The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 0997c38c1388af82c7b990b5329ffe62c630b229 $
19 *
20 * @file protocols/radius/base.c
21 * @brief Functions to send/receive radius packets.
22 *
23 * @copyright 2000-2003,2006 The FreeRADIUS server project
24 */
25RCSID("$Id: 0997c38c1388af82c7b990b5329ffe62c630b229 $")
26
27#include <fcntl.h>
28#include <ctype.h>
29
30#include "attrs.h"
31#include "radius.h"
32
33#include <freeradius-devel/io/pair.h>
34#include <freeradius-devel/util/md5.h>
35#include <freeradius-devel/util/net.h>
36#include <freeradius-devel/util/proto.h>
37#include <freeradius-devel/util/table.h>
38#include <freeradius-devel/util/udp.h>
39#include <freeradius-devel/protocol/radius/freeradius.internal.h>
40
42
45
48 { .out = &dict_freeradius, .proto = "freeradius" },
49 { .out = &dict_radius, .proto = "radius" },
50 { NULL }
51};
52
62
65 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
66 { .out = &attr_packet_authentication_vector, .name = "Packet-Authentication-Vector", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
67 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
68 { .out = &attr_chargeable_user_identity, .name = "Chargeable-User-Identity", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
69
70 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
71 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
72 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
73 { .out = &attr_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_VSA, .dict = &dict_radius },
74 { .out = &attr_nas_filter_rule, .name = "NAS-Filter-Rule", .type = FR_TYPE_STRING, .dict = &dict_radius },
75 { NULL }
76};
77
78/*
79 * Some messages get printed out only in debugging mode.
80 */
81#define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf
82#define FR_DEBUG_STRERROR_PRINTF_PUSH if (fr_debug_lvl) fr_strerror_printf_push
83
92
101
112
114 "", //!< 0
115 "Access-Request",
116 "Access-Accept",
117 "Access-Reject",
118 "Accounting-Request",
119 "Accounting-Response",
120 "Accounting-Status",
121 "Password-Request",
122 "Password-Accept",
123 "Password-Reject",
124 "Accounting-Message", //!< 10
125 "Access-Challenge",
126 "Status-Server",
127 "Status-Client",
128 "14",
129 "15",
130 "16",
131 "17",
132 "18",
133 "19",
134 "20", //!< 20
135 "Resource-Free-Request",
136 "Resource-Free-Response",
137 "Resource-Query-Request",
138 "Resource-Query-Response",
139 "Alternate-Resource-Reclaim-Request",
140 "NAS-Reboot-Request",
141 "NAS-Reboot-Response",
142 "28",
143 "Next-Passcode",
144 "New-Pin", //!< 30
145 "Terminate-Session",
146 "Password-Expired",
147 "Event-Request",
148 "Event-Response",
149 "35",
150 "36",
151 "37",
152 "38",
153 "39",
154 "Disconnect-Request", //!< 40
155 "Disconnect-ACK",
156 "Disconnect-NAK",
157 "CoA-Request",
158 "CoA-ACK",
159 "CoA-NAK",
160 "46",
161 "47",
162 "48",
163 "49",
164 "IP-Address-Allocate", //!< 50
165 "IP-Address-Release",
166 "Protocol-Error",
167};
168
169
170/** If we get a reply, the request must come from one of a small
171 * number of packet types.
172 */
188
191
192static int dict_flag_encrypt(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules)
193{
194 static fr_table_num_sorted_t const encrypted[] = {
195 { L("Ascend-Secret"), RADIUS_FLAG_ENCRYPT_ASCEND_SECRET },
196 { L("Tunnel-Password"), RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD },
197 { L("User-Password"), RADIUS_FLAG_ENCRYPT_USER_PASSWORD}
198 };
199 static size_t encrypted_len = NUM_ELEMENTS(encrypted);
200
203
205 if (encrypt == RADIUS_FLAG_ENCRYPT_INVALID) {
206 fr_strerror_printf("Unknown encryption type '%s'", value);
207 return -1;
208 }
209
210 flags->encrypt = encrypt;
211
212 return 0;
213}
214
218
220 { L("abinary"), { .func = dict_flag_abinary } },
221 { L("concat"), { .func = dict_flag_concat } },
222 { L("encrypt"), { .func = dict_flag_encrypt, .needs_value = true } },
223 { L("extended"), { .func = dict_flag_extended } },
224 { L("has_tag"), { .func = dict_flag_has_tag } },
225 { L("long_extended"), { .func = dict_flag_long_extended } }
226};
227
228int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
229{
230 int i;
231
232 if ((code <= 0) || (code >= FR_RADIUS_CODE_MAX)) return -1;
233
234 for (i = 1; i < FR_RADIUS_CODE_MAX; i++) {
235 allowed[i] |= (allowed_replies[i] == (fr_radius_packet_code_t) code);
236 }
237
238 return 0;
239}
240
241/** Do Ascend-Send / Recv-Secret calculation.
242 *
243 * The secret is hidden by xoring with a MD5 digest created from
244 * the RADIUS shared secret and the authentication vector.
245 * We put them into MD5 in the reverse order from that used when
246 * encrypting passwords to RADIUS.
247 */
249 char const *secret, uint8_t const *vector)
250{
251 fr_md5_ctx_t *md5_ctx;
252 size_t i;
254 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
255
256 FR_DBUFF_EXTEND_LOWAT_OR_RETURN(&work_dbuff, sizeof(digest));
257
258 md5_ctx = fr_md5_ctx_alloc_from_list();
260 fr_md5_update(md5_ctx, (uint8_t const *) secret, talloc_array_length(secret) - 1);
261 fr_md5_final(digest, md5_ctx);
263
264 if (inlen > sizeof(digest)) inlen = sizeof(digest);
265 for (i = 0; i < inlen; i++) digest[i] ^= in[i];
266
267 fr_dbuff_in_memcpy(&work_dbuff, digest, sizeof(digest));
268
269 return fr_dbuff_set(dbuff, &work_dbuff);
270}
271
272/** Basic validation of RADIUS packet header
273 *
274 * @note fr_strerror errors are only available if fr_debug_lvl > 0. This is to reduce CPU time
275 * consumed when discarding malformed packet.
276 *
277 * @param[in] sockfd we're reading from.
278 * @param[out] src_ipaddr of the packet.
279 * @param[out] src_port of the packet.
280 * @param[out] code Pointer to where to write the packet code.
281 * @return
282 * - -1 on failure.
283 * - 1 on decode error.
284 * - >= RADIUS_HEADER_LENGTH on success. This is the packet length as specified in the header.
285 */
286ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
287{
288 ssize_t data_len, packet_len;
289 uint8_t header[4];
290
291 data_len = udp_recv_peek(sockfd, header, sizeof(header), UDP_FLAGS_PEEK, src_ipaddr, src_port);
292 if (data_len < 0) {
293 if ((errno == EAGAIN) || (errno == EINTR)) return 0;
294 return -1;
295 }
296
297 /*
298 * Too little data is available, discard the packet.
299 */
300 if (data_len < 4) {
301 char buffer[INET6_ADDRSTRLEN];
302
303 FR_DEBUG_STRERROR_PRINTF("Expected at least 4 bytes of header data, got %zd bytes", data_len);
304invalid:
305 FR_DEBUG_STRERROR_PRINTF_PUSH("Invalid data from %s",
306 inet_ntop(src_ipaddr->af, &src_ipaddr->addr, buffer, sizeof(buffer)));
307 (void) udp_recv_discard(sockfd);
308
309 return 0;
310 }
311
312 /*
313 * See how long the packet says it is.
314 */
315 packet_len = (header[2] * 256) + header[3];
316
317 /*
318 * The length in the packet says it's less than
319 * a RADIUS header length: discard it.
320 */
321 if (packet_len < RADIUS_HEADER_LENGTH) {
322 FR_DEBUG_STRERROR_PRINTF("Expected at least " STRINGIFY(RADIUS_HEADER_LENGTH) " bytes of packet "
323 "data, got %zd bytes", packet_len);
324 goto invalid;
325 }
326
327 /*
328 * Enforce RFC requirements, for sanity.
329 * Anything after 4k will be discarded.
330 */
331 if (packet_len > MAX_PACKET_LEN) {
332 FR_DEBUG_STRERROR_PRINTF("Length field value too large, expected maximum of "
333 STRINGIFY(MAX_PACKET_LEN) " bytes, got %zd bytes", packet_len);
334 goto invalid;
335 }
336
337 *code = header[0];
338
339 /*
340 * The packet says it's this long, but the actual UDP
341 * size could still be smaller.
342 */
343 return packet_len;
344}
345
346/** Sign a previously encoded packet
347 *
348 * Calculates the request/response authenticator for packets which need it, and fills
349 * in the message-authenticator value if the attribute is present in the encoded packet.
350 *
351 * @param[in,out] packet (request or response).
352 * @param[in] vector original packet vector to use
353 * @param[in] secret to sign the packet with.
354 * @param[in] secret_len The length of the secret.
355 * @return
356 * - <0 on error
357 * - 0 on success
358 */
359int fr_radius_sign(uint8_t *packet, uint8_t const *vector,
360 uint8_t const *secret, size_t secret_len)
361{
362 uint8_t *msg, *end;
363 size_t packet_len = fr_nbo_to_uint16(packet + 2);
364
365 /*
366 * No real limit on secret length, this is just
367 * to catch uninitialised fields.
368 */
369 if (!fr_cond_assert(secret_len <= UINT16_MAX)) {
370 fr_strerror_printf("Secret is too long. Expected <= %u, got %zu",
371 (unsigned int) UINT16_MAX, secret_len);
372 return -1;
373 }
374
375 if (packet_len < RADIUS_HEADER_LENGTH) {
376 fr_strerror_const("Packet must be encoded before calling fr_radius_sign()");
377 return -1;
378 }
379
380 /*
381 * Find Message-Authenticator. Its value has to be
382 * calculated before we calculate the Request
383 * Authenticator or the Response Authenticator.
384 */
385 msg = packet + RADIUS_HEADER_LENGTH;
386 end = packet + packet_len;
387
388 while (msg < end) {
389 if ((end - msg) < 2) goto invalid_attribute;
390
391 if (msg[0] != FR_MESSAGE_AUTHENTICATOR) {
392 if (msg[1] < 2) goto invalid_attribute;
393
394 if ((msg + msg[1]) > end) {
395 invalid_attribute:
396 fr_strerror_printf("Invalid attribute at offset %zd", msg - packet);
397 return -1;
398 }
399 msg += msg[1];
400 continue;
401 }
402
403 if (msg[1] < 18) {
404 fr_strerror_const("Message-Authenticator is too small");
405 return -1;
406 }
407
408 switch (packet[0]) {
412 memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH);
413 break;
414
423 if (!vector) goto need_original;
424 memcpy(packet + 4, vector, RADIUS_AUTH_VECTOR_LENGTH);
425 break;
426
429 /* packet + 4 MUST be the Request Authenticator filled with random data */
430 break;
431
432 default:
433 goto bad_packet;
434 }
435
436 /*
437 * Force Message-Authenticator to be zero,
438 * calculate the HMAC, and put it into the
439 * Message-Authenticator attribute.
440 */
441 memset(msg + 2, 0, RADIUS_AUTH_VECTOR_LENGTH);
442 fr_hmac_md5(msg + 2, packet, packet_len, secret, secret_len);
443 break;
444 }
445
446 /*
447 * Initialize the request authenticator.
448 */
449 switch (packet[0]) {
453 memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH);
454 break;
455
465 if (!vector) {
466 need_original:
467 fr_strerror_const("Cannot sign response packet without a request packet");
468 return -1;
469 }
470 memcpy(packet + 4, vector, RADIUS_AUTH_VECTOR_LENGTH);
471 break;
472
473 /*
474 * The Request Authenticator is random numbers.
475 * We don't need to sign anything else, so
476 * return.
477 */
480 return 0;
481
482 default:
483 bad_packet:
484 fr_strerror_printf("Cannot sign unknown packet code %u", packet[0]);
485 return -1;
486 }
487
488 /*
489 * Request / Response Authenticator = MD5(packet + secret)
490 */
491 {
492 fr_md5_ctx_t *md5_ctx;
493
494 md5_ctx = fr_md5_ctx_alloc_from_list();
495 fr_md5_update(md5_ctx, packet, packet_len);
496 fr_md5_update(md5_ctx, secret, secret_len);
497 fr_md5_final(packet + 4, md5_ctx);
499 }
500
501 return 0;
502}
503
504
505/** See if the data pointed to by PTR is a valid RADIUS packet.
506 *
507 * @param[in] packet to check.
508 * @param[in,out] packet_len_p The size of the packet data.
509 * @param[in] max_attributes to allow in the packet.
510 * @param[in] require_message_authenticator whether we require Message-Authenticator.
511 * @param[in] reason if not NULL, will have the failure reason written to where it points.
512 * @return
513 * - True on success.
514 * - False on failure.
515 */
516bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
517 uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
518{
519 uint8_t const *attr, *end;
520 size_t totallen;
521 bool seen_ma = false;
522 uint32_t num_attributes;
524 size_t packet_len = *packet_len_p;
525
526 /*
527 * Check for packets smaller than the packet header.
528 *
529 * RFC 2865, Section 3., subsection 'length' says:
530 *
531 * "The minimum length is 20 ..."
532 */
533 if (packet_len < RADIUS_HEADER_LENGTH) {
534 FR_DEBUG_STRERROR_PRINTF("Packet is too short (received %zu < minimum 20)",
535 packet_len);
537 goto finish;
538 }
539
540
541 /*
542 * Check for packets with mismatched size.
543 * i.e. We've received 128 bytes, and the packet header
544 * says it's 256 bytes long.
545 */
546 totallen = fr_nbo_to_uint16(packet + 2);
547
548 /*
549 * Code of 0 is not understood.
550 * Code of 16 or greater is not understood.
551 */
552 if ((packet[0] == 0) ||
553 (packet[0] >= FR_RADIUS_CODE_MAX)) {
554 FR_DEBUG_STRERROR_PRINTF("Unknown packet code %d", packet[0]);
556 goto finish;
557 }
558
559 switch (packet[0]) {
560 /*
561 * Message-Authenticator is required in Status-Server
562 * packets, otherwise they can be trivially forged.
563 */
565 require_message_authenticator = true;
566 break;
567
568 /*
569 * Message-Authenticator may or may not be
570 * required for Access-* packets.
571 */
576 break;
577
578 /*
579 * Message-Authenticator is not required for all other packets.
580 */
581 default:
582 require_message_authenticator = false;
583 break;
584 }
585
586 /*
587 * Repeat the length checks. This time, instead of
588 * looking at the data we received, look at the value
589 * of the 'length' field inside of the packet.
590 *
591 * Check for packets smaller than the packet header.
592 *
593 * RFC 2865, Section 3., subsection 'length' says:
594 *
595 * "The minimum length is 20 ..."
596 */
597 if (totallen < RADIUS_HEADER_LENGTH) {
598 FR_DEBUG_STRERROR_PRINTF("Length in header is too small (length %zu < minimum 20)",
599 totallen);
601 goto finish;
602 }
603
604 /*
605 * And again, for the value of the 'length' field.
606 *
607 * RFC 2865, Section 3., subsection 'length' says:
608 *
609 * " ... and maximum length is 4096."
610 *
611 * HOWEVER. This requirement is for the network layer.
612 * If the code gets here, we assume that a well-formed
613 * packet is an OK packet.
614 *
615 * We allow both the UDP data length, and the RADIUS
616 * "length" field to contain up to 64K of data.
617 */
618
619 /*
620 * RFC 2865, Section 3., subsection 'length' says:
621 *
622 * "If the packet is shorter than the Length field
623 * indicates, it MUST be silently discarded."
624 *
625 * i.e. No response to the NAS.
626 */
627 if (totallen > packet_len) {
628 FR_DEBUG_STRERROR_PRINTF("Packet is truncated (received %zu < packet header length of %zu)",
629 packet_len, totallen);
631 goto finish;
632 }
633
634 /*
635 * RFC 2865, Section 3., subsection 'length' says:
636 *
637 * "Octets outside the range of the Length field MUST be
638 * treated as padding and ignored on reception."
639 */
640 if (totallen < packet_len) {
641 *packet_len_p = packet_len = totallen;
642 }
643
644 /*
645 * Walk through the packet's attributes, ensuring that
646 * they add up EXACTLY to the size of the packet.
647 *
648 * If they don't, then the attributes either under-fill
649 * or over-fill the packet. Any parsing of the packet
650 * is impossible, and will result in unknown side effects.
651 *
652 * This would ONLY happen with buggy RADIUS implementations,
653 * or with an intentional attack. Either way, we do NOT want
654 * to be vulnerable to this problem.
655 */
656 attr = packet + RADIUS_HEADER_LENGTH;
657 end = packet + packet_len;
658 num_attributes = 0;
659
660 while (attr < end) {
661 /*
662 * We need at least 2 bytes to check the
663 * attribute header.
664 */
665 if ((end - attr) < 2) {
666 FR_DEBUG_STRERROR_PRINTF("Attribute header overflows the packet");
668 goto finish;
669 }
670
671 /*
672 * Attribute number zero is NOT defined.
673 */
674 if (attr[0] == 0) {
675 FR_DEBUG_STRERROR_PRINTF("Invalid attribute 0 at offset %zd", attr - packet);
677 goto finish;
678 }
679
680 /*
681 * Attributes are at LEAST as long as the ID & length
682 * fields. Anything shorter is an invalid attribute.
683 */
684 if (attr[1] < 2) {
685 FR_DEBUG_STRERROR_PRINTF("Attribute %u is too short at offset %zd",
686 attr[0], attr - packet);
688 goto finish;
689 }
690
691 /*
692 * If there are fewer bytes in the packet than in the
693 * attribute, it's a bad packet.
694 */
695 if ((attr + attr[1]) > end) {
696 FR_DEBUG_STRERROR_PRINTF("Attribute %u data overflows the packet starting at offset %zd",
697 attr[0], attr - packet);
699 goto finish;
700 }
701
702 /*
703 * Sanity check the attributes for length.
704 */
705 switch (attr[0]) {
706 default: /* don't do anything by default */
707 break;
708
709 /*
710 * If there's an EAP-Message, we require
711 * a Message-Authenticator.
712 */
713 case FR_EAP_MESSAGE:
714 require_message_authenticator = true;
715 break;
716
717 case FR_MESSAGE_AUTHENTICATOR:
718 if (attr[1] != 2 + RADIUS_AUTH_VECTOR_LENGTH) {
719 FR_DEBUG_STRERROR_PRINTF("Message-Authenticator has invalid length (%d != 18) at offset %zd",
720 attr[1] - 2, attr - packet);
722 goto finish;
723 }
724 seen_ma = true;
725 break;
726 }
727
728 attr += attr[1];
729 num_attributes++; /* seen one more attribute */
730 }
731
732 /*
733 * If the attributes add up to a packet, it's allowed.
734 *
735 * If not, we complain, and throw the packet away.
736 */
737 if (attr != end) {
738 FR_DEBUG_STRERROR_PRINTF("Attributes do NOT exactly fill the packet");
740 goto finish;
741 }
742
743 /*
744 * If we're configured to look for a maximum number of
745 * attributes, and we've seen more than that maximum,
746 * then throw the packet away, as a possible DoS.
747 */
748 if ((max_attributes > 0) &&
749 (num_attributes > max_attributes)) {
750 FR_DEBUG_STRERROR_PRINTF("Possible DoS attack - too many attributes in request (received %u, max %u are allowed).",
751 num_attributes, max_attributes);
753 goto finish;
754 }
755
756 /*
757 * http://www.freeradius.org/rfc/rfc2869.html#EAP-Message
758 *
759 * A packet with an EAP-Message attribute MUST also have
760 * a Message-Authenticator attribute.
761 *
762 * A Message-Authenticator all by itself is OK, though.
763 *
764 * Similarly, Status-Server packets MUST contain
765 * Message-Authenticator attributes.
766 */
767 if (require_message_authenticator && !seen_ma) {
768 FR_DEBUG_STRERROR_PRINTF("We require Message-Authenticator attribute, but it is not in the packet");
769 failure = DECODE_FAIL_MA_MISSING;
770 goto finish;
771 }
772
773finish:
774
775 if (reason) {
776 *reason = failure;
777 }
778 return (failure == DECODE_FAIL_NONE);
779}
780
781
782/** Verify a request / response packet
783 *
784 * This function does its work by calling fr_radius_sign(), and then
785 * comparing the signature in the packet with the one we calculated.
786 * If they differ, there's a problem.
787 *
788 * @param[in] packet the raw RADIUS packet (request or response)
789 * @param[in] vector the original packet vector
790 * @param[in] secret the shared secret
791 * @param[in] secret_len the length of the secret
792 * @param[in] require_message_authenticator whether we require Message-Authenticator.
793 * @param[in] limit_proxy_state whether we allow Proxy-State without Message-Authenticator.
794 * @return
795 * < <0 on error (negative fr_radius_decode_fail_t)
796 * - 0 on success.
797 */
798int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
799 uint8_t const *secret, size_t secret_len,
800 bool require_message_authenticator, bool limit_proxy_state)
801{
802 bool found_message_authenticator = false;
803 bool found_proxy_state = false;
804 int rcode;
805 int code;
806 uint8_t *msg, *end;
807 size_t packet_len = fr_nbo_to_uint16(packet + 2);
808 uint8_t request_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
809 uint8_t message_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
810
811 if (packet_len < RADIUS_HEADER_LENGTH) {
812 fr_strerror_printf("invalid packet length %zu", packet_len);
814 }
815
816 code = packet[0];
817 if (!code || (code >= FR_RADIUS_CODE_MAX)) {
818 fr_strerror_printf("Unknown reply code %d", code);
820 }
821
822 memcpy(request_authenticator, packet + 4, sizeof(request_authenticator));
823
824 /*
825 * Find Message-Authenticator. Its value has to be
826 * calculated before we calculate the Request
827 * Authenticator or the Response Authenticator.
828 */
829 msg = packet + RADIUS_HEADER_LENGTH;
830 end = packet + packet_len;
831
832 while (msg < end) {
833 if ((end - msg) < 2) goto invalid_attribute;
834
835 if (msg[0] != FR_MESSAGE_AUTHENTICATOR) {
836 if (msg[1] < 2) goto invalid_attribute;
837
838 /*
839 * If we're not allowing Proxy-State without
840 * Message-authenticator, we need to record
841 * the fact we found Proxy-State.
842 */
843 if (limit_proxy_state && (msg[0] == FR_PROXY_STATE)) found_proxy_state = true;
844
845 if ((msg + msg[1]) > end) {
846 invalid_attribute:
847 fr_strerror_printf("invalid attribute at offset %zd", msg - packet);
849 }
850 msg += msg[1];
851 continue;
852 }
853
854 if (msg[1] < 18) {
855 fr_strerror_const("too small Message-Authenticator");
857 }
858
859 /*
860 * Found it, save a copy.
861 */
862 memcpy(message_authenticator, msg + 2, sizeof(message_authenticator));
863 found_message_authenticator = true;
864 break;
865 }
866
867 if (packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) {
868 if (limit_proxy_state && found_proxy_state && !found_message_authenticator) {
869 fr_strerror_const("Proxy-State is not allowed without Message-Authenticator");
871 }
872
873 if (require_message_authenticator && !found_message_authenticator) {
874 fr_strerror_const("Access-Request is missing the required Message-Authenticator attribute");
876 }
877 }
878
879 /*
880 * Overwrite the contents of Message-Authenticator
881 * with the one we calculate.
882 */
883 rcode = fr_radius_sign(packet, vector, secret, secret_len);
884 if (rcode < 0) {
885 fr_strerror_const_push("Failed calculating correct authenticator");
886 return -DECODE_FAIL_VERIFY;
887 }
888
889 /*
890 * Check the Message-Authenticator first.
891 *
892 * If it's invalid, restore the original
893 * Message-Authenticator and Request Authenticator
894 * fields.
895 *
896 * If it's valid the original and calculated
897 * message authenticators are the same, so we don't
898 * need to do anything.
899 */
900 if ((msg < end) &&
901 (fr_digest_cmp(message_authenticator, msg + 2, sizeof(message_authenticator)) != 0)) {
902 memcpy(msg + 2, message_authenticator, sizeof(message_authenticator));
903 memcpy(packet + 4, request_authenticator, sizeof(request_authenticator));
904
905 fr_strerror_const("invalid Message-Authenticator (shared secret is incorrect)");
907 }
908
909 /*
910 * These are random numbers, so there's no point in
911 * comparing them.
912 */
913 if ((packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) || (packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) {
914 return 0;
915 }
916
917 /*
918 * Check the Request Authenticator.
919 */
920 if (fr_digest_cmp(request_authenticator, packet + 4, sizeof(request_authenticator)) != 0) {
921 memcpy(packet + 4, request_authenticator, sizeof(request_authenticator));
922 if (vector) {
923 fr_strerror_const("invalid Response Authenticator (shared secret is incorrect)");
924 } else {
925 fr_strerror_const("invalid Request Authenticator (shared secret is incorrect)");
926 }
927 return -DECODE_FAIL_VERIFY;
928 }
929
930 return 0;
931}
932
933void *fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx);
934
935void *fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx)
936{
937 fr_pair_t *c = current;
938 fr_dict_t *dict = talloc_get_type_abort(uctx, fr_dict_t);
939
940 while ((c = fr_dlist_next(cursor->dlist, c))) {
941 PAIR_VERIFY(c);
942 if ((c->da->dict == dict) &&
943 (!c->da->flags.internal || ((c->da->attr > FR_TAG_BASE) && (c->da->attr < (FR_TAG_BASE + 0x20))))) {
944 break;
945 }
946 }
947
948 return c;
949}
950
951
954 // can be in Access-Accept
957
960
962
963 [ FR_RADIUS_CODE_COA_ACK ] = true,
964 [ FR_RADIUS_CODE_COA_NAK ] = true,
965
969
971};
972
974{
975 ssize_t slen;
976 fr_pair_t const *vp;
977 fr_dcursor_t cursor;
978 fr_dbuff_t work_dbuff, length_dbuff;
979
981
982 /*
983 * The RADIUS header can't do more than 64K of data.
984 */
985 work_dbuff = FR_DBUFF_MAX(dbuff, 65535);
986
987 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, packet_ctx->code, packet_ctx->id);
988 length_dbuff = FR_DBUFF(&work_dbuff);
990
991 switch (packet_ctx->code) {
994 packet_ctx->request_authenticator = fr_dbuff_current(&work_dbuff);
995
996 /*
997 * Allow over-rides of the authentication vector for testing.
998 */
1000 if (vp && (vp->vp_length >= RADIUS_AUTH_VECTOR_LENGTH)) {
1001 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_octets, RADIUS_AUTH_VECTOR_LENGTH);
1002 } else {
1003 int i;
1004
1005 for (i = 0; i < 4; i++) {
1006 FR_DBUFF_IN_RETURN(&work_dbuff, (uint32_t) fr_rand());
1007 }
1008 }
1009 break;
1010
1020 if (!packet_ctx->request_authenticator) {
1021 fr_strerror_const("Cannot encode response without request");
1022 return -1;
1023 }
1025 break;
1026
1029 /*
1030 * Tunnel-Password encoded attributes are allowed
1031 * in CoA-Request packets, by RFC 5176 Section
1032 * 3.6. HOWEVER, the tunnel passwords are
1033 * "encrypted" using the Request Authenticator,
1034 * which is all zeros! That makes them much
1035 * easier to decrypt. The only solution here is
1036 * to say "don't do that!"
1037 */
1039 packet_ctx->request_authenticator = fr_dbuff_current(&work_dbuff);
1040
1042 break;
1043
1044 default:
1045 fr_strerror_printf("Cannot encode unknown packet code %d", packet_ctx->code);
1046 return -1;
1047 }
1048
1049 /*
1050 * Always add Message-Authenticator after the packet
1051 * header for insecure transport protocols.
1052 */
1053 if (!packet_ctx->common->secure_transport) switch (packet_ctx->code) {
1059 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_MESSAGE_AUTHENTICATOR, 0x12,
1060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
1062 packet_ctx->seen_message_authenticator = true;
1063 }
1064
1065 /*
1066 * If we're sending Protocol-Error, add in
1067 * Original-Packet-Code manually. If the user adds it
1068 * later themselves, well, too bad.
1069 */
1070 if (packet_ctx->code == FR_RADIUS_CODE_PROTOCOL_ERROR) {
1071 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_EXTENDED_ATTRIBUTE_1, 0x07, 0x04 /* Original-Packet-Code */,
1072 0x00, 0x00, 0x00, packet_ctx->request_code);
1073 }
1074
1075 /*
1076 * Loop over the reply attributes for the packet.
1077 */
1079 while ((vp = fr_dcursor_current(&cursor))) {
1080 PAIR_VERIFY(vp);
1081
1082 /*
1083 * Encode an individual VP
1084 */
1085 slen = fr_radius_encode_pair(&work_dbuff, &cursor, packet_ctx);
1086 if (slen < 0) return slen;
1087 } /* done looping over all attributes */
1088
1089 /*
1090 * Add Proxy-State to the end of the packet if the caller requested it.
1091 */
1092 if (packet_ctx->add_proxy_state) {
1093 FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_PROXY_STATE, (uint8_t) (2 + sizeof(packet_ctx->common->proxy_state)));
1094 FR_DBUFF_IN_RETURN(&work_dbuff, packet_ctx->common->proxy_state);
1095 }
1096
1097 /*
1098 * Fill in the length field we zeroed out earlier.
1099 *
1100 */
1101 fr_dbuff_in(&length_dbuff, (uint16_t) (fr_dbuff_used(&work_dbuff)));
1102
1103 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), fr_dbuff_used(&work_dbuff), "%s encoded packet", __FUNCTION__);
1104
1105 return fr_dbuff_set(dbuff, &work_dbuff);
1106}
1107
1109 uint8_t *packet, size_t packet_len,
1110 fr_radius_decode_ctx_t *decode_ctx)
1111{
1112 ssize_t slen;
1113 uint8_t const *attr, *end;
1114 static const uint8_t zeros[RADIUS_AUTH_VECTOR_LENGTH] = {};
1115
1116 if (!decode_ctx->request_authenticator) {
1117 switch (packet[0]) {
1120 decode_ctx->request_authenticator = packet + 4;
1121 break;
1122
1126 decode_ctx->request_authenticator = zeros;
1127 break;
1128
1129 default:
1130 fr_strerror_const("No authentication vector passed for packet decode");
1131 return -1;
1132 }
1133 }
1134
1135 if (decode_ctx->request_code) {
1136 unsigned int code = packet[0];
1137
1138 if (code >= FR_RADIUS_CODE_MAX) {
1140 }
1141 if (decode_ctx->request_code >= FR_RADIUS_CODE_MAX) {
1143 }
1144
1145 if (!allowed_replies[code]) {
1146 fr_strerror_printf("%s packet received unknown reply code %s",
1149 }
1150
1151 /*
1152 * Protocol error can reply to any packet.
1153 *
1154 * Status-Server can get any reply.
1155 *
1156 * Otherwise the reply code must be associated with the request code we sent.
1157 */
1159 (allowed_replies[code] != decode_ctx->request_code)) {
1160 fr_strerror_printf("%s packet received invalid reply code %s",
1163 }
1164 }
1165
1166 /*
1167 * We can skip verification for dynamic client checks, and where packets are unsigned as with
1168 * RADIUS/1.1.
1169 */
1170 if (decode_ctx->verify) {
1171 if (!decode_ctx->request_authenticator) decode_ctx->request_authenticator = zeros;
1172
1173 if (fr_radius_verify(packet, decode_ctx->request_authenticator,
1174 (uint8_t const *) decode_ctx->common->secret, decode_ctx->common->secret_length,
1175 decode_ctx->require_message_authenticator, decode_ctx->limit_proxy_state) < 0) {
1176 return -1;
1177 }
1178 }
1179
1180 attr = packet + 20;
1181 end = packet + packet_len;
1182
1183 /*
1184 * The caller MUST have called fr_radius_ok() first. If
1185 * he doesn't, all hell breaks loose.
1186 */
1187 while (attr < end) {
1188 slen = fr_radius_decode_pair(ctx, out, attr, (end - attr), decode_ctx);
1189 if (slen < 0) return slen;
1190
1191 /*
1192 * If slen is larger than the room in the packet,
1193 * all kinds of bad things happen.
1194 */
1195 if (!fr_cond_assert(slen <= (end - attr))) {
1196 return -slen;
1197 }
1198
1199 attr += slen;
1200 talloc_free_children(decode_ctx->tmp_ctx);
1201 }
1202
1203 /*
1204 * We've parsed the whole packet, return that.
1205 */
1206 return packet_len;
1207}
1208
1209/** Simple wrapper for callers who just need a shared secret
1210 *
1211 */
1213 uint8_t *packet, size_t packet_len,
1214 uint8_t const *vector, char const *secret)
1215{
1216 ssize_t rcode;
1217 fr_radius_ctx_t common_ctx = {};
1218 fr_radius_decode_ctx_t packet_ctx = {};
1219
1220 common_ctx.secret = secret;
1221 common_ctx.secret_length = strlen(secret);
1222
1223 packet_ctx.common = &common_ctx;
1224 packet_ctx.tmp_ctx = talloc(ctx, uint8_t);
1225 packet_ctx.request_authenticator = vector;
1226 packet_ctx.end = packet + packet_len;
1227
1228 rcode = fr_radius_decode(ctx, out, packet, packet_len, &packet_ctx);
1229 talloc_free(packet_ctx.tmp_ctx);
1230
1231 return rcode;
1232}
1233
1235{
1236 if (instance_count > 0) {
1238 return 0;
1239 }
1240
1242
1244 fail:
1246 return -1;
1247 }
1248
1251 goto fail;
1252 }
1253
1254 return 0;
1255}
1256
1258{
1259 if (--instance_count != 0) return;
1260
1262}
1263
1265{
1267
1268 if (da->parent->type == FR_TYPE_STRUCT) {
1269 if (flags->extended) {
1270 fr_strerror_const("Attributes of type 'extended' cannot be used inside of a 'struct'");
1271 return false;
1272 }
1273
1274 if (flags->long_extended) {
1275 fr_strerror_const("Attributes of type 'long_extended' cannot be used inside of a 'struct'");
1276 return false;
1277 }
1278
1279
1280 if (flags->concat) {
1281 fr_strerror_const("Attributes of type 'concat' cannot be used inside of a 'struct'");
1282 return false;
1283 }
1284
1285 if (flags->has_tag) {
1286 fr_strerror_const("Attributes of type 'concat' cannot be used inside of a 'struct'");
1287 return false;
1288 }
1289
1290 if (flags->abinary) {
1291 fr_strerror_const("Attributes of type 'abinary' cannot be used inside of a 'struct'");
1292 return false;
1293 }
1294
1295 if (flags->encrypt > 0) {
1296 fr_strerror_const("Attributes of type 'encrypt' cannot be used inside of a 'struct'");
1297 return false;
1298 }
1299
1300 return true;
1301 }
1302
1303 if (da->flags.length > 253) {
1304 fr_strerror_printf("Attributes cannot be more than 253 octets in length");
1305 return false;
1306 }
1307 /*
1308 * Secret things are secret.
1309 */
1310 if (flags->encrypt != 0) da->flags.secret = true;
1311
1312 if (flags->concat) {
1313 if (!da->parent->flags.is_root) {
1314 fr_strerror_const("Attributes with the 'concat' flag MUST be at the root of the dictionary");
1315 return false;
1316 }
1317
1318 if (da->type != FR_TYPE_OCTETS) {
1319 fr_strerror_const("Attributes with the 'concat' flag MUST be of data type 'octets'");
1320 return false;
1321 }
1322
1323 return true; /* can't use any other flag */
1324 }
1325
1326 /*
1327 * Tagged attributes can only be of two data types. They
1328 * can, however, be VSAs.
1329 */
1330 if (flags->has_tag) {
1331 if ((da->type != FR_TYPE_UINT32) && (da->type != FR_TYPE_STRING)) {
1332 fr_strerror_printf("The 'has_tag' flag can only be used for attributes of type 'integer' "
1333 "or 'string'");
1334 return false;
1335 }
1336
1337 if (!(da->parent->flags.is_root ||
1338 ((da->parent->type == FR_TYPE_VENDOR) &&
1339 (da->parent->parent && da->parent->parent->type == FR_TYPE_VSA)))) {
1340 fr_strerror_const("The 'has_tag' flag can only be used with RFC and VSA attributes");
1341 return false;
1342 }
1343
1344 return true;
1345 }
1346
1347 if (flags->extended) {
1348 if (da->type != FR_TYPE_TLV) {
1349 fr_strerror_const("The 'long' or 'extended' flag can only be used for attributes of type 'tlv'");
1350 return false;
1351 }
1352
1353 if (!da->parent->flags.is_root) {
1354 fr_strerror_const("The 'long' flag can only be used for top-level RFC attributes");
1355 return false;
1356 }
1357
1358 return true;
1359 }
1360
1361 /*
1362 * Stupid hacks for MS-CHAP-MPPE-Keys. The User-Password
1363 * encryption method has no provisions for encoding the
1364 * length of the data. For User-Password, the data is
1365 * (presumably) all printable non-zero data. For
1366 * MS-CHAP-MPPE-Keys, the data is binary crap. So... we
1367 * MUST specify a length in the dictionary.
1368 */
1369 if ((flags->encrypt == RADIUS_FLAG_ENCRYPT_USER_PASSWORD) && (da->type != FR_TYPE_STRING)) {
1370 if (da->type != FR_TYPE_OCTETS) {
1371 fr_strerror_printf("The 'encrypt=User-Password' flag can only be used with "
1372 "attributes of type 'string'");
1373 return false;
1374 }
1375
1376 if (da->flags.length == 0) {
1377 fr_strerror_printf("The 'encrypt=User-Password' flag MUST be used with an explicit length for "
1378 "'octets' data types");
1379 return false;
1380 }
1381 }
1382
1383 switch (da->type) {
1384 case FR_TYPE_STRING:
1385 break;
1386
1387 case FR_TYPE_TLV:
1388 case FR_TYPE_IPV4_ADDR:
1389 case FR_TYPE_UINT32:
1390 case FR_TYPE_OCTETS:
1391 if (flags->encrypt != RADIUS_FLAG_ENCRYPT_ASCEND_SECRET) break;
1393
1394 default:
1395 if (flags->encrypt) {
1396 fr_strerror_printf("The 'encrypt' flag cannot be used with attributes of type '%s'",
1397 fr_type_to_str(da->type));
1398 return false;
1399 }
1400 }
1401
1402 return true;
1403}
1404
1407 .name = "radius",
1408 .default_type_size = 1,
1409 .default_type_length = 1,
1410 .attr = {
1411 .flags = {
1412 .table = radius_flags,
1413 .table_len = NUM_ELEMENTS(radius_flags),
1414 .len = sizeof(fr_radius_attr_flags_t),
1415 },
1416 .valid = attr_valid,
1417 },
1418
1419 .init = fr_radius_global_init,
1420 .free = fr_radius_global_free,
1421
1422 .decode = fr_radius_decode_foreign,
1423 .encode = fr_radius_encode_foreign,
1424};
static int const char char buffer[256]
Definition acutest.h:576
log_entry msg
Definition acutest.h:794
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define STRINGIFY(x)
Definition build.h:197
#define UNUSED
Definition build.h:317
#define NUM_ELEMENTS(_t)
Definition build.h:339
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
Definition dbuff.h:767
#define FR_DBUFF_EXTEND_LOWAT_OR_RETURN(_dbuff_or_marker, _lowat)
Extend if we're below _lowat and return if we can't extend above _lowat.
Definition dbuff.h:673
#define fr_dbuff_current(_dbuff_or_marker)
Return the 'current' position of a dbuff or marker.
Definition dbuff.h:911
#define fr_dbuff_set(_dst, _src)
Set the 'current' position in a dbuff or marker using another dbuff or marker, a char pointer,...
Definition dbuff.h:1004
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
Definition dbuff.h:898
#define FR_DBUFF_MEMSET_RETURN(_dbuff_or_marker, _c, _inlen)
Set _inlen bytes of a dbuff or marker to _c returning if there is insufficient space.
Definition dbuff.h:1508
#define FR_DBUFF_IN_MEMCPY_RETURN(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1382
#define fr_dbuff_in_memcpy(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into a dbuff or marker.
Definition dbuff.h:1350
#define fr_dbuff_in(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff or marker.
Definition dbuff.h:1567
#define FR_DBUFF_IN_RETURN(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff returning if there is insufficient space.
Definition dbuff.h:1585
#define FR_DBUFF(_dbuff_or_marker)
Create a new dbuff pointing to the same underlying buffer.
Definition dbuff.h:222
#define FR_DBUFF_MAX(_dbuff_or_marker, _max)
Limit the maximum number of bytes available in the dbuff when passing it to another function.
Definition dbuff.h:301
#define FR_DBUFF_IN_BYTES_RETURN(_dbuff_or_marker,...)
Copy a byte sequence into a dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1472
static void * fr_dcursor_current(fr_dcursor_t *cursor)
Return the item the cursor current points to.
Definition dcursor.h:339
fr_dlist_head_t * dlist
Head of the doubly linked list being iterated over.
Definition dcursor.h:94
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
fr_radius_packet_code_t
RADIUS packet codes.
Definition defs.h:31
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
@ FR_RADIUS_CODE_UNDEFINED
Packet code has not been set.
Definition defs.h:32
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
#define MAX_PACKET_LEN
Definition defs.h:68
static int sockfd
Definition dhcpclient.c:56
#define fr_dict_autofree(_to_free)
Definition dict.h:870
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4134
@ FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC
Protocol specific extensions.
Definition dict.h:177
#define fr_dict_autoload(_to_load)
Definition dict.h:867
static fr_slen_t in
Definition dict.h:841
char const * name
name of this protocol
Definition dict.h:435
#define FR_DICT_ATTR_FLAG_FUNC(_struct, _name)
Define a flag setting function, which sets one bit in a fr_dict_attr_flags_t.
Definition dict.h:414
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Protocol specific custom flag definitnion.
Definition dict.h:404
Protocol-specific callbacks in libfreeradius-PROTOCOL.
Definition dict.h:434
static void * fr_dict_attr_ext(fr_dict_attr_t const *da, fr_dict_attr_ext_t ext)
Definition dict_ext.h:140
Test enumeration values.
Definition dict_test.h:92
static void * fr_dlist_next(fr_dlist_head_t const *list_head, void const *ptr)
Get the next item in a list.
Definition dlist.h:555
int fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen, uint8_t const *key, size_t key_len)
Calculate HMAC using internal MD5 implementation.
Definition hmac_md5.c:119
int af
Address family.
Definition inet.h:64
union fr_ipaddr_t::@136 addr
IPv4/6 prefix.
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
fr_dict_attr_t const * attr_state
Definition base.c:103
fr_dict_attr_t const * attr_eap_message
Definition base.c:96
fr_dict_t const * dict_radius
Definition base.c:78
fr_dict_attr_t const * attr_message_authenticator
Definition base.c:94
static int dict_flag_encrypt(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules)
Definition base.c:227
static uint32_t instance_count
Definition base.c:44
talloc_free(reap)
int udp_recv_discard(int sockfd)
Discard the next UDP packet.
Definition udp.c:75
ssize_t udp_recv_peek(int sockfd, void *data, size_t data_len, int flags, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Peek at the header of a UDP packet.
Definition udp.c:95
fr_md5_update_t fr_md5_update
Definition md5.c:442
fr_md5_final_t fr_md5_final
Definition md5.c:443
void fr_md5_ctx_free_from_list(fr_md5_ctx_t **ctx)
Definition md5.c:522
fr_md5_ctx_t * fr_md5_ctx_alloc_from_list(void)
Definition md5.c:477
void fr_md5_ctx_t
Definition md5.h:28
#define MD5_DIGEST_LENGTH
unsigned short uint16_t
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
@ FR_TYPE_VSA
Vendor-Specific, for RADIUS attribute 26.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
long int ssize_t
unsigned char uint8_t
int fr_digest_cmp(uint8_t const *a, uint8_t const *b, size_t length)
Do a comparison of two authentication digests by comparing the FULL data.
Definition misc.c:472
char const * inet_ntop(int af, void const *src, char *dst, size_t cnt)
Definition missing.c:443
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
#define RADIUS_HEADER_LENGTH
Definition net.h:80
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
static uint8_t const zeros[6]
Definition base.c:93
static bool attr_valid(fr_dict_attr_t *da)
Definition base.c:443
fr_dict_protocol_t libfreeradius_radius_dict_protocol
Definition base.c:1406
fr_dict_autoload_t libfreeradius_radius_dict[]
Definition base.c:47
fr_dict_attr_t const * attr_nas_filter_rule
Definition base.c:61
static const bool disallow_tunnel_passwords[FR_RADIUS_CODE_MAX]
Definition base.c:952
static fr_dict_flag_parser_t const radius_flags[]
Definition base.c:219
fr_dict_attr_t const * attr_packet_authentication_vector
Definition base.c:54
static const fr_radius_packet_code_t allowed_replies[FR_RADIUS_CODE_MAX]
If we get a reply, the request must come from one of a small number of packet types.
Definition base.c:173
ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen, char const *secret, uint8_t const *vector)
Do Ascend-Send / Recv-Secret calculation.
Definition base.c:248
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition base.c:1108
size_t fr_radius_limit_proxy_state_table_len
Definition base.c:100
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len)
Sign a previously encoded packet.
Definition base.c:359
int fr_radius_verify(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_message_authenticator, bool limit_proxy_state)
Verify a request / response packet.
Definition base.c:798
fr_dict_attr_autoload_t libfreeradius_radius_dict_attr[]
Definition base.c:64
size_t fr_radius_require_ma_table_len
Definition base.c:91
fr_dict_attr_t const * attr_chap_challenge
Definition base.c:55
void * fr_radius_next_encodable(fr_dcursor_t *cursor, void *current, void *uctx)
Definition base.c:935
fr_dict_attr_t const * attr_vendor_specific
Definition base.c:60
int fr_radius_global_init(void)
Definition base.c:1234
size_t fr_radius_request_name_table_len
Definition base.c:111
#define FR_DEBUG_STRERROR_PRINTF
Definition base.c:81
fr_dict_attr_t const * attr_chargeable_user_identity
Definition base.c:56
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)
Simple wrapper for callers who just need a shared secret.
Definition base.c:1212
void fr_radius_global_free(void)
Definition base.c:1257
fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[]
Definition base.c:93
fr_table_num_sorted_t const fr_radius_request_name_table[]
Definition base.c:102
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:84
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
See if the data pointed to by PTR is a valid RADIUS packet.
Definition base.c:516
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
Definition base.c:973
#define FR_DEBUG_STRERROR_PRINTF_PUSH
Definition base.c:82
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:113
ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
Basic validation of RADIUS packet header.
Definition base.c:286
int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
Definition base.c:228
ssize_t fr_radius_decode_foreign(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len)
Definition decode.c:2092
ssize_t fr_radius_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx)
Create a "normal" fr_pair_t from the given data.
Definition decode.c:1985
ssize_t fr_radius_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
Encode a data structure into a RADIUS attribute.
Definition encode.c:1515
ssize_t fr_radius_encode_foreign(fr_dbuff_t *dbuff, fr_pair_list_t const *list)
Definition encode.c:1680
VQP attributes.
static rc_request_t * current
static char * secret
unsigned int has_tag
Attribute has a tag.
Definition radius.h:156
bool secure_transport
for TLS
Definition radius.h:98
@ FR_RADIUS_REQUIRE_MA_NO
Do not require Message-Authenticator.
Definition radius.h:63
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
Definition radius.h:64
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
Definition radius.h:65
fr_radius_ctx_t const * common
Definition radius.h:104
uint8_t request_code
original code for the request.
Definition radius.h:132
uint8_t const * request_authenticator
Definition radius.h:127
unsigned int abinary
Attribute is in "abinary" format.
Definition radius.h:157
fr_radius_decode_fail_t
Failure reasons.
Definition radius.h:162
@ DECODE_FAIL_INVALID_ATTRIBUTE
Definition radius.h:170
@ DECODE_FAIL_ATTRIBUTE_UNDERFLOW
Definition radius.h:174
@ DECODE_FAIL_MIN_LENGTH_FIELD
Definition radius.h:166
@ DECODE_FAIL_HEADER_OVERFLOW
Definition radius.h:168
@ DECODE_FAIL_ATTRIBUTE_TOO_SHORT
Definition radius.h:171
@ DECODE_FAIL_MA_INVALID
Definition radius.h:177
@ DECODE_FAIL_ATTRIBUTE_OVERFLOW
Definition radius.h:172
@ DECODE_FAIL_TOO_MANY_ATTRIBUTES
Definition radius.h:175
@ DECODE_FAIL_NONE
Definition radius.h:163
@ DECODE_FAIL_MIN_LENGTH_PACKET
Definition radius.h:164
@ DECODE_FAIL_MIN_LENGTH_MISMATCH
Definition radius.h:167
@ DECODE_FAIL_VERIFY
Definition radius.h:178
@ DECODE_FAIL_MA_INVALID_LENGTH
Definition radius.h:173
@ DECODE_FAIL_MA_MISSING
Definition radius.h:176
@ DECODE_FAIL_UNKNOWN_PACKET_CODE
Definition radius.h:169
bool disallow_tunnel_passwords
not all packets can have tunnel passwords
Definition radius.h:120
char const * secret
Definition radius.h:95
unsigned int concat
Attribute is concatenated.
Definition radius.h:155
uint8_t const * end
end of the packet
Definition radius.h:130
bool limit_proxy_state
Don't allow Proxy-State in requests.
Definition radius.h:137
uint64_t proxy_state
Definition radius.h:100
uint8_t const * request_authenticator
Definition radius.h:106
unsigned int extended
Attribute is an extended attribute.
Definition radius.h:154
fr_radius_attr_flags_encrypt_t encrypt
Attribute is encrypted.
Definition radius.h:158
bool require_message_authenticator
Definition radius.h:136
size_t secret_length
Definition radius.h:96
bool verify
can skip verify for dynamic clients
Definition radius.h:135
fr_radius_ctx_t const * common
Definition radius.h:125
@ FR_RADIUS_LIMIT_PROXY_STATE_NO
Do not limit Proxy-State.
Definition radius.h:77
@ FR_RADIUS_LIMIT_PROXY_STATE_AUTO
Do not allow Proxy-State unless:
Definition radius.h:82
@ FR_RADIUS_LIMIT_PROXY_STATE_YES
Limit Proxy-State.
Definition radius.h:79
unsigned int long_extended
Attribute is a long extended attribute.
Definition radius.h:153
fr_radius_attr_flags_encrypt_t
Definition radius.h:144
@ RADIUS_FLAG_ENCRYPT_INVALID
Invalid encryption flag.
Definition radius.h:145
@ RADIUS_FLAG_ENCRYPT_USER_PASSWORD
Encrypt attribute RFC 2865 style.
Definition radius.h:147
@ RADIUS_FLAG_ENCRYPT_ASCEND_SECRET
Encrypt attribute ascend style.
Definition radius.h:149
@ RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD
Encrypt attribute RFC 2868 style.
Definition radius.h:148
static fr_radius_attr_flags_t const * fr_radius_attr_flags(fr_dict_attr_t const *da)
Return RADIUS-specific flags for a given attribute.
Definition radius.h:187
bool add_proxy_state
do we add a Proxy-State?
Definition radius.h:119
bool seen_message_authenticator
Definition radius.h:121
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition radius.h:129
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
fr_pair_t * vp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
#define UDP_FLAGS_PEEK
Definition udp.h:39
#define fr_pair_dcursor_iter_init(_cursor, _list, _iter, _uctx)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
Definition pair.h:567
#define PAIR_VERIFY(_x)
Definition pair.h:191
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition proto.h:42
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
#define fr_strerror_const_push(_msg)
Definition strerror.h:227
#define fr_strerror_const(_msg)
Definition strerror.h:223
static char const * fr_type_to_str(fr_type_t type)
Return a static string containing the type name.
Definition types.h:450
static size_t char fr_sbuff_t size_t inlen
Definition value.h:1020
static size_t char ** out
Definition value.h:1020