The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_radius.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 4d6ba2403026bc7561df74b1abbe590a7a5e178c $
19 * @file rlm_radius.c
20 * @brief A RADIUS client library.
21 *
22 * @copyright 2016 The FreeRADIUS server project
23 * @copyright 2016 Network RADIUS SAS
24 */
25RCSID("$Id: 4d6ba2403026bc7561df74b1abbe590a7a5e178c $")
26
27#include <freeradius-devel/io/application.h>
28#include <freeradius-devel/server/modpriv.h>
29#include <freeradius-devel/unlang/xlat_func.h>
30#include <freeradius-devel/util/debug.h>
31#include <freeradius-devel/util/dlist.h>
32
33#include "rlm_radius.h"
34
35static int mode_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
36static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
37static int status_check_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
38static int status_check_update_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
39static int radius_fixups(rlm_radius_t const *inst, request_t *request);
40
47
48static conf_parser_t const status_check_update_config[] = {
49 { FR_CONF_OFFSET_TYPE_FLAGS("update", FR_TYPE_VOID, CONF_FLAG_SUBSECTION | CONF_FLAG_REQUIRED, rlm_radius_t, status_check_map),
50 .name2 = CF_IDENT_ANY,
51 .func = status_check_update_parse },
52 { FR_CONF_OFFSET("num_answers_to_alive", rlm_radius_t, num_answers_to_alive), .dflt = STRINGIFY(3) },
53
54 CONF_PARSER_TERMINATOR
55};
56
57/*
58 * Retransmission intervals for the packets we support.
59 */
60static conf_parser_t auth_config[] = {
61 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt), .dflt = STRINGIFY(2) },
62 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt), .dflt = STRINGIFY(16) },
63 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc), .dflt = STRINGIFY(5) },
64 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd), .dflt = STRINGIFY(30) },
65 CONF_PARSER_TERMINATOR
66};
67
68static conf_parser_t acct_config[] = {
69 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt), .dflt = STRINGIFY(2) },
70 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt), .dflt = STRINGIFY(5) },
71 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc), .dflt = STRINGIFY(1) },
72 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd), .dflt = STRINGIFY(30) },
73 CONF_PARSER_TERMINATOR
74};
75
76static conf_parser_t status_config[] = {
77 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].irt), .dflt = STRINGIFY(2) },
78 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrt), .dflt = STRINGIFY(5) },
79 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrc), .dflt = STRINGIFY(5) },
80 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrd), .dflt = STRINGIFY(30) },
81 CONF_PARSER_TERMINATOR
82};
83
84static conf_parser_t coa_config[] = {
85 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].irt), .dflt = STRINGIFY(2) },
86 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrt), .dflt = STRINGIFY(16) },
87 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrc), .dflt = STRINGIFY(5) },
88 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrd), .dflt = STRINGIFY(30) },
89 CONF_PARSER_TERMINATOR
90};
91
92static conf_parser_t disconnect_config[] = {
93 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt), .dflt = STRINGIFY(2) },
94 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt), .dflt = STRINGIFY(16) },
95 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc), .dflt = STRINGIFY(5) },
96 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd), .dflt = STRINGIFY(30) },
97 CONF_PARSER_TERMINATOR
98};
99
105
106/*
107 * We only parse the pool options if we're connected.
108 */
109static conf_parser_t const connected_config[] = {
110 { FR_CONF_POINTER("status_check", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_check_config },
111
112 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_radius_t, trunk_conf, trunk_config ) },
113
114 { FR_CONF_POINTER("udp", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OPTIONAL, NULL), .subcs = (void const *) transport_config },
115
116 { FR_CONF_POINTER("tcp", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OPTIONAL, NULL), .subcs = (void const *) transport_config },
117
118 CONF_PARSER_TERMINATOR
119};
120
121/*
122 * We only parse the pool options if we're connected.
123 */
124static conf_parser_t const pool_config[] = {
125 { FR_CONF_POINTER("status_check", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_check_config },
126
127 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_radius_t, trunk_conf, trunk_config ) },
128
129 CONF_PARSER_TERMINATOR
130};
131
132/*
133 * A mapping of configuration file names to internal variables.
134 */
135static conf_parser_t const module_config[] = {
136 { FR_CONF_OFFSET_FLAGS("mode", CONF_FLAG_REQUIRED, rlm_radius_t, mode), .func = mode_parse, .dflt = "proxy" },
137
138 { FR_CONF_OFFSET_REF(rlm_radius_t, fd_config, fr_bio_fd_client_config) },
139
140 { FR_CONF_OFFSET_FLAGS("type", CONF_FLAG_NOT_EMPTY | CONF_FLAG_MULTI | CONF_FLAG_REQUIRED, rlm_radius_t, types),
141 .func = type_parse },
142
143 { FR_CONF_OFFSET_FLAGS("replicate", CONF_FLAG_DEPRECATED, rlm_radius_t, replicate) },
144
145 { FR_CONF_OFFSET_FLAGS("synchronous", CONF_FLAG_DEPRECATED, rlm_radius_t, synchronous) },
146
147 { FR_CONF_OFFSET_FLAGS("originate", CONF_FLAG_DEPRECATED, rlm_radius_t, originate) },
148
149 { FR_CONF_OFFSET("max_packet_size", rlm_radius_t, max_packet_size), .dflt = "4096" },
150 { FR_CONF_OFFSET("max_send_coalesce", rlm_radius_t, max_send_coalesce), .dflt = "1024" },
151
152 { FR_CONF_OFFSET("max_attributes", rlm_radius_t, max_attributes), .dflt = STRINGIFY(RADIUS_MAX_ATTRIBUTES) },
153
154 { FR_CONF_OFFSET("require_message_authenticator", rlm_radius_t, require_message_authenticator),
155 .func = cf_table_parse_int,
156 .uctx = &(cf_table_parse_ctx_t){ .table = fr_radius_require_ma_table, .len = &fr_radius_require_ma_table_len },
157 .dflt = "no" },
158
159 { FR_CONF_OFFSET("response_window", rlm_radius_t, response_window), .dflt = STRINGIFY(20) },
160
161 { FR_CONF_OFFSET("zombie_period", rlm_radius_t, zombie_period), .dflt = STRINGIFY(40) },
162
163 { FR_CONF_OFFSET("revive_interval", rlm_radius_t, revive_interval) },
164
165 { FR_CONF_OFFSET("home_server_lifetime", rlm_radius_t, home_server_lifetime) },
166
167 CONF_PARSER_TERMINATOR
168};
169
170static conf_parser_t const type_interval_config[FR_RADIUS_CODE_MAX] = {
171 [FR_RADIUS_CODE_ACCESS_REQUEST] = { FR_CONF_POINTER("Access-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config },
172
173 [FR_RADIUS_CODE_ACCOUNTING_REQUEST] = { FR_CONF_POINTER("Accounting-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) acct_config },
174 [FR_RADIUS_CODE_STATUS_SERVER] = { FR_CONF_POINTER("Status-Server", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_config },
175 [FR_RADIUS_CODE_COA_REQUEST] = { FR_CONF_POINTER("CoA-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) coa_config },
176 [FR_RADIUS_CODE_DISCONNECT_REQUEST] = { FR_CONF_POINTER("Disconnect-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) disconnect_config },
177};
178
179static fr_dict_t const *dict_radius;
180
181extern fr_dict_autoload_t rlm_radius_dict[];
182fr_dict_autoload_t rlm_radius_dict[] = {
183 { .out = &dict_radius, .proto = "radius" },
184 { NULL }
185};
186
187static fr_dict_attr_t const *attr_chap_challenge;
188static fr_dict_attr_t const *attr_chap_password;
189static fr_dict_attr_t const *attr_packet_type;
190static fr_dict_attr_t const *attr_proxy_state;
191
192static fr_dict_attr_t const *attr_error_cause;
193static fr_dict_attr_t const *attr_event_timestamp;
194static fr_dict_attr_t const *attr_extended_attribute_1;
195static fr_dict_attr_t const *attr_message_authenticator;
196static fr_dict_attr_t const *attr_eap_message;
197static fr_dict_attr_t const *attr_nas_identifier;
198static fr_dict_attr_t const *attr_original_packet_code;
199static fr_dict_attr_t const *attr_response_length;
200static fr_dict_attr_t const *attr_user_password;
201
202extern fr_dict_attr_autoload_t rlm_radius_dict_attr[];
203fr_dict_attr_autoload_t rlm_radius_dict_attr[] = {
204 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
205 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
206 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
207 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
208
209 { .out = &attr_error_cause, .name = "Error-Cause", .type = FR_TYPE_UINT32, .dict = &dict_radius },
210 { .out = &attr_event_timestamp, .name = "Event-Timestamp", .type = FR_TYPE_DATE, .dict = &dict_radius},
211 { .out = &attr_extended_attribute_1, .name = "Extended-Attribute-1", .type = FR_TYPE_TLV, .dict = &dict_radius},
212 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
213 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
214 { .out = &attr_nas_identifier, .name = "NAS-Identifier", .type = FR_TYPE_STRING, .dict = &dict_radius},
215 { .out = &attr_original_packet_code, .name = "Extended-Attribute-1.Original-Packet-Code", .type = FR_TYPE_UINT32, .dict = &dict_radius},
216 { .out = &attr_response_length, .name = "Extended-Attribute-1.Response-Length", .type = FR_TYPE_UINT32, .dict = &dict_radius },
217 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius},
218
219 { NULL }
220};
221
222#include "bio.c"
223
224static fr_table_num_sorted_t mode_names[] = {
225 { L("client"), RLM_RADIUS_MODE_CLIENT },
226 { L("dynamic-proxy"), RLM_RADIUS_MODE_XLAT_PROXY },
227 { L("proxy"), RLM_RADIUS_MODE_PROXY },
228 { L("replicate"), RLM_RADIUS_MODE_REPLICATE },
229 { L("unconnected-replicate"), RLM_RADIUS_MODE_UNCONNECTED_REPLICATE },
230};
231static size_t mode_names_len = NUM_ELEMENTS(mode_names);
232
233
234/** Set the mode of operation
235 *
236 * @param[in] ctx to allocate data in (instance of rlm_radius).
237 * @param[out] out Where to write the parsed data.
238 * @param[in] parent Base structure address.
239 * @param[in] ci #CONF_PAIR specifying the name of the type module.
240 * @param[in] rule unused.
241 * @return
242 * - 0 on success.
243 * - -1 on failure.
244 */
245static int mode_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent,
246 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
247{
248 char const *name = cf_pair_value(cf_item_to_pair(ci));
249 rlm_radius_mode_t mode;
250 rlm_radius_t *inst = talloc_get_type_abort(parent, rlm_radius_t);
251 CONF_SECTION *cs = cf_item_to_section(cf_parent(ci));
252
253 mode = fr_table_value_by_str(mode_names, name, RLM_RADIUS_MODE_INVALID);
254
255 /*
256 * Commented out until we upgrade the old configurations.
257 */
258 if (mode == RLM_RADIUS_MODE_INVALID) {
259 cf_log_err(ci, "Invalid mode name \"%s\"", name);
260 return -1;
261 }
262
263 *(rlm_radius_mode_t *) out = mode;
264
265 /*
266 * Normally we want connected sockets, in which case we push additional configuration for
267 * connected sockets.
268 */
269 switch (mode) {
270 default:
271 inst->fd_config.type = FR_BIO_FD_CONNECTED;
272
273 if (cf_section_rules_push(cs, connected_config) < 0) return -1;
274 break;
275
276 case RLM_RADIUS_MODE_XLAT_PROXY:
277 inst->fd_config.type = FR_BIO_FD_UNCONNECTED; /* reset later when the home server is allocated */
278
279 if (cf_section_rules_push(cs, pool_config) < 0) return -1;
280 break;
281
282 case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE:
283 inst->fd_config.type = FR_BIO_FD_UNCONNECTED;
284 break;
285 }
286
287 return 0;
288}
289
290
291/** Set which types of packets we can parse
292 *
293 * @param[in] ctx to allocate data in (instance of rlm_radius).
294 * @param[out] out Where to write the parsed data.
295 * @param[in] parent Base structure address.
296 * @param[in] ci #CONF_PAIR specifying the name of the type module.
297 * @param[in] rule unused.
298 * @return
299 * - 0 on success.
300 * - -1 on failure.
301 */
302static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
303 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
304{
305 char const *type_str = cf_pair_value(cf_item_to_pair(ci));
306 CONF_SECTION *cs = cf_item_to_section(cf_parent(ci));
307 fr_dict_enum_value_t const *type_enum;
308 uint32_t code;
309
310 /*
311 * Must be the RADIUS module
312 */
313 fr_assert(cs && (strcmp(cf_section_name1(cs), "radius") == 0));
314
315 /*
316 * Allow the process module to be specified by
317 * packet type.
318 */
319 type_enum = fr_dict_enum_by_name(attr_packet_type, type_str, -1);
320 if (!type_enum) {
321 invalid_code:
322 cf_log_err(ci, "Unknown or invalid RADIUS packet type '%s'", type_str);
323 return -1;
324 }
325
326 code = type_enum->value->vb_uint32;
327
328 /*
329 * Status-Server packets cannot be proxied.
330 */
331 if (code == FR_RADIUS_CODE_STATUS_SERVER) {
332 cf_log_err(ci, "Invalid setting of 'type = Status-Server'. Status-Server packets cannot be proxied.");
333 return -1;
334 }
335
336 if (!code ||
337 (code >= FR_RADIUS_CODE_MAX) ||
338 (!type_interval_config[code].name1)) goto invalid_code;
339
340 /*
341 * If we're doing async proxying, push the timers for the
342 * various packet types.
343 */
344 cf_section_rule_push(cs, &type_interval_config[code]);
345
346 *(uint32_t *) out = code;
347
348 return 0;
349}
350
351/** Allow for Status-Server ping checks
352 *
353 * @param[in] ctx to allocate data in (instance of proto_radius).
354 * @param[out] out Where to write our parsed data.
355 * @param[in] parent Base structure address.
356 * @param[in] ci #CONF_PAIR specifying the name of the type module.
357 * @param[in] rule unused.
358 * @return
359 * - 0 on success.
360 * - -1 on failure.
361 */
362static int status_check_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
363 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
364{
365 char const *type_str = cf_pair_value(cf_item_to_pair(ci));
366 CONF_SECTION *cs = cf_item_to_section(cf_parent(ci));
367 fr_dict_enum_value_t const *type_enum;
368 uint32_t code;
369
370 /*
371 * Allow the process module to be specified by
372 * packet type.
373 */
374 type_enum = fr_dict_enum_by_name(attr_packet_type, type_str, -1);
375 if (!type_enum) {
376 invalid_code:
377 cf_log_err(ci, "Unknown or invalid RADIUS packet type '%s'", type_str);
378 return -1;
379 }
380
381 code = type_enum->value->vb_uint32;
382
383 /*
384 * Cheat, and reuse the "type" array for allowed packet
385 * types.
386 */
387 if (!code ||
388 (code >= FR_RADIUS_CODE_MAX) ||
389 (!type_interval_config[code].name1)) goto invalid_code;
390
391 /*
392 * Add irt / mrt / mrd / mrc parsing, in the parent
393 * configuration section.
394 */
395 cf_section_rule_push(cf_item_to_section(cf_parent(cs)), &type_interval_config[code]);
396
397 memcpy(out, &code, sizeof(code));
398
399 /*
400 * Nothing more to do here, so we stop.
401 */
402 if (code == FR_RADIUS_CODE_STATUS_SERVER) return 0;
403
404 cf_section_rule_push(cs, status_check_update_config);
405
406 return 0;
407}
408
409static int status_check_verify(map_t *map, void *ctx)
410{
411 rlm_radius_t const *inst = talloc_get_type_abort_const(ctx, rlm_radius_t);
412 fr_dict_attr_t const *da;
413
414 fr_assert(tmpl_is_attr(map->lhs));
415
416 if (unlang_fixup_update(map, NULL) < 0) return -1;
417
418 if (!map->rhs) return 0;
419
420 if (tmpl_is_xlat(map->rhs)) {
421 if (xlat_impure_func(tmpl_xlat(map->rhs))) {
422 invalid_xlat:
423 cf_log_err(map->ci, "Cannot assign dynamic values here");
424 return -1;
425 }
426 } else if (!tmpl_is_data(map->rhs)) {
427 goto invalid_xlat;
428 }
429
430 da = tmpl_attr_tail_da(map->lhs);
431
432 /*
433 * Ignore internal attributes.
434 */
435 if (da->flags.internal) {
436 cf_log_err(map->ci, "Cannot use internal attributes");
437 return -1;
438 }
439
440 /*
441 * Ignore signalling attributes. They shouldn't exist.
442 */
443 if ((da == attr_proxy_state) ||
444 (da == attr_message_authenticator)) {
445 cannot_use:
446 cf_log_err(map->ci, "Cannot use %s here.", da->name);
447 return -1;
448 }
449
450 /*
451 * Allow passwords only in Access-Request packets.
452 */
453 if ((inst->status_check != FR_RADIUS_CODE_ACCESS_REQUEST) &&
454 ((da == attr_user_password) || (da == attr_chap_password) || (da == attr_eap_message))) {
455 goto cannot_use;
456 }
457
458 return 0;
459}
460
461/** Allow the admin to set packet contents for Status-Server ping checks
462 *
463 * @param[in] ctx to allocate data in (instance of proto_radius).
464 * @param[out] out Where to write our parsed data
465 * @param[in] parent Base structure address.
466 * @param[in] ci #CONF_SECTION specifying the things to update
467 * @param[in] rule unused.
468 * @return
469 * - 0 on success.
470 * - -1 on failure.
471 */
472static int status_check_update_parse(TALLOC_CTX *ctx, void *out, void *parent,
473 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
474{
475 int rcode;
476 CONF_SECTION *cs;
477 char const *name2;
478 map_list_t *head = (map_list_t *)out;
479
480 fr_assert(cf_item_is_section(ci));
481 map_list_init(head);
482
483 cs = cf_item_to_section(ci);
484 name2 = cf_section_name2(cs);
485 if (name2 && (strcmp(name2, "request") != 0)) {
486 cf_log_err(cs, "Only 'request' can be specified as the destination list");
487 return -1;
488 }
489
490 /*
491 * Compile the "update" section.
492 */
493 {
494 tmpl_rules_t parse_rules = {
495 .attr = {
496 .dict_def = dict_radius,
497 .namespace = fr_dict_root(dict_radius),
498 .list_def = request_attr_request,
499 .list_presence = TMPL_ATTR_LIST_FORBID,
500 },
501 .literals_safe_for = FR_VALUE_BOX_SAFE_FOR_ANY,
502 };
503
504 rcode = map_afrom_cs(ctx, head, cs, &parse_rules, &parse_rules, status_check_verify, parent, 128);
505 if (rcode < 0) return -1; /* message already printed */
506 if (map_list_empty(head)) {
507 cf_log_err(cs, "Invalid configuration - status check packets cannot be empty");
508 return -1;
509 }
510 }
511
512 /*
513 * Rely on "bootstrap" to do sanity checks between 'type
514 * = Access-Request', and 'update' containing passwords.
515 */
516 return 0;
517}
518
519
520/** Do any RADIUS-layer fixups for proxying.
521 *
522 */
523static int radius_fixups(rlm_radius_t const *inst, request_t *request)
524{
525 fr_pair_t *vp;
526
527 if (request->packet->code == FR_RADIUS_CODE_STATUS_SERVER) {
528 RWDEBUG("Status-Server is reserved for internal use, and cannot be sent manually.");
529 return 0;
530 }
531
532 if (!inst->allowed[request->packet->code]) {
533 REDEBUG("Packet code %s is disallowed by the configuration",
534 fr_radius_packet_name[request->packet->code]);
535 return -1;
536 }
537
538 /*
539 * Check for proxy loops.
540 *
541 * There should _never_ be two instances of the same Proxy-State in the packet.
542 */
543 if ((inst->mode == RLM_RADIUS_MODE_PROXY) && RDEBUG_ENABLED) {
544 unsigned int count = 0;
545 fr_dcursor_t cursor;
546
547 for (vp = fr_pair_dcursor_by_da_init(&cursor, &request->request_pairs, attr_proxy_state);
548 vp;
549 vp = fr_dcursor_next(&cursor)) {
550 if (vp->vp_length != sizeof(inst->common_ctx.proxy_state)) continue;
551
552 if (memcmp(vp->vp_octets, &inst->common_ctx.proxy_state,
553 sizeof(inst->common_ctx.proxy_state)) == 0) {
554
555 /*
556 * Cancel proxying when there are two instances of the same Proxy-State
557 * in the packet. This limitation could be configurable, but it likely
558 * doesn't make sense to make it configurable.
559 */
560 if (count == 1) {
561 RWARN("Canceling proxy due to loop of multiple %pV", vp);
562 return -1;
563 }
564
565 RWARN("Proxied packet contains our own %pV", vp);
566 RWARN("Check if there is a proxy loop. Perhaps the server has been configured to proxy to itself.");
567 count++;
568 }
569 }
570 }
571
572 if (request->packet->code != FR_RADIUS_CODE_ACCESS_REQUEST) return 0;
573
574 if (fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password) &&
575 !fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge)) {
576 MEM(pair_append_request(&vp, attr_chap_challenge) >= 0);
577 fr_pair_value_memdup(vp, request->packet->vector, sizeof(request->packet->vector), true);
578 }
579
580 return 0;
581}
582
583
584/** Send packets outbound.
585 *
586 */
587static unlang_action_t CC_HINT(nonnull) mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
588{
589 rlm_radius_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_radius_t);
590 bio_thread_t *thread = talloc_get_type_abort(mctx->thread, bio_thread_t);
591 fr_client_t *client;
592 int rcode;
593 bio_request_t *u = NULL;
594 fr_retry_config_t const *retry_config = NULL;
595
596 if (!request->packet->code) {
597 REDEBUG("You MUST specify a packet code");
598 RETURN_MODULE_FAIL;
599 }
600
601 if ((request->packet->code >= FR_RADIUS_CODE_MAX) ||
602 !fr_time_delta_ispos(inst->retry[request->packet->code].irt)) { /* can't be zero */
603 REDEBUG("Invalid packet code %u", request->packet->code);
604 RETURN_MODULE_FAIL;
605 }
606
607 /*
608 * Unconnected sockets use %radius.replicate(ip, port, secret),
609 * or %radius.sendto(ip, port, secret)
610 */
611 if ((inst->mode == RLM_RADIUS_MODE_UNCONNECTED_REPLICATE) ||
612 (inst->mode == RLM_RADIUS_MODE_XLAT_PROXY)) {
613 REDEBUG("When using 'mode = unconnected-*', this module cannot be used in-place. Instead, it must be called via a function call");
614 RETURN_MODULE_FAIL;
615 }
616
617 client = client_from_request(request);
618 if (client && client->dynamic && !client->active) {
619 REDEBUG("Cannot proxy packets which define dynamic clients");
620 RETURN_MODULE_FAIL;
621 }
622
623 /*
624 * Push the request and it's data to the IO submodule.
625 *
626 * This may return YIELD, for "please yield", or it may
627 * return another code which indicates what happened to
628 * the request...
629 */
630 rcode = mod_enqueue(&u, &retry_config, inst, thread->ctx.trunk, request);
631 if (rcode == 0) RETURN_MODULE_NOOP;
632 if (rcode < 0) RETURN_MODULE_FAIL;
633
634 return unlang_module_yield_to_retry(request, mod_resume, mod_retry, mod_signal, 0, u, retry_config);
635}
636
637
638static int mod_instantiate(module_inst_ctx_t const *mctx)
639{
640 size_t i, num_types;
641 rlm_radius_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
642 CONF_SECTION *conf = mctx->mi->conf;
643
644 inst->name = mctx->mi->name;
645 inst->received_message_authenticator = talloc_zero(NULL, bool); /* Allocated outside of inst to default protection */
646
647 /*
648 * Allow explicit setting of mode.
649 */
650 if (inst->mode != RLM_RADIUS_MODE_INVALID) goto check_others;
651
652 /*
653 * If not set, try to insinuate it from context.
654 */
655 if (inst->replicate) {
656 if (inst->originate) {
657 cf_log_err(conf, "Cannot set 'replicate=true' and 'originate=true' at the same time.");
658 return -1;
659 }
660
661 if (inst->synchronous) {
662 cf_log_warn(conf, "Ignoring 'synchronous=true' due to 'replicate=true'");
663 }
664
665 inst->mode = RLM_RADIUS_MODE_REPLICATE;
666 goto check_others;
667 }
668
669 /*
670 * Argubly we should be allowed to do synchronous proxying _and_ originating client packets.
671 *
672 * However, the previous code didn't really do that consistently.
673 */
674 if (inst->synchronous && inst->originate) {
675 cf_log_err(conf, "Cannot set 'synchronous=true' and 'originate=true'");
676 return -1;
677 }
678
679 if (inst->synchronous) {
680 inst->mode = RLM_RADIUS_MODE_PROXY;
681 } else {
682 inst->mode = RLM_RADIUS_MODE_CLIENT;
683 }
684
685check_others:
686 /*
687 * Replication is write-only, and append by default.
688 */
689 if (inst->mode == RLM_RADIUS_MODE_REPLICATE) {
690 if (inst->fd_config.filename && (inst->fd_config.flags != O_WRONLY)) {
691 cf_log_info(conf, "Setting 'flags = write-only' for writing to a file");
692 }
693 inst->fd_config.flags = O_WRONLY | O_APPEND;
694
695 } else if (inst->fd_config.filename) {
696 cf_log_err(conf, "When using an output 'filename', you MUST set 'mode = replicate'");
697 return -1;
698
699 } else {
700 /*
701 * All other IO is read+write.
702 */
703 inst->fd_config.flags = O_RDWR;
704 }
705
706 if (fr_bio_fd_check_config(&inst->fd_config) < 0) {
707 cf_log_perr(conf, "Invalid configuration");
708 return -1;
709 }
710
711 /*
712 * Clamp max_packet_size first before checking recv_buff and send_buff
713 */
714 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 64);
715 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
716
717 /*
718 * Check invalid configurations.
719 */
720 switch (inst->mode) {
721 default:
722 /*
723 * Filenames are write-only, and cannot get response packets.
724 */
725 if (inst->fd_config.filename) {
726 cf_log_err(conf, "Cannot set 'filename' here - it is only supported for 'mode=replicate'");
727 return -1;
728 }
729
730 /*
731 * When we expect replies, we need to be able to open multiple source ports. So the
732 * admin can't force a particular source port.
733 */
734 if (inst->fd_config.src_port) {
735 cf_log_err(conf, "Cannot 'src_port' here - it can only be set for replicating packets");
736 return -1;
737 }
738
739 /*
740 * No src_port range, we don't need to check any other settings.
741 */
742 if (!inst->fd_config.src_port_start && !inst->fd_config.src_port_end) break;
743
744 if (inst->fd_config.path) {
745 cf_log_err(conf, "Cannot set 'src_port_start' or 'src_port_end' for outgoing Unix sockets");
746 return -1;
747 }
748
749 /*
750 * We can only have one method of allocating source ports.
751 */
752 if (inst->fd_config.src_port) {
753 cf_log_err(conf, "Cannot set 'src_port' and 'src_port_start' or 'src_port_end'");
754 return -1;
755 }
756
757 /*
758 * Cross-check src_port, src_port_start, and src_port_end.
759 */
760 if (inst->fd_config.src_port_start) {
761 if (!inst->fd_config.src_port_end) {
762 cf_log_err(conf, "Range has 'src_port_start', but is missing 'src_port_end'");
763 return -1;
764 }
765
766 if (inst->fd_config.src_port_start >= inst->fd_config.src_port_end) {
767 cf_log_err(conf, "Range has invalid values for 'src_port_start' ... 'src_port_end'");
768 return -1;
769 }
770
771 } else if (inst->fd_config.src_port_end) {
772 cf_log_err(conf, "Range has 'src_port_end', but is missing 'src_port_start'");
773 return -1;
774 }
775
776 /*
777 * Encorce limits per trunk, due to the 8-bit ID space.
778 */
779 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, >=, 2);
780 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, <=, 255);
781 FR_INTEGER_BOUND_CHECK("trunk.per_connection_target", inst->trunk_conf.target_req_per_conn, <=, inst->trunk_conf.max_req_per_conn / 2);
782
783 /*
784 * This only applies for XLAT_PROXY, but what the heck.
785 */
786 FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, >=, fr_time_delta_from_sec(10));
787 FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, <=, fr_time_delta_from_sec(3600));
788 break;
789
790 case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE:
791 /*
792 * Replication to dynamic filenames or dynamic unix sockets isn't supported.
793 */
794 if (inst->fd_config.filename || inst->fd_config.path) {
795 cf_log_err(conf, "Cannot set 'filename' or 'path' when using 'mode=unconnected-replicate'");
796 return -1;
797 }
798 FALL_THROUGH;
799
800 case RLM_RADIUS_MODE_REPLICATE:
801 /*
802 * We can force the source port, but then we have to set SO_REUSEPORT.
803 */
804 inst->fd_config.reuse_port = (inst->fd_config.src_port != 0);
805
806 /*
807 * Files and unix sockets are OK. The src_port can be set (or not), and that's fine.
808 */
809 if (inst->fd_config.src_port_start || inst->fd_config.src_port_end) {
810 cf_log_err(conf, "Cannot set 'src_port_start' or 'src_port_end' when replicating packets");
811 return -1;
812 }
813 break;
814 }
815
816 /*
817 * We allow what may otherwise be conflicting configurations, because the BIO code will pick one
818 * path, and the conflicts won't affect anything else. Only the src_port range is special.
819 */
820
821 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, >=, fr_time_delta_from_sec(1));
822 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, <=, fr_time_delta_from_sec(120));
823
824 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, >=, fr_time_delta_from_sec(1));
825 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, <=, fr_time_delta_from_sec(120));
826
827 if (!inst->status_check) {
828 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, >=, fr_time_delta_from_sec(10));
829 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, <=, fr_time_delta_from_sec(3600));
830 }
831
832 num_types = talloc_array_length(inst->types);
833 fr_assert(num_types > 0);
834
835 inst->timeout_retry = (fr_retry_config_t) {
836 .mrc = 1,
837 .mrd = inst->response_window,
838 };
839
840 inst->common_ctx = (fr_radius_ctx_t) {
841 .secret = inst->secret,
842 .secret_length = inst->secret ? talloc_array_length(inst->secret) - 1 : 0,
843 .proxy_state = ((uint64_t) fr_rand()) << 32 | fr_rand(),
844 };
845
846 /*
847 * Allow for O(1) lookup later...
848 */
849 for (i = 0; i < num_types; i++) {
850 uint32_t code;
851
852 code = inst->types[i];
853 fr_assert(code > 0);
854 fr_assert(code < FR_RADIUS_CODE_MAX);
855
856 inst->allowed[code] = true;
857 }
858
859 fr_assert(inst->status_check < FR_RADIUS_CODE_MAX);
860
861 /*
862 * If we're replicating, we don't care if the other end
863 * is alive.
864 */
865 if (inst->status_check) {
866 if (inst->mode == RLM_RADIUS_MODE_REPLICATE) {
867 cf_log_warn(conf, "Ignoring 'status_check = %s' due to 'mode = replicate'",
868 fr_radius_packet_name[inst->status_check]);
869 inst->status_check = false;
870
871 } else if ((inst->mode == RLM_RADIUS_MODE_UNCONNECTED_REPLICATE) ||
872 (inst->mode == RLM_RADIUS_MODE_XLAT_PROXY)) {
873 cf_log_warn(conf, "Ignoring 'status_check = %s' due to 'mode' setting",
874 fr_radius_packet_name[inst->status_check]);
875 inst->status_check = false;
876 }
877 }
878
879 /*
880 * If we have status checks, then do some sanity checks.
881 * Status-Server is always allowed. Otherwise, the
882 * status checks have to match one of the allowed
883 * packets.
884 */
885 if (inst->status_check) {
886 if (inst->status_check == FR_RADIUS_CODE_STATUS_SERVER) {
887 inst->allowed[inst->status_check] = true;
888
889 } else if (!inst->allowed[inst->status_check]) {
890 cf_log_err(conf, "Using 'status_check = %s' requires also 'type = %s'",
891 fr_radius_packet_name[inst->status_check], fr_radius_packet_name[inst->status_check]);
892 return -1;
893 }
894
895 /*
896 * @todo - check the contents of the "update"
897 * section, to be sure that (e.g.) Access-Request
898 * contains User-Name, etc.
899 */
900
901 if (inst->fd_config.filename) {
902 cf_log_info(conf, "Disabling status checks for output file %s", inst->fd_config.filename);
903 inst->status_check = 0;
904 }
905 }
906
907 /*
908 * Files and unix sockets can just have us call write().
909 */
910 if (inst->fd_config.filename || inst->fd_config.path) {
911 inst->max_send_coalesce = 1;
912 }
913
914 inst->trunk_conf.req_pool_headers = 4; /* One for the request, one for the buffer, one for the tracking binding, one for Proxy-State VP */
915 inst->trunk_conf.req_pool_size = 1024 + sizeof(fr_pair_t) + 20;
916
917 /*
918 * Only check the async timers when we're acting as a client.
919 */
920 if (inst->mode != RLM_RADIUS_MODE_CLIENT) {
921 return 0;
922 }
923
924 /*
925 * Set limits on retransmission timers
926 */
927 if (inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) {
928 FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, >=, fr_time_delta_from_sec(1));
929 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
930 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1);
931 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
932
933 FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3));
934 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
935 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10);
936 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
937 }
938
939 /*
940 * Note that RFC 5080 allows for Accounting-Request to
941 * have mrt=mrc=mrd = 0, which means "retransmit
942 * forever". We allow that, with the restriction that
943 * the server core will automatically free the request at
944 * request.timeout.
945 */
946 if (inst->allowed[FR_RADIUS_CODE_ACCOUNTING_REQUEST]) {
947 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, >=, fr_time_delta_from_sec(1));
948#if 0
949 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
950 FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, >=, 0);
951 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, >=, fr_time_delta_from_sec(0));
952#endif
953
954 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, <=, fr_time_delta_from_sec(5));
955 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
956 FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, <=, 10);
957 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
958 }
959
960 /*
961 * Status-Server
962 */
963 if (inst->allowed[FR_RADIUS_CODE_STATUS_SERVER]) {
964 FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, >=, fr_time_delta_from_sec(1));
965 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, >=, fr_time_delta_from_sec(5));
966 FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, >=, 1);
967 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, >=, fr_time_delta_from_sec(5));
968
969 FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, <=, fr_time_delta_from_sec(5));
970 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, <=, fr_time_delta_from_sec(30));
971 FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, <=, 10);
972 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, <=, fr_time_delta_from_sec(30));
973 }
974
975 /*
976 * CoA
977 */
978 if (inst->allowed[FR_RADIUS_CODE_COA_REQUEST]) {
979 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, >=, fr_time_delta_from_sec(1));
980 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
981 FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, >=, 1);
982 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
983
984 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, <=, fr_time_delta_from_sec(5));
985 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, <=, fr_time_delta_from_sec(60));
986 FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, <=, 10);
987 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
988 }
989
990 /*
991 * Disconnect
992 */
993 if (inst->allowed[FR_RADIUS_CODE_DISCONNECT_REQUEST]) {
994 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, >=, fr_time_delta_from_sec(1));
995 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
996 FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, >=, 1);
997 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
998
999 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, <=, fr_time_delta_from_sec(5));
1000 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
1001 FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, <=, 10);
1002 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
1003 }
1004
1005 return 0;
1006}
1007
1008static int mod_bootstrap(module_inst_ctx_t const *mctx)
1009{
1010 xlat_t *xlat;
1011 rlm_radius_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
1012
1013 switch (inst->mode) {
1014 case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE:
1015 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "sendto.ipaddr", xlat_radius_replicate, FR_TYPE_VOID);
1016 xlat_func_args_set(xlat, xlat_radius_send_args);
1017 break;
1018
1019 case RLM_RADIUS_MODE_XLAT_PROXY:
1020 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "sendto.ipaddr", xlat_radius_client, FR_TYPE_UINT32);
1021 xlat_func_args_set(xlat, xlat_radius_send_args);
1022 break;
1023
1024 default:
1025 break;
1026 }
1027
1028 return 0;
1029}
1030
1031
1032static int mod_detach(module_detach_ctx_t const *mctx)
1033{
1034 rlm_radius_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
1035
1036 talloc_free(inst->received_message_authenticator);
1037 return 0;
1038}
1039
1040static int mod_load(void)
1041{
1042 if (fr_radius_global_init() < 0) {
1043 PERROR("Failed initialising protocol library");
1044 return -1;
1045 }
1046 return 0;
1047}
1048
1049static void mod_unload(void)
1050{
1051 fr_radius_global_free();
1052}
1053
1054/*
1055 * The module name should be the only globally exported symbol.
1056 * That is, everything else should be 'static'.
1057 *
1058 * If the module needs to temporarily modify it's instantiation
1059 * data, the type should be changed to MODULE_TYPE_THREAD_UNSAFE.
1060 * The server will then take care of ensuring that the module
1061 * is single-threaded.
1062 */
1063extern module_rlm_t rlm_radius;
1064module_rlm_t rlm_radius = {
1065 .common = {
1066 .magic = MODULE_MAGIC_INIT,
1067 .name = "radius",
1068 .inst_size = sizeof(rlm_radius_t),
1069 .config = module_config,
1070 .dict = &dict_radius,
1071
1072 .onload = mod_load,
1073 .unload = mod_unload,
1074
1075 .bootstrap = mod_bootstrap,
1076 .instantiate = mod_instantiate,
1077 .detach = mod_detach,
1078
1079 .thread_inst_size = sizeof(bio_thread_t),
1080 .thread_inst_type = "bio_thread_t",
1081 .thread_instantiate = mod_thread_instantiate,
1082 },
1083 .method_group = {
1084 .bindings = (module_method_binding_t[]){
1085 { .section = SECTION_NAME(CF_IDENT_ANY, CF_IDENT_ANY), .method = mod_process },
1086 MODULE_BINDING_TERMINATOR
1087 },
1088 }
1089};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
RCSID
#define RCSID(id)
Definition build.h:485
L
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
STRINGIFY
#define STRINGIFY(x)
Definition build.h:197
UNUSED
#define UNUSED
Definition build.h:317
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:339
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1592
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:612
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:518
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
conf_parser_s::name2
char const * name2
Second identifier for CONF_SECTION.
Definition cf_parse.h:597
cf_section_rules_push
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:690
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
cf_section_rule_push
#define cf_section_rule_push(_cs, _rule)
Definition cf_parse.h:688
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:272
FR_CONF_OFFSET_REF
#define FR_CONF_OFFSET_REF(_struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:326
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
FR_TIME_DELTA_BOUND_CHECK
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:529
CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:434
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:448
CONF_FLAG_DEPRECATED
@ CONF_FLAG_DEPRECATED
If a matching CONF_PAIR is found, error out with a deprecated message.
Definition cf_parse.h:432
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition cf_parse.h:449
CONF_FLAG_OPTIONAL
@ CONF_FLAG_OPTIONAL
subsection is pushed only if a non-optional matching one is pushed
Definition cf_parse.h:460
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
cf_table_parse_ctx_t
Definition cf_parse.h:653
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
cf_section_name1
char const * cf_section_name1(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1170
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_item_is_section
bool cf_item_is_section(CONF_ITEM const *ci)
Determine if CONF_ITEM is a CONF_SECTION.
Definition cf_util.c:617
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1593
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
cf_log_info
#define cf_log_info(_cf, _fmt,...)
Definition cf_util.h:291
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
cf_log_perr
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:296
cf_log_warn
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:290
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
fr_dcursor_next
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advanced the cursor to the next item.
Definition dcursor.h:288
fr_dcursor_s
Definition dcursor.h:93
MEM
#define MEM(x)
Definition debug.h:36
FR_RADIUS_CODE_ACCESS_REQUEST
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
FR_RADIUS_CODE_DISCONNECT_REQUEST
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
FR_RADIUS_CODE_MAX
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
FR_RADIUS_CODE_STATUS_SERVER
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
FR_RADIUS_CODE_COA_REQUEST
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
FR_RADIUS_CODE_ACCOUNTING_REQUEST
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2402
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:272
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:285
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:235
fr_dict_enum_by_name
fr_dict_enum_value_t * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3397
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:271
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:284
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:231
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
FR_BIO_FD_CONNECTED
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition fd.h:68
FR_BIO_FD_UNCONNECTED
@ FR_BIO_FD_UNCONNECTED
unconnected UDP / datagram only
Definition fd.h:65
fr_bio_fd_client_config
const conf_parser_t fr_bio_fd_client_config[]
Definition fd_config.c:271
fr_bio_fd_check_config
int fr_bio_fd_check_config(fr_bio_fd_config_t const *cfg)
Checks the configuration without modifying anything.
Definition fd_open.c:920
fr_client_s::active
bool active
for dynamic clients
Definition client.h:119
fr_client_s::dynamic
bool dynamic
Whether the client was dynamically defined.
Definition client.h:118
fr_client_s
Describes a host allowed to send packets to the server.
Definition client.h:80
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:361
RWARN
#define RWARN(fmt,...)
Definition log.h:297
map_afrom_cs
int map_afrom_cs(TALLOC_CTX *ctx, map_list_t *out, CONF_SECTION *cs, tmpl_rules_t const *lhs_rules, tmpl_rules_t const *rhs_rules, map_validate_t validate, void *uctx, unsigned int max)
Convert a config section into an attribute map.
Definition map.c:1105
talloc_free
talloc_free(reap)
FR_TYPE_TLV
@ FR_TYPE_TLV
Contains nested attributes.
Definition merged_model.c:118
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_DATE
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
Definition merged_model.c:111
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
unlang_fixup_update
int unlang_fixup_update(map_t *map, void *ctx)
Validate and fixup a map that's part of an update section.
Definition compile.c:449
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::thread
void * thread
Thread specific instance data.
Definition module_ctx.h:43
module_detach_ctx_t::mi
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_detach_ctx_t
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
module_rlm_xlat_register
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
Definition module_rlm.c:243
module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
module_rlm_s
Definition module_rlm.h:38
mod_enqueue
static int mod_enqueue(bio_request_t **p_u, fr_retry_config_t const **p_retry_config, rlm_radius_t const *inst, trunk_t *trunk, request_t *request)
Definition bio.c:2257
mod_retry
static void mod_retry(module_ctx_t const *mctx, request_t *request, fr_retry_t const *retry)
Handle module retries.
Definition bio.c:1420
bio_thread_t::ctx
bio_handle_ctx_t ctx
common struct for home servers and BIO handles
Definition bio.c:58
xlat_radius_replicate
static xlat_action_t xlat_radius_replicate(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2478
xlat_radius_client
static xlat_action_t xlat_radius_client(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2628
bio_handle_ctx_t::trunk
trunk_t * trunk
trunk handler
Definition bio.c:51
mod_resume
static unlang_action_t mod_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx, UNUSED request_t *request)
Resume execution of the request, returning the rcode set during trunk execution.
Definition bio.c:2166
xlat_radius_send_args
static xlat_arg_parser_t const xlat_radius_send_args[]
Definition bio.c:2468
bio_request_s
Connect request_t to local tracking structure.
Definition bio.c:113
bio_thread_t
Definition bio.c:57
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2937
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:695
config
static const conf_parser_t config[]
Definition base.c:183
fr_radius_require_ma_table_len
size_t fr_radius_require_ma_table_len
Definition base.c:90
fr_radius_global_init
int fr_radius_global_init(void)
Definition base.c:1212
fr_radius_global_free
void fr_radius_global_free(void)
Definition base.c:1235
fr_radius_require_ma_table
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:83
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:112
bio.c
Functions to support RADIUS bio handlers.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
fd_config
static fr_bio_fd_config_t fd_config
Definition radclient-ng.c:84
secret
static char * secret
Definition radclient-ng.c:69
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG_ENABLED
#define RDEBUG_ENABLED()
Definition radclient.h:49
RADIUS_MAX_ATTRIBUTES
#define RADIUS_MAX_ATTRIBUTES
Definition radius.h:40
fr_radius_ctx_t
Definition radius.h:94
conf
static rs_t * conf
Definition radsniff.c:53
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
RETURN_MODULE_NOOP
#define RETURN_MODULE_NOOP
Definition rcode.h:62
RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:56
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
request_attr_request
fr_dict_attr_t const * request_attr_request
Definition request.c:43
mod_thread_instantiate
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Definition rlm_cache_memcached.c:326
coa_config
static conf_parser_t coa_config[]
Definition rlm_radius.c:84
disconnect_config
static conf_parser_t disconnect_config[]
Definition rlm_radius.c:92
status_check_type_parse
static int status_check_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
mod_detach
static int mod_detach(module_detach_ctx_t const *mctx)
Definition rlm_radius.c:1032
mod_load
static int mod_load(void)
Definition rlm_radius.c:1040
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition rlm_radius.c:189
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition rlm_radius.c:200
mod_process
static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Send packets outbound.
Definition rlm_radius.c:587
attr_eap_message
static fr_dict_attr_t const * attr_eap_message
Definition rlm_radius.c:196
type_parse
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
pool_config
static conf_parser_t const pool_config[]
Definition rlm_radius.c:124
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition rlm_radius.c:188
status_check_verify
static int status_check_verify(map_t *map, void *ctx)
Definition rlm_radius.c:409
dict_radius
static fr_dict_t const * dict_radius
Definition rlm_radius.c:179
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition rlm_radius.c:1008
attr_chap_challenge
static fr_dict_attr_t const * attr_chap_challenge
Definition rlm_radius.c:187
status_config
static conf_parser_t status_config[]
Definition rlm_radius.c:76
rlm_radius_dict_attr
fr_dict_attr_autoload_t rlm_radius_dict_attr[]
Definition rlm_radius.c:203
attr_extended_attribute_1
static fr_dict_attr_t const * attr_extended_attribute_1
Definition rlm_radius.c:194
attr_error_cause
static fr_dict_attr_t const * attr_error_cause
Definition rlm_radius.c:192
mod_unload
static void mod_unload(void)
Definition rlm_radius.c:1049
attr_proxy_state
static fr_dict_attr_t const * attr_proxy_state
Definition rlm_radius.c:190
radius_fixups
static int radius_fixups(rlm_radius_t const *inst, request_t *request)
Do any RADIUS-layer fixups for proxying.
Definition rlm_radius.c:523
attr_nas_identifier
static fr_dict_attr_t const * attr_nas_identifier
Definition rlm_radius.c:197
type_interval_config
static conf_parser_t const type_interval_config[FR_RADIUS_CODE_MAX]
Definition rlm_radius.c:170
auth_config
static conf_parser_t auth_config[]
Definition rlm_radius.c:60
mode_parse
static int mode_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
rlm_radius
module_rlm_t rlm_radius
Definition rlm_radius.c:1064
rlm_radius_dict
fr_dict_autoload_t rlm_radius_dict[]
Definition rlm_radius.c:182
transport_config
static conf_parser_t const transport_config[]
Definition rlm_radius.c:100
status_check_update_parse
static int status_check_update_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
attr_original_packet_code
static fr_dict_attr_t const * attr_original_packet_code
Definition rlm_radius.c:198
attr_event_timestamp
static fr_dict_attr_t const * attr_event_timestamp
Definition rlm_radius.c:193
status_check_update_config
static conf_parser_t const status_check_update_config[]
Definition rlm_radius.c:48
attr_response_length
static fr_dict_attr_t const * attr_response_length
Definition rlm_radius.c:199
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_radius.c:638
status_check_config
static conf_parser_t const status_check_config[]
Definition rlm_radius.c:41
mode_names_len
static size_t mode_names_len
Definition rlm_radius.c:231
mode_names
static fr_table_num_sorted_t mode_names[]
Definition rlm_radius.c:224
module_config
static conf_parser_t const module_config[]
Definition rlm_radius.c:135
connected_config
static conf_parser_t const connected_config[]
Definition rlm_radius.c:109
attr_message_authenticator
static fr_dict_attr_t const * attr_message_authenticator
Definition rlm_radius.c:195
acct_config
static conf_parser_t acct_config[]
Definition rlm_radius.c:68
rlm_radius.h
rlm_radius_t
struct rlm_radius_s rlm_radius_t
Definition rlm_radius.h:39
rlm_radius_mode_t
rlm_radius_mode_t
Definition rlm_radius.h:41
RLM_RADIUS_MODE_XLAT_PROXY
@ RLM_RADIUS_MODE_XLAT_PROXY
Definition rlm_radius.h:47
RLM_RADIUS_MODE_INVALID
@ RLM_RADIUS_MODE_INVALID
Definition rlm_radius.h:42
RLM_RADIUS_MODE_PROXY
@ RLM_RADIUS_MODE_PROXY
Definition rlm_radius.h:43
RLM_RADIUS_MODE_REPLICATE
@ RLM_RADIUS_MODE_REPLICATE
Definition rlm_radius.h:45
RLM_RADIUS_MODE_UNCONNECTED_REPLICATE
@ RLM_RADIUS_MODE_UNCONNECTED_REPLICATE
Definition rlm_radius.h:46
RLM_RADIUS_MODE_CLIENT
@ RLM_RADIUS_MODE_CLIENT
Definition rlm_radius.h:44
rlm_radius_s
Definition rlm_radius.h:53
name
static char const * name
Definition rlm_redis_ippool_tool.c:156
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition rlm_rest.c:1313
retry_config
static conf_parser_t retry_config[]
Definition rlm_tacacs.c:38
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
module_instance_s::name
char const * name
Instance name e.g. user_database.
Definition module.h:336
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:330
module_s::inst_size
size_t inst_size
Size of the module's instance data.
Definition module.h:204
module_instance_s::data
void * data
Module's instance data.
Definition module.h:272
module_instance_s::boot
void * boot
Data allocated during the boostrap phase.
Definition module.h:275
MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:151
module_method_binding_s
Named methods exported by a module.
Definition module.h:173
pair_append_request
#define pair_append_request(_attr, _da)
Allocate and append a fr_pair_t to the request list.
Definition pair.h:37
tmpl_is_xlat
#define tmpl_is_xlat(vpt)
Definition tmpl.h:210
tmpl_is_attr
#define tmpl_is_attr(vpt)
Definition tmpl.h:208
tmpl_xlat
#define tmpl_xlat(_tmpl)
Definition tmpl.h:930
tmpl_is_data
#define tmpl_is_data(vpt)
Definition tmpl.h:206
tmpl_rules_s::attr
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:335
tmpl_attr_tail_da
static fr_dict_attr_t const * tmpl_attr_tail_da(tmpl_t const *vpt)
Return the last attribute reference da.
Definition tmpl.h:801
TMPL_ATTR_LIST_FORBID
@ TMPL_ATTR_LIST_FORBID
Attribute refs are forbidden from having a list.
Definition tmpl.h:263
tmpl_rules_s
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
client_from_request
fr_client_t * client_from_request(request_t *request)
Search up a list of requests trying to locate one which has a client.
Definition client.c:1105
count
return count
Definition module.c:155
unlang_module_yield_to_retry
unlang_action_t unlang_module_yield_to_retry(request_t *request, module_method_t resume, unlang_module_retry_t retry, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx, fr_retry_config_t const *retry_cfg)
Yield a request back to the interpreter, with retries.
Definition module.c:359
mod_signal
static void mod_signal(module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)
Cancel a call to a submodule.
Definition state_machine.c:118
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
vp
fr_pair_t * vp
Definition state_machine.c:2262
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition state_machine.h:188
map_s
Value pair map.
Definition map.h:77
map_s::lhs
tmpl_t * lhs
Typically describes the attribute to add, modify or compare.
Definition map.h:78
map_s::rhs
tmpl_t * rhs
Typically describes a literal value or a src attribute to copy or compare.
Definition map.h:79
map_s::ci
CONF_ITEM * ci
Config item that the map was created from.
Definition map.h:85
tmpl_attr_rules_s::dict_def
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_table_value_by_str
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:282
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
fr_time_delta_ispos
#define fr_time_delta_ispos(_a)
Definition time.h:290
trunk_config
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:314
xlat_impure_func
bool xlat_impure_func(xlat_exp_head_t const *head)
Definition xlat_tokenize.c:2053
head
static fr_slen_t head
Definition xlat.h:416
fr_pair_dcursor_by_da_init
#define fr_pair_dcursor_by_da_init(_cursor, _list, _da)
Initialise a cursor that will return only attributes matching the specified fr_dict_attr_t.
Definition pair.h:628
fr_pair_t
struct value_pair_s fr_pair_t
Definition pair.h:48
parent
static fr_slen_t parent
Definition pair.h:845
fr_retry_config_t
Definition retry.h:32
nonnull
int nonnull(2, 5))
out
static size_t char ** out
Definition value.h:1012
FR_VALUE_BOX_SAFE_FOR_ANY
#define FR_VALUE_BOX_SAFE_FOR_ANY
Definition value.h:166
xlat_func_args_set
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:362
xlat_s
Definition xlat_priv.h:59
Generated by   doxygen 1.9.8