1 /* See the file COPYING for licensing information. */
3 #if defined HAVE_CONFIG_H
10 #include <freeradius/libradius.h>
11 #include <event2/event.h>
12 #include <event2/bufferevent.h>
13 #include <radsec/radsec.h>
14 #include <radsec/radsec-impl.h>
17 #if defined (RS_ENABLE_TLS)
18 #include <event2/bufferevent_ssl.h>
19 #include <openssl/err.h>
23 #include <sys/socket.h>
24 #include <event2/buffer.h>
28 _do_send (struct rs_packet *pkt)
34 assert (!pkt->original);
36 vp = paircreate (PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS);
38 return rs_err_conn_push_fl (pkt->conn, RSE_NOMEM, __FILE__, __LINE__,
39 "paircreate: %s", fr_strerror ());
40 pairadd (&pkt->rpkt->vps, vp);
42 if (rad_encode (pkt->rpkt, NULL, pkt->conn->active_peer->secret))
43 return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
44 "rad_encode: %s", fr_strerror ());
45 if (rad_sign (pkt->rpkt, NULL, pkt->conn->active_peer->secret))
46 return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
47 "rad_sign: %s", fr_strerror ());
50 char host[80], serv[80];
52 getnameinfo (pkt->conn->active_peer->addr->ai_addr,
53 pkt->conn->active_peer->addr->ai_addrlen,
54 host, sizeof(host), serv, sizeof(serv),
55 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/);
56 rs_debug (("%s: about to send this to %s:%s:\n", __func__, host, serv));
61 err = bufferevent_write (pkt->conn->bev, pkt->rpkt->data,
64 return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__,
65 "bufferevent_write: %s",
66 evutil_gai_strerror(err));
71 _on_connect (struct rs_connection *conn)
73 conn->active_peer->is_connected = 1;
74 rs_debug (("%s: %p connected\n", __func__, conn->active_peer));
75 if (conn->callbacks.connected_cb)
76 conn->callbacks.connected_cb (conn->user_data);
80 _on_disconnect (struct rs_connection *conn)
82 conn->active_peer->is_connected = 0;
83 rs_debug (("%s: %p disconnected\n", __func__, conn->active_peer));
84 if (conn->callbacks.disconnected_cb)
85 conn->callbacks.disconnected_cb (conn->user_data);
89 _event_cb (struct bufferevent *bev, short events, void *ctx)
91 struct rs_packet *pkt = (struct rs_packet *)ctx;
92 struct rs_connection *conn;
95 #if defined (RS_ENABLE_TLS)
101 assert (pkt->conn->active_peer);
103 p = conn->active_peer;
105 p->is_connecting = 0;
106 if (events & BEV_EVENT_CONNECTED)
110 rs_debug (("%s: error sending\n", __func__));
112 else if (events & BEV_EVENT_EOF)
114 _on_disconnect (conn);
116 else if (events & BEV_EVENT_ERROR)
118 sockerr = evutil_socket_geterror (conn->active_peer->fd);
119 if (sockerr == 0) /* FIXME: True that errno == 0 means closed? */
121 _on_disconnect (conn);
125 rs_err_conn_push_fl (pkt->conn, RSE_SOCKERR, __FILE__, __LINE__,
126 "%d: socket error %d (%s)",
127 conn->active_peer->fd,
129 evutil_socket_error_to_string (sockerr));
130 rs_debug (("%s: socket error on fd %d: %d\n", __func__,
131 conn->active_peer->fd,
134 #if defined (RS_ENABLE_TLS)
135 if (conn->tls_ssl) /* FIXME: correct check? */
137 for (tlserr = bufferevent_get_openssl_error (conn->bev);
139 tlserr = bufferevent_get_openssl_error (conn->bev))
141 rs_debug (("%s: openssl error: %s\n", __func__,
142 ERR_error_string (tlserr, NULL)));
143 rs_err_conn_push_fl (pkt->conn, RSE_SSLERR, __FILE__, __LINE__,
147 #endif /* RS_ENABLE_TLS */
152 _write_cb (struct bufferevent *bev, void *ctx)
154 struct rs_packet *pkt = (struct rs_packet *) ctx;
159 if (pkt->conn->callbacks.sent_cb)
160 pkt->conn->callbacks.sent_cb (pkt->conn->user_data);
163 /* Read one RADIUS packet header. Return !0 on error. A return value
164 of 0 means that we need more data. */
166 _read_header (struct rs_packet *pkt)
170 n = bufferevent_read (pkt->conn->bev, pkt->hdr, RS_HEADER_LEN);
171 if (n == RS_HEADER_LEN)
173 pkt->hdr_read_flag = 1;
174 pkt->rpkt->data_len = (pkt->hdr[2] << 8) + pkt->hdr[3];
175 if (pkt->rpkt->data_len < 20 || pkt->rpkt->data_len > 4096)
177 bufferevent_free (pkt->conn->bev); /* Close connection. */
178 return rs_err_conn_push (pkt->conn, RSE_INVALID_PKT,
179 "invalid packet length: %d",
180 pkt->rpkt->data_len);
182 pkt->rpkt->data = rs_malloc (pkt->conn->ctx, pkt->rpkt->data_len);
183 if (!pkt->rpkt->data)
185 bufferevent_free (pkt->conn->bev); /* Close connection. */
186 return rs_err_conn_push_fl (pkt->conn, RSE_NOMEM, __FILE__, __LINE__,
189 memcpy (pkt->rpkt->data, pkt->hdr, RS_HEADER_LEN);
190 bufferevent_setwatermark (pkt->conn->bev, EV_READ,
191 pkt->rpkt->data_len - RS_HEADER_LEN, 0);
192 rs_debug (("%s: packet header read, total pkt len=%d\n",
193 __func__, pkt->rpkt->data_len));
197 rs_debug (("%s: buffer frozen while reading header\n", __func__));
199 else /* Error: libevent gave us less than the low watermark. */
201 bufferevent_free (pkt->conn->bev); /* Close connection. */
202 return rs_err_conn_push_fl (pkt->conn, RSE_INTERNAL, __FILE__, __LINE__,
203 "got %d octets reading header", n);
210 _read_packet (struct rs_packet *pkt)
214 rs_debug (("%s: trying to read %d octets of packet data\n", __func__,
215 pkt->rpkt->data_len - RS_HEADER_LEN));
217 n = bufferevent_read (pkt->conn->bev,
218 pkt->rpkt->data + RS_HEADER_LEN,
219 pkt->rpkt->data_len - RS_HEADER_LEN);
221 rs_debug (("%s: read %ld octets of packet data\n", __func__, n));
223 if (n == pkt->rpkt->data_len - RS_HEADER_LEN)
225 bufferevent_disable (pkt->conn->bev, EV_READ);
226 rs_debug (("%s: complete packet read\n", __func__));
227 pkt->hdr_read_flag = 0;
228 memset (pkt->hdr, 0, sizeof(*pkt->hdr));
230 /* Checks done by rad_packet_ok:
231 - lenghts (FIXME: checks really ok for tcp?)
233 - attribute lengths >= 2
234 - attribute sizes adding up correctly */
235 if (!rad_packet_ok (pkt->rpkt, 0) != 0)
237 bufferevent_free (pkt->conn->bev); /* Close connection. */
238 return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
239 "invalid packet: %s", fr_strerror ());
242 /* TODO: Verify that reception of an unsolicited response packet
243 results in connection being closed. */
245 /* If we have a request to match this response against, verify
246 and decode the response. */
249 /* Verify header and message authenticator. */
250 if (rad_verify (pkt->rpkt, pkt->original->rpkt,
251 pkt->conn->active_peer->secret))
253 bufferevent_free (pkt->conn->bev); /* Close connection. */
254 return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
255 "rad_verify: %s", fr_strerror ());
258 /* Decode and decrypt. */
259 if (rad_decode (pkt->rpkt, pkt->original->rpkt,
260 pkt->conn->active_peer->secret))
262 bufferevent_free (pkt->conn->bev); /* Close connection. */
263 return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
264 "rad_decode: %s", fr_strerror ());
269 /* Find out what happens if there's data left in the buffer. */
272 rest = evbuffer_get_length (bufferevent_get_input (pkt->conn->bev));
274 rs_debug (("%s: returning with %d octets left in buffer\n", __func__,
279 /* Hand over message to user, changes ownership of pkt. Don't
280 touch it afterwards -- it might have been freed. */
281 if (pkt->conn->callbacks.received_cb)
282 pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data);
284 else if (n < 0) /* Buffer frozen. */
285 rs_debug (("%s: buffer frozen when reading packet\n", __func__));
286 else /* Short packet. */
287 rs_debug (("%s: waiting for another %d octets\n", __func__,
288 pkt->rpkt->data_len - RS_HEADER_LEN - n));
293 /* Read callback for TCP.
295 Read exactly one RADIUS message from BEV and store it in struct
296 rs_packet passed in CTX (hereby called 'pkt').
298 Verify the received packet against pkt->original, if !NULL.
300 Inform upper layer about successful reception of valid RADIUS
301 message by invoking conn->callbacks.recevied_cb(), if !NULL. */
303 _read_cb (struct bufferevent *bev, void *ctx)
305 struct rs_packet *pkt = (struct rs_packet *) ctx;
311 pkt->rpkt->sockfd = pkt->conn->active_peer->fd;
312 pkt->rpkt->vps = NULL;
314 if (!pkt->hdr_read_flag)
315 if (_read_header (pkt))
321 _evlog_cb (int severity, const char *msg)
326 case _EVENT_LOG_DEBUG:
327 #if !defined (DEBUG_LEVENT)
335 case _EVENT_LOG_WARN:
345 fprintf (stderr, "libevent: [%s] %s\n", sevstr, msg); /* FIXME: stderr? */
349 _init_evb (struct rs_connection *conn)
354 event_enable_debug_mode ();
356 event_set_log_callback (_evlog_cb);
357 conn->evb = event_base_new ();
359 return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
366 _init_socket (struct rs_connection *conn, struct rs_peer *p)
372 p->fd = socket (p->addr->ai_family, p->addr->ai_socktype,
373 p->addr->ai_protocol);
375 return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__,
377 if (evutil_make_socket_nonblocking (p->fd) < 0)
379 evutil_closesocket (p->fd);
380 return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__,
386 static struct rs_peer *
387 _pick_peer (struct rs_connection *conn)
389 if (!conn->active_peer)
390 conn->active_peer = conn->peers;
391 return conn->active_peer;
395 _init_bev (struct rs_connection *conn, struct rs_peer *peer)
402 case RS_CONN_TYPE_UDP:
403 case RS_CONN_TYPE_TCP:
404 conn->bev = bufferevent_socket_new (conn->evb, peer->fd, 0);
406 return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
407 "bufferevent_socket_new");
409 #if defined (RS_ENABLE_TLS)
410 case RS_CONN_TYPE_TLS:
411 if (rs_tls_init (conn))
413 /* Would be convenient to pass BEV_OPT_CLOSE_ON_FREE but things
414 seem to break when be_openssl_ctrl() (in libevent) calls
415 SSL_set_bio() after BIO_new_socket() with flag=1. */
417 bufferevent_openssl_socket_new (conn->evb, peer->fd, conn->tls_ssl,
418 BUFFEREVENT_SSL_CONNECTING, 0);
420 return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
421 "bufferevent_openssl_socket_new");
424 case RS_CONN_TYPE_DTLS:
425 return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__,
426 "%s: NYI", __func__);
427 #endif /* RS_ENABLE_TLS */
429 return rs_err_conn_push_fl (conn, RSE_INTERNAL, __FILE__, __LINE__,
430 "%s: unknown connection type: %d", __func__,
438 _do_connect (struct rs_peer *p)
442 err = bufferevent_socket_connect (p->conn->bev, p->addr->ai_addr,
443 p->addr->ai_addrlen);
445 rs_err_conn_push_fl (p->conn, RSE_EVENT, __FILE__, __LINE__,
446 "bufferevent_socket_connect: %s",
447 evutil_gai_strerror(err));
449 p->is_connecting = 1;
453 _conn_open(struct rs_connection *conn, struct rs_packet *pkt)
457 if (_init_evb (conn))
460 p = _pick_peer (conn);
462 return rs_err_conn_push_fl (conn, RSE_NOPEER, __FILE__, __LINE__, NULL);
464 if (_init_socket (conn, p))
467 if (_init_bev (conn, p))
470 if (!p->is_connected)
471 if (!p->is_connecting)
478 _conn_is_open_p (struct rs_connection *conn)
480 return conn->active_peer && conn->active_peer->is_connected;
483 /* Public functions. */
485 rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out)
492 rpkt = rad_alloc (1);
494 return rs_err_conn_push (conn, RSE_NOMEM, __func__);
495 rpkt->id = conn->nextid++;
497 p = (struct rs_packet *) malloc (sizeof (struct rs_packet));
501 return rs_err_conn_push (conn, RSE_NOMEM, __func__);
503 memset (p, 0, sizeof (struct rs_packet));
512 rs_packet_create_auth_request (struct rs_connection *conn,
513 struct rs_packet **pkt_out,
514 const char *user_name, const char *user_pw)
516 struct rs_packet *pkt;
517 struct rs_attr *attr;
519 if (rs_packet_create (conn, pkt_out))
522 pkt->rpkt->code = PW_AUTHENTICATION_REQUEST;
526 if (rs_attr_create (conn, &attr, "User-Name", user_name))
528 rs_packet_add_attr (pkt, attr);
532 if (rs_attr_create (conn, &attr, "User-Password", user_pw))
534 rs_packet_add_attr (pkt, attr);
541 /* User callback used when we're dispatching for user. */
543 _wcb (void *user_data)
545 struct rs_connection *conn = (struct rs_connection *) user_data;
550 /* When we're running the event loop for the user, we must break
551 it in order to give the control back to the user. */
552 err = event_base_loopbreak (conn->evb);
554 rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
555 "event_base_loopbreak: %s",
556 evutil_gai_strerror(err));
560 rs_packet_send (struct rs_packet *pkt, void *user_data)
562 struct rs_connection *conn = NULL;
569 if (_conn_is_open_p (conn))
572 if (_conn_open (conn, pkt))
577 assert (conn->active_peer);
578 assert (conn->active_peer->fd >= 0);
580 conn->user_data = user_data;
581 bufferevent_setcb (conn->bev, NULL, _write_cb, _event_cb, pkt);
583 /* Do dispatch, unless the user wants to do it herself. */
584 if (!conn->user_dispatch_flag)
586 conn->callbacks.sent_cb = _wcb;
587 conn->user_data = conn;
588 rs_debug (("%s: entering event loop\n", __func__));
589 err = event_base_dispatch (conn->evb);
591 return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__,
592 "event_base_dispatch: %s",
593 evutil_gai_strerror(err));
594 rs_debug (("%s: event loop done\n", __func__));
595 conn->callbacks.sent_cb = NULL;
596 conn->user_data = NULL;
598 if (!event_base_got_break (conn->evb))
606 _rcb (struct rs_packet *packet, void *user_data)
610 /* When we're running the event loop for the user, we must break it
611 in order to give the control back to the user. */
612 err = event_base_loopbreak (packet->conn->evb);
614 rs_err_conn_push_fl (packet->conn, RSE_EVENT, __FILE__, __LINE__,
615 "event_base_loopbreak: %s",
616 evutil_gai_strerror(err));
619 /* Special function used in libradsec blocking dispatching mode,
620 i.e. with socket set to block on read/write and with no libradsec
621 callbacks registered.
623 For any other use of libradsec, a the received_cb callback should
624 be registered in the callbacks member of struct rs_connection.
626 On successful reception, verification and decoding of a RADIUS
627 message, PKT_OUT will upon return point at a pointer to a struct
628 rs_packet containing the message.
630 If anything goes wrong or if the read times out (TODO: explain),
631 PKT_OUT will point at the NULL pointer and one or more errors are
632 pushed on the connection (available through rs_err_conn_pop()). */
635 rs_conn_receive_packet (struct rs_connection *conn,
636 struct rs_packet *request,
637 struct rs_packet **pkt_out)
640 struct rs_packet *pkt = NULL;
643 assert (!conn->user_dispatch_flag); /* Dispatching mode only. */
645 if (rs_packet_create (conn, pkt_out))
649 pkt->original = request;
651 if (_conn_open (conn, pkt))
655 assert (conn->active_peer);
656 assert (conn->active_peer->fd >= 0);
658 /* Install read and event callbacks with libevent. */
659 bufferevent_setwatermark (conn->bev, EV_READ, RS_HEADER_LEN, 0);
660 bufferevent_enable (conn->bev, EV_READ);
661 bufferevent_setcb (conn->bev, _read_cb, NULL, _event_cb, pkt);
663 /* Install read callback with ourselves, for signaling successful
664 reception of message. */
665 conn->callbacks.received_cb = _rcb;
668 rs_debug (("%s: entering event loop\n", __func__));
669 err = event_base_dispatch (conn->evb);
671 return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__,
672 "event_base_dispatch: %s",
673 evutil_gai_strerror(err));
674 rs_debug (("%s: event loop done\n", __func__));
675 conn->callbacks.received_cb = NULL;
676 if (!event_base_got_break (conn->evb))
680 rs_dump_packet (pkt);
683 pkt->original = NULL; /* FIXME: Why? */
688 rs_packet_add_attr(struct rs_packet *pkt, struct rs_attr *attr)
690 pairadd (&pkt->rpkt->vps, attr->vp);
694 struct radius_packet *
695 rs_packet_frpkt(struct rs_packet *pkt)
702 rs_packet_destroy(struct rs_packet *pkt)
706 // FIXME: memory leak! TODO: free all attributes
707 rad_free (&pkt->rpkt);
708 rs_free (pkt->conn->ctx, pkt);