
+ {
+ if (lopt->id==ropt->hdr->id)
+ {
+ log_debug(" ");
+ lopt->h->print(log_debug,lopt,(uint8_t*)ropt->hdr);
+ r=lopt->h->recv_conf_req(lcp,lopt,(uint8_t*)ropt->hdr);
+ lopt->state=r;
+ ropt->state=r;
+ if (r<ret) ret=r;
+ }
+ }
+ }
+ log_debug("]\n");
+
+ /*list_for_each_entry(lopt,&lcp->options,entry)
+ {
+ if (lopt->state==LCP_OPT_NONE)
+ {
+ r=lopt->h->recv_conf_req(lcp,lopt,NULL);
+ lopt->state=r;
+ if (r<ret) ret=r;
+ }
+ }*/
+
+ return ret;
+}
+
+static void lcp_free_conf_req(struct ppp_lcp_t *lcp)
+{
+ struct recv_opt_t *ropt;
+
+ while(!list_empty(&lcp->ropt_list))
+ {
+ ropt=list_entry(lcp->ropt_list.next,typeof(*ropt),entry);
+ list_del(&ropt->entry);
+ free(ropt);
+ }
+}
+
+static int lcp_recv_conf_rej(struct ppp_lcp_t *lcp,uint8_t *data,int size)
+{
+ struct lcp_opt_hdr_t *hdr;
+ struct lcp_option_t *lopt;
int res=0;
- log_debug("recv [LCP ConfReq id=%x",l->recv_id);
+ log_debug("recv [LCP ConfRej id=%x",lcp->fsm.recv_id);
- while(size)
+ if (lcp->fsm.recv_id!=lcp->fsm.id)
{
- opt=(struct lcp_opt_hdr_t *)data;
- switch(opt->type)
+ log_debug(": id mismatch ]\n");
+ return 0;
+ }
+
+ while(size>0)
+ {
+ hdr=(struct lcp_opt_hdr_t *)data;
+
+ list_for_each_entry(lopt,&lcp->options,entry)
{
- case CI_MRU:
- opt16=(struct lcp_opt16_t*)data;
- l->options.lcp.neg_mru=ntohs(opt16->val);
- log_debug(" <mru %i>",l->options.lcp.neg_mru);
- break;
- case CI_ASYNCMAP:
- log_debug(" <asyncmap ...>");
- break;
- case CI_AUTHTYPE:
- if (auth_recv_conf_req(l,opt))
- res=-1;
- break;
- case CI_MAGIC:
- if (*(uint32_t*)data==l->options.lcp.magic)
- {
- log_error("loop detected\n");
- res=-1;
- }
- break;
- case CI_PCOMP:
- log_debug(" <pcomp>");
- if (l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=1;
- else {
- l->options.lcp.neg_pcomp=-2;
- res=-1;
- }
- break;
- case CI_ACCOMP:
- log_debug(" <accomp>");
- if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=1;
- else {
- l->options.lcp.neg_accomp=-2;
+ if (lopt->id==hdr->id)
+ {
+ if (lopt->h->recv_conf_rej(lcp,lopt,data))
res=-1;
- }
break;
+ }
}
- data+=opt->len;
- size-=opt->len;
+
+ data+=hdr->len;
+ size-=hdr->len;
}
- log_debug("\n");
+ log_debug("]\n");
return res;
}
-static int lcp_recv_conf_rej(struct ppp_layer_t*l,uint8_t *data,int size)
+static int lcp_recv_conf_nak(struct ppp_lcp_t *lcp,uint8_t *data,int size)
{
- struct lcp_opt_hdr_t *opt;
- struct lcp_opt16_t *opt16;
+ struct lcp_opt_hdr_t *hdr;
+ struct lcp_option_t *lopt;
int res=0;
- log_debug("recv [LCP ConfRej id=%x",l->recv_id);
+ log_debug("recv [LCP ConfNak id=%x",lcp->fsm.recv_id);
- if (l->recv_id!=l->id)
+ if (lcp->fsm.recv_id!=lcp->fsm.id)
{
- log_debug(": id mismatch\n");
+ log_debug(": id mismatch ]\n");
return 0;
}
- while(size)
+ while(size>0)
{
- opt=(struct lcp_opt_hdr_t *)data;
- switch(opt->type)
+ hdr=(struct lcp_opt_hdr_t *)data;
+
+ list_for_each_entry(lopt,&lcp->options,entry)
{
- case CI_MRU:
- opt16=(struct lcp_opt16_t*)data;
- log_debug(" <mru %i>",l->options.lcp.neg_mru);
- break;
- case CI_ASYNCMAP:
- log_debug(" <asyncmap ...>");
- break;
- case CI_AUTHTYPE:
- if (auth_recv_conf_rej(l,opt))
- res=-1;
- break;
- case CI_MAGIC:
- if (*(uint32_t*)data==l->options.lcp.magic)
- {
- log_error("loop detected\n");
+ if (lopt->id==hdr->id)
+ {
+ log_debug(" ");
+ lopt->h->print(log_debug,lopt,data);
+ if (lopt->h->recv_conf_nak(lcp,lopt,data))
res=-1;
- }
- break;
- case CI_PCOMP:
- log_debug(" <pcomp>");
- if (l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=-1;
- else {
- l->options.lcp.neg_pcomp=-2;
- res=-1;
- }
- break;
- case CI_ACCOMP:
- log_debug(" <accomp>");
- if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=-1;
- else {
- l->options.lcp.neg_accomp=-2;
- res=-1;
- }
break;
+ }
}
- data+=opt->len;
- size-=opt->len;
+
+ data+=hdr->len;
+ size-=hdr->len;
}
- log_debug("\n");
+ log_debug("]\n");
return res;
}
-static int lcp_recv_conf_nak(struct ppp_layer_t*l,uint8_t *data,int size)
+
+static int lcp_recv_conf_ack(struct ppp_lcp_t *lcp,uint8_t *data,int size)
{
- struct lcp_opt_hdr_t *opt;
- struct lcp_opt16_t *opt16;
+ struct lcp_opt_hdr_t *hdr;
+ struct lcp_option_t *lopt;
int res=0;
- log_debug("recv [LCP ConfNak id=%x",l->recv_id);
+ log_debug("recv [LCP ConfAck id=%x",lcp->fsm.recv_id);
- if (l->recv_id!=l->id)
+ if (lcp->fsm.recv_id!=lcp->fsm.id)
{
- log_debug(": id mismatch\n");
+ log_debug(": id mismatch ]\n");
return 0;
}
- while(size)
+ while(size>0)
{
- opt=(struct lcp_opt_hdr_t *)data;
- switch(opt->type)
+ hdr=(struct lcp_opt_hdr_t *)data;
+
+ list_for_each_entry(lopt,&lcp->options,entry)
{
- case CI_MRU:
- opt16=(struct lcp_opt16_t*)data;
- log_debug(" <mru %i>",l->options.lcp.neg_mru);
- break;
- case CI_ASYNCMAP:
- log_debug(" <asyncmap ...>");
- break;
- case CI_AUTHTYPE:
- if (auth_recv_conf_nak(l,opt))
- res=-1;
- break;
- case CI_MAGIC:
- if (*(uint32_t*)data==l->options.lcp.magic)
- {
- log_error("loop detected\n");
- res=-1;
- }
- break;
- case CI_PCOMP:
- log_debug(" <pcomp>");
- if (l->options.lcp.pcomp>=1) l->options.lcp.neg_pcomp=-1;
- else {
- l->options.lcp.neg_pcomp=-2;
- res=-1;
- }
- break;
- case CI_ACCOMP:
- log_debug(" <accomp>");
- if (l->options.lcp.accomp>=1) l->options.lcp.neg_accomp=-1;
- else {
- l->options.lcp.neg_accomp=-2;
- res=-1;
- }
+ if (lopt->id==hdr->id)
+ {
+ log_debug(" ");
+ lopt->h->print(log_debug,lopt,data);
+ if (lopt->h->recv_conf_ack)
+ lopt->h->recv_conf_ack(lcp,lopt,data);
break;
+ }
}
- data+=opt->len;
- size-=opt->len;
+
+ data+=hdr->len;
+ size-=hdr->len;
}
- log_debug("\n");
+ log_debug("]\n");
return res;
}
-static void lcp_recv_echo_repl(struct ppp_layer_t*l,uint8_t *data,int size)
+
+static void lcp_recv_echo_repl(struct ppp_lcp_t *lcp,uint8_t *data,int size)
{
}
-void send_echo_reply(struct ppp_layer_t *layer)
+void send_echo_reply(struct ppp_lcp_t *lcp)
{
struct lcp_echo_reply_t
{
@@ -329,73 +431,107 @@ void send_echo_reply(struct ppp_layer_t *layer)
struct lcp_opt32_t magic;
} __attribute__((packed)) msg =
{
- .hdr.proto=PPP_LCP,
+ .hdr.proto=htons(PPP_LCP),
.hdr.code=ECHOREP,
- .hdr.id=layer->recv_id,
- .hdr.len=8,
- .magic.val=layer->options.lcp.magic,
+ .hdr.id=lcp->fsm.recv_id,
+ .hdr.len=htons(8),
+ .magic.val=0,
};
- ppp_send(layer->ppp,&msg,msg.hdr.len+2);
+ ppp_send(lcp->ppp,&msg,ntohs(msg.hdr.len)+2);
}
static void lcp_recv(struct ppp_handler_t*h)
{
struct lcp_hdr_t *hdr;
- struct ppp_layer_t *l=container_of(h,typeof(*l),h);
+ struct ppp_lcp_t *lcp=container_of(h,typeof(*lcp),hnd);
+ int r;
+ char *term_msg;
- if (l->ppp->in_buf_size<PPP_HEADERLEN+2)
+ if (lcp->ppp->in_buf_size<PPP_HEADERLEN+2)
{
log_warn("LCP: short packet received\n");
return;
}
- hdr=(struct lcp_hdr_t *)l->ppp->in_buf;
+ hdr=(struct lcp_hdr_t *)lcp->ppp->in_buf;
if (ntohs(hdr->len)<PPP_HEADERLEN)
{
log_warn("LCP: short packet received\n");
return;
}
- l->recv_id=hdr->id;
+ lcp->fsm.recv_id=hdr->id;
switch(hdr->code)
{
case CONFREQ:
- if (lcp_recv_conf_req(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN))
- ppp_fsm_recv_conf_req_bad(l);
- else
- ppp_fsm_recv_conf_req_good(l);
+ r=lcp_recv_conf_req(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
+ switch(r)
+ {
+ case LCP_OPT_ACK:
+ ppp_fsm_recv_conf_req_ack(&lcp->fsm);
+ break;
+ case LCP_OPT_NAK:
+ ppp_fsm_recv_conf_req_nak(&lcp->fsm);
+ break;
+ case LCP_OPT_REJ:
+ ppp_fsm_recv_conf_req_rej(&lcp->fsm);
+ break;
+ }
+ lcp_free_conf_req(lcp);
+ if (r==LCP_OPT_FAIL)
+ ppp_terminate(lcp->ppp);
break;
case CONFACK:
- //lcp_recv_conf_ack(l,hdr+1,ntohs(hdr->len)-PPP_HDRLEN);
- ppp_fsm_recv_conf_ack(l);
+ lcp_recv_conf_ack(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
+ ppp_fsm_recv_conf_ack(&lcp->fsm);
break;
case CONFNAK:
- lcp_recv_conf_nak(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
- ppp_fsm_recv_conf_rej(l);
+ lcp_recv_conf_nak(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
+ ppp_fsm_recv_conf_rej(&lcp->fsm);
break;
case CONFREJ:
- lcp_recv_conf_rej(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
- ppp_fsm_recv_conf_rej(l);
+ lcp_recv_conf_rej(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
+ ppp_fsm_recv_conf_rej(&lcp->fsm);
break;
case TERMREQ:
- ppp_fsm_recv_term_req(l);
+ term_msg=strndup((uint8_t*)(hdr+1),ntohs(hdr->len));
+ log_debug("recv [LCP TermReq id=%x \"%s\"]\n",hdr->id,term_msg);
+ free(term_msg);
+ ppp_fsm_recv_term_req(&lcp->fsm);
break;
case TERMACK:
- ppp_fsm_recv_term_ack(l);
+ term_msg=strndup((uint8_t*)(hdr+1),ntohs(hdr->len));
+ log_debug("recv [LCP TermAck id=%x \"%s\"]\n",hdr->id,term_msg);
+ free(term_msg);
+ ppp_fsm_recv_term_ack(&lcp->fsm);
break;
case CODEREJ:
- ppp_fsm_recv_code_rej_bad(l);
+ log_debug("recv [LCP CodeRej id=%x]\n",hdr->id);
+ ppp_fsm_recv_code_rej_bad(&lcp->fsm);
break;
case ECHOREQ:
- send_echo_reply(l);
+ send_echo_reply(lcp);
break;
case ECHOREP:
- lcp_recv_echo_repl(l,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
+ lcp_recv_echo_repl(lcp,(uint8_t*)(hdr+1),ntohs(hdr->len)-PPP_HDRLEN);
break;
default:
- ppp_fsm_recv_unk(l);
+ ppp_fsm_recv_unk(&lcp->fsm);
break;
}
}
+int lcp_option_register(struct lcp_option_handler_t *h)
+{
+ /*struct lcp_option_drv_t *p;
+
+ list_for_each_entry(p,option_drv_list,entry)
+ if (p->id==h->id)
+ return -1;*/
+
+ list_add_tail(&h->entry,&option_handlers);
+
+ return 0;
+}
+
diff --git a/accel-pptpd/ppp_lcp.h b/accel-pptpd/ppp_lcp.h
index 5c77a3f..54235c4 100644
--- a/accel-pptpd/ppp_lcp.h
+++ b/accel-pptpd/ppp_lcp.h
@@ -3,13 +3,15 @@
#include <stdint.h>
+#include "triton/triton.h"
+#include "ppp_fsm.h"
/*
* Options.
*/
#define CI_VENDOR 0 /* Vendor Specific */
#define CI_MRU 1 /* Maximum Receive Unit */
#define CI_ASYNCMAP 2 /* Async Control Character Map */
-#define CI_AUTHTYPE 3 /* Authentication Type */
+#define CI_AUTH 3 /* Authentication Type */
#define CI_QUALITY 4 /* Quality Protocol */
#define CI_MAGIC 5 /* Magic Number */
#define CI_PCOMP 7 /* Protocol Field Compression */
@@ -39,7 +41,7 @@ struct lcp_hdr_t
} __attribute__((packed));
struct lcp_opt_hdr_t
{
- uint8_t type;
+ uint8_t id;
uint8_t len;
} __attribute__((packed));
struct lcp_opt8_t
@@ -58,7 +60,68 @@ struct lcp_opt32_t
uint32_t val;
} __attribute__((packed));
+/*struct lcp_options_t
+{
+ int magic;
+ int mtu;
+ int mru;
+ int accomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
+ int pcomp; // 0 - disabled, 1 - enable, 2 - allow, disabled, 3 - allow,enabled
+ // negotiated options;
+ int neg_mru;
+ int neg_mtu;
+ int neg_accomp; // -1 - rejected
+ int neg_pcomp;
+ int neg_auth[AUTH_MAX];
+};*/
+
+#define LCP_OPT_NONE 0
+#define LCP_OPT_ACK 1
+#define LCP_OPT_NAK -1
+#define LCP_OPT_REJ -2
+#define LCP_OPT_FAIL -3
+
+struct ppp_lcp_t;
+struct lcp_option_handler_t;
+
+struct lcp_option_t
+{
+ struct list_head entry;
+ int id;
+ int len;
+ int state;
+ struct lcp_option_handler_t *h;
+};
+
+struct lcp_option_handler_t
+{
+ struct list_head entry;
+ struct lcp_option_t* (*init)(struct ppp_lcp_t*);
+ int (*send_conf_req)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*send_conf_rej)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*send_conf_nak)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*recv_conf_req)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*recv_conf_rej)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*recv_conf_nak)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ int (*recv_conf_ack)(struct ppp_lcp_t*,struct lcp_option_t*,uint8_t*);
+ void (*free)(struct ppp_lcp_t*,struct lcp_option_t*);
+ void (*print)(void (*print)(const char *fmt,...), struct lcp_option_t*,uint8_t*);
+};
+
+struct ppp_lcp_t
+{
+ struct ppp_handler_t hnd;
+ struct ppp_fsm_t fsm;
+ struct ppp_t *ppp;
+ struct list_head options;
+
+ struct list_head ropt_list; // last received ConfReq
+ int ropt_len;
+
+ int conf_req_len;
+};
+int lcp_option_register(struct lcp_option_handler_t *h);
#endif
diff --git a/accel-pptpd/pwdb.c b/accel-pptpd/pwdb.c
new file mode 100644
index 0000000..12130b3
--- /dev/null
+++ b/accel-pptpd/pwdb.c
@@ -0,0 +1,7 @@
+#include "pwdb.h"
+#include "ppp.h"
+
+int pwdb_check(struct ppp_t *ppp,const char *username,const char *password)
+{
+ return 0;
+}
diff --git a/accel-pptpd/pwdb.h b/accel-pptpd/pwdb.h
new file mode 100644
index 0000000..820e269
--- /dev/null
+++ b/accel-pptpd/pwdb.h
@@ -0,0 +1,9 @@
+#ifndef PWDB_H
+#define PWDB_H
+
+struct ppp_t;
+
+int pwdb_check(struct ppp_t*,const char *username,const char *password);
+
+#endif
+
diff --git a/accel-pptpd/triton/timer.c b/accel-pptpd/triton/timer.c
index 2ea36cb..2fa4be8 100644
--- a/accel-pptpd/triton/timer.c
+++ b/accel-pptpd/triton/timer.c
@@ -27,6 +27,11 @@ void triton_timer_add(struct triton_timer_t*tt)
{
struct timer_t *t=(struct timer_t *)malloc(sizeof(struct timer_t));
+ if (!tt->expire_tv.tv_sec)
+ {
+ gettimeofday(&tt->expire_tv,NULL);
+ tv_add(&tt->expire_tv,tt->period);
+ }
t->del=0;
t->timer=tt;
tt->active=1;
diff --git a/doc/rfc3576.txt b/doc/rfc3576.txt
new file mode 100644
index 0000000..89fd9eb
--- /dev/null
+++ b/doc/rfc3576.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group M. Chiba
+Request for Comments: 3576 G. Dommety
+Category: Informational M. Eklund
+ Cisco Systems, Inc.
+ D. Mitton
+ Circular Logic, UnLtd.
+ B. Aboba
+ Microsoft Corporation
+ July 2003
+
+
+ Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes a currently deployed extension to the Remote
+ Authentication Dial In User Service (RADIUS) protocol, allowing
+ dynamic changes to a user session, as implemented by network access
+ server products. This includes support for disconnecting users and
+ changing authorizations applicable to a user session.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 1]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Applicability. . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2. Requirements Language . . . . . . . . . . . . . . . . . 5
+ 1.3. Terminology. . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1. Disconnect Messages (DM) . . . . . . . . . . . . . . . . 5
+ 2.2. Change-of-Authorization Messages (CoA) . . . . . . . . . 6
+ 2.3. Packet Format. . . . . . . . . . . . . . . . . . . . . . 7
+ 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 3.1. Error-Cause. . . . . . . . . . . . . . . . . . . . . . . 13
+ 3.2. Table of Attributes. . . . . . . . . . . . . . . . . . . 16
+ 4. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 20
+ 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 21
+ 5.1. Authorization Issues . . . . . . . . . . . . . . . . . . 21
+ 5.2. Impersonation. . . . . . . . . . . . . . . . . . . . . . 22
+ 5.3. IPsec Usage Guidelines . . . . . . . . . . . . . . . . . 22
+ 5.4. Replay Protection. . . . . . . . . . . . . . . . . . . . 25
+ 6. Example Traces . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 26
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 27
+ 8. Intellectual Property Statement. . . . . . . . . . . . . . . . 28
+ 9. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 28
+ 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
+ 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 30
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 2]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+1. Introduction
+
+ The RADIUS protocol, defined in [RFC2865], does not support
+ unsolicited messages sent from the RADIUS server to the Network
+ Access Server (NAS).
+
+ However, there are many instances in which it is desirable for
+ changes to be made to session characteristics, without requiring the
+ NAS to initiate the exchange. For example, it may be desirable for
+ administrators to be able to terminate a user session in progress.
+ Alternatively, if the user changes authorization level, this may
+ require that authorization attributes be added/deleted from a user
+ session.
+
+ To overcome these limitations, several vendors have implemented
+ additional RADIUS commands in order to be able to support unsolicited
+ messages sent from the RADIUS server to the NAS. These extended
+ commands provide support for Disconnect and Change-of-Authorization
+ (CoA) messages. Disconnect messages cause a user session to be
+ terminated immediately, whereas CoA messages modify session
+ authorization attributes such as data filters.
+
+1.1. Applicability
+
+ This protocol is being recommended for publication as an
+ Informational RFC rather than as a standards-track RFC because of
+ problems that cannot be fixed without creating incompatibilities with
+ deployed implementations. This includes security vulnerabilities, as
+ well as semantic ambiguities resulting from the design of the
+ Change-of-Authorization (CoA) commands. While fixes are recommended,
+ they cannot be made mandatory since this would be incompatible with
+ existing implementations.
+
+ Existing implementations of this protocol do not support
+ authorization checks, so that an ISP sharing a NAS with another ISP
+ could disconnect or change authorizations for another ISP's users.
+ In order to remedy this problem, a "Reverse Path Forwarding" check is
+ recommended. See Section 5.1. for details.
+
+ Existing implementations utilize per-packet authentication and
+ integrity protection algorithms with known weaknesses [MD5Attack].
+ To provide stronger per-packet authentication and integrity
+ protection, the use of IPsec is recommended. See Section 5.3. for
+ details.
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 3]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Existing implementations lack replay protection. In order to support
+ replay detection, it is recommended that the Event-Timestamp
+ Attribute be added to all messages in situations where IPsec replay
+ protection is not employed. Implementations should be configurable
+ to silently discard messages lacking the Event-Timestamp Attribute.
+ See Section 5.4. for details.
+
+ The approach taken with CoA commands in existing implementations
+ results in a semantic ambiguity. Existing implementations of the
+ CoA-Request identify the affected session, as well as supply the
+ authorization changes. Since RADIUS Attributes included within
+ existing implementations of the CoA-Request can be used for session
+ identification or authorization change, it may not be clear which
+ function a given attribute is serving.
+
+ The problem does not exist within [Diameter], in which authorization
+ change is requested by a command using Attribute Value Pairs (AVPs)
+ solely for identification, resulting in initiation of a standard
+ Request/Response sequence where authorization changes are supplied.
+ As a result, in no command can Diameter AVPs have multiple potential
+ meanings.
+
+ Due to differences in handling change-of-authorization requests in
+ RADIUS and Diameter, it may be difficult or impossible for a
+ Diameter/RADIUS gateway to successfully translate existing
+ implementations of this specification to equivalent messages in
+ Diameter. For example, a Diameter command changing any attribute
+ used for identification within existing CoA-Request implementations
+ cannot be translated, since such an authorization change is
+ impossible to carry out in existing implementations. Similarly,
+ translation between existing implementations of Disconnect-Request or
+ CoA-Request messages and Diameter is tricky because a Disconnect-
+ Request or CoA-Request message will need to be translated to multiple
+ Diameter commands.
+
+ To simplify translation between RADIUS and Diameter, a Service-Type
+ Attribute with value "Authorize Only" can (optionally) be included
+ within a Disconnect-Request or CoA-Request. Such a Request contains
+ only identification attributes. A NAS supporting the "Authorize
+ Only" Service-Type within a Disconnect-Request or CoA-Request
+ responds with a NAK containing a Service-Type Attribute with value
+ "Authorize Only" and an Error-Cause Attribute with value "Request
+ Initiated". The NAS will then send an Access-Request containing a
+ Service-Type Attribute with a value of "Authorize Only". This usage
+ sequence is akin to what occurs in Diameter and so is more easily
+ translated by a Diameter/RADIUS gateway.
+
+
+
+
+
+Chiba, et al. Informational [Page 4]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+1.2. Requirements Language
+
+ In this document, several words are used to signify the requirements
+ of the specification. These words are often capitalized. The key
+ words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
+ "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
+ are to be interpreted as described in [RFC2119].
+
+1.3. Terminology
+
+ This document frequently uses the following terms:
+
+ Network Access Server (NAS): The device providing access to the
+ network.
+
+ service: The NAS provides a service to the user,
+ such as IEEE 802 or PPP.
+
+ session: Each service provided by the NAS to a
+ user constitutes a session, with the
+ beginning of the session defined as the
+ point where service is first provided
+ and the end of the session defined as
+ the point where service is ended. A
+ user may have multiple sessions in
+ parallel or series if the NAS supports
+ that.
+
+ silently discard: This means the implementation discards
+ the packet without further processing.
+ The implementation SHOULD provide the
+ capability of logging the error,
+ including the contents of the silently
+ discarded packet, and SHOULD record the
+ event in a statistics counter.
+
+2. Overview
+
+ This section describes the most commonly implemented features of
+ Disconnect and Change-of-Authorization messages.
+
+2.1. Disconnect Messages (DM)
+
+ A Disconnect-Request packet is sent by the RADIUS server in order to
+ terminate a user session on a NAS and discard all associated session
+ context. The Disconnect-Request packet is sent to UDP port 3799, and
+ identifies the NAS as well as the user session to be terminated by
+ inclusion of the identification attributes described in Section 3.
+
+
+
+Chiba, et al. Informational [Page 5]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ +----------+ Disconnect-Request +----------+
+ | | <-------------------- | |
+ | NAS | | RADIUS |
+ | | Disconnect-Response | Server |
+ | | ---------------------> | |
+ +----------+ +----------+
+
+ The NAS responds to a Disconnect-Request packet sent by a RADIUS
+ server with a Disconnect-ACK if all associated session context is
+ discarded and the user session is no longer connected, or a
+ Disconnect-NAK, if the NAS was unable to disconnect the session and
+ discard all associated session context. A NAS MUST respond to a
+ Disconnect-Request including a Service-Type Attribute with value
+ "Authorize Only" with a Disconnect-NAK; a Disconnect-ACK MUST NOT be
+ sent. A NAS MUST respond to a Disconnect-Request including a
+ Service-Type Attribute with an unsupported value with a Disconnect-
+ NAK; an Error-Cause Attribute with value "Unsupported Service" MAY be
+ included. A Disconnect-ACK MAY contain the Attribute
+ Acct-Terminate-Cause (49) [RFC2866] with the value set to 6 for
+ Admin-Reset.
+
+2.2. Change-of-Authorization Messages (CoA)
+
+ CoA-Request packets contain information for dynamically changing
+ session authorizations. This is typically used to change data
+ filters. The data filters can be of either the ingress or egress
+ kind, and are sent in addition to the identification attributes as
+ described in section 3. The port used, and packet format (described
+ in Section 2.3.), are the same as that for Disconnect-Request
+ Messages.
+
+ The following attribute MAY be sent in a CoA-Request:
+
+ Filter-ID (11) - Indicates the name of a data filter list to be
+ applied for the session that the identification
+ attributes map to.
+
+ +----------+ CoA-Request +----------+
+ | | <-------------------- | |
+ | NAS | | RADIUS |
+ | | CoA-Response | Server |
+ | | ---------------------> | |
+ +----------+ +----------+
+
+ The NAS responds to a CoA-Request sent by a RADIUS server with a
+ CoA-ACK if the NAS is able to successfully change the authorizations
+ for the user session, or a CoA-NAK if the Request is unsuccessful. A
+ NAS MUST respond to a CoA-Request including a Service-Type Attribute
+
+
+
+Chiba, et al. Informational [Page 6]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be
+ sent. A NAS MUST respond to a CoA-Request including a Service-Type
+ Attribute with an unsupported value with a CoA-NAK; an Error-Cause
+ Attribute with value "Unsupported Service" MAY be included.
+
+2.3. Packet Format
+
+ For either Disconnect-Request or CoA-Request messages UDP port 3799
+ is used as the destination port. For responses, the source and
+ destination ports are reversed. Exactly one RADIUS packet is
+ encapsulated in the UDP Data field.
+
+ A summary of the data format is shown below. The fields are
+ transmitted from left to right.
+
+ The packet format consists of the fields: Code, Identifier, Length,
+ Authenticator, and Attributes in Type:Length:Value (TLV) format. All
+ fields hold the same meaning as those described in RADIUS [RFC2865].
+ The Authenticator field MUST be calculated in the same way as is
+ specified for an Accounting-Request in [RFC2866].
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Authenticator |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Attributes ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-
+
+ Code
+
+ The Code field is one octet, and identifies the type of RADIUS
+ packet. Packets received with an invalid Code field MUST be
+ silently discarded. RADIUS codes (decimal) for this extension are
+ assigned as follows:
+
+ 40 - Disconnect-Request [RFC2882]
+ 41 - Disconnect-ACK [RFC2882]
+ 42 - Disconnect-NAK [RFC2882]
+ 43 - CoA-Request [RFC2882]
+ 44 - CoA-ACK [RFC2882]
+ 45 - CoA-NAK [RFC2882]
+
+
+
+
+Chiba, et al. Informational [Page 7]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Identifier
+
+ The Identifier field is one octet, and aids in matching requests
+ and replies. The RADIUS client can detect a duplicate request if
+ it has the same server source IP address and source UDP port and
+ Identifier within a short span of time.
+
+ Unlike RADIUS as defined in [RFC2865], the responsibility for
+ retransmission of Disconnect-Request and CoA-Request messages lies
+ with the RADIUS server. If after sending these messages, the
+ RADIUS server does not receive a response, it will retransmit.
+
+ The Identifier field MUST be changed whenever the content of the
+ Attributes field changes, or whenever a valid reply has been
+ received for a previous request. For retransmissions where the
+ contents are identical, the Identifier MUST remain unchanged.
+
+ If the RADIUS server is retransmitting a Disconnect-Request or
+ CoA-Request to the same client as before, and the Attributes have
+ not changed, the same Request Authenticator, Identifier and source
+ port MUST be used. If any Attributes have changed, a new
+ Authenticator and Identifier MUST be used.
+
+ Note that if the Event-Timestamp Attribute is included, it will be
+ updated when the packet is retransmitted, changing the content of
+ the Attributes field and requiring a new Identifier and Request
+ Authenticator.
+
+ If the Request to a primary proxy fails, a secondary proxy must be
+ queried, if available. Issues relating to failover algorithms are
+ described in [AAATransport]. Since this represents a new request,
+ a new Request Authenticator and Identifier MUST be used. However,
+ where the RADIUS server is sending directly to the client,
+ failover typically does not make sense, since Disconnect or CoA
+ messages need to be delivered to the NAS where the session
+ resides.
+
+ Length
+
+ The Length field is two octets. It indicates the length of the
+ packet including the Code, Identifier, Length, Authenticator and
+ Attribute fields. Octets outside the range of the Length field
+ MUST be treated as padding and ignored on reception. If the
+ packet is shorter than the Length field indicates, it MUST be
+ silently discarded. The minimum length is 20 and the maximum
+ length is 4096.
+
+
+
+
+
+Chiba, et al. Informational [Page 8]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Authenticator
+
+ The Authenticator field is sixteen (16) octets. The most
+ significant octet is transmitted first. This value is used to
+ authenticate the messages between the RADIUS server and client.
+
+ Request Authenticator
+
+ In Request packets, the Authenticator value is a 16 octet MD5
+ [RFC1321] checksum, called the Request Authenticator. The Request
+ Authenticator is calculated the same way as for an Accounting-
+ Request, specified in [RFC2866].
+
+ Note that the Request Authenticator of a Disconnect or CoA-Request
+ cannot be done the same way as the Request Authenticator of a
+ RADIUS Access-Request, because there is no User-Password Attribute
+ in a Disconnect-Request or CoA-Request.
+
+ Response Authenticator
+
+ The Authenticator field in a Response packet (e.g. Disconnect-ACK,
+ Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the Response
+ Authenticator, and contains a one-way MD5 hash calculated over a
+ stream of octets consisting of the Code, Identifier, Length, the
+ Request Authenticator field from the packet being replied to, and
+ the response Attributes if any, followed by the shared secret.
+ The resulting 16 octet MD5 hash value is stored in the
+ Authenticator field of the Response packet.
+
+ Administrative note: As noted in [RFC2865] Section 3, the secret
+ (password shared between the client and the RADIUS server) SHOULD be
+ at least as large and unguessable as a well-chosen password. RADIUS
+ clients MUST use the source IP address of the RADIUS UDP packet to
+ decide which shared secret to use, so that requests can be proxied.
+
+ Attributes
+
+ In Disconnect and CoA-Request messages, all Attributes are treated
+ as mandatory. A NAS MUST respond to a CoA-Request containing one
+ or more unsupported Attributes or Attribute values with a CoA-NAK;
+ a Disconnect-Request containing one or more unsupported Attributes
+ or Attribute values MUST be answered with a Disconnect-NAK. State
+ changes resulting from a CoA-Request MUST be atomic: if the
+ Request is successful, a CoA-ACK is sent, and all requested
+ authorization changes MUST be made. If the CoA-Request is
+ unsuccessful, a CoA-NAK MUST be sent, and the requested
+
+
+
+
+
+Chiba, et al. Informational [Page 9]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ authorization changes MUST NOT be made. Similarly, a state change
+ MUST NOT occur as a result of an unsuccessful Disconnect-Request;
+ here a Disconnect-NAK MUST be sent.
+
+ Since within this specification attributes may be used for
+ identification, authorization or other purposes, even if a NAS
+ implements an attribute for use with RADIUS authentication and
+ accounting, it may not support inclusion of that attribute within
+ Disconnect-Request or CoA-Request messages, given the difference
+ in attribute semantics. This is true even for attributes
+ specified within [RFC2865], [RFC2868], [RFC2869] or [RFC3162] as
+ allowable within Access-Accept messages.
+
+ As a result, attributes beyond those specified in Section 3.2.
+ SHOULD NOT be included within Disconnect or CoA messages since
+ this could produce unpredictable results.
+
+ When using a forwarding proxy, the proxy must be able to alter the
+ packet as it passes through in each direction. When the proxy
+ forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
+ Attribute, and when the proxy forwards a response, it MUST remove
+ its Proxy-State Attribute if it added one. Proxy-State is always
+ added or removed after any other Proxy-States, but no other
+ assumptions regarding its location within the list of Attributes
+ can be made. Since Disconnect and CoA responses are authenticated
+ on the entire packet contents, the stripping of the Proxy-State
+ Attribute invalidates the integrity check - so the proxy needs to
+ recompute it. A forwarding proxy MUST NOT modify existing Proxy-
+ State, State, or Class Attributes present in the packet.
+
+ If there are any Proxy-State Attributes in a Disconnect-Request or
+ CoA-Request received from the server, the forwarding proxy MUST
+ include those Proxy-State Attributes in its response to the
+ server. The forwarding proxy MAY include the Proxy-State
+ Attributes in the Disconnect-Request or CoA-Request when it
+ forwards the request, or it MAY omit them in the forwarded
+ request. If the forwarding proxy omits the Proxy-State Attributes
+ in the request, it MUST attach them to the response before sending
+ it to the server.
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 10]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+3. Attributes
+
+ In Disconnect-Request and CoA-Request packets, certain attributes are
+ used to uniquely identify the NAS as well as a user session on the
+ NAS. All NAS identification attributes included in a Request message
+ MUST match in order for a Disconnect-Request or CoA-Request to be
+ successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
+ For session identification attributes, the User-Name and Acct-
+ Session-Id Attributes, if included, MUST match in order for a
+ Disconnect-Request or CoA-Request to be successful; other session
+ identification attributes SHOULD match. Where a mismatch of session
+ identification attributes is detected, a Disconnect-NAK or CoA-NAK
+ SHOULD be sent. The ability to use NAS or session identification
+ attributes to map to unique/multiple sessions is beyond the scope of
+ this document. Identification attributes include NAS and session
+ identification attributes, as described below.
+
+ NAS identification attributes
+
+ Attribute # Reference Description
+ --------- --- --------- -----------
+ NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS.
+ NAS-Identifier 32 [RFC2865] String identifying the NAS.
+ NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 11]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Session identification attributes
+
+ Attribute # Reference Description
+ --------- --- --------- -----------
+ User-Name 1 [RFC2865] The name of the user
+ associated with the session.
+ NAS-Port 5 [RFC2865] The port on which the
+ session is terminated.
+ Framed-IP-Address 8 [RFC2865] The IPv4 address associated
+ with the session.
+ Called-Station-Id 30 [RFC2865] The link address to which
+ the session is connected.
+ Calling-Station-Id 31 [RFC2865] The link address from which
+ the session is connected.
+ Acct-Session-Id 44 [RFC2866] The identifier uniquely
+ identifying the session
+ on the NAS.
+ Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely
+ identifying related sessions.
+ NAS-Port-Type 61 [RFC2865] The type of port used.
+ NAS-Port-Id 87 [RFC2869] String identifying the port
+ where the session is.
+ Originating-Line-Info 94 [NASREQ] Provides information on the
+ characteristics of the line
+ from which a session
+ originated.
+ Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier
+ associated with the session;
+ always sent with
+ Framed-IPv6-Prefix.
+ Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated
+ with the session, always sent
+ with Framed-Interface-Id.
+
+ To address security concerns described in Section 5.1., the User-Name
+ Attribute SHOULD be present in Disconnect-Request or CoA-Request
+ packets; one or more additional session identification attributes MAY
+ also be present. To address security concerns described in Section
+ 5.2., one or more of the NAS-IP-Address or NAS-IPv6-Address
+ Attributes SHOULD be present in Disconnect-Request or CoA-Request
+ packets; the NAS-Identifier Attribute MAY be present in addition.
+
+ If one or more authorization changes specified in a CoA-Request
+ cannot be carried out, or if one or more attributes or attribute-
+ values is unsupported, a CoA-NAK MUST be sent. Similarly, if there
+ are one or more unsupported attributes or attribute values in a
+ Disconnect-Request, a Disconnect-NAK MUST be sent.
+
+
+
+
+Chiba, et al. Informational [Page 12]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Where a Service-Type Attribute with value "Authorize Only" is
+ included within a CoA-Request or Disconnect-Request, attributes
+ representing an authorization change MUST NOT be included; only
+ identification attributes are permitted. If attributes other than
+ NAS or session identification attributes are included in such a CoA-
+ Request, implementations MUST send a CoA-NAK; an Error-Cause
+ Attribute with value "Unsupported Attribute" MAY be included.
+ Similarly, if attributes other than NAS or session identification
+ attributes are included in such a Disconnect-Request, implementations
+ MUST send a Disconnect-NAK; an Error-Cause Attribute with value
+ "Unsupported Attribute" MAY be included.
+
+3.1. Error-Cause
+
+ Description
+
+ It is possible that the NAS cannot honor Disconnect-Request or
+ CoA-Request messages for some reason. The Error-Cause Attribute
+ provides more detail on the cause of the problem. It MAY be
+ included within Disconnect-ACK, Disconnect-NAK and CoA-NAK
+ messages.
+
+ A summary of the Error-Cause Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 101 for Error-Cause
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets, containing an integer specifying
+ the cause of the error. Values 0-199 and 300-399 are reserved.
+ Values 200-299 represent successful completion, so that these
+ values may only be sent within Disconnect-ACK or CoA-ACK message
+ and MUST NOT be sent within a Disconnect-NAK or CoA-NAK. Values
+
+
+
+Chiba, et al. Informational [Page 13]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ 400-499 represent fatal errors committed by the RADIUS server, so
+ that they MAY be sent within CoA-NAK or Disconnect-NAK messages,
+ and MUST NOT be sent within CoA-ACK or Disconnect-ACK messages.
+ Values 500-599 represent fatal errors occurring on a NAS or RADIUS
+ proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK
+ messages, and MUST NOT be sent within CoA-ACK or Disconnect-ACK
+ messages. Error-Cause values SHOULD be logged by the RADIUS
+ server. Error-Code values (expressed in decimal) include:
+
+ # Value
+ --- -----
+ 201 Residual Session Context Removed
+ 202 Invalid EAP Packet (Ignored)
+ 401 Unsupported Attribute
+ 402 Missing Attribute
+ 403 NAS Identification Mismatch
+ 404 Invalid Request
+ 405 Unsupported Service
+ 406 Unsupported Extension
+ 501 Administratively Prohibited
+ 502 Request Not Routable (Proxy)
+ 503 Session Context Not Found
+ 504 Session Context Not Removable
+ 505 Other Proxy Processing Error
+ 506 Resources Unavailable
+ 507 Request Initiated
+
+ "Residual Session Context Removed" is sent in response to a
+ Disconnect-Request if the user session is no longer active, but
+ residual session context was found and successfully removed. This
+ value is only sent within a Disconnect-ACK and MUST NOT be sent
+ within a CoA-ACK, Disconnect-NAK or CoA-NAK.
+
+ "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT be
+ sent by implementations of this specification.
+
+ "Unsupported Attribute" is a fatal error sent if a Request contains
+ an attribute (such as a Vendor-Specific or EAP-Message Attribute)
+ that is not supported.
+
+ "Missing Attribute" is a fatal error sent if critical attributes
+ (such as NAS or session identification attributes) are missing from a
+ Request.
+
+ "NAS Identification Mismatch" is a fatal error sent if one or more
+ NAS identification attributes (see Section 3.) do not match the
+ identity of the NAS receiving the Request.
+
+
+
+
+Chiba, et al. Informational [Page 14]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ "Invalid Request" is a fatal error sent if some other aspect of the
+ Request is invalid, such as if one or more attributes (such as EAP-
+ Message Attribute(s)) are not formatted properly.
+
+ "Unsupported Service" is a fatal error sent if a Service-Type
+ Attribute included with the Request is sent with an invalid or
+ unsupported value.
+
+ "Unsupported Extension" is a fatal error sent due to lack of support
+ for an extension such as Disconnect and/or CoA messages. This will
+ typically be sent by a proxy receiving an ICMP port unreachable
+ message after attempting to forward a Request to the NAS.
+
+ "Administratively Prohibited" is a fatal error sent if the NAS is
+ configured to prohibit honoring of Request messages for the specified
+ session.
+
+ "Request Not Routable" is a fatal error which MAY be sent by a RADIUS
+ proxy and MUST NOT be sent by a NAS. It indicates that the RADIUS
+ proxy was unable to determine how to route the Request to the NAS.
+ For example, this can occur if the required entries are not present
+ in the proxy's realm routing table.
+
+ "Session Context Not Found" is a fatal error sent if the session
+ context identified in the Request does not exist on the NAS.
+
+ "Session Context Not Removable" is a fatal error sent in response to
+ a Disconnect-Request if the NAS was able to locate the session
+ context, but could not remove it for some reason. It MUST NOT be
+ sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
+ Disconnect-NAK.
+
+ "Other Proxy Processing Error" is a fatal error sent in response to a
+ Request that could not be processed by a proxy, for reasons other
+ than routing.
+
+ "Resources Unavailable" is a fatal error sent when a Request could
+ not be honored due to lack of available NAS resources (memory, non-
+ volatile storage, etc.).
+
+ "Request Initiated" is a fatal error sent in response to a Request
+ including a Service-Type Attribute with a value of "Authorize Only".
+ It indicates that the Disconnect-Request or CoA-Request has not been
+ honored, but that a RADIUS Access-Request including a Service-Type
+ Attribute with value "Authorize Only" is being sent to the RADIUS
+ server.
+
+
+
+
+
+Chiba, et al. Informational [Page 15]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+3.2. Table of Attributes
+
+ The following table provides a guide to which attributes may be found
+ in which packets, and in what quantity.
+
+ Change-of-Authorization Messages
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 1 User-Name [Note 1]
+ 0-1 0 0 4 NAS-IP-Address [Note 1]
+ 0-1 0 0 5 NAS-Port [Note 1]
+ 0-1 0 0-1 6 Service-Type [Note 6]
+ 0-1 0 0 7 Framed-Protocol [Note 3]
+ 0-1 0 0 8 Framed-IP-Address [Note 1]
+ 0-1 0 0 9 Framed-IP-Netmask [Note 3]
+ 0-1 0 0 10 Framed-Routing [Note 3]
+ 0+ 0 0 11 Filter-ID [Note 3]
+ 0-1 0 0 12 Framed-MTU [Note 3]
+ 0+ 0 0 13 Framed-Compression [Note 3]
+ 0+ 0 0 14 Login-IP-Host [Note 3]
+ 0-1 0 0 15 Login-Service [Note 3]
+ 0-1 0 0 16 Login-TCP-Port [Note 3]
+ 0+ 0 0 18 Reply-Message [Note 2]
+ 0-1 0 0 19 Callback-Number [Note 3]
+ 0-1 0 0 20 Callback-Id [Note 3]
+ 0+ 0 0 22 Framed-Route [Note 3]
+ 0-1 0 0 23 Framed-IPX-Network [Note 3]
+ 0-1 0-1 0-1 24 State [Note 7]
+ 0+ 0 0 25 Class [Note 3]
+ 0+ 0 0 26 Vendor-Specific [Note 3]
+ 0-1 0 0 27 Session-Timeout [Note 3]
+ 0-1 0 0 28 Idle-Timeout [Note 3]
+ 0-1 0 0 29 Termination-Action [Note 3]
+ 0-1 0 0 30 Called-Station-Id [Note 1]
+ 0-1 0 0 31 Calling-Station-Id [Note 1]
+ 0-1 0 0 32 NAS-Identifier [Note 1]
+ 0+ 0+ 0+ 33 Proxy-State
+ 0-1 0 0 34 Login-LAT-Service [Note 3]
+ 0-1 0 0 35 Login-LAT-Node [Note 3]
+ 0-1 0 0 36 Login-LAT-Group [Note 3]
+ 0-1 0 0 37 Framed-AppleTalk-Link [Note 3]
+ 0+ 0 0 38 Framed-AppleTalk-Network [Note 3]
+ 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3]
+ 0-1 0 0 44 Acct-Session-Id [Note 1]
+ 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
+ 0-1 0-1 0-1 55 Event-Timestamp
+ 0-1 0 0 61 NAS-Port-Type [Note 1]
+ Request ACK NAK # Attribute
+
+
+
+Chiba, et al. Informational [Page 16]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 62 Port-Limit [Note 3]
+ 0-1 0 0 63 Login-LAT-Port [Note 3]
+ 0+ 0 0 64 Tunnel-Type [Note 5]
+ 0+ 0 0 65 Tunnel-Medium-Type [Note 5]
+ 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5]
+ 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5]
+ 0+ 0 0 69 Tunnel-Password [Note 5]
+ 0-1 0 0 71 ARAP-Features [Note 3]
+ 0-1 0 0 72 ARAP-Zone-Access [Note 3]
+ 0+ 0 0 78 Configuration-Token [Note 3]
+ 0+ 0-1 0 79 EAP-Message [Note 2]
+ 0-1 0-1 0-1 80 Message-Authenticator
+ 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5]
+ 0+ 0 0 82 Tunnel-Assignment-ID [Note 5]
+ 0+ 0 0 83 Tunnel-Preference [Note 5]
+ 0-1 0 0 85 Acct-Interim-Interval [Note 3]
+ 0-1 0 0 87 NAS-Port-Id [Note 1]
+ 0-1 0 0 88 Framed-Pool [Note 3]
+ 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
+ 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5]
+ 0-1 0 0 94 Originating-Line-Info [Note 1]
+ 0-1 0 0 95 NAS-IPv6-Address [Note 1]
+ 0-1 0 0 96 Framed-Interface-Id [Note 1]
+ 0+ 0 0 97 Framed-IPv6-Prefix [Note 1]
+ 0+ 0 0 98 Login-IPv6-Host [Note 3]
+ 0+ 0 0 99 Framed-IPv6-Route [Note 3]
+ 0-1 0 0 100 Framed-IPv6-Pool [Note 3]
+ 0 0 0+ 101 Error-Cause
+ Request ACK NAK # Attribute
+
+ Disconnect Messages
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 1 User-Name [Note 1]
+ 0-1 0 0 4 NAS-IP-Address [Note 1]
+ 0-1 0 0 5 NAS-Port [Note 1]
+ 0-1 0 0-1 6 Service-Type [Note 6]
+ 0-1 0 0 8 Framed-IP-Address [Note 1]
+ 0+ 0 0 18 Reply-Message [Note 2]
+ 0-1 0-1 0-1 24 State [Note 7]
+ 0+ 0 0 25 Class [Note 4]
+ 0+ 0 0 26 Vendor-Specific
+ 0-1 0 0 30 Called-Station-Id [Note 1]
+ 0-1 0 0 31 Calling-Station-Id [Note 1]
+ 0-1 0 0 32 NAS-Identifier [Note 1]
+ 0+ 0+ 0+ 33 Proxy-State
+ Request ACK NAK # Attribute
+
+
+
+Chiba, et al. Informational [Page 17]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 44 Acct-Session-Id [Note 1]
+ 0-1 0-1 0 49 Acct-Terminate-Cause
+ 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
+ 0-1 0-1 0-1 55 Event-Timestamp
+ 0-1 0 0 61 NAS-Port-Type [Note 1]
+ 0+ 0-1 0 79 EAP-Message [Note 2]
+ 0-1 0-1 0-1 80 Message-Authenticator
+ 0-1 0 0 87 NAS-Port-Id [Note 1]
+ 0-1 0 0 94 Originating-Line-Info [Note 1]
+ 0-1 0 0 95 NAS-IPv6-Address [Note 1]
+ 0-1 0 0 96 Framed-Interface-Id [Note 1]
+ 0+ 0 0 97 Framed-IPv6-Prefix [Note 1]
+ 0 0+ 0+ 101 Error-Cause
+ Request ACK NAK # Attribute
+
+ [Note 1] Where NAS or session identification attributes are included
+ in Disconnect-Request or CoA-Request messages, they are used for
+ identification purposes only. These attributes MUST NOT be used for
+ purposes other than identification (e.g. within CoA-Request messages
+ to request authorization changes).
+
+ [Note 2] The Reply-Message Attribute is used to present a displayable
+ message to the user. The message is only displayed as a result of a
+ successful Disconnect-Request or CoA-Request (where a Disconnect-ACK
+ or CoA-ACK is subsequently sent). Where EAP is used for
+ authentication, an EAP-Message/Notification-Request Attribute is sent
+ instead, and Disconnect-ACK or CoA-ACK messages contain an EAP-
+ Message/Notification-Response Attribute.
+
+ [Note 3] When included within a CoA-Request, these attributes
+ represent an authorization change request. When one of these
+ attributes is omitted from a CoA-Request, the NAS assumes that the
+ attribute value is to remain unchanged. Attributes included in a
+ CoA-Request replace all existing value(s) of the same attribute(s).
+
+ [Note 4] When included within a successful Disconnect-Request (where
+ a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be
+ sent unmodified by the client to the accounting server in the
+ Accounting Stop packet. If the Disconnect-Request is unsuccessful,
+ then the Class Attribute is not processed.
+
+ [Note 5] When included within a CoA-Request, these attributes
+ represent an authorization change request. Where tunnel attribute(s)
+ are sent within a successful CoA-Request, all existing tunnel
+ attributes are removed and replaced by the new attribute(s).
+
+
+
+
+
+Chiba, et al. Informational [Page 18]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [Note 6] When included within a Disconnect-Request or CoA-Request, a
+ Service-Type Attribute with value "Authorize Only" indicates that the
+ Request only contains NAS and session identification attributes, and
+ that the NAS should attempt reauthorization by sending an Access-
+ Request with a Service-Type Attribute with value "Authorize Only".
+ This enables a usage model akin to that supported in Diameter, thus
+ easing translation between the two protocols. Support for the
+ Service-Type Attribute is optional within CoA-Request and
+ Disconnect-Request messages; where it is not included, the Request
+ message may contain both identification and authorization attributes.
+ A NAS that does not support the Service-Type Attribute with the value
+ "Authorize Only" within a Disconnect-Request MUST respond with a
+ Disconnect-NAK including no Service-Type Attribute; an Error-Cause
+ Attribute with value "Unsupported Service" MAY be included. A NAS
+ that does not support the Service-Type Attribute with the value
+ "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
+ including no Service-Type Attribute; an Error-Cause Attribute with
+ value "Unsupported Service" MAY be included.
+
+ A NAS supporting the "Authorize Only" Service-Type value within
+ Disconnect-Request or CoA-Request messages MUST respond with a
+ Disconnect-NAK or CoA-NAK respectively, containing a Service-Type
+ Attribute with value "Authorize Only", and an Error-Cause Attribute
+ with value "Request Initiated". The NAS then sends an Access-Request
+ to the RADIUS server with a Service-Type Attribute with value
+ "Authorize Only". This Access-Request SHOULD contain the NAS
+ attributes from the Disconnect or CoA-Request, as well as the session
+ attributes from the Request legal for inclusion in an Access-Request
+ as specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As
+ noted in [RFC2869] Section 5.19, a Message-Authenticator attribute
+ SHOULD be included in an Access-Request that does not contain a
+ User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute.
+ The RADIUS server should send back an Access-Accept to (re-)authorize
+ the session or an Access-Reject to refuse to (re-)authorize it.
+
+ [Note 7] The State Attribute is available to be sent by the RADIUS
+ server to the NAS in a Disconnect-Request or CoA-Request message and
+ MUST be sent unmodified from the NAS to the RADIUS server in a
+ subsequent ACK or NAK message. If a Service-Type Attribute with
+ value "Authorize Only" is included in a Disconnect-Request or CoA-
+ Request along with a State Attribute, then the State Attribute MUST
+ be sent unmodified from the NAS to the RADIUS server in the resulting
+ Access-Request sent to the RADIUS server, if any. The State
+ Attribute is also available to be sent by the RADIUS server to the
+ NAS in a CoA-Request that also includes a Termination-Action
+ Attribute with the value of RADIUS-Request. If the client performs
+ the Termination-Action by sending a new Access-Request upon
+ termination of the current session, it MUST include the State
+
+
+
+Chiba, et al. Informational [Page 19]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Attribute unchanged in that Access-Request. In either usage, the
+ client MUST NOT interpret the Attribute locally. A Disconnect-
+ Request or CoA-Request packet must have only zero or one State
+ Attribute. Usage of the State Attribute is implementation dependent.
+ If the RADIUS server does not recognize the State Attribute in the
+ Access-Request, then it MUST send an Access-Reject.
+
+ The following table defines the meaning of the above table entries.
+
+ 0 This attribute MUST NOT be present in packet.
+ 0+ Zero or more instances of this attribute MAY be present in
+ packet.
+ 0-1 Zero or one instance of this attribute MAY be present in packet.
+ 1 Exactly one instance of this attribute MUST be present in packet.
+
+4. IANA Considerations
+
+ This document uses the RADIUS [RFC2865] namespace, see
+ <http://www.iana.org/assignments/radius-types>. There are six
+ updates for the section: RADIUS Packet Type Codes. These Packet
+ Types are allocated in [RADIANA]:
+
+ 40 - Disconnect-Request
+ 41 - Disconnect-ACK
+ 42 - Disconnect-NAK
+ 43 - CoA-Request
+ 44 - CoA-ACK
+ 45 - CoA-NAK
+
+ Allocation of a new Service-Type value for "Authorize Only" is
+ requested. This document also uses the UDP [RFC768] namespace, see
+ <http://www.iana.org/assignments/port-numbers>. The authors request
+ a port assignment from the Registered ports range. Finally, this
+ specification allocates the Error-Cause Attribute (101) with the
+ following decimal values:
+
+ # Value
+ --- -----
+ 201 Residual Session Context Removed
+ 202 Invalid EAP Packet (Ignored)
+ 401 Unsupported Attribute
+ 402 Missing Attribute
+ 403 NAS Identification Mismatch
+ 404 Invalid Request
+ 405 Unsupported Service
+ 406 Unsupported Extension
+ 501 Administratively Prohibited
+ 502 Request Not Routable (Proxy)
+
+
+
+Chiba, et al. Informational [Page 20]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ 503 Session Context Not Found
+ 504 Session Context Not Removable
+ 505 Other Proxy Processing Error
+ 506 Resources Unavailable
+ 507 Request Initiated
+
+5. Security Considerations
+
+5.1. Authorization Issues
+
+ Where a NAS is shared by multiple providers, it is undesirable for
+ one provider to be able to send Disconnect-Request or CoA-Requests
+ affecting the sessions of another provider.
+
+ A NAS or RADIUS proxy MUST silently discard Disconnect-Request or
+ CoA-Request messages from untrusted sources. By default, a RADIUS
+ proxy SHOULD perform a "reverse path forwarding" (RPF) check to
+ verify that a Disconnect-Request or CoA-Request originates from an
+ authorized RADIUS server. In addition, it SHOULD be possible to
+ explicitly authorize additional sources of Disconnect-Request or
+ CoA-Request packets relating to certain classes of sessions. For
+ example, a particular source can be explicitly authorized to send
+ CoA-Request messages relating to users within a set of realms.
+
+ To perform the RPF check, the proxy uses the session identification
+ attributes included in Disconnect-Request or CoA-Request messages, in
+ order to determine the RADIUS server(s) to which an equivalent
+ Access-Request could be routed. If the source address of the
+ Disconnect-Request or CoA-Request is within this set, then the
+ Request is forwarded; otherwise it MUST be silently discarded.
+
+ Typically the proxy will extract the realm from the Network Access
+ Identifier [RFC2486] included within the User-Name Attribute, and
+ determine the corresponding RADIUS servers in the proxy routing
+ tables. The RADIUS servers for that realm are then compared against
+ the source address of the packet. Where no RADIUS proxy is present,
+ the RPF check will need to be performed by the NAS itself.
+
+ Since authorization to send a Disconnect-Request or CoA-Request is
+ determined based on the source address and the corresponding shared
+ secret, the NASes or proxies SHOULD configure a different shared
+ secret for each RADIUS server.
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 21]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+5.2. Impersonation
+
+ [RFC2865] Section 3 states:
+
+ A RADIUS server MUST use the source IP address of the RADIUS UDP
+ packet to decide which shared secret to use, so that RADIUS
+ requests can be proxied.
+
+ When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or
+ NAS-IPv6-Address Attributes will typically not match the source
+ address observed by the RADIUS server. Since the NAS-Identifier
+ Attribute need not contain an FQDN, this attribute may not be
+ resolvable to the source address observed by the RADIUS server, even
+ when no proxy is present.
+
+ As a result, the authenticity check performed by a RADIUS server or
+ proxy does not verify the correctness of NAS identification
+ attributes. This makes it possible for a rogue NAS to forge NAS-IP-
+ Address, NAS-IPv6-Address or NAS-Identifier Attributes within a
+ RADIUS Access-Request in order to impersonate another NAS. It is
+ also possible for a rogue NAS to forge session identification
+ attributes such as the Called-Station-Id, Calling-Station-Id, or
+ Originating-Line-Info [NASREQ]. This could fool the RADIUS server
+ into sending Disconnect-Request or CoA-Request messages containing
+ forged session identification attributes to a NAS targeted by an
+ attacker.
+
+ To address these vulnerabilities RADIUS proxies SHOULD check whether
+ NAS identification attributes (see Section 3.) match the source
+ address of packets originating from the NAS. Where one or more
+ attributes do not match, Disconnect-Request or CoA-Request messages
+ SHOULD be silently discarded.
+
+ Such a check may not always be possible. Since the NAS-Identifier
+ Attribute need not correspond to an FQDN, it may not be resolvable to
+ an IP address to be matched against the source address. Also, where
+ a NAT exists between the RADIUS client and proxy, checking the NAS-
+ IP-Address or NAS-IPv6-Address Attributes may not be feasible.
+
+5.3. IPsec Usage Guidelines
+
+ In addition to security vulnerabilities unique to Disconnect or CoA
+ messages, the protocol exchanges described in this document are
+ susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is
+ RECOMMENDED that IPsec be employed to afford better security.
+
+
+
+
+
+
+Chiba, et al. Informational [Page 22]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Implementations of this specification SHOULD support IPsec [RFC2401]
+ along with IKE [RFC2409] for key management. IPsec ESP [RFC2406]
+ with a non-null transform SHOULD be supported, and IPsec ESP with a
+ non-null encryption transform and authentication support SHOULD be
+ used to provide per-packet confidentiality, authentication, integrity
+ and replay protection. IKE SHOULD be used for key management.
+
+ Within RADIUS [RFC2865], a shared secret is used for hiding
+ Attributes such as User-Password, as well as used in computation of
+ the Response Authenticator. In RADIUS accounting [RFC2866], the
+ shared secret is used in computation of both the Request
+ Authenticator and the Response Authenticator.
+
+ Since in RADIUS a shared secret is used to provide confidentiality as
+ well as integrity protection and authentication, only use of IPsec
+ ESP with a non-null transform can provide security services
+ sufficient to substitute for RADIUS application-layer security.
+ Therefore, where IPsec AH or ESP null is used, it will typically
+ still be necessary to configure a RADIUS shared secret.
+
+ Where RADIUS is run over IPsec ESP with a non-null transform, the
+ secret shared between the NAS and the RADIUS server MAY NOT be
+ configured. In this case, a shared secret of zero length MUST be
+ assumed. However, a RADIUS server that cannot know whether incoming
+ traffic is IPsec-protected MUST be configured with a non-null RADIUS
+ shared secret.
+
+ When IPsec ESP is used with RADIUS, per-packet authentication,
+ integrity and replay protection MUST be used. 3DES-CBC MUST be
+ supported as an encryption transform and AES-CBC SHOULD be supported.
+ AES-CBC SHOULD be offered as a preferred encryption transform if
+ supported. HMAC-SHA1-96 MUST be supported as an authentication
+ transform. DES-CBC SHOULD NOT be used as the encryption transform.
+
+ A typical IPsec policy for an IPsec-capable RADIUS client is
+ "Initiate IPsec, from me to any destination port UDP 1812". This
+ IPsec policy causes an IPsec SA to be set up by the RADIUS client
+ prior to sending RADIUS traffic. If some RADIUS servers contacted by
+ the client do not support IPsec, then a more granular policy will be
+ required: "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server,
+ destination port UDP 1812."
+
+ For a client implementing this specification, the policy would be
+ "Accept IPsec, from any to me, destination port UDP 3799". This
+ causes the RADIUS client to accept (but not require) use of IPsec.
+ It may not be appropriate to require IPsec for all RADIUS servers
+ connecting to an IPsec-enabled RADIUS client, since some RADIUS
+ servers may not support IPsec.
+
+
+
+Chiba, et al. Informational [Page 23]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept
+ IPsec, from any to me, destination port 1812". This causes the
+ RADIUS server to accept (but not require) use of IPsec. It may not
+ be appropriate to require IPsec for all RADIUS clients connecting to
+ an IPsec-enabled RADIUS server, since some RADIUS clients may not
+ support IPsec.
+
+ For servers implementing this specification, the policy would be
+ "Initiate IPsec, from me to any, destination port UDP 3799". This
+ causes the RADIUS server to initiate IPsec when sending RADIUS
+ extension traffic to any RADIUS client. If some RADIUS clients
+ contacted by the server do not support IPsec, then a more granular
+ policy will be required, such as "Initiate IPsec, from me to IPsec-
+ capable-RADIUS-client, destination port UDP 3799".
+
+ Where IPsec is used for security, and no RADIUS shared secret is
+ configured, it is important that the RADIUS client and server perform
+ an authorization check. Before enabling a host to act as a RADIUS
+ client, the RADIUS server SHOULD check whether the host is authorized
+ to provide network access. Similarly, before enabling a host to act
+ as a RADIUS server, the RADIUS client SHOULD check whether the host
+ is authorized for that role.
+
+ RADIUS servers can be configured with the IP addresses (for IKE
+ Aggressive Mode with pre-shared keys) or FQDNs (for certificate
+ authentication) of RADIUS clients. Alternatively, if a separate
+ Certification Authority (CA) exists for RADIUS clients, then the
+ RADIUS server can configure this CA as a trust anchor [RFC3280] for
+ use with IPsec.
+
+ Similarly, RADIUS clients can be configured with the IP addresses
+ (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for
+ certificate authentication) of RADIUS servers. Alternatively, if a
+ separate CA exists for RADIUS servers, then the RADIUS client can
+ configure this CA as a trust anchor for use with IPsec.
+
+ Since unlike SSL/TLS, IKE does not permit certificate policies to be
+ set on a per-port basis, certificate policies need to apply to all
+ uses of IPsec on RADIUS clients and servers. In IPsec deployment
+ supporting only certificate authentication, a management station
+ initiating an IPsec-protected telnet session to the RADIUS server
+ would need to obtain a certificate chaining to the RADIUS client CA.
+ Issuing such a certificate might not be appropriate if the management
+ station was not authorized as a RADIUS client.
+
+ Where RADIUS clients may obtain their IP address dynamically (such as
+ an Access Point supporting DHCP), Main Mode with pre-shared keys
+ [RFC2409] SHOULD NOT be used, since this requires use of a group
+
+
+
+Chiba, et al. Informational [Page 24]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ pre-shared key; instead, Aggressive Mode SHOULD be used. Where
+ RADIUS client addresses are statically assigned, either Aggressive
+ Mode or Main Mode MAY be used. With certificate authentication, Main
+ Mode SHOULD be used.
+
+ Care needs to be taken with IKE Phase 1 Identity Payload selection in
+ order to enable mapping of identities to pre-shared keys, even with
+ Aggressive Mode. Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity
+ Payloads are used and addresses are dynamically assigned, mapping of
+ identities to keys is not possible, so that group pre-shared keys are
+ still a practical necessity. As a result, the ID_FQDN identity
+ payload SHOULD be employed in situations where Aggressive mode is
+ utilized along with pre-shared keys and IP addresses are dynamically
+ assigned. This approach also has other advantages, since it allows
+ the RADIUS server and client to configure themselves based on the
+ fully qualified domain name of their peers.
+
+ Note that with IPsec, security services are negotiated at the
+ granularity of an IPsec SA, so that RADIUS exchanges requiring a set
+ of security services different from those negotiated with existing
+ IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs
+ are also advisable where quality of service considerations dictate
+ different handling RADIUS conversations. Attempting to apply
+ different quality of service to connections handled by the same IPsec
+ SA can result in reordering, and falling outside the replay window.
+ For a discussion of the issues, see [RFC2983].
+
+5.4. Replay Protection
+
+ Where IPsec replay protection is not used, the Event-Timestamp (55)
+ Attribute [RFC2869] SHOULD be included within all messages. When
+ this attribute is present, both the NAS and the RADIUS server MUST
+ check that the Event-Timestamp Attribute is current within an
+ acceptable time window. If the Event-Timestamp Attribute is not
+ current, then the message MUST be silently discarded. This implies
+ the need for time synchronization within the network, which can be
+ achieved by a variety of means, including secure NTP, as described in
+ [NTPAUTH].
+
+ Both the NAS and the RADIUS server SHOULD be configurable to silently
+ discard messages lacking an Event-Timestamp Attribute. A default
+ time window of 300 seconds is recommended.
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 25]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+6. Example Traces
+
+ Disconnect Request with User-Name:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....#
+ 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^..
+ 32: 6d63 6869 6261
+
+ Disconnect Request with Acct-Session-ID:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(.....
+ 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,.
+ 32: 3930 3233 3435 3637 90234567
+
+ Disconnect Request with Framed-IP-Address:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(.....
+ 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ...
+ 32: 0a00 0203
+
+7. References
+
+7.1. Normative References
+
+ [RFC1305] Mills, D., "Network Time Protocol (version 3)
+ Specification, Implementation and Analysis", RFC 1305,
+ March 1992.
+
+ [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC
+ 1321, April 1992.
+
+ [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
+ the Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+
+
+
+
+Chiba, et al. Informational [Page 26]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing
+ an IANA Considerations Section in RFCs", BCP 26, RFC
+ 2434, October 1998.
+
+ [RFC2486] Aboba, B. and M. Beadles, "The Network Access
+ Identifier", RFC 2486, January 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS
+ Extensions", RFC 2869, June 2000.
+
+ [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6",
+ RFC 3162, August 2001.
+
+ [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and
+ Certificate Revocation List (CRL) Profile", RFC 3280,
+ April 2002.
+
+ [RADIANA] Aboba, B., "IANA Considerations for RADIUS (Remote
+ Authentication Dial In User Service)", RFC 3575, July
+ 2003.
+
+7.2. Informative References
+
+ [RFC2882] Mitton, D., "Network Access Server Requirements:
+ Extended RADIUS Practices", RFC 2882, July 2000.
+
+ [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC
+ 2983, October 2000.
+
+ [AAATransport] Aboba, B. and J. Wood, "Authentication, Authorization
+ and Accounting (AAA) Transport Profile", RFC 3539,
+ June 2003.
+
+ [Diameter] Calhoun, P., et al., "Diameter Base Protocol", Work in
+ Progress.
+
+ [MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent
+ Attack", CryptoBytes Vol.2 No.2, Summer 1996.
+
+ [NASREQ] Calhoun, P., et al., "Diameter Network Access Server
+ Application", Work in Progress.
+
+
+
+Chiba, et al. Informational [Page 27]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [NTPAUTH] Mills, D., "Public Key Cryptography for the Network
+ Time Protocol", Work in Progress.
+
+8. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards- related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementers or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+9. Acknowledgments
+
+ This protocol was first developed and distributed by Ascend
+ Communications. Example code was distributed in their free server
+ kit.
+
+ The authors would like to acknowledge the valuable suggestions and
+ feedback from the following people:
+
+ Avi Lior <avi@bridgewatersystems.com>,
+ Randy Bush <randy@psg.net>,
+ Steve Bellovin <smb@research.att.com>
+ Glen Zorn <gwz@cisco.com>,
+ Mark Jones <mjones@bridgewatersystems.com>,
+ Claudio Lapidus <clapidus@hotmail.com>,
+ Anurag Batta <Anurag_Batta@3com.com>,
+ Kuntal Chowdhury <chowdury@nortelnetworks.com>, and
+ Tim Moore <timmoore@microsoft.com>.
+ Russ Housley <housley@vigilsec.com>
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 28]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+10. Authors' Addresses
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ EMail: mchiba@cisco.com
+ Phone: +1 408 525 7198
+
+ Gopal Dommety
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose, CA 95134
+
+ EMail: gdommety@cisco.com
+ Phone: +1 408 525 1404
+
+ Mark Eklund
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose, CA 95134
+
+ EMail: meklund@cisco.com
+ Phone: +1 865 671 6255
+
+ David Mitton
+ Circular Logic UnLtd.
+ 733 Turnpike Street #154
+ North Andover, MA 01845
+
+ EMail: david@mitton.com
+ Phone: +1 978 683 1814
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: bernarda@microsoft.com
+ Phone: +1 425 706 6605
+ Fax: +1 425 936 7329
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 29]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+11. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 30]
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-21 09:44:35 +0000