The FreeRADIUS server $Id: f3670dba8951ca10eb4948feb3dc3db9423a334f $
Loading...
Searching...
No Matches
radclient.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: a9d94bec8dcbb38869afa1016e2baa2844734252 $
19 *
20 * @file src/bin/radclient.c
21 * @brief General radius client and debug tool.
22 *
23 * @copyright 2000,2006,2014 The FreeRADIUS server project
24 * @copyright 2000 Miquel van Smoorenburg (miquels@cistron.nl)
25 * @copyright 2000 Alan DeKok (aland@freeradius.org)
26 */
27
28RCSID("$Id: a9d94bec8dcbb38869afa1016e2baa2844734252 $")
29
30#include <freeradius-devel/util/conf.h>
31#include <freeradius-devel/util/syserror.h>
32#include <freeradius-devel/util/atexit.h>
33#include <freeradius-devel/util/pair_legacy.h>
34#include <freeradius-devel/util/time.h>
35#include <freeradius-devel/server/packet.h>
36#include <freeradius-devel/radius/list.h>
37#include <freeradius-devel/radius/radius.h>
38#include <freeradius-devel/util/chap.h>
39#ifdef HAVE_OPENSSL_SSL_H
40#include <openssl/ssl.h>
41#include <freeradius-devel/util/md4.h>
42#endif
43
44#ifdef HAVE_GETOPT_H
45# include <getopt.h>
46#endif
47
48
49typedef struct request_s request_t; /* to shut up warnings about mschap.h */
50
51#include "smbdes.h"
52#include "mschap.h"
53
54#include "radclient.h"
55
56#define pair_update_request(_attr, _da) do { \
57 _attr = fr_pair_find_by_da(&request->request_pairs, NULL, _da); \
58 if (!_attr) { \
59 _attr = fr_pair_afrom_da(request, _da); \
60 fr_assert(_attr != NULL); \
61 fr_pair_append(&request->request_pairs, _attr); \
62 } \
63 } while (0)
64
65static int retries = 3;
66static fr_time_delta_t timeout = fr_time_delta_wrap((int64_t)5 * NSEC); /* 5 seconds */
68static char *secret = NULL;
69static bool do_output = true;
70
71static const char *attr_coa_filter_name = "User-Name";
72
74
78static int resend_count = 1;
79static int ignore_count = 0;
80static bool done = true;
81static bool print_filename = false;
82static bool blast_radius = false;
83
86
87static int sockfd;
88static int last_used_id = -1;
89
90static int ipproto = IPPROTO_UDP;
91
92static bool do_coa = false;
93static int coafd;
95static fr_rb_tree_t *coa_tree = NULL;
96
98
99static FR_DLIST_HEAD(rc_request_list) rc_request_list;
100
101static char const *radclient_version = RADIUSD_VERSION_BUILD("radclient");
102
103static fr_dict_t const *dict_freeradius;
104static fr_dict_t const *dict_radius;
105
106static const fr_dict_autoload_t radclient_dict[] = {
107 { .out = &dict_freeradius, .proto = "freeradius" },
108 { .out = &dict_radius, .proto = "radius" },
110};
111
113
117
120
128
131
133
135 { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
136 { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
137 { .out = &attr_ms_chap_password, .name = "Password.MS-CHAP", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
138 { .out = &attr_ms_chap_response, .name = "Vendor-Specific.Microsoft.CHAP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
139
140 { .out = &attr_radclient_test_name, .name = "Radclient-Test-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
141 { .out = &attr_request_authenticator, .name = "Request-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
142
143 { .out = &attr_radclient_coa_filename, .name = "Radclient-CoA-Filename", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
144 { .out = &attr_radclient_coa_filter, .name = "Radclient-CoA-Filter", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
145
146 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
147 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
148 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
149 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
150 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
151 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
152 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
153
155};
156
157static NEVER_RETURNS void usage(void)
158{
159 fprintf(stderr, "Usage: radclient [options] server[:port] <command> [<secret>]\n");
160
161 fprintf(stderr, " <command> One of auth, acct, status, coa, disconnect or auto.\n");
162 fprintf(stderr, " -4 Use IPv4 address of server\n");
163 fprintf(stderr, " -6 Use IPv6 address of server.\n");
164 fprintf(stderr, " -A <attribute> Use named 'attribute' to match CoA requests to packets. Default is User-Name\n");
165 fprintf(stderr, " -b Mandate checks for Blast RADIUS issue (this is not set by default).\n");
166 fprintf(stderr, " -C [<client_ip>:]<client_port> Client source port and source IP address. Port values may be 1..65535\n");
167 fprintf(stderr, " -c <count> Send each packet 'count' times.\n");
168 fprintf(stderr, " -d <confdir> Set user dictionary directory (defaults to " CONFDIR ").\n");
169 fprintf(stderr, " -D <dictdir> Set main dictionary directory (defaults to " DICTDIR ").\n");
170 fprintf(stderr, " -f <request>[:<expected>][:<coa_reply>][:<coa_expected>] Read packets from file, not stdin.\n");
171 fprintf(stderr, " If a second file is provided, it will be used to verify responses\n");
172 fprintf(stderr, " -F Print the file name, packet number and reply code.\n");
173 fprintf(stderr, " -h Print usage help information.\n");
174 fprintf(stderr, " -i <id> Set request id to 'id'. Values may be 0..255\n");
175 fprintf(stderr, " -n <num> Send N requests/s\n");
176 fprintf(stderr, " -o <port> Set CoA listening port (defaults to 3799)\n");
177 fprintf(stderr, " -p <num> Send 'num' packets from a file in parallel.\n");
178 fprintf(stderr, " -P <proto> Use proto (tcp or udp) for transport.\n");
179 fprintf(stderr, " -r <retries> If timeout, retry sending the packet 'retries' times.\n");
180 fprintf(stderr, " -s Print out summary information of auth results.\n");
181 fprintf(stderr, " -S <file> read secret from file, not command line.\n");
182 fprintf(stderr, " -t <timeout> Wait 'timeout' seconds before retrying (may be a floating point number).\n");
183 fprintf(stderr, " -v Show program version information.\n");
184 fprintf(stderr, " -x Debugging mode.\n");
185
186 fr_exit_now(EXIT_SUCCESS);
187}
188
189/*
190 * Free a radclient struct, which may (or may not)
191 * already be in the list.
192 */
193static int _rc_request_free(rc_request_t *request)
194{
195 rc_request_list_remove(&rc_request_list, request);
196
198 (void) fr_rb_delete_by_inline_node(coa_tree, &request->node);
199 }
200
201 return 0;
202}
203
204#ifdef HAVE_OPENSSL_SSL_H
205#include <openssl/provider.h>
206
207static OSSL_PROVIDER *openssl_default_provider = NULL;
208static OSSL_PROVIDER *openssl_legacy_provider = NULL;
209
210static int openssl3_init(void)
211{
212 /*
213 * Load the default provider for most algorithms
214 */
215 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
216 if (!openssl_default_provider) {
217 ERROR("(TLS) Failed loading default provider");
218 return -1;
219 }
220
221 /*
222 * Needed for MD4
223 *
224 * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
225 */
226 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
227 if (!openssl_legacy_provider) {
228 ERROR("(TLS) Failed loading legacy provider");
229 return -1;
230 }
231
232 fr_md5_openssl_init();
233 fr_md4_openssl_init();
234
235 return 0;
236}
237
238static void openssl3_free(void)
239{
240 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
241 ERROR("Failed unloading default provider");
242 }
243 openssl_default_provider = NULL;
244
245 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
246 ERROR("Failed unloading legacy provider");
247 }
248 openssl_legacy_provider = NULL;
249
250 fr_md5_openssl_free();
251 fr_md4_openssl_free();
252}
253#else
254#define openssl3_init() (0)
255#define openssl3_free()
256#endif
257
259 char const *password)
260{
261 unsigned int i;
262 uint8_t *p;
263 fr_pair_t *challenge, *reply;
264 uint8_t nthash[16];
265
268
270
271 fr_pair_append(list, challenge);
272
273 MEM(p = talloc_array(challenge, uint8_t, 8));
274 fr_pair_value_memdup_buffer_shallow(challenge, p, false);
275
276 for (i = 0; i < challenge->vp_length; i++) {
277 p[i] = fr_rand();
278 }
279
281 fr_pair_append(list, reply);
282 p = talloc_zero_array(reply, uint8_t, 50); /* really reply->da->flags.length */
284
285 p[1] = 0x01; /* NT hash */
286
287 if (mschap_nt_password_hash(nthash, password) < 0) return 0;
288
289 smbdes_mschap(nthash, challenge->vp_octets, p + 26);
290 return 1;
291}
292
293
294static int getport(char const *name)
295{
296 struct servent *svp;
297
298 svp = getservbyname(name, "udp");
299 if (!svp) return 0;
300
301 return ntohs(svp->s_port);
302}
303
304/*
305 * Set a port from the request type if we don't already have one
306 */
308{
309 switch (type) {
310 default:
314 if (*port == 0) *port = getport("radius");
315 if (*port == 0) *port = FR_AUTH_UDP_PORT;
316 return;
317
319 if (*port == 0) *port = getport("radacct");
320 if (*port == 0) *port = FR_ACCT_UDP_PORT;
321 return;
322
324 if (*port == 0) *port = FR_POD_UDP_PORT;
325 return;
326
328 if (*port == 0) *port = FR_COA_UDP_PORT;
329 return;
330
332 if (*port == 0) *port = 0;
333 return;
334 }
335}
336
337/*
338 * Resolve a port to a request type
339 */
341{
342 /*
343 * getport returns 0 if the service doesn't exist
344 * so we need to return early, to avoid incorrect
345 * codes.
346 */
347 if (port == 0) return FR_RADIUS_CODE_UNDEFINED;
348
349 if ((port == getport("radius")) || (port == FR_AUTH_UDP_PORT) || (port == FR_AUTH_UDP_PORT_ALT)) {
351 }
352 if ((port == getport("radacct")) || (port == FR_ACCT_UDP_PORT) || (port == FR_ACCT_UDP_PORT_ALT)) {
354 }
356
358}
359
360
362{
363 size_t i;
364
365 if (!vp || (vp->vp_type != FR_TYPE_OCTETS)) return true;
366
367 /*
368 * If it's 17 octets, it *might* be already encoded.
369 * Or, it might just be a 17-character password (maybe UTF-8)
370 * Check it for non-printable characters. The odds of ALL
371 * of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
372 * or 1/(2^51), which is pretty much zero.
373 */
374 for (i = 0; i < vp->vp_length; i++) {
375 if (vp->vp_octets[i] < 32) {
376 return true;
377 }
378 }
379
380 return false;
381}
382
383/** Read one CoA reply and potentially a filter
384 *
385 *
386 */
388 FILE *coa_reply, char const *reply_filename, bool *coa_reply_done,
389 FILE *coa_filter, char const *filter_filename, bool *coa_filter_done)
390{
391 rc_request_t *request;
392 fr_pair_t *vp;
393
394 /*
395 * Allocate it.
396 */
397 MEM(request = talloc_zero(parent, rc_request_t));
398 MEM(request->reply = fr_packet_alloc(request, false));
399
400 /*
401 * Don't initialize src/dst IP/port, or anything else. That will be read from the network.
402 */
403 fr_pair_list_init(&request->filter);
406
407 /*
408 * Read the reply VP's.
409 */
411 &request->reply_pairs, coa_reply, coa_reply_done, true) < 0) {
412 REDEBUG("Error parsing \"%s\"", reply_filename);
413 error:
414 talloc_free(request);
415 return -1;
416 }
417
418 /*
419 * The reply can be empty. In which case we just send an empty ACK.
420 */
422 if (vp) request->reply->code = vp->vp_uint32;
423
424 /*
425 * Read in filter VP's.
426 */
427 if (coa_filter) {
429 &request->filter, coa_filter, coa_filter_done, true) < 0) {
430 REDEBUG("Error parsing \"%s\"", filter_filename);
431 goto error;
432 }
433
434 if (*coa_filter_done && !*coa_reply_done) {
435 REDEBUG("Differing number of replies/filters in %s:%s "
436 "(too many replies)", reply_filename, filter_filename);
437 goto error;
438 }
439
440 if (!*coa_filter_done && *coa_reply_done) {
441 REDEBUG("Differing number of replies/filters in %s:%s "
442 "(too many filters)", reply_filename, filter_filename);
443 goto error;
444 }
445
446 /*
447 * This allows efficient list comparisons later
448 */
450 }
451
452 request->name = parent->name;
453
454 /*
455 * Automatically set the response code from the request code
456 * (if one wasn't already set).
457 */
458 if (request->filter_code == FR_RADIUS_CODE_UNDEFINED) {
460 }
461
462 parent->coa = request;
463
464 /*
465 * Ensure that the packet is also tracked in the CoA tree.
466 */
469 ERROR("Failed inserting packet from %s into CoA tree", request->name);
470 fr_exit_now(1);
471 }
472
473 return 0;
474}
475
476/*
477 * Initialize a radclient data structure and add it to
478 * the global linked list.
479 */
480static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
481{
482 FILE *packets, *filters = NULL;
483
484 fr_pair_t *vp;
485 rc_request_t *request = NULL;
486 bool packets_done = false;
487 uint64_t num = 0;
488
489 FILE *coa_reply = NULL;
490 FILE *coa_filter = NULL;
491 bool coa_reply_done = false;
492 bool coa_filter_done = false;
493
494 fr_assert(files->packets != NULL);
495
496 /*
497 * Determine where to read the VP's from.
498 */
499 if (strcmp(files->packets, "-") != 0) {
500 packets = fopen(files->packets, "r");
501 if (!packets) {
502 ERROR("Error opening %s: %s", files->packets, fr_syserror(errno));
503 return -1;
504 }
505
506 /*
507 * Read in the pairs representing the expected response.
508 */
509 if (files->filters) {
510 filters = fopen(files->filters, "r");
511 if (!filters) {
512 ERROR("Error opening %s: %s", files->filters, fr_syserror(errno));
513 goto error;
514 }
515 }
516
517 if (files->coa_reply) {
518 coa_reply = fopen(files->coa_reply, "r");
519 if (!coa_reply) {
520 ERROR("Error opening %s: %s", files->coa_reply, fr_syserror(errno));
521 goto error;
522 }
523 }
524
525 if (files->coa_filter) {
526 coa_filter = fopen(files->coa_filter, "r");
527 if (!coa_filter) {
528 ERROR("Error opening %s: %s", files->coa_filter, fr_syserror(errno));
529 goto error;
530 }
531 }
532 } else {
533 packets = stdin;
534 }
535
536 /*
537 * Loop until the file is done.
538 */
539 do {
540 char const *coa_reply_filename = NULL;
541 char const *coa_filter_filename = NULL;
542
543 /*
544 * Allocate it.
545 */
546 MEM(request = talloc_zero(ctx, rc_request_t));
547 MEM(request->packet = fr_packet_alloc(request, true));
548 request->packet->uctx = request;
549
550 request->packet->socket.inet.src_ipaddr = client_ipaddr;
551 request->packet->socket.inet.src_port = client_port;
552 request->packet->socket.inet.dst_ipaddr = server_ipaddr;
553 request->packet->socket.inet.dst_port = server_port;
554 request->packet->socket.type = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
555
556 request->files = files;
557 request->packet->id = last_used_id;
558 request->num = num++;
559
560 fr_pair_list_init(&request->filter);
563
564 /*
565 * Read the request VP's.
566 */
568 &request->request_pairs, packets, &packets_done, true) < 0) {
569 char const *input;
570
571 if ((files->packets[0] == '-') && (files->packets[1] == '\0')) {
572 input = "stdin";
573 } else {
574 input = files->packets;
575 }
576
577 REDEBUG("Error parsing \"%s\"", input);
578 goto error;
579 }
580
581 /*
582 * Skip empty entries
583 */
584 if (fr_pair_list_empty(&request->request_pairs)) {
585 WARN("Skipping \"%s\": No Attributes", files->packets);
586 talloc_free(request);
587 continue;
588 }
589
590 /*
591 * Read in filter VP's.
592 */
593 if (filters) {
594 bool filters_done;
595
597 &request->filter, filters, &filters_done, true) < 0) {
598 REDEBUG("Error parsing \"%s\"", files->filters);
599 goto error;
600 }
601
602 if (filters_done && !packets_done) {
603 REDEBUG("Differing number of packets/filters in %s:%s "
604 "(too many requests))", files->packets, files->filters);
605 goto error;
606 }
607
608 if (!filters_done && packets_done) {
609 REDEBUG("Differing number of packets/filters in %s:%s "
610 "(too many filters))", files->packets, files->filters);
611 goto error;
612 }
613
614 vp = fr_pair_find_by_da(&request->filter, NULL, attr_packet_type);
615 if (vp) {
616 if (!FR_RADIUS_PACKET_CODE_VALID(vp->vp_uint32)) {
617 REDEBUG("Invalid filter code %u in %s:%s", vp->vp_uint32,
618 files->packets, files->filters);
619 goto error;
620 }
621
622 request->filter_code = vp->vp_uint32;
623 fr_pair_delete(&request->filter, vp);
624 }
625
626 /*
627 * This allows efficient list comparisons later
628 */
630 }
631
632 /*
633 * Process special attributes
634 */
635 for (vp = fr_pair_list_head(&request->request_pairs);
636 vp;
637 vp = fr_pair_list_next(&request->request_pairs, vp)) {
638 /*
639 * Allow it to set the packet type in
640 * the attributes read from the file.
641 */
642 if (vp->da == attr_packet_type) {
643 request->packet->code = vp->vp_uint32;
644 } else if (vp->da == attr_request_authenticator) {
645 if (vp->vp_length >= sizeof(request->packet->vector)) {
646 memcpy(request->packet->vector, vp->vp_octets, sizeof(request->packet->vector));
647 } else {
648 memset(request->packet->vector, 0, sizeof(request->packet->vector));
649 memcpy(request->packet->vector, vp->vp_octets, vp->vp_length);
650 }
651 } else if (vp->da == attr_cleartext_password) {
652 request->password = vp;
653 /*
654 * Keep a copy of the the password attribute.
655 */
656 } else if (vp->da == attr_chap_password) {
657 /*
658 * If it's already hex, do nothing.
659 */
660 if ((vp->vp_length == 17) && (already_hex(vp))) continue;
661
662 /*
663 * CHAP-Password is octets, so it may not be zero terminated.
664 */
666 fr_pair_value_bstrndup(request->password, vp->vp_strvalue, vp->vp_length, true);
667 } else if (vp->da == attr_ms_chap_password) {
669 fr_pair_value_bstrndup(request->password, vp->vp_strvalue, vp->vp_length, true);
670
671 } else if (vp->da == attr_radclient_test_name) {
672 request->name = vp->vp_strvalue;
673
674 /*
675 * Allow these to be dynamically specified
676 * in the request file, as well as on the
677 * command line.
678 */
679 } else if (vp->da == attr_radclient_coa_filename) {
680 coa_reply_filename = vp->vp_strvalue;
681
682 } else if (vp->da == attr_radclient_coa_filter) {
683 coa_filter_filename = vp->vp_strvalue;
684 }
685 } /* loop over the VP's we read in */
686
687 /*
688 * Use the default set on the command line
689 */
690 if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) request->packet->code = packet_code;
691
692 /*
693 * Fill in the packet header from attributes, and then
694 * re-realize the attributes.
695 */
696 fr_packet_net_from_pairs(request->packet, &request->request_pairs);
697
698 /*
699 * Default to the filename
700 */
701 if (!request->name) request->name = request->files->packets;
702
703 /*
704 * Automatically set the response code from the request code
705 * (if one wasn't already set).
706 */
707 if (request->filter_code == FR_RADIUS_CODE_UNDEFINED) {
708 switch (request->packet->code) {
711 break;
712
715 break;
716
719 break;
720
723 break;
724
726 switch (radclient_get_code(request->packet->socket.inet.dst_port)) {
729 break;
730
733 break;
734
735 default:
737 break;
738 }
739 break;
740
742 REDEBUG("Packet-Type must be defined,"
743 "or a well known RADIUS port");
744 goto error;
745
746 default:
747 REDEBUG("Can't determine expected reply.Packet-Type for Packet-Type %i",
748 request->packet->code);
749 goto error;
750 }
751 /*
752 * Automatically set the request code from the response code
753 * (if one wasn't already set).
754 */
755 } else if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) {
756 switch (request->filter_code) {
760 break;
761
764 break;
765
769 break;
770
774 break;
775
776 default:
777 REDEBUG("Can't determine expected Packet-Type for reply.Packet-Type %i",
778 request->filter_code);
779 goto error;
780 }
781 }
782
783 /*
784 * Automatically set the dst port (if one wasn't already set).
785 */
786 if (request->packet->socket.inet.dst_port == 0) {
787 radclient_get_port(request->packet->code, &request->packet->socket.inet.dst_port);
788 if (request->packet->socket.inet.dst_port == 0) {
789 REDEBUG("Can't determine destination port");
790 goto error;
791 }
792 }
793
794 /*
795 * Read in the CoA filename and filter.
796 */
797 if (coa_reply_filename) {
798 if (coa_reply) {
799 RDEBUG("Cannot specify CoA file on both the command line and via Radclient-CoA-Filename");
800 goto error;
801 }
802
803 coa_reply = fopen(coa_reply_filename, "r");
804 if (!coa_reply) {
805 ERROR("Error opening %s: %s", coa_reply_filename, fr_syserror(errno));
806 goto error;
807 }
808
809 if (coa_filter_filename) {
810 coa_filter = fopen(coa_filter_filename, "r");
811 if (!coa_filter) {
812 ERROR("Error opening %s: %s", coa_filter_filename, fr_syserror(errno));
813 goto error;
814 }
815 } else {
816 coa_filter = NULL;
817 }
818
819 /*
820 * Read in one CoA reply and/or filter
821 */
822 if (coa_init(request,
823 coa_reply, coa_reply_filename, &coa_reply_done,
824 coa_filter, coa_filter_filename, &coa_filter_done) < 0) {
825 goto error;
826 }
827
828 fclose(coa_reply);
829 coa_reply = NULL;
830 if (coa_filter) {
831 fclose(coa_filter);
832 coa_filter = NULL;
833 }
834 do_coa = true;
835
836 } else if (coa_reply) {
837 if (coa_init(request,
838 coa_reply, coa_reply_filename, &coa_reply_done,
839 coa_filter, coa_filter_filename, &coa_filter_done) < 0) {
840 goto error;
841 }
842
843 if (coa_reply_done != packets_done) {
844 REDEBUG("Differing number of packets in input file and coa_reply in %s:%s ",
845 files->packets, files->coa_reply);
846 goto error;
847
848 }
849 }
850
851 /*
852 * Add it to the tail of the list.
853 */
854 rc_request_list_insert_tail(&rc_request_list, request);
855
856 /*
857 * Set the destructor so it removes itself from the
858 * request list when freed. We don't set this until
859 * the packet is actually in the list, else we trigger
860 * the asserts in the free callback.
861 */
862 talloc_set_destructor(request, _rc_request_free);
863 } while (!packets_done); /* loop until the file is done. */
864
865 if (packets != stdin) fclose(packets);
866 if (filters) fclose(filters);
867 if (coa_reply) fclose(coa_reply);
868 if (coa_filter) fclose(coa_filter);
869
870 /*
871 * And we're done.
872 */
873 return 0;
874
875error:
876 talloc_free(request);
877
878 if (packets != stdin) fclose(packets);
879 if (filters) fclose(filters);
880 if (coa_reply) fclose(coa_reply);
881 if (coa_filter) fclose(coa_filter);
882
883 return -1;
884}
885
886
887/*
888 * Sanity check each argument.
889 */
890static int radclient_sane(rc_request_t *request)
891{
892 if (request->packet->socket.inet.dst_port == 0) {
893 request->packet->socket.inet.dst_port = server_port;
894 }
895 if (request->packet->socket.inet.dst_ipaddr.af == AF_UNSPEC) {
896 if (server_ipaddr.af == AF_UNSPEC) {
897 ERROR("No server was given, and request %" PRIu64 " in file %s did not contain "
898 "Packet-Dst-IP-Address", request->num, request->files->packets);
899 return -1;
900 }
901 request->packet->socket.inet.dst_ipaddr = server_ipaddr;
902 }
903 if (request->packet->code == 0) {
904 if (packet_code == -1) {
905 ERROR("Request was \"auto\", and request %" PRIu64 " in file %s did not contain Packet-Type",
906 request->num, request->files->packets);
907 return -1;
908 }
909 request->packet->code = packet_code;
910 }
911 request->packet->socket.fd = -1;
912
913 return 0;
914}
915
916
917static int8_t request_cmp(void const *one, void const *two)
918{
919 rc_request_t const *a = one, *b = two;
920 fr_pair_t *vp1, *vp2;
921
923 vp2 = fr_pair_find_by_da(&b->request_pairs, NULL, attr_coa_match_attr);
924
925 if (!vp1) return -1;
926 if (!vp2) return +1;
927
928 return fr_value_box_cmp(&vp1->data, &vp2->data);
929}
930
931
932/*
933 * Deallocate packet ID, etc.
934 */
935static void deallocate_id(rc_request_t *request)
936{
937 if (!request || !request->packet ||
938 (request->packet->id < 0)) {
939 return;
940 }
941
942 /*
943 * One more unused RADIUS ID.
944 */
946
947 /*
948 * If we've already sent a packet, free up the old one,
949 * and ensure that the next packet has a unique
950 * authentication vector.
951 */
952 if (request->packet->data) TALLOC_FREE(request->packet->data);
953 if (request->reply) fr_packet_free(&request->reply);
954}
955
956/*
957 * Send one packet.
958 */
959static int send_one_packet(rc_request_t *request)
960{
961 fr_pair_t *vp;
962
963 fr_assert(request->done == false);
964
965#ifdef STATIC_ANALYZER
966 if (!secret) fr_exit_now(1);
967#endif
968
969 /*
970 * Remember when we have to wake up, to re-send the
971 * request, of we didn't receive a reply.
972 */
975 }
976
977 /*
978 * Haven't sent the packet yet. Initialize it.
979 */
980 if (!request->tries || request->packet->id == -1) {
981 bool rcode;
982
983 fr_assert(request->reply == NULL);
984
985 /*
986 * Didn't find a free packet ID, we're not done,
987 * we don't sleep, and we stop trying to process
988 * this packet.
989 */
990 retry:
991 request->packet->socket.inet.src_ipaddr.af = server_ipaddr.af;
992 rcode = fr_packet_list_id_alloc(packet_list, ipproto, request->packet, NULL);
993 if (!rcode) {
994 int mysockfd;
995
996 if (ipproto == IPPROTO_TCP) {
997 mysockfd = fr_socket_client_tcp(NULL, NULL,
998 &request->packet->socket.inet.dst_ipaddr,
999 request->packet->socket.inet.dst_port, false);
1000 if (mysockfd < 0) {
1001 fr_perror("Error opening socket");
1002 return -1;
1003 }
1004 } else {
1005 uint16_t port = 0;
1006
1007 mysockfd = fr_socket_server_udp(&client_ipaddr, &port, NULL, true);
1008 if (mysockfd < 0) {
1009 fr_perror("Error opening socket");
1010 return -1;
1011 }
1012
1013 if (fr_socket_bind(mysockfd, NULL, &client_ipaddr, &port) < 0) {
1014 fr_perror("Error binding socket");
1015 return -1;
1016 }
1017 }
1018
1020 &request->packet->socket.inet.dst_ipaddr,
1021 request->packet->socket.inet.dst_port, NULL)) {
1022 ERROR("Can't add new socket");
1023 fr_exit_now(1);
1024 }
1025 goto retry;
1026 }
1027
1028 fr_assert(request->packet->id != -1);
1029 fr_assert(request->packet->data == NULL);
1030
1031 /*
1032 * Update the password, so it can be encrypted with the
1033 * new authentication vector.
1034 */
1035 if (request->password) {
1036 if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password)) != NULL) {
1037 uint8_t buffer[17];
1038 fr_pair_t *challenge;
1039
1040 /*
1041 * Use CHAP-Challenge pair if present, otherwise create CHAP-Challenge and
1042 * populate with current Request Authenticator.
1043 *
1044 * Request Authenticator is re-calculated by fr_packet_sign
1045 */
1046 challenge = fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge);
1047 if (!challenge || (challenge->vp_length < 7)) {
1049 fr_pair_value_memdup(challenge, request->packet->vector, RADIUS_AUTH_VECTOR_LENGTH, false);
1050 }
1051
1053 fr_rand() & 0xff, challenge->vp_octets, challenge->vp_length,
1054 request->password->vp_strvalue,
1055 request->password->vp_length);
1056 fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
1057
1058 } else if (fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_ms_chap_password) != NULL) {
1059 mschapv1_encode(request->packet, &request->request_pairs, request->password->vp_strvalue);
1060
1061 } else {
1062 DEBUG("WARNING: No password in the request");
1063 }
1064 }
1065
1066 request->timestamp = fr_time();
1067 request->tries = 1;
1068 request->resend++;
1069
1070 } else { /* request->packet->id >= 0 */
1071 fr_time_t now = fr_time();
1072
1073 /*
1074 * FIXME: Accounting packets are never retried!
1075 * The Acct-Delay-Time attribute is updated to
1076 * reflect the delay, and the packet is re-sent
1077 * from scratch!
1078 */
1079
1080 /*
1081 * Not time for a retry, do so.
1082 */
1083 if (fr_time_delta_lt(fr_time_sub(now, request->timestamp), timeout)) {
1084 fr_time_delta_t remaining;
1085
1086 remaining = fr_time_delta_sub(timeout, fr_time_sub(now, request->timestamp));
1087
1089 fr_time_delta_gt(sleep_time, remaining)) {
1090 sleep_time = remaining;
1091 }
1092 return 0;
1093 }
1094
1095 /*
1096 * We're not trying later, maybe the packet is done.
1097 */
1098 if (request->tries == retries) {
1099 fr_assert(request->packet->id >= 0);
1100
1101 /*
1102 * Delete the request from the tree of
1103 * outstanding requests.
1104 */
1106
1107 REDEBUG("No reply from server for ID %d socket %d",
1108 request->packet->id, request->packet->socket.fd);
1109 deallocate_id(request);
1110
1111 /*
1112 * Normally we mark it "done" when we've received
1113 * the reply, but this is a special case.
1114 */
1115 if (request->resend == resend_count) {
1116 request->done = true;
1117 }
1118 stats.lost++;
1119 return -1;
1120 }
1121
1122 /*
1123 * We are trying later.
1124 */
1125 request->timestamp = now;
1126 request->tries++;
1127 }
1128
1129 /*
1130 * If there's a Message-Authenticator in the packet, AND it has a "don't send" operator, then
1131 * delete it. We manually encode the packet (which also prints out Message-Authenticator), and
1132 * then manually remove the Message-Authenticator bytes from the packet. The encoder still
1133 * prints out that it's sending Message-Authenticator, but oh well.
1134 */
1136 if (vp && (vp->op == T_OP_CMP_FALSE) && !request->packet->data &&
1138 fr_pair_delete(&request->request_pairs, vp);
1139
1140 if (fr_radius_packet_encode(request->packet, &request->request_pairs, NULL, secret) < 0) {
1141 REDEBUG("Failed to encode packet for ID %d", request->packet->id);
1142 goto error;
1143 }
1144
1145 /*
1146 * Manually re-write the packet to get rid of Message-Authenticator.
1147 */
1148 if ((request->packet->data_len >= (RADIUS_HEADER_LENGTH + 18)) &&
1150 (request->packet->data[RADIUS_HEADER_LENGTH + 1] == 18)) {
1151 memmove(request->packet->data + RADIUS_HEADER_LENGTH,
1152 request->packet->data + RADIUS_HEADER_LENGTH + 18,
1153 request->packet->data_len - 18);
1154 request->packet->data_len -= 18;
1155 fr_nbo_from_uint16(request->packet->data + 2, request->packet->data_len);
1156 }
1157
1158 if (fr_radius_packet_sign(request->packet, NULL, secret) < 0) {
1159 REDEBUG("Failed to sign packet for ID %d", request->packet->id);
1160 goto error;
1161 }
1162 }
1163
1164 /*
1165 * Send the packet.
1166 */
1167 if (fr_radius_packet_send(request->packet, &request->request_pairs, NULL, secret) < 0) {
1168 REDEBUG("Failed to send packet for ID %d", request->packet->id);
1169 error:
1170 deallocate_id(request);
1171 request->done = true;
1172 return -1;
1173 }
1174
1175 fr_radius_packet_log(&default_log, request->packet, &request->request_pairs, false);
1176
1177 return 0;
1178}
1179
1180/*
1181 * Receive a CoA packet, maybe.
1182 */
1184{
1185 fd_set set;
1186 fr_time_delta_t our_wait_time;
1187 rc_request_t *request, *parent;
1188 fr_packet_t *packet;
1190
1191#ifdef STATIC_ANALYZER
1192 if (!secret) fr_exit_now(1);
1193#endif
1194
1195 /* And wait for reply, timing out as necessary */
1196 FD_ZERO(&set);
1197 FD_SET(coafd, &set);
1198
1199 our_wait_time = !fr_time_delta_ispos(wait_time) ? fr_time_delta_from_sec(0) : wait_time;
1200
1201 /*
1202 * No packet was received.
1203 */
1204 if (select(coafd + 1, &set, NULL, NULL, &fr_time_delta_to_timeval(our_wait_time)) <= 0) return 0;
1205
1206 /*
1207 * Read a packet from a network.
1208 */
1209 packet = fr_packet_recv(NULL, coafd, 0, 200, false);
1210 if (!packet) {
1211 DEBUG("Failed reading CoA packet");
1212 return 0;
1213 }
1214
1215 /*
1216 * Fails the signature validation: not a real reply
1217 */
1218 if (fr_radius_packet_verify(packet, NULL, secret) < 0) {
1219 DEBUG("CoA verification failed");
1220 talloc_free(packet);
1221 return 0;
1222 }
1223
1224 fr_pair_list_init(&my.request_pairs);
1225
1226 /*
1227 * Decode the packet before looking up the parent, so that we can compare the pairs.
1228 */
1229 if (fr_radius_decode_simple(packet, &my.request_pairs,
1230 packet->data, packet->data_len,
1231 NULL, secret) < 0) {
1232 DEBUG("Failed decoding CoA packet");
1233 talloc_free(packet);
1234 return 0;
1235 }
1236
1237 fr_radius_packet_log(&default_log, packet, &my.request_pairs, true);
1238
1239 /*
1240 * Find a Access-Request which has the same User-Name / etc. as this CoA packet.
1241 */
1242 my.name = "receive CoA request";
1243 my.packet = packet;
1244
1246 if (!parent) {
1247 DEBUG("No matching request packet for CoA packet %u %u", packet->data[0], packet->data[1]);
1248 talloc_free(packet);
1249 return 0;
1250 }
1251 fr_assert(parent->coa);
1252
1253 request = parent->coa;
1254 request->packet = talloc_steal(request, packet);
1255
1257 fr_pair_list_append(&request->request_pairs, &my.request_pairs);
1258
1259 /*
1260 * If we had an expected response code, check to see if the
1261 * packet matched that.
1262 */
1263 if (request->packet->code != request->filter_code) {
1264 if (FR_RADIUS_PACKET_CODE_VALID(request->reply->code)) {
1265 REDEBUG("%s: Expected %s got %s", request->name, fr_radius_packet_name[request->filter_code],
1266 fr_radius_packet_name[request->packet->code]);
1267 } else {
1268 REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
1269 request->packet->code);
1270 }
1271 stats.failed++;
1272
1273 /*
1274 * Check if the contents of the packet matched the filter
1275 */
1276 } else if (fr_pair_list_empty(&request->filter)) {
1277 stats.passed++;
1278
1279 } else {
1280 fr_pair_t const *failed[2];
1281
1283 if (fr_pair_validate(failed, &request->filter, &request->request_pairs)) {
1284 RDEBUG("%s: CoA request passed filter", request->name);
1285 stats.passed++;
1286 } else {
1287 fr_pair_validate_debug(failed);
1288 REDEBUG("%s: CoA Request for failed filter", request->name);
1289 stats.failed++;
1290 }
1291 }
1292
1293 request->reply->id = request->packet->id;
1294
1295 request->reply->socket.type = SOCK_DGRAM;
1296 request->reply->socket.af = client_ipaddr.af;
1297 request->reply->socket.fd = coafd;
1298 request->reply->socket.inet.src_ipaddr = client_ipaddr;
1299 request->reply->socket.inet.src_port = coa_port;
1300 request->reply->socket.inet.dst_ipaddr = packet->socket.inet.src_ipaddr;
1301 request->reply->socket.inet.dst_port = packet->socket.inet.src_port;
1302
1303 if (!request->reply->code) switch (packet->code) {
1305 request->reply->code = FR_RADIUS_CODE_COA_ACK;
1306 break;
1307
1310 break;
1311
1312 default:
1313 RDEBUG("Failed getting reply packet type");
1314 return 0;
1315 }
1316
1317 fr_radius_packet_log(&default_log, request->reply, &request->reply_pairs, false);
1318
1319
1320 /*
1321 * Send reply.
1322 */
1323 if (fr_radius_packet_send(request->reply, &request->reply_pairs, packet, secret) < 0) {
1324 REDEBUG("Failed sending CoA reply");
1325 return 0;
1326 }
1327
1329
1330 /*
1331 * No longer waiting for a CoA packet for this request.
1332 */
1333 TALLOC_FREE(parent->coa);
1334 return 0;
1335}
1336
1337
1338/*
1339 * Do Blast RADIUS checks.
1340 *
1341 * The request is an Access-Request, and does NOT contain Proxy-State.
1342 *
1343 * The reply is a raw packet, and is NOT yet decoded.
1344 */
1345static int blast_radius_check(rc_request_t *request, fr_packet_t *reply)
1346{
1347 uint8_t *attr, *end;
1348 fr_pair_t *vp;
1349 bool have_message_authenticator = false;
1350
1351 /*
1352 * We've received a raw packet. Nothing has (as of yet) checked
1353 * anything in it other than the length, and that it's a
1354 * well-formed RADIUS packet.
1355 */
1356 switch (reply->data[0]) {
1361 if (reply->data[1] != request->packet->id) {
1362 ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id);
1363 return -1;
1364 }
1365 break;
1366
1367 default:
1368 ERROR("Invalid reply code %d to Access-Request", reply->data[0]);
1369 return -1;
1370 }
1371
1372 /*
1373 * If the reply has a Message-Authenticator, then it MIGHT be fine.
1374 */
1375 attr = reply->data + 20;
1376 end = reply->data + reply->data_len;
1377
1378 /*
1379 * It should be the first attribute, so we warn if it isn't there.
1380 *
1381 * But it's not a fatal error.
1382 */
1383 if (blast_radius && (attr[0] != FR_MESSAGE_AUTHENTICATOR)) {
1384 RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute. The packet may be vulnerable to Blast RADIUS attacks.",
1385 fr_radius_packet_name[reply->data[0]]);
1386 }
1387
1388 /*
1389 * Set up for Proxy-State checks.
1390 *
1391 * If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack.
1392 */
1394
1395 while (attr < end) {
1396 /*
1397 * Blast RADIUS work-arounds require that
1398 * Message-Authenticator is the first attribute in the
1399 * reply. Note that we don't check for it being the
1400 * first attribute, but simply that it exists.
1401 *
1402 * That check is a balance between securing the reply
1403 * packet from attacks, and not violating the RFCs which
1404 * say that there is no order to attributes in the
1405 * packet.
1406 *
1407 * However, no matter the status of the '-b' flag we
1408 * still can check for the signature of the attack, and
1409 * discard packets which are suspicious. This behavior
1410 * protects radclient from the attack, without mandating
1411 * new behavior on the server side.
1412 *
1413 * Note that we don't set the '-b' flag by default.
1414 * radclient is intended for testing / debugging, and is
1415 * not intended to be used as part of a secure login /
1416 * user checking system.
1417 */
1418 if (attr[0] == FR_MESSAGE_AUTHENTICATOR) {
1419 have_message_authenticator = true;
1420 goto next;
1421 }
1422
1423 /*
1424 * If there are Proxy-State attributes in the reply, they must
1425 * match EXACTLY the Proxy-State attributes in the request.
1426 *
1427 * Note that we don't care if there are more Proxy-States
1428 * in the request than in the reply. The Blast RADIUS
1429 * issue requires _adding_ Proxy-State attributes, and
1430 * cannot work when the server _deletes_ Proxy-State
1431 * attributes.
1432 */
1433 if (attr[0] == FR_PROXY_STATE) {
1434 if (!vp || (vp->vp_length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->vp_length) != 0)) {
1435 ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id);
1436 ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent.");
1437 return -1;
1438 }
1439
1441 }
1442
1443 next:
1444 attr += attr[1];
1445 }
1446
1447 /*
1448 * If "-b" is set, then we require Message-Authenticator in the reply.
1449 */
1450 if (blast_radius && !have_message_authenticator) {
1451 ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.",
1452 fr_radius_packet_name[reply->data[0]]);
1453 return -1;
1454 }
1455
1456 /*
1457 * The packet doesn't look like it's a Blast RADIUS attack. The
1458 * caller will now verify the packet signature.
1459 */
1460 return 0;
1461}
1462
1463/*
1464 * Receive one packet, maybe.
1465 */
1467{
1468 int rcode;
1469 fd_set set;
1470 fr_time_delta_t our_wait_time;
1471 rc_request_t *request;
1472 fr_packet_t *reply, *packet;
1473 volatile int max_fd;
1474
1475#ifdef STATIC_ANALYZER
1476 if (!secret) fr_exit_now(1);
1477#endif
1478
1479 /* And wait for reply, timing out as necessary */
1480 FD_ZERO(&set);
1481
1482 max_fd = fr_packet_list_fd_set(packet_list, &set);
1483 if (max_fd < 0) fr_exit_now(1); /* no sockets to listen on! */
1484
1485 our_wait_time = !fr_time_delta_ispos(wait_time) ? fr_time_delta_from_sec(0) : wait_time;
1486
1487 if (do_coa && fr_rb_num_elements(coa_tree) > 0) {
1488 FD_SET(coafd, &set);
1489 if (coafd >= max_fd) max_fd = coafd + 1;
1490 }
1491
1492 /*
1493 * See if a packet was received.
1494 */
1495retry:
1496 if (select(max_fd, &set, NULL, NULL, &fr_time_delta_to_timeval(our_wait_time)) <= 0) return 0;
1497
1498 /*
1499 * Read a CoA packet
1500 */
1501 if (FD_ISSET(coafd, &set)) {
1503 FD_CLR(coafd, &set);
1504 our_wait_time = fr_time_delta_from_sec(0);
1505 goto retry;
1506 }
1507
1508 /*
1509 * Look for the packet.
1510 */
1511 rcode = fr_packet_list_recv(packet_list, &set, NULL, &reply, RADIUS_MAX_ATTRIBUTES, false);
1512 if (rcode < 0) {
1513 ERROR("Received bad packet");
1514
1515 /*
1516 * If the packet is bad, we close the socket.
1517 * I'm not sure how to do that now, so we just
1518 * die...
1519 */
1520 if (ipproto == IPPROTO_TCP) fr_exit_now(1);
1521 return -1; /* bad packet */
1522 }
1523
1524 /*
1525 * We don't use udpfromto. So if we bind to "*", we want
1526 * to find replies sent to 192.0.2.4. Therefore, we
1527 * force all replies to have the one address we know
1528 * about, no matter what real address they were sent to.
1529 *
1530 * This only works if were not using any of the
1531 * Packet-* attributes, or running with 'auto'.
1532 */
1533 reply->socket.inet.dst_ipaddr = client_ipaddr;
1534 reply->socket.inet.dst_port = client_port;
1535
1536 /*
1537 * TCP sockets don't use recvmsg(), and thus don't get
1538 * the source IP/port. However, since they're TCP, we
1539 * know what the source IP/port is, because that's where
1540 * we connected to.
1541 */
1542 if (ipproto == IPPROTO_TCP) {
1543 reply->socket.inet.src_ipaddr = server_ipaddr;
1544 reply->socket.inet.src_port = server_port;
1545 }
1546
1548 if (!packet) {
1549 ERROR("Received reply to request we did not send. (id=%d socket %d)",
1550 reply->id, reply->socket.fd);
1551 fr_packet_free(&reply);
1552 return -1; /* got reply to packet we didn't send */
1553 }
1554 request = packet->uctx;
1555
1556 /*
1557 * We want radclient to be able to send any packet, including
1558 * imperfect ones. However, we do NOT want to be vulnerable to
1559 * the "Blast RADIUS" issue. Instead of adding command-line
1560 * flags to enable/disable similar flags to what the server
1561 * sends, we just do a few more smart checks to double-check
1562 * things.
1563 */
1564 if ((request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) &&
1565 blast_radius_check(request, reply) < 0) {
1566 fr_packet_free(&reply);
1567 return -1;
1568 }
1569
1570 /*
1571 * Fails the signature validation: not a real reply.
1572 * FIXME: Silently drop it and listen for another packet.
1573 */
1574 if (fr_radius_packet_verify(reply, request->packet, secret) < 0) {
1575 REDEBUG("Reply verification failed");
1576 stats.lost++;
1577 goto packet_done; /* shared secret is incorrect */
1578 }
1579
1580 if (print_filename) {
1581 RDEBUG("%s response code %d", request->files->packets, reply->code);
1582 }
1583
1584 if (request->tries < ignore_count) {
1585 RDEBUG("Ignoring response %d due to -e ignore_count=%d", request->tries, ignore_count);
1586 goto packet_done;
1587 }
1588
1589 deallocate_id(request);
1590 request->reply = reply;
1591 reply = NULL;
1592
1593 /*
1594 * If this fails, we're out of memory.
1595 */
1596 if (fr_radius_decode_simple(request, &request->reply_pairs,
1597 request->reply->data, request->reply->data_len,
1598 request->packet->vector, secret) < 0) {
1599 REDEBUG("Reply decode failed");
1600 stats.lost++;
1601 goto packet_done;
1602 }
1603 PAIR_LIST_VERIFY(&request->reply_pairs);
1604 fr_radius_packet_log(&default_log, request->reply, &request->reply_pairs, true);
1605
1606 /*
1607 * Increment counters...
1608 */
1609 switch (request->reply->code) {
1614 stats.accepted++;
1615 break;
1616
1618 break;
1619
1621 stats.error++;
1622 break;
1623 default:
1624 stats.rejected++;
1625 }
1626
1627 fr_strerror_clear(); /* Clear strerror buffer */
1628
1629 /*
1630 * If we had an expected response code, check to see if the
1631 * packet matched that.
1632 */
1633 if ((request->filter_code != FR_RADIUS_CODE_UNDEFINED) && (request->reply->code != request->filter_code)) {
1634 if (FR_RADIUS_PACKET_CODE_VALID(request->reply->code)) {
1635 REDEBUG("%s: Expected %s got %s", request->name, fr_radius_packet_name[request->filter_code],
1636 fr_radius_packet_name[request->reply->code]);
1637 } else {
1638 REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
1639 request->reply->code);
1640 }
1641 stats.failed++;
1642 /*
1643 * Check if the contents of the packet matched the filter
1644 */
1645 } else if (fr_pair_list_empty(&request->filter)) {
1646 stats.passed++;
1647 } else {
1648 fr_pair_t const *failed[2];
1649
1651 if (fr_pair_validate(failed, &request->filter, &request->reply_pairs)) {
1652 RDEBUG("%s: Response passed filter", request->name);
1653 stats.passed++;
1654 } else {
1655 fr_pair_validate_debug(failed);
1656 REDEBUG("%s: Response for failed filter", request->name);
1657 stats.failed++;
1658 }
1659 }
1660
1661 if (request->resend == resend_count) {
1662 request->done = true;
1663 }
1664
1665packet_done:
1666 fr_packet_free(&request->reply);
1667 fr_packet_free(&reply); /* may be NULL */
1668
1669 return 0;
1670}
1671
1672/**
1673 *
1674 * @hidecallgraph
1675 */
1676int main(int argc, char **argv)
1677{
1678 int ret = EXIT_SUCCESS;
1679 int c;
1680 char const *confdir = CONFDIR;
1681 char const *dict_dir = DICTDIR;
1682 char filesecret[256];
1683 FILE *fp;
1684 int do_summary = false;
1685 int persec = 0;
1686 int parallel = 1;
1687 int force_af = AF_UNSPEC;
1688#ifndef NDEBUG
1689 TALLOC_CTX *autofree;
1690#endif
1691 fr_dlist_head_t filenames;
1692 rc_request_t *request;
1693
1694 /*
1695 * It's easier having two sets of flags to set the
1696 * verbosity of library calls and the verbosity of
1697 * radclient.
1698 */
1699 fr_debug_lvl = 0;
1700 fr_log_fp = stdout;
1701
1702 /*
1703 * Must be called first, so the handler is called last
1704 */
1706
1707#ifndef NDEBUG
1709
1710 if (fr_fault_setup(autofree, getenv("PANIC_ACTION"), argv[0]) < 0) {
1711 fr_perror("radclient");
1712 fr_exit_now(EXIT_FAILURE);
1713 }
1714#endif
1715
1716 talloc_set_log_stderr();
1717
1718 rc_request_list_talloc_init(&rc_request_list);
1719
1720 fr_dlist_talloc_init(&filenames, rc_file_pair_t, entry);
1721
1722 /*
1723 * Always log to stdout
1724 */
1726 default_log.fd = STDOUT_FILENO;
1727 default_log.print_level = false;
1728
1729 while ((c = getopt(argc, argv, "46bc:A:C:d:D:e:f:Fhi:n:o:p:P:r:sS:t:vx")) != -1) switch (c) {
1730 case '4':
1731 force_af = AF_INET;
1732 break;
1733
1734 case '6':
1735 force_af = AF_INET6;
1736 break;
1737
1738 case 'A':
1739 attr_coa_filter_name = optarg;
1740 break;
1741
1742 case 'b':
1743 blast_radius = true;
1744 break;
1745
1746 case 'c':
1747 if (!isdigit((uint8_t) *optarg)) usage();
1748
1749 resend_count = atoi(optarg);
1750
1751 if (resend_count < 1) usage();
1752 break;
1753
1754 case 'C':
1755 {
1756 int tmp;
1757
1758 if (strchr(optarg, ':')) {
1760 optarg, -1, AF_UNSPEC, true, false) < 0) {
1761 fr_perror("Failed parsing source address");
1762 fr_exit_now(1);
1763 }
1764 break;
1765 }
1766
1767 tmp = atoi(optarg);
1768 if (tmp < 1 || tmp > 65535) usage();
1769
1770 client_port = (uint16_t)tmp;
1771 }
1772 break;
1773
1774 case 'D':
1775 dict_dir = optarg;
1776 break;
1777
1778 case 'd':
1779 confdir = optarg;
1780 break;
1781
1782 case 'e': /* magical extra stuff */
1783 if (strncmp(optarg, "ignore_count=", 13) == 0) {
1784 ignore_count = atoi(optarg + 13);
1785 break;
1786 }
1787 usage();
1788
1789 /*
1790 * packet,filter,coa_reply,coa_filter
1791 */
1792 case 'f':
1793 {
1794 char const *p;
1795 rc_file_pair_t *files;
1796
1797 MEM(files = talloc_zero(talloc_autofree_context(), rc_file_pair_t));
1798
1799 /*
1800 * Commas are nicer than colons.
1801 */
1802 c = ':';
1803
1804 p = strchr(optarg, c);
1805 if (!p) {
1806 c = ',';
1807 p = strchr(optarg, c);
1808 }
1809 if (!p) {
1810 files->packets = optarg;
1811 files->filters = NULL;
1812 } else {
1813 char *q;
1814
1815 MEM(files->packets = talloc_strndup(files, optarg, p - optarg));
1816 files->filters = p + 1;
1817
1818 /*
1819 * Look for CoA filename
1820 */
1821 q = UNCONST(char *, strchr(files->filters, c));
1822 if (q) {
1823 do_coa = true;
1824
1825 *(q++) = '\0';
1826 files->coa_reply = q;
1827
1828 q = UNCONST(char *, strchr(files->coa_reply, c));
1829 if (q) {
1830 *(q++) = '\0';
1831 files->coa_filter = q;
1832 }
1833 }
1834 }
1835 fr_dlist_insert_tail(&filenames, files);
1836 }
1837 break;
1838
1839 case 'F':
1840 print_filename = true;
1841 break;
1842
1843 case 'i':
1844 if (!isdigit((uint8_t) *optarg)) {
1845 usage();
1846 }
1847 last_used_id = atoi(optarg);
1848 if ((last_used_id < 0) || (last_used_id > 255)) {
1849 usage();
1850 }
1851 break;
1852
1853 case 'n':
1854 persec = atoi(optarg);
1855 if (persec <= 0) usage();
1856 break;
1857
1858 case 'o':
1859 coa_port = atoi(optarg);
1860 break;
1861
1862 /*
1863 * Note that sending MANY requests in
1864 * parallel can over-run the kernel
1865 * queues, and Linux will happily discard
1866 * packets. So even if the server responds,
1867 * the client may not see the reply.
1868 */
1869 case 'p':
1870 parallel = atoi(optarg);
1871 if (parallel <= 0) usage();
1872 break;
1873
1874 case 'P':
1875 if (!strcmp(optarg, "tcp")) {
1876 ipproto = IPPROTO_TCP;
1877 } else if (!strcmp(optarg, "udp")) {
1878 ipproto = IPPROTO_UDP;
1879 } else {
1880 usage();
1881 }
1882 break;
1883
1884 case 'r':
1885 if (!isdigit((uint8_t) *optarg)) usage();
1886 retries = atoi(optarg);
1887 if ((retries == 0) || (retries > 1000)) usage();
1888 break;
1889
1890 case 's':
1891 do_summary = true;
1892 break;
1893
1894 case 'S':
1895 {
1896 char *p;
1897 fp = fopen(optarg, "r");
1898 if (!fp) {
1899 ERROR("Error opening %s: %s", optarg, fr_syserror(errno));
1900 fr_exit_now(1);
1901 }
1902 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
1903 ERROR("Error reading %s: %s", optarg, fr_syserror(errno));
1904 fr_exit_now(1);
1905 }
1906 fclose(fp);
1907
1908 /* truncate newline */
1909 p = filesecret + strlen(filesecret) - 1;
1910 while ((p >= filesecret) &&
1911 (*p < ' ')) {
1912 *p = '\0';
1913 --p;
1914 }
1915
1916 if (strlen(filesecret) < 2) {
1917 ERROR("Secret in %s is too short", optarg);
1918 fr_exit_now(1);
1919 }
1920 secret = talloc_strdup(NULL, filesecret);
1921 }
1922 break;
1923
1924 case 't':
1925 if (fr_time_delta_from_str(&timeout, optarg, strlen(optarg), FR_TIME_RES_SEC) < 0) {
1926 fr_perror("Failed parsing timeout value");
1927 fr_exit_now(EXIT_FAILURE);
1928 }
1929 break;
1930
1931 case 'v':
1932 fr_debug_lvl = 1;
1933 DEBUG("%s", radclient_version);
1934 fr_exit_now(0);
1935
1936 case 'x':
1937 fr_debug_lvl++;
1938 if (fr_debug_lvl > 1) default_log.print_level = true;
1939 break;
1940
1941 case 'h':
1942 default:
1943 usage();
1944 }
1945 argc -= (optind - 1);
1946 argv += (optind - 1);
1947
1948 if ((argc < 3) || ((secret == NULL) && (argc < 4))) {
1949 ERROR("Insufficient arguments");
1950 usage();
1951 }
1952 /*
1953 * Mismatch between the binary and the libraries it depends on
1954 */
1956 fr_perror("radclient");
1957 fr_exit_now(EXIT_FAILURE);
1958 }
1959
1960 if (!fr_dict_global_ctx_init(NULL, true, dict_dir)) {
1961 fr_perror("radclient");
1962 fr_exit_now(EXIT_FAILURE);
1963 }
1964
1965 if (fr_radius_global_init() < 0) {
1966 fr_perror("radclient");
1967 fr_exit_now(EXIT_FAILURE);
1968 }
1969
1970 if (fr_dict_autoload(radclient_dict) < 0) {
1971 fr_perror("radclient");
1972 exit(EXIT_FAILURE);
1973 }
1974
1976 fr_perror("radclient");
1977 exit(EXIT_FAILURE);
1978 }
1979
1981 fr_log_perror(&default_log, L_ERR, __FILE__, __LINE__, NULL,
1982 "Failed to initialize the dictionaries");
1983 exit(EXIT_FAILURE);
1984 }
1985
1986 if (do_coa) {
1988 if (!attr_coa_match_attr) {
1989 ERROR("Unknown or invalid CoA filter attribute %s", attr_coa_filter_name);
1990 fr_exit_now(1);
1991 }
1992
1994 }
1996
1997 fr_strerror_clear(); /* Clear the error buffer */
1998
1999 /*
2000 * Get the request type
2001 */
2002 if (!isdigit((uint8_t) argv[2][0])) {
2004 if (packet_code == -2) {
2005 ERROR("Unrecognised request type \"%s\"", argv[2]);
2006 usage();
2007 }
2008 } else {
2009 packet_code = atoi(argv[2]);
2010 }
2011
2012 /*
2013 * Resolve hostname.
2014 */
2015 if (strcmp(argv[1], "-") != 0) {
2016 if (fr_inet_pton_port(&server_ipaddr, &server_port, argv[1], -1, force_af, true, true) < 0) {
2017 fr_perror("radclient");
2018 fr_exit_now(1);
2019 }
2020
2021 /*
2022 * Work backwards from the port to determine the packet type
2023 */
2025 }
2027
2028 /*
2029 * Add the secret.
2030 */
2031 if (argv[3]) {
2033 secret = talloc_strdup(NULL, argv[3]);
2034 }
2035
2036 /*
2037 * If no '-f' is specified, we're reading from stdin.
2038 */
2039 if (fr_dlist_num_elements(&filenames) == 0) {
2040 rc_file_pair_t *files;
2041
2042 files = talloc_zero(talloc_autofree_context(), rc_file_pair_t);
2043 files->packets = "-";
2044 if (radclient_init(files, files) < 0) fr_exit_now(1);
2045 }
2046
2047 /*
2048 * Walk over the list of filenames, creating the requests.
2049 */
2050 fr_dlist_foreach(&filenames, rc_file_pair_t, files) {
2051 if (radclient_init(files, files)) {
2052 ERROR("Failed parsing input files");
2053 fr_exit_now(1);
2054 }
2055 }
2056
2057 /*
2058 * No packets read. Die.
2059 */
2060 if (!rc_request_list_num_elements(&rc_request_list)) {
2061 ERROR("Nothing to send");
2062 fr_exit_now(1);
2063 }
2064
2065 if (openssl3_init() < 0) {
2066 fr_perror("radclient");
2067 fr_exit_now(EXIT_FAILURE);
2068 }
2069
2070 /*
2071 * Bind to the first specified IP address and port.
2072 * This means we ignore later ones.
2073 */
2074 request = rc_request_list_head(&rc_request_list);
2075
2076 if (client_ipaddr.af == AF_UNSPEC) {
2077 if (request->packet->socket.inet.src_ipaddr.af == AF_UNSPEC) {
2078 memset(&client_ipaddr, 0, sizeof(client_ipaddr));
2080 } else {
2081 client_ipaddr = request->packet->socket.inet.src_ipaddr;
2082 }
2083 }
2084
2085 if (client_port == 0) client_port = request->packet->socket.inet.src_port;
2086
2087 if (ipproto == IPPROTO_TCP) {
2088 sockfd = fr_socket_client_tcp(NULL, NULL, &server_ipaddr, server_port, false);
2089 if (sockfd < 0) {
2090 ERROR("Failed opening socket");
2091 return -1;
2092 }
2093
2094 } else {
2096 if (sockfd < 0) {
2097 fr_perror("Error opening socket");
2098 return -1;
2099 }
2100
2101 if (fr_socket_bind(sockfd, NULL, &client_ipaddr, &client_port) < 0) {
2102 fr_perror("Error binding socket");
2103 return -1;
2104 }
2105 }
2106
2107 if (do_coa) {
2109 if (coafd < 0) {
2110 fr_perror("Error opening CoA socket");
2111 return -1;
2112 }
2113
2114 if (fr_socket_bind(coafd, NULL, &client_ipaddr, &coa_port) < 0) {
2115 fr_perror("Error binding socket");
2116 return -1;
2117 }
2118 }
2119
2122 server_port, NULL)) {
2123 ERROR("Failed adding socket");
2124 fr_exit_now(1);
2125 }
2126
2127 /*
2128 * Walk over the list of packets, sanity checking
2129 * everything.
2130 */
2131 rc_request_list_foreach(&rc_request_list, this) {
2132 this->packet->socket.inet.src_ipaddr = client_ipaddr;
2133 this->packet->socket.inet.src_port = client_port;
2134 if (radclient_sane(this) != 0) {
2135 fr_exit_now(1);
2136 }
2137 }
2138
2139 /*
2140 * Walk over the packets to send, until
2141 * we're all done.
2142 *
2143 * FIXME: This currently busy-loops until it receives
2144 * all of the packets. It should really have some sort of
2145 * send packet, get time to wait, select for time, etc.
2146 * loop.
2147 */
2148 do {
2149 int n = parallel;
2150 char const *filename = NULL;
2151
2152 done = true;
2154
2155 /*
2156 * Walk over the packets, sending them.
2157 *
2158 * This essentially ends up handling
2159 * retries as well, as requests to
2160 * retry stay in the request list, and
2161 * then get sent again on the next
2162 * iteration of the outer loop.
2163 */
2164 rc_request_list_foreach(&rc_request_list, this) {
2165 /*
2166 * If there's a packet to receive,
2167 * receive it, but don't wait for a
2168 * packet.
2169 */
2171
2172 /*
2173 * This packet is done. Delete it.
2174 */
2175 if (this->done) {
2176 /*
2177 * We still have a CoA reply to
2178 * receive for this packet.
2179 */
2180 if (this->coa) {
2182 if (this->coa) continue;
2183 }
2184
2185 talloc_free(this);
2186 continue;
2187 }
2188
2189 /*
2190 * Packets from multiple '-f' are sent
2191 * in parallel.
2192 *
2193 * Packets from one file are sent in
2194 * series, unless '-p' is specified, in
2195 * which case N packets from each file
2196 * are sent in parallel.
2197 */
2198 if (this->files->packets != filename) {
2199 filename = this->files->packets;
2200 n = parallel;
2201 }
2202
2203 if (n > 0) {
2204 n--;
2205
2206 /*
2207 * Send the current packet.
2208 */
2209 if (send_one_packet(this) < 0) {
2210 talloc_free(this);
2211 break;
2212 }
2213
2214 /*
2215 * Wait a little before sending
2216 * the next packet, if told to.
2217 */
2218 if (persec) {
2219 fr_time_delta_t psec;
2220
2221 psec = (persec == 1) ? fr_time_delta_from_sec(1) : fr_time_delta_wrap(1000000 / persec);
2222
2223 /*
2224 * Don't sleep elsewhere.
2225 */
2227
2228
2229 /*
2230 * Sleep for milliseconds,
2231 * portably.
2232 *
2233 * If we get an error or
2234 * a signal, treat it like
2235 * a normal timeout.
2236 */
2237 select(0, NULL, NULL, NULL, &fr_time_delta_to_timeval(psec));
2238 }
2239
2240 /*
2241 * If we haven't sent this packet
2242 * often enough, we're not done,
2243 * and we shouldn't sleep.
2244 */
2245 if (this->resend < resend_count) {
2246 int i;
2247
2248 done = false;
2250
2251 for (i = 0; i < 4; i++) {
2252 ((uint32_t *) this->packet->vector)[i] = fr_rand();
2253 }
2254 }
2255 } else { /* haven't sent this packet, we're not done */
2256 fr_assert(this->done == false);
2257 fr_assert(this->reply == NULL);
2258 done = false;
2259 }
2260 }
2261
2262 /*
2263 * Still have outstanding requests.
2264 */
2266 done = false;
2267 } else {
2269 }
2270
2271 /*
2272 * Nothing to do until we receive a request, so
2273 * sleep until then. Once we receive one packet,
2274 * we go back, and walk through the whole list again,
2275 * sending more packets (if necessary), and updating
2276 * the sleep time.
2277 */
2280 }
2281 } while (!done);
2282
2284
2285 rc_request_list_talloc_free(&rc_request_list);
2286
2288
2290
2292
2293 if (fr_dict_autofree(radclient_dict) < 0) {
2294 fr_perror("radclient");
2295 ret = EXIT_FAILURE;
2296 }
2297
2298#ifndef NDEBUG
2300#endif
2301
2302 if (do_summary) {
2303 fr_perror("Packet summary:\n"
2304 "\tAccepted : %" PRIu64 "\n"
2305 "\tRejected : %" PRIu64 "\n"
2306 "\tLost : %" PRIu64 "\n"
2307 "\tErrored : %" PRIu64 "\n"
2308 "\tPassed filter : %" PRIu64 "\n"
2309 "\tFailed filter : %" PRIu64,
2312 stats.lost,
2313 stats.error,
2314 stats.passed,
2316 );
2317 }
2318
2319 /*
2320 * Ensure our atexit handlers run before any other
2321 * atexit handlers registered by third party libraries.
2322 */
2324
2325 if ((stats.lost > 0) || (stats.failed > 0)) return EXIT_FAILURE;
2326
2327 openssl3_free();
2328
2329 return ret;
2330}
static int const char char buffer[256]
Definition acutest.h:576
int n
Definition acutest.h:577
int fr_atexit_global_setup(void)
Setup the atexit handler, should be called at the start of a program's execution.
Definition atexit.c:179
int fr_atexit_global_trigger_all(void)
Cause all global free triggers to fire.
Definition atexit.c:308
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:186
#define RCSID(id)
Definition build.h:512
#define NEVER_RETURNS
Should be placed before the function return type.
Definition build.h:334
void fr_chap_encode(uint8_t out[static 1+FR_CHAP_CHALLENGE_LENGTH], uint8_t id, uint8_t const *challenge, size_t challenge_len, char const *password, size_t password_len)
Encode a CHAP password.
Definition chap.c:34
TALLOC_CTX * autofree
Definition common.c:29
int fr_fault_setup(TALLOC_CTX *ctx, char const *cmd, char const *program)
Registers signal handlers to execute panic_action on fatal signal.
Definition debug.c:1071
#define MEM(x)
Definition debug.h:36
#define fr_exit_now(_x)
Exit without calling atexit() handlers, producing a log message in debug builds.
Definition debug.h:226
fr_radius_packet_code_t
RADIUS packet codes.
Definition defs.h:31
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition defs.h:43
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
@ FR_RADIUS_CODE_DISCONNECT_ACK
RFC3575/RFC5176 - Disconnect-Ack (positive)
Definition defs.h:47
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition defs.h:34
@ FR_RADIUS_CODE_ACCOUNTING_RESPONSE
RFC2866 - Accounting-Response.
Definition defs.h:37
@ FR_RADIUS_CODE_COA_NAK
RFC3575/RFC5176 - CoA-Nak (not willing to perform)
Definition defs.h:51
@ FR_RADIUS_CODE_UNDEFINED
Packet code has not been set.
Definition defs.h:32
@ FR_RADIUS_CODE_COA_ACK
RFC3575/RFC5176 - CoA-Ack (positive)
Definition defs.h:50
@ FR_RADIUS_CODE_DISCONNECT_NAK
RFC3575/RFC5176 - Disconnect-Nak (not willing to perform)
Definition defs.h:48
@ FR_RADIUS_CODE_PROTOCOL_ERROR
RFC7930 - Protocol-Error (generic NAK)
Definition defs.h:52
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition defs.h:35
#define FR_COA_UDP_PORT
Definition defs.h:63
#define FR_AUTH_UDP_PORT
Definition defs.h:57
#define FR_ACCT_UDP_PORT_ALT
Definition defs.h:60
#define FR_AUTH_UDP_PORT_ALT
Definition defs.h:58
#define FR_POD_UDP_PORT
Definition defs.h:61
#define FR_ACCT_UDP_PORT
Definition defs.h:59
#define ERROR(fmt,...)
Definition dhcpclient.c:40
static fr_dict_t const * dict_freeradius
Definition dhcpclient.c:78
#define DEBUG(fmt,...)
Definition dhcpclient.c:38
fr_dict_t * fr_dict_unconst(fr_dict_t const *dict)
Coerce to non-const.
Definition dict_util.c:4880
#define fr_dict_autofree(_to_free)
Definition dict.h:915
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition dict_util.c:3505
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2639
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:292
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:305
int fr_dict_read(fr_dict_t *dict, char const *dict_dir, char const *filename))
Read supplementary attribute definitions into an existing dictionary.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4372
#define fr_dict_autoload(_to_load)
Definition dict.h:912
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
fr_dict_gctx_t * fr_dict_global_ctx_init(TALLOC_CTX *ctx, bool free_at_exit, char const *dict_dir))
Initialise the global protocol hashes.
Definition dict_util.c:4690
Specifies an attribute which must be present for the module to function.
Definition dict.h:291
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:304
#define fr_dlist_foreach(_list_head, _type, _iter)
Iterate over the contents of a list.
Definition dlist.h:98
static unsigned int fr_dlist_num_elements(fr_dlist_head_t const *head)
Return the number of elements in the dlist.
Definition dlist.h:921
static int fr_dlist_insert_tail(fr_dlist_head_t *list_head, void *ptr)
Insert an item into the tail of a list.
Definition dlist.h:360
#define FR_DLIST_HEAD(_name)
Expands to the type name used for the head wrapper structure.
Definition dlist.h:1104
#define fr_dlist_talloc_init(_head, _type, _field)
Initialise the head structure of a doubly linked list.
Definition dlist.h:257
Head of a doubly linked list.
Definition dlist.h:51
void fr_bio_shutdown & my
Definition fd_errno.h:73
talloc_free(hp)
int fr_inet_pton_port(fr_ipaddr_t *out, uint16_t *port_out, char const *value, ssize_t inlen, int af, bool resolve, bool mask)
Parses IPv4/6 address + port, to fr_ipaddr_t and integer (port)
Definition inet.c:944
int af
Address family.
Definition inet.h:63
IPv4/6 prefix.
int packet_global_init(void)
Initialises the Net.
Definition packet.c:200
void fr_packet_net_from_pairs(fr_packet_t *packet, fr_pair_list_t const *list)
Convert pairs to information in a packet.
Definition packet.c:154
#define fr_time()
Definition event.c:60
int fr_debug_lvl
Definition log.c:41
FILE * fr_log_fp
Definition log.c:40
fr_log_t default_log
Definition log.c:306
void fr_log_perror(fr_log_t const *log, fr_log_type_t type, char const *file, int line, fr_log_perror_format_t const *rules, char const *fmt,...)
Drain any outstanding messages from the fr_strerror buffers.
Definition log.c:742
@ L_DST_STDOUT
Log to stdout.
Definition log.h:75
@ L_ERR
Error message.
Definition log.h:53
fr_packet_t * fr_packet_alloc(TALLOC_CTX *ctx, bool new_vector)
Allocate a new fr_packet_t.
Definition packet.c:38
void fr_packet_free(fr_packet_t **packet_p)
Free a fr_packet_t.
Definition packet.c:89
fr_packet_t * fr_packet_list_find_byreply(fr_packet_list_t *pl, fr_packet_t *reply)
Definition list.c:338
void fr_packet_list_free(fr_packet_list_t *pl)
Definition list.c:279
int fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, TALLOC_CTX *ctx, fr_packet_t **packet_p, uint32_t max_attributes, bool require_message_authenticator)
Definition list.c:687
fr_packet_list_t * fr_packet_list_create(int alloc_id)
Definition list.c:291
bool fr_packet_list_id_alloc(fr_packet_list_t *pl, int proto, fr_packet_t *request, void **pctx)
Definition list.c:410
bool fr_packet_list_yank(fr_packet_list_t *pl, fr_packet_t *request)
Definition list.c:376
bool fr_packet_list_socket_add(fr_packet_list_t *pl, int sockfd, int proto, fr_ipaddr_t *dst_ipaddr, uint16_t dst_port, void *ctx)
Definition list.c:193
uint32_t fr_packet_list_num_elements(fr_packet_list_t *pl)
Definition list.c:383
int fr_packet_list_fd_set(fr_packet_list_t *pl, fd_set *set)
Definition list.c:660
bool fr_packet_list_id_free(fr_packet_list_t *pl, fr_packet_t *request, bool yank)
Definition list.c:636
unsigned short uint16_t
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
int mschap_nt_password_hash(uint8_t out[static NT_DIGEST_LENGTH], char const *password)
Converts Unicode password to 16-byte NT hash with MD4.
Definition mschap.c:52
static void fr_nbo_from_uint16(uint8_t out[static sizeof(uint16_t)], uint16_t num)
Write out an unsigned 16bit integer in wire format (big endian)
Definition nbo.h:38
#define RADIUS_HEADER_LENGTH
Definition net.h:80
#define RADIUS_AUTH_VECTOR_LENGTH
Definition net.h:89
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2962
void fr_pair_validate_debug(fr_pair_t const *failed[2])
Write an error to the library errorbuff detailing the mismatch.
Definition pair.c:2096
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1352
int fr_pair_delete_by_da(fr_pair_list_t *list, fr_dict_attr_t const *da)
Delete matching pairs from the specified list.
Definition pair.c:1696
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
bool fr_pair_validate(fr_pair_t const *failed[2], fr_pair_list_t *filter, fr_pair_list_t *list)
Uses fr_pair_cmp to verify all fr_pair_ts in list match the filter defined by check.
Definition pair.c:2131
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2812
int fr_pair_delete(fr_pair_list_t *list, fr_pair_t *vp)
Remove fr_pair_t from a list and free.
Definition pair.c:1833
void fr_pair_list_steal(TALLOC_CTX *ctx, fr_pair_list_t *list)
Steal a list of pairs to a new context.
Definition pair.c:2307
int8_t fr_pair_cmp_by_da(void const *a, void const *b)
Order attributes by their da, and tag.
Definition pair.c:1851
int fr_pair_value_memdup_buffer_shallow(fr_pair_t *vp, uint8_t const *src, bool tainted)
Assign a talloced buffer to a "octets" type value pair.
Definition pair.c:3037
int fr_pair_list_afrom_file(TALLOC_CTX *ctx, fr_dict_t const *dict, fr_pair_list_t *out, FILE *fp, bool *pfiledone, bool allow_exec)
Read valuepairs from the fp up to End-Of-File.
int fr_radius_global_init(void)
Definition base.c:1313
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret)
Simple wrapper for callers who just need a shared secret.
Definition base.c:1291
void fr_radius_global_free(void)
Definition base.c:1337
fr_table_num_sorted_t const fr_radius_request_name_table[]
Definition base.c:104
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:115
int fr_radius_packet_sign(fr_packet_t *packet, fr_packet_t const *original, char const *secret)
Sign a previously encoded packet.
Definition packet.c:150
int fr_radius_packet_verify(fr_packet_t *packet, fr_packet_t *original, char const *secret)
Verify the Request/Response Authenticator (and Message-Authenticator if present) of a packet.
Definition packet.c:129
int fr_radius_packet_send(fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret)
Reply to the request.
Definition packet.c:277
fr_packet_t * fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator)
Receive UDP client requests, and fill in the basics of a fr_packet_t structure.
Definition packet.c:191
void fr_radius_packet_log(fr_log_t const *log, fr_packet_t *packet, fr_pair_list_t *list, bool received)
Definition packet.c:478
ssize_t fr_radius_packet_encode(fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret)
Encode a packet.
Definition packet.c:43
#define fr_assert(_expr)
Definition rad_assert.h:37
#define REDEBUG(fmt,...)
#define RDEBUG(fmt,...)
#define rc_request_list_foreach(_list_head, _iter)
#define WARN(fmt,...)
static int blast_radius_check(rc_request_t *request, fr_packet_t *reply)
Definition radclient.c:1345
static fr_rb_tree_t * coa_tree
Definition radclient.c:95
static fr_ipaddr_t client_ipaddr
Definition radclient.c:84
static fr_dict_attr_t const * attr_packet_type
Definition radclient.c:123
static fr_dict_attr_t const * attr_request_authenticator
Definition radclient.c:119
static bool blast_radius
Definition radclient.c:82
static fr_dict_attr_t const * attr_user_password
Definition radclient.c:125
static int send_one_packet(rc_request_t *request)
Definition radclient.c:959
static int getport(char const *name)
Definition radclient.c:294
static bool done
Definition radclient.c:80
static int _rc_request_free(rc_request_t *request)
Definition radclient.c:193
static uint16_t client_port
Definition radclient.c:85
static int radclient_sane(rc_request_t *request)
Definition radclient.c:890
static int recv_one_packet(fr_time_delta_t wait_time)
Definition radclient.c:1466
static fr_dict_attr_t const * attr_coa_match_attr
Definition radclient.c:132
static fr_time_delta_t sleep_time
Definition radclient.c:67
static uint16_t coa_port
Definition radclient.c:94
int main(int argc, char **argv)
Definition radclient.c:1676
static fr_dict_attr_t const * attr_chap_password
Definition radclient.c:121
static int ignore_count
Definition radclient.c:79
static fr_packet_list_t * packet_list
Definition radclient.c:97
static int resend_count
Definition radclient.c:78
static rc_stats_t stats
Definition radclient.c:73
static fr_dict_attr_t const * attr_ms_chap_response
Definition radclient.c:116
static fr_dict_attr_t const * attr_ms_chap_challenge
Definition radclient.c:114
static int last_used_id
Definition radclient.c:88
static uint16_t server_port
Definition radclient.c:75
static int packet_code
Definition radclient.c:76
static fr_dict_attr_t const * attr_chap_challenge
Definition radclient.c:122
static int recv_coa_packet(fr_time_delta_t wait_time)
Definition radclient.c:1183
static bool do_output
Definition radclient.c:69
static fr_ipaddr_t server_ipaddr
Definition radclient.c:77
#define openssl3_free()
Definition radclient.c:255
static int ipproto
Definition radclient.c:90
static int retries
Definition radclient.c:65
static fr_dict_attr_t const * attr_proxy_state
Definition radclient.c:126
static fr_dict_attr_t const * attr_cleartext_password
Definition radclient.c:112
static void deallocate_id(rc_request_t *request)
Definition radclient.c:935
static bool print_filename
Definition radclient.c:81
static bool do_coa
Definition radclient.c:92
#define openssl3_init()
Definition radclient.c:254
static fr_dict_attr_t const * attr_radclient_test_name
Definition radclient.c:118
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
Definition radclient.c:480
static fr_dict_attr_t const * attr_radclient_coa_filename
Definition radclient.c:129
static int mschapv1_encode(fr_packet_t *packet, fr_pair_list_t *list, char const *password)
Definition radclient.c:258
static const fr_dict_attr_autoload_t radclient_dict_attr[]
Definition radclient.c:134
static bool already_hex(fr_pair_t *vp)
Definition radclient.c:361
static fr_dict_attr_t const * attr_user_name
Definition radclient.c:124
static char * secret
Definition radclient.c:68
static int coafd
Definition radclient.c:93
static int sockfd
Definition radclient.c:87
static void radclient_get_port(fr_radius_packet_code_t type, uint16_t *port)
Definition radclient.c:307
static fr_dict_attr_t const * attr_ms_chap_password
Definition radclient.c:115
#define pair_update_request(_attr, _da)
Definition radclient.c:56
static int8_t request_cmp(void const *one, void const *two)
Definition radclient.c:917
static const char * attr_coa_filter_name
Definition radclient.c:71
static fr_time_delta_t timeout
Definition radclient.c:66
static fr_dict_attr_t const * attr_radclient_coa_filter
Definition radclient.c:130
static NEVER_RETURNS void usage(void)
Definition radclient.c:157
static fr_radius_packet_code_t radclient_get_code(uint16_t port)
Definition radclient.c:340
static fr_dict_attr_t const * attr_message_authenticator
Definition radclient.c:127
static int coa_init(rc_request_t *parent, FILE *coa_reply, char const *reply_filename, bool *coa_reply_done, FILE *coa_filter, char const *filter_filename, bool *coa_filter_done)
Read one CoA reply and potentially a filter.
Definition radclient.c:387
Structures for the radclient utility.
uint64_t accepted
Requests to which we received a accept.
uint64_t rejected
Requests to which we received a reject.
uint64_t lost
Requests to which we received no response.
uint64_t failed
Requests which failed a filter.
char const * coa_filter
file containing the CoA filter we want to match
uint64_t passed
Requests which passed a filter.
char const * filters
The file containing the definition of the packet we want to match.
char const * coa_reply
file containing the CoA reply we want to send
char const * packets
The file containing the request packet.
uint64_t error
Requests which received a Protocol-Error response.
#define RADIUS_MAX_ATTRIBUTES
Definition radius.h:39
#define FR_RADIUS_PACKET_CODE_VALID(_x)
Definition radius.h:51
static fr_dict_t const * dict_radius
Definition radsniff.c:93
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:104
uint32_t fr_rb_num_elements(fr_rb_tree_t *tree)
Return how many nodes there are in a tree.
Definition rb.c:781
void * fr_rb_remove(fr_rb_tree_t *tree, void const *data)
Remove an entry from the tree, without freeing the data.
Definition rb.c:695
bool fr_rb_delete_by_inline_node(fr_rb_tree_t *tree, fr_rb_node_t *node)
Remove node and free data (if a free function was specified)
Definition rb.c:767
void * fr_rb_find(fr_rb_tree_t const *tree, void const *data)
Find an element in the tree, returning the data, not the node.
Definition rb.c:577
bool fr_rb_insert(fr_rb_tree_t *tree, void const *data)
Insert data into a tree.
Definition rb.c:626
#define fr_rb_inline_talloc_alloc(_ctx, _type, _field, _data_cmp, _data_free)
Allocs a red black that verifies elements are of a specific talloc type.
Definition rb.h:244
static bool fr_rb_node_inline_in_tree(fr_rb_node_t const *node)
Check to see if an item is in a tree by examining its inline fr_rb_node_t.
Definition rb.h:312
bool being_freed
Prevent double frees in talloc_destructor.
Definition rb.h:94
The main red black tree structure.
Definition rb.h:71
fr_packet_t * reply
Outgoing response.
Definition request.h:254
char const *fr_packet_t * packet
< Module the request is currently being processed by.
Definition request.h:253
static char const * name
void smbdes_mschap(uint8_t const win_password[16], uint8_t const *challenge, uint8_t *response)
Definition smbdes.c:339
int fr_socket_server_udp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 unconnected UDP socket.
Definition socket.c:846
int fr_socket_client_tcp(char const *ifname, fr_ipaddr_t *src_ipaddr, fr_ipaddr_t const *dst_ipaddr, uint16_t dst_port, bool async)
Establish a connected TCP socket.
Definition socket.c:708
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition socket.c:200
fr_aka_sim_id_type_t type
fr_pair_t * vp
fr_log_dst_t dst
Log destination.
Definition log.h:94
int fd
File descriptor to write messages to.
Definition log.h:109
bool print_level
sometimes we don't want log levels printed
Definition log.h:103
uint64_t num
The number (within the file) of the request were reading.
fr_packet_t * reply
The incoming response.
fr_pair_t * password
Password.Cleartext.
char const * name
Test name (as specified in the request).
rc_file_pair_t * files
Request and response file names.
rc_request_t * coa
CoA filter and reply.
fr_packet_t * packet
The outgoing request.
fr_pair_list_t request_pairs
fr_rb_node_t node
rbtree node data for CoA
bool done
Whether the request is complete.
fr_pair_list_t filter
If the reply passes the filter, then the request passes.
fr_pair_list_t reply_pairs
fr_radius_packet_code_t filter_code
Expected code of the response packet.
fr_time_t timestamp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:685
#define talloc_strndup(_ctx, _str, _len)
Definition talloc.h:150
#define talloc_autofree_context
The original function is deprecated, so replace it with our version.
Definition talloc.h:55
#define talloc_strdup(_ctx, _str)
Definition talloc.h:149
fr_slen_t fr_time_delta_from_str(fr_time_delta_t *out, char const *in, size_t inlen, fr_time_res_t hint)
Create fr_time_delta_t from a string.
Definition time.c:412
#define fr_time_delta_lt(_a, _b)
Definition time.h:285
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
#define fr_time_delta_wrap(_time)
Definition time.h:152
#define fr_time_delta_ispos(_a)
Definition time.h:290
#define fr_time_delta_to_timeval(_delta)
Convert a delta to a timeval.
Definition time.h:656
#define fr_time_delta_eq(_a, _b)
Definition time.h:287
@ FR_TIME_RES_SEC
Definition time.h:50
#define NSEC
Definition time.h:379
static fr_time_delta_t fr_time_delta_sub(fr_time_delta_t a, fr_time_delta_t b)
Definition time.h:261
#define fr_time_sub(_a, _b)
Subtract one time from another.
Definition time.h:229
#define fr_time_delta_gt(_a, _b)
Definition time.h:283
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
"server local" time.
Definition time.h:69
@ T_OP_CMP_FALSE
Definition token.h:103
#define FR_DICTIONARY_FILE
Definition conf.h:7
void * uctx
Definition packet.h:79
unsigned int code
Packet code (type).
Definition packet.h:61
fr_socket_t socket
This packet was received on.
Definition packet.h:57
int id
Packet ID (used to link requests/responses).
Definition packet.h:60
uint8_t * data
Packet data (body).
Definition packet.h:63
size_t data_len
Length of packet data.
Definition packet.h:64
uint8_t vector[RADIUS_AUTH_VECTOR_LENGTH]
RADIUS authentication vector.
Definition packet.h:69
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
void fr_pair_list_sort(fr_pair_list_t *list, fr_cmp_t cmp)
Sort a doubly linked list of fr_pair_ts using merge sort.
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
void fr_pair_list_append(fr_pair_list_t *dst, fr_pair_list_t *src)
Appends a list of fr_pair_t from a temporary list to a destination list.
#define PAIR_LIST_VERIFY(_x)
Definition pair.h:207
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
static fr_slen_t parent
Definition pair.h:858
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:75
int fd
File descriptor if this is a live socket.
Definition socket.h:78
int type
SOCK_STREAM, SOCK_DGRAM, etc.
Definition socket.h:76
void fr_perror(char const *fmt,...)
Print the current error to stderr with a prefix.
Definition strerror.c:737
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
Definition strerror.c:581
int fr_check_lib_magic(uint64_t magic)
Check if the application linking to the library has the correct magic number.
Definition version.c:40
#define RADIUSD_VERSION_BUILD(_x)
Create a version string for a utility in the suite of FreeRADIUS utilities.
Definition version.h:58
#define RADIUSD_MAGIC_NUMBER
Definition version.h:81
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:748