Mercurial > hg > freeDiameter
view extensions/app_radgw/rgwx_auth.c @ 526:6fe3e5cf9fb2
Added a flag to disable NAI routing in RADIUS/Diameter gw
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Wed, 01 Sep 2010 16:21:15 +0900 |
| parents | ddbcd21af4e0 |
| children | 4cb8f63a0f67 |
line wrap: on
line source
/********************************************************************************************************* * Software License Agreement (BSD License) * * Author: Sebastien Decugis <sdecugis@nict.go.jp> * * * * Copyright (c) 2010, WIDE Project and NICT * * All rights reserved. * * * * Redistribution and use of this software in source and binary forms, with or without modification, are * * permitted provided that the following conditions are met: * * * * * Redistributions of source code must retain the above * * copyright notice, this list of conditions and the * * following disclaimer. * * * * * Redistributions in binary form must reproduce the above * * copyright notice, this list of conditions and the * * following disclaimer in the documentation and/or other * * materials provided with the distribution. * * * * * Neither the name of the WIDE Project or NICT nor the * * names of its contributors may be used to endorse or * * promote products derived from this software without * * specific prior written permission of WIDE Project and * * NICT. * * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * *********************************************************************************************************/ /* RADIUS Access-Request messages translation plugin */ #include "rgw_common.h" /* Attributes missing from radius.h */ #define RADIUS_ATTR_CHAP_PASSWORD 3 #define RADIUS_ATTR_ARAP_PASSWORD 70 /* Other constants we use */ #define AI_NASREQ 1 /* Diameter NASREQ */ #define AI_EAP 5 /* Diameter EAP application */ #define CC_AA 265 /* AAR */ #define CC_DIAMETER_EAP 268 /* DER */ #define ACV_ART_AUTHORIZE_AUTHENTICATE 3 /* AUTHORIZE_AUTHENTICATE */ #define ACV_OAP_RADIUS 1 /* RADIUS */ #define ACV_ASS_STATE_MAINTAINED 0 /* STATE_MAINTAINED */ #define ACV_ASS_NO_STATE_MAINTAINED 1 /* NO_STATE_MAINTAINED */ #define ER_DIAMETER_MULTI_ROUND_AUTH 1001 #define ER_DIAMETER_LIMITED_SUCCESS 2002 /* The state we keep for this plugin */ struct rgwp_config { struct { struct dict_object * ARAP_Password; /* ARAP-Password */ struct dict_object * ARAP_Security; /* ARAP-Security */ struct dict_object * ARAP_Security_Data; /* ARAP-Security-Data */ struct dict_object * Auth_Application_Id; /* Auth-Application-Id */ struct dict_object * Auth_Request_Type; /* Auth-Request-Type */ struct dict_object * Authorization_Lifetime; /* Authorization-Lifetime */ struct dict_object * Callback_Number; /* Callback-Number */ struct dict_object * Called_Station_Id; /* Called-Station-Id */ struct dict_object * Calling_Station_Id; /* Calling-Station-Id */ struct dict_object * CHAP_Algorithm; /* CHAP-Algorithm */ struct dict_object * CHAP_Auth; /* CHAP-Auth */ struct dict_object * CHAP_Challenge; /* CHAP-Challenge */ struct dict_object * CHAP_Ident; /* CHAP-Ident */ struct dict_object * CHAP_Response; /* CHAP-Response */ struct dict_object * Destination_Host; /* Destination-Host */ struct dict_object * Destination_Realm; /* Destination-Realm */ struct dict_object * Connect_Info; /* Connect-Info */ struct dict_object * EAP_Payload; /* EAP-Payload */ struct dict_object * Error_Message; /* Error-Message */ struct dict_object * Error_Reporting_Host; /* Error-Reporting-Host */ struct dict_object * Failed_AVP; /* Failed-AVP */ struct dict_object * Framed_Compression; /* Framed-Compression */ struct dict_object * Framed_IP_Address; /* Framed-IP-Address */ struct dict_object * Framed_IP_Netmask; /* Framed-IP-Netmask */ struct dict_object * Framed_Interface_Id; /* Framed-Interface-Id */ struct dict_object * Framed_IPv6_Prefix; /* Framed-IPv6-Prefix */ struct dict_object * Framed_MTU; /* Framed-MTU */ struct dict_object * Framed_Protocol; /* Framed-Protocol */ struct dict_object * Login_IP_Host; /* Login-IP-Host */ struct dict_object * Login_IPv6_Host; /* Login-IPv6-Host */ struct dict_object * Login_LAT_Group; /* Login-LAT-Group */ struct dict_object * Login_LAT_Node; /* Login-LAT-Node */ struct dict_object * Login_LAT_Port; /* Login-LAT-Port */ struct dict_object * Login_LAT_Service; /* Login-LAT-Service */ struct dict_object * NAS_Identifier; /* NAS-Identifier */ struct dict_object * NAS_IP_Address; /* NAS-IP-Address */ struct dict_object * NAS_IPv6_Address; /* NAS-IPv6-Address */ struct dict_object * NAS_Port; /* NAS-Port */ struct dict_object * NAS_Port_Id; /* NAS-Port-Id */ struct dict_object * NAS_Port_Type; /* NAS-Port-Type */ struct dict_object * Origin_AAA_Protocol; /* Origin-AAA-Protocol */ struct dict_object * Origin_Host; /* Origin-Host */ struct dict_object * Origin_Realm; /* Origin-Realm */ struct dict_object * Originating_Line_Info; /* Originating-Line-Info */ struct dict_object * Port_Limit; /* Port-Limit */ struct dict_object * Re_Auth_Request_Type; /* Re-Auth-Request-Type */ struct dict_object * Result_Code; /* Result-Code */ struct dict_object * Service_Type; /* Service-Type */ struct dict_object * Session_Id; /* Session-Id */ struct dict_object * Session_Timeout; /* Session-Timeout */ struct dict_object * State; /* State */ struct dict_object * Tunneling; /* Tunneling */ struct dict_object * Tunnel_Type; /* Tunnel-Type */ struct dict_object * Tunnel_Medium_Type; /* Tunnel-Medium-Type */ struct dict_object * Tunnel_Client_Endpoint; /* Tunnel-Client-Endpoint */ struct dict_object * Tunnel_Server_Endpoint; /* Tunnel-Server-Endpoint */ struct dict_object * Tunnel_Private_Group_Id; /* Tunnel-Private-Group-Id */ struct dict_object * Tunnel_Preference; /* Tunnel-Preference */ struct dict_object * Tunnel_Client_Auth_Id; /* Tunnel-Client-Auth-Id */ struct dict_object * Tunnel_Server_Auth_Id; /* Tunnel-Server-Auth-Id */ struct dict_object * User_Name; /* User-Name */ struct dict_object * User_Password; /* User-Password */ } dict; /* cache of the dictionary objects we use */ struct session_handler * sess_hdl; /* We store RADIUS request authenticator information in the session */ char * confstr; int ignore_nai; }; /* Initialize the plugin */ static int auth_conf_parse(char * confstr, struct rgwp_config ** state) { struct rgwp_config * new; struct dict_object * app; TRACE_ENTRY("%p %p", confstr, state); CHECK_PARAMS( state ); CHECK_MALLOC( new = malloc(sizeof(struct rgwp_config)) ); memset(new, 0, sizeof(struct rgwp_config)); CHECK_FCT( fd_sess_handler_create( &new->sess_hdl, free ) ); new->confstr = confstr; if (strstr(confstr, "nonai")) new->ignore_nai = 1; /* Resolve all dictionary objects we use */ CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Password", &new->dict.ARAP_Password, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security", &new->dict.ARAP_Security, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security-Data", &new->dict.ARAP_Security_Data, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Application-Id", &new->dict.Auth_Application_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Request-Type", &new->dict.Auth_Request_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Authorization-Lifetime", &new->dict.Authorization_Lifetime, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Callback-Number", &new->dict.Callback_Number, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Called-Station-Id", &new->dict.Called_Station_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Calling-Station-Id", &new->dict.Calling_Station_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Algorithm", &new->dict.CHAP_Algorithm, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Auth", &new->dict.CHAP_Auth, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Challenge", &new->dict.CHAP_Challenge, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Ident", &new->dict.CHAP_Ident, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "CHAP-Response", &new->dict.CHAP_Response, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Connect-Info", &new->dict.Connect_Info, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Host", &new->dict.Destination_Host, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Realm", &new->dict.Destination_Realm, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "EAP-Payload", &new->dict.EAP_Payload, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Message", &new->dict.Error_Message, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Reporting-Host", &new->dict.Error_Reporting_Host, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Failed-AVP", &new->dict.Failed_AVP, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Compression", &new->dict.Framed_Compression, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Address", &new->dict.Framed_IP_Address, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Netmask", &new->dict.Framed_IP_Netmask, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Interface-Id", &new->dict.Framed_Interface_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPv6-Prefix", &new->dict.Framed_IPv6_Prefix, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-MTU", &new->dict.Framed_MTU, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Protocol", &new->dict.Framed_Protocol, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IP-Host", &new->dict.Login_IP_Host, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IPv6-Host", &new->dict.Login_IPv6_Host, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Group", &new->dict.Login_LAT_Group, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Node", &new->dict.Login_LAT_Node, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Port", &new->dict.Login_LAT_Port, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Service", &new->dict.Login_LAT_Service, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Identifier", &new->dict.NAS_Identifier, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IP-Address", &new->dict.NAS_IP_Address, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IPv6-Address", &new->dict.NAS_IPv6_Address, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port", &new->dict.NAS_Port, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Id", &new->dict.NAS_Port_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Type", &new->dict.NAS_Port_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-AAA-Protocol", &new->dict.Origin_AAA_Protocol, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Host", &new->dict.Origin_Host, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Realm", &new->dict.Origin_Realm, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Originating-Line-Info", &new->dict.Originating_Line_Info, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Port-Limit", &new->dict.Port_Limit, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Re-Auth-Request-Type", &new->dict.Re_Auth_Request_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Result-Code", &new->dict.Result_Code, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Service-Type", &new->dict.Service_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Id", &new->dict.Session_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Timeout", &new->dict.Session_Timeout, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "State", &new->dict.State, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunneling", &new->dict.Tunneling, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Type", &new->dict.Tunnel_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Medium-Type", &new->dict.Tunnel_Medium_Type, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Endpoint", &new->dict.Tunnel_Client_Endpoint, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Endpoint", &new->dict.Tunnel_Server_Endpoint, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Private-Group-Id", &new->dict.Tunnel_Private_Group_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Preference", &new->dict.Tunnel_Preference, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Auth-Id", &new->dict.Tunnel_Client_Auth_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Auth-Id", &new->dict.Tunnel_Server_Auth_Id, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "User-Name", &new->dict.User_Name, ENOENT) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "User-Password", &new->dict.User_Password, ENOENT) ); /* This plugin provides the following Diameter authentication applications support: */ CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_APPLICATION, APPLICATION_BY_NAME, "Diameter Network Access Server Application", &app, ENOENT) ); CHECK_FCT( fd_disp_app_support ( app, NULL, 1, 0 ) ); CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_APPLICATION, APPLICATION_BY_NAME, "Diameter Extensible Authentication Protocol (EAP) Application", &app, ENOENT) ); CHECK_FCT( fd_disp_app_support ( app, NULL, 1, 0 ) ); *state = new; return 0; } /* deinitialize */ static void auth_conf_free(struct rgwp_config * state) { TRACE_ENTRY("%p", state); CHECK_PARAMS_DO( state, return ); CHECK_FCT_DO( fd_sess_handler_destroy( &state->sess_hdl ), ); free(state); return; } /* Handle an incoming RADIUS request */ static int auth_rad_req( struct rgwp_config * cs, struct session ** session, struct radius_msg * rad_req, struct radius_msg ** rad_ans, struct msg ** diam_fw, struct rgw_client * cli ) { int idx; int got_id = 0; int got_mac = 0; int got_passwd = 0; int got_eap = 0; int got_empty_eap = 0; const char * prefix = "Diameter/"; size_t pref_len; uint8_t * dh = NULL; size_t dh_len = 0; uint8_t * dr = NULL; size_t dr_len = 0; uint8_t * si = NULL; size_t si_len = 0; uint8_t * un = NULL; size_t un_len = 0; size_t nattr_used = 0; struct avp ** avp_tun = NULL, *avp = NULL; union avp_value value; TRACE_ENTRY("%p %p %p %p %p %p", cs, session, rad_req, rad_ans, diam_fw, cli); CHECK_PARAMS(cs && session && rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCESS_REQUEST) && rad_ans && diam_fw && *diam_fw); pref_len = strlen(prefix); /* Guidelines: http://tools.ietf.org/html/rfc4005#section-9.1 http://tools.ietf.org/html/rfc4072#section-6.1 When a Translation Agent receives a RADIUS message, the following steps should be taken: - If a Message-Authenticator attribute is present, the value MUST be checked but not included in the Diameter message. If it is incorrect, the RADIUS message should be silently discarded. The gateway system SHOULD generate and include a Message- Authenticator in returned RADIUS responses. -> done in rgw_msg_auth_check - The transport address of the sender MUST be checked against the NAS identifying attributes. See the description of NAS- Identifier and NAS-IP-Address below. -> done in rgw_clients_check_origin - The Translation Agent must maintain transaction state information relevant to the RADIUS request, such as the Identifier field in the RADIUS header, any existing RADIUS Proxy-State attribute, and the source IP address and port number of the UDP packet. These may be maintained locally in a state table or saved in a Proxy-Info AVP group. A Diameter Session-Id AVP value must be created using a session state mapping mechanism. -> Identifier, source and port are saved along with the request, and associated with the session state. -> sub_echo_drop should handle the Proxy-State attribute (conf issue) - The Diameter Origin-Host and Origin-Realm AVPs MUST be created and added by using the information from an FQDN corresponding to the NAS-IP-Address attribute (preferred if available), and/or to the NAS-Identifier attribute. (Note that the RADIUS NAS-Identifier is not required to be an FQDN.) -> done in rgw_msg_create_base. - The response MUST have an Origin-AAA-Protocol AVP added, indicating the protocol of origin of the message. -> what "response" ??? Added to the AAR / DER in this function. - The Proxy-Info group SHOULD be added, with the local server's identity specified in the Proxy-Host AVP. This should ensure that the response is returned to this system. -> We don't need this, answer is always routed here anyway. For EAP: o RADIUS EAP-Message attribute(s) are translated to a Diameter EAP-Payload AVP. If multiple RADIUS EAP-Message attributes are present, they are concatenated and translated to a single Diameter EAP-Payload AVP. -> concatenation done by radius_msg_get_eap -> the remaining is specific conversion rules */ /* Check basic information is there, and also retrieve some attribute information */ for (idx = 0; idx < rad_req->attr_used; idx++) { struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]); uint8_t * attr_val = (uint8_t *)(attr + 1); size_t attr_len = attr->length - sizeof(struct radius_attr_hdr); switch (attr->type) { case RADIUS_ATTR_NAS_IP_ADDRESS: case RADIUS_ATTR_NAS_IDENTIFIER: case RADIUS_ATTR_NAS_IPV6_ADDRESS: got_id = 1; break; case RADIUS_ATTR_MESSAGE_AUTHENTICATOR: got_mac = 1; break; case RADIUS_ATTR_EAP_MESSAGE: got_eap = 1; if (attr->length == 2) got_empty_eap = 1; break; case RADIUS_ATTR_USER_PASSWORD: case RADIUS_ATTR_CHAP_PASSWORD: case RADIUS_ATTR_ARAP_PASSWORD: got_passwd += 1; break; /* Is there a State attribute with prefix "Diameter/" in the message? (in that case: Diameter/Destination-Host/Destination-Realm/Session-Id) */ /* NOTE: RFC4005 says "Origin-Host" here, but it's not coherent with the rules for answers. Destination-Host makes more sense */ case RADIUS_ATTR_STATE: if ((attr_len > pref_len + 5 /* for the '/'s and non empty strings */ ) && ! memcmp(attr_val, prefix, pref_len)) { int i, start; TRACE_DEBUG(ANNOYING, "Found a State attribute with '%s' prefix (attr #%d).", prefix, idx); /* Now parse the value and check its content is valid. Unfortunately we cannot use strchr here since strings are not \0-terminated */ i = start = pref_len; dh = attr_val + i; for (; (i < attr_len - 2) && (attr_val[i] != '/'); i++) /* loop */; if ( i >= attr_len - 2 ) continue; /* the attribute format is not good */ dh_len = i - start; start = ++i; dr = attr_val + i; for (; (i < attr_len - 1) && (attr_val[i] != '/'); i++) /* loop */; if ( i >= attr_len - 1 ) continue; /* the attribute format is not good */ dr_len = i - start; i++; si = attr_val + i; si_len = attr_len - i; TRACE_DEBUG(ANNOYING, "Attribute parsed successfully: DH:'%.*s' DR:'%.*s' SI:'%.*s'.", dh_len, dh, dr_len, dr, si_len, si); /* Remove from the message */ for (i = idx + 1; i < rad_req->attr_used; i++) rad_req->attr_pos[i - 1] = rad_req->attr_pos[i]; rad_req->attr_used -= 1; idx--; } break; case RADIUS_ATTR_USER_NAME: TRACE_DEBUG(ANNOYING, "Found a User-Name attribute: '%.*s'", attr_len, attr_len ? (char *)attr_val : ""); un = attr_val; un_len = attr_len; break; } } if (!got_id) { TRACE_DEBUG(INFO, "RADIUS Access-Request did not contain a NAS IP or Identifier attribute, reject."); return EINVAL; } /* [Note 1] An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator. A RADIUS server receiving an Access-Request not containing any of those four attributes and also not containing a Message-Authenticator attribute SHOULD silently discard it. */ if (((got_eap + got_passwd) > 1) || (got_eap && !got_mac) || (!got_eap && !got_passwd && !got_mac)) { TRACE_DEBUG(INFO, "RADIUS Access-Request not conform to RFC3579 sec 3.3 note 1, discard."); return EINVAL; } /* - If the RADIUS request contained a State attribute and the prefix of the data is "Diameter/", the data following the prefix contains the Diameter Origin-Host/Origin-Realm/Session- Id. If no such attributes are present and the RADIUS command is an Access-Request, a new Session-Id is created. The Session-Id is included in the Session-Id AVP. */ /* Add the Destination-Realm AVP */ CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Realm, 0, &avp ) ); if (dr) { value.os.data = (unsigned char *)dr; value.os.len = dr_len; } else { int i = 0; if (un && ! cs->ignore_nai) { /* Is there an '@' in the user name? We don't care for decorated NAI here */ for (i = un_len - 2; i > 0; i--) { if (un[i] == '@') { i++; break; } } } if (i <= 0) { /* Not found in the User-Name => we use the local domain of this gateway */ value.os.data = (uint8_t *)fd_g_config->cnf_diamrlm; value.os.len = fd_g_config->cnf_diamrlm_len; } else { value.os.data = un + i; value.os.len = un_len - i; } } CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, *session ? MSG_BRW_LAST_CHILD : MSG_BRW_FIRST_CHILD, avp) ); /* Add the Destination-Host if found */ if (dh) { CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Host, 0, &avp ) ); value.os.data = (unsigned char *)dh; value.os.len = dh_len; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, *session ? MSG_BRW_LAST_CHILD : MSG_BRW_FIRST_CHILD, avp) ); } /* Create the session if it is not already done */ if (*session == NULL) { char * sess_str = NULL; if (si_len) { /* We already have the Session-Id, just use it */ CHECK_FCT( fd_sess_fromsid ( (char *) /* this cast will be removed later */ si, si_len, session, NULL) ); } else { /* Create a new Session-Id string */ char * fqdn; char * realm; /* Get information on the RADIUS client */ CHECK_FCT( rgw_clients_get_origin(cli, &fqdn, &realm) ); /* If we have a user name, create the new session with it */ if (un) { int len; /* If not found, create a new Session-Id. The format is: {fqdn;hi32;lo32;username;diamid} */ CHECK_MALLOC( sess_str = malloc(un_len + 1 /* ';' */ + fd_g_config->cnf_diamid_len + 1 /* '\0' */) ); len = sprintf(sess_str, "%.*s;%s", (int)un_len, un, fd_g_config->cnf_diamid); CHECK_FCT( fd_sess_new(session, fqdn, sess_str, len) ); free(sess_str); } else { /* We don't have enough information to create the Session-Id, the RADIUS message is probably invalid */ TRACE_DEBUG(INFO, "RADIUS Access-Request does not contain a User-Name attribute, rejecting."); return EINVAL; } } /* Now, add the Session-Id AVP at beginning of Diameter message */ CHECK_FCT( fd_sess_getsid(*session, &sess_str) ); TRACE_DEBUG(FULL, "[auth.rgwx] Translating new message for session '%s'...", sess_str); /* Add the Session-Id AVP as first AVP */ CHECK_FCT( fd_msg_avp_new ( cs->dict.Session_Id, 0, &avp ) ); value.os.data = (unsigned char *)sess_str; value.os.len = strlen(sess_str); CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_FIRST_CHILD, avp) ); } /* Add the appropriate command code & Auth-Application-Id */ { struct msg_hdr * header = NULL; CHECK_FCT( fd_msg_hdr ( *diam_fw, &header ) ); header->msg_flags = CMD_FLAG_REQUEST | CMD_FLAG_PROXIABLE; if (got_eap) { header->msg_code = CC_DIAMETER_EAP; header->msg_appl = AI_EAP; } else { header->msg_code = CC_AA; header->msg_appl = AI_NASREQ; } /* Add the Auth-Application-Id */ { CHECK_FCT( fd_msg_avp_new ( cs->dict.Auth_Application_Id, 0, &avp ) ); value.i32 = header->msg_appl; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } } /* The type of request is identified through the Auth-Request-Type AVP [BASE]. The recommended value for most RADIUS interoperabily situations is AUTHORIZE_AUTHENTICATE. */ /* Add Auth-Request-Type AVP */ { CHECK_FCT( fd_msg_avp_new ( cs->dict.Auth_Request_Type, 0, &avp ) ); value.i32 = ACV_ART_AUTHORIZE_AUTHENTICATE; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } /* Add Origin-AAA-Protocol AVP */ { CHECK_FCT( fd_msg_avp_new ( cs->dict.Origin_AAA_Protocol, 0, &avp ) ); value.i32 = ACV_OAP_RADIUS; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } /* Convert the EAP payload (concat RADIUS attributes) */ if (got_eap) { CHECK_FCT( fd_msg_avp_new ( cs->dict.EAP_Payload, 0, &avp ) ); /* o An empty RADIUS EAP-Message attribute (with length 2) signifies EAP-Start, and it is translated to an empty EAP-Payload AVP. */ if (got_empty_eap) { value.os.len = 0; value.os.data = (uint8_t *)""; } else { CHECK_MALLOC( value.os.data = radius_msg_get_eap(rad_req, &value.os.len) ); } CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } /* Tunnel AVPs need some preparation */ /* Convert the attributes one by one */ for (idx = 0; idx < rad_req->attr_used; idx++) { struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]); switch (attr->type) { /* This macro converts a RADIUS attribute to a Diameter AVP of type OctetString */ #define CONV2DIAM_STR( _dictobj_ ) \ CHECK_PARAMS( attr->length >= 2 ); \ /* Create the AVP with the specified dictionary model */ \ CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ value.os.len = attr->length - 2; \ value.os.data = (unsigned char *)(attr + 1); \ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ /* Add the AVP in the Diameter message. */ \ CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ /* Same thing, for scalar AVPs of 32 bits */ #define CONV2DIAM_32B( _dictobj_ ) \ CHECK_PARAMS( attr->length == 6 ); \ CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ { \ uint8_t * v = (uint8_t *)(attr + 1); \ value.u32 = (v[0] << 24) \ | (v[1] << 16) \ | (v[2] << 8) \ | v[3] ; \ } \ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ /* And the 64b version */ #define CONV2DIAM_64B( _dictobj_ ) \ CHECK_PARAMS( attr->length == 10); \ CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ { \ uint8_t * v = (uint8_t *)(attr + 1); \ value.u64 = ((uint64_t)(v[0]) << 56) \ | ((uint64_t)(v[1]) << 48) \ | ((uint64_t)(v[2]) << 40) \ | ((uint64_t)(v[3]) << 32) \ | ((uint64_t)(v[4]) << 24) \ | ((uint64_t)(v[5]) << 16) \ | ((uint64_t)(v[6]) << 8) \ | (uint64_t)(v[7]) ; \ } \ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \ /* RFC 2865 */ /* - The Destination-Realm AVP is created from the information found in the RADIUS User-Name attribute. -> done in rgw_msg_create_base */ case RADIUS_ATTR_USER_NAME: CONV2DIAM_STR( User_Name ); break; /* - If the RADIUS User-Password attribute is present, the password must be unencrypted by using the link's RADIUS shared secret. The unencrypted value must be forwarded in a User-Password AVP using Diameter security. */ case RADIUS_ATTR_USER_PASSWORD: if ((attr->length - 2) % 16) { TRACE_DEBUG(INFO, "Invalid length of User-Password attribute: %hhd", attr->length); return EINVAL; } { /* Decipher following this logic (refers to rfc2865#section-5.2 ) b1 = MD5(S + RA) p1 = c(1) xor b1 b2 = MD5(S + c(1)) p2 = c(2) xor b2 ... */ uint8_t *ciph = (uint8_t *)(attr+1); /* c(i) */ size_t ciph_len = attr->length - 2; uint8_t deciph[128]; /* pi */ size_t deciph_len = 0; uint8_t * secret; /* S */ size_t secret_len; uint8_t hash[16]; /* b(i) */ const uint8_t *addr[2]; size_t len[2]; /* Retrieve the shared secret */ CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); /* Initial b1 = MD5(S + RA) */ addr[0] = secret; len[0] = secret_len; addr[1] = rad_req->hdr->authenticator; len[1] = 16; md5_vector(2, addr, len, hash); /* loop */ while (deciph_len < ciph_len) { int i; /* pi = c(i) xor bi */ for (i = 0; i < 16; i++) deciph[deciph_len + i] = ciph[deciph_len + i] ^ hash[i]; /* do we have to remove the padding '\0's ? */ /* b(i+1) = MD5(S + c(i) */ addr[1] = ciph + deciph_len; md5_vector(2, addr, len, hash); deciph_len += 16; } /* Now save this value in the AVP */ CHECK_FCT( fd_msg_avp_new ( cs->dict.User_Password, 0, &avp ) ); value.os.data = &deciph[0]; value.os.len = deciph_len; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } break; /* - If the RADIUS CHAP-Password attribute is present, the Ident and Data portion of the attribute are used to create the CHAP-Auth grouped AVP. */ case RADIUS_ATTR_CHAP_PASSWORD: CHECK_PARAMS( attr->length == 19 /* RFC 2865 */); { uint8_t * c = (uint8_t *)(attr + 1); struct avp * chap_auth; CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Auth, 0, &chap_auth ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, chap_auth) ); CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Algorithm, 0, &avp ) ); value.u32 = 5; /* The only value defined currently... */ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Ident, 0, &avp ) ); value.os.data = c; value.os.len = 1; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); c++; CHECK_FCT( fd_msg_avp_new ( cs->dict.CHAP_Response, 0, &avp ) ); value.os.data = c; value.os.len = attr->length - 3; CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( chap_auth, MSG_BRW_LAST_CHILD, avp) ); } break; case RADIUS_ATTR_NAS_IP_ADDRESS: CONV2DIAM_STR( NAS_IP_Address ); break; case RADIUS_ATTR_NAS_PORT: CONV2DIAM_32B( NAS_Port ); break; case RADIUS_ATTR_SERVICE_TYPE: CONV2DIAM_32B( Service_Type ); break; case RADIUS_ATTR_FRAMED_PROTOCOL: CONV2DIAM_32B( Framed_Protocol ); break; case RADIUS_ATTR_FRAMED_IP_ADDRESS: CONV2DIAM_STR( Framed_IP_Address ); break; case RADIUS_ATTR_FRAMED_IP_NETMASK: CONV2DIAM_STR( Framed_IP_Netmask ); break; /* Framed-Routing never present in an Access-Request */ /* Filter-Id never present in an Access-Request */ case RADIUS_ATTR_FRAMED_MTU: CONV2DIAM_32B( Framed_MTU ); break; case RADIUS_ATTR_FRAMED_COMPRESSION: CONV2DIAM_32B( Framed_Compression ); break; case RADIUS_ATTR_LOGIN_IP_HOST: CONV2DIAM_STR( Login_IP_Host ); break; /* Login-Service never present in an Access-Request */ /* Login-TCP-Port never present in an Access-Request */ /* Reply-Message never present in an Access-Request */ case RADIUS_ATTR_CALLBACK_NUMBER: CONV2DIAM_STR( Callback_Number ); break; /* Callback-Id never present in an Access-Request */ /* Framed-Route never present in an Access-Request */ /* Framed-IPX-Network never present in an Access-Request */ case RADIUS_ATTR_STATE: CONV2DIAM_STR( State ); break; /* Class never present in an Access-Request */ case RADIUS_ATTR_VENDOR_SPECIFIC: /* RFC 4005, Section 9.6 : Systems that don't have vendor format knowledge MAY discard such attributes without knowing a suitable translation. [conversion rule in 9.6.2] */ if (attr->length >= 6) { uint32_t vendor_id; uint8_t * c = (uint8_t *)(attr + 1); vendor_id = c[0] << 24 | c[1] << 16 | c[2] << 8 | c[3]; c += 4; switch (vendor_id) { /* For the vendors we KNOW they follow the VSA recommended format, we convert following the rules of RFC4005 (9.6.2) */ case RADIUS_VENDOR_ID_MICROSOFT : /* RFC 2548 */ /* other vendors ? */ { size_t left; struct radius_attr_vendor *vtlv; left = attr->length - 6; vtlv = (struct radius_attr_vendor *)c; while ((left >= 2) && (vtlv->vendor_length <= left)) { /* Search our dictionary for corresponding Vendor's AVP */ struct dict_avp_request req; struct dict_object * avp_model = NULL; memset(&req, 0, sizeof(struct dict_avp_request)); req.avp_vendor = vendor_id; req.avp_code = vtlv->vendor_type; CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_CODE_AND_VENDOR, &req, &avp_model, 0) ); if (!avp_model) { TRACE_DEBUG(FULL, "Unknown attribute (vendor 0x%x, code 0x%x) ignored.", req.avp_vendor, req.avp_code); } else { CHECK_FCT( fd_msg_avp_new ( avp_model, 0, &avp ) ); value.os.len = vtlv->vendor_length - 2; value.os.data = (unsigned char *)(vtlv + 1); CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); } c += vtlv->vendor_length; left -= vtlv->vendor_length; vtlv = (struct radius_attr_vendor *)c; } } break; /* Other vendors we KNOw how to convert the attributes would be added here... */ /* case RADIUS_VENDOR_ID_CISCO : break; */ /* case RADIUS_VENDOR_ID_IETF : (extended RADIUS attributes) break; */ /* When we don't know, just discard the attribute... VSA are optional with regards to RADIUS anyway */ default: /* do nothing */ TRACE_DEBUG(FULL, "VSA attribute from vendor %d discarded", vendor_id); } } break; /* Session-Timeout never present in an Access-Request */ /* Idle-Timeout never present in an Access-Request */ /* Termination-Action never present in an Access-Request */ case RADIUS_ATTR_CALLED_STATION_ID: CONV2DIAM_STR( Called_Station_Id ); break; case RADIUS_ATTR_CALLING_STATION_ID: CONV2DIAM_STR( Calling_Station_Id ); break; case RADIUS_ATTR_NAS_IDENTIFIER: CONV2DIAM_STR( NAS_Identifier ); break; /* Proxy-State is handled by echo_drop.rgwx plugin, we ignore it here */ case RADIUS_ATTR_LOGIN_LAT_SERVICE: CONV2DIAM_STR( Login_LAT_Service ); break; case RADIUS_ATTR_LOGIN_LAT_NODE: CONV2DIAM_STR( Login_LAT_Node ); break; case RADIUS_ATTR_LOGIN_LAT_GROUP: CONV2DIAM_STR( Login_LAT_Group ); break; /* Framed-AppleTalk-Link never present in an Access-Request */ /* Framed-AppleTalk-Network never present in an Access-Request */ /* Framed-AppleTalk-Zone never present in an Access-Request */ case RADIUS_ATTR_CHAP_CHALLENGE: CONV2DIAM_STR( CHAP_Challenge ); break; case RADIUS_ATTR_NAS_PORT_TYPE: CONV2DIAM_32B( NAS_Port_Type ); break; case RADIUS_ATTR_PORT_LIMIT: CONV2DIAM_32B( Port_Limit ); break; case RADIUS_ATTR_LOGIN_LAT_PORT: CONV2DIAM_STR( Login_LAT_Port ); break; /* RFC 3162 */ case RADIUS_ATTR_NAS_IPV6_ADDRESS: CONV2DIAM_STR( NAS_IPv6_Address ); break; case RADIUS_ATTR_FRAMED_INTERFACE_ID: CONV2DIAM_64B( Framed_Interface_Id ); break; case RADIUS_ATTR_FRAMED_IPV6_PREFIX: CONV2DIAM_STR( Framed_IPv6_Prefix ); break; case RADIUS_ATTR_LOGIN_IPV6_HOST: CONV2DIAM_STR( Login_IPv6_Host ); break; /* Framed-IPv6-Route never present in an Access-Request */ /* Framed-IPv6-Pool never present in an Access-Request */ /* RFC 2868 */ /* Prepare the top-level Tunneling AVP for each tag values, as needed, and add to the Diameter message. This macro is called when an AVP is added inside the group, so we will not have empty grouped AVPs */ #define AVP_TUN_PREPARE() { \ if (avp_tun == NULL) { \ CHECK_MALLOC( avp_tun = calloc(sizeof(struct avp *), 32 ) ); \ } \ tag = *(uint8_t *)(attr + 1); \ if (tag > 0x1F) tag = 0; \ if (avp_tun[tag] == NULL) { \ CHECK_FCT( fd_msg_avp_new ( cs->dict.Tunneling, 0, &avp_tun[tag] ) ); \ CHECK_FCT( fd_msg_avp_add (*diam_fw, MSG_BRW_LAST_CHILD, avp_tun[tag]));\ } \ } /* Convert an attribute to an OctetString AVP and add inside the Tunneling AVP corresponding to the tag */ #define CONV2DIAM_TUN_STR( _dictobj_ ) { \ uint8_t tag; \ CHECK_PARAMS( attr->length >= 3); \ AVP_TUN_PREPARE(); \ CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ value.os.len = attr->length - (tag ? 3 : 2); \ value.os.data = ((unsigned char *)(attr + 1)) + (tag ? 1 : 0); \ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \ } /* Convert an attribute to a scalar AVP and add inside the Tunneling AVP corresponding to the tag */ #define CONV2DIAM_TUN_24B( _dictobj_ ) { \ uint8_t tag; \ CHECK_PARAMS( attr->length == 6); \ AVP_TUN_PREPARE(); \ CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \ { \ uint8_t * v = (uint8_t *)(attr + 1); \ value.u32 = (v[1] << 16) | (v[2] <<8) | v[3] ; \ } \ CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \ CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \ } /* - If the RADIUS message contains Tunnel information [RADTunnels], the attributes or tagged groups should each be converted to a Diameter Tunneling Grouped AVP set. If the tunnel information contains a Tunnel-Password attribute, the RADIUS encryption must be resolved, and the password forwarded, by using Diameter security methods. -> If the RADIUS message does not use properly the Tag info, result is unpredictable here.. */ case RADIUS_ATTR_TUNNEL_TYPE: CONV2DIAM_TUN_24B( Tunnel_Type ); break; case RADIUS_ATTR_TUNNEL_MEDIUM_TYPE: CONV2DIAM_TUN_24B( Tunnel_Medium_Type ); break; case RADIUS_ATTR_TUNNEL_CLIENT_ENDPOINT: CONV2DIAM_TUN_STR( Tunnel_Client_Endpoint ); break; case RADIUS_ATTR_TUNNEL_SERVER_ENDPOINT: CONV2DIAM_TUN_STR( Tunnel_Server_Endpoint ); break; /* Tunnel-Password never present in an Access-Request */ case RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID: CONV2DIAM_TUN_STR( Tunnel_Private_Group_Id ); break; /* Tunnel-Assignment-ID never present in an Access-Request */ case RADIUS_ATTR_TUNNEL_PREFERENCE: CONV2DIAM_TUN_24B( Tunnel_Preference ); break; case RADIUS_ATTR_TUNNEL_CLIENT_AUTH_ID: CONV2DIAM_TUN_STR( Tunnel_Client_Auth_Id ); break; case RADIUS_ATTR_TUNNEL_SERVER_AUTH_ID: CONV2DIAM_TUN_STR( Tunnel_Server_Auth_Id ); break; /* RFC 2869 */ case RADIUS_ATTR_ARAP_PASSWORD: CONV2DIAM_STR( ARAP_Password ); break; /* ARAP-Features never present in an Access-Request */ /* ARAP-Zone-Access never present in an Access-Request */ case RADIUS_ATTR_ARAP_SECURITY: CONV2DIAM_32B( ARAP_Security ); break; case RADIUS_ATTR_ARAP_SECURITY_DATA: CONV2DIAM_STR( ARAP_Security_Data ); break; /* Password-Retry never present in an Access-Request */ /* Prompt never present in an Access-Request */ case RADIUS_ATTR_CONNECT_INFO: CONV2DIAM_STR( Connect_Info ); break; /* Configuration-Token never present in an Access-Request */ /* ARAP-Challenge-Response never present in an Access-Request */ /* Acct-Interim-Interval never present in an Access-Request */ case RADIUS_ATTR_NAS_PORT_ID: CONV2DIAM_STR( NAS_Port_Id ); break; /* Framed-Pool never present in an Access-Request */ /* RFC 2869 / 3579 */ case RADIUS_ATTR_ORIGINATING_LINE_INFO: CONV2DIAM_STR( Originating_Line_Info ); break; case RADIUS_ATTR_MESSAGE_AUTHENTICATOR: case RADIUS_ATTR_EAP_MESSAGE: /* It was already handled, just remove the attribute */ break; /* Default */ default: /* unknown attribute */ /* We just keep the attribute in the RADIUS message */ rad_req->attr_pos[nattr_used++] = rad_req->attr_pos[idx]; } } /* Destroy tunnel pointers (if we used it) */ free(avp_tun); /* Update the radius message to remove all handled attributes */ rad_req->attr_used = nattr_used; /* Store the request identifier in the session (if provided) */ if (*session) { unsigned char * req_auth; CHECK_MALLOC(req_auth = malloc(16)); memcpy(req_auth, &rad_req->hdr->authenticator[0], 16); CHECK_FCT( fd_sess_state_store( cs->sess_hdl, *session, &req_auth ) ); } return 0; } static int auth_diam_ans( struct rgwp_config * cs, struct session * session, struct msg ** diam_ans, struct radius_msg ** rad_fw, struct rgw_client * cli, int * stateful ) { struct msg_hdr * hdr; struct avp *avp, *next, *avp_x, *avp_y, *asid, *aoh; struct avp_hdr *ahdr, *sid, *oh; uint8_t buf[254]; /* to store some attributes values (with final '\0') */ size_t sz; int ta_set = 0; int no_str = 0; /* indicate if an STR is required for this server */ uint8_t tuntag = 0; unsigned char * req_auth = NULL; TRACE_ENTRY("%p %p %p %p %p", cs, session, diam_ans, rad_fw, cli); CHECK_PARAMS(cs && session && diam_ans && *diam_ans && rad_fw && *rad_fw); /* Retrieve the request identified which was stored in the session */ if (session) { CHECK_FCT( fd_sess_state_retrieve( cs->sess_hdl, session, &req_auth ) ); } /* - If the Diameter Command-Code is set to AA-Answer and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway must send a RADIUS Access-Challenge. This must have the Origin-Host, Origin-Realm, and Diameter Session-Id AVPs encapsulated in the RADIUS State attribute, with the prefix "Diameter/", concatenated in the above order separated with "/" characters, in UTF-8 [UTF-8]. This is necessary to ensure that the Translation Agent receiving the subsequent RADIUS Access- Request will have access to the Session Identifier and be able to set the Destination-Host to the correct value. -> done here bellow - If the Command-Code is set to AA-Answer, the Diameter Session- Id AVP is saved in a new RADIUS Class attribute whose format consists of the string "Diameter/" followed by the Diameter Session Identifier. This will ensure that the subsequent Accounting messages, which could be received by any Translation Agent, would have access to the original Diameter Session Identifier. -> done here but only for Access-Accept messages (Result-Code = success) */ /* MACROS to help in the process: convert AVP data to RADIUS attributes. */ /* Control large attributes: _trunc_ = 0 => error; _trunc_ = 1 => truncate; _trunc = 2 => create several attributes */ #define CONV2RAD_STR( _attr_, _data_, _len_, _trunc_) { \ size_t __l = (size_t)(_len_); \ size_t __off = 0; \ TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ if ((_trunc_) == 0) { \ CHECK_PARAMS( __l <= 253 ); \ } \ if ((__l > 253) && (_trunc_ == 1)) { \ TRACE_DEBUG(INFO, "[auth.rgwx] AVP truncated in "#_attr_); \ __l = 253; \ } \ do { \ size_t __w = (__l > 253) ? 253 : __l; \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (_data_) + __off, __w)); \ __off += __w; \ __l -= __w; \ } while (__l); \ } #define CONV2RAD_32B( _attr_, _data_) { \ uint32_t __v = htonl((uint32_t)(_data_)); \ TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ } #define CONV2RAD_64B( _attr_, _data_) { \ uint64_t __v = htonll((uint64_t)(_data_)); \ TRACE_DEBUG(FULL, "Converting AVP to "#_attr_); \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ } /* Search the different AVPs we handle here */ CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Session_Id, &asid) ); CHECK_FCT( fd_msg_avp_hdr ( asid, &sid ) ); CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Host, &aoh) ); CHECK_FCT( fd_msg_avp_hdr ( aoh, &oh ) ); /* Check the Diameter error code */ CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Result_Code, &avp) ); ASSERT( avp ); /* otherwise the message should have been discarded a lot earlier because of ABNF */ CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); switch (ahdr->avp_value->u32) { case ER_DIAMETER_MULTI_ROUND_AUTH: (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_CHALLENGE; break; case ER_DIAMETER_SUCCESS: case ER_DIAMETER_LIMITED_SUCCESS: (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_ACCEPT; break; default: (*rad_fw)->hdr->code = RADIUS_CODE_ACCESS_REJECT; fd_log_debug("[auth.rgwx] Received Diameter answer with error code '%d' from server '%.*s', session %.*s, translating into Access-Reject\n", ahdr->avp_value->u32, oh->avp_value->os.len, oh->avp_value->os.data, sid->avp_value->os.len, sid->avp_value->os.data); CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Message, &avp) ); if (avp) { CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); fd_log_debug("[auth.rgwx] Error-Message content: '%.*s'\n", ahdr->avp_value->os.len, ahdr->avp_value->os.data); } CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Reporting_Host, &avp) ); if (avp) { CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); fd_log_debug("[auth.rgwx] Error-Reporting-Host: '%.*s'\n", ahdr->avp_value->os.len, ahdr->avp_value->os.data); } CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Failed_AVP, &avp) ); if (avp) { fd_log_debug("[auth.rgwx] Failed-AVP was included in the message.\n"); /* Dump its content ? */ } return 0; } /* Remove this Result-Code avp */ CHECK_FCT( fd_msg_free( avp ) ); /* Creation of the State or Class attribute with session information */ CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Realm, &avp) ); CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); /* Now, save the session-id and eventually server info in a STATE or CLASS attribute */ if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_CHALLENGE) { if (sizeof(buf) < (sz = snprintf((char *)buf, sizeof(buf), "Diameter/%.*s/%.*s/%.*s", (int)oh->avp_value->os.len, (char *)oh->avp_value->os.data, (int)ahdr->avp_value->os.len, (char *)ahdr->avp_value->os.data, (int)sid->avp_value->os.len, (char *)sid->avp_value->os.data))) { TRACE_DEBUG(INFO, "Data truncated in State attribute: %s", buf); } CONV2RAD_STR(RADIUS_ATTR_STATE, buf, sz, 0); } if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) { /* Add the Session-Id */ if (sizeof(buf) < (sz = snprintf((char *)buf, sizeof(buf), "Diameter/%.*s", (int)sid->avp_value->os.len, sid->avp_value->os.data))) { TRACE_DEBUG(INFO, "Data truncated in Class attribute: %s", buf); } CONV2RAD_STR(RADIUS_ATTR_CLASS, buf, sz, 0); } /* Unlink the Origin-Realm now; the others are unlinked at the end of this function */ CHECK_FCT( fd_msg_free( avp ) ); CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Session_Timeout, &avp) ); CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Authorization_Lifetime, &avp_x) ); CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Re_Auth_Request_Type, &avp_y) ); /* When translating a Diameter AA-Answer (with successful result code) to RADIUS Access-Accept that contains a Session-Timeout or Authorization-Lifetime AVP, take the following steps: - If the Diameter message contains a Session-Timeout AVP but no Authorization-Lifetime AVP, translate it to a Session-Timeout attribute (not a Termination-Action). */ if ((avp != NULL) && (avp_x == NULL)) { CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); } /* - If the Diameter message contains an Authorization-Lifetime AVP but no Session-Timeout AVP, translate it to a Session-Timeout attribute and a Termination-Action set to AA-REQUEST. (Remove Authorization-Lifetime and Re-Auth-Request-Type.) */ if ((avp == NULL) && (avp_x != NULL)) { CHECK_FCT( fd_msg_avp_hdr ( avp_x, &ahdr ) ); CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); ta_set = 1; } /* - If the Diameter message has both, the Session-Timeout must be greater than or equal to the Authorization-Lifetime (required by [BASE]). Translate it to a Session-Timeout value (with value from Authorization-Lifetime AVP, the smaller one) and with the Termination-Action set to AA-REQUEST. (Remove the Authorization-Lifetime and Re-Auth-Request-Type.) */ if ((avp != NULL) && (avp_x != NULL)) { CHECK_FCT( fd_msg_avp_hdr ( avp_x, &ahdr ) ); CONV2RAD_32B( RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32 ); CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); ta_set = 1; } /* -> Not too sure about Auth-Grace-Period... we'll just discard it for now */ if (avp) { CHECK_FCT( fd_msg_free( avp ) ); } if (avp_x) { CHECK_FCT( fd_msg_free( avp_x ) ); } if (avp_y) { CHECK_FCT( fd_msg_free( avp_y ) ); } /* - If a Proxy-State attribute was present in the RADIUS request, the same attribute is added in the response. This information may be found in the Proxy-Info AVP group, or in a local state table. -> handled by sub_echo_drop - If state information regarding the RADIUS request was saved in a Proxy-Info AVP or local state table, the RADIUS Identifier and UDP IP Address and port number are extracted and used in issuing the RADIUS reply. -> was saved with the full request */ /* Now loop in the list of AVPs and convert those that we know how */ CHECK_FCT( fd_msg_browse(*diam_ans, MSG_BRW_FIRST_CHILD, &next, NULL) ); while (next) { int handled = 1; avp = next; CHECK_FCT( fd_msg_browse(avp, MSG_BRW_NEXT, &next, NULL) ); CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) ); if (!(ahdr->avp_flags & AVP_FLAG_VENDOR)) { switch (ahdr->avp_code) { /* RFC 4005 (AVP in the order of the AA-Request/Answer AVP Table) */ case DIAM_ATTR_ACCT_INTERIM_INTERVAL: CONV2RAD_32B(RADIUS_ATTR_ACCT_INTERIM_INTERVAL, ahdr->avp_value->u32); break; case DIAM_ATTR_ARAP_CHALLENGE_RESPONSE: CONV2RAD_STR(RADIUS_ATTR_ARAP_CHALLENGE_RESPONSE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_ARAP_FEATURES: CONV2RAD_STR(RADIUS_ATTR_ARAP_FEATURES, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; /* ARAP-Password is not present in answers */ case DIAM_ATTR_ARAP_SECURITY: CONV2RAD_32B(RADIUS_ATTR_ARAP_SECURITY, ahdr->avp_value->u32); break; case DIAM_ATTR_ARAP_SECURITY_DATA: CONV2RAD_STR(RADIUS_ATTR_ARAP_SECURITY_DATA, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; case DIAM_ATTR_ARAP_ZONE_ACCESS: CONV2RAD_32B(RADIUS_ATTR_ARAP_ZONE_ACCESS, ahdr->avp_value->u32); break; case DIAM_ATTR_AUTH_APPLICATION_ID: /* We just remove this AVP */ break; case DIAM_ATTR_AUTH_GRACE_PERIOD: /* We just remove this AVP (?) */ break; case DIAM_ATTR_AUTH_REQUEST_TYPE: /* We only check the value */ if (ahdr->avp_value->u32 != 3) { fd_log_debug("[auth.rgwx] Received Diameter answer with Auth-Request-Type set to %d (%s) from server %.*s, session %.*s.\n" " This may cause interoperability problems with RADIUS.\n", ahdr->avp_value->u32, (ahdr->avp_value->u32 == 1) ? "AUTHENTICATE_ONLY" : ((ahdr->avp_value->u32 == 2) ? "AUTHORIZE_ONLY" : "???"), oh->avp_value->os.len, oh->avp_value->os.data, sid->avp_value->os.len, sid->avp_value->os.len); } break; case DIAM_ATTR_AUTH_SESSION_STATE: if ((!ta_set) && (ahdr->avp_value->u32 == ACV_ASS_STATE_MAINTAINED)) { CONV2RAD_32B( RADIUS_ATTR_TERMINATION_ACTION, RADIUS_TERMINATION_ACTION_RADIUS_REQUEST ); } if (ahdr->avp_value->u32 == ACV_ASS_NO_STATE_MAINTAINED) { no_str = 1; } break; /* Authorization-Lifetime already handled */ case DIAM_ATTR_CALLBACK_ID: CONV2RAD_STR(RADIUS_ATTR_CALLBACK_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_CALLBACK_NUMBER: CONV2RAD_STR(RADIUS_ATTR_CALLBACK_NUMBER, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; /* Called-Station-Id is not present in answers */ /* Calling-Station-Id is not present in answers */ /* CHAP-Auth is not present in answers */ /* CHAP-Challenge is not present in answers */ case DIAM_ATTR_CLASS: CONV2RAD_STR(RADIUS_ATTR_CLASS, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; case DIAM_ATTR_CONFIGURATION_TOKEN: /* We might as well remove it since it's not supposed to be sent to the NAS... */ CONV2RAD_STR(RADIUS_ATTR_CONFIGURATION_TOKEN, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; /* Connect-Info is not present in answers */ case DIAM_ATTR_FILTER_ID: CONV2RAD_STR(RADIUS_ATTR_FILTER_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; case DIAM_ATTR_FRAMED_APPLETALK_LINK: CONV2RAD_32B(RADIUS_ATTR_FRAMED_APPLETALK_LINK, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_APPLETALK_NETWORK: CONV2RAD_32B(RADIUS_ATTR_FRAMED_APPLETALK_NETWORK, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_APPLETALK_ZONE: CONV2RAD_STR(RADIUS_ATTR_FRAMED_APPLETALK_ZONE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_FRAMED_COMPRESSION: CONV2RAD_32B(RADIUS_ATTR_FRAMED_COMPRESSION, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_INTERFACE_ID: CONV2RAD_64B(RADIUS_ATTR_FRAMED_INTERFACE_ID, ahdr->avp_value->u64); break; case DIAM_ATTR_FRAMED_IP_ADDRESS: CONV2RAD_STR(RADIUS_ATTR_FRAMED_IP_ADDRESS, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_FRAMED_IP_NETMASK: CONV2RAD_STR(RADIUS_ATTR_FRAMED_IP_NETMASK, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_FRAMED_IPV6_PREFIX: CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_PREFIX, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_FRAMED_IPV6_POOL: CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_POOL, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_FRAMED_IPV6_ROUTE: CONV2RAD_STR(RADIUS_ATTR_FRAMED_IPV6_ROUTE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_FRAMED_IPX_NETWORK: CONV2RAD_32B(RADIUS_ATTR_FRAMED_IPX_NETWORK, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_MTU: CONV2RAD_32B(RADIUS_ATTR_FRAMED_MTU, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_POOL: CONV2RAD_STR(RADIUS_ATTR_FRAMED_POOL, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_FRAMED_PROTOCOL: CONV2RAD_32B(RADIUS_ATTR_FRAMED_PROTOCOL, ahdr->avp_value->u32); break; case DIAM_ATTR_FRAMED_ROUTE: CONV2RAD_STR(RADIUS_ATTR_FRAMED_ROUTE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_FRAMED_ROUTING: CONV2RAD_32B(RADIUS_ATTR_FRAMED_ROUTING, ahdr->avp_value->u32); break; case DIAM_ATTR_IDLE_TIMEOUT: CONV2RAD_32B(RADIUS_ATTR_IDLE_TIMEOUT, ahdr->avp_value->u32); break; case DIAM_ATTR_LOGIN_IP_HOST: CONV2RAD_STR(RADIUS_ATTR_LOGIN_IP_HOST, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_LOGIN_IPV6_HOST: CONV2RAD_STR(RADIUS_ATTR_LOGIN_IPV6_HOST, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 0); break; case DIAM_ATTR_LOGIN_LAT_GROUP: CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_GROUP, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_LOGIN_LAT_NODE: CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_NODE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_LOGIN_LAT_PORT: CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_PORT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_LOGIN_LAT_SERVICE: CONV2RAD_STR(RADIUS_ATTR_LOGIN_LAT_SERVICE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_LOGIN_SERVICE: CONV2RAD_32B(RADIUS_ATTR_LOGIN_SERVICE, ahdr->avp_value->u32); break; case DIAM_ATTR_LOGIN_TCP_PORT: CONV2RAD_32B(RADIUS_ATTR_LOGIN_TCP_PORT, ahdr->avp_value->u32); break; /* - If the Multi-Round-Time-Out AVP is present, the value of the AVP MUST be inserted in the RADIUS Session-Timeout AVP. o As described in [NASREQ], if the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH and the Multi-Round-Time-Out AVP is present, it is translated to the RADIUS Session-Timeout attribute. */ case DIAM_ATTR_MULTI_ROUND_TIMEOUT: CONV2RAD_32B(RADIUS_ATTR_SESSION_TIMEOUT, ahdr->avp_value->u32); break; case DIAM_ATTR_NAS_FILTER_RULE: /* This is not translatable to RADIUS */ fd_log_debug("[auth.rgwx] Received Diameter answer with non-translatable NAS-Filter-Rule AVP from '%.*s' (session: '%.*s'), ignoring.\n", oh->avp_value->os.len, oh->avp_value->os.data, sid->avp_value->os.len, sid->avp_value->os.data); handled = 0; break; /* NAS-Identifier is not present in answers */ /* NAS-IP-Address is not present in answers */ /* NAS-IPv6-Address is not present in answers */ /* NAS-Port is not present in answers */ /* NAS-Port-Id is not present in answers */ /* NAS-Port-Type is not present in answers */ case DIAM_ATTR_ORIGIN_AAA_PROTOCOL: /* We just remove this AVP */ break; /* Originating-Line-Info is not present in answers */ case DIAM_ATTR_PASSWORD_RETRY: CONV2RAD_32B(RADIUS_ATTR_PASSWORD_RETRY, ahdr->avp_value->u32); break; case DIAM_ATTR_PORT_LIMIT: CONV2RAD_32B(RADIUS_ATTR_PORT_LIMIT, ahdr->avp_value->u32); break; case DIAM_ATTR_PROMPT: CONV2RAD_32B(RADIUS_ATTR_PROMPT, ahdr->avp_value->u32); break; case DIAM_ATTR_QOS_FILTER_RULE: /* This is not translatable to RADIUS */ fd_log_debug("[auth.rgwx] Received Diameter answer with non-translatable QoS-Filter-Rule AVP from '%.*s' (session: '%.*s'), ignoring.\n", oh->avp_value->os.len, oh->avp_value->os.data, sid->avp_value->os.len, sid->avp_value->os.data); handled = 0; break; /* Re-Auth-Request-Type already handled */ case DIAM_ATTR_REPLY_MESSAGE: CONV2RAD_STR(RADIUS_ATTR_REPLY_MESSAGE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; case DIAM_ATTR_SERVICE_TYPE: CONV2RAD_32B(RADIUS_ATTR_SERVICE_TYPE, ahdr->avp_value->u32); break; case DIAM_ATTR_STATE: CONV2RAD_STR(RADIUS_ATTR_STATE, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 2); break; case DIAM_ATTR_TUNNELING: { #define CONV2RAD_TUN_STR( _attr_, _data_, _len_, _trunc_) { \ size_t __l = (size_t)(_len_); \ size_t __w = (__l > 252) ? 252 : __l; \ size_t __off = 0; \ if ((_trunc_) == 0) { \ CHECK_PARAMS( __l <= 252 ); \ } \ if ((__l > 252) && (_trunc_ == 1)) { \ TRACE_DEBUG(FULL, "Attribute truncated!"); \ __l = 252; \ } \ buf[0] = tuntag; \ memcpy(&buf[1], (_data_), __w); \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), &buf[0], __w + 1)); \ while (__l -= __w) { \ __off += __w; \ __w = (__l > 253) ? 253 : __l; \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (_data_) + __off, __w)); \ } \ } #define CONV2RAD_TUN_32B( _attr_, _data_) { \ uint32_t __v = htonl((uint32_t)(_data_) | (tuntag << 24)); \ CHECK_MALLOC(radius_msg_add_attr(*rad_fw, (_attr_), (uint8_t *)&__v, sizeof(__v))); \ } struct avp *inavp, *innext; tuntag++; CHECK_FCT( fd_msg_browse(avp, MSG_BRW_FIRST_CHILD, &innext, NULL) ); while (innext) { inavp = innext; CHECK_FCT( fd_msg_browse(inavp, MSG_BRW_NEXT, &innext, NULL) ); CHECK_FCT( fd_msg_avp_hdr ( inavp, &ahdr ) ); if ( ! (ahdr->avp_flags & AVP_FLAG_VENDOR)) { switch (ahdr->avp_code) { case DIAM_ATTR_TUNNEL_TYPE: CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_TYPE, ahdr->avp_value->u32); break; case DIAM_ATTR_TUNNEL_MEDIUM_TYPE: CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_MEDIUM_TYPE, ahdr->avp_value->u32); break; case DIAM_ATTR_TUNNEL_CLIENT_ENDPOINT: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_CLIENT_ENDPOINT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_TUNNEL_SERVER_ENDPOINT: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_SERVER_ENDPOINT, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_TUNNEL_PREFERENCE: CONV2RAD_TUN_32B( RADIUS_ATTR_TUNNEL_PREFERENCE, ahdr->avp_value->u32); break; case DIAM_ATTR_TUNNEL_CLIENT_AUTH_ID: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_CLIENT_AUTH_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_TUNNEL_SERVER_AUTH_ID: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_SERVER_AUTH_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_TUNNEL_ASSIGNMENT_ID: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_ASSIGNMENT_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; case DIAM_ATTR_TUNNEL_PASSWORD: { /* This AVP must be encoded for RADIUS (similar to radius_msg_add_attr_user_password) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Salt +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Salt (cont) | String ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ size_t pos; int i; uint8_t * secret; /* S */ size_t secret_len; uint8_t hash[16]; /* b(i) */ const uint8_t *addr[3]; size_t len[3]; /* We need the request authenticator */ CHECK_PARAMS(req_auth); /* Retrieve the shared secret */ CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); /* Beginning of the buffer */ buf[0] = tuntag; buf[1] = (uint8_t)(lrand48()); /* A (hi bits) */ buf[2] = (uint8_t)(lrand48()); /* A (low bits) */ /* The plain text string P */ CHECK_PARAMS(ahdr->avp_value->os.len < 240); buf[3] = ahdr->avp_value->os.len; memcpy(&buf[4], ahdr->avp_value->os.data, ahdr->avp_value->os.len); memset(&buf[4 + ahdr->avp_value->os.len], 0, sizeof(buf) - 4 - ahdr->avp_value->os.len); /* Initial b1 = MD5(S + R + A) */ addr[0] = secret; len[0] = secret_len; addr[1] = req_auth; len[1] = 16; addr[2] = &buf[1]; len[2] = 2; md5_vector(3, addr, len, hash); /* Initial c(1) = p(1) xor b(1) */ for (i = 0; i < 16; i++) { buf[i + 3] ^= hash[i]; } pos = 16; /* loop */ while (pos < ahdr->avp_value->os.len + 1) { addr[0] = secret; len[0] = secret_len; addr[1] = &buf[pos - 13]; len[1] = 16; /* b(i) = MD5( S + c(i-1) */ md5_vector(2, addr, len, hash); /* c(i) = p(i) xor b(i) */ for (i = 0; i < 16; i++) buf[pos + i + 3] ^= hash[i]; pos += 16; } CONV2RAD_STR(RADIUS_ATTR_TUNNEL_PASSWORD, &buf[0], pos + 3, 0); } break; case DIAM_ATTR_TUNNEL_PRIVATE_GROUP_ID: CONV2RAD_TUN_STR(RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; default: TRACE_DEBUG(FULL, "Ignored unknown AVP inside Tunneling AVP (%d)", ahdr->avp_code); } } else { TRACE_DEBUG(FULL, "Ignored unknown Vendor AVP inside Tunneling AVP (%d, %d)", ahdr->avp_vendor, ahdr->avp_code); } } } break; case DIAM_ATTR_USER_NAME: CONV2RAD_STR(RADIUS_ATTR_USER_NAME, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; /* User-Password never present in answers */ /* RFC 4072 (AVP in the order of the EAP Command AVP Table) */ /* o Diameter Accounting-EAP-Auth-Method AVPs, if present, are discarded. */ case DIAM_ATTR_ACCOUNTING_EAP_AUTH_METHOD: break; /* o Diameter EAP-Master-Session-Key AVP can be translated to the vendor-specific RADIUS MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes [RFC2548]. The first up to 32 octets of the key is stored into MS-MPPE-Recv-Key, and the next up to 32 octets (if present) are stored into MS-MPPE-Send-Key. The encryption of this attribute is described in [RFC2548]. */ case DIAM_ATTR_EAP_MASTER_SESSION_KEY: { uint8_t * secret; /* S */ size_t secret_len; size_t recv_len, send_len; /* We need the request authenticator */ CHECK_PARAMS(req_auth); /* Retrieve the shared secret */ CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len)); if (ahdr->avp_value->os.len != 64) { TRACE_DEBUG(INFO, "Received EAP-Master-Session-Key attribute with length %d != 64.\n", ahdr->avp_value->os.len) } CHECK_PARAMS(ahdr->avp_value->os.len <= 64); recv_len = ahdr->avp_value->os.len >= 32 ? 32 : ahdr->avp_value->os.len; send_len = ahdr->avp_value->os.len - recv_len; if ( ! radius_msg_add_mppe_keys(*rad_fw, req_auth, secret, secret_len, ahdr->avp_value->os.data + recv_len, send_len, ahdr->avp_value->os.data, recv_len) ) { TRACE_DEBUG(INFO, "Error while converting EAP-Master-Session-Key to RADIUS message"); return ENOMEM; } } break; case DIAM_ATTR_EAP_KEY_NAME: CONV2RAD_STR(RADIUS_ATTR_EAP_KEY_NAME, ahdr->avp_value->os.data, ahdr->avp_value->os.len, 1); break; /* o Diameter EAP-Payload AVP is translated to RADIUS EAP-Message attribute(s). If necessary, the value is split into multiple RADIUS EAP-Message attributes. */ case DIAM_ATTR_EAP_PAYLOAD: if ( ! radius_msg_add_eap(*rad_fw, ahdr->avp_value->os.data, ahdr->avp_value->os.len) ) { TRACE_DEBUG(INFO, "Error while converting EAP payload to RADIUS message"); return ENOMEM; } break; /* o Diameter EAP-Reissued-Payload AVP is translated to a message that contains RADIUS EAP-Message attribute(s), and a RADIUS Error-Cause attribute [RFC3576] with value 202 (decimal), "Invalid EAP Packet (Ignored)" [RFC3579]. */ case DIAM_ATTR_EAP_REISSUED_PAYLOAD: if ( ! radius_msg_add_eap(*rad_fw, ahdr->avp_value->os.data, ahdr->avp_value->os.len) ) { TRACE_DEBUG(INFO, "Error while converting EAP reissued payload to RADIUS message"); return ENOMEM; } if ( ! radius_msg_add_attr_int32(*rad_fw, RADIUS_ATTR_ERROR_CAUSE, 202) ) { TRACE_DEBUG(INFO, "Error while adding Error-Cause attribute in RADIUS message"); return ENOMEM; } break; default: /* Leave the AVP in the message for further treatment */ handled = 0; } } else { /* Vendor-specific AVPs */ switch (ahdr->avp_vendor) { default: /* unknown vendor */ handled = 0; } } if (handled) { CHECK_FCT( fd_msg_free( avp ) ); } } CHECK_FCT( fd_msg_free( asid ) ); CHECK_FCT( fd_msg_free( aoh ) ); free(req_auth); if ((*rad_fw)->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) { /* Add the auth-application-id required for STR, or 0 if no STR is required */ CHECK_FCT( fd_msg_hdr( *diam_ans, &hdr ) ); if (sizeof(buf) < (sz = snprintf((char *)buf, sizeof(buf), CLASS_AAI_PREFIX "%u", no_str ? 0 : hdr->msg_appl))) { TRACE_DEBUG(INFO, "Data truncated in Class attribute: %s", buf); } CONV2RAD_STR(RADIUS_ATTR_CLASS, buf, sz, 0); } return 0; } /* The exported symbol */ struct rgw_api rgwp_descriptor = { .rgwp_name = "auth", .rgwp_conf_parse = auth_conf_parse, .rgwp_conf_free = auth_conf_free, .rgwp_rad_req = auth_rad_req, .rgwp_diam_ans = auth_diam_ans };