Sync require_message_authenticator field names, it's called three different things...
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sat, 29 Jun 2024 03:55:50 +0000 (21:55 -0600)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sun, 30 Jun 2024 18:59:04 +0000 (12:59 -0600)
20 files changed:
share/dictionary/freeradius/dictionary.freeradius.internal
src/coverity-model/merged_model.c
src/lib/io/master.c
src/lib/server/client.c
src/lib/server/client.h
src/lib/server/process.h
src/listen/radius/proto_radius.c
src/modules/rlm_radius/rlm_radius.h
src/modules/rlm_radius/rlm_radius_udp.c
src/process/radius/base.c
src/protocols/radius/base.c
src/protocols/radius/bio.h
src/protocols/radius/client.c
src/protocols/radius/encode.c
src/protocols/radius/list.c
src/protocols/radius/list.h
src/protocols/radius/packet.c
src/protocols/radius/radius.h
src/protocols/radius/tcp.c
src/protocols/radius/tcp.h

index ab946c43bb6e053c351a9259d2c50d114f4984eb..59fccb300ac98b1bbb5e05dcfb1669106167d466 100644 (file)
@@ -540,4 +540,3 @@ VALUE       Auth-Type                       Accept                  254
 #
 VALUE  Strip-User-Name                 No                      0
 VALUE  Strip-User-Name                 Yes                     1
-
index 83199c7e77bf8dbceeb90a4cd873af95811eb08f..2657decd8443cd871d8ec751df1fe79131d72335 100644 (file)
@@ -257,7 +257,7 @@ typedef struct {
 } decode_fail_t;
 
 bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
-                  uint32_t max_attributes, bool require_ma, decode_fail_t *reason)
+                  uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
 {
        bool result;
 
index 3e58afb8d9980013d8110e23678350b655d8b87f..554ca7a98b3ef4b30391ad67e0419a3d6aa011f5 100644 (file)
@@ -392,7 +392,7 @@ static fr_client_t *radclient_clone(TALLOC_CTX *ctx, fr_client_t const *parent)
        DUP_FIELD(server);
        DUP_FIELD(nas_type);
 
-       COPY_FIELD(message_authenticator);
+       COPY_FIELD(require_message_authenticator);
        /* dynamic MUST be false */
        COPY_FIELD(server_cs);
        COPY_FIELD(cs);
@@ -2459,7 +2459,7 @@ static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, fr_time_t request_ti
 
        COPY_FIELD(ipaddr);
        COPY_FIELD(src_ipaddr);
-       COPY_FIELD(message_authenticator);
+       COPY_FIELD(require_message_authenticator);
        COPY_FIELD(use_connected);
 
        // @todo - fill in other fields?
index 4ce486975eb1a23f777e0b86cb66723cdc711e21..bda94ddfc33209de029c58292e5724b5f861dd5d 100644 (file)
@@ -300,7 +300,7 @@ bool client_add(fr_client_list_t *clients, fr_client_t *client)
                if (namecmp(longname) && namecmp(secret) &&
                    namecmp(shortname) && namecmp(nas_type) &&
                    namecmp(server) &&
-                   (old->message_authenticator == client->message_authenticator)) {
+                   (old->require_message_authenticator == client->require_message_authenticator)) {
                        WARN("Ignoring duplicate client %s", client->longname);
                        client_free(client);
                        return true;
@@ -442,7 +442,7 @@ static const conf_parser_t client_config[] = {
 
        { FR_CONF_OFFSET("track_connections", fr_client_t, use_connected) },
 
-       { FR_CONF_OFFSET("require_message_authenticator", fr_client_t, message_authenticator) },
+       { FR_CONF_OFFSET("require_message_authenticator", fr_client_t, require_message_authenticator) },
 
        { FR_CONF_OFFSET("dedup_authenticator", fr_client_t, dedup_authenticator) },
 
index 93618d75b46434d25b859d8d33d590dc9126962f..b8efb91faf854bd0b7bc3e8b30bddbf800cd573b 100644 (file)
@@ -72,6 +72,7 @@ typedef int (*client_value_cb_t)(char **out, CONF_PAIR const *cp, void *data);
 #include <freeradius-devel/server/socket.h>
 #include <freeradius-devel/server/stats.h>
 #include <freeradius-devel/util/inet.h>
+#include <freeradius-devel/radius/radius.h>
 
 /** Describes a host allowed to send packets to the server
  *
@@ -88,7 +89,8 @@ struct fr_client_s {
 
        char const              *secret;                //!< Secret PSK.
 
-       bool                    message_authenticator;  //!< Require RADIUS message authenticator in requests.
+       bool                    require_message_authenticator;          //!< Require RADIUS message authenticator
+                                                               ///< for incoming packets.
        bool                    dynamic;                //!< Whether the client was dynamically defined.
        bool                    active;                 //!< for dynamic clients
        bool                    use_connected;          //!< do we use connected sockets for this client
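Review bot: The added `#include <freeradius-devel/radius/radius.h>` is not needed by anything this commit visibly changes in the header, where the only other edit is the rename of a `bool` field in `struct fr_client_s`. Pulling the RADIUS protocol header into the generic client definition makes every file that includes this header depend on the protocol library as well. I would drop the include until a declaration from it is actually used, or add a one-line comment such as `/* for <name of the type or macro needed> */` next to it. The struct definition starts and ends outside the hunk, so a use in lines not shown cannot be ruled out.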
index fbc25f14ffc516a442b8668ad2398b4853f72ee2..5dab45a8ae1ddbca3463eba8a9f968b915260d46 100644 (file)
@@ -90,14 +90,14 @@ typedef struct {
        size_t                  section_offset; //!< Where to look in the process instance for
                                                ///< a pointer to the section we should execute.
        rlm_rcode_t             rcode;          //!< Default rcode
-       module_method_t resume;         //!< Function to call after running a recv section.
+       module_method_t         resume;         //!< Function to call after running a recv section.
 
        /*
         *      Each state has only one "recv" or "send".
         */
        union {
                module_method_t         recv;           //!< Method to call when receiving this type of packet.
-               module_method_t send;           //!< Method to call when sending this type of packet.
+               module_method_t         send;           //!< Method to call when sending this type of packet.
        };
        PROCESS_STATE_EXTRA_FIELDS
 } fr_process_state_t;
index e985a6a94257f7cc394ac1a8fbf2270e3e3ca65b..b5fc48cfaf4bd4e98c11fa0f28e6d87cfbfe519e 100644 (file)
@@ -26,6 +26,7 @@
 #include <freeradius-devel/io/listen.h>
 #include <freeradius-devel/unlang/xlat_func.h>
 #include <freeradius-devel/server/module_rlm.h>
+#include <stdbool.h>
 #include "proto_radius.h"
 
 extern fr_app_t proto_radius;
@@ -164,11 +165,11 @@ static int transport_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *
  */
 static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *const data, size_t data_len)
 {
-       fr_io_track_t const     *track = talloc_get_type_abort_const(request->async->packet_ctx, fr_io_track_t);
-       fr_io_address_t const   *address = track->address;
-       fr_client_t const       *client;
-       fr_radius_ctx_t         common_ctx;
-       fr_radius_decode_ctx_t  decode_ctx;
+       fr_io_track_t const             *track = talloc_get_type_abort_const(request->async->packet_ctx, fr_io_track_t);
+       fr_io_address_t const           *address = track->address;
+       fr_client_t                     *client = UNCONST(fr_client_t *, address->radclient);
+       fr_radius_ctx_t                 common_ctx;
+       fr_radius_decode_ctx_t          decode_ctx;
 
        fr_assert(data[0] < FR_RADIUS_CODE_MAX);
 
@@ -179,20 +180,20 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *
         */
        request->dict = dict_radius;
 
-       client = address->radclient;
-
        common_ctx = (fr_radius_ctx_t) {
                .secret = client->secret,
                .secret_length = talloc_array_length(client->secret) - 1,
        };
 
+       request->packet->code = data[0];
+
        decode_ctx = (fr_radius_decode_ctx_t) {
                .common = &common_ctx,
                .tmp_ctx = talloc(request, uint8_t),
                /* decode figures out request_authenticator */
                .end = data + data_len,
                .verify = client->active,
-               .require_message_authenticator = client->message_authenticator,
+               .require_message_authenticator = client->require_message_authenticator,
        };
 
        /*
@@ -200,7 +201,6 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *
         *
         *      @todo - That needs to be changed.
         */
-       request->packet->code = data[0];
        request->packet->id = data[1];
        request->reply->id = data[1];
        memcpy(request->packet->vector, data + 4, sizeof(request->packet->vector));
@@ -223,7 +223,7 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *
        /*
         *      Set the rest of the fields.
         */
-       request->client = UNCONST(fr_client_t *, client);
+       request->client = client;
 
        request->packet->socket = address->socket;
        fr_socket_addr_swap(&request->reply->socket, &address->socket);
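Review bot: The new declaration `fr_client_t *client = UNCONST(fr_client_t *, address->radclient);` drops the const qualifier for the whole of mod_decode, whereas the old code kept `client` const and cast only at the `request->client` assignment. Nothing in the visible hunks writes through `client`, so the wider cast only removes the compiler's protection against an accidental write to the client definition (its `secret`, `require_message_authenticator`) from the packet-decode path. I would keep `fr_client_t const *client = address->radclient;` and leave `request->client = UNCONST(fr_client_t *, client);` as it was, or add a comment saying what is expected to modify the client here. The body of mod_decode continues between and after these hunks, so a write may exist in lines not shown.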
index a39e4d58a0cb7961f0040964c16099f59c5b31b5..669ed978d74a2951aee8fb92a936097901ef1002 100644 (file)
@@ -60,7 +60,7 @@ struct rlm_radius_s {
        uint32_t                *types;                 //!< array of allowed packet types
        uint32_t                status_check;           //!< code of status-check type
        map_list_t              status_check_map;       //!< attributes for the status-server checks
-       uint32_t                num_answers_to_alive;           //!< How many status check responses we need to
+       uint32_t                num_answers_to_alive;   //!< How many status check responses we need to
                                                        ///< mark the connection as alive.
 
        bool                    allowed[FR_RADIUS_CODE_MAX];
index 089ef1bf8cbe83b9f430d75813f354f0aec51174..c2b07b1f5cd8ad525ecb1e96839f8eb572798e43 100644 (file)
@@ -152,7 +152,7 @@ struct udp_request_s {
        uint32_t                num_replies;            //!< number of reply packets, sent is in retry.count
 
        bool                    synchronous;            //!< cached from inst->parent->synchronous
-       bool                    require_ma;             //!< saved from the original packet.
+       bool                    require_message_authenticator;          //!< saved from the original packet.
        bool                    can_retransmit;         //!< can we retransmit this packet?
        bool                    status_check;           //!< is this packet a status check?
 
@@ -1196,7 +1196,7 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_
 {
        ssize_t                 packet_len;
        uint8_t                 *msg = NULL;
-       int                     message_authenticator = u->require_ma * (RADIUS_MESSAGE_AUTHENTICATOR_LENGTH + 2);
+       int                     message_authenticator = u->require_message_authenticator * (RADIUS_MESSAGE_AUTHENTICATOR_LENGTH + 2);
        int                     proxy_state = 6;
 
        fr_assert(inst->parent->allowed[u->code]);
@@ -2712,7 +2712,7 @@ static unlang_action_t mod_enqueue(rlm_rcode_t *p_result, void **rctx_out, void
         *      @todo - don't edit the input packet!
         */
        if (fr_pair_find_by_da(&request->request_pairs, NULL, attr_message_authenticator)) {
-               u->require_ma = true;
+               u->require_message_authenticator = true;
                pair_delete_request(attr_message_authenticator);
        }
 
index 6877a4af30bc18ccc3890c9144fb3eeedfa38fa5..981e4e3a304e3172d83ee5ebebb86af77be66d8f 100644 (file)
@@ -804,7 +804,7 @@ static xlat_action_t xlat_func_radius_secret_verify(TALLOC_CTX *ctx, fr_dcursor_
 {
        fr_value_box_t  *secret, *vb;
        int             ret;
-       bool            require_ma = false;
+       bool            require_message_authenticator = false;
 
        XLAT_ARGS(args, &secret);
 
@@ -817,9 +817,9 @@ static xlat_action_t xlat_func_radius_secret_verify(TALLOC_CTX *ctx, fr_dcursor_
         *      All the other packet types are signed using the
         *      authenticator field.
         */
-       if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) require_ma = true;
+       if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) require_message_authenticator = true;
 
-       ret = fr_radius_verify(request->packet->data, NULL, secret->vb_octets, secret->vb_length, require_ma);
+       ret = fr_radius_verify(request->packet->data, NULL, secret->vb_octets, secret->vb_length, require_message_authenticator);
        switch (ret) {
        case 0:
                vb->vb_bool = true;
index c1cdc15ed9e937ddfccdf6987b986831e665d53c..9bb99b939ad168212ab6bb881d6ceffc49a18371 100644 (file)
@@ -81,13 +81,13 @@ fr_dict_attr_autoload_t libfreeradius_radius_dict_attr[] = {
 #define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf_push
 
 fr_table_num_sorted_t const fr_radius_request_name_table[] = {
-       { L("acct"),    FR_RADIUS_CODE_ACCOUNTING_REQUEST       },
-       { L("auth"),    FR_RADIUS_CODE_ACCESS_REQUEST           },
-       { L("auto"),    FR_RADIUS_CODE_UNDEFINED                },
-       { L("challenge"),       FR_RADIUS_CODE_ACCESS_CHALLENGE },
-       { L("coa"),     FR_RADIUS_CODE_COA_REQUEST              },
+       { L("acct"),            FR_RADIUS_CODE_ACCOUNTING_REQUEST       },
+       { L("auth"),            FR_RADIUS_CODE_ACCESS_REQUEST           },
+       { L("auto"),            FR_RADIUS_CODE_UNDEFINED                },
+       { L("challenge"),       FR_RADIUS_CODE_ACCESS_CHALLENGE         },
+       { L("coa"),             FR_RADIUS_CODE_COA_REQUEST              },
        { L("disconnect"),      FR_RADIUS_CODE_DISCONNECT_REQUEST       },
-       { L("status"),  FR_RADIUS_CODE_STATUS_SERVER            }
+       { L("status"),          FR_RADIUS_CODE_STATUS_SERVER            }
 };
 size_t fr_radius_request_name_table_len = NUM_ELEMENTS(fr_radius_request_name_table);
 
@@ -448,14 +448,14 @@ int fr_radius_sign(uint8_t *packet, uint8_t const *vector,
  * @param[in] packet           to check.
  * @param[in,out] packet_len_p The size of the packet data.
  * @param[in] max_attributes   to allow in the packet.
- * @param[in] require_ma       whether we require Message-Authenticator.
+ * @param[in] require_message_authenticator    whether we require Message-Authenticator.
  * @param[in] reason           if not NULL, will have the failure reason written to where it points.
  * @return
  *     - True on success.
  *     - False on failure.
  */
 bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
-                 uint32_t max_attributes, bool require_ma, decode_fail_t *reason)
+                 uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
 {
        uint8_t const           *attr, *end;
        size_t                  totallen;
@@ -501,7 +501,7 @@ bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
         *      Message-Authenticator is required in Status-Server
         *      packets, otherwise they can be trivially forged.
         */
-       if (packet[0] == FR_RADIUS_CODE_STATUS_SERVER) require_ma = true;
+       if (packet[0] == FR_RADIUS_CODE_STATUS_SERVER) require_message_authenticator = true;
 
        /*
         *      Repeat the length checks.  This time, instead of
@@ -631,7 +631,7 @@ bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
                         *      a Message-Authenticator.
                         */
                case FR_EAP_MESSAGE:
-                       require_ma = true;
+                       require_message_authenticator = true;
                        break;
 
                case FR_MESSAGE_AUTHENTICATOR:
@@ -684,7 +684,7 @@ bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
         *      Similarly, Status-Server packets MUST contain
         *      Message-Authenticator attributes.
         */
-       if (require_ma && !seen_ma) {
+       if (require_message_authenticator && !seen_ma) {
                FR_DEBUG_STRERROR_PRINTF("we require Message-Authenticator attribute, but it is not in the packet");
                failure = DECODE_FAIL_MA_MISSING;
                goto finish;
@@ -705,11 +705,11 @@ finish:
  *  comparing the signature in the packet with the one we calculated.
  *  If they differ, there's a problem.
  *
- * @param[in] packet           the raw RADIUS packet (request or response)
- * @param[in] vector           the original packet vector
- * @param[in] secret           the shared secret
- * @param[in] secret_len       the length of the secret
- * @param[in] require_ma       whether we require Message-Authenticator.
+ * @param[in] packet                           the raw RADIUS packet (request or response)
+ * @param[in] vector                           the original packet vector
+ * @param[in] secret                           the shared secret
+ * @param[in] secret_len                       the length of the secret
+ * @param[in] require_message_authenticator    whether we require Message-Authenticator.
  * @return
  *     - -2 if the message authenticator or request authenticator was invalid.
  *     - -1 if we were unable to verify the shared secret, or the packet
@@ -717,15 +717,15 @@ finish:
  *     - 0 on success.
  */
 int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
-                    uint8_t const *secret, size_t secret_len, bool require_ma)
+                    uint8_t const *secret, size_t secret_len, bool require_message_authenticator)
 {
-       bool found_ma;
-       int rcode;
-       int code;
-       uint8_t *msg, *end;
-       size_t packet_len = fr_nbo_to_uint16(packet + 2);
-       uint8_t request_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
-       uint8_t message_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
+       bool            found_message_authenticator;
+       int             rcode;
+       int             code;
+       uint8_t         *msg, *end;
+       size_t          packet_len = fr_nbo_to_uint16(packet + 2);
+       uint8_t         request_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
+       uint8_t         message_authenticator[RADIUS_AUTH_VECTOR_LENGTH];
 
        if (packet_len < RADIUS_HEADER_LENGTH) {
                fr_strerror_printf("invalid packet length %zd", packet_len);
@@ -747,7 +747,7 @@ int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
         */
        msg = packet + RADIUS_HEADER_LENGTH;
        end = packet + packet_len;
-       found_ma = false;
+       found_message_authenticator = false;
 
        while (msg < end) {
                if ((end - msg) < 2) goto invalid_attribute;
@@ -773,12 +773,12 @@ int fr_radius_verify(uint8_t *packet, uint8_t const *vector,
                 *      Found it, save a copy.
                 */
                memcpy(message_authenticator, msg + 2, sizeof(message_authenticator));
-               found_ma = true;
+               found_message_authenticator = true;
                break;
        }
 
        if ((packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) &&
-           require_ma && !found_ma) {
+           require_message_authenticator && !found_message_authenticator) {
                fr_strerror_const("Access-Request is missing the required Message-Authenticator attribute");
                return -1;
        }
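Review bot: The rewritten `@param[in] require_message_authenticator` line for fr_radius_verify still says only "whether we require Message-Authenticator", but the check in this last hunk fires only when `packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST`, so as far as this test goes a missing attribute in any other packet code is not rejected whatever the caller passes. Since the commit is already editing that doc line, I would state the scope there, for example `whether an Access-Request without Message-Authenticator is rejected; not applied to other codes by this check`, so that callers verifying replies do not assume the flag covers them. Separately, fr_radius_ok keeps the local `seen_ma` next to the renamed parameter while fr_radius_verify renames `found_ma` to `found_message_authenticator`; one convention in both functions would match the stated intent of the commit. Both function bodies extend beyond the hunks shown, so further checks may exist outside this view.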
index d900b9cb7471502399f72c0cbe8d3bed1f3f85ad..5cbc587a0f479e9bca49ec503cb93836df62ac04 100644 (file)
@@ -44,4 +44,3 @@ typedef struct {
 fr_bio_verify_action_t fr_radius_bio_verify(fr_bio_t *bio, UNUSED void *packet_ctx, const void *data, size_t *size);
 
 fr_bio_verify_action_t fr_radius_bio_verify_datagram(fr_bio_t *bio, UNUSED void *packet_ctx, const void *data, size_t *size);
-
index 97dcd694d0b224adf1bc15773c6b24210414a8cb..573ebc70c05234160d2d0118369862c92203d161 100644 (file)
@@ -124,7 +124,7 @@ fr_radius_client_fd_bio_t *fr_radius_client_fd_bio_alloc(TALLOC_CTX *ctx, size_t
        if (!my->retry) goto fail;
 
        my->retry->uctx = my;
-       
+
        my->info.retry_info = fr_bio_retry_info(my->retry);
        fr_assert(my->info.retry_info != NULL);
 
@@ -467,7 +467,7 @@ static bool radius_client_retry_response(fr_bio_t *bio, fr_bio_retry_entry_t **r
         *      same as our previous reply: ignore it.
         */
        if (memcmp(buffer, id_ctx->response->data, RADIUS_HEADER_LENGTH) != 0) return false;
-       
+
        /*
         *      Tell the caller that it's a duplicate reply.
         */
index cb75f7569be13742e2a7b31f9c06603f4d516703..e8c26f7ab804eb7d574ab2497f5b7011704d09a9 100644 (file)
@@ -38,8 +38,8 @@ static ssize_t encode_value(fr_dbuff_t *dbuff,
                            fr_dcursor_t *cursor, void *encode_ctx);
 
 static ssize_t encode_child(fr_dbuff_t *dbuff,
-                               fr_da_stack_t *da_stack, unsigned int depth,
-                               fr_dcursor_t *cursor, void *encode_ctx);
+                           fr_da_stack_t *da_stack, unsigned int depth,
+                           fr_dcursor_t *cursor, void *encode_ctx);
 
 /** "encrypt" a password RADIUS style
  *
index 88f29cf4609e07ea86a224e0006ea542a536e2cd..ab15108eea328b709a49969ad465ce5d3a491efb 100644 (file)
@@ -669,7 +669,7 @@ int fr_packet_list_fd_set(fr_packet_list_t *pl, fd_set *set)
  *     FIXME: Add socket.fd, if -1, do round-robin, else do socket.fd
  *             IF in fdset.
  */
-fr_packet_t *fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max_attributes, bool require_ma)
+fr_packet_t *fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max_attributes, bool require_message_authenticator)
 {
        int start;
        fr_packet_t *packet;
@@ -689,7 +689,7 @@ fr_packet_t *fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max
                        packet = fr_tcp_recv(pl->sockets[start].socket.fd, false);
                } else
                        packet = fr_packet_recv(NULL, pl->sockets[start].socket.fd, UDP_FLAGS_NONE,
-                                                      max_attributes, require_ma);
+                                                      max_attributes, require_message_authenticator);
                if (!packet) continue;
 
                /*
index e7640d9aaa52e8b032d691c9fdb86e15b6598aa7..1049161248f6fd43d4c440a97f09172e3983b610 100644 (file)
@@ -55,7 +55,7 @@ bool fr_packet_list_socket_del(fr_packet_list_t *pl, int sockfd);
 bool fr_packet_list_socket_freeze(fr_packet_list_t *pl, int sockfd);
 bool fr_packet_list_socket_thaw(fr_packet_list_t *pl, int sockfd);
 int fr_packet_list_fd_set(fr_packet_list_t *pl, fd_set *set);
-fr_packet_t *fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max_attributes, bool require_ma);
+fr_packet_t *fr_packet_list_recv(fr_packet_list_t *pl, fd_set *set, uint32_t max_attributes, bool require_message_authenticator);
 
 uint32_t fr_packet_list_num_incoming(fr_packet_list_t *pl);
 uint32_t fr_packet_list_num_outgoing(fr_packet_list_t *pl);
index 5cd515f826031b848c452c59416d2d4d60b0d468..0060e033ceb2c7910e19ad38691507cbfb79b9ed 100644 (file)
@@ -106,17 +106,17 @@ ssize_t fr_packet_encode(fr_packet_t *packet, fr_pair_list_t *list,
  *
  * @param[in] packet           to check.
  * @param[in] max_attributes   to decode.
- * @param[in] require_ma       to require Message-Authenticator.
+ * @param[in] require_message_authenticator    to require Message-Authenticator.
  * @param[out] reason          if not NULL, will have the failure reason written to where it points.
  * @return
  *     - True on success.
  *     - False on failure.
  */
-bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_ma, decode_fail_t *reason)
+bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
 {
        char host_ipaddr[INET6_ADDRSTRLEN];
 
-       if (!fr_radius_ok(packet->data, &packet->data_len, max_attributes, require_ma, reason)) {
+       if (!fr_radius_ok(packet->data, &packet->data_len, max_attributes, require_message_authenticator, reason)) {
                FR_DEBUG_STRERROR_PRINTF("Bad packet received from host %s",
                                         inet_ntop(packet->socket.inet.src_ipaddr.af, &packet->socket.inet.src_ipaddr.addr,
                                                   host_ipaddr, sizeof(host_ipaddr)));
@@ -208,7 +208,7 @@ static ssize_t rad_recvfrom(int sockfd, fr_packet_t *packet, int flags)
 /** Receive UDP client requests, and fill in the basics of a fr_packet_t structure
  *
  */
-fr_packet_t *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_ma)
+fr_packet_t *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator)
 {
        ssize_t                 data_len;
        fr_packet_t     *packet;
@@ -271,7 +271,7 @@ fr_packet_t *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_att
        /*
         *      See if it's a well-formed RADIUS packet.
         */
-       if (!fr_packet_ok(packet, max_attributes, require_ma, NULL)) {
+       if (!fr_packet_ok(packet, max_attributes, require_message_authenticator, NULL)) {
                fr_packet_free(&packet);
                return NULL;
        }
index bead5d6cf7b4b60535611a2c40a5df819d93521b..21d0a406d5ccec2077aafc4c6287bfb792b3955a 100644 (file)
@@ -160,9 +160,9 @@ int         fr_radius_allow_reply(int code, bool allowed[static FR_RADIUS_CODE_MAX]);
 int            fr_radius_sign(uint8_t *packet, uint8_t const *vector,
                               uint8_t const *secret, size_t secret_len) CC_HINT(nonnull (1,3));
 int            fr_radius_verify(uint8_t *packet, uint8_t const *vector,
-                                uint8_t const *secret, size_t secret_len, bool require_ma) CC_HINT(nonnull (1,3));
+                                uint8_t const *secret, size_t secret_len, bool require_message_authenticator) CC_HINT(nonnull (1,3));
 bool           fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
-                            uint32_t max_attributes, bool require_ma, decode_fail_t *reason) CC_HINT(nonnull (1,2));
+                            uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason) CC_HINT(nonnull (1,2));
 
 ssize_t                fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen,
                                        char const *secret, uint8_t const *vector);
@@ -194,7 +194,7 @@ ssize_t             fr_packet_encode(fr_packet_t *packet, fr_pair_list_t *list,
                                        fr_packet_t const *original,
                                        char const *secret) CC_HINT(nonnull (1,2,4));
 
-bool           fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_ma,
+bool           fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator,
                                    decode_fail_t *reason) CC_HINT(nonnull (1));
 
 int            fr_packet_verify(fr_packet_t *packet, fr_packet_t *original,
@@ -202,7 +202,7 @@ int         fr_packet_verify(fr_packet_t *packet, fr_packet_t *original,
 int            fr_packet_sign(fr_packet_t *packet, fr_packet_t const *original,
                                      char const *secret) CC_HINT(nonnull (1,3));
 
-fr_packet_t    *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_ma);
+fr_packet_t    *fr_packet_recv(TALLOC_CTX *ctx, int fd, int flags, uint32_t max_attributes, bool require_message_authenticator);
 int            fr_packet_send(fr_packet_t *packet, fr_pair_list_t *list,
                                      fr_packet_t const *original, char const *secret) CC_HINT(nonnull (1,2,4));
 
index 5a4f0eddf250741283547456c223d3bf87be030b..c8ca250f513459c54fa7978f6e18c21d3b328173 100644 (file)
@@ -57,7 +57,7 @@ fr_packet_t *fr_tcp_recv(int sockfd, int flags)
  *     Calling this function MAY change sockfd,
  *     if src_ipaddr.af == AF_UNSPEC.
  */
-int fr_tcp_read_packet(fr_packet_t *packet, uint32_t max_attributes, bool require_ma)
+int fr_tcp_read_packet(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator)
 {
        ssize_t len;
 
@@ -141,7 +141,7 @@ int fr_tcp_read_packet(fr_packet_t *packet, uint32_t max_attributes, bool requir
        /*
         *      See if it's a well-formed RADIUS packet.
         */
-       if (!fr_packet_ok(packet, max_attributes, require_ma, NULL)) {
+       if (!fr_packet_ok(packet, max_attributes, require_message_authenticator, NULL)) {
                return -1;
        }
 
index 7e7ab6d7540bf7aac904235231d57de2a3911365..797a59b55b18ef432c447e483d74843e1e071b6a 100644 (file)
@@ -25,5 +25,5 @@
  */
 RCSIDH(tcp_h, "$Id$")
 
-int fr_tcp_read_packet(fr_packet_t *packet, uint32_t max_attributes, bool require_ma);
+int fr_tcp_read_packet(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator);
 fr_packet_t *fr_tcp_recv(int sockfd, int flags);