/** Create a new client TLS session
*
* Configures a new client TLS session, configuring options, setting callbacks etc...
*
* @param ctx to alloc session data in. Should usually be NULL unless the lifetime of the
* session is tied to another talloc'd object.
* @param conf values for this TLS session.
* @return
* - A new session on success.
* - NULL on error.
*/
tls_session_t *tls_session_init_client(TALLOC_CTX *ctx, fr_tls_conf_t *conf)
{
int ret;
int verify_mode;
tls_session_t *session = NULL;
REQUEST *request;
session = talloc_zero(ctx, tls_session_t);
if (!session) return NULL;
talloc_set_destructor(session, _tls_session_free);
session->ctx = conf->ctx[(conf->ctx_count == 1) ? 0 : conf->ctx_next++ % conf->ctx_count]; /* mutex not needed */
rad_assert(session->ctx);
session->ssl = SSL_new(session->ctx);
if (!session->ssl) {
talloc_free(session);
return NULL;
}
request = request_alloc(session);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
/*
* Add the message callback to identify what type of
* message/handshake is passed
*/
SSL_set_msg_callback(session->ssl, tls_session_msg_cb);
SSL_set_msg_callback_arg(session->ssl, session);
SSL_set_info_callback(session->ssl, tls_session_info_cb);
/*
* Always verify the peer certificate.
*/
DEBUG2("Requiring Server certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_set_verify(session->ssl, verify_mode, tls_validate_cert_cb);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)session);
ret = SSL_connect(session->ssl);
if (ret <= 0) {
tls_log_io_error(NULL, session, ret, "Failed in SSL_connect");
talloc_free(session);
return NULL;
}
session->mtu = conf->fragment_size;
return session;
}
static REQUEST *request_setup(FILE *fp)
{
VALUE_PAIR *vp;
REQUEST *request;
vp_cursor_t cursor;
/*
* Create and initialize the new request.
*/
request = request_alloc(NULL);
request->packet = rad_alloc(request, false);
if (!request->packet) {
ERROR("No memory");
talloc_free(request);
return NULL;
}
request->reply = rad_alloc(request, false);
if (!request->reply) {
ERROR("No memory");
talloc_free(request);
return NULL;
}
request->listener = listen_alloc(request);
request->client = client_alloc(request);
request->number = 0;
request->master_state = REQUEST_ACTIVE;
request->child_state = REQUEST_RUNNING;
request->handle = NULL;
request->server = talloc_typed_strdup(request, "default");
request->root = &main_config;
/*
* Read packet from fp
*/
if (readvp2(request->packet, &request->packet->vps, fp, &filedone) < 0) {
fr_perror("unittest");
talloc_free(request);
return NULL;
}
/*
* Set the defaults for IPs, etc.
*/
request->packet->code = PW_CODE_ACCESS_REQUEST;
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->src_port = 18120;
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->dst_port = 1812;
/*
* Copied from radclient
*/
#if 1
/*
* Fix up Digest-Attributes issues
*/
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Double quoted strings get marked up as xlat expansions,
* but we don't support that here.
*/
if (vp->type == VT_XLAT) {
vp->vp_strvalue = vp->value.xlat;
vp->value.xlat = NULL;
vp->type = VT_DATA;
}
if (!vp->da->vendor) switch (vp->da->attr) {
default:
break;
/*
* Allow it to set the packet type in
* the attributes read from the file.
*/
case PW_PACKET_TYPE:
request->packet->code = vp->vp_integer;
break;
case PW_PACKET_DST_PORT:
request->packet->dst_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_DST_IP_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_DST_IPV6_ADDRESS:
request->packet->dst_ipaddr.af = AF_INET6;
request->packet->dst_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_PACKET_SRC_PORT:
request->packet->src_port = (vp->vp_integer & 0xffff);
break;
case PW_PACKET_SRC_IP_ADDRESS:
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
break;
case PW_PACKET_SRC_IPV6_ADDRESS:
request->packet->src_ipaddr.af = AF_INET6;
request->packet->src_ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
break;
case PW_CHAP_PASSWORD: {
int i, already_hex = 0;
/*
* If it's 17 octets, it *might* be already encoded.
* Or, it might just be a 17-character password (maybe UTF-8)
* Check it for non-printable characters. The odds of ALL
* of the characters being 32..255 is (1-7/8)^17, or (1/8)^17,
* or 1/(2^51), which is pretty much zero.
*/
if (vp->length == 17) {
for (i = 0; i < 17; i++) {
if (vp->vp_octets[i] < 32) {
already_hex = 1;
break;
}
}
}
/*
* Allow the user to specify ASCII or hex CHAP-Password
*/
if (!already_hex) {
uint8_t *p;
size_t len, len2;
len = len2 = vp->length;
if (len2 < 17) len2 = 17;
p = talloc_zero_array(vp, uint8_t, len2);
memcpy(p, vp->vp_strvalue, len);
rad_chap_encode(request->packet,
p,
fr_rand() & 0xff, vp);
vp->vp_octets = p;
vp->length = 17;
}
}
break;
case PW_DIGEST_REALM:
case PW_DIGEST_NONCE:
case PW_DIGEST_METHOD:
case PW_DIGEST_URI:
case PW_DIGEST_QOP:
case PW_DIGEST_ALGORITHM:
case PW_DIGEST_BODY_DIGEST:
case PW_DIGEST_CNONCE:
case PW_DIGEST_NONCE_COUNT:
case PW_DIGEST_USER_NAME:
/* overlapping! */
{
DICT_ATTR const *da;
uint8_t *p, *q;
p = talloc_array(vp, uint8_t, vp->length + 2);
memcpy(p + 2, vp->vp_octets, vp->length);
p[0] = vp->da->attr - PW_DIGEST_REALM + 1;
vp->length += 2;
p[1] = vp->length;
da = dict_attrbyvalue(PW_DIGEST_ATTRIBUTES, 0);
rad_assert(da != NULL);
vp->da = da;
/*
* Re-do pairmemsteal ourselves,
* because we play games with
* vp->da, and pairmemsteal goes
* to GREAT lengths to sanitize
* and fix and change and
* double-check the various
* fields.
*/
memcpy(&q, &vp->vp_octets, sizeof(q));
talloc_free(q);
vp->vp_octets = talloc_steal(vp, p);
vp->type = VT_DATA;
VERIFY_VP(vp);
}
break;
}
} /* loop over the VP's we read in */
#endif
if (debug_flag) {
for (vp = fr_cursor_init(&cursor, &request->packet->vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Take this opportunity to verify all the VALUE_PAIRs are still valid.
*/
if (!talloc_get_type(vp, VALUE_PAIR)) {
ERROR("Expected VALUE_PAIR pointer got \"%s\"", talloc_get_name(vp));
fr_log_talloc_report(vp);
rad_assert(0);
}
vp_print(fr_log_fp, vp);
}
fflush(fr_log_fp);
}
/*
* FIXME: set IPs, etc.
*/
request->packet->code = PW_CODE_ACCESS_REQUEST;
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->src_port = 18120;
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->dst_port = 1812;
/*
* Build the reply template from the request.
*/
request->reply->sockfd = request->packet->sockfd;
request->reply->dst_ipaddr = request->packet->src_ipaddr;
request->reply->src_ipaddr = request->packet->dst_ipaddr;
request->reply->dst_port = request->packet->src_port;
request->reply->src_port = request->packet->dst_port;
request->reply->id = request->packet->id;
request->reply->code = 0; /* UNKNOWN code */
memcpy(request->reply->vector, request->packet->vector,
sizeof(request->reply->vector));
request->reply->vps = NULL;
request->reply->data = NULL;
request->reply->data_len = 0;
/*
* Debugging
*/
request->log.lvl = debug_flag;
request->log.func = vradlog_request;
request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
return request;
}
static int tls_socket_recv(rad_listen_t *listener)
{
int doing_init = FALSE;
ssize_t rcode;
RADIUS_PACKET *packet;
REQUEST *request;
listen_socket_t *sock = listener->data;
fr_tls_status_t status;
RADCLIENT *client = sock->client;
if (!sock->packet) {
sock->packet = rad_alloc(0);
if (!sock->packet) return 0;
sock->packet->sockfd = listener->fd;
sock->packet->src_ipaddr = sock->other_ipaddr;
sock->packet->src_port = sock->other_port;
sock->packet->dst_ipaddr = sock->my_ipaddr;
sock->packet->dst_port = sock->my_port;
if (sock->request) sock->request->packet = sock->packet;
}
/*
* Allocate a REQUEST for debugging.
*/
if (!sock->request) {
sock->request = request = request_alloc();
if (!sock->request) {
radlog(L_ERR, "Out of memory");
return 0;
}
rad_assert(request->packet == NULL);
rad_assert(sock->packet != NULL);
request->packet = sock->packet;
request->component = "<core>";
request->component = "<tls-connect>";
/*
* Not sure if we should do this on every packet...
*/
request->reply = rad_alloc(0);
if (!request->reply) return 0;
request->options = RAD_REQUEST_OPTION_DEBUG2;
rad_assert(sock->ssn == NULL);
sock->ssn = tls_new_session(listener->tls, sock->request,
listener->tls->require_client_cert);
if (!sock->ssn) {
request_free(&sock->request);
sock->packet = NULL;
return 0;
}
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&request->packet->vps);
doing_init = TRUE;
}
rad_assert(sock->request != NULL);
rad_assert(sock->request->packet != NULL);
rad_assert(sock->packet != NULL);
rad_assert(sock->ssn != NULL);
request = sock->request;
RDEBUG3("Reading from socket %d", request->packet->sockfd);
PTHREAD_MUTEX_LOCK(&sock->mutex);
rcode = read(request->packet->sockfd,
sock->ssn->dirty_in.data,
sizeof(sock->ssn->dirty_in.data));
if ((rcode < 0) && (errno == ECONNRESET)) {
do_close:
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
tls_socket_close(listener);
return 0;
}
if (rcode < 0) {
RDEBUG("Error reading TLS socket: %s", strerror(errno));
goto do_close;
}
/*
* Normal socket close.
*/
if (rcode == 0) goto do_close;
sock->ssn->dirty_in.used = rcode;
memset(sock->ssn->dirty_in.data + sock->ssn->dirty_in.used,
0, 16);
dump_hex("READ FROM SSL", sock->ssn->dirty_in.data, sock->ssn->dirty_in.used);
/*
* Catch attempts to use non-SSL.
*/
if (doing_init && (sock->ssn->dirty_in.data[0] != handshake)) {
RDEBUG("Non-TLS data sent to TLS socket: closing");
goto do_close;
}
/*
* Skip ahead to reading application data.
*/
if (SSL_is_init_finished(sock->ssn->ssl)) goto app;
if (!tls_handshake_recv(request, sock->ssn)) {
RDEBUG("FAILED in TLS handshake receive");
goto do_close;
}
if (sock->ssn->dirty_out.used > 0) {
tls_socket_write(listener, request);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
app:
/*
* FIXME: Run the packet through a virtual server in
* order to see if we like the certificate presented by
* the client.
*/
status = tls_application_data(sock->ssn, request);
RDEBUG("Application data status %d", status);
if (status == FR_TLS_MORE_FRAGMENTS) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (sock->ssn->clean_out.used == 0) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
dump_hex("TUNNELED DATA", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
/*
* If the packet is a complete RADIUS packet, return it to
* the caller. Otherwise...
*/
if ((sock->ssn->clean_out.used < 20) ||
(((sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]) != (int) sock->ssn->clean_out.used)) {
RDEBUG("Received bad packet: Length %d contents %d",
sock->ssn->clean_out.used,
(sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]);
goto do_close;
}
packet = sock->packet;
packet->data = rad_malloc(sock->ssn->clean_out.used);
packet->data_len = sock->ssn->clean_out.used;
sock->ssn->record_minus(&sock->ssn->clean_out, packet->data, packet->data_len);
packet->vps = NULL;
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
if (!rad_packet_ok(packet, 0)) {
RDEBUG("Received bad packet: %s", fr_strerror());
tls_socket_close(listener);
return 0; /* do_close unlocks the mutex */
}
/*
* Copied from src/lib/radius.c, rad_recv();
*/
if (fr_debug_flag) {
char host_ipaddr[128];
if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->id, (int) packet->data_len);
} else {
RDEBUG("tls_recv: Packet from host %s port %d code=%d, id=%d, length=%d",
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->code,
packet->id, (int) packet->data_len);
}
}
FR_STATS_INC(auth, total_requests);
return 1;
}
static REQUEST *request_setup(FILE *fp)
{
REQUEST *request;
/*
* Create and initialize the new request.
*/
request = request_alloc(NULL);
request->packet = rad_alloc(request, 0);
if (!request->packet) {
ERROR("No memory");
request_free(&request);
return NULL;
}
request->reply = rad_alloc(request, 0);
if (!request->reply) {
ERROR("No memory");
request_free(&request);
return NULL;
}
request->listener = listen_alloc(request);
request->client = client_alloc(request);
request->number = 0;
request->master_state = REQUEST_ACTIVE;
request->child_state = REQUEST_ACTIVE;
request->handle = NULL;
request->server = talloc_strdup(request, "default");
request->root = &mainconfig;
/*
* Read packet from fp
*/
request->packet->vps = readvp2(request->packet, fp, &filedone, "radiusd:");
if (!request->packet->vps) {
talloc_free(request);
return NULL;
}
/*
* FIXME: set IPs, etc.
*/
request->packet->code = PW_CODE_AUTHENTICATION_REQUEST;
request->packet->src_ipaddr.af = AF_INET;
request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->src_port = 18120;
request->packet->dst_ipaddr.af = AF_INET;
request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_LOOPBACK);
request->packet->dst_port = 1812;
/*
* Build the reply template from the request.
*/
request->reply->sockfd = request->packet->sockfd;
request->reply->dst_ipaddr = request->packet->src_ipaddr;
request->reply->src_ipaddr = request->packet->dst_ipaddr;
request->reply->dst_port = request->packet->src_port;
request->reply->src_port = request->packet->dst_port;
request->reply->id = request->packet->id;
request->reply->code = 0; /* UNKNOWN code */
memcpy(request->reply->vector, request->packet->vector,
sizeof(request->reply->vector));
request->reply->vps = NULL;
request->reply->data = NULL;
request->reply->data_len = 0;
/*
* Debugging
*/
request->options = debug_flag;
request->radlog = radlog_request;
request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
return request;
}
/*
* Create a new REQUEST, based on an old one.
*
* This function allows modules to inject fake requests
* into the server, for tunneled protocols like TTLS & PEAP.
*/
REQUEST *request_alloc_fake(REQUEST *request)
{
REQUEST *fake;
fake = request_alloc();
fake->number = request->number;
#ifdef HAVE_PTHREAD_H
fake->child_pid = request->child_pid;
#endif
fake->parent = request;
fake->root = request->root;
fake->client = request->client;
/*
* For new server support.
*
* FIXME: Key instead off of a "virtual server" data structure.
*
* FIXME: Permit different servers for inner && outer sessions?
*/
fake->server = request->server;
fake->packet = rad_alloc(request, 1);
if (!fake->packet) {
request_free(&fake);
return NULL;
}
fake->reply = rad_alloc(request, 0);
if (!fake->reply) {
request_free(&fake);
return NULL;
}
fake->master_state = REQUEST_ACTIVE;
fake->child_state = REQUEST_RUNNING;
/*
* Fill in the fake request.
*/
fake->packet->sockfd = -1;
fake->packet->src_ipaddr = request->packet->src_ipaddr;
fake->packet->src_port = request->packet->src_port;
fake->packet->dst_ipaddr = request->packet->dst_ipaddr;
fake->packet->dst_port = 0;
/*
* This isn't STRICTLY required, as the fake request MUST NEVER
* be put into the request list. However, it's still reasonable
* practice.
*/
fake->packet->id = fake->number & 0xff;
fake->packet->code = request->packet->code;
fake->timestamp = request->timestamp;
/*
* Required for new identity support
*/
fake->listener = request->listener;
/*
* Fill in the fake reply, based on the fake request.
*/
fake->reply->sockfd = fake->packet->sockfd;
fake->reply->src_ipaddr = fake->packet->dst_ipaddr;
fake->reply->src_port = fake->packet->dst_port;
fake->reply->dst_ipaddr = fake->packet->src_ipaddr;
fake->reply->dst_port = fake->packet->src_port;
fake->reply->id = fake->packet->id;
fake->reply->code = 0; /* UNKNOWN code */
/*
* Copy debug information.
*/
fake->options = request->options;
fake->radlog = request->radlog;
return fake;
}
/** Execute a trigger - call an executable to process an event
*
* @param request The current request.
* @param cs to search for triggers in. If not NULL, only the portion after the last '.'
* in name is used for the trigger. If cs is NULL, the entire name is used to find
* the trigger in the global trigger section.
* @param name the path relative to the global trigger section ending in the trigger name
* e.g. module.ldap.pool.start.
* @param quench whether to rate limit triggers.
*/
void exec_trigger(REQUEST *request, CONF_SECTION *cs, char const *name, bool quench)
{
CONF_SECTION *subcs;
CONF_ITEM *ci;
CONF_PAIR *cp;
char const *attr;
char const *value;
VALUE_PAIR *vp;
bool alloc = false;
/*
* Use global "trigger" section if no local config is given.
*/
if (!cs) {
cs = exec_trigger_main;
attr = name;
} else {
/*
* Try to use pair name, rather than reference.
*/
attr = strrchr(name, '.');
if (attr) {
attr++;
} else {
attr = name;
}
}
/*
* Find local "trigger" subsection. If it isn't found,
* try using the global "trigger" section, and reset the
* reference to the full path, rather than the sub-path.
*/
subcs = cf_section_sub_find(cs, "trigger");
if (!subcs && exec_trigger_main && (cs != exec_trigger_main)) {
subcs = exec_trigger_subcs;
attr = name;
}
if (!subcs) return;
ci = cf_reference_item(subcs, exec_trigger_main, attr);
if (!ci) {
ERROR("No such item in trigger section: %s", attr);
return;
}
if (!cf_item_is_pair(ci)) {
ERROR("Trigger is not a configuration variable: %s", attr);
return;
}
cp = cf_item_to_pair(ci);
if (!cp) return;
value = cf_pair_value(cp);
if (!value) {
ERROR("Trigger has no value: %s", name);
return;
}
/*
* May be called for Status-Server packets.
*/
vp = NULL;
if (request && request->packet) vp = request->packet->vps;
/*
* Perform periodic quenching.
*/
if (quench) {
time_t *last_time;
last_time = cf_data_find(cs, value);
if (!last_time) {
last_time = rad_malloc(sizeof(*last_time));
*last_time = 0;
if (cf_data_add(cs, value, last_time, time_free) < 0) {
free(last_time);
last_time = NULL;
}
}
/*
* Send the quenched traps at most once per second.
*/
if (last_time) {
time_t now = time(NULL);
if (*last_time == now) return;
*last_time = now;
}
}
/*
* radius_exec_program always needs a request.
*/
if (!request) {
request = request_alloc(NULL);
alloc = true;
}
DEBUG("Trigger %s -> %s", name, value);
radius_exec_program(request, NULL, 0, NULL, request, value, vp, false, true, EXEC_TIMEOUT);
if (alloc) talloc_free(request);
}
continue;
}
else if(r->start_page_nr == bio->bi_back_nr)
{
r->nr_pages += (bio->bi_back_nr - bio->bi_front_nr + 1);
*req = r;
return NO_MERGE;
}
else if((r->start_page_nr + r->nr_pages) == bio->bi_front_nr)
{
r->start_page_nr = bio->bi_front_nr;
r->nr_pages += (bio->bi_back_nr - bio->bi_front_nr + 1);
}
}
r = request_alloc();
if(!r)
{
return -2;
}
request_init(rq, r, bio);
*req = r;
return BACK_MERGE;
}
int print_request(const struct request *req)
{
if(req == NULL)
{
/*
* Find a per-socket client.
*/
RADCLIENT *client_listener_find(const rad_listen_t *listener,
const fr_ipaddr_t *ipaddr, int src_port)
{
#ifdef WITH_DYNAMIC_CLIENTS
int rcode;
REQUEST *request;
RADCLIENT *created;
#endif
time_t now;
RADCLIENT *client;
RADCLIENT_LIST *clients;
listen_socket_t *sock;
rad_assert(listener != NULL);
rad_assert(ipaddr != NULL);
sock = listener->data;
clients = sock->clients;
/*
* This HAS to have been initialized previously.
*/
rad_assert(clients != NULL);
client = client_find(clients, ipaddr,sock->proto);
if (!client) {
char name[256], buffer[128];
#ifdef WITH_DYNAMIC_CLIENTS
unknown: /* used only for dynamic clients */
#endif
/*
* DoS attack quenching, but only in daemon mode.
* If they're running in debug mode, show them
* every packet.
*/
if (debug_flag == 0) {
static time_t last_printed = 0;
now = time(NULL);
if (last_printed == now) return NULL;
last_printed = now;
}
listener->print(listener, name, sizeof(name));
radlog(L_ERR, "Ignoring request to %s from unknown client %s port %d"
#ifdef WITH_TCP
" proto %s"
#endif
, name, inet_ntop(ipaddr->af, &ipaddr->ipaddr,
buffer, sizeof(buffer)), src_port
#ifdef WITH_TCP
, (sock->proto == IPPROTO_UDP) ? "udp" : "tcp"
#endif
);
return NULL;
}
#ifndef WITH_DYNAMIC_CLIENTS
return client; /* return the found client. */
#else
/*
* No server defined, and it's not dynamic. Return it.
*/
if (!client->client_server && !client->dynamic) return client;
now = time(NULL);
/*
* It's a dynamically generated client, check it.
*/
if (client->dynamic && (src_port != 0)) {
/*
* Lives forever. Return it.
*/
if (client->lifetime == 0) return client;
/*
* Rate-limit the deletion of known clients.
* This makes them last a little longer, but
* prevents the server from melting down if (say)
* 10k clients all expire at once.
*/
if (now == client->last_new_client) return client;
/*
* It's not dead yet. Return it.
*/
if ((client->created + client->lifetime) > now) return client;
/*
* This really puts them onto a queue for later
* deletion.
*/
client_delete(clients, client);
/*
* Go find the enclosing network again.
*/
client = client_find(clients, ipaddr, sock->proto);
/*
* WTF?
*/
if (!client) goto unknown;
if (!client->client_server) goto unknown;
/*
* At this point, 'client' is the enclosing
* network that configures where dynamic clients
* can be defined.
*/
rad_assert(client->dynamic == 0);
} else {
/*
* The IP is unknown, so we've found an enclosing
* network. Enable DoS protection. We only
* allow one new client per second. Known
* clients aren't subject to this restriction.
*/
if (now == client->last_new_client) goto unknown;
}
client->last_new_client = now;
request = request_alloc();
if (!request) goto unknown;
request->listener = listener;
request->client = client;
request->packet = rad_recv(listener->fd, 0x02); /* MSG_PEEK */
if (!request->packet) { /* badly formed, etc */
request_free(&request);
goto unknown;
}
request->reply = rad_alloc_reply(request->packet);
if (!request->reply) {
request_free(&request);
goto unknown;
}
request->packet->timestamp = request->timestamp;
request->number = 0;
request->priority = listener->type;
request->server = client->client_server;
request->root = &mainconfig;
/*
* Run a fake request through the given virtual server.
* Look for FreeRADIUS-Client-IP-Address
* FreeRADIUS-Client-Secret
* ...
*
* and create the RADCLIENT structure from that.
*/
DEBUG("server %s {", request->server);
rcode = module_authorize(0, request);
DEBUG("} # server %s", request->server);
if (rcode != RLM_MODULE_OK) {
request_free(&request);
goto unknown;
}
/*
* If the client was updated by rlm_dynamic_clients,
* don't create the client from attribute-value pairs.
*/
if (request->client == client) {
created = client_create(clients, request);
} else {
created = request->client;
/*
* This frees the client if it isn't valid.
*/
if (!client_validate(clients, client, created)) goto unknown;
}
request_free(&request);
if (!created) goto unknown;
return created;
#endif
}
/*
* Read a file compose of xlat's and expected results
*/
static bool do_xlats(char const *filename, FILE *fp)
{
int lineno = 0;
ssize_t len;
char *p;
char input[8192];
char output[8192];
REQUEST *request;
struct timeval now;
/*
* Create and initialize the new request.
*/
request = request_alloc(NULL);
gettimeofday(&now, NULL);
request->timestamp = now;
request->log.lvl = rad_debug_lvl;
request->log.func = vradlog_request;
output[0] = '\0';
while (fgets(input, sizeof(input), fp) != NULL) {
lineno++;
/*
* Ignore blank lines and comments
*/
p = input;
while (isspace((int) *p)) p++;
if (*p < ' ') continue;
if (*p == '#') continue;
p = strchr(p, '\n');
if (!p) {
if (!feof(fp)) {
fprintf(stderr, "Line %d too long in %s\n",
lineno, filename);
TALLOC_FREE(request);
return false;
}
} else {
*p = '\0';
}
/*
* Look for "xlat"
*/
if (strncmp(input, "xlat ", 5) == 0) {
ssize_t slen;
char const *error = NULL;
char *fmt = talloc_typed_strdup(NULL, input + 5);
xlat_exp_t *head;
slen = xlat_tokenize(fmt, fmt, &head, &error);
if (slen <= 0) {
talloc_free(fmt);
snprintf(output, sizeof(output), "ERROR offset %d '%s'", (int) -slen, error);
continue;
}
if (input[slen + 5] != '\0') {
talloc_free(fmt);
snprintf(output, sizeof(output), "ERROR offset %d 'Too much text' ::%s::", (int) slen, input + slen + 5);
continue;
}
len = radius_xlat_struct(output, sizeof(output), request, head, NULL, NULL);
if (len < 0) {
snprintf(output, sizeof(output), "ERROR expanding xlat: %s", fr_strerror());
continue;
}
TALLOC_FREE(fmt); /* also frees 'head' */
continue;
}
/*
* Look for "data".
*/
if (strncmp(input, "data ", 5) == 0) {
if (strcmp(input + 5, output) != 0) {
fprintf(stderr, "Mismatch at line %d of %s\n\tgot : %s\n\texpected : %s\n",
lineno, filename, output, input + 5);
TALLOC_FREE(request);
return false;
}
continue;
}
fprintf(stderr, "Unknown keyword in %s[%d]\n", filename, lineno);
TALLOC_FREE(request);
return false;
}
TALLOC_FREE(request);
return true;
}
static int tls_socket_recv(rad_listen_t *listener)
{
bool doing_init = false;
ssize_t rcode;
RADIUS_PACKET *packet;
REQUEST *request;
listen_socket_t *sock = listener->data;
fr_tls_status_t status;
RADCLIENT *client = sock->client;
if (!sock->packet) {
sock->packet = fr_radius_alloc(sock, false);
if (!sock->packet) return 0;
sock->packet->sockfd = listener->fd;
sock->packet->src_ipaddr = sock->other_ipaddr;
sock->packet->src_port = sock->other_port;
sock->packet->dst_ipaddr = sock->my_ipaddr;
sock->packet->dst_port = sock->my_port;
if (sock->request) sock->request->packet = talloc_steal(sock->request, sock->packet);
}
/*
* Allocate a REQUEST for debugging, and initialize the TLS session.
*/
if (!sock->request) {
sock->request = request = request_alloc(sock);
if (!sock->request) {
ERROR("Out of memory");
return 0;
}
rad_assert(request->packet == NULL);
rad_assert(sock->packet != NULL);
request->packet = talloc_steal(request, sock->packet);
request->component = "<tls-connect>";
request->reply = fr_radius_alloc(request, false);
if (!request->reply) return 0;
rad_assert(sock->tls_session == NULL);
sock->tls_session = tls_session_init_server(sock, listener->tls, sock->request,
listener->tls->require_client_cert);
if (!sock->tls_session) {
TALLOC_FREE(sock->request);
sock->packet = NULL;
return 0;
}
SSL_set_ex_data(sock->tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
doing_init = true;
}
rad_assert(sock->request != NULL);
rad_assert(sock->request->packet != NULL);
rad_assert(sock->packet != NULL);
rad_assert(sock->tls_session != NULL);
request = sock->request;
RDEBUG3("Reading from socket %d", request->packet->sockfd);
PTHREAD_MUTEX_LOCK(&sock->mutex);
rcode = read(request->packet->sockfd,
sock->tls_session->dirty_in.data,
sizeof(sock->tls_session->dirty_in.data));
if ((rcode < 0) && (errno == ECONNRESET)) {
do_close:
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
DEBUG("Closing TLS socket from client port %u", sock->other_port);
tls_socket_close(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (rcode < 0) {
RDEBUG("Error reading TLS socket: %s", fr_syserror(errno));
goto do_close;
}
/*
* Normal socket close.
*/
if (rcode == 0) goto do_close;
sock->tls_session->dirty_in.used = rcode;
dump_hex("READ FROM SSL", sock->tls_session->dirty_in.data, sock->tls_session->dirty_in.used);
/*
* Catch attempts to use non-SSL.
*/
if (doing_init && (sock->tls_session->dirty_in.data[0] != handshake)) {
RDEBUG("Non-TLS data sent to TLS socket: closing");
goto do_close;
}
/*
* If we need to do more initialization, do that here.
*/
if (!SSL_is_init_finished(sock->tls_session->ssl)) {
if (!tls_handshake_recv(request, sock->tls_session)) {
RDEBUG("FAILED in TLS handshake receive");
goto do_close;
}
/*
* More ACK data to send. Do so.
*/
if (sock->tls_session->dirty_out.used > 0) {
tls_socket_write(listener, request);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
/*
* FIXME: Run the request through a virtual
* server in order to see if we like the
* certificate presented by the client.
*/
}
/*
* Try to get application data.
*/
status = tls_application_data(sock->tls_session, request);
RDEBUG("Application data status %d", status);
if (status == FR_TLS_RECORD_FRAGMENT_MORE) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
if (sock->tls_session->clean_out.used == 0) {
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0;
}
/*
* We now have a bunch of application data.
*/
dump_hex("TUNNELED DATA > ", sock->tls_session->clean_out.data, sock->tls_session->clean_out.used);
/*
* If the packet is a complete RADIUS packet, return it to
* the caller. Otherwise...
*/
if ((sock->tls_session->clean_out.used < 20) ||
(((sock->tls_session->clean_out.data[2] << 8) | sock->tls_session->clean_out.data[3]) != (int) sock->tls_session->clean_out.used)) {
RDEBUG("Received bad packet: Length %zd contents %d",
sock->tls_session->clean_out.used,
(sock->tls_session->clean_out.data[2] << 8) | sock->tls_session->clean_out.data[3]);
goto do_close;
}
packet = sock->packet;
packet->data = talloc_array(packet, uint8_t, sock->tls_session->clean_out.used);
packet->data_len = sock->tls_session->clean_out.used;
sock->tls_session->record_to_buff(&sock->tls_session->clean_out, packet->data, packet->data_len);
packet->vps = NULL;
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
if (!fr_radius_ok(packet, 0, NULL)) {
if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
DEBUG("Closing TLS socket from client");
PTHREAD_MUTEX_LOCK(&sock->mutex);
tls_socket_close(listener);
PTHREAD_MUTEX_UNLOCK(&sock->mutex);
return 0; /* do_close unlocks the mutex */
}
/*
* Copied from src/lib/radius.c, fr_radius_recv();
*/
if (fr_debug_lvl) {
char host_ipaddr[INET6_ADDRSTRLEN];
if (is_radius_code(packet->code)) {
RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
fr_packet_codes[packet->code],
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->id, (int) packet->data_len);
} else {
RDEBUG("tls_recv: Packet from host %s port %d code=%d, id=%d, length=%d",
inet_ntop(packet->src_ipaddr.af,
&packet->src_ipaddr.ipaddr,
host_ipaddr, sizeof(host_ipaddr)),
packet->src_port,
packet->code,
packet->id, (int) packet->data_len);
}
}
FR_STATS_INC(auth, total_requests);
return 1;
}
