# HG changeset patch
# User Sebastien Decugis
# Date 1243587651 -32400
# Node ID b1eb38915f0451fecbfd5a97b6dd0b5387b7395a
# Parent f63adc1b3e9992588712fe5af172f4641cef28df
Added skeleton for sub_auth

diff -r f63adc1b3e99 -r b1eb38915f04 extensions/radius_gw/CMakeLists.txt
--- a/extensions/radius_gw/CMakeLists.txt Fri May 29 17:39:38 2009 +0900
+++ b/extensions/radius_gw/CMakeLists.txt Fri May 29 18:00:51 2009 +0900
@@ -81,6 +81,13 @@
 TARGET_LINK_LIBRARIES(sub_echo_drop rg_common)
 ENDIF (BUILD_SUB_ECHO_DROP)
+OPTION(BUILD_SUB_AUTH "Build RADIUS Authentication & Authorization sub-extension? (RFC2865, RFC3579)" ON)
+ IF (BUILD_SUB_AUTH)
+ ADD_DEFINITIONS(-DSUB_AUTH_VERBO=2)
+ ADD_LIBRARY(sub_auth MODULE ${RG_COMMON_HEADER} sub_auth.c)
+ TARGET_LINK_LIBRARIES(sub_auth rg_common)
+ ENDIF (BUILD_SUB_AUTH)
+
 OPTION(BUILD_SUB_ACCT "Build RADIUS Accounting sub-extension? (RFC2866)" ON)
 IF (BUILD_SUB_ACCT)
 ADD_DEFINITIONS(-DSUB_ACCT_VERBO=2)
diff -r f63adc1b3e99 -r b1eb38915f04 extensions/radius_gw/sub_auth.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/radius_gw/sub_auth.c Fri May 29 18:00:51 2009 +0900
@@ -0,0 +1,173 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License) *
+* Author: Sebastien Decugis *
+* *
+* Copyright (c) 2009, WIDE Project and NICT *
+* All rights reserved. *
+* *
+* Redistribution and use of this software in source and binary forms, with or without modification, are *
+* permitted provided that the following conditions are met: *
+* *
+* * Redistributions of source code must retain the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer. *
+* *
+* * Redistributions in binary form must reproduce the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer in the documentation and/or other *
+* materials provided with the distribution. *
+* *
+* * Neither the name of the WIDE Project or NICT nor the *
+* names of its contributors may be used to endorse or *
+* promote products derived from this software without *
+* specific prior written permission of WIDE Project and *
+* NICT. *
+* *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
+*********************************************************************************************************/
+
+/* Sub extension for handling RADIUS Accounting-Request messages */
+
+#define IN_EXTENSION
+#define DEFINE_DEBUG_MACRO sub_auth
+#define DECLARE_API_POINTERS
+#include
+
+#include "rg_common.h"
+
+#ifndef SUB_AUTH_VERBO
+#define SUB_AUTH_VERBO 0
+#endif /* SUB_AUTH_VERBO */
+
+
+int sub_auth_verbosity = SUB_AUTH_VERBO;
+
+/* Attributes missing from radius.h */
+#define RADIUS_ATTR_CHAP_PASSWORD 3
+#define RADIUS_ATTR_ARAP_PASSWORD 70
+
+struct rga_conf_state {
+ char * conffile;
+};
+
+static struct rga_conf_state * auth_conf_parse(char * conffile)
+{
+ struct rga_conf_state * cs;
+
+ TRACE_ENTRY("%p", conffile);
+
+ CHECK_MALLOC_DO( cs = malloc(sizeof(struct rga_conf_state)), return NULL );
+ memset(cs, 0, sizeof(struct rga_conf_state));
+
+ if (conffile)
+ cs->conffile = conffile;
+ else
+ cs->conffile = "-";
+
+ TRACE_DEBUG(INFO, "Sub extension Authentication (RFC2865, RFC3579) initialized with configuration: '%s'", cs->conffile);
+ return cs;
+}
+
+static void auth_conf_free(struct rga_conf_state * cs)
+{
+ TRACE_ENTRY("%p", cs);
+ CHECK_PARAMS_DO( cs, );
+ free(cs);
+ return;
+}
+
+static int auth_rad_req(struct rga_conf_state * cs, sess_id_t ** session, struct radius_msg * rad_req, struct radius_msg ** rad_ans, msg_t ** diam_fw, void * cli )
+{
+ int idx;
+ int got_id = 0;
+ int got_mac = 0;
+ int got_passwd = 0;
+ int got_eap = 0;
+ uint32_t status_type;
+
+ TRACE_ENTRY("%p %p %p %p %p %p", cs, session, rad_req, rad_ans, diam_fw, cli);
+ CHECK_PARAMS(rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCOUNTING_REQUEST) && rad_ans && diam_fw && *diam_fw);
+
+ /* Check the message contains the NAS identification */
+ for (idx = 0; idx < rad_req->attr_used; idx++) {
+ struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]);
+ switch (attr->type) {
+ case RADIUS_ATTR_NAS_IP_ADDRESS:
+ case RADIUS_ATTR_NAS_IDENTIFIER:
+ case RADIUS_ATTR_NAS_IPV6_ADDRESS:
+ got_id = 1;
+ break;
+ case RADIUS_ATTR_MESSAGE_AUTHENTICATOR:
+ got_mac = 1;
+ break;
+ case RADIUS_ATTR_EAP_MESSAGE:
+ got_eap = 1;
+ break;
+ case RADIUS_ATTR_USER_PASSWORD:
+ case RADIUS_ATTR_CHAP_PASSWORD:
+ case RADIUS_ATTR_ARAP_PASSWORD:
+ got_passwd += 1;
+ break;
+ }
+ }
+
+ /* Check basic information is there */
+ if (!got_id) {
+ TRACE_DEBUG(INFO, "RADIUS Account-Request did not contain a NAS IP or Identifier attribute, reject.");
+ return EINVAL;
+ }
+ /* [Note 1] An Access-Request that contains either a User-Password or
+ CHAP-Password or ARAP-Password or one or more EAP-Message attributes
+ MUST NOT contain more than one type of those four attributes. If it
+ does not contain any of those four attributes, it SHOULD contain a
+ Message-Authenticator. If any packet type contains an EAP-Message
+ attribute it MUST also contain a Message-Authenticator. A RADIUS
+ server receiving an Access-Request not containing any of those four
+ attributes and also not containing a Message-Authenticator attribute
+ SHOULD silently discard it. */
+ if (((got_eap + got_passwd) > 1) || (got_eap && !got_mac) || (!got_eap && !got_passwd && !got_mac)) {
+ TRACE_DEBUG(INFO, "RADIUS Account-Request not conform to RFC3579 sec 3.3 note 1, discard.");
+ return EINVAL;
+ }
+
+
+ return ENOTSUP;
+}
+
+static int auth_diam_ans(struct rga_conf_state * cs, sess_id_t ** session, msg_t ** diam_ans, struct radius_msg ** rad_fw, void * cli )
+{
+ TRACE_ENTRY("%p %p %p %p %p", cs, session, diam_ans, rad_fw, cli);
+ CHECK_PARAMS(cs);
+
+ return ENOTSUP;
+}
+
+int rga_register(int version, waaad_api_t * waaad_api, struct radius_gw_api * api)
+{
+ TRACE_ENTRY("%d %p %p", version, waaad_api, api);
+ CHECK_PARAMS( waaad_api && api );
+
+ if (version != RADIUS_GW_API_VER) {
+ log_error("ABI version mismatch, please recompile this extension (%s)\n", __FILE__);
+ return EINVAL;
+ }
+
+ /* Required to use the waaad api from this sub-extension: */
+ EXTENSION_API_INIT_INTERN( API_MODULE_ALL, "sub_auth", waaad_api );
+
+ /* Initialize the radius_gw api callbacks */
+ api->rga_conf_parse_cb = auth_conf_parse;
+ api->rga_conf_free_cb = auth_conf_free;
+ api->rga_rad_req_cb = auth_rad_req;
+ api->rga_diam_ans_cb = auth_diam_ans;
+
+ /* We're done, we must not initialize any state here since the extension must be re-entrant, but in sample_conf_parse */
+ return 0;
+}
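Review bot: The parameter check at the top of auth_rad_req still requires `rad_req->hdr->code == RADIUS_CODE_ACCOUNTING_REQUEST`, so in this Access-Request handler every genuine Access-Request fails CHECK_PARAMS (presumably returning early) and the RFC 3579 attribute validation below it is never reached; the constant should be the Access-Request code (value 1, `RADIUS_CODE_ACCESS_REQUEST` if this radius.h follows the hostapd naming that the `radius_msg` fields suggest). The same copy-over from the accounting sub-extension leaves the file header comment saying "Accounting-Request", both TRACE_DEBUG strings saying "Account-Request", the unused `uint32_t status_type;`, and the closing comment pointing at `sample_conf_parse` instead of `auth_conf_parse`. `got_mac` only records that a Message-Authenticator attribute is present; the note-1 check carries security weight only once that HMAC is actually verified against the shared secret before anything in the packet is trusted, which the skeleton does not yet do and should mark with a TODO at the `got_mac = 1;` site. Both rejection paths return EINVAL while one log says "reject" and the other "discard"; whether the caller distinguishes an Access-Reject from a silent drop on that code is not visible here, and RFC 3579 asks for silent discard in the second case, so a comment stating the intended caller behaviour would help.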