authorBrian Somers <brian@FreeBSD.org>1999-01-28 01:56:34 +0000
committerBrian Somers <brian@FreeBSD.org>1999-01-28 01:56:34 +0000
commit972a1bcf5db5ee4c5520a1d29d3c81e81bdec84f (patch)
treeabf712056c6d04b9db1781a70efa0546f37a6cbb /usr.sbin/ppp
parent485111b55ba6751a1405384bfe9dc696fb7a8e2a (diff)
Initial RADIUS support (using libradius). See the man page for
details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
Notes
Notes: svn path=/head/; revision=43313
Diffstat (limited to 'usr.sbin/ppp')
-rw-r--r--usr.sbin/ppp/Makefile26
-rw-r--r--usr.sbin/ppp/alias_cmd.c7
-rw-r--r--usr.sbin/ppp/arp.c7
-rw-r--r--usr.sbin/ppp/auth.c75
-rw-r--r--usr.sbin/ppp/bundle.c19
-rw-r--r--usr.sbin/ppp/bundle.h26
-rw-r--r--usr.sbin/ppp/cbcp.c4
-rw-r--r--usr.sbin/ppp/ccp.c7
-rw-r--r--usr.sbin/ppp/chap.c57
-rw-r--r--usr.sbin/ppp/chat.c7
-rw-r--r--usr.sbin/ppp/command.c53
-rw-r--r--usr.sbin/ppp/datalink.c7
-rw-r--r--usr.sbin/ppp/defs.h5
-rw-r--r--usr.sbin/ppp/filter.c54
-rw-r--r--usr.sbin/ppp/filter.h5
-rw-r--r--usr.sbin/ppp/fsm.c7
-rw-r--r--usr.sbin/ppp/hdlc.c7
-rw-r--r--usr.sbin/ppp/iface.c7
-rw-r--r--usr.sbin/ppp/ip.c7
-rw-r--r--usr.sbin/ppp/ipcp.c57
-rw-r--r--usr.sbin/ppp/ipcp.h17
-rw-r--r--usr.sbin/ppp/lcp.c7
-rw-r--r--usr.sbin/ppp/lqr.c4
-rw-r--r--usr.sbin/ppp/main.c7
-rw-r--r--usr.sbin/ppp/modem.c5
-rw-r--r--usr.sbin/ppp/mp.c7
-rw-r--r--usr.sbin/ppp/nat_cmd.c7
-rw-r--r--usr.sbin/ppp/pap.c7
-rw-r--r--usr.sbin/ppp/ppp.8116
-rw-r--r--usr.sbin/ppp/ppp.8.m4116
-rw-r--r--usr.sbin/ppp/prompt.c5
-rw-r--r--usr.sbin/ppp/radius.c287
-rw-r--r--usr.sbin/ppp/radius.h48
-rw-r--r--usr.sbin/ppp/route.c62
-rw-r--r--usr.sbin/ppp/route.h5
-rw-r--r--usr.sbin/ppp/slcompress.c7
-rw-r--r--usr.sbin/ppp/tun.c17
-rw-r--r--usr.sbin/ppp/vjcomp.c7
38 files changed, 982 insertions, 193 deletions
diff --git a/usr.sbin/ppp/Makefile b/usr.sbin/ppp/Makefile
index 696479e3af8c..e519ab41aa9c 100644
--- a/usr.sbin/ppp/Makefile
+++ b/usr.sbin/ppp/Makefile
@@ -1,4 +1,4 @@
-# $Id: Makefile,v 1.49 1998/10/20 00:19:38 brian Exp $
+# $Id: Makefile,v 1.50 1998/10/22 02:32:48 brian Exp $
PROG= ppp
SRCS= arp.c async.c auth.c bundle.c cbcp.c ccp.c chap.c chat.c command.c \
@@ -7,14 +7,12 @@ SRCS= arp.c async.c auth.c bundle.c cbcp.c ccp.c chap.c chat.c command.c \
mp.c pap.c physical.c pred.c probe.c prompt.c route.c server.c \
sig.c slcompress.c systems.c throughput.c timer.c tun.c vjcomp.c
CFLAGS+=-Wall
-LDADD+= -lutil -lz
-DPADD+= ${LIBUTIL} ${LIBZ}
+LDADD+= -lcrypt -lmd -lutil -lz
+DPADD+= ${LIBCRYPT} ${LIBMD} ${LIBUTIL} ${LIBZ}
BINMODE=4554
BINOWN= root
BINGRP= network
MAN8= ppp.8
-LDADD+= -lmd -lcrypt
-DPADD+= ${LIBMD} ${LIBCRYPT}
.if defined(RELEASE_CRUNCH)
CFLAGS+=-DRELEASE_CRUNCH
@@ -38,12 +36,22 @@ LDADD+= -ldes
DPADD+= ${LIBDES}
.endif
+.if defined(NORADIUS)
+CFLAGS+=-DNORADIUS
+.else
+.if !defined(RELEASE_CRUNCH)
+SRCS+= radius.c
+LDADD+= -lradius
+DPADD+= ${LIBRADIUS}
+.endif
+.endif
+
.if defined(RELEASE_CRUNCH)
-# We must create these objects because the crunchgen will link them,
+# We must create these objects because crunchgen will link them,
# and we don't want any unused symbols to spoil the final link.
-CFLAGS+=-DNOALIAS
-SRCS+= alias_cmd.c chap_ms.c
-chap_ms.o alias_cmd.o:
+CFLAGS+=-DNOALIAS -DNORADIUS
+SRCS+= alias_cmd.c chap_ms.c radius.c
+chap_ms.o alias_cmd.o radius.o:
>null_${.PREFIX}.c
cc -c -o ${.TARGET} null_${.PREFIX}.c
.endif
diff --git a/usr.sbin/ppp/alias_cmd.c b/usr.sbin/ppp/alias_cmd.c
index efe0d67bb589..3a86a8e7aed9 100644
--- a/usr.sbin/ppp/alias_cmd.c
+++ b/usr.sbin/ppp/alias_cmd.c
@@ -2,10 +2,10 @@
* The code in this file was written by Eivind Eklund <perhaps@yes.no>,
* who places it in the public domain without restriction.
*
- * $Id: alias_cmd.c,v 1.17 1998/08/26 17:39:36 brian Exp $
+ * $Id: alias_cmd.c,v 1.18 1998/09/17 00:45:25 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
@@ -44,6 +44,9 @@
#include "link.h"
#include "mp.h"
#include "filter.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
diff --git a/usr.sbin/ppp/arp.c b/usr.sbin/ppp/arp.c
index 283d90943fba..892228c5eff8 100644
--- a/usr.sbin/ppp/arp.c
+++ b/usr.sbin/ppp/arp.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: arp.c,v 1.30 1998/08/26 17:39:36 brian Exp $
+ * $Id: arp.c,v 1.31 1998/10/26 19:07:38 brian Exp $
*
*/
@@ -25,7 +25,7 @@
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/route.h>
@@ -62,6 +62,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "arp.h"
diff --git a/usr.sbin/ppp/auth.c b/usr.sbin/ppp/auth.c
index 8d479843fabb..f9cc80352a73 100644
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@@ -17,12 +17,12 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: auth.c,v 1.33 1998/08/26 17:39:36 brian Exp $
+ * $Id: auth.c,v 1.34 1998/12/17 00:28:12 brian Exp $
*
* TODO:
* o Implement check against with registered IP addresses.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -53,6 +53,9 @@
#include "lcpproto.h"
#include "filter.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
const char *
@@ -105,12 +108,12 @@ auth_SetPhoneList(const char *name, char *phone, int phonelen)
if (n < 5)
continue;
if (strcmp(vector[0], name) == 0) {
- CloseSecret(fp);
- if (*vector[4] == '\0')
+ CloseSecret(fp);
+ if (*vector[4] == '\0')
return 0;
strncpy(phone, vector[4], phonelen - 1);
phone[phonelen - 1] = '\0';
- return 1; /* Valid */
+ return 1; /* Valid */
}
}
CloseSecret(fp);
@@ -128,10 +131,20 @@ auth_Select(struct bundle *bundle, const char *name)
char buff[LINE_LEN];
if (*name == '\0') {
- ipcp_Setup(&bundle->ncp.ipcp);
+ ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
return 1;
}
+#ifndef NORADIUS
+ if (bundle->radius.valid && bundle->radius.ip.s_addr != INADDR_NONE) {
+ /* We've got a radius IP - it overrides everything */
+ if (!ipcp_UseHisIPaddr(bundle, bundle->radius.ip))
+ return 0;
+ ipcp_Setup(&bundle->ncp.ipcp, bundle->radius.mask.s_addr);
+ /* Continue with ppp.secret in case we've got a new label */
+ }
+#endif
+
fp = OpenSecret(SECRETFILE);
if (fp != NULL) {
while (fgets(buff, sizeof buff, fp)) {
@@ -143,14 +156,20 @@ auth_Select(struct bundle *bundle, const char *name)
if (n < 2)
continue;
if (strcmp(vector[0], name) == 0) {
- CloseSecret(fp);
- if (n > 2 && *vector[2] && strcmp(vector[2], "*") &&
- !ipcp_UseHisaddr(bundle, vector[2], 1))
- return 0;
- ipcp_Setup(&bundle->ncp.ipcp);
- if (n > 3 && *vector[3] && strcmp(vector[3], "*"))
- bundle_SetLabel(bundle, vector[3]);
- return 1; /* Valid */
+ CloseSecret(fp);
+#ifndef NORADIUS
+ if (!bundle->radius.valid || bundle->radius.ip.s_addr == INADDR_NONE) {
+#endif
+ if (n > 2 && *vector[2] && strcmp(vector[2], "*") &&
+ !ipcp_UseHisaddr(bundle, vector[2], 1))
+ return 0;
+ ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
+#ifndef NORADIUS
+ }
+#endif
+ if (n > 3 && *vector[3] && strcmp(vector[3], "*"))
+ bundle_SetLabel(bundle, vector[3]);
+ return 1; /* Valid */
}
}
CloseSecret(fp);
@@ -158,16 +177,21 @@ auth_Select(struct bundle *bundle, const char *name)
#ifndef NOPASSWDAUTH
/* Let 'em in anyway - they must have been in the passwd file */
- ipcp_Setup(&bundle->ncp.ipcp);
+ ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
return 1;
#else
- /* Disappeared from ppp.secret ? */
+#ifndef NORADIUS
+ if (bundle->radius.valid)
+ return 1;
+#endif
+
+ /* Disappeared from ppp.secret ??? */
return 0;
#endif
}
int
-auth_Validate(struct bundle *bundle, const char *system,
+auth_Validate(struct bundle *bundle, const char *name,
const char *key, struct physical *physical)
{
/* Used by PAP routines */
@@ -177,6 +201,11 @@ auth_Validate(struct bundle *bundle, const char *system,
char *vector[5];
char buff[LINE_LEN];
+#ifndef NORADIUS
+ if (*bundle->radius.cfg.file)
+ return radius_Authenticate(&bundle->radius, bundle, name, key, NULL);
+#endif
+
fp = OpenSecret(SECRETFILE);
if (fp != NULL) {
while (fgets(buff, sizeof buff, fp)) {
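Review bot: The early return added at the top of auth_Validate() makes RADIUS the only PAP authority once `bundle->radius.cfg.file` is non-empty, and nothing in the code says so. From that point ppp.secret and the OPT_PASSWDAUTH path further down are never reached, so whatever radius_Authenticate() returns on a timeout or an unreachable server is the final answer. That function is in radius.c, outside this hunk, so whether it fails closed should be confirmed. I would add a comment above the `if`, for example `/* RADIUS configured: sole PAP authority, no fallback to ppp.secret or passwd; must return 0 on any server error */`. The body of auth_Validate() continues past the end of the hunk.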
@@ -187,9 +216,9 @@ auth_Validate(struct bundle *bundle, const char *system,
n = MakeArgs(buff, vector, VECSIZE(vector));
if (n < 2)
continue;
- if (strcmp(vector[0], system) == 0) {
- CloseSecret(fp);
- return auth_CheckPasswd(vector[0], vector[1], key);
+ if (strcmp(vector[0], name) == 0) {
+ CloseSecret(fp);
+ return auth_CheckPasswd(name, vector[1], key);
}
}
CloseSecret(fp);
@@ -197,14 +226,14 @@ auth_Validate(struct bundle *bundle, const char *system,
#ifndef NOPASSWDAUTH
if (Enabled(bundle, OPT_PASSWDAUTH))
- return auth_CheckPasswd(system, "*", key);
+ return auth_CheckPasswd(name, "*", key);
#endif
return 0; /* Invalid */
}
char *
-auth_GetSecret(struct bundle *bundle, const char *system, int len,
+auth_GetSecret(struct bundle *bundle, const char *name, int len,
struct physical *physical)
{
/* Used by CHAP routines */
@@ -226,7 +255,7 @@ auth_GetSecret(struct bundle *bundle, const char *system, int len,
n = MakeArgs(buff, vector, VECSIZE(vector));
if (n < 2)
continue;
- if (strlen(vector[0]) == len && strncmp(vector[0], system, len) == 0) {
+ if (strlen(vector[0]) == len && strncmp(vector[0], name, len) == 0) {
CloseSecret(fp);
return vector[1];
}
diff --git a/usr.sbin/ppp/bundle.c b/usr.sbin/ppp/bundle.c
index 89388b951b6b..681cafdecce0 100644
--- a/usr.sbin/ppp/bundle.c
+++ b/usr.sbin/ppp/bundle.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: bundle.c,v 1.42 1998/12/14 19:24:28 brian Exp $
+ * $Id: bundle.c,v 1.43 1999/01/06 00:08:03 brian Exp $
*/
#include <sys/param.h>
@@ -76,6 +76,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "async.h"
#include "physical.h"
@@ -134,7 +137,6 @@ bundle_NewPhase(struct bundle *bundle, u_int new)
break;
case PHASE_NETWORK:
- ipcp_Setup(&bundle->ncp.ipcp);
fsm_Up(&bundle->ncp.ipcp.fsm);
fsm_Open(&bundle->ncp.ipcp.fsm);
bundle->phase = new;
@@ -874,6 +876,9 @@ bundle_Create(const char *prefix, int type, const char **argv)
bundle.autoload.done = 0;
bundle.autoload.running = 0;
memset(&bundle.choked.timer, '\0', sizeof bundle.choked.timer);
+#ifndef NORADIUS
+ radius_Init(&bundle.radius);
+#endif
/* Clean out any leftover crud */
iface_Clear(bundle.iface, IFACE_CLEAR_ALL);
@@ -933,6 +938,11 @@ bundle_Destroy(struct bundle *bundle)
ipcp_CleanInterface(&bundle->ncp.ipcp);
bundle_DownInterface(bundle);
+#ifndef NORADIUS
+ /* Tell the radius server the bad news */
+ radius_Destroy(&bundle->radius);
+#endif
+
/* Again, these are all DATALINK_CLOSED unless we're abending */
dl = bundle->links;
while (dl)
@@ -1224,6 +1234,11 @@ bundle_ShowStatus(struct cmdargs const *arg)
prompt_Printf(arg->prompt, " Choked Timer: %ds\n",
arg->bundle->cfg.choked.timeout);
+
+#ifndef NORADIUS
+ radius_Show(&arg->bundle->radius, arg->prompt);
+#endif
+
prompt_Printf(arg->prompt, " Idle Timer: ");
if (arg->bundle->cfg.idle_timeout) {
prompt_Printf(arg->prompt, "%ds", arg->bundle->cfg.idle_timeout);
diff --git a/usr.sbin/ppp/bundle.h b/usr.sbin/ppp/bundle.h
index 0eb20e44a748..5e2866fb17ba 100644
--- a/usr.sbin/ppp/bundle.h
+++ b/usr.sbin/ppp/bundle.h
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: bundle.h,v 1.19 1998/10/29 02:12:54 brian Exp $
+ * $Id: bundle.h,v 1.20 1998/12/10 18:36:30 brian Exp $
*/
#define PHASE_DEAD 0 /* Link is dead */
@@ -87,8 +87,8 @@ struct bundle {
struct {
int idle_timeout; /* NCP Idle timeout value */
struct {
- char name[50]; /* PAP/CHAP system name */
- char key[50]; /* PAP/CHAP key */
+ char name[AUTHLEN]; /* PAP/CHAP system name */
+ char key[AUTHLEN]; /* PAP/CHAP key */
} auth;
unsigned opt; /* Uses OPT_ bits from above */
char label[50]; /* last thing `load'ed */
@@ -102,7 +102,7 @@ struct bundle {
} autoload;
struct {
- int timeout; /* How long to leave the output queue choked */
+ int timeout; /* How long to leave the output queue choked */
} choked;
} cfg;
@@ -112,19 +112,19 @@ struct bundle {
} ncp;
struct {
- struct filter in; /* incoming packet filter */
- struct filter out; /* outgoing packet filter */
- struct filter dial; /* dial-out packet filter */
- struct filter alive; /* keep-alive packet filter */
+ struct filter in; /* incoming packet filter */
+ struct filter out; /* outgoing packet filter */
+ struct filter dial; /* dial-out packet filter */
+ struct filter alive; /* keep-alive packet filter */
} filter;
struct {
- struct pppTimer timer; /* timeout after cfg.idle_timeout */
+ struct pppTimer timer; /* timeout after cfg.idle_timeout */
time_t done;
} idle;
struct {
- int fd; /* write status here */
+ int fd; /* write status here */
} notify;
struct {
@@ -135,8 +135,12 @@ struct bundle {
} autoload;
struct {
- struct pppTimer timer; /* choked output queue timer */
+ struct pppTimer timer; /* choked output queue timer */
} choked;
+
+#ifndef NORADIUS
+ struct radius radius; /* Info retrieved from radius server */
+#endif
};
#define descriptor2bundle(d) \
diff --git a/usr.sbin/ppp/cbcp.c b/usr.sbin/ppp/cbcp.c
index defa43186dd2..9433baf6e17c 100644
--- a/usr.sbin/ppp/cbcp.c
+++ b/usr.sbin/ppp/cbcp.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: cbcp.c,v 1.7 1998/10/31 17:38:48 brian Exp $
+ * $Id: cbcp.c,v 1.8 1999/01/19 22:15:25 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/un.h>
diff --git a/usr.sbin/ppp/ccp.c b/usr.sbin/ppp/ccp.c
index 00c8560c70e1..4e15b1d93cb6 100644
--- a/usr.sbin/ppp/ccp.c
+++ b/usr.sbin/ppp/ccp.c
@@ -17,12 +17,12 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ccp.c,v 1.39 1998/08/26 17:39:36 brian Exp $
+ * $Id: ccp.c,v 1.40 1998/08/26 18:07:56 brian Exp $
*
* TODO:
* o Support other compression protocols
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -57,6 +57,9 @@
#include "mp.h"
#include "async.h"
#include "physical.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
static void CcpSendConfigReq(struct fsm *);
diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index c2652d61a118..21d189887727 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -17,11 +17,11 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: chap.c,v 1.36 1998/08/07 18:42:47 brian Exp $
+ * $Id: chap.c,v 1.37 1998/08/26 18:07:56 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -57,6 +57,9 @@
#include "link.h"
#include "physical.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "chat.h"
#include "cbcp.h"
@@ -102,12 +105,24 @@ chap_SendChallenge(struct authinfo *auth, int chapid, struct physical *physical)
randinit();
cp = chap->challenge_data;
- *cp++ = chap->challenge_len = random() % 32 + 16;
- for (i = 0; i < chap->challenge_len; i++)
- *cp++ = random() & 0xff;
- len = strlen(physical->dl->bundle->cfg.auth.name);
- memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
- cp += len;
+#ifndef NORADIUS
+ if (*physical->dl->bundle->radius.cfg.file) {
+ /* For radius, our challenge is 16 readable NUL terminated bytes :*/
+ *cp++ = chap->challenge_len = 16;
+ for (i = 0; i < chap->challenge_len; i++)
+ *cp++ = (random() & (0x7f - 0x20)) + 0x20;
+ *cp = '\0';
+ } else {
+#endif
+ *cp++ = chap->challenge_len = random() % (CHAPCHALLENGELEN-16) + 16;
+ for (i = 0; i < chap->challenge_len; i++)
+ *cp++ = random() & 0xff;
+ len = strlen(physical->dl->bundle->cfg.auth.name);
+ memcpy(cp, physical->dl->bundle->cfg.auth.name, len);
+ cp += len;
+#ifndef NORADIUS
+ }
+#endif
ChapOutput(physical, CHAP_CHALLENGE, chapid, chap->challenge_data,
cp - chap->challenge_data, NULL);
}
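Review bot: The RADIUS branch of chap_SendChallenge() builds each challenge byte with `(random() & (0x7f - 0x20)) + 0x20`, and the mask there is 0x5f, which has bit 5 clear. Each byte therefore takes only 64 distinct values (0x20-0x3f and 0x60-0x7f), so the 16-byte challenge carries about 96 bits, and 0x7f (DEL) is produced although the comment promises readable bytes. A range reduction gives the intended printable set: `*cp++ = random() % (0x7f - 0x20) + 0x20;`, which yields 0x20-0x7e. Challenge unpredictability still rests on random() and on how randinit() seeds it, neither of which is visible in this hunk. The function starts above the hunk.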
@@ -121,7 +136,7 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
char *cp, *argp, *ap, *name, *digest;
char *keyp;
MD5_CTX MD5context; /* context for MD5 */
- char answer[100];
+ char answer[CHAPDIGESTLEN];
char cdigest[16];
#ifdef HAVE_DES
int ix;
@@ -214,11 +229,25 @@ RecvChapTalk(struct bundle *bundle, struct fsmheader *chp, struct mbuf *bp,
/*
* Get a secret key corresponds to the peer
*/
- keyp = auth_GetSecret(bundle, name, namelen, physical);
- if (keyp) {
- /*
- * Compute correct digest value
- */
+#ifndef NORADIUS
+ if (*bundle->radius.cfg.file) {
+ char chapname[AUTHLEN];
+
+ if (namelen > AUTHLEN - 1)
+ namelen = AUTHLEN - 1;
+ strncpy(chapname, name, namelen);
+ chapname[namelen] = '\0';
+ strncpy(answer, cp-1, 17);
+ answer[17] = '\0';
+
+ if (radius_Authenticate(&bundle->radius, bundle, chapname, answer,
+ physical->dl->chap.challenge_data + 1))
+ break; /* And there was much rejoicing ! */
+
+ } else
+#endif
+ if ((keyp = auth_GetSecret(bundle, name, namelen, physical))) {
+ /* Compute correct digest value */
keylen = strlen(keyp);
ap = answer;
*ap++ = chp->id;
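Review bot: In the RADIUS branch of RecvChapTalk(), `strncpy(answer, cp-1, 17)` copies binary data with a string function: the length byte followed by the peer's response digest. strncpy() stops at the first zero byte and zero-fills the rest, so any valid response whose digest contains 0x00 is corrupted before it reaches radius_Authenticate() and will be rejected. Use `memcpy(answer, cp - 1, 17);` instead. The hunk also shows no check that the length byte at `cp[-1]` is 16 or that the packet holds that many bytes; if that is not enforced above the hunk, it should be checked before the copy. How radius_Authenticate() treats this buffer (length-counted or NUL-terminated) is in radius.c and not visible here; the function body extends beyond the hunk on both sides.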
diff --git a/usr.sbin/ppp/chat.c b/usr.sbin/ppp/chat.c
index 8c41aa21f49b..6fda79eb8577 100644
--- a/usr.sbin/ppp/chat.c
+++ b/usr.sbin/ppp/chat.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: chat.c,v 1.51 1998/08/07 18:42:47 brian Exp $
+ * $Id: chat.c,v 1.52 1998/10/27 22:53:25 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -66,6 +66,9 @@
#include "filter.h"
#include "cbcp.h"
#include "datalink.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#define BUFLEFT(c) (sizeof (c)->buf - ((c)->bufend - (c)->buf))
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index f31cb8b242c8..c0ab10b37602 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -17,10 +17,10 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: command.c,v 1.176 1998/11/05 21:59:47 brian Exp $
+ * $Id: command.c,v 1.177 1998/12/14 01:15:34 brian Exp $
*
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
@@ -76,6 +76,9 @@
#include "link.h"
#include "physical.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "server.h"
#include "prompt.h"
@@ -115,6 +118,7 @@
#define VAR_CHOKED 26
#define VAR_SENDPIPE 27
#define VAR_RECVPIPE 28
+#define VAR_RADIUS 29
/* ``accept|deny|disable|enable'' masks */
#define NEG_HISMASK (1)
@@ -134,7 +138,7 @@
#define NEG_DNS 50
const char Version[] = "2.0";
-const char VersionDate[] = "$Date: 1998/11/05 21:59:47 $";
+const char VersionDate[] = "$Date: 1998/12/14 01:15:34 $";
static int ShowCommand(struct cmdargs const *);
static int TerminalCommand(struct cmdargs const *);
@@ -1297,7 +1301,7 @@ SetInterfaceAddr(struct cmdargs const *arg)
iplist_reset(&ipcp->cfg.peer_list);
if (arg->argc > arg->argn) {
- if (!ParseAddr(ipcp, arg->argc - arg->argn, arg->argv + arg->argn,
+ if (!ParseAddr(ipcp, arg->argv[arg->argn],
&ipcp->cfg.my_range.ipaddr, &ipcp->cfg.my_range.mask,
&ipcp->cfg.my_range.width))
return 1;
@@ -1616,10 +1620,10 @@ SetVariable(struct cmdargs const *arg)
addr[0].s_addr = addr[1].s_addr = INADDR_ANY;
if (arg->argc > arg->argn) {
- ParseAddr(&arg->bundle->ncp.ipcp, 1, arg->argv + arg->argn,
+ ParseAddr(&arg->bundle->ncp.ipcp, arg->argv[arg->argn],
addr, &dummyaddr, &dummyint);
if (arg->argc > arg->argn+1)
- ParseAddr(&arg->bundle->ncp.ipcp, 1, arg->argv + arg->argn + 1,
+ ParseAddr(&arg->bundle->ncp.ipcp, arg->argv[arg->argn + 1],
addr + 1, &dummyaddr, &dummyint);
if (addr[1].s_addr == INADDR_ANY)
@@ -1691,6 +1695,22 @@ SetVariable(struct cmdargs const *arg)
long_val = atol(argp);
arg->bundle->ncp.ipcp.cfg.recvpipe = long_val;
break;
+
+#ifndef NORADIUS
+ case VAR_RADIUS:
+ if (!*argp)
+ *arg->bundle->radius.cfg.file = '\0';
+ else if (access(argp, R_OK)) {
+ log_Printf(LogWARN, "%s: %s\n", argp, strerror(errno));
+ return 1;
+ } else {
+ strncpy(arg->bundle->radius.cfg.file, argp,
+ sizeof arg->bundle->radius.cfg.file - 1);
+ arg->bundle->radius.cfg.file
+ [sizeof arg->bundle->radius.cfg.file - 1] = '\0';
+ }
+ break;
+#endif
}
return err ? 1 : 0;
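Review bot: The `access(argp, R_OK)` test in the new VAR_RADIUS case only checks the path at the moment `set radius` runs. The file is opened later from another place (presumably radius.c, not shown), so the path can point at something different by then. The Makefile in this commit installs ppp with BINMODE=4554 and BINOWN=root. If the later open runs with the effective uid, this real-uid check does not bind what actually gets read. I would treat the access() call as an early diagnostic only and say so, for example `/* early diagnostic only: the config must be opened with the invoking user's credentials at the point of use */`, and have the code that opens the file do so under the real uid. SetVariable() begins and ends outside this hunk.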
@@ -1788,6 +1808,10 @@ static struct cmdtab const SetCommands[] = {
"set phone phone1[:phone2[...]]", (const void *)VAR_PHONE},
{"proctitle", "title", SetProcTitle, LOCAL_AUTH,
"Process title", "set proctitle [value]"},
+#ifndef NORADIUS
+ {"radius", NULL, SetVariable, LOCAL_AUTH,
+ "RADIUS Config", "set radius cfgfile", (const void *)VAR_RADIUS},
+#endif
{"reconnect", NULL, datalink_SetReconnect, LOCAL_AUTH | LOCAL_CX,
"Reconnect timeout", "set reconnect value ntries"},
{"recvpipe", NULL, SetVariable, LOCAL_AUTH,
@@ -1844,7 +1868,7 @@ AddCommand(struct cmdargs const *arg)
else {
int width;
- if (!ParseAddr(&arg->bundle->ncp.ipcp, 1, arg->argv + arg->argn,
+ if (!ParseAddr(&arg->bundle->ncp.ipcp, arg->argv[arg->argn],
&dest, &netmask, &width))
return -1;
if (!strncasecmp(arg->argv[arg->argn], "MYADDR", 6))
@@ -1873,7 +1897,8 @@ AddCommand(struct cmdargs const *arg)
gateway = GetIpAddr(arg->argv[arg->argn+gw]);
if (bundle_SetRoute(arg->bundle, RTM_ADD, dest, gateway, netmask,
- arg->cmd->args ? 1 : 0, (addrs & ROUTE_GWHISADDR) ? 1 : 0))
+ arg->cmd->args ? 1 : 0, (addrs & ROUTE_GWHISADDR) ? 1 : 0)
+ && addrs != ROUTE_STATIC)
route_Add(&arg->bundle->ncp.ipcp.route, addrs, dest, netmask, gateway);
return 0;
@@ -2355,24 +2380,24 @@ IfaceAddCommand(struct cmdargs const *arg)
struct in_addr ifa, mask, brd;
if (arg->argc == arg->argn + 1) {
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn, &ifa, NULL, NULL))
+ if (!ParseAddr(NULL, arg->argv[arg->argn], &ifa, NULL, NULL))
return -1;
mask.s_addr = brd.s_addr = INADDR_BROADCAST;
} else {
if (arg->argc == arg->argn + 2) {
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn, &ifa, &mask, &bits))
+ if (!ParseAddr(NULL, arg->argv[arg->argn], &ifa, &mask, &bits))
return -1;
n = 1;
} else if (arg->argc == arg->argn + 3) {
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn, &ifa, NULL, NULL))
+ if (!ParseAddr(NULL, arg->argv[arg->argn], &ifa, NULL, NULL))
return -1;
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn + 1, &mask, NULL, NULL))
+ if (!ParseAddr(NULL, arg->argv[arg->argn + 1], &mask, NULL, NULL))
return -1;
n = 2;
} else
return -1;
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn + n, &brd, NULL, NULL))
+ if (!ParseAddr(NULL, arg->argv[arg->argn + n], &brd, NULL, NULL))
return -1;
}
@@ -2392,7 +2417,7 @@ IfaceDeleteCommand(struct cmdargs const *arg)
if (arg->argc != arg->argn + 1)
return -1;
- if (!ParseAddr(NULL, 1, arg->argv + arg->argn, &ifa, NULL, NULL))
+ if (!ParseAddr(NULL, arg->argv[arg->argn], &ifa, NULL, NULL))
return -1;
if (arg->bundle->ncp.ipcp.fsm.state == ST_OPENED &&
diff --git a/usr.sbin/ppp/datalink.c b/usr.sbin/ppp/datalink.c
index 7e7f8f9fb129..6fe60de14e17 100644
--- a/usr.sbin/ppp/datalink.c
+++ b/usr.sbin/ppp/datalink.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: datalink.c,v 1.24 1999/01/12 21:50:20 brian Exp $
+ * $Id: datalink.c,v 1.25 1999/01/20 18:06:52 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -58,6 +58,9 @@
#include "ipcp.h"
#include "filter.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "chat.h"
#include "auth.h"
diff --git a/usr.sbin/ppp/defs.h b/usr.sbin/ppp/defs.h
index faf23ea67b9a..dffc5e0d6727 100644
--- a/usr.sbin/ppp/defs.h
+++ b/usr.sbin/ppp/defs.h
@@ -15,7 +15,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: defs.h,v 1.35 1998/08/07 18:42:48 brian Exp $
+ * $Id: defs.h,v 1.36 1998/08/25 17:48:42 brian Exp $
*
* TODO:
*/
@@ -44,6 +44,9 @@
#define DIAL_NEXT_TIMEOUT 3 /* Default Hold time to next number redial */
#define SCRIPT_LEN 512 /* Size of login scripts */
#define LINE_LEN SCRIPT_LEN /* Size of login scripts */
+#define AUTHLEN 50 /* Size of authname/authkey */
+#define CHAPDIGESTLEN 100 /* Maximum chap digest */
+#define CHAPCHALLENGELEN 48 /* Maximum chap challenge */
#define MAXARGS 40 /* How many args per config line */
#define NCP_IDLE_TIMEOUT 180 /* Drop all links */
#define CHOKED_TIMEOUT 120 /* Delete queued packets w/ blocked tun */
diff --git a/usr.sbin/ppp/filter.c b/usr.sbin/ppp/filter.c
index cd5a6443eb4f..c9972fdf3d43 100644
--- a/usr.sbin/ppp/filter.c
+++ b/usr.sbin/ppp/filter.c
@@ -17,12 +17,12 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: filter.c,v 1.25 1998/06/27 12:03:48 brian Exp $
+ * $Id: filter.c,v 1.26 1998/10/22 02:32:48 brian Exp $
*
* TODO: Shoud send ICMP error message when we discard packets.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
@@ -54,6 +54,9 @@
#include "descriptor.h"
#include "prompt.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
static int filter_Nam2Proto(int, char const *const *);
@@ -71,34 +74,38 @@ static const u_int32_t netmasks[33] = {
0xFFFFFFF8, 0xFFFFFFFC, 0xFFFFFFFE, 0xFFFFFFFF,
};
+struct in_addr
+bits2mask(int bits)
+{
+ struct in_addr result;
+
+ result.s_addr = htonl(netmasks[bits]);
+ return result;
+}
+
int
-ParseAddr(struct ipcp *ipcp, int argc, char const *const *argv,
+ParseAddr(struct ipcp *ipcp, const char *data,
struct in_addr *paddr, struct in_addr *pmask, int *pwidth)
{
int bits, len;
char *wp;
const char *cp;
- if (argc < 1) {
- log_Printf(LogWARN, "ParseAddr: address/mask is expected.\n");
- return (0);
- }
-
if (pmask)
pmask->s_addr = INADDR_BROADCAST; /* Assume 255.255.255.255 as default */
- cp = pmask || pwidth ? strchr(*argv, '/') : NULL;
- len = cp ? cp - *argv : strlen(*argv);
+ cp = pmask || pwidth ? strchr(data, '/') : NULL;
+ len = cp ? cp - data : strlen(data);
- if (ipcp && strncasecmp(*argv, "HISADDR", len) == 0)
+ if (ipcp && strncasecmp(data, "HISADDR", len) == 0)
*paddr = ipcp->peer_ip;
- else if (ipcp && strncasecmp(*argv, "MYADDR", len) == 0)
+ else if (ipcp && strncasecmp(data, "MYADDR", len) == 0)
*paddr = ipcp->my_ip;
else if (len > 15)
- log_Printf(LogWARN, "ParseAddr: %s: Bad address\n", *argv);
+ log_Printf(LogWARN, "ParseAddr: %s: Bad address\n", data);
else {
char s[16];
- strncpy(s, *argv, len);
+ strncpy(s, data, len);
s[len] = '\0';
if (inet_aton(s, paddr) == 0) {
log_Printf(LogWARN, "ParseAddr: %s: Bad address\n", s);
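Review bot: The new bits2mask() indexes `netmasks[bits]` with no range check, and filter.h in this commit exports it, so it is no longer reachable only through ParseAddr()'s own parsing. The table has 33 entries, so any caller that passes a prefix length outside 0..32 (for example one derived from a server-supplied or configured value) reads outside the array. Either guard it in place, e.g. `result.s_addr = (bits < 0 || bits > 32) ? INADDR_BROADCAST : htonl(netmasks[bits]);`, or state the precondition in a comment above the function and in filter.h. The fallback mask in that example is a suggestion; the right value depends on what the callers outside this hunk expect.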
@@ -125,7 +132,7 @@ ParseAddr(struct ipcp *ipcp, int argc, char const *const *argv,
if (paddr->s_addr == INADDR_ANY)
pmask->s_addr = INADDR_ANY;
else
- pmask->s_addr = htonl(netmasks[bits]);
+ *pmask = bits2mask(bits);
}
return (1);
@@ -302,7 +309,7 @@ Parse(struct ipcp *ipcp, int argc, char const *const *argv,
argc--;
argv++;
- if (filterdata.action == A_DENY) {
+ if (argc && filterdata.action == A_DENY) {
if (!strcmp(*argv, "host")) {
filterdata.action |= A_UHOST;
argc--;
@@ -313,21 +320,26 @@ Parse(struct ipcp *ipcp, int argc, char const *const *argv,
argv++;
}
}
+
proto = filter_Nam2Proto(argc, argv);
if (proto == P_NONE) {
- if (ParseAddr(ipcp, argc, argv, &filterdata.saddr, &filterdata.smask,
- &filterdata.swidth)) {
+ if (!argc)
+ log_Printf(LogWARN, "Parse: address/mask is expected.\n");
+ else if (ParseAddr(ipcp, *argv, &filterdata.saddr, &filterdata.smask,
+ &filterdata.swidth)) {
argc--;
argv++;
proto = filter_Nam2Proto(argc, argv);
- if (proto == P_NONE) {
- if (ParseAddr(ipcp, argc, argv, &filterdata.daddr, &filterdata.dmask,
+ if (!argc)
+ log_Printf(LogWARN, "Parse: address/mask is expected.\n");
+ else if (proto == P_NONE) {
+ if (ParseAddr(ipcp, *argv, &filterdata.daddr, &filterdata.dmask,
&filterdata.dwidth)) {
argc--;
argv++;
}
proto = filter_Nam2Proto(argc, argv);
- if (proto != P_NONE) {
+ if (argc && proto != P_NONE) {
argc--;
argv++;
}
diff --git a/usr.sbin/ppp/filter.h b/usr.sbin/ppp/filter.h
index 0505e7d6e300..d0c5d2c2f63c 100644
--- a/usr.sbin/ppp/filter.h
+++ b/usr.sbin/ppp/filter.h
@@ -15,7 +15,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: filter.h,v 1.12 1998/05/21 21:45:16 brian Exp $
+ * $Id: filter.h,v 1.13 1999/01/19 22:16:01 brian Exp $
*
* TODO:
*/
@@ -83,10 +83,11 @@ struct filter {
struct ipcp;
struct cmdargs;
-extern int ParseAddr(struct ipcp *, int, char const *const *, struct in_addr *,
+extern int ParseAddr(struct ipcp *, const char *, struct in_addr *,
struct in_addr *, int *);
extern int filter_Show(struct cmdargs const *);
extern int filter_Set(struct cmdargs const *);
extern const char * filter_Action2Nam(int);
extern const char *filter_Proto2Nam(int);
extern const char *filter_Op2Nam(int);
+extern struct in_addr bits2mask(int);
diff --git a/usr.sbin/ppp/fsm.c b/usr.sbin/ppp/fsm.c
index 9cc3fd5e2d1b..5af170b9761d 100644
--- a/usr.sbin/ppp/fsm.c
+++ b/usr.sbin/ppp/fsm.c
@@ -17,12 +17,12 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: fsm.c,v 1.36 1998/08/01 01:02:41 brian Exp $
+ * $Id: fsm.c,v 1.37 1998/09/04 18:25:59 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -49,6 +49,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "async.h"
#include "physical.h"
diff --git a/usr.sbin/ppp/hdlc.c b/usr.sbin/ppp/hdlc.c
index d03c9f377163..ce5db4616517 100644
--- a/usr.sbin/ppp/hdlc.c
+++ b/usr.sbin/ppp/hdlc.c
@@ -17,11 +17,11 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: hdlc.c,v 1.35 1998/08/01 01:02:12 brian Exp $
+ * $Id: hdlc.c,v 1.36 1998/08/07 18:42:48 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -61,6 +61,9 @@
#include "cbcp.h"
#include "datalink.h"
#include "filter.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
static u_int16_t const fcstab[256] = {
diff --git a/usr.sbin/ppp/iface.c b/usr.sbin/ppp/iface.c
index bca10ee0c3c6..d3dfc89ae43c 100644
--- a/usr.sbin/ppp/iface.c
+++ b/usr.sbin/ppp/iface.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: iface.c,v 1.1 1998/10/22 02:32:49 brian Exp $
+ * $Id: iface.c,v 1.2 1998/10/26 19:07:36 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>
@@ -65,6 +65,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "prompt.h"
#include "iface.h"
diff --git a/usr.sbin/ppp/ip.c b/usr.sbin/ppp/ip.c
index aa7207de1d88..ac3b54a5dbe8 100644
--- a/usr.sbin/ppp/ip.c
+++ b/usr.sbin/ppp/ip.c
@@ -17,13 +17,13 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ip.c,v 1.53 1998/09/17 00:45:26 brian Exp $
+ * $Id: ip.c,v 1.54 1998/11/10 00:32:39 brian Exp $
*
* TODO:
* o Return ICMP message for filterd packet
* and optionaly record it into log.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#ifdef __OpenBSD__
#include <sys/socket.h>
#endif
@@ -66,6 +66,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "vjcomp.h"
#include "tun.h"
diff --git a/usr.sbin/ppp/ipcp.c b/usr.sbin/ppp/ipcp.c
index eae5f4c93ed1..0635412e21d6 100644
--- a/usr.sbin/ppp/ipcp.c
+++ b/usr.sbin/ppp/ipcp.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ipcp.c,v 1.67 1998/10/22 02:32:49 brian Exp $
+ * $Id: ipcp.c,v 1.68 1998/10/26 19:07:39 brian Exp $
*
* TODO:
* o More RFC1772 backward compatibility
@@ -73,6 +73,9 @@
#include "link.h"
#include "physical.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "id.h"
#include "arp.h"
@@ -278,7 +281,7 @@ ipcp_Show(struct cmdargs const *arg)
if (ipcp->route) {
prompt_Printf(arg->prompt, "\n");
- route_ShowSticky(arg->prompt, ipcp->route);
+ route_ShowSticky(arg->prompt, ipcp->route, "Sticky routes", 1);
}
prompt_Printf(arg->prompt, "\nDefaults:\n");
@@ -378,7 +381,7 @@ ipcp_Init(struct ipcp *ipcp, struct bundle *bundle, struct link *l,
throughput_init(&ipcp->throughput);
memset(ipcp->Queue, '\0', sizeof ipcp->Queue);
- ipcp_Setup(ipcp);
+ ipcp_Setup(ipcp, INADDR_NONE);
}
void
@@ -388,13 +391,14 @@ ipcp_SetLink(struct ipcp *ipcp, struct link *l)
}
void
-ipcp_Setup(struct ipcp *ipcp)
+ipcp_Setup(struct ipcp *ipcp, u_int32_t mask)
{
struct iface *iface = ipcp->fsm.bundle->iface;
int pos, n;
ipcp->fsm.open_mode = 0;
ipcp->fsm.maxconfig = 10;
+ ipcp->ifmask.s_addr = mask == INADDR_NONE ? ipcp->cfg.netmask.s_addr : mask;
if (iplist_isvalid(&ipcp->cfg.peer_list)) {
/* Try to give the peer a previously configured IP address */
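Review bot: ipcp_Setup() uses INADDR_NONE as the "no override" value for its new `mask` parameter, and that is also the bit pattern of a 255.255.255.255 netmask, so a caller cannot request an all-ones interface mask and silently gets cfg.netmask instead. The callers that pass a real mask are outside this hunk; radius.c initialises its own mask field to INADDR_NONE, which suggests a RADIUS-supplied value is what arrives here. A comment above the assignment would make the contract explicit, for example `/* mask == INADDR_NONE means "use cfg.netmask"; an all-ones mask cannot be requested */`. The function body continues past the end of the hunk.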
@@ -446,7 +450,11 @@ ipcp_Setup(struct ipcp *ipcp)
ipcp->my_ip = ipcp->cfg.my_range.ipaddr;
}
- if (IsEnabled(ipcp->cfg.vj.neg))
+ if (IsEnabled(ipcp->cfg.vj.neg)
+#ifndef NORADIUS
+ || (ipcp->fsm.bundle->radius.valid && ipcp->fsm.bundle->radius.vj)
+#endif
+ )
ipcp->my_compproto = (PROTO_VJCOMP << 16) +
((ipcp->cfg.vj.slots - 1) << 8) +
ipcp->cfg.vj.slotcomp;
@@ -496,16 +504,11 @@ ipcp_SetIPaddress(struct bundle *bundle, struct in_addr myaddr,
u_int32_t addr;
addr = htonl(myaddr.s_addr);
- if (IN_CLASSA(addr))
- mask.s_addr = htonl(IN_CLASSA_NET);
- else if (IN_CLASSB(addr))
- mask.s_addr = htonl(IN_CLASSB_NET);
- else
- mask.s_addr = htonl(IN_CLASSC_NET);
+ mask.s_addr = addr2mask(addr);
- if (bundle->ncp.ipcp.cfg.netmask.s_addr != INADDR_ANY &&
- (ntohl(bundle->ncp.ipcp.cfg.netmask.s_addr) & mask.s_addr) == mask.s_addr)
- mask.s_addr = htonl(bundle->ncp.ipcp.cfg.netmask.s_addr);
+ if (bundle->ncp.ipcp.ifmask.s_addr != INADDR_ANY &&
+ (ntohl(bundle->ncp.ipcp.ifmask.s_addr) & mask.s_addr) == mask.s_addr)
+ mask.s_addr = htonl(bundle->ncp.ipcp.ifmask.s_addr);
oaddr.s_addr = bundle->iface->in_addrs ?
bundle->iface->in_addr[0].ifa.s_addr : INADDR_ANY;
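Review bot: The netmask test in ipcp_SetIPaddress mixes byte orders: `ntohl(bundle->ncp.ipcp.ifmask.s_addr)` is a host-order value, while `mask.s_addr` holds the `htonl(IN_CLASS*_NET)` result of addr2mask(), so on a little-endian host the `&` compares unrelated bits, and the assignment that follows applies htonl() to an in_addr field that is presumably already in network order. The pattern predates this commit, but ifmask can now carry a mask handed to ipcp_Setup(), so this test decides whether that mask reaches the interface. Assuming ifmask is stored in network order, the condition would read `(bundle->ncp.ipcp.ifmask.s_addr & mask.s_addr) == mask.s_addr` and the assignment `mask.s_addr = bundle->ncp.ipcp.ifmask.s_addr;`. The function starts and ends outside this hunk.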
@@ -524,6 +527,11 @@ ipcp_SetIPaddress(struct bundle *bundle, struct in_addr myaddr,
if (Enabled(bundle, OPT_SROUTES))
route_Change(bundle, bundle->ncp.ipcp.route, myaddr, hisaddr);
+#ifndef NORADIUS
+ if (bundle->radius.valid)
+ route_Change(bundle, bundle->radius.routes, myaddr, hisaddr);
+#endif
+
if (Enabled(bundle, OPT_PROXY) || Enabled(bundle, OPT_PROXYALL)) {
int s = ID0socket(AF_INET, SOCK_DGRAM, 0);
if (s < 0)
@@ -705,7 +713,7 @@ IpcpLayerDown(struct fsm *fp)
system_Select(fp->bundle, "MYADDR", LINKDOWNFILE, NULL, NULL);
}
- ipcp_Setup(ipcp);
+ ipcp_Setup(ipcp, INADDR_NONE);
}
int
@@ -1115,6 +1123,23 @@ ipcp_Input(struct ipcp *ipcp, struct bundle *bundle, struct mbuf *bp)
}
int
+ipcp_UseHisIPaddr(struct bundle *bundle, struct in_addr hisaddr)
+{
+ struct ipcp *ipcp = &bundle->ncp.ipcp;
+
+ memset(&ipcp->cfg.peer_range, '\0', sizeof ipcp->cfg.peer_range);
+ iplist_reset(&ipcp->cfg.peer_list);
+ ipcp->peer_ip = ipcp->cfg.peer_range.ipaddr = hisaddr;
+ ipcp->cfg.peer_range.mask.s_addr = INADDR_BROADCAST;
+ ipcp->cfg.peer_range.width = 32;
+
+ if (ipcp_SetIPaddress(bundle, ipcp->cfg.my_range.ipaddr, hisaddr, 0) < 0)
+ return 0;
+
+ return 1; /* Ok */
+}
+
+int
ipcp_UseHisaddr(struct bundle *bundle, const char *hisaddr, int setaddr)
{
struct ipcp *ipcp = &bundle->ncp.ipcp;
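Review bot: ipcp_UseHisIPaddr() zeroes cfg.peer_range and resets cfg.peer_list before it calls ipcp_SetIPaddress(), so when that call fails and the function returns 0 the configured HISADDR range and list are already gone. It also accepts any `hisaddr` without checking it; radius.c leaves its address at INADDR_NONE when no Framed-IP-Address arrives, so the caller (not visible here) has to filter that case. A header comment stating both would help, for example `/* Replaces the configured peer range/list with hisaddr, even on failure; hisaddr must not be INADDR_NONE. Returns 1 on success, 0 on failure. */`. If the configured list should survive a failed attempt, the memset/iplist_reset pair belongs after the ipcp_SetIPaddress() check.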
@@ -1138,7 +1163,7 @@ ipcp_UseHisaddr(struct bundle *bundle, const char *hisaddr, int setaddr)
log_Printf(LogWARN, "%s: Invalid range !\n", hisaddr);
return 0;
}
- } else if (ParseAddr(ipcp, 1, &hisaddr, &ipcp->cfg.peer_range.ipaddr,
+ } else if (ParseAddr(ipcp, hisaddr, &ipcp->cfg.peer_range.ipaddr,
&ipcp->cfg.peer_range.mask,
&ipcp->cfg.peer_range.width) != 0) {
ipcp->peer_ip.s_addr = ipcp->cfg.peer_range.ipaddr.s_addr;
diff --git a/usr.sbin/ppp/ipcp.h b/usr.sbin/ppp/ipcp.h
index 5b5fc9bccd50..2c6b5e13956b 100644
--- a/usr.sbin/ppp/ipcp.h
+++ b/usr.sbin/ppp/ipcp.h
@@ -15,7 +15,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: ipcp.h,v 1.21 1998/10/22 02:32:49 brian Exp $
+ * $Id: ipcp.h,v 1.22 1998/10/26 19:07:39 brian Exp $
*
* TODO:
*/
@@ -34,6 +34,14 @@
#define TY_SECONDARY_NBNS 132
#define TY_ADJUST_NS 119 /* subtract from NS val for REJECT bit */
+#define addr2mask(addr) ( \
+ IN_CLASSA(addr) ? \
+ htonl(IN_CLASSA_NET) : \
+ IN_CLASSB(addr) ? \
+ htonl(IN_CLASSB_NET) : htonl(IN_CLASSC_NET) \
+)
+
+
struct sticky_route;
struct in_range {
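Review bot: addr2mask() has an undocumented byte-order contract: IN_CLASSA()/IN_CLASSB() test the top bits of a host-order address, while the macro yields a network-order mask. ipcp_SetIPaddress() honours that by converting first (`addr = htonl(myaddr.s_addr)`), but the RAD_FRAMED_ROUTE case in radius.c calls `addr2mask(dest.ipaddr.s_addr)` on an in_addr field that is presumably still in network order, so on little-endian hosts the class is picked from the wrong octet and a server-supplied route gets the wrong natural mask. I would add `/* addr is in host byte order; the result is in network byte order */` above the macro and change the radius.c call to `addr2mask(ntohl(dest.ipaddr.s_addr))`. The macro also expands its argument twice, so it must not be given an expression with side effects.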
@@ -53,7 +61,7 @@ struct ipcp {
} vj;
struct in_range my_range; /* MYADDR spec */
- struct in_addr netmask; /* netmask (unused by most OSs) */
+ struct in_addr netmask; /* Iface netmask (unused by most OSs) */
struct in_range peer_range; /* HISADDR spec */
struct iplist peer_list; /* Ranges of HISADDR values */
@@ -84,6 +92,8 @@ struct ipcp {
struct in_addr peer_ip; /* IP address he's willing to use */
u_int32_t peer_compproto; /* VJ params he's willing to use */
+ struct in_addr ifmask; /* Interface netmask */
+
struct in_addr my_ip; /* IP address I'm willing to use */
u_int32_t my_compproto; /* VJ params I'm willing to use */
@@ -102,13 +112,14 @@ struct cmdargs;
extern void ipcp_Init(struct ipcp *, struct bundle *, struct link *,
const struct fsm_parent *);
-extern void ipcp_Setup(struct ipcp *);
+extern void ipcp_Setup(struct ipcp *, u_int32_t);
extern void ipcp_SetLink(struct ipcp *, struct link *);
extern int ipcp_Show(struct cmdargs const *);
extern void ipcp_Input(struct ipcp *, struct bundle *, struct mbuf *);
extern void ipcp_AddInOctets(struct ipcp *, int);
extern void ipcp_AddOutOctets(struct ipcp *, int);
+extern int ipcp_UseHisIPaddr(struct bundle *, struct in_addr);
extern int ipcp_UseHisaddr(struct bundle *, const char *, int);
extern int ipcp_vjset(struct cmdargs const *);
extern void ipcp_CleanInterface(struct ipcp *);
diff --git a/usr.sbin/ppp/lcp.c b/usr.sbin/ppp/lcp.c
index 10165fd1d24b..4c138ec740f1 100644
--- a/usr.sbin/ppp/lcp.c
+++ b/usr.sbin/ppp/lcp.c
@@ -17,13 +17,13 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: lcp.c,v 1.65 1998/10/17 12:28:02 brian Exp $
+ * $Id: lcp.c,v 1.66 1999/01/12 21:50:20 brian Exp $
*
* TODO:
* o Limit data field length by MRU
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -64,6 +64,9 @@
#include "chap.h"
#include "cbcp.h"
#include "datalink.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
/* for received LQRs */
diff --git a/usr.sbin/ppp/lqr.c b/usr.sbin/ppp/lqr.c
index a54af4168d5a..ff17a243f8aa 100644
--- a/usr.sbin/ppp/lqr.c
+++ b/usr.sbin/ppp/lqr.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: lqr.c,v 1.29 1998/06/27 23:48:49 brian Exp $
+ * $Id: lqr.c,v 1.30 1998/08/07 18:42:49 brian Exp $
*
* o LQR based on RFC1333
*
@@ -26,7 +26,7 @@
* o Allow user to configure LQM method and interval.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/un.h>
#include <string.h>
diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c
index 910f48c9e882..506454a40074 100644
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@@ -17,12 +17,12 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: main.c,v 1.146 1998/12/10 18:36:30 brian Exp $
+ * $Id: main.c,v 1.147 1999/01/25 10:19:03 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -64,6 +64,9 @@
#include "descriptor.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "auth.h"
#include "systems.h"
diff --git a/usr.sbin/ppp/modem.c b/usr.sbin/ppp/modem.c
index 6ffb5650632c..8879b254c2dd 100644
--- a/usr.sbin/ppp/modem.c
+++ b/usr.sbin/ppp/modem.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: modem.c,v 1.99 1998/08/26 18:07:56 brian Exp $
+ * $Id: modem.c,v 1.100 1999/01/10 01:26:28 brian Exp $
*
* TODO:
*/
@@ -69,6 +69,9 @@
#include "link.h"
#include "physical.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "prompt.h"
#include "chat.h"
diff --git a/usr.sbin/ppp/mp.c b/usr.sbin/ppp/mp.c
index 201ce6692bd6..c2e551590761 100644
--- a/usr.sbin/ppp/mp.c
+++ b/usr.sbin/ppp/mp.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: mp.c,v 1.16 1998/09/04 18:25:59 brian Exp $
+ * $Id: mp.c,v 1.17 1998/10/24 01:08:45 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -71,6 +71,9 @@
#include "chap.h"
#include "cbcp.h"
#include "datalink.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "ip.h"
#include "prompt.h"
diff --git a/usr.sbin/ppp/nat_cmd.c b/usr.sbin/ppp/nat_cmd.c
index efe0d67bb589..3a86a8e7aed9 100644
--- a/usr.sbin/ppp/nat_cmd.c
+++ b/usr.sbin/ppp/nat_cmd.c
@@ -2,10 +2,10 @@
* The code in this file was written by Eivind Eklund <perhaps@yes.no>,
* who places it in the public domain without restriction.
*
- * $Id: alias_cmd.c,v 1.17 1998/08/26 17:39:36 brian Exp $
+ * $Id: alias_cmd.c,v 1.18 1998/09/17 00:45:25 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
@@ -44,6 +44,9 @@
#include "link.h"
#include "mp.h"
#include "filter.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
diff --git a/usr.sbin/ppp/pap.c b/usr.sbin/ppp/pap.c
index 95a39c6977e6..9bdbb930291e 100644
--- a/usr.sbin/ppp/pap.c
+++ b/usr.sbin/ppp/pap.c
@@ -18,11 +18,11 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: pap.c,v 1.26 1998/08/07 18:42:50 brian Exp $
+ * $Id: pap.c,v 1.27 1998/08/26 18:07:57 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -53,6 +53,9 @@
#include "ipcp.h"
#include "filter.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "chat.h"
#include "chap.h"
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8
index 31d12095a8ea..c45ac21d0752 100644
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.141 1999/01/19 22:15:41 brian Exp $
+.\" $Id: ppp.8,v 1.142 1999/01/19 22:16:02 brian Exp $
.Dd 20 September 1995
.nr XX \w'\fC00'
.Os FreeBSD
@@ -109,11 +109,29 @@ CHAP authentication and
.Nm
is compiled with DES support, an appropriate MD4/DES response will be
made.
+.It Supports RADIUS authentication.
+An extension to PAP and CHAP,
+.Em \&R Ns No emote
+.Em \&A Ns No ccess
+.Em \&D Ns No ial
+.Em \&I Ns No n
+.Em \&U Ns No ser
+.Em \&S Ns No ervice
+allows authentication information to be stored in a central or
+distributed database along with various per-user framed connection
+characteristics. If
+.Pa libradius
+is available at compile time,
+.Nm
+will use it to make
+.Em RADIUS
+requests when configured to do so.
.It Supports Proxy Arp.
When
-.Em PPP
-is set up as server, you can also configure it to do proxy arp for your
-connection.
+.Nm
+is set up as server, it can be configured to make one or more proxy arp
+entries on behalf of the client. This allows routing to the LAN without
+configuring each machine on that LAN.
.It Supports packet filtering.
User can define four kinds of filters: the
.Em in
@@ -3498,6 +3516,95 @@ command must appear in
as it is not known when the commands in
.Pa ppp.conf
are executed.
+.It set radius Op Ar config-file
+This command enables RADIUS support (if it's compiled in).
+.Ar config-file
+refers to the radius client configuration file as described in
+.Xr radius.conf 5 .
+If PAP or CHAP are
+.Dq enable Ns No d ,
+.Nm
+behaves as a
+.Em \&N Ns No etwork
+.Em \&A Ns No ccess
+.Em \&S Ns No erver
+and uses the configured RADIUS server to authenticate rather than
+authenticating from the
+.Pa ppp.secret
+file or from the passwd database.
+.Pp
+If neither PAP or CHAP are enabled,
+.Dq set radius
+will do nothing.
+.Pp
+.Nm
+uses the following attributes from the RADIUS reply:
+.Bl -tag -width XXX -offset XXX
+.It RAD_FRAMED_IP_ADDRESS
+The peer IP address is set to the given value.
+.It RAD_FRAMED_IP_NETMASK
+The tun interface netmask is set to the given value.
+.It RAD_FRAMED_MTU
+If the given MTU is less than the peers MRU as agreed during LCP
+negotiation, *and* it is less that any configured MTU (see the
+.Dq set mru
+command), the tun interface MTU is set to the given value.
+.It RAD_FRAMED_COMPRESSION
+If the received compression type is
+.Dq 1 ,
+.Nm
+will request VJ compression during IPCP negotiations despite any
+.Dq disable vj
+configuration command.
+.It RAD_FRAMED_ROUTE
+The received string is expected to be in the format
+.Ar dest Ns Op / Ns Ar bits
+.Ar gw
+.Op Ar metrics .
+Any specified metrics are ignored.
+.Dv MYADDR
+and
+.Dv HISADDR
+are understood as valid values for
+.Ar dest
+and
+.Ar gw ,
+.Dq default
+can be used for
+.Ar dest
+to sepcify the default route, and
+.Dq 0.0.0.0
+is understood to be the same as
+.Dq default
+for
+.Ar dest
+and
+.Dv HISADDR
+for
+.Ar gw .
+.Pp
+For example, a returned value of
+.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400
+would result in a routing table entry to the 1.2.3.0/24 network via
+.Dv HISADDR
+and a returned value of
+.Dq 0.0.0.0 0.0.0.0
+or
+.Dq default HISADDR
+would result in a default route to
+.Dv HISADDR .
+.Pp
+All RADIUS routes are applied after any sticky routes are applied, making
+RADIUS routes override configured routes. This also applies for RADIUS
+routes that don't include the
+.Dv MYADDR
+or
+.Dv HISADDR
+keywords.
+.Pp
+.El
+Values received from the RADIUS server may be viewed using
+.Dq show bundle .
.It set reconnect Ar timeout ntries
Should the line drop unexpectedly (due to loss of CD or LQR
failure), a connection will be re-established after the given
@@ -3841,6 +3948,7 @@ This socket is used to pass links between different instances of
.Xr ping 8 ,
.Xr pppctl 8 ,
.Xr pppd 8 ,
+.Xr radius.conf 5 ,
.Xr route 8 ,
.Xr syslogd 8 ,
.Xr traceroute 8 ,
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 31d12095a8ea..c45ac21d0752 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.141 1999/01/19 22:15:41 brian Exp $
+.\" $Id: ppp.8,v 1.142 1999/01/19 22:16:02 brian Exp $
.Dd 20 September 1995
.nr XX \w'\fC00'
.Os FreeBSD
@@ -109,11 +109,29 @@ CHAP authentication and
.Nm
is compiled with DES support, an appropriate MD4/DES response will be
made.
+.It Supports RADIUS authentication.
+An extension to PAP and CHAP,
+.Em \&R Ns No emote
+.Em \&A Ns No ccess
+.Em \&D Ns No ial
+.Em \&I Ns No n
+.Em \&U Ns No ser
+.Em \&S Ns No ervice
+allows authentication information to be stored in a central or
+distributed database along with various per-user framed connection
+characteristics. If
+.Pa libradius
+is available at compile time,
+.Nm
+will use it to make
+.Em RADIUS
+requests when configured to do so.
.It Supports Proxy Arp.
When
-.Em PPP
-is set up as server, you can also configure it to do proxy arp for your
-connection.
+.Nm
+is set up as server, it can be configured to make one or more proxy arp
+entries on behalf of the client. This allows routing to the LAN without
+configuring each machine on that LAN.
.It Supports packet filtering.
User can define four kinds of filters: the
.Em in
@@ -3498,6 +3516,95 @@ command must appear in
as it is not known when the commands in
.Pa ppp.conf
are executed.
+.It set radius Op Ar config-file
+This command enables RADIUS support (if it's compiled in).
+.Ar config-file
+refers to the radius client configuration file as described in
+.Xr radius.conf 5 .
+If PAP or CHAP are
+.Dq enable Ns No d ,
+.Nm
+behaves as a
+.Em \&N Ns No etwork
+.Em \&A Ns No ccess
+.Em \&S Ns No erver
+and uses the configured RADIUS server to authenticate rather than
+authenticating from the
+.Pa ppp.secret
+file or from the passwd database.
+.Pp
+If neither PAP or CHAP are enabled,
+.Dq set radius
+will do nothing.
+.Pp
+.Nm
+uses the following attributes from the RADIUS reply:
+.Bl -tag -width XXX -offset XXX
+.It RAD_FRAMED_IP_ADDRESS
+The peer IP address is set to the given value.
+.It RAD_FRAMED_IP_NETMASK
+The tun interface netmask is set to the given value.
+.It RAD_FRAMED_MTU
+If the given MTU is less than the peers MRU as agreed during LCP
+negotiation, *and* it is less that any configured MTU (see the
+.Dq set mru
+command), the tun interface MTU is set to the given value.
+.It RAD_FRAMED_COMPRESSION
+If the received compression type is
+.Dq 1 ,
+.Nm
+will request VJ compression during IPCP negotiations despite any
+.Dq disable vj
+configuration command.
+.It RAD_FRAMED_ROUTE
+The received string is expected to be in the format
+.Ar dest Ns Op / Ns Ar bits
+.Ar gw
+.Op Ar metrics .
+Any specified metrics are ignored.
+.Dv MYADDR
+and
+.Dv HISADDR
+are understood as valid values for
+.Ar dest
+and
+.Ar gw ,
+.Dq default
+can be used for
+.Ar dest
+to sepcify the default route, and
+.Dq 0.0.0.0
+is understood to be the same as
+.Dq default
+for
+.Ar dest
+and
+.Dv HISADDR
+for
+.Ar gw .
+.Pp
+For example, a returned value of
+.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400
+would result in a routing table entry to the 1.2.3.0/24 network via
+.Dv HISADDR
+and a returned value of
+.Dq 0.0.0.0 0.0.0.0
+or
+.Dq default HISADDR
+would result in a default route to
+.Dv HISADDR .
+.Pp
+All RADIUS routes are applied after any sticky routes are applied, making
+RADIUS routes override configured routes. This also applies for RADIUS
+routes that don't include the
+.Dv MYADDR
+or
+.Dv HISADDR
+keywords.
+.Pp
+.El
+Values received from the RADIUS server may be viewed using
+.Dq show bundle .
.It set reconnect Ar timeout ntries
Should the line drop unexpectedly (due to loss of CD or LQR
failure), a connection will be re-established after the given
@@ -3841,6 +3948,7 @@ This socket is used to pass links between different instances of
.Xr ping 8 ,
.Xr pppctl 8 ,
.Xr pppd 8 ,
+.Xr radius.conf 5 ,
.Xr route 8 ,
.Xr syslogd 8 ,
.Xr traceroute 8 ,
diff --git a/usr.sbin/ppp/prompt.c b/usr.sbin/ppp/prompt.c
index cdd230474465..7228a6824c6d 100644
--- a/usr.sbin/ppp/prompt.c
+++ b/usr.sbin/ppp/prompt.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: prompt.c,v 1.11 1998/08/09 15:34:11 brian Exp $
+ * $Id: prompt.c,v 1.12 1998/08/26 17:39:37 brian Exp $
*/
#include <sys/param.h>
@@ -63,6 +63,9 @@
#include "link.h"
#include "physical.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "chat.h"
#include "chap.h"
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c
new file mode 100644
index 000000000000..70611e409e70
--- /dev/null
+++ b/usr.sbin/ppp/radius.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright 1999 Internet Business Solutions Ltd., Switzerland
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id:$
+ *
+ */
+
+#include <sys/param.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+
+#include <errno.h>
+#include <radlib.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+
+#include "defs.h"
+#include "log.h"
+#include "descriptor.h"
+#include "prompt.h"
+#include "timer.h"
+#include "fsm.h"
+#include "iplist.h"
+#include "slcompress.h"
+#include "throughput.h"
+#include "lqr.h"
+#include "hdlc.h"
+#include "mbuf.h"
+#include "ipcp.h"
+#include "route.h"
+#include "command.h"
+#include "filter.h"
+#include "server.h"
+#include "lcp.h"
+#include "ccp.h"
+#include "link.h"
+#include "mp.h"
+#include "radius.h"
+#include "bundle.h"
+
+void
+radius_Init(struct radius *r)
+{
+ r->valid = 0;
+ *r->cfg.file = '\0';;
+}
+
+void
+radius_Destroy(struct radius *r)
+{
+ r->valid = 0;
+ route_DeleteAll(&r->routes);
+}
+
+int
+radius_Authenticate(struct radius *r, struct bundle *bundle, const char *name,
+ const char *key, const char *challenge)
+{
+ struct rad_handle *h;
+ sigset_t alrm, prevset;
+ const void *data;
+ int got, len, argc, addrs;
+ char *argv[MAXARGS], *nuke;
+ struct in_range dest;
+ struct in_addr gw;
+
+ radius_Destroy(r);
+
+ if (!*r->cfg.file)
+ return 0;
+
+ if ((h = rad_open()) == NULL) {
+ log_Printf(LogERROR, "rad_open: %s\n", strerror(errno));
+ return 0;
+ }
+
+ if (rad_config(h, r->cfg.file) != 0) {
+ log_Printf(LogERROR, "rad_config: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ if (rad_create_request(h, RAD_ACCESS_REQUEST) != 0) {
+ log_Printf(LogERROR, "rad_create_request: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ if (rad_put_string(h, RAD_USER_NAME, name) != 0 ||
+ rad_put_int(h, RAD_SERVICE_TYPE, RAD_FRAMED) != 0 ||
+ rad_put_int(h, RAD_FRAMED_PROTOCOL, RAD_PPP) != 0) {
+ log_Printf(LogERROR, "rad_put: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ if (challenge != NULL) { /* CHAP */
+ if (rad_put_string(h, RAD_CHAP_PASSWORD, key) != 0 ||
+ rad_put_string(h, RAD_CHAP_CHALLENGE, challenge) != 0) {
+ log_Printf(LogERROR, "CHAP: rad_put_string: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+ } else if (rad_put_string(h, RAD_USER_PASSWORD, key) != 0) { /* PAP */
+ /* We're talking PAP */
+ log_Printf(LogERROR, "PAP: rad_put_string: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ /*
+ * Having to do this is bad news. The right way is to grab the
+ * descriptor that rad_send_request() selects on and add it to
+ * our own selection list (making a full ``struct descriptor''),
+ * then to ``continue'' the call when the descriptor is ready.
+ * This requires altering libradius....
+ */
+ sigemptyset(&alrm);
+ sigaddset(&alrm, SIGALRM);
+ sigprocmask(SIG_BLOCK, &alrm, &prevset);
+ got = rad_send_request(h);
+ sigprocmask(SIG_SETMASK, &prevset, NULL);
+
+ switch (got) {
+ case RAD_ACCESS_ACCEPT:
+ break;
+
+ case RAD_ACCESS_CHALLENGE:
+ /* we can't deal with this (for now) ! */
+ log_Printf(LogPHASE, "Can't handle radius CHALLENGEs !\n");
+ rad_close(h);
+ return 0;
+
+ case -1:
+ log_Printf(LogPHASE, "radius: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+
+ default:
+ log_Printf(LogERROR, "rad_send_request: Failed %d: %s\n",
+ got, rad_strerror(h));
+ rad_close(h);
+ return 0;
+
+ case RAD_ACCESS_REJECT:
+ log_Printf(LogPHASE, "radius: Rejected !\n");
+ rad_close(h);
+ return 0;
+ }
+
+ /* So we've been accepted ! Let's see what we've got in our reply :-I */
+ r->ip.s_addr = r->mask.s_addr = INADDR_NONE;
+ r->mtu = 0;
+ r->vj = 0;
+ while ((got = rad_get_attr(h, &data, &len)) > 0) {
+ switch (got) {
+ case RAD_FRAMED_IP_ADDRESS:
+ r->ip = rad_cvt_addr(data);
+ log_Printf(LogDEBUG, "radius: Got IP %s\n", inet_ntoa(r->ip));
+ break;
+
+ case RAD_FRAMED_IP_NETMASK:
+ r->mask = rad_cvt_addr(data);
+ log_Printf(LogDEBUG, "radius: Got MASK %s\n", inet_ntoa(r->mask));
+ break;
+
+ case RAD_FRAMED_MTU:
+ r->mtu = rad_cvt_int(data);
+ log_Printf(LogDEBUG, "radius: Got MTU %lu\n", r->mtu);
+ break;
+
+ case RAD_FRAMED_ROUTING:
+ /* Disabled for now - should we automatically set up some filters ? */
+ /* rad_cvt_int(data); */
+ /* bit 1 = Send routing packets */
+ /* bit 2 = Receive routing packets */
+ break;
+
+ case RAD_FRAMED_COMPRESSION:
+ r->vj = rad_cvt_int(data) == 1 ? 1 : 0;
+ log_Printf(LogDEBUG, "radius: Got VJ %sabled\n", r->vj ? "en" : "dis");
+ break;
+
+ case RAD_FRAMED_ROUTE:
+ /*
+ * We expect a string of the format ``dest[/bits] gw [metrics]''
+ * Any specified metrics are ignored. MYADDR and HISADDR are
+ * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same
+ * as ``HISADDR''.
+ */
+
+ if ((nuke = rad_cvt_string(data, len)) == NULL) {
+ log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ dest.ipaddr.s_addr = dest.mask.s_addr = INADDR_ANY;
+ dest.width = 0;
+ argc = command_Interpret(nuke, strlen(nuke), argv);
+ if (argc < 2)
+ log_Printf(LogWARN, "radius: %s: Invalid route\n",
+ argc == 1 ? argv[0] : "\"\"");
+ else if ((strcasecmp(argv[0], "default") != 0 &&
+ !ParseAddr(&bundle->ncp.ipcp, argv[0], &dest.ipaddr,
+ &dest.mask, &dest.width)) ||
+ !ParseAddr(&bundle->ncp.ipcp, argv[1], &gw, NULL, NULL))
+ log_Printf(LogWARN, "radius: %s %s: Invalid route\n",
+ argv[0], argv[1]);
+ else {
+ if (dest.width == 32 && strchr(argv[0], '/') == NULL)
+ /* No mask specified - use the natural mask */
+ dest.mask.s_addr = addr2mask(dest.ipaddr.s_addr);
+ addrs = 0;
+
+ if (!strncasecmp(argv[0], "HISADDR", 7))
+ addrs = ROUTE_DSTHISADDR;
+ else if (!strncasecmp(argv[0], "MYADDR", 6))
+ addrs = ROUTE_DSTMYADDR;
+
+ if (gw.s_addr == INADDR_ANY) {
+ addrs |= ROUTE_GWHISADDR;
+ gw = bundle->ncp.ipcp.peer_ip;
+ } else if (strcasecmp(argv[1], "HISADDR") == 0)
+ addrs |= ROUTE_GWHISADDR;
+
+ route_Add(&r->routes, addrs, dest.ipaddr, dest.mask, gw);
+ }
+ free(nuke);
+ break;
+ }
+ }
+
+ if (got == -1) {
+ log_Printf(LogERROR, "rad_get_attr: %s\n", rad_strerror(h));
+ rad_close(h);
+ return 0;
+ }
+
+ log_Printf(LogPHASE, "radius: SUCCESS\n");
+
+ rad_close(h);
+ return r->valid = 1;
+}
+
+void
+radius_Show(struct radius *r, struct prompt *p)
+{
+ prompt_Printf(p, " Radius config: %s", *r->cfg.file ? r->cfg.file : "none");
+ if (r->valid) {
+ prompt_Printf(p, "\n IP: %s\n", inet_ntoa(r->ip));
+ prompt_Printf(p, " Netmask: %s\n", inet_ntoa(r->mask));
+ prompt_Printf(p, " MTU: %lu\n", r->mtu);
+ prompt_Printf(p, " VJ: %sabled\n", r->vj ? "en" : "dis");
+ if (r->routes)
+ route_ShowSticky(p, r->routes, " Routes", 16);
+ } else
+ prompt_Printf(p, " (not authenticated)\n");
+}
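Review bot: The attribute loop in radius_Authenticate() decodes RAD_FRAMED_IP_ADDRESS, RAD_FRAMED_IP_NETMASK, RAD_FRAMED_MTU and RAD_FRAMED_COMPRESSION without looking at the `len` that rad_get_attr() returned; only the RAD_FRAMED_ROUTE case uses it. rad_cvt_addr() and rad_cvt_int() receive just the data pointer, so they presumably read a fixed four bytes whatever the reply actually carried, and a malformed attribute would be decoded from neighbouring bytes. Because these values become the peer address, the interface netmask and the MTU, each of those cases should start with a guard such as `if (len != 4) { log_Printf(LogWARN, "radius: bad attribute length %d\n", len); break; }`. Rejecting the whole reply instead of skipping the attribute would be the stricter choice for an authentication path.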
diff --git a/usr.sbin/ppp/radius.h b/usr.sbin/ppp/radius.h
new file mode 100644
index 000000000000..0b02f21fc0a6
--- /dev/null
+++ b/usr.sbin/ppp/radius.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright 1999 Internet Business Solutions Ltd., Switzerland
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id:$
+ */
+
+struct radius {
+ unsigned valid : 1; /* Is this structure valid ? */
+ unsigned vj : 1; /* FRAMED Compression */
+ struct in_addr ip; /* FRAMED IP */
+ struct in_addr mask; /* FRAMED Netmask */
+ unsigned long mtu; /* FRAMED MTU */
+ struct sticky_route *routes; /* FRAMED Routes */
+ struct {
+ char file[MAXPATHLEN]; /* Radius config file */
+ } cfg;
+};
+
+struct bundle;
+
+extern void radius_Init(struct radius *);
+extern void radius_Destroy(struct radius *);
+
+extern void radius_Show(struct radius *, struct prompt *);
+extern int radius_Authenticate(struct radius *, struct bundle *, const char *,
+ const char *, const char *);
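Review bot: radius.h forward-declares `struct bundle;` but not `struct prompt`, which the radius_Show() prototype uses; where prompt.h has not been included first (iface.c in this commit includes it after radius.h) the tag is declared with prototype scope only, which compilers warn about and which makes the prototype's parameter type incompatible with the real one. Adding `struct prompt;` beside `struct bundle;` fixes that. The header also depends on its includer for MAXPATHLEN and struct in_addr, which appears to be why the other files in this commit switch to `<sys/param.h>`, and it has no include guard. A short comment at the top naming those prerequisites, or including them directly, would make the dependency visible.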
diff --git a/usr.sbin/ppp/route.c b/usr.sbin/ppp/route.c
index 7f70efb7bd53..5b366d2b81b2 100644
--- a/usr.sbin/ppp/route.c
+++ b/usr.sbin/ppp/route.c
@@ -17,11 +17,11 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: route.c,v 1.53 1998/08/17 06:42:40 brian Exp $
+ * $Id: route.c,v 1.54 1998/10/22 02:32:50 brian Exp $
*
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/socket.h>
#include <net/if_types.h>
#include <net/route.h>
@@ -58,6 +58,9 @@
#include "filter.h"
#include "descriptor.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "route.h"
#include "prompt.h"
@@ -486,29 +489,29 @@ void
route_Add(struct sticky_route **rp, int type, struct in_addr dst,
struct in_addr mask, struct in_addr gw)
{
- if (type != ROUTE_STATIC) {
- struct sticky_route *r;
- int dsttype = type & ROUTE_DSTANY;
-
- r = NULL;
- while (*rp) {
- if ((dsttype && dsttype == ((*rp)->type & ROUTE_DSTANY)) ||
- (!dsttype && (*rp)->dst.s_addr == dst.s_addr)) {
- r = *rp;
- *rp = r->next;
- } else
- rp = &(*rp)->next;
- }
+ struct sticky_route *r;
+ int dsttype = type & ROUTE_DSTANY;
- if (!r)
- r = (struct sticky_route *)malloc(sizeof(struct sticky_route));
- r->type = type;
- r->next = NULL;
- r->dst = dst;
- r->mask = mask;
- r->gw = gw;
- *rp = r;
+ r = NULL;
+ while (*rp) {
+ if ((dsttype && dsttype == ((*rp)->type & ROUTE_DSTANY)) ||
+ (!dsttype && (*rp)->dst.s_addr == dst.s_addr)) {
+ /* Oops, we already have this route - unlink it */
+ free(r); /* impossible really */
+ r = *rp;
+ *rp = r->next;
+ } else
+ rp = &(*rp)->next;
}
+
+ if (!r)
+ r = (struct sticky_route *)malloc(sizeof(struct sticky_route));
+ r->type = type;
+ r->next = NULL;
+ r->dst = dst;
+ r->mask = mask;
+ r->gw = gw;
+ *rp = r;
}
void
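Review bot: The `malloc()` result in route_Add is dereferenced without a check: when no existing entry was unlinked, the allocation is followed directly by `r->type = type`, so an allocation failure becomes a NULL dereference. The exposure is wider now that the `type != ROUTE_STATIC` guard is gone and every call reaches this path. radius.h in this commit also gives `struct radius` a `routes` list, so entries presumably can originate from a RADIUS reply. I would add `if (r == NULL) { log_Printf(LogERROR, "route_Add: malloc failed\n"); return; }` right after the allocation.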
@@ -541,15 +544,22 @@ route_DeleteAll(struct sticky_route **rp)
}
void
-route_ShowSticky(struct prompt *p, struct sticky_route *r)
+route_ShowSticky(struct prompt *p, struct sticky_route *r, const char *tag,
+ int indent)
{
int def;
+ int tlen = strlen(tag);
+
+ if (tlen + 2 > indent)
+ prompt_Printf(p, "%s:\n%*s", tag, indent, "");
+ else
+ prompt_Printf(p, "%s:%*s", tag, indent - tlen - 1, "");
- prompt_Printf(p, "Sticky routes:\n");
for (; r; r = r->next) {
def = r->dst.s_addr == INADDR_ANY && r->mask.s_addr == INADDR_ANY;
- prompt_Printf(p, " add ");
+ prompt_Printf(p, "%*sadd ", tlen ? 0 : indent, "");
+ tlen = 0;
if (r->type & ROUTE_DSTMYADDR)
prompt_Printf(p, "MYADDR");
else if (r->type & ROUTE_DSTHISADDR)
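Review bot: `tlen` does two jobs in route_ShowSticky with nothing to say so: it is the tag length used to lay out the header, then it is zeroed inside the loop to mean "the first row has been printed". A comment such as `/* header already emitted the first row's indent; tlen is zeroed so later rows indent themselves */`, or a separate first-row flag, would make that readable. When `r` is NULL the header and its padding are printed and, as far as this hunk shows, no newline follows; the rest of the loop body is outside the hunk, so confirm that the empty-list case terminates the line. `tag` goes straight into `strlen()`, so the new parameter must never be NULL, which is worth stating in a comment above the function.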
diff --git a/usr.sbin/ppp/route.h b/usr.sbin/ppp/route.h
index cd0877d5c496..590a4e2bbe15 100644
--- a/usr.sbin/ppp/route.h
+++ b/usr.sbin/ppp/route.h
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: route.h,v 1.10.2.6 1998/05/05 23:30:13 brian Exp $
+ * $Id: route.h,v 1.11 1998/05/21 21:48:12 brian Exp $
*
*/
@@ -50,4 +50,5 @@ extern void route_Add(struct sticky_route **, int, struct in_addr,
extern void route_Delete(struct sticky_route **, int, struct in_addr);
extern void route_DeleteAll(struct sticky_route **);
extern void route_Clean(struct bundle *, struct sticky_route *);
-extern void route_ShowSticky(struct prompt *, struct sticky_route *);
+extern void route_ShowSticky(struct prompt *, struct sticky_route *,
+ const char *, int);
diff --git a/usr.sbin/ppp/slcompress.c b/usr.sbin/ppp/slcompress.c
index 0a1b9c1b8404..c5d576e350d3 100644
--- a/usr.sbin/ppp/slcompress.c
+++ b/usr.sbin/ppp/slcompress.c
@@ -17,13 +17,13 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: slcompress.c,v 1.19 1998/06/27 12:03:50 brian Exp $
+ * $Id: slcompress.c,v 1.20 1998/08/26 17:39:37 brian Exp $
*
* Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
* - Initial distribution.
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
@@ -53,6 +53,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
void
diff --git a/usr.sbin/ppp/tun.c b/usr.sbin/ppp/tun.c
index 6d97e38c4b75..d8edbd8217e1 100644
--- a/usr.sbin/ppp/tun.c
+++ b/usr.sbin/ppp/tun.c
@@ -23,10 +23,10 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: tun.c,v 1.9 1998/08/09 16:41:01 brian Exp $
+ * $Id: tun.c,v 1.10 1998/10/22 02:32:50 brian Exp $
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <sys/socket.h> /* For IFF_ defines */
#include <net/if.h> /* For IFF_ defines */
#include <netinet/in.h>
@@ -57,6 +57,9 @@
#include "ccp.h"
#include "link.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "tun.h"
@@ -67,7 +70,15 @@ tun_configure(struct bundle *bundle, int mtu)
memset(&info, '\0', sizeof info);
info.type = IFT_PPP;
- info.mtu = mtu;
+#ifndef NORADIUS
+ if (bundle->radius.valid && bundle->radius.mtu && bundle->radius.mtu < mtu) {
+ log_Printf(LogLCP, "Reducing MTU to radius value %lu\n",
+ bundle->radius.mtu);
+ info.mtu = bundle->radius.mtu;
+ } else
+#endif
+ info.mtu = mtu;
+
info.baudrate = bundle->ifSpeed;
#ifdef __OpenBSD__
info.flags = IFF_UP|IFF_POINTOPOINT;
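Review bot: The RADIUS-supplied MTU is bounded only from above in tun_configure: any non-zero `bundle->radius.mtu` smaller than `mtu` is copied into `info.mtu`, so a reply carrying a very small framed MTU would be applied to the tunnel interface as is. Unless the value is range-checked where it is parsed (not visible here), add a floor to the condition, e.g. `bundle->radius.mtu >= RADIUS_MIN_MTU &&`, where `RADIUS_MIN_MTU` is a placeholder for whatever minimum the project accepts. The comparison also mixes the `unsigned long` field from radius.h with the `int mtu` parameter, so a negative `mtu` would convert to a huge unsigned value, and the `} else` that reaches across `#endif` would be safer with braces around `info.mtu = mtu;`. tun_configure starts and ends outside this hunk.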
diff --git a/usr.sbin/ppp/vjcomp.c b/usr.sbin/ppp/vjcomp.c
index 8ff5b92015c7..e402c033a24a 100644
--- a/usr.sbin/ppp/vjcomp.c
+++ b/usr.sbin/ppp/vjcomp.c
@@ -17,11 +17,11 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: vjcomp.c,v 1.22 1998/08/07 18:42:51 brian Exp $
+ * $Id: vjcomp.c,v 1.23 1998/08/26 18:07:57 brian Exp $
*
* TODO:
*/
-#include <sys/types.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -48,6 +48,9 @@
#include "filter.h"
#include "descriptor.h"
#include "mp.h"
+#ifndef NORADIUS
+#include "radius.h"
+#endif
#include "bundle.h"
#include "vjcomp.h"