
Modify IPCP to use {D,NB}NS servers from RADIUS. Also move the

radius related functions from ppp.c to npppd_radius.c.
This commit is contained in:
yasuoka 2024-07-01 07:09:07 +00:00
parent 593962704d
commit a168fdd3c6
8 changed files with 119 additions and 76 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */
/* $OpenBSD: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -36,7 +36,7 @@
* </ul></p>
*/
/* RFC 1994, 2433 */
/* $Id: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */
/* $Id: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
@ -914,7 +914,7 @@ chap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
break;
}
}
ppp_process_radius_framed_ip(_this->ppp, pkt);
ppp_process_radius_attrs(_this->ppp, pkt);
return;
auth_failed:


@ -1,4 +1,4 @@
.\" $OpenBSD: npppd.conf.5,v 1.32 2023/03/02 17:09:53 jmc Exp $
.\" $OpenBSD: npppd.conf.5,v 1.33 2024/07/01 07:09:07 yasuoka Exp $
.\"
.\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 2 2023 $
.Dd $Mdocdate: July 1 2024 $
.Dt NPPPD.CONF 5
.Os
.Sh NAME
@ -506,8 +506,22 @@ The default is
This option can be used multiple times.
.It Ic dns-servers Ar primary-server-address Op Ar secondary-server-address
Specify the DNS servers' IP addresses.
When this option is not specified and the authenticated realm
.Pq eq. the RADIUS server
specifies the DNS server addresses,
they are used as the default.
To stop using them any case,
configure
.Qq 0.0.0.0 .
.It Ic nbns-servers Ar primary-server-address Op Ar secondary-server-address
Specify the NetBIOS name servers' IP addresses.
When this option is not specified and the authenticated realm
.Pq eq. the RADIUS server
specifies the NetBIOS server addresses,
they are used as the default.
To stop using them any case,
configure
.Qq 0.0.0.0 .
.It Ic allow-user-selected-address Ar yes | no
Specify whether
.Xr npppd 8


@ -1,4 +1,4 @@
/* $OpenBSD: npppd.h,v 1.19 2017/08/12 11:20:34 goda Exp $ */
/* $OpenBSD: npppd.h,v 1.20 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -174,7 +174,9 @@ struct ipcpconf {
TAILQ_ENTRY(ipcpconf) entry;
char name[NPPPD_GENERIC_NAME_LEN];
bool dns_use_resolver;
bool dns_configured;
struct in_addr dns_servers[2];
bool nbns_configured;
struct in_addr nbns_servers[2];
bool allow_user_select;
struct in_addr_range *dynamic_pool;
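Review bot: The new dns_configured and nbns_configured fields carry no comment, yet their meaning is only visible in npppd_radius.c, where a true value suppresses the server addresses supplied by the RADIUS server. Suggest `bool dns_configured; /* dns-servers set in config; RADIUS-supplied DNS is then ignored */` and the matching `bool nbns_configured; /* nbns-servers set in config; RADIUS-supplied NBNS is then ignored */`. struct ipcpconf begins and ends outside the hunk.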


@ -1,4 +1,4 @@
/* $Id: npppd_radius.c,v 1.10 2024/02/26 10:42:05 yasuoka Exp $ */
/* $Id: npppd_radius.c,v 1.11 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
* All rights reserved.
@ -38,6 +38,7 @@
#include <sys/syslog.h>
#include <netinet/in.h>
#include <net/if_dl.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <netdb.h>
#include <stdint.h>
@ -73,9 +74,11 @@ static void npppd_ppp_radius_acct_reqcb(void *, RADIUS_PACKET *, int, RADIUS_REQ
* the given RADIUS packet and set them as the fields of ppp context.
*/
void
ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
ppp_process_radius_attrs(npppd_ppp *_this, RADIUS_PACKET *pkt)
{
struct in_addr ip4;
struct in_addr ip4;
int got_pri, got_sec;
char buf0[40], buf1[40];
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4)
== 0)
@ -87,6 +90,53 @@ ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
== 0)
_this->realm_framed_ip_netmask = ip4;
#endif
if (!ppp_ipcp(_this)->dns_configured) {
got_pri = got_sec = 0;
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER, &ip4) == 0) {
got_pri = 1;
_this->ipcp.dns_pri = ip4;
}
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER, &ip4) == 0) {
got_sec = 1;
_this->ipcp.dns_sec = ip4;
}
if (got_pri || got_sec)
ppp_log(_this, LOG_INFO, "DNS server address%s "
"(%s%s%s) %s configured by RADIUS server",
((got_pri + got_sec) > 1)? "es" : "",
(got_pri)? inet_ntop(AF_INET, &_this->ipcp.dns_pri,
buf0, sizeof(buf0)) : "",
(got_pri != 0 && got_sec != 0)? "," : "",
(got_sec)? inet_ntop(AF_INET, &_this->ipcp.dns_sec,
buf1, sizeof(buf1)) : "",
((got_pri + got_sec) > 1)? "are" : "is");
}
if (!ppp_ipcp(_this)->nbns_configured) {
got_pri = got_sec = 0;
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER, &ip4) == 0) {
got_pri = 1;
_this->ipcp.nbns_pri = ip4;
}
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER, &ip4) == 0) {
got_sec = 1;
_this->ipcp.nbns_sec = ip4;
}
if (got_pri || got_sec)
ppp_log(_this, LOG_INFO, "NBNS server address%s "
"(%s%s%s) %s configured by RADIUS server",
((got_pri + got_sec) > 1)? "es" : "",
(got_pri)? inet_ntop(AF_INET, &_this->ipcp.nbns_pri,
buf0, sizeof(buf0)) : "",
(got_pri != 0 && got_sec != 0)? "," : "",
(got_sec)? inet_ntop(AF_INET, &_this->ipcp.nbns_sec,
buf1, sizeof(buf1)) : "",
((got_pri + got_sec) > 1)? "are" : "is");
}
}
/***********************************************************************
@ -480,3 +530,35 @@ fail:
#endif
return 1;
}
/**
* Set RADIUS attributes for RADIUS authentication request.
* Return 0 on success.
*/
int
ppp_set_radius_attrs_for_authreq(npppd_ppp *_this,
radius_req_setting *rad_setting, RADIUS_PACKET *radpkt)
{
/* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */
if (radius_prepare_nas_address(rad_setting, radpkt) != 0)
goto fail;
/* RFC 2865 "5.6. Service-Type" */
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE,
RADIUS_SERVICE_TYPE_FRAMED) != 0)
goto fail;
/* RFC 2865 "5.7. Framed-Protocol" */
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL,
RADIUS_FRAMED_PROTOCOL_PPP) != 0)
goto fail;
if (_this->calling_number[0] != '\0') {
if (radius_put_string_attr(radpkt,
RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0)
return 1;
}
return 0;
fail:
return 1;
}
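Review bot: The moved ppp_set_radius_attrs_for_authreq no longer emits the NAS-Identifier attribute: the `radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd")` call that the deleted ppp.c copy made between NAS-IP-Address and Service-Type has no counterpart in the new body, so the authentication request changes on the wire while the commit message describes only a move. If a RADIUS server policy keys on NAS-Identifier this is a silent behaviour change; if the drop is deliberate (for example because radius_prepare_nas_address now supplies it, which is not visible here) say so in the function comment. In the same function the Calling-Station-Id failure path still does `return 1;` where every other attribute uses `goto fail;`, worth unifying while the code is being moved. In ppp_process_radius_attrs the DNS and NBNS blocks are near-identical copies differing only in the vendor attribute types, the target fields and the log label; a small static helper taking those as parameters would halve the body, and that function begins in the previous hunk.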


@ -1,4 +1,4 @@
/* $OpenBSD: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */
/* $OpenBSD: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */
/* $Id: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */
/**@file
* This file provides Password Authentication Protocol (PAP) handlers.
* @author Yasuoka Masahiko
@ -508,7 +508,7 @@ pap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
}
/* Authentication succeeded */
pap_response(_this, 1, DEFAULT_SUCCESS_MESSAGE);
ppp_process_radius_framed_ip(_this->ppp, pkt);
ppp_process_radius_attrs(_this->ppp, pkt);
return;
auth_failed:


@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.27 2023/04/19 13:33:37 jsg Exp $ */
/* $OpenBSD: parse.y,v 1.28 2024/07/01 07:09:07 yasuoka Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -818,19 +818,23 @@ ipcpopt : POOL_ADDRESS STRING ipcppooltype {
}
| DNS_SERVERS in4_addr in4_addr {
curr_ipcpconf->dns_use_resolver = false;
curr_ipcpconf->dns_configured = true;
curr_ipcpconf->dns_servers[0] = $2;
curr_ipcpconf->dns_servers[1] = $3;
}
| DNS_SERVERS in4_addr {
curr_ipcpconf->dns_use_resolver = false;
curr_ipcpconf->dns_configured = true;
curr_ipcpconf->dns_servers[0] = $2;
curr_ipcpconf->dns_servers[1].s_addr = 0;
}
| NBNS_SERVERS in4_addr in4_addr {
curr_ipcpconf->nbns_configured = true;
curr_ipcpconf->nbns_servers[0] = $2;
curr_ipcpconf->nbns_servers[1] = $3;
}
| NBNS_SERVERS in4_addr {
curr_ipcpconf->nbns_configured = true;
curr_ipcpconf->nbns_servers[0] = $2;
curr_ipcpconf->nbns_servers[1].s_addr = 0;
}
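Review bot: Both DNS_SERVERS rules set dns_configured = true alongside dns_use_resolver = false, but nothing in this hunk sets dns_configured for the resolver-based form that dns_use_resolver implies; if such a form exists elsewhere in the grammar and leaves dns_configured false, ppp_process_radius_attrs in npppd_radius.c will still copy RADIUS-supplied DNS addresses into the session even though the administrator chose a DNS source, so confirm that precedence is intended. The one-address and two-address alternatives also repeat three assignments each; a shared helper that takes the optional second in4_addr would remove the duplication, though the current shape matches the surrounding grammar style. The ipcpopt rule continues outside the hunk.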


@ -1,4 +1,4 @@
/* $OpenBSD: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */
/* $OpenBSD: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */
/* $Id: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */
/**@file
* This file provides PPP(Point-to-Point Protocol, RFC 1661) and
* {@link :: _npppd_ppp PPP instance} related functions.
@ -1061,65 +1061,6 @@ ppp_log(npppd_ppp *_this, int prio, const char *fmt, ...)
return status;
}
#ifdef USE_NPPPD_RADIUS
#define UCHAR_BUFSIZ 255
/**
* Process the Framed-IP-Address attribute and the Framed-IP-Netmask
* attribute of given RADIUS packet.
*/
void
ppp_process_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
{
struct in_addr ip4;
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4)
== 0)
_this->realm_framed_ip_address = ip4;
_this->realm_framed_ip_netmask.s_addr = 0xffffffffL;
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_NETMASK, &ip4)
== 0)
_this->realm_framed_ip_netmask = ip4;
}
/**
* Set RADIUS attributes for RADIUS authentication request.
* Return 0 on success.
*/
int
ppp_set_radius_attrs_for_authreq(npppd_ppp *_this,
radius_req_setting *rad_setting, RADIUS_PACKET *radpkt)
{
/* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */
if (radius_prepare_nas_address(rad_setting, radpkt) != 0)
goto fail;
/* RFC 2865 5.32. NAS-Identifier */
if (radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd")
!= 0)
goto fail;
/* RFC 2865 "5.6. Service-Type" */
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE,
RADIUS_SERVICE_TYPE_FRAMED) != 0)
goto fail;
/* RFC 2865 "5.7. Framed-Protocol" */
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL,
RADIUS_FRAMED_PROTOCOL_PPP) != 0)
goto fail;
if (_this->calling_number[0] != '\0') {
if (radius_put_string_attr(radpkt,
RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0)
return 1;
}
return 0;
fail:
return 1;
}
#endif
#ifdef USE_NPPPD_PIPEX
/** The callback function on network is available for pipex */
static void


@ -1,4 +1,4 @@
/* $OpenBSD: ppp.h,v 1.24 2022/12/28 21:30:17 jmc Exp $ */
/* $OpenBSD: ppp.h,v 1.25 2024/07/01 07:09:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -779,7 +779,7 @@ u_char *ppp_packetbuf (npppd_ppp *, int);
int ppp_log (npppd_ppp *, int, const char *, ...) __printflike(3,4);
void ppp_reset_idle_timeout(npppd_ppp *);
#ifdef USE_NPPPD_RADIUS
void ppp_process_radius_framed_ip (npppd_ppp *, RADIUS_PACKET *);
void ppp_process_radius_attrs (npppd_ppp *, RADIUS_PACKET *);
int ppp_set_radius_attrs_for_authreq (npppd_ppp *, radius_req_setting *, RADIUS_PACKET *);
#endif
struct tunnconf *ppp_get_tunnconf(npppd_ppp *);