view extensions/radius_gw/sub_auth.c @ 396:9d3dc44c9c22
Added comments from RFC4005
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Mon, 01 Jun 2009 18:21:15 +0900 |
parents | b1eb38915f04 |
children | bcc13af0825a |
/********************************************************************************************************* * Software License Agreement (BSD License) * * Author: Sebastien Decugis <sdecugis@nict.go.jp> * * * * Copyright (c) 2009, WIDE Project and NICT * * All rights reserved. * * * * Redistribution and use of this software in source and binary forms, with or without modification, are * * permitted provided that the following conditions are met: * * * * * Redistributions of source code must retain the above * * copyright notice, this list of conditions and the * * following disclaimer. * * * * * Redistributions in binary form must reproduce the above * * copyright notice, this list of conditions and the * * following disclaimer in the documentation and/or other * * materials provided with the distribution. * * * * * Neither the name of the WIDE Project or NICT nor the * * names of its contributors may be used to endorse or * * promote products derived from this software without * * specific prior written permission of WIDE Project and * * NICT. * * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
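* *********************************************************************************************************/

/* Sub extension for handling RADIUS authentication messages (Access-Request, RFC2865 / RFC3579) */

#define IN_EXTENSION
#define DEFINE_DEBUG_MACRO sub_auth
#define DECLARE_API_POINTERS
#include <waaad/waaad.h>
#include "rg_common.h"

#ifndef SUB_AUTH_VERBO
#define SUB_AUTH_VERBO 0
#endif /* SUB_AUTH_VERBO */

/* Debug verbosity of this sub-extension; the default can be overridden at build time through SUB_AUTH_VERBO */
int sub_auth_verbosity = SUB_AUTH_VERBO;

/* Attributes missing from radius.h */
#define RADIUS_ATTR_CHAP_PASSWORD	3
#define RADIUS_ATTR_ARAP_PASSWORD	70

/* State of one instance of this sub-extension, created by auth_conf_parse and released by auth_conf_free. */
struct rga_conf_state {
	char * conffile;	/* Configuration file name given by the gateway, or "-" when none was given.
				 * Not owned: the string is only referenced and is never freed here. */
};

/* Configuration callback: create the state of this sub-extension.
 *  conffile : the configuration file name passed by the radius_gw extension, or NULL.
 * Returns the new state, or NULL if memory allocation failed.
 * The conffile string is not copied, so the caller must keep it valid as long as the state exists. */
static struct rga_conf_state * auth_conf_parse(char * conffile)
{
	struct rga_conf_state * cs;
	
	TRACE_ENTRY("%p", conffile);
	
	/* calloc already zeroes the new state, no separate memset needed */
	CHECK_MALLOC_DO( cs = calloc(1, sizeof *cs), return NULL );
	
	cs->conffile = conffile ? conffile : "-";
	
	TRACE_DEBUG(INFO, "Sub extension Authentication (RFC2865, RFC3579) initialized with configuration: '%s'", cs->conffile);
	return cs;
}

/* Configuration callback: release the state created by auth_conf_parse.
 *  cs : the state to free. cs->conffile is not freed (not owned by the state). */
static void auth_conf_free(struct rga_conf_state * cs)
{
	TRACE_ENTRY("%p", cs);
	CHECK_PARAMS_DO( cs, );
	free(cs);
	return;
}

/* RADIUS request callback, invoked by the radius_gw extension for each RADIUS Access-Request to translate.
 *  cs       : the state created by auth_conf_parse (not used yet).
 *  session  : session handle provided by the gateway (not used yet).
 *  rad_req  : the received RADIUS request; must be an Access-Request.
 *  rad_ans  : RADIUS answer slot, must be non-NULL (presumably for answers generated locally -- confirm with radius_gw).
 *  diam_fw  : the Diameter message to forward; both diam_fw and *diam_fw must be non-NULL.
 *  cli      : opaque client data from the gateway (not used yet).
 * Returns EINVAL when the request fails the RFC2865 / RFC3579 sanity checks below (the caller is expected
 * to drop it), ENOTSUP otherwise since the actual translation to Diameter is not implemented yet.
 * NOTE(review): only the *presence* of Message-Authenticator is checked here, its HMAC-MD5 value is not
 * verified in this function. Confirm that the radius_gw core validates it (and the Request Authenticator
 * against the shared secret) before this callback runs; otherwise the checks below bring no integrity
 * guarantee on their own. */
static int auth_rad_req(struct rga_conf_state * cs, sess_id_t ** session, struct radius_msg * rad_req, struct radius_msg ** rad_ans, msg_t ** diam_fw, void * cli )
{
	int idx;
	int got_id = 0;		/* a NAS identification attribute was found */
	int got_mac = 0;	/* a Message-Authenticator attribute was found */
	int got_passwd = 0;	/* number of User-Password, CHAP-Password and ARAP-Password attributes */
	int got_eap = 0;	/* at least one EAP-Message attribute was found */
	
	TRACE_ENTRY("%p %p %p %p %p %p", cs, session, rad_req, rad_ans, diam_fw, cli);
	
	/* This sub-extension handles authentication: the request must be an Access-Request, not an Accounting-Request */
	CHECK_PARAMS(rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCESS_REQUEST) && rad_ans && diam_fw && *diam_fw);
	
	/* Scan the attributes once and record which of the ones we care about are present */
	for (idx = 0; idx < rad_req->attr_used; idx++) {
		struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]);
		
		switch (attr->type) {
			case RADIUS_ATTR_NAS_IP_ADDRESS:
			case RADIUS_ATTR_NAS_IDENTIFIER:
			case RADIUS_ATTR_NAS_IPV6_ADDRESS:
				got_id = 1;
				break;
				
			case RADIUS_ATTR_MESSAGE_AUTHENTICATOR:
				got_mac = 1;
				break;
				
			case RADIUS_ATTR_EAP_MESSAGE:
				/* A fragmented EAP packet is carried in several EAP-Message attributes, so only the presence is flagged */
				got_eap = 1;
				break;
				
			case RADIUS_ATTR_USER_PASSWORD:
			case RADIUS_ATTR_CHAP_PASSWORD:
			case RADIUS_ATTR_ARAP_PASSWORD:
				/* Counted, so that two password attributes (same or different types) are rejected below */
				got_passwd += 1;
				break;
				
			default:
				/* Other attributes are not relevant to these checks */
				break;
		}
	}
	
	/* RFC2865 sec 4.1: an Access-Request MUST contain a NAS-IP-Address or NAS-Identifier (NAS-IPv6-Address is accepted too) */
	if (!got_id) {
		TRACE_DEBUG(INFO, "RADIUS Access-Request did not contain a NAS IP or Identifier attribute, reject.");
		return EINVAL;
	}
	
	/* [Note 1] An Access-Request that contains either a User-Password or
	   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
	   MUST NOT contain more than one type of those four attributes.  If it
	   does not contain any of those four attributes, it SHOULD contain a
	   Message-Authenticator.  If any packet type contains an EAP-Message
	   attribute it MUST also contain a Message-Authenticator.  A RADIUS
	   server receiving an Access-Request not containing any of those four
	   attributes and also not containing a Message-Authenticator attribute
	   SHOULD silently discard it.  */
	if (   ((got_eap + got_passwd) > 1)
	    || (got_eap && !got_mac)
	    || (!got_eap && !got_passwd && !got_mac)) {
		/* The RFC asks for a silent discard; whether the gateway answers or drops on EINVAL is decided by the caller */
		TRACE_DEBUG(INFO, "RADIUS Access-Request not conform to RFC3579 sec 3.3 note 1, discard.");
		return EINVAL;
	}
	
	/* Translation of the request to Diameter is not implemented yet */
	return ENOTSUP;
}

/* Diameter answer callback, invoked by the radius_gw extension when the Diameter answer to a forwarded request arrives.
 *  cs       : the state created by auth_conf_parse, must be non-NULL.
 *  session, diam_ans, rad_fw, cli : gateway-provided handles, unused until the translation is implemented.
 * Returns ENOTSUP: translating the answer back to RADIUS is not implemented yet. */
static int auth_diam_ans(struct rga_conf_state * cs, sess_id_t ** session, msg_t ** diam_ans, struct radius_msg ** rad_fw, void * cli )
{
	TRACE_ENTRY("%p %p %p %p %p", cs, session, diam_ans, rad_fw, cli);
	CHECK_PARAMS(cs);
	return ENOTSUP;
}

/* Entry point of the sub-extension, called by radius_gw when it loads this module.
 *  version   : the radius_gw ABI version the caller was built with, must equal RADIUS_GW_API_VER.
 *  waaad_api : the waaad API pointers, used to initialize API access for this module.
 *  api       : the radius_gw callback table to fill.
 * Returns 0 on success, EINVAL on ABI version mismatch (and, through CHECK_PARAMS, on NULL pointers).
 * No state is created here: the extension must be re-entrant, so per-instance state lives in auth_conf_parse. */
int rga_register(int version, waaad_api_t * waaad_api, struct radius_gw_api * api)
{
	TRACE_ENTRY("%d %p %p", version, waaad_api, api);
	CHECK_PARAMS( waaad_api && api );
	
	/* Refuse to run against a gateway built with a different ABI */
	if (version != RADIUS_GW_API_VER) {
		log_error("ABI version mismatch, please recompile this extension (%s)\n", __FILE__);
		return EINVAL;
	}
	
	/* Required to use the waaad api from this sub-extension: */
	EXTENSION_API_INIT_INTERN( API_MODULE_ALL, "sub_auth", waaad_api );
	
	/* Initialize the radius_gw api callbacks */
	api->rga_conf_parse_cb = auth_conf_parse;
	api->rga_conf_free_cb  = auth_conf_free;
	api->rga_rad_req_cb    = auth_rad_req;
	api->rga_diam_ans_cb   = auth_diam_ans;
	
	/* We're done, we must not initialize any state here since the extension must be re-entrant; this is done in auth_conf_parse */
	return 0;
}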