Functions to send/receive radius packets. More...

#include <fcntl.h>
#include <ctype.h>
#include "attrs.h"
#include <freeradius-devel/io/pair.h>
#include <freeradius-devel/util/md5.h>
#include <freeradius-devel/util/net.h>
#include <freeradius-devel/util/proto.h>
#include <freeradius-devel/util/udp.h>
#include <freeradius-devel/protocol/radius/freeradius.internal.h>

Include dependency graph for base.c:

Go to the source code of this file.

Macros
#define	FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf_push

Functions
static bool	attr_valid (UNUSED fr_dict_t dict, fr_dict_attr_t const parent, UNUSED char const name, UNUSED int attr, fr_type_t type, fr_dict_attr_flags_t flags)

int	fr_radius_allow_reply (int code, bool allowed[static FR_RADIUS_CODE_MAX])

ssize_t	fr_radius_ascend_secret (fr_dbuff_t dbuff, uint8_t const in, size_t inlen, char const secret, uint8_t const vector)
	Do Ascend-Send / Recv-Secret calculation. More...

ssize_t	fr_radius_decode (TALLOC_CTX ctx, fr_pair_list_t out, uint8_t packet, size_t packet_len, fr_radius_decode_ctx_t decode_ctx)

ssize_t	fr_radius_decode_simple (TALLOC_CTX ctx, fr_pair_list_t out, uint8_t packet, size_t packet_len, uint8_t const vector, char const *secret)
	Simple wrapper for callers who just need a shared secret. More...

ssize_t	fr_radius_encode (uint8_t packet, size_t packet_len, uint8_t const original, char const secret, size_t secret_len, int code, int id, fr_pair_list_t vps)
	Encode VPS into a raw RADIUS packet. More...

ssize_t	fr_radius_encode_dbuff (fr_dbuff_t dbuff, uint8_t const original, char const secret, size_t secret_len, int code, int id, fr_pair_list_t vps)

void	fr_radius_global_free (void)

int	fr_radius_global_init (void)

void *	fr_radius_next_encodable (fr_dlist_head_t list, void current, void *uctx)

bool	fr_radius_ok (uint8_t const packet, size_t packet_len_p, uint32_t max_attributes, bool require_ma, decode_fail_t *reason)
	See if the data pointed to by PTR is a valid RADIUS packet. More...

ssize_t	fr_radius_recv_header (int sockfd, fr_ipaddr_t src_ipaddr, uint16_t src_port, unsigned int *code)
	Basic validation of RADIUS packet header. More...

int	fr_radius_sign (uint8_t packet, uint8_t const vector, uint8_t const *secret, size_t secret_len)
	Sign a previously encoded packet. More...

int	fr_radius_verify (uint8_t packet, uint8_t const vector, uint8_t const *secret, size_t secret_len, bool require_ma)
	Verify a request / response packet. More...

Variables
static const fr_radius_packet_code_t	allowed_replies [FR_RADIUS_CODE_MAX]
	If we get a reply, the request must come from one of a small number of packet types. More...

fr_dict_attr_t const *	attr_chap_challenge

fr_dict_attr_t const *	attr_chargeable_user_identity

fr_dict_attr_t const *	attr_eap_message

fr_dict_attr_t const *	attr_message_authenticator

fr_dict_attr_t const *	attr_nas_filter_rule

fr_dict_attr_t const *	attr_packet_authentication_vector

fr_dict_attr_t const *	attr_packet_type

fr_dict_attr_t const *	attr_raw_attribute

fr_dict_attr_t const *	attr_state

fr_dict_attr_t const *	attr_vendor_specific

fr_dict_t const *	dict_freeradius

fr_dict_t const *	dict_radius

static const bool	disallow_tunnel_passwords [FR_RADIUS_CODE_MAX]

char const *	fr_radius_packet_name [FR_RADIUS_CODE_MAX]

fr_table_num_sorted_t const	fr_radius_request_name_table []

size_t	fr_radius_request_name_table_len = NUM_ELEMENTS(fr_radius_request_name_table)

static uint32_t	instance_count = 0

fr_dict_autoload_t	libfreeradius_radius_dict []

fr_dict_attr_autoload_t	libfreeradius_radius_dict_attr []

fr_dict_protocol_t	libfreeradius_radius_dict_protocol

static fr_table_num_ordered_t const	subtype_table []

Detailed Description

Functions to send/receive radius packets.

Id: ce7c2d49009a03f36cd1df322b8522a13eb4e5ff

Copyright: 2000-2003,2006 The FreeRADIUS server project

Definition in file base.c.

Macro Definition Documentation

◆ FR_DEBUG_STRERROR_PRINTF

#define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf_push

Definition at line 81 of file base.c.

Function Documentation

◆ attr_valid()

static bool attr_valid	(	UNUSED fr_dict_t *	dict,
		fr_dict_attr_t const *	parent,
		UNUSED char const *	name,
		UNUSED int	attr,
		fr_type_t	type,
		fr_dict_attr_flags_t *	flags
	)

static

Definition at line 1171 of file base.c.

Here is the call graph for this function:

◆ fr_radius_allow_reply()

int fr_radius_allow_reply	(	int	code,
		bool	allowed[static FR_RADIUS_CODE_MAX]
	)

Definition at line 170 of file base.c.

Here is the caller graph for this function:

◆ fr_radius_ascend_secret()

ssize_t fr_radius_ascend_secret	(	fr_dbuff_t *	dbuff,
		uint8_t const *	in,
		size_t	inlen,
		char const *	secret,
		uint8_t const *	vector
	)

Do Ascend-Send / Recv-Secret calculation.

The secret is hidden by xoring with a MD5 digest created from the RADIUS shared secret and the authentication vector. We put them into MD5 in the reverse order from that used when encrypting passwords to RADIUS.

Definition at line 190 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_decode()

ssize_t fr_radius_decode	(	TALLOC_CTX *	ctx,
		fr_pair_list_t *	out,
		uint8_t *	packet,
		size_t	packet_len,
		fr_radius_decode_ctx_t *	decode_ctx
	)

Definition at line 997 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_decode_simple()

ssize_t fr_radius_decode_simple	(	TALLOC_CTX *	ctx,
		fr_pair_list_t *	out,
		uint8_t *	packet,
		size_t	packet_len,
		uint8_t const *	vector,
		char const *	secret
	)

Simple wrapper for callers who just need a shared secret.

Definition at line 1097 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_encode()

ssize_t fr_radius_encode	(	uint8_t *	packet,
		size_t	packet_len,
		uint8_t const *	original,
		char const *	secret,
		size_t	secret_len,
		int	code,
		int	id,
		fr_pair_list_t *	vps
	)

Encode VPS into a raw RADIUS packet.

Definition at line 860 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_encode_dbuff()

ssize_t fr_radius_encode_dbuff	(	fr_dbuff_t *	dbuff,
		uint8_t const *	original,
		char const *	secret,
		size_t	secret_len,
		int	code,
		int	id,
		fr_pair_list_t *	vps
	)

Definition at line 887 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_global_free()

void fr_radius_global_free ( void )

Definition at line 1142 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_global_init()

int fr_radius_global_init ( void )

Definition at line 1119 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_next_encodable()

void * fr_radius_next_encodable	(	fr_dlist_head_t *	list,
		void *	current,
		void *	uctx
	)

Definition at line 840 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_ok()

bool fr_radius_ok	(	uint8_t const *	packet,
		size_t *	packet_len_p,
		uint32_t	max_attributes,
		bool	require_ma,
		decode_fail_t *	reason
	)

See if the data pointed to by PTR is a valid RADIUS packet.

Parameters

[in]	packet	to check.
[in,out]	packet_len_p	The size of the packet data.
[in]	max_attributes	to allow in the packet.
[in]	require_ma	whether we require Message-Authenticator.
[in]	reason	if not NULL, will have the failure reason written to where it points.

Returns

True on success.
False on failure.

Definition at line 457 of file base.c.

Here is the call graph for this function:

◆ fr_radius_recv_header()

ssize_t fr_radius_recv_header	(	int	sockfd,
		fr_ipaddr_t *	src_ipaddr,
		uint16_t *	src_port,
		unsigned int *	code
	)

Basic validation of RADIUS packet header.

Note: fr_strerror errors are only available if fr_debug_lvl > 0. This is to reduce CPU time consumed when discarding malformed packet.

Parameters

[in]	sockfd	we're reading from.
[out]	src_ipaddr	of the packet.
[out]	src_port	of the packet.
[out]	code	Pointer to where to write the packet code.

Returns

-1 on failure.
1 on decode error.
>= RADIUS_HEADER_LENGTH on success. This is the packet length as specified in the header.

Definition at line 228 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_sign()

int fr_radius_sign	(	uint8_t *	packet,
		uint8_t const *	vector,
		uint8_t const *	secret,
		size_t	secret_len
	)

Sign a previously encoded packet.

Calculates the request/response authenticator for packets which need it, and fills in the message-authenticator value if the attribute is present in the encoded packet.

Parameters

[in,out]	packet	(request or response).
[in]	vector	original packet vector to use
[in]	secret	to sign the packet with.
[in]	secret_len	The length of the secret.

Returns

<0 on error
0 on success

Definition at line 301 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_radius_verify()

int fr_radius_verify	(	uint8_t *	packet,
		uint8_t const *	vector,
		uint8_t const *	secret,
		size_t	secret_len,
		bool	require_ma
	)

Verify a request / response packet.

This function does its work by calling fr_radius_sign(), and then comparing the signature in the packet with the one we calculated. If they differ, there's a problem.

Parameters

[in]	packet	the raw RADIUS packet (request or response)
[in]	vector	the original packet vector
[in]	secret	the shared secret
[in]	secret_len	the length of the secret
[in]	require_ma	whether we require Message-Authenticator.

Returns

-2 if the message authenticator or request authenticator was invalid.
-1 if we were unable to verify the shared secret, or the packet was in some other way malformed.
0 on success.

Definition at line 719 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

◆ allowed_replies

const fr_radius_packet_code_t allowed_replies[FR_RADIUS_CODE_MAX]

static

Initial value:

= {
        [FR_RADIUS_CODE_ACCESS_ACCEPT]          = FR_RADIUS_CODE_ACCESS_REQUEST,
        [FR_RADIUS_CODE_ACCESS_CHALLENGE]       = FR_RADIUS_CODE_ACCESS_REQUEST,
        [FR_RADIUS_CODE_ACCESS_REJECT]          = FR_RADIUS_CODE_ACCESS_REQUEST,
 
        [FR_RADIUS_CODE_ACCOUNTING_RESPONSE]    = FR_RADIUS_CODE_ACCOUNTING_REQUEST,
 
        [FR_RADIUS_CODE_COA_ACK]                = FR_RADIUS_CODE_COA_REQUEST,
        [FR_RADIUS_CODE_COA_NAK]                = FR_RADIUS_CODE_COA_REQUEST,
 
        [FR_RADIUS_CODE_DISCONNECT_ACK]         = FR_RADIUS_CODE_DISCONNECT_REQUEST,
        [FR_RADIUS_CODE_DISCONNECT_NAK]         = FR_RADIUS_CODE_DISCONNECT_REQUEST,
 
        [FR_RADIUS_CODE_PROTOCOL_ERROR]         = FR_RADIUS_CODE_PROTOCOL_ERROR,        
}

If we get a reply, the request must come from one of a small number of packet types.

Definition at line 154 of file base.c.

◆ attr_chap_challenge

fr_dict_attr_t const* attr_chap_challenge

Definition at line 55 of file base.c.

◆ attr_chargeable_user_identity

fr_dict_attr_t const* attr_chargeable_user_identity

Definition at line 56 of file base.c.

◆ attr_eap_message

fr_dict_attr_t const* attr_eap_message

Definition at line 57 of file base.c.

◆ attr_message_authenticator

fr_dict_attr_t const* attr_message_authenticator

Definition at line 58 of file base.c.

◆ attr_nas_filter_rule

fr_dict_attr_t const* attr_nas_filter_rule

Definition at line 61 of file base.c.

◆ attr_packet_authentication_vector

fr_dict_attr_t const* attr_packet_authentication_vector

Definition at line 53 of file base.c.

◆ attr_packet_type

fr_dict_attr_t const* attr_packet_type

Definition at line 52 of file base.c.

◆ attr_raw_attribute

fr_dict_attr_t const* attr_raw_attribute

Definition at line 54 of file base.c.

◆ attr_state

fr_dict_attr_t const* attr_state

Definition at line 59 of file base.c.

◆ attr_vendor_specific

fr_dict_attr_t const* attr_vendor_specific

Definition at line 60 of file base.c.

◆ dict_freeradius

fr_dict_t const* dict_freeradius

Definition at line 42 of file base.c.

◆ dict_radius

fr_dict_t const* dict_radius

Definition at line 43 of file base.c.

◆ disallow_tunnel_passwords

const bool disallow_tunnel_passwords[FR_RADIUS_CODE_MAX]

static

Initial value:

= {
        [ FR_RADIUS_CODE_ACCESS_REQUEST ] = true,
        
        [ FR_RADIUS_CODE_ACCESS_REJECT ] = true,
        [ FR_RADIUS_CODE_ACCESS_CHALLENGE ] = true,
 
        [ FR_RADIUS_CODE_ACCOUNTING_REQUEST ] = true,
        [ FR_RADIUS_CODE_ACCOUNTING_RESPONSE ] = true,
 
        [ FR_RADIUS_CODE_STATUS_SERVER ] = true,
 
        [ FR_RADIUS_CODE_COA_ACK ] = true,
        [ FR_RADIUS_CODE_COA_NAK ] = true,
 
        [ FR_RADIUS_CODE_DISCONNECT_REQUEST ] = true,
        [ FR_RADIUS_CODE_DISCONNECT_ACK ] = true,
        [ FR_RADIUS_CODE_DISCONNECT_NAK ] = true,
 
        [ FR_RADIUS_CODE_PROTOCOL_ERROR ] = true,
}

Definition at line 866 of file base.c.

◆ fr_radius_packet_name

char const* fr_radius_packet_name[FR_RADIUS_CODE_MAX]

Definition at line 94 of file base.c.

◆ fr_radius_request_name_table

fr_table_num_sorted_t const fr_radius_request_name_table[]

Initial value:

= {
        { L("acct"),    FR_RADIUS_CODE_ACCOUNTING_REQUEST       },
        { L("auth"),    FR_RADIUS_CODE_ACCESS_REQUEST           },
        { L("auto"),    FR_RADIUS_CODE_UNDEFINED                },
        { L("challenge"),       FR_RADIUS_CODE_ACCESS_CHALLENGE },
        { L("coa"),     FR_RADIUS_CODE_COA_REQUEST              },
        { L("disconnect"),      FR_RADIUS_CODE_DISCONNECT_REQUEST       },
        { L("status"),  FR_RADIUS_CODE_STATUS_SERVER            }
}

Definition at line 83 of file base.c.

◆ fr_radius_request_name_table_len

size_t fr_radius_request_name_table_len = NUM_ELEMENTS(fr_radius_request_name_table)

Definition at line 92 of file base.c.

◆ instance_count

uint32_t instance_count = 0

static

Definition at line 40 of file base.c.

◆ libfreeradius_radius_dict

fr_dict_autoload_t libfreeradius_radius_dict

Initial value:

= {
        { .out = &dict_freeradius, .proto = "freeradius" },
        { .out = &dict_radius, .proto = "radius" },
        { NULL }
}

Definition at line 46 of file base.c.

◆ libfreeradius_radius_dict_attr

fr_dict_attr_autoload_t libfreeradius_radius_dict_attr

Initial value:

= {
        { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
        { .out = &attr_packet_authentication_vector, .name = "Packet-Authentication-Vector", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_chargeable_user_identity, .name = "Chargeable-User-Identity", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
 
        { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
        { .out = &attr_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_VSA, .dict = &dict_radius },
        { .out = &attr_nas_filter_rule, .name = "NAS-Filter-Rule", .type = FR_TYPE_STRING, .dict = &dict_radius },
        { NULL }
}

Definition at line 64 of file base.c.

◆ libfreeradius_radius_dict_protocol

fr_dict_protocol_t libfreeradius_radius_dict_protocol

Initial value:

= {
        .name = "radius",
        .default_type_size = 1,
        .default_type_length = 1,
        .subtype_table = subtype_table,
        .subtype_table_len = NUM_ELEMENTS(subtype_table),
        .attr_valid = attr_valid,
 
        .init = fr_radius_global_init,
        .free = fr_radius_global_free,
 
        .decode = fr_radius_decode_foreign,
        .encode = fr_radius_encode_foreign,
}

Definition at line 1323 of file base.c.

◆ subtype_table

fr_table_num_ordered_t const subtype_table[]

static

Initial value:

= {
        { L("long-extended"),           FLAG_LONG_EXTENDED_ATTR },
        { L("extended"),                FLAG_EXTENDED_ATTR },
        { L("concat"),                  FLAG_CONCAT },
        { L("has_tag"),                 FLAG_HAS_TAG },
        { L("abinary"),                 FLAG_ABINARY },
        { L("has_tag,encrypt=2"),       FLAG_TAGGED_TUNNEL_PASSWORD },
 
        { L("encrypt=1"),               FLAG_ENCRYPT_USER_PASSWORD },
        { L("encrypt=2"),               FLAG_ENCRYPT_TUNNEL_PASSWORD },
        { L("encrypt=3"),               FLAG_ENCRYPT_ASCEND_SECRET },
 
        
        { L("encrypt=User-Password"),   FLAG_ENCRYPT_USER_PASSWORD },
        { L("encrypt=Tunnel-Password"), FLAG_ENCRYPT_TUNNEL_PASSWORD },
        { L("encrypt=Ascend-Secret"),   FLAG_ENCRYPT_ASCEND_SECRET },
}

Definition at line 1151 of file base.c.

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ FR_DEBUG_STRERROR_PRINTF

Function Documentation

◆ attr_valid()

◆ fr_radius_allow_reply()

◆ fr_radius_ascend_secret()

◆ fr_radius_decode()

◆ fr_radius_decode_simple()

◆ fr_radius_encode()

◆ fr_radius_encode_dbuff()

◆ fr_radius_global_free()

◆ fr_radius_global_init()

◆ fr_radius_next_encodable()

◆ fr_radius_ok()

◆ fr_radius_recv_header()

◆ fr_radius_sign()

◆ fr_radius_verify()

Variable Documentation

◆ allowed_replies

◆ attr_chap_challenge

◆ attr_chargeable_user_identity

◆ attr_eap_message

◆ attr_message_authenticator

◆ attr_nas_filter_rule

◆ attr_packet_authentication_vector

◆ attr_packet_type

◆ attr_raw_attribute

◆ attr_state

◆ attr_vendor_specific

◆ dict_freeradius

◆ dict_radius

◆ disallow_tunnel_passwords

◆ fr_radius_packet_name

◆ fr_radius_request_name_table

◆ fr_radius_request_name_table_len

◆ instance_count

◆ libfreeradius_radius_dict

◆ libfreeradius_radius_dict_attr

◆ libfreeradius_radius_dict_protocol

◆ subtype_table