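for (x = *vpn_router; x != (VPN_ROUTER *) NULL;) {
    free (x->hostname);
    *vpn_router = x->next;
    free (x);
    x = *vpn_router;
}
return;
} /* end of free_vpn_rtr () */

/******************************************************************************
 *
 * Function: add_vpn_info
 *
 * Purpose: Adds VPN ID, VPN Name, VPN Neighbor/Gateway to the
 *          authentication request.
 *
 * Returns: 1 on success (also when the remote server already supplied the
 *          gateways, or when the entry carries no VPN -- both are logged),
 *          0 on failure.  On failure every VPN attribute this function
 *          added to authreq->cur_request is removed again.
 *
 *****************************************************************************/
int
add_vpn_info (AUTH_REQ *authreq, AUTH_ENTRY *auth_ent)
{
    VPN_INFO   *vpn;
    VPN_ROUTER *router;
    UINT4       tmp_ip;
    UINT4       tmp_vpn;
    char       *func = "add_vpn_info";

    dprintf(2, (LOG_DAEMON, LOG_DEBUG, "%s: entered", func));

    if ((vpn = auth_ent->vpn) == (VPN_INFO *) NULL)
    {
        logit (LOG_DAEMON, LOG_ERR, "%s: NULL VPN pointer for '%s'", func,
               (auth_ent->name == (char *) NULL) ? "?" : auth_ent->name);
        return 1;
    }
    router = vpn->router;

    /*
     * VPN ID, Name, and Neighbor must be inserted by the Proxy.
     * If the remote server inserted these values, remove them.
     */
    avpair_del (&authreq->cur_request, PW_USR_VPN_ID, VC_USR);
    avpair_del (&authreq->cur_request, PW_USR_VPN_NAME, VC_USR);
    avpair_del (&authreq->cur_request, PW_USR_VPN_NEIGHBOR, VC_USR);

    if (vpn->type == GATEWAYS_ONLY)
    {
        /* Only the gateway list is sent; no ID/Name pair to roll back. */
        if (add_vpn_gateway (authreq, router) == 0)
        {
            avpair_del (&authreq->cur_request, PW_USR_VPN_GATEWAY, VC_USR);
            return 0;
        }
        return 1;
    }

    /*
     * The ID goes out in network byte order; a temporary is needed
     * because avpair_add_vend() takes a pointer to the value.
     */
    tmp_vpn = htonl(vpn->id);
    if (avpair_add_vend (&authreq->cur_request, PW_USR_VPN_ID, &tmp_vpn,
                         INT_LEN, VC_USR) == NULL_VP)
    {
        logit (LOG_DAEMON, LOG_ERR,
               "%s: Problem adding VPN ID for VPN %d, Realm %s",
               func, vpn->id, auth_ent->name);
        return 0;
    }

    if (avpair_add_vend (&authreq->cur_request, PW_USR_VPN_NAME, vpn->name,
                         -1, VC_USR) == NULL_VP)
    {
        logit (LOG_DAEMON, LOG_ERR,
               "%s: Problem adding VPN Name for VPN %d, Realm %s",
               func, vpn->id, auth_ent->name);
        goto fail_id;
    }

    if (vpn->type == PW_USR_VPN_NEIGHBOR)
    {
        if (router == (VPN_ROUTER *) NULL)
        {
            logit (LOG_DAEMON, LOG_ERR,
                   "%s: Missing VPN Neighbor for VPN %d, Realm %s",
                   func, vpn->id, auth_ent->name);
            goto fail_name;
        }

        if (find_host_by_name (&tmp_ip, router->hostname) != 0)
        {
            logit (LOG_DAEMON, LOG_ERR,
                   "%s: Problem resolving IP address for %s",
                   func, router->hostname);
            goto fail_name;
        }

        /* tmp_ip = htonl(router->ipaddr); */
        if (avpair_add_vend (&authreq->cur_request, PW_USR_VPN_NEIGHBOR,
                             &tmp_ip, IP_ADDR_LEN, VC_USR) == NULL_VP)
        {
            logit (LOG_DAEMON, LOG_ERR,
                   "%s: Problem adding VPN Neighbor for VPN %d, Realm %s",
                   func, vpn->id, auth_ent->name);
            goto fail_name;
        }
    }
    else /* PW_USR_VPN_GATEWAY */
    {
        if (get_vp_vend (authreq->cur_request, PW_USR_VPN_GATEWAY, VC_USR)
            != NULL_VP)
        {
            /*
             * Gateways can be defined on both the Proxy
             * and the Remote server.  If the Remote
             * server already inserted the gateways,
             * leave them as they are.  The Proxy must
             * not add gateways in this case.
             */
            logit (LOG_DAEMON, LOG_INFO,
                   "%s: VPN Gateways already added for VPN %d(by Remote Server).\nNot Adding Gateways defined here",
                   func, vpn->id);
            return 1;
        }

        if (add_vpn_gateway (authreq, router) == 0)
        {
            avpair_del (&authreq->cur_request, PW_USR_VPN_GATEWAY, VC_USR);
            goto fail_name;
        }
    }
    return 1;

    /* Failure paths: undo what was added above, innermost first. */
fail_name:
    avpair_del (&authreq->cur_request, PW_USR_VPN_NAME, VC_USR);
fail_id:
    avpair_del (&authreq->cur_request, PW_USR_VPN_ID, VC_USR);
    return 0;
} /* end of add_vpn_info () */

/* Parenthesised so the macro is safe inside larger expressions. */
#define GATEWAY_AV_LEN (AUTH_VECTOR_LEN + IP_ADDR_LEN + GATEWAY_FORMAT_LEN + TUNNEL_REF_LEN)

/***************************************************************************
 *
 * Function: add_vpn_gateway
 *
 * Purpose: Adds VPN-Gateway attribute type to given list.
 *
 *          One PW_USR_VPN_GATEWAY attribute is added per router in the
 *          list that has a Clients-file entry (others are logged and
 *          skipped).  Each value is: format byte, gateway IP, the
 *          gateway's auth vector (gen_gw_vector() with that client's
 *          secret), tunnel refresh.  If at least one gateway was added,
 *          a PW_USR_AUTH_VECTOR attribute computed with the requesting
 *          client's secret is appended as well.
 *
 * Returns: 1 on success (including an empty router list), 0 if an
 *          avpair_add_vend() call failed.
 *
 ***************************************************************************/
static int
add_vpn_gateway (AUTH_REQ *authreq, VPN_ROUTER *router)
{
    int           count = 0;                /* gateways actually added */
    UINT2         tunnel_ref;
    int           i;
    int           index;
    int           result;
    UINT4         ip;
    UINT4         sk;
    u_char       *ptr;
    CLIENT_ENTRY *ce;
    VPN_ROUTER   *rtr_ptr;
    char          buffer[AUTH_VECTOR_LEN];
    char          session_key[SESSION_KEY_LEN];
    char          vp_val[GATEWAY_AV_LEN];
    char         *func = "add_vpn_gateway";

    memset (session_key, 0, sizeof session_key);

    /*
     * SECURITY NOTE (review): the per-request session key is derived from
     * srand48()/srandom() seeded with the current second, so it is
     * predictable to anyone who knows roughly when the request was made.
     * This key is mixed into every gateway auth vector below.  It should
     * come from a cryptographically secure source; left unchanged here
     * because no such source is available without a new dependency.
     */
#ifdef BSDI
    srandom (time (0));
#else
    srand48 (time (0));
#endif /* BSDI */

    /* Fill the key one UINT4 at a time (assumes sizeof (UINT4) == 4). */
    ptr = (u_char *) session_key;
    for (i = 0; i < SESSION_KEY_LEN / 4; i++, ptr += sizeof (UINT4))
    {
#ifdef BSDI
        sk = random ();
#else
        sk = lrand48 ();
#endif /* BSDI */
        memcpy (ptr, (char *) &sk, sizeof (UINT4));
    }

#ifdef USR_DEBUG
    fprintf (stderr, "%s: SESSION-KEY = ", func);
    ptr = (u_char *) session_key;
    for (i = 0; i < SESSION_KEY_LEN; i++, ptr++)
    {
        fprintf (stderr, "%02x ", *ptr);
    }
    fprintf (stderr, "\n");
#endif /* USR_DEBUG */

    for (rtr_ptr = router; rtr_ptr != (VPN_ROUTER *) NULL;
         rtr_ptr = rtr_ptr->next)
    {
        result = find_client_by_name (rtr_ptr->hostname, &ip, &ce);
        if (result == -1)
        {
            logit (LOG_DAEMON, LOG_ERR,
                   "%s: %s does not have a matching entry in the Clients file",
                   func, rtr_ptr->hostname);
            continue;
        }
        if (result != 0)
        {
            logit (LOG_DAEMON, LOG_ERR,
                   "%s: Couldn't reslove IP address for %s",
                   func, rtr_ptr->hostname);
            continue;
        }

        memset (buffer, 0, sizeof buffer);
        memset (vp_val, 0, sizeof vp_val);
        gen_gw_vector (buffer, (char *) authreq->repvec, ce->secret,
                       session_key);

        /* Layout: format byte | IP | auth vector | tunnel refresh. */
        vp_val[0] = VPN_GATEWAY_FORMAT;
        index = GATEWAY_FORMAT_LEN;
        dprintf(2, (LOG_AUTH, LOG_DEBUG, "%s: index = %d", func, index));

        /* Byte-order conversion kept as in the original; whether
         * find_client_by_name() returns network order is not visible
         * here -- confirm before changing. */
        ip = ntohl (ip);
        memcpy (&vp_val[index], (char *) &ip, sizeof (UINT4));
        index += IP_ADDR_LEN;

        memcpy (&vp_val[index], buffer, AUTH_VECTOR_LEN);
        index += AUTH_VECTOR_LEN;
        /* Was an unconditional fprintf(stderr); a daemon should not
         * write trace output to stderr outside the debug path. */
        dprintf(2, (LOG_AUTH, LOG_DEBUG, "%s: index = %d", func, index));

        if (rtr_ptr->tunnel_present == TRUE)
        {
            tunnel_ref = htons(rtr_ptr->tunnel_refresh);
        }
        else
        {
            tunnel_ref = 0;
        }
        memcpy (&vp_val[index], (char *) &tunnel_ref, TUNNEL_REF_LEN);
        index += TUNNEL_REF_LEN;
        dprintf(2, (LOG_AUTH, LOG_DEBUG, "%s: again, index = %d", func, index));

        if (avpair_add_vend (&authreq->cur_request, PW_USR_VPN_GATEWAY,
                             vp_val, index, VC_USR) == NULL_VP)
        {
            logit (LOG_DAEMON, LOG_ERR, "%s: Problem adding VPN Gateway %s",
                   func, rtr_ptr->hostname);
            return 0;
        }
        count++;
    }

    if (count > 0)
    {
        /* Auth vector for the requesting client, same key as the gateways. */
        memset (vp_val, 0, sizeof vp_val);
        memset (buffer, 0, sizeof buffer);
        gen_gw_vector (buffer, (char *) authreq->repvec,
                       authreq->client->secret, session_key);
        memcpy (vp_val, buffer, AUTH_VECTOR_LEN);
        if (avpair_add_vend (&authreq->cur_request, PW_USR_AUTH_VECTOR,
                             vp_val, AUTH_VECTOR_LEN, VC_USR) == NULL_VP)
        {
            logit (LOG_DAEMON, LOG_ERR, "%s: Problem adding VPN Auth. Vector",
                   func);
            return 0;
        }
    }

    return 1;
} /* end of add_vpn_gateway () */

/***************************************************************************
 *
 * Function: gen_gw_vector
 *
 * Purpose: Generates the special vector required in the
 *          PW_USR_VPN_GATEWAY attribute:
 *
 *              buffer = MD5(vector || secret) XOR session_key
 *
 *          buffer must hold AUTH_VECTOR_LEN bytes; vector is read for
 *          AUTH_VECTOR_LEN bytes; secret is a NUL-terminated string;
 *          session_key is read for SESSION_KEY_LEN bytes.
 *
 *          A secret longer than MAX_SECRET_LENGTH is truncated (and
 *          logged) so the MD5 input buffer cannot be overrun.
 *
 ***************************************************************************/
static void
gen_gw_vector (char *buffer, char *vector, char *secret, char *session_key)
{
    int   i;
    int   secretlen;
    char  md5buf[AUTH_VECTOR_LEN + MAX_SECRET_LENGTH];
    char *func = "gen_gw_vector";

    secretlen = strlen (secret);
    if (secretlen > MAX_SECRET_LENGTH)
    {
        /* md5buf only has room for MAX_SECRET_LENGTH bytes of secret. */
        logit (LOG_DAEMON, LOG_ERR,
               "%s: shared secret longer than %d bytes, truncating",
               func, (int) MAX_SECRET_LENGTH);
        secretlen = MAX_SECRET_LENGTH;
    }

    memcpy (md5buf, vector, AUTH_VECTOR_LEN);
    memcpy (md5buf + AUTH_VECTOR_LEN, secret, secretlen);
    md5_calc (buffer, md5buf, AUTH_VECTOR_LEN + secretlen);

    /* NOTE(review): writes buffer[0..SESSION_KEY_LEN-1] into a buffer of
     * AUTH_VECTOR_LEN bytes; assumes SESSION_KEY_LEN <= AUTH_VECTOR_LEN
     * -- confirm in the header that defines both. */
    for (i = 0; i < SESSION_KEY_LEN; i++)
    {
        buffer[i] ^= session_key[i];
    }
} /* end of gen_gw_vector () */

/***************************************************************************
 *
 * Function: proxy_vector_proc
 *
 * Purpose: Generates the special proxy vector.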
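 *
 *          vector (AUTH_VECTOR_LEN bytes, in/out) is first XORed with
 *          MD5(authreq->repvec || remote_secret); the first
 *          SESSION_KEY_LEN bytes of that result become the session key.
 *          vector is then cleared and overwritten with
 *          gen_gw_vector(authreq->repvec, authreq->client->secret,
 *          session_key).
 *
 *          A remote secret longer than MAX_SECRET_LENGTH is truncated
 *          (and logged) so the MD5 input buffer cannot be overrun.
 *
 ***************************************************************************/
void
proxy_vector_proc (AUTH_REQ *authreq, char *remote_secret, char *vector)
{
    int   i;
    int   secretlen;
    char  buffer[AUTH_VECTOR_LEN + MAX_SECRET_LENGTH];
    char  session_key[SESSION_KEY_LEN];
    char  temp[AUTH_VECTOR_LEN];
    char *func = "proxy_vector_proc";

    secretlen = strlen (remote_secret);
    if (secretlen > MAX_SECRET_LENGTH)
    {
        /* buffer only has room for MAX_SECRET_LENGTH bytes of secret. */
        logit (LOG_DAEMON, LOG_ERR,
               "%s: remote secret longer than %d bytes, truncating",
               func, (int) MAX_SECRET_LENGTH);
        secretlen = MAX_SECRET_LENGTH;
    }

    memcpy (buffer, authreq->repvec, AUTH_VECTOR_LEN);
    memcpy (buffer + AUTH_VECTOR_LEN, remote_secret, secretlen);
    md5_calc (temp, buffer, AUTH_VECTOR_LEN + secretlen);

    /* NOTE(review): assumes SESSION_KEY_LEN <= AUTH_VECTOR_LEN -- confirm. */
    for (i = 0; i < SESSION_KEY_LEN; i++)
    {
        vector[i] ^= temp[i];
    }

    memset (session_key, 0, sizeof session_key);
    memcpy (session_key, vector, SESSION_KEY_LEN);

#ifdef USR_DEBUG
    {
        u_char *ptr = (u_char *) session_key;

        fprintf (stderr, "%s: SESSION-KEY at Proxy is ", func);
        for (i = 0; i < SESSION_KEY_LEN; i++, ptr++)
        {
            fprintf (stderr, "%02x ", *ptr);
        }
        fprintf (stderr, "\n");
    }
#endif /* USR_DEBUG */

    /* NOTE(review): clears AUTH_STRING1_LEN bytes of the caller's vector
     * buffer; its actual size is not visible here -- confirm at callers. */
    memset (vector, 0, AUTH_STRING1_LEN);
    gen_gw_vector (vector, (char *) authreq->repvec, authreq->client->secret,
                   session_key);
} /* end of proxy_vector_proc () */

/***************************************************************************
 *
 * Function: find_vpn
 *
 * Purpose: Finds the VPN ID, given the host IP address and file prefix.
 *
 *          Every authfile entry whose host resolves to the requesting
 *          IP address contributes one PW_USR_VPN_ID attribute to the
 *          request.  Entries without a VPN are logged and skipped
 *          instead of dereferencing a NULL pointer.
 *
 * Returns: 0 if at least one VPN ID was added; 1 if the authfile for the
 *          client's prefix is missing, no entry matched, or the attribute
 *          could not be added.
 *
 **************************************************************************/
int
find_vpn (AUTH_REQ *authreq)
{
    FILE_LIST      *file_ent;
    AUTH_ENTRY     *aent;
    struct in_addr  addr;
    UINT4           tmp_vpn;
    char            found = FALSE;
    char           *func = "find_vpn";

    dprintf(2, (LOG_DAEMON, LOG_DEBUG, "%s: entered", func));

    if ((file_ent = find_file_ent (authreq->client->file_pfx))
        == (FILE_LIST *) NULL)
    {
        logit (LOG_DAEMON, LOG_DEBUG,
               "%s: Couldn't find authfile with prefix %s",
               func, authreq->client->file_pfx);
        return (1);
    }

    for (aent = file_ent->auth_list; aent != (AUTH_ENTRY *) NULL;
         aent = aent->next)
    {
        if (get_ipaddr (aent->host) != authreq->ipaddr)
        {
            continue;
        }

        /*
         * The host address in the authfile entry matches
         * the IP address of the DAS which sent this
         * request.  So get the PW_USR_VPN_ID.
         */
        if (aent->vpn == (VPN_INFO *) NULL)
        {
            logit (LOG_DAEMON, LOG_ERR, "%s: NULL VPN pointer for '%s'", func,
                   (aent->name == (char *) NULL) ? "?" : aent->name);
            continue;
        }

        /* Network byte order, matching add_vpn_info(), which converts the
         * ID before handing it to avpair_add_vend(). */
        tmp_vpn = htonl (aent->vpn->id);
        if (avpair_add_vend (&authreq->cur_request, PW_USR_VPN_ID, &tmp_vpn,
                             INT_LEN, VC_USR) == NULL_VP)
        {
            avpair_del (&authreq->cur_request, PW_USR_VPN_ID, VC_USR);
            return (1);
        }
        found = TRUE;
    }

    if (found == FALSE)
    {
        addr.s_addr = authreq->ipaddr;
        logit (LOG_DAEMON, LOG_DEBUG,
               "%s: Couldn't find a matching entry in the authfile for %s",
               func, inet_ntoa (addr));
        return (1);
    }

    return 0;
} /* end of find_vpn () */
#endif /* USR_CCA */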