All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
tls_listen.c
Go to the documentation of this file.
1 /*
2  * tls.c
3  *
4  * Version: $Id: 092ed9e8b77ee808e006b3df05d4fedff9a35e72 $
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21  * Copyright 2003 Alan DeKok <aland@freeradius.org>
22  * Copyright 2006 The FreeRADIUS server project
23  */
24 
25 RCSID("$Id: 092ed9e8b77ee808e006b3df05d4fedff9a35e72 $")
26 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
27 
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/process.h>
30 #include <freeradius-devel/rad_assert.h>
31 
32 #ifdef HAVE_SYS_STAT_H
33 #include <sys/stat.h>
34 #endif
35 
36 #ifdef WITH_TLS
37 #ifdef HAVE_OPENSSL_RAND_H
38 #include <openssl/rand.h>
39 #endif
40 
41 #ifdef HAVE_OPENSSL_OCSP_H
42 #include <openssl/ocsp.h>
43 #endif
44 
45 /*
46  * This is easier than ifdef's throughout the code.
47  */
48 #ifdef HAVE_PTHREAD_H
49 # define PTHREAD_MUTEX_LOCK pthread_mutex_lock
50 # define PTHREAD_MUTEX_UNLOCK pthread_mutex_unlock
51 #else
52 # define PTHREAD_MUTEX_LOCK(_x)
53 # define PTHREAD_MUTEX_UNLOCK(_x)
54 #endif
55 
56 static void dump_hex(char const *msg, uint8_t const *data, size_t data_len)
57 {
58  size_t i;
59 
60  if (rad_debug_lvl < 3) return;
61 
62  printf("%s %d\n", msg, (int) data_len);
63  if (data_len > 256) data_len = 256;
64 
65  for (i = 0; i < data_len; i++) {
66  if ((i & 0x0f) == 0x00) printf ("%02x: ", (unsigned int) i);
67  printf("%02x ", data[i]);
68  if ((i & 0x0f) == 0x0f) printf ("\n");
69  }
70  printf("\n");
71  fflush(stdout);
72 }
73 
74 static void tls_socket_close(rad_listen_t *listener)
75 {
76  listen_socket_t *sock = listener->data;
77 
78  SSL_shutdown(sock->tls_session->ssl);
79 
80  listener->status = RAD_LISTEN_STATUS_EOL;
81  listener->tls = NULL; /* parent owns this! */
82 
83  /*
84  * Tell the event handler that an FD has disappeared.
85  */
86  DEBUG("Client has closed connection");
87  radius_update_listener(listener);
88 
89  /*
90  * Do NOT free the listener here. It's in use by
91  * a request, and will need to hang around until
92  * all of the requests are done.
93  *
94  * It is instead free'd in remove_from_request_hash()
95  */
96 }
97 
98 static int CC_HINT(nonnull) tls_socket_write(rad_listen_t *listener, REQUEST *request)
99 {
100  uint8_t *p;
101  ssize_t rcode;
102  listen_socket_t *sock = listener->data;
103 
104  p = sock->tls_session->dirty_out.data;
105 
106  while (p < (sock->tls_session->dirty_out.data + sock->tls_session->dirty_out.used)) {
107  RDEBUG3("Writing to socket %d", request->packet->sockfd);
108  rcode = write(request->packet->sockfd, p,
109  (sock->tls_session->dirty_out.data + sock->tls_session->dirty_out.used) - p);
110  if (rcode <= 0) {
111  RDEBUG("Error writing to TLS socket: %s", fr_syserror(errno));
112 
113  tls_socket_close(listener);
114  return 0;
115  }
116  p += rcode;
117  }
118 
119  sock->tls_session->dirty_out.used = 0;
120 
121  return 1;
122 }
123 
124 
125 static int tls_socket_recv(rad_listen_t *listener)
126 {
127  bool doing_init = false;
128  ssize_t rcode;
129  RADIUS_PACKET *packet;
130  REQUEST *request;
131  listen_socket_t *sock = listener->data;
132  fr_tls_status_t status;
133  RADCLIENT *client = sock->client;
134 
135  if (!sock->packet) {
136  sock->packet = fr_radius_alloc(sock, false);
137  if (!sock->packet) return 0;
138 
139  sock->packet->sockfd = listener->fd;
140  sock->packet->src_ipaddr = sock->other_ipaddr;
141  sock->packet->src_port = sock->other_port;
142  sock->packet->dst_ipaddr = sock->my_ipaddr;
143  sock->packet->dst_port = sock->my_port;
144 
145  if (sock->request) sock->request->packet = talloc_steal(sock->request, sock->packet);
146  }
147 
148  /*
149  * Allocate a REQUEST for debugging, and initialize the TLS session.
150  */
151  if (!sock->request) {
152  sock->request = request = request_alloc(sock);
153  if (!sock->request) {
154  ERROR("Out of memory");
155  return 0;
156  }
157 
158  rad_assert(request->packet == NULL);
159  rad_assert(sock->packet != NULL);
160  request->packet = talloc_steal(request, sock->packet);
161 
162  request->component = "<tls-connect>";
163 
164  request->reply = fr_radius_alloc(request, false);
165  if (!request->reply) return 0;
166 
167  rad_assert(sock->tls_session == NULL);
168 
169  sock->tls_session = tls_session_init_server(sock, listener->tls, sock->request,
170  listener->tls->require_client_cert);
171  if (!sock->tls_session) {
172  TALLOC_FREE(sock->request);
173  sock->packet = NULL;
174  return 0;
175  }
176 
177  SSL_set_ex_data(sock->tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
178 
179  doing_init = true;
180  }
181 
182  rad_assert(sock->request != NULL);
183  rad_assert(sock->request->packet != NULL);
184  rad_assert(sock->packet != NULL);
185  rad_assert(sock->tls_session != NULL);
186 
187  request = sock->request;
188 
189  RDEBUG3("Reading from socket %d", request->packet->sockfd);
190  PTHREAD_MUTEX_LOCK(&sock->mutex);
191  rcode = read(request->packet->sockfd,
192  sock->tls_session->dirty_in.data,
193  sizeof(sock->tls_session->dirty_in.data));
194  if ((rcode < 0) && (errno == ECONNRESET)) {
195  do_close:
196  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
197  DEBUG("Closing TLS socket from client port %u", sock->other_port);
198  tls_socket_close(listener);
199  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
200  return 0;
201  }
202 
203  if (rcode < 0) {
204  RDEBUG("Error reading TLS socket: %s", fr_syserror(errno));
205  goto do_close;
206  }
207 
208  /*
209  * Normal socket close.
210  */
211  if (rcode == 0) goto do_close;
212 
213  sock->tls_session->dirty_in.used = rcode;
214 
215  dump_hex("READ FROM SSL", sock->tls_session->dirty_in.data, sock->tls_session->dirty_in.used);
216 
217  /*
218  * Catch attempts to use non-SSL.
219  */
220  if (doing_init && (sock->tls_session->dirty_in.data[0] != handshake)) {
221  RDEBUG("Non-TLS data sent to TLS socket: closing");
222  goto do_close;
223  }
224 
225  /*
226  * If we need to do more initialization, do that here.
227  */
228  if (!SSL_is_init_finished(sock->tls_session->ssl)) {
229  if (!tls_handshake_recv(request, sock->tls_session)) {
230  RDEBUG("FAILED in TLS handshake receive");
231  goto do_close;
232  }
233 
234  /*
235  * More ACK data to send. Do so.
236  */
237  if (sock->tls_session->dirty_out.used > 0) {
238  tls_socket_write(listener, request);
239  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
240  return 0;
241  }
242 
243  /*
244  * FIXME: Run the request through a virtual
245  * server in order to see if we like the
246  * certificate presented by the client.
247  */
248  }
249 
250  /*
251  * Try to get application data.
252  */
253  status = tls_application_data(sock->tls_session, request);
254  RDEBUG("Application data status %d", status);
255 
256  if (status == FR_TLS_RECORD_FRAGMENT_MORE) {
257  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
258  return 0;
259  }
260 
261  if (sock->tls_session->clean_out.used == 0) {
262  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
263  return 0;
264  }
265 
266  /*
267  * We now have a bunch of application data.
268  */
269  dump_hex("TUNNELED DATA > ", sock->tls_session->clean_out.data, sock->tls_session->clean_out.used);
270 
271  /*
272  * If the packet is a complete RADIUS packet, return it to
273  * the caller. Otherwise...
274  */
275  if ((sock->tls_session->clean_out.used < 20) ||
276  (((sock->tls_session->clean_out.data[2] << 8) | sock->tls_session->clean_out.data[3]) != (int) sock->tls_session->clean_out.used)) {
277  RDEBUG("Received bad packet: Length %zd contents %d",
278  sock->tls_session->clean_out.used,
279  (sock->tls_session->clean_out.data[2] << 8) | sock->tls_session->clean_out.data[3]);
280  goto do_close;
281  }
282 
283  packet = sock->packet;
284  packet->data = talloc_array(packet, uint8_t, sock->tls_session->clean_out.used);
285  packet->data_len = sock->tls_session->clean_out.used;
286  sock->tls_session->record_to_buff(&sock->tls_session->clean_out, packet->data, packet->data_len);
287  packet->vps = NULL;
288  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
289 
290  if (!fr_radius_ok(packet, 0, NULL)) {
291  if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
292  DEBUG("Closing TLS socket from client");
293  PTHREAD_MUTEX_LOCK(&sock->mutex);
294  tls_socket_close(listener);
295  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
296  return 0; /* do_close unlocks the mutex */
297  }
298 
299  /*
300  * Copied from src/lib/radius.c, fr_radius_recv();
301  */
302  if (fr_debug_lvl) {
303  char host_ipaddr[INET6_ADDRSTRLEN];
304 
305  if (is_radius_code(packet->code)) {
306  RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
307  fr_packet_codes[packet->code],
308  inet_ntop(packet->src_ipaddr.af,
309  &packet->src_ipaddr.ipaddr,
310  host_ipaddr, sizeof(host_ipaddr)),
311  packet->src_port,
312  packet->id, (int) packet->data_len);
313  } else {
314  RDEBUG("tls_recv: Packet from host %s port %d code=%d, id=%d, length=%d",
315  inet_ntop(packet->src_ipaddr.af,
316  &packet->src_ipaddr.ipaddr,
317  host_ipaddr, sizeof(host_ipaddr)),
318  packet->src_port,
319  packet->code,
320  packet->id, (int) packet->data_len);
321  }
322  }
323 
324  FR_STATS_INC(auth, total_requests);
325 
326  return 1;
327 }
328 
329 
330 int dual_tls_recv(rad_listen_t *listener)
331 {
332  RADIUS_PACKET *packet;
333  RAD_REQUEST_FUNP fun = NULL;
334  listen_socket_t *sock = listener->data;
335  RADCLIENT *client = sock->client;
336 
337  if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
338 
339  if (!tls_socket_recv(listener)) {
340  return 0;
341  }
342 
343  rad_assert(sock->packet != NULL);
344  rad_assert(sock->tls_session != NULL);
345  rad_assert(client != NULL);
346 
347  packet = talloc_steal(NULL, sock->packet);
348  sock->packet = NULL;
349 
350  gettimeofday(&packet->timestamp, NULL);
351 
352  /*
353  * Some sanity checks, based on the packet code.
354  *
355  * "auth+acct" are marked as "auth", with the "dual" flag
356  * set.
357  */
358  switch (packet->code) {
360  if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
361  FR_STATS_INC(auth, total_requests);
362  fun = rad_authenticate;
363  break;
364 
365 #ifdef WITH_ACCOUNTING
367  if (listener->type != RAD_LISTEN_ACCT) {
368  /*
369  * Allow auth + dual. Disallow
370  * everything else.
371  */
372  if (!((listener->type == RAD_LISTEN_AUTH) &&
373  (listener->dual))) {
374  goto bad_packet;
375  }
376  }
377  FR_STATS_INC(acct, total_requests);
378  fun = rad_accounting;
379  break;
380 #endif
381 
383  if (!main_config.status_server) {
384  FR_STATS_INC(auth, total_unknown_types);
385  WARN("Ignoring Status-Server request due to security configuration");
386  fr_radius_free(&packet);
387  return 0;
388  }
389  fun = rad_status_server;
390  break;
391 
392  default:
393  bad_packet:
394  FR_STATS_INC(auth, total_unknown_types);
395 
396  DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED",
397  packet->code, client->shortname, packet->src_port);
398  fr_radius_free(&packet);
399  return 0;
400  } /* switch over packet types */
401 
402  if (!request_receive(NULL, listener, packet, client, fun)) {
403  FR_STATS_INC(auth, total_packets_dropped);
404  fr_radius_free(&packet);
405  return 0;
406  }
407 
408  return 1;
409 }
410 
411 
412 /*
413  * Send a response packet
414  */
415 int dual_tls_send(rad_listen_t *listener, REQUEST *request)
416 {
417  listen_socket_t *sock = listener->data;
418 
419  VERIFY_REQUEST(request);
420 
421  rad_assert(request->listener == listener);
422  rad_assert(listener->send == dual_tls_send);
423 
424  if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
425 
426  /*
427  * Accounting reject's are silently dropped.
428  *
429  * We do it here to avoid polluting the rest of the
430  * code with this knowledge
431  */
432  if (request->reply->code == 0) return 0;
433 
434  /*
435  * Pack the VPs
436  */
437  if (fr_radius_encode(request->reply, request->packet,
438  request->client->secret) < 0) {
439  RERROR("Failed encoding packet: %s", fr_strerror());
440  return 0;
441  }
442 
443  /*
444  * Sign the packet.
445  */
446  if (fr_radius_sign(request->reply, request->packet,
447  request->client->secret) < 0) {
448  RERROR("Failed signing packet: %s", fr_strerror());
449  return 0;
450  }
451 
452  PTHREAD_MUTEX_LOCK(&sock->mutex);
453 
454  /*
455  * Write the packet to the SSL buffers.
456  */
457  sock->tls_session->record_from_buff(&sock->tls_session->clean_in,
458  request->reply->data, request->reply->data_len);
459 
460  dump_hex("TUNNELED DATA < ", sock->tls_session->clean_in.data, sock->tls_session->clean_in.used);
461 
462  /*
463  * Do SSL magic to get encrypted data.
464  */
465  tls_handshake_send(request, sock->tls_session);
466 
467  /*
468  * And finally write the data to the socket.
469  */
470  if (sock->tls_session->dirty_out.used > 0) {
471  dump_hex("WRITE TO SSL", sock->tls_session->dirty_out.data, sock->tls_session->dirty_out.used);
472 
473  tls_socket_write(listener, request);
474  }
475  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
476 
477  return 0;
478 }
479 
480 
481 #ifdef WITH_PROXY
482 /*
483  * Read from the SSL socket. Safe with either blocking or
484  * non-blocking IO. This level of complexity is probably not
485  * necessary, as each packet gets put into one SSL application
486  * record. When SSL has a full record, we should be able to read
487  * the entire packet via one SSL_read().
488  *
489  * When SSL has a partial record, SSL_read() will return
490  * WANT_READ or WANT_WRITE, and zero application data.
491  *
492  * Called with the mutex held.
493  */
494 static ssize_t proxy_tls_read(rad_listen_t *listener)
495 {
496  int rcode;
497  size_t length;
498  uint8_t *data;
499  listen_socket_t *sock = listener->data;
500 
501  /*
502  * Get the maximum size of data to receive.
503  */
504  if (!sock->data) sock->data = talloc_array(sock, uint8_t,
505  sock->tls_session->mtu);
506 
507  data = sock->data;
508 
509  if (sock->partial < 4) {
510  rcode = SSL_read(sock->tls_session->ssl, data + sock->partial,
511  4 - sock->partial);
512  if (rcode <= 0) {
513  int err = SSL_get_error(sock->tls_session->ssl, rcode);
514  switch (err) {
515  case SSL_ERROR_WANT_READ:
516  case SSL_ERROR_WANT_WRITE:
517  return 0; /* do some more work later */
518 
519  case SSL_ERROR_ZERO_RETURN:
520  /* remote end sent close_notify, send one back */
521  SSL_shutdown(sock->tls_session->ssl);
522 
523  case SSL_ERROR_SYSCALL:
524  do_close:
525  return -1;
526 
527  default:
528  while ((err = ERR_get_error())) {
529  DEBUG("proxy recv says %s",
530  ERR_error_string(err, NULL));
531  }
532 
533  goto do_close;
534  }
535  }
536 
537  sock->partial = rcode;
538  } /* try reading the packet header */
539 
540  if (sock->partial < 4) return 0; /* read more data */
541 
542  length = (data[2] << 8) | data[3];
543 
544  /*
545  * Do these checks only once, when we read the header.
546  */
547  if (sock->partial == 4) {
548  DEBUG3("Proxy received header saying we have a packet of %u bytes",
549  (unsigned int) length);
550 
551  /*
552  * FIXME: allocate a RADIUS_PACKET, and set
553  * "data" to be as large as necessary.
554  */
555  if (length > sock->tls_session->mtu) {
556  INFO("Received packet will be too large! Set \"fragment_size = %u\"",
557  (data[2] << 8) | data[3]);
558  goto do_close;
559  }
560  }
561 
562  /*
563  * Try to read some more.
564  */
565  if (sock->partial < length) {
566  rcode = SSL_read(sock->tls_session->ssl, data + sock->partial,
567  length - sock->partial);
568  if (rcode <= 0) {
569  switch (SSL_get_error(sock->tls_session->ssl, rcode)) {
570  case SSL_ERROR_WANT_READ:
571  case SSL_ERROR_WANT_WRITE:
572  return 0;
573 
574  case SSL_ERROR_ZERO_RETURN:
575  /* remote end sent close_notify, send one back */
576  SSL_shutdown(sock->tls_session->ssl);
577  goto do_close;
578  default:
579  goto do_close;
580  }
581  }
582 
583  sock->partial += rcode;
584  }
585 
586  /*
587  * If we're not done, say so.
588  *
589  * Otherwise, reset the partially read data flag, and say
590  * we have a packet.
591  */
592  if (sock->partial < length) {
593  return 0;
594  }
595 
596  sock->partial = 0; /* we've now read the packet */
597  return length;
598 }
599 
600 
601 int proxy_tls_recv(rad_listen_t *listener)
602 {
603  listen_socket_t *sock = listener->data;
604  char buffer[256];
605  RADIUS_PACKET *packet;
606  uint8_t *data;
607  ssize_t data_len;
608 
609  if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
610 
611  DEBUG3("Proxy SSL socket has data to read");
612  PTHREAD_MUTEX_LOCK(&sock->mutex);
613  data_len = proxy_tls_read(listener);
614  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
615 
616  if (data_len < 0) {
617  DEBUG("Closing TLS socket to home server");
618  PTHREAD_MUTEX_LOCK(&sock->mutex);
619  tls_socket_close(listener);
620  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
621  return 0;
622  }
623 
624  if (data_len == 0) return 0; /* not done yet */
625 
626  data = sock->data;
627 
628  packet = fr_radius_alloc(sock, false);
629  packet->sockfd = listener->fd;
630  packet->src_ipaddr = sock->other_ipaddr;
631  packet->src_port = sock->other_port;
632  packet->dst_ipaddr = sock->my_ipaddr;
633  packet->dst_port = sock->my_port;
634  packet->code = data[0];
635  packet->id = data[1];
636  packet->data_len = data_len;
637  packet->data = talloc_array(packet, uint8_t, packet->data_len);
638  memcpy(packet->data, data, packet->data_len);
639  memcpy(packet->vector, packet->data + 4, 16);
640 
641  /*
642  * FIXME: Client MIB updates?
643  */
644  switch (packet->code) {
648  break;
649 
650 #ifdef WITH_ACCOUNTING
652  break;
653 #endif
654 
655  default:
656  /*
657  * FIXME: Update MIB for packet types?
658  */
659  ERROR("Invalid packet code %d sent to a proxy port "
660  "from home server %s port %d - ID %d : IGNORED",
661  packet->code,
662  fr_inet_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
663  packet->src_port, packet->id);
664  fr_radius_free(&packet);
665  return 0;
666  }
667 
668  if (!request_proxy_reply(packet)) {
669  fr_radius_free(&packet);
670  return 0;
671  }
672 
673  return 1;
674 }
675 
676 
677 int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
678 {
679  int rcode;
680  listen_socket_t *sock = listener->data;
681 
682  VERIFY_REQUEST(request);
683 
684  if ((listener->status != RAD_LISTEN_STATUS_INIT) &&
685  (listener->status != RAD_LISTEN_STATUS_KNOWN)) return 0;
686 
687  /*
688  * Normal proxying calls us with the data already
689  * encoded. The "ping home server" code does not. So,
690  * if there's no packet, encode it here.
691  */
692  if (!request->proxy->data) {
693  request->proxy_listener->encode(request->proxy_listener,
694  request);
695  }
696 
697  DEBUG3("Proxy is writing %u bytes to SSL",
698  (unsigned int) request->proxy->data_len);
699  PTHREAD_MUTEX_LOCK(&sock->mutex);
700  rcode = SSL_write(sock->tls_session->ssl, request->proxy->data,
701  request->proxy->data_len);
702  if (rcode < 0) {
703  int err;
704 
705  err = ERR_get_error();
706  switch (err) {
707  case SSL_ERROR_NONE:
708  case SSL_ERROR_WANT_READ:
709  case SSL_ERROR_WANT_WRITE:
710  break; /* let someone else retry */
711 
712  default:
713  DEBUG("proxy SSL_write says %s",
714  ERR_error_string(err, NULL));
715  DEBUG("Closing TLS socket to home server");
716  tls_socket_close(listener);
717  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
718  return 0;
719  }
720  }
721  PTHREAD_MUTEX_UNLOCK(&sock->mutex);
722 
723  return 1;
724 }
725 #endif /* WITH_PROXY */
726 
727 #endif /* WITH_TLS */
int sockfd
Socket this packet was read from.
Definition: libradius.h:147
int id
Packet ID (used to link requests/responses).
Definition: libradius.h:154
struct timeval timestamp
When we received the packet.
Definition: libradius.h:159
#define DEBUG3(fmt,...)
Definition: log.h:177
#define RERROR(fmt,...)
Definition: log.h:207
RADCLIENT * client
Definition: listen.h:158
bfd_auth_t auth
Definition: proto_bfd.c:209
RFC2865 - Access-Challenge.
Definition: radius.h:102
Main server configuration.
Definition: radiusd.h:108
RAD_LISTEN_TYPE type
Definition: listen.h:76
uint16_t other_port
Definition: listen.h:141
uint16_t my_port
Definition: listen.h:122
int rad_accounting(REQUEST *)
Definition: acct.c:38
char const * fr_packet_codes[FR_MAX_PACKET_CODE]
Definition: radius.c:101
fr_ipaddr_t other_ipaddr
Definition: listen.h:140
fr_ipaddr_t src_ipaddr
Src IP address of packet.
Definition: libradius.h:149
#define INFO(fmt,...)
Definition: log.h:143
int fd
Definition: listen.h:77
#define CC_HINT(_x)
Definition: build.h:71
VALUE_PAIR * vps
Result of decoding the packet into VALUE_PAIRs.
Definition: libradius.h:162
char const * inet_ntop(int af, void const *src, char *dst, size_t cnt)
Definition: missing.c:538
char const * secret
Secret PSK.
Definition: clients.h:43
#define PTHREAD_MUTEX_LOCK(_x)
Definition: cbuff.c:32
uint8_t length
Definition: proto_bfd.c:203
rad_listen_t * listener
The listener that received the request.
Definition: radiusd.h:218
#define VERIFY_REQUEST(_x)
Definition: radiusd.h:188
uint8_t * data
Packet data (body).
Definition: libradius.h:160
rad_listen_send_t send
Definition: listen.h:96
uint16_t dst_port
DST Port of packet.
Definition: libradius.h:152
uint16_t src_port
Src port of packet.
Definition: libradius.h:151
fr_ipaddr_t dst_ipaddr
Dst IP address of packet.
Definition: libradius.h:150
fr_ipaddr_t my_ipaddr
Definition: listen.h:121
int fr_debug_lvl
Definition: misc.c:40
#define FR_STATS_INC(_x, _y)
Definition: stats.h:89
RFC2866 - Accounting-Response.
Definition: radius.h:96
RADIUS_PACKET * proxy
Outgoing request to proxy server.
Definition: radiusd.h:237
RFC2865 - Access-Reject.
Definition: radius.h:94
int af
Address family.
Definition: inet.h:42
#define rad_assert(expr)
Definition: rad_assert.h:38
RFC2865 - Access-Request.
Definition: radius.h:92
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition: log.c:238
#define DEBUG(fmt,...)
Definition: log.h:175
int(* RAD_REQUEST_FUNP)(REQUEST *)
Definition: process.h:51
bool fr_radius_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
See if the data pointed to by PTR is a valid RADIUS packet.
Definition: radius.c:731
char const * component
Section the request is in.
Definition: radiusd.h:254
int rad_authenticate(REQUEST *)
Definition: auth.c:348
RFC2866 - Accounting-Request.
Definition: radius.h:95
RADIUS_PACKET * fr_radius_alloc(TALLOC_CTX *ctx, bool new_vector)
Allocate a new RADIUS_PACKET.
Definition: radius.c:1651
union fr_ipaddr_t::@1 ipaddr
unsigned int code
Packet code (type).
Definition: libradius.h:155
#define PTHREAD_MUTEX_UNLOCK(_x)
Definition: cbuff.c:33
RFC2865 - Access-Accept.
Definition: radius.h:93
RADIUS_PACKET * reply
Outgoing response.
Definition: radiusd.h:225
bool dual
Definition: listen.h:83
uint8_t vector[AUTH_VECTOR_LEN]
RADIUS authentication vector.
Definition: libradius.h:157
char const * fr_strerror(void)
Get the last library error.
Definition: log.c:212
int request_receive(TALLOC_CTX *ctx, rad_listen_t *listener, RADIUS_PACKET *packet, RADCLIENT *client, RAD_REQUEST_FUNP fun)
Definition: process.c:1523
Describes a host allowed to send packets to the server.
Definition: clients.h:35
uint8_t data[]
Definition: eap_pwd.h:625
rad_listen_t * proxy_listener
Listener for outgoing requests.
Definition: radiusd.h:236
log_lvl_t rad_debug_lvl
Global debugging level.
Definition: log.c:49
void fr_radius_free(RADIUS_PACKET **)
Free a RADIUS_PACKET.
Definition: radius.c:1727
size_t data_len
Length of packet data.
Definition: libradius.h:161
RADIUS_PACKET * packet
Incoming request.
Definition: radiusd.h:221
#define WARN(fmt,...)
Definition: log.h:144
int status
Definition: listen.h:79
RADIUS_PACKET * packet
Definition: listen.h:160
int fr_radius_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original, char const *secret)
Encode a packet.
Definition: radius.c:1318
RFC2865/RFC5997 - Status Server (request)
Definition: radius.h:103
bool status_server
Whether to respond to status-server messages.
Definition: radiusd.h:129
void * data
Definition: listen.h:103
int request_proxy_reply(RADIUS_PACKET *packet)
Definition: process.c:2418
int rad_status_server(REQUEST *request)
Definition: listen.c:596
RADCLIENT * client
The client that originally sent us the request.
Definition: radiusd.h:219
#define RCSID(id)
Definition: build.h:135
void radius_update_listener(rad_listen_t *listener)
Definition: process.c:336
char const * fr_inet_ntoh(fr_ipaddr_t const *src, char *out, size_t outlen)
Perform reverse resolution of an IP address.
Definition: inet.c:226
#define DEBUG_ENABLED
True if global debug level 1 messages are enabled.
Definition: log.h:169
#define RDEBUG(fmt,...)
Definition: log.h:243
#define ERROR(fmt,...)
Definition: log.h:145
#define is_radius_code(_x)
Definition: libradius.h:372
REQUEST * request_alloc(TALLOC_CTX *ctx)
Create a new REQUEST data structure.
Definition: request.c:85
#define USES_APPLE_DEPRECATED_API
Definition: build.h:122
rad_listen_encode_t encode
Definition: listen.h:97
char const * shortname
Client nickname.
Definition: clients.h:41
#define RDEBUG3(fmt,...)
Definition: log.h:245
int fr_radius_sign(RADIUS_PACKET *packet, RADIUS_PACKET const *original, char const *secret)
Sign a previously encoded packet.
Definition: radius.c:389