users.c

RADIUS协议的认证计费服务

/*
 * RADIUS -- Remote Authentication Dial In User Service
 * 
 * 
 * Livingston Enterprises, Inc. 6920 Koll Center Parkway Pleasanton, CA   94566
 * 
 * Copyright 1992 Livingston Enterprises, Inc.
 * 
 * Permission to use, copy, modify, and distribute this software for any
 * purpose and without fee is hereby granted, provided that this copyright
 * and permission notice appear on all copies and supporting documentation,
 * the name of Livingston Enterprises, Inc. not be used in advertising or
 * publicity pertaining to distribution of the program without specific
 * prior permission, and notice be given in supporting documentation that
 * copying and distribution is by permission of Livingston Enterprises, Inc.
 * 
 * Livingston Enterprises, Inc. makes no representations about the suitability
 * of this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 *      Copyright (c) 1996 Ascend Communications, Inc.
 *      All rights reserved.
 *
 *      Permission to copy, display, distribute and make derivative works
 *      from this material in whole or in part for any purpose is granted
 *      provided that the above copyright notice and this paragraph are
 *      duplicated in all copies.  THIS SOFTWARE IS PROVIDED "AS IS" AND
 *      WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING, WITHOUT
 *      LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 *      FOR A PARTICULAR PURPOSE.
 *
 */

/*
 * Copyright [C] The Regents of the University of Michigan and Merit Network,
 * Inc. 1992, 1993, 1994, 1995, 1996, 1997, 1998 All Rights Reserved
 *
 * Permission to use, copy, and modify this software and its documentation 
 * for any purpose and without fee is hereby granted, provided: 
 *
 * 1) that the above copyright notice and this permission notice appear in all
 *    copies of the software and derivative works or modified versions thereof, 
 *
 * 2) that both the copyright notice and this permission and disclaimer notice 
 *    appear in all supporting documentation, and 
 *
 * 3) that all derivative works made from this material are returned to the
 *    Regents of the University of Michigan and Merit Network, Inc. with
 *    permission to copy, to display, to distribute, and to make derivative
 *    works from the provided material in whole or in part for any purpose.
 *
 * Users of this code are requested to notify Merit Network, Inc. of such use
 * by sending email to aaa-admin@merit.edu
 *
 * Please also use aaa-admin@merit.edu to inform Merit Network, Inc of any
 * derivative works.
 *
 * Distribution of this software or derivative works or the associated
 * documentation is not allowed without an additional license.
 *
 * Licenses for other uses are available on an individually negotiated
 * basis.  Contact aaa-license@merit.edu for more information.
 *
 * THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE REGENTS OF THE
 * UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE
 * FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR
 * THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE.  The Regents of the
 * University of Michigan and Merit Network, Inc. shall not be liable for any
 * special, indirect, incidental or consequential damages with respect to any
 * claim by Licensee or any third party arising from use of the software.
 *
 * Merit AAA Server Support
 * Merit Network, Inc.
 * 4251 Plymouth Road, Suite C.
 * Ann Arbor, Michigan, USA 48105-2785
 *
 * attn:  John Vollbrecht
 * voice: 734-764-9430
 * fax:   734-647-3185
 * email: aaa-admin@merit.edu
 *
 */

/*
 *
 * Public entry points in this file:
 * 
 * add_file_list
 * addr_is_us
 * change_pw
 * client_is_us
 * client_queue_size
 * config_files
 * config_fini
 * config_init
 * dns_recv
 * find_auth_type
 * find_auth_ent
 * find_client
 * find_client_by_name
 * find_file_ent [[if USR_CCA is defined]]
 * find_host_by_name
 * free_user_ent
 * get_client_list
 * get_default_file_entry
 * get_our_addr
 * host_is_us
 * ip_hostname
 * pair_parse
 * return_file_list
 * update_expire
 * user_find
 * user_gettime
 * user_update
 * 
 */

static char     sccsid[] =
		"@(#)users.c 1.3 Copyright 1992 Livingston Enterprises Inc";

static char     rcsid[] = "$Id: users.c,v 1.1.1.1 2001/08/10 20:49:29 bonze Exp $";

#include	<sys/types.h>
#include	<sys/param.h>
#include	<sys/socket.h>
#include	<sys/time.h>
#include	<netinet/in.h>
#include	<arpa/inet.h>

#include	<stdio.h>
#include	<stdlib.h>
#include	<netdb.h>
#include	<memory.h>
#include	<unistd.h>
#include	<ctype.h>
#include	<dirent.h>
#include	<syslog.h>

#include	"radius.h"

static int         fieldcpy PROTO((char *, char **, int));

#ifdef USR_CCA
static char        check_user PROTO((USER_ENTRY *));
FILE_LIST         *find_file_ent PROTO((char *));
#else	/* USR_CCA */
static FILE_LIST  *find_file_ent PROTO((char *));
#endif	/* USR_CCA */

static void        free_clients PROTO((CLIENT_ENTRY *));
static void        free_file_lists PROTO((void));
static int         get_client_type PROTO((int, VENDOR_LIST **));

#ifdef USR_CCA
static char        parse_dns_nbns PROTO((char **, UINT4 *, UINT4 *));
#endif	/* USR_CCA */

static char       *parse_id PROTO((char *));
static int         read_auth PROTO((FILE_LIST *, int));
static int         read_clients PROTO((int));
static int         read_users PROTO((FILE_LIST *, int));

#if defined(ultrix) || defined(__hpux) || defined(__bsdi__) || defined(linux) || defined(SCO)
extern int         h_errno;
#endif	/* ultrix */

extern char        send_buffer[RAD_SEND_BUFFER_SIZE];
extern char        recv_buffer[RAD_RECV_BUFFER_SIZE];
extern char        ourhostname[MAXHOSTNAMELEN];
extern AATV       *authtype_tv[]; /* AATVs by authentication types */
extern int         debug_flag;
extern int         dumpcore;
extern char       *radius_dir;
extern FILE       *ddt;
extern int         authfile_cnt;
extern int         clients_cnt;
extern int         users_cnt;
extern int         file_logging; /* 0 => syslog, 1 => logfile, 2 => stderr */
extern AATV       *rad_ipc_aatv;
extern FILE       *msgfd;

int                default_reply_holdtime = CLEANUP_DELAY;
int                spawn_flag = 1; /* 0 => no spawning, 1 => spawning allowed */
int                dnspid = 0;     /* PID of current DNS resolver process */
UINT4              dns_address_aging = ADDRESS_AGING;
UINT4              dns_address_window = 60;	/* one minute */
int                doing_init = 1;	/* Always initing if not engine */
char               default_radius_server[128] = DEFAULT_RADIUS_SERVER;
char               default_tacacs_server[128] = DEFAULT_TACACS_SERVER;
char               authfile_id[128];
char               clients_id[128];
int                rad_ipc_port = 0;
MF_ENT             dns_addr_mf = { 0, 0 };	/* For DNS address structs. */
MF_ENT             dns_client_mf = { 0, 0 };	/* For DNS address structs. */
MF_ENT             dns_name_mf = { 0, 0 };	/* For DNS address structs. */
MF_ENT             vendor_mf = { 0, 0 };	/* For vendors. */
MF_ENT             vendor_list_mf = { 0, 0 };	/* For vendor lists. */

#ifdef USR_CCA
char               dns_done = FALSE;
UINT4              self_ip[SELF_IP_LEN]; /* Used with multi-homed servers */
#else	/* USR_CCA */
static UINT4       self_ip[11];		/* Used with multi-homed servers */
#endif	/* USR_CCA */

static FILE_LIST  *file_list = (FILE_LIST *) NULL;
static CLIENT_ENTRY *client_list = (CLIENT_ENTRY *) NULL;
static int         is_engine = 0;	/* rlmadmin(8) will not change this */
static CLIENT_ENTRY *old_clients;
static UINT4       last_client_ipaddr;
static CLIENT_ENTRY *last_client_found;
static char       *last_client_name;

/*************************************************************************
 *
 *	Function: add_file_list
 *
 *	Purpose: Find an existing FILE_LIST entry on file_list with the
 *		 specified prefix or add and init a new one if the
 *		 entry doesn't already exist.
 *
 *************************************************************************/

int
add_file_list (prefix)

char           *prefix;

{
	FILE_LIST      *file_ent;
	FILE_LIST     **fl_prev;

#ifdef USR_CCA
	ADDR_POOL      *apool;
#endif /* USR_CCA */

	static char    *func = "add_file_list";

	dprintf(4, (LOG_AUTH, LOG_DEBUG, "%s: entered", func));

	for (fl_prev = &file_list, file_ent = file_list;
		file_ent;
		fl_prev = &file_ent->next, file_ent = *fl_prev)
	{
		if (strcmp (file_ent->prefix, prefix) == 0)
		{
			return 0;
		}
	}

	if ((file_ent = (FILE_LIST *) calloc (1, sizeof (FILE_LIST)))
							== (FILE_LIST *) NULL)
	{
		logit (LOG_DAEMON, LOG_ALERT,
			"%s: Couldn't allocate FILE_ENTRY storage", func);
		return (-1);
	}
	file_ent->prefix = add_string (prefix, ASIS);
	file_ent->user_list = (USER_ENTRY *) NULL;
	file_ent->auth_list = (AUTH_ENTRY *) NULL;

#ifdef USR_CCA
	/*
	 *	Add an entry for the default pool. That is, the pool for
	 *	users who are statically assigned Framed IP addresses in
	 *	the users file.
	 */
	if ((file_ent->pool_list = (ADDR_POOL *) calloc (1, sizeof (ADDR_POOL)))
							== (ADDR_POOL *) NULL)
	{
		logit (LOG_DAEMON, LOG_ALERT,
			"%s: Couldn't allocate ADDR_POOL storage", func);
		return (-1);
	}
	apool = file_ent->pool_list;
	apool->name = DEF_POOL_NAME;
	apool->ip_address = 0;
	apool->netmask = 0;
	apool->network = 0;
	apool->range = 0;
	apool->count = 0;
	apool->user_q = (ASSIGNED_IP *) NULL;
	apool->next = (ADDR_POOL *) NULL;
#endif	/* USR_CCA */

	file_ent->next = (FILE_LIST *) NULL;
	*fl_prev = file_ent;

	return 0;
} /* end of add_file_list () */

/*************************************************************************
 *
 *	Function: addr_is_us
 *
 *	Purpose: Determine if we are the given host.
 *
 *	Returns: 1 if the given address is ours,
 *		 0 otherwise.
 *
 *************************************************************************/

int
addr_is_us (addr)

UINT4           addr;

{
	UINT4           *adptr;

	for (adptr = self_ip; *adptr > 0; adptr++)
	{
		if (*adptr == addr)
		{
			return 1;
		}
	}

	return 0;
} /* end of addr_is_us () */

/*************************************************************************
 *
 *	Function: change_pw
 *
 *	Purpose: Find the named user and change the password to the new value.
 *
 *	Remarks: This is called from passchange() only after the new
 *		 password has been validated.  The user was previously
 *		 found using user_find() so we know the user is in memory.
 *
 *	Returns: zero, if user's password has been changed in memory,
 *		 non-zero, otherwise.
 *
 *************************************************************************/

int
change_pw (name, protocol, curpass, newpass)

char           *name;
int             protocol;
VALUE_PAIR     *curpass;
char           *newpass;

{
	int             namelen;
	FILE_LIST      *file_ent;
	VALUE_PAIR     *dbpass;	
	VALUE_PAIR     *prot_ent;
	USER_ENTRY     *user_ent;
	USER_ENTRY     *dflt_ent;
	FILE           *debugout = stdout;
	static char    *func = "change_pw";

	dprintf(2, (LOG_AUTH, LOG_DEBUG, "%s: entered", func));

	if ((file_ent = find_file_ent ((char *) NULL)) == (FILE_LIST *) NULL)
	{
		return (-1);
	}

	dflt_ent = file_list->user_list;

	/*
	 *	If there is no user file for this prefix, then use the
	 *	first entry in file_list as the default file_ent.
	 */
	if ((user_ent = file_ent->user_list) == (USER_ENTRY *) NULL)
	{
		if (dflt_ent == (USER_ENTRY *) NULL)
		{
			/* No file entry, no password */
			 return (-1);
		}

		user_ent = dflt_ent;
	}

	if ((namelen = strlen (name)) == 0)
	{
		return 1;	/* A null name would match every line. */
	}

	/*
	 *	First check what type of lookup to do.
	 *	See if user file(s) have been cached in memory.
	 */

	for (; user_ent; user_ent = user_ent->next)
	{
		/* Allow match for entry specifying framed protocol
		 * type specified in "protocol".  An entry with a 
		 * matching name but no framed-protocol type check 
		 * item matches unconditionally.  An entry with a 
		 * matching name and a framed-protocol type check 
		 * item must match value in "protocol".
		 */
		if (strcmp (user_ent->name, name) == 0)
		{
			if ((prot_ent = get_vp (user_ent->check,
						PW_FRAMED_PROTOCOL)) == NULL_VP)
			{
				break;
			}

			if (prot_ent->lvalue == protocol)
			{
				break;
			}
		}
	}

	if (!user_ent)	/* rc 1 => User not found */
	{
		return 1;
	}

	/* Find the password entry. */
	dbpass = get_vp_ci (user_ent->check, CI_USER_PASSWORD, 0);

	if ((dbpass == NULL_VP) || (dbpass->strvalue == (char *) NULL))
	{
		/* Missing our local copy of the password */
		logit (LOG_DAEMON, LOG_ERR,
			"%s: - Missing Local Password: %s", func);
		return 1;
	}

	/* Let's be paranoid about this */
	if (strcmp (dbpass->strvalue, curpass->strvalue))
	{
		logit (LOG_DAEMON, LOG_ERR,
			"%s: - Password does not match cached password.", func);
		return 1;
	}

	/* Go ahead and change it */	
	avpair_string_mod (dbpass, newpass, -1);

	if (debug_flag >= 2)
	{
		if (ddt)
		{
			debugout = ddt;
		}
		fprintf (debugout, "Check items:\n");
		debug_list (debugout, user_ent->check);
		fprintf (debugout, "Reply items:\n");
		debug_list (debugout, user_ent->reply);
	}
	return (0);	/* rc 0 => User found */

} /* end of change_pw () */

#ifdef USR_CCA

/*************************************************************************
 *
 *	Function: check_user
 *
 *	Purpose: Processes Simultaneous-Use, Sessions-Allowed and
 *		 Address-Pool attributes, and checks for a valid
 *		 Termination-Action value.
 *
 ************************************************************************/

static char
check_user (user_ent)

USER_ENTRY      *user_ent;

{
	VALUE_PAIR      *vp;
	char            *func = "check_user";

	if ((vp = get_vp_ci (user_ent->reply, CI_SIMULTANEOUS_USE, 0))
								!= NULL_VP)
	{
		user_ent->sessions = vp->lvalue;
		avpair_del (&user_ent->reply, CI_SIMULTANEOUS_USE, 0);
	}

	if ((vp = get_vp_ci (user_ent->reply, CI_ADDRESS_POOL_NAME, 0))
								!= NULL_VP)
	{
		user_ent->pool_name = vp->strvalue;
		avpair_del (&user_ent->reply, CI_ADDRESS_POOL_NAME, 0);
		if ((vp = get_vp (user_ent->reply, PW_FRAMED_IP_ADDRESS))
								!= NULL_VP)
		{
			logit (LOG_DAEMON,LOG_ERR,
       "%s: User %s has a static Framed-IP-Address and an Address Pool defined",
				func, user_ent->name);
			return (-1);
		}
	}

	if (user_ent->sessions > 1 ||
		strcmp (user_ent->pool_name, DEF_POOL_NAME) != 0)
	{
		if (((vp = get_vp (user_ent->reply,
					PW_TERMINATION_ACTION)) == NULL_VP))
		{
			/*
			 *	This user's resources are to be managed.
			 *	A Termination-Action attribute is required.
			 */
			logit (LOG_DAEMON, LOG_ERR,
			   "%s: User %s-> Missing Termination Action attribute",
				func, user_ent->name);
			return (-1);
		}
		else if (vp->lvalue != MANAGE_RESOURCES)
		{
			logit (LOG_DAEMON, LOG_ERR,
			   "%s: User %s-> Invalid Termination Action Attribute",
				func, user_ent->name);
			return (-1);
		}
	}

	return (0);

} /* end of check_user () */

#endif /* USR_CCA */

/*************************************************************************
 *
 *	Function: client_is_us
 *
 *	Purpose: Determine if we are the given host.
 *
 *	Returns: 1, if the given hostname is the name of this host,
 *		 0, otherwise.
 *
 *************************************************************************/

int
client_is_us (ce)

CLIENT_ENTRY    *ce;

{