The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
bio.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 6d7179322f33c86749f768a1f4e528b861758738 $
19 * @file src/modules/rlm_radius/bio.c
20 * @brief RADIUS BIO transport
21 *
22 * @copyright 2017 Network RADIUS SAS
23 * @copyright 2020 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
24 */
25
26#include <freeradius-devel/io/application.h>
27#include <freeradius-devel/io/listen.h>
28#include <freeradius-devel/io/pair.h>
29#include <freeradius-devel/missing.h>
30#include <freeradius-devel/server/connection.h>
31#include <freeradius-devel/util/debug.h>
32#include <freeradius-devel/util/heap.h>
33#include <freeradius-devel/util/rb_expire.h>
34
35#include <sys/socket.h>
36
37//#include "rlm_radius.h"
38#include "track.h"
39
40typedef enum {
41 LIMIT_PORTS_NONE = 0, //!< Source port not restricted
42 LIMIT_PORTS_STATIC, //!< Limited source ports for static home servers
43 LIMIT_PORTS_DYNAMIC //!< Limited source ports for dynamic home servers
45
46typedef struct {
47 char const *module_name; //!< the module that opened the connection
48 rlm_radius_t const *inst; //!< our instance
49 fr_event_list_t *el; //!< Event list.
50 trunk_t *trunk; //!< trunk handler
51 fr_bio_fd_config_t fd_config; //!< for threads or sockets
52 fr_bio_fd_info_t const *fd_info; //!< status of the FD.
53 fr_radius_ctx_t radius_ctx; //!< for signing packets
54 bio_limit_ports_t limit_source_ports; //!< What type of port limit is in use.
56
57typedef struct {
58 bio_handle_ctx_t ctx; //!< common struct for home servers and BIO handles
59
60 struct {
61 fr_bio_t *fd; //!< writing
62 uint32_t id; //!< for replication
63 fr_rb_expire_t expires; //!< for proxying / client sending
64 } bio;
65
69
71
72/** Track the handle, which is tightly correlated with the FD
73 *
74 */
75typedef struct {
76 bio_handle_ctx_t ctx; //!< common struct for home servers and BIO handles
77
78 int fd; //!< File descriptor.
79
80 struct {
81 fr_bio_t *main; //!< what we use for IO
82 fr_bio_t *fd; //!< raw FD
83 fr_bio_t *mem; //!< memory wrappers for stream sockets
84 } bio;
85
87
88 uint8_t last_id; //!< Used when replicating to ensure IDs are distributed
89 ///< evenly.
90
91 uint32_t max_packet_size; //!< Our max packet size. may be different from the parent.
92
93 uint8_t *buffer; //!< Receive buffer.
94 size_t buflen; //!< Receive buffer length.
95
96 radius_track_t *tt; //!< RADIUS ID tracking structure.
97
98 fr_time_t mrs_time; //!< Most recent sent time which had a reply.
99 fr_time_t last_reply; //!< When we last received a reply.
100 fr_time_t first_sent; //!< first time we sent a packet since going idle
101 fr_time_t last_sent; //!< last time we sent a packet.
102 fr_time_t last_idle; //!< last time we had nothing to do
103
104 fr_timer_t *zombie_ev; //!< Zombie timeout.
105
106 bool status_checking; //!< whether we're doing status checks
107 bio_request_t *status_u; //!< for sending status check packets
110
111
112/** Connect request_t to local tracking structure
113 *
114 */
117 rlm_rcode_t rcode; //!< from the transport
119
120 uint32_t priority; //!< copied from request->async->priority
121 fr_time_t recv_time; //!< copied from request->async->recv_time
122
123 uint32_t num_replies; //!< number of reply packets, sent is in retry.count
124
125 bool status_check; //!< is this packet a status check?
126 bool proxied; //!< is this request being proxied
127
128 fr_pair_list_t extra; //!< VPs for debugging, like Proxy-State.
129
130 uint8_t code; //!< Packet code.
131 uint8_t id; //!< Last ID assigned to this packet.
132 uint8_t *packet; //!< Packet we write to the network.
133 size_t packet_len; //!< Length of the packet.
134 size_t partial; //!< partially sent data
135
136 radius_track_entry_t *rr; //!< ID tracking, resend count, etc.
137 fr_timer_t *ev; //!< timer for retransmissions
138 fr_retry_t retry; //!< retransmission timers
139};
140
141typedef struct {
142 bio_handle_ctx_t ctx; //!< for copying to bio_handle_t
143
145
147 connection_t *connections[]; //!< for tracking outbound connections
149
150
151/** Turn a reply code into a module rcode;
152 *
153 */
169
171 UNUSED int flags, void *uctx);
172
173static int encode(bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t id);
174
175static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
176 bio_handle_t *h, request_t *request, bio_request_t *u,
177 uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
178 uint8_t *data, size_t data_len);
179
181
182static void mod_write(request_t *request, trunk_request_t *treq, bio_handle_t *h);
183
184static int _bio_request_free(bio_request_t *u);
185
186static int8_t home_server_cmp(void const *one, void const *two);
187
188#ifndef NDEBUG
189/** Log additional information about a tracking entry
190 *
191 * @param[in] te Tracking entry we're logging information for.
192 * @param[in] log destination.
193 * @param[in] log_type Type of log message.
194 * @param[in] file the logging request was made in.
195 * @param[in] line logging request was made on.
196 */
197static void bio_tracking_entry_log(fr_log_t const *log, fr_log_type_t log_type, char const *file, int line,
199{
200 request_t *request;
201
202 if (!te->request) return; /* Free entry */
203
204 request = talloc_get_type_abort(te->request, request_t);
205
206 fr_log(log, log_type, file, line, "request %s, allocated %s:%d", request->name,
207 request->alloc_file, request->alloc_line);
208
209 trunk_request_state_log(log, log_type, file, line, talloc_get_type_abort(te->uctx, trunk_request_t));
210}
211#endif
212
213/** Clear out any connection specific resources from a udp request
214 *
215 */
217{
218 TALLOC_FREE(u->packet);
220
221 /*
222 * Can have packet put no u->rr
223 * if this is part of a pre-trunk status check.
224 */
225 if (u->rr) radius_track_entry_release(&u->rr);
226
228}
229
230/** Reset a status_check packet, ready to reuse
231 *
232 */
234{
235 fr_assert(u->status_check == true);
236
237 h->status_checking = false;
238 u->num_replies = 0; /* Reset */
239 u->retry.start = fr_time_wrap(0);
240
242
244}
245
246/*
247 * Status-Server checks. Manually build the packet, and
248 * all of its associated glue.
249 */
251{
252 bio_request_t *u;
253 request_t *request;
254 rlm_radius_t const *inst = h->ctx.inst;
255 map_t *map = NULL;
256
258
259 MEM(request = request_local_alloc_external(h, (&(request_init_args_t){ .namespace = dict_radius })));
260 MEM(u = talloc_zero(request, bio_request_t));
261 talloc_set_destructor(u, _bio_request_free);
262
263 h->status_u = u;
264
265 h->status_request = request;
267
268 /*
269 * Status checks are prioritized over any other packet
270 */
271 u->priority = ~(uint32_t) 0;
272 u->status_check = true;
273
274 /*
275 * Allocate outside of the free list.
276 * There appears to be an issue where
277 * the thread destructor runs too
278 * early, and frees the freelist's
279 * head before the module destructor
280 * runs.
281 */
282 request->async = talloc_zero(request, fr_async_t);
283 talloc_const_free(request->name);
284 request->name = talloc_strdup(request, h->ctx.module_name);
285
286 request->packet = fr_packet_alloc(request, false);
287 request->reply = fr_packet_alloc(request, false);
288
289 /*
290 * Create the VPs, and ignore any errors
291 * creating them.
292 */
293 while ((map = map_list_next(&inst->status_check_map, map))) {
294 (void) map_to_request(request, map, map_to_vp, NULL);
295 }
296
297 /*
298 * Ensure that there's a NAS-Identifier, if one wasn't
299 * already added.
300 */
301 if (!fr_pair_find_by_da(&request->request_pairs, NULL, attr_nas_identifier)) {
302 fr_pair_t *vp;
303
305 fr_pair_value_strdup(vp, "status check - are you alive?", false);
306 }
307
308 /*
309 * Always add an Event-Timestamp, which will be the time
310 * at which the first packet is sent. Or for
311 * Status-Server, the time of the current packet.
312 */
313 if (!fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp)) {
315 }
316
317 /*
318 * Initialize the request IO ctx. Note that we don't set
319 * destructors.
320 */
321 u->code = inst->status_check;
322 request->packet->code = u->code;
323
324 DEBUG3("%s - Status check packet type will be %s", h->ctx.module_name, fr_radius_packet_name[u->code]);
325 log_request_pair_list(L_DBG_LVL_3, request, NULL, &request->request_pairs, NULL);
326}
327
328/** Connection errored
329 *
330 * We were signalled by the event loop that a fatal error occurred on this connection.
331 *
332 * @param[in] el The event list signalling.
333 * @param[in] fd that errored.
334 * @param[in] flags El flags.
335 * @param[in] fd_errno The nature of the error.
336 * @param[in] uctx The trunk connection handle (tconn).
337 */
338static void conn_init_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, int fd_errno, void *uctx)
339{
340 connection_t *conn = talloc_get_type_abort(uctx, connection_t);
341 bio_handle_t *h;
342
343 /*
344 * Connection must be in the connecting state when this fires
345 */
347
348 h = talloc_get_type_abort(conn->h, bio_handle_t);
349
350 ERROR("%s - Connection %s failed: %s", h->ctx.module_name, h->ctx.fd_info->name, fr_syserror(fd_errno));
351
353}
354
355/** Status check timer when opening the connection for the first time.
356 *
357 * Setup retries, or fail the connection.
358 */
359static void conn_init_timeout(UNUSED fr_timer_list_t *tl, fr_time_t now, void *uctx)
360{
361 connection_t *conn = talloc_get_type_abort(uctx, connection_t);
362 bio_handle_t *h;
363 bio_request_t *u;
364
365 /*
366 * Connection must be in the connecting state when this fires
367 */
369
370 h = talloc_get_type_abort(conn->h, bio_handle_t);
371 u = h->status_u;
372
373 /*
374 * We're only interested in contiguous, good, replies.
375 */
376 u->num_replies = 0;
377
378 switch (fr_retry_next(&u->retry, now)) {
379 case FR_RETRY_MRD:
380 DEBUG("%s - Reached maximum_retransmit_duration (%pVs > %pVs), failing status checks",
383 goto fail;
384
385 case FR_RETRY_MRC:
386 DEBUG("%s - Reached maximum_retransmit_count (%u > %u), failing status checks",
388 fail:
390 return;
391
393 if (fr_event_fd_insert(h, NULL, conn->el, h->fd, conn_init_writable, NULL,
394 conn_init_error, conn) < 0) {
395 PERROR("%s - Failed inserting FD event", h->ctx.module_name);
397 }
398 return;
399 }
400
401 fr_assert(0);
402}
403
404/** Perform the next step of init and negotiation.
405 *
406 */
407static void conn_init_next(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
408{
409 connection_t *conn = talloc_get_type_abort(uctx, connection_t);
410 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
411
412 if (fr_event_fd_insert(h, NULL, conn->el, h->fd, conn_init_writable, NULL, conn_init_error, conn) < 0) {
413 PERROR("%s - Failed inserting FD event", h->ctx.module_name);
415 }
416}
417
418/** Read the connection during the init and negotiation stage.
419 *
420 */
421static void conn_init_readable(fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
422{
423 connection_t *conn = talloc_get_type_abort(uctx, connection_t);
424 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
425 trunk_t *trunk = h->ctx.trunk;
426 rlm_radius_t const *inst = h->ctx.inst;
427 bio_request_t *u = h->status_u;
428 ssize_t slen;
429 fr_pair_list_t reply;
430 uint8_t code = 0;
431
432 fr_pair_list_init(&reply);
433 slen = fr_bio_read(h->bio.main, NULL, h->buffer, h->buflen);
434 if (slen == 0) {
435 /*
436 * @todo - set BIO FD EOF callback, so that we don't have to check it here.
437 */
438 if (h->ctx.fd_info->eof) goto failed;
439 return;
440 }
441
442 /*
443 * We're done reading, return.
444 */
445 if (slen == fr_bio_error(IO_WOULD_BLOCK)) return;
446
447 if (slen < 0) {
448 switch (errno) {
449 case ECONNREFUSED:
450 ERROR("%s - Failed reading response from socket: there is no server listening on outgoing connection %s",
451 h->ctx.module_name, h->ctx.fd_info->name);
452 break;
453
454 default:
455 ERROR("%s - Failed reading response from socket: %s",
456 h->ctx.module_name, fr_syserror(errno));
457 break;
458 }
459
460 failed:
462 return;
463 }
464
465 /*
466 * Where we just return in this function, we're letting
467 * the response timer take care of progressing the
468 * connection attempt.
469 */
470 fr_assert(slen >= RADIUS_HEADER_LENGTH); /* checked in verify */
471
472 if (u->id != h->buffer[1]) {
473 ERROR("%s - Received response with incorrect or expired ID. Expected %u, got %u",
474 h->ctx.module_name, u->id, h->buffer[1]);
475 return;
476 }
477
478 if (decode(h, &reply, &code,
480 h->buffer, slen) != DECODE_FAIL_NONE) return;
481
482 fr_pair_list_free(&reply); /* FIXME - Do something with these... */
483
484 /*
485 * Process the error, and count this as a success.
486 * This is usually used for dynamic configuration
487 * on startup.
488 */
490
491 /*
492 * Last trunk event was a failure, be more careful about
493 * bringing up the connection (require multiple responses).
494 */
495 if ((fr_time_gt(trunk->last_failed, fr_time_wrap(0)) && (fr_time_gt(trunk->last_failed, trunk->last_connected))) &&
496 (u->num_replies < inst->num_answers_to_alive)) {
497 /*
498 * Leave the timer in place. This timer is BOTH when we
499 * give up on the current status check, AND when we send
500 * the next status check.
501 */
502 DEBUG("%s - Received %u / %u replies for status check, on connection - %s",
503 h->ctx.module_name, u->num_replies, inst->num_answers_to_alive, h->ctx.fd_info->name);
504 DEBUG("%s - Next status check packet will be in %pVs",
506
507 /*
508 * Set the timer for the next retransmit.
509 */
510 if (fr_timer_at(h, el->tl, &u->ev, u->retry.next, false, conn_init_next, conn) < 0) {
512 }
513 return;
514 }
515
516 /*
517 * It's alive!
518 */
519 status_check_reset(h, u);
520
521 DEBUG("%s - Connection open - %s", h->ctx.module_name, h->ctx.fd_info->name);
522
524}
525
526/** Send initial negotiation.
527 *
528 */
529static void conn_init_writable(fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
530{
531 connection_t *conn = talloc_get_type_abort(uctx, connection_t);
532 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
533 bio_request_t *u = h->status_u;
534 ssize_t slen;
535
536 if (fr_time_eq(u->retry.start, fr_time_wrap(0))) {
537 u->id = fr_rand() & 0xff; /* We don't care what the value is here */
538 h->status_checking = true; /* Ensure this is valid */
539 fr_retry_init(&u->retry, fr_time(), &h->ctx.inst->retry[u->code]);
540
541 /*
542 * Status checks can never be retransmitted
543 * So increment the ID here.
544 */
545 } else {
547 u->id++;
548 }
549
550 DEBUG("%s - Sending %s ID %d over connection %s",
552
553 if (encode(h, h->status_request, u, u->id) < 0) {
554 fail:
556 return;
557 }
558 DEBUG3("Encoded packet");
559 HEXDUMP3(u->packet, u->packet_len, NULL);
560
561 fr_assert(u->packet != NULL);
563
564 slen = fr_bio_write(h->bio.main, NULL, u->packet, u->packet_len);
565
566 if (slen == fr_bio_error(IO_WOULD_BLOCK)) goto blocked;
567
568 if (slen < 0) {
569 ERROR("%s - Failed sending %s ID %d length %zu over connection %s: %s",
571
572
573 goto fail;
574 }
575
576 /*
577 * @todo - handle partial packets and blocked writes.
578 */
579 if ((size_t)slen < u->packet_len) {
580 blocked:
581 ERROR("%s - Failed sending %s ID %d length %zu over connection %s: writing is blocked",
583 goto fail;
584 }
585
586 /*
587 * Switch to waiting on read and insert the event
588 * for the response timeout.
589 */
590 if (fr_event_fd_insert(h, NULL, conn->el, h->fd, conn_init_readable, NULL, conn_init_error, conn) < 0) {
591 PERROR("%s - Failed inserting FD event", h->ctx.module_name);
592 goto fail;
593 }
594
595 DEBUG("%s - %s request. Expecting response within %pVs",
596 h->ctx.module_name, (u->retry.count == 1) ? "Originated" : "Retransmitted",
598
599 if (fr_timer_at(h, el->tl, &u->ev, u->retry.next, false, conn_init_timeout, conn) < 0) {
600 PERROR("%s - Failed inserting timer event", h->ctx.module_name);
601 goto fail;
602 }
603
604 /*
605 * Save a copy of the header + Authentication Vector for checking the response.
606 */
607 MEM(u->packet = talloc_memdup(u, u->packet, RADIUS_HEADER_LENGTH));
608}
609
610/** Free a connection handle, closing associated resources
611 *
612 */
614{
615 fr_assert(h != NULL);
616
617 fr_assert(h->fd >= 0);
618
620
621 /*
622 * The connection code will take care of deleting the FD from the event loop.
623 */
624
625 DEBUG("%s - Connection closed - %s", h->ctx.module_name, h->ctx.fd_info->name);
626
627 return 0;
628}
629
630static void bio_connected(fr_bio_t *bio)
631{
632 bio_handle_t *h = bio->uctx;
633
634 DEBUG("%s - Connection open - %s", h->ctx.module_name, h->ctx.fd_info->name);
635
637}
638
639static void bio_error(fr_bio_t *bio)
640{
641 bio_handle_t *h = bio->uctx;
642
643 DEBUG("%s - Connection failed - %s - %s", h->ctx.module_name, h->ctx.fd_info->name,
645
647}
648
649static fr_bio_verify_action_t rlm_radius_verify(UNUSED fr_bio_t *bio, void *verify_ctx, UNUSED void *packet_ctx, const void *data, size_t *size)
650{
652 size_t in_buffer = *size;
653 bio_handle_t *h = verify_ctx;
654 uint8_t const *hdr = data;
655 size_t want;
656
657 if (in_buffer < 20) {
658 *size = RADIUS_HEADER_LENGTH;
660 }
661
662 /*
663 * Packet is too large, discard it.
664 */
665 want = fr_nbo_to_uint16(hdr + 2);
666 if (want > h->ctx.inst->max_packet_size) {
667 ERROR("%s - Connection %s received too long packet", h->ctx.module_name, h->ctx.fd_info->name);
669 }
670
671 /*
672 * Not a full packet, we want more data.
673 */
674 if (want < *size) {
675 *size = want;
677 }
678
679#define REQUIRE_MA(_h) (((_h)->ctx.inst->require_message_authenticator == FR_RADIUS_REQUIRE_MA_YES) || *(_h)->ctx.inst->received_message_authenticator)
680
681 /*
682 * See if we need to discard the packet.
683 *
684 * @todo - rate limit these messages, and find a way to associate them with a request, or even
685 * the logging destination of the module.
686 */
687 if (!fr_radius_ok(data, size, h->ctx.inst->max_attributes, REQUIRE_MA(h), &failure)) {
689
690 PERROR("%s - Connection %s received bad packet", h->ctx.module_name, h->ctx.fd_info->name);
691
692 if (failure == DECODE_FAIL_MA_MISSING) {
694 ERROR("We are configured with 'require_message_authenticator = true'");
695 } else {
696 ERROR("We previously received a packet from this client which included a Message-Authenticator attribute");
697 }
698 }
699
700 if (h->ctx.fd_config.socket_type == SOCK_DGRAM) return FR_BIO_VERIFY_DISCARD;
701
703 }
704
705 /*
706 * @todo - check if the reply is allowed. Bad replies are discarded later, but it might be worth
707 * checking them here.
708 */
709
710 /*
711 * On input, *size is how much data we have. On output, *size is how much data we want.
712 */
713 return (in_buffer >= *size) ? FR_BIO_VERIFY_OK : FR_BIO_VERIFY_WANT_MORE;
714}
715
716
717/** Initialise a new outbound connection
718 *
719 * @param[out] h_out Where to write the new file descriptor.
720 * @param[in] conn to initialise.
721 * @param[in] uctx A #bio_thread_t
722 */
723CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
724static connection_state_t conn_init(void **h_out, connection_t *conn, void *uctx)
725{
726 int fd;
727 bio_handle_t *h;
728 bio_handle_ctx_t *ctx = uctx; /* thread or home server */
729 connection_t **to_save = NULL;
730
731 MEM(h = talloc_zero(conn, bio_handle_t));
732 h->ctx = *ctx;
733 h->conn = conn;
735 h->last_idle = fr_time();
736
737 MEM(h->buffer = talloc_array(h, uint8_t, h->max_packet_size));
738 h->buflen = h->max_packet_size;
739
740 MEM(h->tt = radius_track_alloc(h));
741
742 /*
743 * We are proxying to multiple home servers, but using a limited port range. We must track the
744 * source port for each home server, so that we only can select the right unused source port for
745 * this home server.
746 */
747 switch (ctx->limit_source_ports) {
748 case LIMIT_PORTS_NONE:
749 break;
750
751 /*
752 * Dynamic home servers store source port usage in the home_server_t
753 */
755 {
756 int i;
757 home_server_t *home = talloc_get_type_abort(ctx, home_server_t);
758
759 for (i = 0; i < home->num_ports; i++) {
760 if (!home->connections[i]) {
761 to_save = &home->connections[i];
762
763 /*
764 * Set the source port, but also leave the src_port_start and
765 * src_port_end alone.
766 */
768 break;
769 }
770 }
771
772 if (!to_save) {
773 ERROR("%s - Failed opening socket to home server %pV:%u - source port range is full",
775 goto fail;
776 }
777 }
778 break;
779
780 /*
781 * Static home servers store source port usage in bio_thread_t
782 */
784 {
785 int i;
786 bio_thread_t *thread = talloc_get_type_abort(ctx, bio_thread_t);
787
788 for (i = 0; i < thread->num_ports; i++) {
789 if (!thread->connections[i]) {
790 to_save = &thread->connections[i];
792 break;
793 }
794 }
795
796 if (!to_save) {
797 ERROR("%s - Failed opening socket to home server %pV:%u - source port range is full",
799 goto fail;
800 }
801 }
802 break;
803 }
804
805 h->bio.fd = fr_bio_fd_alloc(h, &h->ctx.fd_config, 0);
806 if (!h->bio.fd) {
807 PERROR("%s - failed opening socket", h->ctx.module_name);
808 fail:
809 talloc_free(h);
811 }
812
813 h->bio.fd->uctx = h;
815
816 fd = h->ctx.fd_info->socket.fd;
817 fr_assert(fd >= 0);
818
819 /*
820 * Create a memory BIO for stream sockets. We want to return only complete packets, and not
821 * partial packets.
822 *
823 * @todo - maybe we want to have a fr_bio_verify_t which is independent of fr_bio_mem_t. That
824 * way we don't need a memory BIO for UDP sockets, but we can still add a verification layer for
825 * UDP sockets?
826 */
827 h->bio.mem = fr_bio_mem_alloc(h, (h->ctx.fd_config.socket_type == SOCK_DGRAM) ? 0 : h->ctx.inst->max_packet_size * 4,
828 0, h->bio.fd);
829 if (!h->bio.mem) {
830 PERROR("%s - Failed allocating memory buffer - ", h->ctx.module_name);
831 goto fail;
832 }
833
834 if (fr_bio_mem_set_verify(h->bio.mem, rlm_radius_verify, h, (h->ctx.fd_config.socket_type == SOCK_DGRAM)) < 0) {
835 PERROR("%s - Failed setting validation callback - ", h->ctx.module_name);
836 goto fail;
837 }
838
839 /*
840 * Set the BIO read function to be the memory BIO, which will then call the packet verification
841 * routine.
842 */
843 h->bio.main = h->bio.mem;
844 h->bio.mem->uctx = h;
845
846 h->fd = fd;
847
848 talloc_set_destructor(h, _bio_handle_free);
849
850 /*
851 * If the socket isn't connected, then do that first.
852 */
854 int rcode;
855
857
858 /*
859 * We don't pass timeouts here because the trunk has it's own connection timeouts.
860 */
861 rcode = fr_bio_fd_connect_full(h->bio.fd, conn->el, bio_connected, bio_error, NULL, NULL);
862 if (rcode < 0) goto fail;
863
864 *h_out = h;
865
866 if (rcode == 0) return CONNECTION_STATE_CONNECTING;
867
868 fr_assert(rcode == 1);
870
871 /*
872 * If we're doing status checks, then we want at least
873 * one positive response before signalling that the
874 * connection is open.
875 *
876 * To do this we install special I/O handlers that
877 * only signal the connection as open once we get a
878 * status-check response.
879 */
880 } if (h->ctx.inst->status_check) {
882
883 /*
884 * Start status checking.
885 *
886 * If we've had no recent failures we need exactly
887 * one response to bring the connection online,
888 * otherwise we need inst->num_answers_to_alive
889 */
890 if (fr_event_fd_insert(h, NULL, conn->el, h->fd, NULL,
891 conn_init_writable, conn_init_error, conn) < 0) goto fail;
892
893 /*
894 * If we're not doing status-checks, signal the connection
895 * as open as soon as it becomes writable.
896 */
897 } else {
898 connection_signal_on_fd(conn, fd);
899 }
900
901 *h_out = h;
902
903 if (to_save) *to_save = conn;
904
906}
907
908/** Shutdown/close a file descriptor
909 *
910 */
911static void conn_close(UNUSED fr_event_list_t *el, void *handle, void *uctx)
912{
913 bio_handle_t *h = talloc_get_type_abort(handle, bio_handle_t);
914
915 /*
916 * There's tracking entries still allocated
917 * this is bad, they should have all been
918 * released.
919 */
920 if (h->tt && (h->tt->num_requests != 0)) {
921#ifndef NDEBUG
923#endif
924 fr_assert_fail("%u tracking entries still allocated at conn close", h->tt->num_requests);
925 }
926
927 /*
928 * We have opened a limited number of outbound source ports. This means that when we close a
929 * port, we have to mark it unused.
930 */
931 switch (h->ctx.limit_source_ports) {
932 case LIMIT_PORTS_NONE:
933 break;
934
936 {
937 int offset;
938 home_server_t *home = talloc_get_type_abort(uctx, home_server_t);
939
942
944 fr_assert(offset < home->num_ports);
945
946 fr_assert(home->connections[offset] == h->conn);
947
948 home->connections[offset] = NULL;
949 }
950 break;
951
953 {
954 int offset;
955 bio_thread_t *thread = talloc_get_type_abort(uctx, bio_thread_t);
956
959
961 fr_assert(offset < thread->num_ports);
962
963 fr_assert(thread->connections[offset] == h->conn);
964
965 thread->connections[offset] = NULL;
966 }
967 break;
968 }
969
970 DEBUG4("Freeing handle %p", handle);
971
972 talloc_free(h);
973}
974
975/** Connection failed
976 *
977 * @param[in] handle of connection that failed.
978 * @param[in] state the connection was in when it failed.
979 * @param[in] uctx UNUSED.
980 */
981static connection_state_t conn_failed(void *handle, connection_state_t state, UNUSED void *uctx)
982{
983 switch (state) {
984 /*
985 * If the connection was connected when it failed,
986 * we need to handle any outstanding packets and
987 * timer events before reconnecting.
988 */
990 {
991 bio_handle_t *h = talloc_get_type_abort(handle, bio_handle_t); /* h only available if connected */
992
993 /*
994 * Reset the Status-Server checks.
995 */
996 if (h->status_u) FR_TIMER_DISARM(h->status_u->ev);
997 break;
998
999 default:
1000 break;
1001 }
1002 }
1003
1004 return CONNECTION_STATE_INIT;
1005}
1006
1007CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
1009 connection_conf_t const *conf,
1010 char const *log_prefix, void *uctx)
1011{
1012 connection_t *conn;
1013 bio_handle_ctx_t *ctx = uctx; /* thread or home server */
1014
1015 conn = connection_alloc(tconn, el,
1017 .init = conn_init,
1018 .close = conn_close,
1019 .failed = conn_failed
1020 },
1021 conf,
1022 log_prefix,
1023 uctx);
1024 if (!conn) {
1025 PERROR("%s - Failed allocating state handler for new connection", ctx->inst->name);
1026 return NULL;
1027 }
1028 ctx->trunk = tconn->trunk;
1029 ctx->module_name = log_prefix;
1030
1031 return conn;
1032}
1033
1034/** Read and discard data
1035 *
1036 */
1037static void conn_discard(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
1038{
1039 trunk_connection_t *tconn = talloc_get_type_abort(uctx, trunk_connection_t);
1040 bio_handle_t *h = talloc_get_type_abort(tconn->conn->h, bio_handle_t);
1041 uint8_t buffer[4096];
1042 ssize_t slen;
1043
1044 while ((slen = fr_bio_read(h->bio.main, NULL, buffer, sizeof(buffer))) > 0);
1045
1046 if (slen < 0) {
1047 switch (errno) {
1048 case EBADF:
1049 case ECONNRESET:
1050 case ENOTCONN:
1051 case ETIMEDOUT:
1052 ERROR("%s - Failed draining socket: %s", h->ctx.module_name, fr_syserror(errno));
1054 break;
1055
1056 default:
1057 break;
1058 }
1059 }
1060}
1061
1062/** Connection errored
1063 *
1064 * We were signalled by the event loop that a fatal error occurred on this connection.
1065 *
1066 * @param[in] el The event list signalling.
1067 * @param[in] fd that errored.
1068 * @param[in] flags El flags.
1069 * @param[in] fd_errno The nature of the error.
1070 * @param[in] uctx The trunk connection handle (tconn).
1071 */
1072static void conn_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, int fd_errno, void *uctx)
1073{
1074 trunk_connection_t *tconn = talloc_get_type_abort(uctx, trunk_connection_t);
1075 connection_t *conn = tconn->conn;
1076 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
1077
1078 if (fd_errno) ERROR("%s - Connection %s failed: %s", h->ctx.module_name, h->ctx.fd_info->name, fr_syserror(fd_errno));
1079
1081}
1082
1083CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
1086 trunk_connection_event_t notify_on, UNUSED void *uctx)
1087{
1088 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
1089 fr_event_fd_cb_t read_fn = NULL;
1090 fr_event_fd_cb_t write_fn = NULL;
1091
1092 switch (notify_on) {
1093 /*
1094 * We may have sent multiple requests to the
1095 * other end, so it might be sending us multiple
1096 * replies. We want to drain the socket, instead
1097 * of letting the packets sit in the UDP receive
1098 * queue.
1099 */
1101 read_fn = conn_discard;
1102 break;
1103
1106 break;
1107
1110 break;
1111
1115 break;
1116
1117 }
1118
1119 /*
1120 * Over-ride read for replication.
1121 */
1123 read_fn = conn_discard;
1124
1125 if (fr_bio_fd_write_only(h->bio.fd) < 0) {
1126 PERROR("%s - Failed setting socket to write-only", h->ctx.module_name);
1128 return;
1129 }
1130 }
1131
1132 if (fr_event_fd_insert(h, NULL, el, h->fd,
1133 read_fn,
1134 write_fn,
1135 conn_error,
1136 tconn) < 0) {
1137 PERROR("%s - Failed inserting FD event", h->ctx.module_name);
1138
1139 /*
1140 * May free the connection!
1141 */
1143 }
1144}
1145
1146/*
1147 * Return negative numbers to put 'a' at the top of the heap.
1148 * Return positive numbers to put 'b' at the top of the heap.
1149 *
1150 * We want the value with the lowest timestamp to be prioritized at
1151 * the top of the heap.
1152 */
1153static int8_t request_prioritise(void const *one, void const *two)
1154{
1155 bio_request_t const *a = one;
1156 bio_request_t const *b = two;
1157 int8_t ret;
1158
1159 /*
1160 * Prioritise status check packets
1161 */
1162 ret = (b->status_check - a->status_check);
1163 if (ret != 0) return ret;
1164
1165 /*
1166 * Larger priority is more important.
1167 */
1168 ret = CMP(a->priority, b->priority);
1169 if (ret != 0) return ret;
1170
1171 /*
1172 * Smaller timestamp (i.e. earlier) is more important.
1173 */
1175}
1176
1177/** Decode response packet data, extracting relevant information and validating the packet
1178 *
1179 * @param[in] ctx to allocate pairs in.
1180 * @param[out] reply Pointer to head of pair list to add reply attributes to.
1181 * @param[out] response_code The type of response packet.
1182 * @param[in] h connection handle.
1183 * @param[in] request the request.
1184 * @param[in] u UDP request.
1185 * @param[in] request_authenticator from the original request.
1186 * @param[in] data to decode.
1187 * @param[in] data_len Length of input data.
1188 * @return
1189 * - DECODE_FAIL_NONE on success.
1190 * - DECODE_FAIL_* on failure.
1191 */
1192static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
1193 bio_handle_t *h, request_t *request, bio_request_t *u,
1194 uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
1195 uint8_t *data, size_t data_len)
1196{
1198 uint8_t code;
1199 fr_radius_decode_ctx_t decode_ctx;
1200
1201 *response_code = 0; /* Initialise to keep the rest of the code happy */
1202
1203 RHEXDUMP3(data, data_len, "Read packet");
1204
1205 decode_ctx = (fr_radius_decode_ctx_t) {
1206 .common = &h->ctx.radius_ctx,
1207 .request_code = u->code,
1208 .request_authenticator = request_authenticator,
1209 .tmp_ctx = talloc(ctx, uint8_t),
1210 .end = data + data_len,
1211 .verify = true,
1212 .require_message_authenticator = REQUIRE_MA(h),
1213 };
1214
1215 if (fr_radius_decode(ctx, reply, data, data_len, &decode_ctx) < 0) {
1216 talloc_free(decode_ctx.tmp_ctx);
1217 RPEDEBUG("Failed reading packet");
1218 return DECODE_FAIL_UNKNOWN;
1219 }
1220 talloc_free(decode_ctx.tmp_ctx);
1221
1222 code = data[0];
1223
1224 RDEBUG("Received %s ID %d length %zu reply packet on connection %s",
1225 fr_radius_packet_name[code], data[1], data_len, h->ctx.fd_info->name);
1226 log_request_pair_list(L_DBG_LVL_2, request, NULL, reply, NULL);
1227
1228 /*
1229 * This code is for BlastRADIUS mitigation.
1230 *
1231 * The scenario where this applies is where we send Message-Authenticator
1232 * but the home server doesn't support it or require it, in which case
1233 * the response can be manipulated by an attacker.
1234 */
1235 if ((u->code == FR_RADIUS_CODE_ACCESS_REQUEST) &&
1236 (inst->require_message_authenticator == FR_RADIUS_REQUIRE_MA_AUTO) &&
1237 !*(inst->received_message_authenticator) &&
1238 fr_pair_find_by_da(&request->request_pairs, NULL, attr_message_authenticator) &&
1239 !fr_pair_find_by_da(&request->request_pairs, NULL, attr_eap_message)) {
1240 RINFO("Packet contained a valid Message-Authenticator. Setting \"require_message_authenticator = yes\"");
1241 *(inst->received_message_authenticator) = true;
1242 }
1243
1244 *response_code = code;
1245
1246 /*
1247 * Record the fact we've seen a response
1248 */
1249 u->num_replies++;
1250
1251 /*
1252 * Fixup retry times
1253 */
1254 if (fr_time_gt(u->retry.start, h->mrs_time)) h->mrs_time = u->retry.start;
1255
1256 return DECODE_FAIL_NONE;
1257}
1258
1259static int encode(bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t id)
1260{
1261 ssize_t packet_len;
1263 rlm_radius_t const *inst = h->ctx.inst;
1264
1265 fr_assert(inst->allowed[u->code]);
1266 fr_assert(!u->packet);
1267
1268 u->packet_len = inst->max_packet_size;
1269 u->packet = h->buffer;
1270
1271 /*
1272 * We should have at minimum 64-byte packets, so don't
1273 * bother doing run-time checks here.
1274 */
1276
1278 .common = &h->ctx.radius_ctx,
1279 .rand_ctx = (fr_fast_rand_t) {
1280 .a = fr_rand(),
1281 .b = fr_rand(),
1282 },
1283 .code = u->code,
1284 .id = id,
1285 .add_proxy_state = u->proxied,
1286 };
1287
1288 /*
1289 * If we're sending a status check packet, update any
1290 * necessary timestamps. Also, don't add Proxy-State, as
1291 * we're originating the packet.
1292 */
1293 if (u->status_check) {
1294 fr_pair_t *vp;
1295
1296 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp);
1297 if (vp) vp->vp_date = fr_time_to_unix_time(u->retry.updated);
1298
1299 encode_ctx.add_proxy_state = false;
1300 }
1301
1302 /*
1303 * Encode it, leaving room for Proxy-State if necessary.
1304 */
1305 packet_len = fr_radius_encode(&FR_DBUFF_TMP(u->packet, u->packet_len),
1306 &request->request_pairs, &encode_ctx);
1307 if (fr_pair_encode_is_error(packet_len)) {
1308 RPERROR("Failed encoding packet");
1309
1310 error:
1311 TALLOC_FREE(u->packet);
1312 return -1;
1313 }
1314
1315 if (packet_len < 0) {
1316 size_t have;
1317 size_t need;
1318
1319 have = u->packet_len;
1320 need = have - packet_len;
1321
1322 if (need > RADIUS_MAX_PACKET_SIZE) {
1323 RERROR("Failed encoding packet. Have %zu bytes of buffer, need %zu bytes",
1324 have, need);
1325 } else {
1326 RERROR("Failed encoding packet. Have %zu bytes of buffer, need %zu bytes. "
1327 "Increase 'max_packet_size'", have, need);
1328 }
1329
1330 goto error;
1331 }
1332 /*
1333 * The encoded packet should NOT over-run the input buffer.
1334 */
1335 fr_assert((size_t) packet_len <= u->packet_len);
1336
1337 /*
1338 * Add Proxy-State to the tail end of the packet.
1339 *
1340 * We need to add it here, and NOT in
1341 * request->request_pairs, because multiple modules
1342 * may be sending the packets at the same time.
1343 */
1344 if (encode_ctx.add_proxy_state) {
1345 fr_pair_t *vp;
1346
1348 fr_pair_value_memdup(vp, (uint8_t const *) &inst->common_ctx.proxy_state, sizeof(inst->common_ctx.proxy_state), false);
1349 fr_pair_append(&u->extra, vp);
1350 packet_len += 2 + sizeof(inst->common_ctx.proxy_state);
1351 }
1352
1353 /*
1354 * Update our version of the packet length.
1355 */
1356 u->packet_len = packet_len;
1357
1358 /*
1359 * Now that we're done mangling the packet, sign it.
1360 */
1361 if (fr_radius_sign(u->packet, NULL, (uint8_t const *) h->ctx.radius_ctx.secret,
1362 h->ctx.radius_ctx.secret_length) < 0) {
1363 RPERROR("Failed signing packet");
1364 goto error;
1365 }
1366
1367 return 0;
1368}
1369
1370
1371/** Revive a connection after "revive_interval"
1372 *
1373 */
1374static void revive_timeout(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
1375{
1376 trunk_connection_t *tconn = talloc_get_type_abort(uctx, trunk_connection_t);
1377 bio_handle_t *h = talloc_get_type_abort(tconn->conn->h, bio_handle_t);
1378
1379 INFO("%s - Reviving connection %s", h->ctx.module_name, h->ctx.fd_info->name);
1381}
1382
1383/** Mark a connection dead after "zombie_interval"
1384 *
1385 */
1386static void zombie_timeout(fr_timer_list_t *tl, fr_time_t now, void *uctx)
1387{
1388 trunk_connection_t *tconn = talloc_get_type_abort(uctx, trunk_connection_t);
1389 bio_handle_t *h = talloc_get_type_abort(tconn->conn->h, bio_handle_t);
1390
1391 INFO("%s - No replies during 'zombie_period', marking connection %s as dead", h->ctx.module_name, h->ctx.fd_info->name);
1392
1393 /*
1394 * Don't use this connection, and re-queue all of its
1395 * requests onto other connections.
1396 */
1398
1399 /*
1400 * We do have status checks. Try to reconnect the
1401 * connection immediately. If the status checks pass,
1402 * then the connection will be marked "alive"
1403 */
1404 if (h->ctx.inst->status_check) {
1406 return;
1407 }
1408
1409 /*
1410 * Revive the connection after a time.
1411 */
1412 if (fr_timer_at(h, tl, &h->zombie_ev,
1413 fr_time_add(now, h->ctx.inst->revive_interval), false,
1414 revive_timeout, tconn) < 0) {
1415 ERROR("Failed inserting revive timeout for connection");
1417 }
1418}
1419
1420
1421/** See if the connection is zombied.
1422 *
1423 * We check for zombie when major events happen:
1424 *
1425 * 1) request hits its final timeout
1426 * 2) request timer hits, and it needs to be retransmitted
1427 * 3) a DUP packet comes in, and the request needs to be retransmitted
1428 * 4) we're sending a packet.
1429 *
1430 * There MIGHT not be retries configured, so we MUST check for zombie
1431 * when any new packet comes in. Similarly, there MIGHT not be new
1432 * packets, but retries are configured, so we have to check there,
1433 * too.
1434 *
1435 * Also, the socket might not be writable for a while. There MIGHT
1436 * be a long time between getting the timer / DUP signal, and the
1437 * request finally being written to the socket. So we need to check
1438 * for zombie at BOTH the timeout and the mux / write function.
1439 *
1440 * @return
1441 * - true if the connection is zombie.
1442 * - false if the connection is not zombie.
1443 */
1445{
1446 bio_handle_t *h = talloc_get_type_abort(tconn->conn->h, bio_handle_t);
1447
1448 /*
1449 * We're replicating, and don't care about the health of
1450 * the home server, and this function should not be called.
1451 */
1453
1454 /*
1455 * If we're status checking OR already zombie, don't go to zombie
1456 */
1457 if (h->status_checking || fr_timer_armed(h->zombie_ev)) return true;
1458
1459 if (fr_time_eq(now, fr_time_wrap(0))) now = fr_time();
1460
1461 /*
1462 * We received a reply since this packet was sent, the connection isn't zombie.
1463 */
1464 if (fr_time_gteq(h->last_reply, last_sent)) return false;
1465
1466 /*
1467 * If we've seen ANY response in the allowed window, then the connection is still alive.
1468 */
1469 if ((h->ctx.inst->mode == RLM_RADIUS_MODE_PROXY) && fr_time_gt(last_sent, fr_time_wrap(0)) &&
1470 (fr_time_lt(fr_time_add(last_sent, h->ctx.inst->response_window), now))) return false;
1471
1472 /*
1473 * Stop using it for new requests.
1474 */
1475 WARN("%s - Entering Zombie state - connection %s", h->ctx.module_name, h->ctx.fd_info->name);
1477
1478 if (h->ctx.inst->status_check) {
1479 h->status_checking = true;
1480
1481 /*
1482 * Queue up the status check packet. It will be sent
1483 * when the connection is writable.
1484 */
1486 h->status_u->treq = NULL;
1487
1489 h->status_u, h->status_u, true) != TRUNK_ENQUEUE_OK) {
1491 }
1492 } else {
1493 if (fr_timer_at(h, el->tl, &h->zombie_ev, fr_time_add(now, h->ctx.inst->zombie_period),
1494 false, zombie_timeout, tconn) < 0) {
1495 ERROR("Failed inserting zombie timeout for connection");
1497 }
1498 }
1499
1500 return true;
1501}
1502
1503static void mod_dup(request_t *request, bio_request_t *u)
1504{
1505 bio_handle_t *h;
1506
1507 h = talloc_get_type_abort(u->treq->tconn->conn->h, bio_handle_t);
1508
1509 if (h->ctx.fd_config.socket_type != SOCK_DGRAM) {
1510 RDEBUG("Using stream sockets - suppressing retransmission");
1511 return;
1512 }
1513
1514 /*
1515 * Arguably this should never happen for UDP sockets.
1516 */
1517 if (h->ctx.fd_info->write_blocked) {
1518 RDEBUG("IO is blocked - suppressing retransmission");
1519 return;
1520 }
1521 u->is_retry = true;
1522
1523 /*
1524 * We are doing synchronous proxying, retransmit
1525 * the current request on the same connection.
1526 *
1527 * If it's zombie, we still resend it. If the
1528 * connection is dead, then a callback will move
1529 * this request to a new connection.
1530 */
1531 mod_write(request, u->treq, h);
1532}
1533
1534static void do_retry(rlm_radius_t const *inst, bio_request_t *u, request_t *request, fr_retry_t const *retry);
1535
1536/** Handle module retries.
1537 *
1538 */
1539static void mod_retry(module_ctx_t const *mctx, request_t *request, fr_retry_t const *retry)
1540{
1541 bio_request_t *u = talloc_get_type_abort(mctx->rctx, bio_request_t);
1542 rlm_radius_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
1543
1544 do_retry(inst, u, request, retry);
1545}
1546
1547static void do_retry(rlm_radius_t const *inst, bio_request_t *u, request_t *request, fr_retry_t const *retry)
1548{
1549 trunk_request_t *treq = talloc_get_type_abort(u->treq, trunk_request_t);
1550 trunk_connection_t *tconn = treq->tconn;
1551 fr_time_t now = retry->updated;
1552
1553 fr_assert(request == treq->request);
1554 fr_assert(treq->preq); /* Must still have a protocol request */
1555 fr_assert(treq->preq == u);
1556
1557 switch (retry->state) {
1558 case FR_RETRY_CONTINUE:
1559 u->retry = *retry;
1560
1561 switch (treq->state) {
1564 fr_assert(0);
1565 break;
1566
1568 RDEBUG("Packet is still in the backlog queue to be sent - suppressing retransmission");
1569 return;
1570
1572 RDEBUG("Packet is still in the pending queue to be sent - suppressing retransmission");
1573 return;
1574
1576 RDEBUG("Packet was partially written, as IO is blocked - suppressing retransmission");
1577 return;
1578
1580 fr_assert(tconn);
1581
1582 mod_dup(request, u);
1583 return;
1584
1592 fr_assert(0);
1593 break;
1594 }
1595 break;
1596
1597 case FR_RETRY_MRD:
1598 REDEBUG("Reached maximum_retransmit_duration (%pVs > %pVs), failing request",
1600 break;
1601
1602 case FR_RETRY_MRC:
1603 REDEBUG("Reached maximum_retransmit_count (%u > %u), failing request",
1604 retry->count, retry->config->mrc);
1605 break;
1606 }
1607
1610
1611 /*
1612 * We don't do zombie stuff!
1613 */
1614 if (!tconn || (inst->mode == RLM_RADIUS_MODE_REPLICATE)) return;
1615
1616 check_for_zombie(unlang_interpret_event_list(request), tconn, now, retry->start);
1617}
1618
1619CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
1621 trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
1622{
1623 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
1624 trunk_request_t *treq;
1625 request_t *request;
1626
1627 if (unlikely(trunk_connection_pop_request(&treq, tconn) < 0)) return;
1628
1629 /*
1630 * No more requests to send
1631 */
1632 if (!treq) return;
1633
1634 request = treq->request;
1635
1636 mod_write(request, treq, h);
1637}
1638
1639static void mod_write(request_t *request, trunk_request_t *treq, bio_handle_t *h)
1640{
1641 rlm_radius_t const *inst = h->ctx.inst;
1642 bio_request_t *u;
1643 char const *action;
1644 uint8_t const *packet;
1645 size_t packet_len;
1646 ssize_t slen;
1647
1648 fr_assert((treq->state == TRUNK_REQUEST_STATE_PENDING) ||
1649 (treq->state == TRUNK_REQUEST_STATE_PARTIAL));
1650
1651 u = treq->preq;
1652
1654
1655 /*
1656 * If it's a partial packet, then write the partial bit.
1657 */
1658 if (u->partial) {
1659 fr_assert(u->partial < u->packet_len);
1660 packet = u->packet + u->partial;
1661 packet_len = u->packet_len - u->partial;
1662 goto do_write;
1663 }
1664
1665 /*
1666 * No previous packet, OR can't retransmit the
1667 * existing one. Oh well.
1668 *
1669 * Note that if we can't retransmit the previous
1670 * packet, then u->rr MUST already have been
1671 * deleted in the request_cancel() function
1672 * or request_release_conn() function when
1673 * the REQUEUE signal was received.
1674 */
1675 if (!u->packet) {
1676 fr_assert(!u->rr);
1677
1678 if (unlikely(radius_track_entry_reserve(&u->rr, treq, h->tt, request, u->code, treq) < 0)) {
1679#ifndef NDEBUG
1680 radius_track_state_log(&default_log, L_ERR, __FILE__, __LINE__,
1682#endif
1683 fr_assert_fail("Tracking entry allocation failed: %s", fr_strerror());
1685 return;
1686 }
1687 fr_assert(u->rr);
1688 u->id = u->rr->id;
1689
1690 RDEBUG("Sending %s ID %d length %zu over connection %s",
1692
1693 if (encode(h, request, u, u->id) < 0) {
1694 /*
1695 * Need to do this because request_conn_release
1696 * may not be called.
1697 */
1700 return;
1701 }
1702 RHEXDUMP3(u->packet, u->packet_len, "Encoded packet");
1703
1704 /*
1705 * Remember the authentication vector, which now has the
1706 * packet signature.
1707 */
1709 } else {
1710 RDEBUG("Retransmitting %s ID %d length %zu over connection %s",
1712 }
1713
1714 /*
1715 * @todo - When logging Message-Authenticator, don't print its' value.
1716 */
1717 log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->request_pairs, NULL);
1718 if (!fr_pair_list_empty(&u->extra)) log_request_pair_list(L_DBG_LVL_2, request, NULL, &u->extra, NULL);
1719
1720 packet = u->packet;
1721 packet_len = u->packet_len;
1722
1723do_write:
1724 fr_assert(packet != NULL);
1725 fr_assert(packet_len >= RADIUS_HEADER_LENGTH);
1726
1727 slen = fr_bio_write(h->bio.main, NULL, packet, packet_len);
1728
1729 /*
1730 * Can't write anything, requeue it on a different socket.
1731 */
1732 if (slen == fr_bio_error(IO_WOULD_BLOCK)) goto requeue;
1733
1734 if (slen < 0) {
1735 switch (errno) {
1736 /*
1737 * There is an error in the request.
1738 */
1739 case EMSGSIZE: /* Packet size exceeds max size allowed on socket */
1740 ERROR("%s - Failed sending data over connection %s: %s",
1741 h->ctx.module_name, h->ctx.fd_info->name, fr_syserror(errno));
1743 break;
1744
1745 /*
1746 * There is an error in the connection. The reconnection will re-queue any pending or
1747 * sent requests, so we don't have to do any cleanup.
1748 */
1749 default:
1750 ERROR("%s - Failed sending data over connection %s: %s",
1751 h->ctx.module_name, h->ctx.fd_info->name, fr_syserror(errno));
1753 break;
1754 }
1755
1756 return;
1757 }
1758
1759 /*
1760 * No data to send, ignore the write for partials, but otherwise requeue it.
1761 */
1762 if (slen == 0) {
1763 if (u->partial) return;
1764
1765 requeue:
1766 RWARN("%s - Failed sending data over connection %s: sent zero bytes",
1767 h->ctx.module_name, h->ctx.fd_info->name);
1769 return;
1770 }
1771
1772 packet_len += slen;
1773 if (packet_len < u->packet_len) {
1774 /*
1775 * The first time around, save a copy of the packet for later writing.
1776 */
1777 if (!u->partial) MEM(u->packet = talloc_memdup(u, u->packet, u->packet_len));
1778
1779 u->partial = packet_len;
1781 return;
1782 }
1783
1784 /*
1785 * For retransmissions.
1786 */
1787 u->partial = 0;
1788
1789 /*
1790 * Don't print anything extra for replication.
1791 */
1792 if (inst->mode == RLM_RADIUS_MODE_REPLICATE) {
1793 u->rcode = RLM_MODULE_OK;
1795 return;
1796 }
1797
1798 /*
1799 * On first packet, signal it as sent, and update stats.
1800 *
1801 * Later packets are just retransmissions to the BIO, and don't need to involve
1802 * the trunk code.
1803 */
1804 if (u->retry.count == 1) {
1805 h->last_sent = u->retry.start;
1807
1809
1810 action = u->proxied ? "Proxied" : "Originated";
1811
1812 } else {
1813 /*
1814 * We don't signal the trunk that it's been sent, it was already senty
1815 */
1816 action = "Retransmitted";
1817 }
1818
1820
1821 if (!u->proxied) {
1822 RDEBUG("%s request. Expecting response within %pVs", action,
1824
1825 } else {
1826 /*
1827 * If the packet doesn't get a response,
1828 * then bio_request_free() will notice, and run conn_zombie()
1829 */
1830 RDEBUG("%s request. Relying on NAS to perform more retransmissions", action);
1831 }
1832
1833 /*
1834 * We don't retransmit over TCP.
1835 */
1836 if (h->ctx.fd_config.socket_type != SOCK_DGRAM) return;
1837
1838 /*
1839 * If we only send one datagram packet, then don't bother saving it.
1840 */
1841 if (u->retry.config && u->retry.config->mrc == 1) {
1842 u->packet = NULL;
1843 return;
1844 }
1845
1846 MEM(u->packet = talloc_memdup(u, u->packet, u->packet_len));
1847}
1848
1849/** Deal with Protocol-Error replies, and possible negotiation
1850 *
1851 */
1853{
1854 bool error_601 = false;
1855 uint32_t response_length = 0;
1856 uint8_t const *attr, *end;
1857
1858 end = h->buffer + fr_nbo_to_uint16(h->buffer + 2);
1859
1860 for (attr = h->buffer + RADIUS_HEADER_LENGTH;
1861 attr < end;
1862 attr += attr[1]) {
1863 /*
1864 * Error-Cause = Response-Too-Big
1865 */
1866 if ((attr[0] == attr_error_cause->attr) && (attr[1] == 6)) {
1867 uint32_t error;
1868
1869 memcpy(&error, attr + 2, 4);
1870 error = ntohl(error);
1871 if (error == 601) error_601 = true;
1872 continue;
1873 }
1874
1875 /*
1876 * The other end wants us to increase our Response-Length
1877 */
1878 if ((attr[0] == attr_response_length->attr) && (attr[1] == 6)) {
1879 memcpy(&response_length, attr + 2, 4);
1880 continue;
1881 }
1882
1883 /*
1884 * Protocol-Error packets MUST contain an
1885 * Original-Packet-Code attribute.
1886 *
1887 * The attribute containing the
1888 * Original-Packet-Code is an extended
1889 * attribute.
1890 */
1891 if (attr[0] != attr_extended_attribute_1->attr) continue;
1892
1893 /*
1894 * ATTR + LEN + EXT-Attr + uint32
1895 */
1896 if (attr[1] != 7) continue;
1897
1898 /*
1899 * See if there's an Original-Packet-Code.
1900 */
1901 if (attr[2] != (uint8_t)attr_original_packet_code->attr) continue;
1902
1903 /*
1904 * Has to be an 8-bit number.
1905 */
1906 if ((attr[3] != 0) ||
1907 (attr[4] != 0) ||
1908 (attr[5] != 0)) {
1910 return;
1911 }
1912
1913 /*
1914 * The value has to match. We don't
1915 * currently multiplex different codes
1916 * with the same IDs on connections. So
1917 * this check is just for RFC compliance,
1918 * and for sanity.
1919 */
1920 if (attr[6] != u->code) {
1922 return;
1923 }
1924 }
1925
1926 /*
1927 * Error-Cause = Response-Too-Big
1928 *
1929 * The other end says it needs more room to send it's response
1930 *
1931 * Limit it to reasonable values.
1932 */
1933 if (error_601 && response_length && (response_length > h->buflen)) {
1934 if (response_length < 4096) response_length = 4096;
1935 if (response_length > 65535) response_length = 65535;
1936
1937 DEBUG("%s - Increasing buffer size to %u for connection %s", h->ctx.module_name, response_length, h->ctx.fd_info->name);
1938
1939 /*
1940 * Make sure to copy the packet over!
1941 */
1942 attr = h->buffer;
1943 h->buflen = response_length;
1944 MEM(h->buffer = talloc_array(h, uint8_t, h->buflen));
1945
1946 memcpy(h->buffer, attr, end - attr);
1947 }
1948
1949 /*
1950 * fail - something went wrong internally, or with the connection.
1951 * invalid - wrong response to packet
1952 * handled - best remaining alternative :(
1953 *
1954 * i.e. if the response is NOT accept, reject, whatever,
1955 * then we shouldn't allow the caller to do any more
1956 * processing of this packet. There was a protocol
1957 * error, and the response is valid, but not useful for
1958 * anything.
1959 */
1961}
1962
1963
1964/** Handle retries for a status check
1965 *
1966 */
1968{
1969 trunk_connection_t *tconn = talloc_get_type_abort(uctx, trunk_connection_t);
1970 bio_handle_t *h = talloc_get_type_abort(tconn->conn->h, bio_handle_t);
1971
1973 h->status_u, h->status_u, true) != TRUNK_ENQUEUE_OK) {
1975 }
1976}
1977
1978
1979/** Deal with replies replies to status checks and possible negotiation
1980 *
1981 */
1983{
1984 bio_handle_t *h = talloc_get_type_abort(treq->tconn->conn->h, bio_handle_t);
1985 rlm_radius_t const *inst = h->ctx.inst;
1986 bio_request_t *u = talloc_get_type_abort(treq->rctx, bio_request_t);
1987
1988 fr_assert(treq->preq == h->status_u);
1989 fr_assert(treq->rctx == h->status_u);
1990
1991 u->treq = NULL;
1992
1993 /*
1994 * @todo - do other negotiation and signaling.
1995 */
1997
1998 if (u->num_replies < inst->num_answers_to_alive) {
1999 DEBUG("Received %u / %u replies for status check, on connection - %s",
2000 u->num_replies, inst->num_answers_to_alive, h->ctx.fd_info->name);
2001 DEBUG("Next status check packet will be in %pVs", fr_box_time_delta(fr_time_sub(u->retry.next, now)));
2002
2003 /*
2004 * Set the timer for the next retransmit.
2005 */
2006 if (fr_timer_at(h, h->ctx.el->tl, &u->ev, u->retry.next, false, status_check_next, treq->tconn) < 0) {
2008 }
2009 return;
2010 }
2011
2012 DEBUG("Received enough replies to status check, marking connection as active - %s", h->ctx.fd_info->name);
2013
2014 /*
2015 * Set the "last idle" time to now, so that we don't
2016 * restart zombie_period until sufficient time has
2017 * passed.
2018 */
2019 h->last_idle = fr_time();
2020
2021 /*
2022 * Reset retry interval and retransmission counters
2023 * also frees u->ev.
2024 */
2025 status_check_reset(h, u);
2026 trunk_connection_signal_active(treq->tconn);
2027}
2028
2029CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
2031{
2032 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
2033
2034 DEBUG3("%s - Reading data for connection %s", h->ctx.module_name, h->ctx.fd_info->name);
2035
2036 while (true) {
2037 ssize_t slen;
2038
2039 trunk_request_t *treq;
2040 request_t *request;
2041 bio_request_t *u;
2044 uint8_t code = 0;
2045 fr_pair_list_t reply;
2046 fr_pair_t *vp;
2047
2048 fr_time_t now;
2049
2050 fr_pair_list_init(&reply);
2051
2052 /*
2053 * Drain the socket of all packets. If we're busy, this
2054 * saves a round through the event loop. If we're not
2055 * busy, a few extra system calls don't matter.
2056 */
2057 slen = fr_bio_read(h->bio.main, NULL, h->buffer, h->buflen);
2058 if (slen == 0) {
2059 /*
2060 * @todo - set BIO FD EOF callback, so that we don't have to check it here.
2061 */
2063 return;
2064 }
2065
2066 /*
2067 * We're done reading, return.
2068 */
2069 if (slen == fr_bio_error(IO_WOULD_BLOCK)) return;
2070
2071 if (slen < 0) {
2072 ERROR("%s - Failed reading response from socket: %s",
2073 h->ctx.module_name, fr_syserror(errno));
2075 return;
2076 }
2077
2078 fr_assert(slen >= RADIUS_HEADER_LENGTH); /* checked in verify */
2079
2080 /*
2081 * Note that we don't care about packet codes. All
2082 * packet codes share the same ID space.
2083 */
2084 rr = radius_track_entry_find(h->tt, h->buffer[1], NULL);
2085 if (!rr) {
2086 WARN("%s - Ignoring reply with ID %i that arrived too late",
2087 h->ctx.module_name, h->buffer[1]);
2088 continue;
2089 }
2090
2091 treq = talloc_get_type_abort(rr->uctx, trunk_request_t);
2092 request = treq->request;
2093 fr_assert(request != NULL);
2094 u = talloc_get_type_abort(treq->rctx, bio_request_t);
2095 fr_assert(u == treq->preq);
2096
2097 /*
2098 * Decode the incoming packet.
2099 */
2100 reason = decode(request->reply_ctx, &reply, &code, h, request, u, rr->vector, h->buffer, (size_t)slen);
2101 if (reason != DECODE_FAIL_NONE) continue;
2102
2103 /*
2104 * Only valid packets are processed
2105 * Otherwise an attacker could perform
2106 * a DoS attack against the proxying servers
2107 * by sending fake responses for upstream
2108 * servers.
2109 */
2110 h->last_reply = now = fr_time();
2111
2112 /*
2113 * Status-Server can have any reply code, we don't care
2114 * what it is. So long as it's signed properly, we
2115 * accept it. This flexibility is because we don't
2116 * expose Status-Server to the admins. It's only used by
2117 * this module for internal signalling.
2118 */
2119 if (u == h->status_u) {
2120 fr_pair_list_free(&reply); /* Probably want to pass this to status_check_reply? */
2121 status_check_reply(treq, now);
2123 continue;
2124 }
2125
2126 /*
2127 * Handle any state changes, etc. needed by receiving a
2128 * Protocol-Error reply packet.
2129 *
2130 * Protocol-Error is permitted as a reply to any
2131 * packet.
2132 */
2133 switch (code) {
2136 break;
2137
2138 default:
2139 break;
2140 }
2141
2142 /*
2143 * Mark up the request as being an Access-Challenge, if
2144 * required.
2145 *
2146 * We don't do this for other packet types, because the
2147 * ok/fail nature of the module return code will
2148 * automatically result in it the parent request
2149 * returning an ok/fail packet code.
2150 */
2152 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
2153 if (!vp) {
2154 MEM(vp = fr_pair_afrom_da(request->reply_ctx, attr_packet_type));
2156 fr_pair_append(&request->reply_pairs, vp);
2157 }
2158 }
2159
2160 /*
2161 * Delete Proxy-State attributes from the reply.
2162 */
2164
2165 /*
2166 * If the reply has Message-Authenticator, then over-ride its value with all zeros, so
2167 * that we don't confuse anyone reading the debug output.
2168 */
2169 if ((vp = fr_pair_find_by_da(&reply, NULL, attr_message_authenticator)) != NULL) {
2170 (void) fr_pair_value_memdup(vp, (uint8_t const *) "", 1, false);
2171 }
2172
2173 treq->request->reply->code = code;
2174 u->rcode = radius_code_to_rcode[code];
2175 fr_pair_list_append(&request->reply_pairs, &reply);
2177 }
2178}
2179
2180/*
2181 * This is the same as request_mux(), except that we immediately mark the request as complete.
2182 */
2183CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
2185 trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
2186{
2187 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
2188 trunk_request_t *treq;
2189
2190 if (unlikely(trunk_connection_pop_request(&treq, tconn) < 0)) return;
2191
2192 /*
2193 * No more requests to send
2194 */
2195 if (!treq) return;
2196
2197 mod_write(treq->request, treq, h);
2198}
2199
2200CC_NO_UBSAN(function) /* UBSAN: false positive - public vs private connection_t trips --fsanitize=function*/
2202{
2203 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
2204
2205 DEBUG3("%s - Reading data for connection %s", h->ctx.module_name, h->ctx.fd_info->name);
2206
2207 while (true) {
2208 ssize_t slen;
2209
2210 trunk_request_t *treq;
2211 request_t *request;
2212 bio_request_t *u;
2215 uint8_t code = 0;
2216 fr_pair_list_t reply;
2217
2218 fr_time_t now;
2219
2220 fr_pair_list_init(&reply);
2221
2222 /*
2223 * Drain the socket of all packets. If we're busy, this
2224 * saves a round through the event loop. If we're not
2225 * busy, a few extra system calls don't matter.
2226 */
2227 slen = fr_bio_read(h->bio.main, NULL, h->buffer, h->buflen);
2228 if (slen == 0) {
2229 /*
2230 * @todo - set BIO FD EOF callback, so that we don't have to check it here.
2231 */
2233 return;
2234 }
2235
2236 /*
2237 * We're done reading, return.
2238 */
2239 if (slen == fr_bio_error(IO_WOULD_BLOCK)) return;
2240
2241 if (slen < 0) {
2242 ERROR("%s - Failed reading response from socket: %s",
2243 h->ctx.module_name, fr_syserror(errno));
2245 return;
2246 }
2247
2248 fr_assert(slen >= RADIUS_HEADER_LENGTH); /* checked in verify */
2249
2250 /*
2251 * We only pay attention to Protocol-Error replies.
2252 *
2253 * All other packets are discarded.
2254 */
2256 continue;
2257 }
2258
2259 /*
2260 * Note that we don't care about packet codes. All
2261 * packet codes share the same ID space.
2262 */
2263 rr = radius_track_entry_find(h->tt, h->buffer[1], NULL);
2264 if (!rr) {
2265 WARN("%s - Ignoring reply with ID %i that arrived too late",
2266 h->ctx.module_name, h->buffer[1]);
2267 continue;
2268 }
2269
2270 treq = talloc_get_type_abort(rr->uctx, trunk_request_t);
2271 request = treq->request;
2272 fr_assert(request != NULL);
2273 u = talloc_get_type_abort(treq->rctx, bio_request_t);
2274 fr_assert(u == treq->preq);
2275
2276 /*
2277 * Decode the incoming packet
2278 */
2279 reason = decode(request->reply_ctx, &reply, &code, h, request, u, rr->vector, h->buffer, (size_t)slen);
2280 if (reason != DECODE_FAIL_NONE) continue;
2281
2282 /*
2283 * Only valid packets are processed
2284 * Otherwise an attacker could perform
2285 * a DoS attack against the proxying servers
2286 * by sending fake responses for upstream
2287 * servers.
2288 */
2289 h->last_reply = now = fr_time();
2290
2291 /*
2292 * Status-Server can have any reply code, we don't care
2293 * what it is. So long as it's signed properly, we
2294 * accept it. This flexibility is because we don't
2295 * expose Status-Server to the admins. It's only used by
2296 * this module for internal signalling.
2297 */
2298 if (u == h->status_u) {
2299 fr_pair_list_free(&reply); /* Probably want to pass this to status_check_reply? */
2300 status_check_reply(treq, now);
2302 continue;
2303 }
2304
2305 /*
2306 * Handle any state changes, etc. needed by receiving a
2307 * Protocol-Error reply packet.
2308 *
2309 * Protocol-Error is also permitted as a reply to any
2310 * packet.
2311 */
2313 }
2314}
2315
2316
2317/** Remove the request from any tracking structures
2318 *
2319 * Frees encoded packets if the request is being moved to a new connection
2320 */
2321static void request_cancel(UNUSED connection_t *conn, void *preq_to_reset,
2322 trunk_cancel_reason_t reason, UNUSED void *uctx)
2323{
2324 bio_request_t *u = preq_to_reset;
2325
2326 /*
2327 * Request has been requeued on the same
2328 * connection due to timeout or DUP signal. We
2329 * keep the same packet to avoid re-encoding it.
2330 */
2331 if (reason == TRUNK_CANCEL_REASON_REQUEUE) {
2332 /*
2333 * Delete the request_timeout
2334 *
2335 * Note: There might not be a request timeout
2336 * set in the case where the request was
2337 * queued for sendmmsg but never actually
2338 * sent.
2339 */
2340 FR_TIMER_DISARM(u->ev);
2341 }
2342
2343 /*
2344 * Other cancellations are dealt with by
2345 * request_conn_release as the request is removed
2346 * from the trunk.
2347 */
2348}
2349
2350/** Clear out anything associated with the handle from the request
2351 *
2352 */
2353static void request_conn_release(connection_t *conn, void *preq_to_reset, UNUSED void *uctx)
2354{
2355 bio_request_t *u = preq_to_reset;
2356 bio_handle_t *h = talloc_get_type_abort(conn->h, bio_handle_t);
2357
2358 FR_TIMER_DISARM(u->ev);
2360
2361 if (h->ctx.inst->mode == RLM_RADIUS_MODE_REPLICATE) return;
2362
2363 u->num_replies = 0;
2364
2365 /*
2366 * If there are no outstanding tracking entries
2367 * allocated then the connection is "idle".
2368 */
2369 if (!h->tt || (h->tt->num_requests == 0)) h->last_idle = fr_time();
2370}
2371
2372/** Write out a canned failure
2373 *
2374 */
2375static void request_fail(request_t *request, NDEBUG_UNUSED void *preq, void *rctx,
2376 NDEBUG_UNUSED trunk_request_state_t state, UNUSED void *uctx)
2377{
2378 bio_request_t *u = talloc_get_type_abort(rctx, bio_request_t);
2379
2380 fr_assert(u == preq);
2381
2382 fr_assert(!u->rr && !u->packet && fr_pair_list_empty(&u->extra) && !u->ev); /* Dealt with by request_conn_release */
2383
2385
2386 if (u->status_check) return;
2387
2389 u->treq = NULL;
2390
2392}
2393
2394/** Response has already been written to the rctx at this point
2395 *
2396 */
2397static void request_complete(request_t *request, NDEBUG_UNUSED void *preq, void *rctx, UNUSED void *uctx)
2398{
2399 bio_request_t *u = talloc_get_type_abort(rctx, bio_request_t);
2400
2401 fr_assert(u == preq);
2402
2403 fr_assert(!u->rr && !u->packet && fr_pair_list_empty(&u->extra) && !u->ev); /* Dealt with by request_conn_release */
2404
2405 if (u->status_check) return;
2406
2407 u->treq = NULL;
2408
2410}
2411
2412/** Resume execution of the request, returning the rcode set during trunk execution
2413 *
2414 */
2416{
2417 bio_request_t *u = talloc_get_type_abort(mctx->rctx, bio_request_t);
2418 rlm_rcode_t rcode = u->rcode;
2419
2420 talloc_free(u);
2421
2422 RETURN_UNLANG_RCODE(rcode);
2423}
2424
2425static void do_signal(rlm_radius_t const *inst, bio_request_t *u, request_t *request, fr_signal_t action);
2426
2427static void mod_signal(module_ctx_t const *mctx, UNUSED request_t *request, fr_signal_t action)
2428{
2430
2431 bio_request_t *u = talloc_get_type_abort(mctx->rctx, bio_request_t);
2432
2433 do_signal(inst, u, request, action);
2434}
2435
2436static void do_signal(rlm_radius_t const *inst, bio_request_t *u, UNUSED request_t *request, fr_signal_t action)
2437{
2438 /*
2439 * We received a duplicate packet, but we're not doing
2440 * synchronous proxying. Ignore the dup, and rely on the
2441 * IO submodule to time it's own retransmissions.
2442 */
2443 if ((action == FR_SIGNAL_DUP) && (inst->mode != RLM_RADIUS_MODE_PROXY)) return;
2444
2445 /*
2446 * If we don't have a treq associated with the
2447 * rctx it's likely because the request was
2448 * scheduled, but hasn't yet been resumed, and
2449 * has received a signal, OR has been resumed
2450 * and immediately cancelled as the event loop
2451 * is exiting, in which case
2452 * unlang_request_is_scheduled will return false
2453 * (don't use it).
2454 */
2455 if (!u->treq) return;
2456
2457 switch (action) {
2458 /*
2459 * The request is being cancelled, tell the
2460 * trunk so it can clean up the treq.
2461 */
2462 case FR_SIGNAL_CANCEL:
2464 u->treq = NULL;
2465 return;
2466
2467 /*
2468 * Requeue the request on the same connection
2469 * causing a "retransmission" if the request
2470 * has already been sent out.
2471 */
2472 case FR_SIGNAL_DUP:
2473 mod_dup(request, u);
2474 return;
2475
2476 default:
2477 return;
2478 }
2479}
2480
2481/** Free a bio_request_t
2482 *
2483 * Allows us to set break points for debugging.
2484 */
2486{
2487 if (!u->treq) return 0;
2488
2489#ifndef NDEBUG
2490 {
2491 trunk_request_t *treq;
2492 treq = talloc_get_type_abort(u->treq, trunk_request_t);
2493 fr_assert(treq->preq == u);
2494 }
2495#endif
2496
2497 fr_assert_msg(!fr_timer_armed(u->ev), "bio_request_t freed with active timer");
2498
2500
2501 fr_assert(u->rr == NULL);
2502
2503 return 0;
2504}
2505
2506static int mod_enqueue(bio_request_t **p_u, fr_retry_config_t const **p_retry_config,
2507 rlm_radius_t const *inst, trunk_t *trunk, request_t *request)
2508{
2509 bio_request_t *u;
2510 trunk_request_t *treq;
2512
2513 fr_assert(request->packet->code > 0);
2514 fr_assert(request->packet->code < FR_RADIUS_CODE_MAX);
2515
2516 /*
2517 * Do any necessary RADIUS level fixups
2518 * - check Proxy-State
2519 * - do CHAP-Challenge fixups
2520 */
2521 if (radius_fixups(inst, request) < 0) return 0;
2522
2523 treq = trunk_request_alloc(trunk, request);
2524 if (!treq) {
2525 REDEBUG("Failed allocating handler for request");
2526 return -1;
2527 }
2528
2529 MEM(u = talloc_zero(request, bio_request_t));
2530 talloc_set_destructor(u, _bio_request_free);
2531
2532 /*
2533 * Can't use compound literal - const issues.
2534 */
2535 u->code = request->packet->code;
2536 u->priority = request->priority;
2537 u->recv_time = request->async->recv_time;
2539
2540 u->retry.count = 1;
2541
2543
2544 switch(trunk_request_enqueue(&treq, trunk, request, u, u)) {
2545 case TRUNK_ENQUEUE_OK:
2547 break;
2548
2550 REDEBUG("Unable to queue packet - connections at maximum capacity");
2551 fail:
2552 fr_assert(!u->rr && !u->packet); /* Should not have been fed to the muxer */
2553 trunk_request_free(&treq); /* Return to the free list */
2554 talloc_free(u);
2555 return -1;
2556
2558 REDEBUG("All destinations are down - cannot send packet");
2559 goto fail;
2560
2561 case TRUNK_ENQUEUE_FAIL:
2562 REDEBUG("Unable to queue packet");
2563 goto fail;
2564 }
2565
2566 u->treq = treq; /* Remember for signalling purposes */
2567 fr_assert(treq->rctx == u);
2568
2569 /*
2570 * Figure out if we're originating the packet or proxying it. And also figure out if we have to
2571 * retry.
2572 */
2573 switch (inst->mode) {
2575 case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE: /* unconnected sockets are UDP, and bypass the trunk */
2576 REDEBUG("Internal sanity check failed - connection trunking cannot be used for replication");
2577 return -1;
2578
2579 /*
2580 * We originate this packet if it was taken from the detail module, which doesn't have a
2581 * real client. @todo - do a better check here.
2582 *
2583 * We originate this packet if the parent request is not compatible with this one
2584 * (i.e. it's from a different protocol).
2585 *
2586 * We originate the packet if the parent is from the same dictionary, but has a different
2587 * packet code. This lets us receive Accounting-Request, and originate
2588 * Disconnect-Request.
2589 */
2592 if (!request->parent) {
2593 u->proxied = (request->client && request->client->cs != NULL);
2594
2595 } else if (!fr_dict_compatible(request->parent->proto_dict, request->proto_dict)) {
2596 u->proxied = false;
2597
2598 } else {
2599 u->proxied = (request->parent->packet->code == request->packet->code);
2600 }
2601
2602 /*
2603 * Proxied packets get a final timeout, as we retry only on DUP packets.
2604 */
2605 if (u->proxied) goto timeout_retry;
2606
2608
2609 /*
2610 * Client packets (i.e. packets we originate) get retries for UDP. And no retries for TCP.
2611 */
2613 if (inst->fd_config.socket_type == SOCK_DGRAM) {
2614 retry_config = &inst->retry[u->code];
2615 break;
2616 }
2618
2619 /*
2620 * Replicated packets are never retried, but they have a timeout if the socket isn't
2621 * ready for writing.
2622 */
2624 timeout_retry:
2625 retry_config = &inst->timeout_retry;
2626 break;
2627 }
2628
2629 /*
2630 * The event loop will take care of demux && sending the
2631 * packet, along with any retransmissions.
2632 */
2633 *p_u = u;
2634 *p_retry_config = retry_config;
2635
2636 return 1;
2637}
2638
2639static void home_server_free(void *data)
2640{
2641 home_server_t *home = data;
2642
2643 talloc_free(home);
2644}
2645
2648 .connection_notify = thread_conn_notify,
2649 .request_prioritise = request_prioritise,
2650 .request_mux = request_mux,
2651 .request_demux = request_demux,
2652 .request_conn_release = request_conn_release,
2653 .request_complete = request_complete,
2654 .request_fail = request_fail,
2655 .request_cancel = request_cancel,
2656};
2657
2660 .connection_notify = thread_conn_notify,
2661 .request_prioritise = request_prioritise,
2662 .request_mux = request_replicate_mux,
2663 .request_demux = request_replicate_demux,
2664 .request_conn_release = request_conn_release,
2665 .request_complete = request_complete,
2666 .request_fail = request_fail,
2667 .request_cancel = request_cancel,
2668};
2669
2670/** Instantiate thread data for the submodule.
2671 *
2672 */
2674{
2675 rlm_radius_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
2676 bio_thread_t *thread = talloc_get_type_abort(mctx->thread, bio_thread_t);
2677
2678 thread->ctx.el = mctx->el;
2679 thread->ctx.inst = inst;
2680 thread->ctx.fd_config = inst->fd_config;
2681 thread->ctx.radius_ctx = inst->common_ctx;
2682
2683 switch (inst->mode) {
2686 inst->home_server_lifetime);
2688
2689 default:
2690 /*
2691 * Assign each thread a portion of the available source port range.
2692 */
2693 if (thread->ctx.fd_config.src_port_start) {
2694 uint16_t range = inst->fd_config.src_port_end - inst->fd_config.src_port_start + 1;
2695 thread->num_ports = range / main_config->max_workers;
2696 thread->ctx.fd_config.src_port_start = inst->fd_config.src_port_start + (thread->num_ports * fr_schedule_worker_id());
2697 thread->ctx.fd_config.src_port_end = inst->fd_config.src_port_start + (thread->num_ports * (fr_schedule_worker_id() +1)) - 1;
2698 if (inst->mode != RLM_RADIUS_MODE_XLAT_PROXY) {
2699 thread->connections = talloc_zero_array(thread, connection_t *, thread->num_ports);
2701 }
2702 }
2703
2704 thread->ctx.trunk = trunk_alloc(thread, mctx->el, &io_funcs,
2705 &inst->trunk_conf, inst->name, thread, false);
2706 if (!thread->ctx.trunk) return -1;
2707 return 0;
2708
2710 /*
2711 * We can replicate over TCP, but that uses trunks.
2712 */
2713 if (inst->fd_config.socket_type == SOCK_DGRAM) break;
2714
2715 thread->ctx.trunk = trunk_alloc(thread, mctx->el, &io_replicate_funcs,
2716 &inst->trunk_conf, inst->name, thread, false);
2717 if (!thread->ctx.trunk) return -1;
2718 return 0;
2719
2721 break;
2722 }
2723
2724 /*
2725 * If we have a port range, allocate the source port based
2726 * on the range start, plus the thread ID. This means
2727 * that we can avoid "hunt and peck" attempts to open up
2728 * the source port.
2729 */
2730 if (thread->ctx.fd_config.src_port_start) {
2732 }
2733
2734 /*
2735 * Allocate an unconnected socket for replication.
2736 */
2737 thread->bio.fd = fr_bio_fd_alloc(thread, &thread->ctx.fd_config, 0);
2738 if (!thread->bio.fd) {
2739 PERROR("%s - failed opening socket", inst->name);
2740 return -1;
2741 }
2742
2743 thread->bio.fd->uctx = thread;
2744 thread->ctx.fd_info = fr_bio_fd_info(thread->bio.fd);
2745 fr_assert(thread->ctx.fd_info != NULL);
2746
2747 (void) fr_bio_fd_write_only(thread->bio.fd);
2748
2749 DEBUG("%s - Opened unconnected replication socket %s", inst->name, thread->ctx.fd_info->name);
2750 return 0;
2751}
2752
2754 { .required = true, .single = true, .type = FR_TYPE_COMBO_IP_ADDR },
2755 { .required = true, .single = true, .type = FR_TYPE_UINT16 },
2756 { .required = true, .single = true, .type = FR_TYPE_STRING },
2758};
2759
2760/*
2761 * %replicate.sendto.ipaddr(ipaddr, port, secret)
2762 */
2764 xlat_ctx_t const *xctx,
2765 request_t *request, fr_value_box_list_t *args)
2766{
2767 bio_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, bio_thread_t);
2768 fr_value_box_t *ipaddr, *port, *secret;
2769 ssize_t packet_len;
2770 uint8_t buffer[4096];
2771 fr_radius_ctx_t radius_ctx;
2774
2775 XLAT_ARGS(args, &ipaddr, &port, &secret);
2776
2777 /*
2778 * Can't change IP address families.
2779 */
2780 if (ipaddr->vb_ip.af != thread->ctx.fd_info->socket.af) {
2781 RPERROR("Invalid destination IP address family in %pV", ipaddr);
2782 return XLAT_ACTION_FAIL;
2783 }
2784
2785 /*
2786 * Warn if we're not replicating accounting data. It likely won't wokr/
2787 */
2788 if (request->packet->code != FR_RADIUS_CODE_ACCOUNTING_REQUEST) {
2789 RWDEBUG("Replication of packets other then Accounting-Request will likely not do what you want.");
2790 }
2791
2792 /*
2793 * Set up various context things.
2794 */
2795 radius_ctx = (fr_radius_ctx_t) {
2796 .secret = secret->vb_strvalue,
2797 .secret_length = secret->vb_length,
2798 .proxy_state = 0,
2799 };
2800
2802 .common = &radius_ctx,
2803 .rand_ctx = (fr_fast_rand_t) {
2804 .a = fr_rand(),
2805 .b = fr_rand(),
2806 },
2807 .code = request->packet->code,
2808 .id = thread->bio.id++ & 0xff,
2809 .add_proxy_state = false,
2810 };
2811
2812 /*
2813 * Encode the entire packet.
2814 */
2815 packet_len = fr_radius_encode(&FR_DBUFF_TMP(buffer, sizeof(buffer)),
2816 &request->request_pairs, &encode_ctx);
2817 if (fr_pair_encode_is_error(packet_len)) {
2818 RPERROR("Failed encoding packet");
2819 return XLAT_ACTION_FAIL;
2820 }
2821
2822 /*
2823 * Sign it.
2824 */
2825 if (fr_radius_sign(buffer, NULL, (uint8_t const *) radius_ctx.secret, radius_ctx.secret_length) < 0) {
2826 RPERROR("Failed signing packet");
2827 return XLAT_ACTION_FAIL;
2828 }
2829
2830 /*
2831 * Prepare destination address.
2832 */
2833 addr = (fr_bio_fd_packet_ctx_t) {
2834 .socket = thread->ctx.fd_info->socket,
2835 };
2836 addr.socket.inet.dst_ipaddr = ipaddr->vb_ip;
2837 addr.socket.inet.dst_port = port->vb_uint16;
2838
2839 RDEBUG("Replicating packet to %pV:%u", ipaddr, port->vb_uint16);
2840
2841 /*
2842 * We either send it, or fail.
2843 */
2844 packet_len = fr_bio_write(thread->bio.fd, &addr, buffer, packet_len);
2845 if (packet_len < 0) {
2846 RPERROR("Failed sending packet to %pV:%u", ipaddr, port->vb_uint16);
2847 return XLAT_ACTION_FAIL;
2848 }
2849
2850 /*
2851 * No return value.
2852 */
2853 return XLAT_ACTION_DONE;
2854}
2855
2856// **********************************************************************
2857
2858/** Dynamic home server code
2859 *
2860 */
2861
2862static int8_t home_server_cmp(void const *one, void const *two)
2863{
2864 home_server_t const *a = one;
2865 home_server_t const *b = two;
2866 int8_t rcode;
2867
2869 if (rcode != 0) return rcode;
2870
2872}
2873
2875 xlat_ctx_t const *xctx,
2876 request_t *request, UNUSED fr_value_box_list_t *in)
2877{
2878 bio_request_t *u = talloc_get_type_abort(xctx->rctx, bio_request_t);
2879 fr_value_box_t *dst;
2880
2881 if (u->rcode == RLM_MODULE_FAIL) return XLAT_ACTION_FAIL;
2882
2884 dst->vb_uint32 = request->reply->code;
2885
2886 fr_dcursor_append(out, dst);
2887
2888 return XLAT_ACTION_DONE;
2889}
2890
2891static void xlat_sendto_signal(xlat_ctx_t const *xctx, request_t *request, fr_signal_t action)
2892{
2893 rlm_radius_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_radius_t);
2894 bio_request_t *u = talloc_get_type_abort(xctx->rctx, bio_request_t);
2895
2896 do_signal(inst, u, request, action);
2897}
2898
2899/*
2900 * @todo - change this to mod_retry
2901 */
2902static void xlat_sendto_retry(xlat_ctx_t const *xctx, request_t *request, fr_retry_t const *retry)
2903{
2904 rlm_radius_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_radius_t);
2905 bio_request_t *u = talloc_get_type_abort(xctx->rctx, bio_request_t);
2906
2907 do_retry(inst, u, request, retry);
2908}
2909
2910/*
2911 * %proxy.sendto.ipaddr(ipaddr, port, secret)
2912 */
2914 xlat_ctx_t const *xctx,
2915 request_t *request, fr_value_box_list_t *args)
2916{
2917 rlm_radius_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_radius_t);
2918 bio_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, bio_thread_t);
2919 fr_value_box_t *ipaddr, *port, *secret;
2920 home_server_t *home;
2921 bio_request_t *u = NULL;
2922 fr_retry_config_t const *retry_config = NULL;
2923 int rcode;
2924
2925 XLAT_ARGS(args, &ipaddr, &port, &secret);
2926
2927 /*
2928 * Can't change IP address families.
2929 */
2930 if (ipaddr->vb_ip.af != thread->ctx.fd_config.src_ipaddr.af) {
2931 RDEBUG("Invalid destination IP address family in %pV", ipaddr);
2932 return XLAT_ACTION_DONE;
2933 }
2934
2935 home = fr_rb_find(&thread->bio.expires.tree, &(home_server_t) {
2936 .ctx = {
2937 .fd_config = (fr_bio_fd_config_t) {
2938 .dst_ipaddr = ipaddr->vb_ip,
2939 .dst_port = port->vb_uint16,
2940 },
2941 },
2942 });
2943 if (!home) {
2944 /*
2945 * Track which connections are made to this home server from which open ports.
2946 */
2947 MEM(home = (home_server_t *) talloc_zero_array(thread, uint8_t, sizeof(home_server_t) + sizeof(connection_t *) * thread->num_ports));
2948 talloc_set_type(home, home_server_t);
2949
2950 *home = (home_server_t) {
2951 .ctx = (bio_handle_ctx_t) {
2952 .el = unlang_interpret_event_list(request),
2953 .module_name = inst->name,
2954 .inst = inst,
2955 .limit_source_ports = (thread->num_ports > 0) ? LIMIT_PORTS_DYNAMIC : LIMIT_PORTS_NONE,
2956 },
2957 .num_ports = thread->num_ports,
2958 };
2959
2960 /*
2961 * Copy the home server configuration from the thread configuration. Then update it with
2962 * the needs of the home server.
2963 */
2964 home->ctx.fd_config = thread->ctx.fd_config;
2965 home->ctx.fd_config.type = FR_BIO_FD_CONNECTED;
2966 home->ctx.fd_config.dst_ipaddr = ipaddr->vb_ip;
2967 home->ctx.fd_config.dst_port = port->vb_uint32;
2968
2969 home->ctx.radius_ctx = (fr_radius_ctx_t) {
2970 .secret = talloc_strdup(home, secret->vb_strvalue),
2971 .secret_length = secret->vb_length,
2972 .proxy_state = inst->common_ctx.proxy_state,
2973 };
2974
2975 /*
2976 * Allocate the trunk and start it up.
2977 */
2978 home->ctx.trunk = trunk_alloc(home, unlang_interpret_event_list(request), &io_funcs,
2979 &inst->trunk_conf, inst->name, home, false);
2980 if (!home->ctx.trunk) {
2981 fail:
2982 talloc_free(home);
2983 return XLAT_ACTION_FAIL;
2984 }
2985
2986 if (!fr_rb_expire_insert(&thread->bio.expires, home, fr_time())) goto fail;
2987 } else {
2988 fr_rb_expire_t *expire = &thread->bio.expires;
2989 fr_time_t now = fr_time();
2990 home_server_t *old;
2991
2992 /*
2993 * We can't change secrets on the fly. The home
2994 * server has to expire first, and then the
2995 * secret can be changed.
2996 */
2997 if ((home->ctx.radius_ctx.secret_length != secret->vb_length) ||
2998 (strcmp(home->ctx.radius_ctx.secret, secret->vb_strvalue) != 0)) {
2999 RWDEBUG("The new secret is not the same as the old secret: Ignoring the new one");
3000 }
3001
3002 fr_rb_expire_update(expire, home, now);
3003
3004 while ((old = fr_dlist_head(&expire->head)) != NULL) {
3005 (void) talloc_get_type_abort(old, home_server_t);
3006
3007 fr_assert(old->ctx.trunk);
3008
3009 /*
3010 * Don't delete the home server we're about to use.
3011 */
3012 if (old == home) break;
3013
3014 /*
3015 * It still has a request allocated, do nothing.
3016 */
3017 if (old->ctx.trunk->req_alloc) break;
3018
3019 /*
3020 * Not yet time to expire.
3021 */
3022 if (fr_time_gt(old->expire.when, now)) break;
3023
3024 fr_dlist_remove(&expire->head, old);
3025 fr_rb_delete(&expire->tree, old);
3026 }
3027 }
3028
3029 /*
3030 * Enqueue the packet on the per-home-server trunk.
3031 */
3032 rcode = mod_enqueue(&u, &retry_config, inst, home->ctx.trunk, request);
3033 if (rcode == 0) return XLAT_ACTION_DONE;
3034
3035 if (rcode < 0) {
3036 REDEBUG("Failed enqueuing packet");
3037 return XLAT_ACTION_FAIL;
3038 }
3039 fr_assert(u != NULL);
3040 fr_assert(retry_config != NULL);
3041
3042 /*
3043 * Start the retry.
3044 *
3045 * @todo - change unlang_xlat_timeout_add() to unlang_xlat_retry_add().
3046 */
3047 fr_retry_init(&u->retry, fr_time(), retry_config);
3048
3051 u, retry_config);
3052}
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
static int const char char buffer[256]
Definition acutest.h:576
int const char * file
Definition acutest.h:702
va_list args
Definition acutest.h:770
int const char int line
Definition acutest.h:702
static ssize_t fr_bio_write(fr_bio_t *bio, void *packet_ctx, void const *buffer, size_t size)
Write raw data to a bio.
Definition base.h:184
static ssize_t fr_bio_read(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
Read raw data from a bio.
Definition base.h:161
void * uctx
user ctx, caller can manually set it.
Definition base.h:114
#define fr_bio_error(_x)
Definition base.h:200
#define NDEBUG_UNUSED
Definition build.h:328
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define CMP_PREFER_SMALLER(_a, _b)
Evaluates to +1 for a > b, and -1 for a < b.
Definition build.h:104
#define CC_NO_UBSAN(_sanitize)
Definition build.h:428
#define CMP(_a, _b)
Same as CMP_PREFER_SMALLER use when you don't really care about ordering, you just want an ordering.
Definition build.h:112
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
connection_state_t
Definition connection.h:47
@ CONNECTION_STATE_FAILED
Connection has failed.
Definition connection.h:56
@ CONNECTION_STATE_CONNECTED
File descriptor is open (ready for writing).
Definition connection.h:54
@ CONNECTION_STATE_INIT
Init state, sets up connection.
Definition connection.h:51
@ CONNECTION_STATE_CONNECTING
Waiting for connection to establish.
Definition connection.h:52
@ CONNECTION_FAILED
Connection is being reconnected because it failed.
Definition connection.h:85
Holds a complete set of functions for a connection.
Definition connection.h:193
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:514
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:202
#define fr_assert_fail(_msg,...)
Calls panic_action ifndef NDEBUG, else logs error.
Definition debug.h:208
#define MEM(x)
Definition debug.h:36
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
static fr_dict_attr_t const * attr_packet_type
Definition dhcpclient.c:89
#define ERROR(fmt,...)
Definition dhcpclient.c:41
int main(int argc, char **argv)
Definition dhcpclient.c:531
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
bool fr_dict_compatible(fr_dict_t const *dict1, fr_dict_t const *dict2)
See if two dictionaries have the same end parent.
Definition dict_util.c:2711
static fr_slen_t in
Definition dict.h:849
static void * fr_dlist_head(fr_dlist_head_t const *list_head)
Return the HEAD item of a list or NULL if the list is empty.
Definition dlist.h:486
static void * fr_dlist_remove(fr_dlist_head_t *list_head, void *ptr)
Remove an item from the list.
Definition dlist.h:638
#define fr_event_fd_insert(...)
Definition event.h:248
void(* fr_event_fd_cb_t)(fr_event_list_t *el, int fd, int flags, void *uctx)
Called when an IO event occurs on a file descriptor.
Definition event.h:151
int fr_bio_fd_connect_full(fr_bio_t *bio, fr_event_list_t *el, fr_bio_callback_t connected_cb, fr_bio_callback_t error_cb, fr_time_delta_t *timeout, fr_bio_callback_t timeout_cb)
Finalize a connect()
Definition fd.c:1187
fr_bio_t * fr_bio_fd_alloc(TALLOC_CTX *ctx, fr_bio_fd_config_t const *cfg, size_t offset)
Allocate a FD bio.
Definition fd.c:968
fr_bio_fd_info_t const * fr_bio_fd_info(fr_bio_t *bio)
Returns a pointer to the bio-specific information.
Definition fd.c:1284
int fr_bio_fd_write_only(fr_bio_t *bio)
Mark up a bio as write-only.
Definition fd.c:1337
fr_socket_t socket
as connected socket
Definition fd.h:129
char const * name
printable name of this BIO
Definition fd.h:134
uint16_t src_port
our port
Definition fd.h:91
bool eof
are we at EOF?
Definition fd.h:138
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition fd.h:68
fr_bio_fd_state_t state
connecting, open, closed, etc.
Definition fd.h:132
uint16_t src_port_start
limit source port ranges for client BIOs
Definition fd.h:94
@ FR_BIO_FD_STATE_CONNECTING
Definition fd.h:60
@ FR_BIO_FD_STATE_OPEN
error states must be before this
Definition fd.h:59
int connect_errno
from connect() or other APIs
Definition fd.h:140
fr_ipaddr_t dst_ipaddr
their IP address
Definition fd.h:89
uint16_t src_port_end
limit source port ranges for client BIOs
Definition fd.h:95
int socket_type
SOCK_STREAM or SOCK_DGRAM.
Definition fd.h:83
uint16_t dst_port
their port
Definition fd.h:92
fr_socket_t socket
socket information, including FD.
Definition fd.h:52
bool write_blocked
did we block on write?
Definition fd.h:137
fr_ipaddr_t src_ipaddr
our IP address
Definition fd.h:88
Configuration for sockets.
Definition fd.h:80
Run-time status of the socket.
Definition fd.h:128
Per-packet context.
Definition fd.h:51
int8_t fr_ipaddr_cmp(fr_ipaddr_t const *a, fr_ipaddr_t const *b)
Compare two ip addresses.
Definition inet.c:1347
int af
Address family.
Definition inet.h:64
void unlang_interpret_mark_runnable(request_t *request)
Mark a request as resumable.
Definition interpret.c:1620
fr_event_list_t * unlang_interpret_event_list(request_t *request)
Get the event list for the current interpreter.
Definition interpret.c:2017
Minimal data structure to use the new code.
Definition listen.h:59
static bool fr_pair_encode_is_error(ssize_t slen)
Determine if the return code for an encoding function is a fatal error.
Definition pair.h:74
fr_bio_t * fr_bio_mem_alloc(TALLOC_CTX *ctx, size_t read_size, size_t write_size, fr_bio_t *next)
Allocate a memory buffer bio.
Definition mem.c:723
int fr_bio_mem_set_verify(fr_bio_t *bio, fr_bio_verify_t verify, void *verify_ctx, bool datagram)
Set the verification function for memory bios.
Definition mem.c:901
HIDDEN fr_dict_attr_t const * attr_eap_message
Definition base.c:96
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:828
#define PERROR(_fmt,...)
Definition log.h:228
#define DEBUG3(_fmt,...)
Definition log.h:266
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RWARN(fmt,...)
Definition log.h:297
#define RERROR(fmt,...)
Definition log.h:298
#define DEBUG4(_fmt,...)
Definition log.h:267
#define RPERROR(fmt,...)
Definition log.h:302
#define RINFO(fmt,...)
Definition log.h:296
#define RPEDEBUG(fmt,...)
Definition log.h:376
#define HEXDUMP3(_data, _len, _fmt,...)
Definition log.h:723
#define RHEXDUMP3(_data, _len, _fmt,...)
Definition log.h:705
int map_to_vp(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, map_t const *map, UNUSED void *uctx)
Convert a map to a fr_pair_t.
Definition map.c:1593
int map_to_request(request_t *request, map_t const *map, radius_map_getvalue_t func, void *ctx)
Convert map_t to fr_pair_t (s) and add them to a request_t.
Definition map.c:1873
talloc_free(reap)
Stores all information relating to an event list.
Definition event.c:377
fr_log_t default_log
Definition log.c:288
void fr_log(fr_log_t const *log, fr_log_type_t type, char const *file, int line, char const *fmt,...)
Send a server log message to its destination.
Definition log.c:577
@ L_DBG_LVL_3
3rd highest priority debug messages (-xxx | -Xx).
Definition log.h:72
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
fr_log_type_t
Definition log.h:54
@ L_ERR
Error message.
Definition log.h:56
fr_packet_t * fr_packet_alloc(TALLOC_CTX *ctx, bool new_vector)
Allocate a new fr_packet_t.
Definition packet.c:38
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
uint32_t max_workers
for the scheduler
fr_bio_verify_action_t
Status returned by the verification callback.
Definition mem.h:32
@ FR_BIO_VERIFY_ERROR_CLOSE
fatal error, the bio should be closed.
Definition mem.h:36
@ FR_BIO_VERIFY_DISCARD
the packet should be discarded
Definition mem.h:34
@ FR_BIO_VERIFY_OK
packet is OK
Definition mem.h:33
@ FR_BIO_VERIFY_WANT_MORE
not enough data for one packet
Definition mem.h:35
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
unsigned short uint16_t
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT16
16 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
unsigned int uint32_t
long int ssize_t
unsigned char uint8_t
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
void * thread
Thread specific instance data.
Definition module_ctx.h:43
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68
void * thread
Thread instance data.
Definition module_ctx.h:67
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:64
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63
struct bio_thread_t::@184 bio
static int mod_enqueue(bio_request_t **p_u, fr_retry_config_t const **p_retry_config, rlm_radius_t const *inst, trunk_t *trunk, request_t *request)
Definition bio.c:2506
fr_bio_fd_config_t fd_config
for threads or sockets
Definition bio.c:51
int num_ports
Definition bio.c:146
static int8_t request_prioritise(void const *one, void const *two)
Definition bio.c:1153
static void do_retry(rlm_radius_t const *inst, bio_request_t *u, request_t *request, fr_retry_t const *retry)
Definition bio.c:1547
fr_timer_t * ev
timer for retransmissions
Definition bio.c:137
static bool check_for_zombie(fr_event_list_t *el, trunk_connection_t *tconn, fr_time_t now, fr_time_t last_sent)
See if the connection is zombied.
Definition bio.c:1444
static void request_replicate_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
Definition bio.c:2184
static void conn_init_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, int fd_errno, void *uctx)
Connection errored.
Definition bio.c:338
static void request_demux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
Definition bio.c:2030
static void conn_discard(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
Read and discard data.
Definition bio.c:1037
uint8_t id
Last ID assigned to this packet.
Definition bio.c:131
static void request_replicate_demux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
Definition bio.c:2201
uint32_t max_packet_size
Our max packet size. may be different from the parent.
Definition bio.c:91
static void do_signal(rlm_radius_t const *inst, bio_request_t *u, request_t *request, fr_signal_t action)
static void bio_connected(fr_bio_t *bio)
Definition bio.c:630
uint32_t num_replies
number of reply packets, sent is in retry.count
Definition bio.c:123
static const trunk_io_funcs_t io_funcs
Definition bio.c:2646
static void conn_close(UNUSED fr_event_list_t *el, void *handle, void *uctx)
Shutdown/close a file descriptor.
Definition bio.c:911
bio_limit_ports_t
Definition bio.c:40
@ LIMIT_PORTS_DYNAMIC
Limited source ports for dynamic home servers.
Definition bio.c:43
@ LIMIT_PORTS_NONE
Source port not restricted.
Definition bio.c:41
@ LIMIT_PORTS_STATIC
Limited source ports for static home servers.
Definition bio.c:42
uint32_t priority
copied from request->async->priority
Definition bio.c:120
static rlm_rcode_t radius_code_to_rcode[FR_RADIUS_CODE_MAX]
Turn a reply code into a module rcode;.
Definition bio.c:154
static void conn_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, int fd_errno, void *uctx)
Connection errored.
Definition bio.c:1072
char const * module_name
the module that opened the connection
Definition bio.c:47
fr_bio_fd_info_t const * fd_info
status of the FD.
Definition bio.c:52
connection_t * connections[]
for tracking outbound connections
Definition bio.c:147
struct bio_handle_t::@185 bio
static void mod_signal(module_ctx_t const *mctx, UNUSED request_t *request, fr_signal_t action)
Definition bio.c:2427
uint8_t last_id
Used when replicating to ensure IDs are distributed evenly.
Definition bio.c:88
static void mod_retry(module_ctx_t const *mctx, request_t *request, fr_retry_t const *retry)
Handle module retries.
Definition bio.c:1539
static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code, bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH], uint8_t *data, size_t data_len)
Decode response packet data, extracting relevant information and validating the packet.
Definition bio.c:1192
static void thread_conn_notify(trunk_connection_t *tconn, connection_t *conn, fr_event_list_t *el, trunk_connection_event_t notify_on, UNUSED void *uctx)
Definition bio.c:1084
static int encode(bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t id)
Definition bio.c:1259
fr_time_t last_reply
When we last received a reply.
Definition bio.c:99
static void request_conn_release(connection_t *conn, void *preq_to_reset, UNUSED void *uctx)
Clear out anything associated with the handle from the request.
Definition bio.c:2353
int fd
File descriptor.
Definition bio.c:78
bio_request_t * status_u
for sending status check packets
Definition bio.c:107
bio_handle_ctx_t ctx
common struct for home servers and BIO handles
Definition bio.c:58
static fr_bio_verify_action_t rlm_radius_verify(UNUSED fr_bio_t *bio, void *verify_ctx, UNUSED void *packet_ctx, const void *data, size_t *size)
Definition bio.c:649
static void mod_write(request_t *request, trunk_request_t *treq, bio_handle_t *h)
Definition bio.c:1639
#define REQUIRE_MA(_h)
fr_pair_list_t extra
VPs for debugging, like Proxy-State.
Definition bio.c:128
bool proxied
is this request being proxied
Definition bio.c:126
size_t buflen
Receive buffer length.
Definition bio.c:94
static void conn_init_readable(fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
Read the connection during the init and negotiation stage.
Definition bio.c:421
fr_time_t last_idle
last time we had nothing to do
Definition bio.c:102
static void bio_tracking_entry_log(fr_log_t const *log, fr_log_type_t log_type, char const *file, int line, radius_track_entry_t *te)
Log additional information about a tracking entry.
Definition bio.c:197
static xlat_action_t xlat_radius_replicate(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2763
radius_track_entry_t * rr
ID tracking, resend count, etc.
Definition bio.c:136
size_t packet_len
Length of the packet.
Definition bio.c:133
static int _bio_handle_free(bio_handle_t *h)
Free a connection handle, closing associated resources.
Definition bio.c:613
size_t partial
partially sent data
Definition bio.c:134
fr_event_list_t * el
Event list.
Definition bio.c:49
static void request_cancel(UNUSED connection_t *conn, void *preq_to_reset, trunk_cancel_reason_t reason, UNUSED void *uctx)
Remove the request from any tracking structures.
Definition bio.c:2321
static void home_server_free(void *data)
Definition bio.c:2639
int num_ports
Definition bio.c:66
static void protocol_error_reply(bio_request_t *u, bio_handle_t *h)
Deal with Protocol-Error replies, and possible negotiation.
Definition bio.c:1852
static void status_check_reset(bio_handle_t *h, bio_request_t *u)
Reset a status_check packet, ready to reuse.
Definition bio.c:233
static const trunk_io_funcs_t io_replicate_funcs
Definition bio.c:2658
static void request_fail(request_t *request, NDEBUG_UNUSED void *preq, void *rctx, NDEBUG_UNUSED trunk_request_state_t state, UNUSED void *uctx)
Write out a canned failure.
Definition bio.c:2375
fr_time_t recv_time
copied from request->async->recv_time
Definition bio.c:121
fr_retry_t retry
retransmission timers
Definition bio.c:138
static void conn_init_writable(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
static xlat_action_t xlat_radius_client(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2913
rlm_rcode_t rcode
from the transport
Definition bio.c:117
static void status_check_alloc(bio_handle_t *h)
Definition bio.c:250
fr_time_t mrs_time
Most recent sent time which had a reply.
Definition bio.c:98
bool status_checking
whether we're doing status checks
Definition bio.c:106
trunk_t * trunk
trunk handler
Definition bio.c:50
fr_time_t last_sent
last time we sent a packet.
Definition bio.c:101
static void zombie_timeout(fr_timer_list_t *tl, fr_time_t now, void *uctx)
Mark a connection dead after "zombie_interval".
Definition bio.c:1386
bio_handle_ctx_t ctx
for copying to bio_handle_t
Definition bio.c:142
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Instantiate thread data for the submodule.
Definition bio.c:2673
static void bio_error(fr_bio_t *bio)
Definition bio.c:639
static void status_check_reply(trunk_request_t *treq, fr_time_t now)
Deal with replies replies to status checks and possible negotiation.
Definition bio.c:1982
static void conn_init_next(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Perform the next step of init and negotiation.
Definition bio.c:407
bool is_retry
Definition bio.c:118
static int _bio_request_free(bio_request_t *u)
Free a bio_request_t.
Definition bio.c:2485
connection_t * conn
Definition bio.c:86
fr_time_t first_sent
first time we sent a packet since going idle
Definition bio.c:100
static unlang_action_t mod_resume(unlang_result_t *p_result, module_ctx_t const *mctx, UNUSED request_t *request)
Resume execution of the request, returning the rcode set during trunk execution.
Definition bio.c:2415
fr_timer_t * zombie_ev
Zombie timeout.
Definition bio.c:104
static connection_t * thread_conn_alloc(trunk_connection_t *tconn, fr_event_list_t *el, connection_conf_t const *conf, char const *log_prefix, void *uctx)
Definition bio.c:1008
static void xlat_sendto_retry(xlat_ctx_t const *xctx, request_t *request, fr_retry_t const *retry)
Definition bio.c:2902
static void bio_request_reset(bio_request_t *u)
Clear out any connection specific resources from a udp request.
Definition bio.c:216
trunk_request_t * treq
Definition bio.c:116
static xlat_action_t xlat_sendto_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Definition bio.c:2874
static void status_check_next(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Handle retries for a status check.
Definition bio.c:1967
rlm_radius_t const * inst
our instance
Definition bio.c:48
static connection_state_t conn_init(void **h_out, connection_t *conn, void *uctx)
Initialise a new outbound connection.
Definition bio.c:724
connection_t ** connections
Definition bio.c:67
fr_rb_expire_node_t expire
Definition bio.c:144
static void revive_timeout(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Revive a connection after "revive_interval".
Definition bio.c:1374
uint8_t * packet
Packet we write to the network.
Definition bio.c:132
static void conn_init_timeout(UNUSED fr_timer_list_t *tl, fr_time_t now, void *uctx)
Status check timer when opening the connection for the first time.
Definition bio.c:359
static connection_state_t conn_failed(void *handle, connection_state_t state, UNUSED void *uctx)
Connection failed.
Definition bio.c:981
bio_limit_ports_t limit_source_ports
What type of port limit is in use.
Definition bio.c:54
fr_radius_ctx_t radius_ctx
for signing packets
Definition bio.c:53
radius_track_t * tt
RADIUS ID tracking structure.
Definition bio.c:96
static void mod_dup(request_t *request, bio_request_t *u)
Definition bio.c:1503
bio_handle_ctx_t ctx
common struct for home servers and BIO handles
Definition bio.c:76
static int8_t home_server_cmp(void const *one, void const *two)
Dynamic home server code.
Definition bio.c:2862
uint8_t code
Packet code.
Definition bio.c:130
static void request_mux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn, connection_t *conn, UNUSED void *uctx)
Definition bio.c:1620
uint8_t * buffer
Receive buffer.
Definition bio.c:93
request_t * status_request
Definition bio.c:108
static void request_complete(request_t *request, NDEBUG_UNUSED void *preq, void *rctx, UNUSED void *uctx)
Response has already been written to the rctx at this point.
Definition bio.c:2397
bool status_check
is this packet a status check?
Definition bio.c:125
static xlat_arg_parser_t const xlat_radius_send_args[]
Definition bio.c:2753
static void xlat_sendto_signal(xlat_ctx_t const *xctx, request_t *request, fr_signal_t action)
Definition bio.c:2891
Track the handle, which is tightly correlated with the FD.
Definition bio.c:75
Connect request_t to local tracking structure.
Definition bio.c:115
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
#define RADIUS_HEADER_LENGTH
Definition net.h:80
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2938
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition pair.c:2638
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:698
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1343
int fr_pair_delete_by_da(fr_pair_list_t *list, fr_dict_attr_t const *da)
Delete matching pairs from the specified list.
Definition pair.c:1685
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
static fr_internal_encode_ctx_t encode_ctx
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition base.c:1109
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
Definition base.c:360
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
Definition base.c:974
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:114
#define fr_assert(_expr)
Definition rad_assert.h:38
static fr_dict_t const * dict_radius
static char * secret
static fr_dict_attr_t const * attr_proxy_state
Definition radclient.c:128
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG(fmt,...)
Definition radclient.h:53
#define WARN(fmt,...)
Definition radclient.h:47
#define INFO(fmt,...)
Definition radict.c:54
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
Definition radius.h:64
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
Definition radius.h:65
#define RADIUS_AUTH_VECTOR_OFFSET
Definition radius.h:33
fr_radius_decode_fail_t
Failure reasons.
Definition radius.h:162
@ DECODE_FAIL_UNKNOWN
Definition radius.h:179
@ DECODE_FAIL_NONE
Definition radius.h:163
@ DECODE_FAIL_MA_MISSING
Definition radius.h:176
@ DECODE_FAIL_UNKNOWN_PACKET_CODE
Definition radius.h:169
char const * secret
Definition radius.h:95
#define RADIUS_MAX_PACKET_SIZE
Definition radius.h:41
size_t secret_length
Definition radius.h:96
fr_radius_ctx_t const * common
Definition radius.h:125
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition radius.h:129
static rs_t * conf
Definition radsniff.c:53
static fr_dict_attr_t const * attr_extended_attribute_1
Definition radsnmp.c:108
static fr_dict_attr_t const * attr_message_authenticator
Definition radsnmp.c:112
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
Smaller fast random number generator.
Definition rand.h:54
void * fr_rb_find(fr_rb_tree_t const *tree, void const *data)
Find an element in the tree, returning the data, not the node.
Definition rb.c:577
bool fr_rb_delete(fr_rb_tree_t *tree, void const *data)
Remove node and free data (if a free function was specified)
Definition rb.c:741
bool fr_rb_expire_insert(fr_rb_expire_t *expire, void *data, fr_time_t now)
Attempt to find current data in the tree, if it does not exist insert it.
Definition rb_expire.c:39
void fr_rb_expire_update(fr_rb_expire_t *expire, void *data, fr_time_t now)
Definition rb_expire.c:55
#define fr_rb_expire_inline_talloc_init(_expire, _type, _field, _data_cmp, _data_free, _lifetime)
Definition rb_expire.h:50
fr_dlist_head_t head
Definition rb_expire.h:35
fr_rb_tree_t tree
Definition rb_expire.h:34
dlist for expiring old entries
Definition rb_expire.h:44
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:57
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:45
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:44
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:43
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:51
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:46
#define request_local_alloc_external(_ctx, _args)
Allocate a new external request outside of the request pool.
Definition request.h:335
Optional arguments for initialising requests.
Definition request.h:287
static fr_dict_attr_t const * attr_error_cause
Definition rlm_radius.c:192
static int radius_fixups(rlm_radius_t const *inst, request_t *request)
Do any RADIUS-layer fixups for proxying.
Definition rlm_radius.c:523
static fr_dict_attr_t const * attr_nas_identifier
Definition rlm_radius.c:197
static fr_dict_attr_t const * attr_original_packet_code
Definition rlm_radius.c:198
static fr_dict_attr_t const * attr_event_timestamp
Definition rlm_radius.c:193
static fr_dict_attr_t const * attr_response_length
Definition rlm_radius.c:199
fr_radius_require_ma_t require_message_authenticator
Require Message-Authenticator in responses.
Definition rlm_radius.h:80
fr_time_delta_t revive_interval
Definition rlm_radius.h:60
fr_retry_config_t retry[FR_RADIUS_CODE_MAX]
Definition rlm_radius.h:92
char const * name
Definition rlm_radius.h:56
uint32_t status_check
code of status-check type
Definition rlm_radius.h:84
rlm_radius_mode_t mode
proxy, client, etc.
Definition rlm_radius.h:76
@ RLM_RADIUS_MODE_XLAT_PROXY
radius.sendto.ipaddr(), but we do look for a reply.
Definition rlm_radius.h:47
@ RLM_RADIUS_MODE_INVALID
Definition rlm_radius.h:42
@ RLM_RADIUS_MODE_PROXY
we proxy to one home server
Definition rlm_radius.h:43
@ RLM_RADIUS_MODE_REPLICATE
to a particular destination
Definition rlm_radius.h:45
@ RLM_RADIUS_MODE_UNCONNECTED_REPLICATE
radius.sendto.ipaddr(), but we don't look for a reply
Definition rlm_radius.h:46
@ RLM_RADIUS_MODE_CLIENT
we are a client to one home server
Definition rlm_radius.h:44
uint32_t max_packet_size
Maximum packet size.
Definition rlm_radius.h:66
fr_time_delta_t response_window
Definition rlm_radius.h:58
uint32_t max_attributes
Maximum number of attributes to decode in response.
Definition rlm_radius.h:78
fr_time_delta_t zombie_period
Definition rlm_radius.h:59
static conf_parser_t retry_config[]
Definition rlm_tacacs.c:39
int fr_schedule_worker_id(void)
Return the worker id for the current thread.
Definition schedule.c:157
void connection_signal_reconnect(connection_t *conn, connection_reason_t reason)
Asynchronously signal the connection should be reconnected.
int connection_signal_on_fd(connection_t *conn, int fd)
Setup the connection to change states to connected or failed based on I/O events.
connection_t * connection_alloc(TALLOC_CTX *ctx, fr_event_list_t *el, connection_funcs_t const *funcs, connection_conf_t const *conf, char const *log_prefix, void const *uctx)
Allocate a new connection.
void connection_signal_connected(connection_t *conn)
Asynchronously signal that the connection is open.
void * data
Module's instance data.
Definition module.h:291
#define pair_append_request(_attr, _da)
Allocate and append a fr_pair_t to the request list.
Definition pair.h:37
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
@ FR_SIGNAL_DUP
A duplicate request was received.
Definition signal.h:44
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
eap_aka_sim_process_conf_t * inst
fr_pair_t * vp
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition state_test.c:8
Definition log.h:96
Value pair map.
Definition map.h:77
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
#define talloc_get_type_abort_const
Definition talloc.h:287
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:229
#define fr_time_gteq(_a, _b)
Definition time.h:238
static int64_t fr_time_unwrap(fr_time_t time)
Definition time.h:146
#define fr_time_wrap(_time)
Definition time.h:145
#define fr_time_lteq(_a, _b)
Definition time.h:240
#define fr_time_eq(_a, _b)
Definition time.h:241
#define fr_time_add(_a, _b)
Add a time/time delta together.
Definition time.h:196
#define fr_time_gt(_a, _b)
Definition time.h:237
#define fr_time_sub(_a, _b)
Subtract one time from another.
Definition time.h:229
static fr_unix_time_t fr_time_to_unix_time(fr_time_t when)
Convert an fr_time_t (internal time) to our version of unix time (wallclock time)
Definition time.h:688
#define fr_time_lt(_a, _b)
Definition time.h:239
"server local" time.
Definition time.h:69
An event timer list.
Definition timer.c:50
A timer event.
Definition timer.c:84
#define FR_TIMER_DELETE_RETURN(_ev_p)
Definition timer.h:110
#define FR_TIMER_DISARM(_ev)
Definition timer.h:91
static bool fr_timer_armed(fr_timer_t *ev)
Definition timer.h:120
#define fr_timer_at(...)
Definition timer.h:81
void radius_track_state_log(fr_log_t const *log, fr_log_type_t log_type, char const *file, int line, radius_track_t *tt, radius_track_log_extra_t extra)
Print out the state of every tracking entry.
Definition track.c:294
int radius_track_entry_update(radius_track_entry_t *te, uint8_t const *vector)
Update a tracking entry with the authentication vector.
Definition track.c:219
radius_track_entry_t * radius_track_entry_find(radius_track_t *tt, uint8_t packet_id, uint8_t const *vector)
Find a tracking entry from a request authenticator.
Definition track.c:248
radius_track_t * radius_track_alloc(TALLOC_CTX *ctx)
Create an radius_track_t.
Definition track.c:41
#define radius_track_entry_release(_te)
Definition track.h:90
void * uctx
Result/resumption context.
Definition track.h:47
uint8_t id
our ID
Definition track.h:50
unsigned int num_requests
number of requests in the allocation
Definition track.h:65
#define radius_track_entry_reserve(_te_out, _ctx, _tt, _request, _code, _uctx)
Definition track.h:82
request_t * request
as always...
Definition track.h:45
Track one request to a response.
Definition track.h:36
void trunk_connection_callback_readable(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
Standard I/O read function.
Definition trunk.c:4015
void trunk_connection_callback_writable(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
Standard I/O write function.
Definition trunk.c:4032
void trunk_request_signal_partial(trunk_request_t *treq)
Signal a partial write.
Definition trunk.c:2030
void trunk_request_signal_fail(trunk_request_t *treq)
Signal that a trunk request failed.
Definition trunk.c:2133
trunk_request_t * trunk_request_alloc(trunk_t *trunk, request_t *request)
(Pre-)Allocate a new trunk request
Definition trunk.c:2475
trunk_t * trunk_alloc(TALLOC_CTX *ctx, fr_event_list_t *el, trunk_io_funcs_t const *funcs, trunk_conf_t const *conf, char const *log_prefix, void const *uctx, bool delay_start)
Allocate a new collection of connections.
Definition trunk.c:4947
uint64_t trunk_connection_requests_requeue(trunk_connection_t *tconn, int states, uint64_t max, bool fail_bound)
Move requests off of a connection and requeue elsewhere.
Definition trunk.c:2011
trunk_enqueue_t trunk_request_enqueue_on_conn(trunk_request_t **treq_out, trunk_connection_t *tconn, request_t *request, void *preq, void *rctx, bool ignore_limits)
Enqueue additional requests on a specific connection.
Definition trunk.c:2742
trunk_enqueue_t trunk_request_enqueue(trunk_request_t **treq_out, trunk_t *trunk, request_t *request, void *preq, void *rctx)
Enqueue a request that needs data written to the trunk.
Definition trunk.c:2588
trunk_enqueue_t trunk_request_requeue(trunk_request_t *treq)
Re-enqueue a request on the same connection.
Definition trunk.c:2677
int trunk_connection_pop_request(trunk_request_t **treq_out, trunk_connection_t *tconn)
Pop a request off a connection's pending queue.
Definition trunk.c:3884
void trunk_request_signal_cancel(trunk_request_t *treq)
Cancel a trunk request.
Definition trunk.c:2153
void trunk_request_free(trunk_request_t **treq_to_free)
If the trunk request is freed then update the target requests.
Definition trunk.c:2323
void trunk_connection_signal_active(trunk_connection_t *tconn)
Signal a trunk connection is no longer full.
Definition trunk.c:3961
void trunk_connection_signal_inactive(trunk_connection_t *tconn)
Signal a trunk connection cannot accept more requests.
Definition trunk.c:3938
void trunk_request_signal_sent(trunk_request_t *treq)
Signal that the request was written to a connection successfully.
Definition trunk.c:2051
void trunk_request_signal_complete(trunk_request_t *treq)
Signal that a trunk request is complete.
Definition trunk.c:2095
void trunk_connection_signal_reconnect(trunk_connection_t *tconn, connection_reason_t reason)
Signal a trunk connection is no longer viable.
Definition trunk.c:4000
void trunk_request_state_log(fr_log_t const *log, fr_log_type_t log_type, char const *file, int line, trunk_request_t const *treq)
Definition trunk.c:2829
Associates request queues with a connection.
Definition trunk.c:133
Wraps a normal request.
Definition trunk.c:99
Main trunk management handle.
Definition trunk.c:197
#define TRUNK_REQUEST_STATE_ALL
All request states.
Definition trunk.h:195
trunk_connection_alloc_t connection_alloc
Allocate a new connection_t.
Definition trunk.h:733
trunk_connection_event_t
What type of I/O events the trunk connection is currently interested in receiving.
Definition trunk.h:72
@ TRUNK_CONN_EVENT_BOTH
Trunk should be notified if a connection is readable or writable.
Definition trunk.h:79
@ TRUNK_CONN_EVENT_WRITE
Trunk should be notified if a connection is writable.
Definition trunk.h:77
@ TRUNK_CONN_EVENT_NONE
Don't notify the trunk on connection state changes.
Definition trunk.h:73
@ TRUNK_CONN_EVENT_READ
Trunk should be notified if a connection is readable.
Definition trunk.h:75
trunk_cancel_reason_t
Reasons for a request being cancelled.
Definition trunk.h:55
@ TRUNK_CANCEL_REASON_REQUEUE
A previously sent request is being requeued.
Definition trunk.h:59
@ TRUNK_ENQUEUE_DST_UNAVAILABLE
Destination is down.
Definition trunk.h:153
@ TRUNK_ENQUEUE_FAIL
General failure.
Definition trunk.h:154
@ TRUNK_ENQUEUE_OK
Operation was successful.
Definition trunk.h:150
@ TRUNK_ENQUEUE_NO_CAPACITY
At maximum number of connections, and no connection has capacity.
Definition trunk.h:151
@ TRUNK_ENQUEUE_IN_BACKLOG
Request should be enqueued in backlog.
Definition trunk.h:149
trunk_request_state_t
Used for sanity checks and to simplify freeing.
Definition trunk.h:161
@ TRUNK_REQUEST_STATE_PARTIAL
Some of the request was written to the socket, more of it should be written later.
Definition trunk.h:170
@ TRUNK_REQUEST_STATE_REAPABLE
Request has been written, needs to persist, but we are not currently waiting for any response.
Definition trunk.h:173
@ TRUNK_REQUEST_STATE_UNASSIGNED
Transition state - Request currently not assigned to any connection.
Definition trunk.h:165
@ TRUNK_REQUEST_STATE_INIT
Initial state.
Definition trunk.h:162
@ TRUNK_REQUEST_STATE_CANCEL_SENT
We've informed the remote server that the request has been cancelled.
Definition trunk.h:185
@ TRUNK_REQUEST_STATE_COMPLETE
The request is complete.
Definition trunk.h:182
@ TRUNK_REQUEST_STATE_FAILED
The request failed.
Definition trunk.h:183
@ TRUNK_REQUEST_STATE_CANCEL
A request on a particular socket was cancel.
Definition trunk.h:184
@ TRUNK_REQUEST_STATE_CANCEL_PARTIAL
We partially wrote a cancellation request.
Definition trunk.h:187
@ TRUNK_REQUEST_STATE_BACKLOG
In the backlog.
Definition trunk.h:167
@ TRUNK_REQUEST_STATE_CANCEL_COMPLETE
Remote server has acknowledged our cancellation.
Definition trunk.h:188
@ TRUNK_REQUEST_STATE_PENDING
In the queue of a connection and is pending writing.
Definition trunk.h:168
@ TRUNK_REQUEST_STATE_SENT
Was written to a socket. Waiting for a response.
Definition trunk.h:172
I/O functions to pass to trunk_alloc.
Definition trunk.h:732
static fr_event_list_t * el
xlat_action_t unlang_xlat_yield_to_retry(request_t *request, xlat_func_t resume, fr_unlang_xlat_retry_t retry, xlat_func_signal_t signal, fr_signal_t sigmask, void *rctx, fr_retry_config_t const *retry_cfg)
Yield a request back to the interpreter, with retries.
Definition xlat.c:668
uint8_t required
Argument must be present, and non-empty.
Definition xlat.h:146
#define XLAT_ARGS(_list,...)
Populate local variables with value boxes from the input list.
Definition xlat.h:383
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumend by an xlat function.
Definition xlat.h:145
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
void fr_pair_list_append(fr_pair_list_t *dst, fr_pair_list_t *src)
Appends a list of fr_pair_t from a temporary list to a destination list.
fr_retry_state_t fr_retry_next(fr_retry_t *r, fr_time_t now)
Initialize a retransmission counter.
Definition retry.c:108
void fr_retry_init(fr_retry_t *r, fr_time_t now, fr_retry_config_t const *config)
Initialize a retransmission counter.
Definition retry.c:36
fr_time_t start
when we started the retransmission
Definition retry.h:53
fr_time_delta_t rt
retransmit interval
Definition retry.h:57
uint32_t mrc
Maximum retransmission count.
Definition retry.h:36
fr_retry_config_t const * config
master configuration
Definition retry.h:52
fr_retry_state_t state
so callers can see what state it's in.
Definition retry.h:60
@ FR_RETRY_MRC
reached maximum retransmission count
Definition retry.h:47
@ FR_RETRY_CONTINUE
Definition retry.h:46
@ FR_RETRY_MRD
reached maximum retransmission duration
Definition retry.h:48
uint32_t count
number of sent packets
Definition retry.h:58
fr_time_delta_t mrd
Maximum retransmission duration.
Definition retry.h:35
fr_time_t updated
last update, really a cached "now".
Definition retry.h:56
fr_time_t next
when the next timer should be set
Definition retry.h:55
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:78
int fd
File descriptor if this is a live socket.
Definition socket.h:81
char const * fr_strerror(void)
Get the last library error.
Definition strerror.c:553
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:643
#define fr_box_ipaddr(_val)
Definition value.h:316
static fr_slen_t data
Definition value.h:1291
#define fr_box_time_delta(_val)
Definition value.h:365
int nonnull(2, 5))
static size_t char ** out
Definition value.h:1023
void * rctx
Resume context.
Definition xlat_ctx.h:54
module_ctx_t const * mctx
Synthesised module calling ctx.
Definition xlat_ctx.h:52
An xlat calling ctx.
Definition xlat_ctx.h:49