/* * Copyright (c) 2009 Mark Fullmer * Copyright (c) 2009 Mark Fullmer and the Ohio State University * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: urd.c 176 2011-05-16 02:17:30Z maf $ */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if HAVE_STRINGS_H #include #endif #if HAVE_STRING_H #include #endif #ifdef OOTP_ENABLE #include "otplib.h" #include "ffdb.h" #endif /* OOTP_ENABLE */ #include "pw.h" #include "rad.h" #include "xerr.h" /* * XXX * copy proxy variables into reply packet per RFC? * packet stress testing */ static void usage(void); static int server_secret_load(char *fname, char *buf, int buf_len); static u_long scan_ip(char *s); static int write_pidfile(char *fname); #define URDCTX_USER_NAME (allow_n_logins ?\ urdctx->req.user_name_base : urdctx->req.user_name) int main(int argc, char **argv) { extern char *ootp_version; struct sockaddr_in loc_addr; struct urd_ctx *urdctx; struct pass_db_ctx *pdbctx; #ifdef OOTP_ENABLE struct otp_ctx *otpctx; struct otp_user ou; char *otpdb_fname; int otp_allow_unknown, otpdb_flags, otp_enable; #endif /* OOTP_ENABLE */ fd_set rfd; u_long tmpul; uint64_t rep_state, rep_otp_count; uint32_t local_ip; uint16_t local_port; uint8_t rep_code; uint rem_addr_len; char *au_fname, *pwfile_fname, *server_secret_fname, *endptr, *loc; char server_secret[URD_SECRET_LEN+1], buf[1024], *pid_fname, *as_name; char *service; int rep_enc_flags, rep_cache_flags, debug, daemon_mode, pdb_type; int drop, drop_mode, req_cache_hit, buf_l, pkt_fd, r, i, otp_window; int opt_version, otp_display_count, tmp_cache_flags; int disable_authorized_users, allow_n_logins; struct option longopts[] = { { "authorized-users-db", 1, (void*)0L, 'a'}, { "disable-authorized-users", 0, (void*)0L, 'A'}, { "bind-ip-address", 1, (void*)0L, 'b'}, { "bind-udp-port", 1, (void*)0L, 'B'}, #ifdef OOTP_ENABLE { "display-count", 0, (void*)0L, 'c'}, #endif /* OOTP_ENABLE */ { "debug", 1, (void*)0L, 'd'}, { "disable-daemon-mode", 0, (void*)0L, 'D'}, { "help", 0, (void*)0L, 'h'}, { "help", 0, (void*)0L, '?'}, { "pam-authentication-enable", 0, (void*)0L, 'm'}, { "pam-authentication-exclusive", 0, (void*)0L, 'M'}, { "n-logins-enable", 0, (void*)0L, 'n'}, #ifdef OOTP_ENABLE { "otp-db", 1, (void*)0L, 'o'}, { "otp-disable", 0, (void*)0L, 'O'}, #endif /* OOTP_ENABLE */ { "password-db", 1, (void*)0L, 'p'}, { "pidfile", 1, (void*)0L, 'P'}, { "server-secret", 1, (void*)0L, 's'}, { "pam-service-name", 1, (void*)0L, 'S'}, #ifdef OOTP_ENABLE { "otp-allow-unknown-user", 0, (void*)0L, 'u'}, { "service-name", 0, (void*)0L, 'V'}, { "otp-challenge-window", 1, (void*)0L, 'w'}, #endif /* OOTP_ENABLE */ { "debug-drop-udp-packets", 0, (void*)0L, 'x'}, { "version", 0, &opt_version, 1}, { 0, 0, 0, 0}, }; bzero(&loc_addr, sizeof loc_addr); bzero(&pkt_fd, sizeof pkt_fd); bzero(&rfd, sizeof rfd); allow_n_logins = 0; opt_version = 0; debug = 0; daemon_mode = 1; au_fname = "/var/urd/authorized_users"; disable_authorized_users = 0; pwfile_fname = "/var/urd/passwd"; server_secret_fname = "/var/urd/server_secret"; pid_fname = (char*)0L; local_ip = INADDR_ANY; local_port = URD_PORT; drop = 1; drop_mode = 0; otp_window = OTP_WINDOW_DEFAULT; pdb_type = PASS_DB_TYPE_LOCAL; as_name = "urd"; service = "urd"; #ifdef OOTP_ENABLE otpctx = (struct otp_ctx*)0L; otpdb_fname = OTP_DB_FNAME; otp_allow_unknown = 0; otpdb_flags = 0; otp_enable = 1; otp_display_count = 0; #endif /* OOTP_ENABLE */ xerr_setid(argv[0]); #ifdef OOTP_ENABLE while ((i = getopt_long(argc, argv, "AhduDOx?a:cb:B:mMno:p:s:S:P:V:w:", longopts, (int*)0L)) != -1) { #else while ((i = getopt_long(argc, argv, "AhdDx?a:b:B:mMnp:s:S:P:V:", longopts, (int*)0L)) != -1) { #endif /* OOTP_ENABLE */ switch (i) { case 'a': au_fname = optarg; break; case 'A': disable_authorized_users = 1; break; case 'b': if (!(local_ip = scan_ip(optarg))) xerr_errx(1, "scan_ip(%s): fatal", optarg); break; case 'B': tmpul = strtoul(optarg, &endptr, 0); if (*endptr) xerr_errx(1, "stroul(%s): failed at %c.", optarg, *endptr); if (tmpul > 0xFFFF) xerr_errx(1, "UDP port out of range 0..65535."); local_port = tmpul; break; case 'c': otp_display_count = 1; break; case 'd': debug ++; #ifdef OOTP_ENABLE otpdb_flags |= OTP_DB_VERBOSE; #endif /* OOTP_ENABLE */ break; case 'D': daemon_mode = 0; break; case 'h': case '?': usage(); exit(0); break; case 'm': pdb_type = PASS_DB_TYPE_PAM; break; case 'M': /* xxx only here for compatability */ disable_authorized_users = 1; break; case 'n': allow_n_logins = 1; break; #ifdef OOTP_ENABLE case 'o': otpdb_fname = optarg; break; case 'O': otp_enable = 0; break; #endif /* OOTP_ENABLE */ case 'p': pwfile_fname = optarg; break; case 'P': pid_fname = optarg; break; case 's': server_secret_fname = optarg; break; case 'S': as_name = optarg; break; case 'V': service = optarg; break; #ifdef OOTP_ENABLE case 'u': otp_allow_unknown = 1; break; case 'w': tmpul = strtoul(optarg, &endptr, 0); if (*endptr) xerr_errx(1, "stroul(%s): failed at %c.", optarg, *endptr); if (tmpul > OTP_WINDOW_MAX) xerr_errx(1, "Challenge window %lu > %lu.", tmpul, OTP_WINDOW_MAX); otp_window = tmpul; break; #endif /* OOTP_ENABLE */ case 'x': drop_mode = 1; break; case 0: if (opt_version) { printf("%s\n", ootp_version); exit(0); } default: xerr_errx(1, "getopt_long(): fatal."); } /* switch */ } /* while getopt_long() */ if (daemon_mode) { xerr_setsyslog2(1); /* use syslog for output */ /* run in the background */ if (daemon(0, 0) < 0) xerr_err(1, "dameon()"); } /* daemon_mode */ buf_l = snprintf(buf, sizeof(buf), "urd start:"); if (debug) { for (i = 0; i < argc; ++i) buf_l += snprintf(buf+buf_l, sizeof(buf)-buf_l, " %s", argv[i]); } xerr_info(buf); /* init to recv UDP datagrams */ loc_addr.sin_family = AF_INET; loc_addr.sin_addr.s_addr = htonl(local_ip); loc_addr.sin_port = htons(local_port); /* construct pid file name */ if (!pid_fname) { if (local_ip || (local_port != URD_PORT)) { buf_l = snprintf(buf, sizeof(buf), "/var/urd/pid.%s.%d", inet_ntoa(loc_addr.sin_addr), (int)local_port); } else { buf_l = snprintf(buf, sizeof(buf), "/var/urd/pid"); } pid_fname = (char*)&buf; } /* write out pidfile */ if (write_pidfile(pid_fname) < 0) xerr_errx(1, "write_pidfile(%s): fatal", buf); /* load shared server secret */ if (server_secret_load(server_secret_fname, server_secret, URD_SECRET_LEN+1) < 0) xerr_errx(1, "server_secret_load(%s): fatal", server_secret_fname); /* location is password file or pam service name */ if (pdb_type == PASS_DB_TYPE_LOCAL) loc = pwfile_fname; else if (pdb_type == PASS_DB_TYPE_PAM) loc = as_name; else xerr_errx(1, "loc fatal, pdb_type=%d", pdb_type); /* disable authorized users? */ if (disable_authorized_users) { if (pdb_type == PASS_DB_TYPE_LOCAL) pdb_type = PASS_DB_TYPE_EX_LOCAL; else if (pdb_type == PASS_DB_TYPE_PAM) pdb_type = PASS_DB_TYPE_EX_PAM; else xerr_errx(1, "au fatal, pdb_type=%d", pdb_type); } /* setup password database */ if (!(pdbctx = pass_db_ctx_new(loc, au_fname, pdb_type))) xerr_errx(1, "pass_db_ctx_new(%s,%s): fatal", pwfile_fname, au_fname); pass_db_debug(pdbctx, debug); /* load password database */ if (pass_db_load(pdbctx) < 0) xerr_errx(1, "pass_db_load(): fatal"); if (debug) pass_db_stats(pdbctx); /* socket to receive URD datagrams */ if ((pkt_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) xerr_err(1, "socket()"); #ifdef OOTP_ENABLE /* creat OTP context */ if (otp_enable) if (!(otpctx = otp_db_open(otpdb_fname, otpdb_flags))) xerr_errx(1, "otp_db_open(%s): failed", otpdb_fname); #endif /* OOTP_ENABLE */ /* create radius context */ if (!(urdctx = urd_ctx_new(server_secret))) xerr_errx(1, "urd_ctx_new(): fatal"); urd_debug(urdctx, debug); /* bind socket to address */ if (bind(pkt_fd, (struct sockaddr*)&loc_addr, sizeof(loc_addr)) < 0) xerr_err(1, "bind(%s)", inet_ntoa(loc_addr.sin_addr)); while (1) { /* grab a datagram */ rem_addr_len = sizeof (urdctx->req.rem_addr); if ((urdctx->req.pkt_len = recvfrom(pkt_fd, &urdctx->req.pkt_buf, (size_t)URD_MAX_DGRAM_LEN, 0, (struct sockaddr*)&urdctx->req.rem_addr, &rem_addr_len)) < 0) { xerr_warn("recvfrom()"); continue; } /* * Handle two types of authentication requests, those with state, and * those without. Auth requests with state are used to tie the * OTP phase of a two phase authentication (reusable password, OTP) * together into a session. * * A request cache is kept with the code and state used for a reply * This is required for OTP to work robustly in an environment where * the client may have lost the reply from the server and retransmits * (OTP will only work once). * * Requests with state which can not be tied to the initial * request without state (ie the reusable password phase) are * dropped. * * The request cache and state cache are unified with a hash * table for each. Cache entries are stored in a fixed size * ring buffer. * * request with no state: * req_cache lookup: * hit : * rep_code and state_counter from cache * miss : * rep_code based on pw_auth and otp requirements: * access-reject: (no state, failed password auth) * access-accept: (no state, user does not need OTP) * access-challenge: (increment state) * reply: * reject: don't encode state or rep_msg * access-challenge: encode state and rep_msg * access-accept: don't encode state or rep_msg * * request with state: * req_cache lookup: * hit : * rep_code and state_counter from cache * rep_msg from cache * miss : * state_cache lookup : * hit : * rep_code based on otp_auth: * access-reject: encode state, no rep_msg * access-accept: encode state, no rep_msg * access-challenge: not permitted here * miss : * bogus, no previous state from pw_auth phase, reject, log * * reply: * reject: encode state, no rep_msg * access-accept: encode state, no rep_msg * access-challenge: not permitted here * */ /* reply constructed from cache? */ req_cache_hit = 0; /* decode/sanity check request */ if ((r = urd_req_decode(urdctx)) < 0) { xerr_warnx("urd_req_decode(): failed"); continue; } /* non fatal packet decode xerr_error, ignore it */ if (r > 1) continue; if (debug) urd_req_dump(urdctx); /* RADIUS ACCESS-REQUEST? */ if (urdctx->req.dgram_header.code == RADIUS_CODE_ACCESS_REQUEST) { if (debug) xerr_info("req: ACCESS-REQUEST"); /* check for minimum TLV's in packet */ if ((!urdctx->req.tlv_User_Name) || (!urdctx->req.tlv_User_Password) || ((!urdctx->req.tlv_NAS_IP_Address) && (!urdctx->req.tlv_NAS_Identifier))) { xerr_warnx("req: min required fields missing"); continue; } req_cache_hit = 0; rep_code = RADIUS_CODE_ACCESS_REJECT; rep_state = 0LL; rep_enc_flags = 0; rep_cache_flags = 0; rep_otp_count = 0; /* initial no state access request */ if (!urdctx->req.tlv_State) { if (debug) xerr_info("req: (no state)"); /* first check the cache for a previously composed reply */ if ((r = urd_req_cache_lookup(urdctx, &rep_code, &rep_state, &rep_otp_count, &tmp_cache_flags)) < 0) xerr_errx(1, "urd_req_cache_lookup(): fatal"); /* hit, then skip to response gen */ if (r == URD_REQ_CACHE_HIT) { req_cache_hit = 1; if ((rep_code == RADIUS_CODE_ACCESS_REJECT) || (rep_code == RADIUS_CODE_ACCESS_ACCEPT)) { rep_enc_flags = 0x0; } else if (rep_code == RADIUS_CODE_ACCESS_CHALLENGE) { rep_enc_flags = URD_ENCODE_FLAG_STATE; if (tmp_cache_flags & URD_CACHE_FLAG_MSG) rep_enc_flags |= URD_ENCODE_FLAG_MSG; } if (debug) xerr_info("req: cache hit"); goto access_request_rep; } else { if (debug) xerr_info("req: cache miss"); } /* cache lookup invalid, default to ACCESS_REJECT */ rep_code = RADIUS_CODE_ACCESS_REJECT; /* authenticate user */ if ((r = pass_db_auth(pdbctx, URDCTX_USER_NAME, urdctx->req.user_pass)) < 0) xerr_errx(1, "pass_db_auth(): fatal"); /* valid password? */ if (r != PASS_DB_AUTH_SUCCESS) { if (debug) xerr_info("req: fail auth via pass_db_auth() "); goto access_request_rep; } else { if (debug) xerr_info("req: pass auth via pass_db_auth() "); } /* special urd_stats user? */ if (!strcmp(urdctx->req.user_name, "urd_stats")) { urd_state_cache_stats(urdctx); urd_req_cache_stats(urdctx); goto access_request_rep; } /* special urd_debug user? */ if (!strcmp(urdctx->req.user_name, "urd_debug")) { if (debug) { debug = 0; urd_debug(urdctx, 0); } else { debug = 1; urd_debug(urdctx, 1); } goto access_request_rep; } #ifndef OOTP_ENABLE /* * without one time passwords compiled in, no additional auth * checks are required, reply with ACCEPT */ rep_code = RADIUS_CODE_ACCESS_ACCEPT; rep_enc_flags = 0x0; if (debug) xerr_info("req: ACCEPT (nothing more to do)."); goto access_request_rep; #else /* OOTP_ENABLE */ /* * if one time passwords are disabled then the password * check above meets auth requirements. Reply with ACCESS_ACCEPT. * */ if (!otp_enable) { rep_code = RADIUS_CODE_ACCESS_ACCEPT; rep_enc_flags = 0x0; if (debug) xerr_info("req: ACCEPT with OTP disabled."); goto access_request_rep; } /* * check OTP */ if ((r = otp_user_exists(otpctx, URDCTX_USER_NAME)) < 0) xerr_errx(1, "otp_user_exists(): fail."); /* * if user does not exist and not okay to allow non OTP users * then authentication request fails with default ACCESS_REJECT. */ if ((r == 1) && (otp_allow_unknown == 0)) { if (debug) xerr_info("req: fail via otp_user_exists() allow_unknown=0"); /* reply with an REJECT */ rep_code = RADIUS_CODE_ACCESS_REJECT; rep_enc_flags = 0x0; goto access_request_rep; } /* * if user does not exist in database and okay to allow non OTP * users then authentication request is successful without OTP. * password check was done above, reply with ACCEPT */ if ((r == 1) && (otp_allow_unknown == 1)) { if (debug) xerr_info("req: pass via otp_user_exists() allow_unknown=1"); /* reply with an ACCEPT, no state, no challenge message */ rep_code = RADIUS_CODE_ACCESS_ACCEPT; rep_enc_flags = 0x0; goto access_request_rep; } /* * unknown response from otp_user_exists() */ if (r != 0) { if (debug) xerr_info("otp_user_exists() unknown response r=%d", r); /* reply with an REJECT */ rep_code = RADIUS_CODE_ACCESS_REJECT; rep_enc_flags = 0x0; goto access_request_rep; } if (otp_urec_open(otpctx, URDCTX_USER_NAME, &ou, O_RDONLY, FFDB_OP_LOCK_EX) < 0) xerr_errx(1, "otp_urec_open(%s): failed.", URDCTX_USER_NAME); if (otp_urec_get(otpctx, &ou) < 0) xerr_errx(1, "otp_urec_get(): failed."); if (otp_urec_close(otpctx, &ou) < 0) xerr_errx(1, "otp_urec_close(): failed."); /* disabled user defaults to ACCESS_REJECT */ if (ou.status == OTP_STATUS_DISABLED) { if (debug) xerr_info("req: fail via otp_user_get() (disabled)"); goto access_request_rep; } /* inactive user does not need OTP */ if (ou.status == OTP_STATUS_INACTIVE) { /* reply with an ACCEPT, no state, no challenge message */ rep_code = RADIUS_CODE_ACCESS_ACCEPT; rep_enc_flags = 0x0; if (debug) xerr_info("req: pass via otp_user_get() (inactive)"); goto access_request_rep; } /* verify count not at ceiling */ if (ou.count >= ou.count_ceil) { if (debug) xerr_info("req: fail ou.count >= ou.count_ceil."); goto access_request_rep; } /* * made it this far then user is in authorized_users database, * reusable password is valid in password database, and user * exists in the OTP database in an active state */ if (ou.status == OTP_STATUS_ACTIVE) { /* reply with challenge, challenge message, new state */ rep_code = RADIUS_CODE_ACCESS_CHALLENGE; rep_enc_flags = URD_ENCODE_FLAG_STATE; rep_state = ++urdctx->state_counter; rep_otp_count = ou.count; rep_cache_flags = URD_CACHE_FLAG_STATE; if (otp_display_count || ou.flags & OTP_FLAGS_DSPCNT) { rep_enc_flags |= URD_ENCODE_FLAG_MSG; rep_cache_flags |= URD_CACHE_FLAG_MSG; } if (ou.flags & OTP_FLAGS_SEND_TOKEN) { if (otp_user_send_token(otpctx, URDCTX_USER_NAME, service) < 0) xerr_warnx("otp_user_send_token(): failed."); } if (debug) xerr_info("req: pass via otp_user_get() (active)"); goto access_request_rep; } #endif /* OOTP_ENABLE */ } else if (urdctx->req.tlv_State) { #ifndef OOTP_ENABLE /* * without one time passwords compiled in, a request with * state will always return REJECT. * */ /* reply with inbound state */ rep_state = urdctx->req.state_counter; if (debug) xerr_info("req: state set, nothing to do, REJECT."); goto access_request_rep; #else /* OOTP_ENABLE */ /* request has state, always reply with it */ rep_enc_flags = URD_ENCODE_FLAG_STATE; if (debug) xerr_info("req: (state)"); if ((r = urd_req_cache_lookup(urdctx, &rep_code, &rep_state, &rep_otp_count, &tmp_cache_flags)) < 0) xerr_errx(1, "urd_req_cache_lookup(): fatal"); /* hit, then skip to response gen */ if (r == URD_REQ_CACHE_HIT) { req_cache_hit = 1; if (debug) xerr_info("req: cache hit"); goto access_request_rep; } else { if (debug) xerr_info("req: cache miss"); } /* cache lookup invalid, default to ACCESS_REJECT */ rep_code = RADIUS_CODE_ACCESS_REJECT; /* reply with inbound state */ rep_state = urdctx->req.state_counter; /* * state cache lookup -- user must have previously authenticated * successfully to continue */ if ((r = urd_state_cache_lookup(urdctx, &rep_code)) < 0) xerr_errx(1, "urd_state_cache_lookup(): fatal"); /* if no hit then can not continue */ if (r != URD_REQ_CACHE_HIT) { if (debug) xerr_info("state: cache miss (user not validated with passwd)"); /* cache lookup invalid, default to ACCESS_REJECT */ rep_code = RADIUS_CODE_ACCESS_REJECT; goto access_request_rep; } else { if (debug) xerr_info("state: cache hit"); } /* double check code */ if (rep_code != RADIUS_CODE_ACCESS_CHALLENGE) { if (debug) xerr_warnx("req: fail cache'd state rep_code"); goto access_request_rep; } /* * default to ACCESS_REJECT. State cache lookup will have * ACCESS_CHALLENGE code as it is shared with the request cache. */ rep_code = RADIUS_CODE_ACCESS_REJECT; if ((r = otp_user_exists(otpctx, URDCTX_USER_NAME)) < 0) xerr_errx(1, "otp_user_exists(): fail."); /* user exist?, if not failure */ /* note, initial access request checked this */ if (r != 0) { if (debug) xerr_info("req: fail via otp_user_exists()"); goto access_request_rep; } if (otp_urec_open(otpctx, URDCTX_USER_NAME, &ou, O_RDONLY, FFDB_OP_LOCK_EX) < 0) xerr_errx(1, "otp_urec_open(%s): failed.", URDCTX_USER_NAME); if (otp_urec_get(otpctx, &ou) < 0) xerr_errx(1, "otp_urec_get(): failed."); if (otp_urec_close(otpctx, &ou) < 0) xerr_errx(1, "otp_urec_close(): failed."); /* note, initial access request checked this */ if (ou.status != OTP_STATUS_ACTIVE) { if (debug) xerr_info("req: fail via otp_user_get() (not ACTIVE)"); goto access_request_rep; } /* verify count not at ceiling */ /* note, initial access request checked this */ if (ou.count >= ou.count_ceil) { if (debug) xerr_info("req: fail ou.count >= ou.count_ceil."); goto access_request_rep; } if ((r = otp_user_auth(otpctx, URDCTX_USER_NAME, urdctx->req.user_pass, otp_window)) < 0) xerr_errx(1, "otp_user_auth(): failed."); if (r == OTP_AUTH_PASS) { rep_code = RADIUS_CODE_ACCESS_ACCEPT; if (debug) xerr_info("req: pass via otp_user_auth()"); goto access_request_rep; } else { if (debug) xerr_info("req: fail via otp_user_auth()"); } /* failed authentication... */ #endif /* OOTP_ENABLE */ } else { xerr_info("unsupported code=%2.2X", (int)urdctx->req.dgram_header.code); } /* type of request */ /* reply to request */ access_request_rep: if (debug) { if (rep_code == RADIUS_CODE_ACCESS_ACCEPT) xerr_info("rep: ACCESS-ACCEPT"); else if (rep_code == RADIUS_CODE_ACCESS_REJECT) xerr_info("rep: ACCESS-REJECT"); else if (rep_code == RADIUS_CODE_ACCESS_CHALLENGE) xerr_info("rep: ACCESS-CHALLENGE"); } /* debug */ /* * construct reply */ if (urd_rep_encode(urdctx, rep_code, rep_state, rep_otp_count, rep_enc_flags) < 0) { xerr_errx(1, "urd_rep_encode(): fatal"); } /* update reply cache */ if (urd_req_cache_update(urdctx, rep_code, rep_state, rep_otp_count, rep_cache_flags) < 0) xerr_errx(1, "urd_req_cache_update(): fatal"); /* debugging / drop every other packet */ if (drop_mode) { if (drop) { drop = 0; continue; /* skip packet send */ } else { drop = 1; } } if (sendto(pkt_fd, &urdctx->rep.pkt_buf, urdctx->rep.pkt_len, 0, (struct sockaddr*) &urdctx->rep.rem_addr, sizeof(urdctx->rep.rem_addr)) < 0) { xerr_err(1, "sendto()"); } } /* ACCESS_REQUEST */ } /* forever */ /* not reached */ /* cleanup */ pass_db_ctx_free(pdbctx); #ifdef OOTP_ENABLE otp_db_close(otpctx); #endif /* OOTP_ENABLE */ } /* main */ /* * function: scan_ip * * IP address in string S is converted to a u_long * (borrowed from tcpdump) * * left shift any partial dotted quads, ie 10 is 0x0a000000 not 0x0a * so scan_ip_prefix() works for standard prefix notation, ie 10/8 */ u_long scan_ip(char *s) { struct hostent *he; struct in_addr *ina; u_long addr = 0; uint n; int dns, shift; char *t; /* if there is anything ascii in here, this may be a hostname */ for (dns = 0, t = s; *t; ++t) { if (islower((int)*t) || isupper((int)*t)) { dns = 1; break; } } if (dns) { if (!(he = gethostbyname(s))) goto numeric; if (he->h_addrtype != AF_INET) goto numeric; if (he->h_length != sizeof (uint32_t)) goto numeric; ina = (struct in_addr*)*he->h_addr_list; return (ntohl(ina->s_addr)); } /* dns */ shift = 0; numeric: while (1) { /* n is the nibble */ n = 0; /* nibble's are . bounded */ while (*s && (*s != '.') && (*s != ' ') && (*s != '\t')) n = n * 10 + *s++ - '0'; /* shift in the nibble */ addr <<=8; addr |= n & 0xff; ++shift; /* return on end of string */ if ((!*s) || (*s == ' ') || (*s == '\t')) goto ndone; /* skip the . */ ++s; } /* forever */ ndone: for (; shift < 4; ++shift) addr <<=8; return addr; } /* scan_ip */ /* * function: server_secret_load() * * load a one line secret (password) from fname into buf of length buf_len * secret is assumed to be ASCII and will be null terminated * * returns: < 0 : fail * 0 : success */ int server_secret_load(char *fname, char *buf, int buf_len) { struct stat sb; int fd, len, ret, i; fd = -1; ret = -1; /* open secret file */ if ((fd = open(fname, O_RDONLY, 0)) < 0) { xerr_warn("open(%s)", fname); goto server_secret_load_out; } /* grab size */ if (fstat(fd, &sb) < 0) { xerr_warn("stat(%s)", fname); goto server_secret_load_out; } if ((sb.st_size+1) >= buf_len) { xerr_warn("secret buffer too small"); goto server_secret_load_out; } if ((len = read(fd, buf, sb.st_size)) < 0) { xerr_warn("read(%s)", fname); goto server_secret_load_out; } if (len != sb.st_size) { xerr_warnx("short read(%s)", fname); goto server_secret_load_out; } /* strip \n */ for (i = 0; i < sb.st_size; ++i) if (buf[i] == '\n') buf[i] = 0; /* ensure null termination */ buf[sb.st_size] = 0; /* success */ ret = 0; server_secret_load_out: if (fd != -1) close(fd); return ret; } /* server_secret_load */ /* * function: write_pidfile() * * Store proces ID in ASII to fname. * * returns: < 0 : fail * 0 : success */ int write_pidfile(char *fname) { int fd, buf_l; char buf[512]; buf_l = snprintf(buf, sizeof(buf), "%lu\n", (unsigned long)getpid()); if ((fd = open(fname, O_WRONLY|O_CREAT|O_TRUNC, 0644)) < 0 ) { xerr_warn("open(%s)", fname); return -1; } if (write(fd, buf, buf_l) < 0) { xerr_warn("write(%s)", fname); close (fd); return -1; } return (close(fd)); } /* write_pidfile */ /* * function: usage() * */ void usage(void) { #ifdef OOTP_ENABLE fprintf(stderr, "urd [-AhcdDmMnOux?] [-a allowed_users_file] [-b local_ip] [-B local_port ]\n"); fprintf(stderr, " [-o otp_db] [-p passwd_file] [-P pid_file] [-s secret_file]\n"); #else fprintf(stderr, "urd [-AdDmMnhx?] [-a allowed_users_file] [-b local_ip] [-B local_port ]\n"); fprintf(stderr, " [-p passwd_file] [-P pid_file] [-s secret_file]\n"); #endif /* OOTP_ENABLE */ fprintf(stderr, " [-S auth_service_name] [-w otp_window]\n\n"); fprintf(stderr, " -A disable authorized_users file (all users in passwd_file valid)\n"); fprintf(stderr, " -h help\n"); fprintf(stderr, " -d enable debugging\n"); fprintf(stderr, " -D disable daemon mode\n"); fprintf(stderr, " -m use PAM for password authentication\n"); fprintf(stderr, " -M use PAM exclusively for password authentication\n"); #ifdef OOTP_ENABLE fprintf(stderr, " -O disable one time passwords\n"); fprintf(stderr, " -u allow users which do not exist in OTP database\n"); #endif /* OOTP_ENABLE */ fprintf(stderr, " -x drop alternate replies (debugging)\n"); } /* help */