From 5a3e1cb22bef6b2aac337a3cb309f75447c2ef29 Mon Sep 17 00:00:00 2001 From: jdegraeve Date: Thu, 9 Feb 2006 10:53:49 +0000 Subject: [PATCH] Lunch commitment for safety ;) git-svn-id: https://svn.m0n0.ch/wall/trunk@65 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- captiveportal/index.php | 618 ++++++++++++------------ captiveportal/radius_accounting.inc | 576 +++++++++++----------- captiveportal/radius_accounting_v2.inc | 273 +++++++---- captiveportal/radius_authentication.inc | 124 ++--- 4 files changed, 840 insertions(+), 751 deletions(-) diff --git a/captiveportal/index.php b/captiveportal/index.php index 4791c56..fb83d7e 100644 --- a/captiveportal/index.php +++ b/captiveportal/index.php @@ -1,32 +1,32 @@ #!/usr/local/bin/php . - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + $Id$ + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ require_once("functions.inc"); @@ -43,53 +43,53 @@ $orig_request = $_ENV['CAPTIVE_REQPATH']; $clientip = $_ENV['REMOTE_ADDR']; if (!$clientip) { - /* not good - bail out */ - exit; + /* not good - bail out */ + exit; } if (isset($config['captiveportal']['httpslogin'])) - $ourhostname = $config['captiveportal']['httpsname'] . ":8001"; + $ourhostname = $config['captiveportal']['httpsname'] . ":8001"; else - $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000"; + $ourhostname = $config['interfaces'][$config['captiveportal']['interface']]['ipaddr'] . ":8000"; if ($orig_host != $ourhostname) { - /* the client thinks it's connected to the desired web server, but instead - it's connected to us. Issue a redirect... */ - - if (isset($config['captiveportal']['httpslogin'])) - header("Location: https://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}")); - else - header("Location: http://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}")); - - exit; + /* the client thinks it's connected to the desired web server, but instead + it's connected to us. Issue a redirect... */ + + if (isset($config['captiveportal']['httpslogin'])) + header("Location: https://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}")); + else + header("Location: http://{$ourhostname}/?redirurl=" . urlencode("http://{$orig_host}{$orig_request}")); + + exit; } if (preg_match("/redirurl=(.*)/", $orig_request, $matches)) - $redirurl = urldecode($matches[1]); + $redirurl = urldecode($matches[1]); if ($_POST['redirurl']) - $redirurl = $_POST['redirurl']; + $redirurl = $_POST['redirurl']; $macfilter = !isset($config['captiveportal']['nomacfilter']); /* find MAC address for client */ $clientmac = arp_get_mac_by_ip($clientip); if (!$clientmac && $macfilter) { - /* unable to find MAC address - shouldn't happen! - bail out */ - captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR"); - /* We should return an error page to the client explaining what went wrong instead of exiting */ - exit; + /* unable to find MAC address - shouldn't happen! - bail out */ + captiveportal_logportalauth("unauthenticated","noclientmac",$clientip,"ERROR"); + /* We should return an error page to the client explaining what went wrong instead of exiting */ + exit; } /* find out if we need RADIUS + RADIUSMAC or not */ if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radius_enable = TRUE; - if ($radius_enable && isset($config['captiveportal']['radmac_enable'])) - $radmac_enable = TRUE; + $radius_enable = TRUE; + if ($radius_enable && isset($config['captiveportal']['radmac_enable'])) + $radmac_enable = TRUE; } if ($_POST['logout_id']) { - disconnect_client($_POST['logout_id']); - echo << Disconnecting... @@ -107,220 +107,220 @@ setTimeout('window.close();',5000) ; EOD; /* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */ } else if ($clientmac && portal_mac_fixed($clientmac)) { - /* punch hole in ipfw for pass thru mac addresses */ - portal_allow($clientip, $clientmac, "unauthenticated"); - exit; + /* punch hole in ipfw for pass thru mac addresses */ + portal_allow($clientip, $clientmac, "unauthenticated"); + exit; } else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) { - /* radius functions handle everything so we exit here since we're done */ - exit; + /* radius functions handle everything so we exit here since we're done */ + exit; } else if ($_POST['accept'] && $radius_enable) { - if ($_POST['auth_user'] && $_POST['auth_pass']) { - $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN"); - - if ($auth_list['auth_val'] == 1) { - captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']); - portal_reply_page($redirurl, "error", $auth_list['error']); - } - else if ($auth_list['auth_val'] == 3) { - captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']); - portal_reply_page($redirurl, "error", $auth_list['reply_message']); - } - } else { - captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR"); - portal_reply_page($redirurl, "error"); - } - + if ($_POST['auth_user'] && $_POST['auth_pass']) { + $auth_list = radius($_POST['auth_user'],$_POST['auth_pass'],$clientip,$clientmac,"USER LOGIN"); + + if ($auth_list['auth_val'] == 1) { + captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR",$auth_list['error']); + portal_reply_page($redirurl, "error", $auth_list['error']); + } + else if ($auth_list['auth_val'] == 3) { + captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE",$auth_list['reply_message']); + portal_reply_page($redirurl, "error", $auth_list['reply_message']); + } + } else { + captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"ERROR"); + portal_reply_page($redirurl, "error"); + } + } else if ($_POST['accept'] && $config['captiveportal']['auth_method'] == "local") { - //check against local usermanager - $userdb = &$config['captiveportal']['user']; - - $loginok = false; - - //erase expired accounts - if (is_array($userdb)) { - $moddb = false; - for ($i = 0; $i < count($userdb); $i++) { - if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) { - unset($userdb[$i]); - $moddb = true; - } - } - if ($moddb) - write_config(); - - $userdb = &$config['captiveportal']['user']; - - for ($i = 0; $i < count($userdb); $i++) { - if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) { - $loginok = true; - break; - } - } - } - - if ($loginok){ - captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN"); - portal_allow($clientip, $clientmac,$_POST['auth_user']); - } else { - captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE"); - portal_reply_page($redirurl, "error"); - } + //check against local usermanager + $userdb = &$config['captiveportal']['user']; + + $loginok = false; + + //erase expired accounts + if (is_array($userdb)) { + $moddb = false; + for ($i = 0; $i < count($userdb); $i++) { + if ($userdb[$i]['expirationdate'] && (strtotime("-1 day") > strtotime($userdb[$i]['expirationdate']))) { + unset($userdb[$i]); + $moddb = true; + } + } + if ($moddb) + write_config(); + + $userdb = &$config['captiveportal']['user']; + + for ($i = 0; $i < count($userdb); $i++) { + if (($userdb[$i]['name'] == $_POST['auth_user']) && ($userdb[$i]['password'] == md5($_POST['auth_pass']))) { + $loginok = true; + break; + } + } + } + + if ($loginok){ + captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN"); + portal_allow($clientip, $clientmac,$_POST['auth_user']); + } else { + captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"FAILURE"); + portal_reply_page($redirurl, "error"); + } } else if ($_POST['accept'] && $clientip) { - captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT"); - portal_allow($clientip, $clientmac, "unauthenticated"); + captiveportal_logportalauth("unauthenticated",$clientmac,$clientip,"ACCEPT"); + portal_allow($clientip, $clientmac, "unauthenticated"); } else { - /* display captive portal page */ - portal_reply_page($redirurl, "login"); + /* display captive portal page */ + portal_reply_page($redirurl, "login"); } exit; function portal_reply_page($redirurl, $type = null, $message = null) { - global $g, $config; + global $g, $config; - /* Get captive portal layout */ - if ($type == "login") - $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html"); - else - $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html"); + /* Get captive portal layout */ + if ($type == "login") + $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal.html"); + else + $htmltext = file_get_contents("{$g['varetc_path']}/captiveportal-error.html"); - /* substitute other variables */ - if (isset($config['captiveportal']['httpslogin'])) - $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext); - else - $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext); + /* substitute other variables */ + if (isset($config['captiveportal']['httpslogin'])) + $htmltext = str_replace("\$PORTAL_ACTION\$", "https://{$config['captiveportal']['httpsname']}:8001/", $htmltext); + else + $htmltext = str_replace("\$PORTAL_ACTION\$", "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/", $htmltext); - $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext); - $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext); + $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext); + $htmltext = str_replace("\$PORTAL_MESSAGE\$", htmlspecialchars($message), $htmltext); - echo $htmltext; + echo $htmltext; } function portal_mac_fixed($clientmac) { - global $g ; - - /* open captive portal mac db */ - if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) { - $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ; - if (!$fd) { - return FALSE; - } - while (!feof($fd)) { - $mac = trim(fgets($fd)) ; - if(strcasecmp($clientmac, $mac) == 0) { - fclose($fd) ; - return TRUE ; - } - } - fclose($fd) ; - } - return FALSE ; -} + global $g ; + + /* open captive portal mac db */ + if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) { + $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db","r") ; + if (!$fd) { + return FALSE; + } + while (!feof($fd)) { + $mac = trim(fgets($fd)) ; + if(strcasecmp($clientmac, $mac) == 0) { + fclose($fd) ; + return TRUE ; + } + } + fclose($fd) ; + } + return FALSE ; +} function portal_mac_radius($clientmac,$clientip) { - global $config ; + global $config ; - $radmac_secret = $config['captiveportal']['radmac_secret']; + $radmac_secret = $config['captiveportal']['radmac_secret']; - /* authentication against the radius server */ - $auth_list = radius($clientmac,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN"); - if ($auth_list['auth_val'] == 2) { - return TRUE; - } - return FALSE; + /* authentication against the radius server */ + $auth_list = radius($clientmac,$radmac_secret,$clientip,$clientmac,"MACHINE LOGIN"); + if ($auth_list['auth_val'] == 2) { + return TRUE; + } + return FALSE; } function portal_allow($clientip,$clientmac,$clientuser,$password = null, $session_timeout = null, $idle_timeout = null, $url_redirection = null, $session_terminate_time = null) { - global $redirurl, $g, $config; - - if ((isset($config['captiveportal']['noconcurrentlogins'])) && ($clientuser != 'unauthenticated')) - kick_concurrent_logins($clientuser); - - captiveportal_lock(); - - $ruleno = get_next_ipfw_ruleno(); - - /* generate unique session ID */ - $tod = gettimeofday(); - $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16); - - /* add ipfw rules for layer 3 */ - exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in"); - exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out"); - - /* add ipfw rules for layer 2 */ - if (!isset($config['captiveportal']['nomacfilter'])) { - $l2ruleno = $ruleno + 10000; - exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in"); - exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out"); - } - - /* read in client database */ - $cpdb = captiveportal_read_db(); - - $radiusservers = captiveportal_get_radius_servers(); - - /* find an existing entry and delete it */ - for ($i = 0; $i < count($cpdb); $i++) { - if(!strcasecmp($cpdb[$i][2],$clientip)) { - if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers[0]['ipaddr'], - $radiusservers[0]['acctport'], - $radiusservers[0]['key'], - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 13); // Port Preempted - } - mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); - unset($cpdb[$i]); - break; - } - } - - /* encode password in Base64 just in case it contains commas */ - $bpassword = base64_encode($password); - $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $clientuser, $sessionid, $bpassword, $session_timeout, $idle_timeout, $session_terminate_time); - - /* rewrite information to database */ - captiveportal_write_db($cpdb); - - /* write next rule number */ - $fd = @fopen("{$g['vardb_path']}/captiveportal.nextrule", "w"); - if ($fd) { - $ruleno++; - if ($ruleno > 19899) - $ruleno = 10000; /* wrap around */ - fwrite($fd, $ruleno); - fclose($fd); - } - - captiveportal_unlock(); - - /* redirect user to desired destination */ - if ($url_redirection) - $my_redirurl = $url_redirection; - else if ($config['captiveportal']['redirurl']) - $my_redirurl = $config['captiveportal']['redirurl']; - else - $my_redirurl = $redirurl; - - if(isset($config['captiveportal']['logoutwin_enable'])) { - - if (isset($config['captiveportal']['httpslogin'])) - $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/"; - else - $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/"; - - echo << 19899) + $ruleno = 10000; /* wrap around */ + fwrite($fd, $ruleno); + fclose($fd); + } + + captiveportal_unlock(); + + /* redirect user to desired destination */ + if ($url_redirection) + $my_redirurl = $url_redirection; + else if ($config['captiveportal']['redirurl']) + $my_redirurl = $config['captiveportal']['redirurl']; + else + $my_redirurl = $redirurl; + + if(isset($config['captiveportal']['logoutwin_enable'])) { + + if (isset($config['captiveportal']['httpslogin'])) + $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/"; + else + $logouturl = "http://{$config['interfaces'][$config['captiveportal']['interface']]['ipaddr']}:8000/"; + + echo << Redirecting... @@ -331,18 +331,18 @@ function portal_allow($clientip,$clientmac,$clientuser,$password = null, $sessio