The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
radclient.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: bb03a8c79c64b76b943d611346e263279776ef22 $
19 *
20 * @file src/bin/radclient.c
21 * @brief General radius client and debug tool.
22 *
23 * @copyright 2000,2006,2014 The FreeRADIUS server project
24 * @copyright 2000 Miquel van Smoorenburg (miquels@cistron.nl)
25 * @copyright 2000 Alan DeKok (aland@freeradius.org)
26 */
27
28RCSID("$Id: bb03a8c79c64b76b943d611346e263279776ef22 $")
29
30#include <freeradius-devel/util/conf.h>
31#include <freeradius-devel/util/syserror.h>
32#include <freeradius-devel/util/atexit.h>
33#include <freeradius-devel/util/pair_legacy.h>
34#include <freeradius-devel/util/time.h>
35#include <freeradius-devel/server/packet.h>
36#include <freeradius-devel/radius/list.h>
37#include <freeradius-devel/radius/radius.h>
38#include <freeradius-devel/util/chap.h>
39#ifdef HAVE_OPENSSL_SSL_H
40#include <openssl/ssl.h>
41#endif
42#include <ctype.h>
43
44#ifdef HAVE_GETOPT_H
45# include <getopt.h>
46#endif
47
48#include <assert.h>
49
50typedef struct request_s request_t; /* to shut up warnings about mschap.h */
51
52#include "smbdes.h"
53#include "mschap.h"
54
55#include "radclient.h"
56
57#define pair_update_request(_attr, _da) do { \
58 _attr = fr_pair_find_by_da(&request->request_pairs, NULL, _da); \
59 if (!_attr) { \
60 _attr = fr_pair_afrom_da(request, _da); \
61 assert(_attr != NULL); \
62 fr_pair_append(&request->request_pairs, _attr); \
63 } \
64 } while (0)
65
66static int retries = 3;
67static fr_time_delta_t timeout = fr_time_delta_wrap((int64_t)5 * NSEC); /* 5 seconds */
68static fr_time_delta_t sleep_time = fr_time_delta_wrap(-1);
69static char *secret = NULL;
70static bool do_output = true;
71
72static const char *attr_coa_filter_name = "User-Name";
73
74static rc_stats_t stats;
75
76static uint16_t server_port = 0;
77static int packet_code = FR_RADIUS_CODE_UNDEFINED;
78static fr_ipaddr_t server_ipaddr;
79static int resend_count = 1;
80static bool done = true;
81static bool print_filename = false;
82static bool blast_radius = false;
83
84static fr_ipaddr_t client_ipaddr;
85static uint16_t client_port = 0;
86
87static int sockfd;
88static int last_used_id = -1;
89
90static int ipproto = IPPROTO_UDP;
91
92static bool do_coa = false;
93static int coafd;
94static uint16_t coa_port = FR_COA_UDP_PORT;
95static fr_rb_tree_t *coa_tree = NULL;
96
97static fr_packet_list_t *packet_list = NULL;
98
99static fr_dlist_head_t rc_request_list;
100
101static char const *radclient_version = RADIUSD_VERSION_BUILD("radclient");
102
103static fr_dict_t const *dict_freeradius;
104static fr_dict_t const *dict_radius;
105
106extern fr_dict_autoload_t radclient_dict[];
107fr_dict_autoload_t radclient_dict[] = {
108 { .out = &dict_freeradius, .proto = "freeradius" },
109 { .out = &dict_radius, .proto = "radius" },
110 { NULL }
111};
112
113static fr_dict_attr_t const *attr_cleartext_password;
114
115static fr_dict_attr_t const *attr_ms_chap_challenge;
116static fr_dict_attr_t const *attr_ms_chap_password;
117static fr_dict_attr_t const *attr_ms_chap_response;
118
119static fr_dict_attr_t const *attr_radclient_test_name;
120static fr_dict_attr_t const *attr_request_authenticator;
121
122static fr_dict_attr_t const *attr_chap_password;
123static fr_dict_attr_t const *attr_chap_challenge;
124static fr_dict_attr_t const *attr_packet_type;
125static fr_dict_attr_t const *attr_user_name;
126static fr_dict_attr_t const *attr_user_password;
127static fr_dict_attr_t const *attr_proxy_state;
128
129static fr_dict_attr_t const *attr_radclient_coa_filename;
130static fr_dict_attr_t const *attr_radclient_coa_filter;
131
132static fr_dict_attr_t const *attr_coa_filter = NULL;
133
134extern fr_dict_attr_autoload_t radclient_dict_attr[];
135fr_dict_attr_autoload_t radclient_dict_attr[] = {
136 { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
137 { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
138 { .out = &attr_ms_chap_password, .name = "Password.MS-CHAP", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
139 { .out = &attr_ms_chap_response, .name = "Vendor-Specific.Microsoft.CHAP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
140
141 { .out = &attr_radclient_test_name, .name = "Radclient-Test-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
142 { .out = &attr_request_authenticator, .name = "Request-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
143
144 { .out = &attr_radclient_coa_filename, .name = "Radclient-CoA-Filename", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
145 { .out = &attr_radclient_coa_filter, .name = "Radclient-CoA-Filter", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
146
147 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
148 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
149 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
150 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
151 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
152 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
153
154 { NULL }
155};
156
157static NEVER_RETURNS void usage(void)
158{
159 fprintf(stderr, "Usage: radclient [options] server[:port] <command> [<secret>]\n");
160
161 fprintf(stderr, " <command> One of auth, acct, status, coa, disconnect or auto.\n");
162 fprintf(stderr, " -4 Use IPv4 address of server\n");
163 fprintf(stderr, " -6 Use IPv6 address of server.\n");
164 fprintf(stderr, " -A <attribute> Use named 'attribute' to match CoA requests to packets. Default is User-Name\n");
165 fprintf(stderr, " -b Mandate checks for Blast RADIUS issue (this is not set by default).\n");
166 fprintf(stderr, " -C [<client_ip>:]<client_port> Client source port and source IP address. Port values may be 1..65535\n");
167 fprintf(stderr, " -c <count> Send each packet 'count' times.\n");
168 fprintf(stderr, " -d <raddb> Set user dictionary directory (defaults to " RADDBDIR ").\n");
169 fprintf(stderr, " -D <dictdir> Set main dictionary directory (defaults to " DICTDIR ").\n");
170 fprintf(stderr, " -f <request>[:<expected>][:<coa_reply>][:<coa_expected>] Read packets from file, not stdin.\n");
171 fprintf(stderr, " If a second file is provided, it will be used to verify responses\n");
172 fprintf(stderr, " -F Print the file name, packet number and reply code.\n");
173 fprintf(stderr, " -h Print usage help information.\n");
174 fprintf(stderr, " -i <id> Set request id to 'id'. Values may be 0..255\n");
175 fprintf(stderr, " -n <num> Send N requests/s\n");
176 fprintf(stderr, " -o <port> Set CoA listening port (defaults to 3799)\n");
177 fprintf(stderr, " -p <num> Send 'num' packets from a file in parallel.\n");
178 fprintf(stderr, " -P <proto> Use proto (tcp or udp) for transport.\n");
179 fprintf(stderr, " -r <retries> If timeout, retry sending the packet 'retries' times.\n");
180 fprintf(stderr, " -s Print out summary information of auth results.\n");
181 fprintf(stderr, " -S <file> read secret from file, not command line.\n");
182 fprintf(stderr, " -t <timeout> Wait 'timeout' seconds before retrying (may be a floating point number).\n");
183 fprintf(stderr, " -v Show program version information.\n");
184 fprintf(stderr, " -x Debugging mode.\n");
185
186 fr_exit_now(EXIT_SUCCESS);
187}
188
189/*
190 * Free a radclient struct, which may (or may not)
191 * already be in the list.
192 */
193static int _rc_request_free(rc_request_t *request)
194{
195 fr_dlist_remove(&rc_request_list, request);
196
197 if (do_coa) (void) fr_rb_delete_by_inline_node(coa_tree, &request->node);
198
199 return 0;
200}
201
202#ifdef HAVE_OPENSSL_SSL_H
203#include <openssl/provider.h>
204
205static OSSL_PROVIDER *openssl_default_provider = NULL;
206static OSSL_PROVIDER *openssl_legacy_provider = NULL;
207
208static int openssl3_init(void)
209{
210 /*
211 * Load the default provider for most algorithms
212 */
213 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
214 if (!openssl_default_provider) {
215 ERROR("(TLS) Failed loading default provider");
216 return -1;
217 }
218
219 /*
220 * Needed for MD4
221 *
222 * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
223 */
224 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
225 if (!openssl_legacy_provider) {
226 ERROR("(TLS) Failed loading legacy provider");
227 return -1;
228 }
229
230 return 0;
231}
232
233static void openssl3_free(void)
234{
235 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
236 ERROR("Failed unloading default provider");
237 }
238 openssl_default_provider = NULL;
239
240 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
241 ERROR("Failed unloading legacy provider");
242 }
243 openssl_legacy_provider = NULL;
244}
245#else
246#define openssl3_init()
247#define openssl3_free()
248#endif
249
250static int mschapv1_encode(fr_packet_t *packet, fr_pair_list_t *list,
251 char const *password)
252{
253 unsigned int i;
254 uint8_t *p;
255 fr_pair_t *challenge, *reply;
256 uint8_t nthash[16];
257
258 fr_pair_delete_by_da(list, attr_ms_chap_challenge);
259 fr_pair_delete_by_da(list, attr_ms_chap_response);
260
261 MEM(challenge = fr_pair_afrom_da(packet, attr_ms_chap_challenge));
262
263 fr_pair_append(list, challenge);
264
265 MEM(p = talloc_array(challenge, uint8_t, 8));
266 fr_pair_value_memdup_buffer_shallow(challenge, p, false);
267
268 for (i = 0; i < challenge->vp_length; i++) {
269 p[i] = fr_rand();
270 }
271
272 MEM(reply = fr_pair_afrom_da(packet, attr_ms_chap_response));
273 fr_pair_append(list, reply);
274 p = talloc_zero_array(reply, uint8_t, 50); /* really reply->da->flags.length */
275 fr_pair_value_memdup_buffer_shallow(reply, p, false);
276
277 p[1] = 0x01; /* NT hash */
278
279 if (mschap_nt_password_hash(nthash, password) < 0) return 0;
280
281 smbdes_mschap(nthash, challenge->vp_octets, p + 26);
282 return 1;
283}
284
285
286static int getport(char const *name)
287{
288 struct servent *svp;
289
290 svp = getservbyname(name, "udp");
291 if (!svp) return 0;
292
293 return ntohs(svp->s_port);
294}
295
296/*
297 * Set a port from the request type if we don't already have one
298 */
299static void radclient_get_port(fr_radius_packet_code_t type, uint16_t *port)
300{
301 switch (type) {
302 default:
303 case FR_RADIUS_CODE_ACCESS_REQUEST:
304 case FR_RADIUS_CODE_ACCESS_CHALLENGE:
305 case FR_RADIUS_CODE_STATUS_SERVER:
306 if (*port == 0) *port = getport("radius");
307 if (*port == 0) *port = FR_AUTH_UDP_PORT;
308 return;
309
310 case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
311 if (*port == 0) *port = getport("radacct");
312 if (*port == 0) *port = FR_ACCT_UDP_PORT;
313 return;
314
315 case FR_RADIUS_CODE_DISCONNECT_REQUEST:
316 if (*port == 0) *port = FR_POD_UDP_PORT;
317 return;
318
319 case FR_RADIUS_CODE_COA_REQUEST:
320 if (*port == 0) *port = FR_COA_UDP_PORT;
321 return;
322
323 case FR_RADIUS_CODE_UNDEFINED:
324 if (*port == 0) *port = 0;
325 return;
326 }
327}
328
329/*
330 * Resolve a port to a request type
331 */
332static fr_radius_packet_code_t radclient_get_code(uint16_t port)
333{
334 /*
335 * getport returns 0 if the service doesn't exist
336 * so we need to return early, to avoid incorrect
337 * codes.
338 */
339 if (port == 0) return FR_RADIUS_CODE_UNDEFINED;
340
341 if ((port == getport("radius")) || (port == FR_AUTH_UDP_PORT) || (port == FR_AUTH_UDP_PORT_ALT)) {
342 return FR_RADIUS_CODE_ACCESS_REQUEST;
343 }
344 if ((port == getport("radacct")) || (port == FR_ACCT_UDP_PORT) || (port == FR_ACCT_UDP_PORT_ALT)) {
345 return FR_RADIUS_CODE_ACCOUNTING_REQUEST;
346 }
347 if (port == FR_COA_UDP_PORT) return FR_RADIUS_CODE_COA_REQUEST;
348
349 return FR_RADIUS_CODE_UNDEFINED;
350}
351
352
353static bool already_hex(fr_pair_t *vp)
354{
355 size_t i;
356
357 if (!vp || (vp->vp_type != FR_TYPE_OCTETS)) return true;
358
359 /*
360 * If it's 17 octets, it *might* be already encoded.
361 * Or, it might just be a 17-character password (maybe UTF-8)
362 * Check it for non-printable characters. The odds of ALL
363 * of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
364 * or 1/(2^51), which is pretty much zero.
365 */
366 for (i = 0; i < vp->vp_length; i++) {
367 if (vp->vp_octets[i] < 32) {
368 return true;
369 }
370 }
371
372 return false;
373}
374
375/*
376 * Read one CoA reply and possibly filter
377 */
378static int coa_init(rc_request_t *parent, FILE *coa_reply, char const *reply_filename, bool *coa_reply_done, FILE *coa_filter, char const *filter_filename, bool *coa_filter_done)
379{
380 rc_request_t *request;
381 fr_pair_t *vp;
382
383 /*
384 * Allocate it.
385 */
386 MEM(request = talloc_zero(parent, rc_request_t));
387 MEM(request->reply = fr_packet_alloc(request, false));
388
389 /*
390 * Don't initialize src/dst IP/port, or anything else. That will be read from the network.
391 */
392 fr_pair_list_init(&request->filter);
393 fr_pair_list_init(&request->request_pairs);
394 fr_pair_list_init(&request->reply_pairs);
395
396 /*
397 * Read the reply VP's.
398 */
399 if (fr_pair_list_afrom_file(request, dict_radius,
400 &request->reply_pairs, coa_reply, coa_reply_done) < 0) {
401 REDEBUG("Error parsing \"%s\"", reply_filename);
402 error:
403 talloc_free(request);
404 return -1;
405 }
406
407 /*
408 * The reply can be empty. In which case we just send an empty ACK.
409 */
410 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
411 if (vp) request->reply->code = vp->vp_uint32;
412
413 /*
414 * Read in filter VP's.
415 */
416 if (coa_filter) {
417 if (fr_pair_list_afrom_file(request, dict_radius,
418 &request->filter, coa_filter, coa_filter_done) < 0) {
419 REDEBUG("Error parsing \"%s\"", filter_filename);
420 goto error;
421 }
422
423 if (*coa_filter_done && !*coa_reply_done) {
424 REDEBUG("Differing number of replies/filters in %s:%s "
425 "(too many replies))", reply_filename, filter_filename);
426 goto error;
427 }
428
429 if (!*coa_filter_done && *coa_reply_done) {
430 REDEBUG("Differing number of replies/filters in %s:%s "
431 "(too many filters))", reply_filename, filter_filename);
432 goto error;
433 }
434
435 /*
436 * This allows efficient list comparisons later
437 */
438 fr_pair_list_sort(&request->filter, fr_pair_cmp_by_da);
439 }
440
441 request->name = parent->name;
442
443 /*
444 * Automatically set the response code from the request code
445 * (if one wasn't already set).
446 */
447 if (request->filter_code == FR_RADIUS_CODE_UNDEFINED) {
448 request->filter_code = FR_RADIUS_CODE_COA_REQUEST;
449 }
450
451 parent->coa = request;
452
453 /*
454 * Ensure that the packet is also tracked in the CoA tree.
455 */
456 fr_assert(coa_tree);
457 if (!fr_rb_insert(coa_tree, parent)) {
458 ERROR("Failed inserting packet from %s into CoA tree", request->name);
459 fr_exit_now(1);
460 }
461
462 return 0;
463}
464
465/*
466 * Initialize a radclient data structure and add it to
467 * the global linked list.
468 */
469static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
470{
471 FILE *packets, *filters = NULL;
472
473 fr_pair_t *vp;
474 rc_request_t *request = NULL;
475 bool packets_done = false;
476 uint64_t num = 0;
477
478 FILE *coa_reply = NULL;
479 FILE *coa_filter = NULL;
480 bool coa_reply_done = false;
481 bool coa_filter_done = false;
482
483 assert(files->packets != NULL);
484
485 /*
486 * Determine where to read the VP's from.
487 */
488 if (strcmp(files->packets, "-") != 0) {
489 packets = fopen(files->packets, "r");
490 if (!packets) {
491 ERROR("Error opening %s: %s", files->packets, fr_syserror(errno));
492 return -1;
493 }
494
495 /*
496 * Read in the pairs representing the expected response.
497 */
498 if (files->filters) {
499 filters = fopen(files->filters, "r");
500 if (!filters) {
501 ERROR("Error opening %s: %s", files->filters, fr_syserror(errno));
502 goto error;
503 }
504 }
505
506 if (files->coa_reply) {
507 coa_reply = fopen(files->coa_reply, "r");
508 if (!coa_reply) {
509 ERROR("Error opening %s: %s", files->coa_reply, fr_syserror(errno));
510 goto error;
511 }
512 }
513
514 if (files->coa_filter) {
515 coa_filter = fopen(files->coa_filter, "r");
516 if (!coa_filter) {
517 ERROR("Error opening %s: %s", files->coa_filter, fr_syserror(errno));
518 goto error;
519 }
520 }
521 } else {
522 packets = stdin;
523 }
524
525 /*
526 * Loop until the file is done.
527 */
528 do {
529 char const *coa_reply_filename = NULL;
530 char const *coa_filter_filename = NULL;
531
532 /*
533 * Allocate it.
534 */
535 MEM(request = talloc_zero(ctx, rc_request_t));
536 MEM(request->packet = fr_packet_alloc(request, true));
537 request->packet->uctx = request;
538
539 request->packet->socket.inet.src_ipaddr = client_ipaddr;
540 request->packet->socket.inet.src_port = client_port;
541 request->packet->socket.inet.dst_ipaddr = server_ipaddr;
542 request->packet->socket.inet.dst_port = server_port;
543 request->packet->socket.type = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
544
545 request->files = files;
546 request->packet->id = last_used_id;
547 request->num = num++;
548
549 fr_pair_list_init(&request->filter);
550 fr_pair_list_init(&request->request_pairs);
551 fr_pair_list_init(&request->reply_pairs);
552
553 /*
554 * Read the request VP's.
555 */
556 if (fr_pair_list_afrom_file(request, dict_radius,
557 &request->request_pairs, packets, &packets_done) < 0) {
558 char const *input;
559
560 if ((files->packets[0] == '-') && (files->packets[1] == '\0')) {
561 input = "stdin";
562 } else {
563 input = files->packets;
564 }
565
566 REDEBUG("Error parsing \"%s\"", input);
567 goto error;
568 }
569
570 /*
571 * Skip empty entries
572 */
573 if (fr_pair_list_empty(&request->request_pairs)) {
574 WARN("Skipping \"%s\": No Attributes", files->packets);
575 talloc_free(request);
576 continue;
577 }
578
579 /*
580 * Read in filter VP's.
581 */
582 if (filters) {
583 bool filters_done;
584
585 if (fr_pair_list_afrom_file(request, dict_radius,
586 &request->filter, filters, &filters_done) < 0) {
587 REDEBUG("Error parsing \"%s\"", files->filters);
588 goto error;
589 }
590
591 if (filters_done && !packets_done) {
592 REDEBUG("Differing number of packets/filters in %s:%s "
593 "(too many requests))", files->packets, files->filters);
594 goto error;
595 }
596
597 if (!filters_done && packets_done) {
598 REDEBUG("Differing number of packets/filters in %s:%s "
599 "(too many filters))", files->packets, files->filters);
600 goto error;
601 }
602
603 vp = fr_pair_find_by_da(&request->filter, NULL, attr_packet_type);
604 if (vp) {
605 request->filter_code = vp->vp_uint32;
606 fr_pair_delete(&request->filter, vp);
607 }
608
609 /*
610 * This allows efficient list comparisons later
611 */
612 fr_pair_list_sort(&request->filter, fr_pair_cmp_by_da);
613 }
614
615 /*
616 * Process special attributes
617 */
618 for (vp = fr_pair_list_head(&request->request_pairs);
619 vp;
620 vp = fr_pair_list_next(&request->request_pairs, vp)) {
621 /*
622 * Allow it to set the packet type in
623 * the attributes read from the file.
624 */
625 if (vp->da == attr_packet_type) {
626 request->packet->code = vp->vp_uint32;
627 } else if (vp->da == attr_request_authenticator) {
628 if (vp->vp_length > sizeof(request->packet->vector)) {
629 memcpy(request->packet->vector, vp->vp_octets, sizeof(request->packet->vector));
630 } else {
631 memset(request->packet->vector, 0, sizeof(request->packet->vector));
632 memcpy(request->packet->vector, vp->vp_octets, vp->vp_length);
633 }
634 } else if (vp->da == attr_cleartext_password) {
635 request->password = vp;
636 /*
637 * Keep a copy of the the password attribute.
638 */
639 } else if (vp->da == attr_chap_password) {
640 /*
641 * If it's already hex, do nothing.
642 */
643 if ((vp->vp_length == 17) && (already_hex(vp))) continue;
644
645 /*
646 * CHAP-Password is octets, so it may not be zero terminated.
647 */
648 pair_update_request(request->password, attr_cleartext_password);
649 fr_pair_value_bstrndup(request->password, vp->vp_strvalue, vp->vp_length, true);
650 } else if ((vp->da == attr_user_password) ||
651 (vp->da == attr_ms_chap_password)) {
652 pair_update_request(request->password, attr_cleartext_password);
653 fr_pair_value_bstrndup(request->password, vp->vp_strvalue, vp->vp_length, true);
654
655 } else if (vp->da == attr_radclient_test_name) {
656 request->name = vp->vp_strvalue;
657
658 } else if (vp->da == attr_radclient_coa_filename) {
659 coa_reply_filename = vp->vp_strvalue;
660
661 } else if (vp->da == attr_radclient_coa_filter) {
662 coa_filter_filename = vp->vp_strvalue;
663 }
664 } /* loop over the VP's we read in */
665
666 /*
667 * Use the default set on the command line
668 */
669 if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) request->packet->code = packet_code;
670
671 /*
672 * Fill in the packet header from attributes, and then
673 * re-realize the attributes.
674 */
675 fr_packet_net_from_pairs(request->packet, &request->request_pairs);
676
677 /*
678 * Default to the filename
679 */
680 if (!request->name) request->name = request->files->packets;
681
682 /*
683 * Automatically set the response code from the request code
684 * (if one wasn't already set).
685 */
686 if (request->filter_code == FR_RADIUS_CODE_UNDEFINED) {
687 switch (request->packet->code) {
688 case FR_RADIUS_CODE_ACCESS_REQUEST:
689 request->filter_code = FR_RADIUS_CODE_ACCESS_ACCEPT;
690 break;
691
692 case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
693 request->filter_code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE;
694 break;
695
696 case FR_RADIUS_CODE_COA_REQUEST:
697 request->filter_code = FR_RADIUS_CODE_COA_ACK;
698 break;
699
700 case FR_RADIUS_CODE_DISCONNECT_REQUEST:
701 request->filter_code = FR_RADIUS_CODE_DISCONNECT_ACK;
702 break;
703
704 case FR_RADIUS_CODE_STATUS_SERVER:
705 switch (radclient_get_code(request->packet->socket.inet.dst_port)) {
706 case FR_RADIUS_CODE_ACCESS_REQUEST:
707 request->filter_code = FR_RADIUS_CODE_ACCESS_ACCEPT;
708 break;
709
710 case FR_RADIUS_CODE_ACCOUNTING_REQUEST:
711 request->filter_code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE;
712 break;
713
714 default:
715 request->filter_code = FR_RADIUS_CODE_UNDEFINED;
716 break;
717 }
718 break;
719
720 case FR_RADIUS_CODE_UNDEFINED:
721 REDEBUG("Packet-Type must be defined,"
722 "or a well known RADIUS port");
723 goto error;
724
725 default:
726 REDEBUG("Can't determine expected reply.Packet-Type for Packet-Type %i",
727 request->packet->code);
728 goto error;
729 }
730 /*
731 * Automatically set the request code from the response code
732 * (if one wasn't already set).
733 */
734 } else if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) {
735 switch (request->filter_code) {
736 case FR_RADIUS_CODE_ACCESS_ACCEPT:
737 case FR_RADIUS_CODE_ACCESS_REJECT:
738 request->packet->code = FR_RADIUS_CODE_ACCESS_REQUEST;
739 break;
740
741 case FR_RADIUS_CODE_ACCOUNTING_RESPONSE:
742 request->packet->code = FR_RADIUS_CODE_ACCOUNTING_REQUEST;
743 break;
744
745 case FR_RADIUS_CODE_DISCONNECT_ACK:
746 case FR_RADIUS_CODE_DISCONNECT_NAK:
747 request->packet->code = FR_RADIUS_CODE_DISCONNECT_REQUEST;
748 break;
749
750 case FR_RADIUS_CODE_COA_ACK:
751 case FR_RADIUS_CODE_COA_NAK:
752 request->packet->code = FR_RADIUS_CODE_COA_REQUEST;
753 break;
754
755 default:
756 REDEBUG("Can't determine expected Packet-Type for reply.Packet-Type %i",
757 request->filter_code);
758 goto error;
759 }
760 }
761
762 /*
763 * Automatically set the dst port (if one wasn't already set).
764 */
765 if (request->packet->socket.inet.dst_port == 0) {
766 radclient_get_port(request->packet->code, &request->packet->socket.inet.dst_port);
767 if (request->packet->socket.inet.dst_port == 0) {
768 REDEBUG("Can't determine destination port");
769 goto error;
770 }
771 }
772
773 /*
774 * Read in the CoA filename and filter.
775 */
776 if (coa_reply_filename) {
777 if (coa_reply) {
778 RDEBUG("Cannot specify CoA file on both the command line and via Radclient-CoA-Filename");
779 goto error;
780 }
781
782 coa_reply = fopen(coa_reply_filename, "r");
783 if (!coa_reply) {
784 ERROR("Error opening %s: %s", coa_reply_filename, fr_syserror(errno));
785 goto error;
786 }
787
788 if (coa_filter_filename) {
789 coa_filter = fopen(coa_filter_filename, "r");
790 if (!coa_filter) {
791 ERROR("Error opening %s: %s", coa_filter_filename, fr_syserror(errno));
792 goto error;
793 }
794 } else {
795 coa_filter = NULL;
796 }
797
798 if (coa_init(request, coa_reply, coa_reply_filename, &coa_reply_done,
799 coa_filter, coa_filter_filename, &coa_filter_done) < 0) {
800 goto error;
801 }
802
803 fclose(coa_reply);
804 coa_reply = NULL;
805 if (coa_filter) {
806 fclose(coa_filter);
807 coa_filter = NULL;
808 }
809 do_coa = true;
810
811 } else if (coa_reply) {
812 if (coa_init(request, coa_reply, coa_reply_filename, &coa_reply_done,
813 coa_filter, coa_filter_filename, &coa_filter_done) < 0) {
814 goto error;
815 }
816
817 if (coa_reply_done != packets_done) {
818 REDEBUG("Differing number of packets in input file and coa_reply in %s:%s ",
819 files->packets, files->coa_reply);
820 goto error;
821
822 }
823 }
824
825 /*
826 * Add it to the tail of the list.
827 */
828 fr_dlist_insert_tail(&rc_request_list, request);
829
830 /*
831 * Set the destructor so it removes itself from the
832 * request list when freed. We don't set this until
833 * the packet is actually in the list, else we trigger
834 * the asserts in the free callback.
835 */
836 talloc_set_destructor(request, _rc_request_free);
837 } while (!packets_done); /* loop until the file is done. */
838
839 if (packets != stdin) fclose(packets);
840 if (filters) fclose(filters);
841 if (coa_reply) fclose(coa_reply);
842 if (coa_filter) fclose(coa_filter);
843
844 /*
845 * And we're done.
846 */
847 return 0;
848
849error:
850 talloc_free(request);
851
852 if (packets != stdin) fclose(packets);
853 if (filters) fclose(filters);
854 if (coa_reply) fclose(coa_reply);
855 if (coa_filter) fclose(coa_filter);
856
857 return -1;
858}
859
860
861/*
862 * Sanity check each argument.
863 */
864static int radclient_sane(rc_request_t *request)
865{
866 if (request->packet->socket.inet.dst_port == 0) {
867 request->packet->socket.inet.dst_port = server_port;
868 }
869 if (request->packet->socket.inet.dst_ipaddr.af == AF_UNSPEC) {
870 if (server_ipaddr.af == AF_UNSPEC) {
871 ERROR("No server was given, and request %" PRIu64 " in file %s did not contain "
872 "Packet-Dst-IP-Address", request->num, request->files->packets);
873 return -1;
874 }
875 request->packet->socket.inet.dst_ipaddr = server_ipaddr;
876 }
877 if (request->packet->code == 0) {
878 if (packet_code == -1) {
879 ERROR("Request was \"auto\", and request %" PRIu64 " in file %s did not contain Packet-Type",
880 request->num, request->files->packets);
881 return -1;
882 }
883 request->packet->code = packet_code;
884 }
885 request->packet->socket.fd = -1;
886
887 return 0;
888}
889
890
891static int8_t request_cmp(void const *one, void const *two)
892{
893 rc_request_t const *a = one, *b = two;
894 fr_pair_t *vp1, *vp2;
895
896 vp1 = fr_pair_find_by_da(&a->request_pairs, NULL, attr_coa_filter);
897 vp2 = fr_pair_find_by_da(&b->request_pairs, NULL, attr_coa_filter);
898
899 if (!vp1) return -1;
900 if (!vp2) return +1;
901
902 return fr_value_box_cmp(&vp1->data, &vp2->data);
903}
904
905
906/*
907 * Deallocate packet ID, etc.
908 */
909static void deallocate_id(rc_request_t *request)
910{
911 if (!request || !request->packet ||
912 (request->packet->id < 0)) {
913 return;
914 }
915
916 /*
917 * One more unused RADIUS ID.
918 */
919 fr_packet_list_id_free(packet_list, request->packet, true);
920
921 /*
922 * If we've already sent a packet, free up the old one,
923 * and ensure that the next packet has a unique
924 * authentication vector.
925 */
926 if (request->packet->data) TALLOC_FREE(request->packet->data);
927 if (request->reply) fr_packet_free(&request->reply);
928}
929
930/*
931 * Send one packet.
932 */
933static int send_one_packet(rc_request_t *request)
934{
935 assert(request->done == false);
936
937#ifdef STATIC_ANALYZER
938 if (!secret) fr_exit_now(1);
939#endif
940
941 /*
942 * Remember when we have to wake up, to re-send the
943 * request, of we didn't receive a reply.
944 */
945 if ((fr_time_delta_eq(sleep_time, fr_time_delta_wrap(-1)) || (fr_time_delta_gt(sleep_time, timeout)))) {
946 sleep_time = timeout;
947 }
948
949 /*
950 * Haven't sent the packet yet. Initialize it.
951 */
952 if (!request->tries || request->packet->id == -1) {
953 bool rcode;
954
955 assert(request->reply == NULL);
956
957 /*
958 * Didn't find a free packet ID, we're not done,
959 * we don't sleep, and we stop trying to process
960 * this packet.
961 */
962 retry:
963 request->packet->socket.inet.src_ipaddr.af = server_ipaddr.af;
964 rcode = fr_packet_list_id_alloc(packet_list, ipproto, request->packet, NULL);
965 if (!rcode) {
966 int mysockfd;
967
968 if (ipproto == IPPROTO_TCP) {
969 mysockfd = fr_socket_client_tcp(NULL, NULL,
970 &request->packet->socket.inet.dst_ipaddr,
971 request->packet->socket.inet.dst_port, false);
972 if (mysockfd < 0) {
973 fr_perror("Error opening socket");
974 return -1;
975 }
976 } else {
977 uint16_t port = 0;
978
979 mysockfd = fr_socket_server_udp(&client_ipaddr, &port, NULL, true);
980 if (mysockfd < 0) {
981 fr_perror("Error opening socket");
982 return -1;
983 }
984
985 if (fr_socket_bind(mysockfd, NULL, &client_ipaddr, &port) < 0) {
986 fr_perror("Error binding socket");
987 return -1;
988 }
989 }
990
991 if (!fr_packet_list_socket_add(packet_list, mysockfd, ipproto,
992 &request->packet->socket.inet.dst_ipaddr,
993 request->packet->socket.inet.dst_port, NULL)) {
994 ERROR("Can't add new socket");
995 fr_exit_now(1);
996 }
997 goto retry;
998 }
999
1000 assert(request->packet->id != -1);
1001 assert(request->packet->data == NULL);
1002
1003 /*
1004 * Update the password, so it can be encrypted with the
1005 * new authentication vector.
1006 */
1007 if (request->password) {
1008 fr_pair_t *vp;
1009
1010 if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password)) != NULL) {
1011 fr_pair_value_strdup(vp, request->password->vp_strvalue, false);
1012
1013 } else if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password)) != NULL) {
1014 uint8_t buffer[17];
1015 fr_pair_t *challenge;
1016 uint8_t const *vector;
1017
1018 /*
1019 * Use Chap-Challenge pair if present,
1020 * Request Authenticator otherwise.
1021 */
1022 challenge = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge);
1023 if (challenge && (challenge->vp_length == RADIUS_AUTH_VECTOR_LENGTH)) {
1024 vector = challenge->vp_octets;
1025 } else {
1026 vector = request->packet->vector;
1027 }
1028
1029 fr_chap_encode(buffer,
1030 fr_rand() & 0xff, vector, RADIUS_AUTH_VECTOR_LENGTH,
1031 request->password->vp_strvalue,
1032 request->password->vp_length);
1033 fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
1034
1035 } else if (fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_ms_chap_password) != NULL) {
1036 mschapv1_encode(request->packet, &request->request_pairs, request->password->vp_strvalue);
1037
1038 } else {
1039 DEBUG("WARNING: No password in the request");
1040 }
1041 }
1042
1043 request->timestamp = fr_time();
1044 request->tries = 1;
1045 request->resend++;
1046
1047 } else { /* request->packet->id >= 0 */
1048 fr_time_t now = fr_time();
1049
1050 /*
1051 * FIXME: Accounting packets are never retried!
1052 * The Acct-Delay-Time attribute is updated to
1053 * reflect the delay, and the packet is re-sent
1054 * from scratch!
1055 */
1056
1057 /*
1058 * Not time for a retry, do so.
1059 */
1060 if (fr_time_delta_lt(fr_time_sub(now, request->timestamp), timeout)) {
1061 /*
1062 * When we walk over the tree sending
1063 * packets, we update the minimum time
1064 * required to sleep.
1065 */
1066 if (fr_time_delta_eq(sleep_time, fr_time_delta_wrap(-1)) ||
1067 fr_time_delta_gt(sleep_time, fr_time_sub(now, request->timestamp))) {
1068 sleep_time = fr_time_sub(now, request->timestamp);
1069 }
1070 return 0;
1071 }
1072
1073 /*
1074 * We're not trying later, maybe the packet is done.
1075 */
1076 if (request->tries == retries) {
1077 assert(request->packet->id >= 0);
1078
1079 /*
1080 * Delete the request from the tree of
1081 * outstanding requests.
1082 */
1083 fr_packet_list_yank(packet_list, request->packet);
1084
1085 REDEBUG("No reply from server for ID %d socket %d",
1086 request->packet->id, request->packet->socket.fd);
1087 deallocate_id(request);
1088
1089 /*
1090 * Normally we mark it "done" when we've received
1091 * the reply, but this is a special case.
1092 */
1093 if (request->resend == resend_count) {
1094 request->done = true;
1095 }
1096 stats.lost++;
1097 return -1;
1098 }
1099
1100 /*
1101 * We are trying later.
1102 */
1103 request->timestamp = now;
1104 request->tries++;
1105 }
1106
1107 /*
1108 * Send the packet.
1109 */
1110 if (fr_packet_send(request->packet, &request->request_pairs, NULL, secret) < 0) {
1111 REDEBUG("Failed to send packet for ID %d", request->packet->id);
1112 deallocate_id(request);
1113 request->done = true;
1114 return -1;
1115 }
1116
1117 fr_radius_packet_log(&default_log, request->packet, &request->request_pairs, false);
1118
1119 return 0;
1120}
1121
1122/*
1123 * Receive a CoA packet, maybe.
1124 */
1125static int recv_coa_packet(fr_time_delta_t wait_time)
1126{
1127 fd_set set;
1128 fr_time_delta_t our_wait_time;
1129 rc_request_t *request, *parent;
1130 fr_packet_t *packet;
1131 rc_request_t my;
1132
1133#ifdef STATIC_ANALYZER
1134 if (!secret) fr_exit_now(1);
1135#endif
1136
1137 /* And wait for reply, timing out as necessary */
1138 FD_ZERO(&set);
1139 FD_SET(coafd, &set);
1140
1141 our_wait_time = !fr_time_delta_ispos(wait_time) ? fr_time_delta_from_sec(0) : wait_time;
1142
1143 /*
1144 * No packet was received.
1145 */
1146 if (select(coafd + 1, &set, NULL, NULL, &fr_time_delta_to_timeval(our_wait_time)) <= 0) return 0;
1147
1148 /*
1149 * Read a packet from a network.
1150 */
1151 packet = fr_packet_recv(NULL, coafd, 0, 200, false);
1152 if (!packet) {
1153 DEBUG("Failed reading CoA packet");
1154 return 0;
1155 }
1156
1157 /*
1158 * Fails the signature validation: not a real reply.
1159 */
1160 if (fr_packet_verify(packet, NULL, secret) < 0) {
1161 DEBUG("CoA verification failed");
1162 return 0;
1163 }
1164
1165 fr_pair_list_init(&my.request_pairs);
1166
1167 /*
1168 * Decode the packet before looking up the parent, so that we can compare the pairs.
1169 */
1170 if (fr_radius_decode_simple(packet, &my.request_pairs,
1171 packet->data, packet->data_len,
1172 NULL, secret) < 0) {
1173 DEBUG("Failed decoding CoA packet");
1174 return 0;
1175 }
1176
1177 fr_radius_packet_log(&default_log, packet, &my.request_pairs, true);
1178
1179 /*
1180 * Find a Access-Request which has the same User-Name / etc. as this CoA packet.
1181 */
1182 my.name = "receive CoA request";
1183 my.packet = packet;
1184
1185 parent = fr_rb_find(coa_tree, &my);
1186 if (!parent) {
1187 DEBUG("No matching request packet for CoA packet %u %u", packet->data[0], packet->data[1]);
1188 talloc_free(packet);
1189 return 0;
1190 }
1191 assert(parent->coa);
1192
1193 request = parent->coa;
1194 request->packet = talloc_steal(request, packet);
1195
1196 fr_pair_list_steal(request, &my.request_pairs);
1197 fr_pair_list_append(&request->request_pairs, &my.request_pairs);
1198
1199 /*
1200 * If we had an expected response code, check to see if the
1201 * packet matched that.
1202 */
1203 if (request->packet->code != request->filter_code) {
1204 if (FR_RADIUS_PACKET_CODE_VALID(request->reply->code)) {
1205 REDEBUG("%s: Expected %s got %s", request->name, fr_radius_packet_name[request->filter_code],
1206 fr_radius_packet_name[request->packet->code]);
1207 } else {
1208 REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
1209 request->packet->code);
1210 }
1211 stats.failed++;
1212
1213 /*
1214 * Check if the contents of the packet matched the filter
1215 */
1216 } else if (fr_pair_list_empty(&request->filter)) {
1217 stats.passed++;
1218
1219 } else {
1220 fr_pair_t const *failed[2];
1221
1222 fr_pair_list_sort(&request->request_pairs, fr_pair_cmp_by_da);
1223 if (fr_pair_validate(failed, &request->filter, &request->request_pairs)) {
1224 RDEBUG("%s: CoA request passed filter", request->name);
1225 stats.passed++;
1226 } else {
1227 fr_pair_validate_debug(failed);
1228 REDEBUG("%s: CoA Request for failed filter", request->name);
1229 stats.failed++;
1230 }
1231 }
1232
1233 request->reply->id = request->packet->id;
1234
1235 request->reply->socket.type = SOCK_DGRAM;
1236 request->reply->socket.af = client_ipaddr.af;
1237 request->reply->socket.fd = coafd;
1238 request->reply->socket.inet.src_ipaddr = client_ipaddr;
1239 request->reply->socket.inet.src_port = coa_port;
1240 request->reply->socket.inet.dst_ipaddr = packet->socket.inet.src_ipaddr;
1241 request->reply->socket.inet.dst_port = packet->socket.inet.src_port;
1242
1243 if (!request->reply->code) switch (packet->code) {
1244 case FR_RADIUS_CODE_COA_REQUEST:
1245 request->reply->code = FR_RADIUS_CODE_COA_ACK;
1246 break;
1247
1248 case FR_RADIUS_CODE_DISCONNECT_REQUEST:
1249 request->reply->code = FR_RADIUS_CODE_DISCONNECT_ACK;
1250 break;
1251
1252 default:
1253 RDEBUG("Failed getting reply packet type");
1254 return 0;
1255 }
1256
1257 fr_radius_packet_log(&default_log, request->reply, &request->reply_pairs, false);
1258
1259
1260 /*
1261 * Send reply.
1262 */
1263 if (fr_packet_send(request->reply, &request->reply_pairs, packet, secret) < 0) {
1264 REDEBUG("Failed sending CoA reply");
1265 return 0;
1266 }
1267
1268 fr_rb_remove(coa_tree, request);
1269
1270 /*
1271 * No longer waiting for a CoA packet for this request.
1272 */
1273 TALLOC_FREE(parent->coa);
1274 return 0;
1275}
1276
1277
1278/*
1279 * Do Blast RADIUS checks.
1280 *
1281 * The request is an Access-Request, and does NOT contain Proxy-State.
1282 *
1283 * The reply is a raw packet, and is NOT yet decoded.
1284 */
1285static int blast_radius_check(rc_request_t *request, fr_packet_t *reply)
1286{
1287 uint8_t *attr, *end;
1288 fr_pair_t *vp;
1289 bool have_message_authenticator = false;
1290
1291 /*
1292 * We've received a raw packet. Nothing has (as of yet) checked
1293 * anything in it other than the length, and that it's a
1294 * well-formed RADIUS packet.
1295 */
1296 switch (reply->data[0]) {
1297 case FR_RADIUS_CODE_ACCESS_ACCEPT:
1298 case FR_RADIUS_CODE_ACCESS_REJECT:
1299 case FR_RADIUS_CODE_ACCESS_CHALLENGE:
1300 if (reply->data[1] != request->packet->id) {
1301 ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id);
1302 return -1;
1303 }
1304 break;
1305
1306 default:
1307 ERROR("Invalid reply code %d to Access-Request", reply->data[0]);
1308 return -1;
1309 }
1310
1311 /*
1312 * If the reply has a Message-Authenticator, then it MIGHT be fine.
1313 */
1314 attr = reply->data + 20;
1315 end = reply->data + reply->data_len;
1316
1317 /*
1318 * It should be the first attribute, so we warn if it isn't there.
1319 *
1320 * But it's not a fatal error.
1321 */
1322 if (blast_radius && (attr[0] != FR_MESSAGE_AUTHENTICATOR)) {
1323 RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute. The packet may be vulnerable to Blast RADIUS attacks.",
1324 fr_radius_packet_name[reply->data[0]]);
1325 }
1326
1327 /*
1328 * Set up for Proxy-State checks.
1329 *
1330 * If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack.
1331 */
1332 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_proxy_state);
1333
1334 while (attr < end) {
1335 /*
1336 * Blast RADIUS work-arounds require that
1337 * Message-Authenticator is the first attribute in the
1338 * reply. Note that we don't check for it being the
1339 * first attribute, but simply that it exists.
1340 *
1341 * That check is a balance between securing the reply
1342 * packet from attacks, and not violating the RFCs which
1343 * say that there is no order to attributes in the
1344 * packet.
1345 *
1346 * However, no matter the status of the '-b' flag we
1347 * still can check for the signature of the attack, and
1348 * discard packets which are suspicious. This behavior
1349 * protects radclient from the attack, without mandating
1350 * new behavior on the server side.
1351 *
1352 * Note that we don't set the '-b' flag by default.
1353 * radclient is intended for testing / debugging, and is
1354 * not intended to be used as part of a secure login /
1355 * user checking system.
1356 */
1357 if (attr[0] == FR_MESSAGE_AUTHENTICATOR) {
1358 have_message_authenticator = true;
1359 goto next;
1360 }
1361
1362 /*
1363 * If there are Proxy-State attributes in the reply, they must
1364 * match EXACTLY the Proxy-State attributes in the request.
1365 *
1366 * Note that we don't care if there are more Proxy-States
1367 * in the request than in the reply. The Blast RADIUS
1368 * issue requires _adding_ Proxy-State attributes, and
1369 * cannot work when the server _deletes_ Proxy-State
1370 * attributes.
1371 */
1372 if (attr[0] == FR_PROXY_STATE) {
1373 if (!vp || (vp->vp_length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->vp_length) != 0)) {
1374 ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id);
1375 ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent.");
1376 return -1;
1377 }
1378
1379 vp = fr_pair_find_by_da(&request->request_pairs, vp, attr_proxy_state);
1380 }
1381
1382 next:
1383 attr += attr[1];
1384 }
1385
1386 /*
1387 * If "-b" is set, then we require Message-Authenticator in the reply.
1388 */
1389 if (blast_radius && !have_message_authenticator) {
1390 ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.",
1391 fr_radius_packet_name[reply->data[0]]);
1392 return -1;
1393 }
1394
1395 /*
1396 * The packet doesn't look like it's a Blast RADIUS attack. The
1397 * caller will now verify the packet signature.
1398 */
1399 return 0;
1400}
1401
1402/*
1403 * Receive one packet, maybe.
1404 */
1405static int recv_one_packet(fr_time_delta_t wait_time)
1406{
1407 fd_set set;
1408 fr_time_delta_t our_wait_time;
1409 rc_request_t *request;
1410 fr_packet_t *reply, *packet;
1411 volatile int max_fd;
1412
1413#ifdef STATIC_ANALYZER
1414 if (!secret) fr_exit_now(1);
1415#endif
1416
1417 /* And wait for reply, timing out as necessary */
1418 FD_ZERO(&set);
1419
1420 max_fd = fr_packet_list_fd_set(packet_list, &set);
1421 if (max_fd < 0) fr_exit_now(1); /* no sockets to listen on! */
1422
1423 our_wait_time = !fr_time_delta_ispos(wait_time) ? fr_time_delta_from_sec(0) : wait_time;
1424
1425 if (do_coa && fr_rb_num_elements(coa_tree) > 0) {
1426 FD_SET(coafd, &set);
1427 if (coafd >= max_fd) max_fd = coafd + 1;
1428 }
1429
1430 /*
1431 * See if a packet was received.
1432 */
1433retry:
1434 if (select(max_fd, &set, NULL, NULL, &fr_time_delta_to_timeval(our_wait_time)) <= 0) return 0;
1435
1436 /*
1437 * Read a CoA packet
1438 */
1439 if (FD_ISSET(coafd, &set)) {
1440 recv_coa_packet(fr_time_delta_wrap(0));
1441 FD_CLR(coafd, &set);
1442 our_wait_time = fr_time_delta_from_sec(0);
1443 goto retry;
1444 }
1445
1446 /*
1447 * Look for the packet.
1448 */
1449 reply = fr_packet_list_recv(packet_list, &set, RADIUS_MAX_ATTRIBUTES, false);
1450 if (!reply) {
1451 ERROR("Received bad packet");
1452
1453 /*
1454 * If the packet is bad, we close the socket.
1455 * I'm not sure how to do that now, so we just
1456 * die...
1457 */
1458 if (ipproto == IPPROTO_TCP) fr_exit_now(1);
1459 return -1; /* bad packet */
1460 }
1461
1462 /*
1463 * We don't use udpfromto. So if we bind to "*", we want
1464 * to find replies sent to 192.0.2.4. Therefore, we
1465 * force all replies to have the one address we know
1466 * about, no matter what real address they were sent to.
1467 *
1468 * This only works if were not using any of the
1469 * Packet-* attributes, or running with 'auto'.
1470 */
1471 reply->socket.inet.dst_ipaddr = client_ipaddr;
1472 reply->socket.inet.dst_port = client_port;
1473
1474 /*
1475 * TCP sockets don't use recvmsg(), and thus don't get
1476 * the source IP/port. However, since they're TCP, we
1477 * know what the source IP/port is, because that's where
1478 * we connected to.
1479 */
1480 if (ipproto == IPPROTO_TCP) {
1481 reply->socket.inet.src_ipaddr = server_ipaddr;
1482 reply->socket.inet.src_port = server_port;
1483 }
1484
1485 packet = fr_packet_list_find_byreply(packet_list, reply);
1486 if (!packet) {
1487 ERROR("Received reply to request we did not send. (id=%d socket %d)",
1488 reply->id, reply->socket.fd);
1489 fr_packet_free(&reply);
1490 return -1; /* got reply to packet we didn't send */
1491 }
1492 request = packet->uctx;
1493
1494 /*
1495 * We want radclient to be able to send any packet, including
1496 * imperfect ones. However, we do NOT want to be vulnerable to
1497 * the "Blast RADIUS" issue. Instead of adding command-line
1498 * flags to enable/disable similar flags to what the server
1499 * sends, we just do a few more smart checks to double-check
1500 * things.
1501 */
1502 if ((request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) &&
1503 blast_radius_check(request, reply) < 0) {
1504 fr_packet_free(&reply);
1505 return -1;
1506 }
1507
1508 /*
1509 * Fails the signature validation: not a real reply.
1510 * FIXME: Silently drop it and listen for another packet.
1511 */
1512 if (fr_packet_verify(reply, request->packet, secret) < 0) {
1513 REDEBUG("Reply verification failed");
1514 stats.lost++;
1515 goto packet_done; /* shared secret is incorrect */
1516 }
1517
1518 if (print_filename) {
1519 RDEBUG("%s response code %d", request->files->packets, reply->code);
1520 }
1521
1522 deallocate_id(request);
1523 request->reply = reply;
1524 reply = NULL;
1525
1526 /*
1527 * If this fails, we're out of memory.
1528 */
1529 if (fr_radius_decode_simple(request, &request->reply_pairs,
1530 request->reply->data, request->reply->data_len,
1531 request->packet->vector, secret) < 0) {
1532 REDEBUG("Reply decode failed");
1533 stats.lost++;
1534 goto packet_done;
1535 }
1536 PAIR_LIST_VERIFY(&request->reply_pairs);
1537 fr_radius_packet_log(&default_log, request->reply, &request->reply_pairs, true);
1538
1539 /*
1540 * Increment counters...
1541 */
1542 switch (request->reply->code) {
1543 case FR_RADIUS_CODE_ACCESS_ACCEPT:
1544 case FR_RADIUS_CODE_ACCOUNTING_RESPONSE:
1545 case FR_RADIUS_CODE_COA_ACK:
1546 case FR_RADIUS_CODE_DISCONNECT_ACK:
1547 stats.accepted++;
1548 break;
1549
1550 case FR_RADIUS_CODE_ACCESS_CHALLENGE:
1551 break;
1552
1553 default:
1554 stats.rejected++;
1555 }
1556
1557 fr_strerror_clear(); /* Clear strerror buffer */
1558
1559 /*
1560 * If we had an expected response code, check to see if the
1561 * packet matched that.
1562 */
1563 if ((request->filter_code != FR_RADIUS_CODE_UNDEFINED) && (request->reply->code != request->filter_code)) {
1564 if (FR_RADIUS_PACKET_CODE_VALID(request->reply->code)) {
1565 REDEBUG("%s: Expected %s got %s", request->name, fr_radius_packet_name[request->filter_code],
1566 fr_radius_packet_name[request->reply->code]);
1567 } else {
1568 REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
1569 request->reply->code);
1570 }
1571 stats.failed++;
1572 /*
1573 * Check if the contents of the packet matched the filter
1574 */
1575 } else if (fr_pair_list_empty(&request->filter)) {
1576 stats.passed++;
1577 } else {
1578 fr_pair_t const *failed[2];
1579
1580 fr_pair_list_sort(&request->reply_pairs, fr_pair_cmp_by_da);
1581 if (fr_pair_validate(failed, &request->filter, &request->reply_pairs)) {
1582 RDEBUG("%s: Response passed filter", request->name);
1583 stats.passed++;
1584 } else {
1585 fr_pair_validate_debug(failed);
1586 REDEBUG("%s: Response for failed filter", request->name);
1587 stats.failed++;
1588 }
1589 }
1590
1591 if (request->resend == resend_count) {
1592 request->done = true;
1593 }
1594
1595packet_done:
1596 fr_packet_free(&request->reply);
1597 fr_packet_free(&reply); /* may be NULL */
1598
1599 return 0;
1600}
1601
1602/**
1603 *
1604 * @hidecallgraph
1605 */
1606int main(int argc, char **argv)
1607{
1608 int ret = EXIT_SUCCESS;
1609 int c;
1610 char const *raddb_dir = RADDBDIR;
1611 char const *dict_dir = DICTDIR;
1612 char filesecret[256];
1613 FILE *fp;
1614 int do_summary = false;
1615 int persec = 0;
1616 int parallel = 1;
1617 int force_af = AF_UNSPEC;
1618#ifndef NDEBUG
1619 TALLOC_CTX *autofree;
1620#endif
1621 fr_dlist_head_t filenames;
1622 rc_request_t *request;
1623
1624 /*
1625 * It's easier having two sets of flags to set the
1626 * verbosity of library calls and the verbosity of
1627 * radclient.
1628 */
1629 fr_debug_lvl = 0;
1630 fr_log_fp = stdout;
1631
1632 /*
1633 * Must be called first, so the handler is called last
1634 */
1635 fr_atexit_global_setup();
1636
1637#ifndef NDEBUG
1638 autofree = talloc_autofree_context();
1639
1640 if (fr_fault_setup(autofree, getenv("PANIC_ACTION"), argv[0]) < 0) {
1641 fr_perror("radclient");
1642 fr_exit_now(EXIT_FAILURE);
1643 }
1644#endif
1645
1646 talloc_set_log_stderr();
1647
1648 fr_dlist_talloc_init(&rc_request_list, rc_request_t, entry);
1649
1650 fr_dlist_talloc_init(&filenames, rc_file_pair_t, entry);
1651
1652 /*
1653 * Always log to stdout
1654 */
1655 default_log.dst = L_DST_STDOUT;
1656 default_log.fd = STDOUT_FILENO;
1657 default_log.print_level = false;
1658
1659 while ((c = getopt(argc, argv, "46bc:A:C:d:D:f:Fhi:n:o:p:P:r:sS:t:vx")) != -1) switch (c) {
1660 case '4':
1661 force_af = AF_INET;
1662 break;
1663
1664 case '6':
1665 force_af = AF_INET6;
1666 break;
1667
1668 case 'A':
1669 attr_coa_filter_name = optarg;
1670 break;
1671
1672 case 'b':
1673 blast_radius = true;
1674 break;
1675
1676 case 'c':
1677 if (!isdigit((uint8_t) *optarg)) usage();
1678
1679 resend_count = atoi(optarg);
1680
1681 if (resend_count < 1) usage();
1682 break;
1683
1684 case 'C':
1685 {
1686 int tmp;
1687
1688 if (strchr(optarg, ':')) {
1689 if (fr_inet_pton_port(&client_ipaddr, &client_port,
1690 optarg, -1, AF_UNSPEC, true, false) < 0) {
1691 fr_perror("Failed parsing source address");
1692 fr_exit_now(1);
1693 }
1694 break;
1695 }
1696
1697 tmp = atoi(optarg);
1698 if (tmp < 1 || tmp > 65535) usage();
1699
1700 client_port = (uint16_t)tmp;
1701 }
1702 break;
1703
1704 case 'D':
1705 dict_dir = optarg;
1706 break;
1707
1708 case 'd':
1709 raddb_dir = optarg;
1710 break;
1711
1712 /*
1713 * packet,filter,coa_reply,coa_filter
1714 */
1715 case 'f':
1716 {
1717 char const *p;
1718 rc_file_pair_t *files;
1719
1720 MEM(files = talloc_zero(talloc_autofree_context(), rc_file_pair_t));
1721
1722 /*
1723 * Commas are nicer than colons.
1724 */
1725 c = ':';
1726
1727 p = strchr(optarg, c);
1728 if (!p) {
1729 c = ',';
1730 p = strchr(optarg, c);
1731 }
1732 if (!p) {
1733 files->packets = optarg;
1734 files->filters = NULL;
1735 } else {
1736 char *q;
1737
1738 MEM(files->packets = talloc_strndup(files, optarg, p - optarg));
1739 files->filters = p + 1;
1740
1741 /*
1742 * Look for CoA filename
1743 */
1744 q = strchr(files->filters, c);
1745 if (q) {
1746 do_coa = true;
1747
1748 *(q++) = '\0';
1749 files->coa_reply = q;
1750
1751 q = strchr(files->coa_reply, c);
1752 if (q) {
1753 *(q++) = '\0';
1754 files->coa_filter = q;
1755 }
1756 }
1757 }
1758 fr_dlist_insert_tail(&filenames, files);
1759 }
1760 break;
1761
1762 case 'F':
1763 print_filename = true;
1764 break;
1765
1766 case 'i':
1767 if (!isdigit((uint8_t) *optarg))
1768 usage();
1769 last_used_id = atoi(optarg);
1770 if ((last_used_id < 0) || (last_used_id > 255)) {
1771 usage();
1772 }
1773 break;
1774
1775 case 'n':
1776 persec = atoi(optarg);
1777 if (persec <= 0) usage();
1778 break;
1779
1780 case 'o':
1781 coa_port = atoi(optarg);
1782 break;
1783
1784 /*
1785 * Note that sending MANY requests in
1786 * parallel can over-run the kernel
1787 * queues, and Linux will happily discard
1788 * packets. So even if the server responds,
1789 * the client may not see the reply.
1790 */
1791 case 'p':
1792 parallel = atoi(optarg);
1793 if (parallel <= 0) usage();
1794 break;
1795
1796 case 'P':
1797 if (!strcmp(optarg, "tcp")) {
1798 ipproto = IPPROTO_TCP;
1799 } else if (!strcmp(optarg, "udp")) {
1800 ipproto = IPPROTO_UDP;
1801 } else {
1802 usage();
1803 }
1804 break;
1805
1806 case 'r':
1807 if (!isdigit((uint8_t) *optarg)) usage();
1808 retries = atoi(optarg);
1809 if ((retries == 0) || (retries > 1000)) usage();
1810 break;
1811
1812 case 's':
1813 do_summary = true;
1814 break;
1815
1816 case 'S':
1817 {
1818 char *p;
1819 fp = fopen(optarg, "r");
1820 if (!fp) {
1821 ERROR("Error opening %s: %s", optarg, fr_syserror(errno));
1822 fr_exit_now(1);
1823 }
1824 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1825 ERROR("Error reading %s: %s", optarg, fr_syserror(errno));
1826 fr_exit_now(1);
1827 }
1828 fclose(fp);
1829
1830 /* truncate newline */
1831 p = filesecret + strlen(filesecret) - 1;
1832 while ((p >= filesecret) &&
1833 (*p < ' ')) {
1834 *p = '\0';
1835 --p;
1836 }
1837
1838 if (strlen(filesecret) < 2) {
1839 ERROR("Secret in %s is too short", optarg);
1840 fr_exit_now(1);
1841 }
1842 secret = talloc_strdup(NULL, filesecret);
1843 }
1844 break;
1845
1846 case 't':
1847 if (fr_time_delta_from_str(&timeout, optarg, strlen(optarg), FR_TIME_RES_SEC) < 0) {
1848 fr_perror("Failed parsing timeout value");
1849 fr_exit_now(EXIT_FAILURE);
1850 }
1851 break;
1852
1853 case 'v':
1854 fr_debug_lvl = 1;
1855 DEBUG("%s", radclient_version);
1856 fr_exit_now(0);
1857
1858 case 'x':
1859 fr_debug_lvl++;
1860 if (fr_debug_lvl > 1) default_log.print_level = true;
1861 break;
1862
1863 case 'h':
1864 default:
1865 usage();
1866 }
1867 argc -= (optind - 1);
1868 argv += (optind - 1);
1869
1870 if ((argc < 3) || ((secret == NULL) && (argc < 4))) {
1871 ERROR("Insufficient arguments");
1872 usage();
1873 }
1874 /*
1875 * Mismatch between the binary and the libraries it depends on
1876 */
1877 if (fr_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) {
1878 fr_perror("radclient");
1879 fr_exit_now(EXIT_FAILURE);
1880 }
1881
1882 if (!fr_dict_global_ctx_init(NULL, true, dict_dir)) {
1883 fr_perror("radclient");
1884 fr_exit_now(EXIT_FAILURE);
1885 }
1886
1887 if (fr_radius_global_init() < 0) {
1888 fr_perror("radclient");
1889 fr_exit_now(EXIT_FAILURE);
1890 }
1891
1892 if (fr_dict_autoload(radclient_dict) < 0) {
1893 fr_perror("radclient");
1894 exit(EXIT_FAILURE);
1895 }
1896
1897 if (fr_dict_attr_autoload(radclient_dict_attr) < 0) {
1898 fr_perror("radclient");
1899 exit(EXIT_FAILURE);
1900 }
1901
1902 if (fr_dict_read(fr_dict_unconst(dict_freeradius), raddb_dir, FR_DICTIONARY_FILE) == -1) {
1903 fr_log_perror(&default_log, L_ERR, __FILE__, __LINE__, NULL,
1904 "Failed to initialize the dictionaries");
1905 exit(EXIT_FAILURE);
1906 }
1907
1908 if (do_coa) {
1909 attr_coa_filter = fr_dict_attr_by_name(NULL, fr_dict_root(dict_radius), attr_coa_filter_name);
1910 if (!attr_coa_filter) {
1911 ERROR("Unknown or invalid CoA filter attribute %s", optarg);
1912 fr_exit_now(1);
1913 }
1914
1915 /*
1916 * If there's no attribute given to match CoA to requests, use User-Name
1917 */
1918 if (!attr_coa_filter) attr_coa_filter = attr_user_name;
1919
1920 MEM(coa_tree = fr_rb_inline_talloc_alloc(NULL, rc_request_t, node, request_cmp, NULL));
1921 }
1922 packet_global_init();
1923
1924 fr_strerror_clear(); /* Clear the error buffer */
1925
1926 /*
1927 * Get the request type
1928 */
1929 if (!isdigit((uint8_t) argv[2][0])) {
1930 packet_code = fr_table_value_by_str(fr_radius_request_name_table, argv[2], -2);
1931 if (packet_code == -2) {
1932 ERROR("Unrecognised request type \"%s\"", argv[2]);
1933 usage();
1934 }
1935 } else {
1936 packet_code = atoi(argv[2]);
1937 }
1938
1939 /*
1940 * Resolve hostname.
1941 */
1942 if (strcmp(argv[1], "-") != 0) {
1943 if (fr_inet_pton_port(&server_ipaddr, &server_port, argv[1], -1, force_af, true, true) < 0) {
1944 fr_perror("radclient");
1945 fr_exit_now(1);
1946 }
1947
1948 /*
1949 * Work backwards from the port to determine the packet type
1950 */
1951 if (packet_code == FR_RADIUS_CODE_UNDEFINED) packet_code = radclient_get_code(server_port);
1952 }
1953 radclient_get_port(packet_code, &server_port);
1954
1955 /*
1956 * Add the secret.
1957 */
1958 if (argv[3]) secret = talloc_strdup(NULL, argv[3]);
1959
1960 /*
1961 * If no '-f' is specified, we're reading from stdin.
1962 */
1963 if (fr_dlist_num_elements(&filenames) == 0) {
1964 rc_file_pair_t *files;
1965
1966 files = talloc_zero(talloc_autofree_context(), rc_file_pair_t);
1967 files->packets = "-";
1968 if (radclient_init(files, files) < 0) fr_exit_now(1);
1969 }
1970
1971 /*
1972 * Walk over the list of filenames, creating the requests.
1973 */
1974 fr_dlist_foreach(&filenames, rc_file_pair_t, files) {
1975 if (radclient_init(files, files)) {
1976 ERROR("Failed parsing input files");
1977 fr_exit_now(1);
1978 }
1979 }
1980
1981 /*
1982 * No packets read. Die.
1983 */
1984 if (!fr_dlist_num_elements(&rc_request_list)) {
1985 ERROR("Nothing to send");
1986 fr_exit_now(1);
1987 }
1988
1989 openssl3_init();
1990
1991 /*
1992 * Bind to the first specified IP address and port.
1993 * This means we ignore later ones.
1994 */
1995 request = fr_dlist_head(&rc_request_list);
1996
1997 if (client_ipaddr.af == AF_UNSPEC) {
1998 if (request->packet->socket.inet.src_ipaddr.af == AF_UNSPEC) {
1999 memset(&client_ipaddr, 0, sizeof(client_ipaddr));
2000 client_ipaddr.af = server_ipaddr.af;
2001 } else {
2002 client_ipaddr = request->packet->socket.inet.src_ipaddr;
2003 }
2004 }
2005
2006 if (client_port == 0) client_port = request->packet->socket.inet.src_port;
2007
2008 if (ipproto == IPPROTO_TCP) {
2009 sockfd = fr_socket_client_tcp(NULL, NULL, &server_ipaddr, server_port, false);
2010 if (sockfd < 0) {
2011 ERROR("Failed opening socket");
2012 return -1;
2013 }
2014
2015 } else {
2016 sockfd = fr_socket_server_udp(&client_ipaddr, &client_port, NULL, false);
2017 if (sockfd < 0) {
2018 fr_perror("Error opening socket");
2019 return -1;
2020 }
2021
2022 if (fr_socket_bind(sockfd, NULL, &client_ipaddr, &client_port) < 0) {
2023 fr_perror("Error binding socket");
2024 return -1;
2025 }
2026 }
2027
2028 if (do_coa) {
2029 coafd = fr_socket_server_udp(&client_ipaddr, &coa_port, NULL, false);
2030 if (coafd < 0) {
2031 fr_perror("Error opening CoA socket");
2032 return -1;
2033 }
2034
2035 if (fr_socket_bind(coafd, NULL, &client_ipaddr, &coa_port) < 0) {
2036 fr_perror("Error binding socket");
2037 return -1;
2038 }
2039 }
2040
2041 MEM(packet_list = fr_packet_list_create(1));
2042 if (!fr_packet_list_socket_add(packet_list, sockfd, ipproto, &server_ipaddr,
2043 server_port, NULL)) {
2044 ERROR("Failed adding socket");
2045 fr_exit_now(1);
2046 }
2047
2048 /*
2049 * Walk over the list of packets, sanity checking
2050 * everything.
2051 */
2052 fr_dlist_foreach(&rc_request_list, rc_request_t, this) {
2053 this->packet->socket.inet.src_ipaddr = client_ipaddr;
2054 this->packet->socket.inet.src_port = client_port;
2055 if (radclient_sane(this) != 0) {
2056 fr_exit_now(1);
2057 }
2058 }
2059
2060 /*
2061 * Walk over the packets to send, until
2062 * we're all done.
2063 *
2064 * FIXME: This currently busy-loops until it receives
2065 * all of the packets. It should really have some sort of
2066 * send packet, get time to wait, select for time, etc.
2067 * loop.
2068 */
2069 do {
2070 int n = parallel;
2071 rc_request_t *this, *next;
2072 char const *filename = NULL;
2073
2074 done = true;
2075 sleep_time = fr_time_delta_wrap(-1);
2076
2077 /*
2078 * Walk over the packets, sending them.
2079 */
2080
2081 for (this = fr_dlist_head(&rc_request_list);
2082 this != NULL;
2083 this = next) {
2084 next = fr_dlist_next(&rc_request_list, this);
2085
2086 /*
2087 * If there's a packet to receive,
2088 * receive it, but don't wait for a
2089 * packet.
2090 */
2091 recv_one_packet(fr_time_delta_wrap(0));
2092
2093 /*
2094 * This packet is done. Delete it.
2095 */
2096 if (this->done) {
2097 /*
2098 * We still have a CoA reply to
2099 * receive for this packet.
2100 */
2101 if (this->coa) {
2102 recv_coa_packet(fr_time_delta_wrap(0));
2103 if (this->coa) continue;
2104 }
2105
2106 talloc_free(this);
2107 continue;
2108 }
2109
2110 /*
2111 * Packets from multiple '-f' are sent
2112 * in parallel.
2113 *
2114 * Packets from one file are sent in
2115 * series, unless '-p' is specified, in
2116 * which case N packets from each file
2117 * are sent in parallel.
2118 */
2119 if (this->files->packets != filename) {
2120 filename = this->files->packets;
2121 n = parallel;
2122 }
2123
2124 if (n > 0) {
2125 n--;
2126
2127 /*
2128 * Send the current packet.
2129 */
2130 if (send_one_packet(this) < 0) {
2131 talloc_free(this);
2132 break;
2133 }
2134
2135 /*
2136 * Wait a little before sending
2137 * the next packet, if told to.
2138 */
2139 if (persec) {
2140 fr_time_delta_t psec;
2141
2142 psec = (persec == 1) ? fr_time_delta_from_sec(1) : fr_time_delta_wrap(1000000 / persec);
2143
2144 /*
2145 * Don't sleep elsewhere.
2146 */
2147 sleep_time = fr_time_delta_wrap(0);
2148
2149
2150 /*
2151 * Sleep for milliseconds,
2152 * portably.
2153 *
2154 * If we get an error or
2155 * a signal, treat it like
2156 * a normal timeout.
2157 */
2158 select(0, NULL, NULL, NULL, &fr_time_delta_to_timeval(psec));
2159 }
2160
2161 /*
2162 * If we haven't sent this packet
2163 * often enough, we're not done,
2164 * and we shouldn't sleep.
2165 */
2166 if (this->resend < resend_count) {
2167 int i;
2168
2169 done = false;
2170 sleep_time = fr_time_delta_wrap(0);
2171
2172 for (i = 0; i < 4; i++) {
2173 ((uint32_t *) this->packet->vector)[i] = fr_rand();
2174 }
2175 }
2176 } else { /* haven't sent this packet, we're not done */
2177 assert(this->done == false);
2178 assert(this->reply == NULL);
2179 done = false;
2180 }
2181 }
2182
2183 /*
2184 * Still have outstanding requests.
2185 */
2186 if (fr_packet_list_num_elements(packet_list) > 0) {
2187 done = false;
2188 } else {
2189 sleep_time = fr_time_delta_wrap(0);
2190 }
2191
2192 /*
2193 * Nothing to do until we receive a request, so
2194 * sleep until then. Once we receive one packet,
2195 * we go back, and walk through the whole list again,
2196 * sending more packets (if necessary), and updating
2197 * the sleep time.
2198 */
2199 if (!done && fr_time_delta_ispos(sleep_time)) {
2200 recv_one_packet(sleep_time);
2201 }
2202 } while (!done);
2203
2204 fr_packet_list_free(packet_list);
2205
2206 fr_dlist_talloc_free(&rc_request_list);
2207
2208 talloc_free(coa_tree);
2209
2210 talloc_free(secret);
2211
2212 fr_radius_global_free();
2213
2214 if (fr_dict_autofree(radclient_dict) < 0) {
2215 fr_perror("radclient");
2216 ret = EXIT_FAILURE;
2217 }
2218
2219#ifndef NDEBUG
2220 talloc_free(autofree);
2221#endif
2222
2223 if (do_summary) {
2224 fr_perror("Packet summary:\n"
2225 "\tAccepted : %" PRIu64 "\n"
2226 "\tRejected : %" PRIu64 "\n"
2227 "\tLost : %" PRIu64 "\n"
2228 "\tPassed filter : %" PRIu64 "\n"
2229 "\tFailed filter : %" PRIu64,
2230 stats.accepted,
2231 stats.rejected,
2232 stats.lost,
2233 stats.passed,
2234 stats.failed
2235 );
2236 }
2237
2238 /*
2239 * Ensure our atexit handlers run before any other
2240 * atexit handlers registered by third party libraries.
2241 */
2242 fr_atexit_global_trigger_all();
2243
2244 if ((stats.lost > 0) || (stats.failed > 0)) return EXIT_FAILURE;
2245
2246 openssl3_free();
2247
2248 return ret;
2249}
buffer
static int const char char buffer[256]
Definition acutest.h:576
n
int n
Definition acutest.h:577
fr_atexit_global_setup
int fr_atexit_global_setup(void)
Setup the atexit handler, should be called at the start of a program's execution.
Definition atexit.c:160
fr_atexit_global_trigger_all
int fr_atexit_global_trigger_all(void)
Cause all global free triggers to fire.
Definition atexit.c:286
RCSID
#define RCSID(id)
Definition build.h:485
NEVER_RETURNS
#define NEVER_RETURNS
Should be placed before the function return type.
Definition build.h:315
fr_chap_encode
void fr_chap_encode(uint8_t out[static 1+FR_CHAP_CHALLENGE_LENGTH], uint8_t id, uint8_t const *challenge, size_t challenge_len, char const *password, size_t password_len)
Encode a CHAP password.
Definition chap.c:34
fr_fault_setup
int fr_fault_setup(TALLOC_CTX *ctx, char const *cmd, char const *program)
Registers signal handlers to execute panic_action on fatal signal.
Definition debug.c:1242
MEM
#define MEM(x)
Definition debug.h:36
fr_exit_now
#define fr_exit_now(_x)
Exit without calling atexit() handlers, producing a log message in debug builds.
Definition debug.h:234
fr_radius_packet_code_t
fr_radius_packet_code_t
RADIUS packet codes.
Definition defs.h:31
FR_RADIUS_CODE_ACCESS_CHALLENGE
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
FR_RADIUS_CODE_ACCESS_REQUEST
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
FR_RADIUS_CODE_DISCONNECT_REQUEST
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
FR_RADIUS_CODE_DISCONNECT_ACK
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
FR_RADIUS_CODE_STATUS_SERVER
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
FR_RADIUS_CODE_COA_REQUEST
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
FR_RADIUS_CODE_ACCESS_ACCEPT
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
FR_RADIUS_CODE_ACCOUNTING_RESPONSE
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
FR_RADIUS_CODE_COA_NAK
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
FR_RADIUS_CODE_UNDEFINED
@ FR_RADIUS_CODE_UNDEFINED
Packet code has not been set.
Definition defs.h:32
FR_RADIUS_CODE_COA_ACK
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
FR_RADIUS_CODE_DISCONNECT_NAK
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
FR_RADIUS_CODE_ACCOUNTING_REQUEST
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
FR_RADIUS_CODE_ACCESS_REJECT
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
FR_COA_UDP_PORT
#define FR_COA_UDP_PORT
Definition defs.h:63
FR_AUTH_UDP_PORT
#define FR_AUTH_UDP_PORT
Definition defs.h:57
FR_ACCT_UDP_PORT_ALT
#define FR_ACCT_UDP_PORT_ALT
Definition defs.h:60
FR_AUTH_UDP_PORT_ALT
#define FR_AUTH_UDP_PORT_ALT
Definition defs.h:58
FR_POD_UDP_PORT
#define FR_POD_UDP_PORT
Definition defs.h:61
FR_ACCT_UDP_PORT
#define FR_ACCT_UDP_PORT
Definition defs.h:59
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
DEBUG
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
fr_dict_global_ctx_init
fr_dict_gctx_t * fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir)
Initialise the global protocol hashes.
Definition dict_util.c:4399
fr_dict_unconst
fr_dict_t * fr_dict_unconst(fr_dict_t const *dict)
Coerce to non-const.
Definition dict_util.c:4592
fr_dict_autofree
#define fr_dict_autofree(_to_free)
Definition dict.h:860
fr_dict_attr_by_name
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition dict_util.c:3270
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2407
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:272
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:285
fr_dict_attr_autoload
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4097
fr_dict_autoload
#define fr_dict_autoload(_to_load)
Definition dict.h:857
fr_dict_read
int fr_dict_read(fr_dict_t *dict, char const *dict_dir, char const *filename)
Read supplementary attribute definitions into an existing dictionary.
Definition dict_tokenize.c:3547
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:271
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:284
fr_dlist_head
static void * fr_dlist_head(fr_dlist_head_t const *list_head)
Return the HEAD item of a list or NULL if the list is empty.
Definition dlist.h:486
fr_dlist_foreach
#define fr_dlist_foreach(_list_head, _type, _iter)
Iterate over the contents of a list.
Definition dlist.h:94
fr_dlist_remove
static void * fr_dlist_remove(fr_dlist_head_t *list_head, void *ptr)
Remove an item from the list.
Definition dlist.h:638
fr_dlist_talloc_free
static void fr_dlist_talloc_free(fr_dlist_head_t *head)
Free all items in a doubly linked list (with talloc)
Definition dlist.h:908
fr_dlist_num_elements
static unsigned int fr_dlist_num_elements(fr_dlist_head_t const *head)
Return the number of elements in the dlist.
Definition dlist.h:939
fr_dlist_insert_tail
static int fr_dlist_insert_tail(fr_dlist_head_t *list_head, void *ptr)
Insert an item into the tail of a list.
Definition dlist.h:378
fr_dlist_talloc_init
#define fr_dlist_talloc_init(_head, _type, _field)
Initialise the head structure of a doubly linked list.
Definition dlist.h:275
fr_dlist_next
static void * fr_dlist_next(fr_dlist_head_t const *list_head, void const *ptr)
Get the next item in a list.
Definition dlist.h:555
fr_dlist_head_t
Head of a doubly linked list.
Definition dlist.h:51
my
fr_bio_shutdown & my
Definition fd_errno.h:59
fr_inet_pton_port
int fr_inet_pton_port(fr_ipaddr_t *out, uint16_t *port_out, char const *value, ssize_t inlen, int af, bool resolve, bool mask)
Parses IPv4/6 address + port, to fr_ipaddr_t and integer (port)
Definition inet.c:937
fr_ipaddr_t::af
int af
Address family.
Definition inet.h:64
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
packet_global_init
int packet_global_init(void)
Initialises the Net.
Definition packet.c:185
fr_packet_net_from_pairs
void fr_packet_net_from_pairs(fr_packet_t *packet, fr_pair_list_t const *list)
Convert pairs to information in a packet.
Definition packet.c:139
talloc_free
talloc_free(reap)
fr_debug_lvl
int fr_debug_lvl
Definition log.c:43
fr_log_fp
FILE * fr_log_fp
Definition log.c:42
default_log
fr_log_t default_log
Definition log.c:291
fr_log_perror
void fr_log_perror(fr_log_t const *log, fr_log_type_t type, char const *file, int line, fr_log_perror_format_t const *rules, char const *fmt,...)
Drain any outstanding messages from the fr_strerror buffers.
Definition log.c:709
L_DST_STDOUT
@ L_DST_STDOUT
Log to stdout.
Definition log.h:78
L_ERR
@ L_ERR
Error message.
Definition log.h:56
fr_packet_alloc
fr_packet_t * fr_packet_alloc(TALLOC_CTX *ctx, bool new_vector)
Allocate a new fr_packet_t.
Definition packet.c:38
fr_packet_free
void fr_packet_free(fr_packet_t **packet_p)
Free a fr_packet_t.
Definition packet.c:89
fr_packet_list_find_byreply
fr_packet_t * fr_packet_list_find_byreply(fr_packet_list_t *pl, fr_packet_t *reply)
Definition list.c:323
fr_packet_list_free
void fr_packet_list_free(fr_packet_list_t *pl)
Definition list.c:264
fr_packet_list_recv
fr_packet_t * fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max_attributes, bool require_message_authenticator)
Definition list.c:672
fr_packet_list_create
fr_packet_list_t * fr_packet_list_create(int alloc_id)
Definition list.c:276
fr_packet_list_id_alloc
bool fr_packet_list_id_alloc(fr_packet_list_t *pl, int proto, fr_packet_t *request, void **pctx)
Definition list.c:395
fr_packet_list_yank
bool fr_packet_list_yank(fr_packet_list_t *pl, fr_packet_t *request)
Definition list.c:361
fr_packet_list_socket_add
bool fr_packet_list_socket_add(fr_packet_list_t *pl, int sockfd, int proto, fr_ipaddr_t *dst_ipaddr, uint16_t dst_port, void *ctx)
Definition list.c:187
fr_packet_list_num_elements
uint32_t fr_packet_list_num_elements(fr_packet_list_t *pl)
Definition list.c:368
fr_packet_list_fd_set
int fr_packet_list_fd_set(fr_packet_list_t *pl, fd_set *set)
Definition list.c:645
fr_packet_list_id_free
bool fr_packet_list_id_free(fr_packet_list_t *pl, fr_packet_t *request, bool yank)
Definition list.c:621
fr_packet_list_s
Definition list.c:106
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
mschap_nt_password_hash
int mschap_nt_password_hash(uint8_t out[static NT_DIGEST_LENGTH], char const *password)
Converts Unicode password to 16-byte NT hash with MD4.
Definition mschap.c:52
RADIUS_AUTH_VECTOR_LENGTH
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2937
fr_pair_validate_debug
void fr_pair_validate_debug(fr_pair_t const *failed[2])
Write an error to the library errorbuff detailing the mismatch.
Definition pair.c:2095
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:772
fr_pair_value_strdup
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition pair.c:2637
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:695
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1347
fr_pair_delete_by_da
int fr_pair_delete_by_da(fr_pair_list_t *list, fr_dict_attr_t const *da)
Delete matching pairs from the specified list.
Definition pair.c:1691
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:285
fr_pair_validate
bool fr_pair_validate(fr_pair_t const *failed[2], fr_pair_list_t *filter, fr_pair_list_t *list)
Uses fr_pair_cmp to verify all fr_pair_ts in list match the filter defined by check.
Definition pair.c:2130
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2787
fr_pair_delete
int fr_pair_delete(fr_pair_list_t *list, fr_pair_t *vp)
Remove fr_pair_t from a list and free.
Definition pair.c:1828
fr_pair_list_steal
void fr_pair_list_steal(TALLOC_CTX *ctx, fr_pair_list_t *list)
Steal a list of pairs to a new context.
Definition pair.c:2302
fr_pair_cmp_by_da
int8_t fr_pair_cmp_by_da(void const *a, void const *b)
Order attributes by their da, and tag.
Definition pair.c:1846
fr_pair_value_memdup_buffer_shallow
int fr_pair_value_memdup_buffer_shallow(fr_pair_t *vp, uint8_t const *src, bool tainted)
Assign a talloced buffer to a "octets" type value pair.
Definition pair.c:3012
fr_pair_list_afrom_file
int fr_pair_list_afrom_file(TALLOC_CTX *ctx, fr_dict_t const *dict, fr_pair_list_t *out, FILE *fp, bool *pfiledone)
Read valuepairs from the fp up to End-Of-File.
Definition pair_legacy.c:671
fr_radius_global_init
int fr_radius_global_init(void)
Definition base.c:1212
fr_radius_decode_simple
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)
Simple wrapper for callers who just need a shared secret.
Definition base.c:1190
fr_radius_global_free
void fr_radius_global_free(void)
Definition base.c:1235
fr_radius_request_name_table
fr_table_num_sorted_t const fr_radius_request_name_table[]
Definition base.c:101
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:112
fr_packet_verify
int fr_packet_verify(fr_packet_t *packet, fr_packet_t *original, char const *secret)
Verify the Request/Response Authenticator (and Message-Authenticator if present) of a packet.
Definition packet.c:143
fr_packet_recv
fr_packet_t * fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator)
Receive UDP client requests, and fill in the basics of a fr_packet_t structure.
Definition packet.c:205
fr_packet_send
int fr_packet_send(fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret)
Reply to the request.
Definition packet.c:291
fr_radius_packet_log
void fr_radius_packet_log(fr_log_t const *log, fr_packet_t *packet, fr_pair_list_t *list, bool received)
Definition packet.c:491
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
autofree
static TALLOC_CTX * autofree
Definition radclient-ng.c:107
blast_radius_check
static int blast_radius_check(rc_request_t *request, fr_packet_t *reply)
Definition radclient.c:1285
coa_tree
static fr_rb_tree_t * coa_tree
Definition radclient.c:95
client_ipaddr
static fr_ipaddr_t client_ipaddr
Definition radclient.c:84
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition radclient.c:124
attr_request_authenticator
static fr_dict_attr_t const * attr_request_authenticator
Definition radclient.c:120
blast_radius
static bool blast_radius
Definition radclient.c:82
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition radclient.c:126
send_one_packet
static int send_one_packet(rc_request_t *request)
Definition radclient.c:933
getport
static int getport(char const *name)
Definition radclient.c:286
radclient_version
static char const * radclient_version
Definition radclient.c:101
done
static bool done
Definition radclient.c:80
_rc_request_free
static int _rc_request_free(rc_request_t *request)
Definition radclient.c:193
client_port
static uint16_t client_port
Definition radclient.c:85
radclient_sane
static int radclient_sane(rc_request_t *request)
Definition radclient.c:864
recv_one_packet
static int recv_one_packet(fr_time_delta_t wait_time)
Definition radclient.c:1405
sleep_time
static fr_time_delta_t sleep_time
Definition radclient.c:68
coa_port
static uint16_t coa_port
Definition radclient.c:94
main
int main(int argc, char **argv)
Definition radclient.c:1606
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition radclient.c:103
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition radclient.c:122
packet_list
static fr_packet_list_t * packet_list
Definition radclient.c:97
resend_count
static int resend_count
Definition radclient.c:79
stats
static rc_stats_t stats
Definition radclient.c:74
attr_ms_chap_response
static fr_dict_attr_t const * attr_ms_chap_response
Definition radclient.c:117
dict_radius
static fr_dict_t const * dict_radius
Definition radclient.c:104
attr_ms_chap_challenge
static fr_dict_attr_t const * attr_ms_chap_challenge
Definition radclient.c:115
last_used_id
static int last_used_id
Definition radclient.c:88
server_port
static uint16_t server_port
Definition radclient.c:76
packet_code
static int packet_code
Definition radclient.c:77
radclient_dict_attr
fr_dict_attr_autoload_t radclient_dict_attr[]
Definition radclient.c:135
attr_chap_challenge
static fr_dict_attr_t const * attr_chap_challenge
Definition radclient.c:123
recv_coa_packet
static int recv_coa_packet(fr_time_delta_t wait_time)
Definition radclient.c:1125
do_output
static bool do_output
Definition radclient.c:70
server_ipaddr
static fr_ipaddr_t server_ipaddr
Definition radclient.c:78
openssl3_free
#define openssl3_free()
Definition radclient.c:247
ipproto
static int ipproto
Definition radclient.c:90
retries
static int retries
Definition radclient.c:66
attr_proxy_state
static fr_dict_attr_t const * attr_proxy_state
Definition radclient.c:127
attr_cleartext_password
static fr_dict_attr_t const * attr_cleartext_password
Definition radclient.c:113
deallocate_id
static void deallocate_id(rc_request_t *request)
Definition radclient.c:909
print_filename
static bool print_filename
Definition radclient.c:81
do_coa
static bool do_coa
Definition radclient.c:92
openssl3_init
#define openssl3_init()
Definition radclient.c:246
attr_radclient_test_name
static fr_dict_attr_t const * attr_radclient_test_name
Definition radclient.c:119
radclient_init
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
Definition radclient.c:469
attr_radclient_coa_filename
static fr_dict_attr_t const * attr_radclient_coa_filename
Definition radclient.c:129
mschapv1_encode
static int mschapv1_encode(fr_packet_t *packet, fr_pair_list_t *list, char const *password)
Definition radclient.c:250
already_hex
static bool already_hex(fr_pair_t *vp)
Definition radclient.c:353
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition radclient.c:125
radclient_dict
fr_dict_autoload_t radclient_dict[]
Definition radclient.c:107
secret
static char * secret
Definition radclient.c:69
rc_request_list
static fr_dlist_head_t rc_request_list
Definition radclient.c:99
coafd
static int coafd
Definition radclient.c:93
sockfd
static int sockfd
Definition radclient.c:87
attr_coa_filter
static fr_dict_attr_t const * attr_coa_filter
Definition radclient.c:132
radclient_get_port
static void radclient_get_port(fr_radius_packet_code_t type, uint16_t *port)
Definition radclient.c:299
attr_ms_chap_password
static fr_dict_attr_t const * attr_ms_chap_password
Definition radclient.c:116
pair_update_request
#define pair_update_request(_attr, _da)
Definition radclient.c:57
request_cmp
static int8_t request_cmp(void const *one, void const *two)
Definition radclient.c:891
attr_coa_filter_name
static const char * attr_coa_filter_name
Definition radclient.c:72
timeout
static fr_time_delta_t timeout
Definition radclient.c:67
attr_radclient_coa_filter
static fr_dict_attr_t const * attr_radclient_coa_filter
Definition radclient.c:130
usage
static NEVER_RETURNS void usage(void)
Definition radclient.c:157
radclient_get_code
static fr_radius_packet_code_t radclient_get_code(uint16_t port)
Definition radclient.c:332
coa_init
static int coa_init(rc_request_t *parent, FILE *coa_reply, char const *reply_filename, bool *coa_reply_done, FILE *coa_filter, char const *filter_filename, bool *coa_filter_done)
Definition radclient.c:378
radclient.h
Structures for the radclient utility.
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
rc_request::num
uint64_t num
The number (within the file) of the request were reading.
Definition radclient.h:76
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient.h:53
rc_request::password
fr_pair_t * password
Password.Cleartext.
Definition radclient.h:85
rc_stats_t::accepted
uint64_t accepted
Requests to which we received a accept.
Definition radclient.h:57
rc_request::reply
fr_packet_t * reply
The incoming response.
Definition radclient.h:89
rc_request::request_pairs
fr_pair_list_t request_pairs
Definition radclient.h:91
rc_file_pair_t::coa_reply
char const * coa_reply
file containing the CoA filter we want to match
Definition radclient.h:70
rc_stats_t::rejected
uint64_t rejected
Requests to which we received a reject.
Definition radclient.h:58
rc_request::node
fr_rb_node_t node
rbtree node data for CoA
Definition radclient.h:83
rc_file_pair_t::packets
char const * packets
The file containing the request packet.
Definition radclient.h:66
rc_stats_t::lost
uint64_t lost
Requests to which we received no response.
Definition radclient.h:59
rc_request::done
bool done
Whether the request is complete.
Definition radclient.h:99
rc_file_pair_t::coa_filter
char const * coa_filter
file containing the CoA filter we want to match
Definition radclient.h:69
rc_request::filter
fr_pair_list_t filter
If the reply passes the filter, then the request passes.
Definition radclient.h:94
rc_stats_t::failed
uint64_t failed
Requests which failed a filter.
Definition radclient.h:61
rc_request::reply_pairs
fr_pair_list_t reply_pairs
Definition radclient.h:92
rc_stats_t::passed
uint64_t passed
Requests which passed a filter.
Definition radclient.h:60
rc_request::filter_code
fr_radius_packet_code_t filter_code
Expected code of the response packet.
Definition radclient.h:95
rc_request::timestamp
fr_time_t timestamp
Definition radclient.h:86
rc_request::coa
rc_request_t * coa
CoA filter and reply.
Definition radclient.h:82
rc_request::name
char const * name
Test name (as specified in the request).
Definition radclient.h:101
WARN
#define WARN(fmt,...)
Definition radclient.h:47
rc_file_pair_t::filters
char const * filters
The file containing the definition of the packet we want to match.
Definition radclient.h:67
rc_request::packet
fr_packet_t * packet
The outgoing request.
Definition radclient.h:88
rc_request::files
rc_file_pair_t * files
Request and response file names.
Definition radclient.h:80
rc_file_pair_t
Definition radclient.h:64
rc_request
Definition radclient.h:75
rc_stats_t
Definition radclient.h:56
RADIUS_MAX_ATTRIBUTES
#define RADIUS_MAX_ATTRIBUTES
Definition radius.h:40
FR_RADIUS_PACKET_CODE_VALID
#define FR_RADIUS_PACKET_CODE_VALID(_x)
Definition radius.h:52
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
fr_rb_num_elements
uint32_t fr_rb_num_elements(fr_rb_tree_t *tree)
Return how many nodes there are in a tree.
Definition rb.c:781
fr_rb_remove
void * fr_rb_remove(fr_rb_tree_t *tree, void const *data)
Remove an entry from the tree, without freeing the data.
Definition rb.c:695
fr_rb_delete_by_inline_node
bool fr_rb_delete_by_inline_node(fr_rb_tree_t *tree, fr_rb_node_t *node)
Remove node and free data (if a free function was specified)
Definition rb.c:767
fr_rb_find
void * fr_rb_find(fr_rb_tree_t const *tree, void const *data)
Find an element in the tree, returning the data, not the node.
Definition rb.c:577
fr_rb_insert
bool fr_rb_insert(fr_rb_tree_t *tree, void const *data)
Insert data into a tree.
Definition rb.c:626
fr_rb_inline_talloc_alloc
#define fr_rb_inline_talloc_alloc(_ctx, _type, _field, _data_cmp, _data_free)
Allocs a red black that verifies elements are of a specific talloc type.
Definition rb.h:246
fr_rb_tree_s
The main red black tree structure.
Definition rb.h:73
request_s::reply
fr_packet_t * reply
Outgoing response.
Definition request.h:225
request_s::packet
char const *fr_packet_t * packet
< Module the request is currently being processed by.
Definition request.h:224
request_s
Definition request.h:165
name
static char const * name
Definition rlm_redis_ippool_tool.c:156
smbdes_mschap
void smbdes_mschap(uint8_t const win_password[16], uint8_t const *challenge, uint8_t *response)
Definition smbdes.c:339
fr_socket_server_udp
int fr_socket_server_udp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 unconnected UDP socket.
Definition socket.c:867
fr_socket_client_tcp
int fr_socket_client_tcp(char const *ifname, fr_ipaddr_t *src_ipaddr, fr_ipaddr_t const *dst_ipaddr, uint16_t dst_port, bool async)
Establish a connected TCP socket.
Definition socket.c:729
fr_socket_bind
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition socket.c:229
type
fr_aka_sim_id_type_t type
Definition state_machine.c:3623
vp
fr_pair_t * vp
Definition state_machine.c:2262
fr_time
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition state_test.c:8
fr_log_s::dst
fr_log_dst_t dst
Log destination.
Definition log.h:97
fr_log_s::fd
int fd
File descriptor to write messages to.
Definition log.h:112
fr_log_s::print_level
bool print_level
sometimes we don't want log levels printed
Definition log.h:106
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
fr_table_value_by_str
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
talloc_autofree_context
#define talloc_autofree_context
The original function is deprecated, so replace it with our version.
Definition talloc.h:51
fr_time_delta_from_str
fr_slen_t fr_time_delta_from_str(fr_time_delta_t *out, char const *in, size_t inlen, fr_time_res_t hint)
Create fr_time_delta_t from a string.
Definition time.c:456
fr_time_delta_lt
#define fr_time_delta_lt(_a, _b)
Definition time.h:285
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
fr_time_delta_wrap
#define fr_time_delta_wrap(_time)
Definition time.h:152
fr_time_delta_ispos
#define fr_time_delta_ispos(_a)
Definition time.h:290
fr_time_delta_to_timeval
#define fr_time_delta_to_timeval(_delta)
Convert a delta to a timeval.
Definition time.h:656
fr_time_delta_eq
#define fr_time_delta_eq(_a, _b)
Definition time.h:287
FR_TIME_RES_SEC
@ FR_TIME_RES_SEC
Definition time.h:50
NSEC
#define NSEC
Definition time.h:379
fr_time_sub
#define fr_time_sub(_a, _b)
Subtract one time from another.
Definition time.h:229
fr_time_delta_gt
#define fr_time_delta_gt(_a, _b)
Definition time.h:283
fr_time_delta_s
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
fr_time_s
"server local" time.
Definition time.h:69
FR_DICTIONARY_FILE
#define FR_DICTIONARY_FILE
Definition conf.h:7
fr_packet_t::uctx
void * uctx
Definition packet.h:79
fr_packet_t::code
unsigned int code
Packet code (type).
Definition packet.h:61
fr_packet_t::socket
fr_socket_t socket
This packet was received on.
Definition packet.h:57
fr_packet_t::id
int id
Packet ID (used to link requests/responses).
Definition packet.h:60
fr_packet_t::data
uint8_t * data
Packet data (body).
Definition packet.h:63
fr_packet_t::data_len
size_t data_len
Length of packet data.
Definition packet.h:64
fr_packet_t::vector
uint8_t vector[RADIUS_AUTH_VECTOR_LENGTH]
RADIUS authentication vector.
Definition packet.h:69
fr_packet_t
Definition packet.h:56
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:125
fr_pair_list_sort
void fr_pair_list_sort(fr_pair_list_t *list, fr_cmp_t cmp)
Sort a doubly linked list of fr_pair_ts using merge sort.
Definition pair_inline.c:140
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:70
fr_pair_list_append
void fr_pair_list_append(fr_pair_list_t *dst, fr_pair_list_t *src)
Appends a list of fr_pair_t from a temporary list to a destination list.
Definition pair_inline.c:182
PAIR_LIST_VERIFY
#define PAIR_LIST_VERIFY(_x)
Definition pair.h:194
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:43
parent
static fr_slen_t parent
Definition pair.h:845
fr_socket_t::af
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:78
fr_socket_t::fd
int fd
File descriptor if this is a live socket.
Definition socket.h:81
fr_socket_t::type
int type
SOCK_STREAM, SOCK_DGRAM, etc.
Definition socket.h:79
fr_perror
void fr_perror(char const *fmt,...)
Print the current error to stderr with a prefix.
Definition strerror.c:733
fr_strerror_clear
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
Definition strerror.c:577
fr_check_lib_magic
int fr_check_lib_magic(uint64_t magic)
Check if the application linking to the library has the correct magic number.
Definition version.c:40
RADIUSD_VERSION_BUILD
#define RADIUSD_VERSION_BUILD(_x)
Create a version string for a utility in the suite of FreeRADIUS utilities.
Definition version.h:58
RADIUSD_MAGIC_NUMBER
#define RADIUSD_MAGIC_NUMBER
Definition version.h:81
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:676
Generated by   doxygen 1.9.8