2 * radeapclient.c EAP specific radius packet debug tool.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2000 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
24 static const char rcsid[] = "$Id$";
27 #include "libradius.h"
39 #include <sys/socket.h>
42 # include <netinet/in.h>
46 # include <sys/select.h>
56 #include "../include/md5.h"
58 #include "eap_types.h"
61 static int retries = 10;
62 static float timeout = 3;
63 static const char *secret = NULL;
64 static int do_output = 1;
65 static int do_summary = 0;
66 static int filedone = 0;
67 static int totalapp = 0;
68 static int totaldeny = 0;
69 static char filesecret[256];
70 const char *radius_dir = RADDBDIR;
71 const char *progname = "radeapclient";
72 /* lrad_randctx randctx; */
75 radlog_dest_t radlog_dest = RADLOG_STDERR;
76 const char *radlog_dir = NULL;
78 struct main_config_t mainconfig;
81 struct eapsim_keys eapsim_mk;
83 static void usage(void)
85 fprintf(stderr, "Usage: radeapclient [options] server[:port] <command> [<secret>]\n");
87 fprintf(stderr, " <command> One of auth, acct, status, or disconnect.\n");
88 fprintf(stderr, " -c count Send each packet 'count' times.\n");
89 fprintf(stderr, " -d raddb Set dictionary directory.\n");
90 fprintf(stderr, " -f file Read packets from file, not stdin.\n");
91 fprintf(stderr, " -r retries If timeout, retry sending the packet 'retries' times.\n");
92 fprintf(stderr, " -t timeout Wait 'timeout' seconds before retrying (may be a floating point number).\n");
93 fprintf(stderr, " -i id Set request id to 'id'. Values may be 0..255\n");
94 fprintf(stderr, " -S file read secret from file, not command line.\n");
95 fprintf(stderr, " -q Do not print anything out.\n");
96 fprintf(stderr, " -s Print out summary information of auth results.\n");
97 fprintf(stderr, " -v Show program version information.\n");
98 fprintf(stderr, " -x Debugging mode.\n");
103 int radlog(int lvl, const char *msg, ...)
108 r = lvl; /* shut up compiler */
111 r = vfprintf(stderr, msg, ap);
118 static int getport(const char *name)
122 svp = getservbyname (name, "udp");
127 return ntohs(svp->s_port);
130 static int send_packet(RADIUS_PACKET *req, RADIUS_PACKET **rep)
135 for (i = 0; i < retries; i++) {
138 rad_send(req, NULL, secret);
140 /* And wait for reply, timing out as necessary */
142 FD_SET(req->sockfd, &rdfdesc);
144 tv.tv_sec = (int)timeout;
145 tv.tv_usec = 1000000 * (timeout - (int) timeout);
147 /* Something's wrong if we don't get exactly one fd. */
148 if (select(req->sockfd + 1, &rdfdesc, NULL, NULL, &tv) != 1) {
152 *rep = rad_recv(req->sockfd);
155 * If we get a response from a machine
156 * which we did NOT send a request to,
159 if (((*rep)->src_ipaddr != req->dst_ipaddr) ||
160 ((*rep)->src_port != req->dst_port)) {
161 char src[64], dst[64];
163 ip_ntoa(src, (*rep)->src_ipaddr);
164 ip_ntoa(dst, req->dst_ipaddr);
165 fprintf(stderr, "radclient: ERROR: Sent request to host %s:%d, got response from host %s:%d\n!",
167 src, (*rep)->src_port);
171 } else { /* NULL: couldn't receive the packet */
172 librad_perror("radclient:");
177 /* No response or no data read (?) */
179 fprintf(stderr, "radclient: no response from server\n");
183 if (rad_decode(*rep, req, secret) != 0) {
184 librad_perror("rad_decode");
188 /* libradius debug already prints out the value pairs for us */
189 if (!librad_debug && do_output) {
190 printf("Received response ID %d, code %d, length = %d\n",
191 (*rep)->id, (*rep)->code, (*rep)->data_len);
192 vp_printlist(stdout, (*rep)->vps);
194 if((*rep)->code == PW_AUTHENTICATION_ACK) {
203 static void cleanresp(RADIUS_PACKET *resp)
205 VALUE_PAIR *vpnext, *vp, **last;
209 * maybe should just copy things we care about, or keep
210 * a copy of the original input and start from there again?
212 pairdelete(&resp->vps, PW_EAP_MESSAGE);
213 pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY);
216 for(vp = *last; vp != NULL; vp = vpnext)
220 if((vp->attribute > ATTRIBUTE_EAP_BASE &&
221 vp->attribute <= ATTRIBUTE_EAP_BASE+256) ||
222 (vp->attribute > ATTRIBUTE_EAP_SIM_BASE &&
223 vp->attribute <= ATTRIBUTE_EAP_SIM_BASE+256))
234 * we got an EAP-Request/Sim/Start message in a legal state.
236 * pick a supported version, put it into the reply, and insert a nonce.
238 static int process_eap_start(RADIUS_PACKET *req,
241 VALUE_PAIR *vp, *newvp;
242 VALUE_PAIR *anyidreq_vp, *fullauthidreq_vp, *permanentidreq_vp;
243 uint16_t *versions, selectedversion;
244 unsigned int i,versioncount;
246 /* form new response clear of any EAP stuff */
249 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_VERSION_LIST)) == NULL) {
250 fprintf(stderr, "illegal start message has no VERSION_LIST\n");
254 versions = (uint16_t *)vp->strvalue;
256 /* verify that the attribute length is big enough for a length field */
259 fprintf(stderr, "start message has illegal VERSION_LIST. Too short: %d\n", vp->length);
263 versioncount = ntohs(versions[0]);
264 /* verify that the attribute length is big enough for the given number
265 * of versions present.
267 if((unsigned)vp->length <= (versioncount * sizeof(uint16_t) + 2))
269 fprintf(stderr, "start message is too short. Claimed %d versions does not fit in %d bytes\n", versioncount, vp->length);
274 * record the versionlist for the MK calculation.
276 eapsim_mk.versionlistlen = versioncount*2;
277 memcpy(eapsim_mk.versionlist, (unsigned char *)(versions+1),
278 eapsim_mk.versionlistlen);
280 /* walk the version list, and pick the one we support, which
281 * at present, is 1, EAP_SIM_VERSION.
284 for(i=0; i < versioncount; i++)
286 if(ntohs(versions[i+1]) == EAP_SIM_VERSION)
288 selectedversion=EAP_SIM_VERSION;
292 if(selectedversion == 0)
294 fprintf(stderr, "eap-sim start message. No compatible version found. We need %d\n", EAP_SIM_VERSION);
295 for(i=0; i < versioncount; i++)
297 fprintf(stderr, "\tfound version %d\n",
298 ntohs(versions[i+1]));
303 * now make sure that we have only FULLAUTH_ID_REQ.
304 * I think that it actually might not matter - we can answer in
305 * anyway we like, but it is illegal to have more than one
308 anyidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_ANY_ID_REQ);
309 fullauthidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_FULLAUTH_ID_REQ);
310 permanentidreq_vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_PERMANENT_ID_REQ);
312 if(fullauthidreq_vp == NULL ||
313 anyidreq_vp != NULL ||
314 permanentidreq_vp != NULL) {
315 fprintf(stderr, "start message has %sanyidreq, %sfullauthid and %spermanentid. Illegal combination.\n",
316 (anyidreq_vp != NULL ? "a " : "no "),
317 (fullauthidreq_vp != NULL ? "a " : "no "),
318 (permanentidreq_vp != NULL ? "a " : "no "));
322 /* okay, we have just any_id_req there, so fill in response */
324 /* mark the subtype as being EAP-SIM/Response/Start */
325 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, PW_TYPE_INTEGER);
326 newvp->lvalue = eapsim_start;
327 pairreplace(&(rep->vps), newvp);
329 /* insert selected version into response. */
330 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_SELECTED_VERSION,
332 versions = (uint16_t *)newvp->strvalue;
333 versions[0] = htons(selectedversion);
335 pairreplace(&(rep->vps), newvp);
337 /* record the selected version */
338 memcpy(eapsim_mk.versionselect, (unsigned char *)versions, 2);
345 * insert a nonce_mt that we make up.
347 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_NONCE_MT,
349 newvp->strvalue[0]=0;
350 newvp->strvalue[1]=0;
351 newvp->length = 18; /* 16 bytes of nonce + padding */
353 nonce[0]=lrad_rand();
354 nonce[1]=lrad_rand();
355 nonce[2]=lrad_rand();
356 nonce[3]=lrad_rand();
357 memcpy(&newvp->strvalue[2], nonce, 16);
358 pairreplace(&(rep->vps), newvp);
360 /* also keep a copy of the nonce! */
361 memcpy(eapsim_mk.nonce_mt, nonce, 16);
365 uint16_t *pidlen, idlen;
368 * insert the identity here.
370 vp = pairfind(rep->vps, PW_USER_NAME);
373 fprintf(stderr, "eap-sim: We need to have a User-Name attribute!\n");
376 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_IDENTITY,
378 idlen = strlen(vp->strvalue);
379 pidlen = (uint16_t *)newvp->strvalue;
380 *pidlen = htons(idlen);
381 newvp->length = idlen + 2;
383 memcpy(&newvp->strvalue[2], vp->strvalue, idlen);
384 pairreplace(&(rep->vps), newvp);
387 memcpy(eapsim_mk.identity, vp->strvalue, idlen);
388 eapsim_mk.identitylen = idlen;
395 * we got an EAP-Request/Sim/Challenge message in a legal state.
397 * use the RAND challenge to produce the SRES result, and then
398 * use that to generate a new MAC.
400 * for the moment, we ignore the RANDs, then just plug in the SRES
404 static int process_eap_challenge(RADIUS_PACKET *req,
408 VALUE_PAIR *mac, *randvp;
409 VALUE_PAIR *sres1,*sres2,*sres3;
410 VALUE_PAIR *Kc1, *Kc2, *Kc3;
413 /* look for the AT_MAC and the challenge data */
414 mac = pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC);
415 randvp= pairfind(req->vps, ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_RAND);
416 if(mac == NULL || rand == NULL) {
417 fprintf(stderr, "radeapclient: challenge message needs to contain RAND and MAC\n");
422 * XXX compare RAND with randX, to verify this is the right response
427 * now dig up the sres values from the response packet,
428 * which were put there when we read things in.
430 * Really, they should be calculated from the RAND!
433 sres1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES1);
434 sres2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES2);
435 sres3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_SRES3);
440 fprintf(stderr, "radeapclient: needs to have sres1, 2 and 3 set.\n");
443 memcpy(eapsim_mk.sres[0], sres1->strvalue, sizeof(eapsim_mk.sres[0]));
444 memcpy(eapsim_mk.sres[1], sres2->strvalue, sizeof(eapsim_mk.sres[1]));
445 memcpy(eapsim_mk.sres[2], sres3->strvalue, sizeof(eapsim_mk.sres[2]));
447 Kc1 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC1);
448 Kc2 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC2);
449 Kc3 = pairfind(rep->vps, ATTRIBUTE_EAP_SIM_KC3);
454 fprintf(stderr, "radeapclient: needs to have Kc1, 2 and 3 set.\n");
457 memcpy(eapsim_mk.Kc[0], Kc1->strvalue, sizeof(eapsim_mk.Kc[0]));
458 memcpy(eapsim_mk.Kc[1], Kc2->strvalue, sizeof(eapsim_mk.Kc[1]));
459 memcpy(eapsim_mk.Kc[2], Kc3->strvalue, sizeof(eapsim_mk.Kc[2]));
461 /* all set, calculate keys */
462 eapsim_calculate_keys(&eapsim_mk);
465 eapsim_dump_mk(&eapsim_mk);
468 /* verify the MAC, now that we have all the keys. */
469 if(eapsim_checkmac(req->vps, eapsim_mk.K_aut,
470 eapsim_mk.nonce_mt, sizeof(eapsim_mk.nonce_mt),
472 printf("MAC check succeed\n");
476 printf("calculated MAC (");
477 for (i = 0; i < 20; i++) {
484 printf("%02x", calcmac[i]);
486 printf(" did not match\n");
490 /* form new response clear of any EAP stuff */
493 /* mark the subtype as being EAP-SIM/Response/Start */
494 newvp = paircreate(ATTRIBUTE_EAP_SIM_SUBTYPE, PW_TYPE_INTEGER);
495 newvp->lvalue = eapsim_challenge;
496 pairreplace(&(rep->vps), newvp);
498 newvp = paircreate(ATTRIBUTE_EAP_SIM_BASE+PW_EAP_SIM_MAC,
500 memcpy(newvp->strvalue+EAPSIM_SRES_SIZE*0, sres1->strvalue, EAPSIM_SRES_SIZE);
501 memcpy(newvp->strvalue+EAPSIM_SRES_SIZE*1, sres2->strvalue, EAPSIM_SRES_SIZE);
502 memcpy(newvp->strvalue+EAPSIM_SRES_SIZE*2, sres3->strvalue, EAPSIM_SRES_SIZE);
503 newvp->length = EAPSIM_SRES_SIZE*3;
504 pairreplace(&(rep->vps), newvp);
506 newvp = paircreate(ATTRIBUTE_EAP_SIM_KEY, PW_TYPE_OCTETS);
507 memcpy(newvp->strvalue, eapsim_mk.K_aut, EAPSIM_AUTH_SIZE);
508 newvp->length = EAPSIM_AUTH_SIZE;
509 pairreplace(&(rep->vps), newvp);
515 * this code runs the EAP-SIM client state machine.
516 * the *request* is from the server.
517 * the *reponse* is to the server.
520 static int respond_eap_sim(RADIUS_PACKET *req,
523 enum eapsim_clientstates state, newstate;
524 enum eapsim_subtype subtype;
525 VALUE_PAIR *vp, *statevp, *radstate, *eapid;
526 char statenamebuf[32], subtypenamebuf[32];
528 if ((radstate = paircopy2(req->vps, PW_STATE)) == NULL)
533 if ((eapid = paircopy2(req->vps, ATTRIBUTE_EAP_ID)) == NULL)
538 /* first, dig up the state from the request packet, setting
539 * outselves to be in EAP-SIM-Start state if there is none.
542 if((statevp = pairfind(resp->vps, ATTRIBUTE_EAP_SIM_STATE)) == NULL)
544 /* must be initial request */
545 statevp = paircreate(ATTRIBUTE_EAP_SIM_STATE, PW_TYPE_INTEGER);
546 statevp->lvalue = eapsim_client_init;
547 pairreplace(&(resp->vps), statevp);
549 state = statevp->lvalue;
552 * map the attributes, and authenticate them.
554 unmap_eapsim_types(req);
556 printf("<+++ EAP-sim decoded packet:\n");
557 vp_printlist(stdout, req->vps);
559 if((vp = pairfind(req->vps, ATTRIBUTE_EAP_SIM_SUBTYPE)) == NULL)
563 subtype = vp->lvalue;
566 * look for the appropriate state, and process incoming message
569 case eapsim_client_init:
572 newstate = process_eap_start(req, resp);
575 case eapsim_challenge:
576 case eapsim_notification:
579 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
580 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
581 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
582 /* invalid state, drop message */
587 case eapsim_client_start:
590 /* NOT SURE ABOUT THIS ONE, retransmit, I guess */
591 newstate = process_eap_start(req, resp);
594 case eapsim_challenge:
595 newstate = process_eap_challenge(req, resp);
599 fprintf(stderr, "radeapclient: sim in state %s message %s is illegal. Reply dropped.\n",
600 sim_state2name(state, statenamebuf, sizeof(statenamebuf)),
601 sim_subtype2name(subtype, subtypenamebuf, sizeof(subtypenamebuf)));
602 /* invalid state, drop message */
609 fprintf(stderr, "radeapclient: sim in illegal state %s\n",
610 sim_state2name(state, statenamebuf, sizeof(statenamebuf)));
614 /* copy the eap state object in */
615 pairreplace(&(resp->vps), eapid);
617 /* update stete info, and send new packet */
618 map_eapsim_types(resp);
620 /* copy the radius state object in */
621 pairreplace(&(resp->vps), radstate);
623 statevp->lvalue = newstate;
627 static int respond_eap_md5(RADIUS_PACKET *req,
630 VALUE_PAIR *vp, *id, *state;
631 int valuesize, namesize;
632 unsigned char identifier;
633 unsigned char *value;
640 if ((state = paircopy2(req->vps, PW_STATE)) == NULL)
642 fprintf(stderr, "radeapclient: no state attribute found\n");
646 if ((id = paircopy2(req->vps, ATTRIBUTE_EAP_ID)) == NULL)
648 fprintf(stderr, "radeapclient: no EAP-ID attribute found\n");
651 identifier = id->lvalue;
653 if ((vp = pairfind(req->vps, ATTRIBUTE_EAP_BASE+PW_EAP_MD5)) == NULL)
655 fprintf(stderr, "radeapclient: no EAP-MD5 attribute found\n");
659 /* got the details of the MD5 challenge */
660 valuesize = vp->strvalue[0];
661 value = &vp->strvalue[1];
662 name = &vp->strvalue[valuesize+1];
663 namesize = vp->length - (valuesize + 1);
666 if(valuesize > vp->length)
668 fprintf(stderr, "radeapclient: md5 valuesize if too big (%d > %d)\n",
669 valuesize, vp->length);
673 /* now do the CHAP operation ourself, rather than build the
674 * buffer. We could also call rad_chap_encode, but it wants
675 * a CHAP-Challenge, which we don't want to bother with.
677 librad_MD5Init(&context);
678 librad_MD5Update(&context, &identifier, 1);
679 librad_MD5Update(&context, password, strlen(password));
680 librad_MD5Update(&context, value, valuesize);
681 librad_MD5Final(response, &context);
683 vp = paircreate(ATTRIBUTE_EAP_BASE+PW_EAP_MD5, PW_TYPE_OCTETS);
685 memcpy(&vp->strvalue[1], response, 16);
688 pairreplace(&(rep->vps), vp);
690 pairreplace(&(rep->vps), id);
692 /* copy the state object in */
693 pairreplace(&(rep->vps), state);
700 static int sendrecv_eap(RADIUS_PACKET *rep)
702 RADIUS_PACKET *req = NULL;
703 VALUE_PAIR *vp, *vpnext;
704 int tried_eap_md5 = 0;
707 * Keep a copy of the the User-Password attribute.
709 if ((vp = pairfind(rep->vps, ATTRIBUTE_EAP_MD5_PASSWORD)) != NULL) {
710 strNcpy(password, (char *)vp->strvalue, sizeof(vp->strvalue));
712 } else if ((vp = pairfind(rep->vps, PW_PASSWORD)) != NULL) {
713 strNcpy(password, (char *)vp->strvalue, sizeof(vp->strvalue));
715 * Otherwise keep a copy of the CHAP-Password attribute.
717 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD)) != NULL) {
718 strNcpy(password, (char *)vp->strvalue, sizeof(vp->strvalue));
726 printf("\n+++> About to send encoded packet:\n");
727 vp_printlist(stdout, rep->vps);
730 * if there are EAP types, encode them into an EAP-Message
736 * Fix up Digest-Attributes issues
738 for (vp = rep->vps; vp != NULL; vp = vp->next) {
739 switch (vp->attribute) {
743 case PW_DIGEST_REALM:
744 case PW_DIGEST_NONCE:
745 case PW_DIGEST_METHOD:
748 case PW_DIGEST_ALGORITHM:
749 case PW_DIGEST_BODY_DIGEST:
750 case PW_DIGEST_CNONCE:
751 case PW_DIGEST_NONCE_COUNT:
752 case PW_DIGEST_USER_NAME:
754 memmove(&vp->strvalue[2], &vp->strvalue[0], vp->length);
755 vp->strvalue[0] = vp->attribute - PW_DIGEST_REALM + 1;
757 vp->strvalue[1] = vp->length;
758 vp->attribute = PW_DIGEST_ATTRIBUTES;
764 * If we've already sent a packet, free up the old
765 * one, and ensure that the next packet has a unique
766 * ID and authentication vector.
773 librad_md5_calc(rep->vector, rep->vector,
774 sizeof(rep->vector));
776 if (*password != '\0') {
777 if ((vp = pairfind(rep->vps, PW_PASSWORD)) != NULL) {
778 strNcpy((char *)vp->strvalue, password, strlen(password) + 1);
779 vp->length = strlen(password);
781 } else if ((vp = pairfind(rep->vps, PW_CHAP_PASSWORD)) != NULL) {
782 strNcpy((char *)vp->strvalue, password, strlen(password) + 1);
783 vp->length = strlen(password);
785 rad_chap_encode(rep, (char *) vp->strvalue, rep->id, vp);
788 } /* there WAS a password */
790 /* send the response, wait for the next request */
791 send_packet(rep, &req);
793 /* okay got back the packet, go and decode the EAP-Message. */
794 unmap_eap_types(req);
796 printf("<+++ EAP decoded packet:\n");
797 vp_printlist(stdout, req->vps);
799 /* now look for the code type. */
800 for (vp = req->vps; vp != NULL; vp = vpnext) {
803 switch (vp->attribute) {
807 case ATTRIBUTE_EAP_BASE+PW_EAP_MD5:
808 if(respond_eap_md5(req, rep) && tried_eap_md5 < 3)
815 case ATTRIBUTE_EAP_BASE+PW_EAP_SIM:
816 if(respond_eap_sim(req, rep))
828 int main(int argc, char **argv)
834 char *filename = NULL;
839 id = ((int)getpid() & 0xff);
842 radlog_dest = RADLOG_STDERR;
844 while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xv")) != EOF)
848 if (!isdigit((int) *optarg))
850 count = atoi(optarg);
867 if (!isdigit((int) *optarg))
869 retries = atoi(optarg);
872 if (!isdigit((int) *optarg))
875 if ((id < 0) || (id > 255)) {
883 if (!isdigit((int) *optarg))
885 timeout = atof(optarg);
888 printf("radclient: $Id$ built on " __DATE__ " at " __TIME__ "\n");
892 fp = fopen(optarg, "r");
894 fprintf(stderr, "radclient: Error opening %s: %s\n",
895 optarg, strerror(errno));
898 if (fgets(filesecret, sizeof(filesecret), fp) == NULL) {
899 fprintf(stderr, "radclient: Error reading %s: %s\n",
900 optarg, strerror(errno));
905 /* truncate newline */
906 p = filesecret + strlen(filesecret) - 1;
907 while ((p >= filesecret) &&
913 if (strlen(filesecret) < 2) {
914 fprintf(stderr, "radclient: Secret in %s is too short\n", optarg);
925 argc -= (optind - 1);
926 argv += (optind - 1);
929 ((secret == NULL) && (argc < 4))) {
933 if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) {
934 librad_perror("radclient");
938 if ((req = rad_alloc(1)) == NULL) {
939 librad_perror("radclient");
947 if((randinit = fopen("/dev/urandom", "r")) == NULL)
949 perror("/dev/urandom");
951 fread(randctx.randrsl, 256, 1, randinit);
955 lrad_randinit(&randctx, 1);
961 * Strip port from hostname if needed.
963 if ((p = strchr(argv[1], ':')) != NULL) {
969 * See what kind of request we want to send.
971 if (strcmp(argv[2], "auth") == 0) {
972 if (port == 0) port = getport("radius");
973 if (port == 0) port = PW_AUTH_UDP_PORT;
974 req->code = PW_AUTHENTICATION_REQUEST;
976 } else if (strcmp(argv[2], "acct") == 0) {
977 if (port == 0) port = getport("radacct");
978 if (port == 0) port = PW_ACCT_UDP_PORT;
979 req->code = PW_ACCOUNTING_REQUEST;
982 } else if (strcmp(argv[2], "status") == 0) {
983 if (port == 0) port = getport("radius");
984 if (port == 0) port = PW_AUTH_UDP_PORT;
985 req->code = PW_STATUS_SERVER;
987 } else if (strcmp(argv[2], "disconnect") == 0) {
988 if (port == 0) port = PW_POD_UDP_PORT;
989 req->code = PW_DISCONNECT_REQUEST;
991 } else if (isdigit((int) argv[2][0])) {
992 if (port == 0) port = getport("radius");
993 if (port == 0) port = PW_AUTH_UDP_PORT;
994 req->code = atoi(argv[2]);
1000 * Ensure that the configuration is initialized.
1002 memset(&mainconfig, 0, sizeof(mainconfig));
1007 req->dst_port = port;
1008 req->dst_ipaddr = ip_getaddr(argv[1]);
1009 if (req->dst_ipaddr == INADDR_NONE) {
1010 fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]);
1017 if (argv[3]) secret = argv[3];
1021 * Maybe read them, from stdin, if there's no
1022 * filename, or if the filename is '-'.
1024 if (filename && (strcmp(filename, "-") != 0)) {
1025 fp = fopen(filename, "r");
1027 fprintf(stderr, "radclient: Error opening %s: %s\n",
1028 filename, strerror(errno));
1038 if ((req->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
1039 perror("radclient: socket: ");
1044 if(req->vps) pairfree(&req->vps);
1046 if ((req->vps = readvp2(fp, &filedone, "radeapclient:"))
1055 printf("\n\t Total approved auths: %d\n", totalapp);
1056 printf("\t Total denied auths: %d\n", totaldeny);