1: /*
2: *
3: * chilli - ChilliSpot.org. A Wireless LAN Access Point Controller.
4: * Copyright (C) 2003, 2004, 2005 Mondru AB.
5: * Copyright (C) 2006 PicoPoint B.V.
6: * Copyright (c) 2007-2008 David Bird <david@coova.com>
7: *
8: * The contents of this file may be used under the terms of the GNU
9: * General Public License Version 2, provided that the above copyright
10: * notice and this permission notice is included in all copies or
11: * substantial portions of the software.
12: *
13: */
14:
15: #include "system.h"
16: #include "tun.h"
17: #include "ippool.h"
18: #include "radius.h"
19: #include "radius_wispr.h"
20: #include "radius_chillispot.h"
21: #include "redir.h"
22: #include "syserr.h"
23: #include "dhcp.h"
24: #include "cmdline.h"
25: #include "chilli.h"
26: #include "options.h"
27: #include "cmdsock.h"
28: #include "net.h"
29:
30: struct tun_t *tun; /* TUN instance */
31: struct ippool_t *ippool; /* Pool of IP addresses */
32: struct radius_t *radius; /* Radius client instance */
33: struct dhcp_t *dhcp = NULL; /* DHCP instance */
34: struct redir_t *redir = NULL; /* Redir instance */
35:
36: int connections=0;
37: struct app_conn_t *firstfreeconn=0; /* First free in linked list */
38: struct app_conn_t *lastfreeconn=0; /* Last free in linked list */
39: struct app_conn_t *firstusedconn=0; /* First used in linked list */
40: struct app_conn_t *lastusedconn=0; /* Last used in linked list */
41:
42: extern struct app_conn_t admin_session;
43:
44: time_t mainclock;
45: time_t checktime;
46: time_t rereadtime;
47:
48: static int keep_going = 1;
49: /*static int do_timeouts = 1;*/
50: static int do_sighup = 0;
51:
52: /* some IPv4LL/APIPA(rfc 3927) specific stuff for uamanyip */
53: struct in_addr ipv4ll_ip;
54: struct in_addr ipv4ll_mask;
55:
56: /* Forward declarations */
57: static int acct_req(struct app_conn_t *conn, uint8_t status_type);
58:
59: /* Fireman catches falling childs and eliminates zombies */
60: static void fireman(int signum) {
61: while (wait3(NULL, WNOHANG, NULL) > 0);
62: }
63:
64: /* Termination handler for clean shutdown */
65: static void termination_handler(int signum) {
66: if (options.debug) log_dbg("SIGTERM received!\n");
67: keep_going = 0;
68: }
69:
70: /* Alarm handler for general house keeping
71: void static alarm_handler(int signum) {
72: if (options.debug) log_dbg("SIGALRM received!\n");
73: do_timeouts = 1;
74: }*/
75:
76: /* Sighup handler for rereading configuration file */
77: static void sighup_handler(int signum) {
78: if (options.debug) log_dbg("SIGHUP received!\n");
79: do_sighup = 1;
80: }
81:
82:
83: static void set_sessionid(struct app_conn_t *appconn) {
84: snprintf(appconn->s_state.sessionid, sizeof(appconn->s_state.sessionid),
85: "%.8x%.8x", (int) mainclock, appconn->unit);
86: /*log_dbg("!!!! RESET CLASSLEN !!!!");*/
87: appconn->s_state.redir.classlen = 0;
88: }
89:
90: /* Used to write process ID to file. Assume someone else will delete */
91: void static log_pid(char *pidfile) {
92: FILE *file;
93: mode_t oldmask;
94:
95: oldmask = umask(022);
96: file = fopen(pidfile, "w");
97: umask(oldmask);
98: if(!file) return;
99: fprintf(file, "%d\n", getpid());
100: fclose(file);
101: }
102:
103: #ifdef LEAKY_BUCKET
104: /* Perform leaky bucket on up- and downlink traffic */
105: int static leaky_bucket(struct app_conn_t *conn, uint64_t octetsup, uint64_t octetsdown) {
106:
107: time_t timenow = mainclock;
108: uint64_t timediff;
109: int result = 0;
110:
111: timediff = timenow - conn->s_state.last_time;
112:
113: if (options.debug && (conn->s_params.bandwidthmaxup ||
114: conn->s_params.bandwidthmaxdown))
115: log_dbg("Leaky bucket timediff: %lld, bucketup: %lld, bucketdown: %lld, up: %lld, down: %lld",
116: timediff, conn->s_state.bucketup, conn->s_state.bucketdown,
117: octetsup, octetsdown);
118:
119: if (conn->s_params.bandwidthmaxup) {
120: /* Subtract what the leak since last time we visited */
121: if (conn->s_state.bucketup > ((timediff * conn->s_params.bandwidthmaxup) / 8)) {
122: conn->s_state.bucketup -= (timediff * conn->s_params.bandwidthmaxup) / 8;
123: }
124: else {
125: conn->s_state.bucketup = 0;
126: }
127:
128: if ((conn->s_state.bucketup + octetsup) > conn->s_state.bucketupsize) {
129: if (options.debug) log_dbg("Leaky bucket deleting uplink packet");
130: result = -1;
131: }
132: else {
133: conn->s_state.bucketup += octetsup;
134: }
135: }
136:
137: if (conn->s_params.bandwidthmaxdown) {
138: if (conn->s_state.bucketdown > ((timediff * conn->s_params.bandwidthmaxdown) / 8)) {
139: conn->s_state.bucketdown -= (timediff * conn->s_params.bandwidthmaxdown) / 8;
140: }
141: else {
142: conn->s_state.bucketdown = 0;
143: }
144:
145: if ((conn->s_state.bucketdown + octetsdown) > conn->s_state.bucketdownsize) {
146: if (options.debug) log_dbg("Leaky bucket deleting downlink packet");
147: result = -1;
148: }
149: else {
150: conn->s_state.bucketdown += octetsdown;
151: }
152: }
153:
154: conn->s_state.last_time = timenow;
155:
156: return result;
157: }
158: #endif
159:
160:
161: /* Run external script */
162: #define VAL_STRING 0
163: #define VAL_IN_ADDR 1
164: #define VAL_MAC_ADDR 2
165: #define VAL_ULONG 3
166: #define VAL_ULONG64 4
167: #define VAL_USHORT 5
168:
169: int set_env(char *name, char type, void *value, int len) {
170: char *v=0;
171: char s[1024];
172:
173: memset(s,0,sizeof(s));
174:
175: switch(type) {
176:
177: case VAL_IN_ADDR:
178: strncpy(s, inet_ntoa(*(struct in_addr *)value), sizeof(s));
179: v = s;
180: break;
181:
182: case VAL_MAC_ADDR:
183: {
184: uint8_t * mac = (uint8_t*)value;
185: snprintf(s, sizeof(s)-1, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
186: mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
187: v = s;
188: }
189: break;
190:
191: case VAL_ULONG:
192: snprintf(s, sizeof(s)-1, "%ld", (long int)*(uint32_t *)value);
193: v = s;
194: break;
195:
196: case VAL_ULONG64:
197: snprintf(s, sizeof(s)-1, "%ld", (long int)*(uint64_t *)value);
198: v = s;
199: break;
200:
201: case VAL_USHORT:
202: snprintf(s, sizeof(s)-1, "%d", (int)(*(uint16_t *)value));
203: v = s;
204: break;
205:
206: case VAL_STRING:
207: if (len != 0) {
208: if (len >= sizeof(s)) {
209: return -1;
210: }
211: strncpy(s, (char*)value, len);
212: s[len] = 0;
213: v = s;
214: } else {
215: v = (char*)value;
216: }
217: break;
218: }
219:
220: if (name != NULL && v != NULL) {
221: if (setenv(name, v, 1) != 0) {
222: log_err(errno, "setenv(%s, %s, 1) did not return 0!", name, v);
223: return -1;
224: }
225: }
226:
227: return 0;
228: }
229:
230: int runscript(struct app_conn_t *appconn, char* script) {
231: int status;
232:
233: if ((status = fork()) < 0) {
234: log_err(errno,
235: "fork() returned -1!");
236: return 0;
237: }
238:
239: if (status > 0) { /* Parent */
240: return 0;
241: }
242:
243: /*
244: if (clearenv() != 0) {
245: log_err(errno,
246: "clearenv() did not return 0!");
247: exit(0);
248: }
249: */
250:
251: set_env("DEV", VAL_STRING, tun->_interfaces[0].devname, 0);
252: set_env("NET", VAL_IN_ADDR, &appconn->net, 0);
253: set_env("MASK", VAL_IN_ADDR, &appconn->mask, 0);
254: set_env("ADDR", VAL_IN_ADDR, &appconn->ourip, 0);
255: set_env("USER_NAME", VAL_STRING, appconn->s_state.redir.username, 0);
256: set_env("NAS_IP_ADDRESS", VAL_IN_ADDR,&options.radiuslisten, 0);
257: set_env("SERVICE_TYPE", VAL_STRING, "1", 0);
258: set_env("FRAMED_IP_ADDRESS", VAL_IN_ADDR, &appconn->hisip, 0);
259: set_env("FILTER_ID", VAL_STRING, appconn->s_params.filteridbuf, 0);
260: set_env("STATE", VAL_STRING, appconn->s_state.redir.statebuf, appconn->s_state.redir.statelen);
261: set_env("CLASS", VAL_STRING, appconn->s_state.redir.classbuf, appconn->s_state.redir.classlen);
262: set_env("SESSION_TIMEOUT", VAL_ULONG64, &appconn->s_params.sessiontimeout, 0);
263: set_env("IDLE_TIMEOUT", VAL_ULONG, &appconn->s_params.idletimeout, 0);
264: set_env("CALLING_STATION_ID", VAL_MAC_ADDR, appconn->hismac, 0);
265: set_env("CALLED_STATION_ID", VAL_MAC_ADDR, appconn->ourmac, 0);
266: set_env("NAS_ID", VAL_STRING, options.radiusnasid, 0);
267: set_env("NAS_PORT_TYPE", VAL_STRING, "19", 0);
268: set_env("ACCT_SESSION_ID", VAL_STRING, appconn->s_state.sessionid, 0);
269: set_env("ACCT_INTERIM_INTERVAL", VAL_USHORT, &appconn->s_params.interim_interval, 0);
270: set_env("WISPR_LOCATION_ID", VAL_STRING, options.radiuslocationid, 0);
271: set_env("WISPR_LOCATION_NAME", VAL_STRING, options.radiuslocationname, 0);
272: set_env("WISPR_BANDWIDTH_MAX_UP", VAL_ULONG, &appconn->s_params.bandwidthmaxup, 0);
273: set_env("WISPR_BANDWIDTH_MAX_DOWN", VAL_ULONG, &appconn->s_params.bandwidthmaxdown, 0);
274: /*set_env("WISPR-SESSION_TERMINATE_TIME", VAL_USHORT, &appconn->sessionterminatetime, 0);*/
275: set_env("CHILLISPOT_MAX_INPUT_OCTETS", VAL_ULONG64, &appconn->s_params.maxinputoctets, 0);
276: set_env("CHILLISPOT_MAX_OUTPUT_OCTETS", VAL_ULONG64, &appconn->s_params.maxoutputoctets, 0);
277: set_env("CHILLISPOT_MAX_TOTAL_OCTETS", VAL_ULONG64, &appconn->s_params.maxtotaloctets, 0);
278:
279: if (execl(script, script, (char *) 0) != 0) {
280: log_err(errno,
281: "execl() did not return 0!");
282: exit(0);
283: }
284:
285: exit(0);
286: }
287:
288: /***********************************************************
289: *
290: * Functions handling uplink protocol authentication.
291: * Called in response to radius access request response.
292: *
293: ***********************************************************/
294:
295: static int newip(struct ippoolm_t **ipm, struct in_addr *hisip) {
296: if (ippool_newip(ippool, ipm, hisip, 1)) {
297: if (ippool_newip(ippool, ipm, hisip, 0)) {
298: log_err(0, "Failed to allocate either static or dynamic IP address");
299: return -1;
300: }
301: }
302: return 0;
303: }
304:
305:
306: /*
307: * A few functions to manage connections
308: */
309:
310: int static initconn()
311: {
312: checktime = rereadtime = mainclock;
313: return 0;
314: }
315:
316: int static newconn(struct app_conn_t **conn) {
317: int n;
318:
319: if (!firstfreeconn) {
320:
321: if (connections == APP_NUM_CONN) {
322: log_err(0, "reached max connections!");
323: return -1;
324: }
325:
326: n = ++connections;
327:
328: if (!(*conn = calloc(1, sizeof(struct app_conn_t)))) {
329: log_err(0, "Out of memory!");
330: return -1;
331: }
332:
333: } else {
334:
335: *conn = firstfreeconn;
336: n = (*conn)->unit;
337:
338: /* Remove from link of free */
339: if (firstfreeconn->next) {
340: firstfreeconn->next->prev = NULL;
341: firstfreeconn = firstfreeconn->next;
342: }
343: else { /* Took the last one */
344: firstfreeconn = NULL;
345: lastfreeconn = NULL;
346: }
347:
348: /* Initialise structures */
349: memset(*conn, 0, sizeof(struct app_conn_t));
350: }
351:
352: /* Insert into link of used */
353: if (firstusedconn) {
354: firstusedconn->prev = *conn;
355: (*conn)->next = firstusedconn;
356: }
357: else { /* First insert */
358: lastusedconn = *conn;
359: }
360:
361: firstusedconn = *conn;
362:
363: (*conn)->inuse = 1;
364: (*conn)->unit = n;
365:
366: return 0; /* Success */
367: }
368:
369: int static freeconn(struct app_conn_t *conn) {
370: int n = conn->unit;
371:
372: /* Remove from link of used */
373: if ((conn->next) && (conn->prev)) {
374: conn->next->prev = conn->prev;
375: conn->prev->next = conn->next;
376: }
377: else if (conn->next) { /* && prev == 0 */
378: conn->next->prev = NULL;
379: firstusedconn = conn->next;
380: }
381: else if (conn->prev) { /* && next == 0 */
382: conn->prev->next = NULL;
383: lastusedconn = conn->prev;
384: }
385: else { /* if ((next == 0) && (prev == 0)) */
386: firstusedconn = NULL;
387: lastusedconn = NULL;
388: }
389:
390: /* Initialise structures */
391: memset(conn, 0, sizeof(struct app_conn_t));
392: conn->unit = n;
393:
394: /* Insert into link of free */
395: if (firstfreeconn) {
396: firstfreeconn->prev = conn;
397: }
398: else { /* First insert */
399: lastfreeconn = conn;
400: }
401:
402: conn->next = firstfreeconn;
403: firstfreeconn = conn;
404:
405: return 0;
406: }
407:
408: int static getconn(struct app_conn_t **conn, uint32_t nasip, uint32_t nasport) {
409: struct app_conn_t *appconn;
410:
411: /* Count the number of used connections */
412: appconn = firstusedconn;
413: while (appconn) {
414: if (!appconn->inuse) {
415: log_err(0, "Connection with inuse == 0!");
416: }
417: if ((appconn->nasip == nasip) && (appconn->nasport == nasport)) {
418: *conn = appconn;
419: return 0;
420: }
421: appconn = appconn->next;
422: }
423:
424: return -1; /* Not found */
425: }
426:
427: int static dnprot_terminate(struct app_conn_t *appconn) {
428: appconn->s_state.authenticated = 0;
429: printstatus(appconn);
430: switch (appconn->dnprot) {
431: case DNPROT_WPA:
432: case DNPROT_EAPOL:
433: if (appconn->dnlink)
434: ((struct dhcp_conn_t*) appconn->dnlink)->authstate = DHCP_AUTH_NONE;
435: return 0;
436: case DNPROT_MAC:
437: case DNPROT_UAM:
438: case DNPROT_DHCP_NONE:
439: case DNPROT_NULL:
440: if (appconn->dnlink)
441: ((struct dhcp_conn_t*) appconn->dnlink)->authstate = DHCP_AUTH_DNAT;
442: return 0;
443: default:
444: log_err(0, "Unknown downlink protocol");
445: return 0;
446: }
447: }
448:
449:
450:
451: /* Check for:
452: * - Session-Timeout
453: * - Idle-Timeout
454: * - Interim-Interim accounting
455: * - Reread configuration file and DNS entries
456: */
457:
458: void session_interval(struct app_conn_t *conn) {
459: time_t timenow = mainclock;
460: uint32_t sessiontime;
461: uint32_t idletime;
462: uint32_t interimtime;
463:
464: sessiontime = timenow - conn->s_state.start_time;
465: idletime = timenow - conn->s_state.last_time;
466: interimtime = timenow - conn->s_state.interim_time;
467:
468: if ((conn->s_params.sessiontimeout) &&
469: (sessiontime > conn->s_params.sessiontimeout)) {
470: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_SESSION_TIMEOUT);
471: }
472: else if ((conn->s_params.sessionterminatetime) &&
473: (timenow > conn->s_params.sessionterminatetime)) {
474: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_SESSION_TIMEOUT);
475: }
476: else if ((conn->s_params.idletimeout) &&
477: (idletime > conn->s_params.idletimeout)) {
478: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_IDLE_TIMEOUT);
479: }
480: else if ((conn->s_params.maxinputoctets) &&
481: (conn->s_state.input_octets > conn->s_params.maxinputoctets)) {
482: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_SESSION_TIMEOUT);
483: }
484: else if ((conn->s_params.maxoutputoctets) &&
485: (conn->s_state.output_octets > conn->s_params.maxoutputoctets)) {
486: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_SESSION_TIMEOUT);
487: }
488: else if ((conn->s_params.maxtotaloctets) &&
489: ((conn->s_state.input_octets + conn->s_state.output_octets) >
490: conn->s_params.maxtotaloctets)) {
491: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_SESSION_TIMEOUT);
492: }
493: else if ((conn->s_params.interim_interval) &&
494: (interimtime > conn->s_params.interim_interval)) {
495: acct_req(conn, RADIUS_STATUS_TYPE_INTERIM_UPDATE);
496: }
497: }
498:
499: int static checkconn()
500: {
501: time_t timenow = mainclock;
502: struct app_conn_t *conn;
503: struct dhcp_conn_t* dhcpconn;
504: uint32_t checkdiff;
505: uint32_t rereaddiff;
506:
507: checkdiff = timenow - checktime;
508:
509: if (checkdiff < CHECK_INTERVAL)
510: return 0;
511:
512: checktime = timenow;
513:
514: if (admin_session.s_state.authenticated) {
515: session_interval(&admin_session);
516: }
517:
518: for (conn = firstusedconn; conn; conn=conn->next) {
519: if ((conn->inuse != 0) && (conn->s_state.authenticated == 1)) {
520: if (!(dhcpconn = (struct dhcp_conn_t *)conn->dnlink)) {
521: log_err(0, "No downlink protocol");
522: return -1;
523: }
524: session_interval(conn);
525: }
526: }
527:
528: /* Reread configuration file and recheck DNS */
529: if (options.interval) {
530: rereaddiff = timenow - rereadtime;
531: if (rereaddiff >= options.interval) {
532: rereadtime = timenow;
533: do_sighup = 1;
534: }
535: }
536:
537: return 0;
538: }
539:
540: /* Kill all connections and send Radius Acct Stop */
541: int static killconn()
542: {
543: struct app_conn_t *conn;
544:
545: for (conn = firstusedconn; conn; conn=conn->next) {
546: if ((conn->inuse != 0) && (conn->s_state.authenticated == 1)) {
547: terminate_appconn(conn, RADIUS_TERMINATE_CAUSE_NAS_REBOOT);
548: }
549: }
550:
551: if (admin_session.s_state.authenticated) {
552: admin_session.s_state.terminate_cause = RADIUS_TERMINATE_CAUSE_NAS_REBOOT;
553: acct_req(&admin_session, RADIUS_STATUS_TYPE_STOP);
554: }
555:
556: acct_req(&admin_session, RADIUS_STATUS_TYPE_ACCOUNTING_OFF);
557:
558: return 0;
559: }
560:
561: /* Compare a MAC address to the addresses given in the macallowed option */
562: int static maccmp(unsigned char *mac) {
563: int i;
564:
565: for (i=0; i<options.macoklen; i++)
566: if (!memcmp(mac, options.macok[i], PKT_ETH_ALEN))
567: return 0;
568:
569: return -1;
570: }
571:
572: int static macauth_radius(struct app_conn_t *appconn,
573: struct dhcp_fullpacket_t *dhcp_pkt, size_t dhcp_len) {
574: struct dhcp_conn_t *dhcpconn = (struct dhcp_conn_t *)appconn->dnlink;
575: struct radius_packet_t radius_pack;
576: char mac[MACSTRLEN+1];
577:
578: log_dbg("Starting mac radius authentication");
579:
580: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_REQUEST)) {
581: log_err(0, "radius_default_pack() failed");
582: return -1;
583: }
584:
585: /* Include his MAC address */
586: snprintf(mac, MACSTRLEN+1, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
587: dhcpconn->hismac[0], dhcpconn->hismac[1],
588: dhcpconn->hismac[2], dhcpconn->hismac[3],
589: dhcpconn->hismac[4], dhcpconn->hismac[5]);
590:
591: strncpy(appconn->s_state.redir.username, mac, USERNAMESIZE);
592:
593: if (options.macsuffix)
594: strncat(appconn->s_state.redir.username, options.macsuffix, USERNAMESIZE);
595:
596: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_NAME, 0, 0, 0,
597: (uint8_t*) appconn->s_state.redir.username,
598: strlen(appconn->s_state.redir.username));
599:
600: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_PASSWORD, 0, 0, 0,
601: (uint8_t*) (options.macpasswd ? options.macpasswd : appconn->s_state.redir.username),
602: options.macpasswd ? strlen(options.macpasswd) : strlen(appconn->s_state.redir.username));
603:
604: appconn->authtype = PAP_PASSWORD;
605:
606: radius_addattr(radius, &radius_pack, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0,
607: (uint8_t*) mac, MACSTRLEN);
608:
609: radius_addcalledstation(radius, &radius_pack);
610:
611: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT, 0, 0,
612: appconn->unit, NULL, 0);
613:
614: radius_addnasip(radius, &radius_pack);
615:
616: radius_addattr(radius, &radius_pack, RADIUS_ATTR_SERVICE_TYPE, 0, 0,
617: RADIUS_SERVICE_TYPE_LOGIN, NULL, 0); /* WISPr_V1.0 */
618:
619: /* Include NAS-Identifier if given in configuration options */
620: if (options.radiusnasid)
621: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_IDENTIFIER, 0, 0, 0,
622: (uint8_t*) options.radiusnasid, strlen(options.radiusnasid));
623:
624: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_SESSION_ID, 0, 0, 0,
625: (uint8_t*) appconn->s_state.sessionid, REDIR_SESSIONID_LEN-1);
626:
627: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT_TYPE, 0, 0,
628: options.radiusnasporttype, NULL, 0);
629:
630:
631: if (options.radiuslocationid)
632: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
633: RADIUS_VENDOR_WISPR, RADIUS_ATTR_WISPR_LOCATION_ID, 0,
634: (uint8_t*) options.radiuslocationid,
635: strlen(options.radiuslocationid));
636:
637: if (options.radiuslocationname)
638: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
639: RADIUS_VENDOR_WISPR, RADIUS_ATTR_WISPR_LOCATION_NAME, 0,
640: (uint8_t*) options.radiuslocationname,
641: strlen(options.radiuslocationname));
642:
643: if (options.dhcpradius && dhcp_pkt) {
644: struct dhcp_tag_t *tag = 0;
645:
646: #define maptag(OPT,VSA)\
647: if (!dhcp_gettag(&dhcp_pkt->dhcp, ntohs(dhcp_pkt->udph.len)-PKT_UDP_HLEN, &tag, OPT)) { \
648: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC, \
649: RADIUS_VENDOR_CHILLISPOT, VSA, 0, (uint8_t *) tag->v, tag->l); }
650: /*
651: * Mapping of DHCP options to RADIUS Vendor Specific Attributes
652: */
653: maptag( DHCP_OPTION_PARAMETER_REQUEST_LIST, RADIUS_ATTR_CHILLISPOT_DHCP_PARAMETER_REQUEST_LIST );
654: maptag( DHCP_OPTION_VENDOR_CLASS_IDENTIFIER, RADIUS_ATTR_CHILLISPOT_DHCP_VENDOR_CLASS_ID );
655: maptag( DHCP_OPTION_CLIENT_IDENTIFIER, RADIUS_ATTR_CHILLISPOT_DHCP_CLIENT_ID );
656: maptag( DHCP_OPTION_CLIENT_FQDN, RADIUS_ATTR_CHILLISPOT_DHCP_CLIENT_FQDN );
657: maptag( DHCP_OPTION_HOSTNAME, RADIUS_ATTR_CHILLISPOT_DHCP_HOSTNAME );
658: #undef maptag
659: }
660:
661: radius_addattr(radius, &radius_pack, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
662: 0, 0, 0, NULL, RADIUS_MD5LEN);
663:
664: return radius_req(radius, &radius_pack, appconn);
665: }
666:
667:
668: /*********************************************************
669: *
670: * radius proxy functions
671: * Used to send a response to a received radius request
672: *
673: *********************************************************/
674:
675: /* Reply with an access reject */
676: int static radius_access_reject(struct app_conn_t *conn) {
677: struct radius_packet_t radius_pack;
678:
679: conn->radiuswait = 0;
680:
681: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_REJECT)) {
682: log_err(0, "radius_default_pack() failed");
683: return -1;
684: }
685:
686: radius_pack.id = conn->radiusid;
687: radius_resp(radius, &radius_pack, &conn->radiuspeer, conn->authenticator);
688: return 0;
689: }
690:
691: /* Reply with an access challenge */
692: int static radius_access_challenge(struct app_conn_t *conn) {
693: struct radius_packet_t radius_pack;
694: size_t offset = 0;
695: size_t eaplen = 0;
696:
697: conn->radiuswait = 0;
698:
699: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_CHALLENGE)){
700: log_err(0, "radius_default_pack() failed");
701: return -1;
702: }
703:
704: radius_pack.id = conn->radiusid;
705:
706: /* Include EAP */
707: do {
708: if ((conn->challen - offset) > RADIUS_ATTR_VLEN)
709: eaplen = RADIUS_ATTR_VLEN;
710: else
711: eaplen = conn->challen - offset;
712:
713: if (radius_addattr(radius, &radius_pack, RADIUS_ATTR_EAP_MESSAGE, 0, 0, 0,
714: conn->chal + offset, eaplen)) {
715: log_err(0, "radius_default_pack() failed");
716: return -1;
717: }
718: offset += eaplen;
719: } while (offset < conn->challen);
720:
721: if (conn->s_state.redir.statelen) {
722: radius_addattr(radius, &radius_pack, RADIUS_ATTR_STATE, 0, 0, 0,
723: conn->s_state.redir.statebuf,
724: conn->s_state.redir.statelen);
725: }
726:
727: radius_addattr(radius, &radius_pack, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
728: 0, 0, 0, NULL, RADIUS_MD5LEN);
729:
730: radius_resp(radius, &radius_pack, &conn->radiuspeer, conn->authenticator);
731: return 0;
732: }
733:
734: /* Send off an access accept */
735:
736: int static radius_access_accept(struct app_conn_t *conn) {
737: struct radius_packet_t radius_pack;
738: size_t offset = 0;
739: size_t eaplen = 0;
740:
741: uint8_t mppekey[RADIUS_ATTR_VLEN];
742: size_t mppelen;
743:
744: conn->radiuswait = 0;
745:
746: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_ACCEPT)) {
747: log_err(0, "radius_default_pack() failed");
748: return -1;
749: }
750:
751: radius_pack.id = conn->radiusid;
752:
753: /* Include EAP (if present) */
754: offset = 0;
755: while (offset < conn->challen) {
756: if ((conn->challen - offset) > RADIUS_ATTR_VLEN)
757: eaplen = RADIUS_ATTR_VLEN;
758: else
759: eaplen = conn->challen - offset;
760:
761: radius_addattr(radius, &radius_pack, RADIUS_ATTR_EAP_MESSAGE, 0, 0, 0,
762: conn->chal + offset, eaplen);
763:
764: offset += eaplen;
765: }
766:
767: if (conn->sendlen) {
768: radius_keyencode(radius, mppekey, RADIUS_ATTR_VLEN,
769: &mppelen, conn->sendkey,
770: conn->sendlen, conn->authenticator,
771: radius->proxysecret, radius->proxysecretlen);
772:
773: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
774: RADIUS_VENDOR_MS, RADIUS_ATTR_MS_MPPE_SEND_KEY, 0,
775: (uint8_t *)mppekey, mppelen);
776: }
777:
778: if (conn->recvlen) {
779: radius_keyencode(radius, mppekey, RADIUS_ATTR_VLEN,
780: &mppelen, conn->recvkey,
781: conn->recvlen, conn->authenticator,
782: radius->proxysecret, radius->proxysecretlen);
783:
784: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
785: RADIUS_VENDOR_MS, RADIUS_ATTR_MS_MPPE_RECV_KEY, 0,
786: (uint8_t *)mppekey, mppelen);
787: }
788:
789: radius_addattr(radius, &radius_pack, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
790: 0, 0, 0, NULL, RADIUS_MD5LEN);
791:
792: radius_resp(radius, &radius_pack, &conn->radiuspeer, conn->authenticator);
793: return 0;
794: }
795:
796:
797: /*********************************************************
798: *
799: * radius accounting functions
800: * Used to send accounting request to radius server
801: *
802: *********************************************************/
803:
804: static int acct_req(struct app_conn_t *conn, uint8_t status_type)
805: {
806: struct radius_packet_t radius_pack;
807: char mac[MACSTRLEN+1];
808: char portid[16+1];
809: time_t timenow;
810: uint32_t timediff;
811:
812: if (RADIUS_STATUS_TYPE_START == status_type) {
813: conn->s_state.start_time = mainclock;
814: conn->s_state.interim_time = mainclock;
815: conn->s_state.last_time = mainclock;
816: conn->s_state.input_packets = 0;
817: conn->s_state.output_packets = 0;
818: conn->s_state.input_octets = 0;
819: conn->s_state.output_octets = 0;
820: }
821:
822: if (RADIUS_STATUS_TYPE_INTERIM_UPDATE == status_type) {
823: conn->s_state.interim_time = mainclock;
824: }
825:
826: if (radius_default_pack(radius, &radius_pack,
827: RADIUS_CODE_ACCOUNTING_REQUEST)) {
828: log_err(0, "radius_default_pack() failed");
829: return -1;
830: }
831:
832: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_STATUS_TYPE, 0, 0,
833: status_type, NULL, 0);
834:
835: if (RADIUS_STATUS_TYPE_ACCOUNTING_ON != status_type &&
836: RADIUS_STATUS_TYPE_ACCOUNTING_OFF != status_type) {
837:
838: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_NAME, 0, 0, 0,
839: (uint8_t*) conn->s_state.redir.username,
840: strlen(conn->s_state.redir.username));
841:
842: if (conn->s_state.redir.classlen) {
843: radius_addattr(radius, &radius_pack, RADIUS_ATTR_CLASS, 0, 0, 0,
844: conn->s_state.redir.classbuf,
845: conn->s_state.redir.classlen);
846: }
847:
848: if (conn->is_adminsession) {
849: radius_addattr(radius, &radius_pack, RADIUS_ATTR_SERVICE_TYPE, 0, 0,
850: RADIUS_SERVICE_TYPE_ADMIN_USER, NULL, 0);
851: } else {
852: snprintf(mac, MACSTRLEN+1, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
853: conn->hismac[0], conn->hismac[1],
854: conn->hismac[2], conn->hismac[3],
855: conn->hismac[4], conn->hismac[5]);
856:
857: radius_addattr(radius, &radius_pack, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0,
858: (uint8_t*) mac, MACSTRLEN);
859:
860: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT_TYPE, 0, 0,
861: options.radiusnasporttype, NULL, 0);
862:
863: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT, 0, 0,
864: conn->unit, NULL, 0);
865:
866: snprintf(portid, 16+1, "%.8d", conn->unit);
867: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT_ID, 0, 0, 0,
868: (uint8_t*) portid, strlen(portid));
869:
870: radius_addattr(radius, &radius_pack, RADIUS_ATTR_FRAMED_IP_ADDRESS, 0, 0,
871: ntohl(conn->hisip.s_addr), NULL, 0);
872:
873: }
874:
875: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_SESSION_ID, 0, 0, 0,
876: (uint8_t*) conn->s_state.sessionid, REDIR_SESSIONID_LEN-1);
877:
878: }
879:
880: radius_addnasip(radius, &radius_pack);
881:
882: radius_addcalledstation(radius, &radius_pack);
883:
884:
885: /* Include NAS-Identifier if given in configuration options */
886: if (options.radiusnasid)
887: (void) radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_IDENTIFIER, 0, 0, 0,
888: (uint8_t*) options.radiusnasid,
889: strlen(options.radiusnasid));
890:
891: /*
892: (void) radius_addattr(radius, &radius_pack, RADIUS_ATTR_FRAMED_MTU, 0, 0,
893: conn->mtu, NULL, 0);*/
894:
895: if ((status_type == RADIUS_STATUS_TYPE_STOP) ||
896: (status_type == RADIUS_STATUS_TYPE_INTERIM_UPDATE)) {
897:
898: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_INPUT_OCTETS, 0, 0,
899: (uint32_t) conn->s_state.input_octets, NULL, 0);
900: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_OUTPUT_OCTETS, 0, 0,
901: (uint32_t) conn->s_state.output_octets, NULL, 0);
902:
903: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_INPUT_GIGAWORDS,
904: 0, 0, (uint32_t) (conn->s_state.input_octets >> 32), NULL, 0);
905: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS,
906: 0, 0, (uint32_t) (conn->s_state.output_octets >> 32), NULL, 0);
907:
908: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_INPUT_PACKETS, 0, 0,
909: conn->s_state.input_packets, NULL, 0);
910: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_OUTPUT_PACKETS, 0, 0,
911: conn->s_state.output_packets, NULL, 0);
912:
913: timenow = mainclock;
914: timediff = timenow - conn->s_state.start_time;
915:
916: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_SESSION_TIME, 0, 0,
917: timediff, NULL, 0);
918: }
919:
920: if (options.radiuslocationid)
921: (void) radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
922: RADIUS_VENDOR_WISPR, RADIUS_ATTR_WISPR_LOCATION_ID, 0,
923: (uint8_t*) options.radiuslocationid,
924: strlen(options.radiuslocationid));
925:
926: if (options.radiuslocationname)
927: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
928: RADIUS_VENDOR_WISPR, RADIUS_ATTR_WISPR_LOCATION_NAME, 0,
929: (uint8_t*) options.radiuslocationname,
930: strlen(options.radiuslocationname));
931:
932:
933: if (status_type == RADIUS_STATUS_TYPE_STOP ||
934: status_type == RADIUS_STATUS_TYPE_ACCOUNTING_OFF) {
935:
936: radius_addattr(radius, &radius_pack, RADIUS_ATTR_ACCT_TERMINATE_CAUSE,
937: 0, 0, conn->s_state.terminate_cause, NULL, 0);
938:
939: if (status_type == RADIUS_STATUS_TYPE_STOP) {
940: /* TODO: This probably belongs somewhere else */
941: if (options.condown) {
942: if (options.debug)
943: log_dbg("Calling connection down script: %s\n",options.condown);
944: runscript(conn, options.condown);
945: }
946: }
947: }
948:
949: radius_req(radius, &radius_pack, conn);
950:
951: return 0;
952: }
953:
954:
955:
956: /***********************************************************
957: *
958: * Functions handling downlink protocol authentication.
959: * Called in response to radius access request response.
960: *
961: ***********************************************************/
962:
963: int static dnprot_reject(struct app_conn_t *appconn) {
964: struct dhcp_conn_t* dhcpconn = NULL;
965: /*struct ippoolm_t *ipm;*/
966:
967: switch (appconn->dnprot) {
968:
969: case DNPROT_EAPOL:
970: if (!(dhcpconn = (struct dhcp_conn_t*) appconn->dnlink)) {
971: log_err(0, "No downlink protocol");
972: return 0;
973: }
974:
975: dhcp_sendEAPreject(dhcpconn, NULL, 0);
976: return 0;
977:
978: case DNPROT_UAM:
979: log_err(0, "Rejecting UAM");
980: return 0;
981:
982: case DNPROT_WPA:
983: return radius_access_reject(appconn);
984:
985: case DNPROT_MAC:
986: /* remove the username since we're not logged in */
987: if (!appconn->s_state.authenticated)
988: strncpy(appconn->s_state.redir.username, "-", USERNAMESIZE);
989:
990: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
991: log_err(0, "No downlink protocol");
992: return 0;
993: }
994:
995: if (options.macauthdeny) {
996: dhcpconn->authstate = DHCP_AUTH_DROP;
997: appconn->dnprot = DNPROT_NULL;
998: }
999: else {
1000: dhcpconn->authstate = DHCP_AUTH_NONE;
1001: appconn->dnprot = DNPROT_UAM;
1002: }
1003:
1004: return 0;
1005:
1006: case DNPROT_NULL:
1007: return 0;
1008:
1009: default:
1010: log_err(0, "Unknown downlink protocol");
1011: return 0;
1012: }
1013: }
1014:
1015: int static dnprot_challenge(struct app_conn_t *appconn) {
1016: struct dhcp_conn_t* dhcpconn = NULL;
1017:
1018: switch (appconn->dnprot) {
1019:
1020: case DNPROT_EAPOL:
1021: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
1022: log_err(0, "No downlink protocol");
1023: return 0;
1024: }
1025:
1026: dhcp_sendEAP(dhcpconn, appconn->chal, appconn->challen);
1027: break;
1028:
1029: case DNPROT_NULL:
1030: case DNPROT_UAM:
1031: case DNPROT_MAC:
1032: break;
1033:
1034: case DNPROT_WPA:
1035: radius_access_challenge(appconn);
1036: break;
1037:
1038: default:
1039: log_err(0, "Unknown downlink protocol");
1040: }
1041:
1042: return 0;
1043: }
1044:
1045: int static dnprot_accept(struct app_conn_t *appconn) {
1046: struct dhcp_conn_t* dhcpconn = NULL;
1047:
1048: if (appconn->is_adminsession) return 0;
1049:
1050: if (!appconn->hisip.s_addr) {
1051: log_err(0, "IP address not allocated");
1052: return 0;
1053: }
1054:
1055: switch (appconn->dnprot) {
1056: case DNPROT_EAPOL:
1057: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
1058: log_err(0, "No downlink protocol");
1059: return 0;
1060: }
1061:
1062: dhcp_set_addrs(dhcpconn,
1063: &appconn->hisip, &appconn->mask,
1064: &appconn->ourip, &appconn->mask,
1065: &appconn->dns1, &appconn->dns2,
1066: options.domain);
1067:
1068: /* This is the one and only place eapol authentication is accepted */
1069:
1070: dhcpconn->authstate = DHCP_AUTH_PASS;
1071:
1072: /* Tell client it was successful */
1073: dhcp_sendEAP(dhcpconn, appconn->chal, appconn->challen);
1074:
1075: log_warn(0, "Do not know how to set encryption keys on this platform!");
1076: break;
1077:
1078: case DNPROT_UAM:
1079: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
1080: log_err(0, "No downlink protocol");
1081: return 0;
1082: }
1083:
1084: dhcp_set_addrs(dhcpconn,
1085: &appconn->hisip, &appconn->mask,
1086: &appconn->ourip, &appconn->mask,
1087: &appconn->dns1, &appconn->dns2,
1088: options.domain);
1089:
1090: /* This is the one and only place UAM authentication is accepted */
1091: dhcpconn->authstate = DHCP_AUTH_PASS;
1092: appconn->s_params.flags &= ~REQUIRE_UAM_AUTH;
1093: break;
1094:
1095: case DNPROT_WPA:
1096: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
1097: log_err(0, "No downlink protocol");
1098: return 0;
1099: }
1100:
1101: dhcp_set_addrs(dhcpconn,
1102: &appconn->hisip, &appconn->mask,
1103: &appconn->ourip, &appconn->mask,
1104: &appconn->dns1, &appconn->dns2,
1105: options.domain);
1106:
1107: /* This is the one and only place WPA authentication is accepted */
1108: if (appconn->s_params.flags & REQUIRE_UAM_AUTH) {
1109: appconn->dnprot = DNPROT_DHCP_NONE;
1110: dhcpconn->authstate = DHCP_AUTH_NONE;
1111: }
1112: else {
1113: dhcpconn->authstate = DHCP_AUTH_PASS;
1114: }
1115:
1116: /* Tell access point it was successful */
1117: radius_access_accept(appconn);
1118:
1119: break;
1120:
1121: case DNPROT_MAC:
1122: if (!(dhcpconn = (struct dhcp_conn_t *)appconn->dnlink)) {
1123: log_err(0, "No downlink protocol");
1124: return 0;
1125: }
1126:
1127: dhcp_set_addrs(dhcpconn,
1128: &appconn->hisip, &appconn->mask,
1129: &appconn->ourip, &appconn->mask,
1130: &appconn->dns1, &appconn->dns2,
1131: options.domain);
1132:
1133: dhcpconn->authstate = DHCP_AUTH_PASS;
1134: break;
1135:
1136: case DNPROT_NULL:
1137: case DNPROT_DHCP_NONE:
1138: return 0;
1139:
1140: default:
1141: log_err(0, "Unknown downlink protocol");
1142: return 0;
1143: }
1144:
1145: if (appconn->s_params.flags & REQUIRE_UAM_SPLASH)
1146: dhcpconn->authstate = DHCP_AUTH_SPLASH;
1147:
1148: if (!(appconn->s_params.flags & REQUIRE_UAM_AUTH)) {
1149: /* This is the one and only place state is switched to authenticated */
1150: appconn->s_state.authenticated = 1;
1151:
1152: /* Run connection up script */
1153: if (options.conup) {
1154: if (options.debug) log_dbg("Calling connection up script: %s\n", options.conup);
1155: runscript(appconn, options.conup);
1156: }
1157:
1158: printstatus(appconn);
1159:
1160: if (!(appconn->s_params.flags & IS_UAM_REAUTH))
1161: acct_req(appconn, RADIUS_STATUS_TYPE_START);
1162: }
1163:
1164: appconn->s_params.flags &= ~IS_UAM_REAUTH;
1165: return 0;
1166: }
1167:
1168:
1169: /*
1170: * Tun callbacks
1171: *
1172: * Called from the tun_decaps function. This method is passed either
1173: * a Ethernet frame or an IP packet.
1174: */
1175:
1176: int cb_tun_ind(struct tun_t *tun, void *pack, size_t len, int idx) {
1177: struct in_addr dst;
1178: struct ippoolm_t *ipm;
1179: struct app_conn_t *appconn;
1180: struct pkt_ipphdr_t *ipph;
1181:
1182: int ethhdr = !!(tun(tun, idx).flags & NET_ETHHDR);
1183:
1184: if (ethhdr) {
1185: struct pkt_ethhdr_t *ethh = (struct pkt_ethhdr_t *)pack;
1186: uint16_t prot = ntohs(ethh->prot);
1187:
1188: ipph = (struct pkt_ipphdr_t *)((char *)pack + PKT_ETH_HLEN);
1189:
1190: if (prot == PKT_ETH_PROTO_ARP) {
1191: /*
1192: * send arp reply with us being target
1193: */
1194: struct arp_fullpacket_t *p = (struct arp_fullpacket_t *)pack;
1195: struct arp_fullpacket_t packet;
1196: struct in_addr reqaddr;
1197: size_t length = sizeof(packet);
1198:
1199: log_dbg("arp: dst=%.2x:%.2x:%.2x:%.2x:%.2x:%.2x src=%.2x:%.2x:%.2x:%.2x:%.2x:%.2x prot=%.4x\n",
1200: ethh->dst[0],ethh->dst[1],ethh->dst[2],ethh->dst[3],ethh->dst[4],ethh->dst[5],
1201: ethh->src[0],ethh->src[1],ethh->src[2],ethh->src[3],ethh->src[4],ethh->src[5],
1202: ntohs(ethh->prot));
1203:
1204: /* Get local copy */
1205: memcpy(&reqaddr.s_addr, p->arp.tpa, PKT_IP_ALEN);
1206:
1207: if (ippool_getip(ippool, &ipm, &reqaddr)) {
1208: if (options.debug)
1209: log_dbg("ARP for unknown IP %s\n", inet_ntoa(reqaddr));
1210: return 0;
1211: }
1212:
1213: if ((appconn = (struct app_conn_t *)ipm->peer) == NULL ||
1214: (appconn->dnlink) == NULL) {
1215: log_err(0, "No peer protocol defined for ARP request");
1216: return 0;
1217: }
1218:
1219: /* Get packet default values */
1220: memset(&packet, 0, sizeof(packet));
1221:
1222: /* ARP Payload */
1223: packet.arp.hrd = htons(DHCP_HTYPE_ETH);
1224: packet.arp.pro = htons(PKT_ETH_PROTO_IP);
1225: packet.arp.hln = PKT_ETH_ALEN;
1226: packet.arp.pln = PKT_IP_ALEN;
1227: packet.arp.op = htons(DHCP_ARP_REPLY);
1228:
1229: /* Source address */
1230: /*memcpy(packet.arp.sha, dhcp->arp_hwaddr, PKT_ETH_ALEN);
1231: memcpy(packet.arp.spa, &dhcp->ourip.s_addr, PKT_IP_ALEN);*/
1232: /*memcpy(packet.arp.sha, appconn->hismac, PKT_ETH_ALEN);*/
1233: memcpy(packet.arp.sha, tun->_interfaces[0].hwaddr, PKT_ETH_ALEN);
1234: memcpy(packet.arp.spa, &appconn->hisip.s_addr, PKT_IP_ALEN);
1235:
1236: /* Target address */
1237: /*memcpy(packet.arp.tha, &appconn->hismac, PKT_ETH_ALEN);
1238: memcpy(packet.arp.tpa, &appconn->hisip.s_addr, PKT_IP_ALEN); */
1239: memcpy(packet.arp.tha, p->arp.sha, PKT_ETH_ALEN);
1240: memcpy(packet.arp.tpa, p->arp.spa, PKT_IP_ALEN);
1241:
1242: /* Ethernet header */
1243: memcpy(packet.ethh.dst, p->ethh.src, PKT_ETH_ALEN);
1244: memcpy(packet.ethh.src, dhcp->ipif.hwaddr, PKT_ETH_ALEN);
1245: packet.ethh.prot = htons(PKT_ETH_PROTO_ARP);
1246:
1247: return tun_encaps(tun, &packet, length, idx);
1248: }
1249: } else {
1250: ipph = (struct pkt_ipphdr_t *)pack;
1251: }
1252:
1253: /*if (options.debug)
1254: log_dbg("cb_tun_ind. Packet received: Forwarding to link layer");*/
1255:
1256: dst.s_addr = ipph->daddr;
1257:
1258: if (ippool_getip(ippool, &ipm, &dst)) {
1259: if (options.debug)
1260: log_dbg("dropping packet with unknown destination: %s", inet_ntoa(dst));
1261: return 0;
1262: }
1263:
1264: if ((appconn = (struct app_conn_t *)ipm->peer) == NULL ||
1265: (appconn->dnlink) == NULL) {
1266: log_err(0, "No peer protocol defined");
1267: return 0;
1268: }
1269:
1270: /* If the ip src is uamlisten and psrc is uamport we won't call leaky_bucket */
1271: if ( ! (ipph->saddr == options.uamlisten.s_addr &&
1272: (ipph->sport == htons(options.uamport) ||
1273: ipph->sport == htons(options.uamuiport)))) {
1274: if (appconn->s_state.authenticated == 1) {
1275:
1276: #ifndef LEAKY_BUCKET
1277: appconn->s_state.last_time = mainclock;
1278: #endif
1279:
1280: #ifdef LEAKY_BUCKET
1281: #ifndef COUNT_DOWNLINK_DROP
1282: if (leaky_bucket(appconn, 0, len)) return 0;
1283: #endif
1284: #endif
1285: if (options.swapoctets) {
1286: appconn->s_state.output_packets++;
1287: appconn->s_state.output_octets += len;
1288: if (admin_session.s_state.authenticated) {
1289: admin_session.s_state.output_packets++;
1290: admin_session.s_state.output_octets+=len;
1291: }
1292: } else {
1293: appconn->s_state.input_packets++;
1294: appconn->s_state.input_octets += len;
1295: if (admin_session.s_state.authenticated) {
1296: admin_session.s_state.input_packets++;
1297: admin_session.s_state.input_octets+=len;
1298: }
1299: }
1300: #ifdef LEAKY_BUCKET
1301: #ifdef COUNT_DOWNLINK_DROP
1302: if (leaky_bucket(appconn, 0, len)) return 0;
1303: #endif
1304: #endif
1305: }
1306: }
1307:
1308: switch (appconn->dnprot) {
1309: case DNPROT_NULL:
1310: case DNPROT_DHCP_NONE:
1311: break;
1312:
1313: case DNPROT_UAM:
1314: case DNPROT_WPA:
1315: case DNPROT_MAC:
1316: case DNPROT_EAPOL:
1317: dhcp_data_req((struct dhcp_conn_t *)appconn->dnlink, pack, len, ethhdr);
1318: break;
1319:
1320: default:
1321: log_err(0, "Unknown downlink protocol: %d", appconn->dnprot);
1322: break;
1323: }
1324:
1325: return 0;
1326: }
1327:
1328:
1329: /*********************************************************
1330: *
1331: * Redir callbacks
1332: *
1333: *********************************************************/
1334:
1335: int cb_redir_getstate(struct redir_t *redir, struct in_addr *addr,
1336: struct redir_conn_t *conn) {
1337: struct ippoolm_t *ipm;
1338: struct app_conn_t *appconn;
1339: struct dhcp_conn_t *dhcpconn;
1340:
1341: if (ippool_getip(ippool, &ipm, addr)) {
1342: return -1;
1343: }
1344:
1345: if ( (appconn = (struct app_conn_t *)ipm->peer) == NULL ||
1346: (dhcpconn = (struct dhcp_conn_t *)appconn->dnlink) == NULL ) {
1347: log_warn(0, "No peer protocol defined");
1348: return -1;
1349: }
1350:
1351: conn->nasip = options.radiuslisten;
1352: conn->nasport = appconn->unit;
1353: memcpy(conn->hismac, dhcpconn->hismac, PKT_ETH_ALEN);
1354: memcpy(conn->ourmac, dhcpconn->ourmac, PKT_ETH_ALEN);
1355: conn->ourip = appconn->ourip;
1356: conn->hisip = appconn->hisip;
1357:
1358: memcpy(&conn->s_params, &appconn->s_params, sizeof(appconn->s_params));
1359: memcpy(&conn->s_state, &appconn->s_state, sizeof(appconn->s_state));
1360:
1361: /* reset state */
1362: appconn->uamexit=0;
1363:
1364: return conn->s_state.authenticated == 1;
1365: }
1366:
1367:
1368: /*********************************************************
1369: *
1370: * Functions supporting radius callbacks
1371: *
1372: *********************************************************/
1373:
1374: /* Handle an accounting request */
1375: int accounting_request(struct radius_packet_t *pack,
1376: struct sockaddr_in *peer) {
1377: struct radius_attr_t *hismacattr = NULL;
1378: struct radius_attr_t *typeattr = NULL;
1379: struct radius_attr_t *nasipattr = NULL;
1380: struct radius_attr_t *nasportattr = NULL;
1381: struct radius_packet_t radius_pack;
1382: struct app_conn_t *appconn = NULL;
1383: struct dhcp_conn_t *dhcpconn = NULL;
1384: uint8_t hismac[PKT_ETH_ALEN];
1385: char macstr[RADIUS_ATTR_VLEN];
1386: size_t macstrlen;
1387: unsigned int temp[PKT_ETH_ALEN];
1388: uint32_t nasip = 0;
1389: uint32_t nasport = 0;
1390: int i;
1391:
1392:
1393: if (radius_default_pack(radius, &radius_pack,
1394: RADIUS_CODE_ACCOUNTING_RESPONSE)) {
1395: log_err(0, "radius_default_pack() failed");
1396: return -1;
1397: }
1398: radius_pack.id = pack->id;
1399:
1400: /* Status type */
1401: if (radius_getattr(pack, &typeattr, RADIUS_ATTR_ACCT_STATUS_TYPE, 0, 0, 0)) {
1402: log_err(0, "Status type is missing from radius request");
1403: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1404: return 0;
1405: }
1406:
1407: if (typeattr->v.i != htonl(RADIUS_STATUS_TYPE_STOP)) {
1408: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1409: return 0;
1410: }
1411:
1412:
1413: /* NAS IP */
1414: if (!radius_getattr(pack, &nasipattr, RADIUS_ATTR_NAS_IP_ADDRESS, 0, 0, 0)) {
1415: if ((nasipattr->l-2) != sizeof(appconn->nasip)) {
1416: log_err(0, "Wrong length of NAS IP address");
1417: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1418: }
1419: nasip = nasipattr->v.i;
1420: }
1421:
1422: /* NAS PORT */
1423: if (!radius_getattr(pack, &nasportattr, RADIUS_ATTR_NAS_PORT, 0, 0, 0)) {
1424: if ((nasportattr->l-2) != sizeof(appconn->nasport)) {
1425: log_err(0, "Wrong length of NAS port");
1426: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1427: }
1428: nasport = nasportattr->v.i;
1429: }
1430:
1431: /* Calling Station ID (MAC Address) */
1432: if (!radius_getattr(pack, &hismacattr, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0)) {
1433: if (options.debug) {
1434: log_dbg("Calling Station ID is: %.*s", hismacattr->l-2, hismacattr->v.t);
1435: }
1436: if ((macstrlen = (size_t)hismacattr->l-2) >= (RADIUS_ATTR_VLEN-1)) {
1437: log_err(0, "Wrong length of called station ID");
1438: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1439: }
1440: memcpy(macstr, hismacattr->v.t, macstrlen);
1441: macstr[macstrlen] = 0;
1442:
1443: /* Replace anything but hex with space */
1444: for (i=0; i<macstrlen; i++)
1445: if (!isxdigit(macstr[i])) macstr[i] = 0x20;
1446:
1447: if (sscanf (macstr, "%2x %2x %2x %2x %2x %2x",
1448: &temp[0], &temp[1], &temp[2],
1449: &temp[3], &temp[4], &temp[5]) != 6) {
1450: log_err(0,
1451: "Failed to convert Calling Station ID to MAC Address");
1452: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1453: }
1454:
1455: for(i = 0; i < PKT_ETH_ALEN; i++)
1456: hismac[i] = temp[i];
1457: }
1458:
1459: if (hismacattr) { /* Look for mac address.*/
1460: if (dhcp_hashget(dhcp, &dhcpconn, hismac)) {
1461: log_err(0, "Unknown connection");
1462: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1463: return 0;
1464: }
1465: if (!(dhcpconn->peer) || !((struct app_conn_t *)dhcpconn->peer)->uplink) {
1466: log_err(0,"No peer protocol defined");
1467: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1468: }
1469: appconn = (struct app_conn_t*) dhcpconn->peer;
1470: }
1471: else if (nasipattr && nasportattr) { /* Look for NAS IP / Port */
1472: if (getconn(&appconn, nasip, nasport)) {
1473: log_err(0, "Unknown connection");
1474: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1475: return 0;
1476: }
1477: }
1478: else {
1479: log_err(0,
1480: "Calling Station ID or NAS IP/Port is missing from radius request");
1481: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1482: return 0;
1483: }
1484:
1485: /* Silently ignore radius request if allready processing one */
1486: if (appconn->radiuswait) {
1487: if (appconn->radiuswait == 2) {
1488: log_dbg("Giving up on previous packet.. not dropping this one");
1489: appconn->radiuswait=0;
1490: } else {
1491: log_dbg("Dropping RADIUS while waiting");
1492: appconn->radiuswait++;
1493: return 0;
1494: }
1495: }
1496:
1497: /* TODO: Check validity of pointers */
1498:
1499: switch (appconn->dnprot) {
1500: case DNPROT_UAM:
1501: log_err(0,"Auth stop received for UAM");
1502: break;
1503: case DNPROT_WPA:
1504: dhcpconn = (struct dhcp_conn_t*) appconn->dnlink;
1505: if (!dhcpconn) {
1506: log_err(0,"No downlink protocol");
1507: return 0;
1508: }
1509: /* Connection is simply deleted */
1510: dhcp_freeconn(dhcpconn, RADIUS_TERMINATE_CAUSE_LOST_CARRIER);
1511: break;
1512: default:
1513: log_err(0,"Unhandled downlink protocol %d", appconn->dnprot);
1514: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1515: return 0;
1516: }
1517:
1518: radius_resp(radius, &radius_pack, peer, pack->authenticator);
1519:
1520: return 0;
1521: }
1522:
1523:
1524: int access_request(struct radius_packet_t *pack,
1525: struct sockaddr_in *peer) {
1526: int n;
1527: struct radius_packet_t radius_pack;
1528:
1529: struct ippoolm_t *ipm = NULL;
1530:
1531: struct radius_attr_t *hisipattr = NULL;
1532: struct radius_attr_t *nasipattr = NULL;
1533: struct radius_attr_t *nasportattr = NULL;
1534: struct radius_attr_t *hismacattr = NULL;
1535: struct radius_attr_t *uidattr = NULL;
1536: struct radius_attr_t *pwdattr = NULL;
1537: struct radius_attr_t *eapattr = NULL;
1538:
1539: struct in_addr hisip;
1540: char pwd[RADIUS_ATTR_VLEN];
1541: size_t pwdlen;
1542: uint8_t hismac[PKT_ETH_ALEN];
1543: char macstr[RADIUS_ATTR_VLEN];
1544: size_t macstrlen;
1545: unsigned int temp[PKT_ETH_ALEN];
1546: char mac[MACSTRLEN+1];
1547: int i;
1548:
1549: struct app_conn_t *appconn = NULL;
1550: struct dhcp_conn_t *dhcpconn = NULL;
1551:
1552: uint8_t resp[EAP_LEN]; /* EAP response */
1553: size_t resplen; /* Length of EAP response */
1554:
1555: size_t offset = 0;
1556: size_t eaplen = 0;
1557: int instance = 0;
1558:
1559: if (options.debug)
1560: log_dbg("RADIUS Access-Request received");
1561:
1562: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_REJECT)) {
1563: log_err(0, "radius_default_pack() failed");
1564: return -1;
1565: }
1566:
1567: radius_pack.id = pack->id;
1568:
1569: /* User is identified by either IP address OR MAC address */
1570:
1571: /* Framed IP address (Conditional) */
1572: if (!radius_getattr(pack, &hisipattr, RADIUS_ATTR_FRAMED_IP_ADDRESS, 0, 0, 0)) {
1573: if (options.debug) {
1574: log_dbg("Framed IP address is: ");
1575: for (n=0; n<hisipattr->l-2; n++) log_dbg("%.2x", hisipattr->v.t[n]);
1576: log_dbg("\n");
1577: }
1578: if ((hisipattr->l-2) != sizeof(hisip.s_addr)) {
1579: log_err(0, "Wrong length of framed IP address");
1580: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1581: }
1582: hisip.s_addr = hisipattr->v.i;
1583: }
1584:
1585: /* Calling Station ID: MAC Address (Conditional) */
1586: if (!radius_getattr(pack, &hismacattr, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0)) {
1587: if (options.debug) {
1588: log_dbg("Calling Station ID is: %.*s", hismacattr->l-2, hismacattr->v.t);
1589: }
1590: if ((macstrlen = (size_t)hismacattr->l-2) >= (RADIUS_ATTR_VLEN-1)) {
1591: log_err(0, "Wrong length of called station ID");
1592: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1593: }
1594: memcpy(macstr, hismacattr->v.t, macstrlen);
1595: macstr[macstrlen] = 0;
1596:
1597: /* Replace anything but hex with space */
1598: for (i=0; i<macstrlen; i++)
1599: if (!isxdigit(macstr[i])) macstr[i] = 0x20;
1600:
1601: if (sscanf (macstr, "%2x %2x %2x %2x %2x %2x",
1602: &temp[0], &temp[1], &temp[2],
1603: &temp[3], &temp[4], &temp[5]) != 6) {
1604: log_err(0, "Failed to convert Calling Station ID to MAC Address");
1605: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1606: }
1607:
1608: for(i = 0; i < PKT_ETH_ALEN; i++)
1609: hismac[i] = temp[i];
1610: }
1611:
1612: /* Framed IP address or MAC Address must be given in request */
1613: if ((!hisipattr) && (!hismacattr)) {
1614: log_err(0, "Framed IP address or Calling Station ID is missing from radius request");
1615: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1616: }
1617:
1618: /* Username (Mandatory) */
1619: if (radius_getattr(pack, &uidattr, RADIUS_ATTR_USER_NAME, 0, 0, 0)) {
1620: log_err(0, "User-Name is missing from radius request");
1621: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1622: }
1623:
1624: if (hisipattr) { /* Find user based on IP address */
1625: if (ippool_getip(ippool, &ipm, &hisip)) {
1626: log_err(0, "RADIUS-Request: IP Address not found");
1627: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1628: }
1629:
1630: if ((appconn = (struct app_conn_t *)ipm->peer) == NULL ||
1631: (dhcpconn = (struct dhcp_conn_t *)appconn->dnlink) == NULL) {
1632: log_err(0, "RADIUS-Request: No peer protocol defined");
1633: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1634: }
1635: }
1636: else if (hismacattr) { /* Look for mac address. If not found allocate new */
1637: if (dhcp_hashget(dhcp, &dhcpconn, hismac)) {
1638: if (dhcp_newconn(dhcp, &dhcpconn, hismac)) {
1639: log_err(0, "Out of connections");
1640: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1641: }
1642: }
1643: if (!(dhcpconn->peer)) {
1644: log_err(0, "No peer protocol defined");
1645: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1646: }
1647: appconn = (struct app_conn_t *)dhcpconn->peer;
1648: /*if (appconn->dnprot == DNPROT_DHCP_NONE)
1649: appconn->dnprot = DNPROT_WPA;*/
1650: }
1651: else {
1652: log_err(0, "Framed IP address or Calling Station ID is missing from radius request");
1653: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1654: }
1655:
1656: /* Silently ignore radius request if allready processing one */
1657: if (appconn->radiuswait) {
1658: if (appconn->radiuswait == 2) {
1659: log_dbg("Giving up on previous packet.. not dropping this one");
1660: appconn->radiuswait=0;
1661: } else {
1662: log_dbg("Dropping RADIUS while waiting");
1663: appconn->radiuswait++;
1664: return 0;
1665: }
1666: }
1667:
1668: /* Password */
1669: if (!radius_getattr(pack, &pwdattr, RADIUS_ATTR_USER_PASSWORD, 0, 0, 0)) {
1670: if (radius_pwdecode(radius, (uint8_t*) pwd, RADIUS_ATTR_VLEN, &pwdlen,
1671: pwdattr->v.t, pwdattr->l-2, pack->authenticator,
1672: radius->proxysecret,
1673: radius->proxysecretlen)) {
1674: log_err(0, "radius_pwdecode() failed");
1675: return -1;
1676: }
1677: if (options.debug) log_dbg("Password is: %s\n", pwd);
1678: }
1679:
1680: /* Get EAP message */
1681: resplen = 0;
1682: do {
1683: eapattr=NULL;
1684: if (!radius_getattr(pack, &eapattr, RADIUS_ATTR_EAP_MESSAGE, 0, 0,
1685: instance++)) {
1686: if ((resplen + (size_t)eapattr->l-2) > EAP_LEN) {
1687: log(LOG_INFO, "EAP message too long");
1688: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1689: }
1690: memcpy(resp + resplen, eapattr->v.t, (size_t)eapattr->l-2);
1691: resplen += (size_t)eapattr->l-2;
1692: }
1693: } while (eapattr);
1694:
1695:
1696: /* Passwd or EAP must be given in request */
1697: if ((!pwdattr) && (!resplen)) {
1698: log_err(0, "Password or EAP meaasge is missing from radius request");
1699: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1700: }
1701:
1702: /* ChilliSpot Notes:
1703: Dublicate logins should be allowed as it might be the terminal
1704: moving from one access point to another. It is however
1705: unacceptable to login with another username on top of an allready
1706: existing connection
1707:
1708: TODO: New username should be allowed, but should result in
1709: a accounting stop message for the old connection.
1710: this does however pose a denial of service attack possibility
1711:
1712: If allready logged in send back accept message with username
1713: TODO ? Should this be a reject: Dont login twice ?
1714: */
1715:
1716: /* Terminate previous session if trying to login with another username */
1717: if ((appconn->s_state.authenticated == 1) &&
1718: ((strlen(appconn->s_state.redir.username) != uidattr->l-2) ||
1719: (memcmp(appconn->s_state.redir.username, uidattr->v.t, uidattr->l-2)))) {
1720: terminate_appconn(appconn, RADIUS_TERMINATE_CAUSE_USER_REQUEST);
1721: /* DWB: But, let's not reject someone who is trying to authenticate under
1722: a new (potentially) valid account - that is for the up-stream RADIUS to discern
1723: return radius_resp(radius, &radius_pack, peer, pack->authenticator);*/
1724: }
1725:
1726: /* Radius auth only for DHCP */
1727: /*if ((appconn->dnprot != DNPROT_UAM) && (appconn->dnprot != DNPROT_WPA)) { */
1728: /*return radius_resp(radius, &radius_pack, peer, pack->authenticator);*/
1729: appconn->dnprot = DNPROT_WPA;
1730: /* }*/
1731:
1732: /* NAS IP */
1733: if (!radius_getattr(pack, &nasipattr, RADIUS_ATTR_NAS_IP_ADDRESS, 0, 0, 0)) {
1734: if ((nasipattr->l-2) != sizeof(appconn->nasip)) {
1735: log_err(0, "Wrong length of NAS IP address");
1736: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1737: }
1738: appconn->nasip = nasipattr->v.i;
1739: }
1740:
1741: /* NAS PORT */
1742: if (!radius_getattr(pack, &nasportattr, RADIUS_ATTR_NAS_PORT, 0, 0, 0)) {
1743: if ((nasportattr->l-2) != sizeof(appconn->nasport)) {
1744: log_err(0, "Wrong length of NAS port");
1745: return radius_resp(radius, &radius_pack, peer, pack->authenticator);
1746: }
1747: appconn->nasport = nasportattr->v.i;
1748: }
1749:
1750: /* Store parameters for later use */
1751: if (uidattr->l-2<=USERNAMESIZE) {
1752: strncpy(appconn->s_state.redir.username,
1753: (char *)uidattr->v.t, uidattr->l-2);
1754: }
1755:
1756: appconn->radiuswait = 1;
1757: appconn->radiusid = pack->id;
1758:
1759: if (pwdattr)
1760: appconn->authtype = PAP_PASSWORD;
1761: else
1762: appconn->authtype = EAP_MESSAGE;
1763:
1764: memcpy(&appconn->radiuspeer, peer, sizeof(*peer));
1765: memcpy(appconn->authenticator, pack->authenticator, RADIUS_AUTHLEN);
1766: memcpy(appconn->hismac, dhcpconn->hismac, PKT_ETH_ALEN);
1767: memcpy(appconn->ourmac, dhcpconn->ourmac, PKT_ETH_ALEN);
1768:
1769: /* Build up radius request */
1770: radius_pack.code = RADIUS_CODE_ACCESS_REQUEST;
1771: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_NAME, 0, 0, 0,
1772: uidattr->v.t, uidattr->l - 2);
1773:
1774: if (appconn->s_state.redir.statelen) {
1775: radius_addattr(radius, &radius_pack, RADIUS_ATTR_STATE, 0, 0, 0,
1776: appconn->s_state.redir.statebuf,
1777: appconn->s_state.redir.statelen);
1778: }
1779:
1780: if (pwdattr)
1781: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_PASSWORD, 0, 0, 0,
1782: (uint8_t*) pwd, pwdlen);
1783:
1784: /* Include EAP (if present) */
1785: offset = 0;
1786: while (offset < resplen) {
1787:
1788: if ((resplen - offset) > RADIUS_ATTR_VLEN)
1789: eaplen = RADIUS_ATTR_VLEN;
1790: else
1791: eaplen = resplen - offset;
1792:
1793: radius_addattr(radius, &radius_pack, RADIUS_ATTR_EAP_MESSAGE, 0, 0, 0,
1794: resp + offset, eaplen);
1795:
1796: offset += eaplen;
1797: }
1798:
1799: if (resplen) {
1800: if (options.wpaguests)
1801: radius_addattr(radius, &radius_pack, RADIUS_ATTR_VENDOR_SPECIFIC,
1802: RADIUS_VENDOR_CHILLISPOT, RADIUS_ATTR_CHILLISPOT_CONFIG,
1803: 0, (uint8_t*)"allow-wpa-guests", 16);
1804:
1805: radius_addattr(radius, &radius_pack, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
1806: 0, 0, 0, NULL, RADIUS_MD5LEN);
1807: }
1808:
1809: /* Include his MAC address */
1810: snprintf(mac, MACSTRLEN+1, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
1811: appconn->hismac[0], appconn->hismac[1],
1812: appconn->hismac[2], appconn->hismac[3],
1813: appconn->hismac[4], appconn->hismac[5]);
1814:
1815: radius_addattr(radius, &radius_pack, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0,
1816: (uint8_t*) mac, MACSTRLEN);
1817:
1818: radius_addcalledstation(radius, &radius_pack);
1819:
1820: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT_TYPE, 0, 0,
1821: options.radiusnasporttype, NULL, 0);
1822:
1823: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT, 0, 0,
1824: appconn->unit, NULL, 0);
1825:
1826: radius_addnasip(radius, &radius_pack);
1827:
1828: /* Include NAS-Identifier if given in configuration options */
1829: if (options.radiusnasid)
1830: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_IDENTIFIER, 0, 0, 0,
1831: (uint8_t*) options.radiusnasid, strlen(options.radiusnasid));
1832:
1833: return radius_req(radius, &radius_pack, appconn);
1834: }
1835:
1836:
1837: /*********************************************************
1838: *
1839: * radius proxy callback functions (request from radius server)
1840: *
1841: *********************************************************/
1842:
1843: /* Radius callback when radius request has been received */
1844: int cb_radius_ind(struct radius_t *rp, struct radius_packet_t *pack,
1845: struct sockaddr_in *peer) {
1846:
1847: if (rp != radius) {
1848: log_err(0, "Radius callback from unknown instance");
1849: return 0;
1850: }
1851:
1852: switch (pack->code) {
1853: case RADIUS_CODE_ACCOUNTING_REQUEST: /* TODO: Exclude ??? */
1854: return accounting_request(pack, peer);
1855: case RADIUS_CODE_ACCESS_REQUEST:
1856: return access_request(pack, peer);
1857: default:
1858: log_err(0, "Unsupported radius request received: %d", pack->code);
1859: return 0;
1860: }
1861: }
1862:
1863:
1864: int upprot_getip(struct app_conn_t *appconn,
1865: struct in_addr *hisip, int statip) {
1866: struct ippoolm_t *ipm;
1867:
1868: /* If IP address is allready allocated: Fill it in */
1869: /* This should only happen for UAM */
1870: /* TODO */
1871: if (appconn->uplink) {
1872: ipm = (struct ippoolm_t *)appconn->uplink;
1873: }
1874: else {
1875: /* Allocate static or dynamic IP address */
1876:
1877: if (newip(&ipm, hisip))
1878: return dnprot_reject(appconn);
1879:
1880: appconn->hisip.s_addr = ipm->addr.s_addr;
1881:
1882: /* TODO: Too many "listen" and "our" addresses having around */
1883: appconn->ourip.s_addr = options.dhcplisten.s_addr;
1884:
1885: appconn->uplink = ipm;
1886: ipm->peer = appconn;
1887: }
1888:
1889: return dnprot_accept(appconn);
1890:
1891: }
1892:
1893: void config_radius_session(struct session_params *params, struct radius_packet_t *pack, int reconfig) {
1894: struct radius_attr_t *attr = NULL;
1895:
1896: /* Session timeout */
1897: if (!radius_getattr(pack, &attr, RADIUS_ATTR_SESSION_TIMEOUT, 0, 0, 0))
1898: params->sessiontimeout = ntohl(attr->v.i);
1899: else if (!reconfig)
1900: params->sessiontimeout = 0;
1901:
1902: /* Idle timeout */
1903: if (!radius_getattr(pack, &attr, RADIUS_ATTR_IDLE_TIMEOUT, 0, 0, 0))
1904: params->idletimeout = ntohl(attr->v.i);
1905: else if (!reconfig)
1906: params->idletimeout = 0;
1907:
1908: /* Filter ID */
1909: if (!radius_getattr(pack, &attr, RADIUS_ATTR_FILTER_ID, 0, 0, 0)) {
1910: params->filteridlen = attr->l-2;
1911: memcpy(params->filteridbuf, attr->v.t, attr->l-2);
1912: params->filteridbuf[attr->l-2] = 0;
1913: }
1914: else if (!reconfig) {
1915: params->filteridlen = 0;
1916: params->filteridbuf[0] = 0;
1917: }
1918:
1919: /* Interim interval */
1920: if (!radius_getattr(pack, &attr, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 0, 0, 0)) {
1921: params->interim_interval = ntohl(attr->v.i);
1922: if (params->interim_interval < 60) {
1923: log_err(0, "Received too small radius Acct-Interim-Interval: %d; resettings to default.",
1924: params->interim_interval);
1925: params->interim_interval = options.definteriminterval;
1926: }
1927: }
1928: else if (!reconfig)
1929: params->interim_interval = 0;
1930:
1931: /* Bandwidth up */
1932: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1933: RADIUS_VENDOR_WISPR,
1934: RADIUS_ATTR_WISPR_BANDWIDTH_MAX_UP, 0))
1935: params->bandwidthmaxup = ntohl(attr->v.i);
1936: else if (!reconfig)
1937: params->bandwidthmaxup = 0;
1938:
1939: /* Bandwidth down */
1940: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1941: RADIUS_VENDOR_WISPR,
1942: RADIUS_ATTR_WISPR_BANDWIDTH_MAX_DOWN, 0))
1943: params->bandwidthmaxdown = ntohl(attr->v.i);
1944: else if (!reconfig)
1945: params->bandwidthmaxdown = 0;
1946:
1947: #ifdef RADIUS_ATTR_CHILLISPOT_BANDWIDTH_MAX_UP
1948: /* Bandwidth up */
1949: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1950: RADIUS_VENDOR_CHILLISPOT,
1951: RADIUS_ATTR_CHILLISPOT_BANDWIDTH_MAX_UP, 0))
1952: params->bandwidthmaxup = ntohl(attr->v.i) * 1000;
1953: #endif
1954:
1955: #ifdef RADIUS_ATTR_CHILLISPOT_BANDWIDTH_MAX_DOWN
1956: /* Bandwidth down */
1957: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1958: RADIUS_VENDOR_CHILLISPOT,
1959: RADIUS_ATTR_CHILLISPOT_BANDWIDTH_MAX_DOWN, 0))
1960: params->bandwidthmaxdown = ntohl(attr->v.i) * 1000;
1961: #endif
1962:
1963: /* Max input octets */
1964: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1965: RADIUS_VENDOR_CHILLISPOT,
1966: RADIUS_ATTR_CHILLISPOT_MAX_INPUT_OCTETS, 0))
1967: params->maxinputoctets = ntohl(attr->v.i);
1968: else if (!reconfig)
1969: params->maxinputoctets = 0;
1970:
1971: /* Max output octets */
1972: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1973: RADIUS_VENDOR_CHILLISPOT,
1974: RADIUS_ATTR_CHILLISPOT_MAX_OUTPUT_OCTETS, 0))
1975: params->maxoutputoctets = ntohl(attr->v.i);
1976: else if (!reconfig)
1977: params->maxoutputoctets = 0;
1978:
1979: /* Max total octets */
1980: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1981: RADIUS_VENDOR_CHILLISPOT,
1982: RADIUS_ATTR_CHILLISPOT_MAX_TOTAL_OCTETS, 0))
1983: params->maxtotaloctets = ntohl(attr->v.i);
1984: else if (!reconfig)
1985: params->maxtotaloctets = 0;
1986:
1987: /* Route Index, look-up by interface name */
1988: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
1989: RADIUS_VENDOR_CHILLISPOT,
1990: RADIUS_ATTR_CHILLISPOT_ROUTE_TO_INTERFACE, 0)) {
1991: char name[256];
1992: memcpy(name, attr->v.t, attr->l-2);
1993: name[attr->l-2] = 0;
1994: params->routeidx = tun_name2idx(tun, name);
1995: }
1996: else if (!reconfig) {
1997: params->routeidx = tun->routeidx;
1998: }
1999:
2000: {
2001: const char *uamauth = "require-uam-auth";
2002: const char *uamallowed = "uamallowed=";
2003: const char *splash = "splash";
2004: size_t offset = 0;
2005: int is_splash = 0;
2006:
2007: /* Always reset the per session passthroughs */
2008: params->pass_through_count = 0;
2009:
2010: while (!radius_getnextattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
2011: RADIUS_VENDOR_CHILLISPOT, RADIUS_ATTR_CHILLISPOT_CONFIG,
2012: 0, &offset)) {
2013: size_t len = (size_t)attr->l-2;
2014: char *val = (char *)attr->v.t;
2015:
2016: if (options.wpaguests && len == strlen(uamauth) && !memcmp(val, uamauth, len)) {
2017: log_dbg("received wpaguests");
2018: params->flags |= REQUIRE_UAM_AUTH;
2019: }
2020: else if (len == strlen(splash) && !memcmp(val, splash, strlen(splash))) {
2021: log_dbg("received splash response");
2022: params->flags |= REQUIRE_UAM_SPLASH;
2023: is_splash = 1;
2024: }
2025: else if (len > strlen(uamallowed) && !memcmp(val, uamallowed, strlen(uamallowed))) {
2026: val[len]=0;
2027: pass_throughs_from_string(params->pass_throughs,
2028: SESSION_PASS_THROUGH_MAX,
2029: ¶ms->pass_through_count,
2030: val + strlen(uamallowed));
2031: }
2032: }
2033:
2034: offset = 0;
2035: params->url[0]=0;
2036: while (!radius_getnextattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
2037: RADIUS_VENDOR_WISPR, RADIUS_ATTR_WISPR_REDIRECTION_URL,
2038: 0, &offset)) {
2039: size_t clen, nlen = (size_t)attr->l-2;
2040: char *url = (char*)attr->v.t;
2041: clen = strlen((char*)params->url);
2042:
2043: if (clen + nlen > sizeof(params->url)-1)
2044: nlen = sizeof(params->url)-clen-1;
2045:
2046: strncpy((char*)(params->url + clen), url, nlen);
2047: params->url[nlen+clen]=0;
2048:
2049: if (!splash)
2050: params->flags |= REQUIRE_REDIRECT;
2051: }
2052: }
2053:
2054: /* Session-Terminate-Time */
2055: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC,
2056: RADIUS_VENDOR_WISPR,
2057: RADIUS_ATTR_WISPR_SESSION_TERMINATE_TIME, 0)) {
2058: char attrs[RADIUS_ATTR_VLEN+1];
2059: struct tm stt;
2060: int tzhour, tzmin;
2061: char *tz;
2062: int result;
2063:
2064: memcpy(attrs, attr->v.t, attr->l-2);
2065: attrs[attr->l-2] = 0;
2066:
2067: memset(&stt, 0, sizeof(stt));
2068:
2069: result = sscanf(attrs, "%d-%d-%dT%d:%d:%d %d:%d",
2070: &stt.tm_year, &stt.tm_mon, &stt.tm_mday,
2071: &stt.tm_hour, &stt.tm_min, &stt.tm_sec,
2072: &tzhour, &tzmin);
2073:
2074: if (result == 8) { /* Timezone */
2075: /* tzhour and tzmin is hours and minutes east of GMT */
2076: /* timezone is defined as seconds west of GMT. Excludes DST */
2077: stt.tm_year -= 1900;
2078: stt.tm_mon -= 1;
2079: stt.tm_hour -= tzhour; /* Adjust for timezone */
2080: stt.tm_min -= tzmin; /* Adjust for timezone */
2081: /* stt.tm_hour += daylight;*/
2082: /*stt.tm_min -= (timezone / 60);*/
2083: tz = getenv("TZ");
2084: setenv("TZ", "", 1); /* Set environment to UTC */
2085: tzset();
2086: params->sessionterminatetime = mktime(&stt);
2087: if (tz)
2088: setenv("TZ", tz, 1);
2089: else
2090: unsetenv("TZ");
2091: tzset();
2092: }
2093: else if (result >= 6) { /* Local time */
2094: tzset();
2095: stt.tm_year -= 1900;
2096: stt.tm_mon -= 1;
2097: stt.tm_isdst = -1; /*daylight;*/
2098: params->sessionterminatetime = mktime(&stt);
2099: }
2100: else {
2101: params->sessionterminatetime = 0;
2102: log(LOG_WARNING, "Illegal WISPr-Session-Terminate-Time received: %s", attrs);
2103: }
2104: }
2105: else if (!reconfig)
2106: params->sessionterminatetime = 0;
2107: }
2108:
2109: static int chilliauth_cb(struct radius_t *radius,
2110: struct radius_packet_t *pack,
2111: struct radius_packet_t *pack_req, void *cbp) {
2112: struct radius_attr_t *attr = NULL;
2113: size_t offset = 0;
2114:
2115: if (!pack) {
2116: log_err(0, "Radius request timed out");
2117: return 0;
2118: }
2119:
2120: if ((pack->code != RADIUS_CODE_ACCESS_REJECT) &&
2121: (pack->code != RADIUS_CODE_ACCESS_CHALLENGE) &&
2122: (pack->code != RADIUS_CODE_ACCESS_ACCEPT)) {
2123: log_err(0, "Unknown radius access reply code %d", pack->code);
2124: return 0;
2125: }
2126:
2127: /* ACCESS-ACCEPT */
2128: if (pack->code != RADIUS_CODE_ACCESS_ACCEPT) {
2129: log_err(0, "Administrative-User Login Failed");
2130: return 0;
2131: }
2132:
2133: while (!radius_getnextattr(pack, &attr,
2134: RADIUS_ATTR_VENDOR_SPECIFIC,
2135: RADIUS_VENDOR_CHILLISPOT,
2136: RADIUS_ATTR_CHILLISPOT_CONFIG,
2137: 0, &offset)) {
2138: char value[RADIUS_ATTR_VLEN+1] = "";
2139: strncpy(value, (const char *)attr->v.t, attr->l - 2);
2140:
2141: /* build the command line argv here and pass to config parser! */
2142: /* XXX */
2143: printf("%s\n", value);
2144: }
2145:
2146: if (!admin_session.s_state.authenticated) {
2147: admin_session.s_state.authenticated = 1;
2148: acct_req(&admin_session, RADIUS_STATUS_TYPE_START);
2149: }
2150:
2151: return 0;
2152: }
2153:
2154: int cb_radius_acct_conf(struct radius_t *radius,
2155: struct radius_packet_t *pack,
2156: struct radius_packet_t *pack_req, void *cbp) {
2157: struct app_conn_t *appconn = (struct app_conn_t*) cbp;
2158: if (!appconn) {
2159: log_err(0,"No peer protocol defined");
2160: return 0;
2161: }
2162: config_radius_session(&appconn->s_params, pack, 1); /*XXX*/
2163: return 0;
2164: }
2165:
2166: /*********************************************************
2167: *
2168: * radius callback functions (response from radius server)
2169: *
2170: *********************************************************/
2171:
2172: /* Radius callback when access accept/reject/challenge has been received */
2173: int cb_radius_auth_conf(struct radius_t *radius,
2174: struct radius_packet_t *pack,
2175: struct radius_packet_t *pack_req, void *cbp) {
2176: struct radius_attr_t *hisipattr = NULL;
2177: struct radius_attr_t *lmntattr = NULL;
2178: struct radius_attr_t *sendattr = NULL;
2179: struct radius_attr_t *recvattr = NULL;
2180: struct radius_attr_t *succattr = NULL;
2181: struct radius_attr_t *policyattr = NULL;
2182: struct radius_attr_t *typesattr = NULL;
2183:
2184: struct radius_attr_t *eapattr = NULL;
2185: struct radius_attr_t *stateattr = NULL;
2186: struct radius_attr_t *classattr = NULL;
2187:
2188: int instance = 0;
2189: struct in_addr *hisip = NULL;
2190: int statip = 0;
2191:
2192: struct app_conn_t *appconn = (struct app_conn_t*) cbp;
2193:
2194: if (options.debug)
2195: log_dbg("Received access request confirmation from radius server\n");
2196:
2197: if (!appconn) {
2198: log_err(0,"No peer protocol defined");
2199: return 0;
2200: }
2201:
2202: /* Initialise */
2203: appconn->s_state.redir.statelen = 0;
2204: appconn->challen = 0;
2205: appconn->sendlen = 0;
2206: appconn->recvlen = 0;
2207: appconn->lmntlen = 0;
2208:
2209:
2210: if (!pack) { /* Timeout */
2211: log_err(0, "Radius request timed out");
2212: return dnprot_reject(appconn);
2213: }
2214:
2215: /* ACCESS-REJECT */
2216: if (pack->code == RADIUS_CODE_ACCESS_REJECT) {
2217: if (options.debug)
2218: log_dbg("Received access reject from radius server");
2219: config_radius_session(&appconn->s_params, pack, 0); /*XXX*/
2220: return dnprot_reject(appconn);
2221: }
2222:
2223: /* Get State */
2224: if (!radius_getattr(pack, &stateattr, RADIUS_ATTR_STATE, 0, 0, 0)) {
2225: appconn->s_state.redir.statelen = stateattr->l-2;
2226: memcpy(appconn->s_state.redir.statebuf, stateattr->v.t, stateattr->l-2);
2227: }
2228:
2229: /* ACCESS-CHALLENGE */
2230: if (pack->code == RADIUS_CODE_ACCESS_CHALLENGE) {
2231: if (options.debug)
2232: log_dbg("Received access challenge from radius server");
2233:
2234: /* Get EAP message */
2235: appconn->challen = 0;
2236: do {
2237: eapattr=NULL;
2238: if (!radius_getattr(pack, &eapattr, RADIUS_ATTR_EAP_MESSAGE, 0, 0, instance++)) {
2239: if ((appconn->challen + eapattr->l-2) > EAP_LEN) {
2240: log(LOG_INFO, "EAP message too long");
2241: return dnprot_reject(appconn);
2242: }
2243: memcpy(appconn->chal+appconn->challen, eapattr->v.t, eapattr->l-2);
2244: appconn->challen += eapattr->l-2;
2245: }
2246: } while (eapattr);
2247:
2248: if (!appconn->challen) {
2249: log(LOG_INFO, "No EAP message found");
2250: return dnprot_reject(appconn);
2251: }
2252:
2253: return dnprot_challenge(appconn);
2254: }
2255:
2256: /* ACCESS-ACCEPT */
2257: if (pack->code != RADIUS_CODE_ACCESS_ACCEPT) {
2258: log_err(0, "Unknown code of radius access request confirmation");
2259: return dnprot_reject(appconn);
2260: }
2261:
2262: /* Class */
2263: if (!radius_getattr(pack, &classattr, RADIUS_ATTR_CLASS, 0, 0, 0)) {
2264: appconn->s_state.redir.classlen = classattr->l-2;
2265: memcpy(appconn->s_state.redir.classbuf, classattr->v.t, classattr->l-2);
2266: /*log_dbg("!!!! CLASSLEN = %d !!!!", appconn->s_state.redir.classlen);*/
2267: }
2268: else {
2269: /*log_dbg("!!!! RESET CLASSLEN !!!!");*/
2270: appconn->s_state.redir.classlen = 0;
2271: }
2272:
2273: /* Framed IP address (Optional) */
2274: if (!radius_getattr(pack, &hisipattr, RADIUS_ATTR_FRAMED_IP_ADDRESS, 0, 0, 0)) {
2275: if ((hisipattr->l-2) != sizeof(struct in_addr)) {
2276: log_err(0, "Wrong length of framed IP address");
2277: return dnprot_reject(appconn);
2278: }
2279: hisip = (struct in_addr*) &(hisipattr->v.i);
2280: statip = 1;
2281: }
2282: else {
2283: hisip = (struct in_addr*) &appconn->reqip.s_addr;
2284: }
2285:
2286: config_radius_session(&appconn->s_params, pack, 0);
2287:
2288: if (options.dhcpradius) {
2289: struct dhcp_conn_t *dhcpconn = (struct dhcp_conn_t *)appconn->dnlink;
2290: struct radius_attr_t *attr = NULL;
2291: if (dhcpconn) {
2292: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC, RADIUS_VENDOR_CHILLISPOT,
2293: RADIUS_ATTR_CHILLISPOT_DHCP_SERVER_NAME, 0)) {
2294: memcpy(dhcpconn->dhcp_opts.sname, attr->v.t, attr->l-2);
2295: }
2296: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC, RADIUS_VENDOR_CHILLISPOT,
2297: RADIUS_ATTR_CHILLISPOT_DHCP_FILENAME, 0)) {
2298: memcpy(dhcpconn->dhcp_opts.file, attr->v.t, attr->l-2);
2299: }
2300: if (!radius_getattr(pack, &attr, RADIUS_ATTR_VENDOR_SPECIFIC, RADIUS_VENDOR_CHILLISPOT,
2301: RADIUS_ATTR_CHILLISPOT_DHCP_OPTION, 0)) {
2302: memcpy(dhcpconn->dhcp_opts.options, attr->v.t,
2303: dhcpconn->dhcp_opts.option_length = attr->l-2);
2304: }
2305: }
2306: }
2307:
2308: if (appconn->s_params.sessionterminatetime) {
2309: time_t timenow = mainclock;
2310: if (timenow > appconn->s_params.sessionterminatetime) {
2311: log(LOG_WARNING, "WISPr-Session-Terminate-Time in the past received, rejecting");
2312: return dnprot_reject(appconn);
2313: }
2314: }
2315:
2316: #ifdef LEAKY_BUCKET
2317: if (appconn->s_params.bandwidthmaxup) {
2318: #ifdef BUCKET_SIZE
2319: appconn->s_state.bucketupsize = BUCKET_SIZE;
2320: #else
2321: appconn->s_state.bucketupsize = appconn->s_params.bandwidthmaxup / 8000 * BUCKET_TIME;
2322: if (appconn->s_state.bucketupsize < BUCKET_SIZE_MIN)
2323: appconn->s_state.bucketupsize = BUCKET_SIZE_MIN;
2324: #endif
2325: }
2326: #endif
2327:
2328: #ifdef LEAKY_BUCKET
2329: if (appconn->s_params.bandwidthmaxdown) {
2330: #ifdef BUCKET_SIZE
2331: appconn->s_state.bucketdownsize = BUCKET_SIZE;
2332: #else
2333: appconn->s_state.bucketdownsize = appconn->s_params.bandwidthmaxdown / 8000 * BUCKET_TIME;
2334: if (appconn->s_state.bucketdownsize < BUCKET_SIZE_MIN)
2335: appconn->s_state.bucketdownsize = BUCKET_SIZE_MIN;
2336: #endif
2337: }
2338: #endif
2339:
2340: /* EAP Message */
2341: appconn->challen = 0;
2342: do {
2343: eapattr=NULL;
2344: if (!radius_getattr(pack, &eapattr, RADIUS_ATTR_EAP_MESSAGE, 0, 0,
2345: instance++)) {
2346: if ((appconn->challen + eapattr->l-2) > EAP_LEN) {
2347: log(LOG_INFO, "EAP message too long");
2348: return dnprot_reject(appconn);
2349: }
2350: memcpy(appconn->chal+appconn->challen,
2351: eapattr->v.t, eapattr->l-2);
2352: appconn->challen += eapattr->l-2;
2353: }
2354: } while (eapattr);
2355:
2356: /* Get sendkey */
2357: if (!radius_getattr(pack, &sendattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2358: RADIUS_VENDOR_MS,
2359: RADIUS_ATTR_MS_MPPE_SEND_KEY, 0)) {
2360: if (radius_keydecode(radius, appconn->sendkey, RADIUS_ATTR_VLEN, &appconn->sendlen,
2361: (uint8_t *)&sendattr->v.t, sendattr->l-2,
2362: pack_req->authenticator,
2363: radius->secret, radius->secretlen)) {
2364: log_err(0, "radius_keydecode() failed!");
2365: return dnprot_reject(appconn);
2366: }
2367: }
2368:
2369: /* Get recvkey */
2370: if (!radius_getattr(pack, &recvattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2371: RADIUS_VENDOR_MS,
2372: RADIUS_ATTR_MS_MPPE_RECV_KEY, 0)) {
2373: if (radius_keydecode(radius, appconn->recvkey, RADIUS_ATTR_VLEN, &appconn->recvlen,
2374: (uint8_t *)&recvattr->v.t, recvattr->l-2,
2375: pack_req->authenticator,
2376: radius->secret, radius->secretlen) ) {
2377: log_err(0, "radius_keydecode() failed!");
2378: return dnprot_reject(appconn);
2379: }
2380: }
2381:
2382: /* Get LMNT keys */
2383: if (!radius_getattr(pack, &lmntattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2384: RADIUS_VENDOR_MS,
2385: RADIUS_ATTR_MS_CHAP_MPPE_KEYS, 0)) {
2386:
2387: /* TODO: Check length of vendor attributes */
2388: if (radius_pwdecode(radius, appconn->lmntkeys, RADIUS_MPPEKEYSSIZE,
2389: &appconn->lmntlen, (uint8_t *)&lmntattr->v.t,
2390: lmntattr->l-2, pack_req->authenticator,
2391: radius->secret, radius->secretlen)) {
2392: log_err(0, "radius_pwdecode() failed");
2393: return dnprot_reject(appconn);
2394: }
2395: }
2396:
2397: /* Get encryption policy */
2398: if (!radius_getattr(pack, &policyattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2399: RADIUS_VENDOR_MS,
2400: RADIUS_ATTR_MS_MPPE_ENCRYPTION_POLICY, 0)) {
2401: appconn->policy = ntohl(policyattr->v.i);
2402: }
2403:
2404: /* Get encryption types */
2405: if (!radius_getattr(pack, &typesattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2406: RADIUS_VENDOR_MS,
2407: RADIUS_ATTR_MS_MPPE_ENCRYPTION_TYPES, 0)) {
2408: appconn->types = ntohl(typesattr->v.i);
2409: }
2410:
2411:
2412: /* Get MS_Chap_v2 SUCCESS */
2413: if (!radius_getattr(pack, &succattr, RADIUS_ATTR_VENDOR_SPECIFIC,
2414: RADIUS_VENDOR_MS,
2415: RADIUS_ATTR_MS_CHAP2_SUCCESS, 0)) {
2416: if ((succattr->l-5) != MS2SUCCSIZE) {
2417: log_err(0, "Wrong length of MS-CHAP2 success: %d", succattr->l-5);
2418: return dnprot_reject(appconn);
2419: }
2420: memcpy(appconn->ms2succ, ((void*)&succattr->v.t)+3, MS2SUCCSIZE);
2421: }
2422:
2423: /* for the admin session */
2424: if (appconn->is_adminsession) {
2425: return chilliauth_cb(radius, pack, pack_req, cbp);
2426: }
2427:
2428: switch(appconn->authtype) {
2429:
2430: case PAP_PASSWORD:
2431: appconn->policy = 0; /* TODO */
2432: break;
2433:
2434: case EAP_MESSAGE:
2435: if (!appconn->challen) {
2436: log(LOG_INFO, "No EAP message found");
2437: return dnprot_reject(appconn);
2438: }
2439: break;
2440:
2441: case CHAP_DIGEST_MD5:
2442: appconn->policy = 0; /* TODO */
2443: break;
2444:
2445: case CHAP_MICROSOFT:
2446: if (!lmntattr) {
2447: log(LOG_INFO, "No MPPE keys found");
2448: return dnprot_reject(appconn);
2449: }
2450: if (!succattr) {
2451: log_err(0, "No MS-CHAP2 success found");
2452: return dnprot_reject(appconn);
2453: }
2454: break;
2455:
2456: case CHAP_MICROSOFT_V2:
2457: if (!sendattr) {
2458: log(LOG_INFO, "No MPPE sendkey found");
2459: return dnprot_reject(appconn);
2460: }
2461:
2462: if (!recvattr) {
2463: log(LOG_INFO, "No MPPE recvkey found");
2464: return dnprot_reject(appconn);
2465: }
2466:
2467: break;
2468:
2469: default:
2470: log_err(0, "Unknown authtype");
2471: return dnprot_reject(appconn);
2472: }
2473:
2474: return upprot_getip(appconn, hisip, statip);
2475: }
2476:
2477:
2478: /* Radius callback when coa or disconnect request has been received */
2479: int cb_radius_coa_ind(struct radius_t *radius, struct radius_packet_t *pack,
2480: struct sockaddr_in *peer) {
2481: struct app_conn_t *appconn;
2482: struct radius_attr_t *uattr = NULL;
2483: struct radius_attr_t *sattr = NULL;
2484: struct radius_packet_t radius_pack;
2485: int found = 0;
2486: int iscoa = 0;
2487:
2488: if (options.debug)
2489: log_dbg("Received coa or disconnect request\n");
2490:
2491: if (pack->code != RADIUS_CODE_DISCONNECT_REQUEST &&
2492: pack->code != RADIUS_CODE_COA_REQUEST) {
2493: log_err(0, "Radius packet not supported: %d,\n", pack->code);
2494: return -1;
2495: }
2496:
2497: iscoa = pack->code == RADIUS_CODE_COA_REQUEST;
2498:
2499: /* Get username */
2500: if (radius_getattr(pack, &uattr, RADIUS_ATTR_USER_NAME, 0, 0, 0)) {
2501: log_warn(0, "Username must be included in disconnect request");
2502: return -1;
2503: }
2504:
2505: if (!radius_getattr(pack, &sattr, RADIUS_ATTR_ACCT_SESSION_ID, 0, 0, 0))
2506: if (options.debug)
2507: log_dbg("Session-id present in disconnect. Only disconnecting that session\n");
2508:
2509:
2510: if (options.debug)
2511: log_dbg("Looking for session [username=%.*s,sessionid=%.*s]",
2512: uattr->l-2, uattr->v.t, sattr ? sattr->l-2 : 3, sattr ? (char*)sattr->v.t : "all");
2513:
2514: for (appconn = firstusedconn; appconn; appconn = appconn->next) {
2515: if (!appconn->inuse) { log_err(0, "Connection with inuse == 0!"); }
2516:
2517: if ((appconn->s_state.authenticated) &&
2518: (strlen(appconn->s_state.redir.username) == uattr->l-2 &&
2519: !memcmp(appconn->s_state.redir.username, uattr->v.t, uattr->l-2)) &&
2520: (!sattr ||
2521: (strlen(appconn->s_state.sessionid) == sattr->l-2 &&
2522: !strncasecmp(appconn->s_state.sessionid, (char*)sattr->v.t, sattr->l-2)))) {
2523:
2524: if (options.debug)
2525: log_dbg("Found session\n");
2526:
2527: if (iscoa)
2528: config_radius_session(&appconn->s_params, pack, 0);
2529: else
2530: terminate_appconn(appconn, RADIUS_TERMINATE_CAUSE_ADMIN_RESET);
2531:
2532: found = 1;
2533: }
2534: }
2535:
2536: if (found) {
2537: if (radius_default_pack(radius, &radius_pack,
2538: iscoa ? RADIUS_CODE_COA_ACK : RADIUS_CODE_DISCONNECT_ACK)) {
2539: log_err(0, "radius_default_pack() failed");
2540: return -1;
2541: }
2542: }
2543: else {
2544: if (radius_default_pack(radius, &radius_pack,
2545: iscoa ? RADIUS_CODE_COA_NAK : RADIUS_CODE_DISCONNECT_NAK)) {
2546: log_err(0, "radius_default_pack() failed");
2547: return -1;
2548: }
2549: }
2550:
2551: radius_pack.id = pack->id;
2552: (void) radius_coaresp(radius, &radius_pack, peer, pack->authenticator);
2553:
2554: return 0;
2555: }
2556:
2557:
2558: /***********************************************************
2559: *
2560: * dhcp callback functions
2561: *
2562: ***********************************************************/
2563:
2564: /* DHCP callback for allocating new IP address */
2565: /* In the case of WPA it is allready allocated,
2566: * for UAM address is allocated before authentication */
2567: int cb_dhcp_request(struct dhcp_conn_t *conn, struct in_addr *addr,
2568: struct dhcp_fullpacket_t *dhcp_pkt, size_t dhcp_len) {
2569: struct app_conn_t *appconn = conn->peer;
2570: struct ippoolm_t *ipm;
2571:
2572: if (options.debug)
2573: log_dbg("DHCP request for IP address");
2574:
2575: if (!appconn) {
2576: log_err(0, "Peer protocol not defined");
2577: return -1;
2578: }
2579:
2580: /* if uamanyip is on we have to filter out which ip's are allowed */
2581: if (options.uamanyip && addr && addr->s_addr) {
2582: if ((addr->s_addr & ipv4ll_mask.s_addr) == ipv4ll_ip.s_addr) {
2583: /* clients with an IPv4LL ip normally have no default gw assigned, rendering uamanyip useless
2584: They must rather get a proper dynamic ip via dhcp */
2585: log_dbg("IPv4LL/APIPA address requested, ignoring");
2586: return -1;
2587: }
2588: }
2589:
2590: appconn->reqip.s_addr = addr->s_addr; /* Save for MAC auth later */
2591:
2592: if (appconn->uplink) {
2593:
2594: /*
2595: * IP Address is already known and allocated.
2596: */
2597: ipm = (struct ippoolm_t*) appconn->uplink;
2598:
2599: } else if ((options.macoklen) &&
2600: (appconn->dnprot == DNPROT_DHCP_NONE) &&
2601: !maccmp(conn->hismac)) {
2602:
2603: /*
2604: * When using macallowed option, and hismac matches.
2605: */
2606: appconn->dnprot = DNPROT_MAC;
2607:
2608: if (options.macallowlocal) {
2609:
2610: /*
2611: * Local MAC allowed list, authenticate without RADIUS.
2612: */
2613: upprot_getip(appconn, &appconn->reqip, 0);/**/
2614: dnprot_accept(appconn);
2615: log_info("Granted MAC=%.2X-%.2X-%.2X-%.2X-%.2X-%.2X with IP=%s access without radius auth" ,
2616: conn->hismac[0], conn->hismac[1],
2617: conn->hismac[2], conn->hismac[3],
2618: conn->hismac[4], conn->hismac[5],
2619: inet_ntoa(appconn->hisip));
2620: } else {
2621:
2622: /*
2623: * Otherwise, authenticate with RADIUS.
2624: */
2625: macauth_radius(appconn, dhcp_pkt, dhcp_len);
2626: }
2627:
2628: return -1;
2629:
2630: } else if ((options.macauth) &&
2631: (appconn->dnprot == DNPROT_DHCP_NONE)) {
2632:
2633: /*
2634: * Using macauth option to authenticate via RADIUS.
2635: */
2636: appconn->dnprot = DNPROT_MAC;
2637:
2638: macauth_radius(appconn, dhcp_pkt, dhcp_len);
2639:
2640: return -1;
2641:
2642: } else {
2643:
2644: if (appconn->dnprot != DNPROT_DHCP_NONE) {
2645: log_warn(0, "Requested IP address when already allocated");
2646: }
2647:
2648: /* Allocate dynamic IP address */
2649: /*XXX if (ippool_newip(ippool, &ipm, &appconn->reqip, 0)) {*/
2650: if (newip(&ipm, &appconn->reqip)) {
2651: log_err(0, "Failed allocate dynamic IP address");
2652: return -1;
2653: }
2654:
2655: appconn->hisip.s_addr = ipm->addr.s_addr;
2656:
2657: log(LOG_NOTICE, "Client MAC=%.2X-%.2X-%.2X-%.2X-%.2X-%.2X assigned IP %s" ,
2658: conn->hismac[0], conn->hismac[1],
2659: conn->hismac[2], conn->hismac[3],
2660: conn->hismac[4], conn->hismac[5],
2661: inet_ntoa(appconn->hisip));
2662:
2663: /* TODO: Too many "listen" and "our" addresses hanging around */
2664: appconn->ourip.s_addr = options.dhcplisten.s_addr;
2665:
2666: appconn->uplink = ipm;
2667: ipm->peer = appconn;
2668: }
2669:
2670: dhcp_set_addrs(conn,
2671: &ipm->addr, &options.mask,
2672: &appconn->ourip, &appconn->mask,
2673: &options.dns1, &options.dns2,
2674: options.domain);
2675:
2676: /* if not already authenticated, ensure DNAT authstate */
2677: if (!appconn->s_state.authenticated)
2678: conn->authstate = DHCP_AUTH_DNAT;
2679:
2680: /* If IP was requested before authentication it was UAM */
2681: if (appconn->dnprot == DNPROT_DHCP_NONE)
2682: appconn->dnprot = DNPROT_UAM;
2683:
2684: return 0;
2685: }
2686:
2687: /* DHCP callback for establishing new connection */
2688: int cb_dhcp_connect(struct dhcp_conn_t *conn) {
2689: struct app_conn_t *appconn;
2690:
2691: log(LOG_NOTICE, "New DHCP request from MAC=%.2X-%.2X-%.2X-%.2X-%.2X-%.2X" ,
2692: conn->hismac[0], conn->hismac[1],
2693: conn->hismac[2], conn->hismac[3],
2694: conn->hismac[4], conn->hismac[5]);
2695:
2696: if (options.debug)
2697: log_dbg("New DHCP connection established");
2698:
2699: /* Allocate new application connection */
2700: if (newconn(&appconn)) {
2701: log_err(0, "Failed to allocate connection");
2702: return 0;
2703: }
2704:
2705: appconn->dnlink = conn;
2706: appconn->dnprot = DNPROT_DHCP_NONE;
2707: conn->peer = appconn;
2708:
2709: appconn->net.s_addr = options.net.s_addr;
2710: appconn->mask.s_addr = options.mask.s_addr;
2711: appconn->dns1.s_addr = options.dns1.s_addr;
2712: appconn->dns2.s_addr = options.dns2.s_addr;
2713:
2714: memcpy(appconn->hismac, conn->hismac, PKT_ETH_ALEN);
2715: memcpy(appconn->ourmac, conn->ourmac, PKT_ETH_ALEN);
2716:
2717: set_sessionid(appconn);
2718:
2719: conn->authstate = DHCP_AUTH_NONE; /* TODO: Not yet authenticated */
2720:
2721: return 0;
2722: }
2723:
2724: int cb_dhcp_getinfo(struct dhcp_conn_t *conn, bstring b, int fmt) {
2725: time_t timenow = mainclock;
2726: struct app_conn_t *appconn;
2727: uint32_t sessiontime = 0;
2728: uint32_t idletime = 0;
2729:
2730: if (!conn->peer) return 2;
2731: appconn = (struct app_conn_t*) conn->peer;
2732: if (!appconn->inuse) return 2;
2733:
2734: if (appconn->s_state.authenticated) {
2735: sessiontime = timenow - appconn->s_state.start_time;
2736: idletime = timenow - appconn->s_state.last_time;
2737: }
2738:
2739: switch(fmt) {
2740: case LIST_JSON_FMT:
2741: if (appconn->s_state.authenticated)
2742: session_json_fmt(&appconn->s_state, &appconn->s_params, b, 0);
2743: break;
2744: default:
2745: {
2746: bstring tmp = bfromcstr("");
2747: bassignformat(tmp, " %.*s %d %.*s %d/%d %d/%d %.*s",
2748: appconn->s_state.sessionid[0] ? strlen(appconn->s_state.sessionid) : 1,
2749: appconn->s_state.sessionid[0] ? appconn->s_state.sessionid : "-",
2750: appconn->s_state.authenticated,
2751: appconn->s_state.redir.username[0] ? strlen(appconn->s_state.redir.username) : 1,
2752: appconn->s_state.redir.username[0] ? appconn->s_state.redir.username : "-",
2753: sessiontime, (int)appconn->s_params.sessiontimeout,
2754: idletime, (int)appconn->s_params.idletimeout,
2755: appconn->s_state.redir.userurl[0] ? strlen(appconn->s_state.redir.userurl) : 1,
2756: appconn->s_state.redir.userurl[0] ? appconn->s_state.redir.userurl : "-");
2757: bconcat(b, tmp);
2758: bdestroy(tmp);
2759: }
2760: }
2761: return 0;
2762: }
2763:
2764: int terminate_appconn(struct app_conn_t *appconn, int terminate_cause) {
2765: if (appconn->s_state.authenticated == 1) { /* Only send accounting if logged in */
2766: dnprot_terminate(appconn);
2767: appconn->s_state.terminate_cause = terminate_cause;
2768: acct_req(appconn, RADIUS_STATUS_TYPE_STOP);
2769:
2770: /* should memory be cleared here?? */
2771: memset(&appconn->s_params, 0, sizeof(appconn->s_params));
2772: set_sessionid(appconn);
2773: }
2774: return 0;
2775: }
2776:
2777: /* Callback when a dhcp connection is deleted */
2778: int cb_dhcp_disconnect(struct dhcp_conn_t *conn, int term_cause) {
2779: struct app_conn_t *appconn;
2780:
2781: log(LOG_INFO, "DHCP addr released by MAC=%.2X-%.2X-%.2X-%.2X-%.2X-%.2X IP=%s",
2782: conn->hismac[0], conn->hismac[1],
2783: conn->hismac[2], conn->hismac[3],
2784: conn->hismac[4], conn->hismac[5],
2785: inet_ntoa(conn->hisip));
2786:
2787: if (options.debug) log_dbg("DHCP connection removed");
2788:
2789: if (!conn->peer) return 0; /* No appconn allocated. Stop here */
2790: appconn = (struct app_conn_t*) conn->peer;
2791:
2792: if ((appconn->dnprot != DNPROT_DHCP_NONE) &&
2793: (appconn->dnprot != DNPROT_UAM) &&
2794: (appconn->dnprot != DNPROT_MAC) &&
2795: (appconn->dnprot != DNPROT_WPA) &&
2796: (appconn->dnprot != DNPROT_EAPOL)) {
2797: return 0; /* DNPROT_WPA and DNPROT_EAPOL are unaffected by dhcp release? */
2798: }
2799:
2800: terminate_appconn(appconn,
2801: term_cause ? term_cause :
2802: appconn->s_state.terminate_cause ?
2803: appconn->s_state.terminate_cause :
2804: RADIUS_TERMINATE_CAUSE_LOST_CARRIER);
2805:
2806: /* ALPAPAD */
2807: if (appconn->uplink) {
2808: if (options.uamanyip) {
2809: struct ippoolm_t *member = (struct ippoolm_t *) appconn->uplink;
2810: if (member->inuse == 2) {
2811: struct in_addr mask;
2812: mask.s_addr = 0xffffffff;
2813: log_dbg("Removing route: %s %d\n", inet_ntoa(member->addr),
2814: net_del_route(&member->addr, &appconn->ourip, &mask));
2815: }
2816: }
2817: if (ippool_freeip(ippool, (struct ippoolm_t *) appconn->uplink)) {
2818: log_err(0, "ippool_freeip() failed!");
2819: }
2820: }
2821:
2822: freeconn(appconn);
2823:
2824: return 0;
2825: }
2826:
2827:
2828: /* Callback for receiving messages from dhcp */
2829: int cb_dhcp_data_ind(struct dhcp_conn_t *conn, void *pack, size_t len) {
2830: struct app_conn_t *appconn = conn->peer;
2831: /*struct dhcp_ethhdr_t *ethh = (struct dhcp_ethhdr_t *)pack;*/
2832: struct pkt_ipphdr_t *ipph = (struct pkt_ipphdr_t *)((char*)pack + PKT_ETH_HLEN);
2833:
2834: /*if (options.debug)
2835: log_dbg("cb_dhcp_data_ind. Packet received. DHCP authstate: %d\n",
2836: conn->authstate);*/
2837:
2838: if (ipph->saddr != conn->hisip.s_addr) {
2839: if (options.debug)
2840: log_dbg("Received packet with spoofed source!");
2841: return 0;
2842: }
2843:
2844: if (!appconn) {
2845: log_err(0, "No peer protocol defined");
2846: return -1;
2847: }
2848:
2849: switch (appconn->dnprot) {
2850: case DNPROT_NULL:
2851: case DNPROT_DHCP_NONE:
2852: return -1;
2853:
2854: case DNPROT_UAM:
2855: case DNPROT_WPA:
2856: case DNPROT_MAC:
2857: case DNPROT_EAPOL:
2858: break;
2859:
2860: default:
2861: log_err(0, "Unknown downlink protocol: %d", appconn->dnprot);
2862: break;
2863: }
2864:
2865: /* If the ip dst is uamlisten and pdst is uamport we won't call leaky_bucket,
2866: * and we always send these packets through to the tun/tap interface (index 0)
2867: */
2868: if (ipph->daddr == options.uamlisten.s_addr &&
2869: (ipph->dport == htons(options.uamport) ||
2870: ipph->dport == htons(options.uamuiport)))
2871: return tun_encaps(tun, pack, len, 0);
2872:
2873: if (appconn->s_state.authenticated == 1) {
2874:
2875: #ifndef LEAKY_BUCKET
2876: appconn->s_state.last_time = mainclock;
2877: #endif
2878:
2879: #ifdef LEAKY_BUCKET
2880: #ifndef COUNT_UPLINK_DROP
2881: if (leaky_bucket(appconn, len, 0)) return 0;
2882: #endif
2883: #endif
2884: if (options.swapoctets) {
2885: appconn->s_state.input_packets++;
2886: appconn->s_state.input_octets +=len;
2887: if (admin_session.s_state.authenticated) {
2888: admin_session.s_state.input_packets++;
2889: admin_session.s_state.input_octets+=len;
2890: }
2891: } else {
2892: appconn->s_state.output_packets++;
2893: appconn->s_state.output_octets +=len;
2894: if (admin_session.s_state.authenticated) {
2895: admin_session.s_state.output_packets++;
2896: admin_session.s_state.output_octets+=len;
2897: }
2898: }
2899: #ifdef LEAKY_BUCKET
2900: #ifdef COUNT_UPLINK_DROP
2901: if (leaky_bucket(appconn, len, 0)) return 0;
2902: #endif
2903: #endif
2904: }
2905:
2906: return tun_encaps(tun, pack, len, appconn->s_params.routeidx);
2907: }
2908:
2909: /* Callback for receiving messages from eapol */
2910: int cb_dhcp_eap_ind(struct dhcp_conn_t *conn, void *pack, size_t len) {
2911: struct eap_packet_t *eap = (struct eap_packet_t *)pack;
2912: struct app_conn_t *appconn = conn->peer;
2913: struct radius_packet_t radius_pack;
2914: char mac[MACSTRLEN+1];
2915: size_t offset;
2916:
2917: if (options.debug) log_dbg("EAP Packet received");
2918:
2919: /* If this is the first EAPOL authentication request */
2920: if ((appconn->dnprot == DNPROT_DHCP_NONE) ||
2921: (appconn->dnprot == DNPROT_EAPOL)) {
2922: if ((eap->code == 2) && /* Response */
2923: (eap->type == 1) && /* Identity */
2924: (len > 5) && /* Must be at least 5 octets */
2925: ((len - 5) <= USERNAMESIZE )) {
2926: memcpy(appconn->s_state.redir.username, eap->payload, len - 5);
2927: appconn->dnprot = DNPROT_EAPOL;
2928: appconn->authtype = EAP_MESSAGE;
2929: }
2930: else if (appconn->dnprot == DNPROT_DHCP_NONE) {
2931: log_err(0, "Initial EAP response was not a valid identity response!");
2932: return 0;
2933: }
2934: }
2935:
2936: /* Return if not EAPOL */
2937: if (appconn->dnprot != DNPROT_EAPOL) {
2938: log_warn(0, "Received EAP message, processing for authentication");
2939: appconn->dnprot = DNPROT_EAPOL;
2940: return 0;
2941: }
2942:
2943: if (radius_default_pack(radius, &radius_pack, RADIUS_CODE_ACCESS_REQUEST)) {
2944: log_err(0, "radius_default_pack() failed");
2945: return -1;
2946: }
2947:
2948: /* Build up radius request */
2949: radius_pack.code = RADIUS_CODE_ACCESS_REQUEST;
2950:
2951: radius_addattr(radius, &radius_pack, RADIUS_ATTR_USER_NAME, 0, 0, 0,
2952: (uint8_t*) appconn->s_state.redir.username,
2953: strlen(appconn->s_state.redir.username));
2954:
2955: if (appconn->s_state.redir.statelen) {
2956: radius_addattr(radius, &radius_pack, RADIUS_ATTR_STATE, 0, 0, 0,
2957: appconn->s_state.redir.statebuf,
2958: appconn->s_state.redir.statelen);
2959: }
2960:
2961: /* Include EAP (if present) */
2962: offset = 0;
2963: while (offset < len) {
2964: size_t eaplen;
2965:
2966: if ((len - offset) > RADIUS_ATTR_VLEN)
2967: eaplen = RADIUS_ATTR_VLEN;
2968: else
2969: eaplen = len - offset;
2970:
2971: radius_addattr(radius, &radius_pack, RADIUS_ATTR_EAP_MESSAGE, 0, 0, 0,
2972: pack + offset, eaplen);
2973:
2974: offset += eaplen;
2975: }
2976:
2977: if (len)
2978: radius_addattr(radius, &radius_pack, RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
2979: 0, 0, 0, NULL, RADIUS_MD5LEN);
2980:
2981: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT_TYPE, 0, 0,
2982: options.radiusnasporttype, NULL, 0);
2983:
2984: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_PORT, 0, 0,
2985: appconn->unit, NULL, 0);
2986:
2987: radius_addnasip(radius, &radius_pack);
2988:
2989: snprintf(mac, MACSTRLEN+1, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
2990: appconn->hismac[0], appconn->hismac[1],
2991: appconn->hismac[2], appconn->hismac[3],
2992: appconn->hismac[4], appconn->hismac[5]);
2993:
2994: radius_addattr(radius, &radius_pack, RADIUS_ATTR_CALLING_STATION_ID, 0, 0, 0,
2995: (uint8_t*) mac, MACSTRLEN);
2996:
2997: radius_addcalledstation(radius, &radius_pack);
2998:
2999: /* Include NAS-Identifier if given in configuration options */
3000: if (options.radiusnasid)
3001: radius_addattr(radius, &radius_pack, RADIUS_ATTR_NAS_IDENTIFIER, 0, 0, 0,
3002: (uint8_t*) options.radiusnasid,
3003: strlen(options.radiusnasid));
3004:
3005: return radius_req(radius, &radius_pack, appconn);
3006: }
3007:
3008:
3009: /***********************************************************
3010: *
3011: * uam message handling functions
3012: *
3013: ***********************************************************/
3014:
3015: int static uam_msg(struct redir_msg_t *msg) {
3016:
3017: struct ippoolm_t *ipm;
3018: struct app_conn_t *appconn = NULL;
3019: struct dhcp_conn_t* dhcpconn;
3020:
3021: if (ippool_getip(ippool, &ipm, &msg->mdata.addr)) {
3022: if (options.debug)
3023: log_dbg("UAM login with unknown IP address: %s", inet_ntoa(msg->mdata.addr));
3024: return 0;
3025: }
3026:
3027: if ((appconn = (struct app_conn_t *)ipm->peer) == NULL ||
3028: (dhcpconn = (struct dhcp_conn_t *)appconn->dnlink) == NULL) {
3029: log_err(0, "No peer protocol defined");
3030: return 0;
3031: }
3032:
3033: if (msg->mdata.opt & REDIR_MSG_OPT_REDIR)
3034: memcpy(&appconn->s_state.redir, &msg->mdata.redir, sizeof(msg->mdata.redir));
3035:
3036: if (msg->mdata.opt & REDIR_MSG_OPT_PARAMS)
3037: memcpy(&appconn->s_params, &msg->mdata.params, sizeof(msg->mdata.params));
3038:
3039: switch(msg->mtype) {
3040:
3041: case REDIR_LOGIN:
3042: if (appconn->uamabort) {
3043: log_info("UAM login from username=%s IP=%s was aborted!",
3044: msg->mdata.redir.username, inet_ntoa(appconn->hisip));
3045: appconn->uamabort = 0;
3046: return 0;
3047: }
3048:
3049: log_info("Successful UAM login from username=%s IP=%s",
3050: msg->mdata.redir.username, inet_ntoa(appconn->hisip));
3051:
3052: /* Initialise */
3053: appconn->s_params.routeidx = tun->routeidx;
3054: appconn->s_state.redir.statelen = 0;
3055: appconn->challen = 0;
3056: appconn->sendlen = 0;
3057: appconn->recvlen = 0;
3058: appconn->lmntlen = 0;
3059:
3060: memcpy(appconn->hismac, dhcpconn->hismac, PKT_ETH_ALEN);
3061: memcpy(appconn->ourmac, dhcpconn->ourmac, PKT_ETH_ALEN);
3062:
3063: appconn->policy = 0; /* TODO */
3064:
3065: #ifdef LEAKY_BUCKET
3066: #ifdef BUCKET_SIZE
3067: appconn->s_state.bucketupsize = BUCKET_SIZE;
3068: #else
3069: appconn->s_state.bucketupsize = appconn->s_params.bandwidthmaxup / 8000 * BUCKET_TIME;
3070: if (appconn->s_state.bucketupsize < BUCKET_SIZE_MIN)
3071: appconn->s_state.bucketupsize = BUCKET_SIZE_MIN;
3072: #endif
3073: #endif
3074:
3075: #ifdef LEAKY_BUCKET
3076: #ifdef BUCKET_SIZE
3077: appconn->s_state.bucketdownsize = BUCKET_SIZE;
3078: #else
3079: appconn->s_state.bucketdownsize = appconn->s_params.bandwidthmaxdown / 8000 * BUCKET_TIME;
3080: if (appconn->s_state.bucketdownsize < BUCKET_SIZE_MIN)
3081: appconn->s_state.bucketdownsize = BUCKET_SIZE_MIN;
3082: #endif
3083: #endif
3084:
3085: return upprot_getip(appconn, NULL, 0);
3086:
3087: case REDIR_LOGOUT:
3088:
3089: log_info("Received UAM logoff from username=%s IP=%s",
3090: appconn->s_state.redir.username, inet_ntoa(appconn->hisip));
3091:
3092: if (options.debug)
3093: log_dbg("Received logoff from UAM\n");
3094:
3095: if (appconn->s_state.authenticated == 1) {
3096: terminate_appconn(appconn, RADIUS_TERMINATE_CAUSE_USER_REQUEST);
3097: appconn->s_state.uamtime = 0;
3098: appconn->s_params.sessiontimeout = 0;
3099: appconn->s_params.idletimeout = 0;
3100: }
3101:
3102: appconn->s_state.uamtime = mainclock;
3103: dhcpconn->authstate = DHCP_AUTH_DNAT;
3104: appconn->uamabort = 0;
3105:
3106: break;
3107:
3108: case REDIR_ABORT:
3109:
3110: log_info("Received UAM abort from IP=%s", inet_ntoa(appconn->hisip));
3111:
3112: appconn->uamabort = 1; /* Next login will be aborted */
3113: appconn->s_state.uamtime = 0; /* Force generation of new challenge */
3114: dhcpconn->authstate = DHCP_AUTH_DNAT;
3115:
3116: terminate_appconn(appconn, RADIUS_TERMINATE_CAUSE_USER_REQUEST);
3117:
3118: break;
3119:
3120: case REDIR_CHALLENGE:
3121: appconn->s_state.uamtime = mainclock;
3122: appconn->uamabort = 0;
3123: break;
3124:
3125: case REDIR_NOTYET:
3126: break;
3127: }
3128:
3129: return 0;
3130: }
3131:
3132: static int cmdsock_accept(int sock) {
3133: struct sockaddr_un remote;
3134: struct cmdsock_request req;
3135:
3136: bstring s = 0;
3137: size_t len;
3138: int csock;
3139: int rval = 0;
3140:
3141: if (options.debug)
3142: log_dbg("Processing cmdsock request...\n");
3143:
3144: len = sizeof(remote);
3145: if ((csock = accept(sock, (struct sockaddr *)&remote, &len)) == -1) {
3146: perror("cmdsock_accept()/accept()");
3147: return -1;
3148: }
3149:
3150: if (read(csock, &req, sizeof(req)) != sizeof(req)) {
3151: perror("cmdsock_accept()/read()");
3152: close(csock);
3153: return -1;
3154: }
3155:
3156: switch(req.type) {
3157:
3158: case CMDSOCK_DHCP_LIST:
3159: s = bfromcstr("");
3160: if (dhcp) dhcp_list(dhcp, s, 0, 0,
3161: req.options & CMDSOCK_OPT_JSON ?
3162: LIST_JSON_FMT : LIST_SHORT_FMT);
3163: write(csock, s->data, s->slen);
3164: break;
3165:
3166: case CMDSOCK_DHCP_DROP:
3167: case CMDSOCK_DHCP_RELEASE:
3168: if (dhcp) dhcp_release_mac(dhcp, req.data.mac, RADIUS_TERMINATE_CAUSE_ADMIN_RESET);
3169: break;
3170:
3171: case CMDSOCK_LIST:
3172: s = bfromcstr("");
3173: if (dhcp) dhcp_list(dhcp, s, 0, 0,
3174: req.options & CMDSOCK_OPT_JSON ?
3175: LIST_JSON_FMT : LIST_LONG_FMT);
3176: write(csock, s->data, s->slen);
3177: break;
3178:
3179: case CMDSOCK_SHOW:
3180: /*ToDo*/
3181: break;
3182:
3183: case CMDSOCK_ROUTE_SET:
3184: {
3185: struct dhcp_conn_t *conn = dhcp->firstusedconn;
3186: log_dbg("looking to authorized session %s",inet_ntoa(req.data.sess.ip));
3187: while (conn && conn->inuse) {
3188: if (conn->peer) {
3189: struct app_conn_t * appconn = (struct app_conn_t*)conn->peer;
3190: if (!memcmp(appconn->hismac, req.data.mac, 6)) {
3191: log_dbg("routeidx %s %d",appconn->s_state.sessionid, req.data.sess.params.routeidx);
3192: appconn->s_params.routeidx = req.data.sess.params.routeidx;
3193: break;
3194: }
3195: }
3196: conn = conn->next;
3197: }
3198: }
3199: /* drop through */
3200: case CMDSOCK_ROUTE:
3201: {
3202: int i;
3203: bstring b = bfromcstr("routes:\n");
3204: write(csock, b->data, b->slen);
3205: for (i=0; i<tun->_interface_count; i++) {
3206: bassignformat(b, "idx: %d dev: %s%s\n",
3207: i, tun->_interfaces[i].devname,
3208: i == 0 ? " (tun/tap)":"");
3209: write(csock, b->data, b->slen);
3210: }
3211:
3212: {
3213: struct dhcp_conn_t *conn = dhcp->firstusedconn;
3214: bassignformat(b, "subscribers:\n");
3215: write(csock, b->data, b->slen);
3216: while (conn) {
3217: struct app_conn_t *appconn = (struct app_conn_t *)conn->peer;
3218: bassignformat(b, "mac: %.2X-%.2X-%.2X-%.2X-%.2X-%.2X -> idx: %d\n",
3219: appconn->hismac[0], appconn->hismac[1],
3220: appconn->hismac[2], appconn->hismac[3],
3221: appconn->hismac[4], appconn->hismac[5],
3222: appconn->s_params.routeidx);
3223: write(csock, b->data, b->slen);
3224: conn = conn->next;
3225: }
3226: }
3227: bdestroy(b);
3228: }
3229: break;
3230:
3231: case CMDSOCK_AUTHORIZE:
3232: if (dhcp) {
3233: struct dhcp_conn_t *dhcpconn = dhcp->firstusedconn;
3234: log_dbg("looking to authorized session %s",inet_ntoa(req.data.sess.ip));
3235: while (dhcpconn && dhcpconn->inuse) {
3236: if (dhcpconn->peer) {
3237: struct app_conn_t * appconn = (struct app_conn_t*) dhcpconn->peer;
3238: if ( (req.data.sess.ip.s_addr == 0 || appconn->hisip.s_addr == req.data.sess.ip.s_addr) &&
3239: (req.data.sess.sessionid[0] == 0 || !strcmp(appconn->s_state.sessionid,req.data.sess.sessionid))
3240: ){
3241: char *uname = req.data.sess.username;
3242: log_dbg("remotely authorized session %s",appconn->s_state.sessionid);
3243: memcpy(&appconn->s_params, &req.data.sess.params, sizeof(req.data.sess.params));
3244: if (uname[0]) strncpy(appconn->s_state.redir.username, uname, USERNAMESIZE);
3245: dnprot_accept(appconn);
3246: break;
3247: }
3248: }
3249: dhcpconn = dhcpconn->next;
3250: }
3251: }
3252: break;
3253:
3254: default:
3255: perror("unknown command");
3256: close(csock);
3257: rval = -1;
3258: }
3259:
3260: if (s) bdestroy(s);
3261: shutdown(csock, 2);
3262: close(csock);
3263:
3264: return rval;
3265: }
3266:
3267: /* Function that will create and write a status file in statedir*/
3268: int printstatus(struct app_conn_t *appconn) {
3269: char *statedir = options.statedir ? options.statedir : DEFSTATEDIR;
3270: struct app_conn_t *apptemp;
3271: FILE *file;
3272: char filedest[512];
3273: time_t timenow = mainclock;
3274: struct stat statbuf;
3275:
3276: if (!options.usestatusfile)
3277: return 0;
3278:
3279: if (strlen(statedir)>sizeof(filedest)-1)
3280: return -1;
3281:
3282: if (stat(statedir, &statbuf)) {
3283: log_err(errno, "statedir (%s) does not exist", statedir);
3284: return -1;
3285: }
3286:
3287: if (!S_ISDIR(statbuf.st_mode)) {
3288: log_err(0, "statedir (%s) not a directory", statedir);
3289: return -1;
3290: }
3291:
3292: strcpy(filedest, statedir);
3293: strcat(filedest, "/chillispot.state");
3294:
3295: file = fopen(filedest, "w");
3296: if (!file) { log_err(errno, "could not open file %s", filedest); return -1; }
3297: fprintf(file, "#Version:1.1\n");
3298: fprintf(file, "#SessionID = SID\n#Start-Time = ST\n");
3299: fprintf(file, "#SessionTimeOut = STO\n#SessionTerminateTime = STT\n");
3300: fprintf(file, "#Timestamp: %d\n", timenow);
3301: fprintf(file, "#User, IP, MAC, SID, ST, STO, STT\n");
3302: if(appconn == NULL)
3303: {
3304: fclose(file);
3305: return 0;
3306: }
3307: apptemp = appconn;
3308: while(apptemp != NULL)
3309: {
3310: if(apptemp->s_state.authenticated==1)
3311: {
3312: fprintf(file, "%s, %s, %.2X-%.2X-%.2X-%.2X-%.2X-%.2X, %s, %d, %d, %d\n",
3313: apptemp->s_state.redir.username,
3314: inet_ntoa(apptemp->hisip),
3315: apptemp->hismac[0], apptemp->hismac[1],
3316: apptemp->hismac[2], apptemp->hismac[3],
3317: apptemp->hismac[4], apptemp->hismac[5],
3318: apptemp->s_state.sessionid,
3319: apptemp->s_state.start_time,
3320: apptemp->s_params.sessiontimeout,
3321: apptemp->s_params.sessionterminatetime);
3322: }
3323: apptemp = apptemp->prev;
3324: }
3325: apptemp = appconn->next;
3326: while(apptemp != NULL)
3327: {
3328: if(apptemp->s_state.authenticated==1)
3329: {
3330: fprintf(file, "%s, %s, %.2X-%.2X-%.2X-%.2X-%.2X-%.2X, %s, %d, %d, %d\n",
3331: apptemp->s_state.redir.username,
3332: inet_ntoa(apptemp->hisip),
3333: apptemp->hismac[0], apptemp->hismac[1],
3334: apptemp->hismac[2], apptemp->hismac[3],
3335: apptemp->hismac[4], apptemp->hismac[5],
3336: apptemp->s_state.sessionid,
3337: apptemp->s_state.start_time,
3338: apptemp->s_params.sessiontimeout,
3339: apptemp->s_params.sessionterminatetime);
3340: }
3341: apptemp = apptemp->next;
3342: }
3343: fclose(file);
3344: return 0;
3345: }
3346:
3347: static void fixup_options() {
3348: /*
3349: * If we have no nasmac configured, lets default it here, after creating the dhcp
3350: */
3351: if (!options.nasmac) {
3352: char mac[24];
3353:
3354: sprintf(mac, "%.2X-%.2X-%.2X-%.2X-%.2X-%.2X",
3355: dhcp->ipif.hwaddr[0],dhcp->ipif.hwaddr[1],dhcp->ipif.hwaddr[2],
3356: dhcp->ipif.hwaddr[3],dhcp->ipif.hwaddr[4],dhcp->ipif.hwaddr[5]);
3357:
3358: options.nasmac = strdup(mac);
3359: }
3360:
3361: }
3362:
3363: int chilli_main(int argc, char **argv) {
3364:
3365: int maxfd = 0; /* For select() */
3366: fd_set fds; /* For select() */
3367: struct timeval idleTime; /* How long to select() */
3368: int status;
3369: int msgresult;
3370:
3371: struct redir_msg_t msg;
3372: struct sigaction act;
3373: /* struct itimerval itval; */
3374: int lastSecond = 0, thisSecond;
3375:
3376: int cmdsock = -1;
3377:
3378: /* open a connection to the syslog daemon */
3379: /*openlog(PACKAGE, LOG_PID, LOG_DAEMON);*/
3380: openlog(PACKAGE, (LOG_PID | LOG_PERROR), LOG_DAEMON);
3381:
3382: /* Process options given in configuration file and command line */
3383: if (process_options(argc, argv, 0))
3384: exit(1);
3385:
3386: /* foreground */
3387: /* If flag not given run as a daemon */
3388: if (!options.foreground) {
3389: /* Close the standard file descriptors. */
3390: /* Is this really needed ? */
3391: freopen("/dev/null", "w", stdout);
3392: freopen("/dev/null", "w", stderr);
3393: freopen("/dev/null", "r", stdin);
3394: if (daemon(1, 1)) {
3395: log_err(errno, "daemon() failed!");
3396: }
3397: }
3398:
3399: if (options.logfacility<0||options.logfacility>LOG_NFACILITIES)
3400: options.logfacility=LOG_FAC(LOG_LOCAL6);
3401:
3402: closelog();
3403: openlog(PACKAGE, LOG_PID, (options.logfacility<<3));
3404:
3405: /* This has to be done after we have our final pid */
3406: log_pid((options.pidfile && *options.pidfile) ? options.pidfile : DEFPIDFILE);
3407:
3408: if (options.debug)
3409: log_dbg("ChilliSpot version %s started.\n", VERSION);
3410:
3411: syslog(LOG_INFO, "CoovaChilli(ChilliSpot) %s. Copyright 2002-2005 Mondru AB. Licensed under GPL. "
3412: "Copyright 2006-2008 David Bird <dbird@acm.org>. Licensed under GPL. "
3413: "See http://coova.org/ for details.", VERSION);
3414:
3415: mainclock = time(0);
3416:
3417: printstatus(NULL);
3418:
3419: /* Create a tunnel interface */
3420: if (tun_new(&tun)) {
3421: log_err(0, "Failed to create tun");
3422: exit(1);
3423: }
3424:
3425: /*tun_setaddr(tun, &options.dhcplisten, &options.net, &options.mask);*/
3426: tun_setaddr(tun, &options.dhcplisten, &options.dhcplisten, &options.mask);
3427: tun_set_cb_ind(tun, cb_tun_ind);
3428:
3429: if (tun) tun_maxfd(tun, maxfd);
3430: if (options.ipup) tun_runscript(tun, options.ipup);
3431:
3432:
3433: /* Create an instance of dhcp */
3434: if (dhcp_new(&dhcp, APP_NUM_CONN, options.dhcpif,
3435: options.dhcpusemac, options.dhcpmac, options.dhcpusemac,
3436: &options.dhcplisten, options.lease, 1,
3437: &options.uamlisten, options.uamport,
3438: options.eapolenable)) {
3439: log_err(0, "Failed to create dhcp");
3440: exit(1);
3441: }
3442:
3443: net_maxfd(&dhcp->ipif, maxfd);
3444: net_maxfd(&dhcp->arpif, maxfd);
3445: net_maxfd(&dhcp->eapif, maxfd);
3446:
3447: fd_max(dhcp->relayfd, maxfd);
3448:
3449: dhcp_set_cb_request(dhcp, cb_dhcp_request);
3450: dhcp_set_cb_connect(dhcp, cb_dhcp_connect);
3451: dhcp_set_cb_disconnect(dhcp, cb_dhcp_disconnect);
3452: dhcp_set_cb_data_ind(dhcp, cb_dhcp_data_ind);
3453: dhcp_set_cb_eap_ind(dhcp, cb_dhcp_eap_ind);
3454: dhcp_set_cb_getinfo(dhcp, cb_dhcp_getinfo);
3455:
3456: if (dhcp_set(dhcp, (options.debug & DEBUG_DHCP))) {
3457: log_err(0, "Failed to set DHCP parameters");
3458: exit(1);
3459: }
3460:
3461: fixup_options();
3462:
3463: /* Create an instance of radius */
3464: if (radius_new(&radius,
3465: &options.radiuslisten, options.coaport, options.coanoipcheck,
3466: &options.proxylisten, options.proxyport,
3467: &options.proxyaddr, &options.proxymask,
3468: options.proxysecret)) {
3469: log_err(0, "Failed to create radius");
3470: return -1;
3471: }
3472:
3473: if (radius->fd > maxfd)
3474: maxfd = radius->fd;
3475:
3476: if ((radius->proxyfd != -1) && (radius->proxyfd > maxfd))
3477: maxfd = radius->proxyfd;
3478:
3479: radius_set(radius, dhcp ? dhcp->ipif.hwaddr : 0, (options.debug & DEBUG_RADIUS));
3480: radius_set_cb_auth_conf(radius, cb_radius_auth_conf);
3481: radius_set_cb_coa_ind(radius, cb_radius_coa_ind);
3482: radius_set_cb_ind(radius, cb_radius_ind);
3483:
3484: if (options.acct_update)
3485: radius_set_cb_acct_conf(radius, cb_radius_acct_conf);
3486:
3487: /* Initialise connections */
3488: initconn();
3489:
3490: /* Allocate ippool for dynamic IP address allocation */
3491: if (ippool_new(&ippool,
3492: options.dynip,
3493: options.dhcpstart,
3494: options.dhcpend,
3495: options.statip,
3496: options.allowdyn,
3497: options.allowstat)) {
3498: log_err(0, "Failed to allocate IP pool!");
3499: exit(1);
3500: }
3501:
3502: /* Create an instance of redir */
3503: if (redir_new(&redir, &options.uamlisten, options.uamport, options.uamuiport)) {
3504: log_err(0, "Failed to create redir");
3505: return -1;
3506: }
3507:
3508: if (redir->fd[0] > maxfd) maxfd = redir->fd[0];
3509: if (redir->fd[1] > maxfd) maxfd = redir->fd[1];
3510: redir_set(redir, (options.debug));
3511: redir_set_cb_getstate(redir, cb_redir_getstate);
3512:
3513: memset(&admin_session, 0, sizeof(admin_session));
3514: memcpy(admin_session.ourmac, dhcp->ipif.hwaddr, sizeof(dhcp->ipif.hwaddr));
3515: acct_req(&admin_session, RADIUS_STATUS_TYPE_ACCOUNTING_ON);
3516:
3517: if (options.adminuser) {
3518: admin_session.is_adminsession = 1;
3519: strncpy(admin_session.s_state.redir.username,
3520: options.adminuser, sizeof(admin_session.s_state.redir.username));
3521: set_sessionid(&admin_session);
3522: chilliauth_radius(radius);
3523: }
3524:
3525: if (options.cmdsocket) {
3526: cmdsock = cmdsock_init();
3527: if (cmdsock > 0)
3528: maxfd = cmdsock;
3529: }
3530:
3531: /* Set up signal handlers */
3532: memset(&act, 0, sizeof(act));
3533:
3534: act.sa_handler = fireman;
3535: sigaction(SIGCHLD, &act, NULL);
3536:
3537: act.sa_handler = termination_handler;
3538: sigaction(SIGTERM, &act, NULL);
3539: sigaction(SIGINT, &act, NULL);
3540:
3541: act.sa_handler = sighup_handler;
3542: sigaction(SIGHUP, &act, NULL);
3543:
3544: /*
3545: act.sa_handler = alarm_handler;
3546: sigaction(SIGALRM, &act, NULL);
3547:
3548: memset(&itval, 0, sizeof(itval));
3549: itval.it_interval.tv_sec = 0;
3550: itval.it_interval.tv_usec = 500000; / * TODO 0.5 second * /
3551: itval.it_value.tv_sec = 0;
3552: itval.it_value.tv_usec = 500000; / * TODO 0.5 second * /
3553:
3554: if (setitimer(ITIMER_REAL, &itval, NULL)) {
3555: log_err(errno, "setitimer() failed!");
3556: }
3557: */
3558:
3559: /* setup IPv4LL/APIPA network ip and mask for uamanyip exception */
3560: inet_aton("169.254.0.0", &ipv4ll_ip);
3561: inet_aton("255.255.0.0", &ipv4ll_mask);
3562:
3563: if (options.debug)
3564: log_dbg("Waiting for client request...");
3565:
3566:
3567: /******************************************************************/
3568: /* Main select loop */
3569: /******************************************************************/
3570:
3571: mainclock = time(0);
3572: while (keep_going) {
3573:
3574: if (do_sighup) {
3575: reprocess_options(argc, argv);
3576: fixup_options();
3577:
3578: do_sighup = 0;
3579:
3580: /* Reinit DHCP parameters */
3581: if (dhcp)
3582: dhcp_set(dhcp, (options.debug & DEBUG_DHCP));
3583:
3584: /* Reinit RADIUS parameters */
3585: radius_set(radius, dhcp ? dhcp->ipif.hwaddr : 0, (options.debug & DEBUG_RADIUS));
3586:
3587: /* Reinit Redir parameters */
3588: redir_set(redir, options.debug);
3589:
3590: if (options.adminuser)
3591: chilliauth_radius(radius);
3592: }
3593:
3594: if (lastSecond != (thisSecond = mainclock) /*do_timeouts*/) {
3595: radius_timeout(radius);
3596:
3597: if (dhcp)
3598: dhcp_timeout(dhcp);
3599:
3600: checkconn();
3601: lastSecond = thisSecond;
3602: /*do_timeouts = 0;*/
3603: }
3604:
3605: fd_zero(&fds);
3606:
3607: if (tun) tun_fdset(tun, &fds);
3608: if (dhcp) {
3609: net_fdset(&dhcp->ipif, &fds);
3610: #if defined(__linux__)
3611: net_fdset(&dhcp->arpif, &fds);
3612: net_fdset(&dhcp->eapif, &fds);
3613: fd_set(dhcp->relayfd, &fds);
3614: #endif
3615: }
3616:
3617: fd_set(radius->fd, &fds);
3618: fd_set(radius->proxyfd, &fds);
3619: fd_set(redir->fd[0], &fds);
3620: fd_set(redir->fd[1], &fds);
3621: fd_set(cmdsock, &fds);
3622:
3623: idleTime.tv_sec = 0; /*IDLETIME;*/
3624: idleTime.tv_usec = 500;
3625: /*radius_timeleft(radius, &idleTime);
3626: if (dhcp) dhcp_timeleft(dhcp, &idleTime);*/
3627: switch (status = select(maxfd + 1, &fds, NULL, NULL, &idleTime /* NULL */)) {
3628: case -1:
3629: if (EINTR != errno) {
3630: log_err(errno, "select() returned -1!");
3631: }
3632: break;
3633: case 0:
3634: default:
3635: break;
3636: }
3637:
3638: mainclock = time(0);
3639:
3640: if ((msgresult =
3641: TEMP_FAILURE_RETRY(msgrcv(redir->msgid, (struct msgbuf *)&msg,
3642: sizeof(msg.mdata), 0, IPC_NOWAIT))) == -1) {
3643: if ((errno != EAGAIN) && (errno != ENOMSG))
3644: log_err(errno, "msgrcv() failed!");
3645: }
3646:
3647: if (msgresult > 0)
3648: uam_msg(&msg);
3649:
3650: if (status > 0) {
3651:
3652: if (tun) tun_ckset(tun, &fds);
3653:
3654: if (dhcp) {
3655:
3656: if (fd_isset(dhcp->relayfd, &fds) && dhcp_relay_decaps(dhcp) < 0)
3657: log_err(0, "dhcp_relay_decaps() failed!");
3658:
3659: #if defined(__linux__)
3660:
3661: if (net_isset(&dhcp->ipif, &fds) && dhcp_decaps(dhcp) < 0)
3662: log_err(0, "dhcp_decaps() failed!");
3663:
3664: if (net_isset(&dhcp->arpif, &fds) && dhcp_arp_ind(dhcp) < 0)
3665: log_err(0, "dhcp_arpind() failed!");
3666:
3667: if (net_isset(&dhcp->eapif, &fds) && dhcp_eapol_ind(dhcp) < 0)
3668: log_err(0, "dhcp_eapol_ind() failed!");
3669:
3670: #elif defined (__FreeBSD__) || defined (__APPLE__) || defined (__OpenBSD__)
3671:
3672: if (net_isset(&dhcp->ipif, &fds) && dhcp_decaps(dhcp) < 0)
3673: log_err(0, "dhcp_decaps() failed!");
3674:
3675: #endif
3676:
3677: }
3678:
3679: if (fd_isset(radius->fd, &fds) && radius_decaps(radius) < 0)
3680: log_err(0, "radius_ind() failed!");
3681:
3682: if (fd_isset(radius->proxyfd, &fds) && radius_proxy_ind(radius) < 0)
3683: log_err(0, "radius_proxy_ind() failed!");
3684:
3685: if (fd_isset(redir->fd[0], &fds) && redir_accept(redir, 0) < 0)
3686: log_err(0, "redir_accept() failed!");
3687:
3688: if (fd_isset(redir->fd[1], &fds) && redir_accept(redir, 1) < 0)
3689: log_err(0, "redir_accept() failed!");
3690:
3691: if (fd_isset(cmdsock, &fds) && cmdsock_accept(cmdsock) < 0)
3692: log_err(0, "cmdsock_accept() failed!");
3693:
3694: }
3695: }
3696:
3697: if (options.debug)
3698: log_dbg("Terminating ChilliSpot!");
3699:
3700: killconn();
3701:
3702: if (redir)
3703: redir_free(redir);
3704:
3705: if (radius)
3706: radius_free(radius);
3707:
3708: if (dhcp)
3709: dhcp_free(dhcp);
3710:
3711: if (tun && options.ipdown)
3712: tun_runscript(tun, options.ipdown);
3713:
3714: if (tun)
3715: tun_free(tun);
3716:
3717: if (ippool)
3718: ippool_free(ippool);
3719:
3720: return 0;
3721:
3722: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to chilli.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / coova-chilli / src