Mercurial > hg > freeDiameter
annotate extensions/app_radgw/rgwx_auth.c @ 388:554fe1d67acc
Fix small issue in the gateway
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Tue, 06 Jul 2010 14:54:06 +0900 |
parents | ce8d20725308 |
children | 26aafbbc1640 |
rev | line source |
---|---|
256 | 1 /********************************************************************************************************* |
2 * Software License Agreement (BSD License) * | |
3 * Author: Sebastien Decugis <sdecugis@nict.go.jp> * | |
4 * * | |
258
5df55136361b
Updated copyright information
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
256
diff
changeset
|
5 * Copyright (c) 2010, WIDE Project and NICT * |
256 | 6 * All rights reserved. * |
7 * * | |
8 * Redistribution and use of this software in source and binary forms, with or without modification, are * | |
9 * permitted provided that the following conditions are met: * | |
10 * * | |
11 * * Redistributions of source code must retain the above * | |
12 * copyright notice, this list of conditions and the * | |
13 * following disclaimer. * | |
14 * * | |
15 * * Redistributions in binary form must reproduce the above * | |
16 * copyright notice, this list of conditions and the * | |
17 * following disclaimer in the documentation and/or other * | |
18 * materials provided with the distribution. * | |
19 * * | |
20 * * Neither the name of the WIDE Project or NICT nor the * | |
21 * names of its contributors may be used to endorse or * | |
22 * promote products derived from this software without * | |
23 * specific prior written permission of WIDE Project and * | |
24 * NICT. * | |
25 * * | |
26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * | |
27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * | |
28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * | |
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * | |
30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * | |
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * | |
32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * | |
33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * | |
34 *********************************************************************************************************/ | |
35 | |
36 /* RADIUS Access-Request messages translation plugin */ | |
37 | |
38 #include "rgw_common.h" | |
39 | |
40 /* Attributes missing from radius.h */ | |
41 #define RADIUS_ATTR_CHAP_PASSWORD 3 | |
42 #define RADIUS_ATTR_ARAP_PASSWORD 70 | |
43 | |
44 /* Other constants we use */ | |
45 #define AI_NASREQ 1 /* Diameter NASREQ */ | |
46 #define AI_EAP 5 /* Diameter EAP application */ | |
47 #define CC_AA 265 /* AAR */ | |
48 #define CC_DIAMETER_EAP 268 /* DER */ | |
49 #define ACV_ART_AUTHORIZE_AUTHENTICATE 3 /* AUTHORIZE_AUTHENTICATE */ | |
50 #define ACV_OAP_RADIUS 1 /* RADIUS */ | |
51 #define ACV_ASS_STATE_MAINTAINED 0 /* STATE_MAINTAINED */ | |
296
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
52 #define ACV_ASS_NO_STATE_MAINTAINED 1 /* NO_STATE_MAINTAINED */ |
256 | 53 #define ER_DIAMETER_MULTI_ROUND_AUTH 1001 |
54 #define ER_DIAMETER_LIMITED_SUCCESS 2002 | |
55 | |
56 /* The state we keep for this plugin */ | |
57 struct rgwp_config { | |
58 struct { | |
59 struct dict_object * ARAP_Password; /* ARAP-Password */ | |
60 struct dict_object * ARAP_Security; /* ARAP-Security */ | |
61 struct dict_object * ARAP_Security_Data; /* ARAP-Security-Data */ | |
62 struct dict_object * Auth_Application_Id; /* Auth-Application-Id */ | |
63 struct dict_object * Auth_Request_Type; /* Auth-Request-Type */ | |
64 struct dict_object * Authorization_Lifetime; /* Authorization-Lifetime */ | |
65 struct dict_object * Callback_Number; /* Callback-Number */ | |
66 struct dict_object * Called_Station_Id; /* Called-Station-Id */ | |
67 struct dict_object * Calling_Station_Id; /* Calling-Station-Id */ | |
68 struct dict_object * CHAP_Algorithm; /* CHAP-Algorithm */ | |
69 struct dict_object * CHAP_Auth; /* CHAP-Auth */ | |
70 struct dict_object * CHAP_Challenge; /* CHAP-Challenge */ | |
71 struct dict_object * CHAP_Ident; /* CHAP-Ident */ | |
72 struct dict_object * CHAP_Response; /* CHAP-Response */ | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
73 struct dict_object * Destination_Host; /* Destination-Host */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
74 struct dict_object * Destination_Realm; /* Destination-Realm */ |
256 | 75 struct dict_object * Connect_Info; /* Connect-Info */ |
76 struct dict_object * EAP_Payload; /* EAP-Payload */ | |
77 struct dict_object * Error_Message; /* Error-Message */ | |
78 struct dict_object * Error_Reporting_Host; /* Error-Reporting-Host */ | |
79 struct dict_object * Failed_AVP; /* Failed-AVP */ | |
80 struct dict_object * Framed_Compression; /* Framed-Compression */ | |
81 struct dict_object * Framed_IP_Address; /* Framed-IP-Address */ | |
82 struct dict_object * Framed_IP_Netmask; /* Framed-IP-Netmask */ | |
83 struct dict_object * Framed_Interface_Id; /* Framed-Interface-Id */ | |
84 struct dict_object * Framed_IPv6_Prefix; /* Framed-IPv6-Prefix */ | |
85 struct dict_object * Framed_MTU; /* Framed-MTU */ | |
86 struct dict_object * Framed_Protocol; /* Framed-Protocol */ | |
87 struct dict_object * Login_IP_Host; /* Login-IP-Host */ | |
88 struct dict_object * Login_IPv6_Host; /* Login-IPv6-Host */ | |
89 struct dict_object * Login_LAT_Group; /* Login-LAT-Group */ | |
90 struct dict_object * Login_LAT_Node; /* Login-LAT-Node */ | |
91 struct dict_object * Login_LAT_Port; /* Login-LAT-Port */ | |
92 struct dict_object * Login_LAT_Service; /* Login-LAT-Service */ | |
93 struct dict_object * NAS_Identifier; /* NAS-Identifier */ | |
94 struct dict_object * NAS_IP_Address; /* NAS-IP-Address */ | |
95 struct dict_object * NAS_IPv6_Address; /* NAS-IPv6-Address */ | |
96 struct dict_object * NAS_Port; /* NAS-Port */ | |
97 struct dict_object * NAS_Port_Id; /* NAS-Port-Id */ | |
98 struct dict_object * NAS_Port_Type; /* NAS-Port-Type */ | |
99 struct dict_object * Origin_AAA_Protocol; /* Origin-AAA-Protocol */ | |
100 struct dict_object * Origin_Host; /* Origin-Host */ | |
101 struct dict_object * Origin_Realm; /* Origin-Realm */ | |
102 struct dict_object * Originating_Line_Info; /* Originating-Line-Info */ | |
103 struct dict_object * Port_Limit; /* Port-Limit */ | |
104 struct dict_object * Re_Auth_Request_Type; /* Re-Auth-Request-Type */ | |
105 struct dict_object * Result_Code; /* Result-Code */ | |
106 struct dict_object * Service_Type; /* Service-Type */ | |
107 struct dict_object * Session_Id; /* Session-Id */ | |
108 struct dict_object * Session_Timeout; /* Session-Timeout */ | |
109 struct dict_object * State; /* State */ | |
110 struct dict_object * Tunneling; /* Tunneling */ | |
111 struct dict_object * Tunnel_Type; /* Tunnel-Type */ | |
112 struct dict_object * Tunnel_Medium_Type; /* Tunnel-Medium-Type */ | |
113 struct dict_object * Tunnel_Client_Endpoint; /* Tunnel-Client-Endpoint */ | |
114 struct dict_object * Tunnel_Server_Endpoint; /* Tunnel-Server-Endpoint */ | |
115 struct dict_object * Tunnel_Private_Group_Id; /* Tunnel-Private-Group-Id */ | |
116 struct dict_object * Tunnel_Preference; /* Tunnel-Preference */ | |
117 struct dict_object * Tunnel_Client_Auth_Id; /* Tunnel-Client-Auth-Id */ | |
118 struct dict_object * Tunnel_Server_Auth_Id; /* Tunnel-Server-Auth-Id */ | |
119 struct dict_object * User_Name; /* User-Name */ | |
120 struct dict_object * User_Password; /* User-Password */ | |
121 | |
122 } dict; /* cache of the dictionary objects we use */ | |
271
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
123 struct session_handler * sess_hdl; /* We store RADIUS request authenticator information in the session */ |
256 | 124 char * confstr; |
125 }; | |
126 | |
127 /* Initialize the plugin */ | |
128 static int auth_conf_parse(char * conffile, struct rgwp_config ** state) | |
129 { | |
130 struct rgwp_config * new; | |
264
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
131 struct dict_object * app; |
256 | 132 |
133 TRACE_ENTRY("%p %p", conffile, state); | |
134 CHECK_PARAMS( state ); | |
135 | |
136 CHECK_MALLOC( new = malloc(sizeof(struct rgwp_config)) ); | |
137 memset(new, 0, sizeof(struct rgwp_config)); | |
138 | |
139 CHECK_FCT( fd_sess_handler_create( &new->sess_hdl, free ) ); | |
140 new->confstr = conffile; | |
141 | |
142 /* Resolve all dictionary objects we use */ | |
143 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Password", &new->dict.ARAP_Password, ENOENT) ); | |
144 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security", &new->dict.ARAP_Security, ENOENT) ); | |
145 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security-Data", &new->dict.ARAP_Security_Data, ENOENT) ); | |
146 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Application-Id", &new->dict.Auth_Application_Id, ENOENT) ); | |
147 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Request-Type", &new->dict.Auth_Request_Type, ENOENT) ); | |
148 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Authorization-Lifetime", &new->dict.Authorization_Lifetime, ENOENT) ); | |
149 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Callback-Number", &new->dict.Callback_Number, ENOENT) ); | |
150 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Called-Station-Id", &new->dict.Called_Station_Id, ENOENT) ); | |
151 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Calling-Station-Id", &new->dict.Calling_Station_Id, ENOENT) ); | |
152 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Algorithm", &new->dict.CHAP_Algorithm, ENOENT) ); | |
153 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Auth", &new->dict.CHAP_Auth, ENOENT) ); | |
154 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Challenge", &new->dict.CHAP_Challenge, ENOENT) ); | |
155 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Ident", &new->dict.CHAP_Ident, ENOENT) ); | |
156 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Response", &new->dict.CHAP_Response, ENOENT) ); | |
157 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Connect-Info", &new->dict.Connect_Info, ENOENT) ); | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
158 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Host", &new->dict.Destination_Host, ENOENT) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
159 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Realm", &new->dict.Destination_Realm, ENOENT) ); |
256 | 160 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "EAP-Payload", &new->dict.EAP_Payload, ENOENT) ); |
161 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Message", &new->dict.Error_Message, ENOENT) ); | |
162 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Reporting-Host", &new->dict.Error_Reporting_Host, ENOENT) ); | |
163 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Failed-AVP", &new->dict.Failed_AVP, ENOENT) ); | |
164 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Compression", &new->dict.Framed_Compression, ENOENT) ); | |
165 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Address", &new->dict.Framed_IP_Address, ENOENT) ); | |
166 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Netmask", &new->dict.Framed_IP_Netmask, ENOENT) ); | |
167 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Interface-Id", &new->dict.Framed_Interface_Id, ENOENT) ); | |
168 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPv6-Prefix", &new->dict.Framed_IPv6_Prefix, ENOENT) ); | |
169 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-MTU", &new->dict.Framed_MTU, ENOENT) ); | |
170 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Protocol", &new->dict.Framed_Protocol, ENOENT) ); | |
171 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IP-Host", &new->dict.Login_IP_Host, ENOENT) ); | |
172 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IPv6-Host", &new->dict.Login_IPv6_Host, ENOENT) ); | |
173 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Group", &new->dict.Login_LAT_Group, ENOENT) ); | |
174 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Node", &new->dict.Login_LAT_Node, ENOENT) ); | |
175 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Port", &new->dict.Login_LAT_Port, ENOENT) ); | |
176 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Service", &new->dict.Login_LAT_Service, ENOENT) ); | |
177 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Identifier", &new->dict.NAS_Identifier, ENOENT) ); | |
178 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IP-Address", &new->dict.NAS_IP_Address, ENOENT) ); | |
179 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IPv6-Address", &new->dict.NAS_IPv6_Address, ENOENT) ); | |
180 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port", &new->dict.NAS_Port, ENOENT) ); | |
181 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Id", &new->dict.NAS_Port_Id, ENOENT) ); | |
182 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Type", &new->dict.NAS_Port_Type, ENOENT) ); | |
183 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-AAA-Protocol", &new->dict.Origin_AAA_Protocol, ENOENT) ); | |
184 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Host", &new->dict.Origin_Host, ENOENT) ); | |
185 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Realm", &new->dict.Origin_Realm, ENOENT) ); | |
186 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Originating-Line-Info", &new->dict.Originating_Line_Info, ENOENT) ); | |
187 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Port-Limit", &new->dict.Port_Limit, ENOENT) ); | |
188 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Re-Auth-Request-Type", &new->dict.Re_Auth_Request_Type, ENOENT) ); | |
189 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Result-Code", &new->dict.Result_Code, ENOENT) ); | |
190 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Service-Type", &new->dict.Service_Type, ENOENT) ); | |
191 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Id", &new->dict.Session_Id, ENOENT) ); | |
192 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Timeout", &new->dict.Session_Timeout, ENOENT) ); | |
193 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "State", &new->dict.State, ENOENT) ); | |
194 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunneling", &new->dict.Tunneling, ENOENT) ); | |
195 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Type", &new->dict.Tunnel_Type, ENOENT) ); | |
196 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Medium-Type", &new->dict.Tunnel_Medium_Type, ENOENT) ); | |
197 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Endpoint", &new->dict.Tunnel_Client_Endpoint, ENOENT) ); | |
198 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Endpoint", &new->dict.Tunnel_Server_Endpoint, ENOENT) ); | |
199 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Private-Group-Id", &new->dict.Tunnel_Private_Group_Id, ENOENT) ); | |
200 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Preference", &new->dict.Tunnel_Preference, ENOENT) ); | |
201 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Auth-Id", &new->dict.Tunnel_Client_Auth_Id, ENOENT) ); | |
202 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Auth-Id", &new->dict.Tunnel_Server_Auth_Id, ENOENT) ); | |
203 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "User-Name", &new->dict.User_Name, ENOENT) ); | |
204 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "User-Password", &new->dict.User_Password, ENOENT) ); | |
205 | |
264
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
206 /* This plugin provides the following Diameter authentication applications support: */ |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
207 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_APPLICATION, APPLICATION_BY_NAME, "Diameter Network Access Server Application", &app, ENOENT) ); |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
208 CHECK_FCT( fd_disp_app_support ( app, NULL, 1, 0 ) ); |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
209 |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
210 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_APPLICATION, APPLICATION_BY_NAME, "Diameter Extensible Authentication Protocol (EAP) Application", &app, ENOENT) ); |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
211 CHECK_FCT( fd_disp_app_support ( app, NULL, 1, 0 ) ); |
a3b2cde34f7b
Advertize support for translated applications
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
262
diff
changeset
|
212 |
262
cc2c568ef319
Missing affectation
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
213 *state = new; |
256 | 214 return 0; |
215 } | |
216 | |
217 /* deinitialize */ | |
218 static void auth_conf_free(struct rgwp_config * state) | |
219 { | |
220 TRACE_ENTRY("%p", state); | |
221 CHECK_PARAMS_DO( state, return ); | |
222 CHECK_FCT_DO( fd_sess_handler_destroy( &state->sess_hdl ), ); | |
223 free(state); | |
224 return; | |
225 } | |
226 | |
227 /* Handle an incoming RADIUS request */ | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
228 static int auth_rad_req( struct rgwp_config * cs, struct session ** session, struct radius_msg * rad_req, struct radius_msg ** rad_ans, struct msg ** diam_fw, struct rgw_client * cli ) |
256 | 229 { |
230 int idx; | |
231 int got_id = 0; | |
232 int got_mac = 0; | |
233 int got_passwd = 0; | |
234 int got_eap = 0; | |
235 int got_empty_eap = 0; | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
236 const char * prefix = "Diameter/"; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
237 size_t pref_len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
238 char * dh = NULL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
239 size_t dh_len = 0; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
240 char * dr = NULL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
241 size_t dr_len = 0; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
242 char * si = NULL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
243 size_t si_len = 0; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
244 char * un = NULL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
245 size_t un_len = 0; |
256 | 246 uint32_t status_type; |
247 size_t nattr_used = 0; | |
248 struct avp ** avp_tun = NULL, *avp = NULL; | |
249 union avp_value value; | |
250 | |
251 TRACE_ENTRY("%p %p %p %p %p %p", cs, session, rad_req, rad_ans, diam_fw, cli); | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
252 CHECK_PARAMS(cs && session && rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCESS_REQUEST) && rad_ans && diam_fw && *diam_fw); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
253 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
254 pref_len = strlen(prefix); |
256 | 255 |
256 /* | |
257 Guidelines: | |
258 http://tools.ietf.org/html/rfc4005#section-9.1 | |
259 http://tools.ietf.org/html/rfc4072#section-6.1 | |
260 | |
261 When a Translation Agent receives a RADIUS message, the following | |
262 steps should be taken: | |
263 | |
264 - If a Message-Authenticator attribute is present, the value MUST | |
265 be checked but not included in the Diameter message. If it is | |
266 incorrect, the RADIUS message should be silently discarded. | |
267 The gateway system SHOULD generate and include a Message- | |
268 Authenticator in returned RADIUS responses. | |
269 -> done in rgw_msg_auth_check | |
270 | |
271 - The transport address of the sender MUST be checked against the | |
272 NAS identifying attributes. See the description of NAS- | |
273 Identifier and NAS-IP-Address below. | |
274 -> done in rgw_clients_check_origin | |
275 | |
276 - The Translation Agent must maintain transaction state | |
277 information relevant to the RADIUS request, such as the | |
278 Identifier field in the RADIUS header, any existing RADIUS | |
279 Proxy-State attribute, and the source IP address and port | |
280 number of the UDP packet. These may be maintained locally in a | |
281 state table or saved in a Proxy-Info AVP group. A Diameter | |
282 Session-Id AVP value must be created using a session state | |
283 mapping mechanism. | |
284 -> Identifier, source and port are saved along with the request, | |
285 and associated with the session state. | |
286 -> sub_echo_drop should handle the Proxy-State attribute (conf issue) | |
287 | |
288 - The Diameter Origin-Host and Origin-Realm AVPs MUST be created | |
289 and added by using the information from an FQDN corresponding | |
290 to the NAS-IP-Address attribute (preferred if available), | |
291 and/or to the NAS-Identifier attribute. (Note that the RADIUS | |
292 NAS-Identifier is not required to be an FQDN.) | |
293 -> done in rgw_msg_create_base. | |
294 | |
295 - The response MUST have an Origin-AAA-Protocol AVP added, | |
296 indicating the protocol of origin of the message. | |
297 -> what "response" ??? Added to the AAR / DER in this function. | |
298 | |
299 - The Proxy-Info group SHOULD be added, with the local server's | |
300 identity specified in the Proxy-Host AVP. This should ensure | |
301 that the response is returned to this system. | |
302 -> We don't need this, answer is always routed here anyway. | |
303 | |
304 For EAP: | |
305 | |
306 o RADIUS EAP-Message attribute(s) are translated to a Diameter | |
307 EAP-Payload AVP. If multiple RADIUS EAP-Message attributes are | |
308 present, they are concatenated and translated to a single Diameter | |
309 EAP-Payload AVP. | |
310 -> concatenation done by radius_msg_get_eap | |
311 | |
312 -> the remaining is specific conversion rules | |
313 */ | |
314 | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
315 /* Check basic information is there, and also retrieve some attribute information */ |
256 | 316 for (idx = 0; idx < rad_req->attr_used; idx++) { |
317 struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]); | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
318 char * attr_val = (char *)(attr + 1); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
319 size_t attr_len = attr->length - sizeof(struct radius_attr_hdr); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
320 |
256 | 321 switch (attr->type) { |
322 case RADIUS_ATTR_NAS_IP_ADDRESS: | |
323 case RADIUS_ATTR_NAS_IDENTIFIER: | |
324 case RADIUS_ATTR_NAS_IPV6_ADDRESS: | |
325 got_id = 1; | |
326 break; | |
327 case RADIUS_ATTR_MESSAGE_AUTHENTICATOR: | |
328 got_mac = 1; | |
329 break; | |
330 case RADIUS_ATTR_EAP_MESSAGE: | |
331 got_eap = 1; | |
332 if (attr->length == 2) | |
333 got_empty_eap = 1; | |
334 break; | |
335 case RADIUS_ATTR_USER_PASSWORD: | |
336 case RADIUS_ATTR_CHAP_PASSWORD: | |
337 case RADIUS_ATTR_ARAP_PASSWORD: | |
338 got_passwd += 1; | |
339 break; | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
340 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
341 /* Is there a State attribute with prefix "Diameter/" in the message? (in that case: Diameter/Destination-Host/Destination-Realm/Session-Id) */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
342 /* NOTE: RFC4005 says "Origin-Host" here, but it's not coherent with the rules for answers. Destination-Host makes more sense */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
343 case RADIUS_ATTR_STATE: |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
344 if ((attr_len > pref_len + 5 /* for the '/'s and non empty strings */ ) |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
345 && ! strncmp(attr_val, prefix, pref_len)) { /* should we make it strncasecmp? */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
346 int i, start; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
347 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
348 TRACE_DEBUG(ANNOYING, "Found a State attribute with '%s' prefix (attr #%d).", prefix, idx); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
349 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
350 /* Now parse the value and check its content is valid. Unfortunately we cannot use strchr here since strings are not \0-terminated */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
351 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
352 i = start = pref_len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
353 dh = attr_val + i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
354 for (; (i < attr_len - 2) && (attr_val[i] != '/'); i++) /* loop */; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
355 if ( i >= attr_len - 2 ) continue; /* the attribute format is not good */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
356 dh_len = i - start; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
357 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
358 start = ++i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
359 dr = attr_val + i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
360 for (; (i < attr_len - 1) && (attr_val[i] != '/'); i++) /* loop */; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
361 if ( i >= attr_len - 1 ) continue; /* the attribute format is not good */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
362 dr_len = i - start; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
363 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
364 i++; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
365 si = attr_val + i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
366 si_len = attr_len - i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
367 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
368 TRACE_DEBUG(ANNOYING, "Attribute parsed successfully: DH:'%.*s' DR:'%.*s' SI:'%.*s'.", dh_len, dh, dr_len, dr, si_len, si); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
369 /* Remove from the message */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
370 for (i = idx + 1; i < rad_req->attr_used; i++) |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
371 rad_req->attr_pos[i - 1] = rad_req->attr_pos[i]; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
372 rad_req->attr_used -= 1; |
384 | 373 idx--; |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
374 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
375 break; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
376 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
377 case RADIUS_ATTR_USER_NAME: |
388
554fe1d67acc
Fix small issue in the gateway
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
386
diff
changeset
|
378 TRACE_DEBUG(ANNOYING, "Found a User-Name attribute: '%.*s'", attr_len, attr_len ? attr_val : ""); |
386
ce8d20725308
Allow empty User-Name RADIUS attributes
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
385
diff
changeset
|
379 un = attr_val; |
ce8d20725308
Allow empty User-Name RADIUS attributes
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
385
diff
changeset
|
380 un_len = attr_len; |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
381 break; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
382 |
256 | 383 } |
384 } | |
385 if (!got_id) { | |
386 TRACE_DEBUG(INFO, "RADIUS Access-Request did not contain a NAS IP or Identifier attribute, reject."); | |
387 return EINVAL; | |
388 } | |
389 /* [Note 1] An Access-Request that contains either a User-Password or | |
390 CHAP-Password or ARAP-Password or one or more EAP-Message attributes | |
391 MUST NOT contain more than one type of those four attributes. If it | |
392 does not contain any of those four attributes, it SHOULD contain a | |
393 Message-Authenticator. If any packet type contains an EAP-Message | |
394 attribute it MUST also contain a Message-Authenticator. A RADIUS | |
395 server receiving an Access-Request not containing any of those four | |
396 attributes and also not containing a Message-Authenticator attribute | |
397 SHOULD silently discard it. */ | |
398 if (((got_eap + got_passwd) > 1) || (got_eap && !got_mac) || (!got_eap && !got_passwd && !got_mac)) { | |
399 TRACE_DEBUG(INFO, "RADIUS Access-Request not conform to RFC3579 sec 3.3 note 1, discard."); | |
400 return EINVAL; | |
401 } | |
402 | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
403 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
404 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
405 /* |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
406 - If the RADIUS request contained a State attribute and the |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
407 prefix of the data is "Diameter/", the data following the |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
408 prefix contains the Diameter Origin-Host/Origin-Realm/Session- |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
409 Id. If no such attributes are present and the RADIUS command |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
410 is an Access-Request, a new Session-Id is created. The |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
411 Session-Id is included in the Session-Id AVP. |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
412 */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
413 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
414 /* Add the Destination-Realm AVP */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
415 CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Realm, 0, &avp ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
416 if (dr) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
417 value.os.data = (unsigned char *)dr; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
418 value.os.len = dr_len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
419 } else { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
420 int i = 0; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
421 if (un) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
422 /* Is there an '@' in the user name? We don't care for decorated NAI here */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
423 for (i = un_len - 2; i > 0; i--) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
424 if (un[i] == '@') { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
425 i++; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
426 break; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
427 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
428 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
429 } |
388
554fe1d67acc
Fix small issue in the gateway
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
386
diff
changeset
|
430 if (i <= 0) { |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
431 /* Not found in the User-Name => we use the local domain of this gateway */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
432 value.os.data = fd_g_config->cnf_diamrlm; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
433 value.os.len = fd_g_config->cnf_diamrlm_len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
434 } else { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
435 value.os.data = un + i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
436 value.os.len = un_len - i; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
437 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
438 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
439 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
440 CHECK_FCT( fd_msg_avp_add ( *diam_fw, *session ? MSG_BRW_LAST_CHILD : MSG_BRW_FIRST_CHILD, avp) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
441 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
442 /* Add the Destination-Host if found */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
443 if (dh) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
444 CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Host, 0, &avp ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
445 value.os.data = (unsigned char *)dh; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
446 value.os.len = dh_len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
447 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
448 CHECK_FCT( fd_msg_avp_add ( *diam_fw, *session ? MSG_BRW_LAST_CHILD : MSG_BRW_FIRST_CHILD, avp) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
449 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
450 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
451 /* Create the session if it is not already done */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
452 if (*session == NULL) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
453 char * sess_str = NULL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
454 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
455 if (si_len) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
456 /* We already have the Session-Id, just use it */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
457 CHECK_FCT( fd_sess_fromsid ( si, si_len, session, NULL) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
458 } else { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
459 /* Create a new Session-Id string */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
460 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
461 char * fqdn; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
462 char * realm; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
463 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
464 /* Get information on the RADIUS client */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
465 CHECK_FCT( rgw_clients_get_origin(cli, &fqdn, &realm) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
466 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
467 /* If we have a user name, create the new session with it */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
468 if (un) { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
469 int len; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
470 /* If not found, create a new Session-Id. The format is: {fqdn;hi32;lo32;username;diamid} */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
471 CHECK_MALLOC( sess_str = malloc(un_len + 1 /* ';' */ + fd_g_config->cnf_diamid_len + 1 /* '\0' */) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
472 len = sprintf(sess_str, "%.*s;%s", un_len, un, fd_g_config->cnf_diamid); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
473 CHECK_FCT( fd_sess_new(session, fqdn, sess_str, len) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
474 free(sess_str); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
475 } else { |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
476 /* We don't have enough information to create the Session-Id, the RADIUS message is probably invalid */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
477 TRACE_DEBUG(INFO, "RADIUS Access-Request does not contain a User-Name attribute, rejecting."); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
478 return EINVAL; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
479 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
480 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
481 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
482 /* Now, add the Session-Id AVP at beginning of Diameter message */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
483 CHECK_FCT( fd_sess_getsid(*session, &sess_str) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
484 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
485 TRACE_DEBUG(FULL, "[auth.rgwx] Translating new message for session '%s'...", sess_str); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
486 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
487 /* Add the Session-Id AVP as first AVP */ |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
488 CHECK_FCT( fd_msg_avp_new ( cs->dict.Session_Id, 0, &avp ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
489 value.os.data = (unsigned char *)sess_str; |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
490 value.os.len = strlen(sess_str); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
491 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
492 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_FIRST_CHILD, avp) ); |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
493 } |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
494 |
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
495 |
256 | 496 /* Add the appropriate command code & Auth-Application-Id */ |
497 { | |
498 struct msg_hdr * header = NULL; | |
499 CHECK_FCT( fd_msg_hdr ( *diam_fw, &header ) ); | |
500 header->msg_flags = CMD_FLAG_REQUEST | CMD_FLAG_PROXIABLE; | |
501 if (got_eap) { | |
502 header->msg_code = CC_DIAMETER_EAP; | |
503 header->msg_appl = AI_EAP; | |
504 } else { | |
505 header->msg_code = CC_AA; | |
506 header->msg_appl = AI_NASREQ; | |
507 } | |
508 | |
509 /* Add the Auth-Application-Id */ | |
510 { | |
511 CHECK_FCT( fd_msg_avp_new ( cs->dict.Auth_Application_Id, 0, &avp ) ); | |
512 value.i32 = header->msg_appl; | |
513 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
514 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
515 } | |
516 } | |
517 | |
518 /* The type of request is identified through the Auth-Request-Type AVP | |
519 [BASE]. The recommended value for most RADIUS interoperabily | |
520 situations is AUTHORIZE_AUTHENTICATE. */ | |
521 | |
522 /* Add Auth-Request-Type AVP */ | |
523 { | |
524 CHECK_FCT( fd_msg_avp_new ( cs->dict.Auth_Request_Type, 0, &avp ) ); | |
525 value.i32 = ACV_ART_AUTHORIZE_AUTHENTICATE; | |
526 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
527 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
528 } | |
529 | |
530 /* Add Origin-AAA-Protocol AVP */ | |
531 { | |
532 CHECK_FCT( fd_msg_avp_new ( cs->dict.Origin_AAA_Protocol, 0, &avp ) ); | |
533 value.i32 = ACV_OAP_RADIUS; | |
534 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
535 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
536 } | |
537 | |
538 /* Convert the EAP payload (concat RADIUS attributes) */ | |
539 if (got_eap) { | |
540 CHECK_FCT( fd_msg_avp_new ( cs->dict.EAP_Payload, 0, &avp ) ); | |
541 | |
542 /* o An empty RADIUS EAP-Message attribute (with length 2) signifies | |
543 EAP-Start, and it is translated to an empty EAP-Payload AVP. */ | |
544 if (got_empty_eap) { | |
545 value.os.len = 0; | |
546 value.os.data = ""; | |
547 } else { | |
548 CHECK_MALLOC( value.os.data = radius_msg_get_eap(rad_req, &value.os.len) ); | |
549 } | |
550 | |
551 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
552 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
553 } | |
554 | |
555 /* Tunnel AVPs need some preparation */ | |
556 /* Convert the attributes one by one */ | |
557 for (idx = 0; idx < rad_req->attr_used; idx++) { | |
558 struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]); | |
559 | |
560 switch (attr->type) { | |
561 | |
562 /* This macro converts a RADIUS attribute to a Diameter AVP of type OctetString */ | |
563 #define CONV2DIAM_STR( _dictobj_ ) \ | |
564 CHECK_PARAMS( attr->length >= 2 ); \ | |
565 /* Create the AVP with the specified dictionary model */ \ | |
566 CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ | |
567 value.os.len = attr->length - 2; \ | |
568 value.os.data = (unsigned char *)(attr + 1); \ | |
569 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ | |
570 /* Add the AVP in the Diameter message. */ \ | |
571 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ | |
572 | |
573 /* Same thing, for scalar AVPs of 32 bits */ | |
574 #define CONV2DIAM_32B( _dictobj_ ) \ | |
575 CHECK_PARAMS( attr->length == 6 ); \ | |
576 CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ | |
577 { \ | |
578 uint8_t * v = (uint8_t *)(attr + 1); \ | |
579 value.u32 = (v[0] << 24) \ | |
580 | (v[1] << 16) \ | |
581 | (v[2] << 8) \ | |
582 | v[3] ; \ | |
583 } \ | |
584 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ | |
585 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ | |
586 | |
587 /* And the 64b version */ | |
588 #define CONV2DIAM_64B( _dictobj_ ) \ | |
589 CHECK_PARAMS( attr->length == 10); \ | |
590 CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ | |
591 { \ | |
592 uint8_t * v = (uint8_t *)(attr + 1); \ | |
593 value.u64 = ((uint64_t)(v[0]) << 56) \ | |
594 | ((uint64_t)(v[1]) << 48) \ | |
595 | ((uint64_t)(v[2]) << 40) \ | |
596 | ((uint64_t)(v[3]) << 32) \ | |
597 | ((uint64_t)(v[4]) << 24) \ | |
598 | ((uint64_t)(v[5]) << 16) \ | |
599 | ((uint64_t)(v[6]) << 8) \ | |
600 | (uint64_t)(v[7]) ; \ | |
601 } \ | |
602 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ | |
603 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ | |
604 | |
605 /* RFC 2865 */ | |
606 /* | |
607 - The Destination-Realm AVP is created from the information found | |
608 in the RADIUS User-Name attribute. | |
609 -> done in rgw_msg_create_base | |
610 */ | |
611 case RADIUS_ATTR_USER_NAME: | |
612 CONV2DIAM_STR( User_Name ); | |
613 break; | |
614 | |
615 /* | |
616 - If the RADIUS User-Password attribute is present, the password | |
617 must be unencrypted by using the link's RADIUS shared secret. | |
618 The unencrypted value must be forwarded in a User-Password AVP | |
619 using Diameter security. | |
620 */ | |
621 case RADIUS_ATTR_USER_PASSWORD: | |
622 if ((attr->length - 2) % 16) { | |
623 TRACE_DEBUG(INFO, "Invalid length of User-Password attribute: %hhd", attr->length); | |
624 return EINVAL; | |
625 } | |
626 { | |
627 /* Decipher following this logic (refers to rfc2865#section-5.2 ) | |
628 b1 = MD5(S + RA) p1 = c(1) xor b1 | |
629 b2 = MD5(S + c(1)) p2 = c(2) xor b2 | |
630 ... | |
631 */ | |
632 | |
633 uint8_t *ciph = (uint8_t *)(attr+1); /* c(i) */ | |
634 size_t ciph_len = attr->length - 2; | |
635 uint8_t deciph[128]; /* pi */ | |
636 size_t deciph_len = 0; | |
637 uint8_t * secret; /* S */ | |
638 size_t secret_len; | |
639 uint8_t hash[16]; /* b(i) */ | |
640 const uint8_t *addr[2]; | |
641 size_t len[2]; | |
642 | |
643 /* Retrieve the shared secret */ | |
644 CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); | |
645 | |
646 /* Initial b1 = MD5(S + RA) */ | |
647 addr[0] = secret; | |
648 len[0] = secret_len; | |
649 addr[1] = rad_req->hdr->authenticator; | |
650 len[1] = 16; | |
651 md5_vector(2, addr, len, hash); | |
652 | |
653 /* loop */ | |
654 while (deciph_len < ciph_len) { | |
655 int i; | |
656 /* pi = c(i) xor bi */ | |
657 for (i = 0; i < 16; i++) | |
658 deciph[deciph_len + i] = ciph[deciph_len + i] ^ hash[i]; | |
659 /* do we have to remove the padding '\0's ? */ | |
660 | |
661 /* b(i+1) = MD5(S + c(i) */ | |
662 addr[1] = ciph + deciph_len; | |
663 md5_vector(2, addr, len, hash); | |
664 | |
665 deciph_len += 16; | |
666 } | |
667 | |
668 /* Now save this value in the AVP */ | |
669 CHECK_FCT( fd_msg_avp_new ( cs->dict.User_Password, 0, &avp ) ); | |
670 value.os.data = &deciph[0]; | |
671 value.os.len = deciph_len; | |
672 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
673 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
674 } | |
675 break; | |
676 | |
677 | |
678 /* | |
679 - If the RADIUS CHAP-Password attribute is present, the Ident and | |
680 Data portion of the attribute are used to create the CHAP-Auth | |
681 grouped AVP. | |
682 */ | |
683 case RADIUS_ATTR_CHAP_PASSWORD: | |
684 CHECK_PARAMS( attr->length == 19 /* RFC 2865 */); | |
685 { | |
686 uint8_t * c = (uint8_t *)(attr + 1); | |
687 struct avp * chap_auth; | |
688 CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Auth, 0, &chap_auth ) ); | |
689 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, chap_auth) ); | |
690 | |
691 CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Algorithm, 0, &avp ) ); | |
692 value.u32 = 5; /* The only value defined currently... */ | |
693 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
694 CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); | |
695 | |
696 CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Ident, 0, &avp ) ); | |
697 value.os.data = c; | |
698 value.os.len = 1; | |
699 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
700 CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); | |
701 | |
702 c++; | |
703 | |
704 CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Response, 0, &avp ) ); | |
705 value.os.data = c; | |
706 value.os.len = attr->length - 3; | |
707 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
708 CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); | |
709 } | |
710 break; | |
711 | |
712 case RADIUS_ATTR_NAS_IP_ADDRESS: | |
713 CONV2DIAM_STR( NAS_IP_Address ); | |
714 break; | |
715 | |
716 case RADIUS_ATTR_NAS_PORT: | |
717 CONV2DIAM_32B( NAS_Port ); | |
718 break; | |
719 | |
720 case RADIUS_ATTR_SERVICE_TYPE: | |
721 CONV2DIAM_32B( Service_Type ); | |
722 break; | |
723 | |
724 case RADIUS_ATTR_FRAMED_PROTOCOL: | |
725 CONV2DIAM_32B( Framed_Protocol ); | |
726 break; | |
727 | |
728 case RADIUS_ATTR_FRAMED_IP_ADDRESS: | |
729 CONV2DIAM_STR( Framed_IP_Address ); | |
730 break; | |
731 | |
732 case RADIUS_ATTR_FRAMED_IP_NETMASK: | |
733 CONV2DIAM_STR( Framed_IP_Netmask ); | |
734 break; | |
735 | |
736 /* Framed-Routing never present in an Access-Request */ | |
737 /* Filter-Id never present in an Access-Request */ | |
738 | |
739 case RADIUS_ATTR_FRAMED_MTU: | |
740 CONV2DIAM_32B( Framed_MTU ); | |
741 break; | |
742 | |
743 case RADIUS_ATTR_FRAMED_COMPRESSION: | |
744 CONV2DIAM_32B( Framed_Compression ); | |
745 break; | |
746 | |
747 case RADIUS_ATTR_LOGIN_IP_HOST: | |
748 CONV2DIAM_STR( Login_IP_Host ); | |
749 break; | |
750 | |
751 /* Login-Service never present in an Access-Request */ | |
752 /* Login-TCP-Port never present in an Access-Request */ | |
753 /* Reply-Message never present in an Access-Request */ | |
754 | |
755 case RADIUS_ATTR_CALLBACK_NUMBER: | |
756 CONV2DIAM_STR( Callback_Number ); | |
757 break; | |
758 | |
759 /* Callback-Id never present in an Access-Request */ | |
760 /* Framed-Route never present in an Access-Request */ | |
761 /* Framed-IPX-Network never present in an Access-Request */ | |
762 | |
763 case RADIUS_ATTR_STATE: | |
764 CONV2DIAM_STR( State ); | |
765 break; | |
766 | |
767 /* Class never present in an Access-Request */ | |
768 | |
769 case RADIUS_ATTR_VENDOR_SPECIFIC: | |
770 /* RFC 4005, Section 9.6 : | |
771 Systems that don't have vendor format knowledge MAY discard such | |
772 attributes without knowing a suitable translation. | |
773 | |
774 [conversion rule in 9.6.2] | |
775 */ | |
776 if (attr->length >= 6) { | |
777 uint32_t vendor_id; | |
778 uint8_t * c = (uint8_t *)(attr + 1); | |
779 | |
780 vendor_id = c[0] << 24 | c[1] << 16 | c[2] << 8 | c[3]; | |
781 c += 4; | |
782 | |
783 switch (vendor_id) { | |
784 | |
785 /* For the vendors we KNOW they follow the VSA recommended format, we convert following the rules of RFC4005 (9.6.2) */ | |
786 case RADIUS_VENDOR_ID_MICROSOFT : /* RFC 2548 */ | |
787 /* other vendors ? */ | |
788 { | |
789 size_t left; | |
790 struct radius_attr_vendor *vtlv; | |
791 | |
792 left = attr->length - 6; | |
793 vtlv = (struct radius_attr_vendor *)c; | |
794 | |
795 while ((left >= 2) && (vtlv->vendor_length <= left)) { | |
796 /* Search our dictionary for corresponding Vendor's AVP */ | |
797 struct dict_avp_request req; | |
798 struct dict_object * avp_model = NULL; | |
799 memset(&req, 0, sizeof(struct dict_avp_request)); | |
800 req.avp_vendor = vendor_id; | |
801 req.avp_code = vtlv->vendor_type; | |
802 | |
803 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_CODE_AND_VENDOR, &req, &avp_model, 0) ); | |
804 if (!avp_model) { | |
805 TRACE_DEBUG(FULL, "Unknown attribute (vendor 0x%x, code 0x%x) ignored.", req.avp_vendor, req.avp_code); | |
806 } else { | |
807 CHECK_FCT( fd_msg_avp_new ( avp_model, 0, &avp ) ); | |
808 value.os.len = vtlv->vendor_length - 2; | |
809 value.os.data = (unsigned char *)(vtlv + 1); | |
810 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); | |
811 CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); | |
812 } | |
813 c += vtlv->vendor_length; | |
814 left -= vtlv->vendor_length; | |
815 vtlv = (struct radius_attr_vendor *)c; | |
816 } | |
817 } | |
818 break; | |
819 | |
820 /* Other vendors we KNOw how to convert the attributes would be added here... */ | |
821 /* case RADIUS_VENDOR_ID_CISCO : | |
822 break; */ | |
823 /* case RADIUS_VENDOR_ID_IETF : (extended RADIUS attributes) | |
824 break; */ | |
825 | |
826 /* When we don't know, just discard the attribute... VSA are optional with regards to RADIUS anyway */ | |
827 default: | |
828 /* do nothing */ | |
829 TRACE_DEBUG(FULL, "VSA attribute from vendor %d discarded", vendor_id); | |
830 | |
831 } | |
832 } | |
833 break; | |
834 | |
835 /* Session-Timeout never present in an Access-Request */ | |
836 /* Idle-Timeout never present in an Access-Request */ | |
837 /* Termination-Action never present in an Access-Request */ | |
838 | |
839 case RADIUS_ATTR_CALLED_STATION_ID: | |
840 CONV2DIAM_STR( Called_Station_Id ); | |
841 break; | |
842 | |
843 case RADIUS_ATTR_CALLING_STATION_ID: | |
844 CONV2DIAM_STR( Calling_Station_Id ); | |
845 break; | |
846 | |
847 case RADIUS_ATTR_NAS_IDENTIFIER: | |
848 CONV2DIAM_STR( NAS_Identifier ); | |
849 break; | |
850 | |
851 /* Proxy-State is handled by echo_drop.rgwx plugin, we ignore it here */ | |
852 | |
853 case RADIUS_ATTR_LOGIN_LAT_SERVICE: | |
854 CONV2DIAM_STR( Login_LAT_Service ); | |
855 break; | |
856 | |
857 case RADIUS_ATTR_LOGIN_LAT_NODE: | |
858 CONV2DIAM_STR( Login_LAT_Node ); | |
859 break; | |
860 | |
861 case RADIUS_ATTR_LOGIN_LAT_GROUP: | |
862 CONV2DIAM_STR( Login_LAT_Group ); | |
863 break; | |
864 | |
865 /* Framed-AppleTalk-Link never present in an Access-Request */ | |
866 /* Framed-AppleTalk-Network never present in an Access-Request */ | |
867 /* Framed-AppleTalk-Zone never present in an Access-Request */ | |
868 | |
869 case RADIUS_ATTR_CHAP_CHALLENGE: | |
870 CONV2DIAM_STR( CHAP_Challenge ); | |
871 break; | |
872 | |
873 case RADIUS_ATTR_NAS_PORT_TYPE: | |
874 CONV2DIAM_32B( NAS_Port_Type ); | |
875 break; | |
876 | |
877 case RADIUS_ATTR_PORT_LIMIT: | |
878 CONV2DIAM_32B( Port_Limit ); | |
879 break; | |
880 | |
881 case RADIUS_ATTR_LOGIN_LAT_PORT: | |
882 CONV2DIAM_STR( Login_LAT_Port ); | |
883 break; | |
884 | |
885 | |
886 /* RFC 3162 */ | |
887 case RADIUS_ATTR_NAS_IPV6_ADDRESS: | |
888 CONV2DIAM_STR( NAS_IPv6_Address ); | |
889 break; | |
890 | |
891 case RADIUS_ATTR_FRAMED_INTERFACE_ID: | |
892 CONV2DIAM_64B( Framed_Interface_Id ); | |
893 break; | |
894 | |
895 case RADIUS_ATTR_FRAMED_IPV6_PREFIX: | |
896 CONV2DIAM_STR( Framed_IPv6_Prefix ); | |
897 break; | |
898 | |
899 case RADIUS_ATTR_LOGIN_IPV6_HOST: | |
900 CONV2DIAM_STR( Login_IPv6_Host ); | |
901 break; | |
902 | |
903 /* Framed-IPv6-Route never present in an Access-Request */ | |
904 /* Framed-IPv6-Pool never present in an Access-Request */ | |
905 | |
906 | |
907 /* RFC 2868 */ | |
908 /* Prepare the top-level Tunneling AVP for each tag values, as needed, and add to the Diameter message. | |
909 This macro is called when an AVP is added inside the group, so we will not have empty grouped AVPs */ | |
910 #define AVP_TUN_PREPARE() { \ | |
911 if (avp_tun == NULL) { \ | |
912 CHECK_MALLOC( avp_tun = calloc(sizeof(struct avp *), 32 ) ); \ | |
913 } \ | |
914 tag = *(uint8_t *)(attr + 1); \ | |
915 if (tag > 0x1F) tag = 0; \ | |
916 if (avp_tun[tag] == NULL) { \ | |
271
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
917 CHECK_FCT( fd_msg_avp_new ( cs->dict.Tunneling, 0, &avp_tun[tag] ) ); \ |
256 | 918 CHECK_FCT( fd_msg_avp_add (*diam_fw, MSG_BRW_LAST_CHILD, avp_tun[tag]));\ |
919 } \ | |
920 } | |
921 | |
922 /* Convert an attribute to an OctetString AVP and add inside the Tunneling AVP corresponding to the tag */ | |
271
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
923 #define CONV2DIAM_TUN_STR( _dictobj_ ) { \ |
256 | 924 uint8_t tag; \ |
925 CHECK_PARAMS( attr->length >= 3); \ | |
926 AVP_TUN_PREPARE(); \ | |
927 CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ | |
928 value.os.len = attr->length - (tag ? 3 : 2); \ | |
929 value.os.data = ((unsigned char *)(attr + 1)) + (tag ? 1 : 0); \ | |
930 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ | |
931 CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \ | |
932 } | |
933 | |
934 /* Convert an attribute to a scalar AVP and add inside the Tunneling AVP corresponding to the tag */ | |
271
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
935 #define CONV2DIAM_TUN_24B( _dictobj_ ) { \ |
256 | 936 uint8_t tag; \ |
937 CHECK_PARAMS( attr->length == 6); \ | |
938 AVP_TUN_PREPARE(); \ | |
939 CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ | |
940 { \ | |
941 uint8_t * v = (uint8_t *)(attr + 1); \ | |
942 value.u32 = (v[1] << 16) | (v[2] <<8) | v[3] ; \ | |
943 } \ | |
944 CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ | |
945 CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \ | |
946 } | |
947 | |
948 /* | |
949 - If the RADIUS message contains Tunnel information [RADTunnels], | |
950 the attributes or tagged groups should each be converted to a | |
951 Diameter Tunneling Grouped AVP set. If the tunnel information | |
952 contains a Tunnel-Password attribute, the RADIUS encryption | |
953 must be resolved, and the password forwarded, by using Diameter | |
954 security methods. | |
955 -> If the RADIUS message does not use properly the Tag info, result is unpredictable here.. | |
956 */ | |
957 case RADIUS_ATTR_TUNNEL_TYPE: | |
958 CONV2DIAM_TUN_24B( Tunnel_Type ); | |
959 break; | |
960 | |
961 case RADIUS_ATTR_TUNNEL_MEDIUM_TYPE: | |
962 CONV2DIAM_TUN_24B( Tunnel_Medium_Type ); | |
963 break; | |
964 | |
965 case RADIUS_ATTR_TUNNEL_CLIENT_ENDPOINT: | |
966 CONV2DIAM_TUN_STR( Tunnel_Client_Endpoint ); | |
967 break; | |
968 | |
969 case RADIUS_ATTR_TUNNEL_SERVER_ENDPOINT: | |
970 CONV2DIAM_TUN_STR( Tunnel_Server_Endpoint ); | |
971 break; | |
972 | |
973 /* Tunnel-Password never present in an Access-Request */ | |
974 | |
975 case RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID: | |
976 CONV2DIAM_TUN_STR( Tunnel_Private_Group_Id ); | |
977 break; | |
978 | |
979 /* Tunnel-Assignment-ID never present in an Access-Request */ | |
980 | |
981 case RADIUS_ATTR_TUNNEL_PREFERENCE: | |
982 CONV2DIAM_TUN_24B( Tunnel_Preference ); | |
983 break; | |
984 | |
985 case RADIUS_ATTR_TUNNEL_CLIENT_AUTH_ID: | |
986 CONV2DIAM_TUN_STR( Tunnel_Client_Auth_Id ); | |
987 break; | |
988 | |
989 case RADIUS_ATTR_TUNNEL_SERVER_AUTH_ID: | |
990 CONV2DIAM_TUN_STR( Tunnel_Server_Auth_Id ); | |
991 break; | |
992 | |
993 | |
994 /* RFC 2869 */ | |
995 case RADIUS_ATTR_ARAP_PASSWORD: | |
996 CONV2DIAM_STR( ARAP_Password ); | |
997 break; | |
998 | |
999 /* ARAP-Features never present in an Access-Request */ | |
1000 /* ARAP-Zone-Access never present in an Access-Request */ | |
1001 | |
1002 case RADIUS_ATTR_ARAP_SECURITY: | |
1003 CONV2DIAM_32B( ARAP_Security ); | |
1004 break; | |
1005 | |
1006 case RADIUS_ATTR_ARAP_SECURITY_DATA: | |
1007 CONV2DIAM_STR( ARAP_Security_Data ); | |
1008 break; | |
1009 | |
1010 /* Password-Retry never present in an Access-Request */ | |
1011 /* Prompt never present in an Access-Request */ | |
1012 | |
1013 case RADIUS_ATTR_CONNECT_INFO: | |
1014 CONV2DIAM_STR( Connect_Info ); | |
1015 break; | |
1016 | |
1017 /* Configuration-Token never present in an Access-Request */ | |
1018 /* ARAP-Challenge-Response never present in an Access-Request */ | |
1019 /* Acct-Interim-Interval never present in an Access-Request */ | |
1020 | |
1021 case RADIUS_ATTR_NAS_PORT_ID: | |
1022 CONV2DIAM_STR( NAS_Port_Id ); | |
1023 break; | |
1024 | |
1025 /* Framed-Pool never present in an Access-Request */ | |
1026 | |
1027 | |
1028 /* RFC 2869 / 3579 */ | |
1029 case RADIUS_ATTR_ORIGINATING_LINE_INFO: | |
1030 CONV2DIAM_STR( Originating_Line_Info ); | |
1031 break; | |
1032 | |
1033 case RADIUS_ATTR_MESSAGE_AUTHENTICATOR: | |
1034 case RADIUS_ATTR_EAP_MESSAGE: | |
1035 /* It was already handled, just remove the attribute */ | |
1036 break; | |
1037 | |
1038 /* Default */ | |
1039 default: /* unknown attribute */ | |
1040 /* We just keep the attribute in the RADIUS message */ | |
1041 rad_req->attr_pos[nattr_used++] = rad_req->attr_pos[idx]; | |
1042 } | |
1043 } | |
1044 | |
1045 /* Destroy tunnel pointers (if we used it) */ | |
1046 free(avp_tun); | |
1047 | |
1048 /* Update the radius message to remove all handled attributes */ | |
1049 rad_req->attr_used = nattr_used; | |
1050 | |
1051 /* Store the request identifier in the session (if provided) */ | |
385
69057a6d68ec
Fix a possible race condition
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
384
diff
changeset
|
1052 if (*session) { |
256 | 1053 unsigned char * req_auth; |
1054 CHECK_MALLOC(req_auth = malloc(16)); | |
1055 memcpy(req_auth, &rad_req->hdr->authenticator[0], 16); | |
1056 | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
1057 CHECK_FCT( fd_sess_state_store( cs->sess_hdl, *session, &req_auth ) ); |
256 | 1058 } |
1059 | |
1060 return 0; | |
1061 } | |
1062 | |
356
e203fc0c95e3
Updated the app_radgw extension to allow more souple management of sessions, and stateful gateway features.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
296
diff
changeset
|
1063 static int auth_diam_ans( struct rgwp_config * cs, struct session * session, struct msg ** diam_ans, struct radius_msg ** rad_fw, struct rgw_client * cli, int * stateful ) |
256 | 1064 { |
273
bce8e5b7bf78
Added code to send an STR after a STOP accounting record in RADIUS
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
271
diff
changeset
|
1065 struct msg_hdr * hdr; |
256 | 1066 struct avp *avp, *next, *avp_x, *avp_y, *asid, *aoh; |
1067 struct avp_hdr *ahdr, *sid, *oh; | |
1068 char buf[254]; /* to store some attributes values (with final '\0') */ | |
1069 int ta_set = 0; | |
296
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1070 int no_str = 0; /* indicate if an STR is required for this server */ |
256 | 1071 uint8_t tuntag = 0; |
1072 unsigned char * req_auth = NULL; | |
1073 | |
1074 TRACE_ENTRY("%p %p %p %p %p", cs, session, diam_ans, rad_fw, cli); | |
1075 CHECK_PARAMS(cs && session && diam_ans && *diam_ans && rad_fw && *rad_fw); | |
1076 | |
1077 /* Retrieve the request identified which was stored in the session */ | |
1078 if (session) { | |
1079 CHECK_FCT( fd_sess_state_retrieve( cs->sess_hdl, session, &req_auth ) ); | |
1080 } | |
1081 | |
1082 /* | |
1083 - If the Diameter Command-Code is set to AA-Answer and the | |
1084 Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the | |
1085 gateway must send a RADIUS Access-Challenge. This must have | |
1086 the Origin-Host, Origin-Realm, and Diameter Session-Id AVPs | |
1087 encapsulated in the RADIUS State attribute, with the prefix | |
1088 "Diameter/", concatenated in the above order separated with "/" | |
1089 characters, in UTF-8 [UTF-8]. This is necessary to ensure that | |
1090 the Translation Agent receiving the subsequent RADIUS Access- | |
1091 Request will have access to the Session Identifier and be able | |
1092 to set the Destination-Host to the correct value. | |
1093 -> done here bellow | |
1094 | |
1095 - If the Command-Code is set to AA-Answer, the Diameter Session- | |
1096 Id AVP is saved in a new RADIUS Class attribute whose format | |
1097 consists of the string "Diameter/" followed by the Diameter | |
1098 Session Identifier. This will ensure that the subsequent | |
1099 Accounting messages, which could be received by any Translation | |
1100 Agent, would have access to the original Diameter Session | |
1101 Identifier. | |
1102 -> done here but only for Access-Accept messages (Result-Code = success) | |
1103 */ | |
1104 | |
1105 /* MACROS to help in the process: convert AVP data to RADIUS attributes. */ | |
1106 /* Control large attributes: _trunc_ = 0 => error; _trunc_ = 1 => truncate; _trunc = 2 => create several attributes */ | |
1107 #define CONV2RAD_STR( _attr_, _data_, _len_, _trunc_) { \ | |
1108 size_t __l = (size_t)(_len_); \ | |
1109 size_t __off = 0; \ | |
1110 TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ | |
1111 if ((_trunc_) == 0) { \ | |
1112 CHECK_PARAMS( __l <= 253 ); \ | |
1113 } \ | |
1114 if ((__l > 253) && (_trunc_ == 1)) { \ | |
1115 TRACE_DEBUG(INFO, "[auth.rgwx] AVP truncated in "#_attr_); \ | |
1116 __l = 253; \ | |
1117 } \ | |
1118 do { \ | |
1119 size_t __w = (__l > 253) ? 253 : __l; \ | |
1120 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (_data_) + __off, __w)); \ | |
1121 __off += __w; \ | |
1122 __l -= __w; \ | |
1123 } while (__l); \ | |
1124 } | |
1125 | |
1126 #define CONV2RAD_32B( _attr_, _data_) { \ | |
1127 uint32_t __v = htonl((uint32_t)(_data_)); \ | |
1128 TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ | |
1129 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ | |
1130 } | |
1131 | |
1132 #define CONV2RAD_64B( _attr_, _data_) { \ | |
1133 uint64_t __v = htonll((uint64_t)(_data_)); \ | |
1134 TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ | |
1135 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ | |
1136 } | |
1137 | |
1138 /* Search the different AVPs we handle here */ | |
1139 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Session_Id, &asid) ); | |
1140 CHECK_FCT( fd_msg_avp_hdr ( asid, &sid ) ); | |
1141 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Host, &aoh) ); | |
1142 CHECK_FCT( fd_msg_avp_hdr ( aoh, &oh ) ); | |
1143 | |
1144 /* Check the Diameter error code */ | |
1145 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Result_Code, &avp) ); | |
1146 ASSERT( avp ); /* otherwise the message should have been discarded a lot earlier because of ABNF */ | |
1147 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1148 switch (ahdr->avp_value->u32) { | |
1149 case ER_DIAMETER_MULTI_ROUND_AUTH: | |
1150 (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_CHALLENGE; | |
1151 break; | |
1152 case ER_DIAMETER_SUCCESS: | |
1153 case ER_DIAMETER_LIMITED_SUCCESS: | |
1154 (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_ACCEPT; | |
1155 break; | |
1156 | |
1157 default: | |
1158 (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_REJECT; | |
1159 fd_log_debug("[auth.rgwx] Received Diameter answer with error code '%d' from server '%.*s', session %.*s, translating into Access-Reject\n", | |
1160 ahdr->avp_value->u32, | |
1161 oh->avp_value->os.len, oh->avp_value->os.data, | |
1162 sid->avp_value->os.len, sid->avp_value->os.data); | |
1163 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Message, &avp) ); | |
1164 if (avp) { | |
1165 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1166 fd_log_debug("[auth.rgwx] Error-Message content: '%.*s'\n", | |
1167 ahdr->avp_value->os.len, ahdr->avp_value->os.data); | |
1168 } | |
1169 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Reporting_Host, &avp) ); | |
1170 if (avp) { | |
1171 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1172 fd_log_debug("[auth.rgwx] Error-Reporting-Host: '%.*s'\n", | |
1173 ahdr->avp_value->os.len, ahdr->avp_value->os.data); | |
1174 } | |
1175 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Failed_AVP, &avp) ); | |
1176 if (avp) { | |
1177 fd_log_debug("[auth.rgwx] Failed-AVP was included in the message.\n"); | |
1178 /* Dump its content ? */ | |
1179 } | |
1180 return 0; | |
1181 } | |
1182 /* Remove this Result-Code avp */ | |
1183 CHECK_FCT( fd_msg_free( avp ) ); | |
1184 | |
1185 /* Creation of the State or Class attribute with session information */ | |
1186 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Realm, &avp) ); | |
1187 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1188 | |
1189 /* Now, save the session-id and eventually server info in a STATE or CLASS attribute */ | |
1190 if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_CHALLENGE) { | |
1191 if (sizeof(buf) < snprintf(buf, sizeof(buf), "Diameter/%.*s/%.*s/%.*s", | |
1192 oh->avp_value->os.len, oh->avp_value->os.data, | |
1193 ahdr->avp_value->os.len, ahdr->avp_value->os.data, | |
1194 sid->avp_value->os.len, sid->avp_value->os.data)) { | |
1195 TRACE_DEBUG(INFO, "Data truncated in State attribute: %s", buf); | |
1196 } | |
1197 CONV2RAD_STR(RADIUS_ATTR_STATE, buf, strlen(buf), 0); | |
1198 } | |
296
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1199 |
256 | 1200 if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) { |
273
bce8e5b7bf78
Added code to send an STR after a STOP accounting record in RADIUS
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
271
diff
changeset
|
1201 /* Add the Session-Id */ |
256 | 1202 if (sizeof(buf) < snprintf(buf, sizeof(buf), "Diameter/%.*s", |
1203 sid->avp_value->os.len, sid->avp_value->os.data)) { | |
1204 TRACE_DEBUG(INFO, "Data truncated in Class attribute: %s", buf); | |
1205 } | |
1206 CONV2RAD_STR(RADIUS_ATTR_CLASS, buf, strlen(buf), 0); | |
1207 } | |
1208 | |
1209 /* Unlink the Origin-Realm now; the others are unlinked at the end of this function */ | |
1210 CHECK_FCT( fd_msg_free( avp ) ); | |
1211 | |
1212 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Session_Timeout, &avp) ); | |
1213 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Authorization_Lifetime, &avp_x) ); | |
1214 CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Re_Auth_Request_Type, &avp_y) ); | |
1215 /* | |
1216 When translating a Diameter AA-Answer (with successful result code) | |
1217 to RADIUS Access-Accept that contains a Session-Timeout or | |
1218 Authorization-Lifetime AVP, take the following steps: | |
1219 | |
1220 - If the Diameter message contains a Session-Timeout AVP but no | |
1221 Authorization-Lifetime AVP, translate it to a Session-Timeout | |
1222 attribute (not a Termination-Action). | |
1223 */ | |
1224 if ((avp != NULL) && (avp_x == NULL)) { | |
1225 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1226 CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); | |
1227 } | |
1228 | |
1229 /* | |
1230 - If the Diameter message contains an Authorization-Lifetime AVP | |
1231 but no Session-Timeout AVP, translate it to a Session-Timeout | |
1232 attribute and a Termination-Action set to AA-REQUEST. (Remove | |
1233 Authorization-Lifetime and Re-Auth-Request-Type.) | |
1234 */ | |
1235 if ((avp == NULL) && (avp_x != NULL)) { | |
1236 CHECK_FCT( fd_msg_avp_hdr ( avp_x, &ahdr ) ); | |
1237 CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); | |
1238 CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); | |
1239 ta_set = 1; | |
1240 } | |
1241 | |
1242 /* | |
1243 - If the Diameter message has both, the Session-Timeout must be | |
1244 greater than or equal to the Authorization-Lifetime (required | |
1245 by [BASE]). Translate it to a Session-Timeout value (with | |
1246 value from Authorization-Lifetime AVP, the smaller one) and | |
1247 with the Termination-Action set to AA-REQUEST. (Remove the | |
1248 Authorization-Lifetime and Re-Auth-Request-Type.) | |
1249 */ | |
1250 if ((avp != NULL) && (avp_x != NULL)) { | |
1251 CHECK_FCT( fd_msg_avp_hdr ( avp_x, &ahdr ) ); | |
1252 CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); | |
1253 CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); | |
1254 ta_set = 1; | |
1255 } | |
1256 | |
1257 /* -> Not too sure about Auth-Grace-Period... we'll just discard it for now */ | |
1258 | |
1259 if (avp) { | |
1260 CHECK_FCT( fd_msg_free( avp ) ); | |
1261 } | |
1262 if (avp_x) { | |
1263 CHECK_FCT( fd_msg_free( avp_x ) ); | |
1264 } | |
1265 if (avp_y) { | |
1266 CHECK_FCT( fd_msg_free( avp_y ) ); | |
1267 } | |
1268 | |
1269 | |
1270 /* | |
1271 - If a Proxy-State attribute was present in the RADIUS request, | |
1272 the same attribute is added in the response. This information | |
1273 may be found in the Proxy-Info AVP group, or in a local state | |
1274 table. | |
1275 -> handled by sub_echo_drop | |
1276 | |
1277 - If state information regarding the RADIUS request was saved in | |
1278 a Proxy-Info AVP or local state table, the RADIUS Identifier | |
1279 and UDP IP Address and port number are extracted and used in | |
1280 issuing the RADIUS reply. | |
1281 -> was saved with the full request | |
1282 */ | |
1283 | |
1284 | |
1285 /* Now loop in the list of AVPs and convert those that we know how */ | |
1286 CHECK_FCT( fd_msg_browse(*diam_ans, MSG_BRW_FIRST_CHILD, &next, NULL) ); | |
1287 | |
1288 while (next) { | |
1289 int handled = 1; | |
1290 avp = next; | |
1291 CHECK_FCT( fd_msg_browse(avp, MSG_BRW_NEXT, &next, NULL) ); | |
1292 | |
1293 CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); | |
1294 | |
1295 if (!(ahdr->avp_flags & AVP_FLAG_VENDOR)) { | |
1296 switch (ahdr->avp_code) { | |
1297 | |
1298 /* RFC 4005 (AVP in the order of the AA-Request/Answer AVP Table) */ | |
1299 case DIAM_ATTR_ACCT_INTERIM_INTERVAL: | |
1300 CONV2RAD_32B(RADIUS_ATTR_ACCT_INTERIM_INTERVAL, ahdr->avp_value->u32); | |
1301 break; | |
1302 | |
1303 case DIAM_ATTR_ARAP_CHALLENGE_RESPONSE: | |
1304 CONV2RAD_STR(RADIUS_ATTR_ARAP_CHALLENGE_RESPONSE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1305 break; | |
1306 | |
1307 case DIAM_ATTR_ARAP_FEATURES: | |
1308 CONV2RAD_STR(RADIUS_ATTR_ARAP_FEATURES, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1309 break; | |
1310 | |
1311 /* ARAP-Password is not present in answers */ | |
1312 | |
1313 case DIAM_ATTR_ARAP_SECURITY: | |
1314 CONV2RAD_32B(RADIUS_ATTR_ARAP_SECURITY, ahdr->avp_value->u32); | |
1315 break; | |
1316 | |
1317 case DIAM_ATTR_ARAP_SECURITY_DATA: | |
1318 CONV2RAD_STR(RADIUS_ATTR_ARAP_SECURITY_DATA, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1319 break; | |
1320 | |
1321 case DIAM_ATTR_ARAP_ZONE_ACCESS: | |
1322 CONV2RAD_32B(RADIUS_ATTR_ARAP_ZONE_ACCESS, ahdr->avp_value->u32); | |
1323 break; | |
1324 | |
1325 case DIAM_ATTR_AUTH_APPLICATION_ID: | |
1326 /* We just remove this AVP */ | |
1327 break; | |
1328 | |
1329 case DIAM_ATTR_AUTH_GRACE_PERIOD: | |
1330 /* We just remove this AVP (?) */ | |
1331 break; | |
1332 | |
1333 case DIAM_ATTR_AUTH_REQUEST_TYPE: | |
1334 /* We only check the value */ | |
1335 if (ahdr->avp_value->u32 != 3) { | |
1336 fd_log_debug("[auth.rgwx] Received Diameter answer with Auth-Request-Type set to %d (%s) from server %.*s, session %.*s.\n" | |
1337 " This may cause interoperability problems with RADIUS.\n", | |
1338 ahdr->avp_value->u32, | |
1339 (ahdr->avp_value->u32 == 1) ? "AUTHENTICATE_ONLY" : | |
1340 ((ahdr->avp_value->u32 == 2) ? "AUTHORIZE_ONLY" : "???"), | |
1341 oh->avp_value->os.len, oh->avp_value->os.data, | |
1342 sid->avp_value->os.len, sid->avp_value->os.len); | |
1343 } | |
1344 break; | |
1345 | |
1346 case DIAM_ATTR_AUTH_SESSION_STATE: | |
1347 if ((!ta_set) && (ahdr->avp_value->u32 == ACV_ASS_STATE_MAINTAINED)) { | |
1348 CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); | |
1349 } | |
296
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1350 |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1351 if (ahdr->avp_value->u32 == ACV_ASS_NO_STATE_MAINTAINED) { |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1352 no_str = 1; |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1353 } |
256 | 1354 break; |
1355 | |
1356 /* Authorization-Lifetime already handled */ | |
1357 | |
1358 case DIAM_ATTR_CALLBACK_ID: | |
1359 CONV2RAD_STR(RADIUS_ATTR_CALLBACK_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1360 break; | |
1361 | |
1362 case DIAM_ATTR_CALLBACK_NUMBER: | |
1363 CONV2RAD_STR(RADIUS_ATTR_CALLBACK_NUMBER, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1364 break; | |
1365 | |
1366 /* Called-Station-Id is not present in answers */ | |
1367 /* Calling-Station-Id is not present in answers */ | |
1368 /* CHAP-Auth is not present in answers */ | |
1369 /* CHAP-Challenge is not present in answers */ | |
1370 | |
1371 case DIAM_ATTR_CLASS: | |
1372 CONV2RAD_STR(RADIUS_ATTR_CLASS, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1373 break; | |
1374 | |
1375 case DIAM_ATTR_CONFIGURATION_TOKEN: | |
1376 /* We might as well remove it since it's not supposed to be sent to the NAS... */ | |
1377 CONV2RAD_STR(RADIUS_ATTR_CONFIGURATION_TOKEN, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1378 break; | |
1379 | |
1380 /* Connect-Info is not present in answers */ | |
1381 | |
1382 case DIAM_ATTR_FILTER_ID: | |
1383 CONV2RAD_STR(RADIUS_ATTR_FILTER_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1384 break; | |
1385 | |
1386 case DIAM_ATTR_FRAMED_APPLETALK_LINK: | |
1387 CONV2RAD_32B(RADIUS_ATTR_FRAMED_APPLETALK_LINK, ahdr->avp_value->u32); | |
1388 break; | |
1389 | |
1390 case DIAM_ATTR_FRAMED_APPLETALK_NETWORK: | |
1391 CONV2RAD_32B(RADIUS_ATTR_FRAMED_APPLETALK_NETWORK, ahdr->avp_value->u32); | |
1392 break; | |
1393 | |
1394 case DIAM_ATTR_FRAMED_APPLETALK_ZONE: | |
1395 CONV2RAD_STR(RADIUS_ATTR_FRAMED_APPLETALK_ZONE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1396 break; | |
1397 | |
1398 case DIAM_ATTR_FRAMED_COMPRESSION: | |
1399 CONV2RAD_32B(RADIUS_ATTR_FRAMED_COMPRESSION, ahdr->avp_value->u32); | |
1400 break; | |
1401 | |
1402 case DIAM_ATTR_FRAMED_INTERFACE_ID: | |
1403 CONV2RAD_64B(RADIUS_ATTR_FRAMED_INTERFACE_ID, ahdr->avp_value->u64); | |
1404 break; | |
1405 | |
1406 case DIAM_ATTR_FRAMED_IP_ADDRESS: | |
1407 CONV2RAD_STR(RADIUS_ATTR_FRAMED_IP_ADDRESS, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1408 break; | |
1409 | |
1410 case DIAM_ATTR_FRAMED_IP_NETMASK: | |
1411 CONV2RAD_STR(RADIUS_ATTR_FRAMED_IP_NETMASK, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1412 break; | |
1413 | |
1414 case DIAM_ATTR_FRAMED_IPV6_PREFIX: | |
1415 CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_PREFIX, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1416 break; | |
1417 | |
1418 case DIAM_ATTR_FRAMED_IPV6_POOL: | |
1419 CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_POOL, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1420 break; | |
1421 | |
1422 case DIAM_ATTR_FRAMED_IPV6_ROUTE: | |
1423 CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_ROUTE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1424 break; | |
1425 | |
1426 case DIAM_ATTR_FRAMED_IPX_NETWORK: | |
1427 CONV2RAD_32B(RADIUS_ATTR_FRAMED_IPX_NETWORK, ahdr->avp_value->u32); | |
1428 break; | |
1429 | |
1430 case DIAM_ATTR_FRAMED_MTU: | |
1431 CONV2RAD_32B(RADIUS_ATTR_FRAMED_MTU, ahdr->avp_value->u32); | |
1432 break; | |
1433 | |
1434 case DIAM_ATTR_FRAMED_POOL: | |
1435 CONV2RAD_STR(RADIUS_ATTR_FRAMED_POOL, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1436 break; | |
1437 | |
1438 case DIAM_ATTR_FRAMED_PROTOCOL: | |
1439 CONV2RAD_32B(RADIUS_ATTR_FRAMED_PROTOCOL, ahdr->avp_value->u32); | |
1440 break; | |
1441 | |
1442 case DIAM_ATTR_FRAMED_ROUTE: | |
1443 CONV2RAD_STR(RADIUS_ATTR_FRAMED_ROUTE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1444 break; | |
1445 | |
1446 case DIAM_ATTR_FRAMED_ROUTING: | |
1447 CONV2RAD_32B(RADIUS_ATTR_FRAMED_ROUTING, ahdr->avp_value->u32); | |
1448 break; | |
1449 | |
1450 case DIAM_ATTR_IDLE_TIMEOUT: | |
1451 CONV2RAD_32B(RADIUS_ATTR_IDLE_TIMEOUT, ahdr->avp_value->u32); | |
1452 break; | |
1453 | |
1454 case DIAM_ATTR_LOGIN_IP_HOST: | |
1455 CONV2RAD_STR(RADIUS_ATTR_LOGIN_IP_HOST, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1456 break; | |
1457 | |
1458 case DIAM_ATTR_LOGIN_IPV6_HOST: | |
1459 CONV2RAD_STR(RADIUS_ATTR_LOGIN_IPV6_HOST, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); | |
1460 break; | |
1461 | |
1462 case DIAM_ATTR_LOGIN_LAT_GROUP: | |
1463 CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_GROUP, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1464 break; | |
1465 | |
1466 case DIAM_ATTR_LOGIN_LAT_NODE: | |
1467 CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_NODE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1468 break; | |
1469 | |
1470 case DIAM_ATTR_LOGIN_LAT_PORT: | |
1471 CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_PORT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1472 break; | |
1473 | |
1474 case DIAM_ATTR_LOGIN_LAT_SERVICE: | |
1475 CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_SERVICE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1476 break; | |
1477 | |
1478 case DIAM_ATTR_LOGIN_SERVICE: | |
1479 CONV2RAD_32B(RADIUS_ATTR_LOGIN_SERVICE, ahdr->avp_value->u32); | |
1480 break; | |
1481 | |
1482 case DIAM_ATTR_LOGIN_TCP_PORT: | |
1483 CONV2RAD_32B(RADIUS_ATTR_LOGIN_TCP_PORT, ahdr->avp_value->u32); | |
1484 break; | |
1485 | |
1486 /* | |
1487 - If the | |
1488 Multi-Round-Time-Out AVP is present, the value of the AVP MUST | |
1489 be inserted in the RADIUS Session-Timeout AVP. | |
1490 | |
1491 o As described in [NASREQ], if the Result-Code AVP set to | |
1492 DIAMETER_MULTI_ROUND_AUTH and the Multi-Round-Time-Out AVP is | |
1493 present, it is translated to the RADIUS Session-Timeout attribute. | |
1494 */ | |
1495 case DIAM_ATTR_MULTI_ROUND_TIMEOUT: | |
1496 CONV2RAD_32B(RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32); | |
1497 break; | |
1498 | |
1499 case DIAM_ATTR_NAS_FILTER_RULE: | |
1500 /* This is not translatable to RADIUS */ | |
1501 fd_log_debug("[auth.rgwx] Received Diameter answer with non-translatable NAS-Filter-Rule AVP from '%.*s' (session: '%.*s'), ignoring.\n", | |
1502 oh->avp_value->os.len, oh->avp_value->os.data, | |
1503 sid->avp_value->os.len, sid->avp_value->os.data); | |
1504 handled = 0; | |
1505 break; | |
1506 | |
1507 /* NAS-Identifier is not present in answers */ | |
1508 /* NAS-IP-Address is not present in answers */ | |
1509 /* NAS-IPv6-Address is not present in answers */ | |
1510 /* NAS-Port is not present in answers */ | |
1511 /* NAS-Port-Id is not present in answers */ | |
1512 /* NAS-Port-Type is not present in answers */ | |
1513 | |
1514 case DIAM_ATTR_ORIGIN_AAA_PROTOCOL: | |
1515 /* We just remove this AVP */ | |
1516 break; | |
1517 | |
1518 /* Originating-Line-Info is not present in answers */ | |
1519 | |
1520 case DIAM_ATTR_PASSWORD_RETRY: | |
1521 CONV2RAD_32B(RADIUS_ATTR_PASSWORD_RETRY, ahdr->avp_value->u32); | |
1522 break; | |
1523 | |
1524 case DIAM_ATTR_PORT_LIMIT: | |
1525 CONV2RAD_32B(RADIUS_ATTR_PORT_LIMIT, ahdr->avp_value->u32); | |
1526 break; | |
1527 | |
1528 case DIAM_ATTR_PROMPT: | |
1529 CONV2RAD_32B(RADIUS_ATTR_PROMPT, ahdr->avp_value->u32); | |
1530 break; | |
1531 | |
1532 case DIAM_ATTR_QOS_FILTER_RULE: | |
1533 /* This is not translatable to RADIUS */ | |
1534 fd_log_debug("[auth.rgwx] Received Diameter answer with non-translatable QoS-Filter-Rule AVP from '%.*s' (session: '%.*s'), ignoring.\n", | |
1535 oh->avp_value->os.len, oh->avp_value->os.data, | |
1536 sid->avp_value->os.len, sid->avp_value->os.data); | |
1537 handled = 0; | |
1538 break; | |
1539 | |
1540 /* Re-Auth-Request-Type already handled */ | |
1541 | |
1542 case DIAM_ATTR_REPLY_MESSAGE: | |
1543 CONV2RAD_STR(RADIUS_ATTR_REPLY_MESSAGE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1544 break; | |
1545 | |
1546 case DIAM_ATTR_SERVICE_TYPE: | |
1547 CONV2RAD_32B(RADIUS_ATTR_SERVICE_TYPE, ahdr->avp_value->u32); | |
1548 break; | |
1549 | |
1550 case DIAM_ATTR_STATE: | |
1551 CONV2RAD_STR(RADIUS_ATTR_STATE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); | |
1552 break; | |
1553 | |
1554 case DIAM_ATTR_TUNNELING: | |
1555 { | |
1556 #define CONV2RAD_TUN_STR( _attr_, _data_, _len_, _trunc_) { \ | |
1557 size_t __l = (size_t)(_len_); \ | |
1558 size_t __w = (__l > 252) ? 252 : __l; \ | |
1559 size_t __off = 0; \ | |
1560 if ((_trunc_) == 0) { \ | |
1561 CHECK_PARAMS( __l <= 252 ); \ | |
1562 } \ | |
1563 if ((__l > 252) && (_trunc_ == 1)) { \ | |
1564 TRACE_DEBUG(FULL, "Attribute truncated!"); \ | |
1565 __l = 252; \ | |
1566 } \ | |
1567 buf[0] = tuntag; \ | |
1568 memcpy(&buf[1], (_data_), __w); \ | |
1569 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), &buf[0], __w + 1)); \ | |
1570 while (__l -= __w) { \ | |
1571 __off += __w; \ | |
1572 __w = (__l > 253) ? 253 : __l; \ | |
1573 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (_data_) + __off, __w)); \ | |
1574 } \ | |
1575 } | |
1576 | |
1577 #define CONV2RAD_TUN_32B( _attr_, _data_) { \ | |
1578 uint32_t __v = htonl((uint32_t)(_data_) | (tuntag << 24)); \ | |
1579 CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ | |
1580 } | |
1581 struct avp *inavp, *innext; | |
1582 tuntag++; | |
1583 CHECK_FCT( fd_msg_browse(avp, MSG_BRW_FIRST_CHILD, &innext, NULL) ); | |
1584 while (innext) { | |
1585 inavp = innext; | |
1586 CHECK_FCT( fd_msg_browse(inavp, MSG_BRW_NEXT, &innext, NULL) ); | |
1587 CHECK_FCT( fd_msg_avp_hdr ( inavp, &ahdr ) ); | |
1588 | |
1589 if (ahdr->avp_flags & AVP_FLAG_VENDOR == 0) { | |
1590 switch (ahdr->avp_code) { | |
1591 case DIAM_ATTR_TUNNEL_TYPE: | |
1592 CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_TYPE, ahdr->avp_value->u32); | |
1593 break; | |
1594 | |
1595 case DIAM_ATTR_TUNNEL_MEDIUM_TYPE: | |
1596 CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_MEDIUM_TYPE, ahdr->avp_value->u32); | |
1597 break; | |
1598 | |
1599 case DIAM_ATTR_TUNNEL_CLIENT_ENDPOINT: | |
1600 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_CLIENT_ENDPOINT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1601 break; | |
1602 | |
1603 case DIAM_ATTR_TUNNEL_SERVER_ENDPOINT: | |
1604 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_SERVER_ENDPOINT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1605 break; | |
1606 | |
1607 case DIAM_ATTR_TUNNEL_PREFERENCE: | |
1608 CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_PREFERENCE, ahdr->avp_value->u32); | |
1609 break; | |
1610 | |
1611 case DIAM_ATTR_TUNNEL_CLIENT_AUTH_ID: | |
1612 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_CLIENT_AUTH_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1613 break; | |
1614 | |
1615 case DIAM_ATTR_TUNNEL_SERVER_AUTH_ID: | |
1616 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_SERVER_AUTH_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1617 break; | |
1618 | |
271
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
1619 case DIAM_ATTR_TUNNEL_ASSIGNMENT_ID: |
411314907b43
Added translation of Accounting messages
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
264
diff
changeset
|
1620 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_ASSIGNMENT_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); |
256 | 1621 break; |
1622 | |
1623 case DIAM_ATTR_TUNNEL_PASSWORD: | |
1624 { | |
1625 /* This AVP must be encoded for RADIUS (similar to radius_msg_add_attr_user_password) | |
1626 0 1 2 3 | |
1627 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
1628 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
1629 | Type | Length | Tag | Salt | |
1630 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
1631 Salt (cont) | String ... | |
1632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
1633 */ | |
1634 size_t pos; | |
1635 int i; | |
1636 size_t buflen; | |
1637 uint8_t * secret; /* S */ | |
1638 size_t secret_len; | |
1639 uint8_t hash[16]; /* b(i) */ | |
1640 const uint8_t *addr[3]; | |
1641 size_t len[3]; | |
1642 | |
1643 /* We need the request authenticator */ | |
1644 CHECK_PARAMS(req_auth); | |
1645 | |
1646 /* Retrieve the shared secret */ | |
1647 CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); | |
1648 | |
1649 /* Beginning of the buffer */ | |
1650 buf[0] = tuntag; | |
1651 buf[1] = (uint8_t)(lrand48()); /* A (hi bits) */ | |
1652 buf[2] = (uint8_t)(lrand48()); /* A (low bits) */ | |
1653 | |
1654 /* The plain text string P */ | |
1655 CHECK_PARAM(ahdr->avp_value->os.len < 240); | |
1656 buf[3] = ahdr->avp_value->os.len; | |
1657 memcpy(&buf[4], ahdr->avp_value->os.data, ahdr->avp_value->os.len); | |
1658 memset(&buf[4 + ahdr->avp_value->os.len], 0, sizeof(buf) - 4 - ahdr->avp_value->os.len); | |
1659 | |
1660 /* Initial b1 = MD5(S + R + A) */ | |
1661 addr[0] = secret; | |
1662 len[0] = secret_len; | |
1663 addr[1] = req_auth; | |
1664 len[1] = 16; | |
1665 addr[2] = &buf[1]; | |
1666 len[2] = 2; | |
1667 md5_vector(3, addr, len, hash); | |
1668 | |
1669 /* Initial c(1) = p(1) xor b(1) */ | |
1670 for (i = 0; i < 16; i++) { | |
1671 buf[i + 3] ^= hash[i]; | |
1672 } | |
1673 pos = 16; | |
1674 | |
1675 /* loop */ | |
1676 while (pos < ahdr->avp_value->os.len + 1) { | |
1677 addr[0] = secret; | |
1678 len[0] = secret_len; | |
1679 addr[1] = &buf[pos - 13]; | |
1680 len[1] = 16; | |
1681 /* b(i) = MD5( S + c(i-1) */ | |
1682 md5_vector(2, addr, len, hash); | |
1683 | |
1684 /* c(i) = p(i) xor b(i) */ | |
1685 for (i = 0; i < 16; i++) | |
1686 buf[pos + i + 3] ^= hash[i]; | |
1687 | |
1688 pos += 16; | |
1689 } | |
1690 | |
1691 CONV2RAD_STR(RADIUS_ATTR_TUNNEL_PASSWORD, &buf[0], pos + 3, 0); | |
1692 } | |
1693 break; | |
1694 | |
1695 case DIAM_ATTR_TUNNEL_PRIVATE_GROUP_ID: | |
1696 CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1697 break; | |
1698 | |
1699 default: | |
1700 TRACE_DEBUG(FULL, "Ignored unknown AVP inside Tunneling AVP (%d)", ahdr->avp_code); | |
1701 } | |
1702 } else { | |
1703 TRACE_DEBUG(FULL, "Ignored unknown Vendor AVP inside Tunneling AVP (%d, %d)", ahdr->avp_vendor, ahdr->avp_code); | |
1704 } | |
1705 } | |
1706 } | |
1707 break; | |
1708 | |
1709 case DIAM_ATTR_USER_NAME: | |
1710 CONV2RAD_STR(RADIUS_ATTR_USER_NAME, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1711 break; | |
1712 | |
1713 /* User-Password never present in answers */ | |
1714 | |
1715 /* RFC 4072 (AVP in the order of the EAP Command AVP Table) */ | |
1716 /* | |
1717 o Diameter Accounting-EAP-Auth-Method AVPs, if present, are | |
1718 discarded. | |
1719 */ | |
1720 case DIAM_ATTR_ACCOUNTING_EAP_AUTH_METHOD: | |
1721 break; | |
1722 | |
1723 /* | |
1724 o Diameter EAP-Master-Session-Key AVP can be translated to the | |
1725 vendor-specific RADIUS MS-MPPE-Recv-Key and MS-MPPE-Send-Key | |
1726 attributes [RFC2548]. The first up to 32 octets of the key is | |
1727 stored into MS-MPPE-Recv-Key, and the next up to 32 octets (if | |
1728 present) are stored into MS-MPPE-Send-Key. The encryption of this | |
1729 attribute is described in [RFC2548]. | |
1730 */ | |
1731 case DIAM_ATTR_EAP_MASTER_SESSION_KEY: | |
1732 { | |
1733 uint8_t * secret; /* S */ | |
1734 size_t secret_len; | |
1735 size_t recv_len, send_len; | |
1736 | |
1737 /* We need the request authenticator */ | |
1738 CHECK_PARAMS(req_auth); | |
1739 | |
1740 /* Retrieve the shared secret */ | |
1741 CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); | |
1742 | |
1743 if (ahdr->avp_value->os.len != 64) { | |
1744 TRACE_DEBUG(INFO, "Received EAP-Master-Session-Key attribute with length %d != 64.\n", ahdr->avp_value->os.len) | |
1745 } | |
1746 | |
1747 CHECK_PARAMS(ahdr->avp_value->os.len <= 64); | |
1748 recv_len = ahdr->avp_value->os.len >= 32 ? 32 : ahdr->avp_value->os.len; | |
1749 send_len = ahdr->avp_value->os.len - recv_len; | |
1750 | |
1751 if ( ! radius_msg_add_mppe_keys(*rad_fw, req_auth, secret, secret_len, | |
1752 ahdr->avp_value->os.data + recv_len, send_len, | |
1753 ahdr->avp_value->os.data, recv_len) ) { | |
1754 TRACE_DEBUG(INFO, "Error while converting EAP-Master-Session-Key to RADIUS message"); | |
1755 return ENOMEM; | |
1756 } | |
1757 } | |
1758 break; | |
1759 | |
1760 case DIAM_ATTR_EAP_KEY_NAME: | |
1761 CONV2RAD_STR(RADIUS_ATTR_EAP_KEY_NAME, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); | |
1762 break; | |
1763 | |
1764 /* | |
1765 o Diameter EAP-Payload AVP is translated to RADIUS EAP-Message | |
1766 attribute(s). If necessary, the value is split into multiple | |
1767 RADIUS EAP-Message attributes. | |
1768 */ | |
1769 case DIAM_ATTR_EAP_PAYLOAD: | |
1770 if ( ! radius_msg_add_eap(*rad_fw, ahdr->avp_value->os.data, ahdr->avp_value->os.len) ) { | |
1771 TRACE_DEBUG(INFO, "Error while converting EAP payload to RADIUS message"); | |
1772 return ENOMEM; | |
1773 } | |
1774 break; | |
1775 | |
1776 /* | |
1777 o Diameter EAP-Reissued-Payload AVP is translated to a message that | |
1778 contains RADIUS EAP-Message attribute(s), and a RADIUS Error-Cause | |
1779 attribute [RFC3576] with value 202 (decimal), "Invalid EAP Packet | |
1780 (Ignored)" [RFC3579]. | |
1781 */ | |
1782 case DIAM_ATTR_EAP_REISSUED_PAYLOAD: | |
1783 if ( ! radius_msg_add_eap(*rad_fw, ahdr->avp_value->os.data, ahdr->avp_value->os.len) ) { | |
1784 TRACE_DEBUG(INFO, "Error while converting EAP reissued payload to RADIUS message"); | |
1785 return ENOMEM; | |
1786 } | |
1787 | |
1788 if ( ! radius_msg_add_attr_int32(*rad_fw, RADIUS_ATTR_ERROR_CAUSE, 202) ) { | |
1789 TRACE_DEBUG(INFO, "Error while adding Error-Cause attribute in RADIUS message"); | |
1790 return ENOMEM; | |
1791 } | |
1792 break; | |
1793 | |
1794 default: | |
1795 /* Leave the AVP in the message for further treatment */ | |
1796 handled = 0; | |
1797 } | |
1798 } else { | |
1799 /* Vendor-specific AVPs */ | |
1800 switch (ahdr->avp_vendor) { | |
1801 | |
1802 default: /* unknown vendor */ | |
1803 handled = 0; | |
1804 } | |
1805 } | |
1806 | |
1807 if (handled) { | |
1808 CHECK_FCT( fd_msg_free( avp ) ); | |
1809 } | |
1810 } | |
1811 | |
1812 CHECK_FCT( fd_msg_free( asid ) ); | |
1813 CHECK_FCT( fd_msg_free( aoh ) ); | |
1814 free(req_auth); | |
1815 | |
296
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1816 if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) { |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1817 /* Add the auth-application-id required for STR, or 0 if no STR is required */ |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1818 CHECK_FCT( fd_msg_hdr( *diam_ans, &hdr ) ); |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1819 if (sizeof(buf) < snprintf(buf, sizeof(buf), CLASS_AAI_PREFIX "%u", |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1820 no_str ? 0 : hdr->msg_appl)) { |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1821 TRACE_DEBUG(INFO, "Data truncated in Class attribute: %s", buf); |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1822 } |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1823 CONV2RAD_STR(RADIUS_ATTR_CLASS, buf, strlen(buf), 0); |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1824 } |
e11a9f90a65a
Do not send STR if the auth server sent NO_STATE_MAINTAINED
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
273
diff
changeset
|
1825 |
256 | 1826 return 0; |
1827 } | |
1828 | |
1829 /* The exported symbol */ | |
1830 struct rgw_api rgwp_descriptor = { | |
1831 .rgwp_name = "auth", | |
1832 .rgwp_conf_parse = auth_conf_parse, | |
1833 .rgwp_conf_free = auth_conf_free, | |
1834 .rgwp_rad_req = auth_rad_req, | |
1835 .rgwp_diam_ans = auth_diam_ans | |
1836 }; |