2 * dhcp.c Functions to send/receive dhcp packets.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2008 The FreeRADIUS server project
21 * Copyright 2008 Alan DeKok <aland@deployingradius.com>
26 #include <freeradius-devel/libradius.h>
27 #include <freeradius-devel/udpfromto.h>
28 #include <freeradius-devel/dhcp.h>
31 #include <sys/ioctl.h>
34 #ifdef HAVE_SYS_SOCKET_H
35 #include <sys/socket.h>
37 #ifdef HAVE_SYS_TYPES_H
38 #include <sys/types.h>
42 #include <net/if_arp.h>
45 #define DHCP_CHADDR_LEN (16)
46 #define DHCP_SNAME_LEN (64)
47 #define DHCP_FILE_LEN (128)
48 #define DHCP_VEND_LEN (308)
49 #define DHCP_OPTION_MAGIC_NUMBER (0x63825363)
51 #ifndef INADDR_BROADCAST
52 #define INADDR_BROADCAST INADDR_NONE
55 /* @todo: this is a hack */
56 # define DEBUG if (fr_debug_flag && fr_log_fp) fr_printf_log
57 # define debug_pair(vp) do { if (fr_debug_flag && fr_log_fp) { \
58 vp_print(fr_log_fp, vp); \
62 typedef struct dhcp_packet_t {
68 uint16_t secs; /* 8 */
70 uint32_t ciaddr; /* 12 */
71 uint32_t yiaddr; /* 16 */
72 uint32_t siaddr; /* 20 */
73 uint32_t giaddr; /* 24 */
74 uint8_t chaddr[DHCP_CHADDR_LEN]; /* 28 */
75 uint8_t sname[DHCP_SNAME_LEN]; /* 44 */
76 uint8_t file[DHCP_FILE_LEN]; /* 108 */
77 uint32_t option_format; /* 236 */
78 uint8_t options[DHCP_VEND_LEN];
81 typedef struct dhcp_option_t {
87 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 DISCOVER
88 * INADDR_BROADCAST : 68 <- SERVER_IP : 67 OFFER
89 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 REQUEST
90 * INADDR_BROADCAST : 68 <- SERVER_IP : 67 ACK
92 static char const *dhcp_header_names[] = {
95 "DHCP-Hardware-Address-Length",
97 "DHCP-Transaction-Id",
98 "DHCP-Number-of-Seconds",
100 "DHCP-Client-IP-Address",
101 "DHCP-Your-IP-Address",
102 "DHCP-Server-IP-Address",
103 "DHCP-Gateway-IP-Address",
104 "DHCP-Client-Hardware-Address",
105 "DHCP-Server-Host-Name",
106 "DHCP-Boot-Filename",
111 static char const *dhcp_message_types[] = {
124 static int dhcp_header_sizes[] = {
135 * Some clients silently ignore responses less than 300 bytes.
137 #define MIN_PACKET_SIZE (244)
138 #define DEFAULT_PACKET_SIZE (300)
139 #define MAX_PACKET_SIZE (1500 - 40)
141 #define DHCP_OPTION_FIELD (0)
142 #define DHCP_FILE_FIELD (1)
143 #define DHCP_SNAME_FIELD (2)
145 static uint8_t *dhcp_get_option(dhcp_packet_t *packet, size_t packet_size,
149 int field = DHCP_OPTION_FIELD;
154 size = packet_size - offsetof(dhcp_packet_t, options);
155 data = &packet->options[where];
157 while (where < size) {
158 if (data[0] == 0) { /* padding */
163 if (data[0] == 255) { /* end of options */
164 if ((field == DHCP_OPTION_FIELD) &&
165 (overload & DHCP_FILE_FIELD)) {
168 size = sizeof(packet->file);
169 field = DHCP_FILE_FIELD;
172 } else if ((field == DHCP_FILE_FIELD) &&
173 (overload & DHCP_SNAME_FIELD)) {
174 data = packet->sname;
176 size = sizeof(packet->sname);
177 field = DHCP_SNAME_FIELD;
185 * We MUST have a real option here.
187 if ((where + 2) > size) {
188 fr_strerror_printf("Options overflow field at %u",
189 (unsigned int) (data - (uint8_t *) packet));
193 if ((where + 2 + data[1]) > size) {
194 fr_strerror_printf("Option length overflows field at %u",
195 (unsigned int) (data - (uint8_t *) packet));
199 if (data[0] == option) return data;
201 if (data[0] == 52) { /* overload sname and/or file */
205 where += data[1] + 2;
213 * DHCPv4 is only for IPv4. Broadcast only works if udpfromto is
216 RADIUS_PACKET *fr_dhcp_recv(int sockfd)
219 struct sockaddr_storage src;
220 struct sockaddr_storage dst;
221 socklen_t sizeof_src;
222 socklen_t sizeof_dst;
223 RADIUS_PACKET *packet;
228 packet = rad_alloc(NULL, false);
230 fr_strerror_printf("Failed allocating packet");
234 packet->data = talloc_zero_array(packet, uint8_t, MAX_PACKET_SIZE);
236 fr_strerror_printf("Out of memory");
241 packet->sockfd = sockfd;
242 sizeof_src = sizeof(src);
243 #ifdef WITH_UDPFROMTO
244 sizeof_dst = sizeof(dst);
245 data_len = recvfromto(sockfd, packet->data, MAX_PACKET_SIZE, 0,
246 (struct sockaddr *)&src, &sizeof_src,
247 (struct sockaddr *)&dst, &sizeof_dst);
249 data_len = recvfrom(sockfd, packet->data, MAX_PACKET_SIZE, 0,
250 (struct sockaddr *)&src, &sizeof_src);
254 fr_strerror_printf("Failed reading DHCP socket: %s", fr_syserror(errno));
259 packet->data_len = data_len;
260 if (packet->data_len < MIN_PACKET_SIZE) {
261 fr_strerror_printf("DHCP packet is too small (%zu < %d)",
262 packet->data_len, MIN_PACKET_SIZE);
267 if (packet->data_len > MAX_PACKET_SIZE) {
268 fr_strerror_printf("DHCP packet is too large (%zx > %d)",
269 packet->data_len, MAX_PACKET_SIZE);
274 if (packet->data[1] != 1) {
275 fr_strerror_printf("DHCP can only receive ethernet requests, not type %02x",
281 if (packet->data[2] != 6) {
282 fr_strerror_printf("Ethernet HW length is wrong length %d",
288 memcpy(&magic, packet->data + 236, 4);
289 magic = ntohl(magic);
290 if (magic != DHCP_OPTION_MAGIC_NUMBER) {
291 fr_strerror_printf("Cannot do BOOTP");
297 * Create unique keys for the packet.
299 memcpy(&magic, packet->data + 4, 4);
300 packet->id = ntohl(magic);
302 code = dhcp_get_option((dhcp_packet_t *) packet->data,
303 packet->data_len, 53);
305 fr_strerror_printf("No message-type option was found in the packet");
310 if ((code[1] < 1) || (code[2] == 0) || (code[2] > 8)) {
311 fr_strerror_printf("Unknown value for message-type option");
316 packet->code = code[2] | PW_DHCP_OFFSET;
319 * Create a unique vector from the MAC address and the
320 * DHCP opcode. This is a hack for the RADIUS
321 * infrastructure in the rest of the server.
323 * Note: packet->data[2] == 6, which is smaller than
324 * sizeof(packet->vector)
326 * FIXME: Look for client-identifier in packet,
329 memset(packet->vector, 0, sizeof(packet->vector));
330 memcpy(packet->vector, packet->data + 28, packet->data[2]);
331 packet->vector[packet->data[2]] = packet->code & 0xff;
334 * FIXME: for DISCOVER / REQUEST: src_port == dst_port + 1
335 * FIXME: for OFFER / ACK : src_port = dst_port - 1
339 * Unique keys are xid, client mac, and client ID?
343 * FIXME: More checks, like DHCP packet type?
346 sizeof_dst = sizeof(dst);
348 #ifndef WITH_UDPFROMTO
350 * This should never fail...
352 if (getsockname(sockfd, (struct sockaddr *) &dst, &sizeof_dst) < 0) {
353 fr_strerror_printf("getsockname failed: %s", fr_syserror(errno));
359 fr_sockaddr2ipaddr(&dst, sizeof_dst, &packet->dst_ipaddr, &port);
360 packet->dst_port = port;
362 fr_sockaddr2ipaddr(&src, sizeof_src, &packet->src_ipaddr, &port);
363 packet->src_port = port;
365 if (fr_debug_flag > 1) {
367 char const *name = type_buf;
368 char src_ip_buf[256], dst_ip_buf[256];
370 if ((packet->code >= PW_DHCP_DISCOVER) &&
371 (packet->code <= PW_DHCP_INFORM)) {
372 name = dhcp_message_types[packet->code - PW_DHCP_OFFSET];
374 snprintf(type_buf, sizeof(type_buf), "%d",
375 packet->code - PW_DHCP_OFFSET);
378 DEBUG("Received %s of Id %08x from %s:%d to %s:%d\n",
379 name, (unsigned int) packet->id,
380 inet_ntop(packet->src_ipaddr.af,
381 &packet->src_ipaddr.ipaddr,
382 src_ip_buf, sizeof(src_ip_buf)),
384 inet_ntop(packet->dst_ipaddr.af,
385 &packet->dst_ipaddr.ipaddr,
386 dst_ip_buf, sizeof(dst_ip_buf)),
395 * Send a DHCP packet.
397 int fr_dhcp_send(RADIUS_PACKET *packet)
399 struct sockaddr_storage dst;
400 socklen_t sizeof_dst;
401 #ifdef WITH_UDPFROMTO
402 struct sockaddr_storage src;
403 socklen_t sizeof_src;
405 fr_ipaddr2sockaddr(&packet->src_ipaddr, packet->src_port,
409 fr_ipaddr2sockaddr(&packet->dst_ipaddr, packet->dst_port,
412 if (packet->data_len == 0) {
413 fr_strerror_printf("No data to send");
417 if (fr_debug_flag > 1) {
419 char const *name = type_buf;
420 #ifdef WITH_UDPFROMTO
421 char src_ip_buf[INET6_ADDRSTRLEN];
423 char dst_ip_buf[INET6_ADDRSTRLEN];
425 if ((packet->code >= PW_DHCP_DISCOVER) &&
426 (packet->code <= PW_DHCP_INFORM)) {
427 name = dhcp_message_types[packet->code - PW_DHCP_OFFSET];
429 snprintf(type_buf, sizeof(type_buf), "%d",
430 packet->code - PW_DHCP_OFFSET);
434 #ifdef WITH_UDPFROMTO
435 "Sending %s Id %08x from %s:%d to %s:%d\n",
437 "Sending %s Id %08x to %s:%d\n",
439 name, (unsigned int) packet->id,
440 #ifdef WITH_UDPFROMTO
441 inet_ntop(packet->src_ipaddr.af, &packet->src_ipaddr.ipaddr, src_ip_buf, sizeof(src_ip_buf)),
444 inet_ntop(packet->dst_ipaddr.af, &packet->dst_ipaddr.ipaddr, dst_ip_buf, sizeof(dst_ip_buf)),
448 #ifndef WITH_UDPFROMTO
450 * Assume that the packet is encoded before sending it.
452 return sendto(packet->sockfd, packet->data, packet->data_len, 0,
453 (struct sockaddr *)&dst, sizeof_dst);
456 return sendfromto(packet->sockfd, packet->data, packet->data_len, 0,
457 (struct sockaddr *)&src, sizeof_src,
458 (struct sockaddr *)&dst, sizeof_dst);
462 static int fr_dhcp_attr2vp(TALLOC_CTX *ctx, VALUE_PAIR **vp_p, uint8_t const *p, size_t alen);
464 /** Returns the number of array members for arrays with fixed element sizes
467 static int fr_dhcp_array_members(size_t *len, DICT_ATTR const *da)
472 * Could be an array of bytes, integers, etc.
474 if (da->flags.array) switch (da->type) {
480 case PW_TYPE_SHORT: /* ignore any trailing data */
481 num_entries = *len >> 1;
485 case PW_TYPE_IPV4_ADDR:
486 case PW_TYPE_INTEGER:
487 case PW_TYPE_DATE: /* ignore any trailing data */
488 num_entries = *len >> 2;
492 case PW_TYPE_IPV6_ADDR:
493 num_entries = *len >> 4;
504 /** RFC 4243 Vendor Specific Suboptions
506 * Vendor specific suboptions are in the format.
509 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
510 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
511 | Enterprise Number 0 |
512 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
514 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
516 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
517 | Enterprise Number n |
518 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
520 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
522 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
525 * So although the vendor is identified, the format of the data isn't specified
526 * so we can't actually resolve the suboption to an attribute.
528 * To get around that, we create an attribute with a vendor matching the
529 * enterprise number, and attr 0.
531 * How the suboption data is then processed, is dependent on what type
532 * \<iana\>.0 is defined as in the dictionary.
534 * @param[in,out] tlv to decode. *tlv will be set to the head of the list of suboptions and original will be freed.
535 * @param[in] ctx context to alloc new attributes in.
536 * @param[in] data to parse.
537 * @param[in] len length of data to parse.
539 static int fr_dhcp_decode_vsa(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t const *data, size_t len)
541 uint8_t const *p, *q;
546 if (len < 4) goto malformed;
551 if (p + 5 >= q) goto malformed;
552 p += sizeof(uint32_t);
556 * Check if length > the length of the buffer we have left
558 if (p >= q) goto malformed;
563 fr_cursor_init(&cursor, &head);
566 * Now we know its sane, start decoding!
574 vendor = ntohl(*((uint32_t const *) p));
576 * This is pretty much all we can do. RFC 4243 doesn't specify
577 * an attribute field, so it's up to vendors to figure out how
578 * they want to encode their attributes.
580 da = dict_attrbyvalue(0, vendor);
582 da = dict_unknown_afrom_fields(ctx, 0, vendor);
588 vp = pairalloc(ctx, da);
594 pairsteal(ctx, vp); /* for unknown attributes hack */
596 if (fr_dhcp_attr2vp(ctx, &vp, p + 5, p[4]) < 0) {
602 fr_cursor_merge(&cursor, vp);
603 dict_attr_free(&da); /* for unknown attributes hack */
605 p += 4 + 1 + p[4]; /* vendor id (4) + len (1) + vsa len (n) */
609 * The caller allocated TLV, if decoding it generated additional
610 * attributes, we now need to free it, and write the HEAD of our
611 * new list of attributes in its place.
614 vp_cursor_t tlv_cursor;
617 * Free the old TLV attribute
622 * Cursor not necessary but means we don't have to set
625 fr_cursor_init(&tlv_cursor, tlv);
626 fr_cursor_merge(&tlv_cursor, head);
632 (*tlv)->vp_tlv = talloc_array(*tlv, uint8_t, len);
633 if (!(*tlv)->vp_tlv) {
634 fr_strerror_printf("No memory");
637 memcpy((*tlv)->vp_tlv, data, len);
638 (*tlv)->length = len;
643 /** Decode DHCP suboptions
645 * @param[in,out] tlv to decode. *tlv will be set to the head of the list of suboptions and original will be freed.
646 * @param[in] ctx context to alloc new attributes in.
647 * @param[in] data to parse.
648 * @param[in] len length of data to parse.
650 static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t const *data, size_t len)
652 uint8_t const *p, *q;
653 VALUE_PAIR *head, *vp;
657 * TLV must already point to a VALUE_PAIR.
662 * Take a pass at parsing it.
668 * RFC 3046 is very specific about not allowing termination
669 * with a 255 sub-option. But it's required for decoding
670 * option 43, and vendors will probably screw it up
683 * Check if reading length would take us past the end of the buffer
685 if (++p >= q) goto malformed;
689 * Check if length > the length of the buffer we have left
691 if (p >= q) goto malformed;
696 * Got here... must be well formed.
699 fr_cursor_init(&cursor, &head);
711 * The initial OID string looks like:
714 * If <iana>.0 is type TLV then we attempt to decode its contents as more
715 * DHCP suboptions, which gives us:
718 * If <iana>.0 is not defined in the dictionary or is type octets, we leave
719 * the attribute as is.
721 attr = (*tlv)->da->attr ? ((*tlv)->da->attr | (p[0] << 8)) : p[0];
724 * Use the vendor of the parent TLV which is not necessarily
727 * Note: This does not deal with dictionary numbering clashes. If
728 * the vendor uses different numbers for DHCP suboptions and RADIUS
729 * attributes then it's time to break out %{hex:} and regular
732 da = dict_attrbyvalue(attr, (*tlv)->da->vendor);
734 da = dict_unknown_afrom_fields(ctx, attr, (*tlv)->da->vendor);
743 num_entries = fr_dhcp_array_members(&a_len, da);
744 for (i = 0; i < num_entries; i++) {
745 vp = pairalloc(ctx, da);
751 pairsteal(ctx, vp); /* for unknown attributes hack */
753 if (fr_dhcp_attr2vp(ctx, &vp, a_p, a_len) < 0) {
758 fr_cursor_merge(&cursor, vp);
763 dict_attr_free(&da); /* for unknown attributes hack */
765 p += 2 + p[1]; /* code (1) + len (1) + suboption len (n)*/
769 * The caller allocated a TLV, if decoding it generated
770 * additional attributes, we now need to free it, and write
771 * the HEAD of our new list of attributes in its place.
774 vp_cursor_t tlv_cursor;
777 * Free the old TLV attribute
782 * Cursor not necessary but means we don't have to set
785 fr_cursor_init(&tlv_cursor, tlv);
786 fr_cursor_merge(&tlv_cursor, head);
792 (*tlv)->vp_tlv = talloc_array(*tlv, uint8_t, len);
793 if (!(*tlv)->vp_tlv) {
794 fr_strerror_printf("No memory");
797 memcpy((*tlv)->vp_tlv, data, len);
798 (*tlv)->length = len;
804 * Decode ONE value into a VP
806 static int fr_dhcp_attr2vp(TALLOC_CTX *ctx, VALUE_PAIR **vp_p, uint8_t const *data, size_t len)
808 VALUE_PAIR *vp = *vp_p;
811 switch (vp->da->type) {
813 if (len != 1) goto raw;
814 vp->vp_byte = data[0];
818 if (len != 2) goto raw;
819 memcpy(&vp->vp_short, data, 2);
820 vp->vp_short = ntohs(vp->vp_short);
823 case PW_TYPE_INTEGER:
824 if (len != 4) goto raw;
825 memcpy(&vp->vp_integer, data, 4);
826 vp->vp_integer = ntohl(vp->vp_integer);
829 case PW_TYPE_IPV4_ADDR:
830 if (len != 4) goto raw;
832 * Keep value in Network Order!
834 memcpy(&vp->vp_ipaddr, data, 4);
839 * In DHCPv4, string options which can also be arrays,
840 * have their values '\0' delimited.
845 uint8_t const *q, *end;
849 q = end = data + len;
851 if (!vp->da->flags.array) {
852 pairstrncpy(vp, (char const *)p, q - p);
857 * Initialise the cursor as we may be inserting
858 * multiple additional VPs
860 fr_cursor_init(&cursor, vp_p);
862 q = memchr(p, '\0', q - p);
863 /* Malformed but recoverable */
866 pairstrncpy(vp, (char const *)p, q - p);
869 /* Need another VP for the next round */
871 vp = pairalloc(ctx, vp->da);
876 fr_cursor_insert(&cursor, vp);
884 case PW_TYPE_ETHERNET:
885 memcpy(vp->vp_ether, data, sizeof(vp->vp_ether));
886 vp->length = sizeof(vp->vp_ether);
890 * Value doesn't match up with attribute type, overwrite the
891 * vp's original DICT_ATTR with an unknown one.
894 if (pair2unknown(vp) < 0) return -1;
897 if (len > 255) return -1;
898 pairmemcpy(vp, data, len);
902 * For option 82 et al...
905 return fr_dhcp_decode_suboption(ctx, vp_p, data, len);
911 return fr_dhcp_decode_vsa(ctx, vp_p, data, len);
914 fr_strerror_printf("Internal sanity check %d %d", vp->da->type, __LINE__);
916 } /* switch over type */
922 /** Decode DHCP options
924 * @param[in,out] out Where to write the decoded options.
925 * @param[in] ctx context to alloc new attributes in.
926 * @param[in] data to parse.
927 * @param[in] len of data to parse.
929 ssize_t fr_dhcp_decode_options(TALLOC_CTX *ctx, VALUE_PAIR **out, uint8_t const *data, size_t len)
933 uint8_t const *p, *q;
936 fr_cursor_init(&cursor, out);
939 * FIXME: This should also check sname && file fields.
940 * See the dhcp_get_option() function above.
951 if (*p == 0) { /* 0x00 - Padding option */
956 if (*p == 255) { /* 0xff - End of options signifier */
960 if ((p + 2) > q) break;
966 * Unknown attribute, create an octets type
967 * attribute with the contents of the sub-option.
969 da = dict_attrbyvalue(p[0], DHCP_MAGIC_VENDOR);
971 da = dict_unknown_afrom_fields(ctx, p[0], DHCP_MAGIC_VENDOR);
976 vp = pairalloc(ctx, da);
981 pairmemcpy(vp, a_p, a_len);
982 fr_cursor_insert(&cursor, vp);
988 * Array type sub-option create a new VALUE_PAIR
989 * for each array element.
991 num_entries = fr_dhcp_array_members(&a_len, da);
992 for (i = 0; i < num_entries; i++) {
993 vp = pairalloc(ctx, da);
1000 if (fr_dhcp_attr2vp(ctx, &vp, a_p, a_len) < 0) {
1005 fr_cursor_merge(&cursor, vp);
1007 for (vp = fr_cursor_current(&cursor);
1009 vp = fr_cursor_next(&cursor)) {
1013 } /* loop over array entries */
1015 p += 2 + p[1]; /* code (1) + len (1) + option len (n)*/
1016 } /* loop over the entire packet */
1021 int fr_dhcp_decode(RADIUS_PACKET *packet)
1027 VALUE_PAIR *head = NULL, *vp;
1028 VALUE_PAIR *maxms, *mtu;
1030 fr_cursor_init(&cursor, &head);
1033 if ((fr_debug_flag > 2) && fr_log_fp) {
1034 for (i = 0; i < packet->data_len; i++) {
1035 if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, "%d: ", (int) i);
1036 fprintf(fr_log_fp, "%02x ", packet->data[i]);
1037 if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
1039 fprintf(fr_log_fp, "\n");
1042 if (packet->data[1] != 1) {
1043 fr_strerror_printf("Packet is not Ethernet: %u",
1049 * Decode the header.
1051 for (i = 0; i < 14; i++) {
1054 vp = pairmake(packet, NULL, dhcp_header_names[i], NULL, T_OP_EQ);
1057 strlcpy(buffer, fr_strerror(), sizeof(buffer));
1058 fr_strerror_printf("Cannot decode packet due to internal error: %s", buffer);
1064 * If chaddr does != 6 bytes it's probably not ethernet, and we should store
1065 * it as an opaque type (octets).
1067 if ((i == 11) && (packet->data[1] == 1) && (packet->data[2] != sizeof(vp->vp_ether))) {
1068 DICT_ATTR const *da = dict_unknown_afrom_fields(packet, vp->da->attr, vp->da->vendor);
1075 switch (vp->da->type) {
1082 vp->vp_short = (p[0] << 8) | p[1];
1086 case PW_TYPE_INTEGER:
1087 memcpy(&vp->vp_integer, p, 4);
1088 vp->vp_integer = ntohl(vp->vp_integer);
1092 case PW_TYPE_IPV4_ADDR:
1093 memcpy(&vp->vp_ipaddr, p, 4);
1097 case PW_TYPE_STRING:
1098 vp->vp_strvalue = q = talloc_array(vp, char, dhcp_header_sizes[i] + 1);
1100 memcpy(q, p, dhcp_header_sizes[i]);
1101 q[dhcp_header_sizes[i]] = '\0';
1102 vp->length = strlen(vp->vp_strvalue);
1103 if (vp->length == 0) {
1108 case PW_TYPE_OCTETS:
1109 pairmemcpy(vp, p, packet->data[2]);
1112 case PW_TYPE_ETHERNET:
1113 memcpy(vp->vp_ether, p, sizeof(vp->vp_ether));
1114 vp->length = sizeof(vp->vp_ether);
1118 fr_strerror_printf("BAD TYPE %d", vp->da->type);
1122 p += dhcp_header_sizes[i];
1127 fr_cursor_insert(&cursor, vp);
1131 * Loop over the options.
1135 * Nothing uses tail after this call, if it does in the future
1136 * it'll need to find the new tail...
1139 VALUE_PAIR *options = NULL;
1141 if (fr_dhcp_decode_options(packet, &options, packet->data + 240, packet->data_len - 240) < 0) {
1145 if (options) fr_cursor_merge(&cursor, options);
1149 * If DHCP request, set ciaddr to zero.
1153 * Set broadcast flag for broken vendors, but only if
1156 memcpy(&giaddr, packet->data + 24, sizeof(giaddr));
1157 if (giaddr == htonl(INADDR_ANY)) {
1159 * DHCP Opcode is request
1161 vp = pairfind(head, 256, DHCP_MAGIC_VENDOR, TAG_ANY);
1162 if (vp && vp->vp_integer == 3) {
1164 * Vendor is "MSFT 98"
1166 vp = pairfind(head, 63, DHCP_MAGIC_VENDOR, TAG_ANY);
1167 if (vp && (strcmp(vp->vp_strvalue, "MSFT 98") == 0)) {
1168 vp = pairfind(head, 262, DHCP_MAGIC_VENDOR, TAG_ANY);
1171 * Reply should be broadcast.
1173 if (vp) vp->vp_integer |= 0x8000;
1174 packet->data[10] |= 0x80;
1180 * FIXME: Nuke attributes that aren't used in the normal
1181 * header for discover/requests.
1186 * Client can request a LARGER size, but not a smaller
1187 * one. They also cannot request a size larger than MTU.
1189 maxms = pairfind(packet->vps, 57, DHCP_MAGIC_VENDOR, TAG_ANY);
1190 mtu = pairfind(packet->vps, 26, DHCP_MAGIC_VENDOR, TAG_ANY);
1192 if (mtu && (mtu->vp_integer < DEFAULT_PACKET_SIZE)) {
1193 fr_strerror_printf("DHCP Fatal: Client says MTU is smaller than minimum permitted by the specification");
1197 if (maxms && (maxms->vp_integer < DEFAULT_PACKET_SIZE)) {
1198 fr_strerror_printf("DHCP WARNING: Client says maximum message size is smaller than minimum permitted by the specification: fixing it");
1199 maxms->vp_integer = DEFAULT_PACKET_SIZE;
1202 if (maxms && mtu && (maxms->vp_integer > mtu->vp_integer)) {
1203 fr_strerror_printf("DHCP WARNING: Client says MTU is smaller than maximum message size: fixing it");
1204 maxms->vp_integer = mtu->vp_integer;
1207 if (fr_debug_flag) fflush(stdout);
1213 int8_t fr_dhcp_attr_cmp(void const *a, void const *b)
1215 VALUE_PAIR const *my_a = a;
1216 VALUE_PAIR const *my_b = b;
1222 * DHCP-Message-Type is first, for simplicity.
1224 if ((my_a->da->attr == 53) && (my_b->da->attr != 53)) return -1;
1227 * Relay-Agent is last
1229 if ((my_a->da->attr == 82) && (my_b->da->attr != 82)) return 1;
1231 if (my_a->da->attr < my_b->da->attr) return -1;
1232 if (my_a->da->attr > my_b->da->attr) return 1;
1237 /** Write DHCP option value into buffer
1239 * Does not include DHCP option length or number.
1241 * @param out where to write the DHCP option.
1242 * @param outlen length of output buffer.
1243 * @param vp option to encode.
1244 * @return the length of data writen, -1 if out of buffer, -2 if unsupported type.
1246 static ssize_t fr_dhcp_vp2attr(uint8_t *out, size_t outlen, VALUE_PAIR *vp)
1251 if (outlen < vp->length) {
1255 switch (vp->da->type) {
1261 p[0] = (vp->vp_short >> 8) & 0xff;
1262 p[1] = vp->vp_short & 0xff;
1265 case PW_TYPE_INTEGER:
1266 lvalue = htonl(vp->vp_integer);
1267 memcpy(p, &lvalue, 4);
1270 case PW_TYPE_IPV4_ADDR:
1271 memcpy(p, &vp->vp_ipaddr, 4);
1274 case PW_TYPE_ETHERNET:
1275 memcpy(p, &vp->vp_ether, 6);
1278 case PW_TYPE_STRING:
1279 memcpy(p, vp->vp_strvalue, vp->length);
1282 case PW_TYPE_TLV: /* FIXME: split it on 255? */
1283 memcpy(p, vp->vp_tlv, vp->length);
1286 case PW_TYPE_OCTETS:
1287 memcpy(p, vp->vp_octets, vp->length);
1291 fr_strerror_printf("Unsupported option type %d", vp->da->type);
1298 /** Create a new TLV attribute from multiple sub options
1300 * @param[in,out] ctx to allocate new attribute in.
1301 * @param[in,out] cursor should be set to the start of the list of TLV attributes.
1302 * Will be advanced to the first non-TLV attribute.
1303 * @return attribute holding the concatenation of the values of the sub options.
1305 static VALUE_PAIR *fr_dhcp_vp2suboption(TALLOC_CTX *ctx, vp_cursor_t *cursor)
1308 unsigned int parent; /* Parent attribute of suboption */
1310 uint8_t *p, *opt_len = NULL;
1311 vp_cursor_t to_pack;
1312 VALUE_PAIR *vp, *tlv;
1314 #define SUBOPTION_PARENT(_x) (_x & 0xffff00ff)
1315 #define SUBOPTION_ATTR(_x) ((_x & 0xff00) >> 8)
1317 vp = fr_cursor_current(cursor);
1318 if (!vp) return NULL;
1320 parent = SUBOPTION_PARENT(vp->da->attr);
1321 tlv = paircreate(ctx, parent, DHCP_MAGIC_VENDOR);
1322 if (!tlv) return NULL;
1324 fr_cursor_copy(&to_pack, cursor);
1327 * Loop over TLVs to determine how much memory we need to allocate
1329 * We advanced the cursor we were passed, so if we fail encoding,
1330 * the cursor is at the right position for the next potentially
1333 for (vp = fr_cursor_current(cursor);
1334 vp && vp->da->flags.is_tlv && !vp->da->flags.extended && (SUBOPTION_PARENT(vp->da->attr) == parent);
1335 vp = fr_cursor_next(cursor)) {
1337 * If it's not an array type or is an array type, but is not the same
1338 * as the previous attribute, we add 2 for the additional sub-option
1341 if (!vp->da->flags.array || (SUBOPTION_ATTR(vp->da->attr) != attr)) {
1342 attr = SUBOPTION_ATTR(vp->da->attr);
1345 tlv->length += vp->length;
1348 tlv->vp_tlv = talloc_zero_array(tlv, uint8_t, tlv->length);
1356 for (vp = fr_cursor_current(&to_pack);
1357 vp && vp->da->flags.is_tlv && !vp->da->flags.extended && (SUBOPTION_PARENT(vp->da->attr) == parent);
1358 vp = fr_cursor_next(&to_pack)) {
1359 if (SUBOPTION_ATTR(vp->da->attr) == 0) {
1360 fr_strerror_printf("Invalid attribute number 0");
1364 /* Don't write out the header, were packing array options */
1365 if (!vp->da->flags.array || (attr != SUBOPTION_ATTR(vp->da->attr))) {
1366 attr = SUBOPTION_ATTR(vp->da->attr);
1371 length = fr_dhcp_vp2attr(p, (tlv->vp_tlv + tlv->length) - p, vp);
1372 if ((length < 0) || (length > 255)) {
1385 /** Encode a DHCP option and any sub-options.
1387 * @param out Where to write encoded DHCP attributes.
1388 * @param outlen Length of out buffer.
1389 * @param ctx to use for any allocated memory.
1390 * @param cursor with current VP set to the option to be encoded. Will be advanced to the next option to encode.
1391 * @return > 0 length of data written, < 0 error, 0 not valid option (skipping).
1393 ssize_t fr_dhcp_encode_option(TALLOC_CTX *ctx, uint8_t *out, size_t outlen, vp_cursor_t *cursor)
1396 DICT_ATTR const *previous;
1397 uint8_t *opt_len, *p = out;
1398 size_t freespace = outlen;
1401 vp = fr_cursor_current(cursor);
1404 if (vp->da->vendor != DHCP_MAGIC_VENDOR) goto next; /* not a DHCP option */
1405 if (vp->da->attr == 53) goto next; /* already done */
1406 if ((vp->da->attr > 255) && (DHCP_BASE_ATTR(vp->da->attr) != PW_DHCP_OPTION_82)) goto next;
1408 if (vp->da->flags.extended) {
1410 fr_strerror_printf("Attribute \"%s\" is not a DHCP option", vp->da->name);
1411 fr_cursor_next(cursor);
1415 /* Write out the option number */
1416 *(p++) = vp->da->attr & 0xff;
1418 /* Pointer to the length field of the option */
1421 /* Zero out the option's length field */
1424 /* We just consumed two bytes for the header */
1427 /* DHCP options with the same number get coalesced into a single option */
1429 VALUE_PAIR *tlv = NULL;
1432 if (vp->da->flags.is_tlv) {
1434 * Coalesce TLVs into one sub-option.
1435 * Cursor will be advanced to next non-TLV attribute.
1437 tlv = vp = fr_dhcp_vp2suboption(ctx, cursor);
1440 * Skip if there's an issue coalescing the sub-options.
1441 * Cursor will still have been advanced to next non-TLV attribute.
1445 * If not calling fr_dhcp_vp2suboption() advance the cursor, so fr_cursor_current()
1446 * returns the next attribute.
1449 fr_cursor_next(cursor);
1452 if ((*opt_len + vp->length) > 255) {
1453 fr_strerror_printf("Skipping \"%s\": Option splitting not supported "
1454 "(option > 255 bytes)", vp->da->name);
1459 len = fr_dhcp_vp2attr(p, freespace, vp);
1462 /* Failed encoding option */
1471 } while ((vp = fr_cursor_current(cursor)) && (previous == vp->da) && vp->da->flags.array);
1476 int fr_dhcp_encode(RADIUS_PACKET *packet)
1487 # ifdef WITH_UDPFROMTO
1488 char src_ip_buf[256];
1490 char dst_ip_buf[256];
1493 if (packet->data) return 0;
1495 packet->data_len = MAX_PACKET_SIZE;
1496 packet->data = talloc_zero_array(packet, uint8_t, packet->data_len);
1498 /* XXX Ugly ... should be set by the caller */
1499 if (packet->code == 0) packet->code = PW_DHCP_NAK;
1502 if ((vp = pairfind(packet->vps, 260, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1503 packet->id = vp->vp_integer;
1505 packet->id = fr_rand();
1509 if ((packet->code >= PW_DHCP_DISCOVER) &&
1510 (packet->code <= PW_DHCP_INFORM)) {
1511 name = dhcp_message_types[packet->code - PW_DHCP_OFFSET];
1517 # ifdef WITH_UDPFROMTO
1518 "Encoding %s of id %08x from %s:%d to %s:%d\n",
1520 "Encoding %s of id %08x to %s:%d\n",
1522 name, (unsigned int) packet->id,
1523 # ifdef WITH_UDPFROMTO
1524 inet_ntop(packet->src_ipaddr.af,
1525 &packet->src_ipaddr.ipaddr,
1526 src_ip_buf, sizeof(src_ip_buf)),
1529 inet_ntop(packet->dst_ipaddr.af,
1530 &packet->dst_ipaddr.ipaddr,
1531 dst_ip_buf, sizeof(dst_ip_buf)),
1538 * @todo: Make this work again.
1541 mms = DEFAULT_PACKET_SIZE; /* maximum message size */
1544 * Clients can request a LARGER size, but not a
1545 * smaller one. They also cannot request a size
1549 /* DHCP-DHCP-Maximum-Msg-Size */
1550 vp = pairfind(packet->vps, 57, DHCP_MAGIC_VENDOR, TAG_ANY);
1551 if (vp && (vp->vp_integer > mms)) {
1552 mms = vp->vp_integer;
1554 if (mms > MAX_PACKET_SIZE) mms = MAX_PACKET_SIZE;
1558 vp = pairfind(packet->vps, 256, DHCP_MAGIC_VENDOR, TAG_ANY);
1560 *p++ = vp->vp_integer & 0xff;
1562 *p++ = 1; /* client message */
1565 /* DHCP-Hardware-Type */
1566 if ((vp = pairfind(packet->vps, 257, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1567 *p++ = vp->vp_integer & 0xFF;
1569 *p++ = 1; /* hardware type = ethernet */
1572 /* DHCP-Hardware-Address-Length */
1573 if ((vp = pairfind(packet->vps, 258, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1574 *p++ = vp->vp_integer & 0xFF;
1576 *p++ = 6; /* 6 bytes of ethernet */
1579 /* DHCP-Hop-Count */
1580 if ((vp = pairfind(packet->vps, 259, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1581 *p = vp->vp_integer & 0xff;
1585 /* DHCP-Transaction-Id */
1586 lvalue = htonl(packet->id);
1587 memcpy(p, &lvalue, 4);
1590 /* DHCP-Number-of-Seconds */
1591 if ((vp = pairfind(packet->vps, 261, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1592 lvalue = htonl(vp->vp_integer);
1593 memcpy(p, &lvalue, 2);
1598 if ((vp = pairfind(packet->vps, 262, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1599 lvalue = htons(vp->vp_integer);
1600 memcpy(p, &lvalue, 2);
1604 /* DHCP-Client-IP-Address */
1605 if ((vp = pairfind(packet->vps, 263, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1606 memcpy(p, &vp->vp_ipaddr, 4);
1610 /* DHCP-Your-IP-address */
1611 if ((vp = pairfind(packet->vps, 264, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1612 lvalue = vp->vp_ipaddr;
1614 lvalue = htonl(INADDR_ANY);
1616 memcpy(p, &lvalue, 4);
1619 /* DHCP-Server-IP-Address */
1620 vp = pairfind(packet->vps, 265, DHCP_MAGIC_VENDOR, TAG_ANY);
1622 lvalue = vp->vp_ipaddr;
1624 lvalue = htonl(INADDR_ANY);
1626 memcpy(p, &lvalue, 4);
1630 * DHCP-Gateway-IP-Address
1632 if ((vp = pairfind(packet->vps, 266, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1633 lvalue = vp->vp_ipaddr;
1635 lvalue = htonl(INADDR_ANY);
1637 memcpy(p, &lvalue, 4);
1640 /* DHCP-Client-Hardware-Address */
1641 if ((vp = pairfind(packet->vps, 267, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1642 if (vp->length == sizeof(vp->vp_ether)) {
1643 memcpy(p, vp->vp_ether, vp->length);
1644 } /* else ignore it */
1646 p += DHCP_CHADDR_LEN;
1648 /* DHCP-Server-Host-Name */
1649 if ((vp = pairfind(packet->vps, 268, DHCP_MAGIC_VENDOR, TAG_ANY))) {
1650 if (vp->length > DHCP_SNAME_LEN) {
1651 memcpy(p, vp->vp_strvalue, DHCP_SNAME_LEN);
1653 memcpy(p, vp->vp_strvalue, vp->length);
1656 p += DHCP_SNAME_LEN;
1659 * Copy over DHCP-Boot-Filename.
1661 * FIXME: This copy should be delayed until AFTER the options
1662 * have been processed. If there are too many options for
1663 * the packet, then they go into the sname && filename fields.
1664 * When that happens, the boot filename is passed as an option,
1665 * instead of being placed verbatim in the filename field.
1668 /* DHCP-Boot-Filename */
1669 vp = pairfind(packet->vps, 269, DHCP_MAGIC_VENDOR, TAG_ANY);
1671 if (vp->length > DHCP_FILE_LEN) {
1672 memcpy(p, vp->vp_strvalue, DHCP_FILE_LEN);
1674 memcpy(p, vp->vp_strvalue, vp->length);
1679 /* DHCP magic number */
1680 lvalue = htonl(DHCP_OPTION_MAGIC_NUMBER);
1681 memcpy(p, &lvalue, 4);
1687 if (fr_debug_flag > 1) {
1692 for (i = 0; i < 14; i++) {
1695 vp = pairmake(packet, NULL,
1696 dhcp_header_names[i], NULL, T_OP_EQ);
1699 strlcpy(buffer, fr_strerror(), sizeof(buffer));
1700 fr_strerror_printf("Cannot decode packet due to internal error: %s", buffer);
1704 switch (vp->da->type) {
1710 vp->vp_short = (p[0] << 8) | p[1];
1713 case PW_TYPE_INTEGER:
1714 memcpy(&vp->vp_integer, p, 4);
1715 vp->vp_integer = ntohl(vp->vp_integer);
1718 case PW_TYPE_IPV4_ADDR:
1719 memcpy(&vp->vp_ipaddr, p, 4);
1722 case PW_TYPE_STRING:
1723 vp->vp_strvalue = q = talloc_array(vp, char, dhcp_header_sizes[i] + 1);
1725 memcpy(q, p, dhcp_header_sizes[i]);
1726 q[dhcp_header_sizes[i]] = '\0';
1727 vp->length = strlen(vp->vp_strvalue);
1730 case PW_TYPE_OCTETS: /* only for Client HW Address */
1731 pairmemcpy(vp, p, packet->data[2]);
1734 case PW_TYPE_ETHERNET: /* only for Client HW Address */
1735 memcpy(vp->vp_ether, p, sizeof(vp->vp_ether));
1739 fr_strerror_printf("Internal sanity check failed %d %d", vp->da->type, __LINE__);
1744 p += dhcp_header_sizes[i];
1751 * Jump over DHCP magic number, response, etc.
1756 p[0] = 0x35; /* DHCP-Message-Type */
1758 p[2] = packet->code - PW_DHCP_OFFSET;
1763 * Pre-sort attributes into contiguous blocks so that fr_dhcp_encode_option
1764 * operates correctly. This changes the order of the list, but never mind...
1766 pairsort(&packet->vps, fr_dhcp_attr_cmp);
1767 fr_cursor_init(&cursor, &packet->vps);
1770 * Each call to fr_dhcp_encode_option will encode one complete DHCP option,
1773 while ((vp = fr_cursor_current(&cursor))) {
1774 len = fr_dhcp_encode_option(packet, p, packet->data_len - (p - packet->data), &cursor);
1776 if (len > 0) debug_pair(vp);
1780 p[0] = 0xff; /* end of option option */
1783 dhcp_size = p - packet->data;
1786 * FIXME: if (dhcp_size > mms),
1787 * then we put the extra options into the "sname" and "file"
1788 * fields, AND set the "end option option" in the "options"
1789 * field. We also set the "overload option",
1790 * and put options into the "file" field, followed by
1791 * the "sname" field. Where each option is completely
1792 * enclosed in the "file" and/or "sname" field, AND
1793 * followed by the "end of option", and MUST be followed
1794 * by padding option.
1796 * Yuck. That sucks...
1798 packet->data_len = dhcp_size;
1800 if (packet->data_len < DEFAULT_PACKET_SIZE) {
1801 memset(packet->data + packet->data_len, 0,
1802 DEFAULT_PACKET_SIZE - packet->data_len);
1803 packet->data_len = DEFAULT_PACKET_SIZE;
1806 if ((fr_debug_flag > 2) && fr_log_fp) {
1807 fprintf(fr_log_fp, "DHCP Sending %zu bytes\n", packet->data_len);
1808 for (i = 0; i < packet->data_len; i++) {
1809 if ((i & 0x0f) == 0x00) fprintf(fr_log_fp, "%d: ", (int) i);
1810 fprintf(fr_log_fp, "%02x ", packet->data[i]);
1811 if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n");
1813 fprintf(fr_log_fp, "\n");
1820 int fr_dhcp_add_arp_entry(int fd, char const *interface,
1821 VALUE_PAIR *macaddr, VALUE_PAIR *ip)
1823 struct sockaddr_in *sin;
1827 fr_strerror_printf("No interface specified. Cannot update ARP table");
1831 if (!fr_assert(macaddr) ||
1832 !fr_assert((macaddr->da->type == PW_TYPE_ETHERNET) || (macaddr->da->type == PW_TYPE_OCTETS))) {
1833 fr_strerror_printf("Wrong VP type (%s) for chaddr",
1834 fr_int2str(dict_attr_types, macaddr->da->type, "<invalid>"));
1838 if (macaddr->length > sizeof(req.arp_ha.sa_data)) {
1839 fr_strerror_printf("arp sa_data field too small (%zu octets) to contain chaddr (%zu octets)",
1840 sizeof(req.arp_ha.sa_data), macaddr->length);
1844 memset(&req, 0, sizeof(req));
1845 sin = (struct sockaddr_in *) &req.arp_pa;
1846 sin->sin_family = AF_INET;
1847 sin->sin_addr.s_addr = ip->vp_ipaddr;
1849 strlcpy(req.arp_dev, interface, sizeof(req.arp_dev));
1851 if (macaddr->da->type == PW_TYPE_ETHERNET) {
1852 memcpy(&req.arp_ha.sa_data, &macaddr->vp_ether, sizeof(macaddr->vp_ether));
1854 memcpy(&req.arp_ha.sa_data, macaddr->vp_octets, macaddr->length);
1857 req.arp_flags = ATF_COM;
1858 if (ioctl(fd, SIOCSARP, &req) < 0) {
1859 fr_strerror_printf("Failed to add entry in ARP cache: %s (%d)", fr_syserror(errno), errno);
1866 int fr_dhcp_add_arp_entry(UNUSED int fd, UNUSED char const *interface,
1867 UNUSED VALUE_PAIR *macaddr, UNUSED VALUE_PAIR *ip)
1869 fr_strerror_printf("Adding ARP entry is unsupported on this system");