diff options
author | Kozlov Dmitry <dima@server> | 2010-09-09 11:01:43 +0400 |
---|---|---|
committer | Kozlov Dmitry <dima@server> | 2010-09-09 11:01:43 +0400 |
commit | 29b03dcfbd3b4783b0192e5f8c9bb6281acf44d5 (patch) | |
tree | 7e530a420c4c303706e39cc917f0ad8ea5d657e2 /accel-pptpd/radius | |
parent | 4dcca9422c5c001789b17c3266f3db8e0590568d (diff) | |
download | accel-ppp-29b03dcfbd3b4783b0192e5f8c9bb6281acf44d5.tar.gz accel-ppp-29b03dcfbd3b4783b0192e5f8c9bb6281acf44d5.zip |
radius: implemented accounting (start/stop/interim-update)
Diffstat (limited to 'accel-pptpd/radius')
-rw-r--r-- | accel-pptpd/radius/CMakeLists.txt | 2 | ||||
-rw-r--r-- | accel-pptpd/radius/acct.c | 181 | ||||
-rw-r--r-- | accel-pptpd/radius/auth.c | 173 | ||||
-rw-r--r-- | accel-pptpd/radius/dictionary | 4 | ||||
-rw-r--r-- | accel-pptpd/radius/packet.c | 15 | ||||
-rw-r--r-- | accel-pptpd/radius/radius.c | 194 | ||||
-rw-r--r-- | accel-pptpd/radius/radius.h | 28 | ||||
-rw-r--r-- | accel-pptpd/radius/req.c | 180 |
8 files changed, 572 insertions, 205 deletions
diff --git a/accel-pptpd/radius/CMakeLists.txt b/accel-pptpd/radius/CMakeLists.txt index 17a8578..9655d91 100644 --- a/accel-pptpd/radius/CMakeLists.txt +++ b/accel-pptpd/radius/CMakeLists.txt @@ -4,6 +4,8 @@ SET(sources dict.c req.c packet.c + auth.c + acct.c ) ADD_LIBRARY(radius SHARED ${sources}) diff --git a/accel-pptpd/radius/acct.c b/accel-pptpd/radius/acct.c new file mode 100644 index 0000000..b342b33 --- /dev/null +++ b/accel-pptpd/radius/acct.c @@ -0,0 +1,181 @@ +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> +#include <sys/ioctl.h> +#include <linux/if_ppp.h> +#include <openssl/md5.h> + +#include "log.h" +#include "radius.h" + +static int req_set_RA(struct rad_req_t *req, const char *secret) +{ + MD5_CTX ctx; + + if (rad_packet_build(req->pack, req->RA)) + return -1; + + MD5_Init(&ctx); + MD5_Update(&ctx, req->pack->buf, req->pack->len); + MD5_Update(&ctx, secret, strlen(secret)); + MD5_Final(req->pack->buf + 4, &ctx); + + return 0; +} + +static void req_set_stat(struct rad_req_t *req, struct ppp_t *ppp) +{ + struct ifpppstatsreq ifreq; + + memset(&ifreq, 0, sizeof(ifreq)); + ifreq.stats_ptr = (void *)&ifreq.stats; + sprintf(ifreq.ifr__name, "ppp%i", ppp->unit_idx); + + if (ioctl(sock_fd, SIOCGPPPSTATS, &ifreq)) { + log_error("radius: failed to get ppp statistics: %s\n", strerror(errno)); + return; + } + + rad_req_change_int(req, "Acct-Input-Octets", ifreq.stats.p.ppp_ibytes); + rad_req_change_int(req, "Acct-Output-Octets", ifreq.stats.p.ppp_obytes); + rad_req_change_int(req, "Acct-Input-Packets", ifreq.stats.p.ppp_ipackets); + rad_req_change_int(req, "Acct-Output-Packets", ifreq.stats.p.ppp_opackets); + rad_req_change_int(req, "Acct-Session-Time", time(NULL) - ppp->start_time); +} + +static int rad_acct_read(struct triton_md_handler_t *h) +{ + struct rad_req_t *req = container_of(h, typeof(*req), hnd); + + req->reply = rad_packet_recv(h->fd); + if (!req->reply) + return 0; + + if (conf_verbose) { + log_debug("send "); + rad_packet_print(req->reply, log_debug); + } + + if (req->reply->code != CODE_ACCOUNTING_RESPONSE || req->reply->id != req->pack->id) { + rad_packet_free(req->reply); + req->reply = NULL; + } else { + req->pack->id++; + req->timeout.period = 0; + triton_timer_del(&req->timeout); + } + + return 0; +} + +static void rad_acct_timeout(struct triton_timer_t *t) +{ + struct rad_req_t *req = container_of(t, typeof(*req), timeout); + + rad_req_send(req); +} + +static void rad_acct_interim_update(struct triton_timer_t *t) +{ + struct radius_pd_t *rpd = container_of(t, typeof(*rpd), acct_interim_timer); + + if (rpd->acct_req->timeout.period) + return; + + rad_req_change_val(rpd->acct_req, "Acct-Status-Type", "Interim-Update", 4); + req_set_stat(rpd->acct_req, rpd->ppp); + req_set_RA(rpd->acct_req, conf_acct_server_secret); + rad_req_send(rpd->acct_req); + rpd->acct_req->timeout.period = conf_timeout * 1000; + triton_timer_add(rpd->ppp->ctrl->ctx, &rpd->acct_req->timeout, 0); +} + +int rad_acct_start(struct radius_pd_t *rpd) +{ + rpd->acct_req = rad_req_alloc(rpd, CODE_ACCOUNTING_REQUEST, rpd->ppp->username); + if (!rpd->acct_req) { + log_error("radius: out of memory\n"); + return -1; + } + + if (rad_req_acct_fill(rpd->acct_req)) { + log_error("radius:acct: failed to fill accounting attributes\n"); + goto out_err; + } + + //if (rad_req_add_val(rpd->acct_req, "Acct-Status-Type", "Start", 4)) + // goto out_err; + //if (rad_req_add_str(rpd->acct_req, "Acct-Session-Id", rpd->ppp->sessionid, PPP_SESSIONID_LEN, 1)) + // goto out_err; + + if (req_set_RA(rpd->acct_req, conf_acct_server_secret)) + goto out_err; + + if (rad_req_send(rpd->acct_req)) + goto out_err; + + rpd->acct_req->hnd.read = rad_acct_read; + + triton_md_register_handler(rpd->ppp->ctrl->ctx, &rpd->acct_req->hnd); + if (triton_md_enable_handler(&rpd->acct_req->hnd, MD_MODE_READ)) + goto out_err; + + rpd->acct_req->timeout.expire = rad_acct_timeout; + rpd->acct_req->timeout.period = conf_timeout * 1000; + if (triton_timer_add(rpd->ppp->ctrl->ctx, &rpd->acct_req->timeout, 0)) { + triton_md_unregister_handler(&rpd->acct_req->hnd); + goto out_err; + } + + rpd->acct_interim_timer.expire = rad_acct_interim_update; + rpd->acct_interim_timer.period = rpd->acct_interim_interval * 1000; + if (rpd->acct_interim_interval && triton_timer_add(rpd->ppp->ctrl->ctx, &rpd->acct_interim_timer, 0)) { + triton_md_unregister_handler(&rpd->acct_req->hnd); + triton_timer_del(&rpd->acct_req->timeout); + goto out_err; + } + return 0; + +out_err: + rad_req_free(rpd->acct_req); + rpd->acct_req = NULL; + return -1; +} + +void rad_acct_stop(struct radius_pd_t *rpd) +{ + int i; + + if (rpd->acct_interim_timer.period) + triton_timer_del(&rpd->acct_interim_timer); + + if (rpd->acct_req) { + triton_md_unregister_handler(&rpd->acct_req->hnd); + if (rpd->acct_req->timeout.period) + triton_timer_del(&rpd->acct_req->timeout); + + rad_req_change_val(rpd->acct_req, "Acct-Status-Type", "Stop", 4); + req_set_stat(rpd->acct_req, rpd->ppp); + req_set_RA(rpd->acct_req, conf_acct_server_secret); + /// !!! rad_req_add_val(rpd->acct_req, "Acct-Terminate-Cause", ""); + for(i = 0; i < conf_max_try; i++) { + if (rad_req_send(rpd->acct_req)) + break; + rad_req_wait(rpd->acct_req, conf_timeout); + if (!rpd->acct_req->reply) + continue; + if (rpd->acct_req->reply->id != rpd->acct_req->pack->id || rpd->acct_req->reply->code != CODE_ACCOUNTING_RESPONSE) { + rad_packet_free(rpd->acct_req->reply); + rpd->acct_req->reply = NULL; + } else + break; + } + if (!rpd->acct_req->reply) + log_warn("radius:acct_stop: no response\n"); + + rad_req_free(rpd->acct_req); + rpd->acct_req = NULL; + } +} + diff --git a/accel-pptpd/radius/auth.c b/accel-pptpd/radius/auth.c new file mode 100644 index 0000000..98c7aa8 --- /dev/null +++ b/accel-pptpd/radius/auth.c @@ -0,0 +1,173 @@ +#include <stdlib.h> +#include <string.h> +#include <openssl/md5.h> + +#include "log.h" +#include "pwdb.h" + +#include "radius.h" + + +static uint8_t* encrypt_password(const char *passwd, const char *secret, const uint8_t *RA, int *epasswd_len) +{ + uint8_t *epasswd; + int i, j, chunk_cnt; + uint8_t b[16], c[16]; + MD5_CTX ctx; + + chunk_cnt = (strlen(passwd) - 1) / 16 + 1; + + epasswd = malloc(chunk_cnt * 16); + if (!epasswd) { + log_error("radius: out of memory\n"); + return NULL; + } + + memset(epasswd, 0, chunk_cnt * 16); + memcpy(epasswd, passwd, strlen(passwd)); + memcpy(c, RA, 16); + + for (i = 0; i < chunk_cnt; i++) { + MD5_Init(&ctx); + MD5_Update(&ctx, secret, strlen(secret)); + MD5_Update(&ctx, c, 16); + MD5_Final(b, &ctx); + + for(j = 0; j < 16; j++) + epasswd[i * 16 + j] ^= b[j]; + + memcpy(c, epasswd + i * 16, 16); + } + + *epasswd_len = chunk_cnt * 16; + return epasswd; +} + +int rad_auth_pap(struct radius_pd_t *rpd, const char *username, va_list args) +{ + struct rad_req_t *req; + int i, r = PWDB_DENIED; + //int id = va_arg(args, int); + const char *passwd = va_arg(args, const char *); + uint8_t *epasswd; + int epasswd_len; + + req = rad_req_alloc(rpd, CODE_ACCESS_REQUEST, username); + if (!req) + return PWDB_DENIED; + + epasswd = encrypt_password(passwd, conf_auth_server_secret, req->RA, &epasswd_len); + if (!epasswd) + goto out; + + if (rad_req_add_str(req, "Password", (char*)epasswd, epasswd_len, 0)) { + free(epasswd); + goto out; + } + + free(epasswd); + + for(i = 0; i < conf_max_try; i++) { + if (rad_req_send(req)) + goto out; + + rad_req_wait(req, conf_timeout); + + if (req->reply) { + if (req->reply->id != req->pack->id) { + rad_packet_free(req->reply); + req->reply = NULL; + } else + break; + } + } + + if (req->reply && req->reply->code == CODE_ACCESS_ACCEPT) { + rad_proc_attrs(req); + r = PWDB_SUCCESS; + } + +out: + rad_req_free(req); + + return r; +} + +int rad_auth_chap_md5(struct radius_pd_t *rpd, const char *username, va_list args) +{ + struct rad_req_t *req; + int i, r = PWDB_DENIED; + char chap_password[17]; + + int id = va_arg(args, int); + const uint8_t *challenge = va_arg(args, const uint8_t *); + int challenge_len = va_arg(args, int); + const uint8_t *response = va_arg(args, const uint8_t *); + + chap_password[0] = id; + memcpy(chap_password + 1, response, 16); + + req = rad_req_alloc(rpd, CODE_ACCESS_REQUEST, username); + if (!req) + return PWDB_DENIED; + + if (challenge_len == 16) + memcpy(req->RA, challenge, 16); + else { + if (rad_req_add_str(req, "CHAP-Challenge", (char*)challenge, challenge_len, 0)) + goto out; + } + + if (rad_req_add_str(req, "CHAP-Password", chap_password, 17, 0)) + goto out; + + for(i = 0; i < conf_max_try; i++) { + if (rad_req_send(req)) + goto out; + + rad_req_wait(req, conf_timeout); + + if (req->reply) { + if (req->reply->id != req->pack->id) { + rad_packet_free(req->reply); + req->reply = NULL; + } else + break; + } + } + + if (!req->reply) + log_warn("radius:auth: no response\n"); + else if (req->reply->code == CODE_ACCESS_ACCEPT) { + rad_proc_attrs(req); + r = PWDB_SUCCESS; + } + +out: + rad_req_free(req); + + return r; +} + +int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list args) +{ + /*int id = va_arg(args, int); + const uint8_t *challenge = va_arg(args, const uint8_t *); + const uint8_t *lm_response = va_arg(args, const uint8_t *); + const uint8_t *nt_response = va_arg(args, const uint8_t *); + int flags = va_arg(args, int);*/ + return PWDB_NO_IMPL; +} + +int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list args) +{ + /*int id = va_arg(args, int); + const uint8_t *challenge = va_arg(args, const uint8_t *); + const uint8_t *peer_challenge = va_arg(args, const uint8_t *); + const uint8_t *response = va_arg(args, const uint8_t *); + int flags = va_arg(args, int); + uint8_t *authenticator = va_arg(args, uint8_t *);*/ + return PWDB_NO_IMPL; +} + + diff --git a/accel-pptpd/radius/dictionary b/accel-pptpd/radius/dictionary index caebe9d..25896eb 100644 --- a/accel-pptpd/radius/dictionary +++ b/accel-pptpd/radius/dictionary @@ -82,6 +82,8 @@ ATTRIBUTE Port-Limit 62 integer ATTRIBUTE Login-LAT-Port 63 integer ATTRIBUTE Connect-Info 77 string +ATTRIBUTE Acct-Interim-Interval 85 integer + # # RFC3162 IPv6 attributes # @@ -162,7 +164,7 @@ VALUE Login-Service PortMaster 3 VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 -VALUE Acct-Status-Type Alive 3 +VALUE Acct-Status-Type Interim-Update 3 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 diff --git a/accel-pptpd/radius/packet.c b/accel-pptpd/radius/packet.c index 627b6c5..e88e6e8 100644 --- a/accel-pptpd/radius/packet.c +++ b/accel-pptpd/radius/packet.c @@ -42,7 +42,11 @@ int rad_packet_build(struct rad_packet_t *pack, uint8_t *RA) struct rad_req_attr_t *attr; uint8_t *ptr; - ptr = malloc(pack->len); + if (pack->buf) + ptr = realloc(pack->buf, pack->len); + else + ptr = malloc(pack->len); + if (!ptr) { log_error("radius:packet: out of memory\n"); return -1; @@ -77,8 +81,7 @@ int rad_packet_build(struct rad_packet_t *pack, uint8_t *RA) ptr += attr->len; } - print_buf(pack->buf, pack->len); - + //print_buf(pack->buf, pack->len); return 0; } @@ -220,6 +223,12 @@ void rad_packet_print(struct rad_packet_t *pack, void (*print)(const char *fmt, case CODE_ACCESS_REJECT: print("Access-Reject"); break; + case CODE_ACCOUNTING_REQUEST: + printf("Accounting-Request"); + break; + case CODE_ACCOUNTING_RESPONSE: + printf("Accounting-Response"); + break; default: print("Unknown (%i)", pack->code); } diff --git a/accel-pptpd/radius/radius.c b/accel-pptpd/radius/radius.c index 89eb9fe..89491b3 100644 --- a/accel-pptpd/radius/radius.c +++ b/accel-pptpd/radius/radius.c @@ -5,8 +5,6 @@ #include <unistd.h> #include <arpa/inet.h> -#include <openssl/md5.h> - #include "log.h" #include "ppp.h" #include "pwdb.h" @@ -35,173 +33,16 @@ char *conf_acct_server_secret; static struct ppp_notified_t notified; -static struct radius_pd_t *find_pd(struct ppp_t *ppp); - -static void proc_attrs(struct rad_req_t *req) +void rad_proc_attrs(struct rad_req_t *req) { struct rad_req_attr_t *attr; list_for_each_entry(attr, &req->reply->attrs, entry) { - if (!strcmp(attr->attr->name, "Framed-IP-Address")) { + if (!strcmp(attr->attr->name, "Framed-IP-Address")) req->rpd->ipaddr = attr->val.ipaddr; - } - } -} - -static uint8_t* encrypt_password(const char *passwd, const char *secret, const uint8_t *RA, int *epasswd_len) -{ - uint8_t *epasswd; - int i, j, chunk_cnt; - uint8_t b[16], c[16]; - MD5_CTX ctx; - - chunk_cnt = (strlen(passwd) - 1) / 16 + 1; - - epasswd = malloc(chunk_cnt * 16); - if (!epasswd) { - log_error("radius: out of memory\n"); - return NULL; - } - - memset(epasswd, 0, chunk_cnt * 16); - memcpy(epasswd, passwd, strlen(passwd)); - memcpy(c, RA, 16); - - for (i = 0; i < chunk_cnt; i++) { - MD5_Init(&ctx); - MD5_Update(&ctx, secret, strlen(secret)); - MD5_Update(&ctx, c, 16); - MD5_Final(b, &ctx); - - for(j = 0; j < 16; j++) - epasswd[i * 16 + j] ^= b[j]; - - memcpy(c, epasswd + i * 16, 16); - } - - *epasswd_len = chunk_cnt * 16; - return epasswd; -} - -static int check_pap(struct radius_pd_t *rpd, const char *username, va_list args) -{ - struct rad_req_t *req; - int i, r = PWDB_DENIED; - //int id = va_arg(args, int); - const char *passwd = va_arg(args, const char *); - uint8_t *epasswd; - int epasswd_len; - - req = rad_req_alloc(rpd, CODE_ACCESS_REQUEST, username); - if (!req) - return PWDB_DENIED; - - req->server_name = conf_auth_server; - req->server_port = conf_auth_server_port; - - epasswd = encrypt_password(passwd, conf_auth_server_secret, req->RA, &epasswd_len); - if (!epasswd) - goto out; - - if (rad_req_add_str(req, "Password", (char*)epasswd, epasswd_len, 0)) { - free(epasswd); - goto out; - } - - free(epasswd); - - for(i = 0; i < conf_max_try; i++) { - if (rad_req_send(req)) - goto out; - - rad_req_wait(req, conf_timeout); - - if (req->reply) - break; - } - - if (req->reply && req->reply->code == CODE_ACCESS_ACCEPT) { - proc_attrs(req); - r = PWDB_SUCCESS; - } - -out: - rad_req_free(req); - - return r; -} - -static int check_chap_md5(struct radius_pd_t *rpd, const char *username, va_list args) -{ - struct rad_req_t *req; - int i, r = PWDB_DENIED; - char chap_password[17]; - - int id = va_arg(args, int); - const uint8_t *challenge = va_arg(args, const uint8_t *); - int challenge_len = va_arg(args, int); - const uint8_t *response = va_arg(args, const uint8_t *); - - chap_password[0] = id; - memcpy(chap_password + 1, response, 16); - - req = rad_req_alloc(rpd, CODE_ACCESS_REQUEST, username); - if (!req) - return PWDB_DENIED; - - req->server_name = conf_auth_server; - req->server_port = conf_auth_server_port; - - if (challenge_len == 16) - memcpy(req->RA, challenge, 16); - else { - if (rad_req_add_str(req, "CHAP-Challenge", (char*)challenge, challenge_len, 0)) - goto out; + else if (!strcmp(attr->attr->name, "Acct-Interim-Interval")) + req->rpd->acct_interim_interval = attr->val.integer; } - - if (rad_req_add_str(req, "CHAP-Password", chap_password, 17, 0)) - goto out; - - for(i = 0; i < conf_max_try; i++) { - if (rad_req_send(req)) - goto out; - - rad_req_wait(req, conf_timeout); - - if (req->reply) - break; - } - - if (req->reply && req->reply->code == CODE_ACCESS_ACCEPT) { - proc_attrs(req); - r = PWDB_SUCCESS; - } - -out: - rad_req_free(req); - - return r; -} - -static int check_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list args) -{ - /*int id = va_arg(args, int); - const uint8_t *challenge = va_arg(args, const uint8_t *); - const uint8_t *lm_response = va_arg(args, const uint8_t *); - const uint8_t *nt_response = va_arg(args, const uint8_t *); - int flags = va_arg(args, int);*/ - return PWDB_DENIED; -} - -static int check_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list args) -{ - /*int id = va_arg(args, int); - const uint8_t *challenge = va_arg(args, const uint8_t *); - const uint8_t *peer_challenge = va_arg(args, const uint8_t *); - const uint8_t *response = va_arg(args, const uint8_t *); - int flags = va_arg(args, int); - uint8_t *authenticator = va_arg(args, uint8_t *);*/ - return PWDB_DENIED; } static int check(struct pwdb_t *pwdb, struct ppp_t *ppp, const char *username, int type, va_list _args) @@ -215,19 +56,19 @@ static int check(struct pwdb_t *pwdb, struct ppp_t *ppp, const char *username, i switch(type) { case PPP_PAP: - r = check_pap(rpd, username, args); + r = rad_auth_pap(rpd, username, args); break; case PPP_CHAP: chap_type = va_arg(args, int); switch(chap_type) { case CHAP_MD5: - r = check_chap_md5(rpd, username, args); + r = rad_auth_chap_md5(rpd, username, args); break; case MSCHAP_V1: - r = check_mschap_v1(rpd, username, args); + r = rad_auth_mschap_v1(rpd, username, args); break; case MSCHAP_V2: - r = check_mschap_v2(rpd, username, args); + r = rad_auth_mschap_v2(rpd, username, args); break; } break; @@ -254,7 +95,7 @@ static int get_ip(struct ppp_t *ppp, in_addr_t *addr, in_addr_t *peer_addr) return -1; } -static void ppp_started(struct ppp_notified_t *n, struct ppp_t *ppp) +static void ppp_starting(struct ppp_notified_t *n, struct ppp_t *ppp) { struct radius_pd_t *pd = malloc(sizeof(*pd)); @@ -264,6 +105,19 @@ static void ppp_started(struct ppp_notified_t *n, struct ppp_t *ppp) list_add_tail(&pd->pd.entry, &ppp->pd_list); } +static void ppp_started(struct ppp_notified_t *n, struct ppp_t *ppp) +{ + struct radius_pd_t *rpd = find_pd(ppp); + + if (rad_acct_start(rpd)) + ppp_terminate(rpd->ppp, 0); +} +static void ppp_finishing(struct ppp_notified_t *n, struct ppp_t *ppp) +{ + struct radius_pd_t *rpd = find_pd(ppp); + + rad_acct_stop(rpd); +} static void ppp_finished(struct ppp_notified_t *n, struct ppp_t *ppp) { struct radius_pd_t *rpd = find_pd(ppp); @@ -272,7 +126,7 @@ static void ppp_finished(struct ppp_notified_t *n, struct ppp_t *ppp) free(rpd); } -static struct radius_pd_t *find_pd(struct ppp_t *ppp) +struct radius_pd_t *find_pd(struct ppp_t *ppp) { struct ppp_pd_t *pd; struct radius_pd_t *rpd; @@ -297,7 +151,9 @@ static struct pwdb_t pwdb = { }; static struct ppp_notified_t notified = { + .starting = ppp_starting, .started = ppp_started, + .finishing = ppp_finishing, .finished = ppp_finished, }; diff --git a/accel-pptpd/radius/radius.h b/accel-pptpd/radius/radius.h index 40b8320..c167151 100644 --- a/accel-pptpd/radius/radius.h +++ b/accel-pptpd/radius/radius.h @@ -18,11 +18,20 @@ #define CODE_ACCESS_REJECT 3 #define CODE_ACCESS_CHALLENGE 11 +#define CODE_ACCOUNTING_REQUEST 4 +#define CODE_ACCOUNTING_RESPONSE 5 + + struct radius_pd_t { struct ppp_pd_t pd; struct ppp_t *ppp; + + struct rad_req_t *acct_req; + struct triton_timer_t acct_interim_timer; + in_addr_t ipaddr; + int acct_interim_interval; }; typedef union @@ -92,8 +101,13 @@ extern int conf_timeout; extern int conf_verbose; extern char *conf_nas_identifier; extern char *conf_nas_ip_address; +extern char *conf_gw_ip_address; extern char *conf_auth_server; +extern char *conf_auth_server_secret; +extern int conf_auth_server_port; extern char *conf_acct_server; +extern char *conf_acct_server_secret; +extern int conf_acct_server_port; int rad_dict_load(const char *fname); void rad_dict_free(struct rad_dict_t *dict); @@ -103,12 +117,16 @@ struct rad_dict_value_t *rad_dict_find_val_name(struct rad_dict_attr_t *, const struct rad_dict_value_t *rad_dict_find_val(struct rad_dict_attr_t *, rad_value_t val); struct rad_req_t *rad_req_alloc(struct radius_pd_t *rpd, int code, const char *username); +int rad_req_acct_fill(struct rad_req_t *); void rad_req_free(struct rad_req_t *); int rad_req_send(struct rad_req_t *); int rad_req_wait(struct rad_req_t *, int); +struct rad_req_attr_t *rad_req_find_attr(struct rad_req_t *req, const char *name); int rad_req_add_int(struct rad_req_t *req, const char *name, int val); int rad_req_add_val(struct rad_req_t *req, const char *name, const char *val, int len); int rad_req_add_str(struct rad_req_t *req, const char *name, const char *val, int len, int printable); +int rad_req_change_int(struct rad_req_t *req, const char *name, int val); +int rad_req_change_val(struct rad_req_t *req, const char *name, const char *val, int len); struct rad_packet_t *rad_packet_alloc(int code); int rad_packet_build(struct rad_packet_t *pack, uint8_t *RA); @@ -116,6 +134,16 @@ struct rad_packet_t *rad_packet_recv(int fd); void rad_packet_free(struct rad_packet_t *); void rad_packet_print(struct rad_packet_t *pack, void (*print)(const char *fmt, ...)); +struct radius_pd_t *find_pd(struct ppp_t *ppp); +void rad_proc_attrs(struct rad_req_t *req); + +int rad_auth_pap(struct radius_pd_t *rpd, const char *username, va_list args); +int rad_auth_chap_md5(struct radius_pd_t *rpd, const char *username, va_list args); +int rad_auth_mschap_v1(struct radius_pd_t *rpd, const char *username, va_list args); +int rad_auth_mschap_v2(struct radius_pd_t *rpd, const char *username, va_list args); + +int rad_acct_start(struct radius_pd_t *rpd); +void rad_acct_stop(struct radius_pd_t *rpd); #endif diff --git a/accel-pptpd/radius/req.c b/accel-pptpd/radius/req.c index cc59a43..3d71bf8 100644 --- a/accel-pptpd/radius/req.c +++ b/accel-pptpd/radius/req.c @@ -7,7 +7,6 @@ #include <netinet/in.h> #include <arpa/inet.h> -#include "triton.h" #include "log.h" #include "radius.h" @@ -26,8 +25,9 @@ struct rad_req_t *rad_req_alloc(struct radius_pd_t *rpd, int code, const char *u memset(req, 0, sizeof(*req)); req->rpd = rpd; req->hnd.fd = -1; - req->hnd.read = rad_req_read; - req->timeout.expire = rad_req_timeout; + + req->server_name = conf_auth_server; + req->server_port = conf_auth_server_port; while (1) { if (read(urandom_fd, req->RA, 16) != 16) { @@ -64,6 +64,31 @@ out_err: return NULL; } +int rad_req_acct_fill(struct rad_req_t *req) +{ + req->server_name = conf_acct_server; + req->server_port = conf_acct_server_port; + + memset(req->RA, 0, sizeof(req->RA)); + + if (rad_req_add_val(req, "Acct-Status-Type", "Start", 4)) + return -1; + if (rad_req_add_str(req, "Acct-Session-Id", req->rpd->ppp->sessionid, PPP_SESSIONID_LEN, 1)) + return -1; + if (rad_req_add_int(req, "Acct-Session-Time", 0)) + return -1; + if (rad_req_add_int(req, "Acct-Input-Octets", 0)) + return -1; + if (rad_req_add_int(req, "Acct-Output-Octets", 0)) + return -1; + if (rad_req_add_int(req, "Acct-Input-Packets", 0)) + return -1; + if (rad_req_add_int(req, "Acct-Output-Packets", 0)) + return -1; + + return 0; +} + void rad_req_free(struct rad_req_t *req) { if (req->hnd.fd >= 0 ) @@ -75,46 +100,58 @@ void rad_req_free(struct rad_req_t *req) free(req); } -int rad_req_send(struct rad_req_t *req) +static int make_socket(struct rad_req_t *req) { struct sockaddr_in addr; - int n; - - if (req->hnd.fd == -1) { - req->hnd.fd = socket(PF_INET, SOCK_DGRAM, 0); - if (req->hnd.fd < 0) { - log_error("radius:socket: %s\n", strerror(errno)); - return -1; - } - - memset(&addr, 0, sizeof(addr)); - addr.sin_family = AF_INET; - if (conf_nas_ip_address) { - addr.sin_addr.s_addr = inet_addr(conf_nas_ip_address); - if (bind(req->hnd.fd, (struct sockaddr *) &addr, sizeof(addr))) { - log_error("radius:bind: %s\n", strerror(errno)); - goto out_err; - } - } + req->hnd.fd = socket(PF_INET, SOCK_DGRAM, 0); + if (req->hnd.fd < 0) { + log_error("radius:socket: %s\n", strerror(errno)); + return -1; + } - addr.sin_addr.s_addr = inet_addr(req->server_name); - addr.sin_port = htons(req->server_port); + memset(&addr, 0, sizeof(addr)); + addr.sin_family = AF_INET; - if (connect(req->hnd.fd, (struct sockaddr *) &addr, sizeof(addr))) { - log_error("radius:connect: %s\n", strerror(errno)); + if (conf_nas_ip_address) { + addr.sin_addr.s_addr = inet_addr(conf_nas_ip_address); + if (bind(req->hnd.fd, (struct sockaddr *) &addr, sizeof(addr))) { + log_error("radius:bind: %s\n", strerror(errno)); goto out_err; } + } - if (fcntl(req->hnd.fd, F_SETFL, O_NONBLOCK)) { - log_error("radius: failed to set nonblocking mode: %s\n", strerror(errno)); - goto out_err; - } + addr.sin_addr.s_addr = inet_addr(req->server_name); + addr.sin_port = htons(req->server_port); - if (rad_packet_build(req->pack, req->RA)) - goto out_err; + if (connect(req->hnd.fd, (struct sockaddr *) &addr, sizeof(addr))) { + log_error("radius:connect: %s\n", strerror(errno)); + goto out_err; + } + + if (fcntl(req->hnd.fd, F_SETFL, O_NONBLOCK)) { + log_error("radius: failed to set nonblocking mode: %s\n", strerror(errno)); + goto out_err; } + return 0; + +out_err: + close(req->hnd.fd); + req->hnd.fd = -1; + return -1; +} + +int rad_req_send(struct rad_req_t *req) +{ + int n; + + if (req->hnd.fd == -1 && make_socket(req)) + return -1; + + if (!req->pack->buf && rad_packet_build(req->pack, req->RA)) + goto out_err; + if (conf_verbose) { log_debug("send "); rad_packet_print(req->pack, log_debug); @@ -169,6 +206,19 @@ int rad_req_add_int(struct rad_req_t *req, const char *name, int val) return 0; } +int rad_req_change_int(struct rad_req_t *req, const char *name, int val) +{ + struct rad_req_attr_t *ra; + + ra = rad_req_find_attr(req, name); + if (!ra) + return -1; + + ra->val.integer = val; + + return 0; +} + int rad_req_add_str(struct rad_req_t *req, const char *name, const char *val, int len, int printable) { struct rad_req_attr_t *ra; @@ -204,6 +254,34 @@ int rad_req_add_str(struct rad_req_t *req, const char *name, const char *val, in return 0; } +int rad_req_change_str(struct rad_req_t *req, const char *name, const char *val, int len) +{ + struct rad_req_attr_t *ra; + + ra = rad_req_find_attr(req, name); + if (!ra) + return -1; + + if (ra->len != len) { + if (req->pack->len - ra->len + len >= REQ_LENGTH_MAX) + return -1; + + ra->val.string = realloc(ra->val.string, len + 1); + if (!ra->val.string) { + log_error("radius: out of memory\n"); + return -1; + } + + req->pack->len += len - ra->len; + ra->len = len; + } + + memcpy(ra->val.string, val, len); + ra->val.string[len] = 0; + + return 0; +} + int rad_req_add_val(struct rad_req_t *req, const char *name, const char *val, int len) { struct rad_req_attr_t *ra; @@ -235,6 +313,41 @@ int rad_req_add_val(struct rad_req_t *req, const char *name, const char *val, in return 0; } +int rad_req_change_val(struct rad_req_t *req, const char *name, const char *val, int len) +{ + struct rad_req_attr_t *ra; + struct rad_dict_value_t *v; + + ra = rad_req_find_attr(req, name); + if (!ra) + return -1; + + v = rad_dict_find_val_name(ra->attr, val); + if (!v) + return -1; + + if (req->pack->len - ra->len + len >= REQ_LENGTH_MAX) + return -1; + + req->pack->len += len - ra->len; + + ra->len = len; + ra->val = v->val; + + return 0; +} + +struct rad_req_attr_t *rad_req_find_attr(struct rad_req_t *req, const char *name) +{ + struct rad_req_attr_t *ra; + + list_for_each_entry(ra, &req->pack->attrs, entry) + if (!strcmp(ra->attr->name, name)) + return ra; + + return NULL; +} + static void req_wakeup(struct rad_req_t *req) { triton_context_wakeup(req->rpd->ppp->ctrl->ctx); @@ -260,6 +373,9 @@ static void rad_req_timeout(struct triton_timer_t *t) int rad_req_wait(struct rad_req_t *req, int timeout) { + req->hnd.read = rad_req_read; + req->timeout.expire = rad_req_timeout; + triton_context_register(&req->ctx); triton_md_register_handler(&req->ctx, &req->hnd); if (triton_md_enable_handler(&req->hnd, MD_MODE_READ)) |