Radcli library 1.4.0
A simple radius library
Loading...
Searching...
No Matches
sendserver.c
1/*
2 * Copyright (C) 1995,1996,1997 Lars Fenneberg
3 *
4 * Copyright 1992 Livingston Enterprises, Inc.
5 *
6 * Copyright 1992,1993, 1994,1995 The Regents of the University of Michigan
7 * and Merit Network, Inc. All Rights Reserved
8 *
9 * See the file COPYRIGHT for the respective terms and conditions.
10 * If the file is missing contact me at lf@elemental.net
11 * and I'll send you a copy.
12 *
13 */
14
15#include <includes.h>
16#include <radcli/radcli.h>
17#include <pathnames.h>
18#include <poll.h>
19#include "util.h"
20#include "rc-md5.h"
21#include "rc-hmac.h"
22
23#if defined(HAVE_GNUTLS)
24# include <gnutls/gnutls.h>
25# include <gnutls/crypto.h>
26#endif
27
28#if defined(__linux__)
29#include <linux/in6.h>
30#endif
31
32
33#define SCLOSE(fd) if (sfuncs->close_fd) sfuncs->close_fd(fd)
34
35static void rc_random_vector(unsigned char *);
36static int rc_check_reply(AUTH_HDR *, int, char const *, unsigned char const *,
37 unsigned char);
38
53static int rc_pack_list(VALUE_PAIR * vp, char *secret, AUTH_HDR * auth)
54{
55 int length, i, pc, padded_length;
56 int total_length = 0;
57 size_t secretlen;
58 uint32_t lvalue, vendor;
59 unsigned char passbuf[RC_MAX(AUTH_PASS_LEN, CHAP_VALUE_LENGTH)];
60 unsigned char md5buf[256];
61 unsigned char *buf, *vector, *vsa_length_ptr;
62
63 buf = auth->data;
64
65 while (vp != NULL) {
66 vsa_length_ptr = NULL;
67 if (VENDOR(vp->attribute) != 0) {
68 *buf++ = PW_VENDOR_SPECIFIC;
69 vsa_length_ptr = buf;
70 *buf++ = 6;
71 vendor = htonl(VENDOR(vp->attribute));
72 memcpy(buf, &vendor, sizeof(uint32_t));
73 buf += 4;
74 total_length += 6;
75 }
76 *buf++ = (vp->attribute & 0xff);
77
78 switch (vp->attribute) {
79 case PW_USER_PASSWORD:
80
81 /* Encrypt the password */
82
83 /* Chop off password at AUTH_PASS_LEN */
84 length = vp->lvalue;
85 if (length > AUTH_PASS_LEN)
86 length = AUTH_PASS_LEN;
87
88 /* Calculate the padded length */
89 padded_length =
90 (length +
91 (AUTH_VECTOR_LEN - 1)) & ~(AUTH_VECTOR_LEN - 1);
92
93 /* Record the attribute length */
94 *buf++ = padded_length + 2;
95 if (vsa_length_ptr != NULL)
96 *vsa_length_ptr += padded_length + 2;
97
98 /* Pad the password with zeros */
99 memset((char *)passbuf, '\0', AUTH_PASS_LEN);
100 memcpy((char *)passbuf, vp->strvalue, (size_t) length);
101
102 secretlen = strlen(secret);
103 vector = (unsigned char *)auth->vector;
104 for (i = 0; i < padded_length; i += AUTH_VECTOR_LEN) {
105 /* Calculate the MD5 digest */
106 strcpy((char *)md5buf, secret);
107 memcpy((char *)md5buf + secretlen, vector,
108 AUTH_VECTOR_LEN);
109 rc_md5_calc(buf, md5buf,
110 secretlen + AUTH_VECTOR_LEN);
111
112 /* Remember the start of the digest */
113 vector = buf;
114
115 /* Xor the password into the MD5 digest */
116 for (pc = i; pc < (i + AUTH_VECTOR_LEN); pc++) {
117 *buf++ ^= passbuf[pc];
118 }
119 }
120
121 total_length += padded_length + 2;
122
123 break;
124 default:
125 switch (vp->type) {
126 case PW_TYPE_STRING:
127 length = vp->lvalue;
128 *buf++ = length + 2;
129 if (vsa_length_ptr != NULL)
130 *vsa_length_ptr += length + 2;
131 memcpy(buf, vp->strvalue, (size_t) length);
132 buf += length;
133 total_length += length + 2;
134 break;
135
136 case PW_TYPE_IPV6ADDR:
137 length = 16;
138 *buf++ = length + 2;
139 if (vsa_length_ptr != NULL)
140 *vsa_length_ptr += length + 2;
141 memcpy(buf, vp->strvalue, (size_t) length);
142 buf += length;
143 total_length += length + 2;
144 break;
145
146 case PW_TYPE_IPV6PREFIX:
147 length = vp->lvalue;
148 *buf++ = length + 2;
149 if (vsa_length_ptr != NULL)
150 *vsa_length_ptr += length + 2;
151 memcpy(buf, vp->strvalue, (size_t) length);
152 buf += length;
153 total_length += length + 2;
154 break;
155
156 case PW_TYPE_INTEGER:
157 case PW_TYPE_IPADDR:
158 case PW_TYPE_DATE:
159 *buf++ = sizeof(uint32_t) + 2;
160 if (vsa_length_ptr != NULL)
161 *vsa_length_ptr += sizeof(uint32_t) + 2;
162 lvalue = htonl(vp->lvalue);
163 memcpy(buf, (char *)&lvalue, sizeof(uint32_t));
164 buf += sizeof(uint32_t);
165 total_length += sizeof(uint32_t) + 2;
166 break;
167
168 default:
169 break;
170 }
171 break;
172 }
173 vp = vp->next;
174 }
175 return total_length;
176}
177
185static void strappend(char *dest, unsigned max_size, int *pos, const char *src)
186{
187 unsigned len = strlen(src) + 1;
188
189 if (*pos == -1)
190 return;
191
192 if (len + *pos > max_size) {
193 *pos = -1;
194 return;
195 }
196
197 memcpy(&dest[*pos], src, len);
198 *pos += len - 1;
199 return;
200}
201
202
203static int populate_ctx(RC_AAA_CTX ** ctx, char secret[MAX_SECRET_LENGTH + 1],
204 uint8_t vector[AUTH_VECTOR_LEN])
205{
206 if (ctx) {
207 if (*ctx != NULL)
208 return ERROR_RC;
209
210 *ctx = malloc(sizeof(RC_AAA_CTX));
211 if (*ctx) {
212 memcpy((*ctx)->secret, secret, sizeof((*ctx)->secret));
213 memcpy((*ctx)->request_vector, vector,
214 sizeof((*ctx)->request_vector));
215 } else {
216 return ERROR_RC;
217 }
218 }
219 return OK_RC;
220}
221
232int rc_send_server(rc_handle * rh, SEND_DATA * data, char *msg, rc_type type)
233{
234 return rc_send_server_ctx(rh, NULL, data, msg, type);
235}
236
246static int rc_check_reply(AUTH_HDR * auth, int bufferlen, char const *secret,
247 unsigned char const *vector, uint8_t seq_nbr)
248{
249 int secretlen;
250 int totallen;
251 unsigned char calc_digest[AUTH_VECTOR_LEN];
252 unsigned char reply_digest[AUTH_VECTOR_LEN];
253#ifdef DIGEST_DEBUG
254 uint8_t *ptr;
255#endif
256
257 totallen = ntohs(auth->length);
258 secretlen = (int)strlen(secret);
259
260 /* Do sanity checks on packet length */
261 if ((totallen < 20) || (totallen > 4096)) {
262 rc_log(LOG_ERR,
263 "rc_check_reply: received RADIUS server response with invalid length");
264 return BADRESP_RC;
265 }
266
267 /* Verify buffer space, should never trigger with current buffer size and check above */
268 if ((totallen + secretlen) > bufferlen) {
269 rc_log(LOG_ERR,
270 "rc_check_reply: not enough buffer space to verify RADIUS server response");
271 return BADRESP_RC;
272 }
273
274 /* Verify that id (seq. number) matches what we sent */
275 if (auth->id != seq_nbr) {
276 rc_log(LOG_ERR,
277 "rc_check_reply: received non-matching id in RADIUS server response");
278 return BADRESPID_RC;
279 }
280 /* Verify the reply digest */
281 memcpy((char *)reply_digest, (char *)auth->vector, AUTH_VECTOR_LEN);
282 memcpy((char *)auth->vector, (char *)vector, AUTH_VECTOR_LEN);
283 memcpy((char *)auth + totallen, secret, secretlen);
284#ifdef DIGEST_DEBUG
285 rc_log(LOG_ERR, "Calculating digest on:");
286 for (ptr = (u_char *) auth;
287 ptr < ((u_char *) auth) + totallen + secretlen; ptr += 32) {
288 char buf[65];
289 int i;
290
291 buf[0] = '\0';
292 for (i = 0; i < 32; i++) {
293 if (ptr + i >= ((u_char *) auth) + totallen + secretlen)
294 break;
295 sprintf(buf + i * 2, "%.2X", ptr[i]);
296 }
297 rc_log(LOG_ERR, " %s", buf);
298 }
299#endif
300 rc_md5_calc(calc_digest, (unsigned char *)auth, totallen + secretlen);
301#ifdef DIGEST_DEBUG
302 rc_log(LOG_ERR, "Calculated digest is:");
303 for (ptr = (u_char *) calc_digest; ptr < ((u_char *) calc_digest) + 16;
304 ptr += 32) {
305 char buf[65];
306 int i;
307
308 buf[0] = '\0';
309 for (i = 0; i < 32; i++) {
310 if (ptr + i >= ((u_char *) calc_digest) + 16)
311 break;
312 sprintf(buf + i * 2, "%.2X", ptr[i]);
313 }
314 rc_log(LOG_ERR, " %s", buf);
315 }
316 rc_log(LOG_ERR, "Reply digest is:");
317 for (ptr = (u_char *) reply_digest;
318 ptr < ((u_char *) reply_digest) + 16; ptr += 32) {
319 char buf[65];
320 int i;
321
322 buf[0] = '\0';
323 for (i = 0; i < 32; i++) {
324 if (ptr + i >= ((u_char *) reply_digest) + 16)
325 break;
326 sprintf(buf + i * 2, "%.2X", ptr[i]);
327 }
328 rc_log(LOG_ERR, " %s", buf);
329 }
330#endif
331
332 if (memcmp((char *)reply_digest, (char *)calc_digest,
333 AUTH_VECTOR_LEN) != 0) {
334 rc_log(LOG_ERR,
335 "rc_check_reply: received invalid reply digest from RADIUS server");
336 return BADRESP_RC;
337 }
338
339 return OK_RC;
340
341}
342
347static void rc_random_vector(unsigned char *vector)
348{
349 int randno;
350 int i;
351#if defined(HAVE_GNUTLS)
352 if (gnutls_rnd(GNUTLS_RND_NONCE, vector, AUTH_VECTOR_LEN) >= 0) {
353 return;
354 }
355#elif defined(HAVE_GETENTROPY)
356 if (getentropy(vector, AUTH_VECTOR_LEN) >= 0) {
357 return;
358 } /* else fall through */
359#elif defined(HAVE_DEV_URANDOM)
360 int fd;
361
362/* well, I added this to increase the security for user passwords.
363 we use /dev/urandom here, as /dev/random might block and we don't
364 need that much randomness. BTW, great idea, Ted! -lf, 03/18/95 */
365
366 if ((fd = open(_PATH_DEV_URANDOM, O_RDONLY)) >= 0) {
367 unsigned char *pos;
368 int readcount;
369
370 i = AUTH_VECTOR_LEN;
371 pos = vector;
372 while (i > 0) {
373 readcount = read(fd, (char *)pos, i);
374 if (readcount >= 0) {
375 pos += readcount;
376 i -= readcount;
377 } else {
378 if (errno != EINTR && errno != EAGAIN)
379 goto fallback;
380 }
381 }
382
383 close(fd);
384 return;
385 } /* else fall through */
386 fallback:
387#endif
388 for (i = 0; i < AUTH_VECTOR_LEN;) {
389 randno = random();
390 memcpy((char *)vector, (char *)&randno, sizeof(int));
391 vector += sizeof(int);
392 i += sizeof(int);
393 }
394
395 return;
396}
397
413static int add_msg_auth_attr(rc_handle * rh, char * secret,
414 AUTH_HDR *auth, int total_length)
415{
416 size_t secretlen = strlen(secret);
417 uint8_t *msg_auth = (uint8_t *)auth + total_length;
418 msg_auth[0] = PW_MESSAGE_AUTHENTICATOR;
419 msg_auth[1] = 18;
420 memset(&msg_auth[2], 0, MD5_DIGEST_SIZE);
421 total_length += 18;
422 auth->length = htons((unsigned short)total_length);
423
424 /* Calculate HMAC-MD5 [RFC2104] hash */
425 uint8_t digest[MD5_DIGEST_SIZE];
426 rc_hmac_md5((uint8_t *)auth, (size_t)total_length, (uint8_t *)secret, secretlen, digest);
427 memcpy(&msg_auth[2], digest, MD5_DIGEST_SIZE);
428
429 return total_length;
430}
431
444int rc_send_server_ctx(rc_handle * rh, RC_AAA_CTX ** ctx, SEND_DATA * data,
445 char *msg, rc_type type)
446{
447 int sockfd = -1;
448 AUTH_HDR *auth, *recv_auth;
449 char *server_name, *p; /* Name of server to query */
450 struct sockaddr_storage our_sockaddr;
451 struct addrinfo *auth_addr = NULL;
452 socklen_t salen;
453 int result = 0;
454 int total_length;
455 int length, pos;
456 int retry_max;
457 const rc_sockets_override *sfuncs;
458 unsigned discover_local_ip;
459 size_t secretlen;
460 char secret[MAX_SECRET_LENGTH + 1];
461 unsigned char vector[AUTH_VECTOR_LEN];
462 uint8_t recv_buffer[RC_BUFFER_LEN];
463 uint8_t send_buffer[RC_BUFFER_LEN];
464 uint8_t *attr;
465 uint16_t tlen;
466 int retries;
467 VALUE_PAIR *vp;
468 struct pollfd pfd;
469 double start_time, timeout;
470 struct sockaddr_storage *ss_set = NULL;
471 char *server_type = "auth";
472 char *ns = NULL;
473 int ns_def_hdl = 0;
474
475 server_name = data->server;
476 if (server_name == NULL || server_name[0] == '\0')
477 return ERROR_RC;
478
479 ns = rc_conf_str(rh, "namespace"); /* Check for namespace config */
480 if (ns != NULL) {
481 if(-1 == rc_set_netns(ns, &ns_def_hdl)) {
482 rc_log(LOG_ERR, "rc_send_server: namespace %s set failed", ns);
483 return ERROR_RC;
484 }
485 }
486 if ((vp = rc_avpair_get(data->send_pairs, PW_SERVICE_TYPE, 0)) &&
487 (vp->lvalue == PW_ADMINISTRATIVE)) {
488 strcpy(secret, MGMT_POLL_SECRET);
489 auth_addr =
490 rc_getaddrinfo(server_name,
491 type == AUTH ? PW_AI_AUTH : PW_AI_ACCT);
492 if (auth_addr == NULL) {
493 result = ERROR_RC;
494 goto exit_error;
495 }
496 } else {
497 if (data->secret != NULL) {
498 strlcpy(secret, data->secret, MAX_SECRET_LENGTH);
499 }
500 /*
501 else
502 {
503 */
504 if (rc_find_server_addr
505 (rh, server_name, &auth_addr, secret, type) != 0) {
506 rc_log(LOG_ERR,
507 "rc_send_server: unable to find server: %s",
508 server_name);
509 result = ERROR_RC;
510 goto exit_error;
511 }
512 /*} */
513 }
514
515 sfuncs = &rh->so;
516
517 if (sfuncs->static_secret) {
518 /* any static secret set in sfuncs overrides the configured */
519 strlcpy(secret, sfuncs->static_secret,
520 MAX_SECRET_LENGTH);
521 }
522
523 if (sfuncs->lock) {
524 if (sfuncs->lock(sfuncs->ptr) != 0) {
525 rc_log(LOG_ERR, "%s: lock error", __func__);
526 result = ERROR_RC;
527 goto exit_error;
528 }
529 }
530
531 rc_own_bind_addr(rh, &our_sockaddr);
532 discover_local_ip = 0;
533 if (our_sockaddr.ss_family == AF_INET) {
534 if (((struct sockaddr_in *)(&our_sockaddr))->sin_addr.s_addr ==
535 INADDR_ANY) {
536 discover_local_ip = 1;
537 }
538 }
539
540 DEBUG(LOG_ERR, "DEBUG: rc_send_server: creating socket to: %s",
541 server_name);
542 if (discover_local_ip) {
543 result = rc_get_srcaddr(SA(&our_sockaddr), auth_addr->ai_addr);
544 if (result != OK_RC) {
545 memset(secret, '\0', sizeof(secret));
546 rc_log(LOG_ERR,
547 "rc_send_server: cannot figure our own address");
548 goto cleanup;
549 }
550 }
551
552 if (sfuncs->get_fd) {
553 sockfd = sfuncs->get_fd(sfuncs->ptr, SA(&our_sockaddr));
554 if (sockfd < 0) {
555 memset(secret, '\0', sizeof(secret));
556 rc_log(LOG_ERR, "rc_send_server: socket: %s",
557 strerror(errno));
558 result = ERROR_RC;
559 goto cleanup;
560 }
561 }
562
563 if(our_sockaddr.ss_family == AF_INET6) {
564 /* Check for IPv6 non-temporary address support */
565 char *non_temp_addr = rc_conf_str(rh, "use-public-addr");
566 if (non_temp_addr && (strcasecmp(non_temp_addr, "true") == 0)) {
567#if defined(__linux__)
568 int sock_opt = IPV6_PREFER_SRC_PUBLIC;
569 if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
570 &sock_opt, sizeof(sock_opt)) != 0) {
571 rc_log(LOG_ERR, "rc_send_server: setsockopt: %s",
572 strerror(errno));
573 result = ERROR_RC;
574 goto cleanup;
575 }
576#elif defined(BSD) || defined(__APPLE__)
577 int sock_opt = 0;
578 if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_PREFER_TEMPADDR,
579 &sock_opt, sizeof(sock_opt)) != 0) {
580 rc_log(LOG_ERR, "rc_send_server: setsockopt: %s",
581 strerror(errno));
582 result = ERROR_RC;
583 goto cleanup;
584 }
585#else
586 rc_log(LOG_INFO, "rc_send_server: Usage of non-temporary IPv6"
587 " address is not supported in this system");
588#endif
589 }
590 }
591
592 retry_max = data->retries; /* Max. numbers to try for reply */
593 retries = 0; /* Init retry cnt for blocking call */
594
595 if (data->svc_port) {
596 if (our_sockaddr.ss_family == AF_INET)
597 ((struct sockaddr_in *)auth_addr->ai_addr)->sin_port =
598 htons((unsigned short)data->svc_port);
599 else
600 ((struct sockaddr_in6 *)auth_addr->ai_addr)->sin6_port =
601 htons((unsigned short)data->svc_port);
602 }
603
604 /*
605 * Fill in NAS-IP-Address (if needed)
606 */
607 if (rh->nas_addr_set) {
608 rc_avpair_remove(&(data->send_pairs), PW_NAS_IP_ADDRESS, 0);
609 rc_avpair_remove(&(data->send_pairs), PW_NAS_IPV6_ADDRESS, 0);
610
611 ss_set = &rh->nas_addr;
612 } else if (rc_avpair_get(data->send_pairs, PW_NAS_IP_ADDRESS, 0) == NULL &&
613 rc_avpair_get(data->send_pairs, PW_NAS_IPV6_ADDRESS, 0) == NULL) {
614
615 ss_set = &our_sockaddr;
616 }
617
618 if (ss_set) {
619 if (ss_set->ss_family == AF_INET) {
620 uint32_t ip;
621 ip = *((uint32_t
622 *) (&((struct sockaddr_in *)ss_set)->
623 sin_addr));
624 ip = ntohl(ip);
625
626 rc_avpair_add(rh, &(data->send_pairs),
627 PW_NAS_IP_ADDRESS, &ip, 0, 0);
628 } else {
629 void *p;
630 p = &((struct sockaddr_in6 *)ss_set)->sin6_addr;
631
632 rc_avpair_add(rh, &(data->send_pairs),
633 PW_NAS_IPV6_ADDRESS, p, 16, 0);
634 }
635 }
636
637 /*
638 * Fill in NAS-Identifier (if needed)
639 */
640 p = rc_conf_str(rh, "nas-identifier");
641 if (p != NULL) {
642 rc_avpair_remove(&(data->send_pairs), PW_NAS_IDENTIFIER, 0);
643 rc_avpair_add(rh, &(data->send_pairs),
644 PW_NAS_IDENTIFIER, p, -1, 0);
645 }
646
647 /* Build a request */
648 auth = (AUTH_HDR *) send_buffer;
649 auth->code = data->code;
650 auth->id = data->seq_nbr;
651
652 if (data->code == PW_ACCOUNTING_REQUEST) {
653 server_type = "acct";
654 total_length =
655 rc_pack_list(data->send_pairs, secret, auth) + AUTH_HDR_LEN;
656
657 tlen = htons((unsigned short)total_length);
658 memcpy(&auth->length, &tlen, sizeof(uint16_t));
659
660 memset((char *)auth->vector, 0, AUTH_VECTOR_LEN);
661 secretlen = strlen(secret);
662 memcpy((char *)auth + total_length, secret, secretlen);
663 rc_md5_calc(vector, (unsigned char *)auth,
664 total_length + secretlen);
665 memcpy((char *)auth->vector, (char *)vector, AUTH_VECTOR_LEN);
666 } else {
667 rc_random_vector(vector);
668 memcpy((char *)auth->vector, (char *)vector, AUTH_VECTOR_LEN);
669
670 total_length =
671 rc_pack_list(data->send_pairs, secret, auth) + AUTH_HDR_LEN;
672
673 auth->length = htons((unsigned short)total_length);
674
675 /* If EAP message we MUST add a Message-Authenticator attribute */
676 if (rc_avpair_get(data->send_pairs, PW_EAP_MESSAGE, 0) != NULL)
677 total_length = add_msg_auth_attr(rh, secret, auth, total_length);
678 }
679
680 if (radcli_debug) {
681 char our_addr_txt[50] = ""; /* hold a text IP */
682 char auth_addr_txt[50] = ""; /* hold a text IP */
683
684 getnameinfo(SA(&our_sockaddr), SS_LEN(&our_sockaddr), NULL, 0,
685 our_addr_txt, sizeof(our_addr_txt), NI_NUMERICHOST);
686 getnameinfo(auth_addr->ai_addr, auth_addr->ai_addrlen, NULL, 0,
687 auth_addr_txt, sizeof(auth_addr_txt),
688 NI_NUMERICHOST);
689
690 DEBUG(LOG_ERR,
691 "DEBUG: timeout=%d retries=%d local %s : 0, remote %s : %u\n",
692 data->timeout, retry_max, our_addr_txt, auth_addr_txt,
693 data->svc_port);
694 }
695
696 for (;;) {
697 do {
698 result =
699 sfuncs->sendto(sfuncs->ptr, sockfd, (char *)auth,
700 (unsigned int)total_length, (int)0,
701 SA(auth_addr->ai_addr),
702 auth_addr->ai_addrlen);
703 } while (result == -1 && errno == EINTR);
704 if (result == -1) {
705 result = errno == ENETUNREACH ? NETUNREACH_RC : ERROR_RC;
706 rc_log(LOG_ERR, "%s: socket: %s", __FUNCTION__,
707 strerror(errno));
708 goto cleanup;
709 }
710
711 pfd.fd = sockfd;
712 pfd.events = POLLIN;
713 pfd.revents = 0;
714 start_time = rc_getmtime();
715 for (timeout = data->timeout; timeout > 0;
716 timeout -= rc_getmtime() - start_time) {
717 result = poll(&pfd, 1, timeout * 1000);
718 if (result != -1 || errno != EINTR)
719 break;
720 }
721
722 if (result == -1) {
723 rc_log(LOG_ERR, "rc_send_server: poll: %s",
724 strerror(errno));
725 memset(secret, '\0', sizeof(secret));
726 SCLOSE(sockfd);
727 result = ERROR_RC;
728 goto cleanup;
729 }
730
731 if (result == 1 && (pfd.revents & POLLIN) != 0) {
732 salen = auth_addr->ai_addrlen;
733 do {
734 length = sfuncs->recvfrom(sfuncs->ptr, sockfd,
735 (char *)recv_buffer,
736 (int)
737 sizeof(recv_buffer),
738 (int)0,
739 SA(auth_addr->
740 ai_addr), &salen);
741 } while (length == -1 && errno == EINTR);
742
743 if (length <= 0) {
744 int e = errno;
745 rc_log(LOG_ERR,
746 "rc_send_server: recvfrom: %s:%d: %s",
747 server_name, data->svc_port,
748 strerror(e));
749 if (length == -1 && (e == EAGAIN || e == EINTR))
750 continue;
751 SCLOSE(sockfd);
752 memset(secret, '\0', sizeof(secret));
753 result = ERROR_RC;
754 goto cleanup;
755 }
756
757 recv_auth = (AUTH_HDR *) recv_buffer;
758
759 if (length < AUTH_HDR_LEN
760 || length < ntohs(recv_auth->length)) {
761 rc_log(LOG_ERR,
762 "rc_send_server: recvfrom: %s:%d: reply is too short",
763 server_name, data->svc_port);
764 SCLOSE(sockfd);
765 memset(secret, '\0', sizeof(secret));
766 result = ERROR_RC;
767 goto cleanup;
768 }
769
770 result =
771 rc_check_reply(recv_auth, RC_BUFFER_LEN, secret,
772 vector, data->seq_nbr);
773 if (result != BADRESPID_RC) {
774 /* if a message that doesn't match our ID was received, then ignore
775 * it, and try to receive more, until timeout. That is because in
776 * DTLS the channel is shared, and we may receive duplicates or
777 * out-of-order packets. */
778 break;
779 }
780 }
781
782 /*
783 * Timed out waiting for response. Retry "retry_max" times
784 * before giving up. If retry_max = 0, don't retry at all.
785 */
786 if (retries++ >= retry_max) {
787 char radius_server_ip[128];
788 struct sockaddr_in *si =
789 (struct sockaddr_in *)auth_addr->ai_addr;
790 inet_ntop(auth_addr->ai_family, &si->sin_addr,
791 radius_server_ip, sizeof(radius_server_ip));
792 rc_log(LOG_ERR,
793 "rc_send_server: no reply from RADIUS %s server %s:%u",
794 server_type, radius_server_ip, data->svc_port);
795 SCLOSE(sockfd);
796 memset(secret, '\0', sizeof(secret));
797 result = TIMEOUT_RC;
798 goto cleanup;
799 }
800 }
801
802 /*
803 * If UDP is larger than RADIUS, shorten it to RADIUS.
804 */
805 if (length > ntohs(recv_auth->length))
806 length = ntohs(recv_auth->length);
807
808 /*
809 * Verify that it's a valid RADIUS packet before doing ANYTHING with it.
810 */
811 attr = recv_buffer + AUTH_HDR_LEN;
812 while (attr < (recv_buffer + length)) {
813 if (attr[0] == 0) {
814 rc_log(LOG_ERR,
815 "rc_send_server: recvfrom: %s:%d: attribute zero is invalid",
816 server_name, data->svc_port);
817 SCLOSE(sockfd);
818 memset(secret, '\0', sizeof(secret));
819 result = ERROR_RC;
820 goto cleanup;
821 }
822
823 if (attr[1] < 2) {
824 rc_log(LOG_ERR,
825 "rc_send_server: recvfrom: %s:%d: attribute length is too small",
826 server_name, data->svc_port);
827 SCLOSE(sockfd);
828 memset(secret, '\0', sizeof(secret));
829 result = ERROR_RC;
830 goto cleanup;
831 }
832
833 if ((attr + attr[1]) > (recv_buffer + length)) {
834 rc_log(LOG_ERR,
835 "rc_send_server: recvfrom: %s:%d: attribute overflows the packet",
836 server_name, data->svc_port);
837 SCLOSE(sockfd);
838 memset(secret, '\0', sizeof(secret));
839 result = ERROR_RC;
840 goto cleanup;
841 }
842
843 attr += attr[1];
844 }
845
846 length = ntohs(recv_auth->length) - AUTH_HDR_LEN;
847 if (length > 0) {
848 data->receive_pairs = rc_avpair_gen(rh, NULL, recv_auth->data,
849 length, 0);
850 } else {
851 data->receive_pairs = NULL;
852 }
853
854 SCLOSE(sockfd);
855 result = populate_ctx(ctx, secret, vector);
856 if (result != OK_RC) {
857 memset(secret, '\0', sizeof(secret));
858 goto cleanup;
859 }
860
861 memset(secret, '\0', sizeof(secret));
862
863 if (msg) {
864 *msg = '\0';
865 pos = 0;
866 vp = data->receive_pairs;
867 while (vp) {
868 if ((vp = rc_avpair_get(vp, PW_REPLY_MESSAGE, 0))) {
869 strappend(msg, PW_MAX_MSG_SIZE, &pos,
870 vp->strvalue);
871 strappend(msg, PW_MAX_MSG_SIZE, &pos, "\n");
872 vp = vp->next;
873 }
874 }
875 }
876
877 switch (recv_auth->code) {
878 case PW_ACCESS_ACCEPT:
879 case PW_PASSWORD_ACK:
880 case PW_ACCOUNTING_RESPONSE:
881 result = OK_RC;
882 break;
883
884 case PW_ACCESS_REJECT:
885 case PW_PASSWORD_REJECT:
886 result = REJECT_RC;
887 break;
888
889 case PW_ACCESS_CHALLENGE:
890 result = CHALLENGE_RC;
891 break;
892
893 default:
894 rc_log(LOG_ERR, "rc_send_server: received RADIUS server response neither ACCEPT nor REJECT, code=%d is invalid",
895 recv_auth->code);
896 result = BADRESP_RC;
897 }
898
899 cleanup:
900 if (auth_addr)
901 freeaddrinfo(auth_addr);
902
903 if (sfuncs->unlock) {
904 if (sfuncs->unlock(sfuncs->ptr) != 0) {
905 rc_log(LOG_ERR, "%s: unlock error", __func__);
906 }
907 }
908 exit_error:
909 if (ns != NULL) {
910 if(-1 == rc_reset_netns(&ns_def_hdl)) {
911 rc_log(LOG_ERR, "rc_send_server: namespace %s reset failed", ns);
912 result = ERROR_RC;
913 }
914 }
915
916 return result;
917}
rc_get_srcaddr
int rc_get_srcaddr(struct sockaddr *lia, const struct sockaddr *ria)
Definition ip_util.c:124
rc_own_bind_addr
void rc_own_bind_addr(rc_handle *rh, struct sockaddr_storage *lia)
Definition ip_util.c:164
rc_avpair_remove
void rc_avpair_remove(VALUE_PAIR **list, uint32_t attrid, uint32_t vendorspec)
Definition avpair.c:69
rc_type
rc_type
Definition radcli.h:69
rc_avpair_gen
VALUE_PAIR * rc_avpair_gen(rc_handle const *rh, VALUE_PAIR *pair, unsigned char const *ptr, int length, uint32_t vendorspec)
Definition avpair.c:271
MGMT_POLL_SECRET
#define MGMT_POLL_SECRET
Default for Merit radiusd.
Definition radcli.h:457
rc_send_server
int rc_send_server(rc_handle *rh, SEND_DATA *data, char *msg, rc_type type)
Definition sendserver.c:232
rc_conf_str
char * rc_conf_str(rc_handle const *rh, char const *optname)
Definition config.c:708
rc_find_server_addr
int rc_find_server_addr(rc_handle const *rh, char const *server_name, struct addrinfo **info, char *secret, rc_type type)
Definition config.c:912
rc_avpair_add
VALUE_PAIR * rc_avpair_add(rc_handle const *rh, VALUE_PAIR **list, uint32_t attrid, void const *pval, int len, uint32_t vendorspec)
Definition avpair.c:46
rc_avpair_get
VALUE_PAIR * rc_avpair_get(VALUE_PAIR *vp, uint32_t attrid, uint32_t vendorspec)
Definition avpair.c:433
AUTH
@ AUTH
Request for authentication server.
Definition radcli.h:70
PW_NAS_IDENTIFIER
@ PW_NAS_IDENTIFIER
Its type is string.
Definition radcli.h:177
PW_NAS_IP_ADDRESS
@ PW_NAS_IP_ADDRESS
Its type is ipaddr.
Definition radcli.h:149
PW_SERVICE_TYPE
@ PW_SERVICE_TYPE
Its type is integer.
Definition radcli.h:151
PW_NAS_IPV6_ADDRESS
@ PW_NAS_IPV6_ADDRESS
Its type is string.
Definition radcli.h:239
PW_EAP_MESSAGE
@ PW_EAP_MESSAGE
Its type is string.
Definition radcli.h:223
PW_MESSAGE_AUTHENTICATOR
@ PW_MESSAGE_AUTHENTICATOR
Its type is string.
Definition radcli.h:224
PW_REPLY_MESSAGE
@ PW_REPLY_MESSAGE
Its type is string.
Definition radcli.h:163
PW_VENDOR_SPECIFIC
@ PW_VENDOR_SPECIFIC
Its type is string.
Definition radcli.h:171
PW_USER_PASSWORD
@ PW_USER_PASSWORD
Its type is string.
Definition radcli.h:147
PW_TYPE_IPADDR
@ PW_TYPE_IPADDR
The attribute is an IPv4 address in host-byte order.
Definition radcli.h:118
PW_TYPE_IPV6ADDR
@ PW_TYPE_IPV6ADDR
The attribute is an 128-bit IPv6 address.
Definition radcli.h:120
PW_TYPE_IPV6PREFIX
@ PW_TYPE_IPV6PREFIX
The attribute is an IPv6 prefix; the lvalue will indicate its size.
Definition radcli.h:121
PW_TYPE_INTEGER
@ PW_TYPE_INTEGER
The attribute is a 32-bit integer.
Definition radcli.h:117
PW_TYPE_DATE
@ PW_TYPE_DATE
The attribute contains a 32-bit number indicating the seconds since epoch.
Definition radcli.h:119
PW_TYPE_STRING
@ PW_TYPE_STRING
The attribute is a printable string.
Definition radcli.h:116
rc_value_pair
Definition radcli.h:479
rc_value_pair::type
rc_attr_type type
attribute type.
Definition radcli.h:482
rc_value_pair::attribute
uint64_t attribute
attribute numeric value of type rc_attr_id including vendor; use VENDOR() and ATTRID() to separate.
Definition radcli.h:481
rc_value_pair::lvalue
uint32_t lvalue
attribute value if type is PW_TYPE_INTEGER, PW_TYPE_DATE or PW_TYPE_IPADDR.
Definition radcli.h:483
rc_value_pair::strvalue
char strvalue[AUTH_STRING_LEN+1]
contains attribute value in other cases.
Definition radcli.h:484
send_data
Definition radcli.h:490
send_data::timeout
int timeout
Session timeout in seconds.
Definition radcli.h:496
send_data::secret
char * secret
Shared secret of RADIUS server.
Definition radcli.h:495
send_data::seq_nbr
uint8_t seq_nbr
Packet sequence number.
Definition radcli.h:492
send_data::svc_port
int svc_port
RADIUS protocol destination port.
Definition radcli.h:494
send_data::server
char * server
Name/address of RADIUS server.
Definition radcli.h:493
send_data::send_pairs
VALUE_PAIR * send_pairs
More a/v pairs to send.
Definition radcli.h:498
send_data::receive_pairs
VALUE_PAIR * receive_pairs
Where to place received a/v pairs.
Definition radcli.h:499
send_data::code
uint8_t code
RADIUS packet code.
Definition radcli.h:491
Generated by doxygen 1.10.0