1 /* $OpenBSD: radiusd.c,v 1.20 2017/06/13 05:40:22 yasuoka Exp $ */ 2 3 /* 4 * Copyright (c) 2013 Internet Initiative Japan Inc. 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/types.h> 20 #include <sys/socket.h> 21 #include <sys/queue.h> 22 #include <sys/uio.h> 23 #include <sys/wait.h> 24 #include <netinet/in.h> 25 26 #include <dlfcn.h> 27 #include <err.h> 28 #include <errno.h> 29 #include <event.h> 30 #include <fcntl.h> 31 #include <fnmatch.h> 32 #include <imsg.h> 33 #include <md5.h> 34 #include <netdb.h> 35 #include <pwd.h> 36 #include <signal.h> 37 #include <stdbool.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 #include <string.h> 41 #include <syslog.h> 42 #include <unistd.h> 43 #include <util.h> 44 45 #include <radius.h> 46 47 #include "radiusd.h" 48 #include "radiusd_local.h" 49 #include "log.h" 50 #include "util.h" 51 #include "imsg_subr.h" 52 53 static int radiusd_start(struct radiusd *); 54 static void radiusd_stop(struct radiusd *); 55 static void radiusd_free(struct radiusd *); 56 static void radiusd_listen_on_event(int, short, void *); 57 static void radiusd_on_sigterm(int, short, void *); 58 static void radiusd_on_sigint(int, short, void *); 59 static void radiusd_on_sighup(int, short, void *); 60 static void radiusd_on_sigchld(int, short, void *); 61 static int radius_query_request_decoration(struct radius_query *); 62 static int radius_query_response_decoration( 63 struct radius_query *); 64 static const char *radius_code_string(int); 65 static int radiusd_access_response_fixup (struct radius_query *); 66 67 68 69 static void radiusd_module_reset_ev_handler( 70 struct radiusd_module *); 71 static int radiusd_module_imsg_read(struct radiusd_module *, 72 bool); 73 static void radiusd_module_imsg(struct radiusd_module *, 74 struct imsg *); 75 76 static struct radiusd_module_radpkt_arg * 77 radiusd_module_recv_radpkt(struct radiusd_module *, 78 struct imsg *, uint32_t, const char *); 79 static void radiusd_module_on_imsg_io(int, short, void *); 80 void radiusd_module_start(struct radiusd_module *); 81 void radiusd_module_stop(struct radiusd_module *); 82 static void radiusd_module_close(struct radiusd_module *); 83 static void radiusd_module_userpass(struct radiusd_module *, 84 struct radius_query *); 85 static void radiusd_module_access_request(struct radiusd_module *, 86 struct radius_query *); 87 88 static u_int radius_query_id_seq = 0; 89 int debug = 0; 90 91 static __dead void 92 usage(void) 93 { 94 extern char *__progname; 95 96 fprintf(stderr, "usage: %s [-dn] [-f file]\n", __progname); 97 exit(EXIT_FAILURE); 98 } 99 100 int 101 main(int argc, char *argv[]) 102 { 103 extern char *__progname; 104 const char *conffile = CONFFILE; 105 int ch; 106 struct radiusd *radiusd; 107 bool noaction = false; 108 struct passwd *pw; 109 110 while ((ch = getopt(argc, argv, "df:n")) != -1) 111 switch (ch) { 112 case 'd': 113 debug++; 114 break; 115 116 case 'f': 117 conffile = optarg; 118 break; 119 120 case 'n': 121 noaction = true; 122 break; 123 124 default: 125 usage(); 126 /* NOTREACHED */ 127 } 128 129 argc -= optind; 130 argv += optind; 131 132 if (argc != 0) 133 usage(); 134 135 if ((radiusd = calloc(1, sizeof(*radiusd))) == NULL) 136 err(1, "calloc"); 137 TAILQ_INIT(&radiusd->listen); 138 TAILQ_INIT(&radiusd->query); 139 140 log_init(debug); 141 if (parse_config(conffile, radiusd) != 0) 142 errx(EXIT_FAILURE, "config error"); 143 if (noaction) { 144 fprintf(stderr, "configuration OK\n"); 145 exit(EXIT_SUCCESS); 146 } 147 148 if (debug == 0) 149 daemon(0, 0); 150 event_init(); 151 152 if ((pw = getpwnam(RADIUSD_USER)) == NULL) 153 errx(EXIT_FAILURE, "user `%s' is not found in password " 154 "database", RADIUSD_USER); 155 156 if (chroot(pw->pw_dir) == -1) 157 err(EXIT_FAILURE, "chroot"); 158 if (chdir("/") == -1) 159 err(EXIT_FAILURE, "chdir(\"/\")"); 160 161 if (setgroups(1, &pw->pw_gid) || 162 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 163 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 164 err(EXIT_FAILURE, "cannot drop privileges"); 165 166 signal(SIGPIPE, SIG_IGN); 167 openlog(NULL, LOG_PID, LOG_DAEMON); 168 169 signal_set(&radiusd->ev_sigterm, SIGTERM, radiusd_on_sigterm, radiusd); 170 signal_set(&radiusd->ev_sigint, SIGINT, radiusd_on_sigint, radiusd); 171 signal_set(&radiusd->ev_sighup, SIGHUP, radiusd_on_sighup, radiusd); 172 signal_set(&radiusd->ev_sigchld, SIGCHLD, radiusd_on_sigchld, radiusd); 173 174 if (radiusd_start(radiusd) != 0) 175 errx(EXIT_FAILURE, "start failed"); 176 177 #ifdef RADIUSD_DEBUG 178 if (pledge("stdio inet proc", NULL) == -1) 179 err(EXIT_FAILURE, "pledge"); 180 #else 181 if (pledge("stdio inet", NULL) == -1) 182 err(EXIT_FAILURE, "pledge"); 183 #endif 184 185 if (event_loop(0) < 0) 186 radiusd_stop(radiusd); 187 188 radiusd_free(radiusd); 189 event_base_free(NULL); 190 191 exit(EXIT_SUCCESS); 192 } 193 194 static int 195 radiusd_start(struct radiusd *radiusd) 196 { 197 struct radiusd_listen *l; 198 struct radiusd_module *module; 199 int s; 200 char hbuf[NI_MAXHOST]; 201 202 TAILQ_FOREACH(l, &radiusd->listen, next) { 203 if (getnameinfo( 204 (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len, 205 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0) { 206 log_warn("%s: getnameinfo()", __func__); 207 goto on_error; 208 } 209 if ((s = socket(l->addr.ipv4.sin_family, 210 l->stype | SOCK_NONBLOCK, l->sproto)) < 0) { 211 log_warn("Listen %s port %d is failed: socket()", 212 hbuf, (int)htons(l->addr.ipv4.sin_port)); 213 goto on_error; 214 } 215 if (bind(s, (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len) 216 != 0) { 217 log_warn("Listen %s port %d is failed: bind()", 218 hbuf, (int)htons(l->addr.ipv4.sin_port)); 219 close(s); 220 goto on_error; 221 } 222 if (l->addr.ipv4.sin_family == AF_INET) 223 log_info("Start listening on %s:%d/udp", hbuf, 224 (int)ntohs(l->addr.ipv4.sin_port)); 225 else 226 log_info("Start listening on [%s]:%d/udp", hbuf, 227 (int)ntohs(l->addr.ipv4.sin_port)); 228 event_set(&l->ev, s, EV_READ | EV_PERSIST, 229 radiusd_listen_on_event, l); 230 if (event_add(&l->ev, NULL) != 0) { 231 log_warn("event_add() failed at %s()", __func__); 232 close(s); 233 goto on_error; 234 } 235 l->sock = s; 236 l->radiusd = radiusd; 237 } 238 239 signal_add(&radiusd->ev_sigterm, NULL); 240 signal_add(&radiusd->ev_sigint, NULL); 241 signal_add(&radiusd->ev_sighup, NULL); 242 signal_add(&radiusd->ev_sigchld, NULL); 243 244 TAILQ_FOREACH(module, &radiusd->module, next) { 245 radiusd_module_start(module); 246 } 247 248 return (0); 249 on_error: 250 radiusd_stop(radiusd); 251 252 return (-1); 253 } 254 255 static void 256 radiusd_stop(struct radiusd *radiusd) 257 { 258 char hbuf[NI_MAXHOST]; 259 struct radiusd_listen *l; 260 struct radiusd_module *module; 261 262 TAILQ_FOREACH_REVERSE(l, &radiusd->listen, radiusd_listen_head, next) { 263 if (l->sock >= 0) { 264 if (getnameinfo( 265 (struct sockaddr *)&l->addr, l->addr.ipv4.sin_len, 266 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0) 267 strlcpy(hbuf, "error", sizeof(hbuf)); 268 if (l->addr.ipv4.sin_family == AF_INET) 269 log_info("Stop listening on %s:%d/udp", hbuf, 270 (int)ntohs(l->addr.ipv4.sin_port)); 271 else 272 log_info("Stop listening on [%s]:%d/udp", hbuf, 273 (int)ntohs(l->addr.ipv4.sin_port)); 274 event_del(&l->ev); 275 close(l->sock); 276 } 277 l->sock = -1; 278 } 279 TAILQ_FOREACH(module, &radiusd->module, next) { 280 radiusd_module_stop(module); 281 radiusd_module_close(module); 282 } 283 if (signal_pending(&radiusd->ev_sigterm, NULL)) 284 signal_del(&radiusd->ev_sigterm); 285 if (signal_pending(&radiusd->ev_sigint, NULL)) 286 signal_del(&radiusd->ev_sigint); 287 if (signal_pending(&radiusd->ev_sighup, NULL)) 288 signal_del(&radiusd->ev_sighup); 289 if (signal_pending(&radiusd->ev_sigchld, NULL)) 290 signal_del(&radiusd->ev_sigchld); 291 } 292 293 static void 294 radiusd_free(struct radiusd *radiusd) 295 { 296 int i; 297 struct radiusd_listen *listn, *listnt; 298 struct radiusd_client *client, *clientt; 299 struct radiusd_module *module, *modulet; 300 struct radiusd_module_ref *modref, *modreft; 301 struct radiusd_authentication *authen, *authent; 302 303 TAILQ_FOREACH_SAFE(authen, &radiusd->authen, next, authent) { 304 TAILQ_REMOVE(&radiusd->authen, authen, next); 305 free(authen->auth); 306 TAILQ_FOREACH_SAFE(modref, &authen->deco, next, modreft) { 307 TAILQ_REMOVE(&authen->deco, modref, next); 308 free(modref); 309 } 310 for (i = 0; authen->username[i] != NULL; i++) 311 free(authen->username[i]); 312 free(authen->username); 313 free(authen); 314 } 315 TAILQ_FOREACH_SAFE(module, &radiusd->module, next, modulet) { 316 TAILQ_REMOVE(&radiusd->module, module, next); 317 radiusd_module_unload(module); 318 } 319 TAILQ_FOREACH_SAFE(client, &radiusd->client, next, clientt) { 320 TAILQ_REMOVE(&radiusd->client, client, next); 321 explicit_bzero(client->secret, sizeof(client->secret)); 322 free(client); 323 } 324 TAILQ_FOREACH_SAFE(listn, &radiusd->listen, next, listnt) { 325 TAILQ_REMOVE(&radiusd->listen, listn, next); 326 free(listn); 327 } 328 free(radiusd); 329 } 330 331 /*********************************************************************** 332 * Network event handlers 333 ***********************************************************************/ 334 #define IPv4_cmp(_in, _addr, _mask) ( \ 335 ((_in)->s_addr & (_mask)->addr.ipv4.s_addr) == \ 336 (_addr)->addr.ipv4.s_addr) 337 #define s6_addr32(_in6) ((uint32_t *)(_in6)->s6_addr) 338 #define IPv6_cmp(_in6, _addr, _mask) ( \ 339 ((s6_addr32(_in6)[3] & (_mask)->addr.addr32[3]) \ 340 == (_addr)->addr.addr32[3]) && \ 341 ((s6_addr32(_in6)[2] & (_mask)->addr.addr32[2]) \ 342 == (_addr)->addr.addr32[2]) && \ 343 ((s6_addr32(_in6)[1] & (_mask)->addr.addr32[1]) \ 344 == (_addr)->addr.addr32[1]) && \ 345 ((s6_addr32(_in6)[0] & (_mask)->addr.addr32[0]) \ 346 == (_addr)->addr.addr32[0])) 347 348 static void 349 radiusd_listen_on_event(int fd, short evmask, void *ctx) 350 { 351 int i, sz, req_id, req_code; 352 struct radiusd_listen *listn = ctx; 353 static u_char buf[65535]; 354 static char username[256]; 355 struct sockaddr_storage peer; 356 socklen_t peersz; 357 RADIUS_PACKET *packet = NULL; 358 char peerstr[NI_MAXHOST + NI_MAXSERV + 30]; 359 struct radiusd_authentication *authen; 360 struct radiusd_client *client; 361 struct radius_query *q; 362 #define in(_x) (((struct sockaddr_in *)_x)->sin_addr) 363 #define in6(_x) (((struct sockaddr_in6 *)_x)->sin6_addr) 364 365 if (evmask & EV_READ) { 366 peersz = sizeof(peer); 367 if ((sz = recvfrom(listn->sock, buf, sizeof(buf), 0, 368 (struct sockaddr *)&peer, &peersz)) < 0) { 369 if (errno == EAGAIN) 370 return; 371 log_warn("%s: recvfrom() failed", __func__); 372 goto on_error; 373 } 374 RADIUSD_ASSERT(peer.ss_family == AF_INET || 375 peer.ss_family == AF_INET6); 376 377 /* prepare some information about this messages */ 378 if (addrport_tostring((struct sockaddr *)&peer, peersz, 379 peerstr, sizeof(peerstr)) == NULL) { 380 log_warn("%s: getnameinfo() failed", __func__); 381 goto on_error; 382 } 383 if ((packet = radius_convert_packet(buf, sz)) == NULL) { 384 log_warn("%s: radius_convert_packet() failed", 385 __func__); 386 goto on_error; 387 } 388 req_id = radius_get_id(packet); 389 req_code = radius_get_code(packet); 390 391 /* 392 * Find a matching `client' entry 393 */ 394 TAILQ_FOREACH(client, &listn->radiusd->client, next) { 395 if (client->af != peer.ss_family) 396 continue; 397 if (peer.ss_family == AF_INET && 398 IPv4_cmp(&((struct sockaddr_in *)&peer)->sin_addr, 399 &client->addr, &client->mask)) 400 break; 401 else if (peer.ss_family == AF_INET6 && 402 IPv6_cmp(&((struct sockaddr_in6 *)&peer)->sin6_addr, 403 &client->addr, &client->mask)) 404 break; 405 } 406 if (client == NULL) { 407 log_warnx("Received %s(code=%d) from %s id=%d: " 408 "no `client' matches", radius_code_string(req_code), 409 req_code, peerstr, req_id); 410 goto on_error; 411 } 412 413 /* Check the client's Message-Authenticator */ 414 if (client->msgauth_required && 415 !radius_has_attr(packet, 416 RADIUS_TYPE_MESSAGE_AUTHENTICATOR)) { 417 log_warnx("Received %s(code=%d) from %s id=%d: " 418 "no message authenticator", 419 radius_code_string(req_code), req_code, peerstr, 420 req_id); 421 goto on_error; 422 } 423 424 if (radius_has_attr(packet, 425 RADIUS_TYPE_MESSAGE_AUTHENTICATOR) && 426 radius_check_message_authenticator(packet, client->secret) 427 != 0) { 428 log_warnx("Received %s(code=%d) from %s id=%d: " 429 "bad message authenticator", 430 radius_code_string(req_code), req_code, peerstr, 431 req_id); 432 goto on_error; 433 } 434 435 /* 436 * Find a duplicate request. In RFC 2865, it has the same 437 * source IP address and source UDP port and Identifier. 438 */ 439 TAILQ_FOREACH(q, &listn->radiusd->query, next) { 440 if (peer.ss_family == q->clientaddr.ss_family && 441 ((peer.ss_family == AF_INET && 442 in(&q->clientaddr).s_addr == 443 in(&peer).s_addr) || 444 (peer.ss_family == AF_INET6 && 445 IN6_ARE_ADDR_EQUAL( 446 &in6(&q->clientaddr), &in6(&peer)))) && 447 ((struct sockaddr_in *)&q->clientaddr)->sin_port == 448 ((struct sockaddr_in *)&peer)->sin_port && 449 req_id == q->req_id) 450 break; /* found it */ 451 } 452 if (q != NULL) { 453 log_info("Received %s(code=%d) from %s id=%d: " 454 "duplicate request by q=%u", 455 radius_code_string(req_code), req_code, peerstr, 456 req_id, q->id); 457 /* XXX RFC 5080 suggests to answer the cached result */ 458 goto on_error; 459 } 460 461 /* FIXME: we can support other request codes */ 462 if (req_code != RADIUS_CODE_ACCESS_REQUEST) { 463 log_info("Received %s(code=%d) from %s id=%d: %s " 464 "is not supported in this implementation", 465 radius_code_string(req_code), req_code, peerstr, 466 req_id, radius_code_string(req_code)); 467 goto on_error; 468 } 469 470 /* 471 * Find a matching `authenticate' entry 472 */ 473 if (radius_get_string_attr(packet, RADIUS_TYPE_USER_NAME, 474 username, sizeof(username)) != 0) { 475 log_info("Received %s(code=%d) from %s id=%d: " 476 "no User-Name attribute", 477 radius_code_string(req_code), req_code, peerstr, 478 req_id); 479 goto on_error; 480 } 481 TAILQ_FOREACH(authen, &listn->radiusd->authen, next) { 482 for (i = 0; authen->username[i] != NULL; i++) { 483 if (fnmatch(authen->username[i], username, 0) 484 == 0) 485 goto found; 486 } 487 } 488 if (authen == NULL) { 489 log_warnx("Received %s(code=%d) from %s id=%d " 490 "username=%s: no `authenticate' matches.", 491 radius_code_string(req_code), req_code, peerstr, 492 req_id, username); 493 goto on_error; 494 } 495 found: 496 if (!MODULE_DO_USERPASS(authen->auth->module) && 497 !MODULE_DO_ACCSREQ(authen->auth->module)) { 498 log_warnx("Received %s(code=%d) from %s id=%d " 499 "username=%s: module `%s' is not running.", 500 radius_code_string(req_code), req_code, peerstr, 501 req_id, username, authen->auth->module->name); 502 goto on_error; 503 } 504 if ((q = calloc(1, sizeof(struct radius_query))) == NULL) { 505 log_warn("%s: Out of memory", __func__); 506 goto on_error; 507 } 508 memcpy(&q->clientaddr, &peer, peersz); 509 strlcpy(q->username, username, sizeof(q->username)); 510 q->id = ++radius_query_id_seq; 511 q->clientaddrlen = peersz; 512 q->authen = authen; 513 q->listen = listn; 514 q->req = packet; 515 q->client = client; 516 q->req_id = req_id; 517 radius_get_authenticator(packet, q->req_auth); 518 519 if (radius_query_request_decoration(q) != 0) { 520 log_warnx( 521 "Received %s(code=%d) from %s id=%d username=%s " 522 "q=%u: failed to decorate the request", 523 radius_code_string(req_code), req_code, peerstr, 524 q->req_id, q->username, q->id); 525 radiusd_access_request_aborted(q); 526 return; 527 } 528 log_info("Received %s(code=%d) from %s id=%d username=%s " 529 "q=%u: `%s' authentication is starting", 530 radius_code_string(req_code), req_code, peerstr, q->req_id, 531 q->username, q->id, q->authen->auth->module->name); 532 TAILQ_INSERT_TAIL(&listn->radiusd->query, q, next); 533 534 if (MODULE_DO_ACCSREQ(authen->auth->module)) { 535 radiusd_module_access_request(authen->auth->module, q); 536 } else if (MODULE_DO_USERPASS(authen->auth->module)) 537 radiusd_module_userpass(authen->auth->module, q); 538 539 return; 540 } 541 on_error: 542 if (packet != NULL) 543 radius_delete_packet(packet); 544 #undef in 545 #undef in6 546 547 return; 548 } 549 550 static int 551 radius_query_request_decoration(struct radius_query *q) 552 { 553 struct radiusd_module_ref *deco; 554 555 TAILQ_FOREACH(deco, &q->authen->deco, next) { 556 /* XXX decoration doesn't work for this moment. */ 557 if (deco->module->request_decoration != NULL && 558 deco->module->request_decoration(NULL, q) != 0) { 559 log_warnx("q=%u request decoration `%s' failed", q->id, 560 deco->module->name); 561 return (-1); 562 } 563 } 564 565 return (0); 566 } 567 568 static int 569 radius_query_response_decoration(struct radius_query *q) 570 { 571 struct radiusd_module_ref *deco; 572 573 TAILQ_FOREACH(deco, &q->authen->deco, next) { 574 /* XXX decoration doesn't work for this moment. */ 575 if (deco->module->response_decoration != NULL && 576 deco->module->response_decoration(NULL, q) != 0) { 577 log_warnx("q=%u response decoration `%s' failed", q->id, 578 deco->module->name); 579 return (-1); 580 } 581 } 582 583 return (0); 584 } 585 586 /*********************************************************************** 587 * Callback functions from the modules 588 ***********************************************************************/ 589 void 590 radiusd_access_request_answer(struct radius_query *q) 591 { 592 int sz, res_id, res_code; 593 char buf[NI_MAXHOST + NI_MAXSERV + 30]; 594 const char *authen_secret = q->authen->auth->module->secret; 595 596 radius_set_request_packet(q->res, q->req); 597 598 if (authen_secret == NULL) { 599 /* 600 * The module couldn't check the autheticators 601 */ 602 if (radius_check_response_authenticator(q->res, 603 q->client->secret) != 0) { 604 log_info("Response from module has bad response " 605 "authenticator: id=%d", q->id); 606 goto on_error; 607 } 608 if (radius_has_attr(q->res, 609 RADIUS_TYPE_MESSAGE_AUTHENTICATOR) && 610 radius_check_message_authenticator(q->res, 611 q->client->secret) != 0) { 612 log_info("Response from module has bad message " 613 "authenticator: id=%d", q->id); 614 goto on_error; 615 } 616 } 617 618 /* Decorate the response */ 619 if (radius_query_response_decoration(q) != 0) 620 goto on_error; 621 622 if (radiusd_access_response_fixup(q) != 0) 623 goto on_error; 624 625 res_id = radius_get_id(q->res); 626 res_code = radius_get_code(q->res); 627 628 /* 629 * Reset response authenticator in the following cases: 630 * - response is modified by decorator 631 * - server's secret is differ from client's secret. 632 */ 633 if (q->res_modified > 0 || 634 (authen_secret != NULL && 635 strcmp(q->client->secret, authen_secret) != 0)) 636 radius_set_response_authenticator(q->res, q->client->secret); 637 638 log_info("Sending %s(code=%d) to %s id=%u q=%u", 639 radius_code_string(res_code), res_code, 640 addrport_tostring((struct sockaddr *)&q->clientaddr, 641 q->clientaddrlen, buf, sizeof(buf)), res_id, q->id); 642 643 if ((sz = sendto(q->listen->sock, radius_get_data(q->res), 644 radius_get_length(q->res), 0, 645 (struct sockaddr *)&q->clientaddr, q->clientaddrlen)) <= 0) 646 log_warn("Sending a RADIUS response failed"); 647 on_error: 648 radiusd_access_request_aborted(q); 649 } 650 651 void 652 radiusd_access_request_aborted(struct radius_query *q) 653 { 654 if (q->req != NULL) 655 radius_delete_packet(q->req); 656 if (q->res != NULL) 657 radius_delete_packet(q->res); 658 TAILQ_REMOVE(&q->listen->radiusd->query, q, next); 659 free(q); 660 } 661 662 /*********************************************************************** 663 * Signal handlers 664 ***********************************************************************/ 665 static void 666 radiusd_on_sigterm(int fd, short evmask, void *ctx) 667 { 668 struct radiusd *radiusd = ctx; 669 670 log_info("Received SIGTERM"); 671 radiusd_stop(radiusd); 672 } 673 674 static void 675 radiusd_on_sigint(int fd, short evmask, void *ctx) 676 { 677 struct radiusd *radiusd = ctx; 678 679 log_info("Received SIGINT"); 680 radiusd_stop(radiusd); 681 } 682 683 static void 684 radiusd_on_sighup(int fd, short evmask, void *ctx) 685 { 686 log_info("Received SIGHUP"); 687 } 688 689 static void 690 radiusd_on_sigchld(int fd, short evmask, void *ctx) 691 { 692 struct radiusd *radiusd = ctx; 693 struct radiusd_module *module; 694 pid_t pid; 695 int status; 696 697 log_debug("Received SIGCHLD"); 698 while ((pid = wait3(&status, WNOHANG, NULL)) != 0) { 699 if (pid == -1) 700 break; 701 TAILQ_FOREACH(module, &radiusd->module, next) { 702 if (module->pid == pid) { 703 if (WIFEXITED(status)) 704 log_warnx("module `%s'(pid=%d) exited " 705 "with status %d", module->name, 706 (int)pid, WEXITSTATUS(status)); 707 else 708 log_warnx("module `%s'(pid=%d) exited " 709 "by signal %d", module->name, 710 (int)pid, WTERMSIG(status)); 711 break; 712 } 713 } 714 if (!module) { 715 if (WIFEXITED(status)) 716 log_warnx("unkown child process pid=%d exited " 717 "with status %d", (int)pid, 718 WEXITSTATUS(status)); 719 else 720 log_warnx("unkown child process pid=%d exited " 721 "by signal %d", (int)pid, 722 WTERMSIG(status)); 723 } 724 } 725 } 726 727 static const char * 728 radius_code_string(int code) 729 { 730 int i; 731 struct _codestrings { 732 int code; 733 const char *string; 734 } codestrings[] = { 735 { RADIUS_CODE_ACCESS_REQUEST, "Access-Request" }, 736 { RADIUS_CODE_ACCESS_ACCEPT, "Access-Accept" }, 737 { RADIUS_CODE_ACCESS_REJECT, "Access-Reject" }, 738 { RADIUS_CODE_ACCOUNTING_REQUEST, "Accounting-Request" }, 739 { RADIUS_CODE_ACCOUNTING_RESPONSE, "Accounting-Response" }, 740 { RADIUS_CODE_ACCESS_CHALLENGE, "Access-Challenge" }, 741 { RADIUS_CODE_STATUS_SERVER, "Status-Server" }, 742 { RADIUS_CODE_STATUS_CLIENT, "Status-Clinet" }, 743 { -1, NULL } 744 }; 745 746 for (i = 0; codestrings[i].code != -1; i++) 747 if (codestrings[i].code == code) 748 return (codestrings[i].string); 749 750 return ("Unknown"); 751 } 752 753 void 754 radiusd_conf_init(struct radiusd *conf) 755 { 756 757 TAILQ_INIT(&conf->listen); 758 TAILQ_INIT(&conf->module); 759 TAILQ_INIT(&conf->authen); 760 TAILQ_INIT(&conf->client); 761 762 /* 763 * TODO: load the standard modules 764 */ 765 #if 0 766 static struct radiusd_module *radiusd_standard_modules[] = { 767 NULL 768 }; 769 770 u_int i; 771 struct radiusd_module *module; 772 for (i = 0; radiusd_standard_modules[i] != NULL; i++) { 773 module = radiusd_create_module_class( 774 radiusd_standard_modules[i]); 775 TAILQ_INSERT_TAIL(&conf->module, module, next); 776 } 777 #endif 778 779 return; 780 } 781 782 /* 783 * Fix some attributes which depend the secret value. 784 */ 785 static int 786 radiusd_access_response_fixup(struct radius_query *q) 787 { 788 int res_id; 789 size_t attrlen; 790 u_char req_auth[16], attrbuf[256]; 791 const char *olds, *news; 792 const char *authen_secret = q->authen->auth->module->secret; 793 794 olds = q->client->secret; 795 news = authen_secret; 796 if (news == NULL) 797 olds = news; 798 radius_get_authenticator(q->req, req_auth); 799 800 if ((authen_secret != NULL && 801 strcmp(authen_secret, q->client->secret) != 0) || 802 timingsafe_bcmp(q->req_auth, req_auth, 16) != 0) { 803 804 /* RFC 2865 Tunnel-Password */ 805 attrlen = sizeof(attrlen); 806 if (radius_get_raw_attr(q->res, RADIUS_TYPE_TUNNEL_PASSWORD, 807 attrbuf, &attrlen) == 0) { 808 radius_attr_unhide(news, req_auth, 809 attrbuf, attrbuf + 3, attrlen - 3); 810 radius_attr_hide(olds, q->req_auth, 811 attrbuf, attrbuf + 3, attrlen - 3); 812 813 radius_del_attr_all(q->res, 814 RADIUS_TYPE_TUNNEL_PASSWORD); 815 radius_put_raw_attr(q->res, 816 RADIUS_TYPE_TUNNEL_PASSWORD, attrbuf, attrlen); 817 q->res_modified++; 818 } 819 820 /* RFC 2548 Microsoft MPPE-{Send,Recv}-Key */ 821 attrlen = sizeof(attrlen); 822 if (radius_get_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT, 823 RADIUS_VTYPE_MPPE_SEND_KEY, attrbuf, &attrlen) == 0) { 824 825 /* Re-crypt the KEY */ 826 radius_attr_unhide(news, req_auth, 827 attrbuf, attrbuf + 2, attrlen - 2); 828 radius_attr_hide(olds, q->req_auth, 829 attrbuf, attrbuf + 2, attrlen - 2); 830 831 radius_del_vs_attr_all(q->res, RADIUS_VENDOR_MICROSOFT, 832 RADIUS_VTYPE_MPPE_SEND_KEY); 833 radius_put_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT, 834 RADIUS_VTYPE_MPPE_SEND_KEY, attrbuf, attrlen); 835 q->res_modified++; 836 } 837 attrlen = sizeof(attrlen); 838 if (radius_get_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT, 839 RADIUS_VTYPE_MPPE_RECV_KEY, attrbuf, &attrlen) == 0) { 840 841 /* Re-crypt the KEY */ 842 radius_attr_unhide(news, req_auth, 843 attrbuf, attrbuf + 2, attrlen - 2); 844 radius_attr_hide(olds, q->req_auth, 845 attrbuf, attrbuf + 2, attrlen - 2); 846 847 radius_del_vs_attr_all(q->res, RADIUS_VENDOR_MICROSOFT, 848 RADIUS_VTYPE_MPPE_RECV_KEY); 849 radius_put_vs_raw_attr(q->res, RADIUS_VENDOR_MICROSOFT, 850 RADIUS_VTYPE_MPPE_RECV_KEY, attrbuf, attrlen); 851 q->res_modified++; 852 } 853 } 854 855 res_id = radius_get_id(q->res); 856 if (res_id != q->req_id) { 857 /* authentication server change the id */ 858 radius_set_id(q->res, q->req_id); 859 q->res_modified++; 860 } 861 862 return (0); 863 } 864 865 void 866 radius_attr_hide(const char *secret, const char *authenticator, 867 const u_char *salt, u_char *plain, int plainlen) 868 { 869 int i, j; 870 u_char b[16]; 871 MD5_CTX md5ctx; 872 873 i = 0; 874 do { 875 MD5Init(&md5ctx); 876 MD5Update(&md5ctx, secret, strlen(secret)); 877 if (i == 0) { 878 MD5Update(&md5ctx, authenticator, 16); 879 if (salt != NULL) 880 MD5Update(&md5ctx, salt, 2); 881 } else 882 MD5Update(&md5ctx, plain + i - 16, 16); 883 MD5Final(b, &md5ctx); 884 885 for (j = 0; j < 16 && i < plainlen; i++, j++) 886 plain[i] ^= b[j]; 887 } while (i < plainlen); 888 } 889 890 void 891 radius_attr_unhide(const char *secret, const char *authenticator, 892 const u_char *salt, u_char *crypt0, int crypt0len) 893 { 894 int i, j; 895 u_char b[16]; 896 MD5_CTX md5ctx; 897 898 i = 16 * ((crypt0len - 1) / 16); 899 while (i >= 0) { 900 MD5Init(&md5ctx); 901 MD5Update(&md5ctx, secret, strlen(secret)); 902 if (i == 0) { 903 MD5Update(&md5ctx, authenticator, 16); 904 if (salt != NULL) 905 MD5Update(&md5ctx, salt, 2); 906 } else 907 MD5Update(&md5ctx, crypt0 + i - 16, 16); 908 MD5Final(b, &md5ctx); 909 910 for (j = 0; j < 16 && i + j < crypt0len; j++) 911 crypt0[i + j] ^= b[j]; 912 i -= 16; 913 } 914 } 915 916 static struct radius_query * 917 radiusd_find_query(struct radiusd *radiusd, u_int q_id) 918 { 919 struct radius_query *q; 920 921 TAILQ_FOREACH(q, &radiusd->query, next) { 922 if (q->id == q_id) 923 return (q); 924 } 925 return (NULL); 926 } 927 928 /*********************************************************************** 929 * radiusd module handling 930 ***********************************************************************/ 931 struct radiusd_module * 932 radiusd_module_load(struct radiusd *radiusd, const char *path, const char *name) 933 { 934 struct radiusd_module *module = NULL; 935 pid_t pid; 936 int ival, pairsock[] = { -1, -1 }; 937 const char *av[3]; 938 ssize_t n; 939 struct imsg imsg; 940 941 module = calloc(1, sizeof(struct radiusd_module)); 942 if (module == NULL) 943 fatal("Out of memory"); 944 module->radiusd = radiusd; 945 946 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pairsock) == -1) { 947 log_warn("Could not load module `%s'(%s): pipe()", name, path); 948 goto on_error; 949 } 950 951 pid = fork(); 952 if (pid == -1) { 953 log_warn("Could not load module `%s'(%s): fork()", name, path); 954 goto on_error; 955 } 956 if (pid == 0) { 957 setsid(); 958 close(pairsock[0]); 959 av[0] = path; 960 av[1] = name; 961 av[2] = NULL; 962 dup2(pairsock[1], STDIN_FILENO); 963 dup2(pairsock[1], STDOUT_FILENO); 964 close(pairsock[1]); 965 closefrom(STDERR_FILENO + 1); 966 execv(path, (char * const *)av); 967 log_warn("Failed to execute %s", path); 968 _exit(EXIT_FAILURE); 969 } 970 close(pairsock[1]); 971 972 module->fd = pairsock[0]; 973 if ((ival = fcntl(module->fd, F_GETFL)) < 0) { 974 log_warn("Could not load module `%s': fcntl(F_GETFL)", 975 name); 976 goto on_error; 977 } 978 if (fcntl(module->fd, F_SETFL, ival | O_NONBLOCK) < 0) { 979 log_warn("Could not load module `%s': fcntl(F_SETFL,O_NONBLOCK)", 980 name); 981 goto on_error; 982 } 983 strlcpy(module->name, name, sizeof(module->name)); 984 module->pid = pid; 985 imsg_init(&module->ibuf, module->fd); 986 987 if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT) <= 0 || 988 (n = imsg_get(&module->ibuf, &imsg)) <= 0) { 989 log_warnx("Could not load module `%s': module didn't " 990 "respond", name); 991 goto on_error; 992 } 993 if (imsg.hdr.type != IMSG_RADIUSD_MODULE_LOAD) { 994 imsg_free(&imsg); 995 log_warnx("Could not load module `%s': unknown imsg type=%d", 996 name, imsg.hdr.type); 997 goto on_error; 998 } 999 1000 module->capabilities = 1001 ((struct radiusd_module_load_arg *)imsg.data)->cap; 1002 1003 log_debug("Loaded module `%s' successfully. pid=%d", module->name, 1004 module->pid); 1005 imsg_free(&imsg); 1006 1007 return (module); 1008 1009 on_error: 1010 free(module); 1011 if (pairsock[0] >= 0) 1012 close(pairsock[0]); 1013 if (pairsock[1] >= 0) 1014 close(pairsock[1]); 1015 1016 return (NULL); 1017 } 1018 1019 void 1020 radiusd_module_start(struct radiusd_module *module) 1021 { 1022 int datalen; 1023 struct imsg imsg; 1024 struct timeval tv = { 0, 0 }; 1025 1026 RADIUSD_ASSERT(module->fd >= 0); 1027 imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_START, 0, 0, -1, 1028 NULL, 0); 1029 imsg_sync_flush(&module->ibuf, MODULE_IO_TIMEOUT); 1030 if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT) <= 0 || 1031 imsg_get(&module->ibuf, &imsg) <= 0) { 1032 log_warnx("Module `%s' could not start: no response", 1033 module->name); 1034 goto on_fail; 1035 } 1036 1037 datalen = imsg.hdr.len - IMSG_HEADER_SIZE; 1038 if (imsg.hdr.type != IMSG_OK) { 1039 if (imsg.hdr.type == IMSG_NG) { 1040 if (datalen > 0) 1041 log_warnx("Module `%s' could not start: %s", 1042 module->name, (char *)imsg.data); 1043 else 1044 log_warnx("Module `%s' could not start", 1045 module->name); 1046 } else 1047 log_warnx("Module `%s' could not started: module " 1048 "returned unknow message type %d", module->name, 1049 imsg.hdr.type); 1050 goto on_fail; 1051 } 1052 1053 event_set(&module->ev, module->fd, EV_READ, radiusd_module_on_imsg_io, 1054 module); 1055 event_add(&module->ev, &tv); 1056 log_debug("Module `%s' started successfully", module->name); 1057 1058 return; 1059 on_fail: 1060 radiusd_module_close(module); 1061 return; 1062 } 1063 1064 void 1065 radiusd_module_stop(struct radiusd_module *module) 1066 { 1067 module->stopped = true; 1068 1069 freezero(module->secret, strlen(module->secret)); 1070 module->secret = NULL; 1071 1072 if (module->fd >= 0) { 1073 imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_STOP, 0, 0, -1, 1074 NULL, 0); 1075 radiusd_module_reset_ev_handler(module); 1076 } 1077 } 1078 1079 static void 1080 radiusd_module_close(struct radiusd_module *module) 1081 { 1082 if (module->fd >= 0) { 1083 event_del(&module->ev); 1084 imsg_clear(&module->ibuf); 1085 close(module->fd); 1086 module->fd = -1; 1087 } 1088 } 1089 1090 void 1091 radiusd_module_unload(struct radiusd_module *module) 1092 { 1093 free(module->radpkt); 1094 radiusd_module_close(module); 1095 free(module); 1096 } 1097 1098 static void 1099 radiusd_module_on_imsg_io(int fd, short evmask, void *ctx) 1100 { 1101 struct radiusd_module *module = ctx; 1102 int ret; 1103 1104 if (evmask & EV_WRITE) 1105 module->writeready = true; 1106 1107 if (evmask & EV_READ || module->ibuf.r.wpos > IMSG_HEADER_SIZE) { 1108 if (radiusd_module_imsg_read(module, 1109 (evmask & EV_READ)? true : false) == -1) 1110 goto on_error; 1111 } 1112 1113 while (module->writeready && module->ibuf.w.queued) { 1114 ret = msgbuf_write(&module->ibuf.w); 1115 if (ret > 0) 1116 continue; 1117 module->writeready = false; 1118 if (ret == 0 && errno == EAGAIN) 1119 break; 1120 log_warn("Failed to write to module `%s': msgbuf_write()", 1121 module->name); 1122 goto on_error; 1123 } 1124 radiusd_module_reset_ev_handler(module); 1125 1126 return; 1127 on_error: 1128 radiusd_module_close(module); 1129 } 1130 1131 static void 1132 radiusd_module_reset_ev_handler(struct radiusd_module *module) 1133 { 1134 short evmask; 1135 struct timeval *tvp = NULL, tv = { 0, 0 }; 1136 1137 RADIUSD_ASSERT(module->fd >= 0); 1138 event_del(&module->ev); 1139 1140 evmask = EV_READ; 1141 if (module->ibuf.w.queued) { 1142 if (!module->writeready) 1143 evmask |= EV_WRITE; 1144 else 1145 tvp = &tv; /* fire immediately */ 1146 } else if (module->ibuf.r.wpos > IMSG_HEADER_SIZE) 1147 tvp = &tv; /* fire immediately */ 1148 1149 /* module stopped and no event handler is set */ 1150 if (evmask & EV_WRITE && tvp == NULL && module->stopped) { 1151 /* stop requested and no more to write */ 1152 radiusd_module_close(module); 1153 return; 1154 } 1155 1156 event_set(&module->ev, module->fd, evmask, radiusd_module_on_imsg_io, 1157 module); 1158 if (event_add(&module->ev, tvp) == -1) { 1159 log_warn("Could not set event handlers for module `%s': " 1160 "event_add()", module->name); 1161 radiusd_module_close(module); 1162 } 1163 } 1164 1165 static int 1166 radiusd_module_imsg_read(struct radiusd_module *module, bool doread) 1167 { 1168 int n; 1169 struct imsg imsg; 1170 1171 if (doread) { 1172 if ((n = imsg_read(&module->ibuf)) == -1 || n == 0) { 1173 if (n == -1 && errno == EAGAIN) 1174 return (0); 1175 if (n == -1) 1176 log_warn("Receiving a message from module `%s' " 1177 "failed: imsg_read", module->name); 1178 /* else closed */ 1179 radiusd_module_close(module); 1180 return (-1); 1181 } 1182 } 1183 for (;;) { 1184 if ((n = imsg_get(&module->ibuf, &imsg)) == -1) { 1185 log_warn("Receiving a message from module `%s' failed: " 1186 "imsg_get", module->name); 1187 return (-1); 1188 } 1189 if (n == 0) 1190 return (0); 1191 radiusd_module_imsg(module, &imsg); 1192 } 1193 1194 return (0); 1195 } 1196 1197 static void 1198 radiusd_module_imsg(struct radiusd_module *module, struct imsg *imsg) 1199 { 1200 int datalen; 1201 struct radius_query *q; 1202 u_int q_id; 1203 1204 datalen = imsg->hdr.len - IMSG_HEADER_SIZE; 1205 switch (imsg->hdr.type) { 1206 case IMSG_RADIUSD_MODULE_NOTIFY_SECRET: 1207 if (datalen > 0) { 1208 module->secret = strdup(imsg->data); 1209 if (module->secret == NULL) 1210 log_warn("Could not handle NOTIFY_SECRET " 1211 "from `%s'", module->name); 1212 } 1213 break; 1214 case IMSG_RADIUSD_MODULE_USERPASS_OK: 1215 case IMSG_RADIUSD_MODULE_USERPASS_FAIL: 1216 { 1217 char *msg = NULL; 1218 const char *msgtypestr; 1219 1220 msgtypestr = (imsg->hdr.type == IMSG_RADIUSD_MODULE_USERPASS_OK) 1221 ? "USERPASS_OK" : "USERPASS_NG"; 1222 1223 q_id = *(u_int *)imsg->data; 1224 if (datalen > (ssize_t)sizeof(u_int)) 1225 msg = (char *)(((u_int *)imsg->data) + 1); 1226 1227 q = radiusd_find_query(module->radiusd, q_id); 1228 if (q == NULL) { 1229 log_warnx("Received %s from `%s', but query id=%u " 1230 "unknown", msgtypestr, module->name, q_id); 1231 break; 1232 } 1233 1234 if ((q->res = radius_new_response_packet( 1235 (imsg->hdr.type == IMSG_RADIUSD_MODULE_USERPASS_OK) 1236 ? RADIUS_CODE_ACCESS_ACCEPT : RADIUS_CODE_ACCESS_REJECT, 1237 q->req)) == NULL) { 1238 log_warn("radius_new_response_packet() failed"); 1239 radiusd_access_request_aborted(q); 1240 } else { 1241 if (msg) 1242 radius_put_string_attr(q->res, 1243 RADIUS_TYPE_REPLY_MESSAGE, msg); 1244 radius_set_response_authenticator(q->res, 1245 q->client->secret); 1246 radiusd_access_request_answer(q); 1247 } 1248 break; 1249 } 1250 case IMSG_RADIUSD_MODULE_ACCSREQ_ANSWER: 1251 { 1252 static struct radiusd_module_radpkt_arg *ans; 1253 if (datalen < 1254 (ssize_t)sizeof(struct radiusd_module_radpkt_arg)) { 1255 log_warnx("Received ACCSREQ_ANSWER message, but " 1256 "length is wrong"); 1257 break; 1258 } 1259 q_id = ((struct radiusd_module_radpkt_arg *)imsg->data)->q_id; 1260 q = radiusd_find_query(module->radiusd, q_id); 1261 if (q == NULL) { 1262 log_warnx("Received ACCSREQ_ANSWER from %s, but query " 1263 "id=%u unknown", module->name, q_id); 1264 break; 1265 } 1266 if ((ans = radiusd_module_recv_radpkt(module, imsg, 1267 IMSG_RADIUSD_MODULE_ACCSREQ_ANSWER, 1268 "ACCSREQ_ANSWER")) != NULL) { 1269 q->res = radius_convert_packet( 1270 module->radpkt, module->radpktoff); 1271 q->res_modified = ans->modified; 1272 radiusd_access_request_answer(q); 1273 module->radpktoff = 0; 1274 } 1275 break; 1276 } 1277 case IMSG_RADIUSD_MODULE_ACCSREQ_ABORTED: 1278 { 1279 q_id = *((u_int *)imsg->data); 1280 q = radiusd_find_query(module->radiusd, q_id); 1281 if (q == NULL) { 1282 log_warnx("Received ACCSREQ_ABORT from %s, but query " 1283 "id=%u unknown", module->name, q_id); 1284 break; 1285 } 1286 radiusd_access_request_aborted(q); 1287 break; 1288 } 1289 default: 1290 RADIUSD_DBG(("Unhandled imsg type=%d", 1291 imsg->hdr.type)); 1292 } 1293 } 1294 1295 static struct radiusd_module_radpkt_arg * 1296 radiusd_module_recv_radpkt(struct radiusd_module *module, struct imsg *imsg, 1297 uint32_t imsg_type, const char *type_str) 1298 { 1299 struct radiusd_module_radpkt_arg *ans; 1300 int datalen, chunklen; 1301 1302 datalen = imsg->hdr.len - IMSG_HEADER_SIZE; 1303 ans = (struct radiusd_module_radpkt_arg *)imsg->data; 1304 if (module->radpktsiz < ans->datalen) { 1305 u_char *nradpkt; 1306 if ((nradpkt = realloc(module->radpkt, ans->datalen)) == NULL) { 1307 log_warn("Could not handle received %s message from " 1308 "`%s'", type_str, module->name); 1309 goto on_fail; 1310 } 1311 module->radpkt = nradpkt; 1312 module->radpktsiz = ans->datalen; 1313 } 1314 chunklen = datalen - sizeof(struct radiusd_module_radpkt_arg); 1315 if (chunklen > module->radpktsiz - module->radpktoff) { 1316 log_warnx("Could not handle received %s message from `%s': " 1317 "received length is too big", type_str, module->name); 1318 goto on_fail; 1319 } 1320 memcpy(module->radpkt + module->radpktoff, 1321 (caddr_t)(ans + 1), chunklen); 1322 module->radpktoff += chunklen; 1323 if (!ans->final) 1324 return (NULL); /* again */ 1325 if (module->radpktoff != module->radpktsiz) { 1326 log_warnx("Could not handle received %s message from `%s': " 1327 "length is mismatch", type_str, module->name); 1328 goto on_fail; 1329 } 1330 1331 return (ans); 1332 on_fail: 1333 module->radpktoff = 0; 1334 return (NULL); 1335 } 1336 1337 int 1338 radiusd_module_set(struct radiusd_module *module, const char *name, 1339 int argc, char * const * argv) 1340 { 1341 struct radiusd_module_set_arg arg; 1342 struct radiusd_module_object *val; 1343 int i, niov = 0; 1344 u_char *buf = NULL, *buf0; 1345 ssize_t n; 1346 size_t bufsiz = 0, bufoff = 0, bufsiz0; 1347 size_t vallen, valsiz; 1348 struct iovec iov[2]; 1349 struct imsg imsg; 1350 1351 memset(&arg, 0, sizeof(arg)); 1352 arg.nparamval = argc; 1353 strlcpy(arg.paramname, name, sizeof(arg.paramname)); 1354 1355 iov[niov].iov_base = &arg; 1356 iov[niov].iov_len = sizeof(struct radiusd_module_set_arg); 1357 niov++; 1358 1359 for (i = 0; i < argc; i++) { 1360 vallen = strlen(argv[i]) + 1; 1361 valsiz = sizeof(struct radiusd_module_object) + vallen; 1362 if (bufsiz < bufoff + valsiz) { 1363 bufsiz0 = bufoff + valsiz + 128; 1364 if ((buf0 = realloc(buf, bufsiz0)) == NULL) { 1365 log_warn("Failed to set config parameter to " 1366 "module `%s': realloc", module->name); 1367 goto on_error; 1368 } 1369 buf = buf0; 1370 bufsiz = bufsiz0; 1371 memset(buf + bufoff, 0, bufsiz - bufoff); 1372 } 1373 val = (struct radiusd_module_object *)(buf + bufoff); 1374 val->size = valsiz; 1375 memcpy(val + 1, argv[i], vallen); 1376 1377 bufoff += valsiz; 1378 } 1379 iov[niov].iov_base = buf; 1380 iov[niov].iov_len = bufoff; 1381 niov++; 1382 1383 if (imsg_composev(&module->ibuf, IMSG_RADIUSD_MODULE_SET_CONFIG, 0, 0, 1384 -1, iov, niov) == -1) { 1385 log_warn("Failed to set config parameter to module `%s': " 1386 "imsg_composev", module->name); 1387 goto on_error; 1388 } 1389 if (imsg_sync_flush(&module->ibuf, MODULE_IO_TIMEOUT) == -1) { 1390 log_warn("Failed to set config parameter to module `%s': " 1391 "imsg_flush_timeout", module->name); 1392 goto on_error; 1393 } 1394 for (;;) { 1395 if (imsg_sync_read(&module->ibuf, MODULE_IO_TIMEOUT) <= 0) { 1396 log_warn("Failed to get reply from module `%s': " 1397 "imsg_sync_read", module->name); 1398 goto on_error; 1399 } 1400 if ((n = imsg_get(&module->ibuf, &imsg)) > 0) 1401 break; 1402 if (n < 0) { 1403 log_warn("Failed to get reply from module `%s': " 1404 "imsg_get", module->name); 1405 goto on_error; 1406 } 1407 } 1408 if (imsg.hdr.type == IMSG_NG) { 1409 log_warnx("Could not set `%s' for module `%s': %s", name, 1410 module->name, (char *)imsg.data); 1411 goto on_error; 1412 } else if (imsg.hdr.type != IMSG_OK) { 1413 imsg_free(&imsg); 1414 log_warnx("Failed to get reply from module `%s': " 1415 "unknown imsg type=%d", module->name, imsg.hdr.type); 1416 goto on_error; 1417 } 1418 imsg_free(&imsg); 1419 1420 free(buf); 1421 return (0); 1422 1423 on_error: 1424 free(buf); 1425 return (-1); 1426 } 1427 1428 static void 1429 radiusd_module_userpass(struct radiusd_module *module, struct radius_query *q) 1430 { 1431 struct radiusd_module_userpass_arg userpass; 1432 1433 memset(&userpass, 0, sizeof(userpass)); 1434 userpass.q_id = q->id; 1435 1436 if (radius_get_user_password_attr(q->req, userpass.pass, 1437 sizeof(userpass.pass), q->client->secret) == 0) 1438 userpass.has_pass = true; 1439 else 1440 userpass.has_pass = false; 1441 1442 if (strlcpy(userpass.user, q->username, sizeof(userpass.user)) 1443 >= sizeof(userpass.user)) { 1444 log_warnx("Could request USERPASS to module `%s': " 1445 "User-Name too long", module->name); 1446 goto on_error; 1447 } 1448 imsg_compose(&module->ibuf, IMSG_RADIUSD_MODULE_USERPASS, 0, 0, -1, 1449 &userpass, sizeof(userpass)); 1450 radiusd_module_reset_ev_handler(module); 1451 return; 1452 on_error: 1453 radiusd_access_request_aborted(q); 1454 } 1455 1456 static void 1457 radiusd_module_access_request(struct radiusd_module *module, 1458 struct radius_query *q) 1459 { 1460 struct radiusd_module_radpkt_arg accsreq; 1461 struct iovec iov[2]; 1462 int off = 0, len, siz; 1463 const u_char *pkt; 1464 RADIUS_PACKET *radpkt; 1465 char pass[256]; 1466 1467 if ((radpkt = radius_convert_packet(radius_get_data(q->req), 1468 radius_get_length(q->req))) == NULL) { 1469 log_warn("Could not send ACCSREQ for `%s'", module->name); 1470 return; 1471 } 1472 if (q->client->secret[0] != '\0' && module->secret != NULL && 1473 radius_get_user_password_attr(radpkt, pass, sizeof(pass), 1474 q->client->secret) == 0) { 1475 radius_del_attr_all(radpkt, RADIUS_TYPE_USER_PASSWORD); 1476 (void)radius_put_raw_attr(radpkt, RADIUS_TYPE_USER_PASSWORD, 1477 pass, strlen(pass)); 1478 } 1479 1480 pkt = radius_get_data(radpkt); 1481 len = radius_get_length(radpkt); 1482 memset(&accsreq, 0, sizeof(accsreq)); 1483 accsreq.q_id = q->id; 1484 while (off < len) { 1485 siz = MAX_IMSGSIZE - sizeof(accsreq); 1486 if (len - off > siz) { 1487 accsreq.final = false; 1488 accsreq.datalen = siz; 1489 } else { 1490 accsreq.final = true; 1491 accsreq.datalen = len - off; 1492 } 1493 iov[0].iov_base = &accsreq; 1494 iov[0].iov_len = sizeof(accsreq); 1495 iov[1].iov_base = (caddr_t)pkt + off; 1496 iov[1].iov_len = accsreq.datalen; 1497 imsg_composev(&module->ibuf, IMSG_RADIUSD_MODULE_ACCSREQ, 0, 0, 1498 -1, iov, 2); 1499 off += accsreq.datalen; 1500 } 1501 radiusd_module_reset_ev_handler(module); 1502 radius_delete_packet(radpkt); 1503 1504 return; 1505 } 1506