The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
proto_radius.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 11f39a3f5f82c6bf83acf60e96ec0ca4693f9396 $
19  * @file proto_radius.c
20  * @brief RADIUS master protocol handler.
21  *
22  * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23  * @copyright 2016 Alan DeKok (aland@freeradius.org)
24  */
25 #include <freeradius-devel/radius/radius.h>
26 #include <freeradius-devel/io/listen.h>
27 #include <freeradius-devel/unlang/xlat_func.h>
28 #include <freeradius-devel/server/module_rlm.h>
29 #include "proto_radius.h"
30 
31 extern fr_app_t proto_radius;
32 
33 static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
34 static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
35 
36 static conf_parser_t const limit_config[] = {
37  { FR_CONF_OFFSET("cleanup_delay", proto_radius_t, io.cleanup_delay), .dflt = "5.0" } ,
38  { FR_CONF_OFFSET("idle_timeout", proto_radius_t, io.idle_timeout), .dflt = "30.0" } ,
39  { FR_CONF_OFFSET("nak_lifetime", proto_radius_t, io.nak_lifetime), .dflt = "30.0" } ,
40 
41  { FR_CONF_OFFSET("max_connections", proto_radius_t, io.max_connections), .dflt = "1024" } ,
42  { FR_CONF_OFFSET("max_clients", proto_radius_t, io.max_clients), .dflt = "256" } ,
43  { FR_CONF_OFFSET("max_pending_packets", proto_radius_t, io.max_pending_packets), .dflt = "256" } ,
44 
45  /*
46  * For performance tweaking. NOT for normal humans.
47  */
48  { FR_CONF_OFFSET("max_packet_size", proto_radius_t, max_packet_size) } ,
49  { FR_CONF_OFFSET("num_messages", proto_radius_t, num_messages) } ,
50 
51  CONF_PARSER_TERMINATOR
52 };
53 
54 static const conf_parser_t priority_config[] = {
55  { FR_CONF_OFFSET("Access-Request", proto_radius_t, priorities[FR_RADIUS_CODE_ACCESS_REQUEST]),
56  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" },
57  { FR_CONF_OFFSET("Accounting-Request", proto_radius_t, priorities[FR_RADIUS_CODE_ACCOUNTING_REQUEST]),
58  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" },
59  { FR_CONF_OFFSET("CoA-Request", proto_radius_t, priorities[FR_RADIUS_CODE_COA_REQUEST]),
60  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "normal" },
61  { FR_CONF_OFFSET("Disconnect-Request", proto_radius_t, priorities[FR_RADIUS_CODE_DISCONNECT_REQUEST]),
62  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" },
63  { FR_CONF_OFFSET("Status-Server", proto_radius_t, priorities[FR_RADIUS_CODE_STATUS_SERVER]),
64  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "now" },
65 
66  CONF_PARSER_TERMINATOR
67 };
68 
69 /** How to parse a RADIUS listen section
70  *
71  */
72 static conf_parser_t const proto_radius_config[] = {
73  { FR_CONF_OFFSET_FLAGS("type", CONF_FLAG_NOT_EMPTY, proto_radius_t, allowed_types), .func = type_parse },
74  { FR_CONF_OFFSET_TYPE_FLAGS("transport", FR_TYPE_VOID, 0, proto_radius_t, io.submodule),
75  .func = transport_parse },
76 
77  /*
78  * Check whether or not the *trailing* bits of a
79  * Tunnel-Password are zero, as they should be.
80  */
81  { FR_CONF_OFFSET("tunnel_password_zeros", proto_radius_t, tunnel_password_zeros) } ,
82 
83  { FR_CONF_POINTER("limit", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) limit_config },
84  { FR_CONF_POINTER("priority", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) priority_config },
85 
86  CONF_PARSER_TERMINATOR
87 };
88 
89 static fr_dict_t const *dict_radius;
90 
91 extern fr_dict_autoload_t proto_radius_dict[];
92 fr_dict_autoload_t proto_radius_dict[] = {
93  { .out = &dict_radius, .proto = "radius" },
94  { NULL }
95 };
96 
97 static fr_dict_attr_t const *attr_packet_type;
98 static fr_dict_attr_t const *attr_user_name;
99 static fr_dict_attr_t const *attr_state;
100 
101 extern fr_dict_attr_autoload_t proto_radius_dict_attr[];
102 fr_dict_attr_autoload_t proto_radius_dict_attr[] = {
103  { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius},
104  { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius},
105  { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
106  { NULL }
107 };
108 
109 /** Wrapper around dl_instance which translates the packet-type into a submodule name
110  *
111  * If we found a Packet-Type = Access-Request CONF_PAIR for example, here's we'd load
112  * the proto_radius_auth module.
113  *
114  * @param[in] ctx to allocate data in (instance of proto_radius).
115  * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
116  * @param[in] parent Base structure address.
117  * @param[in] ci #CONF_PAIR specifying the name of the type module.
118  * @param[in] rule unused.
119  * @return
120  * - 0 on success.
121  * - -1 on failure.
122  */
123 static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
124 {
125  proto_radius_t *inst = talloc_get_type_abort(parent, proto_radius_t);
126  fr_dict_enum_value_t *dv;
127  CONF_PAIR *cp;
128  char const *value;
129 
130  cp = cf_item_to_pair(ci);
131  value = cf_pair_value(cp);
132 
133  dv = fr_dict_enum_by_name(attr_packet_type, value, -1);
134  if (!dv || (dv->value->vb_uint32 >= FR_RADIUS_CODE_MAX)) {
135  cf_log_err(ci, "Unknown RADIUS packet type '%s'", value);
136  return -1;
137  }
138 
139  inst->allowed[dv->value->vb_uint32] = true;
140  *((char const **) out) = value;
141 
142  return 0;
143 }
144 
145 /** Wrapper around dl_instance
146  *
147  * @param[in] ctx to allocate data in (instance of proto_radius).
148  * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
149  * @param[in] parent Base structure address.
150  * @param[in] ci #CONF_PAIR specifying the name of the type module.
151  * @param[in] rule unused.
152  * @return
153  * - 0 on success.
154  * - -1 on failure.
155  */
156 static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
157 {
158  char const *name = cf_pair_value(cf_item_to_pair(ci));
159  dl_module_inst_t *parent_inst;
160  proto_radius_t *inst;
161  CONF_SECTION *listen_cs = cf_item_to_section(cf_parent(ci));
162  CONF_SECTION *transport_cs;
163  dl_module_inst_t *dl_mod_inst;
164 
165  transport_cs = cf_section_find(listen_cs, name, NULL);
166 
167  parent_inst = cf_data_value(cf_data_find(listen_cs, dl_module_inst_t, "proto_radius"));
168  fr_assert(parent_inst);
169 
170  /*
171  * Set the allowed codes so that we can compile them as
172  * necessary.
173  */
174  inst = talloc_get_type_abort(parent_inst->data, proto_radius_t);
175  inst->io.transport = name;
176 
177  /*
178  * Allocate an empty section if one doesn't exist
179  * this is so defaults get parsed.
180  */
181  if (!transport_cs) {
182  transport_cs = cf_section_alloc(listen_cs, listen_cs, name, NULL);
183  inst->io.app_io_conf = transport_cs;
184  }
185 
186  if (dl_module_instance(ctx, &dl_mod_inst, parent_inst,
187  DL_MODULE_TYPE_SUBMODULE, name, dl_module_inst_name_from_conf(transport_cs)) < 0) return -1;
188  if (dl_module_conf_parse(dl_mod_inst, transport_cs) < 0) {
189  talloc_free(dl_mod_inst);
190  return -1;
191  }
192  *((dl_module_inst_t **)out) = dl_mod_inst;
193 
194  return 0;
195 }
196 
197 /** Decode the packet
198  *
199  */
200 static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *const data, size_t data_len)
201 {
202  fr_io_track_t const *track = talloc_get_type_abort_const(request->async->packet_ctx, fr_io_track_t);
203  fr_io_address_t const *address = track->address;
204  fr_client_t const *client;
205  fr_radius_ctx_t common_ctx;
206  fr_radius_decode_ctx_t decode_ctx;
207 
208  fr_assert(data[0] < FR_RADIUS_CODE_MAX);
209 
210  /*
211  * Set the request dictionary so that we can do
212  * generic->protocol attribute conversions as
213  * the request runs through the server.
214  */
215  request->dict = dict_radius;
216 
217  client = address->radclient;
218 
219  common_ctx = (fr_radius_ctx_t) {
220  .secret = client->secret,
221  .secret_length = talloc_array_length(client->secret) - 1,
222  };
223 
224  decode_ctx = (fr_radius_decode_ctx_t) {
225  .common = &common_ctx,
226  .tmp_ctx = talloc(request, uint8_t),
227  /* decode figures out request_authenticator */
228  .end = data + data_len,
229  .verify = client->active,
230  .require_message_authenticator = client->message_authenticator,
231  };
232 
233  /*
234  * The verify() routine over-writes the request packet vector.
235  *
236  * @todo - That needs to be changed.
237  */
238  request->packet->code = data[0];
239  request->packet->id = data[1];
240  request->reply->id = data[1];
241  memcpy(request->packet->vector, data + 4, sizeof(request->packet->vector));
242 
243  request->packet->data = talloc_memdup(request->packet, data, data_len);
244  request->packet->data_len = data_len;
245 
246  /*
247  * !client->active means a fake packet defining a dynamic client - so there will
248  * be no secret defined yet - so can't verify.
249  */
250  if (fr_radius_decode(request->request_ctx, &request->request_pairs,
251  data, data_len, &decode_ctx) < 0) {
252  talloc_free(decode_ctx.tmp_ctx);
253  RPEDEBUG("Failed reading packet");
254  return -1;
255  }
256  talloc_free(decode_ctx.tmp_ctx);
257 
258  /*
259  * Set the rest of the fields.
260  */
261  request->client = UNCONST(fr_client_t *, client);
262 
263  request->packet->socket = address->socket;
264  fr_socket_addr_swap(&request->reply->socket, &address->socket);
265 
266  REQUEST_VERIFY(request);
267 
268  /*
269  * If we're defining a dynamic client, this packet is
270  * fake. We don't have a secret, so we mash all of the
271  * encrypted attributes to sane (i.e. non-hurtful)
272  * values.
273  */
274  if (!client->active) {
275  fr_pair_t *vp;
276 
277  fr_assert(client->dynamic);
278 
279  request_set_dynamic_client(request);
280 
281  for (vp = fr_pair_list_head(&request->request_pairs);
282  vp != NULL;
283  vp = fr_pair_list_next(&request->request_pairs, vp)) {
284  if (flag_encrypted(&vp->da->flags)) {
285  switch (vp->vp_type) {
286  default:
287  break;
288 
289  case FR_TYPE_UINT32:
290  vp->vp_uint32 = 0;
291  break;
292 
293  case FR_TYPE_IPV4_ADDR:
294  vp->vp_ipv4addr = INADDR_ANY;
295  break;
296 
297  case FR_TYPE_OCTETS:
298  fr_pair_value_memdup(vp, (uint8_t const *) "", 1, true);
299  break;
300 
301  case FR_TYPE_STRING:
302  fr_pair_value_strdup(vp, "", true);
303  break;
304  }
305  }
306  }
307  }
308 
309  /*
310  * Set the sequence to be at least one. This will
311  * prioritize replies to Access-Challenges over other
312  * packets. The sequence will be updated (if necessary)
313  * by the RADIUS state machine. If the request yields,
314  * it will get re-inserted with an updated sequence
315  * number.
316  */
317  if ((request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) &&
318  fr_pair_find_by_da(&request->request_pairs, NULL, attr_state)) {
319  request->async->sequence = 1;
320  }
321 
322  if (fr_packet_pairs_from_packet(request->request_ctx, &request->request_pairs, request->packet) < 0) {
323  RPEDEBUG("Failed decoding 'Net.*' packet");
324  return -1;
325  }
326 
327  return 0;
328 }
329 
330 static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
331 {
332  fr_io_track_t *track = talloc_get_type_abort(request->async->packet_ctx, fr_io_track_t);
333  fr_io_address_t const *address = track->address;
334  ssize_t data_len;
335  fr_client_t const *client;
336 
337  /*
338  * Process layer NAK, or "Do not respond".
339  */
340  if ((buffer_len == 1) ||
341  (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) ||
342  (request->reply->code == 0) || (request->reply->code >= FR_RADIUS_CODE_MAX)) {
343  track->do_not_respond = true;
344  return 1;
345  }
346 
347  client = address->radclient;
348  fr_assert(client);
349 
350  /*
351  * Dynamic client stuff
352  */
353  if (client->dynamic && !client->active) {
354  fr_client_t *new_client;
355 
356  fr_assert(buffer_len >= sizeof(client));
357 
358  /*
359  * We don't accept the new client, so don't do
360  * anything.
361  */
362  if (request->reply->code != FR_RADIUS_CODE_ACCESS_ACCEPT) {
363  *buffer = true;
364  return 1;
365  }
366 
367  /*
368  * Allocate the client. If that fails, send back a NAK.
369  *
370  * @todo - deal with NUMA zones? Or just deal with this
371  * client being in different memory.
372  *
373  * Maybe we should create a CONF_SECTION from the client,
374  * and pass *that* back to mod_write(), which can then
375  * parse it to create the actual client....
376  */
377  new_client = client_afrom_request(NULL, request);
378  if (!new_client) {
379  PERROR("Failed creating new client");
380  *buffer = true;
381  return 1;
382  }
383 
384  memcpy(buffer, &new_client, sizeof(new_client));
385  return sizeof(new_client);
386  }
387 
388  /*
389  * Overwrite the src ip address on the outbound packet
390  * with the one specified by the client. This is useful
391  * to work around broken DSR implementations and other
392  * routing issues.
393  */
394  if (client->src_ipaddr.af != AF_UNSPEC) {
395  request->reply->socket.inet.src_ipaddr = client->src_ipaddr;
396  }
397 
398  data_len = fr_radius_encode(buffer, buffer_len, request->packet->data,
399  client->secret, talloc_array_length(client->secret) - 1,
400  request->reply->code, request->reply->id, &request->reply_pairs);
401  if (data_len < 0) {
402  RPEDEBUG("Failed encoding RADIUS reply");
403  return -1;
404  }
405 
406  if (fr_radius_sign(buffer, request->packet->data + 4,
407  (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1) < 0) {
408  RPEDEBUG("Failed signing RADIUS reply");
409  return -1;
410  }
411 
412  fr_packet_pairs_to_packet(request->reply, &request->reply_pairs);
413 
414  if (RDEBUG_ENABLED) {
415  RDEBUG("Sending %s ID %i from %pV:%i to %pV:%i length %zu via socket %s",
416  fr_radius_packet_name[request->reply->code],
417  request->reply->id,
418  fr_box_ipaddr(request->reply->socket.inet.src_ipaddr),
419  request->reply->socket.inet.src_port,
420  fr_box_ipaddr(request->reply->socket.inet.dst_ipaddr),
421  request->reply->socket.inet.dst_port,
422  data_len,
423  request->async->listen->name);
424 
425  log_request_pair_list(L_DBG_LVL_1, request, NULL, &request->reply_pairs, NULL);
426  }
427 
428  return data_len;
429 }
430 
431 static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
432 {
433  proto_radius_t const *inst = talloc_get_type_abort_const(instance, proto_radius_t);
434 
435  fr_assert(buffer[0] > 0);
436  fr_assert(buffer[0] < FR_RADIUS_CODE_MAX);
437 
438  /*
439  * Disallowed packet
440  */
441  if (!inst->priorities[buffer[0]]) return 0;
442 
443  if (!inst->allowed[buffer[0]]) return -1;
444 
445  /*
446  * @todo - if we cared, we could also return -1 for "this
447  * is a bad packet". But that's really only for
448  * mod_inject, as we assume that app_io->read() always
449  * returns good packets.
450  */
451 
452  /*
453  * Return the configured priority.
454  */
455  return inst->priorities[buffer[0]];
456 }
457 
458 /** Open listen sockets/connect to external event source
459  *
460  * @param[in] instance Ctx data for this application.
461  * @param[in] sc to add our file descriptor to.
462  * @param[in] conf Listen section parsed to give us instance.
463  * @return
464  * - 0 on success.
465  * - -1 on failure.
466  */
467 static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
468 {
469  proto_radius_t *inst = talloc_get_type_abort(instance, proto_radius_t);
470 
471  inst->io.app = &proto_radius;
472  inst->io.app_instance = instance;
473 
474  /*
475  * io.app_io should already be set
476  */
477  return fr_master_io_listen(inst, &inst->io, sc,
478  inst->max_packet_size, inst->num_messages);
479 }
480 
481 /** Instantiate the application
482  *
483  * Instantiate I/O and type submodules.
484  *
485  * @return
486  * - 0 on success.
487  * - -1 on failure.
488  */
489 static int mod_instantiate(module_inst_ctx_t const *mctx)
490 {
491  proto_radius_t *inst = talloc_get_type_abort(mctx->inst->data, proto_radius_t);
492 
493  /*
494  * No IO module, it's an empty listener.
495  */
496  if (!inst->io.submodule) return 0;
497 
498  /*
499  * These configuration items are not printed by default,
500  * because normal people shouldn't be touching them.
501  */
502  if (!inst->max_packet_size && inst->io.app_io) inst->max_packet_size = inst->io.app_io->default_message_size;
503 
504  if (!inst->num_messages) inst->num_messages = 256;
505 
506  FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, >=, 32);
507  FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, <=, 65535);
508 
509  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 1024);
510  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
511 
512  /*
513  * Instantiate the master io submodule
514  */
515  return fr_master_app_io.common.instantiate(MODULE_INST_CTX(inst->io.dl_inst));
516 }
517 
518 
519 /** Bootstrap the application
520  *
521  * Bootstrap I/O and type submodules.
522  *
523  * @return
524  * - 0 on success.
525  * - -1 on failure.
526  */
527 static int mod_bootstrap(module_inst_ctx_t const *mctx)
528 {
529  proto_radius_t *inst = talloc_get_type_abort(mctx->inst->data, proto_radius_t);
530 
531  /*
532  * Ensure that the server CONF_SECTION is always set.
533  */
534  inst->io.server_cs = cf_item_to_section(cf_parent(mctx->inst->conf));
535 
536  /*
537  * No IO module, it's an empty listener.
538  */
539  if (!inst->io.submodule) return 0;
540 
541  /*
542  * These timers are usually protocol specific.
543  */
544  FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, >=, fr_time_delta_from_sec(1));
545  FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, <=, fr_time_delta_from_sec(600));
546 
547  FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, >=, fr_time_delta_from_sec(1));
548  FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, <=, fr_time_delta_from_sec(600));
549 
550  FR_TIME_DELTA_BOUND_CHECK("cleanup_delay", inst->io.cleanup_delay, <=, fr_time_delta_from_sec(30));
551  FR_TIME_DELTA_BOUND_CHECK("cleanup_delay", inst->io.cleanup_delay, >, fr_time_delta_from_sec(0));
552 
553 #if 0
554  /*
555  * No Access-Request packets, then no cleanup delay.
556  */
557  if (!inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) {
558  inst->io.cleanup_delay = 0;
559  }
560 #endif
561 
562  /*
563  * Tell the master handler about the main protocol instance.
564  */
565  inst->io.app = &proto_radius;
566  inst->io.app_instance = inst;
567 
568  /*
569  * We will need this for dynamic clients and connected sockets.
570  */
571  inst->io.dl_inst = dl_module_instance_by_data(inst);
572  fr_assert(inst != NULL);
573 
574  /*
575  * Bootstrap the master IO handler.
576  */
577  return fr_master_app_io.common.bootstrap(MODULE_INST_CTX(inst->io.dl_inst));
578 }
579 
580 /** Get the authentication vector.
581  *
582  * Note that we don't allow people to get the reply vector, because
583  * it doesn't exist until the reply is sent.
584  *
585  */
586 static xlat_action_t packet_vector_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
587  UNUSED xlat_ctx_t const *xctx, request_t *request,
588  UNUSED fr_value_box_list_t *in)
589 {
590  fr_value_box_t *vb;
591 
592  if (request->dict != dict_radius) return XLAT_ACTION_FAIL;
593 
594  MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_OCTETS, NULL));
595  if (fr_value_box_memdup(vb, vb, NULL, request->packet->vector, sizeof(request->packet->vector), true) < 0) {
596  talloc_free(vb);
597  return XLAT_ACTION_FAIL;
598  }
599 
600  fr_dcursor_append(out, vb);
601 
602  return XLAT_ACTION_DONE;
603 }
604 
605 
606 static int mod_load(void)
607 {
608  if (fr_radius_global_init() < 0) {
609  PERROR("Failed initialising protocol library");
610  return -1;
611  }
612 
613 
614  if (!xlat_func_register(NULL, "radius.packet.vector", packet_vector_xlat, FR_TYPE_OCTETS)) return -1;
615 
616  return 0;
617 }
618 
619 static void mod_unload(void)
620 {
621  xlat_func_unregister("radius.packet.vector");
622 
623  fr_radius_global_free();
624 }
625 
626 fr_app_t proto_radius = {
627  .common = {
628  .magic = MODULE_MAGIC_INIT,
629  .name = "radius",
630  .config = proto_radius_config,
631  .inst_size = sizeof(proto_radius_t),
632  .onload = mod_load,
633  .unload = mod_unload,
634  .bootstrap = mod_bootstrap,
635  .instantiate = mod_instantiate
636  },
637  .dict = &dict_radius,
638  .open = mod_open,
639  .decode = mod_decode,
640  .encode = mod_encode,
641  .priority = mod_priority_set
642 };
buffer
static int const char char buffer[256]
Definition: acutest.h:574
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition: app_io.h:34
fr_app_t::common
module_t common
Common fields provided by all modules.
Definition: application.h:72
fr_app_t
Describes a new application (protocol)
Definition: application.h:71
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition: build.h:165
UNUSED
#define UNUSED
Definition: build.h:313
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition: cf_parse.c:1474
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:626
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:486
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:256
FR_TIME_DELTA_BOUND_CHECK
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:497
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition: cf_parse.h:421
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:400
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
cf_table_parse_ctx_t
Definition: cf_parse.h:621
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:563
cf_item
Common header for all CONF_* types.
Definition: cf_priv.h:49
cf_pair
Configuration AVP similar to a fr_pair_t.
Definition: cf_priv.h:70
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:89
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition: cf_util.c:629
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition: cf_util.c:970
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition: cf_util.c:1511
cf_data_value
void * cf_data_value(CONF_DATA const *cd)
Return the user assigned value of CONF_DATA.
Definition: cf_util.c:1680
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:649
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:265
cf_data_find
#define cf_data_find(_cf, _type, _name)
Definition: cf_util.h:220
cf_parent
#define cf_parent(_cf)
Definition: cf_util.h:98
cf_section_alloc
#define cf_section_alloc(_ctx, _parent, _name1, _name2)
Definition: cf_util.h:137
channel_packet_priority_len
size_t channel_packet_priority_len
Definition: channel.c:170
channel_packet_priority
fr_table_num_sorted_t const channel_packet_priority[]
Definition: channel.c:164
fr_dcursor_append
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition: dcursor.h:405
fr_dcursor_s
Definition: dcursor.h:93
FR_RADIUS_CODE_ACCESS_REQUEST
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition: defs.h:33
FR_RADIUS_CODE_DISCONNECT_REQUEST
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition: defs.h:46
FR_RADIUS_CODE_DO_NOT_RESPOND
@ FR_RADIUS_CODE_DO_NOT_RESPOND
Special rcode to indicate we will not respond.
Definition: defs.h:54
FR_RADIUS_CODE_MAX
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition: defs.h:53
FR_RADIUS_CODE_STATUS_SERVER
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition: defs.h:44
FR_RADIUS_CODE_COA_REQUEST
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition: defs.h:49
FR_RADIUS_CODE_ACCESS_ACCEPT
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition: defs.h:34
FR_RADIUS_CODE_ACCOUNTING_REQUEST
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition: defs.h:36
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition: dict.h:250
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition: dict.h:263
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition: dict.h:213
fr_dict_enum_by_name
fr_dict_enum_value_t * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition: dict_util.c:2992
in
static fr_slen_t in
Definition: dict.h:645
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition: dict.h:249
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition: dict.h:262
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition: dict.h:209
value
Test enumeration values.
Definition: dict_test.h:92
dl_module_instance
int dl_module_instance(TALLOC_CTX *ctx, dl_module_inst_t **out, dl_module_inst_t const *parent, dl_module_type_t type, char const *mod_name, char const *inst_name)
Load a module and parse its CONF_SECTION in one operation.
Definition: dl_module.c:552
dl_module_inst_name_from_conf
char const * dl_module_inst_name_from_conf(CONF_SECTION *conf)
Avoid boilerplate when setting the module instance name.
Definition: dl_module.c:584
dl_module_instance_by_data
dl_module_inst_t const * dl_module_instance_by_data(void const *data)
Lookup a dl_module_inst_t via instance data.
Definition: dl_module.c:215
dl_module_conf_parse
int dl_module_conf_parse(dl_module_inst_t *dl_inst, CONF_SECTION *conf)
Definition: dl_module.c:594
DL_MODULE_TYPE_SUBMODULE
@ DL_MODULE_TYPE_SUBMODULE
Driver (or method in the case of EAP)
Definition: dl_module.h:71
dl_module_instance_s::data
void *_CONST data
Module instance's parsed configuration.
Definition: dl_module.h:165
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:65
dl_module_instance_s::conf
CONF_SECTION *_CONST conf
Module's instance configuration.
Definition: dl_module.h:166
dl_module_instance_s
A module/inst tuple.
Definition: dl_module.h:162
fr_ipaddr_t::af
int af
Address family.
Definition: inet.h:64
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition: base.h:336
fr_io_address_t::radclient
fr_client_t const * radclient
old-style client definition
Definition: base.h:338
fr_io_address_t
Definition: base.h:335
fr_client_s::secret
char const * secret
Secret PSK.
Definition: client.h:87
fr_client_s::active
bool active
for dynamic clients
Definition: client.h:91
fr_client_s::src_ipaddr
fr_ipaddr_t src_ipaddr
IPv4/IPv6 address to send responses from (family must match ipaddr).
Definition: client.h:81
fr_client_s::message_authenticator
bool message_authenticator
Require RADIUS message authenticator in requests.
Definition: client.h:89
fr_client_s::dynamic
bool dynamic
Whether the client was dynamically defined.
Definition: client.h:90
fr_client_s
Describes a host allowed to send packets to the server.
Definition: client.h:77
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition: log.c:821
PERROR
#define PERROR(_fmt,...)
Definition: log.h:228
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition: log.h:376
fr_packet_pairs_to_packet
void fr_packet_pairs_to_packet(fr_packet_t *packet, fr_pair_list_t const *list)
Convert pairs to information in a packet.
Definition: packet.c:136
fr_packet_pairs_from_packet
int fr_packet_pairs_from_packet(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_packet_t const *packet)
Allocate a "Net." struct with src/dst host and port.
Definition: packet.c:86
talloc_free
talloc_free(reap)
L_DBG_LVL_1
@ L_DBG_LVL_1
Highest priority debug messages (-x).
Definition: log.h:70
fr_master_app_io
fr_app_io_t fr_master_app_io
Definition: master.c:3131
fr_master_io_listen
int fr_master_io_listen(TALLOC_CTX *ctx, fr_io_instance_t *inst, fr_schedule_t *sc, size_t default_message_size, size_t num_messages)
Definition: master.c:2923
fr_io_track_s::address
fr_io_address_t const * address
of this packet.. shared between multiple packets
Definition: master.h:54
fr_io_track_s::do_not_respond
bool do_not_respond
don't respond
Definition: master.h:50
fr_io_track_s
Definition: master.h:40
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition: merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition: merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition: merged_model.c:84
ssize_t
long int ssize_t
Definition: merged_model.c:24
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
fr_dict_attr_t
Definition: merged_model.c:133
fr_dict_t
Definition: merged_model.c:198
fr_value_box_t
Definition: merged_model.c:136
request_t
Definition: merged_model.c:210
MODULE_INST_CTX
#define MODULE_INST_CTX(_dl_inst)
Wrapper to create a module_inst_ctx_t as a compound literal.
Definition: module_ctx.h:153
module_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:52
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:51
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:688
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition: pair.c:2978
fr_pair_value_strdup
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition: pair.c:2631
mod_load
static int mod_load(void)
Definition: proto_radius.c:606
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition: proto_radius.c:97
mod_encode
static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
Definition: proto_radius.c:330
packet_vector_xlat
static xlat_action_t packet_vector_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Get the authentication vector.
Definition: proto_radius.c:586
attr_state
static fr_dict_attr_t const * attr_state
Definition: proto_radius.c:99
proto_radius_dict
fr_dict_autoload_t proto_radius_dict[]
Definition: proto_radius.c:92
limit_config
static conf_parser_t const limit_config[]
Definition: proto_radius.c:36
type_parse
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
proto_radius
fr_app_t proto_radius
Definition: proto_radius.c:626
dict_radius
static fr_dict_t const * dict_radius
Definition: proto_radius.c:89
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Bootstrap the application.
Definition: proto_radius.c:527
mod_unload
static void mod_unload(void)
Definition: proto_radius.c:619
mod_decode
static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *const data, size_t data_len)
Decode the packet.
Definition: proto_radius.c:200
priority_config
static const conf_parser_t priority_config[]
Definition: proto_radius.c:54
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition: proto_radius.c:98
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the application.
Definition: proto_radius.c:489
mod_open
static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
Open listen sockets/connect to external event source.
Definition: proto_radius.c:467
mod_priority_set
static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
Definition: proto_radius.c:431
proto_radius_dict_attr
fr_dict_attr_autoload_t proto_radius_dict_attr[]
Definition: proto_radius.c:102
proto_radius_config
static conf_parser_t const proto_radius_config[]
How to parse a RADIUS listen section.
Definition: proto_radius.c:72
transport_parse
static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
proto_radius.h
proto_radius_t
An instance of a proto_radius listen section.
Definition: proto_radius.h:32
fr_radius_decode
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition: base.c:997
fr_radius_sign
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
Definition: base.c:301
fr_radius_encode
ssize_t fr_radius_encode(uint8_t *packet, size_t packet_len, uint8_t const *original, char const *secret, size_t secret_len, int code, int id, fr_pair_list_t *vps)
Encode VPS into a raw RADIUS packet.
Definition: base.c:860
fr_radius_global_init
int fr_radius_global_init(void)
Definition: base.c:1119
fr_radius_global_free
void fr_radius_global_free(void)
Definition: base.c:1142
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition: base.c:94
RDEBUG
#define RDEBUG(fmt,...)
Definition: radclient.h:53
RDEBUG_ENABLED
#define RDEBUG_ENABLED()
Definition: radclient.h:49
fr_radius_ctx_t::secret
char const * secret
Definition: radius.h:111
flag_encrypted
#define flag_encrypted(_flags)
Definition: radius.h:100
fr_radius_decode_ctx_t::common
fr_radius_ctx_t * common
Definition: radius.h:137
fr_radius_decode_ctx_t::tmp_ctx
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition: radius.h:141
fr_radius_ctx_t
Definition: radius.h:110
fr_radius_decode_ctx_t
Definition: radius.h:136
conf
static rs_t * conf
Definition: radsniff.c:53
REQUEST_VERIFY
#define REQUEST_VERIFY(_x)
Definition: request.h:275
request_set_dynamic_client
#define request_set_dynamic_client(_x)
Definition: request.h:163
name
static char const * name
Definition: rlm_redis_ippool_tool.c:156
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_rest.c:1312
fr_schedule_s
The scheduler.
Definition: schedule.c:125
module_s::instantiate
module_instantiate_t instantiate
Definition: module.h:146
module_s::bootstrap
module_instantiate_t bootstrap
Definition: module.h:145
sc
static const uchar sc[16]
Definition: smbdes.c:115
client_afrom_request
fr_client_t * client_afrom_request(TALLOC_CTX *ctx, request_t *request)
Create a new client, consuming all attributes in the control list of the request.
Definition: client.c:915
fr_assert
fr_assert(0)
MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633
vp
fr_pair_t * vp
Definition: state_machine.c:2271
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition: pair.h:69
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:270
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition: time.h:588
xlat_action_t
xlat_action_t
Definition: xlat.h:35
XLAT_ACTION_FAIL
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition: xlat.h:42
XLAT_ACTION_DONE
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition: xlat.h:41
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition: pair_inline.c:43
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition: pair_inline.c:70
parent
static fr_slen_t parent
Definition: pair.h:844
fr_socket_addr_swap
static void fr_socket_addr_swap(fr_socket_t *dst, fr_socket_t const *src)
Swap src/dst information of a fr_socket_t.
Definition: socket.h:121
fr_value_box_memdup
int fr_value_box_memdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, uint8_t const *src, size_t len, bool tainted)
Copy a buffer to a fr_value_box_t.
Definition: value.c:4417
fr_value_box_alloc
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition: value.h:608
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition: value.h:287
data
static fr_slen_t data
Definition: value.h:1259
out
static size_t char ** out
Definition: value.h:984
xlat_ctx_t
An xlat calling ctx.
Definition: xlat_ctx.h:42
xlat_func_register
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition: xlat_func.c:195
xlat_func_unregister
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition: xlat_func.c:531
Generated by   doxygen 1.9.1