From: yasuoka
Date: Sun, 15 Sep 2024 11:08:50 +0000 (+0000)
Subject: Add handling of "Class" attribute. diff from markus
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=9ca241fcbd1e3e57a03aa8097496cb954222290b;p=openbsd

Add handling of "Class" attribute. diff from markus ok markus
---
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index d4204509522..def970e05a0 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: config.c,v 1.99 2024/09/15 11:08:50 yasuoka Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -178,6 +178,7 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
 	ibuf_free(sa->sa_eap.id_buf);
 	free(sa->sa_eapid);
 	ibuf_free(sa->sa_eapmsk);
+	ibuf_free(sa->sa_eapclass);
 	free(sa->sa_cp_addr);
 	free(sa->sa_cp_addr6);
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 5d95dd92908..d3da0b7b38d 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -491,6 +491,7 @@ struct iked_sa {
 	char				*sa_eapid;	/* EAP identity */
 	struct iked_id			 sa_eap;	/* EAP challenge */
 	struct ibuf			*sa_eapmsk;	/* EAK session key */
+	struct ibuf			*sa_eapclass;	/* EAP/RADIUS class */
 	struct iked_proposals		 sa_proposals;	/* SA proposals */
 	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index ccbab9de1cb..b6e8ecee93c 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $ */
+/* $OpenBSD: ikev2.c,v 1.388 2024/09/15 11:08:50 yasuoka Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -4774,6 +4774,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
 	/* sa_eapid needs to be set on both for radius accounting */
 	if (sa->sa_eapid)
 		nsa->sa_eapid = strdup(sa->sa_eapid);
+	if (sa->sa_eapclass)
+		nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
 	log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
 	    SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
diff --git a/sbin/iked/radius.c b/sbin/iked/radius.c
index e14c83560ad..fcaf52198c2 100644
--- a/sbin/iked/radius.c
+++ b/sbin/iked/radius.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radius.c,v 1.12 2024/09/11 00:41:51 yasuoka Exp $ */
+/* $OpenBSD: radius.c,v 1.13 2024/09/15 11:08:50 yasuoka Exp $ */
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -270,6 +270,16 @@ iked_radius_on_event(int fd, short ev, void *ctx)
 	req->rr_sa->sa_eapid = req->rr_user;
 	req->rr_user = NULL;
+	if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
+	    &attrlen) == 0) {
+		ibuf_free(req->rr_sa->sa_eapclass);
+		if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
+		    attrlen)) == NULL) {
+			log_info("%s: ibuf_new() failed: %s", __func__,
+			    strerror(errno));
+		}
+	}
+
 	sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
 	/* Map RADIUS attributes to cp */
@@ -748,6 +758,10 @@ iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
 	switch (stype) {
 	case RADIUS_ACCT_STATUS_TYPE_START:
+		if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
+			radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
+			    ibuf_data(req->rr_sa->sa_eapclass),
+			    ibuf_size(req->rr_sa->sa_eapclass));
 		break;
 	case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
 	case RADIUS_ACCT_STATUS_TYPE_STOP:
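Review bot: The result of `ibuf_dup()` on the new `nsa->sa_eapclass =` line is not checked, so an allocation failure leaves the rekeyed SA without the Class value and its later accounting requests silently omit the attribute the server expects echoed back. That matches the unchecked `strdup()` on the line above, but the radius.c hunk in this same commit does log when `ibuf_new()` fails, so the two new paths treat the same failure differently; for consistency consider `if (sa->sa_eapclass && (nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass)) == NULL) log_info("%s: ibuf_dup() failed", __func__);`. The body of ikev2_ikesa_enable starts and ends outside the hunk.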
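Review bot: `radius_get_raw_attr_ptr()` on the first added line returns a single attribute, so when an Access-Accept carries more than one Class attribute (RFC 2865 allows zero or more) only the first is kept in `sa_eapclass` and echoed in accounting; if that limitation is intended, state it above the call, e.g. `/* Only the first Class attribute is kept and echoed in accounting. */`. Freeing the previous `sa_eapclass` before assigning is right, since a re-authentication may deliver a different value. On `ibuf_new()` failure the code logs and still moves the SA to IKEV2_STATE_AUTH_SUCCESS, which is a reasonable best-effort choice, but the message could say what is lost, e.g. `log_info("%s: ibuf_new() failed, Class attribute dropped: %s", __func__, strerror(errno));`. `attrval`, `attrlen` and the enclosing function are declared outside the hunk.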
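Review bot: The Class attribute is added to the packet only under `case RADIUS_ACCT_STATUS_TYPE_START:`, so Interim-Update and Stop requests built by the same switch are sent without it, although RFC 2866 permits Class in any Accounting-Request and accounting servers commonly rely on it to tie a session's Stop record to its Start. If Start-only is deliberate, a comment on the case label saying so would keep it from being read as an omission; otherwise hoist the four added lines above `switch (stype) {` so every status type carries the value. The `req->rr_sa &&` test is the only null check on `rr_sa` visible in the hunk; whether it can actually be unset here is not determinable from these lines. The function body and the declaration of `req` are outside the hunk.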