The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
proto_radius.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 5ad093de534a02b2af1a9b01908d4dd6e71571f4 $
19 * @file proto_radius.c
20 * @brief RADIUS master protocol handler.
21 *
22 * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @copyright 2016 Alan DeKok (aland@freeradius.org)
24 */
25#include <freeradius-devel/radius/radius.h>
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/unlang/xlat_func.h>
28#include <freeradius-devel/server/module_rlm.h>
29#include <stdbool.h>
30#include "proto_radius.h"
31
32extern fr_app_t proto_radius;
33
34static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
35static int transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
36
37static conf_parser_t const limit_config[] = {
38 { FR_CONF_OFFSET("cleanup_delay", proto_radius_t, io.cleanup_delay), .dflt = "5.0" } ,
39 { FR_CONF_OFFSET("idle_timeout", proto_radius_t, io.idle_timeout), .dflt = "30.0" } ,
40 { FR_CONF_OFFSET("dynamic_timeout", proto_radius_t, io.dynamic_timeout), .dflt = "600.0" } ,
41 { FR_CONF_OFFSET("nak_lifetime", proto_radius_t, io.nak_lifetime), .dflt = "30.0" } ,
42
43 { FR_CONF_OFFSET("max_connections", proto_radius_t, io.max_connections), .dflt = "1024" } ,
44 { FR_CONF_OFFSET("max_clients", proto_radius_t, io.max_clients), .dflt = "256" } ,
45 { FR_CONF_OFFSET("max_pending_packets", proto_radius_t, io.max_pending_packets), .dflt = "256" } ,
46
47 /*
48 * For performance tweaking. NOT for normal humans.
49 */
50 { FR_CONF_OFFSET("max_packet_size", proto_radius_t, max_packet_size) } ,
51 { FR_CONF_OFFSET("num_messages", proto_radius_t, num_messages) } ,
52
53 CONF_PARSER_TERMINATOR
54};
55
56static const conf_parser_t priority_config[] = {
57 { FR_CONF_OFFSET("Access-Request", proto_radius_t, priorities[FR_RADIUS_CODE_ACCESS_REQUEST]),
58 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" },
59 { FR_CONF_OFFSET("Accounting-Request", proto_radius_t, priorities[FR_RADIUS_CODE_ACCOUNTING_REQUEST]),
60 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" },
61 { FR_CONF_OFFSET("CoA-Request", proto_radius_t, priorities[FR_RADIUS_CODE_COA_REQUEST]),
62 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "normal" },
63 { FR_CONF_OFFSET("Disconnect-Request", proto_radius_t, priorities[FR_RADIUS_CODE_DISCONNECT_REQUEST]),
64 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" },
65 { FR_CONF_OFFSET("Status-Server", proto_radius_t, priorities[FR_RADIUS_CODE_STATUS_SERVER]),
66 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "now" },
67
68 CONF_PARSER_TERMINATOR
69};
70
71static conf_parser_t const log_config[] = {
72 { FR_CONF_OFFSET("ignored_clients", proto_radius_t, io.log_ignored_clients), .dflt = "yes" } ,
73
74 CONF_PARSER_TERMINATOR
75};
76
77/** How to parse a RADIUS listen section
78 *
79 */
80static conf_parser_t const proto_radius_config[] = {
81 { FR_CONF_OFFSET_FLAGS("type", CONF_FLAG_NOT_EMPTY, proto_radius_t, allowed_types), .func = type_parse },
82 { FR_CONF_OFFSET_TYPE_FLAGS("transport", FR_TYPE_VOID, 0, proto_radius_t, io.submodule),
83 .func = transport_parse },
84
85 /*
86 * Check whether or not the *trailing* bits of a
87 * Tunnel-Password are zero, as they should be.
88 */
89 { FR_CONF_OFFSET("tunnel_password_zeros", proto_radius_t, tunnel_password_zeros) } ,
90
91 { FR_CONF_POINTER("limit", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) limit_config },
92 { FR_CONF_POINTER("priority", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) priority_config },
93
94 { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) log_config },
95
96 { FR_CONF_OFFSET("require_message_authenticator", proto_radius_t, require_message_authenticator),
97 .func = cf_table_parse_int,
98 .uctx = &(cf_table_parse_ctx_t){ .table = fr_radius_require_ma_table, .len = &fr_radius_require_ma_table_len },
99 .dflt = "no" },
100
101 { FR_CONF_OFFSET("limit_proxy_state", proto_radius_t, limit_proxy_state),
102 .func = cf_table_parse_int,
103 .uctx = &(cf_table_parse_ctx_t){ .table = fr_radius_limit_proxy_state_table, .len = &fr_radius_limit_proxy_state_table_len },
104 .dflt = "auto" },
105
106 CONF_PARSER_TERMINATOR
107};
108
109static fr_dict_t const *dict_radius;
110
111extern fr_dict_autoload_t proto_radius_dict[];
112fr_dict_autoload_t proto_radius_dict[] = {
113 { .out = &dict_radius, .proto = "radius" },
114 DICT_AUTOLOAD_TERMINATOR
115};
116
117static fr_dict_attr_t const *attr_packet_type;
118static fr_dict_attr_t const *attr_user_name;
119static fr_dict_attr_t const *attr_state;
120static fr_dict_attr_t const *attr_proxy_state;
121static fr_dict_attr_t const *attr_message_authenticator;
122static fr_dict_attr_t const *attr_eap_message;
123static fr_dict_attr_t const *attr_error_cause;
124static fr_dict_attr_t const *attr_packet_id;
125static fr_dict_attr_t const *attr_packet_authenticator;
126
127extern fr_dict_attr_autoload_t proto_radius_dict_attr[];
128fr_dict_attr_autoload_t proto_radius_dict_attr[] = {
129 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius},
130 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius},
131 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
132 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
133 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
134 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
135 { .out = &attr_error_cause, .name = "Error-Cause", .type = FR_TYPE_UINT32, .dict = &dict_radius},
136 { .out = &attr_packet_id, .name = "Packet.Id", .type = FR_TYPE_UINT8, .dict = &dict_radius},
137 { .out = &attr_packet_authenticator, .name = "Packet.Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
138 DICT_AUTOLOAD_TERMINATOR
139};
140
141/** Translates the packet-type into a submodule name
142 *
143 * If we found a Packet-Type = Access-Request CONF_PAIR for example, here's we'd load
144 * the proto_radius_auth module.
145 *
146 * @param[in] ctx to allocate data in (instance of proto_radius).
147 * @param[out] out Where to write a module_instance_t containing the module handle and instance.
148 * @param[in] parent Base structure address.
149 * @param[in] ci #CONF_PAIR specifying the name of the type module.
150 * @param[in] rule unused.
151 * @return
152 * - 0 on success.
153 * - -1 on failure.
154 */
155static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
156{
157 proto_radius_t *inst = talloc_get_type_abort(parent, proto_radius_t);
158 fr_dict_enum_value_t const *dv;
159 CONF_PAIR *cp;
160 char const *value;
161
162 cp = cf_item_to_pair(ci);
163 value = cf_pair_value(cp);
164
165 dv = fr_dict_enum_by_name(attr_packet_type, value, -1);
166 if (!dv || (dv->value->vb_uint32 >= FR_RADIUS_CODE_MAX)) {
167 cf_log_err(ci, "Unknown RADIUS packet type '%s'", value);
168 return -1;
169 }
170
171 inst->allowed[dv->value->vb_uint32] = true;
172 *((char const **) out) = value;
173
174 return 0;
175}
176
177static int transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
178{
179 proto_radius_t *inst = talloc_get_type_abort(parent, proto_radius_t);
180 module_instance_t *mi;
181
182 if (unlikely(virtual_server_listen_transport_parse(ctx, out, parent, ci, rule) < 0)) {
183 return -1;
184 }
185
186 mi = talloc_get_type_abort(*(void **)out, module_instance_t);
187 inst->io.app_io = (fr_app_io_t const *)mi->exported;
188 inst->io.app_io_instance = mi->data;
189 inst->io.app_io_conf = mi->conf;
190
191 return 0;
192}
193
194/** Decode the packet
195 *
196 */
197static int mod_decode(void const *instance, request_t *request, uint8_t *const data, size_t data_len)
198{
199 proto_radius_t const *inst = talloc_get_type_abort_const(instance, proto_radius_t);
200 fr_io_track_t const *track = talloc_get_type_abort_const(request->async->packet_ctx, fr_io_track_t);
201 fr_io_address_t const *address = track->address;
202 fr_client_t *client = UNCONST(fr_client_t *, address->radclient);
203 fr_radius_ctx_t common_ctx;
204 fr_radius_decode_ctx_t decode_ctx;
205
206 fr_radius_require_ma_t require_message_authenticator = client->require_message_authenticator_is_set ?
207 client->require_message_authenticator:
208 inst->require_message_authenticator;
209 fr_radius_limit_proxy_state_t limit_proxy_state = client->limit_proxy_state_is_set ?
210 client->limit_proxy_state:
211 inst->limit_proxy_state;
212 fr_pair_t *packet_vp;
213
214 fr_assert(data[0] < FR_RADIUS_CODE_MAX);
215
216 common_ctx = (fr_radius_ctx_t) {
217 .secret = client->secret,
218 .secret_length = talloc_array_length(client->secret) - 1,
219 };
220
221 request->packet->code = data[0];
222
223 decode_ctx = (fr_radius_decode_ctx_t) {
224 .common = &common_ctx,
225 .tmp_ctx = talloc(request, uint8_t),
226 /* decode figures out request_authenticator */
227 .end = data + data_len,
228 .verify = client->active,
229 };
230
231 if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) {
232 /*
233 * bit1 is set if we've seen a packet, and the auto bit in require_message_authenticator is set/
234 * bit2 is set if we always require a message_authenticator.
235 * If either bit is high we require a message authenticator in the packet.
236 */
237 decode_ctx.require_message_authenticator = (
238 (client->received_message_authenticator & require_message_authenticator) |
239 (require_message_authenticator & FR_RADIUS_REQUIRE_MA_YES)
240 ) > 0;
241 decode_ctx.limit_proxy_state = (
242 (client->first_packet_no_proxy_state & limit_proxy_state) |
243 (limit_proxy_state & FR_RADIUS_LIMIT_PROXY_STATE_YES)
244 ) > 0;
245 }
246
247 /*
248 * The verify() routine over-writes the request packet vector.
249 *
250 * @todo - That needs to be changed.
251 */
252 request->packet->id = data[1];
253 request->reply->id = data[1];
254 memcpy(request->packet->vector, data + 4, sizeof(request->packet->vector));
255
256 request->packet->data = talloc_memdup(request->packet, data, data_len);
257 request->packet->data_len = data_len;
258
259 /*
260 * !client->active means a fake packet defining a dynamic client - so there will
261 * be no secret defined yet - so can't verify.
262 */
263 if (fr_radius_decode(request->request_ctx, &request->request_pairs,
264 data, data_len, &decode_ctx) < 0) {
265 talloc_free(decode_ctx.tmp_ctx);
266 RPEDEBUG("Failed decoding packet");
267 return -1;
268 }
269 talloc_free(decode_ctx.tmp_ctx);
270
271 /*
272 * Set the rest of the fields.
273 */
274 request->client = client;
275
276 request->packet->socket = address->socket;
277 fr_socket_addr_swap(&request->reply->socket, &address->socket);
278
279 if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) {
280 /*
281 * If require_message_authenticator is "auto" then
282 * we start requiring messages authenticator after
283 * the first Access-Request packet containing a
284 * verified one. This isn't vulnerable to the same
285 * attack as limit_proxy_state, as the attacker would
286 * need knowledge of the secret.
287 *
288 * Unfortunately there are too many cases where
289 * auto mode could break things (dealing with
290 * multiple clients behind a NAT for example).
291 */
292 if (!client->received_message_authenticator &&
293 fr_pair_find_by_da(&request->request_pairs, NULL, attr_message_authenticator)) {
294 /*
295 * Don't print debugging messages if all is OK.
296 */
297 if (require_message_authenticator == FR_RADIUS_REQUIRE_MA_YES) {
298 client->received_message_authenticator = true;
299
300 } else if (require_message_authenticator == FR_RADIUS_REQUIRE_MA_AUTO) {
301 if (!fr_pair_find_by_da(&request->request_pairs, NULL, attr_eap_message)) {
302 client->received_message_authenticator = true;
303
304 RINFO("Packet from client %pV (%pV) contained a valid Message-Authenticator. Setting \"require_message_authenticator = yes\"",
305 fr_box_ipaddr(client->ipaddr),
306 fr_box_strvalue_buffer(client->shortname));
307 } else {
308 RINFO("Packet from client %pV (%pV) contained a valid Message-Authenticator but also EAP-Message",
309 fr_box_ipaddr(client->ipaddr),
310 fr_box_strvalue_buffer(client->shortname));
311 RINFO("Not changing the value of 'require_message_authenticator = auto'");
312 }
313 }
314 }
315
316 /*
317 * It's important we only evaluate this on the
318 * first packet. Otherwise an attacker could send
319 * Access-Requests with no Proxy-State whilst
320 * spoofing a legitimate Proxy-Server, and causing an
321 * outage.
322 *
323 * The likelihood of an attacker sending a packet
324 * to coincide with the reboot of a RADIUS
325 * server is low. That said, 'auto' should likely
326 * not be enabled for internet facing servers.
327 */
328 if (!client->received_message_authenticator &&
329 (limit_proxy_state == FR_RADIUS_LIMIT_PROXY_STATE_AUTO) &&
330 client->active && !client->seen_first_packet) {
331 client->seen_first_packet = true;
332 client->first_packet_no_proxy_state = fr_pair_find_by_da(&request->request_pairs, NULL, attr_proxy_state) == NULL;
333
334 /* None of these should be errors */
335 if (!fr_pair_find_by_da(&request->request_pairs, NULL, attr_message_authenticator)) {
336 RWARN("Packet from %pV (%pV) did not contain Message-Authenticator:",
337 fr_box_ipaddr(client->ipaddr),
338 fr_box_strvalue_buffer(client->shortname));
339 RWARN("- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack.");
340 RWARN("- Then set 'require_message_authenticator = yes' in the client definition");
341 } else {
342 RWARN("Packet from %pV (%pV) contains Message-Authenticator:",
343 fr_box_ipaddr(client->ipaddr),
344 fr_box_strvalue_buffer(client->shortname));
345 RWARN("- Then set 'require_message_authenticator = yes' in the client definition");
346 }
347
348 RINFO("First packet from %pV (%pV) %s Proxy-State. Setting \"limit_proxy_state = %s\"",
349 fr_box_ipaddr(client->ipaddr),
350 fr_box_strvalue_buffer(client->shortname),
351 client->first_packet_no_proxy_state ? "did not contain" : "contained",
352 client->first_packet_no_proxy_state ? "yes" : "no");
353
354 if (!client->first_packet_no_proxy_state) {
355 RERROR("Packet from %pV (%pV) contains Proxy-State, but no Message-Authenticator:",
356 fr_box_ipaddr(client->ipaddr),
357 fr_box_strvalue_buffer(client->shortname));
358 RERROR("- Upgrade the client, as your network is vulnerable to the BlastRADIUS attack.");
359 RERROR("- Then set 'require_message_authenticator = yes' in the client definition");
360 }
361 }
362 }
363
364 REQUEST_VERIFY(request);
365
366 /*
367 * If we're defining a dynamic client, this packet is
368 * fake. We don't have a secret, so we mash all of the
369 * encrypted attributes to sane (i.e. non-hurtful)
370 * values.
371 */
372 if (!client->active) {
373 fr_pair_t *vp;
374
375 fr_assert(client->dynamic);
376
377 request_set_dynamic_client(request);
378
379 for (vp = fr_pair_list_head(&request->request_pairs);
380 vp != NULL;
381 vp = fr_pair_list_next(&request->request_pairs, vp)) {
382 if (fr_radius_flag_encrypted(vp->da)) {
383 switch (vp->vp_type) {
384 default:
385 break;
386
387 case FR_TYPE_UINT32:
388 vp->vp_uint32 = 0;
389 break;
390
391 case FR_TYPE_IPV4_ADDR:
392 vp->vp_ipv4addr = INADDR_ANY;
393 break;
394
395 case FR_TYPE_OCTETS:
396 fr_pair_value_memdup(vp, (uint8_t const *) "", 1, true);
397 break;
398
399 case FR_TYPE_STRING:
400 fr_pair_value_strdup(vp, "", true);
401 break;
402 }
403 }
404 }
405 }
406
407 /*
408 * Set the sequence to be at least one. This will
409 * prioritize replies to Access-Challenges over other
410 * packets. The sequence will be updated (if necessary)
411 * by the RADIUS state machine. If the request yields,
412 * it will get re-inserted with an updated sequence
413 * number.
414 */
415 if ((request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) &&
416 fr_pair_find_by_da(&request->request_pairs, NULL, attr_state)) {
417 request->sequence = 1;
418 }
419
420 if (fr_packet_pairs_from_packet(request->request_ctx, &request->request_pairs, request->packet) < 0) {
421 RPEDEBUG("Failed decoding 'Net.*' packet");
422 return -1;
423 }
424
425 /*
426 * Populate Packet structure with Id and Authenticator
427 */
428 MEM(packet_vp = fr_pair_afrom_da_nested(request->request_ctx, &request->request_pairs, attr_packet_id));
429 packet_vp->vp_uint8 = request->packet->id;
430 MEM(packet_vp = fr_pair_afrom_da_nested(request->request_ctx, &request->request_pairs, attr_packet_authenticator));
431 if (fr_value_box_memdup(packet_vp, &packet_vp->data, NULL, request->packet->data + 4,
432 RADIUS_AUTH_VECTOR_LENGTH, true) < 0) {
433 RPEDEBUG("Failed adding Authenticator pair");
434 return -1;
435 }
436
437 return 0;
438}
439
440static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
441{
442 fr_io_track_t *track = talloc_get_type_abort(request->async->packet_ctx, fr_io_track_t);
443 fr_io_address_t const *address = track->address;
444 uint32_t error_cause;
445 ssize_t data_len;
446 fr_client_t const *client;
447 fr_radius_ctx_t common_ctx = {};
448 fr_radius_encode_ctx_t encode_ctx;
449
450 client = address->radclient;
451 fr_assert(client);
452
453 /*
454 * No reply was set, and the client supports Protocol-Error. Go create one.
455 */
456 if (unlikely((buffer_len > 1) && (request->reply->code == 0) && client->protocol_error)) {
457 switch (request->packet->code) {
458 case FR_RADIUS_CODE_ACCESS_REQUEST:
459 RDEBUG2("There was no response configured - sending Access-Reject");
460 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
461 break;
462
463 case FR_RADIUS_CODE_COA_REQUEST:
464 RDEBUG2("There was no response configured - sending CoA-NAK");
465 request->reply->code = FR_RADIUS_CODE_COA_NAK;
466 goto not_routable;
467
468 case FR_RADIUS_CODE_DISCONNECT_REQUEST:
469 RDEBUG2("There was no response configured - sending Disconnect-NAK");
470 request->reply->code = FR_RADIUS_CODE_DISCONNECT_NAK;
471 goto not_routable;
472
473 case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
474 /*
475 * Send Protocol-Error reply.
476 *
477 * @todo - Session-Context-Not-Found is likely the wrong error.
478 */
479 RDEBUG2("There was no response configured - sending Protocol-Error");
480
481 request->reply->code = FR_RADIUS_CODE_PROTOCOL_ERROR;
482 error_cause = FR_ERROR_CAUSE_VALUE_SESSION_CONTEXT_NOT_FOUND;
483 goto force_reply;
484
485 default:
486 RDEBUG2("There was no response configured - not sending reply");
487 break;
488 }
489 }
490
491 /*
492 * Process layer NAK, or "Do not respond".
493 */
494 if ((buffer_len == 1) ||
495 (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) ||
496 (request->reply->code == 0) || (request->reply->code >= FR_RADIUS_CODE_MAX)) {
497 track->do_not_respond = true;
498 return 1;
499 }
500
501 /*
502 * Not all clients support Protocol-Error. The admin might have forced Protocol-Error, or we
503 * might have received a Protocol-Error from a home server.
504 */
505 if ((request->reply->code == FR_RADIUS_CODE_PROTOCOL_ERROR) && !client->protocol_error) {
506 fr_pair_t *vp;
507
508 switch (request->packet->code) {
509 case FR_RADIUS_CODE_ACCESS_REQUEST:
510 RWDEBUG("Client %s does not support Protocol-Error - rewriting to Access-Reject",
511 client->shortname);
512 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
513 break;
514
515 case FR_RADIUS_CODE_COA_REQUEST:
516 RWDEBUG2("Client %s does not support Protocol-Error - rewriting to CoA-NAK",
517 request->client->shortname);
518 request->reply->code = FR_RADIUS_CODE_COA_NAK;
519 goto not_routable;
520
521 case FR_RADIUS_CODE_DISCONNECT_REQUEST:
522 RWDEBUG2("Client %s does not support Protocol-Error - rewriting to Disconnect-NAK",
523 request->client->shortname);
524 request->reply->code = FR_RADIUS_CODE_DISCONNECT_NAK;
525
526 not_routable:
527 error_cause = FR_ERROR_CAUSE_VALUE_PROXY_REQUEST_NOT_ROUTABLE;
528
529 force_reply:
530 fr_pair_list_free(&request->reply_pairs);
531
532 MEM(vp = fr_pair_afrom_da(request->reply_ctx, attr_error_cause));
533 fr_pair_append(&request->reply_pairs, vp);
534 vp->vp_uint32 = error_cause;
535 break;
536
537 case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
538 default:
539 RWDEBUG2("Client %s does not support Protocol-Error - not replying to the client",
540 request->client->shortname);
541 track->do_not_respond = true;
542 return 1;
543 }
544 }
545
546 /*
547 * Dynamic client stuff
548 */
549 if (client->dynamic && !client->active) {
550 fr_client_t *new_client;
551
552 fr_assert(buffer_len >= sizeof(client));
553
554 /*
555 * We don't accept the new client, so don't do
556 * anything.
557 */
558 if (request->reply->code != FR_RADIUS_CODE_ACCESS_ACCEPT) {
559 *buffer = true;
560 return 1;
561 }
562
563 /*
564 * Allocate the client. If that fails, send back a NAK.
565 *
566 * @todo - deal with NUMA zones? Or just deal with this
567 * client being in different memory.
568 *
569 * Maybe we should create a CONF_SECTION from the client,
570 * and pass *that* back to mod_write(), which can then
571 * parse it to create the actual client....
572 */
573 new_client = client_afrom_request(NULL, request);
574 if (!new_client) {
575 PERROR("Failed creating new client");
576 *buffer = true;
577 return 1;
578 }
579
580 memcpy(buffer, &new_client, sizeof(new_client));
581 return sizeof(new_client);
582 }
583
584 /*
585 * Overwrite the src ip address on the outbound packet
586 * with the one specified by the client. This is useful
587 * to work around broken DSR implementations and other
588 * routing issues.
589 */
590 if (client->src_ipaddr.af != AF_UNSPEC) {
591 request->reply->socket.inet.src_ipaddr = client->src_ipaddr;
592 }
593
594 common_ctx = (fr_radius_ctx_t) {
595 .secret = client->secret,
596 .secret_length = talloc_array_length(client->secret) - 1,
597 };
598 encode_ctx = (fr_radius_encode_ctx_t) {
599 .common = &common_ctx,
600 .request_authenticator = request->packet->data + 4,
601 .rand_ctx = (fr_fast_rand_t) {
602 .a = fr_rand(),
603 .b = fr_rand(),
604 },
605 .request_code = request->packet->data[0],
606 .code = request->reply->code,
607 .id = request->reply->id,
608 };
609
610 data_len = fr_radius_encode(&FR_DBUFF_TMP(buffer, buffer_len), &request->reply_pairs, &encode_ctx);
611 if (data_len < 0) {
612 RPEDEBUG("Failed encoding RADIUS reply");
613 return -1;
614 }
615
616 if (fr_radius_sign(buffer, request->packet->data + 4,
617 (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1) < 0) {
618 RPEDEBUG("Failed signing RADIUS reply");
619 return -1;
620 }
621
622 fr_packet_net_from_pairs(request->reply, &request->reply_pairs);
623
624 if (RDEBUG_ENABLED) {
625 RDEBUG("Sending %s ID %i from %pV:%i to %pV:%i length %zu via socket %s",
626 fr_radius_packet_name[request->reply->code],
627 request->reply->id,
628 fr_box_ipaddr(request->reply->socket.inet.src_ipaddr),
629 request->reply->socket.inet.src_port,
630 fr_box_ipaddr(request->reply->socket.inet.dst_ipaddr),
631 request->reply->socket.inet.dst_port,
632 data_len,
633 request->async->listen->name);
634
635 log_request_pair_list(L_DBG_LVL_1, request, NULL, &request->reply_pairs, NULL);
636 }
637
638 return data_len;
639}
640
641static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
642{
643 proto_radius_t const *inst = talloc_get_type_abort_const(instance, proto_radius_t);
644
645 fr_assert(buffer[0] > 0);
646 fr_assert(buffer[0] < FR_RADIUS_CODE_MAX);
647
648 /*
649 * Disallowed packet
650 */
651 if (!inst->priorities[buffer[0]]) return 0;
652
653 if (!inst->allowed[buffer[0]]) return -1;
654
655 /*
656 * @todo - if we cared, we could also return -1 for "this
657 * is a bad packet". But that's really only for
658 * mod_inject, as we assume that app_io->read() always
659 * returns good packets.
660 */
661
662 /*
663 * Return the configured priority.
664 */
665 return inst->priorities[buffer[0]];
666}
667
668/** Open listen sockets/connect to external event source
669 *
670 * @param[in] instance Ctx data for this application.
671 * @param[in] sc to add our file descriptor to.
672 * @param[in] conf Listen section parsed to give us instance.
673 * @return
674 * - 0 on success.
675 * - -1 on failure.
676 */
677static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
678{
679 proto_radius_t *inst = talloc_get_type_abort(instance, proto_radius_t);
680
681 /*
682 * io.app_io should already be set
683 */
684 return fr_master_io_listen(&inst->io, sc,
685 inst->max_packet_size, inst->num_messages);
686}
687
688/** Instantiate the application
689 *
690 * Instantiate I/O and type submodules.
691 *
692 * @return
693 * - 0 on success.
694 * - -1 on failure.
695 */
696static int mod_instantiate(module_inst_ctx_t const *mctx)
697{
698 proto_radius_t *inst = talloc_get_type_abort(mctx->mi->data, proto_radius_t);
699
700 /*
701 * No IO module, it's an empty listener.
702 */
703 if (!inst->io.submodule) return 0;
704
705 /*
706 * These timers are usually protocol specific.
707 */
708 FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, >=, fr_time_delta_from_sec(1));
709 FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, <=, fr_time_delta_from_sec(600));
710
711 FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, >=, fr_time_delta_from_sec(1));
712 FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, <=, fr_time_delta_from_sec(600));
713
714 FR_TIME_DELTA_BOUND_CHECK("cleanup_delay", inst->io.cleanup_delay, <=, fr_time_delta_from_sec(30));
715 FR_TIME_DELTA_BOUND_CHECK("cleanup_delay", inst->io.cleanup_delay, >, fr_time_delta_from_sec(0));
716
717#if 0
718 /*
719 * No Access-Request packets, then no cleanup delay.
720 */
721 if (!inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) {
722 inst->io.cleanup_delay = 0;
723 }
724#endif
725
726 /*
727 * Ensure that the server CONF_SECTION is always set.
728 */
729 inst->io.server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
730
731 /*
732 * These configuration items are not printed by default,
733 * because normal people shouldn't be touching them.
734 */
735 if (!inst->max_packet_size && inst->io.app_io) inst->max_packet_size = inst->io.app_io->default_message_size;
736
737 if (!inst->num_messages) inst->num_messages = 256;
738
739 FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, >=, 32);
740 FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, <=, 65535);
741
742 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 1024);
743 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
744
745 /*
746 * Tell the master handler about the main protocol instance.
747 */
748 inst->io.app = &proto_radius;
749 inst->io.app_instance = inst;
750
751 /*
752 * We will need this for dynamic clients and connected sockets.
753 */
754 inst->io.mi = mctx->mi;
755
756 /*
757 * Instantiate the transport module before calling the
758 * common instantiation function.
759 */
760 if (module_instantiate(inst->io.submodule) < 0) return -1;
761
762 /*
763 * Instantiate the master io submodule
764 */
765 return fr_master_app_io.common.instantiate(MODULE_INST_CTX(inst->io.mi));
766}
767
768/** Get the authentication vector.
769 *
770 * Note that we don't allow people to get the reply vector, because
771 * it doesn't exist until the reply is sent.
772 *
773 */
774static xlat_action_t packet_vector_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
775 UNUSED xlat_ctx_t const *xctx, request_t *request,
776 UNUSED fr_value_box_list_t *in)
777{
778 fr_value_box_t *vb;
779
780 if (request->proto_dict != dict_radius) return XLAT_ACTION_FAIL;
781
782 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_OCTETS, NULL));
783 if (fr_value_box_memdup(vb, vb, NULL, request->packet->vector, sizeof(request->packet->vector), true) < 0) {
784 talloc_free(vb);
785 return XLAT_ACTION_FAIL;
786 }
787
788 fr_dcursor_append(out, vb);
789
790 return XLAT_ACTION_DONE;
791}
792
793
794static int mod_load(void)
795{
796 if (fr_radius_global_init() < 0) {
797 PERROR("Failed initialising protocol library");
798 return -1;
799 }
800
801
802 if (!xlat_func_register(NULL, "radius.packet.vector", packet_vector_xlat, FR_TYPE_OCTETS)) return -1;
803
804 return 0;
805}
806
807static void mod_unload(void)
808{
809 xlat_func_unregister("radius.packet.vector");
810
811 fr_radius_global_free();
812}
813
814fr_app_t proto_radius = {
815 .common = {
816 .magic = MODULE_MAGIC_INIT,
817 .name = "radius",
818 .config = proto_radius_config,
819 .inst_size = sizeof(proto_radius_t),
820 .onload = mod_load,
821 .unload = mod_unload,
822 .instantiate = mod_instantiate
823 },
824 .dict = &dict_radius,
825 .open = mod_open,
826 .decode = mod_decode,
827 .encode = mod_encode,
828 .priority = mod_priority_set
829};
buffer
static int const char char buffer[256]
Definition acutest.h:578
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition app_io.h:34
fr_app_io_t
Public structure describing an I/O path for a protocol.
Definition app_io.h:33
fr_app_t::common
module_t common
Common fields provided by all modules.
Definition application.h:72
fr_app_t
Describes a new application (protocol)
Definition application.h:71
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
unlikely
#define unlikely(_x)
Definition build.h:383
UNUSED
#define UNUSED
Definition build.h:317
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1622
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:614
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:337
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:271
FR_TIME_DELTA_BOUND_CHECK
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:531
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition cf_parse.h:450
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:426
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
cf_table_parse_ctx_t
Definition cf_parse.h:655
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_pair
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:70
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1581
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
channel_packet_priority_len
size_t channel_packet_priority_len
Definition channel.c:170
channel_packet_priority
fr_table_num_sorted_t const channel_packet_priority[]
Definition channel.c:164
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:516
fr_dcursor_append
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
fr_dcursor_s
Definition dcursor.h:93
MEM
#define MEM(x)
Definition debug.h:36
FR_RADIUS_CODE_ACCESS_REQUEST
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
FR_RADIUS_CODE_DISCONNECT_REQUEST
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
FR_RADIUS_CODE_DO_NOT_RESPOND
@ FR_RADIUS_CODE_DO_NOT_RESPOND
Special rcode to indicate we will not respond.
Definition defs.h:54
FR_RADIUS_CODE_MAX
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
FR_RADIUS_CODE_STATUS_SERVER
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
FR_RADIUS_CODE_COA_REQUEST
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
FR_RADIUS_CODE_ACCESS_ACCEPT
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
FR_RADIUS_CODE_COA_NAK
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
FR_RADIUS_CODE_DISCONNECT_NAK
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
FR_RADIUS_CODE_PROTOCOL_ERROR
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
FR_RADIUS_CODE_ACCOUNTING_REQUEST
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
FR_RADIUS_CODE_ACCESS_REJECT
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:289
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:302
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:252
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:308
fr_dict_enum_by_name
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3550
in
static fr_slen_t in
Definition dict.h:866
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:288
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:301
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:248
value
Test enumeration values.
Definition dict_test.h:92
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_ipaddr_t::af
int af
Address family.
Definition inet.h:64
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition base.h:336
fr_io_address_t::radclient
fr_client_t const * radclient
old-style client definition
Definition base.h:338
fr_io_address_t
Definition base.h:335
fr_client_s::ipaddr
fr_ipaddr_t ipaddr
IPv4/IPv6 address of the host.
Definition client.h:83
fr_client_s::received_message_authenticator
bool received_message_authenticator
Whether we've seen a message authenticator from this client in any previous packets.
Definition client.h:111
fr_client_s::require_message_authenticator
fr_radius_require_ma_t require_message_authenticator
Require RADIUS message authenticator for incoming packets.
Definition client.h:94
fr_client_s::secret
char const * secret
Secret PSK.
Definition client.h:90
fr_client_s::active
bool active
for dynamic clients
Definition client.h:120
fr_client_s::src_ipaddr
fr_ipaddr_t src_ipaddr
IPv4/IPv6 address to send responses from (family must match ipaddr).
Definition client.h:84
fr_client_s::require_message_authenticator_is_set
bool require_message_authenticator_is_set
Whether require_message_authenticator is set in the configuration.
Definition client.h:98
fr_client_s::seen_first_packet
bool seen_first_packet
Whether we've seen a packet from this client.
Definition client.h:114
fr_client_s::limit_proxy_state_is_set
bool limit_proxy_state_is_set
Whether limit_proxy_state is set in the configuration.
Definition client.h:109
fr_client_s::dynamic
bool dynamic
Whether the client was dynamically defined.
Definition client.h:119
fr_client_s::first_packet_no_proxy_state
bool first_packet_no_proxy_state
Whether that first packet contained a Proxy-State attribute.
Definition client.h:115
fr_client_s::shortname
char const * shortname
Client nickname.
Definition client.h:88
fr_client_s::protocol_error
bool protocol_error
Whether the client supports Protocol-Error.
Definition client.h:118
fr_client_s::limit_proxy_state
fr_radius_limit_proxy_state_t limit_proxy_state
Whether to allow Proxy-State in incoming packets that don't contain a message authenticator.
Definition client.h:105
fr_client_s
Describes a host allowed to send packets to the server.
Definition client.h:80
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition log.c:844
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:361
RWARN
#define RWARN(fmt,...)
Definition log.h:297
RWDEBUG2
#define RWDEBUG2(fmt,...)
Definition log.h:362
RERROR
#define RERROR(fmt,...)
Definition log.h:298
RINFO
#define RINFO(fmt,...)
Definition log.h:296
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:376
fr_packet_pairs_from_packet
int fr_packet_pairs_from_packet(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_packet_t const *packet)
Allocate a "Net." struct with src/dst host and port.
Definition packet.c:91
fr_packet_net_from_pairs
void fr_packet_net_from_pairs(fr_packet_t *packet, fr_pair_list_t const *list)
Convert pairs to information in a packet.
Definition packet.c:154
talloc_free
talloc_free(reap)
L_DBG_LVL_1
@ L_DBG_LVL_1
Highest priority debug messages (-x).
Definition log.h:70
fr_master_app_io
fr_app_io_t fr_master_app_io
Definition master.c:3280
fr_master_io_listen
int fr_master_io_listen(fr_io_instance_t *inst, fr_schedule_t *sc, size_t default_message_size, size_t num_messages)
Definition master.c:3070
fr_io_track_s::address
fr_io_address_t const * address
of this packet.. shared between multiple packets
Definition master.h:54
fr_io_track_s::do_not_respond
bool do_not_respond
don't respond
Definition master.h:50
fr_io_track_s
Definition master.h:40
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition merged_model.c:86
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
MODULE_INST_CTX
#define MODULE_INST_CTX(_mi)
Wrapper to create a module_inst_ctx_t as a compound literal.
Definition module_ctx.h:158
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
RADIUS_AUTH_VECTOR_LENGTH
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2948
fr_pair_value_strdup
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition pair.c:2648
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:708
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1353
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
fr_pair_afrom_da_nested
fr_pair_t * fr_pair_afrom_da_nested(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *da)
Create a pair (and all intermediate parents), and append it to the list.
Definition pair.c:481
encode_ctx
static fr_internal_encode_ctx_t encode_ctx
Definition proto_ldap_sync.c:34
mod_load
static int mod_load(void)
Definition proto_radius.c:794
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition proto_radius.c:117
mod_encode
static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
Definition proto_radius.c:440
packet_vector_xlat
static xlat_action_t packet_vector_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Get the authentication vector.
Definition proto_radius.c:774
attr_packet_authenticator
static fr_dict_attr_t const * attr_packet_authenticator
Definition proto_radius.c:125
attr_state
static fr_dict_attr_t const * attr_state
Definition proto_radius.c:119
proto_radius_dict
fr_dict_autoload_t proto_radius_dict[]
Definition proto_radius.c:112
limit_config
static conf_parser_t const limit_config[]
Definition proto_radius.c:37
attr_eap_message
static fr_dict_attr_t const * attr_eap_message
Definition proto_radius.c:122
type_parse
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
proto_radius
fr_app_t proto_radius
Definition proto_radius.c:814
mod_decode
static int mod_decode(void const *instance, request_t *request, uint8_t *const data, size_t data_len)
Decode the packet.
Definition proto_radius.c:197
dict_radius
static fr_dict_t const * dict_radius
Definition proto_radius.c:109
log_config
static conf_parser_t const log_config[]
Definition proto_radius.c:71
attr_error_cause
static fr_dict_attr_t const * attr_error_cause
Definition proto_radius.c:123
mod_unload
static void mod_unload(void)
Definition proto_radius.c:807
attr_proxy_state
static fr_dict_attr_t const * attr_proxy_state
Definition proto_radius.c:120
priority_config
static const conf_parser_t priority_config[]
Definition proto_radius.c:56
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition proto_radius.c:118
transport_parse
static int transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Definition proto_radius.c:177
attr_packet_id
static fr_dict_attr_t const * attr_packet_id
Definition proto_radius.c:124
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the application.
Definition proto_radius.c:696
mod_open
static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
Open listen sockets/connect to external event source.
Definition proto_radius.c:677
mod_priority_set
static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
Definition proto_radius.c:641
proto_radius_dict_attr
fr_dict_attr_autoload_t proto_radius_dict_attr[]
Definition proto_radius.c:128
attr_message_authenticator
static fr_dict_attr_t const * attr_message_authenticator
Definition proto_radius.c:121
proto_radius_config
static conf_parser_t const proto_radius_config[]
How to parse a RADIUS listen section.
Definition proto_radius.c:80
proto_radius.h
proto_radius_t
An instance of a proto_radius listen section.
Definition proto_radius.h:32
fr_radius_decode
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition base.c:1118
fr_radius_limit_proxy_state_table_len
size_t fr_radius_limit_proxy_state_table_len
Definition base.c:103
fr_radius_sign
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
Definition base.c:362
fr_radius_require_ma_table_len
size_t fr_radius_require_ma_table_len
Definition base.c:94
fr_radius_global_init
int fr_radius_global_init(void)
Definition base.c:1245
fr_radius_global_free
void fr_radius_global_free(void)
Definition base.c:1269
fr_radius_limit_proxy_state_table
fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[]
Definition base.c:96
fr_radius_require_ma_table
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:87
fr_radius_encode
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
Definition base.c:978
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:116
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient.h:53
RDEBUG_ENABLED
#define RDEBUG_ENABLED()
Definition radclient.h:49
fr_radius_require_ma_t
fr_radius_require_ma_t
Control whether Message-Authenticator is required in Access-Requests.
Definition radius.h:62
FR_RADIUS_REQUIRE_MA_YES
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
Definition radius.h:64
FR_RADIUS_REQUIRE_MA_AUTO
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
Definition radius.h:65
fr_radius_ctx_t::secret
char const * secret
Definition radius.h:95
fr_radius_decode_ctx_t::limit_proxy_state
bool limit_proxy_state
Don't allow Proxy-State in requests.
Definition radius.h:137
fr_radius_flag_encrypted
#define fr_radius_flag_encrypted(_da)
Definition radius.h:195
fr_radius_decode_ctx_t::require_message_authenticator
bool require_message_authenticator
Definition radius.h:136
fr_radius_decode_ctx_t::common
fr_radius_ctx_t const * common
Definition radius.h:125
fr_radius_limit_proxy_state_t
fr_radius_limit_proxy_state_t
Control whether Proxy-State is allowed in Access-Requests.
Definition radius.h:76
FR_RADIUS_LIMIT_PROXY_STATE_AUTO
@ FR_RADIUS_LIMIT_PROXY_STATE_AUTO
Do not allow Proxy-State unless:
Definition radius.h:82
FR_RADIUS_LIMIT_PROXY_STATE_YES
@ FR_RADIUS_LIMIT_PROXY_STATE_YES
Limit Proxy-State.
Definition radius.h:79
fr_radius_decode_ctx_t::tmp_ctx
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition radius.h:129
fr_radius_ctx_t
Definition radius.h:94
fr_radius_decode_ctx_t
Definition radius.h:124
fr_radius_encode_ctx_t
Definition radius.h:103
conf
static rs_t * conf
Definition radsniff.c:53
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
fr_fast_rand_t
Smaller fast random number generator.
Definition rand.h:54
REQUEST_VERIFY
#define REQUEST_VERIFY(_x)
Definition request.h:309
request_set_dynamic_client
#define request_set_dynamic_client(_x)
Definition request.h:189
fr_schedule_s
The scheduler.
Definition schedule.c:125
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
module_instance_s::data
void * data
Module's instance data.
Definition module.h:291
module_s::instantiate
module_instantiate_t instantiate
Callback to allow the module to register any per-instance resources like sockets and file handles.
Definition module.h:227
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
module_instance_s::exported
module_t * exported
Public module structure.
Definition module.h:296
module_instance_s
Module instance data.
Definition module.h:285
sc
static const uchar sc[16]
Definition smbdes.c:115
client_afrom_request
fr_client_t * client_afrom_request(TALLOC_CTX *ctx, request_t *request)
Create a new client, consuming all attributes in the control list of the request.
Definition client.c:923
module_instantiate
int module_instantiate(module_instance_t *instance)
Manually complete module setup by calling its instantiate function.
Definition module.c:1189
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3651
vp
fr_pair_t * vp
Definition state_machine.c:2293
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:244
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
xlat_action_t
xlat_action_t
Definition xlat.h:37
XLAT_ACTION_FAIL
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
XLAT_ACTION_DONE
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_pair_list_free
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
Definition pair_inline.c:112
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
parent
static fr_slen_t parent
Definition pair.h:841
fr_socket_addr_swap
static void fr_socket_addr_swap(fr_socket_t *dst, fr_socket_t const *src)
Swap src/dst information of a fr_socket_t.
Definition socket.h:121
fr_value_box_memdup
int fr_value_box_memdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, uint8_t const *src, size_t len, bool tainted)
Copy a buffer to a fr_value_box_t.
Definition value.c:4830
fr_value_box_alloc
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:643
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition value.h:316
fr_box_strvalue_buffer
#define fr_box_strvalue_buffer(_val)
Definition value.h:311
data
static fr_slen_t data
Definition value.h:1319
out
static size_t char ** out
Definition value.h:1023
virtual_server_listen_transport_parse
int virtual_server_listen_transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic conf_parser_t func for loading drivers.
Definition virtual_servers.c:206
xlat_ctx_s
An xlat calling ctx.
Definition xlat_ctx.h:49
xlat_func_register
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
xlat_func_unregister
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition xlat_func.c:516
Generated by   doxygen 1.9.8