25#include <freeradius-devel/radius/radius.h>
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/unlang/xlat_func.h>
28#include <freeradius-devel/server/module_rlm.h>
171 inst->allowed[dv->
value->vb_uint32] =
true;
188 inst->io.app_io_instance = mi->
data;
237 if (*
fmt)
msg = talloc_asprintf(NULL,
fmt, ap);
241 EDEBUG2(
"proto_radius - discarding packet on socket %s from client %pV port %u - %s (%s)",
247 EDEBUG2(
"proto_radius - discarding packet on socket %s - %s (%s)",
251 EDEBUG2(
"For more information, please see " DOC_ROOT_URL "/troubleshooting/network/%s.html",
url[reason]);
271 inst->require_message_authenticator;
274 inst->limit_proxy_state;
281 .secret_length = talloc_array_length(client->
secret) - 1,
284 request->packet->code =
data[0];
288 .tmp_ctx = talloc(request,
uint8_t),
290 .end =
data + data_len,
315 request->packet->id =
data[1];
316 request->reply->id =
data[1];
317 memcpy(request->packet->vector,
data + 4,
sizeof(request->packet->vector));
319 request->packet->data = talloc_memdup(request->packet,
data, data_len);
320 request->packet->data_len = data_len;
327 data, data_len, &decode_ctx) < 0) {
339 request->client = client;
341 request->packet->socket = address->
socket;
369 RINFO(
"Packet from client %pV (%pV) contained a valid Message-Authenticator. Setting \"require_message_authenticator = yes\"",
373 RINFO(
"Packet from client %pV (%pV) contained a valid Message-Authenticator but also EAP-Message",
376 RINFO(
"Not changing the value of 'require_message_authenticator = auto'");
401 RWARN(
"Packet from %pV (%pV) did not contain Message-Authenticator:",
404 RWARN(
"- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack.");
405 RWARN(
"- Then set 'require_message_authenticator = yes' in the client definition");
407 RWARN(
"Packet from %pV (%pV) contains Message-Authenticator:",
410 RWARN(
"- Then set 'require_message_authenticator = yes' in the client definition");
413 RINFO(
"First packet from %pV (%pV) %s Proxy-State. Setting \"limit_proxy_state = %s\"",
420 RERROR(
"Packet from %pV (%pV) contains Proxy-State, but no Message-Authenticator:",
423 RERROR(
"- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack.");
424 RERROR(
"- Then set 'require_message_authenticator = yes' in the client definition");
448 switch (
vp->vp_type) {
457 vp->vp_ipv4addr = INADDR_ANY;
482 request->sequence = 1;
486 RPEDEBUG(
"Failed decoding 'Net.*' packet");
494 packet_vp->vp_uint8 = request->packet->id;
498 RPEDEBUG(
"Failed adding Authenticator pair");
522 switch (request->packet->code) {
524 RDEBUG2(
"There was no response configured - sending Access-Reject");
529 RDEBUG2(
"There was no response configured - sending CoA-NAK");
534 RDEBUG2(
"There was no response configured - sending Disconnect-NAK");
544 RDEBUG2(
"There was no response configured - sending Protocol-Error");
547 error_cause = FR_ERROR_CAUSE_VALUE_SESSION_CONTEXT_NOT_FOUND;
551 RDEBUG2(
"There was no response configured - not sending reply");
559 if ((buffer_len == 1) ||
573 switch (request->packet->code) {
575 RWDEBUG(
"Client %s does not support Protocol-Error - rewriting to Access-Reject",
581 RWDEBUG2(
"Client %s does not support Protocol-Error - rewriting to CoA-NAK",
582 request->client->shortname);
587 RWDEBUG2(
"Client %s does not support Protocol-Error - rewriting to Disconnect-NAK",
588 request->client->shortname);
592 error_cause = FR_ERROR_CAUSE_VALUE_PROXY_REQUEST_NOT_ROUTABLE;
599 vp->vp_uint32 = error_cause;
604 RWDEBUG2(
"Client %s does not support Protocol-Error - not replying to the client",
605 request->client->shortname);
640 PERROR(
"Failed creating new client");
645 memcpy(
buffer, &new_client,
sizeof(new_client));
646 return sizeof(new_client);
656 request->reply->socket.inet.src_ipaddr = client->
src_ipaddr;
661 .secret_length = talloc_array_length(client->
secret) - 1,
664 .common = &common_ctx,
665 .request_authenticator = request->packet->data + 4,
670 .request_code = request->packet->data[0],
671 .code = request->reply->code,
672 .id = request->reply->id,
673#ifdef NAS_VIOLATES_RFC
674 .allow_vulnerable_clients = client->allow_vulnerable_clients,
680 RPEDEBUG(
"Failed encoding RADIUS reply");
686 RPEDEBUG(
"Failed signing RADIUS reply");
693 RDEBUG(
"Sending %s ID %i from %pV:%i to %pV:%i length %zu via socket %s",
697 request->reply->socket.inet.src_port,
699 request->reply->socket.inet.dst_port,
701 request->async->listen->name);
753 inst->max_packet_size,
inst->num_messages);
771 if (!
inst->io.submodule)
return 0;
790 inst->io.cleanup_delay = 0;
803 if (!
inst->max_packet_size &&
inst->io.app_io)
inst->max_packet_size =
inst->io.app_io->default_message_size;
805 if (!
inst->num_messages)
inst->num_messages = 256;
851 if (
fr_value_box_memdup(vb, vb, NULL, request->packet->vector,
sizeof(request->packet->vector),
true) < 0) {
865 PERROR(
"Failed initialising protocol library");
static int const char char buffer[256]
static int const char * fmt
module_t common
Common fields to all loadable modules.
Public structure describing an I/O path for a protocol.
module_t common
Common fields provided by all modules.
Describes a new application (protocol)
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
#define CONF_PARSER_TERMINATOR
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
Common header for all CONF_* types.
Configuration AVP similar to a fr_pair_t.
A section grouping multiple CONF_PAIR.
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
#define cf_log_err(_cf, _fmt,...)
size_t channel_packet_priority_len
fr_table_num_sorted_t const channel_packet_priority[]
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
@ FR_RADIUS_CODE_DO_NOT_RESPOND
Special rcode to indicate we will not respond.
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
fr_value_box_t const * value
Enum value (what name maps to).
#define DICT_AUTOLOAD_TERMINATOR
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
Value of an enumerated attribute.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
fr_socket_t socket
src/dst ip and port.
fr_client_t const * radclient
old-style client definition
fr_ipaddr_t ipaddr
IPv4/IPv6 address of the host.
bool received_message_authenticator
Whether we've seen a message authenticator from this client in any previous packets.
fr_radius_require_ma_t require_message_authenticator
Require RADIUS message authenticator for incoming packets.
char const * secret
Secret PSK.
bool active
for dynamic clients
fr_ipaddr_t src_ipaddr
IPv4/IPv6 address to send responses from (family must match ipaddr).
bool require_message_authenticator_is_set
Whether require_message_authenticator is set in the configuration.
bool seen_first_packet
Whether we've seen a packet from this client.
bool limit_proxy_state_is_set
Whether limit_proxy_state is set in the configuration.
bool dynamic
Whether the client was dynamically defined.
bool first_packet_no_proxy_state
Whether that first packet contained a Proxy-State attribute.
char const * shortname
Client nickname.
bool protocol_error
Whether the client supports Protocol-Error.
fr_radius_limit_proxy_state_t limit_proxy_state
Whether to allow Proxy-State in incoming packets that don't contain a message authenticator.
Describes a host allowed to send packets to the server.
void log_request_proto_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a list of protocol fr_pair_ts.
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
#define RWDEBUG2(fmt,...)
#define RPEDEBUG(fmt,...)
#define EDEBUG2(_fmt,...)
int fr_packet_pairs_from_packet(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_packet_t const *packet)
Allocate a "Net." struct with src/dst host and port.
void fr_packet_net_from_pairs(fr_packet_t *packet, fr_pair_list_t const *list)
Convert pairs to information in a packet.
@ L_DBG_LVL_1
Highest priority debug messages (-x).
fr_app_io_t fr_master_app_io
int fr_master_io_listen(fr_io_instance_t *inst, fr_schedule_t *sc, size_t default_message_size, size_t num_messages)
fr_io_address_t const * address
of this packet.. shared between multiple packets
bool do_not_respond
don't respond
fr_listen_t const * li
listener associated with this tracking structure
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_OCTETS
Raw octets.
#define MODULE_INST_CTX(_mi)
Wrapper to create a module_inst_ctx_t as a compound literal.
module_instance_t * mi
Instance of the module being instantiated.
Temporary structure to hold arguments for instantiation calls.
#define RADIUS_AUTH_VECTOR_LENGTH
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
fr_pair_t * fr_pair_afrom_da_nested(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *da)
Create a pair (and all intermediate parents), and append it to the list.
static fr_internal_encode_ctx_t encode_ctx
static int mod_load(void)
static fr_dict_attr_t const * attr_packet_type
static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
static xlat_action_t packet_vector_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Get the authentication vector.
static char const * url[FR_RADIUS_FAIL_MAX+1]
static fr_dict_attr_t const * attr_packet_authenticator
static fr_dict_attr_t const * attr_state
fr_dict_autoload_t proto_radius_dict[]
static conf_parser_t const limit_config[]
static fr_dict_attr_t const * attr_eap_message
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
void proto_radius_log(fr_listen_t const *li, fr_radius_decode_fail_t reason, fr_socket_t const *sock, char const *fmt,...)
Log a message in a canonical format.
static int mod_decode(void const *instance, request_t *request, uint8_t *const data, size_t data_len)
Decode the packet.
static fr_dict_t const * dict_radius
static conf_parser_t const log_config[]
static fr_dict_attr_t const * attr_error_cause
static void mod_unload(void)
static fr_dict_attr_t const * attr_proxy_state
static const conf_parser_t priority_config[]
static fr_dict_attr_t const * attr_user_name
static int transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static fr_dict_attr_t const * attr_packet_id
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the application.
static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
Open listen sockets/connect to external event source.
static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
fr_dict_attr_autoload_t proto_radius_dict_attr[]
static fr_dict_attr_t const * attr_message_authenticator
static conf_parser_t const proto_radius_config[]
How to parse a RADIUS listen section.
An instance of a proto_radius listen section.
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
size_t fr_radius_limit_proxy_state_table_len
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
char const * fr_radius_decode_fail_reason[FR_RADIUS_FAIL_MAX+1]
size_t fr_radius_require_ma_table_len
int fr_radius_global_init(void)
void fr_radius_global_free(void)
fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[]
fr_table_num_sorted_t const fr_radius_require_ma_table[]
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
fr_radius_require_ma_t
Control whether Message-Authenticator is required in Access-Requests.
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
fr_radius_decode_fail_t
Failure reasons.
@ FR_RADIUS_FAIL_ATTRIBUTE_DECODE
@ FR_RADIUS_FAIL_UNEXPECTED_REQUEST_CODE
@ FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW
@ FR_RADIUS_FAIL_MA_INVALID_LENGTH
@ FR_RADIUS_FAIL_MIN_LENGTH_FIELD
@ FR_RADIUS_FAIL_INVALID_ATTRIBUTE
@ FR_RADIUS_FAIL_IO_ERROR
@ FR_RADIUS_FAIL_MAX_LENGTH_PACKET
@ FR_RADIUS_FAIL_MA_MISSING
@ FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES
@ FR_RADIUS_FAIL_UNEXPECTED_RESPONSE_CODE
@ FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE
@ FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH
@ FR_RADIUS_FAIL_NO_MATCHING_REQUEST
@ FR_RADIUS_FAIL_HEADER_OVERFLOW
@ FR_RADIUS_FAIL_PROXY_STATE_MISSING
@ FR_RADIUS_FAIL_MIN_LENGTH_PACKET
@ FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT
@ FR_RADIUS_FAIL_MA_INVALID
bool limit_proxy_state
Don't allow Proxy-State in requests.
#define fr_radius_flag_encrypted(_da)
bool require_message_authenticator
fr_radius_ctx_t const * common
fr_radius_limit_proxy_state_t
Control whether Proxy-State is allowed in Access-Requests.
@ FR_RADIUS_LIMIT_PROXY_STATE_AUTO
Do not allow Proxy-State unless:
@ FR_RADIUS_LIMIT_PROXY_STATE_YES
Limit Proxy-State.
fr_radius_decode_fail_t reason
reason for decode failure
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
uint32_t fr_rand(void)
Return a 32-bit random number.
Smaller fast random number generator.
#define REQUEST_VERIFY(_x)
#define request_set_dynamic_client(_x)
CONF_SECTION * conf
Module's instance configuration.
void * data
Module's instance data.
module_instantiate_t instantiate
Callback to allow the module to register any per-instance resources like sockets and file handles.
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
module_t * exported
Public module structure.
static const uchar sc[16]
fr_client_t * client_afrom_request(TALLOC_CTX *ctx, request_t *request)
Create a new client, consuming all attributes in the control list of the request.
int module_instantiate(module_instance_t *instance)
Manually complete module setup by calling its instantiate function.
eap_aka_sim_process_conf_t * inst
Stores an attribute, a value and various bits of other data.
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
#define talloc_get_type_abort_const
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
@ XLAT_ACTION_FAIL
An xlat function failed.
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
static void fr_socket_addr_swap(fr_socket_t *dst, fr_socket_t const *src)
Swap src/dst information of a fr_socket_t.
Holds information necessary for binding or connecting to a socket.
int fr_value_box_memdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, uint8_t const *src, size_t len, bool tainted)
Copy a buffer to a fr_value_box_t.
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
#define fr_box_ipaddr(_val)
#define fr_box_strvalue_buffer(_val)
static size_t char ** out
int virtual_server_listen_transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic conf_parser_t func for loading drivers.
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
void xlat_func_unregister(char const *name)
Unregister an xlat function.
1.9.8