static void got_packet(UNUSED uint8_t *args, const struct pcap_pkthdr *header, const uint8_t *data)
{
static int count = 1; /* Packets seen */
/*
* Define pointers for packet's attributes
*/
const struct ip_header *ip; /* The IP header */
const struct udp_header *udp; /* The UDP header */
const uint8_t *payload; /* Packet payload */
/*
* And define the size of the structures we're using
*/
int size_ethernet = sizeof(struct ethernet_header);
int size_ip = sizeof(struct ip_header);
int size_udp = sizeof(struct udp_header);
/*
* For FreeRADIUS
*/
RADIUS_PACKET *packet, *original;
struct timeval elapsed;
/*
* Define our packet's attributes
*/
if ((data[0] == 2) && (data[1] == 0) &&
(data[2] == 0) && (data[3] == 0)) {
ip = (const struct ip_header*) (data + 4);
} else {
ip = (const struct ip_header*)(data + size_ethernet);
}
udp = (const struct udp_header*)(((const uint8_t *) ip) + size_ip);
payload = (const uint8_t *)(((const uint8_t *) udp) + size_udp);
packet = rad_alloc(NULL, 0);
if (!packet) {
fprintf(stderr, "Out of memory\n");
return;
}
packet->src_ipaddr.af = AF_INET;
packet->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
packet->src_port = ntohs(udp->udp_sport);
packet->dst_ipaddr.af = AF_INET;
packet->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
packet->dst_port = ntohs(udp->udp_dport);
memcpy(&packet->data, &payload, sizeof(packet->data));
packet->data_len = header->len - (payload - data);
if (!rad_packet_ok(packet, 0)) {
DEBUG(log_dst, "Packet: %s\n", fr_strerror());
DEBUG(log_dst, " From %s:%d\n", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
DEBUG(log_dst, " To: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG(log_dst, " Type: %s\n", fr_packet_codes[packet->code]);
rad_free(&packet);
return;
}
switch (packet->code) {
case PW_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_AUTHENTICATION_ACK:
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, packet);
break;
case PW_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(NULL, packet);
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(packet, original, radius_secret) != 0) {
rad_free(&packet);
fr_perror("decode");
return;
}
/*
* We've seen a successfull reply to this, so delete it now
*/
if (original)
rbtree_deletebydata(request_tree, original);
if (filter_vps && filter_packet(packet)) {
rad_free(&packet);
DEBUG(log_dst, "Packet number %d doesn't match\n", count++);
return;
}
if (out) {
pcap_dump((void *) out, header, data);
goto check_filter;
}
INFO(log_dst, "%s Id %d\t", fr_packet_codes[packet->code], packet->id);
/*
* Print the RADIUS packet
*/
INFO(log_dst, "%s:%d -> ", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
INFO(log_dst, "%s:%d", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
DEBUG1(log_dst, "\t(%d packets)", count++);
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
tv_sub(&header->ts, &start_pcap, &elapsed);
INFO(log_dst, "\t+%u.%03u", (unsigned int) elapsed.tv_sec,
(unsigned int) elapsed.tv_usec / 1000);
if (fr_debug_flag > 1) {
DEBUG(log_dst, "\n");
if (packet->vps) {
if (do_sort) sort(packet);
vp_printlist(log_dst, packet->vps);
pairfree(&packet->vps);
}
}
INFO(log_dst, "\n");
if (!to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(packet);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((packet->code != PW_AUTHENTICATION_REQUEST) &&
(packet->code != PW_ACCOUNTING_REQUEST))) {
rad_free(&packet);
}
}
static int tls_socket_recv(rad_listen_t *listener)
{
int doing_init = FALSE;
ssize_t rcode;
RADIUS_PACKET *packet;
REQUEST *request;
listen_socket_t *sock = listener->data;
fr_tls_status_t status;
RADCLIENT *client = sock->client;
if (!sock->packet) {
sock->packet = rad_alloc(0);
if (!sock->packet) return 0;
sock->packet->sockfd = listener->fd;
sock->packet->src_ipaddr = sock->other_ipaddr;
sock->packet->src_port = sock->other_port;
sock->packet->dst_ipaddr = sock->my_ipaddr;
sock->packet->dst_port = sock->my_port;
if (sock->request) sock->request->packet = sock->packet;
}
/*
* Allocate a REQUEST for debugging.
*/
if (!sock->request) {
sock->request = request = request_alloc();
if (!sock->request) {
radlog(L_ERR, "Out of memory");
return 0;
}
rad_assert(request->packet == NULL);
rad_assert(sock->packet != NULL);
request->packet = sock->packet;
request->component = "<core>";
request->component = "<tls-connect>";
/*
* Not sure if we should do this on every packet...
*/
request->reply = rad_alloc(0);
if (!request->reply) return 0;
request->options = RAD_REQUEST_OPTION_DEBUG2;
rad_assert(sock->ssn == NULL);
sock->ssn = tls_new_session(listener->tls, sock->request,
listener->tls->require_client_cert);
if (!sock->ssn) {
request_free(&sock->request);
sock->packet = NULL;
return 0;
}
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&request->packet->vps);
doing_init = TRUE;
}
rad_assert(sock->request != NULL);
rad_assert(sock->request->packet != NULL);
rad_assert(sock->packet != NULL);
rad_assert(sock->ssn != NULL);
request = sock->request;
RDEBUG3("Reading from socket %d", request->packet->sockfd);
PTHREAD_MUTEX_LOCK(&sock->mutex);
rcode = read(request->packet->sockfd,
sock->ssn->dirty_in.data,
sizeof(sock->ssn->dirty_in.data));
if ((rcode < 0) && (errno == ECONNRESET)) {
do_close:
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
tls_socket_close(listener);
return 0;
}
if (rcode < 0) {
RDEBUG("Error reading TLS socket: %s", strerror(errno));
goto do_close;
}
/*
* Normal socket close.
*/
if (rcode == 0) goto do_close;
sock->ssn->dirty_in.used = rcode;
memset(sock->ssn->dirty_in.data + sock->ssn->dirty_in.used,
0, 16);
dump_hex("READ FROM SSL", sock->ssn->dirty_in.data, sock->ssn->dirty_in.used);
/*
* Catch attempts to use non-SSL.
*/
if (doing_init && (sock->ssn->dirty_in.data[0] != handshake)) {
RDEBUG("Non-TLS data sent to TLS socket: closing");
goto do_close;
}
/*
* Skip ahead to reading application data.
*/
if (SSL_is_init_finished(sock->ssn->ssl)) goto app;
if (!tls_handshake_recv(request, sock->ssn)) {
RDEBUG("FAILED in TLS handshake receive");
goto do_close;
}
if (sock->ssn->dirty_out.used > 0) {
tls_socket_write(listener, request);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
app:
/*
* FIXME: Run the packet through a virtual server in
* order to see if we like the certificate presented by
* the client.
*/
status = tls_application_data(sock->ssn, request);
RDEBUG("Application data status %d", status);
if (status == FR_TLS_MORE_FRAGMENTS) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (sock->ssn->clean_out.used == 0) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
dump_hex("TUNNELED DATA", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
/*
* If the packet is a complete RADIUS packet, return it to
* the caller. Otherwise...
*/
if ((sock->ssn->clean_out.used < 20) ||
(((sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]) != (int) sock->ssn->clean_out.used)) {
RDEBUG("Received bad packet: Length %d contents %d",
sock->ssn->clean_out.used,
(sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]);
goto do_close;
}
packet = sock->packet;
packet->data = rad_malloc(sock->ssn->clean_out.used);
packet->data_len = sock->ssn->clean_out.used;
sock->ssn->record_minus(&sock->ssn->clean_out, packet->data, packet->data_len);
packet->vps = NULL;
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
if (!rad_packet_ok(packet, 0)) {
RDEBUG("Received bad packet: %s", fr_strerror());
tls_socket_close(listener);
return 0; /* do_close unlocks the mutex */
}
/*
* Copied from src/lib/radius.c, rad_recv();
*/
if (fr_debug_flag) {
char host_ipaddr[128];
if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->id, (int) packet->data_len);
} else {
RDEBUG("tls_recv: Packet from host %s port %d code=%d, id=%d, length=%d",
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->code,
packet->id, (int) packet->data_len);
}
}
FR_STATS_INC(auth, total_requests);
return 1;
}
static void rs_process_packet(rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
static int count = 0; /* Packets seen */
rs_stats_t *stats = event->stats;
decode_fail_t reason;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response = false; /* Was it a response code */
RADIUS_PACKET *current, *original;
struct timeval elapsed;
struct timeval latency;
count++;
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(NULL, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (data - p);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
DEBUG("(%i) ** %s **", count, fr_strerror());
DEBUG("(%i) %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_COA_REQUEST:
/* we need a 16 x 0 byte vector for decrypting encrypted VSAs */
original = nullpacket;
break;
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
response = true;
/* look for a matching request and use it for decoding */
original = rbtree_finddata(request_tree, current);
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
/* save the request for later matching */
original = rad_alloc_reply(event->conf, current);
original->timestamp = header->ts;
if (original) { /* just ignore allocation failures */
rbtree_deletebydata(request_tree, original);
rbtree_insert(request_tree, original);
}
/* fallthrough */
default:
/* don't attempt to decode any encrypted attributes */
original = NULL;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(current, original, event->conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
if (filter_vps && rs_filter_packet(current)) {
rad_free(¤t);
DEBUG("Packet number %d doesn't match", count++);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
goto check_filter;
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
rs_stats_update_count(&stats->gauge, current);
if (original) {
rs_tv_sub(¤t->timestamp, &original->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->code], &latency);
/*
* Print info about the response.
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
DEBUG("(%i) %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (fr_debug_flag > 1) {
if (current->vps) {
if (event->conf->do_sort) {
pairsort(¤t->vps, true);
}
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
}
/*
* We've seen a successful reply to this, so delete it now
*/
if (original) {
rbtree_deletebydata(request_tree, original);
}
if (!event->conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
check_filter:
/*
* If we're doing filtering, Access-Requests are cached in the
* filter tree.
*/
if (!filter_vps ||
((current->code != PW_CODE_AUTHENTICATION_REQUEST) && (current->code != PW_CODE_ACCOUNTING_REQUEST))) {
rad_free(¤t);
}
}
/*
* Receives a packet, assuming that the RADIUS_PACKET structure
* has been filled out already.
*
* This ASSUMES that the packet is allocated && fields
* initialized.
*
* This ASSUMES that the socket is marked as O_NONBLOCK, which
* the function above does set, if your system supports it.
*
* Calling this function MAY change sockfd,
* if src_ipaddr.af == AF_UNSPEC.
*/
int fr_tcp_read_packet(RADIUS_PACKET *packet, int flags)
{
ssize_t len;
/*
* No data allocated. Read the 4-byte header into
* a temporary buffer.
*/
if (!packet->data) {
int packet_len;
len = recv(packet->sockfd, packet->vector + packet->data_len,
4 - packet->data_len, 0);
if (len == 0) return -2; /* clean close */
#ifdef ECONNRESET
if ((len < 0) && (errno == ECONNRESET)) { /* forced */
return -2;
}
#endif
if (len < 0) {
fr_strerror_printf("Error receiving packet: %s", fr_syserror(errno));
return -1;
}
packet->data_len += len;
if (packet->data_len < 4) { /* want more data */
return 0;
}
packet_len = (packet->vector[2] << 8) | packet->vector[3];
if (packet_len < AUTH_HDR_LEN) {
fr_strerror_printf("Discarding packet: Smaller than RFC minimum of 20 bytes");
return -1;
}
/*
* If the packet is too big, then the socket is bad.
*/
if (packet_len > MAX_PACKET_LEN) {
fr_strerror_printf("Discarding packet: Larger than RFC limitation of 4096 bytes");
return -1;
}
packet->data = talloc_array(packet, uint8_t, packet_len);
if (!packet->data) {
fr_strerror_printf("Out of memory");
return -1;
}
packet->data_len = packet_len;
packet->partial = 4;
memcpy(packet->data, packet->vector, 4);
}
/*
* Try to read more data.
*/
len = recv(packet->sockfd, packet->data + packet->partial,
packet->data_len - packet->partial, 0);
if (len == 0) return -2; /* clean close */
#ifdef ECONNRESET
if ((len < 0) && (errno == ECONNRESET)) { /* forced */
return -2;
}
#endif
if (len < 0) {
fr_strerror_printf("Error receiving packet: %s", fr_syserror(errno));
return -1;
}
packet->partial += len;
if (packet->partial < packet->data_len) {
return 0;
}
/*
* See if it's a well-formed RADIUS packet.
*/
if (!rad_packet_ok(packet, flags, NULL)) {
return -1;
}
/*
* Explicitly set the VP list to empty.
*/
packet->vps = NULL;
if (fr_debug_flag) {
char ip_buf[128], buffer[256];
if (packet->src_ipaddr.af != AF_UNSPEC) {
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
ip_buf, sizeof(ip_buf));
snprintf(buffer, sizeof(buffer), "host %s port %d",
ip_buf, packet->src_port);
} else {
snprintf(buffer, sizeof(buffer), "socket %d",
packet->sockfd);
}
if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
DEBUG("rad_recv: %s packet from %s",
fr_packet_codes[packet->code], buffer);
} else {
DEBUG("rad_recv: Packet from %s code=%d",
buffer, packet->code);
}
DEBUG(", id=%d, length=%zu\n", packet->id, packet->data_len);
}
return 1; /* done reading the packet */
}
static int tls_socket_recv(rad_listen_t *listener)
{
bool doing_init = false;
ssize_t rcode;
RADIUS_PACKET *packet;
REQUEST *request;
listen_socket_t *sock = listener->data;
fr_tls_status_t status;
RADCLIENT *client = sock->client;
if (!sock->packet) {
sock->packet = rad_alloc(sock, false);
if (!sock->packet) return 0;
sock->packet->sockfd = listener->fd;
sock->packet->src_ipaddr = sock->other_ipaddr;
sock->packet->src_port = sock->other_port;
sock->packet->dst_ipaddr = sock->my_ipaddr;
sock->packet->dst_port = sock->my_port;
if (sock->request) sock->request->packet = talloc_steal(sock->request, sock->packet);
}
/*
* Allocate a REQUEST for debugging, and initialize the TLS session.
*/
if (!sock->request) {
sock->request = request = request_alloc(sock);
if (!sock->request) {
ERROR("Out of memory");
return 0;
}
rad_assert(request->packet == NULL);
rad_assert(sock->packet != NULL);
request->packet = talloc_steal(request, sock->packet);
request->component = "<core>";
request->component = "<tls-connect>";
request->reply = rad_alloc(request, false);
if (!request->reply) return 0;
rad_assert(sock->ssn == NULL);
sock->ssn = tls_new_session(sock, listener->tls, sock->request,
listener->tls->require_client_cert);
if (!sock->ssn) {
TALLOC_FREE(sock->request);
sock->packet = NULL;
return 0;
}
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock->parent);
doing_init = true;
}
rad_assert(sock->request != NULL);
rad_assert(sock->request->packet != NULL);
rad_assert(sock->packet != NULL);
rad_assert(sock->ssn != NULL);
request = sock->request;
RDEBUG3("Reading from socket %d", request->packet->sockfd);
PTHREAD_MUTEX_LOCK(&sock->mutex);
rcode = read(request->packet->sockfd,
sock->ssn->dirty_in.data,
sizeof(sock->ssn->dirty_in.data));
if ((rcode < 0) && (errno == ECONNRESET)) {
do_close:
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
DEBUG("Closing TLS socket from client port %u", sock->other_port);
tls_socket_close(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (rcode < 0) {
RDEBUG("Error reading TLS socket: %s", fr_syserror(errno));
goto do_close;
}
/*
* Normal socket close.
*/
if (rcode == 0) goto do_close;
sock->ssn->dirty_in.used = rcode;
dump_hex("READ FROM SSL", sock->ssn->dirty_in.data, sock->ssn->dirty_in.used);
/*
* Catch attempts to use non-SSL.
*/
if (doing_init && (sock->ssn->dirty_in.data[0] != handshake)) {
RDEBUG("Non-TLS data sent to TLS socket: closing");
goto do_close;
}
/*
* If we need to do more initialization, do that here.
*/
if (!SSL_is_init_finished(sock->ssn->ssl)) {
if (!tls_handshake_recv(request, sock->ssn)) {
RDEBUG("FAILED in TLS handshake receive");
goto do_close;
}
/*
* More ACK data to send. Do so.
*/
if (sock->ssn->dirty_out.used > 0) {
tls_socket_write(listener, request);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
/*
* FIXME: Run the request through a virtual
* server in order to see if we like the
* certificate presented by the client.
*/
}
/*
* Try to get application data.
*/
status = tls_application_data(sock->ssn, request);
RDEBUG("Application data status %d", status);
if (status == FR_TLS_MORE_FRAGMENTS) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (sock->ssn->clean_out.used == 0) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
/*
* We now have a bunch of application data.
*/
dump_hex("TUNNELED DATA > ", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
/*
* If the packet is a complete RADIUS packet, return it to
* the caller. Otherwise...
*/
if ((sock->ssn->clean_out.used < 20) ||
(((sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]) != (int) sock->ssn->clean_out.used)) {
RDEBUG("Received bad packet: Length %zd contents %d",
sock->ssn->clean_out.used,
(sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]);
goto do_close;
}
packet = sock->packet;
packet->data = talloc_array(packet, uint8_t, sock->ssn->clean_out.used);
packet->data_len = sock->ssn->clean_out.used;
sock->ssn->record_minus(&sock->ssn->clean_out, packet->data, packet->data_len);
packet->vps = NULL;
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
if (!rad_packet_ok(packet, 0, NULL)) {
ERROR("Receive - %s", fr_strerror());
DEBUG("Closing TLS socket from client");
PTHREAD_MUTEX_LOCK(&sock->mutex);
tls_socket_close(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0; /* do_close unlocks the mutex */
}
/*
* Copied from src/lib/radius.c, rad_recv();
*/
if (fr_debug_lvl) {
char host_ipaddr[128];
if (is_radius_code(packet->code)) {
RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->id, (int) packet->data_len);
} else {
RDEBUG("tls_recv: Packet from host %s port %d code=%d, id=%d, length=%d",
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->code,
packet->id, (int) packet->data_len);
}
}
FR_STATS_INC(auth, total_requests);
return 1;
}
static void got_packet(uint8_t *args, const struct pcap_pkthdr *header, const uint8_t *data)
{
/* Just a counter of how many packets we've had */
static int count = 1;
/* Define pointers for packet's attributes */
const struct ethernet_header *ethernet; /* The ethernet header */
const struct ip_header *ip; /* The IP header */
const struct udp_header *udp; /* The UDP header */
const uint8_t *payload; /* Packet payload */
/* And define the size of the structures we're using */
int size_ethernet = sizeof(struct ethernet_header);
int size_ip = sizeof(struct ip_header);
int size_udp = sizeof(struct udp_header);
/* For FreeRADIUS */
RADIUS_PACKET *packet;
args = args; /* -Wunused */
/* Define our packet's attributes */
ethernet = (const struct ethernet_header*)(data);
ip = (const struct ip_header*)(ethernet + size_ethernet);
udp = (const struct udp_header*)(data + size_ethernet + size_ip);
payload = (const uint8_t *)(data + size_ethernet + size_ip + size_udp);
packet = malloc(sizeof(*packet));
if (!packet) {
fprintf(stderr, "Out of memory\n");
return;
}
memset(packet, 0, sizeof(*packet));
packet->src_ipaddr.af = AF_INET;
packet->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
packet->src_port = ntohs(udp->udp_sport);
packet->dst_ipaddr.af = AF_INET;
packet->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
packet->dst_port = ntohs(udp->udp_dport);
packet->data = payload;
packet->data_len = header->len - size_ethernet - size_ip - size_udp;
if (!rad_packet_ok(packet, 0)) {
fr_perror("Packet");
free(packet);
return;
}
/*
* Decode the data without bothering to check the signatures.
*/
if (rad_decode(packet, NULL, radius_secret) != 0) {
free(packet);
fr_perror("decode");
return;
}
if (filter_vps && filter_packet(packet)) {
free(packet);
DEBUG("Packet number %d doesn't match\n", count++);
return;
}
/* Print the RADIUS packet */
printf("Packet number %d has just been sniffed\n", count++);
printf("\tFrom: %s:%d\n", inet_ntoa(ip->ip_src), ntohs(udp->udp_sport));
printf("\tTo: %s:%d\n", inet_ntoa(ip->ip_dst), ntohs(udp->udp_dport));
printf("\tType: %s\n", packet_codes[packet->code]);
if (packet->vps != NULL) {
vp_printlist(stdout, packet->vps);
pairfree(&packet->vps);
}
fflush(stdout);
free(packet);
}
static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
rs_stats_t *stats = event->stats;
struct timeval elapsed;
struct timeval latency;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response; /* Was it a response code */
decode_fail_t reason; /* Why we failed decoding the packet */
static uint64_t captured = 0;
RADIUS_PACKET *current; /* Current packet were processing */
rs_request_t *original;
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(conf, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (p - data);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
RIDEBUG("(%" PRIu64 ") ** %s **", count, fr_strerror());
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
case PW_CODE_COA_NAK:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_NAK:
case PW_CODE_DISCONNECT_ACK:
case PW_CODE_STATUS_CLIENT:
{
rs_request_t search;
struct timeval when;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
/* look for a matching request and use it for decoding */
search.packet = current;
original = rbtree_finddata(request_tree, &search);
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, original ? original->packet : NULL,
conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Check if we've managed to link it to a request
*/
if (original) {
/*
* Is this a retransmit?
*/
if (!original->linked) {
original->stats_rsp = &stats->exchange[current->code];
} else {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_rsp++;
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
}
original->linked = talloc_steal(original, current);
/*
* Some RADIUS servers and proxy servers may not cache
* Accounting-Responses (and possibly other code),
* and may immediately re-use a RADIUS packet src
* port/id combination on receipt of a response.
*/
if (conf->dequeue[current->code]) {
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
} else {
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when,
&original->event)) {
ERROR("Failed inserting new event");
/*
* Delete the original request/event, it's no longer valid
* for statistics.
*/
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
return;
}
}
/*
* No request seen, or request was dropped by attribute filter
*/
} else {
/*
* If filter_vps are set assume the original request was dropped,
* the alternative is maintaining another 'filter', but that adds
* complexity, reduces max capture rate, and is generally a PITA.
*/
if (filter_vps) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
RDEBUG("(%" PRIu64 ") ** UNLINKED **", count);
stats->exchange[current->code].interval.unlinked_total++;
}
response = true;
}
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
case PW_CODE_COA_REQUEST:
case PW_CODE_DISCONNECT_REQUEST:
case PW_CODE_STATUS_SERVER:
{
rs_request_t search;
struct timeval when;
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, NULL, conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Now verify the packet passes the attribute filter
*/
if (filter_vps && !pairvalidate_relaxed(filter_vps, current->vps)) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
/*
* save the request for later matching
*/
search.packet = rad_alloc_reply(conf, current);
if (!search.packet) {
ERROR("Failed allocating memory to hold expected reply");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
rad_free(¤t);
return;
}
search.packet->code = current->code;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
original = rbtree_finddata(request_tree, &search);
/*
* Upstream device re-used src/dst ip/port id without waiting
* for the timeout period to expire, or a response.
*/
if (original && memcmp(original->packet->vector, current->vector,
sizeof(original->packet->vector) != 0)) {
RDEBUG2("(%" PRIu64 ") ** PREMATURE ID RE-USE **", count);
stats->exchange[current->code].interval.reused_total++;
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
original = NULL;
}
if (original) {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_req++;
rad_free(&original->packet);
original->packet = talloc_steal(original, search.packet);
/* We may of seen the response, but it may of been lost upstream */
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
} else {
original = talloc_zero(conf, rs_request_t);
talloc_set_destructor(original, _request_free);
original->id = count;
original->in = event->in;
original->stats_req = &stats->exchange[current->code];
original->packet = talloc_steal(original, search.packet);
rbtree_insert(request_tree, original);
}
/* update the timestamp in either case */
original->packet->timestamp = header->ts;
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when, &original->event)) {
ERROR("Failed inserting new event");
rbtree_deletebydata(request_tree, original);
return;
}
response = false;
}
break;
default:
RDEBUG("** Unsupported code %i **", current->code);
rad_free(¤t);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
/*
* Increase received count
*/
stats->exchange[current->code].interval.received_total++;
/*
* It's a linked response
*/
if (original && original->linked) {
rs_tv_sub(¤t->timestamp, &original->packet->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->packet->code], &latency);
/*
* Print info about the request/response.
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (conf->print_packet && (fr_debug_flag > 1) && current->vps) {
pairsort(¤t->vps, true);
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
if (!conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
/*
* If it's a request, a duplicate of the packet will of already been stored.
* If it's a unlinked response, we need to free it explicitly, as it will
* not be done by the event queue.
*/
if (!response || !original) {
rad_free(¤t);
}
captured++;
/*
* We've hit our capture limit, break out of the event loop
*/
if ((conf->limit > 0) && (captured >= conf->limit)) {
INFO("Captured %" PRIu64 " packets, exiting...", captured);
fr_event_loop_exit(events, 1);
}
}
