1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: b4613156948c525a1f52dbc3332eb44a21873d5d $
19 * @file src/process/ttls/base.c
20 * @brief TTLS process module
21 *
22 * @copyright 2021 The FreeRADIUS server project.
23 * @copyright 2021 Network RADIUS SAS (legal@networkradius.com)
24 */
25#include <freeradius-devel/protocol/freeradius/freeradius.internal.h>
26
27#include <freeradius-devel/radius/radius.h>
28
29#include <freeradius-devel/server/main_config.h>
30#include <freeradius-devel/server/module.h>
31#include <freeradius-devel/server/pair.h>
32#include <freeradius-devel/server/protocol.h>
33#include <freeradius-devel/server/state.h>
34
35#include <freeradius-devel/unlang/module.h>
36#include <freeradius-devel/unlang/action.h>
37
38#include <freeradius-devel/util/debug.h>
39
/*
 *	Protocol dictionary handle filled in by the autoload table that follows
 *	(the table also resolves its sibling dict_freeradius).  Every attribute
 *	in process_ttls_dict_attr[] is looked up against one of these two.
 */
41static fr_dict_t const *dict_radius;
42
45 { .out = &dict_freeradius, .proto = "freeradius" },
46 { .out = &dict_radius, .proto = "radius" },
47 { NULL }
48};
49
54
65
68 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
69 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
70 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
71 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
72
73 { .out = &attr_calling_station_id, .name = "Calling-Station-Id", .type = FR_TYPE_STRING, .dict = &dict_radius },
74 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
75 { .out = &attr_nas_port, .name = "NAS-Port", .type = FR_TYPE_UINT32, .dict = &dict_radius },
76 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
77 { .out = &attr_service_type, .name = "Service-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
78 { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
79 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
80 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
81
82 { .out = &attr_original_packet_code, .name = "Extended-Attribute-1.Original-Packet-Code", .type = FR_TYPE_UINT32, .dict = &dict_radius },
83 { .out = &attr_error_cause, .name = "Error-Cause", .type = FR_TYPE_UINT32, .dict = &dict_radius },
84
85 { NULL }
86};
87
90
93 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
94 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
95 { NULL }
96};
97
98/*
99 * RADIUS state machine configuration
100 */
125
126typedef struct {
127 fr_time_delta_t timeout; //!< Maximum time between the last response and next request.
128 uint32_t max; //!< Maximum ongoing session allowed.
129
130 uint8_t state_server_id; //!< Sets a specific byte in the state to allow the
131 //!< authenticating server to be identified in packet
132 //!<captures.
134
135typedef struct {
136 process_ttls_session_t session; //!< Session settings.
137
138 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
140
141typedef struct {
142 CONF_SECTION *server_cs; //!< Our virtual server.
143 process_ttls_sections_t sections; //!< Pointers to various config sections
144 ///< we need to execute.
145 process_ttls_auth_t auth; //!< Authentication configuration.
147
/*
 *	Parameters for the generic process-module template pulled in by the
 *	#include directly below: the packet-code type and its upper bound, the
 *	"do not respond" sentinel, the code validity check, and the instance
 *	struct type.  Presumably process.h reads these before defining the
 *	RESUME / UPDATE_STATE / CALL_SEND_STATE helpers used by the state
 *	functions in this file - confirm against process.h.
 */
148#define PROCESS_PACKET_TYPE fr_radius_packet_code_t
149#define PROCESS_CODE_MAX FR_RADIUS_CODE_MAX
150#define PROCESS_CODE_DO_NOT_RESPOND FR_RADIUS_CODE_DO_NOT_RESPOND
151#define PROCESS_PACKET_CODE_VALID FR_RADIUS_PACKET_CODE_VALID
152#define PROCESS_INST process_ttls_t
153#include <freeradius-devel/server/process.h>
154
156 { FR_CONF_OFFSET("timeout", process_ttls_session_t, timeout), .dflt = "15" },
157 { FR_CONF_OFFSET("max", process_ttls_session_t, max), .dflt = "4096" },
158 { FR_CONF_OFFSET("state_server_id", process_ttls_session_t, state_server_id) },
159
161};
162
/*
 *	Parser for the "Access-Request { ... }" subsection referenced from
 *	config[] below; it populates the process_ttls_auth_t member.  The
 *	individual entries are not visible in this listing.
 */
163static const conf_parser_t auth_config[] = {
165
167};
168
/*
 *	Top-level module configuration.  The only visible entry hands the
 *	"Access-Request" subsection to auth_config, writing the result into
 *	process_ttls_t.auth.  The terminator entry is not visible in this listing.
 */
169static const conf_parser_t config[] = {
170 { FR_CONF_OFFSET_SUBSECTION("Access-Request", 0, process_ttls_t, auth, auth_config) },
171
173};
174
175/*
176 * Debug the packet if requested.
 *
 *	Emits a one-line summary of the packet at debug level 1 (direction,
 *	packet ID, source and destination address:port, and - only when
 *	WITH_IFINDEX_NAME_RESOLUTION is defined - the receiving interface name),
 *	then prints the attribute list.  Returns immediately when there is no
 *	packet or request-level debugging is disabled.
 *
 *	The format string is a compile-time literal; the address fields are
 *	passed through fr_box_ipaddr() and printed with %pV, so no packet data
 *	is ever interpreted as a format string.
 *
 *	@param[in] request	Request the packet belongs to; used for log context.
 *	@param[in] packet	Packet to describe.  May be NULL, in which case nothing is logged.
 *	@param[in] list		Attribute list printed after the summary line.
 *	@param[in] received	true prints "Received", false prints "Sending".
177 */
178static void radius_packet_debug(request_t *request, fr_packet_t *packet, fr_pair_list_t *list, bool received)
179{
180#ifdef WITH_IFINDEX_NAME_RESOLUTION
181 char if_name[IFNAMSIZ];
182#endif
183
184 if (!packet) return;
185 if (!RDEBUG_ENABLED) return;
186
187 log_request(L_DBG, L_DBG_LVL_1, request, __FILE__, __LINE__, "%s %s ID %d from %s%pV%s:%i to %s%pV%s:%i "
188#ifdef WITH_IFINDEX_NAME_RESOLUTION
189 "%s%s%s"
190#endif
191 "",
192 received ? "Received" : "Sending",
 /* NOTE(review): the argument for the second "%s" (the packet-type name) is not visible in this listing. */
194 packet->id,
 /* IPv6 addresses are wrapped in [ ] so the ":port" suffix is unambiguous. */
195 packet->socket.inet.src_ipaddr.af == AF_INET6 ? "[" : "",
196 fr_box_ipaddr(packet->socket.inet.src_ipaddr),
197 packet->socket.inet.src_ipaddr.af == AF_INET6 ? "]" : "",
198 packet->socket.inet.src_port,
199 packet->socket.inet.dst_ipaddr.af == AF_INET6 ? "[" : "",
200 fr_box_ipaddr(packet->socket.inet.dst_ipaddr),
201 packet->socket.inet.dst_ipaddr.af == AF_INET6 ? "]" : "",
202 packet->socket.inet.dst_port
203#ifdef WITH_IFINDEX_NAME_RESOLUTION
 /* Three extra "%s" args: all empty strings when no ifindex is recorded. */
204 , packet->socket.inet.ifindex ? "via " : "",
205 packet->socket.inet.ifindex ? fr_ifname_from_ifindex(if_name, packet->socket.inet.ifindex) : "",
206 packet->socket.inet.ifindex ? " " : ""
207#endif
208 );
209
 /*
  *	Inbound packets, and any packet of a child (tunnelled) request, are
  *	printed as a plain pair list; outbound packets of a top-level request
  *	go through the protocol-specific printer.
  */
210 if (received || request->parent) {
211 log_request_pair_list(L_DBG_LVL_1, request, NULL, list, NULL);
212 } else {
213 log_request_proto_pair_list(L_DBG_LVL_1, request, NULL, list, NULL);
214 }
215}
216
/*
 *	Forward declaration: resume_auth_type is passed as the continuation in
 *	resume_access_request() below, but its definition comes after that function.
 */
217RESUME(auth_type);
218
/*
 *	Continuation after the "recv Access-Request" section has run.
 *
 *	Turns the section's rcode into a reply code, then either sends the
 *	reply straight away (Do-Not-Respond, or a control-list Auth-Type of
 *	Accept / Reject) or yields to the matching "authenticate <Auth-Type>"
 *	section with resume_auth_type() as the continuation.
 *
 *	NOTE(review): the declaration of 'inst' (used below) and the
 *	'send_reply:' label targeted by the gotos are on lines not visible
 *	in this listing; the label presumably sits just before the
 *	fr_assert(state->send != NULL) inside the Do-Not-Respond block.
 */
219RESUME(access_request)
220{
221 rlm_rcode_t rcode = RESULT_RCODE;
222 fr_pair_t *vp;
223 CONF_SECTION *cs;
224 fr_dict_enum_value_t const *dv;
225 fr_process_state_t const *state;
227
229
231
232 UPDATE_STATE(packet);
233
 /*
  *	Reply code selection, in order of precedence: the per-rcode entry
  *	for this packet type, then the state's default reply, then
  *	"do not respond".
  */
234 request->reply->code = state->packet_type[rcode];
235 if (!request->reply->code) request->reply->code = state->default_reply;
236 if (!request->reply->code) request->reply->code = PROCESS_CODE_DO_NOT_RESPOND;
237 UPDATE_STATE_CS(reply);
238
 /*
  *	Nothing to authenticate: go straight to the send state, which
  *	for Do-Not-Respond will not put a packet on the wire.
  */
239 if (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) {
240 RDEBUG("The 'recv Access-Request' section returned %s - not sending a response",
241 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
242
244 fr_assert(state->send != NULL);
245 return CALL_SEND_STATE(state);
246 }
247
248 /*
249 * Run authenticate foo { ... }
  *
  *	Auth-Type is read from the control list (set by policy, never
  *	directly from the packet) and must resolve to a dictionary enum
  *	value; anything else skips authentication and sends the reply
  *	computed above.
250 */
251 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
252 if (!vp) goto send_reply;
253
254 dv = fr_dict_enum_by_value(vp->da, &vp->data);
255 if (!dv) goto send_reply;
256
257 /*
258 * The magic Auth-Type accept value
259 * which means skip the authenticate
260 * section...
  *
  *	NOTE(review): the comparison against enum_auth_type_accept that
  *	opens this if/else chain is not visible in this listing.
261 */
263 request->reply->code = FR_RADIUS_CODE_ACCESS_ACCEPT;
264 goto send_reply;
265 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
266 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
267 goto send_reply;
268 }
269
 /*
  *	The section name is the enum's dictionary name (dv->name), so only
  *	Auth-Type values known to the dictionary can select a section.
  */
270 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
271 if (!cs) {
272 RDEBUG2("No 'authenticate %s { ... }' section found - skipping...", dv->name);
273 goto send_reply;
274 }
275
276 /*
277 * Run the "Authenticate = foo" section.
278 *
279 * And continue with sending the generic reply.
  *
  *	The section starts with RLM_MODULE_NOOP as its default rcode and
  *	resumes in resume_auth_type() with the same rctx.
280 */
281 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
282 return unlang_module_yield_to_section(RESULT_P, request,
283 cs, RLM_MODULE_NOOP, resume_auth_type,
284 NULL, 0, mctx->rctx);
285}
286
/*
 *	Continuation after an "authenticate <Auth-Type>" section has run.
 *
 *	Maps the section's rcode to a reply code via auth_type_rcode (its
 *	entries are not visible in this listing), handles Do-Not-Respond,
 *	forces Access-Reject when no reply code was set, does reject-side
 *	diagnostics, and for Access-Challenge touches the State attribute
 *	before dispatching to the reply's send state.
 *
 *	NOTE(review): the 'inst' declaration / PROCESS_TRACE lines near the
 *	top, and several case labels inside the switch, are on lines not
 *	visible in this listing.
 */
287RESUME(auth_type)
288{
289 static const fr_process_rcode_t auth_type_rcode = {
298 };
299
300 rlm_rcode_t rcode = RESULT_RCODE;
301 fr_pair_t *vp;
302 fr_process_state_t const *state;
303
305
307 fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code));
308
 /*
  *	A Do-Not-Respond mapping short-circuits everything below,
  *	including the reject diagnostics.
  */
309 if (auth_type_rcode[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND) {
310 request->reply->code = auth_type_rcode[rcode];
311 UPDATE_STATE(reply);
312
313 RDEBUG("The 'authenticate' section returned %s - not sending a response",
314 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
315
316 fr_assert(state->send != NULL);
317 return state->send(p_result, mctx, request);
318 }
319
320 /*
321 * Most cases are handled by the table: apply the mapped reply
  *	code when there is one, otherwise keep whatever is already set.
322 */
323 if (auth_type_rcode[rcode]) request->reply->code = auth_type_rcode[rcode];
324
325 switch (request->reply->code) {
 /*
  *	No reply code at all: fail closed with Access-Reject.  This case
  *	presumably falls through into the Access-Reject case below, whose
  *	label is not visible in this listing.
  */
326 case 0:
327 RDEBUG("No reply code was set. Forcing to Access-Reject");
328 request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
330
331 /*
332 * Print complaints before running "send Access-Reject"
333 */
335 RDEBUG2("Failed to authenticate the user");
336
337 /*
338 * Maybe the shared secret is wrong?
  *
  *	A User-Password decoded with the wrong shared secret tends to
  *	contain bytes that are not valid UTF-8.  The scan below only
  *	classifies the bytes; the password value itself is never logged
  *	(the warning has no format arguments), and it runs only at
  *	debug level 2.
339 */
340 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password);
341 if (vp) {
342 if (RDEBUG_ENABLED2) {
343 uint8_t const *p;
344
345 p = (uint8_t const *) vp->vp_strvalue;
346 while (*p) {
347 int size;
348
 /* fr_utf8_char() returns 0 for an invalid sequence; -1 presumably means "NUL-terminated" - confirm. */
349 size = fr_utf8_char(p, -1);
350 if (!size) {
351 RWDEBUG("Unprintable characters in the password. "
352 "Double-check the shared secret on the server "
353 "and the NAS!");
354 break;
355 }
356 p += size;
357 }
358 }
359 }
360 break;
361
362 /*
363 * Access-Challenge sections require a State. If there is
364 * none, create one here. This is so that the State
365 * attribute is accessible in the "send Access-Challenge"
366 * section.
  *
  *	NOTE(review): the visible condition is '!= NULL', i.e. it fires
  *	when a State attribute already exists and then overwrites its
  *	value with 16 random bytes - the opposite of what the comment
  *	above describes.  The case label and one further line inside the
  *	block are not visible in this listing; confirm which behaviour is
  *	intended.  fr_pair_value_memdup()'s return value is also not
  *	checked here.
367 */
369 if ((vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_state)) != NULL) {
370 uint8_t buffer[16];
371
372 fr_rand_buffer(buffer, sizeof(buffer));
373
375 fr_pair_value_memdup(vp, buffer, sizeof(buffer), false);
376 }
377 break;
378
379 default:
380 break;
381
382 }
 /* Re-resolve the state for the (possibly changed) reply code before sending. */
383 UPDATE_STATE(reply);
384
385 fr_assert(state->send != NULL);
386 return state->send(p_result, mctx, request);
387}
388
/*
 *	Continuation after the "send Access-Accept" section.
 *
 *	Warns when a top-level request carries an anonymised ('@'-prefixed)
 *	User-Name without a Stripped-User-Name, then discards any stored
 *	State for the request: an Access-Accept ends the multi-round exchange.
 *
 *	NOTE(review): the 'inst' declaration near the top and the final
 *	return line are not visible in this listing.
 */
389RESUME_FLAG(access_accept, UNUSED,)
390{
391 fr_pair_t *vp;
393
395
396 /*
397 * Check that there is a name which can be used to
398 * identify the user. The configuration depends on
399 * User-Name or Stripped-User-Name existing, and being
400 * (mostly) unique to that user.
  *
  *	Only checked for top-level requests (!request->parent); the
  *	inner identity of a tunnelled request is expected to live on
  *	the child.  An empty User-Name does not trigger the warning
  *	since its first byte is NUL, not '@'.
401 */
402 if (!request->parent &&
403 ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name)) != NULL) &&
404 (vp->vp_strvalue[0] == '@') &&
405 !fr_pair_find_by_da(&request->request_pairs, NULL, attr_stripped_user_name)) {
406 RWDEBUG("User-Name is anonymized, and no Stripped-User-Name exists.");
407 RWDEBUG("It may be difficult or impossible to identify the user.");
408 RWDEBUG("Please update Stripped-User-Name with information which identifies the user.");
409 }
410
 /* The session is complete; drop its State entry so it cannot be resumed. */
411 fr_state_discard(inst->auth.state_tree, request);
413}
414
/*
 *	Continuation after the "send Access-Reject" section.
 *
 *	A reject terminates the exchange, so the request's State entry is
 *	discarded exactly as for Access-Accept.
 *
 *	NOTE(review): the 'inst' declaration and the final return line are
 *	not visible in this listing.
 */
415RESUME_FLAG(access_reject, UNUSED,)
416{
418
420
421 fr_state_discard(inst->auth.state_tree, request);
423}
424
/*
 *	Continuation after the "send Access-Challenge" section.
 *
 *	Hands the request's state pairs and context over to the state tree so
 *	the next round can pick them up.  If that fails the challenge cannot
 *	be continued, so the reply is downgraded to Do-Not-Respond rather
 *	than sending a challenge the server could never complete.
 *
 *	NOTE(review): the 'inst' declaration and the final return line are
 *	not visible in this listing; 'cs' has no visible use and is presumably
 *	consumed by the UPDATE_STATE_CS macro - confirm.
 */
425RESUME(access_challenge)
426{
427 CONF_SECTION *cs;
428 fr_process_state_t const *state;
430
432
433 /*
434 * Cache the state context.
435 *
436 * If this fails, don't respond to the request.
437 */
438 if (fr_request_to_state(inst->auth.state_tree, request) < 0) {
439 request->reply->code = FR_RADIUS_CODE_DO_NOT_RESPOND;
440 UPDATE_STATE_CS(reply);
441 return CALL_SEND_STATE(state);
442 }
443
444 fr_assert(request->reply->code == FR_RADIUS_CODE_ACCESS_CHALLENGE);
446}
447
/*
 *	Continuation after the "send Protocol-Error" section.
 *
 *	Ensures the two attributes RFC 7930 section 4 expects in a
 *	Protocol-Error reply are present - Original-Packet-Code (set to the
 *	request's packet code) and Error-Cause (defaulting to Invalid-Request,
 *	the "generic 404") - then continues with the generic send processing.
 *
 *	If allocating either pair fails the attribute is silently omitted;
 *	the reply is still sent.  The 'inst' / PROCESS_TRACE line near the
 *	top is not visible in this listing.
 */
448RESUME(protocol_error)
449{
450 fr_pair_t *vp;
451
453
454 fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code));
455
456 /*
457 * https://tools.ietf.org/html/rfc7930#section-4
  *
  *	Original-Packet-Code lives under Extended-Attribute-1 (see the
  *	autoload table), hence the nested lookup.
458 */
459 vp = fr_pair_find_by_da_nested(&request->reply_pairs, NULL, attr_original_packet_code);
460 if (!vp) {
461 vp = fr_pair_afrom_da(request->reply_ctx, attr_original_packet_code);
462 if (vp) {
463 vp->vp_uint32 = request->packet->code;
464 fr_pair_append(&request->reply_pairs, vp);
465 }
466 }
467
468 /*
469 * If there's no Error-Cause, then include a generic 404.
470 */
471 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_error_cause);
472 if (!vp) {
473 vp = fr_pair_afrom_da(request->reply_ctx, attr_error_cause);
474 if (vp) {
475 vp->vp_uint32 = FR_ERROR_CAUSE_VALUE_INVALID_REQUEST;
476 fr_pair_append(&request->reply_pairs, vp);
477 }
478 }
479
480 /*
481 * And do the generic processing after running a "send" section.
482 */
483 return CALL_RESUME(send_generic);
484}
485
/*
 *	Entry point for every packet handled by this process module.
 *
 *	Asserts the packet code is one this module knows, tags the request
 *	for logging, resolves the state entry for the packet code, dumps the
 *	packet when debugging, and dispatches to that state's recv handler.
 *
 *	NOTE(review): the component string is "radius" and the dictionary
 *	assert is against dict_radius although the module registers as "ttls"
 *	(see .name in process_ttls below); presumably deliberate for the
 *	tunnelled inner RADIUS exchange - confirm.  Two lines near the top
 *	('inst' / PROCESS_TRACE) are not visible in this listing.
 *
 *	@param[out] p_result	Where the section result is written.
 *	@param[in] mctx		Module call context.
 *	@param[in] request	Request carrying the packet to process.
 *	@return the action returned by the state's recv function.
 */
486static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
487{
488 fr_process_state_t const *state;
489
491
493
494 fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->packet->code));
495
496 request->component = "radius";
497 request->module = NULL;
498 fr_assert(request->proto_dict == dict_radius);
499
500 UPDATE_STATE(packet);
501
 /* true: this is an inbound packet. */
502 radius_packet_debug(request, request->packet, &request->request_pairs, true);
503
504 return state->recv(p_result, mctx, request);
505}
506
/*
 *	Per-instance setup.
 *
 *	Records the enclosing virtual server (the parent of the module's
 *	config section) and creates the State tree used to correlate the
 *	rounds of a multi-round authentication, sized and timed from the
 *	"session" settings and keyed by the State attribute.
 *
 *	NOTE(review): the return value of fr_state_tree_init() is stored
 *	without a NULL check before returning success; confirm it cannot
 *	fail, or return -1 when it does so the instance is not activated
 *	with a NULL state tree.  The last argument (and closing parenthesis)
 *	of the call is on a line not visible in this listing.
 *
 *	@param[in] mctx	Instantiation context; mctx->mi->data is the process_ttls_t.
 *	@return 0 (always, as visible here).
 */
507static int mod_instantiate(module_inst_ctx_t const *mctx)
508{
509 process_ttls_t *inst = talloc_get_type_abort(mctx->mi->data, process_ttls_t);
510
511 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
512
 /* Thread safety of the tree follows whether the server spawns workers. */
513 inst->auth.state_tree = fr_state_tree_init(inst, attr_state, main_config->spawn_workers, inst->auth.session.max,
514 inst->auth.session.timeout, inst->auth.session.state_server_id,
516
517 return 0;
518}
519
/** Define Auth-Type enum values from the "authenticate" sections of the enclosing virtual server.
 *
 * Runs once per module instance before instantiation.  The virtual server is
 * the parent of the module's own config section.
 *
 * @param[in] mctx	Instantiation context; mctx->mi->conf is this module's config section.
 * @return
 *	- 0 on success.
 *	- -1 if virtual_server_section_attribute_define() fails.
 */
static int mod_bootstrap(module_inst_ctx_t const *mctx)
{
	CONF_SECTION	*vs_cs;
	int		ret;

	vs_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
	ret = virtual_server_section_attribute_define(vs_cs, "authenticate", attr_auth_type);

	return (ret < 0) ? -1 : 0;
}
528
529/*
530 * rcodes not listed under a packet_type
531 * mean that the packet code will not be
532 * changed.
 *
 *	One entry per packet code this module handles, indexed by the code.
 *	Fields visible here: .packet_type (rcode -> reply code map),
 *	.default_rcode, .result_rcode, .recv / .send, the .resume continuation,
 *	and .section_offset (which unlang section to run).  Only the
 *	Access-Request entry is a receive state; the rest are reply states.
 *	Most designated indices and the .packet_type contents are not visible
 *	in this listing - the entries are identified below by their .resume.
533 */
534static fr_process_state_t const process_state[] = {
 /* Access-Request (index not visible): recv -> resume_access_request. */
536 .packet_type = {
540
547 },
548 .default_rcode = RLM_MODULE_NOOP,
549 .recv = recv_generic,
550 .resume = resume_access_request,
551 .section_offset = offsetof(process_ttls_sections_t, access_request),
552 },
 /* Access-Accept (index not visible): send -> resume_access_accept. */
554 .packet_type = {
560 },
561 .default_rcode = RLM_MODULE_NOOP,
562 .result_rcode = RLM_MODULE_OK,
563 .send = send_generic,
564 .resume = resume_access_accept,
565 .section_offset = offsetof(process_ttls_sections_t, access_accept),
566 },
 /* Access-Reject (index not visible): send -> resume_access_reject. */
568 .packet_type = {
574 },
575 .default_rcode = RLM_MODULE_NOOP,
576 .result_rcode = RLM_MODULE_REJECT,
577 .send = send_generic,
578 .resume = resume_access_reject,
579 .section_offset = offsetof(process_ttls_sections_t, access_reject),
580 },
 /* Access-Challenge (index not visible): send -> resume_access_challenge. */
582 .packet_type = {
588 },
589 .default_rcode = RLM_MODULE_NOOP,
590 .result_rcode = RLM_MODULE_OK,
591 .send = send_generic,
592 .resume = resume_access_challenge,
593 .section_offset = offsetof(process_ttls_sections_t, access_challenge),
594 },
595
596
597 [ FR_RADIUS_CODE_PROTOCOL_ERROR ] = { /* @todo - fill out required fields */
598 .packet_type = {
604 },
605 .default_rcode = RLM_MODULE_NOOP,
606 .result_rcode = RLM_MODULE_FAIL,
607 .send = send_generic,
608 .resume = resume_protocol_error,
609 .section_offset = offsetof(process_ttls_sections_t, protocol_error),
610 },
 /* Do-Not-Respond (index not visible): send -> resume_send_generic, result HANDLED. */
612 .packet_type = {
617
624 },
625 .default_rcode = RLM_MODULE_NOOP,
626 .result_rcode = RLM_MODULE_HANDLED,
627 .send = send_generic,
628 .resume = resume_send_generic,
629 .section_offset = offsetof(process_ttls_sections_t, do_not_respond),
630 }
631};
632
634 {
635 .section = SECTION_NAME("recv", "Access-Request"),
636 .actions = &mod_actions_authorize,
637 .offset = PROCESS_CONF_OFFSET(access_request),
638 },
639 {
640 .section = SECTION_NAME("send", "Access-Accept"),
642 .offset = PROCESS_CONF_OFFSET(access_accept),
643 },
644 {
645 .section = SECTION_NAME("send", "Access-Challenge"),
647 .offset = PROCESS_CONF_OFFSET(access_challenge),
648 },
649 {
650 .section = SECTION_NAME("send", "Access-Reject"),
652 .offset = PROCESS_CONF_OFFSET(access_reject),
653 },
654
655 {
656 .section = SECTION_NAME("send", "Protocol-Error"),
658 .offset = PROCESS_CONF_OFFSET(protocol_error),
659 },
660 {
661 .section = SECTION_NAME("send", "Do-Not-Respond"),
663 .offset = PROCESS_CONF_OFFSET(do_not_respond),
664 },
665 {
666 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
668 },
670};
671
674 .common = {
675 .magic = MODULE_MAGIC_INIT,
676 .name = "ttls",
677 .config = config,
679 MODULE_RCTX(process_rctx_t),
680
681 .bootstrap = mod_bootstrap,
682 .instantiate = mod_instantiate
683 },
684 .process = mod_process,
685 .compile_list = compile_list,
686 .dict = &dict_radius,
687 .packet_type = &attr_packet_type
688};