/*
* Free a radclient struct, which may (or may not)
* already be in the list.
*/
static void radclient_free(radclient_t *radclient)
{
radclient_t *prev, *next;
if (radclient->request) rad_free(&radclient->request);
if (radclient->reply) rad_free(&radclient->reply);
prev = radclient->prev;
next = radclient->next;
if (prev) {
assert(radclient_head != radclient);
prev->next = next;
} else if (radclient_head) {
assert(radclient_head == radclient);
radclient_head = next;
}
if (next) {
assert(radclient_tail != radclient);
next->prev = prev;
} else if (radclient_tail) {
assert(radclient_tail == radclient);
radclient_tail = prev;
}
free(radclient);
}
/*
* Check if an incoming request is "ok"
*
* It takes packets, not requests. It sees if the packet looks
* OK. If so, it does a number of sanity checks on it.
*/
int vqp_socket_recv(rad_listen_t *listener,
RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
{
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
RADCLIENT *client;
packet = vqp_recv(listener->fd);
if (!packet) {
radlog(L_ERR, "%s", fr_strerror());
return 0;
}
if ((client = client_listener_find(listener,
&packet->src_ipaddr,
packet->src_port)) == NULL) {
rad_free(&packet);
return 0;
}
/*
* Do new stuff.
*/
fun = vmps_process;
if (!received_request(listener, packet, prequest, client)) {
rad_free(&packet);
return 0;
}
*pfun = fun;
return 1;
}
/*
* Check if an incoming request is "ok"
*
* It takes packets, not requests. It sees if the packet looks
* OK. If so, it does a number of sanity checks on it.
*/
static int vqp_socket_recv(rad_listen_t *listener)
{
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
RADCLIENT *client;
packet = vqp_recv(listener->fd);
if (!packet) {
ERROR("%s", fr_strerror());
return 0;
}
if ((client = client_listener_find(listener,
&packet->src_ipaddr,
packet->src_port)) == NULL) {
rad_free(&packet);
return 0;
}
/*
* Do new stuff.
*/
fun = vmps_process;
if (!request_receive(NULL, listener, packet, client, fun)) {
rad_free(&packet);
return 0;
}
return 1;
}
/*
* @fixme: This can be removed once packet destructors are set by rad_alloc
*/
static int _request_free(rs_request_t *request)
{
if (!cleanup) {
RDEBUG("(%i) Cleaning up request packet ID %i", request->id, request->packet->id);
}
rad_free(&request->packet);
rad_free(&request->linked);
return 0;
}
/*
* Deallocate packet ID, etc.
*/
static void deallocate_id(radclient_t *radclient)
{
if (!radclient || !radclient->request ||
(radclient->request->id < 0)) {
return;
}
/*
* One more unused RADIUS ID.
*/
fr_packet_list_id_free(pl, radclient->request);
radclient->request->id = -1;
/*
* If we've already sent a packet, free up the old one,
* and ensure that the next packet has a unique
* authentication vector.
*/
if (radclient->request->data) {
free(radclient->request->data);
radclient->request->data = NULL;
}
if (radclient->reply) rad_free(&radclient->reply);
}
/*
* Check if an incoming request is "ok"
*
* It takes packets, not requests. It sees if the packet looks
* OK. If so, it does a number of sanity checks on it.
*/
static int status_socket_recv(rad_listen_t *listener,
RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
{
ssize_t rcode;
int code, src_port;
RADIUS_PACKET *packet;
RADCLIENT *client;
fr_ipaddr_t src_ipaddr;
rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
if (rcode < 0) return 0;
RAD_STATS_TYPE_INC(listener, total_requests);
if (rcode < 20) { /* AUTH_HDR_LEN */
RAD_STATS_TYPE_INC(listener, total_malformed_requests);
return 0;
}
if ((client = client_listener_find(listener,
&src_ipaddr, src_port)) == NULL) {
rad_recv_discard(listener->fd);
RAD_STATS_TYPE_INC(listener, total_invalid_requests);
return 0;
}
/*
* We only understand Status-Server on this socket.
*/
if (code != PW_STATUS_SERVER) {
DEBUG("Ignoring packet code %d sent to Status-Server port",
code);
rad_recv_discard(listener->fd);
RAD_STATS_TYPE_INC(listener, total_unknown_types);
RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
return 0;
}
/*
* Now that we've sanity checked everything, receive the
* packet.
*/
packet = rad_recv(listener->fd, 1); /* require message authenticator */
if (!packet) {
RAD_STATS_TYPE_INC(listener, total_malformed_requests);
DEBUG("%s", fr_strerror());
return 0;
}
if (!received_request(listener, packet, prequest, client)) {
RAD_STATS_TYPE_INC(listener, total_packets_dropped);
RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
rad_free(&packet);
return 0;
}
*pfun = status_process;
return 1;
}
static void cleanup(RADIUS_PACKET *packet)
{
if (!packet) return;
if (packet->sockfd >= 0) {
close(packet->sockfd);
}
rad_free(&packet);
}
/*
* Recieve packets from a proxy socket.
*/
static int proxy_socket_tcp_recv(rad_listen_t *listener,
RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
{
REQUEST *request;
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
char buffer[128];
packet = fr_tcp_recv(listener->fd, 0);
if (!packet) {
proxy_close_tcp_listener(listener);
return 0;
}
/*
* FIXME: Client MIB updates?
*/
switch(packet->code) {
case PW_AUTHENTICATION_ACK:
case PW_ACCESS_CHALLENGE:
case PW_AUTHENTICATION_REJECT:
fun = rad_authenticate;
break;
#ifdef WITH_ACCOUNTING
case PW_ACCOUNTING_RESPONSE:
fun = rad_accounting;
break;
#endif
default:
/*
* FIXME: Update MIB for packet types?
*/
radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
"from home server %s port %d - ID %d : IGNORED",
packet->code,
ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
packet->src_port, packet->id);
rad_free(&packet);
return 0;
}
request = received_proxy_tcp_response(packet,
fr_listen2tcp(listener));
if (!request) {
return 0;
}
rad_assert(fun != NULL);
*pfun = fun;
*prequest = request;
return 1;
}
RADIUS_PACKET *fr_tcp_recv(int sockfd, int flags)
{
RADIUS_PACKET *packet = rad_alloc(NULL, 0);
if (!packet) return NULL;
packet->sockfd = sockfd;
if (fr_tcp_read_packet(packet, flags) != 1) {
rad_free(&packet);
return NULL;
}
return packet;
}
/*
* Deallocate packet ID, etc.
*/
static void deallocate_id(rc_request_t *request)
{
if (!request || !request->packet ||
(request->packet->id < 0)) {
return;
}
/*
* One more unused RADIUS ID.
*/
fr_packet_list_id_free(pl, request->packet, true);
/*
* If we've already sent a packet, free up the old one,
* and ensure that the next packet has a unique
* authentication vector.
*/
if (request->packet->data) TALLOC_FREE(request->packet->data);
if (request->reply) rad_free(&request->reply);
}
static int filter_packet(RADIUS_PACKET *packet)
{
VALUE_PAIR *check_item;
VALUE_PAIR *vp;
unsigned int pass, fail;
int compare;
pass = fail = 0;
for (vp = packet->vps; vp != NULL; vp = vp->next) {
for (check_item = filter_vps;
check_item != NULL;
check_item = check_item->next)
if ((check_item->da == vp->da)
&& (check_item->op != T_OP_SET)) {
compare = paircmp(check_item, vp);
if (compare == 1)
pass++;
else
fail++;
}
}
if (fail == 0 && pass != 0) {
/*
* Cache authentication requests, as the replies
* may not match the RADIUS filter.
*/
if ((packet->code == PW_AUTHENTICATION_REQUEST) ||
(packet->code == PW_ACCOUNTING_REQUEST)) {
rbtree_deletebydata(filter_tree, packet);
if (!rbtree_insert(filter_tree, packet)) {
oom:
fprintf(stderr, "radsniff: Out of memory\n");
exit(1);
}
}
return 0; /* matched */
}
/*
* Don't create erroneous matches.
*/
if ((packet->code == PW_AUTHENTICATION_REQUEST) ||
(packet->code == PW_ACCOUNTING_REQUEST)) {
rbtree_deletebydata(filter_tree, packet);
return 1;
}
/*
* Else see if a previous Access-Request
* matched. If so, also print out the
* matching accept, reject, or challenge.
*/
if ((packet->code == PW_AUTHENTICATION_ACK) ||
(packet->code == PW_AUTHENTICATION_REJECT) ||
(packet->code == PW_ACCESS_CHALLENGE) ||
(packet->code == PW_ACCOUNTING_RESPONSE)) {
RADIUS_PACKET *reply;
/*
* This swaps the various fields.
*/
reply = rad_alloc_reply(NULL, packet);
if (!reply) goto oom;
compare = 1;
if (rbtree_finddata(filter_tree, reply)) {
compare = 0;
}
rad_free(&reply);
return compare;
}
return 1;
}
static void got_packet(UNUSED uint8_t *args, const struct pcap_pkthdr *header, const uint8_t *data)
{
static int count = 1; /* Packets seen */
/*
* Define pointers for packet's attributes
*/
const struct ip_header *ip; /* The IP header */
const struct udp_header *udp; /* The UDP header */
const uint8_t *payload; /* Packet payload */
/*
* And define the size of the structures we're using
*/
int size_ethernet = sizeof(struct ethernet_header);
int size_ip = sizeof(struct ip_header);
int size_udp = sizeof(struct udp_header);
/*
* For FreeRADIUS
*/
RADIUS_PACKET *packet, *original;
struct timeval elapsed;
/*
* Define our packet's attributes
*/
if ((data[0] == 2) && (data[1] == 0) &&
(data[2] == 0) && (data[3] == 0)) {
ip = (const struct ip_header*) (data + 4);
} else {
ip = (const struct ip_header*)(data + size_ethernet);
}
udp = (const struct udp_header*)(((const uint8_t *) ip) + size_ip);
payload = (const uint8_t *)(((const uint8_t *) udp) + size_udp);
packet = rad_alloc(NULL, 0);
if (!packet) {
fprintf(stderr, "Out of memory\n");
return;
}
packet->src_ipaddr.af = AF_INET;
packet->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
packet->src_port = ntohs(udp->udp_sport);
packet->dst_ipaddr.af = AF_INET;
packet->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
packet->dst_port = ntohs(udp->udp_dport);
memcpy(&packet->data, &payload, sizeof(packet->data));
packet->data_len = header->len - (payload - data);
if (!rad_packet_ok(packet, 0)) {
DEBUG(log_dst, "Packet: %s\n", fr_strerror());
DEBUG(log_dst, " From %s:%d\n", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
DEBUG(log_dst, " To: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG(log_dst, " Type: %s\n", fr_packet_codes[packet->code]);
rad_free(&packet);
return;
}
switch (packet->code) {
case PW_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_AUTHENTICATION_ACK:
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, packet);
break;
case PW_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(NULL, packet);
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(packet, original, radius_secret) != 0) {
rad_free(&packet);
fr_perror("decode");
return;
}
/*
* We've seen a successfull reply to this, so delete it now
*/
if (original)
rbtree_deletebydata(request_tree, original);
if (filter_vps && filter_packet(packet)) {
rad_free(&packet);
DEBUG(log_dst, "Packet number %d doesn't match\n", count++);
return;
}
if (out) {
pcap_dump((void *) out, header, data);
goto check_filter;
}
INFO(log_dst, "%s Id %d\t", fr_packet_codes[packet->code], packet->id);
/*
* Print the RADIUS packet
*/
INFO(log_dst, "%s:%d -> ", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
INFO(log_dst, "%s:%d", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG1(log_dst, "\t(%d packets)", count++);
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
tv_sub(&header->ts, &start_pcap, &elapsed);
INFO(log_dst, "\t+%u.%03u", (unsigned int) elapsed.tv_sec,
(unsigned int) elapsed.tv_usec / 1000);
if (fr_debug_flag > 1) {
DEBUG(log_dst, "\n");
if (packet->vps) {
if (do_sort) sort(packet);
vp_printlist(log_dst, packet->vps);
pairfree(&packet->vps);
}
}
INFO(log_dst, "\n");
if (!to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(packet);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((packet->code != PW_AUTHENTICATION_REQUEST) &&
(packet->code != PW_ACCOUNTING_REQUEST))) {
rad_free(&packet);
}
}
/** Wrapper function to allow rad_free to be called as an rbtree destructor callback
*
* @param packet to free.
*/
static void _rb_rad_free(void *packet)
{
rad_free((RADIUS_PACKET **) &packet);
}
static void rs_process_packet(rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
static int count = 0; /* Packets seen */
rs_stats_t *stats = event->stats;
decode_fail_t reason;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response = false; /* Was it a response code */
RADIUS_PACKET *current, *original;
struct timeval elapsed;
struct timeval latency;
count++;
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(NULL, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (data - p);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
DEBUG("(%i) ** %s **", count, fr_strerror());
DEBUG("(%i) %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
response = true;
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, current);
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(event->conf, current);
original->timestamp = header->ts;
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(current, original, event->conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
if (filter_vps && rs_filter_packet(current)) {
rad_free(¤t);
DEBUG("Packet number %d doesn't match", count++);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
goto check_filter;
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
rs_stats_update_count(&stats->gauge, current);
if (original) {
rs_tv_sub(¤t->timestamp, &original->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->code], &latency);
/*
* Print info about the response.
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (fr_debug_flag > 1) {
if (current->vps) {
if (event->conf->do_sort) {
pairsort(¤t->vps, true);
}
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
}
/*
* We've seen a successful reply to this, so delete it now
*/
if (original) {
rbtree_deletebydata(request_tree, original);
}
if (!event->conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((current->code != PW_CODE_AUTHENTICATION_REQUEST) && (current->code != PW_CODE_ACCOUNTING_REQUEST))) {
rad_free(¤t);
}
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
radclient_t *radclient;
RADIUS_PACKET *reply, **request_p;
volatile int max_fd;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
max_fd = fr_packet_list_fd_set(pl, &set);
if (max_fd < 0) exit(1); /* no sockets to listen on! */
if (wait_time <= 0) {
tv.tv_sec = 0;
} else {
tv.tv_sec = wait_time;
}
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(max_fd, &set, NULL, NULL, &tv) <= 0) {
return 0;
}
/*
* Look for the packet.
*/
reply = fr_packet_list_recv(pl, &set);
if (!reply) {
fprintf(stderr, "radclient: received bad packet: %s\n",
fr_strerror());
#ifdef WITH_TCP
/*
* If the packet is bad, we close the socket.
* I'm not sure how to do that now, so we just
* die...
*/
if (proto) exit(1);
#endif
return -1; /* bad packet */
}
/*
* udpfromto issues. We may have bound to "*",
* and we want to find the replies that are sent to
* (say) 127.0.0.1.
*/
reply->dst_ipaddr = client_ipaddr;
reply->dst_port = client_port;
#ifdef WITH_TCP
reply->src_ipaddr = server_ipaddr;
reply->src_port = server_port;
#endif
if (fr_debug_flag > 2) print_hex(reply);
request_p = fr_packet_list_find_byreply(pl, reply);
if (!request_p) {
fprintf(stderr, "radclient: received response to request we did not send. (id=%d socket %d)\n", reply->id, reply->sockfd);
rad_free(&reply);
return -1; /* got reply to packet we didn't send */
}
radclient = fr_packet2myptr(radclient_t, request, request_p);
/*
* Fails the signature validation: not a real reply.
* FIXME: Silently drop it and listen for another packet.
*/
if (rad_verify(reply, radclient->request, secret) < 0) {
fr_perror("rad_verify");
totallost++;
goto packet_done; /* shared secret is incorrect */
}
fr_packet_list_yank(pl, radclient->request);
if (print_filename) printf("%s:%d %d\n",
radclient->filename,
radclient->packet_number,
reply->code);
deallocate_id(radclient);
radclient->reply = reply;
reply = NULL;
/*
* If this fails, we're out of memory.
*/
if (rad_decode(radclient->reply, radclient->request, secret) != 0) {
fr_perror("rad_decode");
totallost++;
goto packet_done;
}
/* libradius debug already prints out the value pairs for us */
if (!fr_debug_flag && do_output) {
printf("Received response ID %d, code %d, length = %zd\n",
radclient->reply->id, radclient->reply->code,
radclient->reply->data_len);
vp_printlist(stdout, radclient->reply->vps);
}
if ((radclient->reply->code == PW_AUTHENTICATION_ACK) ||
(radclient->reply->code == PW_ACCOUNTING_RESPONSE) ||
(radclient->reply->code == PW_COA_ACK) ||
(radclient->reply->code == PW_DISCONNECT_ACK)) {
success = 1; /* have a good response */
totalapp++;
} else {
totaldeny++;
}
if (radclient->resend == resend_count) {
radclient->done = 1;
}
packet_done:
rad_free(&radclient->reply);
rad_free(&reply); /* may be NULL */
return 0;
}
/*
* Process the "diameter" contents of the tunneled data.
*/
PW_CODE eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
{
PW_CODE code = PW_CODE_ACCESS_REJECT;
rlm_rcode_t rcode;
REQUEST *fake;
VALUE_PAIR *vp;
ttls_tunnel_t *t;
uint8_t const *data;
size_t data_len;
REQUEST *request = handler->request;
chbind_packet_t *chbind;
/*
* Just look at the buffer directly, without doing
* record_minus.
*/
data_len = tls_session->clean_out.used;
tls_session->clean_out.used = 0;
data = tls_session->clean_out.data;
t = (ttls_tunnel_t *) tls_session->opaque;
/*
* If there's no data, maybe this is an ACK to an
* MS-CHAP2-Success.
*/
if (data_len == 0) {
if (t->authenticated) {
RDEBUG("Got ACK, and the user was already authenticated");
return PW_CODE_ACCESS_ACCEPT;
} /* else no session, no data, die. */
/*
* FIXME: Call SSL_get_error() to see what went
* wrong.
*/
RDEBUG2("SSL_read Error");
return PW_CODE_ACCESS_REJECT;
}
#ifndef NDEBUG
if ((rad_debug_lvl > 2) && fr_log_fp) {
size_t i;
for (i = 0; i < data_len; i++) {
if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TTLS tunnel data in %04x: ", (int) i);
fprintf(fr_log_fp, "%02x ", data[i]);
if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
}
if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n");
}
#endif
if (!diameter_verify(request, data, data_len)) {
return PW_CODE_ACCESS_REJECT;
}
/*
* Allocate a fake REQUEST structure.
*/
fake = request_alloc_fake(request);
rad_assert(!fake->packet->vps);
/*
* Add the tunneled attributes to the fake request.
*/
fake->packet->vps = diameter2vp(request, fake, tls_session->ssl, data, data_len);
if (!fake->packet->vps) {
talloc_free(fake);
return PW_CODE_ACCESS_REJECT;
}
/*
* Tell the request that it's a fake one.
*/
pair_make_request("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
RDEBUG("Got tunneled request");
rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
/*
* Update other items in the REQUEST data structure.
*/
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
fake->password = fr_pair_find_by_num(fake->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
/*
* No User-Name, try to create one from stored data.
*/
if (!fake->username) {
/*
* No User-Name in the stored data, look for
* an EAP-Identity, and pull it out of there.
*/
if (!t->username) {
vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp &&
(vp->vp_length >= EAP_HEADER_LEN + 2) &&
(vp->vp_strvalue[0] == PW_EAP_RESPONSE) &&
(vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
(vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
/*
* Create & remember a User-Name
*/
t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ);
rad_assert(t->username != NULL);
fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5);
RDEBUG("Got tunneled identity of %s",
t->username->vp_strvalue);
/*
* If there's a default EAP type,
* set it here.
*/
if (t->default_method != 0) {
RDEBUG("Setting default EAP type for tunneled EAP session");
vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0);
rad_assert(vp != NULL);
vp->vp_integer = t->default_method;
fr_pair_add(&fake->config, vp);
}
} else {
/*
* Don't reject the request outright,
* as it's permitted to do EAP without
* user-name.
*/
RWDEBUG2("No EAP-Identity found to start EAP conversation");
}
} /* else there WAS a t->username */
if (t->username) {
vp = fr_pair_list_copy(fake->packet, t->username);
fr_pair_add(&fake->packet->vps, vp);
fake->username = fr_pair_find_by_num(fake->packet->vps, PW_USER_NAME, 0, TAG_ANY);
}
} /* else the request ALREADY had a User-Name */
/*
* Add the State attribute, too, if it exists.
*/
if (t->state) {
vp = fr_pair_list_copy(fake->packet, t->state);
if (vp) fr_pair_add(&fake->packet->vps, vp);
}
/*
* If this is set, we copy SOME of the request attributes
* from outside of the tunnel to inside of the tunnel.
*
* We copy ONLY those attributes which do NOT already
* exist in the tunneled request.
*/
if (t->copy_request_to_tunnel) {
VALUE_PAIR *copy;
vp_cursor_t cursor;
for (vp = fr_cursor_init(&cursor, &request->packet->vps); vp; vp = fr_cursor_next(&cursor)) {
/*
* The attribute is a server-side thingy,
* don't copy it.
*/
if ((vp->da->attr > 255) &&
(vp->da->vendor == 0)) {
continue;
}
/*
* The outside attribute is already in the
* tunnel, don't copy it.
*
* This works for BOTH attributes which
* are originally in the tunneled request,
* AND attributes which are copied there
* from below.
*/
if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) {
continue;
}
/*
* Some attributes are handled specially.
*/
switch (vp->da->attr) {
/*
* NEVER copy Message-Authenticator,
* EAP-Message, or State. They're
* only for outside of the tunnel.
*/
case PW_USER_NAME:
case PW_USER_PASSWORD:
case PW_CHAP_PASSWORD:
case PW_CHAP_CHALLENGE:
case PW_PROXY_STATE:
case PW_MESSAGE_AUTHENTICATOR:
case PW_EAP_MESSAGE:
case PW_STATE:
continue;
/*
* By default, copy it over.
*/
default:
break;
}
/*
* Don't copy from the head, we've already
* checked it.
*/
copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY);
fr_pair_add(&fake->packet->vps, copy);
}
}
if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
} else if (t->virtual_server) {
fake->server = t->virtual_server;
} /* else fake->server == request->server */
if ((rad_debug_lvl > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
}
/*
* Process channel binding.
*/
chbind = eap_chbind_vp2packet(fake, fake->packet->vps);
if (chbind) {
PW_CODE chbind_code;
CHBIND_REQ *req = talloc_zero(fake, CHBIND_REQ);
RDEBUG("received chbind request");
req->request = chbind;
if (fake->username) {
req->username = fake->username;
} else {
req->username = NULL;
}
chbind_code = chbind_process(request, req);
/* encapsulate response here */
if (req->response) {
RDEBUG("sending chbind response");
fr_pair_add(&fake->reply->vps,
eap_chbind_packet2vp(fake, req->response));
} else {
RDEBUG("no chbind response");
}
/* clean up chbind req */
talloc_free(req);
if (chbind_code != PW_CODE_ACCESS_ACCEPT) {
return chbind_code;
}
}
/*
* Call authentication recursively, which will
* do PAP, CHAP, MS-CHAP, etc.
*/
rad_virtual_server(fake);
/*
* Decide what to do with the reply.
*/
switch (fake->reply->code) {
case 0: /* No reply code, must be proxied... */
#ifdef WITH_PROXY
vp = fr_pair_find_by_num(fake->config, PW_PROXY_TO_REALM, 0, TAG_ANY);
if (vp) {
eap_tunnel_data_t *tunnel;
RDEBUG("Tunneled authentication will be proxied to %s", vp->vp_strvalue);
/*
* Tell the original request that it's going
* to be proxied.
*/
fr_pair_list_move_by_num(request, &request->config,
&fake->config,
PW_PROXY_TO_REALM, 0, TAG_ANY);
/*
* Seed the proxy packet with the
* tunneled request.
*/
rad_assert(!request->proxy);
request->proxy = talloc_steal(request, fake->packet);
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
memset(&request->proxy->src_ipaddr, 0,
sizeof(request->proxy->src_ipaddr));
request->proxy->src_port = 0;
request->proxy->dst_port = 0;
fake->packet = NULL;
rad_free(&fake->reply);
fake->reply = NULL;
/*
* Set up the callbacks for the tunnel
*/
tunnel = talloc_zero(request, eap_tunnel_data_t);
tunnel->tls_session = tls_session;
tunnel->callback = eapttls_postproxy;
/*
* Associate the callback with the request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, false);
rad_assert(code == 0);
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
*
* So we associate the fake request with
* this request.
*/
code = request_data_add(request, request->proxy, REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, true);
rad_assert(code == 0);
fake = NULL;
/*
* Didn't authenticate the packet, but
* we're proxying it.
*/
code = PW_CODE_STATUS_CLIENT;
} else
#endif /* WITH_PROXY */
{
RDEBUG("No tunneled reply was found for request %d , and the request was not proxied: rejecting the user.",
request->number);
code = PW_CODE_ACCESS_REJECT;
}
break;
default:
/*
* Returns RLM_MODULE_FOO, and we want to return PW_FOO
*/
rcode = process_reply(handler, tls_session, request, fake->reply);
switch (rcode) {
case RLM_MODULE_REJECT:
code = PW_CODE_ACCESS_REJECT;
break;
case RLM_MODULE_HANDLED:
code = PW_CODE_ACCESS_CHALLENGE;
break;
case RLM_MODULE_OK:
code = PW_CODE_ACCESS_ACCEPT;
break;
default:
code = PW_CODE_ACCESS_REJECT;
break;
}
break;
}
talloc_free(fake);
return code;
}
int dual_tls_recv(rad_listen_t *listener)
{
RADIUS_PACKET *packet;
REQUEST *request;
RAD_REQUEST_FUNP fun = NULL;
listen_socket_t *sock = listener->data;
RADCLIENT *client = sock->client;
if (!tls_socket_recv(listener)) {
return 0;
}
rad_assert(sock->request != NULL);
rad_assert(sock->request->packet != NULL);
rad_assert(sock->packet != NULL);
rad_assert(sock->ssn != NULL);
request = sock->request;
packet = sock->packet;
/*
* Some sanity checks, based on the packet code.
*/
switch(packet->code) {
case PW_AUTHENTICATION_REQUEST:
if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
FR_STATS_INC(auth, total_requests);
fun = rad_authenticate;
break;
case PW_ACCOUNTING_REQUEST:
if (listener->type != RAD_LISTEN_ACCT) goto bad_packet;
FR_STATS_INC(acct, total_requests);
fun = rad_accounting;
break;
case PW_STATUS_SERVER:
if (!mainconfig.status_server) {
FR_STATS_INC(auth, total_unknown_types);
DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
rad_free(&sock->packet);
request->packet = NULL;
return 0;
}
fun = rad_status_server;
break;
default:
bad_packet:
FR_STATS_INC(auth, total_unknown_types);
DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED",
packet->code, client->shortname, packet->src_port);
rad_free(&sock->packet);
request->packet = NULL;
return 0;
} /* switch over packet types */
if (!request_receive(listener, packet, client, fun)) {
FR_STATS_INC(auth, total_packets_dropped);
rad_free(&sock->packet);
request->packet = NULL;
return 0;
}
sock->packet = NULL; /* we have no need for more partial reads */
request->packet = NULL;
return 1;
}
int dual_tls_recv(rad_listen_t *listener)
{
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
listen_socket_t *sock = listener->data;
RADCLIENT *client = sock->client;
if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
if (!tls_socket_recv(listener)) {
return 0;
}
rad_assert(sock->packet != NULL);
rad_assert(sock->ssn != NULL);
rad_assert(client != NULL);
packet = talloc_steal(NULL, sock->packet);
sock->packet = NULL;
/*
* Some sanity checks, based on the packet code.
*
* "auth+acct" are marked as "auth", with the "dual" flag
* set.
*/
switch (packet->code) {
case PW_CODE_ACCESS_REQUEST:
if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
FR_STATS_INC(auth, total_requests);
fun = rad_authenticate;
break;
#ifdef WITH_ACCOUNTING
case PW_CODE_ACCOUNTING_REQUEST:
if (listener->type != RAD_LISTEN_ACCT) {
/*
* Allow auth + dual. Disallow
* everything else.
*/
if (!((listener->type == RAD_LISTEN_AUTH) &&
(listener->dual))) {
goto bad_packet;
}
}
FR_STATS_INC(acct, total_requests);
fun = rad_accounting;
break;
#endif
case PW_CODE_STATUS_SERVER:
if (!main_config.status_server) {
FR_STATS_INC(auth, total_unknown_types);
WARN("Ignoring Status-Server request due to security configuration");
rad_free(&packet);
return 0;
}
fun = rad_status_server;
break;
default:
bad_packet:
FR_STATS_INC(auth, total_unknown_types);
DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED",
packet->code, client->shortname, packet->src_port);
rad_free(&packet);
return 0;
} /* switch over packet types */
if (!request_receive(NULL, listener, packet, client, fun)) {
FR_STATS_INC(auth, total_packets_dropped);
rad_free(&packet);
return 0;
}
return 1;
}
int proxy_tls_recv(rad_listen_t *listener)
{
listen_socket_t *sock = listener->data;
char buffer[256];
RADIUS_PACKET *packet;
uint8_t *data;
ssize_t data_len;
if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
DEBUG3("Proxy SSL socket has data to read");
PTHREAD_MUTEX_LOCK(&sock->mutex);
data_len = proxy_tls_read(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
if (data_len < 0) {
DEBUG("Closing TLS socket to home server");
PTHREAD_MUTEX_LOCK(&sock->mutex);
tls_socket_close(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (data_len == 0) return 0; /* not done yet */
data = sock->data;
packet = rad_alloc(sock, false);
packet->sockfd = listener->fd;
packet->src_ipaddr = sock->other_ipaddr;
packet->src_port = sock->other_port;
packet->dst_ipaddr = sock->my_ipaddr;
packet->dst_port = sock->my_port;
packet->code = data[0];
packet->id = data[1];
packet->data_len = data_len;
packet->data = talloc_array(packet, uint8_t, packet->data_len);
memcpy(packet->data, data, packet->data_len);
memcpy(packet->vector, packet->data + 4, 16);
/*
* FIXME: Client MIB updates?
*/
switch (packet->code) {
case PW_CODE_ACCESS_ACCEPT:
case PW_CODE_ACCESS_CHALLENGE:
case PW_CODE_ACCESS_REJECT:
break;
#ifdef WITH_ACCOUNTING
case PW_CODE_ACCOUNTING_RESPONSE:
break;
#endif
default:
/*
* FIXME: Update MIB for packet types?
*/
ERROR("Invalid packet code %d sent to a proxy port "
"from home server %s port %d - ID %d : IGNORED",
packet->code,
ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
packet->src_port, packet->id);
rad_free(&packet);
return 0;
}
if (!request_proxy_reply(packet)) {
rad_free(&packet);
return 0;
}
return 1;
}
/*
* Initialize the request.
*/
static int request_init(char const *filename)
{
FILE *fp;
vp_cursor_t cursor;
VALUE_PAIR *vp;
bool filedone = false;
/*
* Determine where to read the VP's from.
*/
if (filename) {
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "dhcpclient: Error opening %s: %s\n",
filename, fr_syserror(errno));
return 0;
}
} else {
fp = stdin;
}
request = rad_alloc(NULL, false);
/*
* Read the VP's.
*/
if (fr_pair_list_afrom_file(NULL, &request->vps, fp, &filedone) < 0) {
fr_perror("dhcpclient");
rad_free(&request);
if (fp != stdin) fclose(fp);
return 1;
}
/*
* Fix / set various options
*/
for (vp = fr_cursor_init(&cursor, &request->vps); vp; vp = fr_cursor_next(&cursor)) {
if (vp->da->vendor == DHCP_MAGIC_VENDOR && vp->da->attr == PW_DHCP_MESSAGE_TYPE) {
/* Allow to set packet type using DHCP-Message-Type. */
request->code = vp->vp_integer + PW_DHCP_OFFSET;
} else if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
* (this takes precedence over the command argument.)
*/
case PW_PACKET_TYPE:
request->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->dst_ipaddr.af = AF_INET;
request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->dst_ipaddr.prefix = 32;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->dst_ipaddr.af = AF_INET6;
request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->dst_ipaddr.prefix = 128;
break;
case PW_PACKET_SRC_PORT:
request->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->src_ipaddr.af = AF_INET;
request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
request->src_ipaddr.prefix = 32;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->src_ipaddr.af = AF_INET6;
request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
request->src_ipaddr.prefix = 128;
break;
} /* switch over the attribute */
} /* loop over the VP's we read in */
/*
* Use the default set on the command line
*/
if (!request->code) request->code = packet_code;
if (fp != stdin) fclose(fp);
/*
* And we're done.
*/
return 1;
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
rc_request_t *request;
RADIUS_PACKET *reply, **packet_p;
volatile int max_fd;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
max_fd = fr_packet_list_fd_set(pl, &set);
if (max_fd < 0) exit(1); /* no sockets to listen on! */
if (wait_time <= 0) {
tv.tv_sec = 0;
} else {
tv.tv_sec = wait_time;
}
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(max_fd, &set, NULL, NULL, &tv) <= 0) {
return 0;
}
/*
* Look for the packet.
*/
reply = fr_packet_list_recv(pl, &set);
if (!reply) {
ERROR("Received bad packet");
#ifdef WITH_TCP
/*
* If the packet is bad, we close the socket.
* I'm not sure how to do that now, so we just
* die...
*/
if (proto) exit(1);
#endif
return -1; /* bad packet */
}
/*
* udpfromto issues. We may have bound to "*",
* and we want to find the replies that are sent to
* (say) 127.0.0.1.
*/
reply->dst_ipaddr = client_ipaddr;
reply->dst_port = client_port;
#ifdef WITH_TCP
reply->src_ipaddr = server_ipaddr;
reply->src_port = server_port;
#endif
packet_p = fr_packet_list_find_byreply(pl, reply);
if (!packet_p) {
ERROR("Received reply to request we did not send. (id=%d socket %d)",
reply->id, reply->sockfd);
rad_free(&reply);
return -1; /* got reply to packet we didn't send */
}
request = fr_packet2myptr(rc_request_t, packet, packet_p);
/*
* Fails the signature validation: not a real reply.
* FIXME: Silently drop it and listen for another packet.
*/
if (rad_verify(reply, request->packet, secret) < 0) {
REDEBUG("Reply verification failed");
stats.lost++;
goto packet_done; /* shared secret is incorrect */
}
if (print_filename) {
RDEBUG("%s response code %d", request->files->packets, reply->code);
}
deallocate_id(request);
request->reply = reply;
reply = NULL;
/*
* If this fails, we're out of memory.
*/
if (rad_decode(request->reply, request->packet, secret) != 0) {
REDEBUG("Reply decode failed");
stats.lost++;
goto packet_done;
}
/*
* Increment counters...
*/
switch (request->reply->code) {
case PW_CODE_AUTHENTICATION_ACK:
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_ACK:
stats.accepted++;
break;
case PW_CODE_ACCESS_CHALLENGE:
break;
default:
stats.rejected++;
}
/*
* If we had an expected response code, check to see if the
* packet matched that.
*/
if (request->reply->code != request->filter_code) {
if (is_radius_code(request->packet_code)) {
REDEBUG("Expected %s got %s", fr_packet_codes[request->filter_code],
fr_packet_codes[request->reply->code]);
} else {
REDEBUG("Expected %u got %i", request->filter_code,
request->reply->code);
}
stats.failed++;
/*
* Check if the contents of the packet matched the filter
*/
} else if (!request->filter) {
stats.passed++;
} else {
VALUE_PAIR const *failed[2];
pairsort(&request->reply->vps, attrtagcmp);
if (pairvalidate(failed, request->filter, request->reply->vps)) {
RDEBUG("Response passed filter");
stats.passed++;
} else {
pairvalidate_debug(request, failed);
REDEBUG("Response failed filter");
stats.failed++;
}
}
if (request->resend == resend_count) {
request->done = true;
}
packet_done:
rad_free(&request->reply);
rad_free(&reply); /* may be NULL */
return 0;
}
/*
* Free a REQUEST struct.
*/
void request_free(REQUEST **request_ptr)
{
REQUEST *request;
if (!request_ptr || !*request_ptr) {
return;
}
request = *request_ptr;
rad_assert(!request->in_request_hash);
#ifdef WITH_PROXY
rad_assert(!request->in_proxy_hash);
#endif
rad_assert(!request->ev);
if (request->packet)
rad_free(&request->packet);
#ifdef WITH_PROXY
if (request->proxy)
rad_free(&request->proxy);
#endif
if (request->reply)
rad_free(&request->reply);
#ifdef WITH_PROXY
if (request->proxy_reply)
rad_free(&request->proxy_reply);
#endif
if (request->config_items)
pairfree(&request->config_items);
request->username = NULL;
request->password = NULL;
if (request->data) {
request_data_t *this, *next;
for (this = request->data; this != NULL; this = next) {
next = this->next;
if (this->opaque && /* free it, if necessary */
this->free_opaque)
this->free_opaque(this->opaque);
free(this);
}
request->data = NULL;
}
if (request->root &&
(request->root->refcount > 0)) {
request->root->refcount--;
request->root = NULL;
}
#ifdef WITH_COA
if (request->coa) {
request->coa->parent = NULL;
rad_assert(request->coa->ev == NULL);
request_free(&request->coa);
}
if (request->parent && (request->parent->coa == request)) {
request->parent->coa = NULL;
}
#endif
#ifndef NDEBUG
request->magic = 0x01020304; /* set the request to be nonsense */
#endif
request->client = NULL;
#ifdef WITH_PROXY
request->home_server = NULL;
#endif
talloc_free(request);
*request_ptr = NULL;
}
RADIUS_PACKET *vqp_recv(int sockfd)
{
uint8_t *ptr;
ssize_t length;
uint32_t id;
RADIUS_PACKET *packet;
/*
* Allocate the new request data structure
*/
if ((packet = malloc(sizeof(*packet))) == NULL) {
fr_strerror_printf("out of memory");
return NULL;
}
memset(packet, 0, sizeof(*packet));
packet->data_len = vqp_recvfrom(sockfd, &packet->data, 0,
&packet->src_ipaddr, &packet->src_port,
&packet->dst_ipaddr, &packet->dst_port);
/*
* Check for socket errors.
*/
if (packet->data_len < 0) {
fr_strerror_printf("Error receiving packet: %s", strerror(errno));
/* packet->data is NULL */
free(packet);
return NULL;
}
/*
* We can only receive packets formatted in a way we
* expect. However, we accept MORE attributes in a
* packet than normal implementations may send.
*/
if (packet->data_len < VQP_HDR_LEN) {
fr_strerror_printf("VQP packet is too short");
rad_free(&packet);
return NULL;
}
ptr = packet->data;
if (0) {
int i;
for (i = 0; i < packet->data_len; i++) {
if ((i & 0x0f) == 0) fprintf(stderr, "%02x: ", i);
fprintf(stderr, "%02x ", ptr[i]);
if ((i & 0x0f) == 0x0f) fprintf(stderr, "\n");
}
}
if (ptr[3] > VQP_MAX_ATTRIBUTES) {
fr_strerror_printf("Too many VQP attributes");
rad_free(&packet);
return NULL;
}
if (packet->data_len > VQP_HDR_LEN) {
int attrlen;
/*
* Skip the header.
*/
ptr += VQP_HDR_LEN;
length = packet->data_len - VQP_HDR_LEN;
while (length > 0) {
if (length < 7) {
fr_strerror_printf("Packet contains malformed attribute");
rad_free(&packet);
return NULL;
}
/*
* Attributes are 4 bytes
* 0x00000c01 ... 0x00000c08
*/
if ((ptr[0] != 0) || (ptr[1] != 0) ||
(ptr[2] != 0x0c) || (ptr[3] < 1) || (ptr[3] > 8)) {
fr_strerror_printf("Packet contains invalid attribute");
rad_free(&packet);
return NULL;
}
/*
* Length is 2 bytes
*
* We support lengths 1..253, for internal
* server reasons. Also, there's no reason
* for bigger lengths to exist... admins
* won't be typing in a 32K vlan name.
*
* Except for received ethernet frames...
* they get chopped to 253 internally.
*/
if ((ptr[3] != 5) &&
((ptr[4] != 0) || (ptr[5] > MAX_VMPS_LEN))) {
fr_strerror_printf("Packet contains attribute with invalid length %02x %02x", ptr[4], ptr[5]);
rad_free(&packet);
return NULL;
}
attrlen = ptr[5];
ptr += 6 + attrlen;
length -= (6 + attrlen);
}
}
packet->sockfd = sockfd;
packet->vps = NULL;
/*
* This is more than a bit of a hack.
*/
packet->code = PW_AUTHENTICATION_REQUEST;
memcpy(&id, packet->data + 4, 4);
packet->id = ntohl(id);
/*
* FIXME: Create a fake "request authenticator", to
* avoid duplicates? Or is the VQP sequence number
* adequate for this purpose?
*/
return packet;
}
/*
* Initialize a radclient data structure and add it to
* the global linked list.
*/
static int radclient_init(const char *filename)
{
FILE *fp;
VALUE_PAIR *vp;
radclient_t *radclient;
int filedone = 0;
int packet_number = 1;
assert(filename != NULL);
/*
* Determine where to read the VP's from.
*/
if (strcmp(filename, "-") != 0) {
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "radclient: Error opening %s: %s\n",
filename, strerror(errno));
return 0;
}
} else {
fp = stdin;
}
/*
* Loop until the file is done.
*/
do {
/*
* Allocate it.
*/
radclient = malloc(sizeof(*radclient));
if (!radclient) {
perror("radclient: X");
if (fp != stdin) fclose(fp);
return 0;
}
memset(radclient, 0, sizeof(*radclient));
radclient->request = rad_alloc(1);
if (!radclient->request) {
fr_perror("radclient: Y");
free(radclient);
if (fp != stdin) fclose(fp);
return 0;
}
#ifdef WITH_TCP
radclient->request->src_ipaddr = client_ipaddr;
radclient->request->src_port = client_port;
radclient->request->dst_ipaddr = server_ipaddr;
radclient->request->dst_port = server_port;
#endif
radclient->filename = filename;
radclient->request->id = -1; /* allocate when sending */
radclient->packet_number = packet_number++;
/*
* Read the VP's.
*/
radclient->request->vps = readvp2(fp, &filedone, "radclient:");
if (!radclient->request->vps) {
rad_free(&radclient->request);
free(radclient);
if (fp != stdin) fclose(fp);
return 1;
}
/*
* Keep a copy of the the User-Password attribute.
*/
if ((vp = pairfind(radclient->request->vps, PW_USER_PASSWORD, 0)) != NULL) {
strlcpy(radclient->password, vp->vp_strvalue,
sizeof(radclient->password));
/*
* Otherwise keep a copy of the CHAP-Password attribute.
*/
} else if ((vp = pairfind(radclient->request->vps, PW_CHAP_PASSWORD, 0)) != NULL) {
strlcpy(radclient->password, vp->vp_strvalue,
sizeof(radclient->password));
} else if ((vp = pairfind(radclient->request->vps, PW_MSCHAP_PASSWORD, 0)) != NULL) {
strlcpy(radclient->password, vp->vp_strvalue,
sizeof(radclient->password));
} else {
radclient->password[0] = '\0';
}
/*
* Fix up Digest-Attributes issues
*/
for (vp = radclient->request->vps; vp != NULL; vp = vp->next) {
switch (vp->attribute) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
radclient->request->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
radclient->request->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
radclient->request->dst_ipaddr.af = AF_INET;
radclient->request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
radclient->request->dst_ipaddr.af = AF_INET6;
radclient->request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
radclient->request->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
radclient->request->src_ipaddr.af = AF_INET;
radclient->request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
radclient->request->src_ipaddr.af = AF_INET6;
radclient->request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
memmove(&vp->vp_octets[2], &vp->vp_octets[0],
vp->length);
vp->vp_octets[0] = vp->attribute - PW_DIGEST_REALM + 1;
vp->length += 2;
vp->vp_octets[1] = vp->length;
vp->attribute = PW_DIGEST_ATTRIBUTES;
break;
}
} /* loop over the VP's we read in */
/*
* Add it to the tail of the list.
*/
if (!radclient_head) {
assert(radclient_tail == NULL);
radclient_head = radclient;
radclient->prev = NULL;
} else {
assert(radclient_tail->next == NULL);
radclient_tail->next = radclient;
radclient->prev = radclient_tail;
}
radclient_tail = radclient;
radclient->next = NULL;
} while (!filedone); /* loop until the file is done. */
if (fp != stdin) fclose(fp);
/*
* And we're done.
*/
return 1;
}
/*
* Receive one packet, maybe.
*/
static int recv_one_packet(int wait_time)
{
fd_set set;
struct timeval tv;
rc_request_t *request;
RADIUS_PACKET *reply, **packet_p;
volatile int max_fd;
/* And wait for reply, timing out as necessary */
FD_ZERO(&set);
max_fd = fr_packet_list_fd_set(pl, &set);
if (max_fd < 0) exit(1); /* no sockets to listen on! */
tv.tv_sec = (wait_time <= 0) ? 0 : wait_time;
tv.tv_usec = 0;
/*
* No packet was received.
*/
if (select(max_fd, &set, NULL, NULL, &tv) <= 0) return 0;
/*
* Look for the packet.
*/
reply = fr_packet_list_recv(pl, &set);
if (!reply) {
ERROR("Received bad packet");
#ifdef WITH_TCP
/*
* If the packet is bad, we close the socket.
* I'm not sure how to do that now, so we just
* die...
*/
if (proto) exit(1);
#endif
return -1; /* bad packet */
}
/*
* We don't use udpfromto. So if we bind to "*", we want
* to find replies sent to 192.0.2.4. Therefore, we
* force all replies to have the one address we know
* about, no matter what real address they were sent to.
*
* This only works if were not using any of the
* Packet-* attributes, or running with 'auto'.
*/
reply->dst_ipaddr = client_ipaddr;
reply->dst_port = client_port;
#ifdef WITH_TCP
/*
* TCP sockets don't use recvmsg(), and thus don't get
* the source IP/port. However, since they're TCP, we
* know what the source IP/port is, because that's where
* we connected to.
*/
if (ipproto == IPPROTO_TCP) {
reply->src_ipaddr = server_ipaddr;
reply->src_port = server_port;
}
#endif
packet_p = fr_packet_list_find_byreply(pl, reply);
if (!packet_p) {
ERROR("Received reply to request we did not send. (id=%d socket %d)",
reply->id, reply->sockfd);
rad_free(&reply);
return -1; /* got reply to packet we didn't send */
}
request = fr_packet2myptr(rc_request_t, packet, packet_p);
/*
* Fails the signature validation: not a real reply.
* FIXME: Silently drop it and listen for another packet.
*/
if (rad_verify(reply, request->packet, secret) < 0) {
REDEBUG("Reply verification failed");
stats.lost++;
goto packet_done; /* shared secret is incorrect */
}
if (print_filename) {
RDEBUG("%s response code %d", request->files->packets, reply->code);
}
deallocate_id(request);
request->reply = reply;
reply = NULL;
/*
* If this fails, we're out of memory.
*/
if (rad_decode(request->reply, request->packet, secret) != 0) {
REDEBUG("Reply decode failed");
stats.lost++;
goto packet_done;
}
fr_packet_header_print(fr_log_fp, request->reply, true);
if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->reply->vps);
/*
* Increment counters...
*/
switch (request->reply->code) {
case PW_CODE_ACCESS_ACCEPT:
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_ACK:
stats.accepted++;
break;
case PW_CODE_ACCESS_CHALLENGE:
break;
default:
stats.rejected++;
}
/*
* If we had an expected response code, check to see if the
* packet matched that.
*/
if (request->reply->code != request->filter_code) {
if (is_radius_code(request->reply->code)) {
REDEBUG("%s: Expected %s got %s", request->name, fr_packet_codes[request->filter_code],
fr_packet_codes[request->reply->code]);
} else {
REDEBUG("%s: Expected %u got %i", request->name, request->filter_code,
request->reply->code);
}
stats.failed++;
/*
* Check if the contents of the packet matched the filter
*/
} else if (!request->filter) {
stats.passed++;
} else {
VALUE_PAIR const *failed[2];
fr_pair_list_sort(&request->reply->vps, fr_pair_cmp_by_da_tag);
if (fr_pair_validate(failed, request->filter, request->reply->vps)) {
RDEBUG("%s: Response passed filter", request->name);
stats.passed++;
} else {
fr_pair_validate_debug(request, failed);
REDEBUG("%s: Response for failed filter", request->name);
stats.failed++;
}
}
if (request->resend == resend_count) {
request->done = true;
}
packet_done:
rad_free(&request->reply);
rad_free(&reply); /* may be NULL */
return 0;
}
/*
* Receive packets from an accounting socket
*/
static int acct_socket_recv(rad_listen_t *listener,
RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
{
ssize_t rcode;
int code, src_port;
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
RADCLIENT *client;
fr_ipaddr_t src_ipaddr;
rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
if (rcode < 0) return 0;
RAD_STATS_TYPE_INC(listener, total_requests);
if (rcode < 20) { /* AUTH_HDR_LEN */
RAD_STATS_TYPE_INC(listener, total_malformed_requests);
return 0;
}
if ((client = client_listener_find(listener,
&src_ipaddr, src_port)) == NULL) {
rad_recv_discard(listener->fd);
RAD_STATS_TYPE_INC(listener, total_invalid_requests);
return 0;
}
/*
* Some sanity checks, based on the packet code.
*/
switch(code) {
case PW_ACCOUNTING_REQUEST:
RAD_STATS_CLIENT_INC(listener, client, total_requests);
fun = rad_accounting;
break;
case PW_STATUS_SERVER:
if (!mainconfig.status_server) {
rad_recv_discard(listener->fd);
RAD_STATS_TYPE_INC(listener, total_packets_dropped);
RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
return 0;
}
fun = acct_status_server;
break;
default:
rad_recv_discard(listener->fd);
RAD_STATS_TYPE_INC(listener, total_unknown_types);
RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
DEBUG("Invalid packet code %d sent to a accounting port from client %s port %d : IGNORED",
code, client->shortname, src_port);
return 0;
} /* switch over packet types */
/*
* Now that we've sanity checked everything, receive the
* packet.
*/
packet = rad_recv(listener->fd, 0);
if (!packet) {
RAD_STATS_TYPE_INC(listener, total_malformed_requests);
radlog(L_ERR, "%s", fr_strerror());
return 0;
}
/*
* There can be no duplicate accounting packets.
*/
if (!received_request(listener, packet, prequest, client)) {
RAD_STATS_TYPE_INC(listener, total_packets_dropped);
RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
rad_free(&packet);
return 0;
}
*pfun = fun;
return 1;
}
int proxy_tls_recv(rad_listen_t *listener)
{
int rcode;
size_t length;
listen_socket_t *sock = listener->data;
char buffer[256];
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
uint8_t *data;
if (!sock->data) sock->data = rad_malloc(sock->ssn->offset);
data = sock->data;
DEBUG3("Proxy SSL socket has data to read");
PTHREAD_MUTEX_LOCK(&sock->mutex);
redo:
rcode = SSL_read(sock->ssn->ssl, data, 4);
if (rcode <= 0) {
int err = SSL_get_error(sock->ssn->ssl, rcode);
switch (err) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
rcode = 0;
goto redo;
case SSL_ERROR_ZERO_RETURN:
/* remote end sent close_notify, send one back */
SSL_shutdown(sock->ssn->ssl);
case SSL_ERROR_SYSCALL:
do_close:
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
tls_socket_close(listener);
return 0;
default:
while ((err = ERR_get_error())) {
DEBUG("proxy recv says %s",
ERR_error_string(err, NULL));
}
goto do_close;
}
}
length = (data[2] << 8) | data[3];
DEBUG3("Proxy received header saying we have a packet of %u bytes",
(unsigned int) length);
if (length > sock->ssn->offset) {
radlog(L_INFO,
"Received packet will be too large! Set \"fragment_size=%u\"",
(data[2] << 8) | data[3]);
goto do_close;
}
rcode = SSL_read(sock->ssn->ssl, data + 4, length);
if (rcode <= 0) {
switch (SSL_get_error(sock->ssn->ssl, rcode)) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
rcode = 0;
break;
case SSL_ERROR_ZERO_RETURN:
/* remote end sent close_notify, send one back */
SSL_shutdown(sock->ssn->ssl);
goto do_close;
default:
goto do_close;
}
}
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
packet = rad_alloc(0);
packet->sockfd = listener->fd;
packet->src_ipaddr = sock->other_ipaddr;
packet->src_port = sock->other_port;
packet->dst_ipaddr = sock->my_ipaddr;
packet->dst_port = sock->my_port;
packet->code = data[0];
packet->id = data[1];
packet->data_len = length;
packet->data = rad_malloc(packet->data_len);
memcpy(packet->data, data, packet->data_len);
memcpy(packet->vector, packet->data + 4, 16);
/*
* FIXME: Client MIB updates?
*/
switch(packet->code) {
case PW_AUTHENTICATION_ACK:
case PW_ACCESS_CHALLENGE:
case PW_AUTHENTICATION_REJECT:
fun = rad_authenticate;
break;
#ifdef WITH_ACCOUNTING
case PW_ACCOUNTING_RESPONSE:
fun = rad_accounting;
break;
#endif
default:
/*
* FIXME: Update MIB for packet types?
*/
radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
"from home server %s port %d - ID %d : IGNORED",
packet->code,
ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
packet->src_port, packet->id);
rad_free(&packet);
return 0;
}
if (!request_proxy_reply(packet)) {
rad_free(&packet);
return 0;
}
return 1;
}
/*
* Recieve packets from a proxy socket.
*/
static int proxy_socket_recv(rad_listen_t *listener,
RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
{
REQUEST *request;
RADIUS_PACKET *packet;
char buffer[128];
RAD_REQUEST_FUNP fun = NULL;
packet = rad_recv(listener->fd, 0);
if (!packet) {
radlog(L_ERR, "%s", fr_strerror());
return 0;
}
/*
* FIXME: Client MIB updates?
*/
switch(packet->code) {
case PW_AUTHENTICATION_ACK:
case PW_ACCESS_CHALLENGE:
case PW_AUTHENTICATION_REJECT:
#ifdef WITH_ACCOUNTING
case PW_ACCOUNTING_RESPONSE:
#endif
break;
#ifdef WITH_COA
case PW_DISCONNECT_ACK:
case PW_DISCONNECT_NAK:
case PW_COA_ACK:
case PW_COA_NAK:
break;
#endif
default:
/*
* FIXME: Update MIB for packet types?
*/
radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
"from home server %s port %d - ID %d : IGNORED",
packet->code,
ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
packet->src_port, packet->id);
rad_free(&packet);
return 0;
}
request = received_proxy_response(packet);
if (!request) {
return 0;
}
rad_assert(request->process != NULL);
#ifdef WITH_COA
/*
* Distinguish proxied CoA requests from ones we
* originate. If we've proxied a DIFFERENT packet type
* than the original, then it MUST be a CoA packet. In
* that case, we process it as a CoA reply packet, rather
* than re-running the original method.
*/
if (request->packet->code != request->proxy->code) {
rad_assert((request->proxy->code == PW_COA_REQUEST) ||
(request->proxy->code == PW_DISCONNECT_REQUEST));
fun = rad_coa_reply; /* run NEW function */
} else
#endif
*pfun = request->process; /* re-run original function */
*prequest = request;
return 1;
}
/*
* Initialize the request.
*/
static int request_init(char const *filename)
{
FILE *fp;
vp_cursor_t cursor;
VALUE_PAIR *vp;
int filedone = 0;
/*
* Determine where to read the VP's from.
*/
if (filename) {
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "dhcpclient: Error opening %s: %s\n",
filename, fr_syserror(errno));
return 0;
}
} else {
fp = stdin;
}
request = rad_alloc(NULL, 0);
/*
* Read the VP's.
*/
request->vps = readvp2(NULL, fp, &filedone, "dhcpclient:");
if (!request->vps) {
rad_free(&request);
if (fp != stdin) fclose(fp);
return 1;
}
/*
* Fix / set various options
*/
for (vp = paircursor(&cursor, &request->vps); vp; vp = pairnext(&cursor)) {
switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->dst_ipaddr.af = AF_INET;
request->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->dst_ipaddr.af = AF_INET6;
request->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
request->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->src_ipaddr.af = AF_INET;
request->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->src_ipaddr.af = AF_INET6;
request->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
} /* switch over the attribute */
} /* loop over the VP's we read in */
if (fp != stdin) fclose(fp);
/*
* And we're done.
*/
return 1;
}
RADIUS_PACKET *fr_tcp_accept(int sockfd)
{
int newfd;
socklen_t salen;
RADIUS_PACKET *packet;
struct sockaddr_storage src;
salen = sizeof(src);
newfd = accept(sockfd, (struct sockaddr *) &src, &salen);
if (newfd < 0) {
/*
* Non-blocking sockets must handle this.
*/
#ifdef EWOULDBLOCK
if (errno == EWOULDBLOCK) {
packet = rad_alloc(NULL, 0);
if (!packet) return NULL;
packet->sockfd = sockfd;
packet->src_ipaddr.af = AF_UNSPEC;
return packet;
}
#endif
return NULL;
}
packet = rad_alloc(NULL, 0);
if (!packet) {
close(newfd);
return NULL;
}
if (src.ss_family == AF_INET) {
struct sockaddr_in s4;
memcpy(&s4, &src, sizeof(s4));
packet->src_ipaddr.af = AF_INET;
packet->src_ipaddr.ipaddr.ip4addr = s4.sin_addr;
packet->src_port = ntohs(s4.sin_port);
#ifdef HAVE_STRUCT_SOCKADDR_IN6
} else if (src.ss_family == AF_INET6) {
struct sockaddr_in6 s6;
memcpy(&s6, &src, sizeof(s6));
packet->src_ipaddr.af = AF_INET6;
packet->src_ipaddr.ipaddr.ip6addr = s6.sin6_addr;
packet->src_port = ntohs(s6.sin6_port);
#endif
} else {
rad_free(&packet);
close(newfd);
return NULL;
}
packet->sockfd = newfd;
/*
* Note: Caller has to set dst_ipaddr && dst_port.
*/
return packet;
}
