The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
radius.h
Go to the documentation of this file.
1#pragma once
2/*
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with this program; if not, write to the Free Software
15 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
16 */
17
18/*
19 * $Id: 8174775a6e76ffeb5254b7fff08fb75c500f7b91 $
20 *
21 * @file protocols/radius/radius.h
22 * @brief Structures and prototypes for base RADIUS functionality.
23 *
24 * @copyright 1999-2017 The FreeRADIUS server project
25 */
26#include <freeradius-devel/radius/defs.h>
27#include <freeradius-devel/util/packet.h>
28#include <freeradius-devel/util/rand.h>
29#include <freeradius-devel/util/log.h>
30#include <freeradius-devel/util/dbuff.h>
31#include <freeradius-devel/io/test_point.h>
32
33#define RADIUS_AUTH_VECTOR_OFFSET 4
34#define RADIUS_HEADER_LENGTH 20
35#define RADIUS_MAX_STRING_LENGTH 253
36#define RADIUS_MAX_TUNNEL_PASSWORD_LENGTH 249
37#define RADIUS_AUTH_VECTOR_LENGTH 16
38#define RADIUS_MESSAGE_AUTHENTICATOR_LENGTH 16
39#define RADIUS_MAX_ATTRIBUTES 255
40#define RADIUS_MAX_PACKET_SIZE 4096
41
42#define RADIUS_VENDORPEC_USR 429
43#define RADIUS_VENDORPEC_LUCENT 4846
44#define RADIUS_VENDORPEC_STARENT 8164
45
46/*
47 * protocols/radius/base.c
48 */
49
50
51#define FR_RADIUS_PACKET_CODE_VALID(_x) ((_x > 0) && (_x < FR_RADIUS_CODE_MAX))
52
53#define AUTH_PASS_LEN (RADIUS_AUTH_VECTOR_LENGTH)
54
55#define FR_TUNNEL_FR_ENC_LENGTH(_x) (2 + 1 + _x + PAD(_x + 1, 16))
56
57/** Control whether Message-Authenticator is required in Access-Requests
58 *
59 * @note Don't change the enum values. They allow efficient bistmasking.
60 */
61typedef enum {
62 FR_RADIUS_REQUIRE_MA_NO = 0x00, //!< Do not require Message-Authenticator
63 FR_RADIUS_REQUIRE_MA_YES = 0x01, //!< Require Message-Authenticator
64 FR_RADIUS_REQUIRE_MA_AUTO = 0x02, //!< Only require Message-Authenticator if we've previously
65 ///< received a packet from this client with Message-Authenticator.
66 ///< @note This isn't used by the radius protocol code, but may be used
67 ///< to drive logic in modules.
68
69} fr_radius_require_ma_t;
70
71/** Control whether Proxy-State is allowed in Access-Requests
72 *
73 * @note Don't change the enum values. They allow efficient bistmasking.
74 */
75typedef enum {
76 FR_RADIUS_LIMIT_PROXY_STATE_NO = 0x00, //!< Do not limit Proxy-State. Allow proxy-state to be sent in
77 ///< all packets.
78 FR_RADIUS_LIMIT_PROXY_STATE_YES = 0x01, //!< Limit Proxy-State. Do not allow Proxy-State to be sent in
79 ///< packets which do not have a Message-Authenticator attribute.
80
81 FR_RADIUS_LIMIT_PROXY_STATE_AUTO = 0x02, //!< Do not allow Proxy-State unless:
82 ///< - All packets received from a client have containted proxy state.
83 ///< - The client has sent a packet with a Message-Authenticator.
84 ///< @note This isn't used by the radius protocol code, but may be used
85 ///< to drive logic in modules.
86} fr_radius_limit_proxy_state_t;
87
88/** Failure reasons */
118
119extern char const *fr_radius_decode_fail_reason[FR_RADIUS_FAIL_MAX + 1];
120
125
126typedef struct {
127 char const *secret;
128 size_t secret_length;
129
130 bool secure_transport; //!< for TLS
131
132 uint64_t proxy_state;
133} fr_radius_ctx_t;
134
135typedef struct {
136 fr_radius_ctx_t const *common;
137
138 uint8_t const *request_authenticator;
139
140 fr_fast_rand_t rand_ctx; //!< for tunnel passwords
141
142 uint8_t tag; //!< current tag for encoding
143
144 uint8_t request_code;
145
146 uint8_t code;
147 uint8_t id;
148
149 bool add_proxy_state; //!< do we add a Proxy-State?
150 bool seen_message_authenticator;
151#ifdef NAS_VIOLATES_RFC
152 bool allow_vulnerable_clients; //!< for vendors who violate the RFCs.
153#endif
154
155} fr_radius_encode_ctx_t;
156
157typedef struct {
158 fr_radius_ctx_t const *common;
159
160 uint8_t const *request_authenticator;
161
162 TALLOC_CTX *tmp_ctx; //!< for temporary things cleaned up during decoding
163 uint8_t const *end; //!< end of the packet
164
165 fr_radius_decode_fail_t reason; //!< reason for decode failure
166
167 uint8_t request_code; //!< original code for the request.
168
169 bool tunnel_password_zeros; //!< check for trailing zeros on decode
170 bool verify; //!< can skip verify for dynamic clients
171 bool require_message_authenticator;
172 bool limit_proxy_state; //!< Don't allow Proxy-State in requests
173
174 fr_radius_tag_ctx_t **tags; //!< for decoding tagged attributes
175 fr_pair_list_t *tag_root; //!< Where to insert tag attributes.
176 TALLOC_CTX *tag_root_ctx; //!< Where to allocate new tag attributes.
177} fr_radius_decode_ctx_t;
178
179typedef enum {
180 RADIUS_FLAG_ENCRYPT_INVALID = -1, //!< Invalid encryption flag.
181 RADIUS_FLAG_ENCRYPT_NONE = 0, //!< No encryption.
182 RADIUS_FLAG_ENCRYPT_USER_PASSWORD = 1, //!< Encrypt attribute RFC 2865 style.
183 RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD = 2, //!< Encrypt attribute RFC 2868 style.
184 RADIUS_FLAG_ENCRYPT_ASCEND_SECRET = 3, //!< Encrypt attribute ascend style.
185} fr_radius_attr_flags_encrypt_t;
186
187typedef struct {
188 unsigned int long_extended : 1; //!< Attribute is a long extended attribute
189 unsigned int extended : 1; //!< Attribute is an extended attribute
190 unsigned int concat : 1; //!< Attribute is concatenated
191 unsigned int has_tag : 1; //!< Attribute has a tag
192 unsigned int abinary : 1; //!< Attribute is in "abinary" format
193 fr_radius_attr_flags_encrypt_t encrypt; //!< Attribute is encrypted
194} fr_radius_attr_flags_t;
195
196DIAG_OFF(unused-function)
197/** Return RADIUS-specific flags for a given attribute
198 */
203
204#define fr_radius_flag_has_tag(_da) fr_radius_attr_flags(_da)->has_tag
205#define fr_radius_flag_concat(_da) fr_radius_attr_flags(_da)->concat
206#define fr_radius_flag_abinary(_da) fr_radius_attr_flags(_da)->abinary
207#define fr_radius_flag_encrypted(_da) fr_radius_attr_flags(_da)->encrypt
208
209static bool fr_radius_flag_extended(fr_dict_attr_t const *da)
210{
211 fr_radius_attr_flags_t const *flags = fr_radius_attr_flags(da);
212
213 return flags->extended || flags->long_extended;
214}
215
216#define fr_radius_flag_long_extended(_da) fr_radius_attr_flags(_da)->long_extended
217DIAG_ON(unused-function)
218
219extern fr_table_num_sorted_t const fr_radius_require_ma_table[];
220extern size_t fr_radius_require_ma_table_len;
221
222extern fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[];
223extern size_t fr_radius_limit_proxy_state_table_len;
224
225extern fr_table_num_sorted_t const fr_radius_request_name_table[];
226extern size_t fr_radius_request_name_table_len;
227
228extern char const *fr_radius_packet_name[FR_RADIUS_CODE_MAX];
229
230/*
231 * protocols/radius/base.c
232 */
233int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX]);
234
235int fr_radius_sign(uint8_t *packet, uint8_t const *vector,
236 uint8_t const *secret, size_t secret_len) CC_HINT(nonnull (1,3));
237
238int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
239 uint8_t const *secret, size_t secret_len,
240 bool require_message_authenticator, bool limit_proxy_state) CC_HINT(nonnull (1,3));
241
242bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
243 uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason) CC_HINT(nonnull (1,2));
244
245ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen,
246 char const *secret, size_t secret_len, uint8_t const *vector);
247
248ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code);
249
250ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx) CC_HINT(nonnull);
251
252ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out,
253 uint8_t *packet, size_t packet_len,
254 fr_radius_decode_ctx_t *decode_ctx) CC_HINT(nonnull);
255
256ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out,
257 uint8_t *packet, size_t packet_len,
258 uint8_t const *vector, char const *secret) CC_HINT(nonnull(1,2,3,6));
259
260int fr_radius_global_init(void);
261
262void fr_radius_global_free(void);
263
264/*
265 * protocols/radius/packet.c
266 */
267ssize_t fr_radius_packet_encode(fr_packet_t *packet, fr_pair_list_t *list,
268 fr_packet_t const *original,
269 char const *secret) CC_HINT(nonnull (1,2,4));
270
271bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator,
272 fr_radius_decode_fail_t *reason) CC_HINT(nonnull (1));
273
274int fr_radius_packet_verify(fr_packet_t *packet, fr_packet_t *original,
275 char const *secret) CC_HINT(nonnull (1,3));
276int fr_radius_packet_sign(fr_packet_t *packet, fr_packet_t const *original,
277 char const *secret) CC_HINT(nonnull (1,3));
278
279fr_packet_t *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator);
280int fr_radius_packet_send(fr_packet_t *packet, fr_pair_list_t *list,
281 fr_packet_t const *original, char const *secret) CC_HINT(nonnull (1,2,4));
282
283#define fr_packet_log_hex(_log, _packet) _fr_packet_log_hex(_log, _packet, __FILE__, __LINE__)
284void _fr_packet_log_hex(fr_log_t const *log, fr_packet_t const *packet, char const *file, int line) CC_HINT(nonnull);
285
286/*
287 * protocols/radius/abinary.c
288 */
289ssize_t fr_radius_encode_abinary(fr_pair_t const *vp, fr_dbuff_t *dbuff);
290
291ssize_t fr_radius_decode_abinary(fr_pair_t *vp, uint8_t const *data, size_t data_len);
292
293/*
294 * protocols/radius/encode.c
295 */
296ssize_t fr_radius_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx);
297
298ssize_t fr_radius_encode_foreign(fr_dbuff_t *dbuff, fr_pair_list_t const *list) CC_HINT(nonnull);
299
300/*
301 * protocols/radius/decode.c
302 */
303int fr_radius_decode_tlv_ok(uint8_t const *data, size_t length, size_t dv_type, size_t dv_length);
304
305ssize_t fr_radius_decode_pair_value(TALLOC_CTX *ctx, fr_pair_list_t *list,
306 fr_dict_attr_t const *parent,
307 uint8_t const *data, size_t const attr_len,
308 void *packet_ctx) CC_HINT(nonnull);
309
310ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *list,
311 fr_dict_attr_t const *parent,
312 uint8_t const *data, size_t data_len,
313 fr_radius_decode_ctx_t *packet_ctx) CC_HINT(nonnull);
314
315ssize_t fr_radius_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *list,
316 uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx) CC_HINT(nonnull);
317
318ssize_t fr_radius_decode_foreign(TALLOC_CTX *ctx, fr_pair_list_t *out,
319 uint8_t const *data, size_t data_len) CC_HINT(nonnull);
320
321void fr_radius_packet_header_log(fr_log_t const *log, fr_packet_t *packet, bool received);
322
323void fr_radius_packet_log(fr_log_t const *log, fr_packet_t *packet, fr_pair_list_t *list, bool received);
file
int const char * file
Definition acutest.h:702
line
int const char int line
Definition acutest.h:702
DIAG_ON
#define DIAG_ON(_x)
Definition build.h:487
DIAG_OFF
#define DIAG_OFF(_x)
Definition build.h:486
fr_dcursor_s
Definition dcursor.h:91
FR_RADIUS_CODE_MAX
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
sockfd
static int sockfd
Definition dhcpclient.c:55
FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC
@ FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC
Protocol specific extensions.
Definition dict.h:190
in
static fr_slen_t in
Definition dict.h:882
fr_dict_attr_ext
static void * fr_dict_attr_ext(fr_dict_attr_t const *da, fr_dict_attr_ext_t ext)
Definition dict_ext.h:121
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dbuff_t
Definition merged_model.c:41
fr_dict_attr_t
Definition merged_model.c:133
encode_ctx
static fr_internal_encode_ctx_t encode_ctx
Definition proto_ldap_sync.c:34
secret
static char * secret
Definition radclient-ng.c:68
fr_radius_attr_flags_t::has_tag
unsigned int has_tag
Attribute has a tag.
Definition radius.h:191
fr_radius_ctx_t::secure_transport
bool secure_transport
for TLS
Definition radius.h:130
fr_radius_decode_foreign
ssize_t fr_radius_decode_foreign(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, size_t data_len)
Definition decode.c:2093
fr_radius_tag_ctx_t::parent
fr_pair_t * parent
Definition radius.h:122
fr_radius_decode_ctx_t::tags
fr_radius_tag_ctx_t ** tags
for decoding tagged attributes
Definition radius.h:174
fr_radius_packet_encode
ssize_t fr_radius_packet_encode(fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret))
Encode a packet.
Definition packet.c:43
fr_radius_require_ma_t
fr_radius_require_ma_t
Control whether Message-Authenticator is required in Access-Requests.
Definition radius.h:61
FR_RADIUS_REQUIRE_MA_NO
@ FR_RADIUS_REQUIRE_MA_NO
Do not require Message-Authenticator.
Definition radius.h:62
FR_RADIUS_REQUIRE_MA_YES
@ FR_RADIUS_REQUIRE_MA_YES
Require Message-Authenticator.
Definition radius.h:63
FR_RADIUS_REQUIRE_MA_AUTO
@ FR_RADIUS_REQUIRE_MA_AUTO
Only require Message-Authenticator if we've previously received a packet from this client with Messag...
Definition radius.h:64
fr_radius_ascend_secret
ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen, char const *secret, size_t secret_len, uint8_t const *vector)
Do Ascend-Send / Recv-Secret calculation.
Definition base.c:250
fr_radius_encode_ctx_t::rand_ctx
fr_fast_rand_t rand_ctx
for tunnel passwords
Definition radius.h:140
fr_radius_encode_ctx_t::common
fr_radius_ctx_t const * common
Definition radius.h:136
fr_radius_decode_pair
ssize_t fr_radius_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *list, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx)
Create a "normal" fr_pair_t from the given data.
Definition decode.c:1978
fr_radius_decode_ctx_t::request_code
uint8_t request_code
original code for the request.
Definition radius.h:167
fr_radius_decode_abinary
ssize_t fr_radius_decode_abinary(fr_pair_t *vp, uint8_t const *data, size_t data_len)
Print an Ascend binary filter attribute to a string,.
Definition abinary.c:1318
fr_radius_decode_simple
ssize_t fr_radius_decode_simple(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, uint8_t const *vector, char const *secret))
Simple wrapper for callers who just need a shared secret.
Definition base.c:1275
fr_radius_decode_ctx_t::request_authenticator
uint8_t const * request_authenticator
Definition radius.h:160
fr_radius_attr_flags_t::abinary
unsigned int abinary
Attribute is in "abinary" format.
Definition radius.h:192
fr_radius_decode
ssize_t fr_radius_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *packet, size_t packet_len, fr_radius_decode_ctx_t *decode_ctx)
Definition base.c:1162
fr_radius_tag_ctx_t::cursor
fr_dcursor_t cursor
Definition radius.h:123
fr_radius_limit_proxy_state_table_len
size_t fr_radius_limit_proxy_state_table_len
Definition base.c:102
fr_radius_sign
int fr_radius_sign(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len))
Sign a previously encoded packet.
Definition base.c:361
fr_radius_decode_fail_t
fr_radius_decode_fail_t
Failure reasons.
Definition radius.h:89
FR_RADIUS_FAIL_ATTRIBUTE_DECODE
@ FR_RADIUS_FAIL_ATTRIBUTE_DECODE
Definition radius.h:105
FR_RADIUS_FAIL_UNEXPECTED_REQUEST_CODE
@ FR_RADIUS_FAIL_UNEXPECTED_REQUEST_CODE
Definition radius.h:96
FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW
@ FR_RADIUS_FAIL_ATTRIBUTE_OVERFLOW
Definition radius.h:104
FR_RADIUS_FAIL_VERIFY
@ FR_RADIUS_FAIL_VERIFY
Definition radius.h:113
FR_RADIUS_FAIL_NONE
@ FR_RADIUS_FAIL_NONE
Definition radius.h:90
FR_RADIUS_FAIL_MA_INVALID_LENGTH
@ FR_RADIUS_FAIL_MA_INVALID_LENGTH
Definition radius.h:107
FR_RADIUS_FAIL_MIN_LENGTH_FIELD
@ FR_RADIUS_FAIL_MIN_LENGTH_FIELD
Definition radius.h:93
FR_RADIUS_FAIL_INVALID_ATTRIBUTE
@ FR_RADIUS_FAIL_INVALID_ATTRIBUTE
Definition radius.h:100
FR_RADIUS_FAIL_IO_ERROR
@ FR_RADIUS_FAIL_IO_ERROR
Definition radius.h:115
FR_RADIUS_FAIL_MAX_LENGTH_PACKET
@ FR_RADIUS_FAIL_MAX_LENGTH_PACKET
Definition radius.h:92
FR_RADIUS_FAIL_MA_MISSING
@ FR_RADIUS_FAIL_MA_MISSING
Definition radius.h:108
FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES
@ FR_RADIUS_FAIL_TOO_MANY_ATTRIBUTES
Definition radius.h:98
FR_RADIUS_FAIL_UNEXPECTED_RESPONSE_CODE
@ FR_RADIUS_FAIL_UNEXPECTED_RESPONSE_CODE
Definition radius.h:97
FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE
@ FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE
Definition radius.h:95
FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH
@ FR_RADIUS_FAIL_MIN_LENGTH_MISMATCH
Definition radius.h:94
FR_RADIUS_FAIL_NO_MATCHING_REQUEST
@ FR_RADIUS_FAIL_NO_MATCHING_REQUEST
Definition radius.h:114
FR_RADIUS_FAIL_HEADER_OVERFLOW
@ FR_RADIUS_FAIL_HEADER_OVERFLOW
Definition radius.h:102
FR_RADIUS_FAIL_MIN_LENGTH_PACKET
@ FR_RADIUS_FAIL_MIN_LENGTH_PACKET
Definition radius.h:91
FR_RADIUS_FAIL_MAX
@ FR_RADIUS_FAIL_MAX
Definition radius.h:116
FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT
@ FR_RADIUS_FAIL_ATTRIBUTE_TOO_SHORT
Definition radius.h:103
FR_RADIUS_FAIL_MA_INVALID
@ FR_RADIUS_FAIL_MA_INVALID
Definition radius.h:109
FR_RADIUS_FAIL_PROXY_STATE_MISSING_MA
@ FR_RADIUS_FAIL_PROXY_STATE_MISSING_MA
Definition radius.h:111
FR_RADIUS_FAIL_MA_TOO_MANY
@ FR_RADIUS_FAIL_MA_TOO_MANY
Definition radius.h:110
fr_radius_ctx_t::secret
char const * secret
Definition radius.h:127
fr_radius_decode_tlv
ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *parent, uint8_t const *data, size_t data_len, fr_radius_decode_ctx_t *packet_ctx)
Convert TLVs to one or more VPs.
Definition decode.c:650
fr_radius_decode_fail_reason
char const * fr_radius_decode_fail_reason[FR_RADIUS_FAIL_MAX+1]
Definition base.c:507
fr_radius_require_ma_table_len
size_t fr_radius_require_ma_table_len
Definition base.c:93
fr_radius_packet_send
int fr_radius_packet_send(fr_packet_t *packet, fr_pair_list_t *list, fr_packet_t const *original, char const *secret))
Reply to the request.
Definition packet.c:277
fr_radius_ok
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason))
See if the data pointed to by PTR is a valid RADIUS packet.
Definition base.c:548
fr_radius_attr_flags_t::concat
unsigned int concat
Attribute is concatenated.
Definition radius.h:190
fr_radius_decode_ctx_t::end
uint8_t const * end
end of the packet
Definition radius.h:163
fr_radius_global_init
int fr_radius_global_init(void)
Definition base.c:1297
fr_radius_decode_ctx_t::limit_proxy_state
bool limit_proxy_state
Don't allow Proxy-State in requests.
Definition radius.h:172
fr_radius_encode_pair
ssize_t fr_radius_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
Encode a data structure into a RADIUS attribute.
Definition encode.c:1549
fr_radius_packet_header_log
void fr_radius_packet_header_log(fr_log_t const *log, fr_packet_t *packet, bool received)
Definition packet.c:407
fr_radius_ctx_t::proxy_state
uint64_t proxy_state
Definition radius.h:132
fr_radius_encode_ctx_t::request_authenticator
uint8_t const * request_authenticator
Definition radius.h:138
fr_radius_flag_extended
static bool fr_radius_flag_extended(fr_dict_attr_t const *da)
Definition radius.h:209
fr_radius_encode_ctx_t::tag
uint8_t tag
current tag for encoding
Definition radius.h:142
fr_radius_attr_flags_t::extended
unsigned int extended
Attribute is an extended attribute.
Definition radius.h:189
fr_radius_attr_flags_t::encrypt
fr_radius_attr_flags_encrypt_t encrypt
Attribute is encrypted.
Definition radius.h:193
fr_radius_decode_tlv_ok
int fr_radius_decode_tlv_ok(uint8_t const *data, size_t length, size_t dv_type, size_t dv_length)
Check if a set of RADIUS formatted TLVs are OK.
Definition decode.c:249
fr_radius_decode_ctx_t::require_message_authenticator
bool require_message_authenticator
Definition radius.h:171
_fr_packet_log_hex
void _fr_packet_log_hex(fr_log_t const *log, fr_packet_t const *packet, char const *file, int line)
Definition packet.c:335
fr_radius_packet_sign
int fr_radius_packet_sign(fr_packet_t *packet, fr_packet_t const *original, char const *secret))
Sign a previously encoded packet.
Definition packet.c:150
fr_radius_decode_ctx_t::tag_root_ctx
TALLOC_CTX * tag_root_ctx
Where to allocate new tag attributes.
Definition radius.h:176
fr_radius_ctx_t::secret_length
size_t secret_length
Definition radius.h:128
fr_radius_request_name_table_len
size_t fr_radius_request_name_table_len
Definition base.c:113
fr_radius_packet_verify
int fr_radius_packet_verify(fr_packet_t *packet, fr_packet_t *original, char const *secret))
Verify the Request/Response Authenticator (and Message-Authenticator if present) of a packet.
Definition packet.c:129
fr_radius_encode_foreign
ssize_t fr_radius_encode_foreign(fr_dbuff_t *dbuff, fr_pair_list_t const *list)
Definition encode.c:1714
fr_radius_decode_pair_value
ssize_t fr_radius_decode_pair_value(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_dict_attr_t const *parent, uint8_t const *data, size_t const attr_len, void *packet_ctx)
Create any kind of VP from the attribute contents.
Definition decode.c:1485
fr_radius_decode_ctx_t::verify
bool verify
can skip verify for dynamic clients
Definition radius.h:170
fr_packet_recv
fr_packet_t * fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator)
Receive UDP client requests, and fill in the basics of a fr_packet_t structure.
Definition packet.c:191
fr_radius_decode_ctx_t::common
fr_radius_ctx_t const * common
Definition radius.h:158
fr_radius_verify
int fr_radius_verify(uint8_t *packet, uint8_t const *vector, uint8_t const *secret, size_t secret_len, bool require_message_authenticator, bool limit_proxy_state))
Verify the signature of a request / response packet.
Definition base.c:818
fr_radius_global_free
void fr_radius_global_free(void)
Definition base.c:1321
fr_radius_limit_proxy_state_t
fr_radius_limit_proxy_state_t
Control whether Proxy-State is allowed in Access-Requests.
Definition radius.h:75
FR_RADIUS_LIMIT_PROXY_STATE_NO
@ FR_RADIUS_LIMIT_PROXY_STATE_NO
Do not limit Proxy-State.
Definition radius.h:76
FR_RADIUS_LIMIT_PROXY_STATE_AUTO
@ FR_RADIUS_LIMIT_PROXY_STATE_AUTO
Do not allow Proxy-State unless:
Definition radius.h:81
FR_RADIUS_LIMIT_PROXY_STATE_YES
@ FR_RADIUS_LIMIT_PROXY_STATE_YES
Limit Proxy-State.
Definition radius.h:78
fr_radius_attr_flags_t::long_extended
unsigned int long_extended
Attribute is a long extended attribute.
Definition radius.h:188
fr_radius_limit_proxy_state_table
fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[]
Definition base.c:95
fr_radius_decode_ctx_t::reason
fr_radius_decode_fail_t reason
reason for decode failure
Definition radius.h:165
fr_radius_attr_flags_encrypt_t
fr_radius_attr_flags_encrypt_t
Definition radius.h:179
RADIUS_FLAG_ENCRYPT_INVALID
@ RADIUS_FLAG_ENCRYPT_INVALID
Invalid encryption flag.
Definition radius.h:180
RADIUS_FLAG_ENCRYPT_NONE
@ RADIUS_FLAG_ENCRYPT_NONE
No encryption.
Definition radius.h:181
RADIUS_FLAG_ENCRYPT_USER_PASSWORD
@ RADIUS_FLAG_ENCRYPT_USER_PASSWORD
Encrypt attribute RFC 2865 style.
Definition radius.h:182
RADIUS_FLAG_ENCRYPT_ASCEND_SECRET
@ RADIUS_FLAG_ENCRYPT_ASCEND_SECRET
Encrypt attribute ascend style.
Definition radius.h:184
RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD
@ RADIUS_FLAG_ENCRYPT_TUNNEL_PASSWORD
Encrypt attribute RFC 2868 style.
Definition radius.h:183
fr_radius_encode_abinary
ssize_t fr_radius_encode_abinary(fr_pair_t const *vp, fr_dbuff_t *dbuff)
Encode a string to abinary.
Definition abinary.c:1194
fr_radius_request_name_table
fr_table_num_sorted_t const fr_radius_request_name_table[]
Definition base.c:104
fr_radius_require_ma_table
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:86
fr_radius_encode
ssize_t fr_radius_encode(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_radius_encode_ctx_t *packet_ctx)
Definition base.c:1012
fr_radius_attr_flags
static fr_radius_attr_flags_t const * fr_radius_attr_flags(fr_dict_attr_t const *da)
Return RADIUS-specific flags for a given attribute.
Definition radius.h:199
fr_radius_decode_ctx_t::tunnel_password_zeros
bool tunnel_password_zeros
check for trailing zeros on decode
Definition radius.h:169
fr_radius_encode_ctx_t::add_proxy_state
bool add_proxy_state
do we add a Proxy-State?
Definition radius.h:149
fr_radius_encode_ctx_t::seen_message_authenticator
bool seen_message_authenticator
Definition radius.h:150
fr_radius_packet_log
void fr_radius_packet_log(fr_log_t const *log, fr_packet_t *packet, fr_pair_list_t *list, bool received)
Definition packet.c:478
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:115
fr_radius_recv_header
ssize_t fr_radius_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, unsigned int *code)
Basic validation of RADIUS packet header.
Definition base.c:288
fr_radius_decode_ctx_t::tmp_ctx
TALLOC_CTX * tmp_ctx
for temporary things cleaned up during decoding
Definition radius.h:162
fr_radius_decode_ctx_t::tag_root
fr_pair_list_t * tag_root
Where to insert tag attributes.
Definition radius.h:175
fr_packet_ok
bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason))
See if the data pointed to by PTR is a valid RADIUS packet.
Definition packet.c:110
fr_radius_allow_reply
int fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX])
Definition base.c:230
fr_radius_attr_flags_t
Definition radius.h:187
fr_radius_ctx_t
Definition radius.h:126
fr_radius_decode_ctx_t
Definition radius.h:157
fr_radius_encode_ctx_t
Definition radius.h:135
fr_radius_tag_ctx_t
Definition radius.h:121
fr_fast_rand_t
Smaller fast random number generator.
Definition rand.h:54
vp
fr_pair_t * vp
Definition state_machine.c:2287
fr_log_s
Definition log.h:93
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
fr_packet_t
Definition packet.h:56
parent
static fr_slen_t parent
Definition pair.h:858
data
static fr_slen_t data
Definition value.h:1340
inlen
static size_t char fr_sbuff_t size_t inlen
Definition value.h:1030
nonnull
int nonnull(2, 5))
out
static size_t char ** out
Definition value.h:1030
Generated by   doxygen 1.9.8