/************ private functions *************/
static SECURID_SESSION *securid_sessionlist_delete(rlm_securid_t *inst, SECURID_SESSION *session)
{
rbnode_t *node;
node = rbtree_find(inst->session_tree, session);
if (!node) return NULL;
session = rbtree_node2data(inst->session_tree, node);
/*
* Delete old session from the tree.
*/
rbtree_delete(inst->session_tree, node);
/*
* And unsplice it from the linked list.
*/
if (session->prev) {
session->prev->next = session->next;
} else {
inst->session_head = session->next;
}
if (session->next) {
session->next->prev = session->prev;
} else {
inst->session_tail = session->prev;
}
session->prev = session->next = NULL;
return session;
}
/*
* Look up a particular request, using:
*
* Request Id, request code, source IP, source port,
*
* Note that we do NOT use the request vector to look up requests.
*
* We MUST NOT have two requests with identical (id/code/IP/port), and
* different vectors. This is a serious error!
*/
REQUEST *rl_find_proxy(RADIUS_PACKET *packet)
{
rbnode_t *node;
REQUEST myrequest, *maybe = NULL;
RADIUS_PACKET myproxy;
/*
* If we use the socket FD as an indicator,
* then that implicitely contains information
* as to our src ipaddr/port, so we don't need
* to use that in the comparisons.
*/
myproxy.sockfd = packet->sockfd;
myproxy.id = packet->id;
myproxy.dst_ipaddr = packet->src_ipaddr;
myproxy.dst_port = packet->src_port;
#ifndef NDEBUG
myrequest.magic = REQUEST_MAGIC;
#endif
myrequest.proxy = &myproxy;
pthread_mutex_lock(&proxy_mutex);
node = rbtree_find(proxy_tree, &myrequest);
if (node) {
maybe = rbtree_node2data(proxy_tree, node);
rad_assert(maybe->proxy_outstanding > 0);
maybe->proxy_outstanding--;
/*
* Received all of the replies we expect.
* delete it from both trees.
*/
if (maybe->proxy_outstanding == 0) {
rl_delete_proxy(&myrequest, node);
}
}
pthread_mutex_unlock(&proxy_mutex);
return maybe;
}
static eap_handler_t *eaplist_delete(rlm_eap_t *inst, REQUEST *request,
eap_handler_t *handler)
{
rbnode_t *node;
node = rbtree_find(inst->session_tree, handler);
if (!node) return NULL;
handler = rbtree_node2data(inst->session_tree, node);
RDEBUG("Finished EAP session with state "
"0x%02x%02x%02x%02x%02x%02x%02x%02x",
handler->state[0], handler->state[1],
handler->state[2], handler->state[3],
handler->state[4], handler->state[5],
handler->state[6], handler->state[7]);
/*
* Delete old handler from the tree.
*/
rbtree_delete(inst->session_tree, node);
/*
* And unsplice it from the linked list.
*/
if (handler->prev) {
handler->prev->next = handler->next;
} else {
inst->session_head = handler->next;
}
if (handler->next) {
handler->next->prev = handler->prev;
} else {
inst->session_tail = handler->prev;
}
handler->prev = handler->next = NULL;
return handler;
}
/*
* Find a a previous EAP-Request sent by us, which matches
* the current EAP-Response.
*
* Then, release the handle from the list, and return it to
* the caller.
*
* Also since we fill the eap_ds with the present EAP-Response we
* got to free the prev_eapds & move the eap_ds to prev_eapds
*/
static EAP_HANDLER *eaplist_find(rlm_eap_t *inst, REQUEST *request)
{
int i;
VALUE_PAIR *state;
rbnode_t *node;
EAP_HANDLER *handler, myHandler;
/*
* We key the sessions off of the 'state' attribute, so it
* must exist.
*/
state = pairfind(request->packet->vps, PW_STATE, 0, TAG_ANY);
if (!state ||
(state->length != EAP_STATE_LEN)) {
return NULL;
}
myHandler.src_ipaddr = request->packet->src_ipaddr;
memcpy(myHandler.state, state->vp_strvalue, sizeof(myHandler.state));
/*
* Playing with a data structure shared among threads
* means that we need a lock, to avoid conflict.
*/
pthread_mutex_lock(&(inst->session_mutex));
/*
* Check the first few handlers in the list, and delete
* them if they're too old. We don't need to check them
* all, as incoming requests will quickly cause older
* handlers to be deleted.
*
*/
for (i = 0; i < 2; i++) {
handler = inst->session_head;
if (handler &&
((request->timestamp - handler->timestamp) > inst->timer_limit)) {
node = rbtree_find(inst->session_tree, handler);
rad_assert(node != NULL);
rbtree_delete(inst->session_tree, node);
/*
* handler == inst->session_head
*/
inst->session_head = handler->next;
if (handler->next) {
handler->next->prev = NULL;
} else {
inst->session_head = NULL;
}
eap_handler_free(handler);
}
}
handler = NULL;
node = rbtree_find(inst->session_tree, &myHandler);
if (node) {
handler = rbtree_node2data(inst->session_tree, node);
/*
* Delete old handler from the tree.
*/
rbtree_delete(inst->session_tree, node);
/*
* And unsplice it from the linked list.
*/
if (handler->prev) {
handler->prev->next = handler->next;
} else {
inst->session_head = handler->next;
}
if (handler->next) {
handler->next->prev = handler->prev;
} else {
inst->session_tail = handler->prev;
}
handler->prev = handler->next = NULL;
}
pthread_mutex_unlock(&(inst->session_mutex));
/*
* Not found.
*/
if (!node) {
RDEBUG2("Request not found in the list");
return NULL;
}
/*
* Found, but state verification failed.
*/
if (!handler) {
radlog(L_ERR, "rlm_eap2: State verification failed.");
return NULL;
}
RDEBUG2("Request found, released from the list");
return handler;
}
/*
* Store logins in the RADIUS utmp file.
*/
static rlm_rcode_t radutmp_accounting(void *instance, REQUEST *request)
{
rlm_radutmp_t *inst = instance;
struct radutmp utmp, u;
VALUE_PAIR *vp;
int status = -1;
uint32_t nas_address = 0;
uint32_t framed_address = 0;
int protocol = -1;
int fd;
int port_seen = 0;
char buffer[256];
char filename[1024];
char ip_name[32]; /* 255.255.255.255 */
const char *nas;
NAS_PORT *nas_port, myPort;
radutmp_cache_t *cache;
int read_size;
rbnode_t *node;
/*
* Which type is this.
*/
if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE, 0, TAG_ANY)) == NULL) {
radlog(L_ERR, "rlm_radutmp: No Accounting-Status-Type record.");
return RLM_MODULE_NOOP;
}
status = vp->vp_integer;
/*
* Look for weird reboot packets.
*
* ComOS (up to and including 3.5.1b20) does not send
* standard PW_STATUS_ACCOUNTING_* messages.
*
* Check for: o no Acct-Session-Time, or time of 0
* o Acct-Session-Id of "00000000".
*
* We could also check for NAS-Port, that attribute
* should NOT be present (but we don't right now).
*/
if ((status != PW_STATUS_ACCOUNTING_ON) &&
(status != PW_STATUS_ACCOUNTING_OFF)) do {
int check1 = 0;
int check2 = 0;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME, 0, TAG_ANY))
== NULL || vp->vp_date == 0)
check1 = 1;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_ID, 0, TAG_ANY))
!= NULL && vp->length == 8 &&
memcmp(vp->vp_strvalue, "00000000", 8) == 0)
check2 = 1;
if (check1 == 0 || check2 == 0) {
#if 0 /* Cisco sometimes sends START records without username. */
radlog(L_ERR, "rlm_radutmp: no username in record");
return RLM_MODULE_FAIL;
#else
break;
#endif
}
radlog(L_INFO, "rlm_radutmp: converting reboot records.");
if (status == PW_STATUS_STOP)
status = PW_STATUS_ACCOUNTING_OFF;
if (status == PW_STATUS_START)
status = PW_STATUS_ACCOUNTING_ON;
} while(0);
memset(&utmp, 0, sizeof(utmp));
utmp.porttype = 'A';
/*
* First, find the interesting attributes.
*/
for (vp = request->packet->vps; vp; vp = vp->next) {
switch (vp->da->attribute) {
case PW_LOGIN_IP_HOST:
case PW_FRAMED_IP_ADDRESS:
framed_address = vp->vp_ipaddr;
utmp.framed_address = vp->vp_ipaddr;
break;
case PW_FRAMED_PROTOCOL:
protocol = vp->vp_integer;
break;
case PW_NAS_IP_ADDRESS:
nas_address = vp->vp_ipaddr;
utmp.nas_address = vp->vp_ipaddr;
break;
case PW_NAS_PORT:
utmp.nas_port = vp->vp_integer;
port_seen = 1;
break;
case PW_ACCT_DELAY_TIME:
utmp.delay = vp->vp_integer;
break;
case PW_ACCT_SESSION_ID:
/*
* If it's too big, only use the
* last bit.
*/
if (vp->length > sizeof(utmp.session_id)) {
int length = vp->length - sizeof(utmp.session_id);
/*
* Ascend is br0ken - it
* adds a \0 to the end
* of any string.
* Compensate.
*/
if (vp->vp_strvalue[vp->length - 1] == 0) {
length--;
}
memcpy(utmp.session_id,
vp->vp_strvalue + length,
sizeof(utmp.session_id));
} else {
memset(utmp.session_id, 0,
sizeof(utmp.session_id));
memcpy(utmp.session_id,
vp->vp_strvalue,
vp->length);
}
break;
case PW_NAS_PORT_TYPE:
if (vp->vp_integer <= 4)
utmp.porttype = porttypes[vp->vp_integer];
break;
case PW_CALLING_STATION_ID:
if(inst->callerid_ok)
strlcpy(utmp.caller_id,
(char *)vp->vp_strvalue,
sizeof(utmp.caller_id));
break;
}
}
/*
* If we didn't find out the NAS address, use the
* originator's IP address.
*/
if (nas_address == 0) {
nas_address = request->packet->src_ipaddr;
utmp.nas_address = nas_address;
nas = request->client->shortname;
} else if (request->packet->src_ipaddr.ipaddr.ip4addr.s_addr == nas_address) { /* might be a client, might not be. */
nas = request->client->shortname;
} else {
/*
* The NAS isn't a client, it's behind
* a proxy server. In that case, just
* get the IP address.
*/
nas = ip_ntoa(ip_name, nas_address);
}
/*
* Set the protocol field.
*/
if (protocol == PW_PPP)
utmp.proto = 'P';
else if (protocol == PW_SLIP)
utmp.proto = 'S';
else
utmp.proto = 'T';
utmp.time = request->timestamp - utmp.delay;
/*
* Get the utmp filename, via xlat.
*/
radius_xlat(filename, sizeof(filename), inst->filename, request, NULL);
/*
* Future: look up filename in filename tree, to get
* radutmp_cache_t pointer
*/
cache = &inst->cache;
/*
* For now, double-check the filename, to be sure it isn't
* changing.
*/
if (!cache->filename) {
cache->filename = strdup(filename);
rad_assert(cache->filename != NULL);
} else if (strcmp(cache->filename, filename) != 0) {
radlog(L_ERR, "rlm_radutmp: We do not support dynamically named files.");
return RLM_MODULE_FAIL;
}
/*
* If the lookup failed, create a new one, and add it
* to the filename tree, and cache the file, as below.
*/
/*
* For aging, in the future.
*/
cache->last_used = request->timestamp;
/*
* If we haven't already read the file, then read the
* entire file, in order to cache its entries.
*/
if (!cache->cached_file) {
cache_file(inst, cache);
}
/*
* See if this was a reboot.
*
* Hmm... we may not want to zap all of the users when
* the NAS comes up, because of issues with receiving
* UDP packets out of order.
*/
if (status == PW_STATUS_ACCOUNTING_ON && nas_address) {
radlog(L_INFO, "rlm_radutmp: NAS %s restarted (Accounting-On packet seen)",
nas);
if (!radutmp_zap(inst, cache, nas_address, utmp.time)) {
rad_assert(0 == 1);
}
return RLM_MODULE_OK;
}
if (status == PW_STATUS_ACCOUNTING_OFF && nas_address) {
radlog(L_INFO, "rlm_radutmp: NAS %s rebooted (Accounting-Off packet seen)",
nas);
if (!radutmp_zap(inst, cache, nas_address, utmp.time)) {
rad_assert(0 == 1);
}
return RLM_MODULE_OK;
}
/*
* If we don't know this type of entry, then pretend we
* succeeded.
*/
if (status != PW_STATUS_START &&
status != PW_STATUS_STOP &&
status != PW_STATUS_ALIVE) {
radlog(L_ERR, "rlm_radutmp: NAS %s port %u unknown packet type %d, ignoring it.",
nas, utmp.nas_port, status);
return RLM_MODULE_NOOP;
}
/*
* Perhaps we don't want to store this record into
* radutmp. We skip records:
*
* - without a NAS-Port (telnet / tcp access)
* - with the username "!root" (console admin login)
*/
if (!port_seen) {
DEBUG2(" rlm_radutmp: No NAS-Port in the packet. Cannot do anything.");
DEBUG2(" rlm_radumtp: WARNING: checkrad will probably not work!");
return RLM_MODULE_NOOP;
}
/*
* Translate the User-Name attribute, or whatever else
* they told us to use.
*/
*buffer = '\0';
radius_xlat(buffer, sizeof(buffer), inst->username, request, NULL);
/*
* Don't log certain things...
*/
if (strcmp(buffer, "!root") == 0) {
DEBUG2(" rlm_radutmp: Not recording administrative user");
return RLM_MODULE_NOOP;
}
strlcpy(utmp.login, buffer, RUT_NAMESIZE);
/*
* First, try to open the file. If it doesn't exist,
* nuke the existing caches, and try to create it.
*
* FIXME: Create any intermediate directories, as
* appropriate. See rlm_detail.
*/
fd = open(cache->filename, O_RDWR, inst->permission);
if (fd < 0) {
if (errno == ENOENT) {
DEBUG2(" rlm_radutmp: File %s doesn't exist, creating it.", cache->filename);
if (!cache_reset(inst, cache)) return RLM_MODULE_FAIL;
/*
* Try to create the file.
*/
fd = open(cache->filename, O_RDWR | O_CREAT,
inst->permission);
}
} else { /* exists, but may be empty */
struct stat buf;
/*
* If the file is empty, reset the cache.
*/
if ((stat(cache->filename, &buf) == 0) &&
(buf.st_size == 0) &&
(!cache_reset(inst, cache))) {
return RLM_MODULE_FAIL;
}
DEBUG2(" rlm_radutmp: File %s was truncated. Resetting cache.",
cache->filename);
}
/*
* Error from creation, or error other than ENOENT: die.
*/
if (fd < 0) {
radlog(L_ERR, "rlm_radutmp: Error accessing file %s: %s",
cache->filename, strerror(errno));
return RLM_MODULE_FAIL;
}
/*
* OK. Now that we've prepared everything we want to do,
* let's see if we've cached the entry.
*/
myPort.nas_address = utmp.nas_address;
myPort.nas_port = utmp.nas_port;
pthread_mutex_lock(&cache->mutex);
node = rbtree_find(cache->nas_ports, &myPort);
pthread_mutex_unlock(&cache->mutex);
if (node) {
nas_port = rbtree_node2data(cache->nas_ports, node);
#if 0
/*
* stat the file, and get excited if it's been
* truncated.
*
* i.e wipe out the cache, and re-read the file.
*/
/*
* Now find the new entry.
*/
pthread_mutex_lock(&cache->mutex);
node = rbtree_find(cache->nas_ports, &myPort);
pthread_mutex_unlock(&cache->mutex);
#endif
}
if (!node) {
radutmp_simul_t *user;
/*
* Not found in the cache, and we're trying to
* delete an existing record: ignore it.
*/
if (status == PW_STATUS_STOP) {
DEBUG2(" rlm_radumtp: Logout entry for NAS %s port %u with no Login: ignoring it.",
nas, utmp.nas_port);
return RLM_MODULE_NOOP;
}
pthread_mutex_lock(&cache->mutex);
/*
* It's a START or ALIVE. Try to find a free
* offset where we can store the new entry, or
* create one, if one doesn't already exist.
*/
if (!cache->free_offsets) {
cache->free_offsets = rad_malloc(sizeof(NAS_PORT));
memset(cache->free_offsets, 0,
sizeof(*(cache->free_offsets)));
cache->free_offsets->offset = cache->max_offset;
cache->max_offset += sizeof(u);
}
/*
* Grab the offset, and put it into the various
* caches.
*/
nas_port = cache->free_offsets;
cache->free_offsets = nas_port->next;
nas_port->nas_address = nas_address;
nas_port->nas_port = utmp.nas_port;
if (!rbtree_insert(cache->nas_ports, nas_port)) {
rad_assert(0 == 1);
}
/*
* Allocate new entry, and add it
* to the tree.
*/
user = rad_malloc(sizeof(user));
strlcpy(user->login, utmp.login,
sizeof(user->login));
user->simul_count = 1;
if (!rbtree_insert(inst->user_tree, user)) {
rad_assert(0 == 1);
}
pthread_mutex_unlock(&cache->mutex);
}
/*
* Entry was found, or newly created in the cache.
* Seek to the place in the file.
*/
lseek(fd, nas_port->offset, SEEK_SET);
/*
* Lock the utmp file, prefer lockf() over flock().
*/
rad_lockfd(fd, LOCK_LEN);
/*
* If it WAS found in the cache, double-check it against
* what is in the file.
*/
if (node) {
/*
* If we didn't read anything, then this entry
* doesn't exist.
*
* Similarly, if the entry in the file doesn't
* match what we recall, then nuke the cache
* entry.
*/
read_size = read(fd, &u, sizeof(u));
if ((read_size < 0) ||
((read_size > 0) && (read_size != sizeof(u)))) {
/*
* Bad read, or bad record.
*/
radlog(L_ERR, "rlm_radutmp: Badly formed file %s",
cache->filename);
close(fd);
return RLM_MODULE_FAIL;
}
rad_assert(read_size != 0);
/*
* We've read a record, go poke at it.
*/
if (read_size > 0) {
/*
* If these aren't true, then
*
* a) we have cached a "logout" entry,
* which we don't do.
*
* b) we have cached the wrong NAS address
*
* c) we have cached the wrong NAS port.
*/
rad_assert(u.type == P_LOGIN);
rad_assert(u.nas_address == utmp.nas_address);
rad_assert(u.nas_port == utmp.nas_port);
/*
* An update for the same session.
*/
if (strncmp(utmp.session_id, u.session_id,
sizeof(u.session_id)) == 0) {
/*
* It's a duplicate start, so we
* don't bother writing it.
*/
if (status == PW_STATUS_START) {
DEBUG2(" rlm_radutmp: Login entry for NAS %s port %u duplicate, ignoring it.",
nas, u.nas_port);
close(fd);
return RLM_MODULE_OK;
/*
* ALIVE for this session, keep the
* original login time.
*/
} else if (status == PW_STATUS_ALIVE) {
utmp.time = u.time;
/*
* Stop: delete it from our cache.
*/
} else if (status == PW_STATUS_STOP) {
radutmp_simul_t *user, myUser;
pthread_mutex_lock(&cache->mutex);
rbtree_deletebydata(cache->nas_ports,
nas_port);
strlcpy(myUser.login,
u.login, sizeof(myUser.login));
user = rbtree_finddata(inst->user_tree,
&myUser);
rad_assert(user != NULL);
rad_assert(user->simul_count > 0);
user->simul_count--;
if (user->simul_count == 0) {
rbtree_deletebydata(inst->user_tree, user);
}
pthread_mutex_unlock(&cache->mutex);
} else {
/*
* We don't know how to
* handle this.
*/
rad_assert(0 == 1);
}
} else { /* session ID doesn't match */
/*
* STOP for the right NAS & port,
* but the Acct-Session-Id is
* different. This means that
* we missed the original "stop",
* and a new "start".
*/
if (status == PW_STATUS_STOP) {
radlog(L_ERR, "rlm_radutmp: Logout entry for NAS %s port %u has old Acct-Session-ID, ignoring it.",
nas, u.nas_port);
close(fd);
return RLM_MODULE_OK;
}
} /* checked session ID's */
} /* else we haven't read anything from the file. */
} /* else the entry wasn't cached, but could have been inserted */
/*
* Hmm... we may have received a start or alive packet
* AFTER a stop or nas-down, in that case, we want to
* discard the new packet. However, the original code
* could over-write an idle record with a new login
* record for another NAS && port, so we won't worry
* about this case too much.
*/
/*
* Seek to where the entry is, and write it blindly.
*/
lseek(fd, nas_port->offset, SEEK_SET); /* FIXME: err */
if (status != PW_STATUS_STOP) {
utmp.type = P_LOGIN;
rad_assert(nas_port != NULL); /* it WAS cached */
} else {
/* FIXME: maybe assert that the entry was deleted... */
memcpy(&utmp, &u, sizeof(utmp));
utmp.type = P_IDLE;
}
write(fd, &utmp, sizeof(utmp)); /* FIXME: err */
close(fd); /* and implicitly release the locks */
return RLM_MODULE_OK;
}
