Modify IPCP to use {D,NB}NS servers from RADIUS. Also move the
radius related functions from ppp.c to npppd_radius.c.
This commit is contained in:
parent
593962704d
commit
a168fdd3c6
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */
|
||||
/* $OpenBSD: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
@ -36,7 +36,7 @@
|
||||
* </ul></p>
|
||||
*/
|
||||
/* RFC 1994, 2433 */
|
||||
/* $Id: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */
|
||||
/* $Id: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/time.h>
|
||||
@ -914,7 +914,7 @@ chap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
|
||||
break;
|
||||
}
|
||||
}
|
||||
ppp_process_radius_framed_ip(_this->ppp, pkt);
|
||||
ppp_process_radius_attrs(_this->ppp, pkt);
|
||||
|
||||
return;
|
||||
auth_failed:
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: npppd.conf.5,v 1.32 2023/03/02 17:09:53 jmc Exp $
|
||||
.\" $OpenBSD: npppd.conf.5,v 1.33 2024/07/01 07:09:07 yasuoka Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: March 2 2023 $
|
||||
.Dd $Mdocdate: July 1 2024 $
|
||||
.Dt NPPPD.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -506,8 +506,22 @@ The default is
|
||||
This option can be used multiple times.
|
||||
.It Ic dns-servers Ar primary-server-address Op Ar secondary-server-address
|
||||
Specify the DNS servers' IP addresses.
|
||||
When this option is not specified and the authenticated realm
|
||||
.Pq eq. the RADIUS server
|
||||
specifies the DNS server addresses,
|
||||
they are used as the default.
|
||||
To stop using them any case,
|
||||
configure
|
||||
.Qq 0.0.0.0 .
|
||||
.It Ic nbns-servers Ar primary-server-address Op Ar secondary-server-address
|
||||
Specify the NetBIOS name servers' IP addresses.
|
||||
When this option is not specified and the authenticated realm
|
||||
.Pq eq. the RADIUS server
|
||||
specifies the NetBIOS server addresses,
|
||||
they are used as the default.
|
||||
To stop using them any case,
|
||||
configure
|
||||
.Qq 0.0.0.0 .
|
||||
.It Ic allow-user-selected-address Ar yes | no
|
||||
Specify whether
|
||||
.Xr npppd 8
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: npppd.h,v 1.19 2017/08/12 11:20:34 goda Exp $ */
|
||||
/* $OpenBSD: npppd.h,v 1.20 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
@ -174,7 +174,9 @@ struct ipcpconf {
|
||||
TAILQ_ENTRY(ipcpconf) entry;
|
||||
char name[NPPPD_GENERIC_NAME_LEN];
|
||||
bool dns_use_resolver;
|
||||
bool dns_configured;
|
||||
struct in_addr dns_servers[2];
|
||||
bool nbns_configured;
|
||||
struct in_addr nbns_servers[2];
|
||||
bool allow_user_select;
|
||||
struct in_addr_range *dynamic_pool;
|
||||
|
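Review bot: The two new flags `dns_configured` and `nbns_configured` in struct ipcpconf carry no comment, and their meaning is only discoverable by reading parse.y and npppd_radius.c together; a one-line comment on each would help, e.g. `bool dns_configured; /* dns-servers given in config; RADIUS MS-*-DNS-Server attrs are then ignored */` and `bool nbns_configured; /* nbns-servers given in config; RADIUS MS-*-NBNS-Server attrs are then ignored */`. It is worth stating there that an explicit `0.0.0.0` also counts as configured, since the man page documents that as the way to suppress the RADIUS-supplied values. struct ipcpconf begins outside the hunk.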
@ -1,4 +1,4 @@
|
||||
/* $Id: npppd_radius.c,v 1.10 2024/02/26 10:42:05 yasuoka Exp $ */
|
||||
/* $Id: npppd_radius.c,v 1.11 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
* All rights reserved.
|
||||
@ -38,6 +38,7 @@
|
||||
#include <sys/syslog.h>
|
||||
#include <netinet/in.h>
|
||||
#include <net/if_dl.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <stdint.h>
|
||||
@ -73,9 +74,11 @@ static void npppd_ppp_radius_acct_reqcb(void *, RADIUS_PACKET *, int, RADIUS_REQ
|
||||
* the given RADIUS packet and set them as the fields of ppp context.
|
||||
*/
|
||||
void
|
||||
ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
|
||||
ppp_process_radius_attrs(npppd_ppp *_this, RADIUS_PACKET *pkt)
|
||||
{
|
||||
struct in_addr ip4;
|
||||
struct in_addr ip4;
|
||||
int got_pri, got_sec;
|
||||
char buf0[40], buf1[40];
|
||||
|
||||
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4)
|
||||
== 0)
|
||||
@ -87,6 +90,53 @@ ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
|
||||
== 0)
|
||||
_this->realm_framed_ip_netmask = ip4;
|
||||
#endif
|
||||
|
||||
if (!ppp_ipcp(_this)->dns_configured) {
|
||||
got_pri = got_sec = 0;
|
||||
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
|
||||
RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER, &ip4) == 0) {
|
||||
got_pri = 1;
|
||||
_this->ipcp.dns_pri = ip4;
|
||||
}
|
||||
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
|
||||
RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER, &ip4) == 0) {
|
||||
got_sec = 1;
|
||||
_this->ipcp.dns_sec = ip4;
|
||||
}
|
||||
if (got_pri || got_sec)
|
||||
ppp_log(_this, LOG_INFO, "DNS server address%s "
|
||||
"(%s%s%s) %s configured by RADIUS server",
|
||||
((got_pri + got_sec) > 1)? "es" : "",
|
||||
(got_pri)? inet_ntop(AF_INET, &_this->ipcp.dns_pri,
|
||||
buf0, sizeof(buf0)) : "",
|
||||
(got_pri != 0 && got_sec != 0)? "," : "",
|
||||
(got_sec)? inet_ntop(AF_INET, &_this->ipcp.dns_sec,
|
||||
buf1, sizeof(buf1)) : "",
|
||||
((got_pri + got_sec) > 1)? "are" : "is");
|
||||
}
|
||||
if (!ppp_ipcp(_this)->nbns_configured) {
|
||||
got_pri = got_sec = 0;
|
||||
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
|
||||
RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER, &ip4) == 0) {
|
||||
got_pri = 1;
|
||||
_this->ipcp.nbns_pri = ip4;
|
||||
}
|
||||
if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT,
|
||||
RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER, &ip4) == 0) {
|
||||
got_sec = 1;
|
||||
_this->ipcp.nbns_sec = ip4;
|
||||
}
|
||||
if (got_pri || got_sec)
|
||||
ppp_log(_this, LOG_INFO, "NBNS server address%s "
|
||||
"(%s%s%s) %s configured by RADIUS server",
|
||||
((got_pri + got_sec) > 1)? "es" : "",
|
||||
(got_pri)? inet_ntop(AF_INET, &_this->ipcp.nbns_pri,
|
||||
buf0, sizeof(buf0)) : "",
|
||||
(got_pri != 0 && got_sec != 0)? "," : "",
|
||||
(got_sec)? inet_ntop(AF_INET, &_this->ipcp.nbns_sec,
|
||||
buf1, sizeof(buf1)) : "",
|
||||
((got_pri + got_sec) > 1)? "are" : "is");
|
||||
}
|
||||
}
|
||||
|
||||
/***********************************************************************
|
||||
@ -480,3 +530,35 @@ fail:
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set RADIUS attributes for RADIUS authentication request.
|
||||
* Return 0 on success.
|
||||
*/
|
||||
int
|
||||
ppp_set_radius_attrs_for_authreq(npppd_ppp *_this,
|
||||
radius_req_setting *rad_setting, RADIUS_PACKET *radpkt)
|
||||
{
|
||||
/* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */
|
||||
if (radius_prepare_nas_address(rad_setting, radpkt) != 0)
|
||||
goto fail;
|
||||
|
||||
/* RFC 2865 "5.6. Service-Type" */
|
||||
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE,
|
||||
RADIUS_SERVICE_TYPE_FRAMED) != 0)
|
||||
goto fail;
|
||||
|
||||
/* RFC 2865 "5.7. Framed-Protocol" */
|
||||
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL,
|
||||
RADIUS_FRAMED_PROTOCOL_PPP) != 0)
|
||||
goto fail;
|
||||
|
||||
if (_this->calling_number[0] != '\0') {
|
||||
if (radius_put_string_attr(radpkt,
|
||||
RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0)
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
fail:
|
||||
return 1;
|
||||
}
|
||||
|
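Review bot: The moved `ppp_set_radius_attrs_for_authreq()` no longer adds the NAS-Identifier attribute: the old ppp.c body put `RADIUS_TYPE_NAS_IDENTIFIER` = "npppd" between the NAS address and Service-Type, while the new body here goes straight from `radius_prepare_nas_address()` to Service-Type. Unless `radius_prepare_nas_address()` (body not in view) now emits it, RADIUS servers that key authorization policy or accounting on NAS-Identifier will see a different Access-Request after an upgrade, and the commit message ("move") does not mention any such change. If the drop is intentional it deserves a sentence in the message; otherwise restore the block, `if (radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd") != 0) goto fail;`. Minor: the Calling-Station-Id failure path uses `return 1` where every other attribute uses `goto fail`, which is harmless today but worth making uniform.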
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */
|
||||
/* $OpenBSD: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
@ -25,7 +25,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
/* $Id: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */
|
||||
/* $Id: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
/**@file
|
||||
* This file provides Password Authentication Protocol (PAP) handlers.
|
||||
* @author Yasuoka Masahiko
|
||||
@ -508,7 +508,7 @@ pap_radius_response(void *context, RADIUS_PACKET *pkt, int flags,
|
||||
}
|
||||
/* Authentication succeeded */
|
||||
pap_response(_this, 1, DEFAULT_SUCCESS_MESSAGE);
|
||||
ppp_process_radius_framed_ip(_this->ppp, pkt);
|
||||
ppp_process_radius_attrs(_this->ppp, pkt);
|
||||
|
||||
return;
|
||||
auth_failed:
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: parse.y,v 1.27 2023/04/19 13:33:37 jsg Exp $ */
|
||||
/* $OpenBSD: parse.y,v 1.28 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
|
||||
@ -818,19 +818,23 @@ ipcpopt : POOL_ADDRESS STRING ipcppooltype {
|
||||
}
|
||||
| DNS_SERVERS in4_addr in4_addr {
|
||||
curr_ipcpconf->dns_use_resolver = false;
|
||||
curr_ipcpconf->dns_configured = true;
|
||||
curr_ipcpconf->dns_servers[0] = $2;
|
||||
curr_ipcpconf->dns_servers[1] = $3;
|
||||
}
|
||||
| DNS_SERVERS in4_addr {
|
||||
curr_ipcpconf->dns_use_resolver = false;
|
||||
curr_ipcpconf->dns_configured = true;
|
||||
curr_ipcpconf->dns_servers[0] = $2;
|
||||
curr_ipcpconf->dns_servers[1].s_addr = 0;
|
||||
}
|
||||
| NBNS_SERVERS in4_addr in4_addr {
|
||||
curr_ipcpconf->nbns_configured = true;
|
||||
curr_ipcpconf->nbns_servers[0] = $2;
|
||||
curr_ipcpconf->nbns_servers[1] = $3;
|
||||
}
|
||||
| NBNS_SERVERS in4_addr {
|
||||
curr_ipcpconf->nbns_configured = true;
|
||||
curr_ipcpconf->nbns_servers[0] = $2;
|
||||
curr_ipcpconf->nbns_servers[1].s_addr = 0;
|
||||
}
|
||||
|
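Review bot: The new `dns_configured = true` / `nbns_configured = true` assignments cover only the address forms of the options; the `dns_use_resolver = false` on the same lines implies a resolver alternative exists elsewhere in the grammar (not in this hunk), and if that rule does not also set `dns_configured`, `ppp_process_radius_attrs()` will still copy RADIUS-supplied MS-DNS-Server values into `ipcp.dns_pri`/`dns_sec` for a realm whose admin chose the local resolver. Whether that actually overrides the resolver depends on how IPCP consumes those fields, which is not visible here, so please check that rule; if it needs the flag, the fix is one line in its action, `curr_ipcpconf->dns_configured = true;`. The ipcpopt rule begins outside the hunk.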
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */
|
||||
/* $OpenBSD: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
@ -25,7 +25,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
/* $Id: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */
|
||||
/* $Id: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
/**@file
|
||||
* This file provides PPP(Point-to-Point Protocol, RFC 1661) and
|
||||
* {@link :: _npppd_ppp PPP instance} related functions.
|
||||
@ -1061,65 +1061,6 @@ ppp_log(npppd_ppp *_this, int prio, const char *fmt, ...)
|
||||
return status;
|
||||
}
|
||||
|
||||
#ifdef USE_NPPPD_RADIUS
|
||||
#define UCHAR_BUFSIZ 255
|
||||
/**
|
||||
* Process the Framed-IP-Address attribute and the Framed-IP-Netmask
|
||||
* attribute of given RADIUS packet.
|
||||
*/
|
||||
void
|
||||
ppp_process_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt)
|
||||
{
|
||||
struct in_addr ip4;
|
||||
|
||||
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4)
|
||||
== 0)
|
||||
_this->realm_framed_ip_address = ip4;
|
||||
|
||||
_this->realm_framed_ip_netmask.s_addr = 0xffffffffL;
|
||||
if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_NETMASK, &ip4)
|
||||
== 0)
|
||||
_this->realm_framed_ip_netmask = ip4;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set RADIUS attributes for RADIUS authentication request.
|
||||
* Return 0 on success.
|
||||
*/
|
||||
int
|
||||
ppp_set_radius_attrs_for_authreq(npppd_ppp *_this,
|
||||
radius_req_setting *rad_setting, RADIUS_PACKET *radpkt)
|
||||
{
|
||||
/* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */
|
||||
if (radius_prepare_nas_address(rad_setting, radpkt) != 0)
|
||||
goto fail;
|
||||
|
||||
/* RFC 2865 5.32. NAS-Identifier */
|
||||
if (radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd")
|
||||
!= 0)
|
||||
goto fail;
|
||||
|
||||
/* RFC 2865 "5.6. Service-Type" */
|
||||
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE,
|
||||
RADIUS_SERVICE_TYPE_FRAMED) != 0)
|
||||
goto fail;
|
||||
|
||||
/* RFC 2865 "5.7. Framed-Protocol" */
|
||||
if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL,
|
||||
RADIUS_FRAMED_PROTOCOL_PPP) != 0)
|
||||
goto fail;
|
||||
|
||||
if (_this->calling_number[0] != '\0') {
|
||||
if (radius_put_string_attr(radpkt,
|
||||
RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0)
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
fail:
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef USE_NPPPD_PIPEX
|
||||
/** The callback function on network is available for pipex */
|
||||
static void
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ppp.h,v 1.24 2022/12/28 21:30:17 jmc Exp $ */
|
||||
/* $OpenBSD: ppp.h,v 1.25 2024/07/01 07:09:07 yasuoka Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009 Internet Initiative Japan Inc.
|
||||
@ -779,7 +779,7 @@ u_char *ppp_packetbuf (npppd_ppp *, int);
|
||||
int ppp_log (npppd_ppp *, int, const char *, ...) __printflike(3,4);
|
||||
void ppp_reset_idle_timeout(npppd_ppp *);
|
||||
#ifdef USE_NPPPD_RADIUS
|
||||
void ppp_process_radius_framed_ip (npppd_ppp *, RADIUS_PACKET *);
|
||||
void ppp_process_radius_attrs (npppd_ppp *, RADIUS_PACKET *);
|
||||
int ppp_set_radius_attrs_for_authreq (npppd_ppp *, radius_req_setting *, RADIUS_PACKET *);
|
||||
#endif
|
||||
struct tunnconf *ppp_get_tunnconf(npppd_ppp *);
|
||||
|