/** Uses paircmp to verify all VALUE_PAIRs in list match the filter defined by check
*
* @note will sort both filter and list in place.
*
* @param failed pointer to an array to write the pointers of the filter/list attributes that didn't match.
* May be NULL.
* @param filter attributes to check list against.
* @param list attributes, probably a request or reply
*/
bool pairvalidate(VALUE_PAIR const *failed[2], VALUE_PAIR *filter, VALUE_PAIR *list)
{
vp_cursor_t filter_cursor;
vp_cursor_t list_cursor;
VALUE_PAIR *check, *match;
if (!filter && !list) {
return true;
}
/*
* This allows us to verify the sets of validate and reply are equal
* i.e. we have a validate rule which matches every reply attribute.
*
* @todo this should be removed one we have sets and lists
*/
pairsort(&filter, attrtagcmp);
pairsort(&list, attrtagcmp);
check = fr_cursor_init(&filter_cursor, &filter);
match = fr_cursor_init(&list_cursor, &list);
while (match || check) {
/*
* Lists are of different lengths
*/
if (!match || !check) goto mismatch;
/*
* The lists are sorted, so if the first
* attributes aren't of the same type, then we're
* done.
*/
if (!ATTRIBUTE_EQ(check, match)) goto mismatch;
/*
* They're of the same type, but don't have the
* same values. This is a problem.
*
* Note that the RFCs say that for attributes of
* the same type, order is important.
*/
if (paircmp(check, match) != 1) goto mismatch;
check = fr_cursor_next(&filter_cursor);
match = fr_cursor_next(&list_cursor);
}
return true;
mismatch:
if (failed) {
failed[0] = check;
failed[1] = match;
}
return false;
}
/** Sort a linked list of VALUE_PAIRs using merge sort
*
* @param[in,out] vps List of VALUE_PAIRs to sort.
* @param[in] cmp to sort with
*/
void pairsort(VALUE_PAIR **vps, fr_cmp_t cmp)
{
VALUE_PAIR *head = *vps;
VALUE_PAIR *a;
VALUE_PAIR *b;
/*
* If there's 0-1 elements it must already be sorted.
*/
if (!head || !head->next) {
return;
}
pairsort_split(head, &a, &b); /* Split into sublists */
pairsort(&a, cmp); /* Traverse left */
pairsort(&b, cmp); /* Traverse right */
/*
* merge the two sorted lists together
*/
*vps = pairsort_merge(a, b, cmp);
}
static void rs_process_packet(rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
static int count = 0; /* Packets seen */
rs_stats_t *stats = event->stats;
decode_fail_t reason;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response = false; /* Was it a response code */
RADIUS_PACKET *current, *original;
struct timeval elapsed;
struct timeval latency;
count++;
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(NULL, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (data - p);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
DEBUG("(%i) ** %s **", count, fr_strerror());
DEBUG("(%i) %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
response = true;
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, current);
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(event->conf, current);
original->timestamp = header->ts;
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(current, original, event->conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
if (filter_vps && rs_filter_packet(current)) {
rad_free(¤t);
DEBUG("Packet number %d doesn't match", count++);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
goto check_filter;
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
rs_stats_update_count(&stats->gauge, current);
if (original) {
rs_tv_sub(¤t->timestamp, &original->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->code], &latency);
/*
* Print info about the response.
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (fr_debug_flag > 1) {
if (current->vps) {
if (event->conf->do_sort) {
pairsort(¤t->vps, true);
}
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
}
/*
* We've seen a successful reply to this, so delete it now
*/
if (original) {
rbtree_deletebydata(request_tree, original);
}
if (!event->conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((current->code != PW_CODE_AUTHENTICATION_REQUEST) && (current->code != PW_CODE_ACCOUNTING_REQUEST))) {
rad_free(¤t);
}
}
/*
* get the vps and put them in perl hash
* If one VP have multiple values it is added as array_ref
* Example for this is Cisco-AVPair that holds multiple values.
* Which will be available as array_ref in $RAD_REQUEST{'Cisco-AVPair'}
*/
static void perl_store_vps(UNUSED TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR *vps, HV *rad_hv,
const char *hashname, const char *list_name)
{
VALUE_PAIR *vp;
hv_undef(rad_hv);
vp_cursor_t cursor;
RINDENT();
pairsort(&vps, attrtagcmp);
for (vp = fr_cursor_init(&cursor, &vps);
vp;
vp = fr_cursor_next(&cursor)) {
VALUE_PAIR *next;
char const *name;
char namebuf[256];
char buffer[1024];
size_t len;
/*
* Tagged attributes are added to the hash with name
* <attribute>:<tag>, others just use the normal attribute
* name as the key.
*/
if (vp->da->flags.has_tag && (vp->tag != TAG_ANY)) {
snprintf(namebuf, sizeof(namebuf), "%s:%d", vp->da->name, vp->tag);
name = namebuf;
} else {
name = vp->da->name;
}
/*
* We've sorted by type, then tag, so attributes of the
* same type/tag should follow on from each other.
*/
if ((next = fr_cursor_next_peek(&cursor)) && ATTRIBUTE_EQ(vp, next)) {
int i;
AV *av;
av = newAV();
for (next = fr_cursor_next_by_da(&cursor, vp->da, vp->tag), i = 0;
next;
next = fr_cursor_next_by_da(&cursor, vp->da, vp->tag), i++) {
switch (vp->da->type) {
case PW_TYPE_STRING:
RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hashname, next->da->name, i,
list_name, next->da->name, next->vp_strvalue);
av_push(av, newSVpvn(next->vp_strvalue, next->length));
break;
case PW_TYPE_OCTETS:
if (RDEBUG_ENABLED) {
char *hex;
hex = fr_abin2hex(request, next->vp_octets, next->length);
RDEBUG("$%s{'%s'}[%i] = &%s:%s -> 0x%s", hashname, next->da->name, i,
list_name, next->da->name, hex);
talloc_free(hex);
}
av_push(av, newSVpvn((char const *)next->vp_octets, next->length));
break;
default:
len = vp_prints_value(buffer, sizeof(buffer), next, 0);
RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hashname, next->da->name, i,
list_name, next->da->name, buffer);
av_push(av, newSVpvn(buffer, truncate_len(len, sizeof(buffer))));
break;
}
}
(void)hv_store(rad_hv, name, strlen(name), newRV_noinc((SV *)av), 0);
continue;
}
/*
* It's a normal single valued attribute
*/
switch (vp->da->type) {
case PW_TYPE_STRING:
RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hashname, vp->da->name, list_name,
vp->da->name, vp->vp_strvalue);
(void)hv_store(rad_hv, name, strlen(name), newSVpvn(vp->vp_strvalue, vp->length), 0);
break;
case PW_TYPE_OCTETS:
if (RDEBUG_ENABLED) {
char *hex;
hex = fr_abin2hex(request, vp->vp_octets, vp->length);
RDEBUG("$%s{'%s'} = &%s:%s -> 0x%s", hashname, vp->da->name,
list_name, vp->da->name, hex);
talloc_free(hex);
}
(void)hv_store(rad_hv, name, strlen(name),
newSVpvn((char const *)vp->vp_octets, vp->length), 0);
break;
default:
len = vp_prints_value(buffer, sizeof(buffer), vp, 0);
RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hashname, vp->da->name,
list_name, vp->da->name, buffer);
(void)hv_store(rad_hv, name, strlen(name),
newSVpvn(buffer, truncate_len(len, sizeof(buffer))), 0);
break;
}
}
REXDENT();
}
/** Uses paircmp to verify all VALUE_PAIRs in list match the filter defined by check
*
* @note will sort both filter and list in place.
*
* @param failed pointer to an array to write the pointers of the filter/list attributes that didn't match.
* May be NULL.
* @param filter attributes to check list against.
* @param list attributes, probably a request or reply
*/
bool pairvalidate_relaxed(VALUE_PAIR const *failed[2], VALUE_PAIR *filter, VALUE_PAIR *list)
{
vp_cursor_t filter_cursor;
vp_cursor_t list_cursor;
VALUE_PAIR *check, *last_check = NULL, *match = NULL;
if (!filter && !list) {
return true;
}
/*
* This allows us to verify the sets of validate and reply are equal
* i.e. we have a validate rule which matches every reply attribute.
*
* @todo this should be removed one we have sets and lists
*/
pairsort(&filter, attrtagcmp);
pairsort(&list, attrtagcmp);
fr_cursor_init(&list_cursor, &list);
for (check = fr_cursor_init(&filter_cursor, &filter);
check;
check = fr_cursor_next(&filter_cursor)) {
/*
* Were processing check attributes of a new type.
*/
if (!ATTRIBUTE_EQ(last_check, check)) {
/*
* Record the start of the matching attributes in the pair list
* For every other operator we require the match to be present
*/
match = fr_cursor_next_by_da(&list_cursor, check->da, check->tag);
if (!match) {
if (check->op == T_OP_CMP_FALSE) continue;
goto mismatch;
}
fr_cursor_init(&list_cursor, &match);
last_check = check;
}
/*
* Now iterate over all attributes of the same type.
*/
for (match = fr_cursor_first(&list_cursor);
ATTRIBUTE_EQ(match, check);
match = fr_cursor_next(&list_cursor)) {
/*
* This attribute passed the filter
*/
if (!paircmp(check, match)) goto mismatch;
}
}
return true;
mismatch:
if (failed) {
failed[0] = check;
failed[1] = match;
}
return false;
}
static void got_packet(UNUSED uint8_t *args, struct pcap_pkthdr const*header, uint8_t const *data)
{
static int count = 1; /* Packets seen */
/*
* Define pointers for packet's attributes
*/
const struct ip_header *ip; /* The IP header */
const struct udp_header *udp; /* The UDP header */
const uint8_t *payload; /* Packet payload */
/*
* And define the size of the structures we're using
*/
int size_ethernet = sizeof(struct ethernet_header);
int size_ip = sizeof(struct ip_header);
int size_udp = sizeof(struct udp_header);
/*
* For FreeRADIUS
*/
RADIUS_PACKET *packet, *original;
struct timeval elapsed;
/*
* Define our packet's attributes
*/
if ((data[0] == 2) && (data[1] == 0) &&
(data[2] == 0) && (data[3] == 0)) {
ip = (struct ip_header const *) (data + 4);
} else {
ip = (struct ip_header const *)(data + size_ethernet);
}
udp = (struct udp_header const *)(((uint8_t const *) ip) + size_ip);
payload = (uint8_t const *)(((uint8_t const *) udp) + size_udp);
packet = rad_alloc(NULL, 0);
if (!packet) {
fprintf(stderr, "Out of memory\n");
return;
}
packet->src_ipaddr.af = AF_INET;
packet->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
packet->src_port = ntohs(udp->udp_sport);
packet->dst_ipaddr.af = AF_INET;
packet->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
packet->dst_port = ntohs(udp->udp_dport);
memcpy(&packet->data, &payload, sizeof(packet->data));
packet->data_len = header->len - (payload - data);
if (!rad_packet_ok(packet, 0)) {
DEBUG("Packet: %s\n", fr_strerror());
DEBUG(" From %s:%d\n", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
DEBUG(" To: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG(" Type: %s\n", fr_packet_codes[packet->code]);
rad_free(&packet);
return;
}
switch (packet->code) {
case PW_CODE_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_CODE_AUTHENTICATION_ACK:
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, packet);
break;
case PW_CODE_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(NULL, packet);
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(packet, original, radius_secret) != 0) {
rad_free(&packet);
fr_perror("decode");
return;
}
/*
* We've seen a successfull reply to this, so delete it now
*/
if (original)
rbtree_deletebydata(request_tree, original);
if (filter_vps && filter_packet(packet)) {
rad_free(&packet);
DEBUG("Packet number %d doesn't match\n", count++);
return;
}
if (out) {
pcap_dump((void *) out, header, data);
goto check_filter;
}
INFO("%s Id %d\t", fr_packet_codes[packet->code], packet->id);
/*
* Print the RADIUS packet
*/
INFO("%s:%d -> %s:%d", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport),
inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG1("\t(%d packets)", count++);
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
tv_sub(&header->ts, &start_pcap, &elapsed);
INFO("\t+%u.%03u", (unsigned int) elapsed.tv_sec,
(unsigned int) elapsed.tv_usec / 1000);
if (fr_debug_flag > 1) {
DEBUG("\n");
if (packet->vps) {
if (do_sort) {
pairsort(&packet->vps, true);
}
vp_printlist(log_dst, packet->vps);
pairfree(&packet->vps);
}
}
INFO("\n");
if (!to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(packet);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((packet->code != PW_CODE_AUTHENTICATION_REQUEST) &&
(packet->code != PW_CODE_ACCOUNTING_REQUEST))) {
rad_free(&packet);
}
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
rc_request_t *request;
RADIUS_PACKET *reply, **packet_p;
volatile int max_fd;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
max_fd = fr_packet_list_fd_set(pl, &set);
if (max_fd < 0) exit(1); /* no sockets to listen on! */
if (wait_time <= 0) {
tv.tv_sec = 0;
} else {
tv.tv_sec = wait_time;
}
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(max_fd, &set, NULL, NULL, &tv) <= 0) {
return 0;
}
/*
* Look for the packet.
*/
reply = fr_packet_list_recv(pl, &set);
if (!reply) {
ERROR("Received bad packet");
#ifdef WITH_TCP
/*
* If the packet is bad, we close the socket.
* I'm not sure how to do that now, so we just
* die...
*/
if (proto) exit(1);
#endif
return -1; /* bad packet */
}
/*
* udpfromto issues. We may have bound to "*",
* and we want to find the replies that are sent to
* (say) 127.0.0.1.
*/
reply->dst_ipaddr = client_ipaddr;
reply->dst_port = client_port;
#ifdef WITH_TCP
reply->src_ipaddr = server_ipaddr;
reply->src_port = server_port;
#endif
packet_p = fr_packet_list_find_byreply(pl, reply);
if (!packet_p) {
ERROR("Received reply to request we did not send. (id=%d socket %d)",
reply->id, reply->sockfd);
rad_free(&reply);
return -1; /* got reply to packet we didn't send */
}
request = fr_packet2myptr(rc_request_t, packet, packet_p);
/*
* Fails the signature validation: not a real reply.
* FIXME: Silently drop it and listen for another packet.
*/
if (rad_verify(reply, request->packet, secret) < 0) {
REDEBUG("Reply verification failed");
stats.lost++;
goto packet_done; /* shared secret is incorrect */
}
if (print_filename) {
RDEBUG("%s response code %d", request->files->packets, reply->code);
}
deallocate_id(request);
request->reply = reply;
reply = NULL;
/*
* If this fails, we're out of memory.
*/
if (rad_decode(request->reply, request->packet, secret) != 0) {
REDEBUG("Reply decode failed");
stats.lost++;
goto packet_done;
}
/*
* Increment counters...
*/
switch (request->reply->code) {
case PW_CODE_AUTHENTICATION_ACK:
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_ACK:
stats.accepted++;
break;
case PW_CODE_ACCESS_CHALLENGE:
break;
default:
stats.rejected++;
}
/*
* If we had an expected response code, check to see if the
* packet matched that.
*/
if (request->reply->code != request->filter_code) {
if (is_radius_code(request->packet_code)) {
REDEBUG("Expected %s got %s", fr_packet_codes[request->filter_code],
fr_packet_codes[request->reply->code]);
} else {
REDEBUG("Expected %u got %i", request->filter_code,
request->reply->code);
}
stats.failed++;
/*
* Check if the contents of the packet matched the filter
*/
} else if (!request->filter) {
stats.passed++;
} else {
VALUE_PAIR const *failed[2];
pairsort(&request->reply->vps, attrtagcmp);
if (pairvalidate(failed, request->filter, request->reply->vps)) {
RDEBUG("Response passed filter");
stats.passed++;
} else {
pairvalidate_debug(request, failed);
REDEBUG("Response failed filter");
stats.failed++;
}
}
if (request->resend == resend_count) {
request->done = true;
}
packet_done:
rad_free(&request->reply);
rad_free(&reply); /* may be NULL */
return 0;
}
/*
* Initialize a radclient data structure and add it to
* the global linked list.
*/
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
{
FILE *packets, *filters = NULL;
vp_cursor_t cursor;
VALUE_PAIR *vp;
rc_request_t *request;
bool packets_done = false;
uint64_t num = 0;
assert(files->packets != NULL);
/*
* Determine where to read the VP's from.
*/
if (strcmp(files->packets, "-") != 0) {
packets = fopen(files->packets, "r");
if (!packets) {
ERROR("Error opening %s: %s", files->packets, strerror(errno));
return 0;
}
/*
* Read in the pairs representing the expected response.
*/
if (files->filters) {
filters = fopen(files->filters, "r");
if (!filters) {
ERROR("Error opening %s: %s", files->filters, strerror(errno));
fclose(packets);
return 0;
}
}
} else {
packets = stdin;
}
/*
* Loop until the file is done.
*/
do {
/*
* Allocate it.
*/
request = talloc_zero(ctx, rc_request_t);
if (!request) {
ERROR("Out of memory");
goto error;
}
talloc_set_destructor(request, _rc_request_free);
request->packet = rad_alloc(request, 1);
if (!request->packet) {
ERROR("Out of memory");
goto error;
}
#ifdef WITH_TCP
request->packet->src_ipaddr = client_ipaddr;
request->packet->src_port = client_port;
request->packet->dst_ipaddr = server_ipaddr;
request->packet->dst_port = server_port;
request->packet->proto = ipproto;
#endif
request->files = files;
request->packet->id = -1; /* allocate when sending */
request->num = num++;
/*
* Read the request VP's.
*/
if (readvp2(&request->packet->vps, request->packet, packets, &packets_done) < 0) {
ERROR("Error parsing \"%s\"", files->packets);
goto error;
}
fr_cursor_init(&cursor, &request->filter);
vp = fr_cursor_next_by_num(&cursor, PW_PACKET_TYPE, 0, TAG_ANY);
if (vp) {
fr_cursor_remove(&cursor);
request->packet_code = vp->vp_integer;
talloc_free(vp);
} else {
request->packet_code = packet_code; /* Use the default set on the command line */
}
/*
* Read in filter VP's.
*/
if (filters) {
bool filters_done;
if (readvp2(&request->filter, request, filters, &filters_done) < 0) {
ERROR("Error parsing \"%s\"", files->filters);
goto error;
}
if (!request->filter) {
goto error;
}
if (filters_done && !packets_done) {
ERROR("Differing number of packets/filters in %s:%s "
"(too many requests))", files->packets, files->filters);
goto error;
}
if (!filters_done && packets_done) {
ERROR("Differing number of packets/filters in %s:%s "
"(too many filters))", files->packets, files->filters);
goto error;
}
fr_cursor_init(&cursor, &request->filter);
vp = fr_cursor_next_by_num(&cursor, PW_PACKET_TYPE, 0, TAG_ANY);
if (vp) {
fr_cursor_remove(&cursor);
request->filter_code = vp->vp_integer;
talloc_free(vp);
}
/*
* xlat expansions aren't supported here
*/
for (vp = fr_cursor_init(&cursor, &request->filter);
vp;
vp = fr_cursor_next(&cursor)) {
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->value.xlat;
}
}
/*
* This allows efficient list comparisons later
*/
pairsort(&request->filter, attrtagcmp);
}
/*
* Determine the response code from the request (if not already set)
*/
if (!request->filter_code) {
switch (request->packet_code) {
case PW_CODE_AUTHENTICATION_REQUEST:
request->filter_code = PW_CODE_AUTHENTICATION_ACK;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
case PW_CODE_COA_REQUEST:
request->filter_code = PW_CODE_COA_ACK;
break;
case PW_CODE_DISCONNECT_REQUEST:
request->filter_code = PW_CODE_DISCONNECT_ACK;
break;
default:
break;
}
}
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
} else if ((vp = pairfind(request->packet->vps, PW_MSCHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
strlcpy(request->password, vp->vp_strvalue,
sizeof(request->password));
} else {
request->password[0] = '\0';
}
/*
* Fix up Digest-Attributes issues
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that in request.
*/
if (vp->type == VT_XLAT) {
vp->vp_strvalue = vp->value.xlat;
vp->value.xlat = NULL;
vp->type = VT_DATA;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->length + 2);
memcpy(p + 2, vp->vp_octets, vp->length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->length += 2;
p[1] = vp->length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
if (!da) {
ERROR("Out of memory");
goto error;
}
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
}
} /* loop over the VP's we read in */
/*
* Automatically set the port if we don't have a global
* or packet specific one.
*/
if ((server_port == 0) && (request->packet->dst_port == 0)) {
radclient_get_port(request->packet->code, &request->packet->dst_port);
}
/*
* Add it to the tail of the list.
*/
if (!request_head) {
assert(rc_request_tail == NULL);
request_head = request;
request->prev = NULL;
} else {
assert(rc_request_tail->next == NULL);
rc_request_tail->next = request;
request->prev = rc_request_tail;
}
rc_request_tail = request;
request->next = NULL;
} while (!packets_done); /* loop until the file is done. */
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
/*
* And we're done.
*/
return 1;
error:
talloc_free(request);
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
return 0;
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
rc_request_t *request;
RADIUS_PACKET *reply, **packet_p;
volatile int max_fd;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
max_fd = fr_packet_list_fd_set(pl, &set);
if (max_fd < 0) exit(1); /* no sockets to listen on! */
tv.tv_sec = (wait_time <= 0) ? 0 : wait_time;
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(max_fd, &set, NULL, NULL, &tv) <= 0) return 0;
/*
* Look for the packet.
*/
reply = fr_packet_list_recv(pl, &set);
if (!reply) {
ERROR("Received bad packet");
#ifdef WITH_TCP
/*
* If the packet is bad, we close the socket.
* I'm not sure how to do that now, so we just
* die...
*/
if (proto) exit(1);
#endif
return -1; /* bad packet */
}
/*
* We don't use udpfromto. So if we bind to "*", we want
* to find replies sent to 192.0.2.4. Therefore, we
* force all replies to have the one address we know
* about, no matter what real address they were sent to.
*
* This only works if were not using any of the
* Packet-* attributes, or running with 'auto'.
*/
reply->dst_ipaddr = client_ipaddr;
reply->dst_port = client_port;
#ifdef WITH_TCP
/*
* TCP sockets don't use recvmsg(), and thus don't get
* the source IP/port. However, since they're TCP, we
* know what the source IP/port is, because that's where
* we connected to.
*/
if (ipproto == IPPROTO_TCP) {
reply->src_ipaddr = server_ipaddr;
reply->src_port = server_port;
}
#endif
packet_p = fr_packet_list_find_byreply(pl, reply);
if (!packet_p) {
ERROR("Received reply to request we did not send. (id=%d socket %d)",
reply->id, reply->sockfd);
rad_free(&reply);
return -1; /* got reply to packet we didn't send */
}
request = fr_packet2myptr(rc_request_t, packet, packet_p);
/*
* Fails the signature validation: not a real reply.
* FIXME: Silently drop it and listen for another packet.
*/
if (rad_verify(reply, request->packet, secret) < 0) {
REDEBUG("Reply verification failed");
stats.lost++;
goto packet_done; /* shared secret is incorrect */
}
if (print_filename) {
RDEBUG("%s response code %d", request->files->packets, reply->code);
}
deallocate_id(request);
request->reply = reply;
reply = NULL;
/*
* If this fails, we're out of memory.
*/
if (rad_decode(request->reply, request->packet, secret) != 0) {
REDEBUG("Reply decode failed");
stats.lost++;
goto packet_done;
}
fr_packet_header_print(fr_log_fp, request->reply, true);
if (fr_debug_flag > 0) vp_printlist(fr_log_fp, request->reply->vps);
/*
* Increment counters...
*/
switch (request->reply->code) {
case PW_CODE_ACCESS_ACCEPT:
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_ACK:
stats.accepted++;
break;
case PW_CODE_ACCESS_CHALLENGE:
break;
default:
stats.rejected++;
}
/*
* If we had an expected response code, check to see if the
* packet matched that.
*/
if (request->reply->code != request->filter_code) {
if (is_radius_code(request->reply->code)) {
REDEBUG("%s: Expected %s got %s", request->name, fr_packet_codes[request->filter_code],
fr_packet_codes[request->reply->code]);
} else {
REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
request->reply->code);
}
stats.failed++;
/*
* Check if the contents of the packet matched the filter
*/
} else if (!request->filter) {
stats.passed++;
} else {
VALUE_PAIR const *failed[2];
pairsort(&request->reply->vps, attrtagcmp);
if (pairvalidate(failed, request->filter, request->reply->vps)) {
RDEBUG("%s: Response passed filter", request->name);
stats.passed++;
} else {
pairvalidate_debug(request, failed);
REDEBUG("%s: Response for failed filter", request->name);
stats.failed++;
}
}
if (request->resend == resend_count) {
request->done = true;
}
packet_done:
rad_free(&request->reply);
rad_free(&reply); /* may be NULL */
return 0;
}
/*
* Initialize a radclient data structure and add it to
* the global linked list.
*/
static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files)
{
FILE *packets, *filters = NULL;
vp_cursor_t cursor;
VALUE_PAIR *vp;
rc_request_t *request;
bool packets_done = false;
uint64_t num = 0;
assert(files->packets != NULL);
/*
* Determine where to read the VP's from.
*/
if (strcmp(files->packets, "-") != 0) {
packets = fopen(files->packets, "r");
if (!packets) {
ERROR("Error opening %s: %s", files->packets, strerror(errno));
return 0;
}
/*
* Read in the pairs representing the expected response.
*/
if (files->filters) {
filters = fopen(files->filters, "r");
if (!filters) {
ERROR("Error opening %s: %s", files->filters, strerror(errno));
fclose(packets);
return 0;
}
}
} else {
packets = stdin;
}
/*
* Loop until the file is done.
*/
do {
/*
* Allocate it.
*/
request = talloc_zero(ctx, rc_request_t);
if (!request) {
ERROR("Out of memory");
goto error;
}
request->packet = rad_alloc(request, true);
if (!request->packet) {
ERROR("Out of memory");
goto error;
}
#ifdef WITH_TCP
request->packet->src_ipaddr = client_ipaddr;
request->packet->src_port = client_port;
request->packet->dst_ipaddr = server_ipaddr;
request->packet->dst_port = server_port;
request->packet->proto = ipproto;
#endif
request->files = files;
request->packet->id = -1; /* allocate when sending */
request->num = num++;
/*
* Read the request VP's.
*/
if (readvp2(request->packet, &request->packet->vps, packets, &packets_done) < 0) {
char const *input;
if ((files->packets[0] == '-') && (files->packets[1] == '\0')) {
input = "stdin";
} else {
input = files->packets;
}
REDEBUG("Error parsing \"%s\"", input);
goto error;
}
/*
* Skip empty entries
*/
if (!request->packet->vps) {
talloc_free(request);
continue;
}
/*
* Read in filter VP's.
*/
if (filters) {
bool filters_done;
if (readvp2(request, &request->filter, filters, &filters_done) < 0) {
REDEBUG("Error parsing \"%s\"", files->filters);
goto error;
}
if (filters_done && !packets_done) {
REDEBUG("Differing number of packets/filters in %s:%s "
"(too many requests))", files->packets, files->filters);
goto error;
}
if (!filters_done && packets_done) {
REDEBUG("Differing number of packets/filters in %s:%s "
"(too many filters))", files->packets, files->filters);
goto error;
}
/*
* xlat expansions aren't supported here
*/
for (vp = fr_cursor_init(&cursor, &request->filter);
vp;
vp = fr_cursor_next(&cursor)) {
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->xlat;
vp->vp_length = talloc_array_length(vp->vp_strvalue) - 1;
}
if (vp->da->vendor == 0 ) switch (vp->da->attr) {
case PW_RESPONSE_PACKET_TYPE:
case PW_PACKET_TYPE:
fr_cursor_remove(&cursor); /* so we don't break the filter */
request->filter_code = vp->vp_integer;
talloc_free(vp);
default:
break;
}
}
/*
* This allows efficient list comparisons later
*/
pairsort(&request->filter, attrtagcmp);
}
request->password[0] = '\0';
/*
* Process special attributes
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that in request.
*/
if (vp->type == VT_XLAT) {
vp->type = VT_DATA;
vp->vp_strvalue = vp->xlat;
vp->vp_length = talloc_array_length(vp->vp_strvalue) - 1;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_RESPONSE_PACKET_TYPE:
request->filter_code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->packet->dst_ipaddr.prefix = 32;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->packet->dst_ipaddr.prefix = 128;
break;
case PW_PACKET_SRC_PORT:
if ((vp->vp_integer < 1024) ||
(vp->vp_integer > 65535)) {
ERROR("Invalid value '%u' for Packet-Src-Port", vp->vp_integer);
goto error;
}
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->packet->src_ipaddr.prefix = 32;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->packet->src_ipaddr.prefix = 128;
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->vp_length + 2);
memcpy(p + 2, vp->vp_octets, vp->vp_length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->vp_length += 2;
p[1] = vp->vp_length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
if (!da) {
ERROR("Out of memory");
goto error;
}
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
/*
* Keep a copy of the the password attribute.
*/
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_MS_CHAP_PASSWORD:
strlcpy(request->password, vp->vp_strvalue, sizeof(request->password));
break;
case PW_RADCLIENT_TEST_NAME:
request->name = vp->vp_strvalue;
break;
}
} /* loop over the VP's we read in */
/*
* Use the default set on the command line
*/
if (request->packet->code == PW_CODE_UNDEFINED) request->packet->code = packet_code;
/*
* Default to the filename
*/
if (!request->name) request->name = request->files->packets;
/*
* Automatically set the response code from the request code
* (if one wasn't already set).
*/
if (request->filter_code == PW_CODE_UNDEFINED) {
switch (request->packet->code) {
case PW_CODE_ACCESS_REQUEST:
request->filter_code = PW_CODE_ACCESS_ACCEPT;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
case PW_CODE_COA_REQUEST:
request->filter_code = PW_CODE_COA_ACK;
break;
case PW_CODE_DISCONNECT_REQUEST:
request->filter_code = PW_CODE_DISCONNECT_ACK;
break;
case PW_CODE_STATUS_SERVER:
switch (radclient_get_code(request->packet->dst_port)) {
case PW_CODE_ACCESS_REQUEST:
request->filter_code = PW_CODE_ACCESS_ACCEPT;
break;
case PW_CODE_ACCOUNTING_REQUEST:
request->filter_code = PW_CODE_ACCOUNTING_RESPONSE;
break;
default:
REDEBUG("Can't determine expected response to Status-Server request, specify "
"a well known RADIUS port, or add a Response-Packet-Type attribute "
"to the request of filter");
goto error;
}
break;
case PW_CODE_UNDEFINED:
REDEBUG("Both Packet-Type and Response-Packet-Type undefined, specify at least one, "
"or a well known RADIUS port");
goto error;
default:
REDEBUG("Can't determine expected Response-Packet-Type for Packet-Type %i",
request->packet->code);
goto error;
}
/*
* Automatically set the request code from the response code
* (if one wasn't already set).
*/
} else if (request->packet->code == PW_CODE_UNDEFINED) {
switch (request->filter_code) {
case PW_CODE_ACCESS_ACCEPT:
case PW_CODE_ACCESS_REJECT:
request->packet->code = PW_CODE_ACCESS_REQUEST;
break;
case PW_CODE_ACCOUNTING_RESPONSE:
request->packet->code = PW_CODE_ACCOUNTING_REQUEST;
break;
case PW_CODE_DISCONNECT_ACK:
case PW_CODE_DISCONNECT_NAK:
request->packet->code = PW_CODE_DISCONNECT_REQUEST;
break;
case PW_CODE_COA_ACK:
case PW_CODE_COA_NAK:
request->packet->code = PW_CODE_COA_REQUEST;
break;
default:
REDEBUG("Can't determine expected Packet-Type for Response-Packet-Type %i",
request->filter_code);
goto error;
}
}
/*
* Automatically set the dst port (if one wasn't already set).
*/
if (request->packet->dst_port == 0) {
radclient_get_port(request->packet->code, &request->packet->dst_port);
if (request->packet->dst_port == 0) {
REDEBUG("Can't determine destination port");
goto error;
}
}
/*
* Add it to the tail of the list.
*/
if (!request_head) {
assert(rc_request_tail == NULL);
request_head = request;
request->prev = NULL;
} else {
assert(rc_request_tail->next == NULL);
rc_request_tail->next = request;
request->prev = rc_request_tail;
}
rc_request_tail = request;
request->next = NULL;
/*
* Set the destructor so it removes itself from the
* request list when freed. We don't set this until
* the packet is actually in the list, else we trigger
* the asserts in the free callback.
*/
talloc_set_destructor(request, _rc_request_free);
} while (!packets_done); /* loop until the file is done. */
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
/*
* And we're done.
*/
return 1;
error:
talloc_free(request);
if (packets != stdin) fclose(packets);
if (filters) fclose(filters);
return 0;
}
static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
rs_stats_t *stats = event->stats;
struct timeval elapsed;
struct timeval latency;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response; /* Was it a response code */
decode_fail_t reason; /* Why we failed decoding the packet */
static uint64_t captured = 0;
RADIUS_PACKET *current; /* Current packet were processing */
rs_request_t *original;
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(conf, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (p - data);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
RIDEBUG("(%" PRIu64 ") ** %s **", count, fr_strerror());
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
case PW_CODE_COA_NAK:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_NAK:
case PW_CODE_DISCONNECT_ACK:
case PW_CODE_STATUS_CLIENT:
{
rs_request_t search;
struct timeval when;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
/* look for a matching request and use it for decoding */
search.packet = current;
original = rbtree_finddata(request_tree, &search);
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, original ? original->packet : NULL,
conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Check if we've managed to link it to a request
*/
if (original) {
/*
* Is this a retransmit?
*/
if (!original->linked) {
original->stats_rsp = &stats->exchange[current->code];
} else {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_rsp++;
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
}
original->linked = talloc_steal(original, current);
/*
* Some RADIUS servers and proxy servers may not cache
* Accounting-Responses (and possibly other code),
* and may immediately re-use a RADIUS packet src
* port/id combination on receipt of a response.
*/
if (conf->dequeue[current->code]) {
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
} else {
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when,
&original->event)) {
ERROR("Failed inserting new event");
/*
* Delete the original request/event, it's no longer valid
* for statistics.
*/
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
return;
}
}
/*
* No request seen, or request was dropped by attribute filter
*/
} else {
/*
* If filter_vps are set assume the original request was dropped,
* the alternative is maintaining another 'filter', but that adds
* complexity, reduces max capture rate, and is generally a PITA.
*/
if (filter_vps) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
RDEBUG("(%" PRIu64 ") ** UNLINKED **", count);
stats->exchange[current->code].interval.unlinked_total++;
}
response = true;
}
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
case PW_CODE_COA_REQUEST:
case PW_CODE_DISCONNECT_REQUEST:
case PW_CODE_STATUS_SERVER:
{
rs_request_t search;
struct timeval when;
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, NULL, conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Now verify the packet passes the attribute filter
*/
if (filter_vps && !pairvalidate_relaxed(filter_vps, current->vps)) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
/*
* save the request for later matching
*/
search.packet = rad_alloc_reply(conf, current);
if (!search.packet) {
ERROR("Failed allocating memory to hold expected reply");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
rad_free(¤t);
return;
}
search.packet->code = current->code;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
original = rbtree_finddata(request_tree, &search);
/*
* Upstream device re-used src/dst ip/port id without waiting
* for the timeout period to expire, or a response.
*/
if (original && memcmp(original->packet->vector, current->vector,
sizeof(original->packet->vector) != 0)) {
RDEBUG2("(%" PRIu64 ") ** PREMATURE ID RE-USE **", count);
stats->exchange[current->code].interval.reused_total++;
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
original = NULL;
}
if (original) {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_req++;
rad_free(&original->packet);
original->packet = talloc_steal(original, search.packet);
/* We may of seen the response, but it may of been lost upstream */
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
} else {
original = talloc_zero(conf, rs_request_t);
talloc_set_destructor(original, _request_free);
original->id = count;
original->in = event->in;
original->stats_req = &stats->exchange[current->code];
original->packet = talloc_steal(original, search.packet);
rbtree_insert(request_tree, original);
}
/* update the timestamp in either case */
original->packet->timestamp = header->ts;
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when, &original->event)) {
ERROR("Failed inserting new event");
rbtree_deletebydata(request_tree, original);
return;
}
response = false;
}
break;
default:
RDEBUG("** Unsupported code %i **", current->code);
rad_free(¤t);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
/*
* Increase received count
*/
stats->exchange[current->code].interval.received_total++;
/*
* It's a linked response
*/
if (original && original->linked) {
rs_tv_sub(¤t->timestamp, &original->packet->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->packet->code], &latency);
/*
* Print info about the request/response.
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (conf->print_packet && (fr_debug_flag > 1) && current->vps) {
pairsort(¤t->vps, true);
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
if (!conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
/*
* If it's a request, a duplicate of the packet will of already been stored.
* If it's a unlinked response, we need to free it explicitly, as it will
* not be done by the event queue.
*/
if (!response || !original) {
rad_free(¤t);
}
captured++;
/*
* We've hit our capture limit, break out of the event loop
*/
if ((conf->limit > 0) && (captured >= conf->limit)) {
INFO("Captured %" PRIu64 " packets, exiting...", captured);
fr_event_loop_exit(events, 1);
}
}
