2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005,2006 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/radius_snmp.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/rad_assert.h>
31 #include <freeradius-devel/vqp.h>
33 #include <sys/resource.h>
39 #ifdef HAVE_SYS_STAT_H
45 #define USEC (1000000)
48 * We'll use this below.
50 typedef int (*rad_listen_parse_t)(const char *, int, CONF_SECTION *, rad_listen_t *);
51 typedef void (*rad_listen_free_t)(rad_listen_t *);
53 typedef struct rad_listen_master_t {
54 rad_listen_parse_t parse;
55 rad_listen_free_t free;
56 rad_listen_recv_t recv;
57 rad_listen_send_t send;
58 rad_listen_print_t print;
59 rad_listen_encode_t encode;
60 rad_listen_decode_t decode;
61 } rad_listen_master_t;
63 typedef struct listen_socket_t {
69 RADCLIENT_LIST *clients;
72 typedef struct listen_detail_t {
78 lrad_ipaddr_t client_ip;
79 int load_factor; /* 1..100 */
85 struct timeval last_packet;
90 * Find a per-socket client.
92 static RADCLIENT *client_listener_find(const rad_listen_t *listener,
93 const lrad_ipaddr_t *ipaddr)
95 const RADCLIENT_LIST *clients;
97 rad_assert(listener != NULL);
98 rad_assert(ipaddr != NULL);
100 rad_assert((listener->type == RAD_LISTEN_AUTH) ||
101 (listener->type == RAD_LISTEN_ACCT) ||
102 (listener->type == RAD_LISTEN_VQP));
104 clients = ((listen_socket_t *)listener->data)->clients;
105 if (!clients) clients = mainconfig.clients;
107 rad_assert(clients != NULL);
109 return client_find(clients, ipaddr);
112 static int listen_bind(rad_listen_t *this);
115 * Process and reply to a server-status request.
116 * Like rad_authenticate and rad_accounting this should
117 * live in it's own file but it's so small we don't bother.
119 static int rad_status_server(REQUEST *request)
121 int rcode = RLM_MODULE_OK;
124 switch (request->listener->type) {
125 case RAD_LISTEN_AUTH:
126 dval = dict_valbyname(PW_AUTZ_TYPE, "Status-Server");
128 rcode = module_authorize(dval->value, request);
130 rcode = RLM_MODULE_OK;
135 case RLM_MODULE_UPDATED:
136 request->reply->code = PW_AUTHENTICATION_ACK;
139 case RLM_MODULE_FAIL:
140 case RLM_MODULE_HANDLED:
141 request->reply->code = 0; /* don't reply */
145 case RLM_MODULE_REJECT:
146 request->reply->code = PW_AUTHENTICATION_REJECT;
151 case RAD_LISTEN_ACCT:
152 dval = dict_valbyname(PW_ACCT_TYPE, "Status-Server");
154 rcode = module_accounting(dval->value, request);
156 rcode = RLM_MODULE_OK;
161 case RLM_MODULE_UPDATED:
162 request->reply->code = PW_ACCOUNTING_RESPONSE;
166 request->reply->code = 0; /* don't reply */
179 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
182 listen_socket_t *sock = this->data;
184 if ((sock->ipaddr.af == AF_INET) &&
185 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
188 ip_ntoh(&sock->ipaddr, buffer, bufsize);
191 len = strlen(buffer);
193 return len + snprintf(buffer + len, bufsize - len, " port %d",
199 * Parse an authentication or accounting socket.
201 static int common_socket_parse(const char *filename, int lineno,
202 CONF_SECTION *cs, rad_listen_t *this)
206 lrad_ipaddr_t ipaddr;
207 listen_socket_t *sock = this->data;
208 const char *section_name = NULL;
209 CONF_SECTION *client_cs;
214 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
215 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
216 &ipaddr.ipaddr.ip4addr, NULL);
217 if (rcode < 0) return -1;
219 if (rcode == 0) { /* successfully parsed IPv4 */
222 } else { /* maybe IPv6? */
223 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
224 &ipaddr.ipaddr.ip6addr, NULL);
225 if (rcode < 0) return -1;
228 radlog(L_ERR, "%s[%d]: No address specified in listen section",
232 ipaddr.af = AF_INET6;
235 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
237 if (rcode < 0) return -1;
239 sock->ipaddr = ipaddr;
240 sock->port = listen_port;
243 * And bind it to the port.
245 if (listen_bind(this) < 0) {
247 radlog(L_CONS|L_ERR, "%s[%d]: Error binding to port for %s port %d",
248 filename, cf_section_lineno(cs),
249 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
255 * If we can bind to interfaces, do so,
258 if (cf_pair_find(cs, "interface")) {
259 #ifndef SO_BINDTODEVICE
260 radlog(L_CONS|L_ERR, "%s[%d]: System does not support binding to interfaces, delete this line from the configuration file.",
261 filename, cf_section_lineno(cs));
265 CONF_PAIR *cp = cf_pair_find(cs, "interface");
268 rad_assert(cp != NULL);
269 value = cf_pair_value(cp);
270 rad_assert(value != NULL);
272 strcpy(ifreq.ifr_name, value);
274 if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
275 (char *)&ifreq, sizeof(ifreq)) < 0) {
276 radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
277 filename, cf_section_lineno(cs),
278 value, strerror(errno));
280 } /* else it worked. */
285 * Look for the name of a section that holds a list
288 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
289 §ion_name, NULL);
290 if (rcode < 0) return -1; /* bad string */
293 * Explicit list given: use it.
295 client_cs = cf_section_find(section_name);
298 radlog(L_CONS|L_ERR, "%s[%d]: Failed to find client section %s",
299 filename, cf_section_lineno(cs), section_name);
303 } else if (this->identity) { /* no "clients = ", try using identity */
305 * Else base it off of the identity.
307 client_cs = cf_section_sub_find_name2(mainconfig.config,
311 (cf_section_sub_find(client_cs, "client") == NULL)) {
312 client_cs = mainconfig.config;
316 client_cs = mainconfig.config;
319 sock->clients = clients_parse_section(filename, client_cs);
320 if (!sock->clients) {
328 * Send an authentication response packet
330 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
332 rad_assert(request->listener == listener);
333 rad_assert(listener->send == auth_socket_send);
335 return rad_send(request->reply, request->packet,
336 request->client->secret);
341 * Send an accounting response packet (or not)
343 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
345 rad_assert(request->listener == listener);
346 rad_assert(listener->send == acct_socket_send);
349 * Accounting reject's are silently dropped.
351 * We do it here to avoid polluting the rest of the
352 * code with this knowledge
354 if (request->reply->code == 0) return 0;
356 return rad_send(request->reply, request->packet,
357 request->client->secret);
362 * Send a packet to a home server.
364 * FIXME: have different code for proxy auth & acct!
366 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
368 listen_socket_t *sock = listener->data;
370 rad_assert(request->proxy_listener == listener);
371 rad_assert(listener->send == proxy_socket_send);
373 request->proxy->src_ipaddr = sock->ipaddr;
374 request->proxy->src_port = sock->port;
376 return rad_send(request->proxy, request->packet,
377 request->home_server->secret);
382 * Check if an incoming request is "ok"
384 * It takes packets, not requests. It sees if the packet looks
385 * OK. If so, it does a number of sanity checks on it.
387 static int auth_socket_recv(rad_listen_t *listener,
388 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
392 RADIUS_PACKET *packet;
393 RAD_REQUEST_FUNP fun = NULL;
396 lrad_ipaddr_t src_ipaddr;
398 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
399 if (rcode < 0) return 0;
401 RAD_SNMP_TYPE_INC(listener, total_requests);
403 if (rcode < 20) { /* AUTH_HDR_LEN */
404 RAD_SNMP_TYPE_INC(listener, total_malformed_requests);
408 if ((client = client_listener_find(listener,
409 &src_ipaddr)) == NULL) {
410 rad_recv_discard(listener->fd);
411 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
414 * This is debugging rather than logging, so that
415 * DoS attacks don't affect us.
417 DEBUG("Ignoring request from unknown client %s port %d",
418 inet_ntop(src_ipaddr.af, &src_ipaddr.ipaddr,
419 buffer, sizeof(buffer)), src_port);
424 * Some sanity checks, based on the packet code.
427 case PW_AUTHENTICATION_REQUEST:
428 RAD_SNMP_CLIENT_INC(listener, client, requests);
429 fun = rad_authenticate;
432 case PW_STATUS_SERVER:
433 if (!mainconfig.status_server) {
434 rad_recv_discard(listener->fd);
435 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
436 RAD_SNMP_CLIENT_INC(listener, client, packets_dropped);
437 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
440 fun = rad_status_server;
444 rad_recv_discard(listener->fd);
445 RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
446 RAD_SNMP_CLIENT_INC(listener, client, unknown_types);
448 DEBUG("Invalid packet code %d sent to authentication port from client %s port %d : IGNORED",
449 code, client->shortname, src_port);
452 } /* switch over packet types */
455 * Now that we've sanity checked everything, receive the
458 packet = rad_recv(listener->fd);
460 RAD_SNMP_TYPE_INC(listener, total_malformed_requests);
461 radlog(L_ERR, "%s", librad_errstr);
465 if (!received_request(listener, packet, prequest, client)) {
466 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
467 RAD_SNMP_CLIENT_INC(listener, client, packets_dropped);
478 * Receive packets from an accounting socket
480 static int acct_socket_recv(rad_listen_t *listener,
481 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
485 RADIUS_PACKET *packet;
486 RAD_REQUEST_FUNP fun = NULL;
489 lrad_ipaddr_t src_ipaddr;
491 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
492 if (rcode < 0) return 0;
494 RAD_SNMP_TYPE_INC(listener, total_requests);
496 if (rcode < 20) { /* AUTH_HDR_LEN */
497 RAD_SNMP_TYPE_INC(listener, total_malformed_requests);
501 if ((client = client_listener_find(listener,
502 &src_ipaddr)) == NULL) {
503 rad_recv_discard(listener->fd);
504 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
507 * This is debugging rather than logging, so that
508 * DoS attacks don't affect us.
510 DEBUG("Ignoring request from unknown client %s port %d",
511 inet_ntop(src_ipaddr.af, &src_ipaddr.ipaddr,
512 buffer, sizeof(buffer)), src_port);
517 * Some sanity checks, based on the packet code.
520 case PW_ACCOUNTING_REQUEST:
521 RAD_SNMP_CLIENT_INC(listener, client, requests);
522 fun = rad_accounting;
525 case PW_STATUS_SERVER:
526 if (!mainconfig.status_server) {
527 rad_recv_discard(listener->fd);
528 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
529 RAD_SNMP_CLIENT_INC(listener, client, unknown_types);
531 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
534 fun = rad_status_server;
538 rad_recv_discard(listener->fd);
539 RAD_SNMP_TYPE_INC(listener, total_unknown_types);
540 RAD_SNMP_CLIENT_INC(listener, client, unknown_types);
542 DEBUG("Invalid packet code %d sent to a accounting port from client %s port %d : IGNORED",
543 code, client->shortname, src_port);
545 } /* switch over packet types */
548 * Now that we've sanity checked everything, receive the
551 packet = rad_recv(listener->fd);
553 RAD_SNMP_TYPE_INC(listener, total_malformed_requests);
554 radlog(L_ERR, "%s", librad_errstr);
559 * There can be no duplicate accounting packets.
561 if (!received_request(listener, packet, prequest, client)) {
562 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
563 RAD_SNMP_CLIENT_INC(listener, client, packets_dropped);
574 * Recieve packets from a proxy socket.
576 static int proxy_socket_recv(rad_listen_t *listener,
577 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
580 RADIUS_PACKET *packet;
581 RAD_REQUEST_FUNP fun = NULL;
584 packet = rad_recv(listener->fd);
586 radlog(L_ERR, "%s", librad_errstr);
591 * FIXME: Client MIB updates?
593 switch(packet->code) {
594 case PW_AUTHENTICATION_ACK:
595 case PW_ACCESS_CHALLENGE:
596 case PW_AUTHENTICATION_REJECT:
597 fun = rad_authenticate;
600 case PW_ACCOUNTING_RESPONSE:
601 fun = rad_accounting;
606 * FIXME: Update MIB for packet types?
608 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
609 "from home server %s port %d - ID %d : IGNORED",
611 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
612 packet->src_port, packet->id);
617 request = received_proxy_response(packet);
622 rad_assert(fun != NULL);
630 static int client_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
632 if (!request->reply->code) return 0;
634 rad_encode(request->reply, request->packet,
635 request->client->secret);
636 rad_sign(request->reply, request->packet,
637 request->client->secret);
643 static int client_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
645 if (rad_verify(request->packet, NULL,
646 request->client->secret) < 0) {
650 return rad_decode(request->packet, NULL,
651 request->client->secret);
654 static int proxy_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
656 rad_encode(request->proxy, NULL, request->home_server->secret);
657 rad_sign(request->proxy, NULL, request->home_server->secret);
663 static int proxy_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
665 if (rad_verify(request->proxy_reply, request->proxy,
666 request->home_server->secret) < 0) {
670 return rad_decode(request->proxy_reply, request->proxy,
671 request->home_server->secret);
675 #define STATE_UNOPENED (0)
676 #define STATE_UNLOCKED (1)
677 #define STATE_HEADER (2)
678 #define STATE_READING (3)
679 #define STATE_QUEUED (4)
680 #define STATE_RUNNING (5)
681 #define STATE_NO_REPLY (6)
682 #define STATE_REPLIED (7)
685 * If we're limiting outstanding packets, then mark the response
688 static int detail_send(rad_listen_t *listener, REQUEST *request)
692 listen_detail_t *data = listener->data;
694 rad_assert(request->listener == listener);
695 rad_assert(listener->send == detail_send);
698 * This request timed out. Remember that, and tell the
699 * caller it's OK to read more "detail" file stuff.
701 if (request->reply->code == 0) {
702 radius_signal_self(RADIUS_SIGNAL_SELF_DETAIL);
703 data->state = STATE_NO_REPLY;
708 * We call gettimeofday a lot. But here it should be OK,
709 * because there's nothing else to do.
711 gettimeofday(&now, NULL);
714 * If we haven't sent a packet in the last second, reset
718 if (timercmp(&data->last_packet, &now, <)) {
719 data->has_rtt = FALSE;
724 * Only one detail packet may be outstanding at a time,
725 * so it's safe to update some entries in the detail
728 * We keep smoothed round trip time (SRTT), but not round
729 * trip timeout (RTO). We use SRTT to calculate a rough
732 rtt = now.tv_sec - request->received.tv_sec;
735 rtt -= request->received.tv_usec;
738 * If we're proxying, the RTT is our processing time,
739 * plus the network delay there and back, plus the time
740 * on the other end to process the packet. Ideally, we
741 * should remove the network delays from the RTT, but we
742 * don't know what they are.
744 * So, to be safe, we over-estimate the total cost of
745 * processing the packet.
747 if (!data->has_rtt) {
748 data->has_rtt = TRUE;
750 data->rttvar = rtt / 2;
753 data->rttvar -= data->rttvar >> 2;
754 data->rttvar += (data->srtt - rtt);
755 data->srtt -= data->srtt >> 3;
756 data->srtt += rtt >> 3;
760 * Calculate the time we wait before sending the next
763 * rtt / (rtt + delay) = load_factor / 100
765 data->delay_time = (data->srtt * (100 - data->load_factor)) / (data->load_factor);
768 * FIXME: Push this delay to the event handler!
770 DEBUG2("RTT %d\tdelay %d", data->srtt, data->delay_time);
772 usleep(data->delay_time);
773 data->last_packet = now;
774 data->state = STATE_REPLIED;
781 * Open the detail file..
783 * FIXME: create it, if it's not already there, so that the main
784 * server select() will wake us up if there's anything to read.
786 static int detail_open(rad_listen_t *this)
790 listen_detail_t *data = this->data;
792 rad_assert(data->state == STATE_UNOPENED);
793 snprintf(buffer, sizeof(buffer), "%s.work", data->filename);
796 * Open detail.work first, so we don't lose
797 * accounting packets. It's probably better to
798 * duplicate them than to lose them.
800 * Note that we're not writing to the file, but
801 * we've got to open it for writing in order to
802 * establish the lock, to prevent rlm_detail from
805 this->fd = open(buffer, O_RDWR);
808 * Try reading the detail file. If it
809 * doesn't exist, we can't do anything.
811 * Doing the stat will tell us if the file
812 * exists, even if we don't have permissions
815 if (stat(data->filename, &st) < 0) {
820 * Open it BEFORE we rename it, just to
823 this->fd = open(data->filename, O_RDWR);
825 radlog(L_ERR, "Failed to open %s: %s",
826 data->filename, strerror(errno));
831 * Rename detail to detail.work
833 if (rename(data->filename, buffer) < 0) {
838 } /* else detail.work existed, and we opened it */
840 rad_assert(data->vps == NULL);
842 rad_assert(data->fp == NULL);
843 data->fp = fdopen(this->fd, "r");
845 radlog(L_ERR, "Failed to re-open %s: %s",
846 data->filename, strerror(errno));
850 data->state = STATE_UNLOCKED;
852 data->client_ip.af = AF_UNSPEC;
859 * FIXME: this should be dynamically allocated.
861 static const RADCLIENT detail_client = {
880 * FIXME: add a configuration "exit when done" so that the detail
881 * file reader can be used as a one-off tool to update stuff.
883 * The time sequence for reading from the detail file is:
885 * t_0 signalled that the server is idle, and we
886 * can read from the detail file.
888 * t_rtt the packet has been processed successfully,
889 * wait for t_delay to enforce load factor.
891 * t_rtt + t_delay wait for signal that the server is idle.
894 static int detail_recv(rad_listen_t *listener,
895 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
897 char key[256], value[1024];
898 VALUE_PAIR *vp, **tail;
899 RADIUS_PACKET *packet;
901 listen_detail_t *data = listener->data;
903 switch (data->state) {
905 rad_assert(listener->fd < 0);
908 * FIXME: If the file doesn't exist, then
909 * return "sleep for 1s", to avoid busy
912 if (!detail_open(listener)) return 0;
914 rad_assert(data->state == STATE_UNLOCKED);
915 rad_assert(listener->fd >= 0);
920 * Try to lock fd. If we can't, return.
921 * If we can, continue. This means that
922 * the server doesn't block while waiting
923 * for the lock to open...
927 * Note that we do NOT block waiting for
928 * the lock. We've re-named the file
929 * above, so we've already guaranteed
930 * that any *new* detail writer will not
931 * be opening this file. The only
932 * purpose of the lock is to catch a race
933 * condition where the execution
934 * "ping-pongs" between radiusd &
937 if (rad_lockfd_nonblock(listener->fd, 0) < 0) {
941 * Look for the header
943 data->state = STATE_HEADER;
951 * End of file. Delete it, and re-set
954 if (feof(data->fp)) {
956 snprintf(buffer, sizeof(buffer),
957 "%s.work", data->filename);
959 fclose(data->fp); /* closes listener->fd */
962 data->state = STATE_UNOPENED;
963 rad_assert(data->vps == NULL);
968 * Else go read something.
973 * Read more value-pair's, unless we're
974 * at EOF. In that case, queue whatever
978 if (!feof(data->fp)) break;
979 data->state = STATE_QUEUED;
987 * We still have an outstanding packet.
988 * Don't read any more.
994 * If there's no reply, keep
995 * retransmitting the current packet
999 data->state = STATE_QUEUED;
1003 * We have a reply. Clean up the old
1004 * request, and go read another one.
1007 pairfree(&data->vps);
1008 data->state = STATE_HEADER;
1013 while (*tail) tail = &(*tail)->next;
1016 * Read a header, OR a value-pair.
1018 while (fgets(buffer, sizeof(buffer), data->fp)) {
1020 * Badly formatted file: delete it.
1022 * FIXME: Maybe flag an error?
1024 if (!strchr(buffer, '\n')) {
1025 pairfree(&data->vps);
1030 * We're reading VP's, and got a blank line.
1033 if ((data->state == STATE_READING) &&
1034 (buffer[0] == '\n')) {
1035 data->state = STATE_QUEUED;
1040 * Look for date/time header, and read VP's if
1041 * found. If not, keep reading lines until we
1044 if (data->state == STATE_HEADER) {
1047 if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
1048 data->state = STATE_READING;
1054 * We have a full "attribute = value" line.
1055 * If it doesn't look reasonable, skip it.
1057 * FIXME: print an error for badly formatted attributes?
1059 if (sscanf(buffer, "%255s = %1023s", key, value) != 2) {
1064 * Skip non-protocol attributes.
1066 if (!strcasecmp(key, "Request-Authenticator")) continue;
1069 * Set the original client IP address, based on
1070 * what's in the detail file.
1072 * Hmm... we don't set the server IP address.
1075 if (!strcasecmp(key, "Client-IP-Address")) {
1076 data->client_ip.af = AF_INET;
1077 ip_hton(value, AF_INET, &data->client_ip);
1082 * The original time at which we received the
1083 * packet. We need this to properly calculate
1086 if (!strcasecmp(key, "Timestamp")) {
1087 data->timestamp = atoi(value);
1094 * FIXME: do we want to check for non-protocol
1095 * attributes like radsqlrelay does?
1098 if ((userparse(buffer, &vp) > 0) &&
1106 * Some kind of error.
1108 * FIXME: Leave the file in-place, and warn the
1111 if (ferror(data->fp)) goto cleanup;
1114 * Process the packet.
1117 rad_assert(data->state == STATE_QUEUED);
1120 * We're done reading the file, but we didn't read
1121 * anything. Clean up, and don't return anything.
1124 data->state = STATE_HEADER;
1129 * Allocate the packet. If we fail, it's a serious
1132 packet = rad_alloc(1);
1134 data->state = STATE_NO_REPLY; /* try again later */
1135 return 0; /* maybe memory will magically free up... */
1138 memset(packet, 0, sizeof(*packet));
1139 packet->sockfd = -1;
1140 packet->src_ipaddr.af = AF_INET;
1141 packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1142 packet->code = PW_ACCOUNTING_REQUEST;
1143 packet->timestamp = time(NULL);
1146 * Remember where it came from, so that we don't
1147 * proxy it to the place it came from...
1149 if (data->client_ip.af != AF_UNSPEC) {
1150 packet->src_ipaddr = data->client_ip;
1153 vp = pairfind(packet->vps, PW_PACKET_SRC_IP_ADDRESS);
1155 packet->src_ipaddr.af = AF_INET;
1156 packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
1158 vp = pairfind(packet->vps, PW_PACKET_SRC_IPV6_ADDRESS);
1160 packet->src_ipaddr.af = AF_INET6;
1161 memcpy(&packet->src_ipaddr.ipaddr.ip6addr,
1162 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1166 vp = pairfind(packet->vps, PW_PACKET_DST_IP_ADDRESS);
1168 packet->dst_ipaddr.af = AF_INET;
1169 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
1171 vp = pairfind(packet->vps, PW_PACKET_DST_IPV6_ADDRESS);
1173 packet->dst_ipaddr.af = AF_INET6;
1174 memcpy(&packet->dst_ipaddr.ipaddr.ip6addr,
1175 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1180 * We've got to give SOME value for Id & ports, so that
1181 * the packets can be added to the request queue.
1182 * However, we don't want to keep track of used/unused
1183 * id's and ports, as that's a lot of work. This hack
1184 * ensures that (if we have real random numbers), that
1185 * there will be a collision on every 2^(16+15+15+24 - 1)
1186 * packets, on average. That means we can read 2^37
1187 * packets before having a collision, which means it's
1188 * effectively impossible.
1190 packet->id = lrad_rand() & 0xffff;
1191 packet->src_port = 1024 + (lrad_rand() & 0x7fff);
1192 packet->dst_port = 1024 + (lrad_rand() & 0x7fff);
1194 packet->dst_ipaddr.af = AF_INET;
1195 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl((INADDR_LOOPBACK & ~0xffffff) | (lrad_rand() & 0xffffff));
1198 * If everything's OK, this is a waste of memory.
1199 * Otherwise, it lets us re-send the original packet
1200 * contents, unmolested.
1202 packet->vps = paircopy(data->vps);
1205 * Look for Acct-Delay-Time, and update
1206 * based on Acct-Delay-Time += (time(NULL) - timestamp)
1208 vp = pairfind(packet->vps, PW_ACCT_DELAY_TIME);
1210 vp = paircreate(PW_ACCT_DELAY_TIME, PW_TYPE_INTEGER);
1211 rad_assert(vp != NULL);
1212 pairadd(&packet->vps, vp);
1214 if (data->timestamp != 0) {
1215 vp->vp_integer += time(NULL) - data->timestamp;
1218 *pfun = rad_accounting;
1221 printf("detail_recv: Read packet from %s\n", data->filename);
1222 for (vp = packet->vps; vp; vp = vp->next) {
1224 vp_print(stdout, vp);
1230 * FIXME: many of these checks may not be necessary when
1231 * reading from the detail file.
1233 * Try again later...
1235 if (!received_request(listener, packet, prequest, &detail_client)) {
1237 data->state = STATE_NO_REPLY; /* try again later */
1241 data->state = STATE_RUNNING;
1248 * Free detail-specific stuff.
1250 static void detail_free(rad_listen_t *this)
1252 listen_detail_t *data = this->data;
1254 free(data->filename);
1255 pairfree(&data->vps);
1257 if (data->fp != NULL) fclose(data->fp);
1261 static int detail_print(rad_listen_t *this, char *buffer, size_t bufsize)
1263 return snprintf(buffer, bufsize, "%s",
1264 ((listen_detail_t *)(this->data))->filename);
1267 static int detail_encode(UNUSED rad_listen_t *this, UNUSED REQUEST *request)
1270 * We never encode responses "sent to" the detail file.
1275 static int detail_decode(UNUSED rad_listen_t *this, UNUSED REQUEST *request)
1278 * We never decode responses read from the detail file.
1284 static const CONF_PARSER detail_config[] = {
1285 { "filename", PW_TYPE_STRING_PTR,
1286 offsetof(listen_detail_t, filename), NULL, NULL },
1287 { "load_factor", PW_TYPE_INTEGER,
1288 offsetof(listen_detail_t, load_factor), NULL, Stringify(10)},
1290 { NULL, -1, 0, NULL, NULL } /* end the list */
1295 * Parse a detail section.
1297 static int detail_parse(const char *filename, int lineno,
1298 CONF_SECTION *cs, rad_listen_t *this)
1301 listen_detail_t *data;
1305 rcode = cf_section_parse(cs, data, detail_config);
1307 radlog(L_ERR, "%s[%d]: Failed parsing listen section",
1312 if (!data->filename) {
1313 radlog(L_ERR, "%s[%d]: No detail file specified in listen section",
1318 if ((data->load_factor < 1) || (data->load_factor > 100)) {
1319 radlog(L_ERR, "%s[%d]: Load factor must be between 1 and 100",
1326 data->state = STATE_UNOPENED;
1334 static int radius_snmp_recv(rad_listen_t *listener,
1335 UNUSED RAD_REQUEST_FUNP *pfun,
1336 UNUSED REQUEST **prequest)
1338 if (!mainconfig.do_snmp) return 0;
1340 if ((rad_snmp.smux_fd >= 0) &&
1341 (rad_snmp.smux_event == SMUX_READ)) {
1346 * If we've got to re-connect, then do so now,
1347 * before calling select again.
1349 if (rad_snmp.smux_event == SMUX_CONNECT) {
1354 * Reset this every time, as the smux connect may have
1355 * opened a new socket.
1357 listener->fd = rad_snmp.smux_fd;
1363 static int radius_snmp_print(UNUSED rad_listen_t *this, char *buffer, size_t bufsize)
1365 return snprintf(buffer, bufsize, "SMUX with OID .1.3.6.1.4.1.11344.1.1.1");
1372 * Check if an incoming request is "ok"
1374 * It takes packets, not requests. It sees if the packet looks
1375 * OK. If so, it does a number of sanity checks on it.
1377 static int vqp_socket_recv(rad_listen_t *listener,
1378 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1380 RADIUS_PACKET *packet;
1381 RAD_REQUEST_FUNP fun = NULL;
1385 packet = vqp_recv(listener->fd);
1387 radlog(L_ERR, "%s", librad_errstr);
1391 if ((client = client_listener_find(listener,
1392 &packet->src_ipaddr)) == NULL) {
1393 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
1395 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
1396 inet_ntop(packet->src_ipaddr.af,
1397 &packet->src_ipaddr.ipaddr,
1398 buffer, sizeof(buffer)),
1409 if (!received_request(listener, packet, prequest, client)) {
1421 * Send an authentication response packet
1423 static int vqp_socket_send(rad_listen_t *listener, REQUEST *request)
1425 rad_assert(request->listener == listener);
1426 rad_assert(listener->send == vqp_socket_send);
1428 if (vqp_encode(request->reply, request->packet) < 0) {
1429 DEBUG2("Failed encoding packet: %s\n", librad_errstr);
1433 return vqp_send(request->reply);
1437 static int vqp_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
1439 return vqp_encode(request->reply, request->packet);
1443 static int vqp_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
1445 return vqp_decode(request->packet);
1447 #endif /* WITH_VMPS */
1450 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1451 { NULL, NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1455 proxy_socket_recv, proxy_socket_send,
1456 socket_print, proxy_socket_encode, proxy_socket_decode },
1458 /* authentication */
1459 { common_socket_parse, NULL,
1460 auth_socket_recv, auth_socket_send,
1461 socket_print, client_socket_encode, client_socket_decode },
1464 { common_socket_parse, NULL,
1465 acct_socket_recv, acct_socket_send,
1466 socket_print, client_socket_encode, client_socket_decode},
1469 { detail_parse, detail_free,
1470 detail_recv, detail_send,
1471 detail_print, detail_encode, detail_decode },
1474 /* vlan query protocol */
1475 { common_socket_parse, NULL,
1476 vqp_socket_recv, vqp_socket_send,
1477 socket_print, vqp_socket_encode, vqp_socket_decode },
1479 { NULL, NULL, NULL, NULL, NULL, NULL, NULL},
1482 { NULL, NULL, NULL, NULL, NULL, NULL, NULL} /* RAD_LISTEN_SNMP */
1488 * Binds a listener to a socket.
1490 static int listen_bind(rad_listen_t *this)
1492 rad_listen_t **last;
1493 listen_socket_t *sock = this->data;
1496 * If the port is zero, then it means the appropriate
1497 * thing from /etc/services.
1499 if (sock->port == 0) {
1500 struct servent *svp;
1502 switch (this->type) {
1503 case RAD_LISTEN_AUTH:
1504 svp = getservbyname ("radius", "udp");
1506 sock->port = ntohs(svp->s_port);
1508 sock->port = PW_AUTH_UDP_PORT;
1512 case RAD_LISTEN_ACCT:
1513 svp = getservbyname ("radacct", "udp");
1515 sock->port = ntohs(svp->s_port);
1517 sock->port = PW_ACCT_UDP_PORT;
1522 radlog(L_ERR|L_CONS, "ERROR: Non-fatal internal sanity check failed in bind.");
1528 * Find it in the old list, AFTER updating the port. If
1529 * it's there, use that, rather than creating a new
1530 * socket. This allows HUP's to re-use the old sockets,
1531 * which means that packets waiting in the socket queue
1534 for (last = &mainconfig.listen;
1536 last = &((*last)->next)) {
1537 listen_socket_t *other;
1539 if (this->type != (*last)->type) continue;
1541 if ((this->type == RAD_LISTEN_DETAIL) ||
1542 (this->type == RAD_LISTEN_SNMP)) continue;
1544 other = (listen_socket_t *)((*last)->data);
1546 if ((sock->port == other->port) &&
1547 (sock->ipaddr.af == other->ipaddr.af) &&
1548 (lrad_ipaddr_cmp(&sock->ipaddr, &other->ipaddr) == 0)) {
1549 this->fd = (*last)->fd;
1555 this->fd = lrad_socket(&sock->ipaddr, sock->port);
1557 radlog(L_ERR|L_CONS, "ERROR: Failed to open socket: %s",
1564 if ((flags = fcntl(this->fd, F_GETFL, NULL)) < 0) {
1565 radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
1569 flags |= O_NONBLOCK;
1570 if( fcntl(this->fd, F_SETFL, flags) < 0) {
1571 radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
1582 * Allocate & initialize a new listener.
1584 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1588 this = rad_malloc(sizeof(*this));
1589 memset(this, 0, sizeof(*this));
1592 this->recv = master_listen[this->type].recv;
1593 this->send = master_listen[this->type].send;
1594 this->print = master_listen[this->type].print;
1595 this->encode = master_listen[this->type].encode;
1596 this->decode = master_listen[this->type].decode;
1599 case RAD_LISTEN_AUTH:
1600 case RAD_LISTEN_ACCT:
1601 case RAD_LISTEN_PROXY:
1602 case RAD_LISTEN_VQP:
1603 this->data = rad_malloc(sizeof(listen_socket_t));
1604 memset(this->data, 0, sizeof(listen_socket_t));
1607 case RAD_LISTEN_DETAIL:
1608 this->data = rad_malloc(sizeof(listen_detail_t));
1609 memset(this->data, 0, sizeof(listen_detail_t));
1612 rad_assert("Unsupported option!" == NULL);
1621 * Externally visible function for creating a new proxy LISTENER.
1623 * For now, don't take ipaddr or port.
1625 * Not thread-safe, but all calls to it are protected by the
1626 * proxy mutex in request_list.c
1628 rad_listen_t *proxy_new_listener()
1630 int last_proxy_port, port;
1631 rad_listen_t *this, *tmp, **last;
1632 listen_socket_t *sock, *old;
1634 this = listen_alloc(RAD_LISTEN_PROXY);
1637 * Find an existing proxy socket to copy.
1639 * FIXME: Make it per-realm, or per-home server!
1641 last_proxy_port = 0;
1643 last = &mainconfig.listen;
1644 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1645 if (tmp->type == RAD_LISTEN_PROXY) {
1647 if (sock->port > last_proxy_port) {
1648 last_proxy_port = sock->port + 1;
1650 if (!old) old = sock;
1653 last = &(tmp->next);
1656 if (!old) return NULL; /* This is a serious error. */
1659 * FIXME: find a new IP address to listen on?
1661 * This could likely be done in the "home server"
1662 * configuration, to have per-home-server source IP's.
1665 memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr));
1668 * Keep going until we find an unused port.
1670 for (port = last_proxy_port; port < 64000; port++) {
1672 if (listen_bind(this) == 0) {
1674 * Add the new listener to the list of
1686 static const LRAD_NAME_NUMBER listen_compare[] = {
1687 { "auth", RAD_LISTEN_AUTH },
1688 { "acct", RAD_LISTEN_ACCT },
1689 { "detail", RAD_LISTEN_DETAIL },
1691 { "vmps", RAD_LISTEN_VQP },
1698 * Generate a list of listeners. Takes an input list of
1699 * listeners, too, so we don't close sockets with waiting packets.
1701 int listen_init(const char *filename, rad_listen_t **head)
1705 rad_listen_t **last;
1707 lrad_ipaddr_t server_ipaddr;
1711 * We shouldn't be called with a pre-existing list.
1713 rad_assert(head && (*head == NULL));
1716 server_ipaddr.af = AF_UNSPEC;
1719 * If the port is specified on the command-line,
1720 * it over-rides the configuration file.
1722 * FIXME: If argv[0] == "vmpsd", then don't listen on auth/acct!
1724 if (mainconfig.port >= 0) auth_port = mainconfig.port;
1727 * If the IP address was configured on the command-line,
1728 * use that as the "bind_address"
1730 if (mainconfig.myip.af != AF_UNSPEC) {
1731 memcpy(&server_ipaddr, &mainconfig.myip,
1732 sizeof(server_ipaddr));
1737 * Else look for bind_address and/or listen sections.
1739 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1740 rcode = cf_item_parse(mainconfig.config, "bind_address",
1742 &server_ipaddr.ipaddr.ip4addr, NULL);
1743 if (rcode < 0) return -1; /* error parsing it */
1745 if (rcode == 0) { /* successfully parsed IPv4 */
1746 listen_socket_t *sock;
1747 server_ipaddr.af = AF_INET;
1749 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1753 if (strcmp(progname, "vmpsd") == 0) {
1754 this = listen_alloc(RAD_LISTEN_VQP);
1755 if (!auth_port) auth_port = 1589;
1758 this = listen_alloc(RAD_LISTEN_AUTH);
1762 sock->ipaddr = server_ipaddr;
1763 sock->port = auth_port;
1765 if (listen_bind(this) < 0) {
1768 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1771 auth_port = sock->port; /* may have been updated in listen_bind */
1773 last = &(this->next);
1779 if (strcmp(progname, "vmpsd") == 0) goto do_proxy;
1783 * Open Accounting Socket.
1785 * If we haven't already gotten acct_port from
1786 * /etc/services, then make it auth_port + 1.
1788 this = listen_alloc(RAD_LISTEN_ACCT);
1792 * Create the accounting socket.
1794 * The accounting port is always the
1795 * authentication port + 1
1797 sock->ipaddr = server_ipaddr;
1798 sock->port = auth_port + 1;
1800 if (listen_bind(this) < 0) {
1803 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1808 last = &(this->next);
1810 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1811 radlog(L_CONS|L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1817 * They specified an IP on the command-line, ignore
1818 * all listen sections.
1820 if (mainconfig.myip.af != AF_UNSPEC) goto do_proxy;
1823 * Walk through the "listen" sections, if they exist.
1825 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "listen");
1827 cs = cf_subsection_find_next(mainconfig.config, cs, "listen")) {
1829 char *listen_type, *identity;
1830 int lineno = cf_section_lineno(cs);
1832 listen_type = identity = NULL;
1834 DEBUG2(" listen {");
1836 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1838 if (rcode < 0) return -1;
1842 radlog(L_ERR, "%s[%d]: No type specified in listen section",
1848 * See if there's an identity.
1850 rcode = cf_item_parse(cs, "identity", PW_TYPE_STRING_PTR,
1858 type = lrad_str2int(listen_compare, listen_type,
1861 if (type == RAD_LISTEN_NONE) {
1863 radlog(L_CONS|L_ERR, "%s[%d]: Invalid type in listen section.",
1869 * Set up cross-type data.
1871 this = listen_alloc(type);
1872 this->identity = identity;
1876 * Call per-type parser.
1878 if (master_listen[type].parse(filename, lineno,
1888 last = &(this->next);
1892 * If we're proxying requests, open the proxy FD.
1893 * Otherwise, don't do anything.
1896 if (mainconfig.proxy_requests == TRUE) {
1898 listen_socket_t *sock = NULL;
1901 * No sockets to receive packets, therefore
1902 * proxying is pointless.
1904 if (!*head) return -1;
1907 * If we previously had proxy sockets, copy them
1908 * to the new config.
1910 if (mainconfig.listen != NULL) {
1911 rad_listen_t *old, *next, **tail;
1913 tail = &mainconfig.listen;
1914 for (old = mainconfig.listen;
1919 if (old->type != RAD_LISTEN_PROXY) {
1920 tail = &((*tail)->next);
1927 last = &(old->next);
1934 * Find the first authentication port,
1937 for (this = *head; this != NULL; this = this->next) {
1938 if (this->type == RAD_LISTEN_AUTH) {
1940 if (server_ipaddr.af == AF_UNSPEC) {
1941 server_ipaddr = sock->ipaddr;
1943 port = sock->port + 2; /* skip acct port */
1946 if (this->type == RAD_LISTEN_VQP) {
1948 if (server_ipaddr.af == AF_UNSPEC) {
1949 server_ipaddr = sock->ipaddr;
1951 port = sock->port + 1;
1956 if (port < 0) port = 1024 + (lrad_rand() & 0x1ff);
1959 * Address is still unspecified, use IPv4.
1961 if (server_ipaddr.af == AF_UNSPEC) {
1962 server_ipaddr.af = AF_INET;
1963 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
1966 this = listen_alloc(RAD_LISTEN_PROXY);
1970 * Create the first proxy socket.
1972 sock->ipaddr = server_ipaddr;
1975 * Try to find a proxy port (value doesn't matter)
1977 for (sock->port = port;
1980 if (listen_bind(this) == 0) {
1982 last = &(this->next); /* just in case */
1987 if (sock->port >= 64000) {
1990 radlog(L_ERR|L_CONS, "Failed to open socket for proxying");
1997 if (mainconfig.do_snmp) {
2001 * Forget about the old one.
2003 for (this = mainconfig.listen;
2005 this = this->next) {
2006 if (this->type != RAD_LISTEN_SNMP) continue;
2010 this = rad_malloc(sizeof(*this));
2011 memset(this, 0, sizeof(*this));
2013 this->type = RAD_LISTEN_SNMP;
2014 this->fd = rad_snmp.smux_fd;
2016 this->recv = radius_snmp_recv;
2017 this->print = radius_snmp_print;
2020 last = &(this->next);
2028 * Free a linked list of listeners;
2030 void listen_free(rad_listen_t **head)
2034 if (!head || !*head) return;
2038 rad_listen_t *next = this->next;
2040 free(this->identity);
2043 * Other code may have eaten the FD.
2045 if (this->fd >= 0) close(this->fd);
2047 if (master_listen[this->type].free) {
2048 master_listen[this->type].free(this);
projects / freeradius.git / blob