 |
The FreeRADIUS server
$Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
|
|
The FreeRADIUS server
$Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
|
#include <freeradius-devel/radius/defs.h>#include <freeradius-devel/util/packet.h>#include <freeradius-devel/util/rand.h>#include <freeradius-devel/util/log.h>#include <freeradius-devel/util/dbuff.h>
Include dependency graph for radius.h: This graph shows which files directly or indirectly include this file:Go to the source code of this file.
Data Structures | |
| struct | fr_radius_ctx_t |
| struct | fr_radius_decode_ctx_t |
| struct | fr_radius_encode_ctx_t |
| struct | fr_radius_tag_ctx_t |
Functions | |
| void | _fr_packet_log_hex (fr_log_t const *log, fr_packet_t const *packet, char const *file, int line) |
| ssize_t | fr_packet_encode (fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret)) |
| Encode a packet. More... | |
| bool | fr_packet_ok (fr_packet_t *packet, uint32_t max_attributes, bool require_ma, decode_fail_t *reason)) |
| See if the data pointed to by PTR is a valid RADIUS packet. More... | |
| fr_packet_t * | fr_packet_recv (TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_ma) |
| Receive UDP client requests, and fill in the basics of a fr_packet_t structure. More... | |
| int | fr_packet_send (fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret)) |
| Reply to the request. More... | |
| int | fr_packet_sign (fr_packet_t *packet, fr_packet_t const *original, char const *secret)) |
| Sign a previously encoded packet. More... | |
| int | fr_packet_verify (fr_packet_t *packet, fr_packet_t *original, char const *secret)) |
| Verify the Request/Response Authenticator (and Message-Authenticator if present) of a packet. More... | |
| int | fr_radius_allow_reply (int code, bool allowed[static FR_RADIUS_CODE_MAX]) |
| ssize_t | fr_radius_ascend_secret (fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen, char const *secret, uint8_t const *vector) |
| Do Ascend-Send / Recv-Secret calculation. More... | |
| ssize_t | fr_radius_decode (TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx) |
| ssize_t | fr_radius_decode_abinary (fr_pair_t *vp, uint8_t const *data, size_t data_len) |
| Print an Ascend binary filter attribute to a string,. More... | |
| ssize_t | fr_radius_decode_foreign (TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len) |
| ssize_t | fr_radius_decode_pair (TALLOC_CTX *ctx, fr_pair_list_t *list, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx) |
| Create a "normal" fr_pair_t from the given data. More... | |
| ssize_t | fr_radius_decode_pair_value (TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *parent, uint8_t const *data, size_t const attr_len, void *packet_ctx) |
| Create any kind of VP from the attribute contents. More... | |
| ssize_t | fr_radius_decode_simple (TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)) |
| Simple wrapper for callers who just need a shared secret. More... | |
| ssize_t | fr_radius_decode_tlv (TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *parent, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx) |
| Convert TLVs to one or more VPs. More... | |
| int | fr_radius_decode_tlv_ok (uint8_t const *data, size_t length, size_t dv_type, size_t dv_length) |
| Check if a set of RADIUS formatted TLVs are OK. More... | |
| ssize_t | fr_radius_encode (uint8_t *packet, size_t packet_len, uint8_t const *original, char const *secret, size_t secret_len, int code, int id, fr_pair_list_t *vps) |
| Encode VPS into a raw RADIUS packet. More... | |
| ssize_t | fr_radius_encode_abinary (fr_pair_t const *vp, fr_dbuff_t *dbuff) |
| Encode a string to abinary. More... | |
| ssize_t | fr_radius_encode_dbuff (fr_dbuff_t *dbuff, uint8_t const *original, char const *secret, UNUSED size_t secret_len, int code, int id, fr_pair_list_t *vps) |
| ssize_t | fr_radius_encode_foreign (fr_dbuff_t *dbuff, fr_pair_list_t const *list) |
| ssize_t | fr_radius_encode_pair (fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx) |
| Encode a data structure into a RADIUS attribute. More... | |
| void | fr_radius_global_free (void) |
| int | fr_radius_global_init (void) |
| bool | fr_radius_ok (uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_ma, decode_fail_t *reason)) |
| See if the data pointed to by PTR is a valid RADIUS packet. More... | |
| void | fr_radius_packet_header_log (fr_log_t const *log, fr_packet_t *packet, bool received) |
| void | fr_radius_packet_log (fr_log_t const *log, fr_packet_t *packet, fr_pair_list_t *list, bool received) |
| ssize_t | fr_radius_recv_header (int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code) |
| Basic validation of RADIUS packet header. More... | |
| int | fr_radius_sign (uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)) |
| Sign a previously encoded packet. More... | |
| int | fr_radius_verify (uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_ma)) |
| Verify a request / response packet. More... | |
Variables | |
| char const * | fr_radius_packet_name [FR_RADIUS_CODE_MAX] |
| fr_table_num_sorted_t const | fr_radius_request_name_table [] |
| size_t | fr_radius_request_name_table_len |
| struct fr_radius_ctx_t |
| Data Fields | ||
|---|---|---|
| uint32_t | acct_delay_time | additional time to add to acct_delay_time |
| bool | add_proxy_state | do we add a Proxy-State? |
| uint64_t | my_proxy_state | if so, this is its value |
| char const * | secret | |
| size_t | secret_length | |
| uint8_t | vector[RADIUS_AUTH_VECTOR_LENGTH] | vector for authenticating the reply |
| struct fr_radius_decode_ctx_t |
Collaboration diagram for fr_radius_decode_ctx_t:| Data Fields | ||
|---|---|---|
| fr_radius_ctx_t * | common | |
| uint8_t const * | end | end of the packet |
| uint8_t const * | request_authenticator | |
| uint8_t | request_code | original code for the request. |
| bool | require_message_authenticator | |
| fr_pair_list_t * | tag_root | Where to insert tag attributes. |
| TALLOC_CTX * | tag_root_ctx | Where to allocate new tag attributes. |
| fr_radius_tag_ctx_t ** | tags | for decoding tagged attributes |
| TALLOC_CTX * | tmp_ctx | for temporary things cleaned up during decoding |
| bool | tunnel_password_zeros | check for trailing zeros on decode |
| bool | verify | can skip verify for dynamic clients |
| struct fr_radius_encode_ctx_t |
Collaboration diagram for fr_radius_encode_ctx_t:| Data Fields | ||
|---|---|---|
| fr_radius_ctx_t * | common | |
| bool | disallow_tunnel_passwords | not all packets can have tunnel passwords |
| fr_fast_rand_t | rand_ctx | for tunnel passwords |
| uint8_t const * | request_authenticator | |
| int | salt_offset | for tunnel passwords |
| bool | seen_message_authenticator | |
| uint8_t | tag | current tag for encoding |
| struct fr_radius_tag_ctx_t |
| #define AUTH_PASS_LEN (RADIUS_AUTH_VECTOR_LENGTH) |
| #define flag_abinary | ( | _flags | ) | (!(_flags)->extra && (_flags)->subtype == FLAG_ABINARY) |
| #define flag_concat | ( | _flags | ) | (!(_flags)->extra && (_flags)->subtype == FLAG_CONCAT) |
| #define flag_encrypted | ( | _flags | ) | (!(_flags)->extra && (_flags)->subtype >= FLAG_TAGGED_TUNNEL_PASSWORD) |
| #define flag_extended | ( | _flags | ) | (!(_flags)->extra && (((_flags)->subtype == FLAG_EXTENDED_ATTR) || (_flags)->subtype == FLAG_LONG_EXTENDED_ATTR)) |
| #define flag_has_tag | ( | _flags | ) | (!(_flags)->extra && (((_flags)->subtype == FLAG_HAS_TAG) || ((_flags)->subtype == FLAG_TAGGED_TUNNEL_PASSWORD))) |
| #define flag_long_extended | ( | _flags | ) | (!(_flags)->extra && (_flags)->subtype == FLAG_LONG_EXTENDED_ATTR) |
| #define flag_tunnel_password | ( | _flags | ) | (!(_flags)->extra && (((_flags)->subtype == FLAG_ENCRYPT_TUNNEL_PASSWORD) || ((_flags)->subtype == FLAG_TAGGED_TUNNEL_PASSWORD))) |
| #define fr_packet_log_hex | ( | _log, | |
| _packet | |||
| ) | _fr_packet_log_hex(_log, _packet, __FILE__, __LINE__) |
| #define FR_RADIUS_PACKET_CODE_VALID | ( | _x | ) | ((_x > 0) && (_x < FR_RADIUS_CODE_MAX)) |
| anonymous enum |
subtype values for RADIUS
Order of the flags is important for the flag_foo() checks.
| enum decode_fail_t |
| void _fr_packet_log_hex | ( | fr_log_t const * | log, |
| fr_packet_t const * | packet, | ||
| char const * | file, | ||
| int | line | ||
| ) |
| ssize_t fr_packet_encode | ( | fr_packet_t * | packet, |
| fr_pair_list_t * | list, | ||
| fr_packet_t const * | original, | ||
| char const * | secret | ||
| ) |
| bool fr_packet_ok | ( | fr_packet_t * | packet, |
| uint32_t | max_attributes, | ||
| bool | require_ma, | ||
| decode_fail_t * | reason | ||
| ) |
See if the data pointed to by PTR is a valid RADIUS packet.
Packet is not 'const * const' because we may update data_len, if there's more data in the UDP packet than in the RADIUS packet.
| [in] | packet | to check. |
| [in] | max_attributes | to decode. |
| [in] | require_ma | to require Message-Authenticator. |
| [out] | reason | if not NULL, will have the failure reason written to where it points. |
Definition at line 115 of file packet.c.
Here is the call graph for this function: Here is the caller graph for this function:| fr_packet_t* fr_packet_recv | ( | TALLOC_CTX * | ctx, |
| int | fd, | ||
| int | flags, | ||
| uint32_t | max_attributes, | ||
| bool | require_ma | ||
| ) |
Receive UDP client requests, and fill in the basics of a fr_packet_t structure.
Definition at line 211 of file packet.c.
Here is the call graph for this function: Here is the caller graph for this function:| int fr_packet_send | ( | fr_packet_t * | packet, |
| fr_pair_list_t * | list, | ||
| fr_packet_t const * | original, | ||
| char const * | secret | ||
| ) |
| int fr_packet_sign | ( | fr_packet_t * | packet, |
| fr_packet_t const * | original, | ||
| char const * | secret | ||
| ) |
| int fr_packet_verify | ( | fr_packet_t * | packet, |
| fr_packet_t * | original, | ||
| char const * | secret | ||
| ) |
| int fr_radius_allow_reply | ( | int | code, |
| bool | allowed[static FR_RADIUS_CODE_MAX] | ||
| ) |
| ssize_t fr_radius_ascend_secret | ( | fr_dbuff_t * | dbuff, |
| uint8_t const * | in, | ||
| size_t | inlen, | ||
| char const * | secret, | ||
| uint8_t const * | vector | ||
| ) |
Do Ascend-Send / Recv-Secret calculation.
The secret is hidden by xoring with a MD5 digest created from the RADIUS shared secret and the authentication vector. We put them into MD5 in the reverse order from that used when encrypting passwords to RADIUS.
Definition at line 190 of file base.c.
Here is the call graph for this function: Here is the caller graph for this function:| ssize_t fr_radius_decode | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | out, | ||
| uint8_t * | packet, | ||
| size_t | packet_len, | ||
| fr_radius_decode_ctx_t * | decode_ctx | ||
| ) |
Print an Ascend binary filter attribute to a string,.
Grrr... Ascend makes the server do this work, instead of doing it on the NAS.
| [in,out] | vp | Where the decoded string will be stored. |
| [in] | data | binary data to decodee |
| [in] | data_len | length of the binary data to decodee |
Definition at line 1322 of file abinary.c.
Here is the call graph for this function:| ssize_t fr_radius_decode_foreign | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | out, | ||
| uint8_t const * | data, | ||
| size_t | data_len | ||
| ) |
| ssize_t fr_radius_decode_pair | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | list, | ||
| uint8_t const * | data, | ||
| size_t | data_len, | ||
| fr_radius_decode_ctx_t * | packet_ctx | ||
| ) |
| ssize_t fr_radius_decode_pair_value | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | out, | ||
| fr_dict_attr_t const * | parent, | ||
| uint8_t const * | data, | ||
| size_t const | attr_len, | ||
| void * | decode_ctx | ||
| ) |
Create any kind of VP from the attribute contents.
"length" is AT LEAST the length of this attribute, as we expect the caller to have verified the data with fr_packet_ok(). "length" may be up to the length of the packet.
This function will ONLY return -1 on programmer error or OOM. If there's anything wrong with the attribute, it will ALWAYS create a "raw" attribute.
Definition at line 1475 of file decode.c.
Here is the call graph for this function: Here is the caller graph for this function:| ssize_t fr_radius_decode_simple | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | out, | ||
| uint8_t * | packet, | ||
| size_t | packet_len, | ||
| uint8_t const * | vector, | ||
| char const * | secret | ||
| ) |
| ssize_t fr_radius_decode_tlv | ( | TALLOC_CTX * | ctx, |
| fr_pair_list_t * | list, | ||
| fr_dict_attr_t const * | parent, | ||
| uint8_t const * | data, | ||
| size_t | data_len, | ||
| fr_radius_decode_ctx_t * | packet_ctx | ||
| ) |
| ssize_t fr_radius_encode_abinary | ( | fr_pair_t const * | vp, |
| fr_dbuff_t * | dbuff | ||
| ) |
Encode a string to abinary.
This routine will call routines to parse entries from an ASCII format to a binary format recognized by the Ascend boxes.
| vp | VP to encode |
| dbuff | where to write the VP data |
Definition at line 1198 of file abinary.c.
Here is the call graph for this function: Here is the caller graph for this function:| ssize_t fr_radius_encode_dbuff | ( | fr_dbuff_t * | dbuff, |
| uint8_t const * | original, | ||
| char const * | secret, | ||
| UNUSED size_t | secret_len, | ||
| int | code, | ||
| int | id, | ||
| fr_pair_list_t * | vps | ||
| ) |
| ssize_t fr_radius_encode_foreign | ( | fr_dbuff_t * | dbuff, |
| fr_pair_list_t const * | list | ||
| ) |
| ssize_t fr_radius_encode_pair | ( | fr_dbuff_t * | dbuff, |
| fr_dcursor_t * | cursor, | ||
| void * | encode_ctx | ||
| ) |
Encode a data structure into a RADIUS attribute.
This is the main entry point into the encoder. It sets up the encoder array we use for tracking our TLV/VSA nesting and then calls the appropriate dispatch function.
| [out] | dbuff | Where to write encoded data. |
| [in] | cursor | Specifying attribute to encode. |
| [in] | encode_ctx | Additional data such as the shared secret to use. |
Definition at line 1498 of file encode.c.
Here is the call graph for this function: Here is the caller graph for this function:| void fr_radius_global_free | ( | void | ) |
| int fr_radius_global_init | ( | void | ) |
| bool fr_radius_ok | ( | uint8_t const * | packet, |
| size_t * | packet_len_p, | ||
| uint32_t | max_attributes, | ||
| bool | require_ma, | ||
| decode_fail_t * | reason | ||
| ) |
See if the data pointed to by PTR is a valid RADIUS packet.
| [in] | packet | to check. |
| [in,out] | packet_len_p | The size of the packet data. |
| [in] | max_attributes | to allow in the packet. |
| [in] | require_ma | whether we require Message-Authenticator. |
| [in] | reason | if not NULL, will have the failure reason written to where it points. |
Definition at line 259 of file merged_model.c.
Here is the call graph for this function: Here is the caller graph for this function:| void fr_radius_packet_header_log | ( | fr_log_t const * | log, |
| fr_packet_t * | packet, | ||
| bool | received | ||
| ) |
| void fr_radius_packet_log | ( | fr_log_t const * | log, |
| fr_packet_t * | packet, | ||
| fr_pair_list_t * | list, | ||
| bool | received | ||
| ) |
| ssize_t fr_radius_recv_header | ( | int | sockfd, |
| fr_ipaddr_t * | src_ipaddr, | ||
| uint16_t * | src_port, | ||
| unsigned int * | code | ||
| ) |
Basic validation of RADIUS packet header.
| [in] | sockfd | we're reading from. |
| [out] | src_ipaddr | of the packet. |
| [out] | src_port | of the packet. |
| [out] | code | Pointer to where to write the packet code. |
Definition at line 228 of file base.c.
Here is the call graph for this function: Here is the caller graph for this function:| int fr_radius_sign | ( | uint8_t * | packet, |
| uint8_t const * | vector, | ||
| uint8_t const * | secret, | ||
| size_t | secret_len | ||
| ) |
Sign a previously encoded packet.
Calculates the request/response authenticator for packets which need it, and fills in the message-authenticator value if the attribute is present in the encoded packet.
| [in,out] | packet | (request or response). |
| [in] | vector | original packet vector to use |
| [in] | secret | to sign the packet with. |
| [in] | secret_len | The length of the secret. |
Definition at line 301 of file base.c.
Here is the call graph for this function: Here is the caller graph for this function:| int fr_radius_verify | ( | uint8_t * | packet, |
| uint8_t const * | vector, | ||
| uint8_t const * | secret, | ||
| size_t | secret_len, | ||
| bool | require_ma | ||
| ) |
Verify a request / response packet.
This function does its work by calling fr_radius_sign(), and then comparing the signature in the packet with the one we calculated. If they differ, there's a problem.
| [in] | packet | the raw RADIUS packet (request or response) |
| [in] | vector | the original packet vector |
| [in] | secret | the shared secret |
| [in] | secret_len | the length of the secret |
| [in] | require_ma | whether we require Message-Authenticator. |
Definition at line 719 of file base.c.
Here is the call graph for this function: Here is the caller graph for this function:
|
extern |
|
extern |
1.9.1