1464 lines
62 KiB
C
1464 lines
62 KiB
C
/*********************************************************************************************************
|
|
* Software License Agreement (BSD License) *
|
|
* Author: Sebastien Decugis <sdecugis@freediameter.net> *
|
|
* *
|
|
* Copyright (c) 2013, WIDE Project and NICT *
|
|
* All rights reserved. *
|
|
* *
|
|
* Redistribution and use of this software in source and binary forms, with or without modification, are *
|
|
* permitted provided that the following conditions are met: *
|
|
* *
|
|
* * Redistributions of source code must retain the above *
|
|
* copyright notice, this list of conditions and the *
|
|
* following disclaimer. *
|
|
* *
|
|
* * Redistributions in binary form must reproduce the above *
|
|
* copyright notice, this list of conditions and the *
|
|
* following disclaimer in the documentation and/or other *
|
|
* materials provided with the distribution. *
|
|
* *
|
|
* * Neither the name of the WIDE Project or NICT nor the *
|
|
* names of its contributors may be used to endorse or *
|
|
* promote products derived from this software without *
|
|
* specific prior written permission of WIDE Project and *
|
|
* NICT. *
|
|
* *
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
|
|
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
|
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
|
|
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
|
|
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
|
|
*********************************************************************************************************/
|
|
|
|
/* RADIUS Accounting-Request messages translation plugin */
|
|
|
|
#include "rgw_common.h"
|
|
|
|
|
|
/* Other constants we use */
|
|
#define AI_ACCT 3 /* Diameter Base Accounting application */
|
|
#define CC_AC 271 /* ACR/ACA */
|
|
#define ACV_ART_START_RECORD 2 /* START_RECORD */
|
|
#define ACV_ART_INTERIM_RECORD 3 /* INTERIM_RECORD */
|
|
#define ACV_ART_STOP_RECORD 4 /* STOP_RECORD */
|
|
#define ACV_ART_AUTHORIZE_AUTHENTICATE 3 /* AUTHORIZE_AUTHENTICATE */
|
|
|
|
|
|
/* The state we keep for this plugin */
|
|
struct rgwp_config {
|
|
struct {
|
|
struct dict_object * Accounting_Record_Number; /* Accounting-Record-Number */
|
|
struct dict_object * Accounting_Record_Type; /* Accounting-Record-Type */
|
|
struct dict_object * Acct_Application_Id; /* Acct-Application-Id */
|
|
struct dict_object * Acct_Delay_Time; /* Acct-Delay-Time */
|
|
struct dict_object * Accounting_Input_Octets; /* Accounting-Input-Octets */
|
|
struct dict_object * Accounting_Output_Octets; /* Accounting-Output-Octets */
|
|
struct dict_object * Accounting_Input_Packets; /* Accounting-Input-Packets */
|
|
struct dict_object * Accounting_Output_Packets; /* Accounting-Output-Packets */
|
|
struct dict_object * Acct_Link_Count; /* Acct-Link-Count */
|
|
struct dict_object * Acct_Authentic; /* Acct-Authentic */
|
|
struct dict_object * Acct_Multi_Session_Id; /* Acct-Multi-Session-Id */
|
|
struct dict_object * Acct_Session_Id; /* Acct-Session-Id */
|
|
struct dict_object * Acct_Session_Time; /* Acct-Session-Time */
|
|
|
|
struct dict_object * ARAP_Password; /* ARAP-Password */
|
|
struct dict_object * ARAP_Security; /* ARAP-Security */
|
|
struct dict_object * ARAP_Security_Data; /* ARAP-Security-Data */
|
|
struct dict_object * Auth_Application_Id; /* Auth-Application-Id */
|
|
struct dict_object * Auth_Request_Type; /* Auth-Request-Type */
|
|
struct dict_object * Authorization_Lifetime; /* Authorization-Lifetime */
|
|
struct dict_object * Callback_Number; /* Callback-Number */
|
|
struct dict_object * Callback_Id; /* Callback-Id */
|
|
struct dict_object * Called_Station_Id; /* Called-Station-Id */
|
|
struct dict_object * Calling_Station_Id; /* Calling-Station-Id */
|
|
struct dict_object * Class; /* Class */
|
|
struct dict_object * CHAP_Algorithm; /* CHAP-Algorithm */
|
|
struct dict_object * CHAP_Auth; /* CHAP-Auth */
|
|
struct dict_object * CHAP_Challenge; /* CHAP-Challenge */
|
|
struct dict_object * CHAP_Ident; /* CHAP-Ident */
|
|
struct dict_object * CHAP_Response; /* CHAP-Response */
|
|
struct dict_object * Connect_Info; /* Connect-Info */
|
|
struct dict_object * Destination_Host; /* Destination-Host */
|
|
struct dict_object * Destination_Realm; /* Destination-Realm */
|
|
struct dict_object * EAP_Payload; /* EAP-Payload */
|
|
struct dict_object * Error_Message; /* Error-Message */
|
|
struct dict_object * Error_Reporting_Host; /* Error-Reporting-Host */
|
|
struct dict_object * Event_Timestamp; /* Event-Timestamp */
|
|
struct dict_object * Failed_AVP; /* Failed-AVP */
|
|
struct dict_object * Framed_AppleTalk_Link; /* Framed-AppleTalk-Link */
|
|
struct dict_object * Framed_AppleTalk_Network; /* Framed-AppleTalk-Network */
|
|
struct dict_object * Framed_AppleTalk_Zone; /* Framed-AppleTalk-Zone */
|
|
struct dict_object * Framed_Compression; /* Framed-Compression */
|
|
struct dict_object * Framed_IP_Address; /* Framed-IP-Address */
|
|
struct dict_object * Framed_IP_Netmask; /* Framed-IP-Netmask */
|
|
struct dict_object * Framed_Interface_Id; /* Framed-Interface-Id */
|
|
struct dict_object * Framed_IPv6_Prefix; /* Framed-IPv6-Prefix */
|
|
struct dict_object * Framed_IPX_Network; /* Framed-IPX-Network */
|
|
struct dict_object * Framed_MTU; /* Framed-MTU */
|
|
struct dict_object * Framed_Protocol; /* Framed-Protocol */
|
|
struct dict_object * Framed_Pool; /* Framed-Pool */
|
|
struct dict_object * Framed_IPv6_Route; /* Framed-IPv6-Route */
|
|
struct dict_object * Framed_IPv6_Pool; /* Framed-IPv6-Pool */
|
|
struct dict_object * Framed_Route; /* Framed-Route */
|
|
struct dict_object * Framed_Routing; /* Framed-Routing */
|
|
struct dict_object * Filter_Id; /* Filter-Id */
|
|
struct dict_object * Idle_Timeout; /* Idle-Timeout */
|
|
struct dict_object * Login_IP_Host; /* Login-IP-Host */
|
|
struct dict_object * Login_IPv6_Host; /* Login-IPv6-Host */
|
|
struct dict_object * Login_LAT_Group; /* Login-LAT-Group */
|
|
struct dict_object * Login_LAT_Node; /* Login-LAT-Node */
|
|
struct dict_object * Login_LAT_Port; /* Login-LAT-Port */
|
|
struct dict_object * Login_LAT_Service; /* Login-LAT-Service */
|
|
struct dict_object * Login_Service; /* Login-Service */
|
|
struct dict_object * Login_TCP_Port; /* Login-TCP-Port */
|
|
struct dict_object * NAS_Identifier; /* NAS-Identifier */
|
|
struct dict_object * NAS_IP_Address; /* NAS-IP-Address */
|
|
struct dict_object * NAS_IPv6_Address; /* NAS-IPv6-Address */
|
|
struct dict_object * NAS_Port; /* NAS-Port */
|
|
struct dict_object * NAS_Port_Id; /* NAS-Port-Id */
|
|
struct dict_object * NAS_Port_Type; /* NAS-Port-Type */
|
|
struct dict_object * Origin_AAA_Protocol; /* Origin-AAA-Protocol */
|
|
struct dict_object * Origin_Host; /* Origin-Host */
|
|
struct dict_object * Origin_Realm; /* Origin-Realm */
|
|
struct dict_object * Originating_Line_Info; /* Originating-Line-Info */
|
|
struct dict_object * Port_Limit; /* Port-Limit */
|
|
struct dict_object * Re_Auth_Request_Type; /* Re-Auth-Request-Type */
|
|
struct dict_object * Result_Code; /* Result-Code */
|
|
struct dict_object * Service_Type; /* Service-Type */
|
|
struct dict_object * Session_Id; /* Session-Id */
|
|
struct dict_object * Session_Timeout; /* Session-Timeout */
|
|
struct dict_object * State; /* State */
|
|
struct dict_object * Termination_Cause; /* Termination-Cause */
|
|
struct dict_object * Tunneling; /* Tunneling */
|
|
struct dict_object * Tunnel_Type; /* Tunnel-Type */
|
|
struct dict_object * Tunnel_Assignment_Id; /* Tunnel-Assignment-Id */
|
|
struct dict_object * Tunnel_Medium_Type; /* Tunnel-Medium-Type */
|
|
struct dict_object * Tunnel_Client_Endpoint; /* Tunnel-Client-Endpoint */
|
|
struct dict_object * Tunnel_Server_Endpoint; /* Tunnel-Server-Endpoint */
|
|
struct dict_object * Tunnel_Private_Group_Id; /* Tunnel-Private-Group-Id */
|
|
struct dict_object * Tunnel_Preference; /* Tunnel-Preference */
|
|
struct dict_object * Tunnel_Client_Auth_Id; /* Tunnel-Client-Auth-Id */
|
|
struct dict_object * Tunnel_Server_Auth_Id; /* Tunnel-Server-Auth-Id */
|
|
struct dict_object * User_Name; /* User-Name */
|
|
|
|
struct dict_object * Session_Termination_Request;/* STR */
|
|
} dict; /* cache of the dictionary objects we use */
|
|
struct session_handler * sess_hdl; /* We store RADIUS request authenticator information in the session */
|
|
char * confstr;
|
|
|
|
int ignore_nai;
|
|
};
|
|
|
|
/* The state we store in the session */
|
|
struct sess_state {
|
|
application_id_t auth_appl; /* Auth-Application-Id used for this session, if available (stored in a Class attribute) */
|
|
int send_str; /* If not 0, we must send a STR when the ACA is received. */
|
|
uint32_t term_cause; /* If not 0, the Termination-Cause to put in the STR. */
|
|
};
|
|
|
|
static DECLARE_FD_DUMP_PROTOTYPE(acct_conf_session_state_dump, struct sess_state * st)
|
|
{
|
|
return fd_dump_extend( FD_DUMP_STD_PARAMS, "[rgwx sess_state](@%p): aai:%x str:%d TC:%u", st, st->auth_appl, st->send_str, st->term_cause);
|
|
}
|
|
|
|
/* Initialize the plugin */
|
|
static int acct_conf_parse(char * conffile, struct rgwp_config ** state)
|
|
{
|
|
struct rgwp_config * new;
|
|
struct dict_object * app;
|
|
|
|
TRACE_ENTRY("%p %p", conffile, state);
|
|
CHECK_PARAMS( state );
|
|
|
|
CHECK_MALLOC( new = malloc(sizeof(struct rgwp_config)) );
|
|
memset(new, 0, sizeof(struct rgwp_config));
|
|
|
|
CHECK_FCT( fd_sess_handler_create( &new->sess_hdl, (void *)free, acct_conf_session_state_dump, NULL ) );
|
|
new->confstr = conffile;
|
|
|
|
if (conffile && strstr(conffile, "nonai"))
|
|
new->ignore_nai = 1;
|
|
|
|
/* Resolve all dictionary objects we use */
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Record-Number", &new->dict.Accounting_Record_Number, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Record-Type", &new->dict.Accounting_Record_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Application-Id", &new->dict.Acct_Application_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Delay-Time", &new->dict.Acct_Delay_Time, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Input-Octets", &new->dict.Accounting_Input_Octets, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Output-Octets", &new->dict.Accounting_Output_Octets, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Input-Packets", &new->dict.Accounting_Input_Packets, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Accounting-Output-Packets", &new->dict.Accounting_Output_Packets, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Authentic", &new->dict.Acct_Authentic, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Link-Count", &new->dict.Acct_Link_Count, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Multi-Session-Id", &new->dict.Acct_Multi_Session_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Session-Id", &new->dict.Acct_Session_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Session-Time", &new->dict.Acct_Session_Time, ENOENT) );
|
|
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Password", &new->dict.ARAP_Password, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security", &new->dict.ARAP_Security, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "ARAP-Security-Data", &new->dict.ARAP_Security_Data, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Application-Id", &new->dict.Auth_Application_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Request-Type", &new->dict.Auth_Request_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Authorization-Lifetime", &new->dict.Authorization_Lifetime, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Callback-Number", &new->dict.Callback_Number, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Callback-Id", &new->dict.Callback_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Called-Station-Id", &new->dict.Called_Station_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Calling-Station-Id", &new->dict.Calling_Station_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Class", &new->dict.Class, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Connect-Info", &new->dict.Connect_Info, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Host", &new->dict.Destination_Host, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Destination-Realm", &new->dict.Destination_Realm, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "EAP-Payload", &new->dict.EAP_Payload, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Message", &new->dict.Error_Message, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Error-Reporting-Host", &new->dict.Error_Reporting_Host, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Event-Timestamp", &new->dict.Event_Timestamp, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Failed-AVP", &new->dict.Failed_AVP, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-AppleTalk-Link", &new->dict.Framed_AppleTalk_Link, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-AppleTalk-Network", &new->dict.Framed_AppleTalk_Network, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-AppleTalk-Zone", &new->dict.Framed_AppleTalk_Zone, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Compression", &new->dict.Framed_Compression, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Address", &new->dict.Framed_IP_Address, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IP-Netmask", &new->dict.Framed_IP_Netmask, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Interface-Id", &new->dict.Framed_Interface_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPv6-Prefix", &new->dict.Framed_IPv6_Prefix, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPX-Network", &new->dict.Framed_IPX_Network, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-MTU", &new->dict.Framed_MTU, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Protocol", &new->dict.Framed_Protocol, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Pool", &new->dict.Framed_Pool, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Route", &new->dict.Framed_Route, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPv6-Route", &new->dict.Framed_IPv6_Route, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-IPv6-Pool", &new->dict.Framed_IPv6_Pool, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Framed-Routing", &new->dict.Framed_Routing, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Filter-Id", &new->dict.Filter_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Idle-Timeout", &new->dict.Idle_Timeout, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IP-Host", &new->dict.Login_IP_Host, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-IPv6-Host", &new->dict.Login_IPv6_Host, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Group", &new->dict.Login_LAT_Group, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Node", &new->dict.Login_LAT_Node, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Port", &new->dict.Login_LAT_Port, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-LAT-Service", &new->dict.Login_LAT_Service, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-Service", &new->dict.Login_Service, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Login-TCP-Port", &new->dict.Login_TCP_Port, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Identifier", &new->dict.NAS_Identifier, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IP-Address", &new->dict.NAS_IP_Address, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-IPv6-Address", &new->dict.NAS_IPv6_Address, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port", &new->dict.NAS_Port, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Id", &new->dict.NAS_Port_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "NAS-Port-Type", &new->dict.NAS_Port_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-AAA-Protocol", &new->dict.Origin_AAA_Protocol, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Host", &new->dict.Origin_Host, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Origin-Realm", &new->dict.Origin_Realm, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Originating-Line-Info", &new->dict.Originating_Line_Info, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Port-Limit", &new->dict.Port_Limit, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Re-Auth-Request-Type", &new->dict.Re_Auth_Request_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Result-Code", &new->dict.Result_Code, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Service-Type", &new->dict.Service_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Id", &new->dict.Session_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Session-Timeout", &new->dict.Session_Timeout, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "State", &new->dict.State, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Termination-Cause", &new->dict.Termination_Cause, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunneling", &new->dict.Tunneling, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Assignment-Id", &new->dict.Tunnel_Assignment_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Type", &new->dict.Tunnel_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Medium-Type", &new->dict.Tunnel_Medium_Type, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Endpoint", &new->dict.Tunnel_Client_Endpoint, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Endpoint", &new->dict.Tunnel_Server_Endpoint, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Private-Group-Id", &new->dict.Tunnel_Private_Group_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Preference", &new->dict.Tunnel_Preference, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Client-Auth-Id", &new->dict.Tunnel_Client_Auth_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Tunnel-Server-Auth-Id", &new->dict.Tunnel_Server_Auth_Id, ENOENT) );
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "User-Name", &new->dict.User_Name, ENOENT) );
|
|
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_COMMAND, CMD_BY_NAME, "Session-Termination-Request", &new->dict.Session_Termination_Request, ENOENT) );
|
|
|
|
/* This plugin provides the following Diameter authentication applications support: */
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_APPLICATION, APPLICATION_BY_NAME, "Diameter Base Accounting", &app, ENOENT) );
|
|
CHECK_FCT( fd_disp_app_support ( app, NULL, 0, 1 ) );
|
|
|
|
*state = new;
|
|
return 0;
|
|
}
|
|
|
|
/* deinitialize */
|
|
static void acct_conf_free(struct rgwp_config * state)
|
|
{
|
|
TRACE_ENTRY("%p", state);
|
|
CHECK_PARAMS_DO( state, return );
|
|
CHECK_FCT_DO( fd_sess_handler_destroy( &state->sess_hdl, NULL ), );
|
|
free(state);
|
|
return;
|
|
}
|
|
|
|
/* Incoming RADIUS request */
|
|
static int acct_rad_req( struct rgwp_config * cs, struct radius_msg * rad_req, struct radius_msg ** rad_ans, struct msg ** diam_fw, struct rgw_client * cli )
|
|
{
|
|
int idx;
|
|
int send_str=0;
|
|
uint32_t str_cause=0;
|
|
uint32_t e2eid = 0;
|
|
application_id_t auth_appl=0;
|
|
int got_id = 0;
|
|
uint32_t status_type;
|
|
uint32_t termination_action = 0;
|
|
uint32_t gigawords_in=0, gigawords_out=0;
|
|
size_t nattr_used = 0;
|
|
union avp_value value;
|
|
struct avp ** avp_tun = NULL, *avp = NULL;
|
|
struct session * sess;
|
|
|
|
const char * prefix = "Diameter/";
|
|
size_t pref_len;
|
|
os0_t si = NULL;
|
|
size_t si_len = 0;
|
|
os0_t un = NULL;
|
|
size_t un_len = 0;
|
|
|
|
TRACE_ENTRY("%p %p %p %p %p", cs, rad_req, rad_ans, diam_fw, cli);
|
|
CHECK_PARAMS(rad_req && (rad_req->hdr->code == RADIUS_CODE_ACCOUNTING_REQUEST) && rad_ans && diam_fw && *diam_fw);
|
|
|
|
pref_len = strlen(prefix);
|
|
|
|
/*
|
|
Either NAS-IP-Address or NAS-Identifier MUST be present in a
|
|
RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS-
|
|
Port-Type attribute or both unless the service does not involve a
|
|
port or the NAS does not distinguish among its ports.
|
|
*/
|
|
/* We also enforce that the message contains a CLASS attribute with Diameter/ prefix containing the Session-Id. */
|
|
for (idx = 0; idx < rad_req->attr_used; idx++) {
|
|
struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]);
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
size_t attr_len = attr->length - sizeof(struct radius_attr_hdr);
|
|
|
|
switch (attr->type) {
|
|
case RADIUS_ATTR_NAS_IP_ADDRESS:
|
|
case RADIUS_ATTR_NAS_IDENTIFIER:
|
|
case RADIUS_ATTR_NAS_IPV6_ADDRESS:
|
|
got_id = 1;
|
|
break;
|
|
|
|
case RADIUS_ATTR_TERMINATION_ACTION:
|
|
CHECK_PARAMS( attr->length == 6 );
|
|
termination_action = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_INPUT_GIGAWORDS:
|
|
CHECK_PARAMS( attr->length == 6 );
|
|
gigawords_in = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS:
|
|
CHECK_PARAMS( attr->length == 6 );
|
|
gigawords_out = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
break;
|
|
|
|
case RADIUS_ATTR_CLASS:
|
|
if ((attr_len > pref_len ) && ! strncmp((char *)v, prefix, pref_len)) {
|
|
int i;
|
|
si = v + pref_len;
|
|
si_len = attr_len - pref_len;
|
|
TRACE_DEBUG(ANNOYING, "Found Class attribute with '%s' prefix (attr #%d), SI:'%.*s'.", prefix, idx, (int)si_len, si);
|
|
/* Remove from the message */
|
|
for (i = idx + 1; i < rad_req->attr_used; i++)
|
|
rad_req->attr_pos[i - 1] = rad_req->attr_pos[i];
|
|
rad_req->attr_used -= 1;
|
|
}
|
|
break;
|
|
|
|
case RADIUS_ATTR_USER_NAME:
|
|
if (attr_len) {
|
|
un = v;
|
|
un_len = attr_len;
|
|
TRACE_DEBUG(ANNOYING, "Found a User-Name attribute: '%.*s'", (int)un_len, un);
|
|
}
|
|
break;
|
|
|
|
}
|
|
}
|
|
|
|
/* Check basic information is there */
|
|
if (!got_id || radius_msg_get_attr_int32(rad_req, RADIUS_ATTR_ACCT_STATUS_TYPE, &status_type)) {
|
|
TRACE_DEBUG(INFO, "[acct.rgwx] RADIUS Account-Request from %s did not contain a NAS ip/identifier or Acct-Status-Type attribute, reject.", rgw_clients_id(cli));
|
|
return EINVAL;
|
|
}
|
|
|
|
/*
|
|
-- RFC2866:
|
|
In Accounting-Request Packets, the Authenticator value is a 16
|
|
octet MD5 [5] checksum, called the Request Authenticator.
|
|
|
|
The NAS and RADIUS accounting server share a secret. The Request
|
|
Authenticator field in Accounting-Request packets contains a one-
|
|
way MD5 hash calculated over a stream of octets consisting of the
|
|
Code + Identifier + Length + 16 zero octets + request attributes +
|
|
shared secret (where + indicates concatenation). The 16 octet MD5
|
|
hash value is stored in the Authenticator field of the
|
|
Accounting-Request packet.
|
|
|
|
Note that the Request Authenticator of an Accounting-Request can
|
|
not be done the same way as the Request Authenticator of a RADIUS
|
|
Access-Request, because there is no User-Password attribute in an
|
|
Accounting-Request.
|
|
|
|
|
|
-- RFC5080:
|
|
The Request Authenticator field MUST contain the correct data, as
|
|
given by the above calculation. Invalid packets are silently
|
|
discarded. Note that some early implementations always set the
|
|
Request Authenticator to all zeros. New implementations of RADIUS
|
|
clients MUST use the above algorithm to calculate the Request
|
|
Authenticator field. New RADIUS server implementations MUST
|
|
silently discard invalid packets.
|
|
|
|
*/
|
|
{
|
|
uint8_t save[MD5_MAC_LEN];
|
|
uint8_t * secret;
|
|
size_t secret_len;
|
|
|
|
/* Get the shared secret */
|
|
CHECK_FCT(rgw_clients_getkey(cli, &secret, &secret_len));
|
|
|
|
/* Copy the received Request Authenticator */
|
|
memcpy(&save[0], &rad_req->hdr->authenticator[0], MD5_MAC_LEN);
|
|
|
|
/* Compute the same authenticator */
|
|
radius_msg_finish_acct(rad_req, secret, secret_len);
|
|
|
|
/* And now compare with the received value */
|
|
if (memcmp(&save[0], &rad_req->hdr->authenticator[0], MD5_MAC_LEN)) {
|
|
/* Invalid authenticator */
|
|
TRACE_BUFFER(FD_LOG_DEBUG, FULL+1, "Received ReqAuth: ", &save[0], MD5_MAC_LEN, "" );
|
|
TRACE_BUFFER(FD_LOG_DEBUG, FULL+1, "Expected ReqAuth: ", &rad_req->hdr->authenticator[0], MD5_MAC_LEN, "" );
|
|
TRACE_DEBUG(INFO, "[acct.rgwx] Invalid Request Authenticator in Account-Request from %s, discarding the message.", rgw_clients_id(cli));
|
|
return EINVAL;
|
|
}
|
|
}
|
|
|
|
|
|
/* Handle the Accounting-On case: nothing to do, just reply OK */
|
|
if (status_type == RADIUS_ACCT_STATUS_TYPE_ACCOUNTING_ON) {
|
|
TRACE_DEBUG(FULL, "[acct.rgwx] Received Accounting-On Acct-Status-Type attribute, replying without translation to Diameter.");
|
|
CHECK_MALLOC( *rad_ans = radius_msg_new(RADIUS_CODE_ACCOUNTING_RESPONSE, rad_req->hdr->identifier) );
|
|
return -2;
|
|
}
|
|
|
|
if (status_type == RADIUS_ACCT_STATUS_TYPE_ACCOUNTING_OFF) {
|
|
TRACE_DEBUG(FULL, "[acct.rgwx] Received Accounting-Off Acct-Status-Type attribute, we must terminate all active sessions.");
|
|
TODO("RADIUS side is rebooting, send STR on all sessions???");
|
|
return ENOTSUP;
|
|
}
|
|
|
|
/* Check if we got a valid session information, otherwise the server will not be able to handle the data... */
|
|
if (!si) {
|
|
TRACE_DEBUG(INFO, "[acct.rgwx] RADIUS Account-Request from %s did not contain a CLASS attribute with Diameter session information, reject.", rgw_clients_id(cli));
|
|
return EINVAL;
|
|
}
|
|
|
|
/* Add the Destination-Realm */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Realm, 0, &avp ) );
|
|
idx = 0;
|
|
if (un && ! cs->ignore_nai) {
|
|
/* Is there an '@' in the user name? We don't care for decorated NAI here */
|
|
for (idx = un_len - 2; idx > 0; idx--) {
|
|
if (un[idx] == '@') {
|
|
idx++;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (idx == 0) {
|
|
/* Not found in the User-Name => we use the local domain of this gateway */
|
|
value.os.data = (uint8_t *)fd_g_config->cnf_diamrlm;
|
|
value.os.len = fd_g_config->cnf_diamrlm_len;
|
|
} else {
|
|
value.os.data = un + idx;
|
|
value.os.len = un_len - idx;
|
|
}
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_FIRST_CHILD, avp) );
|
|
|
|
/* Create the Session-Id AVP */
|
|
{
|
|
CHECK_FCT( fd_sess_fromsid_msg ( si, si_len, &sess, NULL) );
|
|
|
|
TRACE_DEBUG(FULL, "[acct.rgwx] Translating new accounting message for session '%.*s'...", (int)si_len, si);
|
|
|
|
/* Add the Session-Id AVP as first AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Session_Id, 0, &avp ) );
|
|
value.os.data = (unsigned char *)si;
|
|
value.os.len = si_len;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_FIRST_CHILD, avp) );
|
|
CHECK_FCT( fd_msg_sess_set(*diam_fw, sess) );
|
|
}
|
|
|
|
|
|
/* Add the command code */
|
|
{
|
|
struct msg_hdr * header = NULL;
|
|
CHECK_FCT( fd_msg_hdr ( *diam_fw, &header ) );
|
|
header->msg_flags = CMD_FLAG_REQUEST | CMD_FLAG_PROXIABLE;
|
|
header->msg_code = CC_AC;
|
|
header->msg_appl = AI_ACCT;
|
|
|
|
/* Add the Acct-Application-Id */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Acct_Application_Id, 0, &avp ) );
|
|
value.i32 = header->msg_appl;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* save the end to end id */
|
|
e2eid = header->msg_eteid;
|
|
}
|
|
|
|
/* Convert the RADIUS attributes, as they appear in the message */
|
|
for (idx = 0; idx < rad_req->attr_used; idx++) {
|
|
struct radius_attr_hdr * attr = (struct radius_attr_hdr *)(rad_req->buf + rad_req->attr_pos[idx]);
|
|
|
|
switch (attr->type) {
|
|
/*
|
|
Any attribute valid in a RADIUS Access-Request or Access-Accept
|
|
packet is valid in a RADIUS Accounting-Request packet, except that
|
|
the following attributes MUST NOT be present in an Accounting-
|
|
Request: User-Password, CHAP-Password, Reply-Message, State.
|
|
*/
|
|
case RADIUS_ATTR_USER_PASSWORD:
|
|
case RADIUS_ATTR_CHAP_PASSWORD:
|
|
case RADIUS_ATTR_REPLY_MESSAGE:
|
|
case RADIUS_ATTR_STATE:
|
|
case RADIUS_ATTR_MESSAGE_AUTHENTICATOR:
|
|
case RADIUS_ATTR_EAP_MESSAGE:
|
|
TRACE_DEBUG(INFO, "[acct.rgwx] RADIUS Account-Request contains a forbidden attribute (%hhd), reject.", attr->type);
|
|
return EINVAL;
|
|
|
|
|
|
/* This macro converts a RADIUS attribute to a Diameter AVP of type OctetString */
|
|
#define CONV2DIAM_STR( _dictobj_ ) \
|
|
CHECK_PARAMS( attr->length >= 2 ); \
|
|
/* Create the AVP with the specified dictionary model */ \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \
|
|
value.os.len = attr->length - 2; \
|
|
value.os.data = (unsigned char *)(attr + 1); \
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \
|
|
/* Add the AVP in the Diameter message. */ \
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \
|
|
|
|
/* Same thing, for scalar AVPs of 32 bits */
|
|
#define CONV2DIAM_32B( _dictobj_ ) \
|
|
CHECK_PARAMS( attr->length == 6 ); \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \
|
|
{ \
|
|
uint8_t * v = (uint8_t *)(attr + 1); \
|
|
value.u32 = (v[0] << 24) \
|
|
| (v[1] << 16) \
|
|
| (v[2] << 8) \
|
|
| v[3] ; \
|
|
} \
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \
|
|
|
|
/* And the 64b version */
|
|
#define CONV2DIAM_64B( _dictobj_ ) \
|
|
CHECK_PARAMS( attr->length == 10); \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \
|
|
{ \
|
|
uint8_t * v = (uint8_t *)(attr + 1); \
|
|
value.u64 = ((uint64_t)(v[0]) << 56) \
|
|
| ((uint64_t)(v[1]) << 48) \
|
|
| ((uint64_t)(v[2]) << 40) \
|
|
| ((uint64_t)(v[3]) << 32) \
|
|
| ((uint64_t)(v[4]) << 24) \
|
|
| ((uint64_t)(v[5]) << 16) \
|
|
| ((uint64_t)(v[6]) << 8) \
|
|
| (uint64_t)(v[7]) ; \
|
|
} \
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) ); \
|
|
|
|
|
|
/* Attributes as listed in RFC2866, section 5.13 and RFC4005, section 10.2.1 */
|
|
case RADIUS_ATTR_USER_NAME:
|
|
CONV2DIAM_STR( User_Name );
|
|
break;
|
|
|
|
case RADIUS_ATTR_NAS_IP_ADDRESS:
|
|
CONV2DIAM_STR( NAS_IP_Address );
|
|
break;
|
|
|
|
case RADIUS_ATTR_NAS_PORT:
|
|
CONV2DIAM_32B( NAS_Port );
|
|
break;
|
|
|
|
case RADIUS_ATTR_SERVICE_TYPE:
|
|
CONV2DIAM_32B( Service_Type );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_PROTOCOL:
|
|
CONV2DIAM_32B( Framed_Protocol );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IP_ADDRESS:
|
|
CONV2DIAM_STR( Framed_IP_Address );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IP_NETMASK:
|
|
CONV2DIAM_STR( Framed_IP_Netmask );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_ROUTING:
|
|
CONV2DIAM_32B( Framed_Routing );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FILTER_ID:
|
|
CONV2DIAM_STR( Filter_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_MTU:
|
|
CONV2DIAM_32B( Framed_MTU );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_COMPRESSION:
|
|
CONV2DIAM_32B( Framed_Compression );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_IP_HOST:
|
|
CONV2DIAM_STR( Login_IP_Host );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_SERVICE:
|
|
CONV2DIAM_32B( Login_Service );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_TCP_PORT:
|
|
CONV2DIAM_32B( Login_TCP_Port );
|
|
break;
|
|
|
|
case RADIUS_ATTR_CALLBACK_NUMBER:
|
|
CONV2DIAM_STR( Callback_Number );
|
|
break;
|
|
|
|
case RADIUS_ATTR_CALLBACK_ID:
|
|
CONV2DIAM_STR( Callback_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_ROUTE:
|
|
CONV2DIAM_STR( Framed_Route );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IPX_NETWORK:
|
|
CONV2DIAM_32B( Framed_IPX_Network );
|
|
break;
|
|
|
|
case RADIUS_ATTR_CLASS:
|
|
CONV2DIAM_STR( Class );
|
|
/* In addition, save the data in the session if it is "our" CLASS_AAI_PREFIX Class attribute */
|
|
{
|
|
char buf[32];
|
|
char * attr_val, *auth_val;
|
|
attr_val = (char *)(attr + 1);
|
|
auth_val = attr_val + CONSTSTRLEN(CLASS_AAI_PREFIX);
|
|
if ( (attr->length > sizeof(struct radius_attr_hdr) + CONSTSTRLEN(CLASS_AAI_PREFIX) )
|
|
&& (attr->length < sizeof(struct radius_attr_hdr) + CONSTSTRLEN(CLASS_AAI_PREFIX) + sizeof(buf))
|
|
&& ! strncmp(attr_val, CLASS_AAI_PREFIX, CONSTSTRLEN(CLASS_AAI_PREFIX))) {
|
|
|
|
memset(buf, 0, sizeof(buf));
|
|
memcpy(buf, auth_val, attr->length - sizeof(struct radius_attr_hdr) - CONSTSTRLEN(CLASS_AAI_PREFIX));
|
|
if (sscanf(buf, "%u", &auth_appl) == 1) {
|
|
TRACE_DEBUG(ANNOYING, "Found Class attribute with '%s' prefix (attr #%d), AAI:%u.", CLASS_AAI_PREFIX, idx, auth_appl);
|
|
}
|
|
}
|
|
}
|
|
break;
|
|
|
|
case RADIUS_ATTR_VENDOR_SPECIFIC:
|
|
if (attr->length >= 6) {
|
|
uint32_t vendor_id;
|
|
uint8_t * c = (uint8_t *)(attr + 1);
|
|
|
|
vendor_id = c[0] << 24 | c[1] << 16 | c[2] << 8 | c[3];
|
|
c += 4;
|
|
|
|
switch (vendor_id) {
|
|
|
|
/* For the vendors we KNOW they follow the VSA recommended format, we convert following the rules of RFC4005 (9.6.2) */
|
|
case RADIUS_VENDOR_ID_MICROSOFT : /* RFC 2548 */
|
|
/* other vendors ? */
|
|
{
|
|
size_t left;
|
|
struct radius_attr_vendor *vtlv;
|
|
|
|
left = attr->length - 6;
|
|
vtlv = (struct radius_attr_vendor *)c;
|
|
|
|
while ((left >= 2) && (vtlv->vendor_length <= left)) {
|
|
/* Search our dictionary for corresponding Vendor's AVP */
|
|
struct dict_avp_request req;
|
|
struct dict_object * avp_model = NULL;
|
|
memset(&req, 0, sizeof(struct dict_avp_request));
|
|
req.avp_vendor = vendor_id;
|
|
req.avp_code = vtlv->vendor_type;
|
|
|
|
CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_CODE_AND_VENDOR, &req, &avp_model, 0) );
|
|
if (!avp_model) {
|
|
TRACE_DEBUG(FULL, "Unknown attribute (vendor 0x%x, code 0x%x) ignored.", req.avp_vendor, req.avp_code);
|
|
} else {
|
|
CHECK_FCT( fd_msg_avp_new ( avp_model, 0, &avp ) );
|
|
value.os.len = vtlv->vendor_length - 2;
|
|
value.os.data = (unsigned char *)(vtlv + 1);
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
}
|
|
c += vtlv->vendor_length;
|
|
left -= vtlv->vendor_length;
|
|
vtlv = (struct radius_attr_vendor *)c;
|
|
}
|
|
}
|
|
break;
|
|
|
|
/* Other vendors we KNOw how to convert the attributes would be added here... */
|
|
/* case RADIUS_VENDOR_ID_CISCO :
|
|
break; */
|
|
/* case RADIUS_VENDOR_ID_IETF : (extended RADIUS attributes)
|
|
break; */
|
|
|
|
/* When we don't know, just discard the attribute... VSA are optional with regards to RADIUS anyway */
|
|
default:
|
|
/* do nothing */
|
|
TRACE_DEBUG(FULL, "VSA attribute from vendor %d discarded", vendor_id);
|
|
|
|
}
|
|
}
|
|
break;
|
|
|
|
case RADIUS_ATTR_SESSION_TIMEOUT:
|
|
/* Translation depends on Termination-Action : rfc4005#section-9.2.1 */
|
|
if (termination_action != RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
|
|
CONV2DIAM_32B( Session_Timeout );
|
|
} else {
|
|
CONV2DIAM_32B( Authorization_Lifetime );
|
|
/* And add this additional AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Re_Auth_Request_Type, 0, &avp ) );
|
|
value.u32 = ACV_ART_AUTHORIZE_AUTHENTICATE;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
}
|
|
break;
|
|
|
|
case RADIUS_ATTR_IDLE_TIMEOUT:
|
|
CONV2DIAM_32B( Idle_Timeout );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TERMINATION_ACTION:
|
|
/* Just remove */
|
|
break;
|
|
|
|
case RADIUS_ATTR_CALLED_STATION_ID:
|
|
CONV2DIAM_STR( Called_Station_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_CALLING_STATION_ID:
|
|
CONV2DIAM_STR( Calling_Station_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_NAS_IDENTIFIER:
|
|
CONV2DIAM_STR( NAS_Identifier );
|
|
break;
|
|
|
|
/* Proxy-State is handled by echo_drop.rgwx plugin, we ignore it here */
|
|
|
|
case RADIUS_ATTR_LOGIN_LAT_SERVICE:
|
|
CONV2DIAM_STR( Login_LAT_Service );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_LAT_NODE:
|
|
CONV2DIAM_STR( Login_LAT_Node );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_LAT_GROUP:
|
|
CONV2DIAM_STR( Login_LAT_Group );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_APPLETALK_LINK:
|
|
CONV2DIAM_32B( Framed_AppleTalk_Link );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_APPLETALK_NETWORK:
|
|
CONV2DIAM_32B( Framed_AppleTalk_Network );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_APPLETALK_ZONE:
|
|
CONV2DIAM_STR( Framed_AppleTalk_Zone );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_STATUS_TYPE:
|
|
/*
|
|
- If the RADIUS message received is an Accounting-Request, the
|
|
Acct-Status-Type attribute value must be converted to a
|
|
Accounting-Record-Type AVP value. If the Acct-Status-Type
|
|
attribute value is STOP, the local server MUST issue a
|
|
Session-Termination-Request message once the Diameter
|
|
Accounting-Answer message has been received.
|
|
*/
|
|
switch (status_type) {
|
|
case RADIUS_ACCT_STATUS_TYPE_START:
|
|
value.u32 = ACV_ART_START_RECORD;
|
|
break;
|
|
case RADIUS_ACCT_STATUS_TYPE_STOP:
|
|
value.u32 = ACV_ART_STOP_RECORD;
|
|
send_str = 1; /* Register this info in the session */
|
|
break;
|
|
case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
|
|
value.u32 = ACV_ART_INTERIM_RECORD;
|
|
break;
|
|
default:
|
|
TRACE_DEBUG(INFO, "Unknown RADIUS_ATTR_ACCT_STATUS_TYPE value %d, aborting...", status_type);
|
|
return ENOTSUP;
|
|
}
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Record_Type, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* While here, we also add the Accouting-Record-Number AVP.
|
|
The Accounting-Record-Number AVP (AVP Code 485) is of type Unsigned32
|
|
and identifies this record within one session. As Session-Id AVPs
|
|
are globally unique, the combination of Session-Id and Accounting-
|
|
Record-Number AVPs is also globally unique, and can be used in
|
|
matching accounting records with confirmations. An easy way to
|
|
produce unique numbers is to set the value to 0 for records of type
|
|
EVENT_RECORD and START_RECORD, and set the value to 1 for the first
|
|
INTERIM_RECORD, 2 for the second, and so on until the value for
|
|
STOP_RECORD is one more than for the last INTERIM_RECORD.
|
|
|
|
-- we actually use the end-to-end id of the message here, which remains constant
|
|
if we send a duplicate, so it has the same properties as the suggested algorithm.
|
|
Anyway, it assumes that we are not converting twice the same RADIUS message.
|
|
. */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Record_Number, 0, &avp ) );
|
|
value.u32 = e2eid;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_DELAY_TIME:
|
|
CONV2DIAM_32B( Acct_Delay_Time );
|
|
break;
|
|
|
|
/*
|
|
- If the RADIUS message contains the Accounting-Input-Octets,
|
|
Accounting-Input-Packets, Accounting-Output-Octets, or
|
|
Accounting-Output-Packets, these attributes must be converted
|
|
to the Diameter equivalents. Further, if the Acct-Input-
|
|
Gigawords or Acct-Output-Gigawords attributes are present,
|
|
these must be used to properly compute the Diameter accounting
|
|
AVPs.
|
|
*/
|
|
case RADIUS_ATTR_ACCT_INPUT_OCTETS:
|
|
memset(&value, 0, sizeof(value));
|
|
{
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
value.u64 = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
}
|
|
value.u64 += ((uint64_t)gigawords_in << 32);
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Input_Octets, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_OUTPUT_OCTETS:
|
|
memset(&value, 0, sizeof(value));
|
|
{
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
value.u64 = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
}
|
|
value.u64 += ((uint64_t)gigawords_out << 32);
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Output_Octets, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_SESSION_ID:
|
|
CONV2DIAM_STR( Acct_Session_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_AUTHENTIC:
|
|
CONV2DIAM_32B( Acct_Authentic );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_SESSION_TIME:
|
|
CONV2DIAM_32B( Acct_Session_Time );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_INPUT_PACKETS:
|
|
memset(&value, 0, sizeof(value));
|
|
{
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
value.u64 = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
}
|
|
/* value.u64 += (gigawords_in << 32); */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Input_Packets, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_OUTPUT_PACKETS:
|
|
memset(&value, 0, sizeof(value));
|
|
{
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
value.u64 = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
}
|
|
/* value.u64 += (gigawords_out << 32); */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Accounting_Output_Packets, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
break;
|
|
|
|
/*
|
|
- If the Accounting message contains an Acct-Termination-Cause
|
|
attribute, it should be translated to the equivalent
|
|
Termination-Cause AVP value.
|
|
*/
|
|
case RADIUS_ATTR_ACCT_TERMINATE_CAUSE:
|
|
/* rfc4005#section-9.3.5 */
|
|
{
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
str_cause = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
}
|
|
str_cause += 10; /* This seems to be the rule, we can modify later if needed */
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_MULTI_SESSION_ID:
|
|
CONV2DIAM_STR( Acct_Multi_Session_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_ACCT_LINK_COUNT:
|
|
CONV2DIAM_32B( Acct_Link_Count );
|
|
break;
|
|
|
|
/* CHAP-Challenge is not present in Accounting-Request */
|
|
|
|
case RADIUS_ATTR_NAS_PORT_TYPE:
|
|
CONV2DIAM_32B( NAS_Port_Type );
|
|
break;
|
|
|
|
case RADIUS_ATTR_PORT_LIMIT:
|
|
CONV2DIAM_32B( Port_Limit );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_LAT_PORT:
|
|
CONV2DIAM_STR( Login_LAT_Port );
|
|
break;
|
|
|
|
/* RFC 3162 */
|
|
case RADIUS_ATTR_NAS_IPV6_ADDRESS:
|
|
CONV2DIAM_STR( NAS_IPv6_Address );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_INTERFACE_ID:
|
|
CONV2DIAM_64B( Framed_Interface_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IPV6_PREFIX:
|
|
CONV2DIAM_STR( Framed_IPv6_Prefix );
|
|
break;
|
|
|
|
case RADIUS_ATTR_LOGIN_IPV6_HOST:
|
|
CONV2DIAM_STR( Login_IPv6_Host );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IPV6_ROUTE:
|
|
CONV2DIAM_STR( Framed_IPv6_Route );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_IPV6_POOL:
|
|
CONV2DIAM_STR( Framed_IPv6_Pool );
|
|
break;
|
|
|
|
/* RFC 2868 */
|
|
/* Prepare the top-level Tunneling AVP for each tag values, as needed, and add to the Diameter message.
|
|
This macro is called when an AVP is added inside the group, so we will not have empty grouped AVPs */
|
|
#define AVP_TUN_PREPARE() { \
|
|
if (avp_tun == NULL) { \
|
|
CHECK_MALLOC( avp_tun = calloc(sizeof(struct avp *), 32 ) ); \
|
|
} \
|
|
tag = *(uint8_t *)(attr + 1); \
|
|
if (tag > 0x1F) tag = 0; \
|
|
if (avp_tun[tag] == NULL) { \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Tunneling, 0, &avp_tun[tag] ) ); \
|
|
CHECK_FCT( fd_msg_avp_add (*diam_fw, MSG_BRW_LAST_CHILD, avp_tun[tag]));\
|
|
} \
|
|
}
|
|
|
|
/* Convert an attribute to an OctetString AVP and add inside the Tunneling AVP corresponding to the tag */
|
|
#define CONV2DIAM_TUN_STR( _dictobj_ ) { \
|
|
uint8_t tag; \
|
|
CHECK_PARAMS( attr->length >= 3); \
|
|
AVP_TUN_PREPARE(); \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \
|
|
value.os.len = attr->length - (tag ? 3 : 2); \
|
|
value.os.data = ((unsigned char *)(attr + 1)) + (tag ? 1 : 0); \
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \
|
|
CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \
|
|
}
|
|
|
|
/* Convert an attribute to a scalar AVP and add inside the Tunneling AVP corresponding to the tag */
|
|
#define CONV2DIAM_TUN_24B( _dictobj_ ) { \
|
|
uint8_t tag; \
|
|
CHECK_PARAMS( attr->length == 6); \
|
|
AVP_TUN_PREPARE(); \
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict._dictobj_, 0, &avp ) ); \
|
|
{ \
|
|
uint8_t * v = (uint8_t *)(attr + 1); \
|
|
value.u32 = (v[1] << 16) | (v[2] <<8) | v[3] ; \
|
|
} \
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) ); \
|
|
CHECK_FCT( fd_msg_avp_add ( avp_tun[tag], MSG_BRW_LAST_CHILD, avp) ); \
|
|
}
|
|
|
|
/*
|
|
- If the RADIUS message contains Tunnel information [RADTunnels],
|
|
the attributes or tagged groups should each be converted to a
|
|
Diameter Tunneling Grouped AVP set. If the tunnel information
|
|
contains a Tunnel-Password attribute, the RADIUS encryption
|
|
must be resolved, and the password forwarded, by using Diameter
|
|
security methods.
|
|
-> If the RADIUS message does not use properly the Tag info, result is unpredictable here..
|
|
*/
|
|
case RADIUS_ATTR_TUNNEL_TYPE:
|
|
CONV2DIAM_TUN_24B( Tunnel_Type );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TUNNEL_MEDIUM_TYPE:
|
|
CONV2DIAM_TUN_24B( Tunnel_Medium_Type );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TUNNEL_CLIENT_ENDPOINT:
|
|
CONV2DIAM_TUN_STR( Tunnel_Client_Endpoint );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TUNNEL_SERVER_ENDPOINT:
|
|
CONV2DIAM_TUN_STR( Tunnel_Server_Endpoint );
|
|
break;
|
|
|
|
/* Tunnel-Password never present in an Accounting-Request */
|
|
|
|
case RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID:
|
|
CONV2DIAM_TUN_STR( Tunnel_Private_Group_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TUNNEL_ASSIGNMENT_ID:
|
|
CONV2DIAM_TUN_STR( Tunnel_Assignment_Id );
|
|
break;
|
|
|
|
/* Tunnel-Reference never present in an Accounting-Request */
|
|
|
|
case RADIUS_ATTR_TUNNEL_CLIENT_AUTH_ID:
|
|
CONV2DIAM_TUN_STR( Tunnel_Client_Auth_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_TUNNEL_SERVER_AUTH_ID:
|
|
CONV2DIAM_TUN_STR( Tunnel_Server_Auth_Id );
|
|
break;
|
|
|
|
/* RFC 2869 */
|
|
/*
|
|
Acct-Input-Gigawords, Acct-Output-
|
|
Gigawords, Event-Timestamp, and NAS-Port-Id may have 0-1 instances in
|
|
an Accounting-Request packet. Connect-Info may have 0+ instances in
|
|
an Accounting-Request packet. The other attributes added in this
|
|
document must not be present in an Accounting-Request.
|
|
*/
|
|
case RADIUS_ATTR_ACCT_INPUT_GIGAWORDS:
|
|
break; /* we already saved the value in gigawords_in */
|
|
|
|
case RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS:
|
|
break; /* we already saved the value in gigawords_out */
|
|
|
|
case RADIUS_ATTR_EVENT_TIMESTAMP:
|
|
/* RADIUS:
|
|
The Value field is four octets encoding an unsigned integer with
|
|
the number of seconds since January 1, 1970 00:00 UTC.
|
|
Diameter:
|
|
The Time format is derived from the OctetString AVP Base Format.
|
|
The string MUST contain four octets, in the same format as the
|
|
first four bytes are in the NTP timestamp format. The NTP
|
|
Timestamp format is defined in Chapter 3 of [RFC4330].
|
|
|
|
This represents the number of seconds since 0h on 1 January 1900
|
|
with respect to the Coordinated Universal Time (UTC).
|
|
|
|
-- RFC4330:
|
|
NTP timestamps are represented as a 64-bit unsigned
|
|
fixed-point number, in seconds relative to 0h on 1 January 1900. The
|
|
integer part is in the first 32 bits, and the fraction part in the
|
|
last 32 bits. In the fraction part, the non-significant low-order
|
|
bits are not specified and are ordinarily set to 0.
|
|
*/
|
|
{
|
|
uint32_t ts;
|
|
|
|
uint8_t * v = (uint8_t *)(attr + 1);
|
|
/* Read the RADIUS attribute value */
|
|
ts = (v[0] << 24)
|
|
| (v[1] << 16)
|
|
| (v[2] << 8)
|
|
| v[3] ;
|
|
|
|
/* Add the 70 missing years */
|
|
ts += 2208988800U; /* 60 * 60 * 24 * ( 365 * 70 + 17 ) */
|
|
|
|
/* Convert to network byte order */
|
|
ts = htonl(ts);
|
|
|
|
/* Diameter Time datatype is derived from OctetString */
|
|
value.os.data = (void *) &ts;
|
|
value.os.len = sizeof(uint32_t);
|
|
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Event_Timestamp, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( *diam_fw, MSG_BRW_LAST_CHILD, avp) );
|
|
}
|
|
break;
|
|
|
|
case RADIUS_ATTR_NAS_PORT_ID:
|
|
CONV2DIAM_STR( NAS_Port_Id );
|
|
break;
|
|
|
|
case RADIUS_ATTR_CONNECT_INFO:
|
|
CONV2DIAM_STR( Connect_Info );
|
|
break;
|
|
|
|
case RADIUS_ATTR_FRAMED_POOL: /* To follow the IPv6 version */
|
|
CONV2DIAM_STR( Framed_Pool );
|
|
break;
|
|
|
|
|
|
/* RFC 3579 */
|
|
/*
|
|
The EAP-Message and Message-Authenticator attributes specified in
|
|
this document MUST NOT be present in an Accounting-Request.
|
|
*/
|
|
case RADIUS_ATTR_ORIGINATING_LINE_INFO:
|
|
CONV2DIAM_STR( Originating_Line_Info );
|
|
break;
|
|
|
|
/* Default */
|
|
default: /* unknown attribute */
|
|
/* We just keep the attribute in the RADIUS message */
|
|
rad_req->attr_pos[nattr_used++] = rad_req->attr_pos[idx];
|
|
}
|
|
}
|
|
|
|
/* Update the radius message to remove all handled attributes */
|
|
rad_req->attr_used = nattr_used;
|
|
|
|
/* Store useful information in the session */
|
|
{
|
|
struct sess_state * st;
|
|
|
|
CHECK_MALLOC( st = malloc(sizeof(struct sess_state)) );
|
|
memset(st, 0, sizeof(struct sess_state));
|
|
st->auth_appl = auth_appl;
|
|
if (auth_appl) { /* We use the value 0 for servers which indicated NO STATE MAINTAINED, hence have no need for STR */
|
|
st->send_str = send_str;
|
|
}
|
|
st->term_cause = str_cause;
|
|
CHECK_FCT( fd_sess_state_store( cs->sess_hdl, sess, &st ) );
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Callback when an STA is received after having sent an STR. */
|
|
static void handle_sta(void * data, struct msg ** answer)
|
|
{
|
|
struct rgwp_config * cs = data;
|
|
struct avp *avp;
|
|
struct avp_hdr *ahdr;
|
|
|
|
CHECK_PARAMS_DO( data && answer && *answer, goto out );
|
|
|
|
/* Check the Diameter error code */
|
|
CHECK_FCT_DO( fd_msg_search_avp (*answer, cs->dict.Result_Code, &avp), goto out );
|
|
CHECK_PARAMS_DO( avp, goto out );
|
|
CHECK_FCT_DO( fd_msg_avp_hdr ( avp, &ahdr ), goto out );
|
|
if (ahdr->avp_value->u32 != ER_DIAMETER_SUCCESS)
|
|
goto out;
|
|
|
|
/* OK, discard the message without complaining */
|
|
fd_msg_free(*answer);
|
|
*answer = NULL;
|
|
|
|
out:
|
|
if (answer && *answer) {
|
|
char * buf = NULL; size_t buflen;
|
|
CHECK_MALLOC_DO( fd_msg_dump_treeview(&buf, &buflen, NULL, *answer, NULL, 0, 1), );
|
|
TRACE_DEBUG(INFO, "Received the following problematic STA message, discarding anyway: %s", buf ?: "<error>");
|
|
free(buf);
|
|
|
|
fd_msg_free(*answer);
|
|
*answer = NULL;
|
|
}
|
|
return;
|
|
}
|
|
|
|
static int acct_diam_ans( struct rgwp_config * cs, struct msg ** diam_ans, struct radius_msg ** rad_fw, struct rgw_client * cli )
|
|
{
|
|
struct session * sess;
|
|
struct sess_state * st = NULL, stloc;
|
|
struct avp *avp, *next;
|
|
struct avp_hdr *ahdr, *oh, *or;
|
|
os0_t sid = NULL;
|
|
size_t sidlen;
|
|
|
|
TRACE_ENTRY("%p %p %p %p", cs, diam_ans, rad_fw, cli);
|
|
CHECK_PARAMS(cs);
|
|
|
|
CHECK_FCT( fd_msg_sess_get(fd_g_config->cnf_dict, *diam_ans, &sess, NULL) );
|
|
if (sess) {
|
|
CHECK_FCT( fd_sess_state_retrieve( cs->sess_hdl, sess, &st ) );
|
|
CHECK_FCT( fd_sess_getsid(sess, &sid, &sidlen) );
|
|
}
|
|
|
|
if (!st) {
|
|
TRACE_DEBUG(INFO, "Received an ACA without corresponding session information, cannot translate to RADIUS");
|
|
return EINVAL;
|
|
}
|
|
|
|
/* Free the state */
|
|
memcpy(&stloc, st, sizeof(struct sess_state));
|
|
free(st);
|
|
st = &stloc;
|
|
|
|
/* Search these AVPs first */
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Host, &avp) );
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &oh ) );
|
|
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Origin_Realm, &avp) );
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &or ) );
|
|
|
|
/* Check the Diameter error code */
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Result_Code, &avp) );
|
|
ASSERT( avp ); /* otherwise the message should have been discarded a lot earlier because of ABNF */
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) );
|
|
switch (ahdr->avp_value->u32) {
|
|
case ER_DIAMETER_SUCCESS:
|
|
case ER_DIAMETER_LIMITED_SUCCESS:
|
|
(*rad_fw)->hdr->code = RADIUS_CODE_ACCOUNTING_RESPONSE;
|
|
break;
|
|
|
|
default:
|
|
fd_log_debug("[acct.rgwx] Received Diameter answer with error code '%d' from server '%.*s', session %.*s, not translating into Accounting-Response",
|
|
ahdr->avp_value->u32,
|
|
(int)oh->avp_value->os.len, oh->avp_value->os.data,
|
|
(int)sidlen, sid);
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Message, &avp) );
|
|
if (avp) {
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) );
|
|
fd_log_debug("[acct.rgwx] Error-Message content: '%.*s'",
|
|
(int)ahdr->avp_value->os.len, ahdr->avp_value->os.data);
|
|
}
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Error_Reporting_Host, &avp) );
|
|
if (avp) {
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) );
|
|
fd_log_debug("[acct.rgwx] Error-Reporting-Host: '%.*s'",
|
|
(int)ahdr->avp_value->os.len, ahdr->avp_value->os.data);
|
|
}
|
|
CHECK_FCT( fd_msg_search_avp (*diam_ans, cs->dict.Failed_AVP, &avp) );
|
|
if (avp) {
|
|
fd_log_debug("[acct.rgwx] Failed-AVP was included in the message.");
|
|
/* Dump its content ? */
|
|
}
|
|
|
|
/* Now, destroy the Diameter message, since we know it is not converted to RADIUS */
|
|
CHECK_FCT( fd_msg_free(*diam_ans) );
|
|
*diam_ans = NULL;
|
|
|
|
return -1;
|
|
}
|
|
/* Remove this Result-Code avp */
|
|
CHECK_FCT( fd_msg_free( avp ) );
|
|
|
|
/* If it was a response to a STOP record, we must send an STR for this session */
|
|
if (st->send_str) {
|
|
struct msg * str = NULL;
|
|
struct msg_hdr * hdr = NULL;
|
|
DiamId_t fqdn;
|
|
size_t fqdn_len;
|
|
DiamId_t realm;
|
|
size_t realm_len;
|
|
union avp_value avp_val;
|
|
|
|
/* Create a new STR message */
|
|
CHECK_FCT( fd_msg_new ( cs->dict.Session_Termination_Request, MSGFL_ALLOC_ETEID, &str ) );
|
|
|
|
/* Set the application-id to the auth application if available, accounting otherwise (not sure what is actually expected...) */
|
|
CHECK_FCT( fd_msg_hdr ( str, &hdr ) );
|
|
hdr->msg_appl = st->auth_appl ?: AI_ACCT;
|
|
|
|
/* Add the Session-Id AVP as first AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Session_Id, 0, &avp ) );
|
|
avp_val.os.data = sid;
|
|
avp_val.os.len = sidlen;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &avp_val ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_FIRST_CHILD, avp) );
|
|
CHECK_FCT( fd_sess_ref_msg(sess) );
|
|
|
|
/* Add the Destination-Realm as next AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Destination_Realm, 0, &avp ) );
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, or->avp_value ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* Get information on the NAS */
|
|
CHECK_FCT( rgw_clients_get_origin(cli, &fqdn, &fqdn_len, &realm, &realm_len) );
|
|
|
|
/* Add the Origin-Host as next AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Origin_Host, 0, &avp ) );
|
|
memset(&avp_val, 0, sizeof(avp_val));
|
|
avp_val.os.data = (unsigned char *)fqdn;
|
|
avp_val.os.len = fqdn_len;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &avp_val ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* Add the Origin-Realm as next AVP */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Origin_Realm, 0, &avp ) );
|
|
memset(&avp_val, 0, sizeof(avp_val));
|
|
avp_val.os.data = (unsigned char *)realm;
|
|
avp_val.os.len = realm_len;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &avp_val ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* Auth-Application-Id -- if we did not get it from our Class attribute, we just set "0" */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Auth_Application_Id, 0, &avp ) );
|
|
avp_val.u32 = st->auth_appl;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &avp_val ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* Termination-Cause */
|
|
CHECK_FCT( fd_msg_avp_new ( cs->dict.Termination_Cause, 0, &avp ) );
|
|
avp_val.u32 = st->term_cause;
|
|
CHECK_FCT( fd_msg_avp_setvalue ( avp, &avp_val ) );
|
|
CHECK_FCT( fd_msg_avp_add ( str, MSG_BRW_LAST_CHILD, avp) );
|
|
|
|
/* Send this message */
|
|
CHECK_FCT( fd_msg_send ( &str, handle_sta, cs ) );
|
|
}
|
|
|
|
/*
|
|
No attributes should be found in
|
|
Accounting-Response packets except Proxy-State and possibly Vendor-
|
|
Specific.
|
|
*/
|
|
|
|
/* Now loop in the list of AVPs and convert those that we know how */
|
|
CHECK_FCT( fd_msg_browse(*diam_ans, MSG_BRW_FIRST_CHILD, &next, NULL) );
|
|
|
|
while (next) {
|
|
int handled = 1;
|
|
avp = next;
|
|
CHECK_FCT( fd_msg_browse(avp, MSG_BRW_NEXT, &next, NULL) );
|
|
|
|
CHECK_FCT( fd_msg_avp_hdr ( avp, &ahdr ) );
|
|
|
|
if (!(ahdr->avp_flags & AVP_FLAG_VENDOR)) {
|
|
switch (ahdr->avp_code) {
|
|
/* Based on RFC4005, sec 3.10 */
|
|
case DIAM_ATTR_SESSION_ID:
|
|
case DIAM_ATTR_ORIGIN_HOST:
|
|
case DIAM_ATTR_ORIGIN_REALM:
|
|
case DIAM_ATTR_ACCOUNTING_RECORD_TYPE:
|
|
case DIAM_ATTR_ACCOUNTING_RECORD_NUMBER:
|
|
case DIAM_ATTR_ACCT_APPLICATION_ID:
|
|
case DIAM_ATTR_VENDOR_SPECIFIC_APPLICATION_ID:
|
|
case DIAM_ATTR_USER_NAME:
|
|
case DIAM_ATTR_ACCOUNTING_SUB_SESSION_ID:
|
|
case DIAM_ATTR_ACCT_SESSION_ID:
|
|
case DIAM_ATTR_ACCT_MULTI_SESSION_ID:
|
|
case DIAM_ATTR_EVENT_TIMESTAMP:
|
|
case DIAM_ATTR_ORIGIN_AAA_PROTOCOL:
|
|
case DIAM_ATTR_ORIGIN_STATE_ID:
|
|
case DIAM_ATTR_NAS_IDENTIFIER:
|
|
case DIAM_ATTR_NAS_IP_ADDRESS:
|
|
case DIAM_ATTR_NAS_IPV6_ADDRESS:
|
|
case DIAM_ATTR_NAS_PORT:
|
|
case DIAM_ATTR_NAS_PORT_ID:
|
|
case DIAM_ATTR_NAS_PORT_TYPE:
|
|
case DIAM_ATTR_SERVICE_TYPE:
|
|
case DIAM_ATTR_TERMINATION_CAUSE:
|
|
case DIAM_ATTR_ACCOUNTING_REALTIME_REQUIRED:
|
|
case DIAM_ATTR_ACCT_INTERIM_INTERVAL:
|
|
case DIAM_ATTR_CLASS:
|
|
/* We just remove these AVP, they are not expected in RADIUS client */
|
|
break;
|
|
|
|
default:
|
|
/* Leave the AVP in the message for further treatment */
|
|
handled = 0;
|
|
}
|
|
} else {
|
|
/* Vendor-specific AVPs */
|
|
switch (ahdr->avp_vendor) {
|
|
|
|
default: /* unknown vendor */
|
|
handled = 0;
|
|
}
|
|
}
|
|
|
|
if (handled) {
|
|
CHECK_FCT( fd_msg_free( avp ) );
|
|
}
|
|
}
|
|
|
|
/*
|
|
The Authenticator field in an Accounting-Response packet is called
|
|
the Response Authenticator, and contains a one-way MD5 hash
|
|
calculated over a stream of octets consisting of the Accounting-
|
|
Response Code, Identifier, Length, the Request Authenticator field
|
|
from the Accounting-Request packet being replied to, and the
|
|
response attributes if any, followed by the shared secret. The
|
|
resulting 16 octet MD5 hash value is stored in the Authenticator
|
|
field of the Accounting-Response packet.
|
|
|
|
-- done in radius_msg_finish_srv
|
|
*/
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* The exported symbol */
|
|
struct rgw_api rgwp_descriptor = {
|
|
.rgwp_name = "acct",
|
|
.rgwp_conf_parse = acct_conf_parse,
|
|
.rgwp_conf_free = acct_conf_free,
|
|
.rgwp_rad_req = acct_rad_req,
|
|
.rgwp_diam_ans = acct_diam_ans
|
|
};
|