File: | src/usr.sbin/radiusd/radiusd/../radiusd.c |
Warning: | line 130, column 2 Value stored to 'argv' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: radiusd.c,v 1.27 2019/06/28 13:32:49 deraadt Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (c) 2013 Internet Initiative Japan Inc. |
5 | * |
6 | * Permission to use, copy, modify, and distribute this software for any |
7 | * purpose with or without fee is hereby granted, provided that the above |
8 | * copyright notice and this permission notice appear in all copies. |
9 | * |
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | */ |
18 | |
19 | #include <sys/types.h> |
20 | #include <sys/socket.h> |
21 | #include <sys/queue.h> |
22 | #include <sys/uio.h> |
23 | #include <sys/wait.h> |
24 | #include <netinet/in.h> |
25 | |
26 | #include <dlfcn.h> |
27 | #include <err.h> |
28 | #include <errno(*__errno()).h> |
29 | #include <event.h> |
30 | #include <fcntl.h> |
31 | #include <fnmatch.h> |
32 | #include <imsg.h> |
33 | #include <md5.h> |
34 | #include <netdb.h> |
35 | #include <pwd.h> |
36 | #include <signal.h> |
37 | #include <stdbool.h> |
38 | #include <stdio.h> |
39 | #include <stdlib.h> |
40 | #include <string.h> |
41 | #include <syslog.h> |
42 | #include <unistd.h> |
43 | #include <util.h> |
44 | |
45 | #include <radius.h> |
46 | |
47 | #include "radiusd.h" |
48 | #include "radiusd_local.h" |
49 | #include "log.h" |
50 | #include "util.h" |
51 | #include "imsg_subr.h" |
52 | |
53 | static int radiusd_start(struct radiusd *); |
54 | static void radiusd_stop(struct radiusd *); |
55 | static void radiusd_free(struct radiusd *); |
56 | static void radiusd_listen_on_event(int, short, void *); |
57 | static void radiusd_on_sigterm(int, short, void *); |
58 | static void radiusd_on_sigint(int, short, void *); |
59 | static void radiusd_on_sighup(int, short, void *); |
60 | static void radiusd_on_sigchld(int, short, void *); |
61 | static int radius_query_request_decoration(struct radius_query *); |
62 | static int radius_query_response_decoration( |
63 | struct radius_query *); |
64 | static const char *radius_code_string(int); |
65 | static int radiusd_access_response_fixup (struct radius_query *); |
66 | |
67 | |
68 | |
69 | static void radiusd_module_reset_ev_handler( |
70 | struct radiusd_module *); |
71 | static int radiusd_module_imsg_read(struct radiusd_module *, |
72 | bool_Bool); |
73 | static void radiusd_module_imsg(struct radiusd_module *, |
74 | struct imsg *); |
75 | |
76 | static struct radiusd_module_radpkt_arg * |
77 | radiusd_module_recv_radpkt(struct radiusd_module *, |
78 | struct imsg *, uint32_t, const char *); |
79 | static void radiusd_module_on_imsg_io(int, short, void *); |
80 | void radiusd_module_start(struct radiusd_module *); |
81 | void radiusd_module_stop(struct radiusd_module *); |
82 | static void radiusd_module_close(struct radiusd_module *); |
83 | static void radiusd_module_userpass(struct radiusd_module *, |
84 | struct radius_query *); |
85 | static void radiusd_module_access_request(struct radiusd_module *, |
86 | struct radius_query *); |
87 | |
88 | static u_int radius_query_id_seq = 0; |
89 | int debug = 0; |
90 | |
91 | static __dead__attribute__((__noreturn__)) void |
92 | usage(void) |
93 | { |
94 | extern char *__progname; |
95 | |
96 | fprintf(stderr(&__sF[2]), "usage: %s [-dn] [-f file]\n", __progname); |
97 | exit(EXIT_FAILURE1); |
98 | } |
99 | |
100 | int |
101 | main(int argc, char *argv[]) |
102 | { |
103 | extern char *__progname; |
104 | const char *conffile = CONFFILE"/etc/radiusd.conf"; |
105 | int ch; |
106 | struct radiusd *radiusd; |
107 | bool_Bool noaction = false0; |
108 | struct passwd *pw; |
109 | |
110 | while ((ch = getopt(argc, argv, "df:n")) != -1) |
111 | switch (ch) { |
112 | case 'd': |
113 | debug++; |
114 | break; |
115 | |
116 | case 'f': |
117 | conffile = optarg; |
118 | break; |
119 | |
120 | case 'n': |
121 | noaction = true1; |
122 | break; |
123 | |
124 | default: |
125 | usage(); |
126 | /* NOTREACHED */ |
127 | } |
128 | |
129 | argc -= optind; |
130 | argv += optind; |
Value stored to 'argv' is never read | |
131 | |
132 | if (argc != 0) |
133 | usage(); |
134 | |
135 | if ((radiusd = calloc(1, sizeof(*radiusd))) == NULL((void *)0)) |
136 | err(1, "calloc"); |
137 | TAILQ_INIT(&radiusd->listen)do { (&radiusd->listen)->tqh_first = ((void *)0); ( &radiusd->listen)->tqh_last = &(&radiusd-> listen)->tqh_first; } while (0); |
138 | TAILQ_INIT(&radiusd->query)do { (&radiusd->query)->tqh_first = ((void *)0); (& radiusd->query)->tqh_last = &(&radiusd->query )->tqh_first; } while (0); |
139 | |
140 | log_init(debug); |
141 | if (parse_config(conffile, radiusd) != 0) |
142 | errx(EXIT_FAILURE1, "config error"); |
143 | if (noaction) { |
144 | fprintf(stderr(&__sF[2]), "configuration OK\n"); |
145 | exit(EXIT_SUCCESS0); |
146 | } |
147 | |
148 | if (debug == 0) |
149 | daemon(0, 0); |
150 | event_init(); |
151 | |
152 | if ((pw = getpwnam(RADIUSD_USER"_radiusd")) == NULL((void *)0)) |
153 | errx(EXIT_FAILURE1, "user `%s' is not found in password " |
154 | "database", RADIUSD_USER"_radiusd"); |
155 | |
156 | if (chroot(pw->pw_dir) == -1) |
157 | err(EXIT_FAILURE1, "chroot"); |
158 | if (chdir("/") == -1) |
159 | err(EXIT_FAILURE1, "chdir(\"/\")"); |
160 | |
161 | if (setgroups(1, &pw->pw_gid) || |
162 | setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || |
163 | setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) |
164 | err(EXIT_FAILURE1, "cannot drop privileges"); |
165 | |
166 | signal(SIGPIPE13, SIG_IGN(void (*)(int))1); |
167 | openlog(NULL((void *)0), LOG_PID0x01, LOG_DAEMON(3<<3)); |
168 | |
169 | signal_set(&radiusd->ev_sigterm, SIGTERM, radiusd_on_sigterm, radiusd)event_set(&radiusd->ev_sigterm, 15, 0x08|0x10, radiusd_on_sigterm , radiusd); |
170 | signal_set(&radiusd->ev_sigint, SIGINT, radiusd_on_sigint, radiusd)event_set(&radiusd->ev_sigint, 2, 0x08|0x10, radiusd_on_sigint , radiusd); |
171 | signal_set(&radiusd->ev_sighup, SIGHUP, radiusd_on_sighup, radiusd)event_set(&radiusd->ev_sighup, 1, 0x08|0x10, radiusd_on_sighup , radiusd); |
172 | signal_set(&radiusd->ev_sigchld, SIGCHLD, radiusd_on_sigchld, radiusd)event_set(&radiusd->ev_sigchld, 20, 0x08|0x10, radiusd_on_sigchld , radiusd); |
173 | |
174 | if (radiusd_start(radiusd) != 0) |
175 | errx(EXIT_FAILURE1, "start failed"); |
176 | |
177 | if (pledge("stdio inet", NULL((void *)0)) == -1) |
178 | err(EXIT_FAILURE1, "pledge"); |
179 | |
180 | if (event_loop(0) < 0) |
181 | radiusd_stop(radiusd); |
182 | |
183 | radiusd_free(radiusd); |
184 | event_base_free(NULL((void *)0)); |
185 | |
186 | exit(EXIT_SUCCESS0); |
187 | } |
188 | |
189 | static int |
190 | radiusd_start(struct radiusd *radiusd) |
191 | { |
192 | struct radiusd_listen *l; |
193 | struct radiusd_module *module; |
194 | int s; |
195 | char hbuf[NI_MAXHOST256]; |
196 | |
197 | TAILQ_FOREACH(l, &radiusd->listen, next)for((l) = ((&radiusd->listen)->tqh_first); (l) != ( (void *)0); (l) = ((l)->next.tqe_next)) { |
198 | if (getnameinfo( |
199 | (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len, |
200 | hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1) != 0) { |
201 | log_warn("%s: getnameinfo()", __func__); |
202 | goto on_error; |
203 | } |
204 | if ((s = socket(l->addr.ipv4.sin_family, |
205 | l->stype | SOCK_NONBLOCK0x4000, l->sproto)) == -1) { |
206 | log_warn("Listen %s port %d is failed: socket()", |
207 | hbuf, (int)htons(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
208 | goto on_error; |
209 | } |
210 | if (bind(s, (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len) |
211 | != 0) { |
212 | log_warn("Listen %s port %d is failed: bind()", |
213 | hbuf, (int)htons(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
214 | close(s); |
215 | goto on_error; |
216 | } |
217 | if (l->addr.ipv4.sin_family == AF_INET2) |
218 | log_info("Start listening on %s:%d/udp", hbuf, |
219 | (int)ntohs(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
220 | else |
221 | log_info("Start listening on [%s]:%d/udp", hbuf, |
222 | (int)ntohs(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
223 | event_set(&l->ev, s, EV_READ0x02 | EV_PERSIST0x10, |
224 | radiusd_listen_on_event, l); |
225 | if (event_add(&l->ev, NULL((void *)0)) != 0) { |
226 | log_warn("event_add() failed at %s()", __func__); |
227 | close(s); |
228 | goto on_error; |
229 | } |
230 | l->sock = s; |
231 | l->radiusd = radiusd; |
232 | } |
233 | |
234 | signal_add(&radiusd->ev_sigterm, NULL)event_add(&radiusd->ev_sigterm, ((void *)0)); |
235 | signal_add(&radiusd->ev_sigint, NULL)event_add(&radiusd->ev_sigint, ((void *)0)); |
236 | signal_add(&radiusd->ev_sighup, NULL)event_add(&radiusd->ev_sighup, ((void *)0)); |
237 | signal_add(&radiusd->ev_sigchld, NULL)event_add(&radiusd->ev_sigchld, ((void *)0)); |
238 | |
239 | TAILQ_FOREACH(module, &radiusd->module, next)for((module) = ((&radiusd->module)->tqh_first); (module ) != ((void *)0); (module) = ((module)->next.tqe_next)) { |
240 | if (debug > 0) |
241 | radiusd_module_set(module, "_debug", 0, NULL((void *)0)); |
242 | radiusd_module_start(module); |
243 | } |
244 | |
245 | return (0); |
246 | on_error: |
247 | radiusd_stop(radiusd); |
248 | |
249 | return (-1); |
250 | } |
251 | |
252 | static void |
253 | radiusd_stop(struct radiusd *radiusd) |
254 | { |
255 | char hbuf[NI_MAXHOST256]; |
256 | struct radiusd_listen *l; |
257 | struct radiusd_module *module; |
258 | |
259 | TAILQ_FOREACH_REVERSE(l, &radiusd->listen, radiusd_listen_head, next)for((l) = (*(((struct radiusd_listen_head *)((&radiusd-> listen)->tqh_last))->tqh_last)); (l) != ((void *)0); (l ) = (*(((struct radiusd_listen_head *)((l)->next.tqe_prev) )->tqh_last))) { |
260 | if (l->sock >= 0) { |
261 | if (getnameinfo( |
262 | (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len, |
263 | hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1) != 0) |
264 | strlcpy(hbuf, "error", sizeof(hbuf)); |
265 | if (l->addr.ipv4.sin_family == AF_INET2) |
266 | log_info("Stop listening on %s:%d/udp", hbuf, |
267 | (int)ntohs(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
268 | else |
269 | log_info("Stop listening on [%s]:%d/udp", hbuf, |
270 | (int)ntohs(l->addr.ipv4.sin_port)(__uint16_t)(__builtin_constant_p(l->addr.ipv4.sin_port) ? (__uint16_t)(((__uint16_t)(l->addr.ipv4.sin_port) & 0xffU ) << 8 | ((__uint16_t)(l->addr.ipv4.sin_port) & 0xff00U ) >> 8) : __swap16md(l->addr.ipv4.sin_port))); |
271 | event_del(&l->ev); |
272 | close(l->sock); |
273 | } |
274 | l->sock = -1; |
275 | } |
276 | TAILQ_FOREACH(module, &radiusd->module, next)for((module) = ((&radiusd->module)->tqh_first); (module ) != ((void *)0); (module) = ((module)->next.tqe_next)) { |
277 | radiusd_module_stop(module); |
278 | radiusd_module_close(module); |
279 | } |
280 | if (signal_pending(&radiusd->ev_sigterm, NULL)event_pending(&radiusd->ev_sigterm, 0x08, ((void *)0))) |
281 | signal_del(&radiusd->ev_sigterm)event_del(&radiusd->ev_sigterm); |
282 | if (signal_pending(&radiusd->ev_sigint, NULL)event_pending(&radiusd->ev_sigint, 0x08, ((void *)0))) |
283 | signal_del(&radiusd->ev_sigint)event_del(&radiusd->ev_sigint); |
284 | if (signal_pending(&radiusd->ev_sighup, NULL)event_pending(&radiusd->ev_sighup, 0x08, ((void *)0))) |
285 | signal_del(&radiusd->ev_sighup)event_del(&radiusd->ev_sighup); |
286 | if (signal_pending(&radiusd->ev_sigchld, NULL)event_pending(&radiusd->ev_sigchld, 0x08, ((void *)0))) |
287 | signal_del(&radiusd->ev_sigchld)event_del(&radiusd->ev_sigchld); |
288 | } |
289 | |
290 | static void |
291 | radiusd_free(struct radiusd *radiusd) |
292 | { |
293 | int i; |
294 | struct radiusd_listen *listn, *listnt; |
295 | struct radiusd_client *client, *clientt; |
296 | struct radiusd_module *module, *modulet; |
297 | struct radiusd_module_ref *modref, *modreft; |
298 | struct radiusd_authentication *authen, *authent; |
299 | |
300 | TAILQ_FOREACH_SAFE(authen, &radiusd->authen, next, authent)for ((authen) = ((&radiusd->authen)->tqh_first); (authen ) != ((void *)0) && ((authent) = ((authen)->next.tqe_next ), 1); (authen) = (authent)) { |
301 | TAILQ_REMOVE(&radiusd->authen, authen, next)do { if (((authen)->next.tqe_next) != ((void *)0)) (authen )->next.tqe_next->next.tqe_prev = (authen)->next.tqe_prev ; else (&radiusd->authen)->tqh_last = (authen)-> next.tqe_prev; *(authen)->next.tqe_prev = (authen)->next .tqe_next; ; ; } while (0); |
302 | free(authen->auth); |
303 | TAILQ_FOREACH_SAFE(modref, &authen->deco, next, modreft)for ((modref) = ((&authen->deco)->tqh_first); (modref ) != ((void *)0) && ((modreft) = ((modref)->next.tqe_next ), 1); (modref) = (modreft)) { |
304 | TAILQ_REMOVE(&authen->deco, modref, next)do { if (((modref)->next.tqe_next) != ((void *)0)) (modref )->next.tqe_next->next.tqe_prev = (modref)->next.tqe_prev ; else (&authen->deco)->tqh_last = (modref)->next .tqe_prev; *(modref)->next.tqe_prev = (modref)->next.tqe_next ; ; ; } while (0); |
305 | free(modref); |
306 | } |
307 | for (i = 0; authen->username[i] != NULL((void *)0); i++) |
308 | free(authen->username[i]); |
309 | free(authen->username); |
310 | free(authen); |
311 | } |
312 | TAILQ_FOREACH_SAFE(module, &radiusd->module, next, modulet)for ((module) = ((&radiusd->module)->tqh_first); (module ) != ((void *)0) && ((modulet) = ((module)->next.tqe_next ), 1); (module) = (modulet)) { |
313 | TAILQ_REMOVE(&radiusd->module, module, next)do { if (((module)->next.tqe_next) != ((void *)0)) (module )->next.tqe_next->next.tqe_prev = (module)->next.tqe_prev ; else (&radiusd->module)->tqh_last = (module)-> next.tqe_prev; *(module)->next.tqe_prev = (module)->next .tqe_next; ; ; } while (0); |
314 | radiusd_module_unload(module); |
315 | } |
316 | TAILQ_FOREACH_SAFE(client, &radiusd->client, next, clientt)for ((client) = ((&radiusd->client)->tqh_first); (client ) != ((void *)0) && ((clientt) = ((client)->next.tqe_next ), 1); (client) = (clientt)) { |
317 | TAILQ_REMOVE(&radiusd->client, client, next)do { if (((client)->next.tqe_next) != ((void *)0)) (client )->next.tqe_next->next.tqe_prev = (client)->next.tqe_prev ; else (&radiusd->client)->tqh_last = (client)-> next.tqe_prev; *(client)->next.tqe_prev = (client)->next .tqe_next; ; ; } while (0); |
318 | explicit_bzero(client->secret, sizeof(client->secret)); |
319 | free(client); |
320 | } |
321 | TAILQ_FOREACH_SAFE(listn, &radiusd->listen, next, listnt)for ((listn) = ((&radiusd->listen)->tqh_first); (listn ) != ((void *)0) && ((listnt) = ((listn)->next.tqe_next ), 1); (listn) = (listnt)) { |
322 | TAILQ_REMOVE(&radiusd->listen, listn, next)do { if (((listn)->next.tqe_next) != ((void *)0)) (listn)-> next.tqe_next->next.tqe_prev = (listn)->next.tqe_prev; else (&radiusd->listen)->tqh_last = (listn)->next.tqe_prev ; *(listn)->next.tqe_prev = (listn)->next.tqe_next; ; ; } while (0); |
323 | free(listn); |
324 | } |
325 | free(radiusd); |
326 | } |
327 | |
328 | /*********************************************************************** |
329 | * Network event handlers |
330 | ***********************************************************************/ |
331 | #define IPv4_cmp(_in, _addr, _mask)( ((_in)->s_addr & (_mask)->addr.ipv4.s_addr) == (_addr )->addr.ipv4.s_addr) ( \ |
332 | ((_in)->s_addr & (_mask)->addr.ipv4.s_addr) == \ |
333 | (_addr)->addr.ipv4.s_addr) |
334 | #define s6_addr32(_in6)((uint32_t *)(_in6)->__u6_addr.__u6_addr8) ((uint32_t *)(_in6)->s6_addr__u6_addr.__u6_addr8) |
335 | #define IPv6_cmp(_in6, _addr, _mask)( ((((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[3] & (_mask )->addr.addr32[3]) == (_addr)->addr.addr32[3]) && ((((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[2] & (_mask )->addr.addr32[2]) == (_addr)->addr.addr32[2]) && ((((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[1] & (_mask )->addr.addr32[1]) == (_addr)->addr.addr32[1]) && ((((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[0] & (_mask )->addr.addr32[0]) == (_addr)->addr.addr32[0])) ( \ |
336 | ((s6_addr32(_in6)((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[3] & (_mask)->addr.addr32[3]) \ |
337 | == (_addr)->addr.addr32[3]) && \ |
338 | ((s6_addr32(_in6)((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[2] & (_mask)->addr.addr32[2]) \ |
339 | == (_addr)->addr.addr32[2]) && \ |
340 | ((s6_addr32(_in6)((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[1] & (_mask)->addr.addr32[1]) \ |
341 | == (_addr)->addr.addr32[1]) && \ |
342 | ((s6_addr32(_in6)((uint32_t *)(_in6)->__u6_addr.__u6_addr8)[0] & (_mask)->addr.addr32[0]) \ |
343 | == (_addr)->addr.addr32[0])) |
344 | |
345 | static void |
346 | radiusd_listen_on_event(int fd, short evmask, void *ctx) |
347 | { |
348 | int i, sz, req_id, req_code; |
349 | struct radiusd_listen *listn = ctx; |
350 | static u_char buf[65535]; |
351 | static char username[256]; |
352 | struct sockaddr_storage peer; |
353 | socklen_t peersz; |
354 | RADIUS_PACKET *packet = NULL((void *)0); |
355 | char peerstr[NI_MAXHOST256 + NI_MAXSERV32 + 30]; |
356 | struct radiusd_authentication *authen; |
357 | struct radiusd_client *client; |
358 | struct radius_query *q; |
359 | #define in(_x) (((struct sockaddr_in *)_x)->sin_addr) |
360 | #define in6(_x) (((struct sockaddr_in6 *)_x)->sin6_addr) |
361 | |
362 | if (evmask & EV_READ0x02) { |
363 | peersz = sizeof(peer); |
364 | if ((sz = recvfrom(listn->sock, buf, sizeof(buf), 0, |
365 | (struct sockaddr *)&peer, &peersz)) == -1) { |
366 | if (errno(*__errno()) == EAGAIN35) |
367 | return; |
368 | log_warn("%s: recvfrom() failed", __func__); |
369 | goto on_error; |
370 | } |
371 | RADIUSD_ASSERT(peer.ss_family == AF_INET ||do { if (!(peer.ss_family == 2 || peer.ss_family == 24)) { log_warnx ( "ASSERT(%s) failed in %s() at %s:%d", "peer.ss_family == AF_INET || peer.ss_family == AF_INET6" , __func__, "/usr/src/usr.sbin/radiusd/radiusd/../radiusd.c", 372); if (debug) abort(); } } while (0 ) |
372 | peer.ss_family == AF_INET6)do { if (!(peer.ss_family == 2 || peer.ss_family == 24)) { log_warnx ( "ASSERT(%s) failed in %s() at %s:%d", "peer.ss_family == AF_INET || peer.ss_family == AF_INET6" , __func__, "/usr/src/usr.sbin/radiusd/radiusd/../radiusd.c", 372); if (debug) abort(); } } while (0 ); |
373 | |
374 | /* prepare some information about this messages */ |
375 | if (addrport_tostring((struct sockaddr *)&peer, peersz, |
376 | peerstr, sizeof(peerstr)) == NULL((void *)0)) { |
377 | log_warn("%s: getnameinfo() failed", __func__); |
378 | goto on_error; |
379 | } |
380 | if ((packet = radius_convert_packet(buf, sz)) == NULL((void *)0)) { |
381 | log_warn("%s: radius_convert_packet() failed", |
382 | __func__); |
383 | goto on_error; |
384 | } |
385 | req_id = radius_get_id(packet); |
386 | req_code = radius_get_code(packet); |
387 | |
388 | /* |
389 | * Find a matching `client' entry |
390 | */ |
391 | TAILQ_FOREACH(client, &listn->radiusd->client, next)for((client) = ((&listn->radiusd->client)->tqh_first ); (client) != ((void *)0); (client) = ((client)->next.tqe_next )) { |
392 | if (client->af != peer.ss_family) |
393 | continue; |
394 | if (peer.ss_family == AF_INET2 && |
395 | IPv4_cmp(&((struct sockaddr_in *)&peer)->sin_addr,( ((&((struct sockaddr_in *)&peer)->sin_addr)-> s_addr & (&client->mask)->addr.ipv4.s_addr) == ( &client->addr)->addr.ipv4.s_addr) |
396 | &client->addr, &client->mask)( ((&((struct sockaddr_in *)&peer)->sin_addr)-> s_addr & (&client->mask)->addr.ipv4.s_addr) == ( &client->addr)->addr.ipv4.s_addr)) |
397 | break; |
398 | else if (peer.ss_family == AF_INET624 && |
399 | IPv6_cmp(&((struct sockaddr_in6 *)&peer)->sin6_addr,( ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)-> sin6_addr)->__u6_addr.__u6_addr8)[3] & (&client-> mask)->addr.addr32[3]) == (&client->addr)->addr. addr32[3]) && ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)->sin6_addr)->__u6_addr.__u6_addr8)[2] & (&client->mask)->addr.addr32[2]) == (&client-> addr)->addr.addr32[2]) && ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)->sin6_addr)->__u6_addr.__u6_addr8 )[1] & (&client->mask)->addr.addr32[1]) == (& client->addr)->addr.addr32[1]) && ((((uint32_t * )(&((struct sockaddr_in6 *)&peer)->sin6_addr)-> __u6_addr.__u6_addr8)[0] & (&client->mask)->addr .addr32[0]) == (&client->addr)->addr.addr32[0])) |
400 | &client->addr, &client->mask)( ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)-> sin6_addr)->__u6_addr.__u6_addr8)[3] & (&client-> mask)->addr.addr32[3]) == (&client->addr)->addr. addr32[3]) && ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)->sin6_addr)->__u6_addr.__u6_addr8)[2] & (&client->mask)->addr.addr32[2]) == (&client-> addr)->addr.addr32[2]) && ((((uint32_t *)(&((struct sockaddr_in6 *)&peer)->sin6_addr)->__u6_addr.__u6_addr8 )[1] & (&client->mask)->addr.addr32[1]) == (& client->addr)->addr.addr32[1]) && ((((uint32_t * )(&((struct sockaddr_in6 *)&peer)->sin6_addr)-> __u6_addr.__u6_addr8)[0] & (&client->mask)->addr .addr32[0]) == (&client->addr)->addr.addr32[0]))) |
401 | break; |
402 | } |
403 | if (client == NULL((void *)0)) { |
404 | log_warnx("Received %s(code=%d) from %s id=%d: " |
405 | "no `client' matches", radius_code_string(req_code), |
406 | req_code, peerstr, req_id); |
407 | goto on_error; |
408 | } |
409 | |
410 | /* Check the client's Message-Authenticator */ |
411 | if (client->msgauth_required && |
412 | !radius_has_attr(packet, |
413 | RADIUS_TYPE_MESSAGE_AUTHENTICATOR80)) { |
414 | log_warnx("Received %s(code=%d) from %s id=%d: " |
415 | "no message authenticator", |
416 | radius_code_string(req_code), req_code, peerstr, |
417 | req_id); |
418 | goto on_error; |
419 | } |
420 | |
421 | if (radius_has_attr(packet, |
422 | RADIUS_TYPE_MESSAGE_AUTHENTICATOR80) && |
423 | radius_check_message_authenticator(packet, client->secret) |
424 | != 0) { |
425 | log_warnx("Received %s(code=%d) from %s id=%d: " |
426 | "bad message authenticator", |
427 | radius_code_string(req_code), req_code, peerstr, |
428 | req_id); |
429 | goto on_error; |
430 | } |
431 | |
432 | /* |
433 | * Find a duplicate request. In RFC 2865, it has the same |
434 | * source IP address and source UDP port and Identifier. |
435 | */ |
436 | TAILQ_FOREACH(q, &listn->radiusd->query, next)for((q) = ((&listn->radiusd->query)->tqh_first); (q) != ((void *)0); (q) = ((q)->next.tqe_next)) { |
437 | if (peer.ss_family == q->clientaddr.ss_family && |
438 | ((peer.ss_family == AF_INET2 && |
439 | in(&q->clientaddr).s_addr == |
440 | in(&peer).s_addr) || |
441 | (peer.ss_family == AF_INET624 && |
442 | IN6_ARE_ADDR_EQUAL((memcmp(&(&in6(&q->clientaddr))->__u6_addr. __u6_addr8[0], &(&in6(&peer))->__u6_addr.__u6_addr8 [0], sizeof(struct in6_addr)) == 0) |
443 | &in6(&q->clientaddr), &in6(&peer))(memcmp(&(&in6(&q->clientaddr))->__u6_addr. __u6_addr8[0], &(&in6(&peer))->__u6_addr.__u6_addr8 [0], sizeof(struct in6_addr)) == 0))) && |
444 | ((struct sockaddr_in *)&q->clientaddr)->sin_port == |
445 | ((struct sockaddr_in *)&peer)->sin_port && |
446 | req_id == q->req_id) |
447 | break; /* found it */ |
448 | } |
449 | if (q != NULL((void *)0)) { |
450 | log_info("Received %s(code=%d) from %s id=%d: " |
451 | "duplicate request by q=%u", |
452 | radius_code_string(req_code), req_code, peerstr, |
453 | req_id, q->id); |
454 | /* XXX RFC 5080 suggests to answer the cached result */ |
455 | goto on_error; |
456 | } |
457 | |
458 | /* FIXME: we can support other request codes */ |
459 | if (req_code != RADIUS_CODE_ACCESS_REQUEST1) { |
460 | log_info("Received %s(code=%d) from %s id=%d: %s " |
461 | "is not supported in this implementation", |
462 | radius_code_string(req_code), req_code, peerstr, |
463 | req_id, radius_code_string(req_code)); |
464 | goto on_error; |
465 | } |
466 | |
467 | /* |
468 | * Find a matching `authenticate' entry |
469 | */ |
470 | if (radius_get_string_attr(packet, RADIUS_TYPE_USER_NAME1, |
471 | username, sizeof(username)) != 0) { |
472 | log_info("Received %s(code=%d) from %s id=%d: " |
473 | "no User-Name attribute", |
474 | radius_code_string(req_code), req_code, peerstr, |
475 | req_id); |
476 | goto on_error; |
477 | } |
478 | TAILQ_FOREACH(authen, &listn->radiusd->authen, next)for((authen) = ((&listn->radiusd->authen)->tqh_first ); (authen) != ((void *)0); (authen) = ((authen)->next.tqe_next )) { |
479 | for (i = 0; authen->username[i] != NULL((void *)0); i++) { |
480 | if (fnmatch(authen->username[i], username, 0) |
481 | == 0) |
482 | goto found; |
483 | } |
484 | } |
485 | if (authen == NULL((void *)0)) { |
486 | log_warnx("Received %s(code=%d) from %s id=%d " |
487 | "username=%s: no `authenticate' matches.", |
488 | radius_code_string(req_code), req_code, peerstr, |
489 | req_id, username); |
490 | goto on_error; |
491 | } |
492 | found: |
493 | if (!MODULE_DO_USERPASS(authen->auth->module)((authen->auth->module)->fd >= 0 && ((authen ->auth->module)->capabilities & 0x1) != 0) && |
494 | !MODULE_DO_ACCSREQ(authen->auth->module)((authen->auth->module)->fd >= 0 && ((authen ->auth->module)->capabilities & 0x2) != 0)) { |
495 | log_warnx("Received %s(code=%d) from %s id=%d " |
496 | "username=%s: module `%s' is not running.", |
497 | radius_code_string(req_code), req_code, peerstr, |
498 | req_id, username, authen->auth->module->name); |
499 | goto on_error; |
500 | } |
501 | if ((q = calloc(1, sizeof(struct radius_query))) == NULL((void *)0)) { |
502 | log_warn("%s: Out of memory", __func__); |
503 | goto on_error; |
504 | } |
505 | memcpy(&q->clientaddr, &peer, peersz); |
506 | strlcpy(q->username, username, sizeof(q->username)); |
507 | q->id = ++radius_query_id_seq; |
508 | q->clientaddrlen = peersz; |
509 | q->authen = authen; |
510 | q->listen = listn; |
511 | q->req = packet; |
512 | q->client = client; |
513 | q->req_id = req_id; |
514 | radius_get_authenticator(packet, q->req_auth); |
515 | |
516 | if (radius_query_request_decoration(q) != 0) { |
517 | log_warnx( |
518 | "Received %s(code=%d) from %s id=%d username=%s " |
519 | "q=%u: failed to decorate the request", |
520 | radius_code_string(req_code), req_code, peerstr, |
521 | q->req_id, q->username, q->id); |
522 | radiusd_access_request_aborted(q); |
523 | return; |
524 | } |
525 | log_info("Received %s(code=%d) from %s id=%d username=%s " |
526 | "q=%u: `%s' authentication is starting", |
527 | radius_code_string(req_code), req_code, peerstr, q->req_id, |
528 | q->username, q->id, q->authen->auth->module->name); |
529 | TAILQ_INSERT_TAIL(&listn->radiusd->query, q, next)do { (q)->next.tqe_next = ((void *)0); (q)->next.tqe_prev = (&listn->radiusd->query)->tqh_last; *(&listn ->radiusd->query)->tqh_last = (q); (&listn->radiusd ->query)->tqh_last = &(q)->next.tqe_next; } while (0); |
530 | |
531 | if (MODULE_DO_ACCSREQ(authen->auth->module)((authen->auth->module)->fd >= 0 && ((authen ->auth->module)->capabilities & 0x2) != 0)) { |
532 | radiusd_module_access_request(authen->auth->module, q); |
533 | } else if (MODULE_DO_USERPASS(authen->auth->module)((authen->auth->module)->fd >= 0 && ((authen ->auth->module)->capabilities & 0x1) != 0)) |
534 | radiusd_module_userpass(authen->auth->module, q); |
535 | |
536 | return; |
537 | } |
538 | on_error: |
539 | if (packet != NULL((void *)0)) |
540 | radius_delete_packet(packet); |
541 | #undef in |
542 | #undef in6 |
543 | |
544 | return; |
545 | } |
546 | |
547 | static int |
548 | radius_query_request_decoration(struct radius_query *q) |
549 | { |
550 | struct radiusd_module_ref *deco; |
551 | |
552 | TAILQ_FOREACH(deco, &q->authen->deco, next)for((deco) = ((&q->authen->deco)->tqh_first); (deco ) != ((void *)0); (deco) = ((deco)->next.tqe_next)) { |
553 | /* XXX decoration doesn't work for this moment. */ |
554 | if (deco->module->request_decoration != NULL((void *)0) && |
555 | deco->module->request_decoration(NULL((void *)0), q) != 0) { |
556 | log_warnx("q=%u request decoration `%s' failed", q->id, |
557 | deco->module->name); |
558 | return (-1); |
559 | } |
560 | } |
561 | |
562 | return (0); |
563 | } |
564 | |
565 | static int |
566 | radius_query_response_decoration(struct radius_query *q) |
567 | { |
568 | struct radiusd_module_ref *deco; |
569 | |
570 | TAILQ_FOREACH(deco, &q->authen->deco, next)for((deco) = ((&q->authen->deco)->tqh_first); (deco ) != ((void *)0); (deco) = ((deco)->next.tqe_next)) { |
571 | /* XXX decoration doesn't work for this moment. */ |
572 | if (deco->module->response_decoration != NULL((void *)0) && |
573 | deco->module->response_decoration(NULL((void *)0), q) != 0) { |
574 | log_warnx("q=%u response decoration `%s' failed", q->id, |
575 | deco->module->name); |
576 | return (-1); |
577 | } |
578 | } |
579 | |
580 | return (0); |
581 | } |
582 | |
583 | /*********************************************************************** |
584 | * Callback functions from the modules |
585 | ***********************************************************************/ |
586 | void |
587 | radiusd_access_request_answer(struct radius_query *q) |
588 | { |
589 | int sz, res_id, res_code; |
590 | char buf[NI_MAXHOST256 + NI_MAXSERV32 + 30]; |
591 | const char *authen_secret = q->authen->auth->module->secret; |
592 | |
593 | radius_set_request_packet(q->res, q->req); |
594 | |
595 | if (authen_secret == NULL((void *)0)) { |
596 | /* |
597 | * The module couldn't check the autheticators |
598 | */ |
599 | if (radius_check_response_authenticator(q->res, |
600 | q->client->secret) != 0) { |
601 | log_info("Response from module has bad response " |
602 | "authenticator: id=%d", q->id); |
603 | goto on_error; |
604 | } |
605 | if (radius_has_attr(q->res, |
606 | RADIUS_TYPE_MESSAGE_AUTHENTICATOR80) && |
607 | radius_check_message_authenticator(q->res, |
608 | q->client->secret) != 0) { |
609 | log_info("Response from module has bad message " |
610 | "authenticator: id=%d", q->id); |
611 | goto on_error; |
612 | } |
613 | } |
614 | |
615 | /* Decorate the response */ |
616 | if (radius_query_response_decoration(q) != 0) |
617 | goto on_error; |
618 | |
619 | if (radiusd_access_response_fixup(q) != 0) |
620 | goto on_error; |
621 | |
622 | res_id = radius_get_id(q->res); |
623 | res_code = radius_get_code(q->res); |
624 | |
625 | /* Reset response/message authenticator */ |
626 | if (radius_has_attr(q->res, RADIUS_TYPE_MESSAGE_AUTHENTICATOR80)) |
627 | radius_del_attr_all(q->res, RADIUS_TYPE_MESSAGE_AUTHENTICATOR80); |
628 | radius_put_message_authenticator(q->res, q->client->secret); |
629 | radius_set_response_authenticator(q->res, q->client->secret); |
630 | |
631 | log_info("Sending %s(code=%d) to %s id=%u q=%u", |
632 | radius_code_string(res_code), res_code, |
633 | addrport_tostring((struct sockaddr *)&q->clientaddr, |
634 | q->clientaddrlen, buf, sizeof(buf)), res_id, q->id); |
635 | |
636 | if ((sz = sendto(q->listen->sock, radius_get_data(q->res), |
637 | radius_get_length(q->res), 0, |
638 | (struct sockaddr *)&q->clientaddr, q->clientaddrlen)) <= 0) |
639 | log_warn("Sending a RADIUS response failed"); |
640 | on_error: |
641 | radiusd_access_request_aborted(q); |
642 | } |
643 | |
644 | void |
645 | radiusd_access_request_aborted(struct radius_query *q) |
646 | { |
647 | if (q->req != NULL((void *)0)) |
648 | radius_delete_packet(q->req); |
649 | if (q->res != NULL((void *)0)) |
650 | radius_delete_packet(q->res); |
651 | TAILQ_REMOVE(&q->listen->radiusd->query, q, next)do { if (((q)->next.tqe_next) != ((void *)0)) (q)->next .tqe_next->next.tqe_prev = (q)->next.tqe_prev; else (& q->listen->radiusd->query)->tqh_last = (q)->next .tqe_prev; *(q)->next.tqe_prev = (q)->next.tqe_next; ; ; } while (0); |
652 | free(q); |
653 | } |
654 | |
655 | /*********************************************************************** |
656 | * Signal handlers |
657 | ***********************************************************************/ |
658 | static void |
659 | radiusd_on_sigterm(int fd, short evmask, void *ctx) |
660 | { |
661 | struct radiusd *radiusd = ctx; |
662 | |
663 | log_info("Received SIGTERM"); |
664 | radiusd_stop(radiusd); |
665 | } |
666 | |
667 | static void |
668 | radiusd_on_sigint(int fd, short evmask, void *ctx) |
669 | { |
670 | struct radiusd *radiusd = ctx; |
671 | |
672 | log_info("Received SIGINT"); |
673 | radiusd_stop(radiusd); |
674 | } |
675 | |
676 | static void |
677 | radiusd_on_sighup(int fd, short evmask, void *ctx) |
678 | { |
679 | log_info("Received SIGHUP"); |
680 | } |
681 | |
682 | static void |
683 | radiusd_on_sigchld(int fd, short evmask, void *ctx) |
684 | { |
685 | struct radiusd *radiusd = ctx; |
686 | struct radiusd_module *module; |
687 | pid_t pid; |
688 | int status; |
689 | |
690 | log_debug("Received SIGCHLD"); |
691 | while ((pid = wait3(&status, WNOHANG1, NULL((void *)0))) != 0) { |
692 | if (pid == -1) |
693 | break; |
694 | TAILQ_FOREACH(module, &radiusd->module, next)for((module) = ((&radiusd->module)->tqh_first); (module ) != ((void *)0); (module) = ((module)->next.tqe_next)) { |
695 | if (module->pid == pid) { |
696 | if (WIFEXITED(status)(((status) & 0177) == 0)) |
697 | log_warnx("module `%s'(pid=%d) exited " |
698 | "with status %d", module->name, |
699 | (int)pid, WEXITSTATUS(status)(int)(((unsigned)(status) >> 8) & 0xff)); |
700 | else |
701 | log_warnx("module `%s'(pid=%d) exited " |
702 | "by signal %d", module->name, |
703 | (int)pid, WTERMSIG(status)(((status) & 0177))); |
704 | break; |
705 | } |
706 | } |
707 | if (!module) { |
708 | if (WIFEXITED(status)(((status) & 0177) == 0)) |
709 | log_warnx("unkown child process pid=%d exited " |
710 | "with status %d", (int)pid, |
711 | WEXITSTATUS(status)(int)(((unsigned)(status) >> 8) & 0xff)); |
712 | else |
713 | log_warnx("unkown child process pid=%d exited " |
714 | "by signal %d", (int)pid, |
715 | WTERMSIG(status)(((status) & 0177))); |
716 | } |
717 | } |
718 | } |
719 | |
720 | static const char * |
721 | radius_code_string(int code) |
722 | { |
723 | int i; |
724 | struct _codestrings { |
725 | int code; |
726 | const char *string; |
727 | } codestrings[] = { |
728 | { RADIUS_CODE_ACCESS_REQUEST1, "Access-Request" }, |
729 | { RADIUS_CODE_ACCESS_ACCEPT2, "Access-Accept" }, |
730 | { RADIUS_CODE_ACCESS_REJECT3, "Access-Reject" }, |
731 | { RADIUS_CODE_ACCOUNTING_REQUEST4, "Accounting-Request" }, |
732 | { RADIUS_CODE_ACCOUNTING_RESPONSE5, "Accounting-Response" }, |
733 | { RADIUS_CODE_ACCESS_CHALLENGE11, "Access-Challenge" }, |
734 | { RADIUS_CODE_STATUS_SERVER12, "Status-Server" }, |
735 | { RADIUS_CODE_STATUS_CLIENT13, "Status-Client" }, |
736 | { -1, NULL((void *)0) } |
737 | }; |
738 | |
739 | for (i = 0; codestrings[i].code != -1; i++) |
740 | if (codestrings[i].code == code) |
741 | return (codestrings[i].string); |
742 | |
743 | return ("Unknown"); |
744 | } |
745 | |
746 | void |
747 | radiusd_conf_init(struct radiusd *conf) |
748 | { |
749 | |
750 | TAILQ_INIT(&conf->listen)do { (&conf->listen)->tqh_first = ((void *)0); (& conf->listen)->tqh_last = &(&conf->listen)-> tqh_first; } while (0); |
751 | TAILQ_INIT(&conf->module)do { (&conf->module)->tqh_first = ((void *)0); (& conf->module)->tqh_last = &(&conf->module)-> tqh_first; } while (0); |
752 | TAILQ_INIT(&conf->authen)do { (&conf->authen)->tqh_first = ((void *)0); (& conf->authen)->tqh_last = &(&conf->authen)-> tqh_first; } while (0); |
753 | TAILQ_INIT(&conf->client)do { (&conf->client)->tqh_first = ((void *)0); (& conf->client)->tqh_last = &(&conf->client)-> tqh_first; } while (0); |
754 | |
755 | /* |
756 | * TODO: load the standard modules |
757 | */ |
758 | #if 0 |
759 | static struct radiusd_module *radiusd_standard_modules[] = { |
760 | NULL((void *)0) |
761 | }; |
762 | |
763 | u_int i; |
764 | struct radiusd_module *module; |
765 | for (i = 0; radiusd_standard_modules[i] != NULL((void *)0); i++) { |
766 | module = radiusd_create_module_class( |
767 | radiusd_standard_modules[i]); |
768 | TAILQ_INSERT_TAIL(&conf->module, module, next)do { (module)->next.tqe_next = ((void *)0); (module)->next .tqe_prev = (&conf->module)->tqh_last; *(&conf-> module)->tqh_last = (module); (&conf->module)->tqh_last = &(module)->next.tqe_next; } while (0); |
769 | } |
770 | #endif |
771 | |
772 | return; |
773 | } |
774 | |
775 | /* |
776 | * Fix some attributes which depend the secret value. |
777 | */ |
778 | static int |
779 | radiusd_access_response_fixup(struct radius_query *q) |
780 | { |
781 | int res_id; |
782 | size_t attrlen; |
783 | u_char req_auth[16], attrbuf[256]; |
784 | const char *authen_secret = q->authen->auth->module->secret; |
785 | |
786 | radius_get_authenticator(q->req, req_auth); |
787 | |
788 | if ((authen_secret != NULL((void *)0) && |
789 | strcmp(authen_secret, q->client->secret) != 0) || |
790 | timingsafe_bcmp(q->req_auth, req_auth, 16) != 0) { |
791 | const char *olds = q->client->secret; |
792 | const char *news = authen_secret; |
793 | |
794 | /* RFC 2865 Tunnel-Password */ |
795 | attrlen = sizeof(attrlen); |
796 | if (radius_get_raw_attr(q->res, RADIUS_TYPE_TUNNEL_PASSWORD69, |
797 | attrbuf, &attrlen) == 0) { |
798 | radius_attr_unhide(news, req_auth, |
799 | attrbuf, attrbuf + 3, attrlen - 3); |
800 | radius_attr_hide(olds, q->req_auth, |
801 | attrbuf, attrbuf + 3, attrlen - 3); |
802 | |
803 | radius_del_attr_all(q->res, |
804 | RADIUS_TYPE_TUNNEL_PASSWORD69); |
805 | radius_put_raw_attr(q->res, |
806 | RADIUS_TYPE_TUNNEL_PASSWORD69, attrbuf, attrlen); |
807 | } |
808 | |
809 | /* RFC 2548 Microsoft MPPE-{Send,Recv}-Key */ |
810 | attrlen = sizeof(attrlen); |
811 | if (radius_get_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT311, |
812 | RADIUS_VTYPE_MPPE_SEND_KEY16, attrbuf, &attrlen) == 0) { |
813 | |
814 | /* Re-crypt the KEY */ |
815 | radius_attr_unhide(news, req_auth, |
816 | attrbuf, attrbuf + 2, attrlen - 2); |
817 | radius_attr_hide(olds, q->req_auth, |
818 | attrbuf, attrbuf + 2, attrlen - 2); |
819 | |
820 | radius_del_vs_attr_all(q->res, RADIUS_VENDOR_MICROSOFT311, |
821 | RADIUS_VTYPE_MPPE_SEND_KEY16); |
822 | radius_put_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT311, |
823 | RADIUS_VTYPE_MPPE_SEND_KEY16, attrbuf, attrlen); |
824 | } |
825 | attrlen = sizeof(attrlen); |
826 | if (radius_get_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT311, |
827 | RADIUS_VTYPE_MPPE_RECV_KEY17, attrbuf, &attrlen) == 0) { |
828 | |
829 | /* Re-crypt the KEY */ |
830 | radius_attr_unhide(news, req_auth, |
831 | attrbuf, attrbuf + 2, attrlen - 2); |
832 | radius_attr_hide(olds, q->req_auth, |
833 | attrbuf, attrbuf + 2, attrlen - 2); |
834 | |
835 | radius_del_vs_attr_all(q->res, RADIUS_VENDOR_MICROSOFT311, |
836 | RADIUS_VTYPE_MPPE_RECV_KEY17); |
837 | radius_put_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT311, |
838 | RADIUS_VTYPE_MPPE_RECV_KEY17, attrbuf, attrlen); |
839 | } |
840 | } |
841 | |
842 | res_id = radius_get_id(q->res); |
843 | if (res_id != q->req_id) { |
844 | /* authentication server change the id */ |
845 | radius_set_id(q->res, q->req_id); |
846 | } |
847 | |
848 | return (0); |
849 | } |
850 | |
851 | void |
852 | radius_attr_hide(const char *secret, const char *authenticator, |
853 | const u_char *salt, u_char *plain, int plainlen) |
854 | { |
855 | int i, j; |
856 | u_char b[16]; |
857 | MD5_CTX md5ctx; |
858 | |
859 | i = 0; |
860 | do { |
861 | MD5Init(&md5ctx); |
862 | MD5Update(&md5ctx, secret, strlen(secret)); |
863 | if (i == 0) { |
864 | MD5Update(&md5ctx, authenticator, 16); |
865 | if (salt != NULL((void *)0)) |
866 | MD5Update(&md5ctx, salt, 2); |
867 | } else |
868 | MD5Update(&md5ctx, plain + i - 16, 16); |
869 | MD5Final(b, &md5ctx); |
870 | |
871 | for (j = 0; j < 16 && i < plainlen; i++, j++) |
872 | plain[i] ^= b[j]; |
873 | } while (i < plainlen); |
874 | } |
875 | |
876 | void |
877 | radius_attr_unhide(const char *secret, const char *authenticator, |
878 | const u_char *salt, u_char *crypt0, int crypt0len) |
879 | { |
880 | int i, j; |
881 | u_char b[16]; |
882 | MD5_CTX md5ctx; |
883 | |
884 | i = 16 * ((crypt0len - 1) / 16); |
885 | while (i >= 0) { |
886 | MD5Init(&md5ctx); |
887 | MD5Update(&md5ctx, secret, strlen(secret)); |
888 | if (i == 0) { |
889 | MD5Update(&md5ctx, authenticator, 16); |
890 | if (salt != NULL((void *)0)) |
891 | MD5Update(&md5ctx, salt, 2); |
892 | } else |
893 | MD5Update(&md5ctx, crypt0 + i - 16, 16); |
894 | MD5Final(b, &md5ctx); |
895 | |
896 | for (j = 0; j < 16 && i + j < crypt0len; j++) |
897 | crypt0[i + j] ^= b[j]; |
898 | i -= 16; |
899 | } |
900 | } |
901 | |
902 | static struct radius_query * |
903 | radiusd_find_query(struct radiusd *radiusd, u_int q_id) |
904 | { |
905 | struct radius_query *q; |
906 | |
907 | TAILQ_FOREACH(q, &radiusd->query, next)for((q) = ((&radiusd->query)->tqh_first); (q) != (( void *)0); (q) = ((q)->next.tqe_next)) { |
908 | if (q->id == q_id) |
909 | return (q); |
910 | } |
911 | return (NULL((void *)0)); |
912 | } |
913 | |
914 | /*********************************************************************** |
915 | * radiusd module handling |
916 | ***********************************************************************/ |
917 | struct radiusd_module * |
918 | radiusd_module_load(struct radiusd *radiusd, const char *path, const char *name) |
919 | { |
920 | struct radiusd_module *module = NULL((void *)0); |
921 | pid_t pid; |
922 | int ival, pairsock[] = { -1, -1 }; |
923 | const char *av[3]; |
924 | ssize_t n; |
925 | struct imsg imsg; |
926 | |
927 | module = calloc(1, sizeof(struct radiusd_module)); |
928 | if (module == NULL((void *)0)) |
929 | fatal("Out of memory"); |
930 | module->radiusd = radiusd; |
931 | |
932 | if (socketpair(AF_UNIX1, SOCK_STREAM1, PF_UNSPEC0, pairsock) == -1) { |
933 | log_warn("Could not load module `%s'(%s): pipe()", name, path); |
934 | goto on_error; |
935 | } |
936 | |
937 | pid = fork(); |
938 | if (pid == -1) { |
939 | log_warn("Could not load module `%s'(%s): fork()", name, path); |
940 | goto on_error; |
941 | } |
942 | if (pid == 0) { |
943 | setsid(); |
944 | close(pairsock[0]); |
945 | av[0] = path; |
946 | av[1] = name; |
947 | av[2] = NULL((void *)0); |
948 | dup2(pairsock[1], STDIN_FILENO0); |
949 | dup2(pairsock[1], STDOUT_FILENO1); |
950 | close(pairsock[1]); |
951 | closefrom(STDERR_FILENO2 + 1); |
952 | execv(path, (char * const *)av); |
953 | log_warn("Failed to execute %s", path); |
954 | _exit(EXIT_FAILURE1); |
955 | } |
956 | close(pairsock[1]); |
957 | |
958 | module->fd = pairsock[0]; |
959 | if ((ival = fcntl(module->fd, F_GETFL3)) == -1) { |
960 | log_warn("Could not load module `%s': fcntl(F_GETFL)", |
961 | name); |
962 | goto on_error; |
963 | } |
964 | if (fcntl(module->fd, F_SETFL4, ival | O_NONBLOCK0x0004) == -1) { |
965 | log_warn("Could not load module `%s': fcntl(F_SETFL,O_NONBLOCK)", |
966 | name); |
967 | goto on_error; |
968 | } |
969 | strlcpy(module->name, name, sizeof(module->name)); |
970 | module->pid = pid; |
971 | imsg_init(&module->ibuf, module->fd); |
972 | |
973 | if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT2000) <= 0 || |
974 | (n = imsg_get(&module->ibuf, &imsg)) <= 0) { |
975 | log_warnx("Could not load module `%s': module didn't " |
976 | "respond", name); |
977 | goto on_error; |
978 | } |
979 | if (imsg.hdr.type != IMSG_RADIUSD_MODULE_LOAD) { |
980 | imsg_free(&imsg); |
981 | log_warnx("Could not load module `%s': unknown imsg type=%d", |
982 | name, imsg.hdr.type); |
983 | goto on_error; |
984 | } |
985 | |
986 | module->capabilities = |
987 | ((struct radiusd_module_load_arg *)imsg.data)->cap; |
988 | |
989 | log_debug("Loaded module `%s' successfully. pid=%d", module->name, |
990 | module->pid); |
991 | imsg_free(&imsg); |
992 | |
993 | return (module); |
994 | |
995 | on_error: |
996 | free(module); |
997 | if (pairsock[0] >= 0) |
998 | close(pairsock[0]); |
999 | if (pairsock[1] >= 0) |
1000 | close(pairsock[1]); |
1001 | |
1002 | return (NULL((void *)0)); |
1003 | } |
1004 | |
1005 | void |
1006 | radiusd_module_start(struct radiusd_module *module) |
1007 | { |
1008 | int datalen; |
1009 | struct imsg imsg; |
1010 | struct timeval tv = { 0, 0 }; |
1011 | |
1012 | RADIUSD_ASSERT(module->fd >= 0)do { if (!(module->fd >= 0)) { log_warnx( "ASSERT(%s) failed in %s() at %s:%d" , "module->fd >= 0", __func__, "/usr/src/usr.sbin/radiusd/radiusd/../radiusd.c" , 1012); if (debug) abort(); } } while (0 ); |
1013 | imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_START, 0, 0, -1, |
1014 | NULL((void *)0), 0); |
1015 | imsg_sync_flush(&module->ibuf, MODULE_IO_TIMEOUT2000); |
1016 | if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT2000) <= 0 || |
1017 | imsg_get(&module->ibuf, &imsg) <= 0) { |
1018 | log_warnx("Module `%s' could not start: no response", |
1019 | module->name); |
1020 | goto on_fail; |
1021 | } |
1022 | |
1023 | datalen = imsg.hdr.len - IMSG_HEADER_SIZEsizeof(struct imsg_hdr); |
1024 | if (imsg.hdr.type != IMSG_OK) { |
1025 | if (imsg.hdr.type == IMSG_NG) { |
1026 | if (datalen > 0) |
1027 | log_warnx("Module `%s' could not start: %s", |
1028 | module->name, (char *)imsg.data); |
1029 | else |
1030 | log_warnx("Module `%s' could not start", |
1031 | module->name); |
1032 | } else |
1033 | log_warnx("Module `%s' could not started: module " |
1034 | "returned unknow message type %d", module->name, |
1035 | imsg.hdr.type); |
1036 | goto on_fail; |
1037 | } |
1038 | |
1039 | event_set(&module->ev, module->fd, EV_READ0x02, radiusd_module_on_imsg_io, |
1040 | module); |
1041 | event_add(&module->ev, &tv); |
1042 | log_debug("Module `%s' started successfully", module->name); |
1043 | |
1044 | return; |
1045 | on_fail: |
1046 | radiusd_module_close(module); |
1047 | return; |
1048 | } |
1049 | |
1050 | void |
1051 | radiusd_module_stop(struct radiusd_module *module) |
1052 | { |
1053 | module->stopped = true1; |
1054 | |
1055 | if (module->secret != NULL((void *)0)) { |
1056 | freezero(module->secret, strlen(module->secret)); |
1057 | module->secret = NULL((void *)0); |
1058 | } |
1059 | |
1060 | if (module->fd >= 0) { |
1061 | imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_STOP, 0, 0, -1, |
1062 | NULL((void *)0), 0); |
1063 | radiusd_module_reset_ev_handler(module); |
1064 | } |
1065 | } |
1066 | |
1067 | static void |
1068 | radiusd_module_close(struct radiusd_module *module) |
1069 | { |
1070 | if (module->fd >= 0) { |
1071 | event_del(&module->ev); |
1072 | imsg_clear(&module->ibuf); |
1073 | close(module->fd); |
1074 | module->fd = -1; |
1075 | } |
1076 | } |
1077 | |
1078 | void |
1079 | radiusd_module_unload(struct radiusd_module *module) |
1080 | { |
1081 | free(module->radpkt); |
1082 | radiusd_module_close(module); |
1083 | free(module); |
1084 | } |
1085 | |
1086 | static void |
1087 | radiusd_module_on_imsg_io(int fd, short evmask, void *ctx) |
1088 | { |
1089 | struct radiusd_module *module = ctx; |
1090 | int ret; |
1091 | |
1092 | if (evmask & EV_WRITE0x04) |
1093 | module->writeready = true1; |
1094 | |
1095 | if (evmask & EV_READ0x02 || module->ibuf.r.wpos > IMSG_HEADER_SIZEsizeof(struct imsg_hdr)) { |
1096 | if (radiusd_module_imsg_read(module, |
1097 | (evmask & EV_READ0x02)? true1 : false0) == -1) |
1098 | goto on_error; |
1099 | } |
1100 | |
1101 | while (module->writeready && module->ibuf.w.queued) { |
1102 | ret = msgbuf_write(&module->ibuf.w); |
1103 | if (ret > 0) |
1104 | continue; |
1105 | module->writeready = false0; |
1106 | if (ret == 0 && errno(*__errno()) == EAGAIN35) |
1107 | break; |
1108 | log_warn("Failed to write to module `%s': msgbuf_write()", |
1109 | module->name); |
1110 | goto on_error; |
1111 | } |
1112 | radiusd_module_reset_ev_handler(module); |
1113 | |
1114 | return; |
1115 | on_error: |
1116 | radiusd_module_close(module); |
1117 | } |
1118 | |
1119 | static void |
1120 | radiusd_module_reset_ev_handler(struct radiusd_module *module) |
1121 | { |
1122 | short evmask; |
1123 | struct timeval *tvp = NULL((void *)0), tv = { 0, 0 }; |
1124 | |
1125 | RADIUSD_ASSERT(module->fd >= 0)do { if (!(module->fd >= 0)) { log_warnx( "ASSERT(%s) failed in %s() at %s:%d" , "module->fd >= 0", __func__, "/usr/src/usr.sbin/radiusd/radiusd/../radiusd.c" , 1125); if (debug) abort(); } } while (0 ); |
1126 | event_del(&module->ev); |
1127 | |
1128 | evmask = EV_READ0x02; |
1129 | if (module->ibuf.w.queued) { |
1130 | if (!module->writeready) |
1131 | evmask |= EV_WRITE0x04; |
1132 | else |
1133 | tvp = &tv; /* fire immediately */ |
1134 | } else if (module->ibuf.r.wpos > IMSG_HEADER_SIZEsizeof(struct imsg_hdr)) |
1135 | tvp = &tv; /* fire immediately */ |
1136 | |
1137 | /* module stopped and no event handler is set */ |
1138 | if (evmask & EV_WRITE0x04 && tvp == NULL((void *)0) && module->stopped) { |
1139 | /* stop requested and no more to write */ |
1140 | radiusd_module_close(module); |
1141 | return; |
1142 | } |
1143 | |
1144 | event_set(&module->ev, module->fd, evmask, radiusd_module_on_imsg_io, |
1145 | module); |
1146 | if (event_add(&module->ev, tvp) == -1) { |
1147 | log_warn("Could not set event handlers for module `%s': " |
1148 | "event_add()", module->name); |
1149 | radiusd_module_close(module); |
1150 | } |
1151 | } |
1152 | |
1153 | static int |
1154 | radiusd_module_imsg_read(struct radiusd_module *module, bool_Bool doread) |
1155 | { |
1156 | int n; |
1157 | struct imsg imsg; |
1158 | |
1159 | if (doread) { |
1160 | if ((n = imsg_read(&module->ibuf)) == -1 || n == 0) { |
1161 | if (n == -1 && errno(*__errno()) == EAGAIN35) |
1162 | return (0); |
1163 | if (n == -1) |
1164 | log_warn("Receiving a message from module `%s' " |
1165 | "failed: imsg_read", module->name); |
1166 | /* else closed */ |
1167 | radiusd_module_close(module); |
1168 | return (-1); |
1169 | } |
1170 | } |
1171 | for (;;) { |
1172 | if ((n = imsg_get(&module->ibuf, &imsg)) == -1) { |
1173 | log_warn("Receiving a message from module `%s' failed: " |
1174 | "imsg_get", module->name); |
1175 | return (-1); |
1176 | } |
1177 | if (n == 0) |
1178 | return (0); |
1179 | radiusd_module_imsg(module, &imsg); |
1180 | } |
1181 | |
1182 | return (0); |
1183 | } |
1184 | |
1185 | static void |
1186 | radiusd_module_imsg(struct radiusd_module *module, struct imsg *imsg) |
1187 | { |
1188 | int datalen; |
1189 | struct radius_query *q; |
1190 | u_int q_id; |
1191 | |
1192 | datalen = imsg->hdr.len - IMSG_HEADER_SIZEsizeof(struct imsg_hdr); |
1193 | switch (imsg->hdr.type) { |
1194 | case IMSG_RADIUSD_MODULE_NOTIFY_SECRET: |
1195 | if (datalen > 0) { |
1196 | module->secret = strdup(imsg->data); |
1197 | if (module->secret == NULL((void *)0)) |
1198 | log_warn("Could not handle NOTIFY_SECRET " |
1199 | "from `%s'", module->name); |
1200 | } |
1201 | break; |
1202 | case IMSG_RADIUSD_MODULE_USERPASS_OK: |
1203 | case IMSG_RADIUSD_MODULE_USERPASS_FAIL: |
1204 | { |
1205 | char *msg = NULL((void *)0); |
1206 | const char *msgtypestr; |
1207 | |
1208 | msgtypestr = (imsg->hdr.type == IMSG_RADIUSD_MODULE_USERPASS_OK) |
1209 | ? "USERPASS_OK" : "USERPASS_NG"; |
1210 | |
1211 | q_id = *(u_int *)imsg->data; |
1212 | if (datalen > (ssize_t)sizeof(u_int)) |
1213 | msg = (char *)(((u_int *)imsg->data) + 1); |
1214 | |
1215 | q = radiusd_find_query(module->radiusd, q_id); |
1216 | if (q == NULL((void *)0)) { |
1217 | log_warnx("Received %s from `%s', but query id=%u " |
1218 | "unknown", msgtypestr, module->name, q_id); |
1219 | break; |
1220 | } |
1221 | |
1222 | if ((q->res = radius_new_response_packet( |
1223 | (imsg->hdr.type == IMSG_RADIUSD_MODULE_USERPASS_OK) |
1224 | ? RADIUS_CODE_ACCESS_ACCEPT2 : RADIUS_CODE_ACCESS_REJECT3, |
1225 | q->req)) == NULL((void *)0)) { |
1226 | log_warn("radius_new_response_packet() failed"); |
1227 | radiusd_access_request_aborted(q); |
1228 | } else { |
1229 | if (msg) |
1230 | radius_put_string_attr(q->res, |
1231 | RADIUS_TYPE_REPLY_MESSAGE18, msg); |
1232 | radius_set_response_authenticator(q->res, |
1233 | q->client->secret); |
1234 | radiusd_access_request_answer(q); |
1235 | } |
1236 | break; |
1237 | } |
1238 | case IMSG_RADIUSD_MODULE_ACCSREQ_ANSWER: |
1239 | { |
1240 | static struct radiusd_module_radpkt_arg *ans; |
1241 | if (datalen < |
1242 | (ssize_t)sizeof(struct radiusd_module_radpkt_arg)) { |
1243 | log_warnx("Received ACCSREQ_ANSWER message, but " |
1244 | "length is wrong"); |
1245 | break; |
1246 | } |
1247 | q_id = ((struct radiusd_module_radpkt_arg *)imsg->data)->q_id; |
1248 | q = radiusd_find_query(module->radiusd, q_id); |
1249 | if (q == NULL((void *)0)) { |
1250 | log_warnx("Received ACCSREQ_ANSWER from %s, but query " |
1251 | "id=%u unknown", module->name, q_id); |
1252 | break; |
1253 | } |
1254 | if ((ans = radiusd_module_recv_radpkt(module, imsg, |
1255 | IMSG_RADIUSD_MODULE_ACCSREQ_ANSWER, |
1256 | "ACCSREQ_ANSWER")) != NULL((void *)0)) { |
1257 | q->res = radius_convert_packet( |
1258 | module->radpkt, module->radpktoff); |
1259 | radiusd_access_request_answer(q); |
1260 | module->radpktoff = 0; |
1261 | } |
1262 | break; |
1263 | } |
1264 | case IMSG_RADIUSD_MODULE_ACCSREQ_ABORTED: |
1265 | { |
1266 | q_id = *((u_int *)imsg->data); |
1267 | q = radiusd_find_query(module->radiusd, q_id); |
1268 | if (q == NULL((void *)0)) { |
1269 | log_warnx("Received ACCSREQ_ABORT from %s, but query " |
1270 | "id=%u unknown", module->name, q_id); |
1271 | break; |
1272 | } |
1273 | radiusd_access_request_aborted(q); |
1274 | break; |
1275 | } |
1276 | default: |
1277 | RADIUSD_DBG(("Unhandled imsg type=%d", |
1278 | imsg->hdr.type)); |
1279 | } |
1280 | } |
1281 | |
1282 | static struct radiusd_module_radpkt_arg * |
1283 | radiusd_module_recv_radpkt(struct radiusd_module *module, struct imsg *imsg, |
1284 | uint32_t imsg_type, const char *type_str) |
1285 | { |
1286 | struct radiusd_module_radpkt_arg *ans; |
1287 | int datalen, chunklen; |
1288 | |
1289 | datalen = imsg->hdr.len - IMSG_HEADER_SIZEsizeof(struct imsg_hdr); |
1290 | ans = (struct radiusd_module_radpkt_arg *)imsg->data; |
1291 | if (module->radpktsiz < ans->pktlen) { |
1292 | u_char *nradpkt; |
1293 | if ((nradpkt = realloc(module->radpkt, ans->pktlen)) == NULL((void *)0)) { |
1294 | log_warn("Could not handle received %s message from " |
1295 | "`%s'", type_str, module->name); |
1296 | goto on_fail; |
1297 | } |
1298 | module->radpkt = nradpkt; |
1299 | module->radpktsiz = ans->pktlen; |
1300 | } |
1301 | chunklen = datalen - sizeof(struct radiusd_module_radpkt_arg); |
1302 | if (chunklen > module->radpktsiz - module->radpktoff) { |
1303 | log_warnx("Could not handle received %s message from `%s': " |
1304 | "received length is too big", type_str, module->name); |
1305 | goto on_fail; |
1306 | } |
1307 | memcpy(module->radpkt + module->radpktoff, |
1308 | (caddr_t)(ans + 1), chunklen); |
1309 | module->radpktoff += chunklen; |
1310 | if (!ans->final) |
1311 | return (NULL((void *)0)); /* again */ |
1312 | if (module->radpktoff != ans->pktlen) { |
1313 | log_warnx("Could not handle received %s message from `%s': " |
1314 | "length is mismatch", type_str, module->name); |
1315 | goto on_fail; |
1316 | } |
1317 | |
1318 | return (ans); |
1319 | on_fail: |
1320 | module->radpktoff = 0; |
1321 | return (NULL((void *)0)); |
1322 | } |
1323 | |
1324 | int |
1325 | radiusd_module_set(struct radiusd_module *module, const char *name, |
1326 | int argc, char * const * argv) |
1327 | { |
1328 | struct radiusd_module_set_arg arg; |
1329 | struct radiusd_module_object *val; |
1330 | int i, niov = 0; |
1331 | u_char *buf = NULL((void *)0), *buf0; |
1332 | ssize_t n; |
1333 | size_t bufsiz = 0, bufoff = 0, bufsiz0; |
1334 | size_t vallen, valsiz; |
1335 | struct iovec iov[2]; |
1336 | struct imsg imsg; |
1337 | |
1338 | memset(&arg, 0, sizeof(arg)); |
1339 | arg.nparamval = argc; |
1340 | strlcpy(arg.paramname, name, sizeof(arg.paramname)); |
1341 | |
1342 | iov[niov].iov_base = &arg; |
1343 | iov[niov].iov_len = sizeof(struct radiusd_module_set_arg); |
1344 | niov++; |
1345 | |
1346 | for (i = 0; i < argc; i++) { |
1347 | vallen = strlen(argv[i]) + 1; |
1348 | valsiz = sizeof(struct radiusd_module_object) + vallen; |
1349 | if (bufsiz < bufoff + valsiz) { |
1350 | bufsiz0 = bufoff + valsiz + 128; |
1351 | if ((buf0 = realloc(buf, bufsiz0)) == NULL((void *)0)) { |
1352 | log_warn("Failed to set config parameter to " |
1353 | "module `%s': realloc", module->name); |
1354 | goto on_error; |
1355 | } |
1356 | buf = buf0; |
1357 | bufsiz = bufsiz0; |
1358 | memset(buf + bufoff, 0, bufsiz - bufoff); |
1359 | } |
1360 | val = (struct radiusd_module_object *)(buf + bufoff); |
1361 | val->size = valsiz; |
1362 | memcpy(val + 1, argv[i], vallen); |
1363 | |
1364 | bufoff += valsiz; |
1365 | } |
1366 | iov[niov].iov_base = buf; |
1367 | iov[niov].iov_len = bufoff; |
1368 | niov++; |
1369 | |
1370 | if (imsg_composev(&module->ibuf, IMSG_RADIUSD_MODULE_SET_CONFIG, 0, 0, |
1371 | -1, iov, niov) == -1) { |
1372 | log_warn("Failed to set config parameter to module `%s': " |
1373 | "imsg_composev", module->name); |
1374 | goto on_error; |
1375 | } |
1376 | if (imsg_sync_flush(&module->ibuf, MODULE_IO_TIMEOUT2000) == -1) { |
1377 | log_warn("Failed to set config parameter to module `%s': " |
1378 | "imsg_flush_timeout", module->name); |
1379 | goto on_error; |
1380 | } |
1381 | for (;;) { |
1382 | if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT2000) <= 0) { |
1383 | log_warn("Failed to get reply from module `%s': " |
1384 | "imsg_sync_read", module->name); |
1385 | goto on_error; |
1386 | } |
1387 | if ((n = imsg_get(&module->ibuf, &imsg)) > 0) |
1388 | break; |
1389 | if (n < 0) { |
1390 | log_warn("Failed to get reply from module `%s': " |
1391 | "imsg_get", module->name); |
1392 | goto on_error; |
1393 | } |
1394 | } |
1395 | if (imsg.hdr.type == IMSG_NG) { |
1396 | log_warnx("Could not set `%s' for module `%s': %s", name, |
1397 | module->name, (char *)imsg.data); |
1398 | goto on_error; |
1399 | } else if (imsg.hdr.type != IMSG_OK) { |
1400 | imsg_free(&imsg); |
1401 | log_warnx("Failed to get reply from module `%s': " |
1402 | "unknown imsg type=%d", module->name, imsg.hdr.type); |
1403 | goto on_error; |
1404 | } |
1405 | imsg_free(&imsg); |
1406 | |
1407 | free(buf); |
1408 | return (0); |
1409 | |
1410 | on_error: |
1411 | free(buf); |
1412 | return (-1); |
1413 | } |
1414 | |
1415 | static void |
1416 | radiusd_module_userpass(struct radiusd_module *module, struct radius_query *q) |
1417 | { |
1418 | struct radiusd_module_userpass_arg userpass; |
1419 | |
1420 | memset(&userpass, 0, sizeof(userpass)); |
1421 | userpass.q_id = q->id; |
1422 | |
1423 | if (radius_get_user_password_attr(q->req, userpass.pass, |
1424 | sizeof(userpass.pass), q->client->secret) == 0) |
1425 | userpass.has_pass = true1; |
1426 | else |
1427 | userpass.has_pass = false0; |
1428 | |
1429 | if (strlcpy(userpass.user, q->username, sizeof(userpass.user)) |
1430 | >= sizeof(userpass.user)) { |
1431 | log_warnx("Could request USERPASS to module `%s': " |
1432 | "User-Name too long", module->name); |
1433 | goto on_error; |
1434 | } |
1435 | imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_USERPASS, 0, 0, -1, |
1436 | &userpass, sizeof(userpass)); |
1437 | radiusd_module_reset_ev_handler(module); |
1438 | return; |
1439 | on_error: |
1440 | radiusd_access_request_aborted(q); |
1441 | } |
1442 | |
1443 | static void |
1444 | radiusd_module_access_request(struct radiusd_module *module, |
1445 | struct radius_query *q) |
1446 | { |
1447 | struct radiusd_module_radpkt_arg accsreq; |
1448 | struct iovec iov[2]; |
1449 | int off = 0, len, siz; |
1450 | const u_char *pkt; |
1451 | RADIUS_PACKET *radpkt; |
1452 | char pass[256]; |
1453 | |
1454 | if ((radpkt = radius_convert_packet(radius_get_data(q->req), |
1455 | radius_get_length(q->req))) == NULL((void *)0)) { |
1456 | log_warn("Could not send ACCSREQ for `%s'", module->name); |
1457 | return; |
1458 | } |
1459 | if (q->client->secret[0] != '\0' && module->secret != NULL((void *)0) && |
1460 | radius_get_user_password_attr(radpkt, pass, sizeof(pass), |
1461 | q->client->secret) == 0) { |
1462 | radius_del_attr_all(radpkt, RADIUS_TYPE_USER_PASSWORD2); |
1463 | (void)radius_put_raw_attr(radpkt, RADIUS_TYPE_USER_PASSWORD2, |
1464 | pass, strlen(pass)); |
1465 | } |
1466 | |
1467 | pkt = radius_get_data(radpkt); |
1468 | len = radius_get_length(radpkt); |
1469 | memset(&accsreq, 0, sizeof(accsreq)); |
1470 | accsreq.q_id = q->id; |
1471 | accsreq.pktlen = len; |
1472 | while (off < len) { |
1473 | siz = MAX_IMSGSIZE16384 - sizeof(accsreq); |
1474 | if (len - off > siz) |
1475 | accsreq.final = false0; |
1476 | else { |
1477 | accsreq.final = true1; |
1478 | siz = len - off; |
1479 | } |
1480 | iov[0].iov_base = &accsreq; |
1481 | iov[0].iov_len = sizeof(accsreq); |
1482 | iov[1].iov_base = (caddr_t)pkt + off; |
1483 | iov[1].iov_len = siz; |
1484 | imsg_composev(&module->ibuf, IMSG_RADIUSD_MODULE_ACCSREQ, 0, 0, |
1485 | -1, iov, 2); |
1486 | off += siz; |
1487 | } |
1488 | radiusd_module_reset_ev_handler(module); |
1489 | radius_delete_packet(radpkt); |
1490 | |
1491 | return; |
1492 | } |