From a168fdd3c6f33b0f83bab8f2f3429e79ddc2ec79 Mon Sep 17 00:00:00 2001 From: yasuoka Date: Mon, 1 Jul 2024 07:09:07 +0000 Subject: [PATCH] Modify IPCP to use {D,NB}NS servers from RADIUS. Also move the radius related functions from ppp.c to npppd_radius.c. --- usr.sbin/npppd/npppd/chap.c | 6 +- usr.sbin/npppd/npppd/npppd.conf.5 | 18 +++++- usr.sbin/npppd/npppd/npppd.h | 4 +- usr.sbin/npppd/npppd/npppd_radius.c | 88 ++++++++++++++++++++++++++++- usr.sbin/npppd/npppd/pap.c | 6 +- usr.sbin/npppd/npppd/parse.y | 6 +- usr.sbin/npppd/npppd/ppp.c | 63 +-------------------- usr.sbin/npppd/npppd/ppp.h | 4 +- 8 files changed, 119 insertions(+), 76 deletions(-) diff --git a/usr.sbin/npppd/npppd/chap.c b/usr.sbin/npppd/npppd/chap.c index 9668d059a65..512a7c54398 100644 --- a/usr.sbin/npppd/npppd/chap.c +++ b/usr.sbin/npppd/npppd/chap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */ +/* $OpenBSD: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -36,7 +36,7 @@ *

*/ /* RFC 1994, 2433 */ -/* $Id: chap.c,v 1.18 2024/02/26 08:47:28 yasuoka Exp $ */ +/* $Id: chap.c,v 1.19 2024/07/01 07:09:07 yasuoka Exp $ */ #include #include #include @@ -914,7 +914,7 @@ chap_radius_response(void *context, RADIUS_PACKET *pkt, int flags, break; } } - ppp_process_radius_framed_ip(_this->ppp, pkt); + ppp_process_radius_attrs(_this->ppp, pkt); return; auth_failed: diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 b/usr.sbin/npppd/npppd/npppd.conf.5 index 2c38b222100..eac9a71e14b 100644 --- a/usr.sbin/npppd/npppd/npppd.conf.5 +++ b/usr.sbin/npppd/npppd/npppd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: npppd.conf.5,v 1.32 2023/03/02 17:09:53 jmc Exp $ +.\" $OpenBSD: npppd.conf.5,v 1.33 2024/07/01 07:09:07 yasuoka Exp $ .\" .\" Copyright (c) 2012 YASUOKA Masahiko .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 2 2023 $ +.Dd $Mdocdate: July 1 2024 $ .Dt NPPPD.CONF 5 .Os .Sh NAME @@ -506,8 +506,22 @@ The default is This option can be used multiple times. .It Ic dns-servers Ar primary-server-address Op Ar secondary-server-address Specify the DNS servers' IP addresses. +When this option is not specified and the authenticated realm +.Pq eq. the RADIUS server +specifies the DNS server addresses, +they are used as the default. +To stop using them any case, +configure +.Qq 0.0.0.0 . .It Ic nbns-servers Ar primary-server-address Op Ar secondary-server-address Specify the NetBIOS name servers' IP addresses. +When this option is not specified and the authenticated realm +.Pq eq. the RADIUS server +specifies the NetBIOS server addresses, +they are used as the default. +To stop using them any case, +configure +.Qq 0.0.0.0 . .It Ic allow-user-selected-address Ar yes | no Specify whether .Xr npppd 8 diff --git a/usr.sbin/npppd/npppd/npppd.h b/usr.sbin/npppd/npppd/npppd.h index 3fc4e96771c..3cf9b2bcbcc 100644 
--- a/usr.sbin/npppd/npppd/npppd.h +++ b/usr.sbin/npppd/npppd/npppd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd.h,v 1.19 2017/08/12 11:20:34 goda Exp $ */ +/* $OpenBSD: npppd.h,v 1.20 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -174,7 +174,9 @@ struct ipcpconf { TAILQ_ENTRY(ipcpconf) entry; char name[NPPPD_GENERIC_NAME_LEN]; bool dns_use_resolver; + bool dns_configured; struct in_addr dns_servers[2]; + bool nbns_configured; struct in_addr nbns_servers[2]; bool allow_user_select; struct in_addr_range *dynamic_pool; diff --git a/usr.sbin/npppd/npppd/npppd_radius.c b/usr.sbin/npppd/npppd/npppd_radius.c index 2e0c4c75705..c9d030e2b45 100644 --- a/usr.sbin/npppd/npppd/npppd_radius.c +++ b/usr.sbin/npppd/npppd/npppd_radius.c @@ -1,4 +1,4 @@ -/* $Id: npppd_radius.c,v 1.10 2024/02/26 10:42:05 yasuoka Exp $ */ +/* $Id: npppd_radius.c,v 1.11 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. * All rights reserved. @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -73,9 +74,11 @@ static void npppd_ppp_radius_acct_reqcb(void *, RADIUS_PACKET *, int, RADIUS_REQ * the given RADIUS packet and set them as the fields of ppp context. */ void -ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt) +ppp_process_radius_attrs(npppd_ppp *_this, RADIUS_PACKET *pkt) { - struct in_addr ip4; + struct in_addr ip4; + int got_pri, got_sec; + char buf0[40], buf1[40]; if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4) == 0) 
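Review bot: The two new flags in struct ipcpconf have no comment, and their meaning is narrower than the names suggest — `dns_configured` is set by any dns-servers line, including one that only gives `0.0.0.0`, and its sole effect in this commit is to suppress the RADIUS-supplied MS-*-DNS-Server values. I would say so at the field: `bool dns_configured; /* dns-servers given in npppd.conf; MS DNS VSAs from RADIUS are then ignored */` and the mirror comment on `nbns_configured`. Both presumably rely on the ipcpconf being zero-filled when allocated so they default to false; that allocation is outside this diff and worth confirming.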
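Review bot: `char buf0[40], buf1[40];` are only ever handed to inet_ntop(AF_INET, ...) in this function, so `INET_ADDRSTRLEN` from &lt;netinet/in.h&gt; is the size that documents the intent: `char buf0[INET_ADDRSTRLEN], buf1[INET_ADDRSTRLEN];`. The header comment above the renamed function (its first line is outside the hunk) appears to still describe only Framed-IP-Address and Framed-IP-Netmask; now that it is ppp_process_radius_attrs it should also mention the Microsoft DNS/NBNS vendor attributes it consumes. The body of ppp_process_radius_attrs continues past this hunk.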
@@ -87,6 +90,53 @@ ppp_proccess_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt) == 0) _this->realm_framed_ip_netmask = ip4; #endif + + if (!ppp_ipcp(_this)->dns_configured) { + got_pri = got_sec = 0; + if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER, &ip4) == 0) { + got_pri = 1; + _this->ipcp.dns_pri = ip4; + } + if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER, &ip4) == 0) { + got_sec = 1; + _this->ipcp.dns_sec = ip4; + } + if (got_pri || got_sec) + ppp_log(_this, LOG_INFO, "DNS server address%s " + "(%s%s%s) %s configured by RADIUS server", + ((got_pri + got_sec) > 1)? "es" : "", + (got_pri)? inet_ntop(AF_INET, &_this->ipcp.dns_pri, + buf0, sizeof(buf0)) : "", + (got_pri != 0 && got_sec != 0)? "," : "", + (got_sec)? inet_ntop(AF_INET, &_this->ipcp.dns_sec, + buf1, sizeof(buf1)) : "", + ((got_pri + got_sec) > 1)? "are" : "is"); + } + if (!ppp_ipcp(_this)->nbns_configured) { + got_pri = got_sec = 0; + if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER, &ip4) == 0) { + got_pri = 1; + _this->ipcp.nbns_pri = ip4; + } + if (radius_get_vs_ipv4_attr(pkt, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER, &ip4) == 0) { + got_sec = 1; + _this->ipcp.nbns_sec = ip4; + } + if (got_pri || got_sec) + ppp_log(_this, LOG_INFO, "NBNS server address%s " + "(%s%s%s) %s configured by RADIUS server", + ((got_pri + got_sec) > 1)? "es" : "", + (got_pri)? inet_ntop(AF_INET, &_this->ipcp.nbns_pri, + buf0, sizeof(buf0)) : "", + (got_pri != 0 && got_sec != 0)? "," : "", + (got_sec)? inet_ntop(AF_INET, &_this->ipcp.nbns_sec, + buf1, sizeof(buf1)) : "", + ((got_pri + got_sec) > 1)? "are" : "is"); + } } /*********************************************************************** 
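Review bot: The addresses taken from MS-Primary/Secondary-DNS-Server and the NBNS equivalents are copied into `_this->ipcp.dns_pri`/`dns_sec`/`nbns_pri`/`nbns_sec` without any sanity check, so a multicast, broadcast or loopback value sent by the realm goes straight out to the peer in IPCP; the Access-Accept is integrity-protected by the shared secret, but a misconfigured or compromised RADIUS server can redirect every client's resolver, and I would at least guard each assignment with a small helper that rejects `IN_MULTICAST(ntohl(ip4.s_addr))` and `ntohl(ip4.s_addr) == INADDR_BROADCAST` and logs the rejected value. Whether `0.0.0.0` from RADIUS should be accepted (the manual gives it "no server" meaning on the config side) is a policy question the code should state in a comment either way. The two ppp_log() calls build their grammar from five conditional arguments and also pass inet_ntop() results directly to `%s`; inet_ntop() returning NULL is unlikely for AF_INET with these buffers, but one plain log line per server that was actually received would be both safer and far easier to read. The enclosing function ppp_process_radius_attrs starts before this hunk.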
@@ -480,3 +530,35 @@ fail: #endif return 1; } + +/** + * Set RADIUS attributes for RADIUS authentication request. + * Return 0 on success. + */ +int +ppp_set_radius_attrs_for_authreq(npppd_ppp *_this, + radius_req_setting *rad_setting, RADIUS_PACKET *radpkt) +{ + /* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */ + if (radius_prepare_nas_address(rad_setting, radpkt) != 0) + goto fail; + + /* RFC 2865 "5.6. Service-Type" */ + if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE, + RADIUS_SERVICE_TYPE_FRAMED) != 0) + goto fail; + + /* RFC 2865 "5.7. Framed-Protocol" */ + if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL, + RADIUS_FRAMED_PROTOCOL_PPP) != 0) + goto fail; + + if (_this->calling_number[0] != '\0') { + if (radius_put_string_attr(radpkt, + RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0) + return 1; + } + return 0; +fail: + return 1; +} diff --git a/usr.sbin/npppd/npppd/pap.c b/usr.sbin/npppd/npppd/pap.c index 0d43f72af80..f234f23ea56 100644 --- a/usr.sbin/npppd/npppd/pap.c +++ b/usr.sbin/npppd/npppd/pap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */ +/* $OpenBSD: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* $Id: pap.c,v 1.13 2024/02/26 08:47:28 yasuoka Exp $ */ +/* $Id: pap.c,v 1.14 2024/07/01 07:09:07 yasuoka Exp $ */ /**@file * This file provides Password Authentication Protocol (PAP) handlers. * @author Yasuoka Masahiko @@ -508,7 +508,7 @@ pap_radius_response(void *context, RADIUS_PACKET *pkt, int flags, } /* Authentication succeeded */ pap_response(_this, 1, DEFAULT_SUCCESS_MESSAGE); - ppp_process_radius_framed_ip(_this->ppp, pkt); + ppp_process_radius_attrs(_this->ppp, pkt); return; auth_failed: 
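Review bot: The moved ppp_set_radius_attrs_for_authreq() no longer sends NAS-Identifier: the ppp.c copy deleted in this same commit put `/* RFC 2865 5.32. NAS-Identifier */ if (radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd") != 0) goto fail;` between the NAS address and Service-Type, and the new copy does not, so RADIUS servers whose policies or accounting key on NAS-Identifier will see a different request even though the commit message only speaks of a move. If radius_prepare_nas_address() now emits it that is not visible here; otherwise either restore the block or call the change out in the commit message. Also the Calling-Station-Id branch uses `return 1;` while every other failure uses `goto fail;` — they are equivalent today, but `goto fail;` keeps the single exit path the fail label was written for.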
diff --git a/usr.sbin/npppd/npppd/parse.y b/usr.sbin/npppd/npppd/parse.y index 669e3050e8e..a589c5a7047 100644 --- a/usr.sbin/npppd/npppd/parse.y +++ b/usr.sbin/npppd/npppd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.27 2023/04/19 13:33:37 jsg Exp $ */ +/* $OpenBSD: parse.y,v 1.28 2024/07/01 07:09:07 yasuoka Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -818,19 +818,23 @@ ipcpopt : POOL_ADDRESS STRING ipcppooltype { } | DNS_SERVERS in4_addr in4_addr { curr_ipcpconf->dns_use_resolver = false; + curr_ipcpconf->dns_configured = true; curr_ipcpconf->dns_servers[0] = $2; curr_ipcpconf->dns_servers[1] = $3; } | DNS_SERVERS in4_addr { curr_ipcpconf->dns_use_resolver = false; + curr_ipcpconf->dns_configured = true; curr_ipcpconf->dns_servers[0] = $2; curr_ipcpconf->dns_servers[1].s_addr = 0; } | NBNS_SERVERS in4_addr in4_addr { + curr_ipcpconf->nbns_configured = true; curr_ipcpconf->nbns_servers[0] = $2; curr_ipcpconf->nbns_servers[1] = $3; } | NBNS_SERVERS in4_addr { + curr_ipcpconf->nbns_configured = true; curr_ipcpconf->nbns_servers[0] = $2; curr_ipcpconf->nbns_servers[1].s_addr = 0; } diff --git a/usr.sbin/npppd/npppd/ppp.c b/usr.sbin/npppd/npppd/ppp.c index 64716acc9ef..5aff7506f6c 100644 --- a/usr.sbin/npppd/npppd/ppp.c +++ b/usr.sbin/npppd/npppd/ppp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */ +/* $OpenBSD: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* $Id: ppp.c,v 1.31 2024/02/26 10:42:05 yasuoka Exp $ */ +/* $Id: ppp.c,v 1.32 2024/07/01 07:09:07 yasuoka Exp $ */ /**@file * This file provides PPP(Point-to-Point Protocol, RFC 1661) and * {@link :: _npppd_ppp PPP instance} related functions. 
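Review bot: `dns_configured = true` is deliberately set even when the operator writes `dns-servers 0.0.0.0`, because that is how npppd.conf.5 says RADIUS-supplied servers are disabled, but nothing in parse.y records that, so the next person may "fix" it by testing the address; a one-line comment next to each assignment, `/* set even for 0.0.0.0: an explicit dns-servers line disables RADIUS-supplied servers */`, would prevent that. The productions that set `dns_use_resolver = true` (if any exist, they are outside this hunk) leave `dns_configured` false, so RADIUS values will still be written into ipcp.dns_pri/dns_sec for such a realm; which of the two wins is decided elsewhere, and if the resolver setting is meant to be authoritative it should probably set `dns_configured = true` as well.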
@@ -1061,65 +1061,6 @@ ppp_log(npppd_ppp *_this, int prio, const char *fmt, ...) return status; } -#ifdef USE_NPPPD_RADIUS -#define UCHAR_BUFSIZ 255 -/** - * Process the Framed-IP-Address attribute and the Framed-IP-Netmask - * attribute of given RADIUS packet. - */ -void -ppp_process_radius_framed_ip(npppd_ppp *_this, RADIUS_PACKET *pkt) -{ - struct in_addr ip4; - - if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, &ip4) - == 0) - _this->realm_framed_ip_address = ip4; - - _this->realm_framed_ip_netmask.s_addr = 0xffffffffL; - if (radius_get_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_NETMASK, &ip4) - == 0) - _this->realm_framed_ip_netmask = ip4; -} - -/** - * Set RADIUS attributes for RADIUS authentication request. - * Return 0 on success. - */ -int -ppp_set_radius_attrs_for_authreq(npppd_ppp *_this, - radius_req_setting *rad_setting, RADIUS_PACKET *radpkt) -{ - /* RFC 2865 "5.4 NAS-IP-Address" or RFC3162 "2.1. NAS-IPv6-Address" */ - if (radius_prepare_nas_address(rad_setting, radpkt) != 0) - goto fail; - - /* RFC 2865 5.32. NAS-Identifier */ - if (radius_put_string_attr(radpkt, RADIUS_TYPE_NAS_IDENTIFIER, "npppd") - != 0) - goto fail; - - /* RFC 2865 "5.6. Service-Type" */ - if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_SERVICE_TYPE, - RADIUS_SERVICE_TYPE_FRAMED) != 0) - goto fail; - - /* RFC 2865 "5.7. Framed-Protocol" */ - if (radius_put_uint32_attr(radpkt, RADIUS_TYPE_FRAMED_PROTOCOL, - RADIUS_FRAMED_PROTOCOL_PPP) != 0) - goto fail; - - if (_this->calling_number[0] != '\0') { - if (radius_put_string_attr(radpkt, - RADIUS_TYPE_CALLING_STATION_ID, _this->calling_number) != 0) - return 1; - } - return 0; -fail: - return 1; -} -#endif - #ifdef USE_NPPPD_PIPEX /** The callback function on network is available for pipex */ static void diff --git a/usr.sbin/npppd/npppd/ppp.h b/usr.sbin/npppd/npppd/ppp.h index ebabe30fa1c..c42059af0c0 100644 --- a/usr.sbin/npppd/npppd/ppp.h +++ b/usr.sbin/npppd/npppd/ppp.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ppp.h,v 1.24 2022/12/28 21:30:17 jmc Exp $ */ +/* $OpenBSD: ppp.h,v 1.25 2024/07/01 07:09:07 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -779,7 +779,7 @@ u_char *ppp_packetbuf (npppd_ppp *, int); int ppp_log (npppd_ppp *, int, const char *, ...) __printflike(3,4); void ppp_reset_idle_timeout(npppd_ppp *); #ifdef USE_NPPPD_RADIUS -void ppp_process_radius_framed_ip (npppd_ppp *, RADIUS_PACKET *); +void ppp_process_radius_attrs (npppd_ppp *, RADIUS_PACKET *); int ppp_set_radius_attrs_for_authreq (npppd_ppp *, radius_req_setting *, RADIUS_PACKET *); #endif struct tunnconf *ppp_get_tunnconf(npppd_ppp *); -- 2.20.1