The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: efc8bd2b8c1c0843102350b3e2a7542f42432aaf $
19 *
20 * @file protocols/radius/base.c
21 * @brief Functions to send/receive radius packets.
22 *
23 * @copyright 2000-2003,2006 The FreeRADIUS server project
24 */
25RCSID("$Id: efc8bd2b8c1c0843102350b3e2a7542f42432aaf $")
26
27#include <fcntl.h>
28#include <ctype.h>
29
30#include "attrs.h"
31#include "radius.h"
32
33#include <freeradius-devel/io/pair.h>
34#include <freeradius-devel/util/md5.h>
35#include <freeradius-devel/util/net.h>
36#include <freeradius-devel/util/proto.h>
37#include <freeradius-devel/util/table.h>
38#include <freeradius-devel/util/udp.h>
39#include <freeradius-devel/protocol/radius/freeradius.internal.h>
40
42static bool instantiated = false;
43
46
49 { .out = &dict_freeradius, .proto = "freeradius" },
50 { .out = &dict_radius, .proto = "radius" },
51 { NULL }
52};
53
63
66 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
67 { .out = &attr_packet_authentication_vector, .name = "Packet-Authentication-Vector", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
68 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
69 { .out = &attr_chargeable_user_identity, .name = "Chargeable-User-Identity", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
70
71 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
72 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
73 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
74 { .out = &attr_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_VSA, .dict = &dict_radius },
75 { .out = &attr_nas_filter_rule, .name = "NAS-Filter-Rule", .type = FR_TYPE_STRING, .dict = &dict_radius },
76 { NULL }
77};
78
79/*
80 * Some messages get printed out only in debugging mode.
81 */
82#define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf
83#define FR_DEBUG_STRERROR_PRINTF_PUSH if (fr_debug_lvl) fr_strerror_printf_push
84
93
102
113
115 "", //!< 0
116 "Access-Request",
117 "Access-Accept",
118 "Access-Reject",
119 "Accounting-Request",
120 "Accounting-Response",
121 "Accounting-Status",
122 "Password-Request",
123 "Password-Accept",
124 "Password-Reject",
125 "Accounting-Message", //!< 10
126 "Access-Challenge",
127 "Status-Server",
128 "Status-Client",
129 "14",
130 "15",
131 "16",
132 "17",
133 "18",
134 "19",
135 "20", //!< 20
136 "Resource-Free-Request",
137 "Resource-Free-Response",
138 "Resource-Query-Request",
139 "Resource-Query-Response",
140 "Alternate-Resource-Reclaim-Request",
141 "NAS-Reboot-Request",
142 "NAS-Reboot-Response",
143 "28",
144 "Next-Passcode",
145 "New-Pin", //!< 30
146 "Terminate-Session",
147 "Password-Expired",
148 "Event-Request",
149 "Event-Response",
150 "35",
151 "36",
152 "37",
153 "38",
154 "39",
155 "Disconnect-Request", //!< 40
156 "Disconnect-ACK",
157 "Disconnect-NAK",
158 "CoA-Request",
159 "CoA-ACK",
160 "CoA-NAK",
161 "46",
162 "47",
163 "48",
164 "49",
165 "IP-Address-Allocate", //!< 50
166 "IP-Address-Release",
167 "Protocol-Error",
168};
169
170
171/** If we get a reply, the request must come from one of a small
172 * number of packet types.
173 */
189
192
193static int dict_flag_encrypt(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules)
194{
195 static fr_table_num_sorted_t const encrypted[] = {
196 { L("Ascend-Secret"), RADIUS_FLAG_ENCRYPT_ASCEND_SECRET },
197 { L("Tunnel-Password"), RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD },
198 { L("User-Password"), RADIUS_FLAG_ENCRYPT_USER_PASSWORD}
199 };
200 static size_t encrypted_len = NUM_ELEMENTS(encrypted);
201
204
206 if (encrypt == RADIUS_FLAG_ENCRYPT_INVALID) {
207 fr_strerror_printf("Unknown encryption type '%s'", value);
208 return -1;
209 }
210
211 flags->encrypt = encrypt;
212
213 return 0;
214}
215
219
221 { L("abinary"), { .func = dict_flag_abinary } },
222 { L("concat"), { .func = dict_flag_concat } },
223 { L("encrypt"), { .func = dict_flag_encrypt, .needs_value = true } },
224 { L("extended"), { .func = dict_flag_extended } },
225 { L("has_tag"), { .func = dict_flag_has_tag } },
226 { L("long_extended"), { .func = dict_flag_long_extended } }
227};
228
229int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
230{
231 int i;
232
233 if ((code <= 0) || (code >= FR_RADIUS_CODE_MAX)) return -1;
234
235 for (i = 1; i < FR_RADIUS_CODE_MAX; i++) {
236 allowed[i] |= (allowed_replies[i] == (fr_radius_packet_code_t) code);
237 }
238
239 return 0;
240}
241
242/** Do Ascend-Send / Recv-Secret calculation.
243 *
244 * The secret is hidden by xoring with a MD5 digest created from
245 * the RADIUS shared secret and the authentication vector.
246 * We put them into MD5 in the reverse order from that used when
247 * encrypting passwords to RADIUS.
248 */
250 char const *secret, uint8_t const *vector)
251{
252 fr_md5_ctx_t *md5_ctx;
253 size_t i;
255 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
256
257 FR_DBUFF_EXTEND_LOWAT_OR_RETURN(&work_dbuff, sizeof(digest));
258
259 md5_ctx = fr_md5_ctx_alloc_from_list();
261 fr_md5_update(md5_ctx, (uint8_t const *) secret, talloc_array_length(secret) - 1);
262 fr_md5_final(digest, md5_ctx);
264
265 if (inlen > sizeof(digest)) inlen = sizeof(digest);
266 for (i = 0; i < inlen; i++) digest[i] ^= in[i];
267
268 fr_dbuff_in_memcpy(&work_dbuff, digest, sizeof(digest));
269
270 return fr_dbuff_set(dbuff, &work_dbuff);
271}
272
273/** Basic validation of RADIUS packet header
274 *
275 * @note fr_strerror errors are only available if fr_debug_lvl > 0. This is to reduce CPU time
276 * consumed when discarding malformed packet.
277 *
278 * @param[in] sockfd we're reading from.
279 * @param[out] src_ipaddr of the packet.
280 * @param[out] src_port of the packet.
281 * @param[out] code Pointer to where to write the packet code.
282 * @return
283 * - -1 on failure.
284 * - 1 on decode error.
285 * - >= RADIUS_HEADER_LENGTH on success. This is the packet length as specified in the header.
286 */
287ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
288{
289 ssize_t data_len, packet_len;
290 uint8_t header[4];
291
292 data_len = udp_recv_peek(sockfd, header, sizeof(header), UDP_FLAGS_PEEK, src_ipaddr, src_port);
293 if (data_len < 0) {
294 if ((errno == EAGAIN) || (errno == EINTR)) return 0;
295 return -1;
296 }
297
298 /*
299 * Too little data is available, discard the packet.
300 */
301 if (data_len < 4) {
302 char buffer[INET6_ADDRSTRLEN];
303
304 FR_DEBUG_STRERROR_PRINTF("Expected at least 4 bytes of header data, got %zd bytes", data_len);
305invalid:
306 FR_DEBUG_STRERROR_PRINTF_PUSH("Invalid data from %s",
307 inet_ntop(src_ipaddr->af, &src_ipaddr->addr, buffer, sizeof(buffer)));
308 (void) udp_recv_discard(sockfd);
309
310 return 0;
311 }
312
313 /*
314 * See how long the packet says it is.
315 */
316 packet_len = (header[2] * 256) + header[3];
317
318 /*
319 * The length in the packet says it's less than
320 * a RADIUS header length: discard it.
321 */
322 if (packet_len < RADIUS_HEADER_LENGTH) {
323 FR_DEBUG_STRERROR_PRINTF("Expected at least " STRINGIFY(RADIUS_HEADER_LENGTH) " bytes of packet "
324 "data, got %zd bytes", packet_len);
325 goto invalid;
326 }
327
328 /*
329 * Enforce RFC requirements, for sanity.
330 * Anything after 4k will be discarded.
331 */
332 if (packet_len > MAX_PACKET_LEN) {
333 FR_DEBUG_STRERROR_PRINTF("Length field value too large, expected maximum of "
334 STRINGIFY(MAX_PACKET_LEN) " bytes, got %zd bytes", packet_len);
335 goto invalid;
336 }
337
338 *code = header[0];
339
340 /*
341 * The packet says it's this long, but the actual UDP
342 * size could still be smaller.
343 */
344 return packet_len;
345}
346
347/** Sign a previously encoded packet
348 *
349 * Calculates the request/response authenticator for packets which need it, and fills
350 * in the message-authenticator value if the attribute is present in the encoded packet.
351 *
352 * @param[in,out] packet (request or response).
353 * @param[in] vector original packet vector to use
354 * @param[in] secret to sign the packet with.
355 * @param[in] secret_len The length of the secret.
356 * @return
357 * - <0 on error
358 * - 0 on success
359 */
360int fr_radius_sign(uint8_t *packet, uint8_t const *vector,
361 uint8_t const *secret, size_t secret_len)
362{
363 uint8_t *msg, *end;
364 size_t packet_len = fr_nbo_to_uint16(packet + 2);
365
366 /*
367 * No real limit on secret length, this is just
368 * to catch uninitialised fields.
369 */
370 if (!fr_cond_assert(secret_len <= UINT16_MAX)) {
371 fr_strerror_printf("Secret is too long. Expected <= %u, got %zu",
372 (unsigned int) UINT16_MAX, secret_len);
373 return -1;
374 }
375
376 if (packet_len < RADIUS_HEADER_LENGTH) {
377 fr_strerror_const("Packet must be encoded before calling fr_radius_sign()");
378 return -1;
379 }
380
381 /*
382 * Find Message-Authenticator. Its value has to be
383 * calculated before we calculate the Request
384 * Authenticator or the Response Authenticator.
385 */
386 msg = packet + RADIUS_HEADER_LENGTH;
387 end = packet + packet_len;
388
389 while (msg < end) {
390 if ((end - msg) < 2) goto invalid_attribute;
391
392 if (msg[0] != FR_MESSAGE_AUTHENTICATOR) {
393 if (msg[1] < 2) goto invalid_attribute;
394
395 if ((msg + msg[1]) > end) {
396 invalid_attribute:
397 fr_strerror_printf("Invalid attribute at offset %zd", msg - packet);
398 return -1;
399 }
400 msg += msg[1];
401 continue;
402 }
403
404 if (msg[1] < 18) {
405 fr_strerror_const("Message-Authenticator is too small");
406 return -1;
407 }
408
409 switch (packet[0]) {
413 memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH);
414 break;
415
424 if (!vector) goto need_original;
425 memcpy(packet + 4, vector, RADIUS_AUTH_VECTOR_LENGTH);
426 break;
427
430 /* packet + 4 MUST be the Request Authenticator filled with random data */
431 break;
432
433 default:
434 goto bad_packet;
435 }
436
437 /*
438 * Force Message-Authenticator to be zero,
439 * calculate the HMAC, and put it into the
440 * Message-Authenticator attribute.
441 */
442 memset(msg + 2, 0, RADIUS_AUTH_VECTOR_LENGTH);
443 fr_hmac_md5(msg + 2, packet, packet_len, secret, secret_len);
444 break;
445 }
446
447 /*
448 * Initialize the request authenticator.
449 */
450 switch (packet[0]) {
454 memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH);
455 break;
456
466 if (!vector) {
467 need_original:
468 fr_strerror_const("Cannot sign response packet without a request packet");
469 return -1;
470 }
471 memcpy(packet + 4, vector, RADIUS_AUTH_VECTOR_LENGTH);
472 break;
473
474 /*
475 * The Request Authenticator is random numbers.
476 * We don't need to sign anything else, so
477 * return.
478 */
481 return 0;
482
483 default:
484 bad_packet:
485 fr_strerror_printf("Cannot sign unknown packet code %u", packet[0]);
486 return -1;
487 }
488
489 /*
490 * Request / Response Authenticator = MD5(packet + secret)
491 */
492 {
493 fr_md5_ctx_t *md5_ctx;
494
495 md5_ctx = fr_md5_ctx_alloc_from_list();
496 fr_md5_update(md5_ctx, packet, packet_len);
497 fr_md5_update(md5_ctx, secret, secret_len);
498 fr_md5_final(packet + 4, md5_ctx);
500 }
501
502 return 0;
503}
504
505
506/** See if the data pointed to by PTR is a valid RADIUS packet.
507 *
508 * @param[in] packet to check.
509 * @param[in,out] packet_len_p The size of the packet data.
510 * @param[in] max_attributes to allow in the packet.
511 * @param[in] require_message_authenticator whether we require Message-Authenticator.
512 * @param[in] reason if not NULL, will have the failure reason written to where it points.
513 * @return
514 * - True on success.
515 * - False on failure.
516 */
517bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
518 uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
519{
520 uint8_t const *attr, *end;
521 size_t totallen;
522 bool seen_ma = false;
523 uint32_t num_attributes;
525 size_t packet_len = *packet_len_p;
526
527 /*
528 * Check for packets smaller than the packet header.
529 *
530 * RFC 2865, Section 3., subsection 'length' says:
531 *
532 * "The minimum length is 20 ..."
533 */
534 if (packet_len < RADIUS_HEADER_LENGTH) {
535 FR_DEBUG_STRERROR_PRINTF("Packet is too short (received %zu < minimum 20)",
536 packet_len);
538 goto finish;
539 }
540
541
542 /*
543 * Check for packets with mismatched size.
544 * i.e. We've received 128 bytes, and the packet header
545 * says it's 256 bytes long.
546 */
547 totallen = fr_nbo_to_uint16(packet + 2);
548
549 /*
550 * Code of 0 is not understood.
551 * Code of 16 or greater is not understood.
552 */
553 if ((packet[0] == 0) ||
554 (packet[0] >= FR_RADIUS_CODE_MAX)) {
555 FR_DEBUG_STRERROR_PRINTF("Unknown packet code %d", packet[0]);
557 goto finish;
558 }
559
560 switch (packet[0]) {
561 /*
562 * Message-Authenticator is required in Status-Server
563 * packets, otherwise they can be trivially forged.
564 */
566 require_message_authenticator = true;
567 break;
568
569 /*
570 * Message-Authenticator may or may not be
571 * required for Access-* packets.
572 */
577 break;
578
579 /*
580 * Message-Authenticator is not required for all other packets.
581 */
582 default:
583 require_message_authenticator = false;
584 break;
585 }
586
587 /*
588 * Repeat the length checks. This time, instead of
589 * looking at the data we received, look at the value
590 * of the 'length' field inside of the packet.
591 *
592 * Check for packets smaller than the packet header.
593 *
594 * RFC 2865, Section 3., subsection 'length' says:
595 *
596 * "The minimum length is 20 ..."
597 */
598 if (totallen < RADIUS_HEADER_LENGTH) {
599 FR_DEBUG_STRERROR_PRINTF("Length in header is too small (length %zu < minimum 20)",
600 totallen);
602 goto finish;
603 }
604
605 /*
606 * And again, for the value of the 'length' field.
607 *
608 * RFC 2865, Section 3., subsection 'length' says:
609 *
610 * " ... and maximum length is 4096."
611 *
612 * HOWEVER. This requirement is for the network layer.
613 * If the code gets here, we assume that a well-formed
614 * packet is an OK packet.
615 *
616 * We allow both the UDP data length, and the RADIUS
617 * "length" field to contain up to 64K of data.
618 */
619
620 /*
621 * RFC 2865, Section 3., subsection 'length' says:
622 *
623 * "If the packet is shorter than the Length field
624 * indicates, it MUST be silently discarded."
625 *
626 * i.e. No response to the NAS.
627 */
628 if (totallen > packet_len) {
629 FR_DEBUG_STRERROR_PRINTF("Packet is truncated (received %zu < packet header length of %zu)",
630 packet_len, totallen);
632 goto finish;
633 }
634
635 /*
636 * RFC 2865, Section 3., subsection 'length' says:
637 *
638 * "Octets outside the range of the Length field MUST be
639 * treated as padding and ignored on reception."
640 */
641 if (totallen < packet_len) {
642 *packet_len_p = packet_len = totallen;
643 }
644
645 /*
646 * Walk through the packet's attributes, ensuring that
647 * they add up EXACTLY to the size of the packet.
648 *
649 * If they don't, then the attributes either under-fill
650 * or over-fill the packet. Any parsing of the packet
651 * is impossible, and will result in unknown side effects.
652 *
653 * This would ONLY happen with buggy RADIUS implementations,
654 * or with an intentional attack. Either way, we do NOT want
655 * to be vulnerable to this problem.
656 */
657 attr = packet + RADIUS_HEADER_LENGTH;
658 end = packet + packet_len;
659 num_attributes = 0;
660
661 while (attr < end) {
662 /*
663 * We need at least 2 bytes to check the
664 * attribute header.
665 */
666 if ((end - attr) < 2) {
667 FR_DEBUG_STRERROR_PRINTF("Attribute header overflows the packet");
669 goto finish;
670 }
671
672 /*
673 * Attribute number zero is NOT defined.
674 */
675 if (attr[0] == 0) {
676 FR_DEBUG_STRERROR_PRINTF("Invalid attribute 0 at offset %zd", attr - packet);
678 goto finish;
679 }
680
681 /*
682 * Attributes are at LEAST as long as the ID & length
683 * fields. Anything shorter is an invalid attribute.
684 */
685 if (attr[1] < 2) {
686 FR_DEBUG_STRERROR_PRINTF("Attribute %u is too short at offset %zd",
687 attr[0], attr - packet);
689 goto finish;
690 }
691
692 /*
693 * If there are fewer bytes in the packet than in the
694 * attribute, it's a bad packet.
695 */
696 if ((attr + attr[1]) > end) {
697 FR_DEBUG_STRERROR_PRINTF("Attribute %u data overflows the packet starting at offset %zd",
698 attr[0], attr - packet);
700 goto finish;
701 }
702
703 /*
704 * Sanity check the attributes for length.
705 */
706 switch (attr[0]) {
707 default: /* don't do anything by default */
708 break;
709
710 /*
711 * If there's an EAP-Message, we require
712 * a Message-Authenticator.
713 */
714 case FR_EAP_MESSAGE:
715 require_message_authenticator = true;
716 break;
717
718 case FR_MESSAGE_AUTHENTICATOR:
719 if (attr[1] != 2 + RADIUS_AUTH_VECTOR_LENGTH) {
720 FR_DEBUG_STRERROR_PRINTF("Message-Authenticator has invalid length (%d != 18) at offset %zd",
721 attr[1] - 2, attr - packet);
723 goto finish;
724 }
725 seen_ma = true;
726 break;
727 }
728
729 attr += attr[1];
730 num_attributes++; /* seen one more attribute */
731 }
732
733 /*
734 * If the attributes add up to a packet, it's allowed.
735 *
736 * If not, we complain, and throw the packet away.
737 */
738 if (attr != end) {
739 FR_DEBUG_STRERROR_PRINTF("Attributes do NOT exactly fill the packet");
741 goto finish;
742 }
743
744 /*
745 * If we're configured to look for a maximum number of
746 * attributes, and we've seen more than that maximum,
747 * then throw the packet away, as a possible DoS.
748 */
749 if ((max_attributes > 0) &&
750 (num_attributes > max_attributes)) {
751 FR_DEBUG_STRERROR_PRINTF("Possible DoS attack - too many attributes in request (received %u, max %u are allowed).",
752 num_attributes, max_attributes);
754 goto finish;
755 }
756
757 /*
758 * http://www.freeradius.org/rfc/rfc2869.html#EAP-Message
759 *
760 * A packet with an EAP-Message attribute MUST also have
761 * a Message-Authenticator attribute.
762 *
763 * A Message-Authenticator all by itself is OK, though.
764 *
765 * Similarly, Status-Server packets MUST contain
766 * Message-Authenticator attributes.
767 */
768 if (require_message_authenticator && !seen_ma) {
769 FR_DEBUG_STRERROR_PRINTF("We require Message-Authenticator attribute, but it is not in the packet");
770 failure = DECODE_FAIL_MA_MISSING;
771 goto finish;
772 }
773
774finish:
775
776 if (reason) {
777 *reason = failure;
778 }
779 return (failure == DECODE_FAIL_NONE);
780}
781
782
783/** Verify a request / response packet
784 *
785 * This function does its work by calling fr_radius_sign(), and then
786 * comparing the signature in the packet with the one we calculated.
787 * If they differ, there's a problem.
788 *
789 * @param[in] packet the raw RADIUS packet (request or response)
790 * @param[in] vector the original packet vector
791 * @param[in] secret the shared secret
792 * @param[in] secret_len the length of the secret
793 * @param[in] require_message_authenticator whether we require Message-Authenticator.
794 * @param[in] limit_proxy_state whether we allow Proxy-State without Message-Authenticator.
795 * @return
796 * < <0 on error (negative fr_radius_decode_fail_t)
797 * - 0 on success.
798 */
799int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
800 uint8_t const *secret, size_t secret_len,
801 bool require_message_authenticator, bool limit_proxy_state)
802{
803 bool found_message_authenticator = false;
804 bool found_proxy_state = false;
805 int rcode;
806 int code;
807 uint8_t *msg, *end;
808 size_t packet_len = fr_nbo_to_uint16(packet + 2);
809 uint8_t request_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
810 uint8_t message_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
811
812 if (packet_len < RADIUS_HEADER_LENGTH) {
813 fr_strerror_printf("invalid packet length %zu", packet_len);
815 }
816
817 code = packet[0];
818 if (!code || (code >= FR_RADIUS_CODE_MAX)) {
819 fr_strerror_printf("Unknown reply code %d", code);
821 }
822
823 memcpy(request_authenticator, packet + 4, sizeof(request_authenticator));
824
825 /*
826 * Find Message-Authenticator. Its value has to be
827 * calculated before we calculate the Request
828 * Authenticator or the Response Authenticator.
829 */
830 msg = packet + RADIUS_HEADER_LENGTH;
831 end = packet + packet_len;
832
833 while (msg < end) {
834 if ((end - msg) < 2) goto invalid_attribute;
835
836 if (msg[0] != FR_MESSAGE_AUTHENTICATOR) {
837 if (msg[1] < 2) goto invalid_attribute;
838
839 /*
840 * If we're not allowing Proxy-State without
841 * Message-authenticator, we need to record
842 * the fact we found Proxy-State.
843 */
844 if (limit_proxy_state && (msg[0] == FR_PROXY_STATE)) found_proxy_state = true;
845
846 if ((msg + msg[1]) > end) {
847 invalid_attribute:
848 fr_strerror_printf("invalid attribute at offset %zd", msg - packet);
850 }
851 msg += msg[1];
852 continue;
853 }
854
855 if (msg[1] < 18) {
856 fr_strerror_const("too small Message-Authenticator");
858 }
859
860 /*
861 * Found it, save a copy.
862 */
863 memcpy(message_authenticator, msg + 2, sizeof(message_authenticator));
864 found_message_authenticator = true;
865 break;
866 }
867
868 if (packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) {
869 if (limit_proxy_state && found_proxy_state && !found_message_authenticator) {
870 fr_strerror_const("Proxy-State is not allowed without Message-Authenticator");
872 }
873
874 if (require_message_authenticator && !found_message_authenticator) {
875 fr_strerror_const("Access-Request is missing the required Message-Authenticator attribute");
877 }
878 }
879
880 /*
881 * Overwrite the contents of Message-Authenticator
882 * with the one we calculate.
883 */
884 rcode = fr_radius_sign(packet, vector, secret, secret_len);
885 if (rcode < 0) {
886 fr_strerror_const_push("Failed calculating correct authenticator");
887 return -DECODE_FAIL_VERIFY;
888 }
889
890 /*
891 * Check the Message-Authenticator first.
892 *
893 * If it's invalid, restore the original
894 * Message-Authenticator and Request Authenticator
895 * fields.
896 *
897 * If it's valid the original and calculated
898 * message authenticators are the same, so we don't
899 * need to do anything.
900 */
901 if ((msg < end) &&
902 (fr_digest_cmp(message_authenticator, msg + 2, sizeof(message_authenticator)) != 0)) {
903 memcpy(msg + 2, message_authenticator, sizeof(message_authenticator));
904 memcpy(packet + 4, request_authenticator, sizeof(request_authenticator));
905
906 fr_strerror_const("invalid Message-Authenticator (shared secret is incorrect)");
908 }
909
910 /*
911 * These are random numbers, so there's no point in
912 * comparing them.
913 */
914 if ((packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) || (packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) {
915 return 0;
916 }
917
918 /*
919 * Check the Request Authenticator.
920 */
921 if (fr_digest_cmp(request_authenticator, packet + 4, sizeof(request_authenticator)) != 0) {
922 memcpy(packet + 4, request_authenticator, sizeof(request_authenticator));
923 if (vector) {
924 fr_strerror_const("invalid Response Authenticator (shared secret is incorrect)");
925 } else {
926 fr_strerror_const("invalid Request Authenticator (shared secret is incorrect)");
927 }
928 return -DECODE_FAIL_VERIFY;
929 }
930
931 return 0;
932}
933
934void *fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx);
935
936void *fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx)
937{
938 fr_pair_t *c = current;
939 fr_dict_t *dict = talloc_get_type_abort(uctx, fr_dict_t);
940
941 while ((c = fr_dlist_next(cursor->dlist, c))) {
942 PAIR_VERIFY(c);
943 if ((c->da->dict == dict) &&
944 (!c->da->flags.internal || ((c->da->attr > FR_TAG_BASE) && (c->da->attr < (FR_TAG_BASE + 0x20))))) {
945 break;
946 }
947 }
948
949 return c;
950}
951
952
955 // can be in Access-Accept
958
961
963
964 [ FR_RADIUS_CODE_COA_ACK ] = true,
965 [ FR_RADIUS_CODE_COA_NAK ] = true,
966
970
972};
973
975{
976 ssize_t slen;
977 fr_pair_t const *vp;
978 fr_dcursor_t cursor;
979 fr_dbuff_t work_dbuff, length_dbuff;
980
982
983 /*
984 * The RADIUS header can't do more than 64K of data.
985 */
986 work_dbuff = FR_DBUFF_MAX(dbuff, 65535);
987
988 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, packet_ctx->code, packet_ctx->id);
989 length_dbuff = FR_DBUFF(&work_dbuff);
991
992 switch (packet_ctx->code) {
995 packet_ctx->request_authenticator = fr_dbuff_current(&work_dbuff);
996
997 /*
998 * Allow over-rides of the authentication vector for testing.
999 */
1001 if (vp && (vp->vp_length >= RADIUS_AUTH_VECTOR_LENGTH)) {
1002 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_octets, RADIUS_AUTH_VECTOR_LENGTH);
1003 } else {
1004 int i;
1005
1006 for (i = 0; i < 4; i++) {
1007 FR_DBUFF_IN_RETURN(&work_dbuff, (uint32_t) fr_rand());
1008 }
1009 }
1010 break;
1011
1021 if (!packet_ctx->request_authenticator) {
1022 fr_strerror_const("Cannot encode response without request");
1023 return -1;
1024 }
1026 break;
1027
1030 /*
1031 * Tunnel-Password encoded attributes are allowed
1032 * in CoA-Request packets, by RFC 5176 Section
1033 * 3.6. HOWEVER, the tunnel passwords are
1034 * "encrypted" using the Request Authenticator,
1035 * which is all zeros! That makes them much
1036 * easier to decrypt. The only solution here is
1037 * to say "don't do that!"
1038 */
1040 packet_ctx->request_authenticator = fr_dbuff_current(&work_dbuff);
1041
1043 break;
1044
1045 default:
1046 fr_strerror_printf("Cannot encode unknown packet code %d", packet_ctx->code);
1047 return -1;
1048 }
1049
1050 /*
1051 * Always add Message-Authenticator after the packet
1052 * header for insecure transport protocols.
1053 */
1054 if (!packet_ctx->common->secure_transport) switch (packet_ctx->code) {
1060 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_MESSAGE_AUTHENTICATOR, 0x12,
1061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1062 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
1063 packet_ctx->seen_message_authenticator = true;
1064 }
1065
1066 /*
1067 * If we're sending Protocol-Error, add in
1068 * Original-Packet-Code manually. If the user adds it
1069 * later themselves, well, too bad.
1070 */
1071 if (packet_ctx->code == FR_RADIUS_CODE_PROTOCOL_ERROR) {
1072 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_EXTENDED_ATTRIBUTE_1, 0x07, 0x04 /* Original-Packet-Code */,
1073 0x00, 0x00, 0x00, packet_ctx->request_code);
1074 }
1075
1076 /*
1077 * Loop over the reply attributes for the packet.
1078 */
1080 while ((vp = fr_dcursor_current(&cursor))) {
1081 PAIR_VERIFY(vp);
1082
1083 /*
1084 * Encode an individual VP
1085 */
1086 slen = fr_radius_encode_pair(&work_dbuff, &cursor, packet_ctx);
1087 if (slen < 0) return slen;
1088 } /* done looping over all attributes */
1089
1090 /*
1091 * Add Proxy-State to the end of the packet if the caller requested it.
1092 */
1093 if (packet_ctx->add_proxy_state) {
1094 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_PROXY_STATE, (uint8_t) (2 + sizeof(packet_ctx->common->proxy_state)));
1095 FR_DBUFF_IN_RETURN(&work_dbuff, packet_ctx->common->proxy_state);
1096 }
1097
1098 /*
1099 * Fill in the length field we zeroed out earlier.
1100 *
1101 */
1102 fr_dbuff_in(&length_dbuff, (uint16_t) (fr_dbuff_used(&work_dbuff)));
1103
1104 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), fr_dbuff_used(&work_dbuff), "%s encoded packet", __FUNCTION__);
1105
1106 return fr_dbuff_set(dbuff, &work_dbuff);
1107}
1108
1110 uint8_t *packet, size_t packet_len,
1111 fr_radius_decode_ctx_t *decode_ctx)
1112{
1113 ssize_t slen;
1114 uint8_t const *attr, *end;
1115 static const uint8_t zeros[RADIUS_AUTH_VECTOR_LENGTH] = {};
1116
1117 if (!decode_ctx->request_authenticator) {
1118 switch (packet[0]) {
1121 decode_ctx->request_authenticator = packet + 4;
1122 break;
1123
1127 decode_ctx->request_authenticator = zeros;
1128 break;
1129
1130 default:
1131 fr_strerror_const("No authentication vector passed for packet decode");
1132 return -1;
1133 }
1134 }
1135
1136 if (decode_ctx->request_code) {
1137 unsigned int code = packet[0];
1138
1139 if (code >= FR_RADIUS_CODE_MAX) {
1141 }
1142 if (decode_ctx->request_code >= FR_RADIUS_CODE_MAX) {
1144 }
1145
1146 if (!allowed_replies[code]) {
1147 fr_strerror_printf("%s packet received unknown reply code %s",
1150 }
1151
1152 /*
1153 * Protocol error can reply to any packet.
1154 *
1155 * Status-Server can get any reply.
1156 *
1157 * Otherwise the reply code must be associated with the request code we sent.
1158 */
1160 (allowed_replies[code] != decode_ctx->request_code)) {
1161 fr_strerror_printf("%s packet received invalid reply code %s",
1164 }
1165 }
1166
1167 /*
1168 * We can skip verification for dynamic client checks, and where packets are unsigned as with
1169 * RADIUS/1.1.
1170 */
1171 if (decode_ctx->verify) {
1172 if (!decode_ctx->request_authenticator) decode_ctx->request_authenticator = zeros;
1173
1174 if (fr_radius_verify(packet, decode_ctx->request_authenticator,
1175 (uint8_t const *) decode_ctx->common->secret, decode_ctx->common->secret_length,
1176 decode_ctx->require_message_authenticator, decode_ctx->limit_proxy_state) < 0) {
1177 return -1;
1178 }
1179 }
1180
1181 attr = packet + 20;
1182 end = packet + packet_len;
1183
1184 /*
1185 * The caller MUST have called fr_radius_ok() first. If
1186 * he doesn't, all hell breaks loose.
1187 */
1188 while (attr < end) {
1189 slen = fr_radius_decode_pair(ctx, out, attr, (end - attr), decode_ctx);
1190 if (slen < 0) return slen;
1191
1192 /*
1193 * If slen is larger than the room in the packet,
1194 * all kinds of bad things happen.
1195 */
1196 if (!fr_cond_assert(slen <= (end - attr))) {
1197 return -slen;
1198 }
1199
1200 attr += slen;
1201 talloc_free_children(decode_ctx->tmp_ctx);
1202 }
1203
1204 /*
1205 * We've parsed the whole packet, return that.
1206 */
1207 return packet_len;
1208}
1209
1210/** Simple wrapper for callers who just need a shared secret
1211 *
1212 */
1214 uint8_t *packet, size_t packet_len,
1215 uint8_t const *vector, char const *secret)
1216{
1217 ssize_t rcode;
1218 fr_radius_ctx_t common_ctx = {};
1219 fr_radius_decode_ctx_t packet_ctx = {};
1220
1221 common_ctx.secret = secret;
1222 common_ctx.secret_length = strlen(secret);
1223
1224 packet_ctx.common = &common_ctx;
1225 packet_ctx.tmp_ctx = talloc(ctx, uint8_t);
1226 packet_ctx.request_authenticator = vector;
1227 packet_ctx.end = packet + packet_len;
1228
1229 rcode = fr_radius_decode(ctx, out, packet, packet_len, &packet_ctx);
1230 talloc_free(packet_ctx.tmp_ctx);
1231
1232 return rcode;
1233}
1234
1236{
1237 if (instance_count > 0) {
1239 return 0;
1240 }
1241
1243
1245 fail:
1247 return -1;
1248 }
1249
1252 goto fail;
1253 }
1254
1255 instantiated = true;
1256 return 0;
1257}
1258
1260{
1261 if (!instantiated) return;
1262
1263 if (--instance_count != 0) return;
1264
1266}
1267
1269{
1271
1272 if (da->parent->type == FR_TYPE_STRUCT) {
1273 if (flags->extended) {
1274 fr_strerror_const("Attributes of type 'extended' cannot be used inside of a 'struct'");
1275 return false;
1276 }
1277
1278 if (flags->long_extended) {
1279 fr_strerror_const("Attributes of type 'long_extended' cannot be used inside of a 'struct'");
1280 return false;
1281 }
1282
1283
1284 if (flags->concat) {
1285 fr_strerror_const("Attributes of type 'concat' cannot be used inside of a 'struct'");
1286 return false;
1287 }
1288
1289 if (flags->has_tag) {
1290 fr_strerror_const("Attributes of type 'concat' cannot be used inside of a 'struct'");
1291 return false;
1292 }
1293
1294 if (flags->abinary) {
1295 fr_strerror_const("Attributes of type 'abinary' cannot be used inside of a 'struct'");
1296 return false;
1297 }
1298
1299 if (flags->encrypt > 0) {
1300 fr_strerror_const("Attributes of type 'encrypt' cannot be used inside of a 'struct'");
1301 return false;
1302 }
1303
1304 return true;
1305 }
1306
1307 if (da->flags.length > 253) {
1308 fr_strerror_printf("Attributes cannot be more than 253 octets in length");
1309 return false;
1310 }
1311 /*
1312 * Secret things are secret.
1313 */
1314 if (flags->encrypt != 0) da->flags.secret = true;
1315
1316 if (flags->concat) {
1317 if (!da->parent->flags.is_root) {
1318 fr_strerror_const("Attributes with the 'concat' flag MUST be at the root of the dictionary");
1319 return false;
1320 }
1321
1322 if (da->type != FR_TYPE_OCTETS) {
1323 fr_strerror_const("Attributes with the 'concat' flag MUST be of data type 'octets'");
1324 return false;
1325 }
1326
1327 return true; /* can't use any other flag */
1328 }
1329
1330 /*
1331 * Tagged attributes can only be of two data types. They
1332 * can, however, be VSAs.
1333 */
1334 if (flags->has_tag) {
1335 if ((da->type != FR_TYPE_UINT32) && (da->type != FR_TYPE_STRING)) {
1336 fr_strerror_printf("The 'has_tag' flag can only be used for attributes of type 'integer' "
1337 "or 'string'");
1338 return false;
1339 }
1340
1341 if (!(da->parent->flags.is_root ||
1342 ((da->parent->type == FR_TYPE_VENDOR) &&
1343 (da->parent->parent && da->parent->parent->type == FR_TYPE_VSA)))) {
1344 fr_strerror_const("The 'has_tag' flag can only be used with RFC and VSA attributes");
1345 return false;
1346 }
1347
1348 return true;
1349 }
1350
1351 if (flags->extended) {
1352 if (da->type != FR_TYPE_TLV) {
1353 fr_strerror_const("The 'long' or 'extended' flag can only be used for attributes of type 'tlv'");
1354 return false;
1355 }
1356
1357 if (!da->parent->flags.is_root) {
1358 fr_strerror_const("The 'long' flag can only be used for top-level RFC attributes");
1359 return false;
1360 }
1361
1362 return true;
1363 }
1364
1365 /*
1366 * Stupid hacks for MS-CHAP-MPPE-Keys. The User-Password
1367 * encryption method has no provisions for encoding the
1368 * length of the data. For User-Password, the data is
1369 * (presumably) all printable non-zero data. For
1370 * MS-CHAP-MPPE-Keys, the data is binary crap. So... we
1371 * MUST specify a length in the dictionary.
1372 */
1373 if ((flags->encrypt == RADIUS_FLAG_ENCRYPT_USER_PASSWORD) && (da->type != FR_TYPE_STRING)) {
1374 if (da->type != FR_TYPE_OCTETS) {
1375 fr_strerror_printf("The 'encrypt=User-Password' flag can only be used with "
1376 "attributes of type 'string'");
1377 return false;
1378 }
1379
1380 if (da->flags.length == 0) {
1381 fr_strerror_printf("The 'encrypt=User-Password' flag MUST be used with an explicit length for "
1382 "'octets' data types");
1383 return false;
1384 }
1385 }
1386
1387 switch (da->type) {
1388 case FR_TYPE_STRING:
1389 break;
1390
1391 case FR_TYPE_TLV:
1392 case FR_TYPE_IPV4_ADDR:
1393 case FR_TYPE_UINT32:
1394 case FR_TYPE_OCTETS:
1395 if (flags->encrypt != RADIUS_FLAG_ENCRYPT_ASCEND_SECRET) break;
1397
1398 default:
1399 if (flags->encrypt) {
1400 fr_strerror_printf("The 'encrypt' flag cannot be used with attributes of type '%s'",
1401 fr_type_to_str(da->type));
1402 return false;
1403 }
1404 }
1405
1406 return true;
1407}
1408
1411 .name = "radius",
1412 .default_type_size = 1,
1413 .default_type_length = 1,
1414 .attr = {
1415 .flags = {
1416 .table = radius_flags,
1417 .table_len = NUM_ELEMENTS(radius_flags),
1418 .len = sizeof(fr_radius_attr_flags_t),
1419 },
1420 .valid = attr_valid,
1421 },
1422
1423 .init = fr_radius_global_init,
1424 .free = fr_radius_global_free,
1425
1426 .decode = fr_radius_decode_foreign,
1427 .encode = fr_radius_encode_foreign,
1428};
static int const char char buffer[256]
Definition acutest.h:576
log_entry msg
Definition acutest.h:794
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define STRINGIFY(x)
Definition build.h:197
#define UNUSED
Definition build.h:317
#define NUM_ELEMENTS(_t)
Definition build.h:339
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
Definition dbuff.h:767
#define FR_DBUFF_EXTEND_LOWAT_OR_RETURN(_dbuff_or_marker, _lowat)
Extend if we're below _lowat and return if we can't extend above _lowat.
Definition dbuff.h:673
#define fr_dbuff_current(_dbuff_or_marker)
Return the 'current' position of a dbuff or marker.
Definition dbuff.h:911
#define fr_dbuff_set(_dst, _src)
Set the 'current' position in a dbuff or marker using another dbuff or marker, a char pointer,...
Definition dbuff.h:1004
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
Definition dbuff.h:898
#define FR_DBUFF_MEMSET_RETURN(_dbuff_or_marker, _c, _inlen)
Set _inlen bytes of a dbuff or marker to _c returning if there is insufficient space.
Definition dbuff.h:1508
#define FR_DBUFF_IN_MEMCPY_RETURN(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1382
#define fr_dbuff_in_memcpy(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into a dbuff or marker.
Definition dbuff.h:1350
#define fr_dbuff_in(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff or marker.
Definition dbuff.h:1567
#define FR_DBUFF_IN_RETURN(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff returning if there is insufficient space.
Definition dbuff.h:1585
#define FR_DBUFF(_dbuff_or_marker)
Create a new dbuff pointing to the same underlying buffer.
Definition dbuff.h:222
#define FR_DBUFF_MAX(_dbuff_or_marker, _max)
Limit the maximum number of bytes available in the dbuff when passing it to another function.
Definition dbuff.h:301
#define FR_DBUFF_IN_BYTES_RETURN(_dbuff_or_marker,...)
Copy a byte sequence into a dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1472
static void * fr_dcursor_current(fr_dcursor_t *cursor)
Return the item the cursor current points to.
Definition dcursor.h:339
fr_dlist_head_t * dlist
Head of the doubly linked list being iterated over.
Definition dcursor.h:94
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:131
fr_radius_packet_code_t
RADIUS packet codes.
Definition defs.h:31
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
@ FR_RADIUS_CODE_UNDEFINED
Packet code has not been set.
Definition defs.h:32
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
#define MAX_PACKET_LEN
Definition defs.h:68
static int sockfd
Definition dhcpclient.c:56
#define fr_dict_autofree(_to_free)
Definition dict.h:870
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4134
@ FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC
Protocol specific extensions.
Definition dict.h:177
#define fr_dict_autoload(_to_load)
Definition dict.h:867
static fr_slen_t in
Definition dict.h:841
char const * name
name of this protocol
Definition dict.h:435
#define FR_DICT_ATTR_FLAG_FUNC(_struct, _name)
Define a flag setting function, which sets one bit in a fr_dict_attr_flags_t.
Definition dict.h:414
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Protocol specific custom flag definitnion.
Definition dict.h:404
Protocol-specific callbacks in libfreeradius-PROTOCOL.
Definition dict.h:434
static void * fr_dict_attr_ext(fr_dict_attr_t const *da, fr_dict_attr_ext_t ext)
Definition dict_ext.h:140
Test enumeration values.
Definition dict_test.h:92
static void * fr_dlist_next(fr_dlist_head_t const *list_head, void const *ptr)
Get the next item in a list.
Definition dlist.h:555
int fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen, uint8_t const *key, size_t key_len)
Calculate HMAC using internal MD5 implementation.
Definition hmac_md5.c:119
int af
Address family.
Definition inet.h:64
union fr_ipaddr_t::@136 addr
IPv4/6 prefix.
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
fr_dict_attr_t const * attr_state
Definition base.c:103
fr_dict_attr_t const * attr_eap_message
Definition base.c:96
fr_dict_t const * dict_radius
Definition base.c:78
fr_dict_attr_t const * attr_message_authenticator
Definition base.c:94
static int dict_flag_encrypt(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules)
Definition base.c:227
static uint32_t instance_count
Definition base.c:44
talloc_free(reap)
int udp_recv_discard(int sockfd)
Discard the next UDP packet.
Definition udp.c:75
ssize_t udp_recv_peek(int sockfd, void *data, size_t data_len, int flags, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Peek at the header of a UDP packet.
Definition udp.c:95
fr_md5_update_t fr_md5_update
Definition md5.c:442
fr_md5_final_t fr_md5_final
Definition md5.c:443
void fr_md5_ctx_free_from_list(fr_md5_ctx_t **ctx)
Definition md5.c:522
fr_md5_ctx_t * fr_md5_ctx_alloc_from_list(void)
Definition md5.c:477
void fr_md5_ctx_t
Definition md5.h:28
#define MD5_DIGEST_LENGTH
unsigned short uint16_t
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
@ FR_TYPE_VSA
Vendor-Specific, for RADIUS attribute 26.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
long int ssize_t
unsigned char uint8_t
int fr_digest_cmp(uint8_t const *a, uint8_t const *b, size_t length)
Do a comparison of two authentication digests by comparing the FULL data.
Definition misc.c:473
char const * inet_ntop(int af, void const *src, char *dst, size_t cnt)
Definition missing.c:443
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
#define RADIUS_HEADER_LENGTH
Definition net.h:80
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
static uint8_t const zeros[6]
Definition base.c:105
static bool instantiated
Definition base.c:34
static bool attr_valid(fr_dict_attr_t *da)
Definition base.c:443
fr_dict_protocol_t libfreeradius_radius_dict_protocol
Definition base.c:1410
fr_dict_autoload_t libfreeradius_radius_dict[]
Definition base.c:48
fr_dict_attr_t const * attr_nas_filter_rule
Definition base.c:62
static const bool disallow_tunnel_passwords[FR_RADIUS_CODE_MAX]
Definition base.c:953
static fr_dict_flag_parser_t const radius_flags[]
Definition base.c:220
fr_dict_attr_t const * attr_packet_authentication_vector
Definition base.c:55
static const fr_radius_packet_code_t allowed_replies[FR_RADIUS_CODE_MAX]
If we get a reply, the request must come from one of a small number of packet types.
Definition base.c:174
ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen, char const *secret, uint8_t const *vector)
Do Ascend-Send / Recv-Secret calculation.
Definition base.c:249
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition base.c:1109
size_t fr_radius_limit_proxy_state_table_len
Definition base.c:101
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
Definition base.c:360
int fr_radius_verify(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_message_authenticator, bool limit_proxy_state)
Verify a request / response packet.
Definition base.c:799
fr_dict_attr_autoload_t libfreeradius_radius_dict_attr[]
Definition base.c:65
size_t fr_radius_require_ma_table_len
Definition base.c:92
fr_dict_attr_t const * attr_chap_challenge
Definition base.c:56
void * fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx)
Definition base.c:936
fr_dict_attr_t const * attr_vendor_specific
Definition base.c:61
int fr_radius_global_init(void)
Definition base.c:1235
size_t fr_radius_request_name_table_len
Definition base.c:112
#define FR_DEBUG_STRERROR_PRINTF
Definition base.c:82
fr_dict_attr_t const * attr_chargeable_user_identity
Definition base.c:57
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)
Simple wrapper for callers who just need a shared secret.
Definition base.c:1213
void fr_radius_global_free(void)
Definition base.c:1259
fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[]
Definition base.c:94
fr_table_num_sorted_t const fr_radius_request_name_table[]
Definition base.c:103
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:85
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
See if the data pointed to by PTR is a valid RADIUS packet.
Definition base.c:517
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
Definition base.c:974
#define FR_DEBUG_STRERROR_PRINTF_PUSH
Definition base.c:83
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:114
ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
Basic validation of RADIUS packet header.
Definition base.c:287
int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
Definition base.c:229
ssize_t fr_radius_decode_foreign(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len)
Definition decode.c:2092
ssize_t fr_radius_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx)
Create a "normal" fr_pair_t from the given data.
Definition decode.c:1985
ssize_t fr_radius_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
Encode a data structure into a RADIUS attribute.
Definition encode.c:1515
ssize_t fr_radius_encode_foreign(fr_dbuff_t *dbuff, fr_pair_list_t const *list)
Definition encode.c:1680
VQP attributes.
static rc_request_t * current
static char * secret
unsigned int has_tag
Attribute has a tag.
Definition radius.h:156
bool secure_transport
for TLS
Definition radius.h:98
@ FR_RADIUS_REQUIRE_MA_NO
Do not require Message-Authenticator.
Definition radius.h:63
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
Definition radius.h:64
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
Definition radius.h:65
fr_radius_ctx_t const * common
Definition radius.h:104
uint8_t request_code
original code for the request.
Definition radius.h:132
uint8_t const * request_authenticator
Definition radius.h:127
unsigned int abinary
Attribute is in "abinary" format.
Definition radius.h:157
fr_radius_decode_fail_t
Failure reasons.
Definition radius.h:162
@ DECODE_FAIL_INVALID_ATTRIBUTE
Definition radius.h:170
@ DECODE_FAIL_ATTRIBUTE_UNDERFLOW
Definition radius.h:174
@ DECODE_FAIL_MIN_LENGTH_FIELD
Definition radius.h:166
@ DECODE_FAIL_HEADER_OVERFLOW
Definition radius.h:168
@ DECODE_FAIL_ATTRIBUTE_TOO_SHORT
Definition radius.h:171
@ DECODE_FAIL_MA_INVALID
Definition radius.h:177
@ DECODE_FAIL_ATTRIBUTE_OVERFLOW
Definition radius.h:172
@ DECODE_FAIL_TOO_MANY_ATTRIBUTES
Definition radius.h:175
@ DECODE_FAIL_NONE
Definition radius.h:163
@ DECODE_FAIL_MIN_LENGTH_PACKET
Definition radius.h:164
@ DECODE_FAIL_MIN_LENGTH_MISMATCH
Definition radius.h:167
@ DECODE_FAIL_VERIFY
Definition radius.h:178
@ DECODE_FAIL_MA_INVALID_LENGTH
Definition radius.h:173
@ DECODE_FAIL_MA_MISSING
Definition radius.h:176
@ DECODE_FAIL_UNKNOWN_PACKET_CODE
Definition radius.h:169
bool disallow_tunnel_passwords
not all packets can have tunnel passwords
Definition radius.h:120
char const * secret
Definition radius.h:95
unsigned int concat
Attribute is concatenated.
Definition radius.h:155
uint8_t const * end
end of the packet
Definition radius.h:130
bool limit_proxy_state
Don't allow Proxy-State in requests.
Definition radius.h:137
uint64_t proxy_state
Definition radius.h:100
uint8_t const * request_authenticator
Definition radius.h:106
unsigned int extended
Attribute is an extended attribute.
Definition radius.h:154
fr_radius_attr_flags_encrypt_t encrypt
Attribute is encrypted.
Definition radius.h:158
bool require_message_authenticator
Definition radius.h:136
size_t secret_length
Definition radius.h:96
bool verify
can skip verify for dynamic clients
Definition radius.h:135
fr_radius_ctx_t const * common
Definition radius.h:125
@ FR_RADIUS_LIMIT_PROXY_STATE_NO
Do not limit Proxy-State.
Definition radius.h:77
@ FR_RADIUS_LIMIT_PROXY_STATE_AUTO
Do not allow Proxy-State unless:
Definition radius.h:82
@ FR_RADIUS_LIMIT_PROXY_STATE_YES
Limit Proxy-State.
Definition radius.h:79
unsigned int long_extended
Attribute is a long extended attribute.
Definition radius.h:153
fr_radius_attr_flags_encrypt_t
Definition radius.h:144
@ RADIUS_FLAG_ENCRYPT_INVALID
Invalid encryption flag.
Definition radius.h:145
@ RADIUS_FLAG_ENCRYPT_USER_PASSWORD
Encrypt attribute RFC 2865 style.
Definition radius.h:147
@ RADIUS_FLAG_ENCRYPT_ASCEND_SECRET
Encrypt attribute ascend style.
Definition radius.h:149
@ RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD
Encrypt attribute RFC 2868 style.
Definition radius.h:148
static fr_radius_attr_flags_t const * fr_radius_attr_flags(fr_dict_attr_t const *da)
Return RADIUS-specific flags for a given attribute.
Definition radius.h:187
bool add_proxy_state
do we add a Proxy-State?
Definition radius.h:119
bool seen_message_authenticator
Definition radius.h:121
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition radius.h:129
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
fr_pair_t * vp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
#define UDP_FLAGS_PEEK
Definition udp.h:39
#define fr_pair_dcursor_iter_init(_cursor, _list, _iter, _uctx)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
Definition pair.h:569
#define PAIR_VERIFY(_x)
Definition pair.h:193
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition proto.h:42
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
#define fr_strerror_const_push(_msg)
Definition strerror.h:227
#define fr_strerror_const(_msg)
Definition strerror.h:223
static char const * fr_type_to_str(fr_type_t type)
Return a static string containing the type name.
Definition types.h:452
static size_t char fr_sbuff_t size_t inlen
Definition value.h:1022
static size_t char ** out
Definition value.h:1022