The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 83287b98cc6623d40d5d26719ba35426afa21dbd $
19 * @file src/process/radius/base.c
20 * @brief RADIUS process module
21 *
22 * @copyright 2021 The FreeRADIUS server project.
23 * @copyright 2021 Network RADIUS SAS (legal@networkradius.com)
24 */
25#include <freeradius-devel/protocol/freeradius/freeradius.internal.h>
26
27#include <freeradius-devel/radius/radius.h>
28
29#include <freeradius-devel/server/main_config.h>
30#include <freeradius-devel/server/module.h>
31#include <freeradius-devel/server/pair.h>
32#include <freeradius-devel/server/protocol.h>
33#include <freeradius-devel/server/state.h>
34#include <freeradius-devel/server/rcode.h>
35#include <freeradius-devel/server/log.h>
36#include <freeradius-devel/unlang/xlat.h>
37
38#include <freeradius-devel/unlang/module.h>
39#include <freeradius-devel/unlang/interpret.h>
40#include <freeradius-devel/unlang/xlat_func.h>
41
42#include <freeradius-devel/util/debug.h>
43#include <freeradius-devel/util/pair.h>
44#include <freeradius-devel/util/value.h>
45
47static fr_dict_t const *dict_radius;
48
51 { .out = &dict_freeradius, .proto = "freeradius" },
52 { .out = &dict_radius, .proto = "radius" },
53 { NULL }
54};
55
60
70
73 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
74 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
75 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
76 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
77
78 { .out = &attr_acct_status_type, .name = "Acct-Status-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
79 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
80 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
81 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
82 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
83 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
84
85 { .out = &attr_original_packet_code, .name = "Extended-Attribute-1.Original-Packet-Code", .type = FR_TYPE_UINT32, .dict = &dict_radius },
86 { .out = &attr_error_cause, .name = "Error-Cause", .type = FR_TYPE_UINT32, .dict = &dict_radius },
87
88 { .out = &attr_event_timestamp, .name = "Event-Timestamp", .type = FR_TYPE_DATE, .dict = &dict_radius },
89
90 { NULL }
91};
92
95
98 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
99 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
100 { NULL }
101};
102
103/*
104 * RADIUS state machine configuration
105 */
134
135typedef struct {
136 fr_time_delta_t session_timeout;//!< Maximum time between the last response and next request.
137 uint32_t max_session; //!< Maximum ongoing session allowed.
138
139 uint8_t state_server_id;//!< Sets a specific byte in the state to allow the
140 //!< authenticating server to be identified in packet
141 //!<captures.
142
143 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
145
146typedef struct {
147 CONF_SECTION *server_cs; //!< Our virtual server.
148 process_radius_sections_t sections; //!< Pointers to various config sections
149 ///< we need to execute.
150 process_radius_auth_t auth; //!< Authentication configuration.
152
153/** Records fields from the original request so we have a known good copy
154 */
155typedef struct {
156 fr_value_box_list_head_t proxy_state; //!< These need to be copied into the response in exactly
157 ///< the same order as they were added.
160
161#define FR_RADIUS_PROCESS_CODE_VALID(_x) (FR_RADIUS_PACKET_CODE_VALID(_x) || (_x == FR_RADIUS_CODE_DO_NOT_RESPOND))
162
163#define PROCESS_PACKET_TYPE fr_radius_packet_code_t
164#define PROCESS_CODE_MAX FR_RADIUS_CODE_MAX
165#define PROCESS_CODE_DO_NOT_RESPOND FR_RADIUS_CODE_DO_NOT_RESPOND
166#define PROCESS_PACKET_CODE_VALID FR_RADIUS_PROCESS_CODE_VALID
167#define PROCESS_INST process_radius_t
168#define PROCESS_RCTX process_radius_rctx_t
169#define PROCESS_CODE_DYNAMIC_CLIENT FR_RADIUS_CODE_ACCESS_ACCEPT
170#include <freeradius-devel/server/process.h>
171
173 { FR_CONF_OFFSET("timeout", process_radius_auth_t, session_timeout), .dflt = "15" },
174 { FR_CONF_OFFSET("max", process_radius_auth_t, max_session), .dflt = "4096" },
175 { FR_CONF_OFFSET("state_server_id", process_radius_auth_t, state_server_id) },
176
178};
179
180static const conf_parser_t auth_config[] = {
181 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) session_config },
182
184};
185
186static const conf_parser_t config[] = {
187 { FR_CONF_POINTER("Access-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
188 .offset = offsetof(process_radius_t, auth), },
189
191};
192
193/*
194 * Debug the packet if requested.
195 */
196static void radius_packet_debug(request_t *request, fr_packet_t *packet, fr_pair_list_t *list, bool received)
197{
198#ifdef WITH_IFINDEX_NAME_RESOLUTION
199 char if_name[IFNAMSIZ];
200#endif
201
202 if (!packet) return;
203 if (!RDEBUG_ENABLED) return;
204
205 log_request(L_DBG, L_DBG_LVL_1, request, __FILE__, __LINE__, "%s %s ID %d from %s%pV%s:%i to %s%pV%s:%i "
206#ifdef WITH_IFINDEX_NAME_RESOLUTION
207 "%s%s%s"
208#endif
209 "",
210 received ? "Received" : "Sending",
212 packet->id,
213 packet->socket.inet.src_ipaddr.af == AF_INET6 ? "[" : "",
214 fr_box_ipaddr(packet->socket.inet.src_ipaddr),
215 packet->socket.inet.src_ipaddr.af == AF_INET6 ? "]" : "",
216 packet->socket.inet.src_port,
217 packet->socket.inet.dst_ipaddr.af == AF_INET6 ? "[" : "",
218 fr_box_ipaddr(packet->socket.inet.dst_ipaddr),
219 packet->socket.inet.dst_ipaddr.af == AF_INET6 ? "]" : "",
220 packet->socket.inet.dst_port
221#ifdef WITH_IFINDEX_NAME_RESOLUTION
222 , packet->socket.inet.ifindex ? "via " : "",
223 packet->socket.inet.ifindex ? fr_ifname_from_ifindex(if_name, packet->socket.inet.ifindex) : "",
224 packet->socket.inet.ifindex ? " " : ""
225#endif
226 );
227
228 if (received || request->parent) {
229 log_request_pair_list(L_DBG_LVL_1, request, NULL, list, NULL);
230 } else {
231 log_request_proto_pair_list(L_DBG_LVL_1, request, NULL, list, NULL);
232 }
233}
234
235/** Keep a copy of some attributes to keep them from being tamptered with
236 *
237 */
238static inline CC_HINT(always_inline)
240{
241 fr_pair_t *proxy_state;
242
243 /*
244 * Don't bother allocing the struct if there's no proxy state to store
245 */
246 proxy_state = fr_pair_find_by_da(&request->request_pairs, NULL, attr_proxy_state);
247 if (!proxy_state) return;
248
249 fr_value_box_list_init(&rctx->proxy_state);
250
251 /*
252 * We don't use fr_pair_list_copy_by_da, to avoid doing the lookup for
253 * the first proxy-state attr again.
254 */
255 do {
256 fr_value_box_t *proxy_state_value;
257
258 MEM((proxy_state_value = fr_value_box_acopy(rctx, &proxy_state->data)));
259 fr_value_box_list_insert_tail(&rctx->proxy_state, proxy_state_value);
260 } while ((proxy_state = fr_pair_find_by_da(&request->request_pairs, proxy_state, attr_proxy_state)));
261}
262
263static inline CC_HINT(always_inline)
265{
266 /*
267 * Proxy-State is a link-level signal between RADIUS
268 * client and server. RFC 2865 Section 5.33 says that
269 * Proxy-State is an opaque field, and implementations
270 * most not examine it, interpret it, or assign it any
271 * meaning. Implementations must also copy all Proxy-State
272 * from the request to the reply.
273 *
274 * The rlm_radius module already deletes any Proxy-State
275 * from the reply before appending the proxy reply to the
276 * current reply.
277 *
278 * If any policy creates Proxy-State, that could affect
279 * individual RADIUS links (perhaps), and that would be
280 * wrong. As such, we nuke any nonsensical Proxy-State
281 * added by policies or errant modules, and instead just
282 * do exactly what the RFCs require us to do. No more.
283 */
284 fr_pair_delete_by_da(&request->reply_pairs, attr_proxy_state);
285
286 RDEBUG3("Adding Proxy-State attributes from request");
287 RINDENT();
288 fr_value_box_list_foreach(&rctx->proxy_state, proxy_state_value) {
289 fr_pair_t *vp;
290
291 MEM(vp = fr_pair_afrom_da(request->reply_ctx, attr_proxy_state));
292 if (unlikely(fr_value_box_copy(vp, &vp->data, proxy_state_value) < 0)) {
293 RDEBUG2("Failed to copy Proxy-State value %pV", proxy_state_value);
295 break;
296 }
297 fr_pair_append(&request->reply_pairs, vp);
298 RDEBUG3("reply.%pP", vp);
299 }
300 REXDENT();
301}
302
303/** A wrapper around recv generic which stores fields from the request
304 */
305RECV(generic_radius_request)
306{
307 radius_request_pairs_store(request, mctx->rctx);
308
309 return CALL_RECV(generic);
310}
311
312/** A wrapper around send generic which restores fields
313 *
314 */
315RESUME(generic_radius_response)
316{
317 radius_request_pairs_to_reply(request, talloc_get_type_abort(mctx->rctx, process_radius_rctx_t));
318
319 return CALL_RESUME(send_generic);
320}
321
322RECV(access_request)
323{
325
326 /*
327 * Only reject if the state has already been thawed.
328 * It could be that the state value wasn't intended
329 * for us, and we're just proxying upstream.
330 */
331 if (fr_state_to_request(inst->auth.state_tree, request) < 0) {
332 return CALL_SEND_TYPE(FR_RADIUS_CODE_ACCESS_REJECT);
333 }
334
335 return CALL_RECV(generic_radius_request);
336}
337
338RESUME(auth_type);
339
340RESUME(access_request)
341{
342 rlm_rcode_t rcode = RESULT_RCODE;
343 fr_pair_t *vp;
344 CONF_SECTION *cs;
345 fr_dict_enum_value_t const *dv;
346 fr_process_state_t const *state;
348
350
352
353 /*
354 * See if the return code from "recv Access-Request" says we reject, or continue.
355 */
356 UPDATE_STATE(packet);
357
358 request->reply->code = state->packet_type[rcode];
359 if (!request->reply->code) request->reply->code = state->default_reply;
360
361 /*
362 * Something set reject, we're done.
363 */
364 if (request->reply->code == FR_RADIUS_CODE_ACCESS_REJECT) {
365 RDEBUG("The 'recv Access-Request' section returned %s - rejecting the request",
366 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
367
369 UPDATE_STATE(reply);
370
371 fr_assert(state->send != NULL);
372 return CALL_SEND_STATE(state);
373 }
374
375 if (request->reply->code) {
376 goto send_reply;
377 }
378
379 /*
380 * A policy _or_ a module can hard-code the reply.
381 */
382 if (!request->reply->code) {
383 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
384 if (vp && FR_RADIUS_PROCESS_CODE_VALID(vp->vp_uint32)) {
385 request->reply->code = vp->vp_uint32;
386 goto send_reply;
387 }
388 }
389
390 /*
391 * Run authenticate foo { ... }
392 *
393 * If we can't find Auth-Type, OR if we can't find
394 * Auth-Type = foo, then it's a reject.
395 */
396 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
397 if (!vp) {
398 RDEBUG("No 'Auth-Type' attribute found, cannot authenticate the user - rejecting the request");
399
400 reject:
401 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
402 goto send_reply;
403 }
404
405 dv = fr_dict_enum_by_value(vp->da, &vp->data);
406 if (!dv) {
407 RDEBUG("Invalid value for 'Auth-Type' attribute, cannot authenticate the user - rejecting the request");
408
409 goto reject;
410 }
411
412 /*
413 * The magic Auth-Type Accept value
414 * which means skip the authenticate
415 * section.
416 *
417 * And Reject means always reject. Tho the admin should
418 * just return "reject" from the section.
419 */
421 request->reply->code = FR_RADIUS_CODE_ACCESS_ACCEPT;
422 goto send_reply;
423
424 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
425 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
426 goto send_reply;
427 }
428
429 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
430 if (!cs) {
431 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
432 goto reject;
433 }
434
435 /*
436 * Run the "Authenticate = foo" section.
437 *
438 * And continue with sending the generic reply.
439 */
440 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
441 return unlang_module_yield_to_section(RESULT_P, request,
442 cs, RLM_MODULE_NOOP, resume_auth_type,
443 NULL, 0, mctx->rctx);
444}
445
446RESUME(auth_type)
447{
448 static const fr_process_rcode_t auth_type_rcode = {
457 };
458
459 rlm_rcode_t rcode = RESULT_RCODE;
460 fr_pair_t *vp;
461 fr_process_state_t const *state;
462
464
466
467 if (auth_type_rcode[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND) {
468 request->reply->code = auth_type_rcode[rcode];
469 UPDATE_STATE(reply);
470
471 RDEBUG("The 'authenticate' section returned %s - not sending a response",
472 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
473
474 fr_assert(state->send != NULL);
475 return state->send(p_result, mctx, request);
476 }
477
478 /*
479 * Most cases except handled...
480 */
481 if (auth_type_rcode[rcode]) request->reply->code = auth_type_rcode[rcode];
482
483 switch (request->reply->code) {
484 case 0:
485 RDEBUG("No reply code was set. Forcing to Access-Reject");
486 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
488
489 /*
490 * Print complaints before running "send Access-Reject"
491 */
493 RDEBUG2("Failed to authenticate the user");
494
495 /*
496 * Maybe the shared secret is wrong?
497 */
498 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password);
499 if (vp) {
500 if (RDEBUG_ENABLED2) {
501 uint8_t const *p;
502
503 p = (uint8_t const *) vp->vp_strvalue;
504 while (*p) {
505 int size;
506
507 size = fr_utf8_char(p, -1);
508 if (!size) {
509 RWDEBUG("Unprintable characters in the password. "
510 "Double-check the shared secret on the server "
511 "and the NAS!");
512 break;
513 }
514 p += size;
515 }
516 }
517 }
518 break;
519
520 /*
521 * Access-Challenge sections require a State. If there is
522 * none, create one here. This is so that the State
523 * attribute is accessible in the "send Access-Challenge"
524 * section.
525 */
527 if ((vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_state)) != NULL) {
528 uint8_t buffer[16];
529
530 fr_rand_buffer(buffer, sizeof(buffer));
531
533 fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
534 }
535 break;
536
537 default:
538 break;
539
540 }
541 UPDATE_STATE(reply);
542
543 fr_assert(state->send != NULL);
544 return state->send(p_result, mctx, request);
545}
546
547RESUME_FLAG(access_accept,UNUSED,)
548{
549 fr_pair_t *vp;
551
553
554 /*
555 * Check that there is a name which can be used to
556 * identify the user. The configuration depends on
557 * User-Name or Stripped-User-Name existing, and being
558 * (mostly) unique to that user.
559 */
560 if (!request->parent &&
561 ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name)) != NULL) &&
562 (vp->vp_strvalue[0] == '@') &&
563 !fr_pair_find_by_da(&request->request_pairs, NULL, attr_stripped_user_name)) {
564 RWDEBUG("User-Name is anonymized, and no Stripped-User-Name exists.");
565 RWDEBUG("It may be difficult or impossible to identify the user.");
566 RWDEBUG("Please update Stripped-User-Name with information which identifies the user.");
567 }
568
569 fr_state_discard(inst->auth.state_tree, request);
570 radius_request_pairs_to_reply(request, mctx->rctx);
572}
573
574RESUME_FLAG(access_reject,UNUSED,)
575{
577
579
580 fr_state_discard(inst->auth.state_tree, request);
581 radius_request_pairs_to_reply(request, mctx->rctx);
583}
584
585RESUME(access_challenge)
586{
588
590
591 /*
592 * Cache the state context, unless this is a subrequest.
593 * Subrequest state context will be handled by the caller.
594 *
595 * If this fails, don't respond to the request.
596 */
597 if (!request->parent && fr_request_to_state(inst->auth.state_tree, request) < 0) {
598 return CALL_SEND_TYPE(FR_RADIUS_CODE_DO_NOT_RESPOND);
599 }
600
601 fr_assert(request->reply->code == FR_RADIUS_CODE_ACCESS_CHALLENGE);
602 radius_request_pairs_to_reply(request, mctx->rctx);
604}
605
606/** A wrapper around recv generic which stores fields from the request
607 */
608RECV(accounting_request)
609{
610 fr_pair_t *acct_delay, *event_timestamp;
611
612 radius_request_pairs_store(request, mctx->rctx);
613
614 /*
615 * Acct-Delay-Time is horrific. Its existence in a packet means that any retransmissions can't
616 * be retransmissions! Instead, we have to send a brand new packet each time. This rewriting is
617 * expensive, causes ID churn, over-allocation of IDs, and makes it more difficult to discover
618 * end-to-end failures.
619 *
620 * As a result, we delete Acct-Delay-Time, and replace it with Event-Timestamp.
621 */
622 event_timestamp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp);
623 if (!event_timestamp) {
624 MEM(event_timestamp = fr_pair_afrom_da(request->request_ctx, attr_event_timestamp));
625 fr_pair_append(&request->request_pairs, event_timestamp);
626 event_timestamp->vp_date = fr_time_to_unix_time(request->packet->timestamp);
627
628 acct_delay = fr_pair_find_by_da(&request->request_pairs, NULL, attr_event_timestamp);
629 if (acct_delay) {
630 if (acct_delay->vp_uint32 < ((365 * 86400))) {
631 event_timestamp->vp_date = fr_unix_time_sub_time_delta(event_timestamp->vp_date, fr_time_delta_from_sec(acct_delay->vp_uint32));
632
633 RDEBUG("Accounting-Request packet contains %pP. Creating %pP",
634 acct_delay, event_timestamp);
635 }
636 } else {
637 RDEBUG("Accounting-Request packet is missing Event-Timestamp. Adding it to packet as %pP.", event_timestamp);
638 }
639 }
640
641 return CALL_RECV(generic);
642}
643
644RESUME(acct_type)
645{
646 static const fr_process_rcode_t acct_type_rcode = {
652 };
653
654 rlm_rcode_t rcode = RESULT_RCODE;
655 fr_process_state_t const *state;
656
658
660 fr_assert(FR_RADIUS_PROCESS_CODE_VALID(request->reply->code));
661
662 if (acct_type_rcode[rcode]) {
663 fr_assert(acct_type_rcode[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND);
664
665 request->reply->code = acct_type_rcode[rcode];
666 UPDATE_STATE(reply);
667
668 RDEBUG("The 'accounting' section returned %s - not sending a response",
669 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
670
671 fr_assert(state->send != NULL);
672 return state->send(p_result, mctx, request);
673 }
674
675 request->reply->code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE;
676 UPDATE_STATE(reply);
677
678 fr_assert(state->send != NULL);
679 return state->send(p_result, mctx, request);
680}
681
682RESUME(accounting_request)
683{
684 rlm_rcode_t rcode = RESULT_RCODE;
685 fr_pair_t *vp;
686 CONF_SECTION *cs;
687 fr_dict_enum_value_t const *dv;
688 fr_process_state_t const *state;
690
692
694
695 UPDATE_STATE(packet);
696 fr_assert(state->packet_type[rcode] != 0);
697
698 request->reply->code = state->packet_type[rcode];
699 UPDATE_STATE_CS(reply);
700
701 if (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) {
702 RDEBUG("The 'recv Accounting-Request' section returned %s - not sending a response",
703 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
704
706 fr_assert(state->send != NULL);
707 return CALL_SEND_STATE(state);
708 }
709
710 /*
711 * Run accounting foo { ... }
712 */
713 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_acct_status_type);
714 if (!vp) goto send_reply;
715
716 dv = fr_dict_enum_by_value(vp->da, &vp->data);
717 if (!dv) goto send_reply;
718
719 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
720 if (!cs) {
721 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
722 goto send_reply;
723 }
724
725 /*
726 * Run the "Acct-Status-Type = foo" section.
727 *
728 * And continue with sending the generic reply.
729 */
730 return unlang_module_yield_to_section(RESULT_P, request,
731 cs, RLM_MODULE_NOOP, resume_acct_type,
732 NULL, 0, mctx->rctx);
733}
734
735#if 0
736// @todo - send canned responses like in v3?
737RECV(status_server)
738{
740}
741
742RESUME(status_server)
743{
745}
746#endif
747
748RESUME(protocol_error)
749{
750 fr_pair_t *vp;
751
753
754 fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code));
755
756 /*
757 * https://tools.ietf.org/html/rfc7930#section-4
758 */
759 vp = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_original_packet_code);
760 if (!vp) {
761 vp = fr_pair_afrom_da(request->reply_ctx, attr_original_packet_code);
762 if (vp) {
763 vp->vp_uint32 = request->packet->code;
764 fr_pair_append(&request->reply_pairs, vp);
765 }
766 }
767
768 /*
769 * If there's no Error-Cause, then include a generic 404.
770 */
771 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_error_cause);
772 if (!vp) {
773 vp = fr_pair_afrom_da(request->reply_ctx, attr_error_cause);
774 if (vp) {
775 vp->vp_uint32 = FR_ERROR_CAUSE_VALUE_INVALID_REQUEST;
776 fr_pair_append(&request->reply_pairs, vp);
777 }
778 }
779
780 /*
781 * And do the generic processing after running a "send" section.
782 */
783 return CALL_RESUME(send_generic);
784}
785
786static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
787{
788 fr_process_state_t const *state;
789
791
793
794 request->component = "radius";
795 request->module = NULL;
796 fr_assert(request->proto_dict == dict_radius);
797
798 fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->packet->code));
799
800 UPDATE_STATE(packet);
801
802 if (!state->recv) {
803 REDEBUG("Invalid packet type (%u)", request->packet->code);
805 }
806
807 radius_packet_debug(request, request->packet, &request->request_pairs, true);
808
809 if (unlikely(request_is_dynamic_client(request))) {
810 return new_client(p_result, mctx, request);
811 }
812
813 return state->recv(p_result, mctx, request);
814}
815
817 { .required = true, .single = true, .type = FR_TYPE_OCTETS },
819};
820
821/** Validates a request against a know shared secret
822 *
823 * Designed for the specific purpose of verifying dynamic clients
824 * against a know shared secret.
825 *
826 * Example:
827@verbatim
828%radius.secret.verify(<secret>)
829@endverbatim
830 *
831 * @ingroup xlat_functions
832 */
834 request_t *request, fr_value_box_list_t *args)
835{
837 int ret;
838 bool require_message_authenticator = false;
839
841
842 if (request->proto_dict != dict_radius) return XLAT_ACTION_FAIL;
843
844 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, NULL));
845
846 /*
847 * Only Access-Requests require a Message-Authenticator.
848 * All the other packet types are signed using the
849 * authenticator field.
850 */
851 if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) require_message_authenticator = true;
852
853 ret = fr_radius_verify(request->packet->data, NULL, secret->vb_octets, secret->vb_length, require_message_authenticator, false);
854 switch (ret) {
855 case 0:
856 vb->vb_bool = true;
857 break;
858
859 default:
860 RPEDEBUG("Invalid packet");
861 return XLAT_ACTION_FAIL;
862
864 case -DECODE_FAIL_VERIFY:
865 RPEDEBUG("Failed to verify the packet signature");
866 vb->vb_bool = false;
867 break;
868 }
870
871 return XLAT_ACTION_DONE;
872}
873
874static int mod_instantiate(module_inst_ctx_t const *mctx)
875{
876 process_radius_t *inst = talloc_get_type_abort(mctx->mi->data, process_radius_t);
877
878 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
879
880 inst->auth.state_tree = fr_state_tree_init(inst, attr_state, main_config->spawn_workers, inst->auth.max_session,
881 inst->auth.session_timeout, inst->auth.state_server_id,
883
884 return 0;
885}
886
887static int mod_bootstrap(module_inst_ctx_t const *mctx)
888{
889 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
890
891 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
892
893 return 0;
894}
895
896static int mod_load(void)
897{
898 xlat_t *xlat;
899
900 if (unlikely(!(xlat = xlat_func_register(NULL, "radius.secret.verify", xlat_func_radius_secret_verify,
901 FR_TYPE_BOOL)))) return -1;
902
904
905 return 0;
906}
907
908static void mod_unload(void)
909{
910 xlat_func_unregister("radius.secret.verify");
911}
912
913/*
914 * rcodes not listed under a packet_type
915 * mean that the packet code will not be
916 * changed.
917 */
918static fr_process_state_t const process_state[] = {
920 .packet_type = {
927 },
928 .default_rcode = RLM_MODULE_NOOP,
929 .recv = recv_access_request,
930 .resume = resume_access_request,
931 .section_offset = offsetof(process_radius_sections_t, access_request),
932 },
934 .packet_type = {
940 },
941 .default_rcode = RLM_MODULE_NOOP,
942 .result_rcode = RLM_MODULE_OK,
943 .send = send_generic,
944 .resume = resume_access_accept,
945 .section_offset = offsetof(process_radius_sections_t, access_accept),
946 },
948 .packet_type = {
954 },
955 .default_rcode = RLM_MODULE_NOOP,
956 .result_rcode = RLM_MODULE_REJECT,
957 .send = send_generic,
958 .resume = resume_access_reject,
959 .section_offset = offsetof(process_radius_sections_t, access_reject),
960 },
962 .packet_type = {
968 },
969 .default_rcode = RLM_MODULE_NOOP,
970 .result_rcode = RLM_MODULE_OK,
971 .send = send_generic,
972 .resume = resume_access_challenge,
973 .section_offset = offsetof(process_radius_sections_t, access_challenge),
974 },
975
977 .packet_type = {
982
989 },
990 .default_rcode = RLM_MODULE_NOOP,
991 .recv = recv_accounting_request,
992 .resume = resume_accounting_request,
993 .section_offset = offsetof(process_radius_sections_t, accounting_request),
994 },
996 .packet_type = {
1003 },
1004 .default_rcode = RLM_MODULE_NOOP,
1005 .result_rcode = RLM_MODULE_OK,
1006 .send = send_generic,
1007 .resume = resume_generic_radius_response,
1008 .section_offset = offsetof(process_radius_sections_t, accounting_response),
1009 },
1010 [ FR_RADIUS_CODE_STATUS_SERVER ] = { /* @todo - negotiation, stats, etc. */
1011 .packet_type = {
1014
1022 },
1023 .default_rcode = RLM_MODULE_NOOP,
1024 .recv = recv_generic,
1025 .resume = resume_recv_generic,
1026 .section_offset = offsetof(process_radius_sections_t, status_server),
1027 },
1029 .packet_type = {
1034
1040 },
1041 .default_rcode = RLM_MODULE_NOOP,
1042 .recv = recv_generic_radius_request,
1043 .resume = resume_recv_generic,
1044 .section_offset = offsetof(process_radius_sections_t, coa_request),
1045 },
1047 .packet_type = {
1053 },
1054 .default_rcode = RLM_MODULE_NOOP,
1055 .result_rcode = RLM_MODULE_OK,
1056 .send = send_generic,
1057 .resume = resume_generic_radius_response,
1058 .section_offset = offsetof(process_radius_sections_t, coa_ack),
1059 },
1061 .packet_type = {
1067 },
1068 .default_rcode = RLM_MODULE_NOOP,
1069 .result_rcode = RLM_MODULE_NOTFOUND,
1070 .send = send_generic,
1071 .resume = resume_generic_radius_response,
1072 .section_offset = offsetof(process_radius_sections_t, coa_nak),
1073 },
1075 .packet_type = {
1080
1086 },
1087 .default_rcode = RLM_MODULE_NOOP,
1088 .recv = recv_generic,
1089 .resume = resume_recv_generic,
1090 .section_offset = offsetof(process_radius_sections_t, disconnect_request),
1091 },
1093 .packet_type = {
1099 },
1100 .default_rcode = RLM_MODULE_NOOP,
1101 .result_rcode = RLM_MODULE_OK,
1102 .send = send_generic,
1103 .resume = resume_generic_radius_response,
1104 .section_offset = offsetof(process_radius_sections_t, disconnect_ack),
1105 },
1107 .packet_type = {
1113 },
1114 .default_rcode = RLM_MODULE_NOOP,
1115 .result_rcode = RLM_MODULE_NOTFOUND,
1116 .send = send_generic,
1117 .resume = resume_generic_radius_response,
1118 .section_offset = offsetof(process_radius_sections_t, disconnect_nak),
1119 },
1120 [ FR_RADIUS_CODE_PROTOCOL_ERROR ] = { /* @todo - fill out required fields */
1121 .packet_type = {
1127 },
1128 .default_rcode = RLM_MODULE_NOOP,
1129 .result_rcode = RLM_MODULE_OK,
1130 .send = send_generic,
1131 .resume = resume_protocol_error,
1132 .section_offset = offsetof(process_radius_sections_t, protocol_error),
1133 },
1135 .packet_type = {
1140
1147 },
1148 .default_rcode = RLM_MODULE_NOOP,
1149 .result_rcode = RLM_MODULE_HANDLED,
1150 .send = send_generic,
1151 .resume = resume_send_generic,
1152 .section_offset = offsetof(process_radius_sections_t, do_not_respond),
1153 }
1154};
1155
1157 {
1158 .section = SECTION_NAME("recv", "Access-Request"),
1159 .actions = &mod_actions_authorize,
1160 .offset = PROCESS_CONF_OFFSET(access_request),
1161 },
1162 {
1163 .section = SECTION_NAME("send", "Access-Accept"),
1165 .offset = PROCESS_CONF_OFFSET(access_accept),
1166 },
1167 {
1168 .section = SECTION_NAME("send", "Access-Challenge"),
1170 .offset = PROCESS_CONF_OFFSET(access_challenge),
1171 },
1172 {
1173 .section = SECTION_NAME("send", "Access-Reject"),
1175 .offset = PROCESS_CONF_OFFSET(access_reject),
1176 },
1177
1178 {
1179 .section = SECTION_NAME("recv", "Accounting-Request"),
1181 .offset = PROCESS_CONF_OFFSET(accounting_request),
1182 },
1183 {
1184 .section = SECTION_NAME("send", "Accounting-Response"),
1186 .offset = PROCESS_CONF_OFFSET(accounting_response),
1187 },
1188
1189 {
1190 .section = SECTION_NAME("recv", "Status-Server"),
1192 .offset = PROCESS_CONF_OFFSET(status_server),
1193 },
1194 {
1195 .section = SECTION_NAME("recv", "CoA-Request"),
1197 .offset = PROCESS_CONF_OFFSET(coa_request),
1198 },
1199 {
1200 .section = SECTION_NAME("send", "CoA-ACK"),
1202 .offset = PROCESS_CONF_OFFSET(coa_ack),
1203 },
1204 {
1205 .section = SECTION_NAME("send", "CoA-NAK"),
1207 .offset = PROCESS_CONF_OFFSET(coa_nak),
1208 },
1209 {
1210 .section = SECTION_NAME("recv", "Disconnect-Request"),
1212 .offset = PROCESS_CONF_OFFSET(disconnect_request),
1213 },
1214 {
1215 .section = SECTION_NAME("send", "Disconnect-ACK"),
1217 .offset = PROCESS_CONF_OFFSET(disconnect_ack),
1218 },
1219 {
1220 .section = SECTION_NAME("send", "Disconnect-NAK"),
1222 .offset = PROCESS_CONF_OFFSET(disconnect_nak),
1223 },
1224 {
1225 .section = SECTION_NAME("send", "Protocol-Error"),
1227 .offset = PROCESS_CONF_OFFSET(protocol_error),
1228 },
1229 {
1230 .section = SECTION_NAME("send", "Do-Not-Respond"),
1232 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1233 },
1234 {
1235 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1237 },
1238 {
1239 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1241 },
1242
1243 DYNAMIC_CLIENT_SECTIONS,
1244
1246};
1247
1250 .common = {
1251 .magic = MODULE_MAGIC_INIT,
1252 .name = "radius",
1253 .config = config,
1256
1257 .onload = mod_load,
1258 .unload = mod_unload,
1259 .bootstrap = mod_bootstrap,
1260 .instantiate = mod_instantiate
1261 },
1262 .process = mod_process,
1263 .compile_list = compile_list,
1264 .dict = &dict_radius,
1265 .packet_type = &attr_packet_type
1266};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
static int const char char buffer[256]
Definition acutest.h:576
va_list args
Definition acutest.h:770
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:662
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:599
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
#define cf_parent(_cf)
Definition cf_util.h:101
#define cf_filename(_cf)
Definition cf_util.h:107
#define CF_IDENT_ANY
Definition cf_util.h:78
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
#define MEM(x)
Definition debug.h:36
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
@ FR_RADIUS_CODE_DO_NOT_RESPOND
Special rcode to indicate we will not respond.
Definition defs.h:54
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:263
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:237
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3404
char const * name
Enum name.
Definition dict.h:234
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Specifies a value which must be present for the module to function.
Definition dict.h:262
Value of an enumerated attribute.
Definition dict.h:233
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
static xlat_action_t xlat_func_radius_secret_verify(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Validates a request against a know shared secret.
Definition base.c:833
uint32_t fr_hash_string(char const *p)
Definition hash.c:865
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
fr_dict_attr_t const * attr_state
Definition base.c:103
fr_dict_t const * dict_radius
Definition base.c:78
fr_dict_attr_t const * attr_user_name
Definition base.c:104
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
void log_request_proto_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a list of protocol fr_pair_ts.
Definition log.c:852
void log_request(fr_log_type_t type, fr_log_lvl_t lvl, request_t *request, char const *file, int line, char const *fmt,...)
Marshal variadic log arguments into a va_list and pass to normal logging functions.
Definition log.c:610
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:828
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RDEBUG3(fmt,...)
Definition log.h:343
#define RPEDEBUG(fmt,...)
Definition log.h:376
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
talloc_free(reap)
@ L_DBG_LVL_1
Highest priority debug messages (-x).
Definition log.h:70
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:59
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
unlang_mod_actions_t const mod_actions_preacct
Definition mod_action.c:62
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:30
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:78
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:46
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:93
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:64
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2938
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:775
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:698
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1343
int fr_pair_delete_by_da(fr_pair_list_t *list, fr_dict_attr_t const *da)
Delete matching pairs from the specified list.
Definition pair.c:1685
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
size_t fr_utf8_char(uint8_t const *str, ssize_t inlen)
Checks for utf-8, taken from http://www.w3.org/International/questions/qa-forms-utf-8.
Definition print.c:39
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:188
static const virtual_server_compile_t compile_list[]
Definition base.c:214
static fr_process_state_t const process_state[]
Definition base.c:69
RESUME_FLAG(recv_bfd, UNUSED,)
Definition base.c:119
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:401
static int mod_load(void)
Definition base.c:228
static void mod_unload(void)
Definition base.c:237
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:213
process_radius_auth_t auth
Authentication configuration.
Definition base.c:150
CONF_SECTION * access_challenge
Definition base.c:112
static fr_dict_attr_t const * attr_user_password
Definition base.c:66
CONF_SECTION * coa_nak
Definition base.c:121
static xlat_arg_parser_t const xlat_func_radius_secret_verify_args[]
Definition base.c:816
CONF_SECTION * disconnect_ack
Definition base.c:124
CONF_SECTION * protocol_error
Definition base.c:128
CONF_SECTION * new_client
Definition base.c:130
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:59
fr_dict_attr_autoload_t process_radius_dict_attr[]
Definition base.c:72
static const conf_parser_t session_config[]
Definition base.c:172
CONF_SECTION * coa_request
Definition base.c:119
fr_value_box_list_head_t proxy_state
These need to be copied into the response in exactly the same order as they were added.
Definition base.c:156
uint8_t state_server_id
Sets a specific byte in the state to allow the authenticating server to be identified in packet captu...
Definition base.c:139
fr_dict_enum_autoload_t process_radius_dict_enum[]
Definition base.c:97
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:887
fr_process_module_t process_radius
Definition base.c:1249
static fr_dict_attr_t const * attr_auth_type
Definition base.c:56
static void radius_request_pairs_to_reply(request_t *request, process_radius_rctx_t *rctx)
Definition base.c:264
#define FR_RADIUS_PROCESS_CODE_VALID(_x)
Definition base.c:161
CONF_SECTION * disconnect_nak
Definition base.c:125
CONF_SECTION * access_accept
Definition base.c:110
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:94
static void radius_request_pairs_store(request_t *request, process_radius_rctx_t *rctx)
Keep a copy of some attributes to keep them from being tamptered with.
Definition base.c:239
static fr_dict_attr_t const * attr_error_cause
Definition base.c:68
CONF_SECTION * add_client
Definition base.c:131
static const conf_parser_t auth_config[]
Definition base.c:180
fr_time_delta_t session_timeout
Maximum time between the last response and next request.
Definition base.c:136
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:147
CONF_SECTION * access_request
Definition base.c:109
static fr_dict_attr_t const * attr_proxy_state
Definition base.c:63
static void radius_packet_debug(request_t *request, fr_packet_t *packet, fr_pair_list_t *list, bool received)
Definition base.c:196
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:93
uint32_t max_session
Maximum ongoing session allowed.
Definition base.c:137
CONF_SECTION * status_server
Definition base.c:117
CONF_SECTION * access_reject
Definition base.c:111
static fr_dict_attr_t const * attr_acct_status_type
Definition base.c:61
CONF_SECTION * disconnect_request
Definition base.c:123
CONF_SECTION * accounting_request
Definition base.c:114
CONF_SECTION * coa_ack
Definition base.c:120
CONF_SECTION * do_not_respond
Definition base.c:127
process_radius_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:148
static fr_dict_attr_t const * attr_original_packet_code
Definition base.c:67
unlang_result_t result
Definition base.c:158
static const conf_parser_t config[]
Definition base.c:186
fr_dict_autoload_t process_radius_dict[]
Definition base.c:50
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:143
static fr_dict_attr_t const * attr_event_timestamp
Definition base.c:69
CONF_SECTION * accounting_response
Definition base.c:115
CONF_SECTION * deny_client
Definition base.c:132
Records fields from the original request so we have a known good copy.
Definition base.c:155
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:55
#define PROCESS_CONF_OFFSET(_x)
Definition process.h:79
module_t common
Common fields for all loadable modules.
Common public symbol definition for all process modules.
int fr_radius_verify(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_message_authenticator, bool limit_proxy_state)
Verify a request / response packet.
Definition base.c:799
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:114
#define fr_assert(_expr)
Definition rad_assert.h:38
static char * secret
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG_ENABLED2()
Definition radclient.h:50
#define RDEBUG2(fmt,...)
Definition radclient.h:54
#define RDEBUG(fmt,...)
Definition radclient.h:53
#define RDEBUG_ENABLED()
Definition radclient.h:49
static void send_reply(int sockfd, fr_channel_data_t *reply)
@ DECODE_FAIL_MA_INVALID
Definition radius.h:177
@ DECODE_FAIL_VERIFY
Definition radius.h:178
#define FR_RADIUS_PACKET_CODE_VALID(_x)
Definition radius.h:52
void fr_rand_buffer(void *start, size_t length)
Definition rand.c:125
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
#define RETURN_UNLANG_FAIL
Definition rcode.h:59
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:47
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:45
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:44
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:48
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:43
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:52
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:49
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:51
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:50
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:53
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:46
#define request_is_dynamic_client(_x)
Definition request.h:188
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
void * data
Module's instance data.
Definition module.h:291
#define MODULE_RCTX(_ctype)
Definition module.h:257
#define MODULE_INST(_ctype)
Definition module.h:255
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
#define pair_update_reply(_attr, _da)
Return or allocate a fr_pair_t in the reply list.
Definition pair.h:129
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, bool thread_safe, uint32_t max_sessions, fr_time_delta_t timeout, uint8_t server_id, uint32_t context_id)
Initialise a new state tree.
Definition state.c:220
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:605
int fr_request_to_state(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:736
int fr_state_to_request(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:659
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
eap_aka_sim_process_conf_t * inst
#define RESUME(_x)
fr_pair_t * vp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
#define talloc_get_type_abort_const
Definition talloc.h:287
static fr_unix_time_t fr_unix_time_sub_time_delta(fr_unix_time_t a, fr_time_delta_t b)
Definition time.h:341
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
static fr_unix_time_t fr_time_to_unix_time(fr_time_t when)
Convert an fr_time_t (internal time) to our version of unix time (wallclock time)
Definition time.h:688
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
uint8_t required
Argument must be present, and non-empty.
Definition xlat.h:146
#define XLAT_ARGS(_list,...)
Populate local variables with value boxes from the input list.
Definition xlat.h:383
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumend by an xlat function.
Definition xlat.h:145
unsigned int code
Packet code (type).
Definition packet.h:61
fr_socket_t socket
This packet was received on.
Definition packet.h:57
int id
Packet ID (used to link requests/responses).
Definition packet.h:60
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:78
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:742
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:4156
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:643
#define fr_box_ipaddr(_val)
Definition value.h:316
static fr_value_box_t * fr_value_box_acopy(TALLOC_CTX *ctx, fr_value_box_t const *src)
Copy an existing box, allocating a new box to hold its contents.
Definition value.h:737
#define fr_value_box_list_foreach(_list_head, _iter)
Definition value.h:224
static size_t char ** out
Definition value.h:1023
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
section_name_t const * section
Identifier for the section.
#define COMPILE_TERMINATOR
Processing sections which are allowed in this virtual server.
An xlat calling ctx.
Definition xlat_ctx.h:49
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition xlat_func.c:516