/* * Free a radclient struct, which may (or may not) * already be in the list. */ static void radclient_free(radclient_t *radclient) { radclient_t *prev, *next; if (radclient->request) rad_free(&radclient->request); if (radclient->reply) rad_free(&radclient->reply); prev = radclient->prev; next = radclient->next; if (prev) { assert(radclient_head != radclient); prev->next = next; } else if (radclient_head) { assert(radclient_head == radclient); radclient_head = next; } if (next) { assert(radclient_tail != radclient); next->prev = prev; } else if (radclient_tail) { assert(radclient_tail == radclient); radclient_tail = prev; } free(radclient); }
/* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ int vqp_socket_recv(rad_listen_t *listener, RAD_REQUEST_FUNP *pfun, REQUEST **prequest) { RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client; packet = vqp_recv(listener->fd); if (!packet) { radlog(L_ERR, "%s", fr_strerror()); return 0; } if ((client = client_listener_find(listener, &packet->src_ipaddr, packet->src_port)) == NULL) { rad_free(&packet); return 0; } /* * Do new stuff. */ fun = vmps_process; if (!received_request(listener, packet, prequest, client)) { rad_free(&packet); return 0; } *pfun = fun; return 1; }
/* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ static int vqp_socket_recv(rad_listen_t *listener) { RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client; packet = vqp_recv(listener->fd); if (!packet) { ERROR("%s", fr_strerror()); return 0; } if ((client = client_listener_find(listener, &packet->src_ipaddr, packet->src_port)) == NULL) { rad_free(&packet); return 0; } /* * Do new stuff. */ fun = vmps_process; if (!request_receive(NULL, listener, packet, client, fun)) { rad_free(&packet); return 0; } return 1; }
/* * @fixme: This can be removed once packet destructors are set by rad_alloc */ static int _request_free(rs_request_t *request) { if (!cleanup) { RDEBUG("(%i) Cleaning up request packet ID %i", request->id, request->packet->id); } rad_free(&request->packet); rad_free(&request->linked); return 0; }
/* * Deallocate packet ID, etc. */ static void deallocate_id(radclient_t *radclient) { if (!radclient || !radclient->request || (radclient->request->id < 0)) { return; } /* * One more unused RADIUS ID. */ fr_packet_list_id_free(pl, radclient->request); radclient->request->id = -1; /* * If we've already sent a packet, free up the old one, * and ensure that the next packet has a unique * authentication vector. */ if (radclient->request->data) { free(radclient->request->data); radclient->request->data = NULL; } if (radclient->reply) rad_free(&radclient->reply); }
/* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ static int status_socket_recv(rad_listen_t *listener, RAD_REQUEST_FUNP *pfun, REQUEST **prequest) { ssize_t rcode; int code, src_port; RADIUS_PACKET *packet; RADCLIENT *client; fr_ipaddr_t src_ipaddr; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; RAD_STATS_TYPE_INC(listener, total_requests); if (rcode < 20) { /* AUTH_HDR_LEN */ RAD_STATS_TYPE_INC(listener, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); RAD_STATS_TYPE_INC(listener, total_invalid_requests); return 0; } /* * We only understand Status-Server on this socket. */ if (code != PW_STATUS_SERVER) { DEBUG("Ignoring packet code %d sent to Status-Server port", code); rad_recv_discard(listener->fd); RAD_STATS_TYPE_INC(listener, total_unknown_types); RAD_STATS_CLIENT_INC(listener, client, total_unknown_types); return 0; } /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(listener->fd, 1); /* require message authenticator */ if (!packet) { RAD_STATS_TYPE_INC(listener, total_malformed_requests); DEBUG("%s", fr_strerror()); return 0; } if (!received_request(listener, packet, prequest, client)) { RAD_STATS_TYPE_INC(listener, total_packets_dropped); RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped); rad_free(&packet); return 0; } *pfun = status_process; return 1; }
static void cleanup(RADIUS_PACKET *packet) { if (!packet) return; if (packet->sockfd >= 0) { close(packet->sockfd); } rad_free(&packet); }
/* * Recieve packets from a proxy socket. */ static int proxy_socket_tcp_recv(rad_listen_t *listener, RAD_REQUEST_FUNP *pfun, REQUEST **prequest) { REQUEST *request; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; char buffer[128]; packet = fr_tcp_recv(listener->fd, 0); if (!packet) { proxy_close_tcp_listener(listener); return 0; } /* * FIXME: Client MIB updates? */ switch(packet->code) { case PW_AUTHENTICATION_ACK: case PW_ACCESS_CHALLENGE: case PW_AUTHENTICATION_REJECT: fun = rad_authenticate; break; #ifdef WITH_ACCOUNTING case PW_ACCOUNTING_RESPONSE: fun = rad_accounting; break; #endif default: /* * FIXME: Update MIB for packet types? */ radlog(L_ERR, "Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); rad_free(&packet); return 0; } request = received_proxy_tcp_response(packet, fr_listen2tcp(listener)); if (!request) { return 0; } rad_assert(fun != NULL); *pfun = fun; *prequest = request; return 1; }
RADIUS_PACKET *fr_tcp_recv(int sockfd, int flags) { RADIUS_PACKET *packet = rad_alloc(NULL, 0); if (!packet) return NULL; packet->sockfd = sockfd; if (fr_tcp_read_packet(packet, flags) != 1) { rad_free(&packet); return NULL; } return packet; }
/* * Deallocate packet ID, etc. */ static void deallocate_id(rc_request_t *request) { if (!request || !request->packet || (request->packet->id < 0)) { return; } /* * One more unused RADIUS ID. */ fr_packet_list_id_free(pl, request->packet, true); /* * If we've already sent a packet, free up the old one, * and ensure that the next packet has a unique * authentication vector. */ if (request->packet->data) TALLOC_FREE(request->packet->data); if (request->reply) rad_free(&request->reply); }
static int filter_packet(RADIUS_PACKET *packet) { VALUE_PAIR *check_item; VALUE_PAIR *vp; unsigned int pass, fail; int compare; pass = fail = 0; for (vp = packet->vps; vp != NULL; vp = vp->next) { for (check_item = filter_vps; check_item != NULL; check_item = check_item->next) if ((check_item->da == vp->da) && (check_item->op != T_OP_SET)) { compare = paircmp(check_item, vp); if (compare == 1) pass++; else fail++; } } if (fail == 0 && pass != 0) { /* * Cache authentication requests, as the replies * may not match the RADIUS filter. */ if ((packet->code == PW_AUTHENTICATION_REQUEST) || (packet->code == PW_ACCOUNTING_REQUEST)) { rbtree_deletebydata(filter_tree, packet); if (!rbtree_insert(filter_tree, packet)) { oom: fprintf(stderr, "radsniff: Out of memory\n"); exit(1); } } return 0; /* matched */ } /* * Don't create erroneous matches. */ if ((packet->code == PW_AUTHENTICATION_REQUEST) || (packet->code == PW_ACCOUNTING_REQUEST)) { rbtree_deletebydata(filter_tree, packet); return 1; } /* * Else see if a previous Access-Request * matched. If so, also print out the * matching accept, reject, or challenge. */ if ((packet->code == PW_AUTHENTICATION_ACK) || (packet->code == PW_AUTHENTICATION_REJECT) || (packet->code == PW_ACCESS_CHALLENGE) || (packet->code == PW_ACCOUNTING_RESPONSE)) { RADIUS_PACKET *reply; /* * This swaps the various fields. */ reply = rad_alloc_reply(NULL, packet); if (!reply) goto oom; compare = 1; if (rbtree_finddata(filter_tree, reply)) { compare = 0; } rad_free(&reply); return compare; } return 1; }
static void got_packet(UNUSED uint8_t *args, const struct pcap_pkthdr *header, const uint8_t *data) { static int count = 1; /* Packets seen */ /* * Define pointers for packet's attributes */ const struct ip_header *ip; /* The IP header */ const struct udp_header *udp; /* The UDP header */ const uint8_t *payload; /* Packet payload */ /* * And define the size of the structures we're using */ int size_ethernet = sizeof(struct ethernet_header); int size_ip = sizeof(struct ip_header); int size_udp = sizeof(struct udp_header); /* * For FreeRADIUS */ RADIUS_PACKET *packet, *original; struct timeval elapsed; /* * Define our packet's attributes */ if ((data[0] == 2) && (data[1] == 0) && (data[2] == 0) && (data[3] == 0)) { ip = (const struct ip_header*) (data + 4); } else { ip = (const struct ip_header*)(data + size_ethernet); } udp = (const struct udp_header*)(((const uint8_t *) ip) + size_ip); payload = (const uint8_t *)(((const uint8_t *) udp) + size_udp); packet = rad_alloc(NULL, 0); if (!packet) { fprintf(stderr, "Out of memory\n"); return; } packet->src_ipaddr.af = AF_INET; packet->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr; packet->src_port = ntohs(udp->udp_sport); packet->dst_ipaddr.af = AF_INET; packet->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr; packet->dst_port = ntohs(udp->udp_dport); memcpy(&packet->data, &payload, sizeof(packet->data)); packet->data_len = header->len - (payload - data); if (!rad_packet_ok(packet, 0)) { DEBUG(log_dst, "Packet: %s\n", fr_strerror()); DEBUG(log_dst, " From %s:%d\n", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport)); DEBUG(log_dst, " To: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport)); DEBUG(log_dst, " Type: %s\n", fr_packet_codes[packet->code]); rad_free(&packet); return; } switch (packet->code) { case PW_COA_REQUEST: /* we need a 16 x 0 byte vector for decrypting encrypted VSAs */ original = nullpacket; break; case PW_AUTHENTICATION_ACK: /* look for a matching request and use it for decoding */ original = rbtree_finddata(request_tree, packet); break; case PW_AUTHENTICATION_REQUEST: /* save the request for later matching */ original = rad_alloc_reply(NULL, packet); if (original) { /* just ignore allocation failures */ rbtree_deletebydata(request_tree, original); rbtree_insert(request_tree, original); } /* fallthrough */ default: /* don't attempt to decode any encrypted attributes */ original = NULL; } /* * Decode the data without bothering to check the signatures. */ if (rad_decode(packet, original, radius_secret) != 0) { rad_free(&packet); fr_perror("decode"); return; } /* * We've seen a successfull reply to this, so delete it now */ if (original) rbtree_deletebydata(request_tree, original); if (filter_vps && filter_packet(packet)) { rad_free(&packet); DEBUG(log_dst, "Packet number %d doesn't match\n", count++); return; } if (out) { pcap_dump((void *) out, header, data); goto check_filter; } INFO(log_dst, "%s Id %d\t", fr_packet_codes[packet->code], packet->id); /* * Print the RADIUS packet */ INFO(log_dst, "%s:%d -> ", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport)); INFO(log_dst, "%s:%d", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport)); DEBUG1(log_dst, "\t(%d packets)", count++); if (!start_pcap.tv_sec) { start_pcap = header->ts; } tv_sub(&header->ts, &start_pcap, &elapsed); INFO(log_dst, "\t+%u.%03u", (unsigned int) elapsed.tv_sec, (unsigned int) elapsed.tv_usec / 1000); if (fr_debug_flag > 1) { DEBUG(log_dst, "\n"); if (packet->vps) { if (do_sort) sort(packet); vp_printlist(log_dst, packet->vps); pairfree(&packet->vps); } } INFO(log_dst, "\n"); if (!to_stdout && (fr_debug_flag > 4)) { rad_print_hex(packet); } fflush(log_dst); check_filter: /* * If we're doing filtering, Access-Requests are cached in the * filter tree. */ if (!filter_vps || ((packet->code != PW_AUTHENTICATION_REQUEST) && (packet->code != PW_ACCOUNTING_REQUEST))) { rad_free(&packet); } }
/** Wrapper function to allow rad_free to be called as an rbtree destructor callback * * @param packet to free. */ static void _rb_rad_free(void *packet) { rad_free((RADIUS_PACKET **) &packet); }
static void rs_process_packet(rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data) { static int count = 0; /* Packets seen */ rs_stats_t *stats = event->stats; decode_fail_t reason; /* * Pointers into the packet data we just received */ size_t len; uint8_t const *p = data; struct ip_header const *ip = NULL; /* The IP header */ struct ip_header6 const *ip6 = NULL; /* The IPv6 header */ struct udp_header const *udp; /* The UDP header */ uint8_t version; /* IP header version */ bool response = false; /* Was it a response code */ RADIUS_PACKET *current, *original; struct timeval elapsed; struct timeval latency; count++; if (header->caplen <= 5) { INFO("Packet too small, captured %i bytes", header->caplen); return; } /* * Loopback header */ if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) { p += 4; /* * Ethernet header */ } else { p += sizeof(struct ethernet_header); } version = (p[0] & 0xf0) >> 4; switch (version) { case 4: ip = (struct ip_header const *)p; len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */ p += len; break; case 6: ip6 = (struct ip_header6 const *)p; p += sizeof(struct ip_header6); break; default: DEBUG("IP version invalid %i", version); return; } /* * End of variable length bits, do basic check now to see if packet looks long enough */ len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */ if (len > header->caplen) { DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes", (size_t) len, header->caplen); return; } udp = (struct udp_header const *)p; p += sizeof(struct udp_header); /* * With artificial talloc memory limits there's a good chance we can * recover once some requests timeout, so make an effort to deal * with allocation failures gracefully. */ current = rad_alloc(NULL, 0); if (!current) { ERROR("Failed allocating memory to hold decoded packet"); return; } current->timestamp = header->ts; current->data_len = header->caplen - (data - p); memcpy(¤t->data, &p, sizeof(current->data)); /* * Populate IP/UDP fields from PCAP data */ if (ip) { current->src_ipaddr.af = AF_INET; current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr; current->dst_ipaddr.af = AF_INET; current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr; } else { current->src_ipaddr.af = AF_INET6; memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr, sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr)); current->dst_ipaddr.af = AF_INET6; memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr, sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr)); } current->src_port = ntohs(udp->udp_sport); current->dst_port = ntohs(udp->udp_dport); if (!rad_packet_ok(current, 0, &reason)) { DEBUG("(%i) ** %s **", count, fr_strerror()); DEBUG("(%i) %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count, fr_packet_codes[current->code], current->id, event->in->name, fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port, fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port, (unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000)); rad_free(¤t); return; } switch (current->code) { case PW_CODE_COA_REQUEST: /* we need a 16 x 0 byte vector for decrypting encrypted VSAs */ original = nullpacket; break; case PW_CODE_ACCOUNTING_RESPONSE: case PW_CODE_AUTHENTICATION_REJECT: case PW_CODE_AUTHENTICATION_ACK: response = true; /* look for a matching request and use it for decoding */ original = rbtree_finddata(request_tree, current); break; case PW_CODE_ACCOUNTING_REQUEST: case PW_CODE_AUTHENTICATION_REQUEST: /* save the request for later matching */ original = rad_alloc_reply(event->conf, current); original->timestamp = header->ts; if (original) { /* just ignore allocation failures */ rbtree_deletebydata(request_tree, original); rbtree_insert(request_tree, original); } /* fallthrough */ default: /* don't attempt to decode any encrypted attributes */ original = NULL; } /* * Decode the data without bothering to check the signatures. */ if (rad_decode(current, original, event->conf->radius_secret) != 0) { rad_free(¤t); fr_perror("decode"); return; } if (filter_vps && rs_filter_packet(current)) { rad_free(¤t); DEBUG("Packet number %d doesn't match", count++); return; } if (event->out) { pcap_dump((void *) (event->out->dumper), header, data); goto check_filter; } rs_tv_sub(&header->ts, &start_pcap, &elapsed); rs_stats_update_count(&stats->gauge, current); if (original) { rs_tv_sub(¤t->timestamp, &original->timestamp, &latency); /* * Update stats for both the request and response types. * * This isn't useful for things like Access-Requests, but will be useful for * CoA and Disconnect Messages, as we get the average latency across both * response types. * * It also justifies allocating 255 instances rs_latency_t. */ rs_stats_update_latency(&stats->exchange[current->code], &latency); rs_stats_update_latency(&stats->exchange[original->code], &latency); /* * Print info about the response. */ DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count, fr_packet_codes[current->code], current->id, event->in->name, fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port, response ? "<-" : "->", fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port, (unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000), (unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000)); /* * It's the original request */ } else { /* * Print info about the request */ DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count, fr_packet_codes[current->code], current->id, event->in->name, fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port, response ? "<-" : "->", fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port, (unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000)); } if (fr_debug_flag > 1) { if (current->vps) { if (event->conf->do_sort) { pairsort(¤t->vps, true); } vp_printlist(log_dst, current->vps); pairfree(¤t->vps); } } /* * We've seen a successful reply to this, so delete it now */ if (original) { rbtree_deletebydata(request_tree, original); } if (!event->conf->to_stdout && (fr_debug_flag > 4)) { rad_print_hex(current); } fflush(log_dst); check_filter: /* * If we're doing filtering, Access-Requests are cached in the * filter tree. */ if (!filter_vps || ((current->code != PW_CODE_AUTHENTICATION_REQUEST) && (current->code != PW_CODE_ACCOUNTING_REQUEST))) { rad_free(¤t); } }
/* * Receive one packet, maybe. */ static int recv_one_packet(int wait_time) { fd_set set; struct timeval tv; radclient_t *radclient; RADIUS_PACKET *reply, **request_p; volatile int max_fd; /* And wait for reply, timing out as necessary */ FD_ZERO(&set); max_fd = fr_packet_list_fd_set(pl, &set); if (max_fd < 0) exit(1); /* no sockets to listen on! */ if (wait_time <= 0) { tv.tv_sec = 0; } else { tv.tv_sec = wait_time; } tv.tv_usec = 0; /* * No packet was received. */ if (select(max_fd, &set, NULL, NULL, &tv) <= 0) { return 0; } /* * Look for the packet. */ reply = fr_packet_list_recv(pl, &set); if (!reply) { fprintf(stderr, "radclient: received bad packet: %s\n", fr_strerror()); #ifdef WITH_TCP /* * If the packet is bad, we close the socket. * I'm not sure how to do that now, so we just * die... */ if (proto) exit(1); #endif return -1; /* bad packet */ } /* * udpfromto issues. We may have bound to "*", * and we want to find the replies that are sent to * (say) 127.0.0.1. */ reply->dst_ipaddr = client_ipaddr; reply->dst_port = client_port; #ifdef WITH_TCP reply->src_ipaddr = server_ipaddr; reply->src_port = server_port; #endif if (fr_debug_flag > 2) print_hex(reply); request_p = fr_packet_list_find_byreply(pl, reply); if (!request_p) { fprintf(stderr, "radclient: received response to request we did not send. (id=%d socket %d)\n", reply->id, reply->sockfd); rad_free(&reply); return -1; /* got reply to packet we didn't send */ } radclient = fr_packet2myptr(radclient_t, request, request_p); /* * Fails the signature validation: not a real reply. * FIXME: Silently drop it and listen for another packet. */ if (rad_verify(reply, radclient->request, secret) < 0) { fr_perror("rad_verify"); totallost++; goto packet_done; /* shared secret is incorrect */ } fr_packet_list_yank(pl, radclient->request); if (print_filename) printf("%s:%d %d\n", radclient->filename, radclient->packet_number, reply->code); deallocate_id(radclient); radclient->reply = reply; reply = NULL; /* * If this fails, we're out of memory. */ if (rad_decode(radclient->reply, radclient->request, secret) != 0) { fr_perror("rad_decode"); totallost++; goto packet_done; } /* libradius debug already prints out the value pairs for us */ if (!fr_debug_flag && do_output) { printf("Received response ID %d, code %d, length = %zd\n", radclient->reply->id, radclient->reply->code, radclient->reply->data_len); vp_printlist(stdout, radclient->reply->vps); } if ((radclient->reply->code == PW_AUTHENTICATION_ACK) || (radclient->reply->code == PW_ACCOUNTING_RESPONSE) || (radclient->reply->code == PW_COA_ACK) || (radclient->reply->code == PW_DISCONNECT_ACK)) { success = 1; /* have a good response */ totalapp++; } else { totaldeny++; } if (radclient->resend == resend_count) { radclient->done = 1; } packet_done: rad_free(&radclient->reply); rad_free(&reply); /* may be NULL */ return 0; }
/* * Process the "diameter" contents of the tunneled data. */ PW_CODE eapttls_process(eap_handler_t *handler, tls_session_t *tls_session) { PW_CODE code = PW_CODE_ACCESS_REJECT; rlm_rcode_t rcode; REQUEST *fake; VALUE_PAIR *vp; ttls_tunnel_t *t; uint8_t const *data; size_t data_len; REQUEST *request = handler->request; chbind_packet_t *chbind; /* * Just look at the buffer directly, without doing * record_minus. */ data_len = tls_session->clean_out.used; tls_session->clean_out.used = 0; data = tls_session->clean_out.data; t = (ttls_tunnel_t *) tls_session->opaque; /* * If there's no data, maybe this is an ACK to an * MS-CHAP2-Success. */ if (data_len == 0) { if (t->authenticated) { RDEBUG("Got ACK, and the user was already authenticated"); return PW_CODE_ACCESS_ACCEPT; } /* else no session, no data, die. */ /* * FIXME: Call SSL_get_error() to see what went * wrong. */ RDEBUG2("SSL_read Error"); return PW_CODE_ACCESS_REJECT; } #ifndef NDEBUG if ((rad_debug_lvl > 2) && fr_log_fp) { size_t i; for (i = 0; i < data_len; i++) { if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i); fprintf(fr_log_fp, "%02x ", data[i]); if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n"); } if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n"); } #endif if (!diameter_verify(request, data, data_len)) { return PW_CODE_ACCESS_REJECT; } /* * Allocate a fake REQUEST structure. */ fake = request_alloc_fake(request); rad_assert(!fake->packet->vps); /* * Add the tunneled attributes to the fake request. */ fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len); if (!fake->packet->vps) { talloc_free(fake); return PW_CODE_ACCESS_REJECT; } /* * Tell the request that it's a fake one. */ pair_make_request("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); RDEBUG("Got tunneled request"); rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL); /* * Update other items in the REQUEST data structure. */ fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY); fake->password = fr_pair_find_by_num(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY); /* * No User-Name, try to create one from stored data. */ if (!fake->username) { /* * No User-Name in the stored data, look for * an EAP-Identity, and pull it out of there. */ if (!t->username) { vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY); if (vp && (vp->vp_length >= EAP_HEADER_LEN + 2) && (vp->vp_strvalue[0] == PW_EAP_RESPONSE) && (vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && (vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { /* * Create & remember a User-Name */ t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ); rad_assert(t->username != NULL); fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5); RDEBUG("Got tunneled identity of %s", t->username->vp_strvalue); /* * If there's a default EAP type, * set it here. */ if (t->default_method != 0) { RDEBUG("Setting default EAP type for tunneled EAP session"); vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0); rad_assert(vp != NULL); vp->vp_integer = t->default_method; fr_pair_add(&fake->config, vp); } } else { /* * Don't reject the request outright, * as it's permitted to do EAP without * user-name. */ RWDEBUG2("No EAP-Identity found to start EAP conversation"); } } /* else there WAS a t->username */ if (t->username) { vp = fr_pair_list_copy(fake->packet, t->username); fr_pair_add(&fake->packet->vps, vp); fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY); } } /* else the request ALREADY had a User-Name */ /* * Add the State attribute, too, if it exists. */ if (t->state) { vp = fr_pair_list_copy(fake->packet, t->state); if (vp) fr_pair_add(&fake->packet->vps, vp); } /* * If this is set, we copy SOME of the request attributes * from outside of the tunnel to inside of the tunnel. * * We copy ONLY those attributes which do NOT already * exist in the tunneled request. */ if (t->copy_request_to_tunnel) { VALUE_PAIR *copy; vp_cursor_t cursor; for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) { /* * The attribute is a server-side thingy, * don't copy it. */ if ((vp->da->attr > 255) && (vp->da->vendor == 0)) { continue; } /* * The outside attribute is already in the * tunnel, don't copy it. * * This works for BOTH attributes which * are originally in the tunneled request, * AND attributes which are copied there * from below. */ if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) { continue; } /* * Some attributes are handled specially. */ switch (vp->da->attr) { /* * NEVER copy Message-Authenticator, * EAP-Message, or State. They're * only for outside of the tunnel. */ case PW_USER_NAME: case PW_USER_PASSWORD: case PW_CHAP_PASSWORD: case PW_CHAP_CHALLENGE: case PW_PROXY_STATE: case PW_MESSAGE_AUTHENTICATOR: case PW_EAP_MESSAGE: case PW_STATE: continue; /* * By default, copy it over. */ default: break; } /* * Don't copy from the head, we've already * checked it. */ copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY); fr_pair_add(&fake->packet->vps, copy); } } if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) { fake->server = vp->vp_strvalue; } else if (t->virtual_server) { fake->server = t->virtual_server; } /* else fake->server == request->server */ if ((rad_debug_lvl > 0) && fr_log_fp) { RDEBUG("Sending tunneled request"); } /* * Process channel binding. */ chbind = eap_chbind_vp2packet(fake, fake->packet->vps); if (chbind) { PW_CODE chbind_code; CHBIND_REQ *req = talloc_zero(fake, CHBIND_REQ); RDEBUG("received chbind request"); req->request = chbind; if (fake->username) { req->username = fake->username; } else { req->username = NULL; } chbind_code = chbind_process(request, req); /* encapsulate response here */ if (req->response) { RDEBUG("sending chbind response"); fr_pair_add(&fake->reply->vps, eap_chbind_packet2vp(fake, req->response)); } else { RDEBUG("no chbind response"); } /* clean up chbind req */ talloc_free(req); if (chbind_code != PW_CODE_ACCESS_ACCEPT) { return chbind_code; } } /* * Call authentication recursively, which will * do PAP, CHAP, MS-CHAP, etc. */ rad_virtual_server(fake); /* * Decide what to do with the reply. */ switch (fake->reply->code) { case 0: /* No reply code, must be proxied... */ #ifdef WITH_PROXY vp = fr_pair_find_by_num(fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY); if (vp) { eap_tunnel_data_t *tunnel; RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue); /* * Tell the original request that it's going * to be proxied. */ fr_pair_list_move_by_num(request, &request->config, &fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY); /* * Seed the proxy packet with the * tunneled request. */ rad_assert(!request->proxy); request->proxy = talloc_steal(request, fake->packet); memset(&request->proxy->src_ipaddr, 0, sizeof(request->proxy->src_ipaddr)); memset(&request->proxy->src_ipaddr, 0, sizeof(request->proxy->src_ipaddr)); request->proxy->src_port = 0; request->proxy->dst_port = 0; fake->packet = NULL; rad_free(&fake->reply); fake->reply = NULL; /* * Set up the callbacks for the tunnel */ tunnel = talloc_zero(request, eap_tunnel_data_t); tunnel->tls_session = tls_session; tunnel->callback = eapttls_postproxy; /* * Associate the callback with the request. */ code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK, tunnel, false); rad_assert(code == 0); /* * rlm_eap.c has taken care of associating * the handler with the fake request. * * So we associate the fake request with * this request. */ code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK, fake, true); rad_assert(code == 0); fake = NULL; /* * Didn't authenticate the packet, but * we're proxying it. */ code = PW_CODE_STATUS_CLIENT; } else #endif /* WITH_PROXY */ { RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.", request->number); code = PW_CODE_ACCESS_REJECT; } break; default: /* * Returns RLM_MODULE_FOO, and we want to return PW_FOO */ rcode = process_reply(handler, tls_session, request, fake->reply); switch (rcode) { case RLM_MODULE_REJECT: code = PW_CODE_ACCESS_REJECT; break; case RLM_MODULE_HANDLED: code = PW_CODE_ACCESS_CHALLENGE; break; case RLM_MODULE_OK: code = PW_CODE_ACCESS_ACCEPT; break; default: code = PW_CODE_ACCESS_REJECT; break; } break; } talloc_free(fake); return code; }
int dual_tls_recv(rad_listen_t *listener) { RADIUS_PACKET *packet; REQUEST *request; RAD_REQUEST_FUNP fun = NULL; listen_socket_t *sock = listener->data; RADCLIENT *client = sock->client; if (!tls_socket_recv(listener)) { return 0; } rad_assert(sock->request != NULL); rad_assert(sock->request->packet != NULL); rad_assert(sock->packet != NULL); rad_assert(sock->ssn != NULL); request = sock->request; packet = sock->packet; /* * Some sanity checks, based on the packet code. */ switch(packet->code) { case PW_AUTHENTICATION_REQUEST: if (listener->type != RAD_LISTEN_AUTH) goto bad_packet; FR_STATS_INC(auth, total_requests); fun = rad_authenticate; break; case PW_ACCOUNTING_REQUEST: if (listener->type != RAD_LISTEN_ACCT) goto bad_packet; FR_STATS_INC(acct, total_requests); fun = rad_accounting; break; case PW_STATUS_SERVER: if (!mainconfig.status_server) { FR_STATS_INC(auth, total_unknown_types); DEBUG("WARNING: Ignoring Status-Server request due to security configuration"); rad_free(&sock->packet); request->packet = NULL; return 0; } fun = rad_status_server; break; default: bad_packet: FR_STATS_INC(auth, total_unknown_types); DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED", packet->code, client->shortname, packet->src_port); rad_free(&sock->packet); request->packet = NULL; return 0; } /* switch over packet types */ if (!request_receive(listener, packet, client, fun)) { FR_STATS_INC(auth, total_packets_dropped); rad_free(&sock->packet); request->packet = NULL; return 0; } sock->packet = NULL; /* we have no need for more partial reads */ request->packet = NULL; return 1; }
int dual_tls_recv(rad_listen_t *listener) { RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; listen_socket_t *sock = listener->data; RADCLIENT *client = sock->client; if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0; if (!tls_socket_recv(listener)) { return 0; } rad_assert(sock->packet != NULL); rad_assert(sock->ssn != NULL); rad_assert(client != NULL); packet = talloc_steal(NULL, sock->packet); sock->packet = NULL; /* * Some sanity checks, based on the packet code. * * "auth+acct" are marked as "auth", with the "dual" flag * set. */ switch (packet->code) { case PW_CODE_ACCESS_REQUEST: if (listener->type != RAD_LISTEN_AUTH) goto bad_packet; FR_STATS_INC(auth, total_requests); fun = rad_authenticate; break; #ifdef WITH_ACCOUNTING case PW_CODE_ACCOUNTING_REQUEST: if (listener->type != RAD_LISTEN_ACCT) { /* * Allow auth + dual. Disallow * everything else. */ if (!((listener->type == RAD_LISTEN_AUTH) && (listener->dual))) { goto bad_packet; } } FR_STATS_INC(acct, total_requests); fun = rad_accounting; break; #endif case PW_CODE_STATUS_SERVER: if (!main_config.status_server) { FR_STATS_INC(auth, total_unknown_types); WARN("Ignoring Status-Server request due to security configuration"); rad_free(&packet); return 0; } fun = rad_status_server; break; default: bad_packet: FR_STATS_INC(auth, total_unknown_types); DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED", packet->code, client->shortname, packet->src_port); rad_free(&packet); return 0; } /* switch over packet types */ if (!request_receive(NULL, listener, packet, client, fun)) { FR_STATS_INC(auth, total_packets_dropped); rad_free(&packet); return 0; } return 1; }
int proxy_tls_recv(rad_listen_t *listener) { listen_socket_t *sock = listener->data; char buffer[256]; RADIUS_PACKET *packet; uint8_t *data; ssize_t data_len; if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0; DEBUG3("Proxy SSL socket has data to read"); PTHREAD_MUTEX_LOCK(&sock->mutex); data_len = proxy_tls_read(listener); PTHREAD_MUTEX_UNLOCK(&sock->mutex); if (data_len < 0) { DEBUG("Closing TLS socket to home server"); PTHREAD_MUTEX_LOCK(&sock->mutex); tls_socket_close(listener); PTHREAD_MUTEX_UNLOCK(&sock->mutex); return 0; } if (data_len == 0) return 0; /* not done yet */ data = sock->data; packet = rad_alloc(sock, false); packet->sockfd = listener->fd; packet->src_ipaddr = sock->other_ipaddr; packet->src_port = sock->other_port; packet->dst_ipaddr = sock->my_ipaddr; packet->dst_port = sock->my_port; packet->code = data[0]; packet->id = data[1]; packet->data_len = data_len; packet->data = talloc_array(packet, uint8_t, packet->data_len); memcpy(packet->data, data, packet->data_len); memcpy(packet->vector, packet->data + 4, 16); /* * FIXME: Client MIB updates? */ switch (packet->code) { case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCESS_CHALLENGE: case PW_CODE_ACCESS_REJECT: break; #ifdef WITH_ACCOUNTING case PW_CODE_ACCOUNTING_RESPONSE: break; #endif default: /* * FIXME: Update MIB for packet types? */ ERROR("Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); rad_free(&packet); return 0; } if (!request_proxy_reply(packet)) { rad_free(&packet); return 0; } return 1; }
/* * Initialize the request. */ static int request_init(char const *filename) { FILE *fp; vp_cursor_t cursor; VALUE_PAIR *vp; bool filedone = false; /* * Determine where to read the VP's from. */ if (filename) { fp = fopen(filename, "r"); if (!fp) { fprintf(stderr, "dhcpclient: Error opening %s: %s\n", filename, fr_syserror(errno)); return 0; } } else { fp = stdin; } request = rad_alloc(NULL, false); /* * Read the VP's. */ if (fr_pair_list_afrom_file(NULL, &request->vps, fp, &filedone) < 0) { fr_perror("dhcpclient"); rad_free(&request); if (fp != stdin) fclose(fp); return 1; } /* * Fix / set various options */ for (vp = fr_cursor_init(&cursor, &request->vps); vp; vp = fr_cursor_next(&cursor)) { if (vp->da->vendor == DHCP_MAGIC_VENDOR && vp->da->attr == PW_DHCP_MESSAGE_TYPE) { /* Allow to set packet type using DHCP-Message-Type. */ request->code = vp->vp_integer + PW_DHCP_OFFSET; } else if (!vp->da->vendor) switch (vp->da->attr) { default: break; /* * Allow it to set the packet type in * the attributes read from the file. * (this takes precedence over the command argument.) */ case PW_PACKET_TYPE: request->code = vp->vp_integer; break; case PW_PACKET_DST_PORT: request->dst_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_DST_IP_ADDRESS: request->dst_ipaddr.af = AF_INET; request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; request->dst_ipaddr.prefix = 32; break; case PW_PACKET_DST_IPV6_ADDRESS: request->dst_ipaddr.af = AF_INET6; request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; request->dst_ipaddr.prefix = 128; break; case PW_PACKET_SRC_PORT: request->src_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_SRC_IP_ADDRESS: request->src_ipaddr.af = AF_INET; request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; request->src_ipaddr.prefix = 32; break; case PW_PACKET_SRC_IPV6_ADDRESS: request->src_ipaddr.af = AF_INET6; request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; request->src_ipaddr.prefix = 128; break; } /* switch over the attribute */ } /* loop over the VP's we read in */ /* * Use the default set on the command line */ if (!request->code) request->code = packet_code; if (fp != stdin) fclose(fp); /* * And we're done. */ return 1; }
/* * Receive one packet, maybe. */ static int recv_one_packet(int wait_time) { fd_set set; struct timeval tv; rc_request_t *request; RADIUS_PACKET *reply, **packet_p; volatile int max_fd; /* And wait for reply, timing out as necessary */ FD_ZERO(&set); max_fd = fr_packet_list_fd_set(pl, &set); if (max_fd < 0) exit(1); /* no sockets to listen on! */ if (wait_time <= 0) { tv.tv_sec = 0; } else { tv.tv_sec = wait_time; } tv.tv_usec = 0; /* * No packet was received. */ if (select(max_fd, &set, NULL, NULL, &tv) <= 0) { return 0; } /* * Look for the packet. */ reply = fr_packet_list_recv(pl, &set); if (!reply) { ERROR("Received bad packet"); #ifdef WITH_TCP /* * If the packet is bad, we close the socket. * I'm not sure how to do that now, so we just * die... */ if (proto) exit(1); #endif return -1; /* bad packet */ } /* * udpfromto issues. We may have bound to "*", * and we want to find the replies that are sent to * (say) 127.0.0.1. */ reply->dst_ipaddr = client_ipaddr; reply->dst_port = client_port; #ifdef WITH_TCP reply->src_ipaddr = server_ipaddr; reply->src_port = server_port; #endif packet_p = fr_packet_list_find_byreply(pl, reply); if (!packet_p) { ERROR("Received reply to request we did not send. (id=%d socket %d)", reply->id, reply->sockfd); rad_free(&reply); return -1; /* got reply to packet we didn't send */ } request = fr_packet2myptr(rc_request_t, packet, packet_p); /* * Fails the signature validation: not a real reply. * FIXME: Silently drop it and listen for another packet. */ if (rad_verify(reply, request->packet, secret) < 0) { REDEBUG("Reply verification failed"); stats.lost++; goto packet_done; /* shared secret is incorrect */ } if (print_filename) { RDEBUG("%s response code %d", request->files->packets, reply->code); } deallocate_id(request); request->reply = reply; reply = NULL; /* * If this fails, we're out of memory. */ if (rad_decode(request->reply, request->packet, secret) != 0) { REDEBUG("Reply decode failed"); stats.lost++; goto packet_done; } /* * Increment counters... */ switch (request->reply->code) { case PW_CODE_AUTHENTICATION_ACK: case PW_CODE_ACCOUNTING_RESPONSE: case PW_CODE_COA_ACK: case PW_CODE_DISCONNECT_ACK: stats.accepted++; break; case PW_CODE_ACCESS_CHALLENGE: break; default: stats.rejected++; } /* * If we had an expected response code, check to see if the * packet matched that. */ if (request->reply->code != request->filter_code) { if (is_radius_code(request->packet_code)) { REDEBUG("Expected %s got %s", fr_packet_codes[request->filter_code], fr_packet_codes[request->reply->code]); } else { REDEBUG("Expected %u got %i", request->filter_code, request->reply->code); } stats.failed++; /* * Check if the contents of the packet matched the filter */ } else if (!request->filter) { stats.passed++; } else { VALUE_PAIR const *failed[2]; pairsort(&request->reply->vps, attrtagcmp); if (pairvalidate(failed, request->filter, request->reply->vps)) { RDEBUG("Response passed filter"); stats.passed++; } else { pairvalidate_debug(request, failed); REDEBUG("Response failed filter"); stats.failed++; } } if (request->resend == resend_count) { request->done = true; } packet_done: rad_free(&request->reply); rad_free(&reply); /* may be NULL */ return 0; }
/* * Free a REQUEST struct. */ void request_free(REQUEST **request_ptr) { REQUEST *request; if (!request_ptr || !*request_ptr) { return; } request = *request_ptr; rad_assert(!request->in_request_hash); #ifdef WITH_PROXY rad_assert(!request->in_proxy_hash); #endif rad_assert(!request->ev); if (request->packet) rad_free(&request->packet); #ifdef WITH_PROXY if (request->proxy) rad_free(&request->proxy); #endif if (request->reply) rad_free(&request->reply); #ifdef WITH_PROXY if (request->proxy_reply) rad_free(&request->proxy_reply); #endif if (request->config_items) pairfree(&request->config_items); request->username = NULL; request->password = NULL; if (request->data) { request_data_t *this, *next; for (this = request->data; this != NULL; this = next) { next = this->next; if (this->opaque && /* free it, if necessary */ this->free_opaque) this->free_opaque(this->opaque); free(this); } request->data = NULL; } if (request->root && (request->root->refcount > 0)) { request->root->refcount--; request->root = NULL; } #ifdef WITH_COA if (request->coa) { request->coa->parent = NULL; rad_assert(request->coa->ev == NULL); request_free(&request->coa); } if (request->parent && (request->parent->coa == request)) { request->parent->coa = NULL; } #endif #ifndef NDEBUG request->magic = 0x01020304; /* set the request to be nonsense */ #endif request->client = NULL; #ifdef WITH_PROXY request->home_server = NULL; #endif talloc_free(request); *request_ptr = NULL; }
RADIUS_PACKET *vqp_recv(int sockfd) { uint8_t *ptr; ssize_t length; uint32_t id; RADIUS_PACKET *packet; /* * Allocate the new request data structure */ if ((packet = malloc(sizeof(*packet))) == NULL) { fr_strerror_printf("out of memory"); return NULL; } memset(packet, 0, sizeof(*packet)); packet->data_len = vqp_recvfrom(sockfd, &packet->data, 0, &packet->src_ipaddr, &packet->src_port, &packet->dst_ipaddr, &packet->dst_port); /* * Check for socket errors. */ if (packet->data_len < 0) { fr_strerror_printf("Error receiving packet: %s", strerror(errno)); /* packet->data is NULL */ free(packet); return NULL; } /* * We can only receive packets formatted in a way we * expect. However, we accept MORE attributes in a * packet than normal implementations may send. */ if (packet->data_len < VQP_HDR_LEN) { fr_strerror_printf("VQP packet is too short"); rad_free(&packet); return NULL; } ptr = packet->data; if (0) { int i; for (i = 0; i < packet->data_len; i++) { if ((i & 0x0f) == 0) fprintf(stderr, "%02x: ", i); fprintf(stderr, "%02x ", ptr[i]); if ((i & 0x0f) == 0x0f) fprintf(stderr, "\n"); } } if (ptr[3] > VQP_MAX_ATTRIBUTES) { fr_strerror_printf("Too many VQP attributes"); rad_free(&packet); return NULL; } if (packet->data_len > VQP_HDR_LEN) { int attrlen; /* * Skip the header. */ ptr += VQP_HDR_LEN; length = packet->data_len - VQP_HDR_LEN; while (length > 0) { if (length < 7) { fr_strerror_printf("Packet contains malformed attribute"); rad_free(&packet); return NULL; } /* * Attributes are 4 bytes * 0x00000c01 ... 0x00000c08 */ if ((ptr[0] != 0) || (ptr[1] != 0) || (ptr[2] != 0x0c) || (ptr[3] < 1) || (ptr[3] > 8)) { fr_strerror_printf("Packet contains invalid attribute"); rad_free(&packet); return NULL; } /* * Length is 2 bytes * * We support lengths 1..253, for internal * server reasons. Also, there's no reason * for bigger lengths to exist... admins * won't be typing in a 32K vlan name. * * Except for received ethernet frames... * they get chopped to 253 internally. */ if ((ptr[3] != 5) && ((ptr[4] != 0) || (ptr[5] > MAX_VMPS_LEN))) { fr_strerror_printf("Packet contains attribute with invalid length %02x %02x", ptr[4], ptr[5]); rad_free(&packet); return NULL; } attrlen = ptr[5]; ptr += 6 + attrlen; length -= (6 + attrlen); } } packet->sockfd = sockfd; packet->vps = NULL; /* * This is more than a bit of a hack. */ packet->code = PW_AUTHENTICATION_REQUEST; memcpy(&id, packet->data + 4, 4); packet->id = ntohl(id); /* * FIXME: Create a fake "request authenticator", to * avoid duplicates? Or is the VQP sequence number * adequate for this purpose? */ return packet; }
/* * Initialize a radclient data structure and add it to * the global linked list. */ static int radclient_init(const char *filename) { FILE *fp; VALUE_PAIR *vp; radclient_t *radclient; int filedone = 0; int packet_number = 1; assert(filename != NULL); /* * Determine where to read the VP's from. */ if (strcmp(filename, "-") != 0) { fp = fopen(filename, "r"); if (!fp) { fprintf(stderr, "radclient: Error opening %s: %s\n", filename, strerror(errno)); return 0; } } else { fp = stdin; } /* * Loop until the file is done. */ do { /* * Allocate it. */ radclient = malloc(sizeof(*radclient)); if (!radclient) { perror("radclient: X"); if (fp != stdin) fclose(fp); return 0; } memset(radclient, 0, sizeof(*radclient)); radclient->request = rad_alloc(1); if (!radclient->request) { fr_perror("radclient: Y"); free(radclient); if (fp != stdin) fclose(fp); return 0; } #ifdef WITH_TCP radclient->request->src_ipaddr = client_ipaddr; radclient->request->src_port = client_port; radclient->request->dst_ipaddr = server_ipaddr; radclient->request->dst_port = server_port; #endif radclient->filename = filename; radclient->request->id = -1; /* allocate when sending */ radclient->packet_number = packet_number++; /* * Read the VP's. */ radclient->request->vps = readvp2(fp, &filedone, "radclient:"); if (!radclient->request->vps) { rad_free(&radclient->request); free(radclient); if (fp != stdin) fclose(fp); return 1; } /* * Keep a copy of the the User-Password attribute. */ if ((vp = pairfind(radclient->request->vps, PW_USER_PASSWORD, 0)) != NULL) { strlcpy(radclient->password, vp->vp_strvalue, sizeof(radclient->password)); /* * Otherwise keep a copy of the CHAP-Password attribute. */ } else if ((vp = pairfind(radclient->request->vps, PW_CHAP_PASSWORD, 0)) != NULL) { strlcpy(radclient->password, vp->vp_strvalue, sizeof(radclient->password)); } else if ((vp = pairfind(radclient->request->vps, PW_MSCHAP_PASSWORD, 0)) != NULL) { strlcpy(radclient->password, vp->vp_strvalue, sizeof(radclient->password)); } else { radclient->password[0] = '\0'; } /* * Fix up Digest-Attributes issues */ for (vp = radclient->request->vps; vp != NULL; vp = vp->next) { switch (vp->attribute) { default: break; /* * Allow it to set the packet type in * the attributes read from the file. */ case PW_PACKET_TYPE: radclient->request->code = vp->vp_integer; break; case PW_PACKET_DST_PORT: radclient->request->dst_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_DST_IP_ADDRESS: radclient->request->dst_ipaddr.af = AF_INET; radclient->request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; break; case PW_PACKET_DST_IPV6_ADDRESS: radclient->request->dst_ipaddr.af = AF_INET6; radclient->request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; break; case PW_PACKET_SRC_PORT: radclient->request->src_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_SRC_IP_ADDRESS: radclient->request->src_ipaddr.af = AF_INET; radclient->request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; break; case PW_PACKET_SRC_IPV6_ADDRESS: radclient->request->src_ipaddr.af = AF_INET6; radclient->request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; break; case PW_DIGEST_REALM: case PW_DIGEST_NONCE: case PW_DIGEST_METHOD: case PW_DIGEST_URI: case PW_DIGEST_QOP: case PW_DIGEST_ALGORITHM: case PW_DIGEST_BODY_DIGEST: case PW_DIGEST_CNONCE: case PW_DIGEST_NONCE_COUNT: case PW_DIGEST_USER_NAME: /* overlapping! */ memmove(&vp->vp_octets[2], &vp->vp_octets[0], vp->length); vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1; vp->length += 2; vp->vp_octets[1] = vp->length; vp->attribute = PW_DIGEST_ATTRIBUTES; break; } } /* loop over the VP's we read in */ /* * Add it to the tail of the list. */ if (!radclient_head) { assert(radclient_tail == NULL); radclient_head = radclient; radclient->prev = NULL; } else { assert(radclient_tail->next == NULL); radclient_tail->next = radclient; radclient->prev = radclient_tail; } radclient_tail = radclient; radclient->next = NULL; } while (!filedone); /* loop until the file is done. */ if (fp != stdin) fclose(fp); /* * And we're done. */ return 1; }
/* * Receive one packet, maybe. */ static int recv_one_packet(int wait_time) { fd_set set; struct timeval tv; rc_request_t *request; RADIUS_PACKET *reply, **packet_p; volatile int max_fd; /* And wait for reply, timing out as necessary */ FD_ZERO(&set); max_fd = fr_packet_list_fd_set(pl, &set); if (max_fd < 0) exit(1); /* no sockets to listen on! */ tv.tv_sec = (wait_time <= 0) ? 0 : wait_time; tv.tv_usec = 0; /* * No packet was received. */ if (select(max_fd, &set, NULL, NULL, &tv) <= 0) return 0; /* * Look for the packet. */ reply = fr_packet_list_recv(pl, &set); if (!reply) { ERROR("Received bad packet"); #ifdef WITH_TCP /* * If the packet is bad, we close the socket. * I'm not sure how to do that now, so we just * die... */ if (proto) exit(1); #endif return -1; /* bad packet */ } /* * We don't use udpfromto. So if we bind to "*", we want * to find replies sent to 192.0.2.4. Therefore, we * force all replies to have the one address we know * about, no matter what real address they were sent to. * * This only works if were not using any of the * Packet-* attributes, or running with 'auto'. */ reply->dst_ipaddr = client_ipaddr; reply->dst_port = client_port; #ifdef WITH_TCP /* * TCP sockets don't use recvmsg(), and thus don't get * the source IP/port. However, since they're TCP, we * know what the source IP/port is, because that's where * we connected to. */ if (ipproto == IPPROTO_TCP) { reply->src_ipaddr = server_ipaddr; reply->src_port = server_port; } #endif packet_p = fr_packet_list_find_byreply(pl, reply); if (!packet_p) { ERROR("Received reply to request we did not send. (id=%d socket %d)", reply->id, reply->sockfd); rad_free(&reply); return -1; /* got reply to packet we didn't send */ } request = fr_packet2myptr(rc_request_t, packet, packet_p); /* * Fails the signature validation: not a real reply. * FIXME: Silently drop it and listen for another packet. */ if (rad_verify(reply, request->packet, secret) < 0) { REDEBUG("Reply verification failed"); stats.lost++; goto packet_done; /* shared secret is incorrect */ } if (print_filename) { RDEBUG("%s response code %d", request->files->packets, reply->code); } deallocate_id(request); request->reply = reply; reply = NULL; /* * If this fails, we're out of memory. */ if (rad_decode(request->reply, request->packet, secret) != 0) { REDEBUG("Reply decode failed"); stats.lost++; goto packet_done; } fr_packet_header_print(fr_log_fp, request->reply, true); if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->reply->vps); /* * Increment counters... */ switch (request->reply->code) { case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCOUNTING_RESPONSE: case PW_CODE_COA_ACK: case PW_CODE_DISCONNECT_ACK: stats.accepted++; break; case PW_CODE_ACCESS_CHALLENGE: break; default: stats.rejected++; } /* * If we had an expected response code, check to see if the * packet matched that. */ if (request->reply->code != request->filter_code) { if (is_radius_code(request->reply->code)) { REDEBUG("%s: Expected %s got %s", request->name, fr_packet_codes[request->filter_code], fr_packet_codes[request->reply->code]); } else { REDEBUG("%s: Expected %u got %i", request->name, request->filter_code, request->reply->code); } stats.failed++; /* * Check if the contents of the packet matched the filter */ } else if (!request->filter) { stats.passed++; } else { VALUE_PAIR const *failed[2]; fr_pair_list_sort(&request->reply->vps, fr_pair_cmp_by_da_tag); if (fr_pair_validate(failed, request->filter, request->reply->vps)) { RDEBUG("%s: Response passed filter", request->name); stats.passed++; } else { fr_pair_validate_debug(request, failed); REDEBUG("%s: Response for failed filter", request->name); stats.failed++; } } if (request->resend == resend_count) { request->done = true; } packet_done: rad_free(&request->reply); rad_free(&reply); /* may be NULL */ return 0; }
/* * Receive packets from an accounting socket */ static int acct_socket_recv(rad_listen_t *listener, RAD_REQUEST_FUNP *pfun, REQUEST **prequest) { ssize_t rcode; int code, src_port; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client; fr_ipaddr_t src_ipaddr; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; RAD_STATS_TYPE_INC(listener, total_requests); if (rcode < 20) { /* AUTH_HDR_LEN */ RAD_STATS_TYPE_INC(listener, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); RAD_STATS_TYPE_INC(listener, total_invalid_requests); return 0; } /* * Some sanity checks, based on the packet code. */ switch(code) { case PW_ACCOUNTING_REQUEST: RAD_STATS_CLIENT_INC(listener, client, total_requests); fun = rad_accounting; break; case PW_STATUS_SERVER: if (!mainconfig.status_server) { rad_recv_discard(listener->fd); RAD_STATS_TYPE_INC(listener, total_packets_dropped); RAD_STATS_CLIENT_INC(listener, client, total_unknown_types); DEBUG("WARNING: Ignoring Status-Server request due to security configuration"); return 0; } fun = acct_status_server; break; default: rad_recv_discard(listener->fd); RAD_STATS_TYPE_INC(listener, total_unknown_types); RAD_STATS_CLIENT_INC(listener, client, total_unknown_types); DEBUG("Invalid packet code %d sent to a accounting port from client %s port %d : IGNORED", code, client->shortname, src_port); return 0; } /* switch over packet types */ /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(listener->fd, 0); if (!packet) { RAD_STATS_TYPE_INC(listener, total_malformed_requests); radlog(L_ERR, "%s", fr_strerror()); return 0; } /* * There can be no duplicate accounting packets. */ if (!received_request(listener, packet, prequest, client)) { RAD_STATS_TYPE_INC(listener, total_packets_dropped); RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped); rad_free(&packet); return 0; } *pfun = fun; return 1; }
int proxy_tls_recv(rad_listen_t *listener) { int rcode; size_t length; listen_socket_t *sock = listener->data; char buffer[256]; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; uint8_t *data; if (!sock->data) sock->data = rad_malloc(sock->ssn->offset); data = sock->data; DEBUG3("Proxy SSL socket has data to read"); PTHREAD_MUTEX_LOCK(&sock->mutex); redo: rcode = SSL_read(sock->ssn->ssl, data, 4); if (rcode <= 0) { int err = SSL_get_error(sock->ssn->ssl, rcode); switch (err) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: rcode = 0; goto redo; case SSL_ERROR_ZERO_RETURN: /* remote end sent close_notify, send one back */ SSL_shutdown(sock->ssn->ssl); case SSL_ERROR_SYSCALL: do_close: PTHREAD_MUTEX_UNLOCK(&sock->mutex); tls_socket_close(listener); return 0; default: while ((err = ERR_get_error())) { DEBUG("proxy recv says %s", ERR_error_string(err, NULL)); } goto do_close; } } length = (data[2] << 8) | data[3]; DEBUG3("Proxy received header saying we have a packet of %u bytes", (unsigned int) length); if (length > sock->ssn->offset) { radlog(L_INFO, "Received packet will be too large! Set \"fragment_size=%u\"", (data[2] << 8) | data[3]); goto do_close; } rcode = SSL_read(sock->ssn->ssl, data + 4, length); if (rcode <= 0) { switch (SSL_get_error(sock->ssn->ssl, rcode)) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: rcode = 0; break; case SSL_ERROR_ZERO_RETURN: /* remote end sent close_notify, send one back */ SSL_shutdown(sock->ssn->ssl); goto do_close; default: goto do_close; } } PTHREAD_MUTEX_UNLOCK(&sock->mutex); packet = rad_alloc(0); packet->sockfd = listener->fd; packet->src_ipaddr = sock->other_ipaddr; packet->src_port = sock->other_port; packet->dst_ipaddr = sock->my_ipaddr; packet->dst_port = sock->my_port; packet->code = data[0]; packet->id = data[1]; packet->data_len = length; packet->data = rad_malloc(packet->data_len); memcpy(packet->data, data, packet->data_len); memcpy(packet->vector, packet->data + 4, 16); /* * FIXME: Client MIB updates? */ switch(packet->code) { case PW_AUTHENTICATION_ACK: case PW_ACCESS_CHALLENGE: case PW_AUTHENTICATION_REJECT: fun = rad_authenticate; break; #ifdef WITH_ACCOUNTING case PW_ACCOUNTING_RESPONSE: fun = rad_accounting; break; #endif default: /* * FIXME: Update MIB for packet types? */ radlog(L_ERR, "Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); rad_free(&packet); return 0; } if (!request_proxy_reply(packet)) { rad_free(&packet); return 0; } return 1; }
/* * Recieve packets from a proxy socket. */ static int proxy_socket_recv(rad_listen_t *listener, RAD_REQUEST_FUNP *pfun, REQUEST **prequest) { REQUEST *request; RADIUS_PACKET *packet; char buffer[128]; RAD_REQUEST_FUNP fun = NULL; packet = rad_recv(listener->fd, 0); if (!packet) { radlog(L_ERR, "%s", fr_strerror()); return 0; } /* * FIXME: Client MIB updates? */ switch(packet->code) { case PW_AUTHENTICATION_ACK: case PW_ACCESS_CHALLENGE: case PW_AUTHENTICATION_REJECT: #ifdef WITH_ACCOUNTING case PW_ACCOUNTING_RESPONSE: #endif break; #ifdef WITH_COA case PW_DISCONNECT_ACK: case PW_DISCONNECT_NAK: case PW_COA_ACK: case PW_COA_NAK: break; #endif default: /* * FIXME: Update MIB for packet types? */ radlog(L_ERR, "Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); rad_free(&packet); return 0; } request = received_proxy_response(packet); if (!request) { return 0; } rad_assert(request->process != NULL); #ifdef WITH_COA /* * Distinguish proxied CoA requests from ones we * originate. If we've proxied a DIFFERENT packet type * than the original, then it MUST be a CoA packet. In * that case, we process it as a CoA reply packet, rather * than re-running the original method. */ if (request->packet->code != request->proxy->code) { rad_assert((request->proxy->code == PW_COA_REQUEST) || (request->proxy->code == PW_DISCONNECT_REQUEST)); fun = rad_coa_reply; /* run NEW function */ } else #endif *pfun = request->process; /* re-run original function */ *prequest = request; return 1; }
/* * Initialize the request. */ static int request_init(char const *filename) { FILE *fp; vp_cursor_t cursor; VALUE_PAIR *vp; int filedone = 0; /* * Determine where to read the VP's from. */ if (filename) { fp = fopen(filename, "r"); if (!fp) { fprintf(stderr, "dhcpclient: Error opening %s: %s\n", filename, fr_syserror(errno)); return 0; } } else { fp = stdin; } request = rad_alloc(NULL, 0); /* * Read the VP's. */ request->vps = readvp2(NULL, fp, &filedone, "dhcpclient:"); if (!request->vps) { rad_free(&request); if (fp != stdin) fclose(fp); return 1; } /* * Fix / set various options */ for (vp = paircursor(&cursor, &request->vps); vp; vp = pairnext(&cursor)) { switch (vp->da->attr) { default: break; /* * Allow it to set the packet type in * the attributes read from the file. */ case PW_PACKET_TYPE: request->code = vp->vp_integer; break; case PW_PACKET_DST_PORT: request->dst_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_DST_IP_ADDRESS: request->dst_ipaddr.af = AF_INET; request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; break; case PW_PACKET_DST_IPV6_ADDRESS: request->dst_ipaddr.af = AF_INET6; request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; break; case PW_PACKET_SRC_PORT: request->src_port = (vp->vp_integer & 0xffff); break; case PW_PACKET_SRC_IP_ADDRESS: request->src_ipaddr.af = AF_INET; request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr; break; case PW_PACKET_SRC_IPV6_ADDRESS: request->src_ipaddr.af = AF_INET6; request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr; break; } /* switch over the attribute */ } /* loop over the VP's we read in */ if (fp != stdin) fclose(fp); /* * And we're done. */ return 1; }
RADIUS_PACKET *fr_tcp_accept(int sockfd) { int newfd; socklen_t salen; RADIUS_PACKET *packet; struct sockaddr_storage src; salen = sizeof(src); newfd = accept(sockfd, (struct sockaddr *) &src, &salen); if (newfd < 0) { /* * Non-blocking sockets must handle this. */ #ifdef EWOULDBLOCK if (errno == EWOULDBLOCK) { packet = rad_alloc(NULL, 0); if (!packet) return NULL; packet->sockfd = sockfd; packet->src_ipaddr.af = AF_UNSPEC; return packet; } #endif return NULL; } packet = rad_alloc(NULL, 0); if (!packet) { close(newfd); return NULL; } if (src.ss_family == AF_INET) { struct sockaddr_in s4; memcpy(&s4, &src, sizeof(s4)); packet->src_ipaddr.af = AF_INET; packet->src_ipaddr.ipaddr.ip4addr = s4.sin_addr; packet->src_port = ntohs(s4.sin_port); #ifdef HAVE_STRUCT_SOCKADDR_IN6 } else if (src.ss_family == AF_INET6) { struct sockaddr_in6 s6; memcpy(&s6, &src, sizeof(s6)); packet->src_ipaddr.af = AF_INET6; packet->src_ipaddr.ipaddr.ip6addr = s6.sin6_addr; packet->src_port = ntohs(s6.sin6_port); #endif } else { rad_free(&packet); close(newfd); return NULL; } packet->sockfd = newfd; /* * Note: Caller has to set dst_ipaddr && dst_port. */ return packet; }