/* * listen.c Handle socket stuff * * Version: $Id$ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * * Copyright 2005,2006 The FreeRADIUS server project * Copyright 2005 Alan DeKok */ RCSID("$Id$") #include #include #include #include #include #include #include #ifdef WITH_UDPFROMTO #include #endif #ifdef HAVE_SYS_RESOURCE_H #include #endif #ifdef HAVE_NET_IF_H #include #endif #ifdef HAVE_FCNTL_H #include #endif #ifdef HAVE_SYS_STAT_H #include #endif #ifdef WITH_TLS #include # ifdef __APPLE__ # if !defined(SOL_TCP) && defined(IPPROTO_TCP) # define SOL_TCP IPPROTO_TCP # endif # endif #endif #ifdef DEBUG_PRINT_PACKET static void print_packet(RADIUS_PACKET *packet) { char src[256], dst[256]; ip_ntoh(&packet->src_ipaddr, src, sizeof(src)); ip_ntoh(&packet->dst_ipaddr, dst, sizeof(dst)); fprintf(stderr, "ID %d: %s %d -> %s %d\n", packet->id, src, packet->src_port, dst, packet->dst_port); } #endif static rad_listen_t *listen_alloc(TALLOC_CTX *ctx, RAD_LISTEN_TYPE type); #ifdef WITH_COMMAND_SOCKET #ifdef WITH_TCP static int command_tcp_recv(rad_listen_t *listener); static int command_tcp_send(rad_listen_t *listener, REQUEST *request); static int command_write_magic(int newfd, listen_socket_t *sock); #endif #endif #ifdef WITH_COA_TUNNEL static int listen_coa_init(void); #endif static fr_protocol_t master_listen[]; #ifdef WITH_DYNAMIC_CLIENTS static void client_timer_free(void *ctx) { RADCLIENT *client = ctx; client_free(client); } #endif /* * Find a per-socket client. */ RADCLIENT *client_listener_find(rad_listen_t *listener, fr_ipaddr_t const *ipaddr, uint16_t src_port) { #ifdef WITH_DYNAMIC_CLIENTS int rcode; REQUEST *request; RADCLIENT *created; #endif time_t now; RADCLIENT *client; RADCLIENT_LIST *clients; listen_socket_t *sock; rad_assert(listener != NULL); rad_assert(ipaddr != NULL); sock = listener->data; clients = sock->clients; /* * This HAS to have been initialized previously. */ rad_assert(clients != NULL); client = client_find(clients, ipaddr, sock->proto); if (!client) { char name[256], buffer[128]; #ifdef WITH_DYNAMIC_CLIENTS unknown: /* used only for dynamic clients */ #endif /* * DoS attack quenching, but only in daemon mode. * If they're running in debug mode, show them * every packet. */ if (rad_debug_lvl == 0) { static time_t last_printed = 0; now = time(NULL); if (last_printed == now) return NULL; last_printed = now; } listener->print(listener, name, sizeof(name)); radlog(L_ERR, "Ignoring request to %s from unknown client %s port %d" #ifdef WITH_TCP " proto %s" #endif , name, inet_ntop(ipaddr->af, &ipaddr->ipaddr, buffer, sizeof(buffer)), src_port #ifdef WITH_TCP , (sock->proto == IPPROTO_UDP) ? "udp" : "tcp" #endif ); return NULL; } #ifndef WITH_DYNAMIC_CLIENTS return client; /* return the found client. */ #else /* * No server defined, and it's not dynamic. Return it. */ if (!client->client_server && !client->dynamic) return client; now = time(NULL); /* * It's a dynamically generated client, check it. */ if (client->dynamic && (src_port != 0)) { #ifdef HAVE_SYS_STAT_H char const *filename; #endif fr_event_list_t *el; struct timeval when; /* * Lives forever. Return it. */ if (client->lifetime == 0) return client; /* * Rate-limit the deletion of known clients. * This makes them last a little longer, but * prevents the server from melting down if (say) * 10k clients all expire at once. */ if (now == client->last_new_client) return client; /* * It's not dead yet. Return it. */ if ((client->created + client->lifetime) > now) return client; #ifdef HAVE_SYS_STAT_H /* * The client was read from a file, and the file * hasn't changed since the client was created. * Just renew the creation time, and continue. * We don't need to re-load the same information. */ if (client->cs && (filename = cf_section_filename(client->cs)) != NULL) { struct stat buf; if ((stat(filename, &buf) >= 0) && (buf.st_mtime < client->created)) { client->created = now; return client; } } #endif /* * Delete the client from the known list. */ client_delete(clients, client); /* * Add a timer to free the client 20s after it's already timed out. */ el = radius_event_list_corral(EVENT_CORRAL_MAIN); gettimeofday(&when, NULL); when.tv_sec += main_config.max_request_time + 20; /* * If this fails, we leak memory. That's better than crashing... */ (void) fr_event_insert(el, client_timer_free, client, &when, &client->ev); /* * Go find the enclosing network again. */ client = client_find(clients, ipaddr, sock->proto); /* * WTF? */ if (!client) goto unknown; if (!client->client_server) goto unknown; /* * At this point, 'client' is the enclosing * network that configures where dynamic clients * can be defined. */ rad_assert(client->dynamic == 0); } else if (!client->dynamic && client->rate_limit) { /* * The IP is unknown, so we've found an enclosing * network. Enable DoS protection. We only * allow one new client per second. Known * clients aren't subject to this restriction. */ if (now == client->last_new_client) goto unknown; } client->last_new_client = now; request = request_alloc(NULL); if (!request) goto unknown; request->listener = listener; request->client = client; request->packet = rad_recv(NULL, listener->fd, 0x02); /* MSG_PEEK */ if (!request->packet) { /* badly formed, etc */ talloc_free(request); if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); goto unknown; } (void) talloc_steal(request, request->packet); request->reply = rad_alloc_reply(request, request->packet); if (!request->reply) { talloc_free(request); goto unknown; } gettimeofday(&request->packet->timestamp, NULL); request->number = 0; request->priority = listener->type; request->server = client->client_server; request->root = &main_config; /* * Run a fake request through the given virtual server. * Look for FreeRADIUS-Client-IP-Address * FreeRADIUS-Client-Secret * ... * * and create the RADCLIENT structure from that. */ RDEBUG("server %s {", request->server); rcode = process_authorize(0, request); RDEBUG("} # server %s", request->server); switch (rcode) { case RLM_MODULE_OK: case RLM_MODULE_UPDATED: break; /* * Likely a fatal error we want to warn the user about */ case RLM_MODULE_INVALID: case RLM_MODULE_FAIL: ERROR("Virtual-Server %s returned %s, creating dynamic client failed", request->server, fr_int2str(mod_rcode_table, rcode, "")); talloc_free(request); goto unknown; /* * Probably the result of policy, or the client not existing. */ default: DEBUG("Virtual-Server %s returned %s, ignoring client", request->server, fr_int2str(mod_rcode_table, rcode, "")); talloc_free(request); goto unknown; } /* * If the client was updated by rlm_dynamic_clients, * don't create the client from attribute-value pairs. */ if (request->client == client) { created = client_afrom_request(clients, request); } else { created = request->client; /* * This frees the client if it isn't valid. */ if (!client_add_dynamic(clients, client, created)) goto unknown; } request->server = client->server; exec_trigger(request, NULL, "server.client.add", false); talloc_free(request); if (!created) goto unknown; return created; #endif } static int listen_bind(rad_listen_t *this); #ifdef WITH_COA_TUNNEL static void listener_coa_update(rad_listen_t *this, VALUE_PAIR *vps); #endif /* * Process and reply to a server-status request. * Like rad_authenticate and rad_accounting this should * live in it's own file but it's so small we don't bother. */ int rad_status_server(REQUEST *request) { int rcode = RLM_MODULE_OK; DICT_VALUE *dval; #ifdef WITH_TLS if (request->listener->tls) { listen_socket_t *sock = request->listener->data; if (sock->state == LISTEN_TLS_CHECKING) { int autz_type = PW_AUTZ_TYPE; char const *name = "Autz-Type"; if (request->listener->type == RAD_LISTEN_ACCT) { autz_type = PW_ACCT_TYPE; name = "Acct-Type"; } RDEBUG("(TLS) Checking connection to see if it is authorized."); dval = dict_valbyname(autz_type, 0, "New-TLS-Connection"); if (dval) { rcode = process_authorize(dval->value, request); } else { rcode = RLM_MODULE_OK; RWDEBUG("(TLS) Did not find '%s New-TLS-Connection' - defaulting to accept", name); } if ((rcode == RLM_MODULE_OK) || (rcode == RLM_MODULE_UPDATED)) { RDEBUG("(TLS) Connection is authorized"); request->reply->code = PW_CODE_ACCESS_ACCEPT; } else { RWDEBUG("(TLS) Connection is not authorized - closing TCP socket."); request->reply->code = PW_CODE_ACCESS_REJECT; } return 0; } } #endif #ifdef WITH_STATS /* * Full statistics are available only on a statistics * socket. */ if (request->listener->type == RAD_LISTEN_NONE) { request_stats_reply(request); } #endif switch (request->listener->type) { #ifdef WITH_STATS case RAD_LISTEN_NONE: #endif case RAD_LISTEN_AUTH: dval = dict_valbyname(PW_AUTZ_TYPE, 0, "Status-Server"); if (dval) { rcode = process_authorize(dval->value, request); } else { rcode = RLM_MODULE_OK; } switch (rcode) { case RLM_MODULE_OK: case RLM_MODULE_UPDATED: request->reply->code = PW_CODE_ACCESS_ACCEPT; #ifdef WITH_COA_TUNNEL if (request->listener->send_coa) listener_coa_update(request->listener, request->packet->vps); #endif break; case RLM_MODULE_FAIL: case RLM_MODULE_HANDLED: request->reply->code = 0; /* don't reply */ break; default: case RLM_MODULE_REJECT: request->reply->code = PW_CODE_ACCESS_REJECT; break; } break; #ifdef WITH_ACCOUNTING case RAD_LISTEN_ACCT: dval = dict_valbyname(PW_ACCT_TYPE, 0, "Status-Server"); if (dval) { rcode = process_accounting(dval->value, request); } else { rcode = RLM_MODULE_OK; } switch (rcode) { case RLM_MODULE_OK: case RLM_MODULE_UPDATED: request->reply->code = PW_CODE_ACCOUNTING_RESPONSE; #ifdef WITH_COA_TUNNEL if (request->listener->send_coa) listener_coa_update(request->listener, request->packet->vps); #endif break; default: request->reply->code = 0; /* don't reply */ break; } break; #endif #ifdef WITH_COA /* * This is a vendor extension. Suggested by Glen * Zorn in IETF 72, and rejected by the rest of * the WG. We like it, so it goes in here. */ case RAD_LISTEN_COA: dval = dict_valbyname(PW_RECV_COA_TYPE, 0, "Status-Server"); if (dval) { rcode = process_recv_coa(dval->value, request); } else { rcode = RLM_MODULE_OK; } switch (rcode) { case RLM_MODULE_OK: case RLM_MODULE_UPDATED: request->reply->code = PW_CODE_COA_ACK; break; default: request->reply->code = 0; /* don't reply */ break; } break; #endif default: return 0; } return 0; } #ifdef WITH_TCP static int dual_tcp_recv(rad_listen_t *listener) { int rcode; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; listen_socket_t *sock = listener->data; RADCLIENT *client = sock->client; rad_assert(client != NULL); if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0; /* * Allocate a packet for partial reads. */ if (!sock->packet) { sock->packet = rad_alloc(sock, false); if (!sock->packet) return 0; sock->packet->sockfd = listener->fd; sock->packet->src_ipaddr = sock->other_ipaddr; sock->packet->src_port = sock->other_port; sock->packet->dst_ipaddr = sock->my_ipaddr; sock->packet->dst_port = sock->my_port; sock->packet->proto = sock->proto; } /* * Grab the packet currently being processed. */ packet = sock->packet; rcode = fr_tcp_read_packet(packet, 0); /* * Still only a partial packet. Put it back, and return, * so that we'll read more data when it's ready. */ if (rcode == 0) { return 0; } if (rcode == -1) { /* error reading packet */ char buffer[256]; ERROR("Invalid packet from %s port %d, closing socket: %s", ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, fr_strerror()); } if (rcode < 0) { /* error or connection reset */ listener->status = RAD_LISTEN_STATUS_EOL; /* * Tell the event handler that an FD has disappeared. */ DEBUG("Client has closed connection"); radius_update_listener(listener); /* * Do NOT free the listener here. It's in use by * a request, and will need to hang around until * all of the requests are done. * * It is instead free'd in remove_from_request_hash() */ return 0; } /* * Some sanity checks, based on the packet code. */ switch (packet->code) { case PW_CODE_ACCESS_REQUEST: if (listener->type != RAD_LISTEN_AUTH) goto bad_packet; FR_STATS_INC(auth, total_requests); fun = rad_authenticate; break; #ifdef WITH_ACCOUNTING case PW_CODE_ACCOUNTING_REQUEST: if (listener->type != RAD_LISTEN_ACCT) { /* * Allow auth + dual. Disallow * everything else. */ if (!((listener->type == RAD_LISTEN_AUTH) && (listener->dual))) { goto bad_packet; } } FR_STATS_INC(acct, total_requests); fun = rad_accounting; break; #endif case PW_CODE_STATUS_SERVER: if (!main_config.status_server) { FR_STATS_INC(auth, total_unknown_types); WARN("Ignoring Status-Server request due to security configuration"); rad_free(&sock->packet); return 0; } fun = rad_status_server; break; default: bad_packet: FR_STATS_INC(auth, total_unknown_types); DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED", packet->code, client->shortname, packet->src_port); rad_free(&sock->packet); return 0; } /* switch over packet types */ if (!request_receive(NULL, listener, packet, client, fun)) { FR_STATS_INC(auth, total_packets_dropped); rad_free(&sock->packet); return 0; } sock->packet = NULL; /* we have no need for more partial reads */ return 1; } #ifdef WITH_TLS typedef struct { char const *name; SSL_CTX *ctx; } fr_realm_ctx_t; /* hack from tls. */ static int tls_sni_callback(SSL *ssl, UNUSED int *al, void *arg) { fr_tls_server_conf_t *conf = arg; char const *name, *p; int type; fr_realm_ctx_t my_r, *r; REQUEST *request; char buffer[PATH_MAX]; /* * No SNI, that's fine. */ type = SSL_get_servername_type(ssl); if (type < 0) return SSL_TLSEXT_ERR_OK; /* * No realms configured, just use the default context. */ if (!conf->realms) return SSL_TLSEXT_ERR_OK; name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!name) return SSL_TLSEXT_ERR_OK; /* * RFC Section 6066 Section 3 says that the names are * ASCII, without a trailing dot. i.e. punycode. */ for (p = name; *p != '\0'; p++) { if (*p == '-') continue; if (*p == '.') continue; if ((*p >= 'A') && (*p <= 'Z')) continue; if ((*p >= 'a') && (*p <= 'z')) continue; if ((*p >= '0') && (*p <= '9')) continue; /* * Anything else, fail. */ return SSL_TLSEXT_ERR_ALERT_FATAL; } /* * Too long, fail. */ if ((p - name) > 255) return SSL_TLSEXT_ERR_ALERT_FATAL; snprintf(buffer, sizeof(buffer), "%s/%s.pem", conf->realm_dir, name); my_r.name = buffer; r = fr_hash_table_finddata(conf->realms, &my_r); /* * If found, switch certs. Otherwise use the default * one. */ if (r) (void) SSL_set_SSL_CTX(ssl, r->ctx); /* * Set an attribute saying which server has been selected. */ request = (REQUEST *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST); if (request) { (void) pair_make_config("TLS-Server-Name-Indication", name, T_OP_SET); } return SSL_TLSEXT_ERR_OK; } #endif #ifdef WITH_RADIUSV11 static const unsigned char radiusv11_alpn_protos[] = { 10, 'r', 'a', 'd', 'i', 'u', 's', '/', '1', '.', '1', }; /* * On the server, get the ALPN list requested by the client. */ static int radiusv11_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { rad_listen_t *this = arg; listen_socket_t *sock = this->data; unsigned char **hack; const unsigned char *server; unsigned int server_len, i; int rcode; REQUEST *request; request = (REQUEST *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST); fr_assert(request != NULL); fr_assert(inlen > 0); memcpy(&hack, &out, sizeof(out)); /* const issues */ /* * The RADIUSv11 configuration for this socket is a combination of what we require, and what we * require of the client. */ switch (this->radiusv11) { /* * If we forbid RADIUSv11, then we never advertised it via ALPN, and this callback should * never have been registered. */ case FR_RADIUSV11_FORBID: *out = NULL; *outlen = 0; return SSL_TLSEXT_ERR_OK; case FR_RADIUSV11_ALLOW: case FR_RADIUSV11_REQUIRE: server = radiusv11_alpn_protos; server_len = sizeof(radiusv11_alpn_protos); break; } for (i = 0; i < inlen; i += in[0] + 1) { RDEBUG("(TLS) ALPN sent by client is \"%.*s\"", in[i], &in[i + 1]); } /* * Select the next protocol. */ rcode = SSL_select_next_proto(hack, outlen, server, server_len, in, inlen); if (rcode == OPENSSL_NPN_NEGOTIATED) { server = *out; /* * Tell our socket which protocol we negotiated. */ fr_assert(*outlen == 10); sock->radiusv11 = (server[9] == '1'); RDEBUG("(TLS) ALPN server negotiated application protocol \"%.*s\"", (int) *outlen, server); return SSL_TLSEXT_ERR_OK; } /* * No common ALPN. */ RDEBUG("(TLS) ALPN failure - no protocols in common"); return SSL_TLSEXT_ERR_ALERT_FATAL; } int fr_radiusv11_client_init(fr_tls_server_conf_t *tls); int fr_radiusv11_client_get_alpn(rad_listen_t *listener); int fr_radiusv11_client_init(fr_tls_server_conf_t *tls) { switch (tls->radiusv11) { case FR_RADIUSV11_ALLOW: case FR_RADIUSV11_REQUIRE: if (SSL_CTX_set_alpn_protos(tls->ctx, radiusv11_alpn_protos, sizeof(radiusv11_alpn_protos)) != 0) { ERROR("Failed setting RADIUSv11 negotiation flags"); return -1; } break; default: break; } return 0; } int fr_radiusv11_client_get_alpn(rad_listen_t *listener) { const unsigned char *data; unsigned int len; listen_socket_t *sock = listener->data; SSL_get0_alpn_selected(sock->ssn->ssl, &data, &len); if (!data) { DEBUG("(TLS) ALPN home server did not send any application protocol"); if (listener->radiusv11 == FR_RADIUSV11_REQUIRE) { DEBUG("(TLS) We have 'radiusv11 = require', but the home server has not negotiated it - closing socket"); return -1; } DEBUG("(TLS) ALPN assuming historical RADIUS"); return 0; } DEBUG("(TLS) ALPN home server sent application protocol \"%.*s\"", (int) len, data); if (len != 10) { radiusv11_unknown: DEBUG("(TLS) ALPN home server sent unknown application protocol - closing connection"); return -1; } /* * Should always be "radius/1.1". The server MUST echo back one of the strings * we sent. If it doesn't, it's a bad server. */ if (memcmp(data, "radius/1.1", 10) != 0) goto radiusv11_unknown; /* * Double-check what the server sent us. It SHOULD be sane, but it never hurts to check. */ switch (listener->radiusv11) { case FR_RADIUSV11_FORBID: DEBUG("(TLS) ALPN home server sent \"radius/v1.1\" but we forbid it - closing connection to home server"); return -1; case FR_RADIUSV11_ALLOW: case FR_RADIUSV11_REQUIRE: DEBUG("(TLS) ALPN using \"radius/1.1\""); sock->radiusv11 = true; break; } sock->alpn_checked = true; return 0; } #endif static int dual_tcp_accept(rad_listen_t *listener) { int newfd; uint16_t src_port; rad_listen_t *this; socklen_t salen; struct sockaddr_storage src; listen_socket_t *sock; fr_ipaddr_t src_ipaddr; RADCLIENT *client = NULL; salen = sizeof(src); DEBUG2(" ... new connection request on TCP socket"); newfd = accept(listener->fd, (struct sockaddr *) &src, &salen); if (newfd < 0) { /* * Non-blocking sockets must handle this. */ #ifdef EWOULDBLOCK if (errno == EWOULDBLOCK) { return 0; } #endif DEBUG2(" ... failed to accept connection"); return -1; } if (!fr_sockaddr2ipaddr(&src, salen, &src_ipaddr, &src_port)) { close(newfd); DEBUG2(" ... unknown address family"); return 0; } /* * Enforce client IP address checks on accept, not on * every packet. */ if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { close(newfd); FR_STATS_INC(auth, total_invalid_requests); return 0; } #ifdef WITH_TLS /* * Enforce security restrictions. * * This shouldn't be necessary in practice. However, it * serves as a double-check on configurations. Marking a * client as "tls required" means that any accidental * exposure of the client to non-TLS traffic is * prevented. */ if (client->tls_required && !listener->tls) { INFO("Ignoring connection to TLS socket from non-TLS client"); close(newfd); return 0; } #ifdef WITH_RADIUSV11 if (listener->tls) { switch (listener->tls->radiusv11) { case FR_RADIUSV11_FORBID: if (client->radiusv11 == FR_RADIUSV11_REQUIRE) { INFO("Ignoring new connection as client is marked as 'radiusv11 = require', and this socket has 'radiusv11 = forbid'"); close(newfd); return 0; } break; case FR_RADIUSV11_ALLOW: /* * We negotiate it as per the client recommendations (forbid, allow, require) */ break; case FR_RADIUSV11_REQUIRE: if (client->radiusv11 == FR_RADIUSV11_FORBID) { INFO("Ignoring new connection as client is marked as 'radiusv11 = forbid', and this socket has 'radiusv11 = require'"); close(newfd); return 0; } break; } } #endif #endif /* * Enforce max_connections on client && listen section. */ if ((client->limit.max_connections != 0) && (client->limit.max_connections == client->limit.num_connections)) { /* * FIXME: Print client IP/port, and server IP/port. */ INFO("Ignoring new connection due to client max_connections (%d)", client->limit.max_connections); close(newfd); return 0; } sock = listener->data; if ((sock->limit.max_connections != 0) && (sock->limit.max_connections == sock->limit.num_connections)) { /* * FIXME: Print client IP/port, and server IP/port. */ INFO("Ignoring new connection due to socket max_connections"); close(newfd); return 0; } client->limit.num_connections++; sock->limit.num_connections++; /* * Add the new listener. We require a new context here, * because the allocations for the packet, etc. in the * child listener will be done in a child thread. */ this = listen_alloc(NULL, listener->type); if (!this) return -1; /* * Copy everything, including the pointer to the socket * information. */ sock = this->data; memcpy(this->data, listener->data, sizeof(*sock)); memcpy(this, listener, sizeof(*this)); this->next = NULL; this->data = sock; /* fix it back */ sock->parent = listener->data; sock->other_ipaddr = src_ipaddr; sock->other_port = src_port; sock->client = client; sock->opened = sock->last_packet = time(NULL); /* * Set the limits. The defaults are the parent limits. * Client limits on max_connections are enforced dynamically. * Set the MINIMUM of client/socket idle timeout or lifetime. */ memcpy(&sock->limit, &sock->parent->limit, sizeof(sock->limit)); if (client->limit.idle_timeout && ((sock->limit.idle_timeout == 0) || (client->limit.idle_timeout < sock->limit.idle_timeout))) { sock->limit.idle_timeout = client->limit.idle_timeout; } if (client->limit.lifetime && ((sock->limit.lifetime == 0) || (client->limit.lifetime < sock->limit.lifetime))) { sock->limit.lifetime = client->limit.lifetime; } this->fd = newfd; this->status = RAD_LISTEN_STATUS_INIT; this->parent = listener; if (!rbtree_insert(listener->children, this)) { ERROR("Failed inserting TCP socket into parent list."); } #ifdef WITH_COMMAND_SOCKET if (this->type == RAD_LISTEN_COMMAND) { this->recv = command_tcp_recv; this->send = command_tcp_send; command_write_magic(this->fd, sock); } else #endif { this->recv = dual_tcp_recv; #ifdef WITH_TLS if (this->tls) { this->recv = dual_tls_recv; this->send = dual_tls_send; /* * Set up SNI callback. We don't do it * in the main TLS code, because EAP * doesn't need or use SNI. */ SSL_CTX_set_tlsext_servername_callback(this->tls->ctx, tls_sni_callback); SSL_CTX_set_tlsext_servername_arg(this->tls->ctx, this->tls); #ifdef WITH_RADIUSV11 /* * Default is "forbid" (0). In which case we don't set any ALPN callbacks, and * the ServerHello does not contain an ALPN section. */ if (client->radiusv11 != FR_RADIUSV11_FORBID) { SSL_CTX_set_alpn_select_cb(this->tls->ctx, radiusv11_server_alpn_cb, this); DEBUG("(TLS) ALPN radiusv11 = allow / require"); } else { DEBUG("(TLS) ALPN radiusv11 = forbid"); } #endif } #endif } #ifdef WITH_COA_TUNNEL /* * Originate CoA requests to a NAS. */ if (this->send_coa) { home_server_t *home; rad_assert(this->type != RAD_LISTEN_PROXY); this->proxy_send = dual_tls_send_coa_request; this->proxy_encode = master_listen[RAD_LISTEN_PROXY].encode; this->proxy_decode = master_listen[RAD_LISTEN_PROXY].decode; /* * Automatically create a home server for this * client. There MAY be one already one for that * IP in the configuration files, but it will not * have this particular port. */ sock->home = home = talloc_zero(this, home_server_t); home->ipaddr = sock->other_ipaddr; home->port = sock->other_port; home->proto = sock->proto; home->secret = sock->client->secret; home->coa_irt = this->coa_irt; home->coa_mrt = this->coa_mrt; home->coa_mrc = this->coa_mrc; home->coa_mrd = this->coa_mrd; home->recv_coa_server = this->server; } #endif /* * FIXME: set O_NONBLOCK on the accept'd fd. * See djb's portability rants for details. */ /* * Tell the event loop that we have a new FD. * This can be called from a child thread... */ radius_update_listener(this); return 0; } #endif /* * Ensure that we always keep the correct counters. */ #ifdef WITH_TCP static void common_socket_free(rad_listen_t *this) { listen_socket_t *sock = this->data; if (sock->proto != IPPROTO_TCP) return; /* * Decrement the number of connections. */ if (sock->parent && (sock->parent->limit.num_connections > 0)) { sock->parent->limit.num_connections--; } if (sock->client && sock->client->limit.num_connections > 0) { sock->client->limit.num_connections--; } if (sock->home && sock->home->limit.num_connections > 0) { sock->home->limit.num_connections--; } } #else #define common_socket_free NULL #endif /* * This function is stupid and complicated. */ int common_socket_print(rad_listen_t const *this, char *buffer, size_t bufsize) { size_t len; listen_socket_t *sock = this->data; char const *name = master_listen[this->type].name; #define FORWARD len = strlen(buffer); if (len >= (bufsize + 1)) return 0;buffer += len;bufsize -= len #define ADDSTRING(_x) strlcpy(buffer, _x, bufsize);FORWARD ADDSTRING(name); #ifdef WITH_TCP if (this->dual) { ADDSTRING("+acct"); } #endif #ifdef WITH_COA_TUNNEL if (this->send_coa) { ADDSTRING("+coa"); } #endif if (sock->interface) { ADDSTRING(" interface "); ADDSTRING(sock->interface); } #ifdef WITH_TCP if (this->recv == dual_tcp_accept) { ADDSTRING(" proto tcp"); } #endif #ifdef WITH_TCP /* * TCP sockets get printed a little differently, to make * it clear what's going on. */ if (sock->client) { ADDSTRING(" from client ("); ip_ntoh(&sock->other_ipaddr, buffer, bufsize); FORWARD; ADDSTRING(", "); snprintf(buffer, bufsize, "%d", sock->other_port); FORWARD; ADDSTRING(") -> ("); if ((sock->my_ipaddr.af == AF_INET) && (sock->my_ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) { strlcpy(buffer, "*", bufsize); } else { ip_ntoh(&sock->my_ipaddr, buffer, bufsize); } FORWARD; ADDSTRING(", "); snprintf(buffer, bufsize, "%d", sock->my_port); FORWARD; if (this->server) { ADDSTRING(", virtual-server="); ADDSTRING(this->server); } ADDSTRING(")"); return 1; } #ifdef WITH_PROXY /* * Maybe it's a socket that we opened to a home server. */ if ((sock->proto == IPPROTO_TCP) && (this->type == RAD_LISTEN_PROXY)) { ADDSTRING(" ("); ip_ntoh(&sock->my_ipaddr, buffer, bufsize); FORWARD; ADDSTRING(", "); snprintf(buffer, bufsize, "%d", sock->my_port); FORWARD; ADDSTRING(") -> home_server ("); if ((sock->other_ipaddr.af == AF_INET) && (sock->other_ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) { strlcpy(buffer, "*", bufsize); } else { ip_ntoh(&sock->other_ipaddr, buffer, bufsize); } FORWARD; ADDSTRING(", "); snprintf(buffer, bufsize, "%d", sock->other_port); FORWARD; ADDSTRING(")"); return 1; } #endif /* WITH_PROXY */ #endif /* WITH_TCP */ ADDSTRING(" address "); if ((sock->my_ipaddr.af == AF_INET) && (sock->my_ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) { strlcpy(buffer, "*", bufsize); } else { ip_ntoh(&sock->my_ipaddr, buffer, bufsize); } FORWARD; ADDSTRING(" port "); snprintf(buffer, bufsize, "%d", sock->my_port); FORWARD; #ifdef WITH_TLS if (this->tls) { ADDSTRING(" (TLS)"); FORWARD; } #endif if (this->server) { ADDSTRING(" bound to server "); strlcpy(buffer, this->server, bufsize); } #undef ADDSTRING #undef FORWARD return 1; } static CONF_PARSER performance_config[] = { { "skip_duplicate_checks", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rad_listen_t, nodup), NULL }, { "synchronous", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rad_listen_t, synchronous), NULL }, { "workers", FR_CONF_OFFSET(PW_TYPE_INTEGER, rad_listen_t, workers), NULL }, CONF_PARSER_TERMINATOR }; static CONF_PARSER limit_config[] = { { "max_pps", FR_CONF_OFFSET(PW_TYPE_INTEGER, listen_socket_t, max_rate), NULL }, #ifdef WITH_TCP { "max_connections", FR_CONF_OFFSET(PW_TYPE_INTEGER, listen_socket_t, limit.max_connections), "16" }, { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, listen_socket_t, limit.lifetime), "0" }, { "idle_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, listen_socket_t, limit.idle_timeout), STRINGIFY(30) }, #endif CONF_PARSER_TERMINATOR }; #ifdef WITH_COA_TUNNEL static CONF_PARSER coa_config[] = { { "irt", FR_CONF_OFFSET(PW_TYPE_INTEGER, rad_listen_t, coa_irt), STRINGIFY(2) }, { "mrt", FR_CONF_OFFSET(PW_TYPE_INTEGER, rad_listen_t, coa_mrt), STRINGIFY(16) }, { "mrc", FR_CONF_OFFSET(PW_TYPE_INTEGER, rad_listen_t, coa_mrc), STRINGIFY(5) }, { "mrd", FR_CONF_OFFSET(PW_TYPE_INTEGER, rad_listen_t, coa_mrd), STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; #endif #ifdef WITH_TCP /* * TLS requires child threads to handle the listeners. Which * means that we need a separate talloc context per child thread. * Which means that we need to manually clean up the child * listeners. Which means we need to manually track them. * * All child thread linking/unlinking is done in the master * thread. If we care, we can later add a mutex for the parent * listener. */ static int listener_cmp(void const *one, void const *two) { if (one < two) return -1; if (one > two) return +1; return 0; } static int listener_unlink(UNUSED void *ctx, UNUSED void *data) { return 2; /* unlink this node from the tree */ } #endif /* * Parse an authentication or accounting socket. */ int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this) { int rcode; uint16_t listen_port; fr_ipaddr_t ipaddr; listen_socket_t *sock = this->data; char const *section_name = NULL; CONF_SECTION *client_cs, *parentcs; CONF_SECTION *subcs; CONF_PAIR *cp; this->cs = cs; /* * Try IPv4 first */ memset(&ipaddr, 0, sizeof(ipaddr)); ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE); rcode = cf_item_parse(cs, "ipaddr", FR_ITEM_POINTER(PW_TYPE_COMBO_IP_ADDR, &ipaddr), NULL); if (rcode < 0) return -1; if (rcode != 0) rcode = cf_item_parse(cs, "ipv4addr", FR_ITEM_POINTER(PW_TYPE_IPV4_ADDR, &ipaddr), NULL); if (rcode < 0) return -1; if (rcode != 0) rcode = cf_item_parse(cs, "ipv6addr", FR_ITEM_POINTER(PW_TYPE_IPV6_ADDR, &ipaddr), NULL); if (rcode < 0) return -1; if (rcode != 0) { cf_log_err_cs(cs, "No address specified in listen section"); return -1; } rcode = cf_item_parse(cs, "port", FR_ITEM_POINTER(PW_TYPE_SHORT, &listen_port), "0"); if (rcode < 0) return -1; rcode = cf_item_parse(cs, "recv_buff", PW_TYPE_INTEGER, &sock->recv_buff, NULL); if (rcode < 0) return -1; sock->proto = IPPROTO_UDP; if (cf_pair_find(cs, "proto")) { #ifndef WITH_TCP cf_log_err_cs(cs, "System does not support the TCP protocol. Delete this line from the configuration file"); return -1; #else char const *proto = NULL; #ifdef WITH_TLS CONF_SECTION *tls; #endif rcode = cf_item_parse(cs, "proto", FR_ITEM_POINTER(PW_TYPE_STRING, &proto), "udp"); if (rcode < 0) return -1; if (!proto || strcmp(proto, "udp") == 0) { sock->proto = IPPROTO_UDP; } else if (strcmp(proto, "tcp") == 0) { sock->proto = IPPROTO_TCP; } else { cf_log_err_cs(cs, "Unknown proto name \"%s\"", proto); return -1; } /* * TCP requires a destination IP for sockets. * UDP doesn't, so it's allowed. */ #ifdef WITH_PROXY if ((this->type == RAD_LISTEN_PROXY) && (sock->proto != IPPROTO_UDP)) { cf_log_err_cs(cs, "Proxy listeners can only listen on proto = udp"); return -1; } #endif /* WITH_PROXY */ #ifdef WITH_TLS tls = cf_section_sub_find(cs, "tls"); if (tls) { /* * Don't allow TLS configurations for UDP sockets. */ if (sock->proto != IPPROTO_TCP) { cf_log_err_cs(cs, "TLS transport is not available for UDP sockets"); return -1; } /* * Add support for http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt */ rcode = cf_item_parse(cs, "proxy_protocol", FR_ITEM_POINTER(PW_TYPE_BOOLEAN, &this->proxy_protocol), NULL); if (rcode < 0) return -1; /* * Allow non-blocking for TLS sockets */ rcode = cf_item_parse(cs, "nonblock", FR_ITEM_POINTER(PW_TYPE_BOOLEAN, &this->nonblock), NULL); if (rcode < 0) return -1; /* * If unset, set to default. */ if (listen_port == 0) listen_port = PW_RADIUS_TLS_PORT; this->tls = tls_server_conf_parse(tls); if (!this->tls) { return -1; } #ifdef HAVE_PTHREAD_H if (pthread_mutex_init(&sock->mutex, NULL) < 0) { rad_assert(0 == 1); listen_free(&this); return 0; } #endif rcode = cf_item_parse(cs, "check_client_connections", FR_ITEM_POINTER(PW_TYPE_BOOLEAN, &this->check_client_connections), "no"); if (rcode < 0) return -1; #ifdef WITH_RADIUSV11 if (this->tls->radiusv11_name) { rcode = fr_str2int(radiusv11_types, this->tls->radiusv11_name, -1); if (rcode < 0) { cf_log_err_cs(cs, "Invalid value for 'radiusv11'"); return -1; } this->radiusv11 = this->tls->radiusv11 = rcode; } #endif } #else /* WITH_TLS */ /* * Built without TLS. Disallow it. */ if (cf_section_sub_find(cs, "tls")) { cf_log_err_cs(cs, "TLS transport is not available in this executable"); return -1; } #endif /* WITH_TLS */ #endif /* WITH_TCP */ /* * No "proto" field. Disallow TLS. */ } else if (cf_section_sub_find(cs, "tls")) { cf_log_err_cs(cs, "TLS transport is not available in this \"listen\" section"); return -1; } /* * Magical tuning methods! */ subcs = cf_section_sub_find(cs, "performance"); if (subcs) { rcode = cf_section_parse(subcs, this, performance_config); if (rcode < 0) return -1; if (this->synchronous && sock->max_rate) { WARN("Setting 'max_pps' is incompatible with 'synchronous'. Disabling 'max_pps'"); sock->max_rate = 0; } if (!this->synchronous && this->workers) { WARN("Setting 'workers' requires 'synchronous'. Disabling 'workers'"); this->workers = 0; } } subcs = cf_section_sub_find(cs, "limit"); if (subcs) { rcode = cf_section_parse(subcs, sock, limit_config); if (rcode < 0) return -1; if (sock->max_rate && ((sock->max_rate < 10) || (sock->max_rate > 1000000))) { cf_log_err_cs(cs, "Invalid value for \"max_pps\""); return -1; } #ifdef WITH_TCP if ((sock->limit.idle_timeout > 0) && (sock->limit.idle_timeout < 5)) { WARN("Setting idle_timeout to 5"); sock->limit.idle_timeout = 5; } if ((sock->limit.lifetime > 0) && (sock->limit.lifetime < 5)) { WARN("Setting lifetime to 5"); sock->limit.lifetime = 5; } if ((sock->limit.lifetime > 0) && (sock->limit.idle_timeout > sock->limit.lifetime)) { WARN("Setting idle_timeout to 0"); sock->limit.idle_timeout = 0; } /* * Force no duplicate detection for TCP sockets. */ if (sock->proto == IPPROTO_TCP) { this->nodup = true; } } else { sock->limit.max_connections = 60; sock->limit.idle_timeout = 30; sock->limit.lifetime = 0; #endif } sock->my_ipaddr = ipaddr; sock->my_port = listen_port; #ifdef WITH_PROXY if (check_config) { /* * Until there is a side effects free way of forwarding a * request to another virtual server, this check is invalid, * and should be left disabled. */ #if 0 if (home_server_find(&sock->my_ipaddr, sock->my_port, sock->proto)) { char buffer[128]; ERROR("We have been asked to listen on %s port %d, which is also listed as a " "home server. This can create a proxy loop", ip_ntoh(&sock->my_ipaddr, buffer, sizeof(buffer)), sock->my_port); return -1; } #endif return 0; /* don't do anything */ } #endif /* * If we can bind to interfaces, do so, * else don't. */ cp = cf_pair_find(cs, "interface"); if (cp) { char const *value = cf_pair_value(cp); if (!value) { cf_log_err_cs(cs, "No interface name given"); return -1; } sock->interface = value; } #ifdef WITH_DHCP /* * If we can do broadcasts.. */ cp = cf_pair_find(cs, "broadcast"); if (cp) { #ifndef SO_BROADCAST cf_log_err_cs(cs, "System does not support broadcast sockets. Delete this line from the configuration file"); return -1; #else if (this->type != RAD_LISTEN_DHCP) { cf_log_err_cp(cp, "Broadcast can only be set for DHCP listeners. Delete this line from the configuration file"); return -1; } char const *value = cf_pair_value(cp); if (!value) { cf_log_err_cs(cs, "No broadcast value given"); return -1; } /* * Hack... whatever happened to cf_section_parse? */ sock->broadcast = (strcmp(value, "yes") == 0); #endif } #endif /* * And bind it to the port. */ if (listen_bind(this) < 0) { char buffer[128]; cf_log_err_cs(cs, "Error binding to port for %s port %d", ip_ntoh(&sock->my_ipaddr, buffer, sizeof(buffer)), sock->my_port); return -1; } #ifdef WITH_PROXY /* * Proxy sockets don't have clients. */ if (this->type == RAD_LISTEN_PROXY) return 0; #endif /* * The more specific configurations are preferred to more * generic ones. */ client_cs = NULL; parentcs = cf_top_section(cs); rcode = cf_item_parse(cs, "clients", FR_ITEM_POINTER(PW_TYPE_STRING, §ion_name), NULL); if (rcode < 0) return -1; /* bad string */ if (rcode == 0) { /* * Explicit list given: use it. */ client_cs = cf_section_sub_find_name2(parentcs, "clients", section_name); if (!client_cs) { client_cs = cf_section_find(section_name); } if (!client_cs) { cf_log_err_cs(cs, "Failed to find clients %s {...}", section_name); return -1; } } /* else there was no "clients = " entry. */ /* * The "listen" section wasn't given an explicit client list. * Look for (a) clients in this virtual server, or * (b) the global client list. */ if (!client_cs) { CONF_SECTION *server_cs; server_cs = cf_section_sub_find_name2(parentcs, "server", this->server); /* * Found a "server foo" section. If there are clients * in it, use them. */ if (server_cs && (cf_section_sub_find(server_cs, "client") != NULL)) { client_cs = server_cs; } } /* * Still nothing. Look for global clients. */ if (!client_cs) client_cs = parentcs; #ifdef WITH_TLS sock->clients = client_list_parse_section(client_cs, (this->tls != NULL)); #else sock->clients = client_list_parse_section(client_cs, false); #endif if (!sock->clients) { cf_log_err_cs(cs, "Failed to load clients for this listen section"); return -1; } #ifdef WITH_TCP if (sock->proto == IPPROTO_TCP) { /* * Re-write the listener receive function to * allow us to accept the socket. */ this->recv = dual_tcp_accept; /* * @todo - add a free function? Though this only * matters when we're tearing down the server, so * perhaps it's less relevant. */ this->children = rbtree_create(this, listener_cmp, NULL, 0); if (!this->children) { cf_log_err_cs(cs, "Failed to create child list for TCP socket."); return -1; } } #endif return 0; } /* * Send a response packet */ static int common_socket_send(rad_listen_t *listener, REQUEST *request) { rad_assert(request->listener == listener); rad_assert(listener->send == common_socket_send); if (request->reply->code == 0) return 0; #ifdef WITH_UDPFROMTO /* * Overwrite the src ip address on the outbound packet * with the one specified by the client. * This is useful to work around broken DSR implementations * and other routing issues. */ if (request->client->src_ipaddr.af != AF_UNSPEC) { request->reply->src_ipaddr = request->client->src_ipaddr; } #endif if (rad_send(request->reply, request->packet, request->client->secret) < 0) { RERROR("Failed sending reply: %s", fr_strerror()); return -1; } return 0; } #ifdef WITH_PROXY /* * Send a packet to a home server. * * FIXME: have different code for proxy auth & acct! */ static int proxy_socket_send(rad_listen_t *listener, REQUEST *request) { rad_assert(request->proxy_listener == listener); rad_assert(listener->proxy_send == proxy_socket_send); if (rad_send(request->proxy, NULL, request->home_server->secret) < 0) { RERROR("Failed sending proxied request: %s", fr_strerror()); return -1; } return 0; } #endif #ifdef WITH_STATS /* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ static int stats_socket_recv(rad_listen_t *listener) { ssize_t rcode; int code; uint16_t src_port; RADIUS_PACKET *packet; RADCLIENT *client = NULL; fr_ipaddr_t src_ipaddr; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; FR_STATS_INC(auth, total_requests); if (rcode < 20) { /* RADIUS_HDR_LEN */ if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); FR_STATS_INC(auth, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_invalid_requests); return 0; } FR_STATS_TYPE_INC(client->auth.total_requests); /* * We only understand Status-Server on this socket. */ if (code != PW_CODE_STATUS_SERVER) { DEBUG("Ignoring packet code %d sent to Status-Server port", code); rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_unknown_types); return 0; } /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(NULL, listener->fd, 1); /* require message authenticator */ if (!packet) { FR_STATS_INC(auth, total_malformed_requests); if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); return 0; } if (!request_receive(NULL, listener, packet, client, rad_status_server)) { FR_STATS_INC(auth, total_packets_dropped); rad_free(&packet); return 0; } return 1; } #endif /* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ static int auth_socket_recv(rad_listen_t *listener) { ssize_t rcode; int code; uint16_t src_port; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client = NULL; fr_ipaddr_t src_ipaddr; TALLOC_CTX *ctx; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; FR_STATS_INC(auth, total_requests); if (rcode < 20) { /* RADIUS_HDR_LEN */ if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); FR_STATS_INC(auth, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_invalid_requests); return 0; } /* * Some sanity checks, based on the packet code. */ switch (code) { case PW_CODE_ACCESS_REQUEST: FR_STATS_TYPE_INC(client->auth.total_requests); fun = rad_authenticate; break; case PW_CODE_STATUS_SERVER: if (!main_config.status_server) { rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_unknown_types); WARN("Ignoring Status-Server request due to security configuration"); return 0; } fun = rad_status_server; break; default: rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_unknown_types); if (DEBUG_ENABLED) ERROR("Receive - Invalid packet code %d sent to authentication port from " "client %s port %d", code, client->shortname, src_port); return 0; } /* switch over packet types */ ctx = talloc_pool(NULL, main_config.talloc_pool_size); if (!ctx) { rad_recv_discard(listener->fd); FR_STATS_INC(auth, total_packets_dropped); return 0; } talloc_set_name_const(ctx, "auth_listener_pool"); /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(ctx, listener->fd, client->message_authenticator); if (!packet) { FR_STATS_INC(auth, total_malformed_requests); if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); talloc_free(ctx); return 0; } #ifdef __APPLE__ #ifdef WITH_UDPFROMTO /* * This is a NICE Mac OSX bug. Create an interface with * two IP address, and then configure one listener for * each IP address. Send thousands of packets to one * address, and some will show up on the OTHER socket. * * This hack works ONLY if the clients are global. If * each listener has the same client IP, but with * different secrets, then it will fail the rad_recv() * check above, and there's nothing you can do. */ { listen_socket_t *sock = listener->data; rad_listen_t *other; other = listener_find_byipaddr(&packet->dst_ipaddr, packet->dst_port, sock->proto); if (other) listener = other; } #endif #endif if (!request_receive(ctx, listener, packet, client, fun)) { FR_STATS_INC(auth, total_packets_dropped); talloc_free(ctx); return 0; } return 1; } #ifdef WITH_ACCOUNTING /* * Receive packets from an accounting socket */ static int acct_socket_recv(rad_listen_t *listener) { ssize_t rcode; int code; uint16_t src_port; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client = NULL; fr_ipaddr_t src_ipaddr; TALLOC_CTX *ctx; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; FR_STATS_INC(acct, total_requests); if (rcode < 20) { /* RADIUS_HDR_LEN */ if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); FR_STATS_INC(acct, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); FR_STATS_INC(acct, total_invalid_requests); return 0; } /* * Some sanity checks, based on the packet code. */ switch (code) { case PW_CODE_ACCOUNTING_REQUEST: FR_STATS_TYPE_INC(client->acct.total_requests); fun = rad_accounting; break; case PW_CODE_STATUS_SERVER: if (!main_config.status_server) { rad_recv_discard(listener->fd); FR_STATS_INC(acct, total_unknown_types); WARN("Ignoring Status-Server request due to security configuration"); return 0; } fun = rad_status_server; break; default: rad_recv_discard(listener->fd); FR_STATS_INC(acct, total_unknown_types); DEBUG("Invalid packet code %d sent to a accounting port from client %s port %d : IGNORED", code, client->shortname, src_port); return 0; } /* switch over packet types */ ctx = talloc_pool(NULL, main_config.talloc_pool_size); if (!ctx) { rad_recv_discard(listener->fd); FR_STATS_INC(acct, total_packets_dropped); return 0; } talloc_set_name_const(ctx, "acct_listener_pool"); /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(ctx, listener->fd, 0); if (!packet) { FR_STATS_INC(acct, total_malformed_requests); if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); talloc_free(ctx); return 0; } /* * There can be no duplicate accounting packets. */ if (!request_receive(ctx, listener, packet, client, fun)) { FR_STATS_INC(acct, total_packets_dropped); rad_free(&packet); talloc_free(ctx); return 0; } return 1; } #endif #ifdef WITH_COA static int do_proxy(REQUEST *request) { VALUE_PAIR *vp; if (request->in_proxy_hash || (request->proxy_reply && (request->proxy_reply->code != 0))) { return 0; } vp = fr_pair_find_by_num(request->config, PW_HOME_SERVER_POOL, 0, TAG_ANY); if (vp) { if (!home_pool_byname(vp->vp_strvalue, HOME_TYPE_COA)) { REDEBUG2("Cannot proxy to unknown pool %s", vp->vp_strvalue); return -1; } return 1; } /* * We have a destination IP address. It will (later) proxied. */ vp = fr_pair_find_by_num(request->config, PW_PACKET_DST_IP_ADDRESS, 0, TAG_ANY); if (!vp) vp = fr_pair_find_by_num(request->config, PW_PACKET_DST_IPV6_ADDRESS, 0, TAG_ANY); #ifdef WITH_COA_TUNNEL if (!vp) vp = fr_pair_find_by_num(request->config, PW_PROXY_TO_ORIGINATING_REALM, 0, TAG_ANY); #endif if (!vp) return 0; return 1; } /* * Receive a CoA packet. */ int rad_coa_recv(REQUEST *request) { int rcode = RLM_MODULE_OK; int ack, nak; int proxy_status; VALUE_PAIR *vp; /* * Get the correct response */ switch (request->packet->code) { case PW_CODE_COA_REQUEST: ack = PW_CODE_COA_ACK; nak = PW_CODE_COA_NAK; break; case PW_CODE_DISCONNECT_REQUEST: ack = PW_CODE_DISCONNECT_ACK; nak = PW_CODE_DISCONNECT_NAK; break; default: /* shouldn't happen */ return RLM_MODULE_FAIL; } #ifdef WITH_PROXY #define WAS_PROXIED (request->proxy) #else #define WAS_PROXIED (0) #endif if (!WAS_PROXIED) { /* * RFC 5176 Section 3.3. If we have a CoA-Request * with Service-Type = Authorize-Only, it MUST * have a State attribute in it. */ vp = fr_pair_find_by_num(request->packet->vps, PW_SERVICE_TYPE, 0, TAG_ANY); if (request->packet->code == PW_CODE_COA_REQUEST) { if (vp && (vp->vp_integer == PW_AUTHORIZE_ONLY)) { vp = fr_pair_find_by_num(request->packet->vps, PW_STATE, 0, TAG_ANY); if (!vp || (vp->vp_length == 0)) { REDEBUG("CoA-Request with Service-Type = Authorize-Only MUST contain a State attribute"); request->reply->code = PW_CODE_COA_NAK; return RLM_MODULE_FAIL; } } } else if (vp) { /* * RFC 5176, Section 3.2. */ REDEBUG("Disconnect-Request MUST NOT contain a Service-Type attribute"); request->reply->code = PW_CODE_DISCONNECT_NAK; return RLM_MODULE_FAIL; } rcode = process_recv_coa(0, request); switch (rcode) { case RLM_MODULE_FAIL: case RLM_MODULE_INVALID: case RLM_MODULE_REJECT: case RLM_MODULE_USERLOCK: default: request->reply->code = nak; break; case RLM_MODULE_HANDLED: return rcode; case RLM_MODULE_NOOP: case RLM_MODULE_NOTFOUND: case RLM_MODULE_OK: case RLM_MODULE_UPDATED: proxy_status = do_proxy(request); if (proxy_status == 1) return RLM_MODULE_OK; if (proxy_status < 0) { request->reply->code = nak; } else { request->reply->code = ack; } break; } } #ifdef WITH_PROXY else if (request->proxy_reply) { /* * Start the reply code with the proxy reply * code. */ request->reply->code = request->proxy_reply->code; } #endif /* * Copy State from the request to the reply. * See RFC 5176 Section 3.3. */ vp = fr_pair_list_copy_by_num(request->reply, request->packet->vps, PW_STATE, 0, TAG_ANY); if (vp) fr_pair_add(&request->reply->vps, vp); /* * We may want to over-ride the reply. */ if (request->reply->code) { rcode = process_send_coa(0, request); switch (rcode) { /* * We need to send CoA-NAK back if Service-Type * is Authorize-Only. Rely on the user's policy * to do that. We're not a real NAS, so this * restriction doesn't (ahem) apply to us. */ case RLM_MODULE_FAIL: case RLM_MODULE_INVALID: case RLM_MODULE_REJECT: case RLM_MODULE_USERLOCK: default: /* * Over-ride an ACK with a NAK */ request->reply->code = nak; break; case RLM_MODULE_HANDLED: return rcode; case RLM_MODULE_NOOP: case RLM_MODULE_NOTFOUND: case RLM_MODULE_OK: case RLM_MODULE_UPDATED: /* * Do NOT over-ride a previously set value. * Otherwise an "ok" here will re-write a * NAK to an ACK. */ if (request->reply->code == 0) { request->reply->code = ack; } break; } } return RLM_MODULE_OK; } /* * Check if an incoming request is "ok" * * It takes packets, not requests. It sees if the packet looks * OK. If so, it does a number of sanity checks on it. */ static int coa_socket_recv(rad_listen_t *listener) { ssize_t rcode; int code; uint16_t src_port; RADIUS_PACKET *packet; RAD_REQUEST_FUNP fun = NULL; RADCLIENT *client = NULL; fr_ipaddr_t src_ipaddr; TALLOC_CTX *ctx; rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code); if (rcode < 0) return 0; if (rcode < 20) { /* RADIUS_HDR_LEN */ if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); FR_STATS_INC(coa, total_malformed_requests); return 0; } if ((client = client_listener_find(listener, &src_ipaddr, src_port)) == NULL) { rad_recv_discard(listener->fd); FR_STATS_INC(coa, total_requests); FR_STATS_INC(coa, total_invalid_requests); return 0; } /* * Some sanity checks, based on the packet code. */ switch (code) { case PW_CODE_COA_REQUEST: FR_STATS_INC(coa, total_requests); fun = rad_coa_recv; break; case PW_CODE_DISCONNECT_REQUEST: FR_STATS_INC(dsc, total_requests); fun = rad_coa_recv; break; default: rad_recv_discard(listener->fd); FR_STATS_INC(coa, total_unknown_types); DEBUG("Invalid packet code %d sent to coa port from client %s port %d : IGNORED", code, client->shortname, src_port); return 0; } /* switch over packet types */ ctx = talloc_pool(NULL, main_config.talloc_pool_size); if (!ctx) { rad_recv_discard(listener->fd); FR_STATS_INC(coa, total_packets_dropped); return 0; } talloc_set_name_const(ctx, "coa_socket_recv_pool"); /* * Now that we've sanity checked everything, receive the * packet. */ packet = rad_recv(ctx, listener->fd, client->message_authenticator); if (!packet) { FR_STATS_INC(coa, total_malformed_requests); if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); talloc_free(ctx); return 0; } if (!request_receive(ctx, listener, packet, client, fun)) { FR_STATS_INC(coa, total_packets_dropped); rad_free(&packet); talloc_free(ctx); return 0; } return 1; } #endif #ifdef WITH_PROXY /* * Recieve packets from a proxy socket. */ static int proxy_socket_recv(rad_listen_t *listener) { RADIUS_PACKET *packet; #ifdef WITH_TCP listen_socket_t *sock; #endif char buffer[128]; packet = rad_recv(NULL, listener->fd, 0); if (!packet) { if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); return 0; } switch (packet->code) { case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCESS_CHALLENGE: case PW_CODE_ACCESS_REJECT: break; #ifdef WITH_ACCOUNTING case PW_CODE_ACCOUNTING_RESPONSE: break; #endif #ifdef WITH_COA case PW_CODE_DISCONNECT_ACK: case PW_CODE_DISCONNECT_NAK: case PW_CODE_COA_ACK: case PW_CODE_COA_NAK: break; #endif default: /* * FIXME: Update MIB for packet types? */ ERROR("Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); #ifdef WITH_STATS listener->stats.total_unknown_types++; #endif rad_free(&packet); return 0; } #ifdef WITH_TCP sock = listener->data; packet->proto = sock->proto; #endif if (!request_proxy_reply(packet)) { #ifdef WITH_STATS listener->stats.total_packets_dropped++; #endif rad_free(&packet); return 0; } return 1; } #ifdef WITH_TCP /* * Recieve packets from a proxy socket. */ static int proxy_socket_tcp_recv(rad_listen_t *listener) { int rcode; RADIUS_PACKET *packet; listen_socket_t *sock = listener->data; char buffer[256]; if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0; if (!sock->packet) { sock->packet = rad_alloc(sock, false); if (!sock->packet) return 0; sock->packet->sockfd = listener->fd; sock->packet->src_ipaddr = sock->other_ipaddr; sock->packet->src_port = sock->other_port; sock->packet->dst_ipaddr = sock->my_ipaddr; sock->packet->dst_port = sock->my_port; sock->packet->proto = sock->proto; } packet = sock->packet; rcode = fr_tcp_read_packet(packet, 0); /* * Still only a partial packet. Put it back, and return, * so that we'll read more data when it's ready. */ if (rcode == 0) { return 0; } if (rcode == -1) { /* error reading packet */ ERROR("Invalid packet from %s port %d, closing socket: %s", ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, fr_strerror()); } if (rcode < 0) { /* error or connection reset */ listener->status = RAD_LISTEN_STATUS_EOL; /* * Tell the event handler that an FD has disappeared. */ DEBUG("Home server %s port %d has closed connection", ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port); radius_update_listener(listener); /* * Do NOT free the listener here. It's in use by * a request, and will need to hang around until * all of the requests are done. * * It is instead free'd in remove_from_request_hash() */ return 0; } sock->packet = NULL; /* we have no need for more partial reads */ /* * FIXME: Client MIB updates? */ switch (packet->code) { case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCESS_CHALLENGE: case PW_CODE_ACCESS_REJECT: break; #ifdef WITH_ACCOUNTING case PW_CODE_ACCOUNTING_RESPONSE: break; #endif default: /* * FIXME: Update MIB for packet types? */ ERROR("Invalid packet code %d sent to a proxy port " "from home server %s port %d - ID %d : IGNORED", packet->code, ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)), packet->src_port, packet->id); rad_free(&packet); return 0; } /* * FIXME: Have it return an indication of packets that * are OK to ignore (dups, too late), versus ones that * aren't OK to ignore (unknown response, spoofed, etc.) * * Close the socket on bad packets... */ if (!request_proxy_reply(packet)) { rad_free(&packet); return 0; } sock->opened = sock->last_packet = time(NULL); return 1; } #endif #endif #ifdef WITH_TLS #define TLS_UNUSED #else #define TLS_UNUSED UNUSED #endif static int client_socket_encode(TLS_UNUSED rad_listen_t *listener, REQUEST *request) { #ifdef WITH_TLS /* * Don't encode fake packets. */ listen_socket_t *sock = listener->data; if (sock->state == LISTEN_TLS_CHECKING) return 0; #ifdef WITH_RADIUSV11 request->reply->radiusv11 = sock->radiusv11; #endif #endif if (!request->reply->code) return 0; if (request->reply->data) return 0; /* already encoded */ if (rad_encode(request->reply, request->packet, request->client->secret) < 0) { RERROR("Failed encoding packet: %s", fr_strerror()); return -1; } if (request->reply->data_len > (MAX_PACKET_LEN - 100)) { RWDEBUG("Packet is large, and possibly truncated - %zd vs max %d", request->reply->data_len, MAX_PACKET_LEN); } if (rad_sign(request->reply, request->packet, request->client->secret) < 0) { RERROR("Failed signing packet: %s", fr_strerror()); return -1; } return 0; } static int client_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request) { #ifdef WITH_TLS listen_socket_t *sock = request->listener->data; #ifdef WITH_RADIUSV11 request->packet->radiusv11 = sock->radiusv11; #endif #endif if (rad_verify(request->packet, NULL, request->client->secret) < 0) { return -1; } #ifdef WITH_TLS /* * FIXME: Add the rest of the TLS parameters, too? But * how do we separate EAP-TLS parameters from RADIUS/TLS * parameters? */ if (sock->ssn && sock->ssn->ssl) { #ifdef PSK_MAX_IDENTITY_LEN const char *identity = SSL_get_psk_identity(sock->ssn->ssl); if (identity) { RDEBUG("Retrieved psk identity: %s", identity); pair_make_request("TLS-PSK-Identity", identity, T_OP_SET); } #endif } #endif return rad_decode(request->packet, NULL, request->client->secret); } #ifdef WITH_PROXY #ifdef WITH_RADIUSV11 #define RADIUSV11_UNUSED #else #define RADIUSV11_UNUSED UNUSED #endif static int proxy_socket_encode(RADIUSV11_UNUSED rad_listen_t *listener, REQUEST *request) { #ifdef WITH_RADIUSV11 listen_socket_t *sock = listener->data; request->proxy->radiusv11 = sock->radiusv11; #endif if (rad_encode(request->proxy, NULL, request->home_server->secret) < 0) { RERROR("Failed encoding proxied packet: %s", fr_strerror()); return -1; } if (request->proxy->data_len > (MAX_PACKET_LEN - 100)) { RWDEBUG("Packet is large, and possibly truncated - %zd vs max %d", request->proxy->data_len, MAX_PACKET_LEN); } if (rad_sign(request->proxy, NULL, request->home_server->secret) < 0) { RERROR("Failed signing proxied packet: %s", fr_strerror()); return -1; } return 0; } static int proxy_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request) { #ifdef WITH_RADIUSV11 listen_socket_t *sock = listener->data; request->proxy_reply->radiusv11 = sock->radiusv11; #endif /* * rad_verify is run in event.c, received_proxy_response() */ return rad_decode(request->proxy_reply, request->proxy, request->home_server->secret); } #endif #include "command.c" /* * Temporarily NOT const! */ static fr_protocol_t master_listen[RAD_LISTEN_MAX] = { #ifdef WITH_STATS { RLM_MODULE_INIT, "status", sizeof(listen_socket_t), NULL, common_socket_parse, NULL, stats_socket_recv, common_socket_send, common_socket_print, client_socket_encode, client_socket_decode }, #else /* * This always gets defined. */ { RLM_MODULE_INIT, "status", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */ #endif #ifdef WITH_PROXY /* proxying */ { RLM_MODULE_INIT, "proxy", sizeof(listen_socket_t), NULL, common_socket_parse, common_socket_free, proxy_socket_recv, proxy_socket_send, common_socket_print, proxy_socket_encode, proxy_socket_decode }, #else { 0, "proxy", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, #endif /* authentication */ { RLM_MODULE_INIT, "auth", sizeof(listen_socket_t), NULL, common_socket_parse, common_socket_free, auth_socket_recv, common_socket_send, common_socket_print, client_socket_encode, client_socket_decode }, #ifdef WITH_ACCOUNTING /* accounting */ { RLM_MODULE_INIT, "acct", sizeof(listen_socket_t), NULL, common_socket_parse, common_socket_free, acct_socket_recv, common_socket_send, common_socket_print, client_socket_encode, client_socket_decode}, #else { 0, "acct", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef WITH_DETAIL /* detail */ { RLM_MODULE_INIT, "detail", sizeof(listen_detail_t), NULL, detail_parse, detail_free, detail_recv, detail_send, detail_print, detail_encode, detail_decode }, #endif /* vlan query protocol */ { 0, "vmps", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, /* dhcp query protocol */ { 0, "dhcp", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, #ifdef WITH_COMMAND_SOCKET /* TCP command socket */ { RLM_MODULE_INIT, "control", sizeof(fr_command_socket_t), NULL, command_socket_parse, command_socket_free, command_domain_accept, command_domain_send, command_socket_print, command_socket_encode, command_socket_decode }, #else { 0, "command", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, #endif #ifdef WITH_COA /* Change of Authorization */ { RLM_MODULE_INIT, "coa", sizeof(listen_socket_t), NULL, common_socket_parse, NULL, coa_socket_recv, common_socket_send, common_socket_print, client_socket_encode, client_socket_decode }, #else { 0, "coa", 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }, #endif }; /* * Binds a listener to a socket. */ static int listen_bind(rad_listen_t *this) { int rcode; struct sockaddr_storage salocal; socklen_t salen; listen_socket_t *sock = this->data; #ifndef WITH_TCP #define proto_for_port "udp" #define sock_type SOCK_DGRAM #else char const *proto_for_port = "udp"; int sock_type = SOCK_DGRAM; if (sock->proto == IPPROTO_TCP) { #ifdef WITH_VMPS if (this->type == RAD_LISTEN_VQP) { ERROR("VQP does not support TCP transport"); return -1; } #endif proto_for_port = "tcp"; sock_type = SOCK_STREAM; } #endif /* * If the port is zero, then it means the appropriate * thing from /etc/services. */ if (sock->my_port == 0) { struct servent *svp; switch (this->type) { case RAD_LISTEN_AUTH: svp = getservbyname ("radius", proto_for_port); if (svp != NULL) { sock->my_port = ntohs(svp->s_port); } else { sock->my_port = PW_AUTH_UDP_PORT; } break; #ifdef WITH_ACCOUNTING case RAD_LISTEN_ACCT: svp = getservbyname ("radacct", proto_for_port); if (svp != NULL) { sock->my_port = ntohs(svp->s_port); } else { sock->my_port = PW_ACCT_UDP_PORT; } break; #endif #ifdef WITH_PROXY case RAD_LISTEN_PROXY: /* leave it at zero */ break; #endif #ifdef WITH_VMPS case RAD_LISTEN_VQP: sock->my_port = 1589; break; #endif #ifdef WITH_COMMAND_SOCKET case RAD_LISTEN_COMMAND: sock->my_port = PW_RADMIN_PORT; break; #endif #ifdef WITH_COA case RAD_LISTEN_COA: svp = getservbyname ("radius-dynauth", "udp"); if (svp != NULL) { sock->my_port = ntohs(svp->s_port); } else { sock->my_port = PW_COA_UDP_PORT; } break; #endif #ifdef WITH_DHCP case RAD_LISTEN_DHCP: svp = getservbyname ("bootps", "udp"); if (svp != NULL) { sock->my_port = ntohs(svp->s_port); } else { sock->my_port = 67; } break; #endif default: WARN("Internal sanity check failed in binding to socket. Ignoring problem"); return -1; } } /* * Don't open sockets if we're checking the config. */ if (check_config) { this->fd = -1; return 0; } /* * Copy fr_socket() here, as we may need to bind to a device. */ this->fd = socket(sock->my_ipaddr.af, sock_type, 0); if (this->fd < 0) { char buffer[256]; this->print(this, buffer, sizeof(buffer)); ERROR("Failed opening %s: %s", buffer, fr_syserror(errno)); return -1; } #ifdef FD_CLOEXEC /* * We don't want child processes inheriting these * file descriptors. */ rcode = fcntl(this->fd, F_GETFD); if (rcode >= 0) { if (fcntl(this->fd, F_SETFD, rcode | FD_CLOEXEC) < 0) { close(this->fd); ERROR("Failed setting close on exec: %s", fr_syserror(errno)); return -1; } } #endif /* * Bind to a device BEFORE touching IP addresses. */ if (sock->interface) { #ifdef SO_BINDTODEVICE struct ifreq ifreq; memset(&ifreq, 0, sizeof(ifreq)); strlcpy(ifreq.ifr_name, sock->interface, sizeof(ifreq.ifr_name)); rad_suid_up(); rcode = setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE, (char *)&ifreq, sizeof(ifreq)); rad_suid_down(); if (rcode < 0) { close(this->fd); ERROR("Failed binding to interface %s: %s", sock->interface, fr_syserror(errno)); return -1; } /* else it worked. */ #else #ifdef HAVE_STRUCT_SOCKADDR_IN6 #ifdef HAVE_NET_IF_H /* * Odds are that any system supporting "bind to * device" also supports IPv6, so this next bit * isn't necessary. But it's here for * completeness. * * If we're doing IPv6, and the scope hasn't yet * been defined, set the scope to the scope of * the interface. */ if (sock->my_ipaddr.af == AF_INET6) { if (sock->my_ipaddr.scope == 0) { sock->my_ipaddr.scope = if_nametoindex(sock->interface); if (sock->my_ipaddr.scope == 0) { close(this->fd); ERROR("Failed finding interface %s: %s", sock->interface, fr_syserror(errno)); return -1; } } /* else scope was defined: we're OK. */ } else #endif #endif /* * IPv4: no link local addresses, * and no bind to device. */ { close(this->fd); ERROR("Failed binding to interface %s: \"bind to device\" is unsupported", sock->interface); return -1; } #endif } #ifdef WITH_TCP if (sock->proto == IPPROTO_TCP) { int on = 1; if (setsockopt(this->fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) { close(this->fd); ERROR("Failed to reuse address: %s", fr_syserror(errno)); return -1; } } #endif #if defined(WITH_TCP) && defined(WITH_UDPFROMTO) else /* UDP sockets get UDPfromto */ #endif #ifdef WITH_UDPFROMTO /* * Initialize udpfromto for all sockets. */ if (udpfromto_init(this->fd) != 0) { ERROR("Failed initializing udpfromto: %s", fr_syserror(errno)); close(this->fd); return -1; } #endif /* * Set up sockaddr stuff. */ if (!fr_ipaddr2sockaddr(&sock->my_ipaddr, sock->my_port, &salocal, &salen)) { close(this->fd); return -1; } #ifdef HAVE_STRUCT_SOCKADDR_IN6 if (sock->my_ipaddr.af == AF_INET6) { /* * Listening on '::' does NOT get you IPv4 to * IPv6 mapping. You've got to listen on an IPv4 * address, too. This makes the rest of the server * design a little simpler. */ #ifdef IPV6_V6ONLY if (IN6_IS_ADDR_UNSPECIFIED(&sock->my_ipaddr.ipaddr.ip6addr)) { int on = 1; if (setsockopt(this->fd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&on, sizeof(on)) < 0) { ERROR("Failed setting socket to IPv6 " "only: %s", fr_syserror(errno)); close(this->fd); return -1; } } #endif /* IPV6_V6ONLY */ } #endif /* HAVE_STRUCT_SOCKADDR_IN6 */ if (sock->my_ipaddr.af == AF_INET) { #if (defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)) || defined(IP_DONTFRAG) int flag; #endif #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) /* * Disable PMTU discovery. On Linux, this * also makes sure that the "don't fragment" * flag is zero. */ flag = IP_PMTUDISC_DONT; if (setsockopt(this->fd, IPPROTO_IP, IP_MTU_DISCOVER, &flag, sizeof(flag)) < 0) { ERROR("Failed disabling PMTU discovery: %s", fr_syserror(errno)); close(this->fd); return -1; } #endif #if defined(IP_DONTFRAG) /* * Ensure that the "don't fragment" flag is zero. */ flag = 0; if (setsockopt(this->fd, IPPROTO_IP, IP_DONTFRAG, &flag, sizeof(flag)) < 0) { ERROR("Failed setting don't fragment flag: %s", fr_syserror(errno)); close(this->fd); return -1; } #endif } #ifdef WITH_DHCP #ifdef SO_BROADCAST if (sock->broadcast) { int on = 1; if (setsockopt(this->fd, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on)) < 0) { ERROR("Can't set broadcast option: %s", fr_syserror(errno)); return -1; } } #endif #endif #ifdef SO_RCVBUF if (sock->recv_buff > 0) { int opt; opt = sock->recv_buff; if (setsockopt(this->fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(int)) < 0) { WARN("Failed setting 'recv_buf': %s", fr_syserror(errno)); } } #endif /* * May be binding to priviledged ports. */ if (sock->my_port != 0) { rad_suid_up(); rcode = bind(this->fd, (struct sockaddr *) &salocal, salen); rad_suid_down(); if (rcode < 0) { char buffer[256]; close(this->fd); this->print(this, buffer, sizeof(buffer)); ERROR("Failed binding to %s: %s\n", buffer, fr_syserror(errno)); return -1; } /* * FreeBSD jail issues. We bind to 0.0.0.0, but the * kernel instead binds us to a 1.2.3.4. If this * happens, notice, and remember our real IP. */ { struct sockaddr_storage src; socklen_t sizeof_src = sizeof(src); memset(&src, 0, sizeof_src); if (getsockname(this->fd, (struct sockaddr *) &src, &sizeof_src) < 0) { ERROR("Failed getting socket name: %s", fr_syserror(errno)); return -1; } if (!fr_sockaddr2ipaddr(&src, sizeof_src, &sock->my_ipaddr, &sock->my_port)) { ERROR("Socket has unsupported address family"); return -1; } } } #ifdef WITH_TCP if (sock->proto == IPPROTO_TCP) { /* * Woker threads are blocking. * * Otherwise, they're non-blocking. */ if (!this->workers) { if (fr_nonblock(this->fd) < 0) { close(this->fd); ERROR("Failed setting non-blocking on socket: %s", fr_syserror(errno)); return -1; } } /* * Allow a backlog of 8 listeners, but only for incoming interfaces. */ #ifdef WITH_PROXY if (this->type != RAD_LISTEN_PROXY) #endif if (listen(this->fd, 8) < 0) { close(this->fd); ERROR("Failed in listen(): %s", fr_syserror(errno)); return -1; } } #endif /* * Mostly for proxy sockets. */ sock->other_ipaddr.af = sock->my_ipaddr.af; /* * Don't screw up other people. */ #undef proto_for_port #undef sock_type return 0; } static int _listener_free(rad_listen_t *this) { /* * Other code may have eaten the FD. */ if (this->fd >= 0) close(this->fd); if (master_listen[this->type].free) { master_listen[this->type].free(this); } #ifdef WITH_TCP if ((this->type == RAD_LISTEN_AUTH) #ifdef WITH_ACCT || (this->type == RAD_LISTEN_ACCT) #endif #ifdef WITH_PROXY || (this->type == RAD_LISTEN_PROXY) #endif #ifdef WITH_COMMAND_SOCKET || ((this->type == RAD_LISTEN_COMMAND) && (((fr_command_socket_t *) this->data)->magic != COMMAND_SOCKET_MAGIC)) #endif ) { /* * Remove the child from the parent tree. */ if (this->parent) { rbtree_deletebydata(this->parent->children, this); } /* * Delete / close all of the children, too! */ if (this->children) { rbtree_walk(this->children, RBTREE_DELETE_ORDER, listener_unlink, this); } #ifdef WITH_TLS /* * Note that we do NOT free this->tls, as the * pointer is parented by its CONF_SECTION. It * may be used by multiple listeners. */ if (this->tls) { listen_socket_t *sock = this->data; rad_assert(talloc_parent(sock) == this); rad_assert(sock->ev == NULL); rad_assert(!sock->ssn || (talloc_parent(sock->ssn) == sock)); rad_assert(!sock->request || (talloc_parent(sock->request) == sock)); if (sock->home && sock->home->listeners) (void) rbtree_deletebydata(sock->home->listeners, this); #ifdef HAVE_PTHREAD_H pthread_mutex_destroy(&(sock->mutex)); #endif } #endif /* WITH_TLS */ } #endif /* WITH_TCP */ return 0; } /* * Allocate & initialize a new listener. */ static rad_listen_t *listen_alloc(TALLOC_CTX *ctx, RAD_LISTEN_TYPE type) { rad_listen_t *this; this = talloc_zero(ctx, rad_listen_t); this->type = type; this->recv = master_listen[this->type].recv; this->send = master_listen[this->type].send; this->print = master_listen[this->type].print; if (type != RAD_LISTEN_PROXY) { this->encode = master_listen[this->type].encode; this->decode = master_listen[this->type].decode; } else { this->send = NULL; /* proxy packets shouldn't call this! */ this->proxy_send = master_listen[this->type].send; this->proxy_encode = master_listen[this->type].encode; this->proxy_decode = master_listen[this->type].decode; } talloc_set_destructor(this, _listener_free); this->data = talloc_zero_array(this, uint8_t, master_listen[this->type].inst_size); return this; } #ifdef WITH_PROXY /* * Externally visible function for creating a new proxy LISTENER. * * Not thread-safe, but all calls to it are protected by the * proxy mutex in event.c */ rad_listen_t *proxy_new_listener(TALLOC_CTX *ctx, home_server_t *home, uint16_t src_port) { time_t now; rad_listen_t *this; listen_socket_t *sock; char buffer[256]; if (!home) return NULL; rad_assert(home->virtual_server == NULL); /* we only open real sockets */ if ((home->limit.max_connections > 0) && (home->limit.num_connections >= home->limit.max_connections)) { RATE_LIMIT(INFO("Home server %s has too many open connections (%d)", home->log_name, home->limit.max_connections)); return NULL; } now = time(NULL); if (home->last_failed_open == now) { WARN("Suppressing attempt to open socket to 'down' home server"); return NULL; } this = listen_alloc(ctx, RAD_LISTEN_PROXY); sock = this->data; sock->other_ipaddr = home->ipaddr; sock->other_port = home->port; sock->home = home; sock->my_ipaddr = home->src_ipaddr; sock->my_port = src_port; sock->proto = home->proto; /* * For error messages. */ this->print(this, buffer, sizeof(buffer)); #ifdef WITH_TCP sock->opened = sock->last_packet = now; if (home->proto == IPPROTO_TCP) { this->recv = proxy_socket_tcp_recv; /* * FIXME: connect() is blocking! * We do this with the proxy mutex locked, which may * cause large delays! * * http://www.developerweb.net/forum/showthread.php?p=13486 */ this->fd = fr_socket_client_tcp(&home->src_ipaddr, &home->ipaddr, home->port, false); /* * Set max_requests, lifetime, and idle_timeout from the home server. */ sock->limit = home->limit; } else #endif this->fd = fr_socket(&home->src_ipaddr, src_port); if (this->fd < 0) { this->print(this, buffer,sizeof(buffer)); ERROR("Failed opening new proxy socket '%s' : %s", buffer, fr_strerror()); home->last_failed_open = now; listen_free(&this); return NULL; } #ifdef WITH_TCP #ifdef WITH_TLS if ((home->proto == IPPROTO_TCP) && home->tls) { DEBUG("(TLS) Trying new outgoing proxy connection to %s", buffer); /* * Set SNI, if configured. * * The OpenSSL API says the filename is "char * const *", but some versions have it as "void * *", without the "const". So we un-const it * here through various C magic. */ if (home->tls->client_hostname) { (void) SSL_set_tlsext_host_name(sock->ssn->ssl, (void *) (uintptr_t) home->tls->client_hostname); } #ifdef WITH_RADIUSV11 this->radiusv11 = home->tls->radiusv11; #endif this->nonblock |= home->nonblock; /* * Set non-blocking if it's configured. */ if (this->nonblock) { if (fr_nonblock(this->fd) < 0) { ERROR("(TLS) Failed setting nonblocking for proxy socket '%s' - %s", buffer, fr_strerror()); goto error; } rad_assert(home->listeners != NULL); if (!rbtree_insert(home->listeners, this)) { ERROR("(TLS) Failed adding tracking informtion for proxy socket '%s'", buffer); goto error; } #ifdef TCP_NODELAY /* * Also set TCP_NODELAY, to force the data to be written quickly. */ if (sock->proto == IPPROTO_TCP) { int on = 1; if (setsockopt(this->fd, SOL_TCP, TCP_NODELAY, &on, sizeof(on)) < 0) { ERROR("(TLS) Failed to set TCP_NODELAY: %s", fr_syserror(errno)); goto error; } } #endif } /* * This is blocking. :( */ sock->ssn = tls_new_client_session(sock, home->tls, this->fd, &sock->certs); if (!sock->ssn) { ERROR("(TLS) Failed opening connection on proxy socket '%s'", buffer); goto error; } #ifdef WITH_RADIUSV11 /* * Must not have alpn_checked yet. This code only runs for blocking sockets. */ if (sock->ssn->connected && (fr_radiusv11_client_get_alpn(this) < 0)) { goto error; } #endif sock->connect_timeout = home->connect_timeout; this->recv = proxy_tls_recv; this->proxy_send = proxy_tls_send; #ifdef HAVE_PTHREAD_H if (pthread_mutex_init(&sock->mutex, NULL) < 0) { rad_assert(0 == 1); listen_free(&this); return 0; } #endif /* * Make sure that this listener is associated with the home server. * * Since it's TCP+TLS, this socket can only be associated with one home server. */ #ifdef WITH_COA_TUNNEL if (home->recv_coa) { RADCLIENT *client; this->send_coa = true; /* * Don't set this->send_coa, as we are * not sending CoA-Request packets to * this home server. Instead, we are * receiving CoA packets from this home * server. */ this->send = proxy_tls_send_reply; this->encode = master_listen[RAD_LISTEN_AUTH].encode; this->decode = master_listen[RAD_LISTEN_AUTH].decode; /* * Automatically create a client for this * home server. There MAY be one already * one for that IP in the configuration * files, but there's no guarantee that * it exists. * * The only real reason to use an * existing client is to track various * statistics. */ sock->client = client = talloc_zero(sock, RADCLIENT); client->ipaddr = sock->other_ipaddr; client->src_ipaddr = sock->my_ipaddr; client->longname = client->shortname = talloc_typed_strdup(client, home->name); client->secret = talloc_typed_strdup(client, home->secret); client->nas_type = "none"; client->server = talloc_typed_strdup(client, home->recv_coa_server); } #endif } #endif #endif /* * Figure out which port we were bound to. */ if (sock->my_port == 0) { struct sockaddr_storage src; socklen_t sizeof_src = sizeof(src); memset(&src, 0, sizeof_src); if (getsockname(this->fd, (struct sockaddr *) &src, &sizeof_src) < 0) { ERROR("Failed getting socket name for '%s': %s", buffer, fr_syserror(errno)); error: close(this->fd); home->last_failed_open = now; listen_free(&this); return NULL; } if (!fr_sockaddr2ipaddr(&src, sizeof_src, &sock->my_ipaddr, &sock->my_port)) { ERROR("Socket has unsupported address family for '%s'", buffer); goto error; } this->print(this, buffer, sizeof(buffer)); } if (rad_debug_lvl >= 3) { DEBUG("Opened new proxy socket '%s'", buffer); } home->limit.num_connections++; return this; } #endif static const FR_NAME_NUMBER listen_compare[] = { #ifdef WITH_STATS { "status", RAD_LISTEN_NONE }, #endif { "auth", RAD_LISTEN_AUTH }, #ifdef WITH_COA_TUNNEL { "auth+coa", RAD_LISTEN_AUTH }, #endif #ifdef WITH_ACCOUNTING { "acct", RAD_LISTEN_ACCT }, { "auth+acct", RAD_LISTEN_AUTH }, #ifdef WITH_COA_TUNNEL { "auth+acct+coa", RAD_LISTEN_AUTH }, #endif #endif #ifdef WITH_DETAIL { "detail", RAD_LISTEN_DETAIL }, #endif #ifdef WITH_PROXY { "proxy", RAD_LISTEN_PROXY }, #endif #ifdef WITH_VMPS { "vmps", RAD_LISTEN_VQP }, #endif #ifdef WITH_DHCP { "dhcp", RAD_LISTEN_DHCP }, #endif #ifdef WITH_COMMAND_SOCKET { "control", RAD_LISTEN_COMMAND }, #endif #ifdef WITH_COA { "coa", RAD_LISTEN_COA }, #endif { NULL, 0 }, }; static int _free_proto_handle(fr_dlhandle *handle) { dlclose(*handle); return 0; } static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server) { int type, rcode; char const *listen_type; rad_listen_t *this; CONF_PAIR *cp; char const *value; fr_dlhandle handle; CONF_SECTION *server_cs; char const *p; char buffer[32]; cp = cf_pair_find(cs, "type"); if (!cp) { cf_log_err_cs(cs, "No type specified in listen section"); return NULL; } value = cf_pair_value(cp); if (!value) { cf_log_err_cp(cp, "Type cannot be empty"); return NULL; } snprintf(buffer, sizeof(buffer), "proto_%s", value); handle = fr_dlopenext(buffer); if (handle) { fr_protocol_t *proto; fr_dlhandle *marker; proto = dlsym(handle, buffer); if (!proto) { #if 0 cf_log_err_cs(cs, "Failed linking to protocol %s : %s\n", value, dlerror()); #endif dlclose(handle); return NULL; } type = fr_str2int(listen_compare, value, -1); rad_assert(type >= 0); /* shouldn't be able to compile an invalid type */ memcpy(&master_listen[type], proto, sizeof(*proto)); /* * Ensure handle gets closed if config section gets freed */ marker = talloc(cs, fr_dlhandle); *marker = handle; talloc_set_destructor(marker, _free_proto_handle); if (master_listen[type].magic != RLM_MODULE_INIT) { ERROR("Failed to load protocol '%s', it has the wrong version.", master_listen[type].name); return NULL; } } cf_log_info(cs, "listen {"); listen_type = NULL; rcode = cf_item_parse(cs, "type", FR_ITEM_POINTER(PW_TYPE_STRING, &listen_type), ""); if (rcode < 0) return NULL; if (rcode == 1) { cf_log_err_cs(cs, "No type specified in listen section"); return NULL; } type = fr_str2int(listen_compare, listen_type, -1); if (type < 0) { cf_log_err_cs(cs, "Invalid type \"%s\" in listen section.", listen_type); return NULL; } /* * DHCP and VMPS *must* be loaded dynamically. */ if (master_listen[type].magic != RLM_MODULE_INIT) { ERROR("Cannot load protocol '%s', as the required library does not exist", master_listen[type].name); return NULL; } /* * Allow listen sections in the default config to * refer to a server. */ if (!server) { rcode = cf_item_parse(cs, "virtual_server", FR_ITEM_POINTER(PW_TYPE_STRING, &server), NULL); if (rcode < 0) return NULL; } #ifdef WITH_PROXY /* * We were passed a virtual server, so the caller is * defining a proxy listener inside of a virtual server. * This isn't allowed right now. */ else if (type == RAD_LISTEN_PROXY) { ERROR("Error: listen type \"proxy\" Cannot appear in a virtual server section"); return NULL; } #endif /* * Set up cross-type data. */ this = listen_alloc(cs, type); this->server = server; this->fd = -1; #ifdef WITH_TCP /* * Add special flags '+' for "auth+acct". */ p = strchr(listen_type, '+'); if (p) { if (strncmp(p + 1, "acct", 4) == 0) { this->dual = true; #ifdef WITH_COA_TUNNEL p += 5; } if (strcmp(p, "+coa") == 0) { this->send_coa = true; #endif } } #endif /* * Call per-type parser. */ if (master_listen[type].parse(cs, this) < 0) { listen_free(&this); return NULL; } server_cs = cf_section_sub_find_name2(main_config.config, "server", this->server); if (!server_cs && this->server) { cf_log_err_cs(cs, "No such server \"%s\"", this->server); listen_free(&this); return NULL; } #ifdef WITH_COA_TUNNEL if (this->send_coa) { CONF_SECTION *coa; if (!this->tls) { cf_log_err_cs(cs, "TLS is required in order to use \"+coa\""); listen_free(&this); return NULL; } /* * Parse the configuration if it exists. */ coa = cf_section_sub_find(cs, "coa"); if (coa) { rcode = cf_section_parse(cs, this, coa_config); if (rcode < 0) { listen_free(&this); return NULL; } } /* * Use the same boundary checks as for home * server. See realm_home_server_sanitize(). */ FR_INTEGER_BOUND_CHECK("coa_irt", this->coa_irt, >=, 1); FR_INTEGER_BOUND_CHECK("coa_irt", this->coa_irt, <=, 5); FR_INTEGER_BOUND_CHECK("coa_mrc", this->coa_mrc, <=, 20); FR_INTEGER_BOUND_CHECK("coa_mrt", this->coa_mrt, <=, 30); FR_INTEGER_BOUND_CHECK("coa_mrd", this->coa_mrd, >=, 5); FR_INTEGER_BOUND_CHECK("coa_mrd", this->coa_mrd, <=, 60); } #endif /* WITH_COA_TUNNEL */ cf_log_info(cs, "}"); return this; } #ifdef HAVE_PTHREAD_H /* * A child thread which does NOTHING other than read and process * packets. */ static void *recv_thread(void *arg) { rad_listen_t *this = arg; while (1) { this->recv(this); } return NULL; } #endif /* * Generate a list of listeners. Takes an input list of * listeners, too, so we don't close sockets with waiting packets. */ int listen_init(CONF_SECTION *config, rad_listen_t **head, bool spawn_flag) { bool override = false; CONF_SECTION *cs = NULL; rad_listen_t **last; rad_listen_t *this; fr_ipaddr_t server_ipaddr; uint16_t auth_port = 0; /* * We shouldn't be called with a pre-existing list. */ rad_assert(head && (*head == NULL)); memset(&server_ipaddr, 0, sizeof(server_ipaddr)); last = head; server_ipaddr.af = AF_UNSPEC; /* * If the port is specified on the command-line, * it over-rides the configuration file. * * FIXME: If argv[0] == "vmpsd", then don't listen on auth/acct! */ if (main_config.port > 0) { auth_port = main_config.port; /* * -p X but no -i Y on the command-line. */ if (main_config.myip.af == AF_UNSPEC) { ERROR("The command-line says \"-p %d\", but there is no associated IP address to use", main_config.port); return -1; } } /* * If the IP address was configured on the command-line, * use that as the "bind_address" */ if (main_config.myip.af != AF_UNSPEC) { listen_socket_t *sock; memcpy(&server_ipaddr, &main_config.myip, sizeof(server_ipaddr)); override = true; #ifdef WITH_VMPS if (strcmp(main_config.name, "vmpsd") == 0) { this = listen_alloc(config, RAD_LISTEN_VQP); if (!auth_port) auth_port = 1589; } else #endif this = listen_alloc(config, RAD_LISTEN_AUTH); sock = this->data; sock->my_ipaddr = server_ipaddr; sock->my_port = auth_port; sock->clients = client_list_parse_section(config, false); if (!sock->clients) { cf_log_err_cs(config, "Failed to find any clients for this listen section"); listen_free(&this); return -1; } if (listen_bind(this) < 0) { listen_free(head); ERROR("There appears to be another RADIUS server running on the authentication port %d", sock->my_port); listen_free(&this); return -1; } auth_port = sock->my_port; /* may have been updated in listen_bind */ if (override) { cs = cf_section_sub_find_name2(config, "server", main_config.name); if (cs) this->server = main_config.name; } *last = this; last = &(this->next); #ifdef WITH_VMPS /* * No acct for vmpsd */ if (strcmp(main_config.name, "vmpsd") == 0) goto add_sockets; #endif #ifdef WITH_ACCOUNTING /* * Open Accounting Socket. * * If we haven't already gotten acct_port from * /etc/services, then make it auth_port + 1. */ this = listen_alloc(config, RAD_LISTEN_ACCT); sock = this->data; /* * Create the accounting socket. * * The accounting port is always the * authentication port + 1 */ sock->my_ipaddr = server_ipaddr; sock->my_port = auth_port + 1; sock->clients = client_list_parse_section(config, false); if (!sock->clients) { cf_log_err_cs(config, "Failed to find any clients for this listen section"); return -1; } if (listen_bind(this) < 0) { listen_free(&this); listen_free(head); ERROR("There appears to be another RADIUS server running on the accounting port %d", sock->my_port); return -1; } if (override) { cs = cf_section_sub_find_name2(config, "server", main_config.name); if (cs) this->server = main_config.name; } *last = this; last = &(this->next); #endif } /* * They specified an IP on the command-line, ignore * all listen sections except the one in '-n'. */ if (main_config.myip.af != AF_UNSPEC) { CONF_SECTION *subcs; char const *name2 = cf_section_name2(cs); cs = cf_section_sub_find_name2(config, "server", main_config.name); if (!cs) goto add_sockets; /* * Should really abstract this code... */ for (subcs = cf_subsection_find_next(cs, NULL, "listen"); subcs != NULL; subcs = cf_subsection_find_next(cs, subcs, "listen")) { this = listen_parse(subcs, name2); if (!this) { listen_free(head); return -1; } *last = this; last = &(this->next); } /* loop over "listen" directives in server */ goto add_sockets; } /* * Walk through the "listen" sections, if they exist. */ for (cs = cf_subsection_find_next(config, NULL, "listen"); cs != NULL; cs = cf_subsection_find_next(config, cs, "listen")) { this = listen_parse(cs, NULL); if (!this) { listen_free(head); return -1; } *last = this; last = &(this->next); } /* * Check virtual servers for "listen" sections, too. * * FIXME: Move to virtual server init? */ for (cs = cf_subsection_find_next(config, NULL, "server"); cs != NULL; cs = cf_subsection_find_next(config, cs, "server")) { CONF_SECTION *subcs; char const *name2 = cf_section_name2(cs); for (subcs = cf_subsection_find_next(cs, NULL, "listen"); subcs != NULL; subcs = cf_subsection_find_next(cs, subcs, "listen")) { this = listen_parse(subcs, name2); if (!this) { listen_free(head); return -1; } *last = this; last = &(this->next); } /* loop over "listen" directives in virtual servers */ } /* loop over virtual servers */ add_sockets: /* * No sockets to receive packets, this is an error. * proxying is pointless. */ if (!*head) { ERROR("The server is not configured to listen on any ports. Cannot start"); return -1; } /* * Print out which sockets we're listening on, and * add them to the event list. */ for (this = *head; this != NULL; this = this->next) { #ifdef WITH_TLS if (!check_config && !spawn_flag && this->tls) { cf_log_err_cs(this->cs, "Threading must be enabled for TLS sockets to function properly"); cf_log_err_cs(this->cs, "You probably need to do '%s -fxx -l stdout' for debugging", main_config.name); return -1; } #endif if (!check_config) { if (this->workers && !spawn_flag) { WARN("Setting 'workers' requires 'synchronous'. Disabling 'workers'"); this->workers = 0; } if (this->workers) { #ifdef HAVE_PTHREAD_H int rcode; uint32_t i; char buffer[256]; this->print(this, buffer, sizeof(buffer)); for (i = 0; i < this->workers; i++) { pthread_t id; /* * FIXME: create detached? */ rcode = pthread_create(&id, 0, recv_thread, this); if (rcode != 0) { ERROR("Thread create failed: %s", fr_syserror(rcode)); fr_exit(1); } DEBUG("Thread %d for %s\n", i, buffer); } #else WARN("Setting 'workers' requires 'synchronous'. Disabling 'workers'"); this->workers = 0; #endif } else { radius_update_listener(this); } } } /* * Haven't defined any sockets. Die. */ if (!*head) return -1; #ifdef WITH_COA_TUNNEL if (listen_coa_init() < 0) return -1; #endif return 0; } /* * Free a linked list of listeners; */ void listen_free(rad_listen_t **head) { rad_listen_t *this; if (!head || !*head) return; this = *head; while (this) { rad_listen_t *next = this->next; talloc_free(this); this = next; } *head = NULL; } #ifdef WITH_STATS RADCLIENT_LIST *listener_find_client_list(fr_ipaddr_t const *ipaddr, uint16_t port, int proto) { rad_listen_t *this; for (this = main_config.listen; this != NULL; this = this->next) { listen_socket_t *sock; if ((this->type != RAD_LISTEN_AUTH) #ifdef WITH_ACCOUNTING && (this->type != RAD_LISTEN_ACCT) #endif #ifdef WITH_COA && (this->type != RAD_LISTEN_COA) #endif ) continue; sock = this->data; if (sock->my_port != port) continue; if (sock->proto != proto) continue; if (fr_ipaddr_cmp(ipaddr, &sock->my_ipaddr) != 0) continue; return sock->clients; } return NULL; } #endif rad_listen_t *listener_find_byipaddr(fr_ipaddr_t const *ipaddr, uint16_t port, int proto) { rad_listen_t *this; for (this = main_config.listen; this != NULL; this = this->next) { listen_socket_t *sock; sock = this->data; if (sock->my_port != port) continue; if (sock->proto != proto) continue; if (fr_ipaddr_cmp(ipaddr, &sock->my_ipaddr) != 0) continue; return this; } /* * Failed to find a specific one. Find INADDR_ANY */ for (this = main_config.listen; this != NULL; this = this->next) { listen_socket_t *sock; sock = this->data; if (sock->my_port != port) continue; if (sock->proto != proto) continue; if (!fr_inaddr_any(&sock->my_ipaddr)) continue; return this; } return NULL; } #ifdef WITH_COA_TUNNEL /* * This is easier than putting ifdef's everywhere. And * realistically, there aren't many systems which have OpenSSL, * but not pthreads. */ #ifndef HAVE_PTHREAD_H #error CoA tunnels require pthreads #endif #include static rbtree_t *coa_tree = NULL; /* * We have an RB tree of keys, and within each key, a hash table * of one or more listeners associated with that key. */ typedef struct { char const *key; fr_hash_table_t *ht; pthread_mutex_t mutex; /* per key, to lower contention */ } coa_key_t; typedef struct { coa_key_t *coa_key; rad_listen_t *listener; } coa_entry_t; static int coa_key_cmp(void const *one, void const *two) { coa_key_t const *a = one; coa_key_t const *b = two; return strcmp(a->key, b->key); } static void coa_key_free(void *data) { coa_key_t *coa_key = data; pthread_mutex_destroy(&coa_key->mutex); fr_hash_table_free(coa_key->ht); talloc_free(coa_key); } static uint32_t coa_entry_hash(void const *data) { coa_entry_t const *a = (coa_entry_t const *) data; return fr_hash(&a->listener, sizeof(a->listener)); } static int coa_entry_cmp(void const *one, void const *two) { coa_entry_t const *a = one; coa_entry_t const *b = two; return memcmp(&a->listener, &b->listener, sizeof(a->listener)); } /* * Delete the entry, without holding the parents lock. */ static void coa_entry_free(void *data) { talloc_free(data); } static int coa_entry_destructor(coa_entry_t *entry) { pthread_mutex_lock(&entry->coa_key->mutex); fr_hash_table_delete(entry->coa_key->ht, entry); pthread_mutex_unlock(&entry->coa_key->mutex); return 0; } static int listen_coa_init(void) { /* * We will be looking up listeners by key. Each key * points us to a list of listeners. Each key has it's * own mutex, so that it's thread-safe. */ coa_tree = rbtree_create(NULL, coa_key_cmp, coa_key_free, RBTREE_FLAG_LOCK); if (!coa_tree) { ERROR("Failed creating internal tracking tree for Originating-Realm-Key"); return -1; } return 0; } void listen_coa_free(void) { /* * If we are freeing the tree, then all of the listeners * must have been freed first. */ rad_assert(rbtree_num_elements(coa_tree) == 0); rbtree_free(coa_tree); coa_tree = NULL; } /* * Adds a listener to the hash of listeners, based on key. */ void listen_coa_add(rad_listen_t *this, char const *key) { int tries = 0; coa_key_t my_key, *coa_key; coa_entry_t *entry; rad_assert(this->send_coa); rad_assert(this->parent); rad_assert(!this->key); /* * Find the key. If we can't find it, then create it. */ my_key.key = key; retry: coa_key = rbtree_finddata(coa_tree, &my_key); if (!coa_key) { coa_key = talloc_zero(NULL, coa_key_t); if (!coa_key) return; coa_key->key = talloc_strdup(coa_key, key); if (!coa_key->key) { fail: talloc_free(coa_key); return; } /* * Create the hash table of listeners. */ coa_key->ht = fr_hash_table_create(coa_entry_hash, coa_entry_cmp, coa_entry_free); if (!coa_key->ht) goto fail; if (!rbtree_insert(coa_tree, coa_key)) { talloc_free(coa_key); /* * The lookups are mutex protected, but * if there's time between the lookup and * the insert, another thread may have * created the node. In which case we * try again. */ if (tries < 3) goto retry; tries++; return; } (void) pthread_mutex_init(&coa_key->mutex, NULL); } /* * No need to strdup() this, coa_key will only be removed * after the listener has been removed. */ if (!this->key) this->key = coa_key->key; entry = talloc_zero(this, coa_entry_t); if (!entry) return; talloc_set_destructor(entry, coa_entry_destructor); entry->coa_key = coa_key; entry->listener = this; /* * Insert the entry into the hash table. */ pthread_mutex_lock(&coa_key->mutex); fr_hash_table_insert(coa_key->ht, entry); pthread_mutex_unlock(&coa_key->mutex); } /* * Find an active listener by key. * * This function will update request->home_server, and * request->proxy_listener. */ int listen_coa_find(REQUEST *request, char const *key) { coa_key_t my_key, *coa_key; rad_listen_t *this, *found; listen_socket_t *sock; fr_hash_iter_t iter; /* * Find the key. If we can't find it, then error out. */ memcpy(&my_key.key, &key, sizeof(key)); /* const issues */ coa_key = rbtree_finddata(coa_tree, &my_key); if (!coa_key) return -1; /* * We've found it. Now find a listener which has free * IDs. i.e. where the number of used IDs is less tahn * 256. */ found = NULL; pthread_mutex_lock(&coa_key->mutex); for (this = fr_hash_table_iter_init(coa_key->ht, &iter); this != NULL; this = fr_hash_table_iter_next(coa_key->ht, &iter)) { if (this->blocked) continue; if (this->dead) continue; if (!found) { if (this->num_ids_used < 256) { found = this; } /* * Skip listeners which have all used IDs. */ continue; } /* * Try to spread the load across all available * sockets. */ if (found->num_ids_used > this->num_ids_used) { found = this; continue; } /* * If they are equal, pick one at random. * * @todo - pick one with equal probability from * among the ones with the same IDs used. This * algorithm prefers the first one. */ if (found->num_ids_used == this->num_ids_used) { if ((fr_rand() & 0x01) == 0) { found = this; continue; } } } pthread_mutex_unlock(&coa_key->mutex); if (!found) return -1; request->proxy_listener = found; sock = found->data; request->home_server = sock->home; return 0; } /* * Check for an active listener by key. */ static bool listen_coa_exists(rad_listen_t *this, char const *key) { coa_key_t my_key, *coa_key; coa_entry_t my_entry, *entry; /* * Find the key. If we can't find it, then error out. */ memcpy(&my_key.key, &key, sizeof(key)); /* const issues */ coa_key = rbtree_finddata(coa_tree, &my_key); if (!coa_key) return false; my_entry.listener = this; pthread_mutex_lock(&coa_key->mutex); entry = fr_hash_table_finddata(coa_key->ht, &my_entry); pthread_mutex_unlock(&coa_key->mutex); return (entry != NULL); } /* * Delete a listener entry. */ static void listen_coa_delete(rad_listen_t *this, char const *key) { coa_key_t my_key, *coa_key; coa_entry_t my_entry; /* * Find the key. If we can't find it, then error out. */ memcpy(&my_key.key, &key, sizeof(key)); /* const issues */ coa_key = rbtree_finddata(coa_tree, &my_key); if (!coa_key) return; my_entry.listener = this; pthread_mutex_lock(&coa_key->mutex); (void) fr_hash_table_delete(coa_key->ht, &my_entry); pthread_mutex_unlock(&coa_key->mutex); } static void listener_coa_update(rad_listen_t *this, VALUE_PAIR *vps) { VALUE_PAIR *vp; vp_cursor_t cursor; fr_cursor_init(&cursor, &vps); /* * Add or delete Operator-Name realms */ while ((vp = fr_cursor_next_by_num(&cursor, PW_OPERATOR_NAME, 0, TAG_ANY)) != NULL) { if (vp->vp_length <= 1) continue; if (vp->vp_strvalue[0] == '+') { if (listen_coa_exists(this, vp->vp_strvalue)) continue; listen_coa_add(this, vp->vp_strvalue); continue; } if (vp->vp_strvalue[0] == '-') { listen_coa_delete(this, vp->vp_strvalue); continue; } } } #endif