X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=lib%2Fpacket.c;h=a0b3eb2e9ae496f61988e942477e1ae2ee2f21a3;hb=fed9094cd8cda69605d0c103acd14308379b6eb0;hp=b7ec05a09acfd620e92829ea6bf00ea404f7185c;hpb=397c523a8c21e35f2e0370977a8da1598dde42b4;p=radsecproxy.git diff --git a/lib/packet.c b/lib/packet.c index b7ec05a..a0b3eb2 100644 --- a/lib/packet.c +++ b/lib/packet.c @@ -1,428 +1,155 @@ -/* See the file COPYING for licensing information. */ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ #if defined HAVE_CONFIG_H #include #endif #include -#include #include -#include -#include +#include #include -#if defined RS_ENABLE_TLS -#include -#include -#endif #include #include -#include "tls.h" -#if defined DEBUG -#include -#include +#include "conn.h" #include "debug.h" -#endif - -static int -_do_send (struct rs_packet *pkt) -{ - int err; - VALUE_PAIR *vp; +#include "packet.h" - assert (pkt->rpkt); - assert (!pkt->original); - - vp = paircreate (PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS); - if (!vp) - return rs_err_conn_push_fl (pkt->conn, RSE_NOMEM, __FILE__, __LINE__, - "paircreate: %s", fr_strerror ()); - pairadd (&pkt->rpkt->vps, vp); - - if (rad_encode (pkt->rpkt, NULL, pkt->conn->active_peer->secret)) - return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__, - "rad_encode: %s", fr_strerror ()); - if (rad_sign (pkt->rpkt, NULL, pkt->conn->active_peer->secret)) - return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__, - "rad_sign: %s", fr_strerror ()); #if defined (DEBUG) - { - char host[80], serv[80]; - - getnameinfo (pkt->conn->active_peer->addr->ai_addr, - pkt->conn->active_peer->addr->ai_addrlen, - host, sizeof(host), serv, sizeof(serv), - 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); - rs_debug ("%s: about to send this to %s:%s:\n", __func__, host, serv); - rs_dump_packet (pkt); - } +#include +#include +#include #endif - err = bufferevent_write (pkt->conn->bev, pkt->rpkt->data, - pkt->rpkt->data_len); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_write: %s", - evutil_gai_strerror(err)); - return RSE_OK; -} - -static void -_event_cb (struct bufferevent *bev, short events, void *ctx) +int +packet_verify_response (struct rs_connection *conn, + struct rs_packet *response, + struct rs_packet *request) { - struct rs_packet *pkt = (struct rs_packet *)ctx; - struct rs_connection *conn; - struct rs_peer *p; -#if defined RS_ENABLE_TLS - unsigned long err; -#endif - - assert (pkt); - assert (pkt->conn); - assert (pkt->conn->active_peer); - conn = pkt->conn; - p = conn->active_peer; + int err; - p->is_connecting = 0; - if (events & BEV_EVENT_CONNECTED) + assert (conn); + assert (conn->active_peer); + assert (conn->active_peer->secret); + assert (response); + assert (response->rpkt); + assert (request); + assert (request->rpkt); + + response->rpkt->secret = conn->active_peer->secret; + response->rpkt->sizeof_secret = strlen (conn->active_peer->secret); + + /* Verify header and message authenticator. */ + err = nr_packet_verify (response->rpkt, request->rpkt); + if (err) { - p->is_connected = 1; - if (conn->callbacks.connected_cb) - conn->callbacks.connected_cb (conn->user_data); - rs_debug ("%s: connected\n", __func__); - if (_do_send (pkt)) - return; - if (conn->callbacks.sent_cb) - conn->callbacks.sent_cb (conn->user_data); - /* Packet will be freed in write callback. */ + if (conn->is_connected) + rs_conn_disconnect(conn); + return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, + "nr_packet_verify"); } - else if (events & BEV_EVENT_ERROR) + + /* Decode and decrypt. */ + err = nr_packet_decode (response->rpkt, request->rpkt); + if (err) { -#if defined RS_ENABLE_TLS - if (conn->tls_ssl) /* FIXME: correct check? */ - { - for (err = bufferevent_get_openssl_error (conn->bev); - err; - err = bufferevent_get_openssl_error (conn->bev)) - { - fprintf (stderr, "%s: DEBUG: openssl error: %s\n", __func__, - ERR_error_string (err, NULL)); /* FIXME: DEBUG, until verified that pushed errors will actually be handled */ - rs_err_conn_push_fl (pkt->conn, RSE_SSLERR, __FILE__, __LINE__, - "%d", err); - } - } -#endif /* RS_ENABLE_TLS */ - - rs_err_conn_push_fl (pkt->conn, RSE_CONNERR, __FILE__, __LINE__, NULL); - fprintf (stderr, "%s: DEBUG: BEV_EVENT_ERROR\n", __func__); /* FIXME: DEBUG, until verified that pushed errors will actually be handled */ + if (conn->is_connected) + rs_conn_disconnect(conn); + return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, + "nr_packet_decode"); } -} - -static void -_write_cb (struct bufferevent *bev, void *ctx) -{ - struct rs_packet *pkt = (struct rs_packet *) ctx; - int err; - assert (pkt); - assert (pkt->conn); - - rs_debug ("%s: packet written, breaking event loop\n", __func__); - err = event_base_loopbreak (pkt->conn->evb); - if (err < 0) - rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_loopbreak: %s", - evutil_gai_strerror(err)); + return RSE_OK; } -static void -_read_cb (struct bufferevent *bev, void *ctx) + +/* Badly named function for preparing a RADIUS message and queue it. + FIXME: Rename. */ +int +packet_do_send (struct rs_packet *pkt) { - struct rs_packet *pkt = (struct rs_packet *)ctx; int err; - size_t n; assert (pkt); assert (pkt->conn); + assert (pkt->conn->active_peer); + assert (pkt->conn->active_peer->secret); assert (pkt->rpkt); - pkt->rpkt->sockfd = pkt->conn->active_peer->fd; /* FIXME: Why? */ - pkt->rpkt->vps = NULL; /* FIXME: Why? */ + pkt->rpkt->secret = pkt->conn->active_peer->secret; + pkt->rpkt->sizeof_secret = strlen (pkt->rpkt->secret); - if (!pkt->hdr_read_flag) - { - n = bufferevent_read (pkt->conn->bev, pkt->hdr, RS_HEADER_LEN); - if (n == RS_HEADER_LEN) - { - pkt->hdr_read_flag = 1; - pkt->rpkt->data_len = (pkt->hdr[2] << 8) + pkt->hdr[3]; - if (pkt->rpkt->data_len < 20 /* || len > 4096 */) - abort (); /* FIXME: Read and discard invalid packet. */ - pkt->rpkt->data = rs_malloc (pkt->conn->ctx, pkt->rpkt->data_len); - if (!pkt->rpkt->data) - { - rs_err_conn_push_fl (pkt->conn, RSE_NOMEM, __FILE__, __LINE__, - NULL); - abort (); /* FIXME: handle ENOMEM. */ - } - memcpy (pkt->rpkt->data, pkt->hdr, RS_HEADER_LEN); - bufferevent_setwatermark (pkt->conn->bev, EV_READ, - pkt->rpkt->data_len - RS_HEADER_LEN, 0); - rs_debug ("%s: packet header read, total pkt len=%d\n", - __func__, pkt->rpkt->data_len); - } - else if (n < 0) - return; /* Buffer frozen. FIXME: Properly handled above? */ - else - { - assert (!"short header"); - abort (); /* FIXME: handle short header */ - } - } + /* Encode message. */ + err = nr_packet_encode (pkt->rpkt, NULL); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "nr_packet_encode"); + /* Sign message. */ + err = nr_packet_sign (pkt->rpkt, NULL); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "nr_packet_sign"); +#if defined (DEBUG) + { + char host[80], serv[80]; - rs_debug ("%s: trying to read %d octets of packet data\n", __func__, - pkt->rpkt->data_len - RS_HEADER_LEN); - n = bufferevent_read (pkt->conn->bev, - pkt->rpkt->data + RS_HEADER_LEN, - pkt->rpkt->data_len - RS_HEADER_LEN); - rs_debug ("%s: read %ld octets of packet data\n", __func__, n); + getnameinfo (pkt->conn->active_peer->addr_cache->ai_addr, + pkt->conn->active_peer->addr_cache->ai_addrlen, + host, sizeof(host), serv, sizeof(serv), + 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); + rs_debug (("%s: about to send this to %s:%s:\n", __func__, host, serv)); + rs_dump_packet (pkt); + } +#endif - if (n == pkt->rpkt->data_len - RS_HEADER_LEN) + /* Put message in output buffer. */ + if (pkt->conn->bev) /* TCP. */ { - bufferevent_disable (pkt->conn->bev, EV_READ); - rs_debug ("%s: complete packet read\n", __func__); - pkt->hdr_read_flag = 0; - memset (pkt->hdr, 0, sizeof(*pkt->hdr)); - if (!rad_packet_ok (pkt->rpkt, 0) != 0) - { - rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__, - "rad_packet_ok: %s", fr_strerror ()); - return; - } - assert (pkt->original); /* FIXME: where's the bug if this fires? */ - - /* Verify header and message authenticator. */ - if (rad_verify (pkt->rpkt, pkt->original->rpkt, - pkt->conn->active_peer->secret)) - { - rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__, - "rad_verify: %s", fr_strerror ()); - return; - } - - /* Decode and decrypt. */ - if (rad_decode (pkt->rpkt, pkt->original->rpkt, - pkt->conn->active_peer->secret)) - { - rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__, - "rad_decode: %s", fr_strerror ()); - return; - } - - if (pkt->conn->callbacks.received_cb) - pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data); - - err = event_base_loopbreak (pkt->conn->evb); + int err = bufferevent_write (pkt->conn->bev, pkt->rpkt->data, + pkt->rpkt->length); if (err < 0) - { - rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_loopbreak: %s", - evutil_gai_strerror(err)); - return; - } + return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, + "bufferevent_write: %s", + evutil_gai_strerror (err)); } - else if (n < 0) - return; /* Buffer frozen. FIXME: Properly handled? */ - else + else /* UDP. */ { - assert (!"short packet"); - abort (); /* FIXME: handle short packet */ - } -} + struct rs_packet **pp = &pkt->conn->out_queue; -static void -_evlog_cb (int severity, const char *msg) -{ - const char *sevstr; - switch (severity) - { - case _EVENT_LOG_DEBUG: -#if !defined (DEBUG_LEVENT) - return; -#endif - sevstr = "debug"; - break; - case _EVENT_LOG_MSG: - sevstr = "msg"; - break; - case _EVENT_LOG_WARN: - sevstr = "warn"; - break; - case _EVENT_LOG_ERR: - sevstr = "err"; - break; - default: - sevstr = "???"; - break; + while (*pp && (*pp)->next) + *pp = (*pp)->next; + *pp = pkt; } - fprintf (stderr, "libevent: [%s] %s\n", sevstr, msg); /* FIXME: stderr? */ -} -static int -_init_evb (struct rs_connection *conn) -{ - if (!conn->evb) - { -#if defined (DEBUG) - event_enable_debug_mode (); -#endif - event_set_log_callback (_evlog_cb); - conn->evb = event_base_new (); - if (!conn->evb) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_new"); - } return RSE_OK; } -static int -_init_socket (struct rs_connection *conn, struct rs_peer *p) -{ - if (p->fd != -1) - return RSE_OK; - - assert (p->addr); - p->fd = socket (p->addr->ai_family, p->addr->ai_socktype, - p->addr->ai_protocol); - if (p->fd < 0) - return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__, - strerror (errno)); - if (evutil_make_socket_nonblocking (p->fd) < 0) - { - evutil_closesocket (p->fd); - return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__, - strerror (errno)); - } - return RSE_OK; -} - -static struct rs_peer * -_pick_peer (struct rs_connection *conn) -{ - if (!conn->active_peer) - conn->active_peer = conn->peers; - return conn->active_peer; -} - -static int -_init_bev (struct rs_connection *conn, struct rs_peer *peer) -{ - if (conn->bev) - return RSE_OK; - - switch (conn->type) - { - case RS_CONN_TYPE_UDP: - case RS_CONN_TYPE_TCP: - conn->bev = bufferevent_socket_new (conn->evb, peer->fd, 0); - if (!conn->bev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_socket_new"); - break; -#if defined RS_ENABLE_TLS - case RS_CONN_TYPE_TLS: - if (rs_tls_init (conn)) - return -1; - /* Would be convenient to pass BEV_OPT_CLOSE_ON_FREE but things - seem to break when be_openssl_ctrl() (in libevent) calls - SSL_set_bio() after BIO_new_socket() with flag=1. */ - conn->bev = - bufferevent_openssl_socket_new (conn->evb, peer->fd, conn->tls_ssl, - BUFFEREVENT_SSL_CONNECTING, 0); - if (!conn->bev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_openssl_socket_new"); - - break; - case RS_CONN_TYPE_DTLS: - return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, - "%s: NYI", __func__); -#endif /* RS_ENABLE_TLS */ - default: - return rs_err_conn_push_fl (conn, RSE_INTERNAL, __FILE__, __LINE__, - "%s: unknown connection type: %d", __func__, - conn->type); - } - - return RSE_OK; -} - -static void -_do_connect (struct rs_peer *p) -{ - int err; - - err = bufferevent_socket_connect (p->conn->bev, p->addr->ai_addr, - p->addr->ai_addrlen); - if (err < 0) - rs_err_conn_push_fl (p->conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_socket_connect: %s", - evutil_gai_strerror(err)); - else - p->is_connecting = 1; -} - -static int -_conn_open(struct rs_connection *conn, struct rs_packet *pkt) -{ - struct rs_peer *p; - - if (_init_evb (conn)) - return -1; - - p = _pick_peer (conn); - if (!p) - return rs_err_conn_push_fl (conn, RSE_NOPEER, __FILE__, __LINE__, NULL); - - if (_init_socket (conn, p)) - return -1; - - if (_init_bev (conn, p)) - return -1; - - if (!p->is_connected) - if (!p->is_connecting) - _do_connect (p); - - return RSE_OK; -} - -static int -_conn_is_open_p (struct rs_connection *conn) -{ - return conn->active_peer && conn->active_peer->is_connected; -} - /* Public functions. */ int rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out) { struct rs_packet *p; RADIUS_PACKET *rpkt; + int err; *pkt_out = NULL; - rpkt = rad_alloc (1); - if (!rpkt) + rpkt = rs_malloc (conn->ctx, sizeof(*rpkt) + RS_MAX_PACKET_LEN); + if (rpkt == NULL) return rs_err_conn_push (conn, RSE_NOMEM, __func__); - rpkt->id = conn->nextid++; - p = (struct rs_packet *) malloc (sizeof (struct rs_packet)); - if (!p) + err = nr_packet_init (rpkt, NULL, NULL, + PW_ACCESS_REQUEST, + rpkt + 1, RS_MAX_PACKET_LEN); + if (err < 0) + return rs_err_conn_push (conn, -err, __func__); + + p = (struct rs_packet *) rs_calloc (conn->ctx, 1, sizeof (*p)); + if (p == NULL) { - rad_free (&rpkt); + rs_free (conn->ctx, rpkt); return rs_err_conn_push (conn, RSE_NOMEM, __func__); } - memset (p, 0, sizeof (struct rs_packet)); p->conn = conn; p->rpkt = rpkt; @@ -431,150 +158,96 @@ rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out) } int -rs_packet_create_auth_request (struct rs_connection *conn, - struct rs_packet **pkt_out, - const char *user_name, const char *user_pw) +rs_packet_create_authn_request (struct rs_connection *conn, + struct rs_packet **pkt_out, + const char *user_name, const char *user_pw) { struct rs_packet *pkt; - struct rs_attr *attr; + int err; if (rs_packet_create (conn, pkt_out)) return -1; + pkt = *pkt_out; - pkt->rpkt->code = PW_AUTHENTICATION_REQUEST; + pkt->rpkt->code = PW_ACCESS_REQUEST; if (user_name) { - if (rs_attr_create (conn, &attr, "User-Name", user_name)) - return -1; - rs_packet_add_attr (pkt, attr); - - if (user_pw) - { - if (rs_attr_create (conn, &attr, "User-Password", user_pw)) - return -1; - rs_packet_add_attr (pkt, attr); - } + err = rs_packet_append_avp (pkt, PW_USER_NAME, 0, user_name, 0); + if (err) + return err; + } + + if (user_pw) + { + err = rs_packet_append_avp (pkt, PW_USER_PASSWORD, 0, user_pw, 0); + if (err) + return err; } return RSE_OK; } -int -rs_packet_send (struct rs_packet *pkt, void *user_data) +void +rs_packet_destroy (struct rs_packet *pkt) { - struct rs_connection *conn; - int err; - assert (pkt); - conn = pkt->conn; - - if (_conn_is_open_p (conn)) - _do_send (pkt); - else - if (_conn_open (conn, pkt)) - return RSE_SOME_ERROR; /* FIXME */ - - assert (conn->evb); - assert (conn->bev); - assert (conn->active_peer); - assert (conn->active_peer->fd >= 0); - - conn->user_data = user_data; - bufferevent_setcb (conn->bev, _read_cb, _write_cb, _event_cb, pkt); - if (!conn->user_dispatch_flag) - { - err = event_base_dispatch (conn->evb); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_dispatch: %s", - evutil_gai_strerror(err)); - - rs_debug ("%s: event loop done\n", __func__); - if (!event_base_got_break(conn->evb)) - { - /* Something went wrong -- we never reached loopbreak in - _write_cb(). FIXME: Pull error/errors? */ - return RSE_SOME_ERROR; /* FIXME */ - } - } + assert (pkt->conn); + assert (pkt->conn->ctx); - return RSE_OK; + rs_avp_free (&pkt->rpkt->vps); + rs_free (pkt->conn->ctx, pkt->rpkt); + rs_free (pkt->conn->ctx, pkt); } int -rs_conn_receive_packet (struct rs_connection *conn, - struct rs_packet *request, - struct rs_packet **pkt_out) +rs_packet_append_avp (struct rs_packet *pkt, + unsigned int attr, unsigned int vendor, + const void *data, size_t data_len) { - struct rs_packet *pkt; - - assert (conn); - - if (rs_packet_create (conn, pkt_out)) - return -1; - pkt = *pkt_out; - pkt->conn = conn; - pkt->original = request; - - if (_conn_open (conn, pkt)) - return -1; - assert (conn->evb); - assert (conn->bev); - assert (conn->active_peer); - assert (conn->active_peer->fd >= 0); + const DICT_ATTR *da; + int err; - bufferevent_setwatermark (conn->bev, EV_READ, RS_HEADER_LEN, 0); - bufferevent_enable (conn->bev, EV_READ); - bufferevent_setcb (conn->bev, _read_cb, _write_cb, _event_cb, pkt); + assert (pkt); - /* Do dispatch, unless the user wants to do it herself. */ - if (!conn->user_dispatch_flag) - { - event_base_dispatch (conn->evb); - rs_debug ("%s: event loop done", __func__); - if (event_base_got_break (conn->evb)) - { - rs_debug (", got this:\n"); -#if defined DEBUG - rs_dump_packet (pkt); -#endif - } - else - { - rs_debug (", no reply\n"); - /* Something went wrong -- we never reached loopbreak in - _read_cb(). FIXME: Pull error/errors? */ - return RSE_SOME_ERROR; /* FIXME */ - } - } + da = nr_dict_attr_byvalue (attr, vendor); + if (da == NULL) + return rs_err_conn_push (pkt->conn, RSE_ATTR_TYPE_UNKNOWN, __func__); - pkt->original = NULL; + err = nr_packet_attr_append (pkt->rpkt, NULL, da, data, data_len); + if (err < 0) + return rs_err_conn_push (pkt->conn, -err, __func__); return RSE_OK; } void -rs_packet_add_attr(struct rs_packet *pkt, struct rs_attr *attr) +rs_packet_avps (struct rs_packet *pkt, rs_avp ***vps) { - pairadd (&pkt->rpkt->vps, attr->vp); - attr->pkt = pkt; + assert (pkt); + *vps = &pkt->rpkt->vps; } -struct radius_packet * -rs_packet_frpkt(struct rs_packet *pkt) +unsigned int +rs_packet_code (struct rs_packet *pkt) { assert (pkt); - return pkt->rpkt; + return pkt->rpkt->code; } -void -rs_packet_destroy(struct rs_packet *pkt) +rs_const_avp * +rs_packet_find_avp (struct rs_packet *pkt, unsigned int attr, unsigned int vendor) { - if (pkt) - { - // FIXME: memory leak! TODO: free all attributes - rad_free (&pkt->rpkt); - rs_free (pkt->conn->ctx, pkt); - } + assert (pkt); + return rs_avp_find_const (pkt->rpkt->vps, attr, vendor); +} + +int +rs_packet_set_id (struct rs_packet *pkt, int id) +{ + int old = pkt->rpkt->id; + + pkt->rpkt->id = id; + + return old; }