Add handling of "Class" attribute. diff from markus
authoryasuoka <yasuoka@openbsd.org>
Sun, 15 Sep 2024 11:08:50 +0000 (11:08 +0000)
committeryasuoka <yasuoka@openbsd.org>
Sun, 15 Sep 2024 11:08:50 +0000 (11:08 +0000)
ok markus

sbin/iked/config.c
sbin/iked/iked.h
sbin/iked/ikev2.c
sbin/iked/radius.c

index d420450..def970e 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $     */
+/*     $OpenBSD: config.c,v 1.99 2024/09/15 11:08:50 yasuoka Exp $     */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -178,6 +178,7 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
        ibuf_free(sa->sa_eap.id_buf);
        free(sa->sa_eapid);
        ibuf_free(sa->sa_eapmsk);
+       ibuf_free(sa->sa_eapclass);
 
        free(sa->sa_cp_addr);
        free(sa->sa_cp_addr6);
index 5d95dd9..d3da0b7 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $      */
+/*     $OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $      */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -491,6 +491,7 @@ struct iked_sa {
        char                            *sa_eapid;      /* EAP identity */
        struct iked_id                   sa_eap;        /* EAP challenge */
        struct ibuf                     *sa_eapmsk;     /* EAK session key */
+       struct ibuf                     *sa_eapclass;   /* EAP/RADIUS class */
 
        struct iked_proposals            sa_proposals;  /* SA proposals */
        struct iked_childsas             sa_childsas;   /* IPsec Child SAs */
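Review bot: The new `sa_eapclass` comment says what the field holds but not who owns it or why it is kept, which matters for a buffer that outlives the RADIUS exchange and is copied across rekeys. A comment along the lines of `/* RADIUS Class attr (owned; replayed in accounting) */` would make the ownership explicit, given that this commit frees it in config_free_sa and duplicates it in ikev2_ikesa_enable. The line above it still reads "EAK session key", which looks like a pre-existing typo for "EAP".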
index ccbab9d..b6e8ece 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $     */
+/*     $OpenBSD: ikev2.c,v 1.388 2024/09/15 11:08:50 yasuoka Exp $     */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -4774,6 +4774,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
        /* sa_eapid needs to be set on both for radius accounting */
        if (sa->sa_eapid)
                nsa->sa_eapid = strdup(sa->sa_eapid);
+       if (sa->sa_eapclass)
+               nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
 
        log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
            SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
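Review bot: The `ibuf_dup()` result is stored unchecked, so an allocation failure leaves `nsa->sa_eapclass` NULL and the rekeyed SA silently stops echoing the Class attribute in its accounting records, which a RADIUS server may use to correlate the session. This mirrors the unchecked `strdup()` on the line above, but the failure is worth at least a log line, e.g. `if (sa->sa_eapclass && (nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass)) == NULL) log_warn("%s: ibuf_dup", __func__);`. ikev2_ikesa_enable continues outside the hunk, so whether `nsa->sa_eapclass` is guaranteed NULL before this assignment cannot be confirmed here.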
index e14c835..fcaf521 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: radius.c,v 1.12 2024/09/11 00:41:51 yasuoka Exp $     */
+/*     $OpenBSD: radius.c,v 1.13 2024/09/15 11:08:50 yasuoka Exp $     */
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -270,6 +270,16 @@ iked_radius_on_event(int fd, short ev, void *ctx)
                        req->rr_sa->sa_eapid = req->rr_user;
                req->rr_user = NULL;
 
+               if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
+                   &attrlen) == 0) {
+                       ibuf_free(req->rr_sa->sa_eapclass);
+                       if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
+                           attrlen)) == NULL) {
+                               log_info("%s: ibuf_new() failed: %s", __func__,
+                                   strerror(errno));
+                       }
+               }
+
                sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
 
                /* Map RADIUS attributes to cp */
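Review bot: Only a single Class attribute is captured here, whereas RFC 2865 allows an Access-Accept to carry several ("0+"), each of which the client is expected to return unmodified in its Accounting-Requests; `radius_get_raw_attr_ptr()` appears to return just the first match, so any additional Class values from the server are dropped. If supporting multiple instances is out of scope, a short comment at the `if` stating that only the first Class attribute is preserved would save the next reader from treating it as an oversight. The `attrval`/`attrlen` declarations and the enclosing function start outside the hunk, so their types and initial values are not visible here.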
@@ -748,6 +758,10 @@ iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
 
        switch (stype) {
        case RADIUS_ACCT_STATUS_TYPE_START:
+               if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
+                       radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
+                           ibuf_data(req->rr_sa->sa_eapclass),
+                           ibuf_size(req->rr_sa->sa_eapclass));
                break;
        case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
        case RADIUS_ACCT_STATUS_TYPE_STOP:
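Review bot: The Class attribute is added only in the `RADIUS_ACCT_STATUS_TYPE_START` arm, but RFC 2865 §5.25 asks for it to be sent with Accounting-Request packets generally, and servers typically rely on it to match Interim-Update and Stop records to the session. The `INTERIM_UPDATE`/`STOP` arm begins at the end of this hunk and continues outside it, so it may already add the attribute; if it does not, moving the `radius_put_raw_attr()` call ahead of the `switch` would cover all three status types with one copy of the code. The return value of `radius_put_raw_attr()` is also ignored here, so a packet that could not take the attribute would be sent without it and without any log.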