view extensions/radius_gw/sub_auth.c @ 403:bcc13af0825a

Improved initialization message
author Sebastien Decugis <sdecugis@nict.go.jp>
date Wed, 03 Jun 2009 18:14:17 +0900

/*********************************************************************************************************
* Software License Agreement (BSD License)                                                               *
* Author: Sebastien Decugis <sdecugis@nict.go.jp>							 *
*													 *
* Copyright (c) 2009, WIDE Project and NICT								 *
* All rights reserved.											 *
* 													 *
* Redistribution and use of this software in source and binary forms, with or without modification, are  *
* permitted provided that the following conditions are met:						 *
* 													 *
* * Redistributions of source code must retain the above 						 *
*   copyright notice, this list of conditions and the 							 *
*   following disclaimer.										 *
*    													 *
* * Redistributions in binary form must reproduce the above 						 *
*   copyright notice, this list of conditions and the 							 *
*   following disclaimer in the documentation and/or other						 *
*   materials provided with the distribution.								 *
* 													 *
* * Neither the name of the WIDE Project or NICT nor the 						 *
*   names of its contributors may be used to endorse or 						 *
*   promote products derived from this software without 						 *
*   specific prior written permission of WIDE Project and 						 *
*   NICT.												 *
* 													 *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 	 *
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 	 *
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF   *
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.								 *
*********************************************************************************************************/

/* Sub extension for handling RADIUS Access-Request messages (authentication, RFC2865 / RFC3579) */

#define IN_EXTENSION
#define DEFINE_DEBUG_MACRO	sub_auth
#define DECLARE_API_POINTERS
#include <waaad/waaad.h>

#include "rg_common.h"

#ifndef SUB_AUTH_VERBO
#define SUB_AUTH_VERBO 0	/* Default trace verbosity; can be overridden from the build flags */
#endif /* SUB_AUTH_VERBO */


/* Verbosity level of this sub-extension's traces (presumably consumed by the
   DEFINE_DEBUG_MACRO machinery of waaad.h through the sub_auth_<...> naming) */
int sub_auth_verbosity = SUB_AUTH_VERBO;

/* Attributes missing from radius.h */
#define RADIUS_ATTR_CHAP_PASSWORD	3	/* CHAP-Password, RFC2865 */
#define RADIUS_ATTR_ARAP_PASSWORD	70	/* ARAP-Password, RFC2869 */

/* Per-instance state of this sub-extension, created by auth_conf_parse() and
   released by auth_conf_free(). */
struct rga_conf_state {
	char * conffile;	/* Configuration file path as handed to auth_conf_parse(); the pointer is
				   stored as-is (not copied) and is NOT freed by auth_conf_free() */
};

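/* Configuration callback: allocate the state of one instance of this sub-extension.
 *
 * conffile: path of the configuration file chosen by radius_gw, or NULL to use the
 *           defaults. The pointer is stored as-is (not duplicated), so the string must
 *           outlive the returned state; auth_conf_free() does not release it.
 *
 * Returns the new, zero-initialized state, or NULL if the allocation failed. */
static struct rga_conf_state * auth_conf_parse(char * conffile)
{
	struct rga_conf_state * cs;
	
	TRACE_ENTRY("%p", conffile);
	
	/* calloc() already zeroes the state, so the separate memset() is no longer needed;
	   sizeof *cs keeps the size tied to the variable's type */
	CHECK_MALLOC_DO( cs = calloc(1, sizeof *cs), return NULL );
	
	cs->conffile = conffile;
	
	if (conffile) {
		TRACE_DEBUG(INFO, "Sub extension Authentication (RFC2865, RFC3579) initialized with configuration: '%s'", cs->conffile);
	} else {
		TRACE_DEBUG(INFO, "Sub extension Authentication (RFC2865, RFC3579) initialized with default configuration");
	}
	
	return cs;
}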

/* Configuration callback: release a state returned by auth_conf_parse().
 *
 * cs: the state to free; a NULL value is reported by CHECK_PARAMS_DO (no action
 *     attached) and then falls through to free(), which is a no-op on NULL.
 *
 * Only the state itself is freed: cs->conffile aliases the caller's string and is
 * intentionally left alone. */
static void auth_conf_free(struct rga_conf_state * cs)
{
	TRACE_ENTRY("%p", cs);
	CHECK_PARAMS_DO( cs, );
	free(cs);
	return;
}

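/* RADIUS request callback: sanity-check an incoming Access-Request before it is
 * translated to Diameter.
 *
 * cs:       state from auth_conf_parse() (not used yet).
 * session:  session identifier slot managed by radius_gw (not used yet).
 * rad_req:  the parsed RADIUS message; must be an Access-Request.
 * rad_ans:  where a RADIUS answer would be stored (not used beyond the parameter check).
 * diam_fw:  the Diameter message being built for forwarding; must be non-NULL.
 * cli:      opaque client handle passed through by radius_gw (not used yet).
 *
 * Returns EINVAL when the request lacks a NAS identification attribute or violates
 * RFC3579 sec 3.3 note 1 (the caller is expected to drop it), and ENOTSUP otherwise
 * because the actual translation is not implemented in this version.
 *
 * Only the *presence* of Message-Authenticator is checked here; its HMAC is not
 * verified in this function (that is expected to happen elsewhere in radius_gw). */
static int auth_rad_req(struct rga_conf_state * cs, sess_id_t ** session, struct radius_msg * rad_req, struct radius_msg ** rad_ans, msg_t ** diam_fw, void * cli )
{
	size_t idx;
	int got_id = 0;		/* NAS-IP-Address, NAS-Identifier or NAS-IPv6-Address seen */
	int got_mac = 0;	/* Message-Authenticator seen (presence only) */
	int got_passwd = 0;	/* number of User-Password / CHAP-Password / ARAP-Password attributes */
	int got_eap = 0;	/* at least one EAP-Message seen */
	
	TRACE_ENTRY("%p %p %p %p %p %p", cs, session, rad_req, rad_ans, diam_fw, cli);
	/* This is the authentication sub-extension: only Access-Request is handled here.
	   (Checking for Accounting-Request was a leftover from the accounting sub-extension
	   and would have rejected every genuine authentication request.) */
	CHECK_PARAMS(rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCESS_REQUEST) && rad_ans && diam_fw && *diam_fw);
	
	/* Single pass over the attributes, recording which of the relevant ones are present */
	for (idx = 0; idx < rad_req->attr_used; idx++) {
		struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]);
		switch (attr->type) {
			case RADIUS_ATTR_NAS_IP_ADDRESS:
			case RADIUS_ATTR_NAS_IDENTIFIER:
			case RADIUS_ATTR_NAS_IPV6_ADDRESS:
				got_id = 1;
				break;
			case RADIUS_ATTR_MESSAGE_AUTHENTICATOR:
				got_mac = 1;
				break;
			case RADIUS_ATTR_EAP_MESSAGE:
				got_eap = 1;
				break;
			case RADIUS_ATTR_USER_PASSWORD:
			case RADIUS_ATTR_CHAP_PASSWORD:
			case RADIUS_ATTR_ARAP_PASSWORD:
				/* Counted (not flagged) so that two password attributes are rejected below */
				got_passwd += 1;
				break;
			default:
				/* Other attributes are irrelevant to these checks */
				break;
		}
	}
			
	/* RFC2865 sec 4.1: an Access-Request MUST carry a NAS-IP-Address or NAS-Identifier
	   (NAS-IPv6-Address is accepted as the RFC3162 equivalent) */
	if (!got_id) {
		TRACE_DEBUG(INFO, "RADIUS Access-Request did not contain a NAS IP or Identifier attribute, reject.");
		return EINVAL;
	}
	/* [Note 1] An Access-Request that contains either a User-Password or
	   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
	   MUST NOT contain more than one type of those four attributes.  If it
	   does not contain any of those four attributes, it SHOULD contain a
	   Message-Authenticator.  If any packet type contains an EAP-Message
	   attribute it MUST also contain a Message-Authenticator.  A RADIUS
	   server receiving an Access-Request not containing any of those four
	   attributes and also not containing a Message-Authenticator attribute
	   SHOULD silently discard it.  */
	if (((got_eap + got_passwd) > 1) || (got_eap && !got_mac) || (!got_eap && !got_passwd && !got_mac)) {
		TRACE_DEBUG(INFO, "RADIUS Access-Request not conform to RFC3579 sec 3.3 note 1, discard.");
		return EINVAL;
	}
	
	/* The translation to Diameter itself is not implemented yet */
	return ENOTSUP;
}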

/* Diameter answer callback: would translate a Diameter answer back into a RADIUS
 * answer for the client. Not implemented in this version: after checking that the
 * state pointer is valid it always returns ENOTSUP.
 *
 * cs, session, diam_ans, rad_fw and cli follow the radius_gw_api callback contract;
 * none of them is used beyond the parameter check. */
static int auth_diam_ans(struct rga_conf_state * cs, sess_id_t ** session, msg_t ** diam_ans, struct radius_msg ** rad_fw, void * cli )
{
	TRACE_ENTRY("%p %p %p %p %p", cs, session, diam_ans, rad_fw, cli);
	CHECK_PARAMS(cs);

	return ENOTSUP;
}

/* Entry point called by radius_gw when loading this sub-extension.
 *
 * version:   the RADIUS_GW_API_VER the loader was compiled against; a mismatch is
 *            refused with EINVAL so an ABI-incompatible build can never run.
 * waaad_api: the core API table, bound to this module by EXTENSION_API_INIT_INTERN.
 * api:       the callback table to fill in (conf parse/free, RADIUS request, Diameter answer).
 *
 * Returns 0 on success, EINVAL on version mismatch (CHECK_PARAMS handles NULL pointers). */
int rga_register(int version, waaad_api_t * waaad_api, struct radius_gw_api * api)
{
	TRACE_ENTRY("%d %p %p", version, waaad_api, api);
	CHECK_PARAMS( waaad_api && api );
	
	/* Refuse to go further before touching the API table with a possibly different layout */
	if (version != RADIUS_GW_API_VER) {
		log_error("ABI version mismatch, please recompile this extension (%s)\n", __FILE__);
		return EINVAL;
	}
	
	/* Required to use the waaad api from this sub-extension: */
	EXTENSION_API_INIT_INTERN( API_MODULE_ALL, "sub_auth", waaad_api );
	
	/* Initialize the radius_gw api callbacks */
	api->rga_conf_parse_cb = auth_conf_parse;
	api->rga_conf_free_cb  = auth_conf_free;
	api->rga_rad_req_cb    = auth_rad_req;
	api->rga_diam_ans_cb   = auth_diam_ans;
	
	/* We're done; no state is initialized here since the extension must be re-entrant
	   (several instances may be registered): per-instance state lives in auth_conf_parse */
	return 0;
}