/* * rad_continue_send_request() has given us `got' (non-zero). Deal with it. */ static void radius_Process(struct radius *r, int got) { char *argv[MAXARGS], *nuke; struct bundle *bundle; int argc, addrs, res, width; size_t len; struct ncprange dest; struct ncpaddr gw; const void *data; const char *stype; u_int32_t ipaddr, vendor; struct in_addr ip; #ifndef NOINET6 uint8_t ipv6addr[INET6_ADDRSTRLEN]; struct in6_addr ip6; #endif r->cx.fd = -1; /* Stop select()ing */ stype = r->cx.auth ? "auth" : "acct"; switch (got) { case RAD_ACCESS_ACCEPT: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius(%s): ACCEPT received\n", stype); if (!r->cx.auth) { rad_close(r->cx.rad); return; } break; case RAD_ACCESS_REJECT: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius(%s): REJECT received\n", stype); if (!r->cx.auth) { rad_close(r->cx.rad); return; } break; case RAD_ACCESS_CHALLENGE: /* we can't deal with this (for now) ! */ log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "Radius: CHALLENGE received (can't handle yet)\n"); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; case RAD_ACCOUNTING_RESPONSE: /* * It's probably not ideal to log this at PHASE level as we'll see * too much stuff going to the log when ``set rad_alive'' is used. * So we differ from older behaviour (ppp version 3.1 and before) * and just log accounting responses to LogRADIUS. */ log_Printf(LogRADIUS, "Radius(%s): Accounting response received\n", stype); if (r->cx.auth) auth_Failure(r->cx.auth); /* unexpected !!! */ /* No further processing for accounting requests, please */ rad_close(r->cx.rad); return; case -1: log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, "radius(%s): %s\n", stype, rad_strerror(r->cx.rad)); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; default: log_Printf(LogERROR, "rad_send_request(%s): Failed %d: %s\n", stype, got, rad_strerror(r->cx.rad)); if (r->cx.auth) auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } /* Let's see what we've got in our reply */ r->ip.s_addr = r->mask.s_addr = INADDR_NONE; r->mtu = 0; r->vj = 0; while ((res = rad_get_attr(r->cx.rad, &data, &len)) > 0) { switch (res) { case RAD_FRAMED_IP_ADDRESS: r->ip = rad_cvt_addr(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IP %s\n", inet_ntoa(r->ip)); break; case RAD_FILTER_ID: free(r->filterid); if ((r->filterid = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Filter \"%s\"\n", r->filterid); break; case RAD_SESSION_TIMEOUT: r->sessiontime = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Session-Timeout %lu\n", r->sessiontime); break; case RAD_FRAMED_IP_NETMASK: r->mask = rad_cvt_addr(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Netmask %s\n", inet_ntoa(r->mask)); break; case RAD_FRAMED_MTU: r->mtu = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MTU %lu\n", r->mtu); break; case RAD_FRAMED_ROUTING: /* Disabled for now - should we automatically set up some filters ? */ /* rad_cvt_int(data); */ /* bit 1 = Send routing packets */ /* bit 2 = Receive routing packets */ break; case RAD_FRAMED_COMPRESSION: r->vj = rad_cvt_int(data) == 1 ? 1 : 0; log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " VJ %sabled\n", r->vj ? "en" : "dis"); break; case RAD_FRAMED_ROUTE: /* * We expect a string of the format ``dest[/bits] gw [metrics]'' * Any specified metrics are ignored. MYADDR and HISADDR are * understood for ``dest'' and ``gw'' and ``0.0.0.0'' is the same * as ``HISADDR''. */ if ((nuke = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Route: %s\n", nuke); bundle = r->cx.auth->physical->dl->bundle; ip.s_addr = INADDR_ANY; ncpaddr_setip4(&gw, ip); ncprange_setip4host(&dest, ip); argc = command_Interpret(nuke, strlen(nuke), argv); if (argc < 0) log_Printf(LogWARN, "radius: %s: Syntax error\n", argc == 1 ? argv[0] : "\"\""); else if (argc < 2) log_Printf(LogWARN, "radius: %s: Invalid route\n", argc == 1 ? argv[0] : "\"\""); else if ((strcasecmp(argv[0], "default") != 0 && !ncprange_aton(&dest, &bundle->ncp, argv[0])) || !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) log_Printf(LogWARN, "radius: %s %s: Invalid route\n", argv[0], argv[1]); else { ncprange_getwidth(&dest, &width); if (width == 32 && strchr(argv[0], '/') == NULL) { /* No mask specified - use the natural mask */ ncprange_getip4addr(&dest, &ip); ncprange_setip4mask(&dest, addr2mask(ip)); } addrs = 0; if (!strncasecmp(argv[0], "HISADDR", 7)) addrs = ROUTE_DSTHISADDR; else if (!strncasecmp(argv[0], "MYADDR", 6)) addrs = ROUTE_DSTMYADDR; if (ncpaddr_getip4addr(&gw, &ipaddr) && ipaddr == INADDR_ANY) { addrs |= ROUTE_GWHISADDR; ncpaddr_setip4(&gw, bundle->ncp.ipcp.peer_ip); } else if (strcasecmp(argv[1], "HISADDR") == 0) addrs |= ROUTE_GWHISADDR; route_Add(&r->routes, addrs, &dest, &gw); } free(nuke); break; case RAD_REPLY_MESSAGE: free(r->repstr); if ((r->repstr = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " Reply-Message \"%s\"\n", r->repstr); break; #ifndef NOINET6 case RAD_FRAMED_IPV6_PREFIX: free(r->ipv6prefix); if ((r->ipv6prefix = rad_cvt_ipv6prefix(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_ipv6prefix: %s\n", "Malformed attribute in response"); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } inet_ntop(AF_INET6, &r->ipv6prefix[2], ipv6addr, sizeof(ipv6addr)); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IPv6 %s/%d\n", ipv6addr, r->ipv6prefix[1]); break; case RAD_FRAMED_IPV6_ROUTE: /* * We expect a string of the format ``dest[/bits] gw [metrics]'' * Any specified metrics are ignored. MYADDR6 and HISADDR6 are * understood for ``dest'' and ``gw'' and ``::'' is the same * as ``HISADDR6''. */ if ((nuke = rad_cvt_string(data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " IPv6 Route: %s\n", nuke); bundle = r->cx.auth->physical->dl->bundle; ncpaddr_setip6(&gw, &in6addr_any); ncprange_set(&dest, &gw, 0); argc = command_Interpret(nuke, strlen(nuke), argv); if (argc < 0) log_Printf(LogWARN, "radius: %s: Syntax error\n", argc == 1 ? argv[0] : "\"\""); else if (argc < 2) log_Printf(LogWARN, "radius: %s: Invalid route\n", argc == 1 ? argv[0] : "\"\""); else if ((strcasecmp(argv[0], "default") != 0 && !ncprange_aton(&dest, &bundle->ncp, argv[0])) || !ncpaddr_aton(&gw, &bundle->ncp, argv[1])) log_Printf(LogWARN, "radius: %s %s: Invalid route\n", argv[0], argv[1]); else { addrs = 0; if (!strncasecmp(argv[0], "HISADDR6", 8)) addrs = ROUTE_DSTHISADDR6; else if (!strncasecmp(argv[0], "MYADDR6", 7)) addrs = ROUTE_DSTMYADDR6; if (ncpaddr_getip6(&gw, &ip6) && IN6_IS_ADDR_UNSPECIFIED(&ip6)) { addrs |= ROUTE_GWHISADDR6; ncpaddr_copy(&gw, &bundle->ncp.ipv6cp.hisaddr); } else if (strcasecmp(argv[1], "HISADDR6") == 0) addrs |= ROUTE_GWHISADDR6; route_Add(&r->ipv6routes, addrs, &dest, &gw); } free(nuke); break; #endif case RAD_VENDOR_SPECIFIC: if ((res = rad_get_vendor_attr(&vendor, &data, &len)) <= 0) { log_Printf(LogERROR, "rad_get_vendor_attr: %s (failing!)\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } switch (vendor) { case RAD_VENDOR_MICROSOFT: switch (res) { #ifndef NODES case RAD_MICROSOFT_MS_CHAP_ERROR: free(r->errstr); if (len == 0) r->errstr = NULL; else { if (len < 3 || ((const char *)data)[1] != '=') { /* * Only point at the String field if we don't think the * peer has misformatted the response. */ data = (const char *)data + 1; len--; } else log_Printf(LogWARN, "Warning: The MS-CHAP-Error " "attribute is mis-formatted. Compensating\n"); if ((r->errstr = rad_cvt_string((const char *)data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-CHAP-Error \"%s\"\n", r->errstr); } break; case RAD_MICROSOFT_MS_CHAP2_SUCCESS: free(r->msrepstr); if (len == 0) r->msrepstr = NULL; else { if (len < 3 || ((const char *)data)[1] != '=') { /* * Only point at the String field if we don't think the * peer has misformatted the response. */ data = (const char *)data + 1; len--; } else log_Printf(LogWARN, "Warning: The MS-CHAP2-Success " "attribute is mis-formatted. Compensating\n"); if ((r->msrepstr = rad_cvt_string((const char *)data, len)) == NULL) { log_Printf(LogERROR, "rad_cvt_string: %s\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); rad_close(r->cx.rad); return; } log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-CHAP2-Success \"%s\"\n", r->msrepstr); } break; case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY: r->mppe.policy = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Encryption-Policy %s\n", radius_policyname(r->mppe.policy)); break; case RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES: r->mppe.types = rad_cvt_int(data); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Encryption-Types %s\n", radius_typesname(r->mppe.types)); break; case RAD_MICROSOFT_MS_MPPE_RECV_KEY: free(r->mppe.recvkey); demangle(r, data, len, &r->mppe.recvkey, &r->mppe.recvkeylen); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Recv-Key ********\n"); break; case RAD_MICROSOFT_MS_MPPE_SEND_KEY: demangle(r, data, len, &r->mppe.sendkey, &r->mppe.sendkeylen); log_Printf(log_IsKept(LogRADIUS) ? LogRADIUS : LogPHASE, " MS-MPPE-Send-Key ********\n"); break; #endif default: log_Printf(LogDEBUG, "Dropping MICROSOFT vendor specific " "RADIUS attribute %d\n", res); break; } break; default: log_Printf(LogDEBUG, "Dropping vendor %lu RADIUS attribute %d\n", (unsigned long)vendor, res); break; } break; default: log_Printf(LogDEBUG, "Dropping RADIUS attribute %d\n", res); break; } } if (res == -1) { log_Printf(LogERROR, "rad_get_attr: %s (failing!)\n", rad_strerror(r->cx.rad)); auth_Failure(r->cx.auth); } else if (got == RAD_ACCESS_REJECT) auth_Failure(r->cx.auth); else { r->valid = 1; auth_Success(r->cx.auth); } rad_close(r->cx.rad); }
int iface_Show(struct cmdargs const *arg) { struct ncpaddr ncpaddr; struct iface *iface = arg->bundle->iface, *current; unsigned f; int flags; #ifndef NOINET6 int scopeid, width; #endif struct in_addr mask; current = iface_Create(iface->name); flags = iface->flags = current->flags; iface_Free(current); prompt_Printf(arg->prompt, "%s (idx %d) <", iface->name, iface->index); for (f = 0; f < sizeof if_flags / sizeof if_flags[0]; f++) if ((if_flags[f].flag & flags)) { prompt_Printf(arg->prompt, "%s%s", flags == iface->flags ? "" : ",", if_flags[f].value); flags &= ~if_flags[f].flag; } #if 0 if (flags) prompt_Printf(arg->prompt, "%s0x%x", flags == iface->flags ? "" : ",", flags); #endif prompt_Printf(arg->prompt, "> mtu %lu has %d address%s:\n", iface->mtu, iface->addrs, iface->addrs == 1 ? "" : "es"); for (f = 0; f < iface->addrs; f++) { ncprange_getaddr(&iface->addr[f].ifa, &ncpaddr); switch (ncprange_family(&iface->addr[f].ifa)) { case AF_INET: prompt_Printf(arg->prompt, " inet %s --> ", ncpaddr_ntoa(&ncpaddr)); if (ncpaddr_family(&iface->addr[f].peer) == AF_UNSPEC) prompt_Printf(arg->prompt, "255.255.255.255"); else prompt_Printf(arg->prompt, "%s", ncpaddr_ntoa(&iface->addr[f].peer)); ncprange_getip4mask(&iface->addr[f].ifa, &mask); prompt_Printf(arg->prompt, " netmask 0x%08lx", (long)ntohl(mask.s_addr)); break; #ifndef NOINET6 case AF_INET6: prompt_Printf(arg->prompt, " inet6 %s", ncpaddr_ntoa(&ncpaddr)); if (ncpaddr_family(&iface->addr[f].peer) != AF_UNSPEC) prompt_Printf(arg->prompt, " --> %s", ncpaddr_ntoa(&iface->addr[f].peer)); ncprange_getwidth(&iface->addr[f].ifa, &width); if (ncpaddr_family(&iface->addr[f].peer) == AF_UNSPEC) prompt_Printf(arg->prompt, " prefixlen %d", width); if ((scopeid = ncprange_scopeid(&iface->addr[f].ifa)) != -1) prompt_Printf(arg->prompt, " scopeid 0x%x", (unsigned)scopeid); break; #endif } prompt_Printf(arg->prompt, "\n"); } return 0; }
static int filter_Parse(struct ncp *ncp, int argc, char const *const *argv, struct filterent *ofp) { struct filterent fe; struct protoent *pe; char *wp; int action, family, ruleno, val, width; ruleno = strtol(*argv, &wp, 0); if (*argv == wp || ruleno >= MAXFILTERS) { log_Printf(LogWARN, "Parse: invalid filter number.\n"); return 0; } if (ruleno < 0) { for (ruleno = 0; ruleno < MAXFILTERS; ruleno++) { ofp->f_action = A_NONE; ofp++; } log_Printf(LogWARN, "Parse: filter cleared.\n"); return 1; } ofp += ruleno; if (--argc == 0) { log_Printf(LogWARN, "Parse: missing action.\n"); return 0; } argv++; memset(&fe, '\0', sizeof fe); val = strtol(*argv, &wp, 0); if (!*wp && val >= 0 && val < MAXFILTERS) { if (val <= ruleno) { log_Printf(LogWARN, "Parse: Can only jump forward from rule %d\n", ruleno); return 0; } action = val; } else if (!strcmp(*argv, "permit")) { action = A_PERMIT; } else if (!strcmp(*argv, "deny")) { action = A_DENY; } else if (!strcmp(*argv, "clear")) { ofp->f_action = A_NONE; return 1; } else { log_Printf(LogWARN, "Parse: %s: bad action\n", *argv); return 0; } fe.f_action = action; argc--; argv++; if (argc && argv[0][0] == '!' && !argv[0][1]) { fe.f_invert = 1; argc--; argv++; } ncprange_init(&fe.f_src); ncprange_init(&fe.f_dst); if (argc == 0) pe = NULL; else if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) { if (argc < 2) { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } else if (strcasecmp(*argv, "any") == 0 || ncprange_aton(&fe.f_src, ncp, *argv)) { family = ncprange_family(&fe.f_src); if (!ncprange_getwidth(&fe.f_src, &width)) width = 0; if (width == 0) ncprange_init(&fe.f_src); fe.f_srctype = addrtype(*argv); argc--; argv++; if (strcasecmp(*argv, "any") == 0 || ncprange_aton(&fe.f_dst, ncp, *argv)) { if (ncprange_family(&fe.f_dst) != AF_UNSPEC && ncprange_family(&fe.f_src) != AF_UNSPEC && family != ncprange_family(&fe.f_dst)) { log_Printf(LogWARN, "Parse: src and dst address families differ\n"); return 0; } if (!ncprange_getwidth(&fe.f_dst, &width)) width = 0; if (width == 0) ncprange_init(&fe.f_dst); fe.f_dsttype = addrtype(*argv); argc--; argv++; } else { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } if (argc) { if ((pe = getprotobyname(*argv)) == NULL && strcmp(*argv, "all") != 0) { log_Printf(LogWARN, "Parse: %s: Protocol expected\n", *argv); return 0; } else { argc--; argv++; } } } else { log_Printf(LogWARN, "Parse: Protocol or address pair expected\n"); return 0; } } else { argc--; argv++; } if (argc >= 2 && strcmp(*argv, "timeout") == 0) { fe.timeout = strtoul(argv[1], NULL, 10); argc -= 2; argv += 2; } val = 1; fe.f_proto = (pe == NULL) ? 0 : pe->p_proto; switch (fe.f_proto) { case IPPROTO_TCP: case IPPROTO_UDP: case IPPROTO_IPIP: #ifndef NOINET6 case IPPROTO_IPV6: #endif val = ParseUdpOrTcp(argc, argv, pe, &fe); break; case IPPROTO_ICMP: #ifndef NOINET6 case IPPROTO_ICMPV6: #endif val = ParseIcmp(argc, argv, &fe); break; default: val = ParseGeneric(argc, &fe); break; } log_Printf(LogDEBUG, "Parse: Src: %s\n", ncprange_ntoa(&fe.f_src)); log_Printf(LogDEBUG, "Parse: Dst: %s\n", ncprange_ntoa(&fe.f_dst)); log_Printf(LogDEBUG, "Parse: Proto: %d\n", fe.f_proto); log_Printf(LogDEBUG, "Parse: src: %s (%d)\n", filter_Op2Nam(fe.f_srcop), fe.f_srcport); log_Printf(LogDEBUG, "Parse: dst: %s (%d)\n", filter_Op2Nam(fe.f_dstop), fe.f_dstport); log_Printf(LogDEBUG, "Parse: estab: %u\n", fe.f_estab); log_Printf(LogDEBUG, "Parse: syn: %u\n", fe.f_syn); log_Printf(LogDEBUG, "Parse: finrst: %u\n", fe.f_finrst); if (val) *ofp = fe; return val; }