26 #include <freeradius-devel/server/protocol.h>
27 #include <freeradius-devel/radius/tcp.h>
28 #include <freeradius-devel/util/trie.h>
29 #include <freeradius-devel/radius/radius.h>
30 #include <freeradius-devel/io/application.h>
31 #include <freeradius-devel/io/listen.h>
32 #include <freeradius-devel/io/schedule.h>
108 size_t packet_len, in_buffer;
119 if (packet_len <= *leftover) {
132 data_size = read(thread->
sockfd,
buffer + *leftover, buffer_len - *leftover);
135 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
165 DEBUG2(
"proto_radius_tcp - other side closed the socket.");
174 DEBUG(
"proto_radius_tcp got invalid packet code %d",
buffer[0]);
179 in_buffer = data_size + *leftover;
185 *leftover = in_buffer;
198 if (in_buffer < packet_len) {
199 *leftover = in_buffer;
207 *leftover = in_buffer - packet_len;
216 DEBUG2(
"proto_radius_tcp got a packet which isn't RADIUS");
231 DEBUG2(
"proto_radius_tcp - Received %s ID %d length %d %s",
233 (
int) packet_len, thread->
name);
277 data_size = write(thread->
sockfd,
buffer + written, buffer_len - written);
282 if (data_size <= 0)
return data_size;
307 return data_size + written;
325 *dynamic_clients =
inst->dynamic_clients;
346 PERROR(
"Failed opening TCP socket");
355 PERROR(
"Failed binding socket");
359 if (listen(
sockfd, 8) < 0) {
361 PERROR(
"Failed listening on socket");
396 void const *one,
void const *two)
407 if (
inst->dedup_authenticator) {
409 if (ret != 0)
return ret;
416 ret = (a[1] < b[1]) - (a[1] > b[1]);
417 if (ret != 0)
return ret;
422 return (a[0] < b[0]) - (a[0] > b[0]);
446 if (
inst->ipaddr.af == AF_UNSPEC) {
447 cf_log_err(
conf,
"No 'ipaddr' was specified in the 'tcp' section");
451 if (
inst->recv_buff_is_set) {
462 if (!
inst->port_name) {
467 s = getservbyname(
inst->port_name,
"tcp");
473 inst->port = ntohl(s->s_port);
484 num = talloc_array_length(
inst->allow);
486 if (
inst->dynamic_clients) {
487 cf_log_err(
conf,
"The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
493 for (i = 0; i < num; i++) {
499 if (
inst->allow[i].af !=
inst->ipaddr.af) {
500 cf_log_err(
conf,
"Address family in entry %zd - 'allow = %pV' does not match 'ipaddr'",
509 &
inst->allow[i].addr,
inst->allow[i].prefix);
528 &
inst->allow[i].addr,
inst->allow[i].prefix);
529 if (network && (network->
prefix <=
inst->allow[i].prefix)) {
532 cf_log_err(
conf,
"Entry is completely enclosed inside of a previously defined network");
542 &
inst->allow[i].addr,
inst->allow[i].prefix,
543 &
inst->allow[i]) < 0) {
553 num = talloc_array_length(
inst->deny);
560 for (i = 0; i < num; i++) {
566 if (
inst->deny[i].af !=
inst->ipaddr.af) {
567 cf_log_err(
conf,
"Address family in entry %zd - 'deny = %pV' does not match 'ipaddr'",
576 &
inst->deny[i].addr,
inst->deny[i].prefix);
586 &
inst->deny[i].addr,
inst->deny[i].prefix);
588 cf_log_err(
conf,
"The network in entry %zd - 'deny = %pV' is not contained "
598 if (network->
af !=
inst->ipaddr.af) {
599 cf_log_err(
conf,
"The network in entry %zd - 'deny = %pV' overlaps with "
610 &
inst->deny[i].addr,
inst->deny[i].prefix,
611 &
inst->deny[i]) < 0) {
620 inst->deny[i].af = AF_UNSPEC;
636 if (!
inst->clients) {
656 if (client)
return client;
665 .name =
"radius_tcp",
671 .default_message_size = 4096,
static int const char char buffer[256]
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
module_t common
Common fields to all loadable modules.
Public structure describing an I/O path for a protocol.
#define CONF_PARSER_TERMINATOR
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
Common header for all CONF_* types.
A section grouping multiple CONF_PAIR.
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
#define cf_log_err(_cf, _fmt,...)
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
uint8_t prefix
Prefix length - Between 0-32 for IPv4 and 0-128 for IPv6.
fr_socket_t socket
src/dst ip and port.
void const * app_io_instance
I/O path configuration context.
void * thread_instance
thread / socket context
int fd
file descriptor for this socket - set by open
Describes a host allowed to send packets to the server.
#define PDEBUG2(_fmt,...)
uint8_t * packet
really a tracking structure, not a packet
size_t reply_len
length of reply, or 1 for "do not reply"
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
int fr_nonblock(UNUSED int fd)
module_instance_t * mi
Instance of the module being instantiated.
Temporary structure to hold arguments for instantiation calls.
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
#define RADIUS_HEADER_LENGTH
#define RADIUS_AUTH_VECTOR_LENGTH
fr_app_io_t proto_radius_tcp
fr_client_list_t * clients
local clients
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
char const * interface
Interface to bind to.
fr_io_address_t * connection
for connected sockets.
fr_ipaddr_t * allow
allowed networks for dynamic clients
uint16_t port
Port to listen on.
fr_trie_t * trie
for parsed networks
static int mod_open(fr_listen_t *li)
Open a TCP listener for RADIUS.
bool dynamic_clients
whether we have dynamic clients
static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
uint32_t max_packet_size
for message ring buffer.
fr_ipaddr_t * deny
denied networks for dynamic clients
static char const * mod_name(fr_listen_t *li)
static const conf_parser_t networks_config[]
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
char const * port_name
Name of the port for getservent().
static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
fr_ipaddr_t ipaddr
IP address to listen on.
char const * name
socket name
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
uint32_t max_attributes
Limit maximum decodable attributes.
bool dedup_authenticator
dedup using the request authenticator
fr_stats_t stats
statistics for this socket
uint32_t recv_buff
How big the kernel's receive buffer should be.
bool recv_buff_is_set
Whether we were provided with a recv_buff.
CONF_SECTION * cs
our configuration
static int mod_instantiate(module_inst_ctx_t const *mctx)
static const conf_parser_t tcp_listen_config[]
static int mod_track_compare(void const *instance, UNUSED void *thread_instance, UNUSED fr_client_t *client, void const *one, void const *two)
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
#define RADIUS_MAX_ATTRIBUTES
CONF_SECTION * conf
Module's instance configuration.
void * data
Module's instance data.
module_instance_t const * parent
Parent module's instance (if any).
fr_uint_t total_responses
fr_uint_t total_unknown_types
fr_uint_t total_malformed_requests
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
eap_aka_sim_process_conf_t * inst
#define fr_time()
Allow us to arbitrarily manipulate time.
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
#define talloc_get_type_abort_const
fr_trie_t * fr_trie_alloc(TALLOC_CTX *ctx, fr_trie_key_t get_key, fr_free_t free_data)
Allocate a trie.
void * fr_trie_match_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Match a key and length in a trie and return user ctx, if any.
int fr_trie_insert_by_key(fr_trie_t *ft, void const *key, size_t keylen, void const *data)
Insert a key and user ctx into a trie.
void * fr_trie_lookup_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Lookup a key in a trie and return user ctx, if any.
#define fr_box_ipaddr(_val)