26 RCSID(
"$Id: ce7c2d49009a03f36cd1df322b8522a13eb4e5ff $")
33 #include <freeradius-devel/io/pair.h>
34 #include <freeradius-devel/util/md5.h>
35 #include <freeradius-devel/util/net.h>
36 #include <freeradius-devel/util/proto.h>
37 #include <freeradius-devel/util/udp.h>
38 #include <freeradius-devel/protocol/radius/freeradius.internal.h>
81 #define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf_push
100 "Accounting-Response",
105 "Accounting-Message",
116 "Resource-Free-Request",
117 "Resource-Free-Response",
118 "Resource-Query-Request",
119 "Resource-Query-Response",
120 "Alternate-Resource-Reclaim-Request",
121 "NAS-Reboot-Request",
122 "NAS-Reboot-Response",
135 "Disconnect-Request",
145 "IP-Address-Allocate",
146 "IP-Address-Release",
206 if (
inlen >
sizeof(digest))
inlen =
sizeof(digest);
207 for (i = 0; i <
inlen; i++) digest[i] ^=
in[i];
235 if ((errno == EAGAIN) || (errno == EINTR))
return 0;
243 char buffer[INET6_ADDRSTRLEN];
257 packet_len = (header[2] * 256) + header[3];
265 "data, got %zu bytes", packet_len);
312 fr_strerror_printf(
"Secret is too long. Expected <= %u, got %zu", UINT16_MAX, secret_len);
327 end = packet + packet_len;
330 if ((end -
msg) < 2)
goto invalid_attribute;
332 if (
msg[0] != FR_MESSAGE_AUTHENTICATOR) {
333 if (
msg[1] < 2)
goto invalid_attribute;
335 if ((
msg +
msg[1]) > end) {
364 if (!vector)
goto need_original;
462 bool seen_ma =
false;
465 size_t packet_len = *packet_len_p;
493 if ((packet[0] == 0) ||
547 if (totallen > packet_len) {
549 packet_len, totallen);
560 if (totallen < packet_len) {
561 *packet_len_p = packet_len = totallen;
577 end = packet + packet_len;
585 if ((end - attr) < 2) {
606 attr[0], attr - packet);
615 if ((attr + attr[1]) > end) {
617 attr[0], attr - packet);
637 case FR_MESSAGE_AUTHENTICATOR:
640 attr[1] - 2, attr - packet);
668 if ((max_attributes > 0) &&
669 (num_attributes > max_attributes)) {
671 num_attributes, max_attributes);
687 if (require_ma && !seen_ma) {
741 memcpy(request_authenticator, packet + 4,
sizeof(request_authenticator));
749 end = packet + packet_len;
753 if ((end -
msg) < 2)
goto invalid_attribute;
755 if (
msg[0] != FR_MESSAGE_AUTHENTICATOR) {
756 if (
msg[1] < 2)
goto invalid_attribute;
758 if ((
msg +
msg[1]) > end) {
775 memcpy(message_authenticator,
msg + 2,
sizeof(message_authenticator));
781 require_ma && !found_ma) {
782 fr_strerror_const(
"Access-Request is missing the required Message-Authenticator attribute");
806 (
fr_digest_cmp(message_authenticator,
msg + 2,
sizeof(message_authenticator)) != 0)) {
807 memcpy(
msg + 2, message_authenticator,
sizeof(message_authenticator));
808 memcpy(packet + 4, request_authenticator,
sizeof(request_authenticator));
825 if (
fr_digest_cmp(request_authenticator, packet + 4,
sizeof(request_authenticator)) != 0) {
826 memcpy(packet + 4, request_authenticator,
sizeof(request_authenticator));
828 fr_strerror_const(
"invalid Response Authenticator (shared secret is incorrect)");
847 if ((c->
da->dict ==
dict) &&
848 (!c->
da->flags.internal || ((c->
da->attr > FR_TAG_BASE) && (c->
da->attr < (FR_TAG_BASE + 0x20))))) {
900 packet_ctx.
common = &common_ctx;
912 length_dbuff =
FR_DBUFF(&work_dbuff);
937 memcpy(common_ctx.
vector, original + 4,
sizeof(common_ctx.
vector));
953 memset(common_ctx.
vector, 0,
sizeof(common_ctx.
vector));
969 0x00, 0x00, 0x00, original[0]);
983 if (slen < 0)
return slen;
998 uint8_t *packet,
size_t packet_len,
1006 switch (packet[0]) {
1025 int code = packet[0];
1055 if (decode_ctx->
verify) {
1066 end = packet + packet_len;
1072 while (attr < end) {
1074 if (slen < 0)
return slen;
1085 talloc_free_children(decode_ctx->
tmp_ctx);
1098 uint8_t *packet,
size_t packet_len,
1108 packet_ctx.
common = &common_ctx;
1111 packet_ctx.
end = packet + packet_len;
1176 fr_strerror_const(
"Attributes of type 'extended' cannot be used inside of a 'struct'");
1185 if (flags->
extra)
return true;
1207 if (flags->
length > 253) {
1217 if (!flags->
subtype)
return true;
1232 if (!
parent->flags.is_root) {
1233 fr_strerror_const(
"Attributes with the 'concat' flag MUST be at the root of the dictionary");
1238 fr_strerror_const(
"Attributes with the 'concat' flag MUST be of data type 'octets'");
1251 fr_strerror_printf(
"The 'has_tag' flag can only be used for attributes of type 'integer' "
1256 if (!(
parent->flags.is_root ||
1259 fr_strerror_const(
"The 'has_tag' flag can only be used with RFC and VSA attributes");
1268 fr_strerror_const(
"The 'long' or 'extended' flag can only be used for attributes of type 'tlv'");
1272 if (!
parent->flags.is_root) {
1273 fr_strerror_const(
"The 'long' flag can only be used for top-level RFC attributes");
1291 "attributes of type 'string'");
1295 if (flags->
length == 0) {
1297 "'octets' data types");
1325 .default_type_size = 1,
1326 .default_type_length = 1,
static int const char char buffer[256]
#define L(_str)
Helper for initialising arrays of string literals.
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
#define FR_DBUFF_EXTEND_LOWAT_OR_RETURN(_dbuff_or_marker, _lowat)
Extend if we're below _lowat and return if we can't extend above _lowat.
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
#define FR_DBUFF_MEMSET_RETURN(_dbuff_or_marker, _c, _inlen)
Set _inlen bytes of a dbuff or marker to _c returning if there is insufficient space.
#define FR_DBUFF_OUT_MEMCPY_RETURN(_out, _dbuff_or_marker, _outlen)
Copy outlen bytes from the dbuff returning if there's insufficient data in the dbuff.
#define FR_DBUFF_IN_MEMCPY_RETURN(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into dbuff or marker returning if there's insufficient space.
#define fr_dbuff_in_memcpy(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into a dbuff or marker.
#define fr_dbuff_in(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff or marker.
#define FR_DBUFF_IN_RETURN(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff returning if there is insufficient space.
#define FR_DBUFF(_dbuff_or_marker)
Create a new dbuff pointing to the same underlying buffer.
#define FR_DBUFF_MAX(_dbuff_or_marker, _max)
Limit the maximum number of bytes available in the dbuff when passing it to another function.
#define FR_DBUFF_IN_BYTES_RETURN(_dbuff_or_marker,...)
Copy a byte sequence into a dbuff or marker returning if there's insufficient space.
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
static void * fr_dcursor_current(fr_dcursor_t *cursor)
Return the item the cursor current points to.
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
fr_radius_packet_code_t
RADIUS packet codes.
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
@ FR_RADIUS_CODE_UNDEFINED
Packet code has not been set.
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
#define fr_dict_autofree(_to_free)
unsigned int secret
this attribute should be omitted in debug mode
unsigned int extra
really "subtype is used by dict, not by protocol"
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autoload(_to_load)
char const * name
name of this protocol
uint8_t subtype
protocol-specific values, OR key fields
uint8_t length
length of the attribute
Specifies an attribute which must be present for the module to function.
Values of the encryption flags.
Specifies a dictionary which must be loaded/loadable for the module to function.
Protocol-specific callbacks in libfreeradius-PROTOCOL.
static void * fr_dlist_next(fr_dlist_head_t const *list_head, void const *ptr)
Get the next item in a list.
Head of a doubly linked list.
int fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen, uint8_t const *key, size_t key_len)
Calculate HMAC using internal MD5 implementation.
union fr_ipaddr_t::@121 addr
fr_dict_attr_t const * attr_state
fr_dict_attr_t const * attr_eap_message
fr_dict_t const * dict_freeradius
fr_dict_t const * dict_radius
fr_dict_attr_t const * attr_message_authenticator
int udp_recv_discard(int sockfd)
Discard the next UDP packet.
ssize_t udp_recv_peek(int sockfd, void *data, size_t data_len, int flags, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Peek at the header of a UDP packet.
fr_md5_update_t fr_md5_update
fr_md5_final_t fr_md5_final
void fr_md5_ctx_free_from_list(fr_md5_ctx_t **ctx)
fr_md5_ctx_t * fr_md5_ctx_alloc_from_list(void)
#define MD5_DIGEST_LENGTH
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
@ FR_TYPE_VSA
Vendor-Specific, for RADIUS attribute 26.
@ FR_TYPE_OCTETS
Raw octets.
int fr_digest_cmp(uint8_t const *a, uint8_t const *b, size_t length)
Do a comparison of two authentication digests by comparing the FULL data.
char const * inet_ntop(int af, void const *src, char *dst, size_t cnt)
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
#define RADIUS_HEADER_LENGTH
#define RADIUS_AUTH_VECTOR_LENGTH
static uint8_t const zeros[6]
fr_dict_attr_t const * attr_packet_type
fr_dict_protocol_t libfreeradius_radius_dict_protocol
fr_dict_autoload_t libfreeradius_radius_dict[]
fr_dict_attr_t const * attr_nas_filter_rule
static const bool disallow_tunnel_passwords[FR_RADIUS_CODE_MAX]
void * fr_radius_next_encodable(fr_dlist_head_t *list, void *current, void *uctx)
int fr_radius_verify(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_ma)
Verify a request / response packet.
fr_dict_attr_t const * attr_packet_authentication_vector
static const fr_radius_packet_code_t allowed_replies[FR_RADIUS_CODE_MAX]
If we get a reply, the request must come from one of a small number of packet types.
ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen, char const *secret, uint8_t const *vector)
Do Ascend-Send / Recv-Secret calculation.
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
static uint32_t instance_count
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
fr_dict_attr_t const * attr_raw_attribute
fr_dict_attr_autoload_t libfreeradius_radius_dict_attr[]
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_ma, decode_fail_t *reason)
See if the data pointed to by PTR is a valid RADIUS packet.
fr_dict_attr_t const * attr_chap_challenge
fr_dict_attr_t const * attr_vendor_specific
ssize_t fr_radius_encode(uint8_t *packet, size_t packet_len, uint8_t const *original, char const *secret, size_t secret_len, int code, int id, fr_pair_list_t *vps)
Encode VPS into a raw RADIUS packet.
static bool attr_valid(UNUSED fr_dict_t *dict, fr_dict_attr_t const *parent, UNUSED char const *name, UNUSED int attr, fr_type_t type, fr_dict_attr_flags_t *flags)
int fr_radius_global_init(void)
size_t fr_radius_request_name_table_len
#define FR_DEBUG_STRERROR_PRINTF
fr_dict_attr_t const * attr_chargeable_user_identity
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)
Simple wrapper for callers who just need a shared secret.
static fr_table_num_ordered_t const subtype_table[]
void fr_radius_global_free(void)
ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original, char const *secret, size_t secret_len, int code, int id, fr_pair_list_t *vps)
fr_table_num_sorted_t const fr_radius_request_name_table[]
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
Basic validation of RADIUS packet header.
int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
ssize_t fr_radius_decode_foreign(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len)
ssize_t fr_radius_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx)
Create a "normal" fr_pair_t from the given data.
ssize_t fr_radius_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
Encode a data structure into a RADIUS attribute.
ssize_t fr_radius_encode_foreign(fr_dbuff_t *dbuff, fr_pair_list_t const *list)
static rc_request_t * current
@ FLAG_CONCAT
the attribute is concatenated
@ FLAG_ENCRYPT_ASCEND_SECRET
Encrypt attribute ascend style.
@ FLAG_ENCRYPT_TUNNEL_PASSWORD
Encrypt attribute RFC 2868 style.
@ FLAG_ENCRYPT_USER_PASSWORD
Encrypt attribute RFC 2865 style.
@ FLAG_TAGGED_TUNNEL_PASSWORD
the attribute has a tag and is encrypted
@ FLAG_HAS_TAG
the attribute has a tag
@ FLAG_EXTENDED_ATTR
the attribute is an extended attribute
@ FLAG_ABINARY
the attribute is in "abinary" format
@ FLAG_LONG_EXTENDED_ATTR
the attribute is a long extended attribute
fr_fast_rand_t rand_ctx
for tunnel passwords
#define flag_has_tag(_flags)
uint8_t request_code
original code for the request.
uint8_t const * request_authenticator
bool disallow_tunnel_passwords
not all packets can have tunnel passwords
#define flag_extended(_flags)
uint8_t const * end
end of the packet
uint8_t const * request_authenticator
uint8_t vector[RADIUS_AUTH_VECTOR_LENGTH]
vector for authenticating the reply
bool require_message_authenticator
@ DECODE_FAIL_INVALID_ATTRIBUTE
@ DECODE_FAIL_ATTRIBUTE_UNDERFLOW
@ DECODE_FAIL_MIN_LENGTH_FIELD
@ DECODE_FAIL_HEADER_OVERFLOW
@ DECODE_FAIL_ATTRIBUTE_TOO_SHORT
@ DECODE_FAIL_ATTRIBUTE_OVERFLOW
@ DECODE_FAIL_TOO_MANY_ATTRIBUTES
@ DECODE_FAIL_MIN_LENGTH_PACKET
@ DECODE_FAIL_MIN_LENGTH_MISMATCH
@ DECODE_FAIL_MA_INVALID_LENGTH
@ DECODE_FAIL_UNKNOWN_PACKET_CODE
bool verify
can skip verify for dynamic clients
#define flag_concat(_flags)
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
uint32_t fr_rand(void)
Return a 32-bit random number.
fr_aka_sim_id_type_t type
Stores an attribute, a value and various bits of other data.
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
An element in an arbitrarily ordered array of name to num mappings.
An element in a lexicographically sorted array of name to num mappings.
#define fr_pair_dcursor_iter_init(_cursor, _list, _iter, _uctx)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
#define fr_strerror_const_push(_msg)
#define fr_strerror_const(_msg)
static char const * fr_type_to_str(fr_type_t type)
Return a static string containing the type name.
return fr_dbuff_set(dbuff, &our_dbuff)
static size_t char fr_sbuff_t size_t inlen
static size_t char ** out